The news headlines on Cyber Ransomware attacks that are occurring are becoming almost as common as Covid-19 news.  A recap of the major attacks that have occurred this year should be a wakeup call for all organizations using online computing technology.  First, there was the SolarWinds “Supply Chain” attack that affected most Fortune 500 companies and many US Government networks.  Then the Microsoft Exchange Server attack that affected over 400,000 customers.  Then water utility hacks that potentially could have exposed 10’s of thousands of people to unsafe drinking water.  Now the latest is a Ransomware attack against a petroleum pipeline company supplying gasoline, diesel, and jet fuel to many states along the eastern seaboard of USA.  These attacks are becoming more frequent and sophisticated.   Below is a link to a story on the CBC Website regarding the latest cyber-attack. 

Cyberattack on U.S. pipeline linked to criminal gang | CBC News

Microsoft estimated worldwide count of vulnerable Exchange servers to be in the range of 400,000.  Microsoft released security patches on March 2nd.  As of March 12th, Microsoft estimated there were still 82,000 Exchange servers that still had not been patched.  Palo Alto networks estimated the number to be even higher at 125,000 servers.

As these Exchange servers remain unpatched, they are left exposed to hacking or sanctioned rouge government groups that can, and have, planted Web Shells allowing remote access and back doors into company networks.  A new form of ransomware has recently been discovered, named “Dearcry”, targeting unpatched Exchange servers.

Last week, an FBI Cyber Division became involved in proactively removing malicious Web Shells from hundreds of US based Exchange servers.  The FBI took this approach because of unresponsive organizations that didn’t apply security patches in a timely manner, or not at all.
 
FBI blasts away web shells on US servers in wake of Exchange vulnerabilities

Feds turn into cyberfirefighters and hose down the web shell bonfire raging on hundreds of unpatched Exchange servers. "Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated," the department said.

"This operation removed one early hacking group's remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to US networks."  Despite the operation, those that run Exchange servers are still recommended to follow Microsoft's advice as well as ensure servers are properly patched.
 
"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path)," it said.

"This operation was successful in copying and removing those web shells. However, it did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells."

Due to each shell having a unique file path and name, the department added it may have been difficult for "individual server owners" to find and remove them. As of the end of March, the department was aware of "hundreds" of shells still working on US servers. Microsoft released its first alerts on the vulnerabilities at the start of March.
 
The FBI is now attempting to alert server owners that it removed shells from. Affected users with publicly available contact information will receive an "e-mail message from an official FBI e-mail account (@FBI.gov) notifying the victim of the search", and failing that, ISPs will be contacted to provide notice.

"Today's court-authorized removal of the malicious web shells demonstrates the department's commitment to disrupt hacking activity using all of our legal tools, not just prosecutions," Assistant Attorney General for national security John C. Demers said.

"Combined with the private sector's and other government agencies' efforts to date, including the release of detection tools and patches, we are together showing the strength that public-private partnership brings to our country's cybersecurity.

"There's no doubt that more work remains to be done, but let there also be no doubt that the department is committed to playing its integral and necessary role in such efforts."
On March 24, Microsoft said 92% of vulnerable servers were patched or mitigated.

In Australia, the government's Australian Cyber Security Centre has been running scans to find vulnerable servers in the country.

https://www.zdnet.com/article/fbi-blasts-away-web-shells-on-us-servers-in-wake-of-exchange-vulnerabilities/
 

If your organization uses Microsoft Exchange Server for email, there may be a “Ticking Time Bomb” waiting in the background, ready to explode when you least expect it!

In early January 2021, several security research companies discovered some abnormal network activity, which eventually led them to believe that there were some discovered vulnerabilities allowing unauthorized access to Exchange Server.  After detailed investigation, these security research companies officially alerted Microsoft to this information in the end of January.  Microsoft didn’t react to the seriousness of this situation and didn’t alert or send out patches to all 2010-2019 Exchange Server customers until March 2nd, where 4 zero-day flaws were corrected.  Microsoft originally hadn’t planned to send out patches until their March 9th “Patch Tuesday” was scheduled.  Even after March 9th, Microsoft estimated that between 100,000 and 400,000 Exchange Servers remained unpatched.

Once the threat was made public and patches were available, security research companies detected a flood of attacks targeting all unpatched Exchange Servers, many of them having malware and backdoors installed into those Exchange Servers and exposing organization’s networks.  The real danger that exists now is the pending vulnerabilities that many organizations will most likely experience in the future, when the “Ticking Time Bomb” goes off!

The computer/network security industry is constantly preaching that the best way for businesses and computer users to avoid falling victim to malware attacks is to “ensure that the latest security patches are applied” to their network and computing environment.  With the latest revelation that a severe security breach, discovered in Dec 2020, infected a majority of Fortune 500 companies and most US Government agencies, as a result of a Solarwinds Orion platform update, many would question who can be trusted? 

Solarwinds is referred to as a “supply chain” vendor for companies utilizing their software in their computing environment.  Their Orion software provided an inventory and management function for large organizations that utilize large computing networks with vast numbers of PC’s. 

Software vendors are always coming out with upgrades to their software.  These upgrades are created to provide enhancements and improvements to the functionality of their software, but many times to fix known security vulnerabilities that have been discovered on their existing software.  Patching is a vital requirement for all companies, as a majority of them rely on computing and network presence for their everyday business practices, and their networks have to be protected from security threats that are constantly surfacing.
​
Companies have to ensure they have trusted and competent security staff to carry out and enforce security practices that are in place.  Using Solarwinds as an example, lax security practices can have dire consequences, put adverse conditions on a business, and possibly put the company’s survival in jeopardy. 

​Just in the last week, a number of security breaches have occurred that are almost too unbelievable to comprehend.   Organized crime and State Sponsored hackers are getting so sophisticated that even companies that specialize in “Security” are being targeted, and many of their customer base are being infected.  Solarwinds, a company that markets many software products to the IT marketplace experienced a security breach that affected a particular product they call Orion.  One of their “software updates” that they provide to their customer base was compromised.  Unsuspecting companies that proactively updated their software, were hit with security breaches because of the compromised software update.  We’re talking about large organizations and government departments that have been infected by this breach, giving the hacker’s backdoor access into their networks.  The US Department of Treasury and Commerce departments and US Department of Homeland Security are on the list.  FireEye, a cybersecurity company was also hit, and as a result, a number of their proprietary tools for penetration testing on client networks was stolen by the hacking group.  Solarwinds estimate that 18,000 of its customers downloaded the compromised update software.  There will be a lot of “reactive” work involved by these companies to check for collateral damage on their systems and establish how their systems have been compromised as well.  Heightened awareness and security practices are paramount for companies to survive in this global internet communication era.   

Security firm Kaspersky recently released a report indicating that approximately 45% of US and Canadian employees wouldn’t know how to respond if they were targeted in a Ransomware attach.  An alarming 37% didn’t even know what a Ransomware attach was.  
The Canadian Centre for Cyber Security (CCCS) has prepared a “Best Practices” document with information for companies to follow to prevent or recover from a Ransomware attach.  See link below.
https://cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099

One key aspect for companies to follow in preventing a Ransomware attach from occurring is educating their employees on what and what not to do, when dealing with potential Ransomware threats. 

The Canadian Anti-Fraud Centre has reported an increase in the number of computer related scams that are taking place as a result of the COVID-19 pandemic.  Crafty fraudsters take advantage of people and organizations in vulnerable times, many times because their guard has been taken down because of the situation.   Below is a link to a story that was posted on the CBC news website. 
https://www.cbc.ca/news/politics/covid-scams-fraud-crime-1.5551294

The Canadian Internet Registration Authority (CIRA) is a body that regulates the .ca domain on the Internet.  CIRA has developed and is providing a free service to all Canadian non-business residents for heightened Internet security.  They call this service the “Canadian Shield”.  What this service actually provides is added protection to your devices when DNS queries are made when you are connecting to sites on the Internet.  There are three levels of service that are available.  Below is a link to their website for instructions on making changes to your home router or devices.
  https://www.cira.ca/cybersecurity-services/canadian-shield/configure

IP addresses for resolving DNS queries are required to be changed on you home router, and/or computing device.  If changes are made to you home router, there is not a requirement to change IP address settings on all your individual devices while you’re on a wired or Wi-Fi connection within your house.  For portable devices like a tablet or cell phone, that may be connected to your data provider when you are away from your home, you should consider changing the IP settings on those devices for the full protection of this service.  
If you use Firefox or Chrome browsers, another setting that you should change on all your devices is a setting for DNS Encryption over HTTPS (DOH).  Instructions on how to make these changes are also contained in the link above.

Below is a link to a particularly good resource that was posted from the Canadian Centre for Cyber Security.  If you or your employees are teleworking from home, precautions should be made to prevent security issues from occurring. 
https://cyber.gc.ca/en/guidance/telework-security-issues-itsap10016

Below is a link to a German Web researcher and developer that has discovered that Avast and AVG online security extensions, that you would typically install on your web browser, in addition to you running their antivirus software, is spying on you.  Mozilla has already pulled the extentions from their Addon Repository.  If you are using these extensions, you should remove them from your browser addons.  If you are running Windows 10 OS, there's no need to be running 3rd party antivirus software, as Windows defender is doing a very good job.  Avast also provides their own web browser called Avast Secure Browser which is also spying on you. You should be using a browser that you can trust, like Firefox or Chrome.
palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/

Phishing is a technique used by criminals to gather personal and account login information from you, so they can exploit you or your organization. There are many various forms of phishing that exist.  Below is a link to a very good article describing the various types of phishing attacks that you should avoid. 
 6-common-phishing-attacks-and-how-to-protect-against-them/
It's important to remember that if you receive an offer either through email, SMS text or a phone call, and the offer sounds too good to be true, it's most likely a scam.  Phishing techniques are becoming so advanced that users find it difficult discerning a fake from a legitimate request.  

I might be dating myself, but I recall a TV series that played for seven seasons, starting in 1981 called "Hill Street Blues".  If you're not familiar with this program, it was based on the life and times of New York City police officers and the work they did on a daily basis.  At the beginning of every show was a segment where all the police officers had their morning briefing, conducted by their precinct sergeant.  At the conclusion on his briefing, he would always have a saying, "Let's Be Careful Out There" as he was concerned for the safety and well being  of all his officers.  I am reminded of this saying and think it would be a good slogan for this Website.  Every one of us that has an online presence to the Internet with either our computers or smart phones,  are subject to countless security threats.  Precautions are paramount in order to protect your privacy and data, from getting into the wrong hands of the criminal element.  Below is a short video of the sergeant finishing his briefing.

Microsoft has made changes in Windows 10 version 1903 that allows users an option to run an offline scan of their system using Windows Defender.  Periodically running this scan is a good security precaution to check for the presence of any rootkits that may be on your system, as a normal scan would be unable to detect the presence of a rootkit. 

If you are still using Windows 7 Operating System on any of your computers, you should seriously consider upgrading, as Windows will no longer be providing any support or updates.  Below is a link to Microsoft where you can find out more information.

support.microsoft.com/en-ca/help/4057281/windows-7-support-will-end-on-january-14-2020

Ransomware is becoming the number one threat in Cybersecurity.  It can be very profitable for criminal organizations or individuals to carry out ransomware attacks.  A large number of municipal government organizations have been targeted with ransomware attacks in 2019. Universities, public schools and Hospitals have also been targeted.  Below is a link to a very good explanation of ransomware by the University of California - Berkeley. 

security.berkeley.edu/faq/ransomware

The German Federal Office for Information Security (Bundesamt Fur Sicherheit in Der Informationschnik) tested four of the major web browsing applications to determine which one they considered the most secure.  The tests were conducted in September 2019 and the following browsers were tested:
Chrome vs 76, Microsoft Internet Explorer vs  11, Microsoft Edge vs 44, and Firefox vs 68.
Their test had a 21 point list of various security requirements and options.  Of the four browsers, Firefox received top marks and was the only one that passed all 21 points in their criteria. 

Hardly a day goes by without another news story being released on yet another “security breach” occurring, or a “new scam” being discovered, or a number of people finding their “bank accounts being drained” by sophisticated schemes of criminal individuals and organizations.  Below are three recent stories from the CBC website on some of the ugly things that are happening out in Cyber land.  The first story shows how your life can be turned around by being subjected to identity theft.   The second and third story relates to off shore organized crime organizations targeting Canadians in an attempt to defraud them of their money.  Most people will recognize a con job in the making, when they receive a phone call from someone claiming to be from the Canada Revenue Agency, or some other government department. Unfortunately, these organizations are very sophisticated and convincing, and there are always a number of people that fall victim to their schemes.   


cbc.ca/news/canada/toronto/meet-deborah-oguntoyinbo-accused-of-being-a-professional-and-prolific-identity-thief-1.5348438

cbc.ca/news/politics/fraud-spoofing-canada-government-1.5348659

cbc.ca/news/world/national-cra-india-rcmp-scam-1.4883796

Below are a couple of recent newsworthy stories posted on the CBC website regarding our banking institutions in Canada. 

www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982

My take on this story...

Online banking can be risky if you don't take security precautions into consideration:
#1 Don't ever share your PIN number with anyone.  (See related story below.  It's shocking that a financial institution would be asking a potential customer for their account and associated PIN number!)
#2  Don't reuse passwords for any online accounts, especially banking and eCommerce sites.
#3  Use strong passwords.  Use a password manager (add-on to most browsers) to create and keep track of your passwords.  Lastpass is a good password manager in my opinion.  Don't allow your browser program to save all your passwords.  Use a password manager instead.
#4  If your financial institution offers Two-Factor Authentication in their login process, use it.  It may be a more cumbersome process to login, but it should provide a higher level of security for your online presence.  A warning though, criminals have figured out how to get around two-factor authentication as well, so the process is not bullet proof.  Even though your bank doesn't offer two- factor authentication, they may provide a second level of security in a different flavor.  RBC online banking offers a "Sign-in-protection" option where they ask you  a personal verification question. You have to set this up as an option in your online banking.  There is also a tick box asking that at least one PVQ is asked at sign in.  This should always be selected. As of this writing, only one of the five major banks in Canada provides two-factor authentication, which is TD Bank.
#5  Security is your responsibility, not only the bank's responsibility.  If you are lax on security precautions, you shouldn't expect the bank to cover all your loses if you're the victim of an online related fraud.

At the bottom of the first article, there are some good tips on how to prevent online banking fraud by Limor Kessem, an IBM X-Force, executive security adviser. 

www.cbc.ca/news/canada/nova-scotia/national-bank-canada-customer-banking-privacy-1.5334059

Not only should you be concerned with protecting yourself from security vulnerabilities, you should also be vigilant at protecting your privacy as well.  Most people use some form of Google Services, whether the applications are on your smartphone, or home/office computer, you potentially could be tracked extensively by Google, and other third party companies.  Google does provide you with the tools to adjust your privacy settings.  Below is a good article on how to set some of those privacy settings.   
www.itworldcanada.com/article/how-to-control-your-privacy-for-google-services/

A recently discovered critical vulnerability has been discovered on WINRAR, a compression/decompression utility program that is installed on more that 500 million PC's.  A new release V5.70 has been released as of Feb 28, 2019.  All older versions have the vulnerability and should be upgraded. 

The updated version is available here:  https://www.win-rar.com/

Con Artists have been around since the beginning of time.  They're constantly figuring out new techniques to scam you out of your hard earned money or possessions.  With the advent of the internet and personal computers, in many cases the profession of the con artist has evolved into the modern day hacker.  Creative Social Engineering is allowing hackers the ability to con unsuspected computer users into providing their personal or account related information, allowing their online accounts to be compromised.

Below are three YouTube links of excerpts of a UK TV program showing various ways that con artists can scam their potential victims.  The videos are a bit old, but still show how creative con artists can be. 

The Real Hustle:  Laptop stolen at airport scam
https://www.youtube.com/watch?v=H7N6WoaASDQ

The Real Hustle:  Stolen Bag at airport scam
https://www.youtube.com/watch?v=IwcTiuxzqv0

The Real Hustle:  The Give And Take
https://www.youtube.com/watch?v=KwFWJKMZ8uQ

In a previous blog post, a reference was made indicating Multi-Factor Authentication (MFA) was often referred to as Two-Factor Authentication (2FA).  There’s actually a difference between the two authentication methods, 2FA being a subset of MFA.  A website that only requires a userID/password combination is referred to as having Single-Factor Authentication.   2FA uses two pieces of evidence to provide authentication, whereas MFA uses more than two.  Most common 2FA implementations use a userID/Password combination, plus one other variable:  SMS message, phone call, email note, and software or hardware token.  MFA adds a more complex process for authentication, usually using some form of Biometrics, i.e. voice or facial recognition, retina or iris scan, or fingerprint recognition.  The current location where you attempt a website login can be also used as an additional factor in MFA.  MFA is a more robust form of authentication where a user is only granted access only after successfully presenting evidence in at least three categories:  Knowledge (something you know  [i.e. your userID/password] ), Possession (something you have [a software or hardware token] ) and Inherence (something you are [fingerprint recognition] ).

2FA (and eventually MFA) is a technology that will become a mainstream login process on user’s accounts in the future.  Currently, very few websites that require user login have implemented this technology.  Partially because of the amount of work that is required for companies to add this to their websites, and partially because of user resistance in using the technology, even if it’s offered.  2FA is an evolving technology that potentially could be prone to failure, partially because of the result of successful Social Engineering attacks by utilizing newly discovered vulnerabilities.    
   
Below is an article from a CBC News website on how a cryptocurrency executive lost money in an online account that she thought had a secure login process using 2FA. Her cell phone account was compromised and SMS 2FA failed as result of successful Social Engineering.
https://www.cbc.ca/news/technology/marketplace-social-engineering-sim-swap-hack-1.5009279

If you reside in Canada, you can watch the Marketplace episode that was originally broadcasted on Feb 8, 2019 at this address:  https://watch.cbc.ca/media/marketplace/season-46/episode-14/

Refer also to a previous post referring to the “Human Factor in Network Security”.
https://www.runetworksafe.com/blog/the-human-factor-in-network-security
 

Two-Factor Authentication (or Multifactor Authentication) has been mentioned in some previous blog postings.  What is it, you ask?  It’s an added layer of security in the login process, that’s implemented by a website owner (i.e. your bank for online account access or your favorite online retailer).  Why use it, it just makes logging in that much more difficult!  Having an extra layer of security also makes it much more difficult for the criminal element, preventing unauthorized access to your accounts. Data breaches on companies that have an online presence are becoming a common occurrence; there are more breaches that occur than the news media care to cover.  If you have an account with a company that has experienced a data breach, there's a high probability that your userID and password could eventually become exposed on the internet as a result of that data breach.  This is especially dangerous if you happen to reuse passwords for multiple accounts.

Here is an excellent article by a Time Magazine writer on staying safe online by using two-factor authentication.  http://time.com/5510195/two-factor-authentication In this article, another website is mentioned  https://twofactorauth.org/ that gives you the ability to check to see if your bank or retail website provides the option for two-factor authentication.  If you find that they don’t provide that service, they can and should be shamed on social media, encouraging them to provide that extra layer of security for their customer's.  An alternative would be to send a quick email note to the company that you deal with online, requesting that they add that service to their website.  Chances are, most companies will be scrambling to have their website developers implement this type of added security.  It protects their customer's and could also prevent them from potential liability.

Of the five major banks in Canada, notice that TD Canada Trust is the only Canadian bank that currently offers two-factor authentication for their online customers. The other banks have some website development to do!

Reusing passwords for numerous internet sites is dangerously insecure.   A typical computer user when warned about this practice might respond as “what’s the big deal, I do it all the time”.  The problem is, most typical computer users don’t really understand the inherent dangers associated with reusing passwords. This is especially troublesome if passwords are reused for sites that contain personal and/or financial information, i.e. credit card info.  Below is an example of why you shouldn’t reuse your passwords. 
                                                                                                                                                   
Joe Blow is a typical computer user who has a number of web site logins that are linked to his email account joeblow@email.com, and he uses the same password for all those sites.  He uses Facebook, Instagram, Google, online banking, Steam for his gaming, Expedia for his travel, and numerous online shopping accounts including Amazon.  Joe plays some online computer games and he had an account to play Town of Salem   that was produced by BlankMediaGames.  A recent discovery was made at the end of Dec, 2018 revealing that this site had been hacked.  A serious data breach had occurred resulting in the exposure of over 8 million individual user’s email accounts, web site usernames and passwords, IP addresses, past purchases, and website activity.  More information on this hack can be found here:  https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/   

Since Joe uses the same password for all of his website accounts, the Town of Salem breach created exposure to most of Joe’s online activity including his email account, banking, social media and online shopping.  A question most people would ask, “Once a breach has occurred, what do hackers do with all that data”?  Partial or complete databases of this kind of information are sold on the Dark Web, either outright or through an auction process to the highest bidder.  Data of this kind can make its way into criminal organizations where they can handsomely profit by exploiting user’s accounts and personal information. 
  
A data breach can occur on a targeted organization and not be discovered for several months.  In Joe’s case, he was unaware of the data breach that had occurred with his Town of Salem account.  One day, Joe tried to log into his online banking account, and kept getting an error, saying his userID or password was incorrect.  After several login attempts, he decided to reset his password, but when asked to complete an email verification, he was unable to log into his email account.  Joe was under a time constraint to make a rent payment to his landlord, so he made a trip to his local banking branch to make the payment and resolve his online login problem.  When he reached the bank, to his horror, the banking representative informed him that he only had a balance of $5 dollar remaining in his account.  

At this point, Joe realized something serious had occurred and his various online accounts had been compromised, but he couldn’t understand why this had happened?  He used what he thought was a very strong password. The problem was, he had reused his password on various accounts, including the Town of Salem account.  That security breach had exposed his email and password information for the criminal world to exploit.  His banking account was compromised because he reused his common password and didn’t use multifactor authentication (can also be referred as two-factor authentication), a service that his bank had offered, but something that he never got around to setting up.  Hackers were now able to log into his various internet accounts and not only drain his bank account, but gather and dissect all kinds of personal information on Joe.  Once the perpetrators had control of Joe’s email account, they were able to change his password on all of his other accounts, thus locking Joe out.  
         
By following more secure practices in Password Management, Joe could have avoided this situation from happening.  Joe wonders how one could possibly set up and remember countless user names and passwords for all his accounts. By utilizing a password management program like Lastpass, where only one master password has to be remembered, and a different password can be generated and used for all his accounts, Joe’s problem could have been alleviated.  Use multifactor authentication wherever possible, especially on your most important and sensitive web sites, or on sites where financial transactions are taking place.  Don’t allow web sites to remember your credit card information if possible (click the box “do not remember credit card” if that option exists).  Don’t allow your browser to remember your passwords.

Now Joe has the unwanted burden of resetting all his online accounts; not a simple process like setting up an online account in the first place.  He also has to set up credit monitoring, so he can hopefully avoid or minimize the affect of identity theft, since most of his online accounts had been compromised. Joe will never make the mistake of reusing passwords again, and will implement better password management habits from now on.   
 
 You can also refer to a previous blog posting on password management for more information.   https://www.runetworksafe.com/blog/password-management

Yesterdays blog post mentioned a web site that allows you the ability to verify if your email address has been compromised by a data breach in the past. Another web site that offers a similar service is provided by Mozilla.  The web site address is https://monitor.firefox.com/

You can also sign up for Firefox Monitor alerts, which will send you an email alert if you have an account with a company that experiences a new data breach, that has been discovered and details released to the public.