Mitigating sophisticated phishing attacks

Phishing has always been a rather difficult issue to solve.

I’ve spent countless hours trying to create programs to successfully keep employees from opening suspicious emails, believe me!

The new generation of phishing, however, is even more complex and the threat is even more difficult to mitigate.

In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingl legitimate source.

Thereby, the victim was dooped into opening the attachment to infect the system/network, and there is pretty much no training that will help to reduce that risk.

One of the issues we began working on was to have existing contacts confirm their identity through an IM. Of course this only works if the source is internal, and/or the source is available on an IM service.

Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.

@Cloudflare and @TorProject: Speeding up #Privacy

One of the most annoying things when using TOR browser, and surfing to conventional websites using Cloudflare CDN was that you got a reCaptcha.

More often than not this would not happen once, or twice – but multiple times over before you actually got the content you wanted.

Appearently, this has changed because in September Cloudflare annouced that it worked together with the Tor Project to mitigate this annoying issue, but in the course of their coop, they actually found a genius way to make Tor faster with their technology.

This is great for those seeking privacy… yeah, I know… the criminals, too. But hey, you can use a knife to cut onions. Oh, wait – stupid analogy…

This just as a heads up… go to the website to read the technicallities yourself; and how to activate them in the case you run a .onion TLD website.

Why is it important to have a BOYD policy

BOYD, or bring your own device describes the scenario in which an employee is encouraged to bring their own computer hardware to the office, and use it for productivity purposes.

Obviously, this has benefits for the company. The company does not need to invest into equipment for the employee to be productive. Also, the employee will be more familiar with their own hardware, then they would be with a computer or telephone provide it for them.

However, a bring your own device policy brings along certain risks.

The company will have less influence on the hygiene of the devices. Also, there are certain drawbacks in terms of control the company has over the device.

A majority of users will – if they bring their own device Dash feel as if the company has no influence on the device.

The case of the spying paper shredder

When you think of spies, you never think of a harmless paper shredder.

A few years back, and one of my most meaningful contracts, was to find out and stuff a leak inside and organization with offices six of the seven continents.

I have been introduced to the company through a mutual connection between myself and the chief executive of the organization a question.

Aforementioned CEO was dissatisfied with the work of my predecessors. These had conducted extensive analyses in the organization; but all by the book.

The result was: the leak was still there or not fixed even some $3.5 million later.

The mutual connection I mentioned earlier got a hold of this information and was so Milyer with my out-of-the-box thinking and introduced us through an email upon which I was hired to conduct another analysis to find out where the leak was and to submit a proposal on how to stuff it.

I spent the next next weeks on planes traveling to pretty much all of their facilities and offices around the globe.

Very quickly managed to isolate the office where the leak originated. So for the next weeks I was in that office conducting research as to how the sensitive information got out of the office and into the hands of the competition.

We conducted everything from radio frequency and analysis to exclude the possibility that the information was sent out of the building to the obvious suspects being a leak in the IT infrastructure and even to suspecting certain Individuals in the organization.

None of this yielded any results turning the excitement from the beginning and to somewhat have a frustrating project.

Some weeks later I was sitting in a conference room at 2 AM chewing on a piece of stale pizza that was left over from dinner, while playing carousel with an office chair I was sitting in.

Every time I made a turn a paper shredder caught my attention with the red LED on top.

One of our desperate measures was too exchange parts of the furniture, artwork, and office equipment. This pull through to replacing parts of the coffee canisters placed in that specific meeting room. What we had not taken into consideration previously was the old style of information extraction.

This organization was still rather paper heavy and a lot of the meeting notes were taken on paper; and parts of them disposed through conventional means.

No I was curious to find out whether or not this paper shredder was the culprit. And so 230 in the morning I went to the janitor of the building and asked him for a screwdriver and other tools; if you want to know that you’re right, he wants and village at that moment!

I opened the case of the paper shredder, disconnected it from the power supply, and as I opened it I saw a perfectly integrated scanner which snapped scans of every piece of paper from both sides before it was destroyed. It’s took me two or three closer looks to find it, and the contraption was brilliantly engineered have to agree where strips were fit it inside so that no light of the scanning process what escape the housing.

Bottom line: the competitor in question went through a lot of trouble to place this device. The cost of engineering it was quite extensive: further, the reason the information was not discovered by the radio frequency analysis is that the middleman of the competitor and bribed One of the cleaning ladies to replace a USB key if they had inserted into the machine on a weekly basis.

So you see: not even are we safe from paper shredders anymore.

The most complex case of CEO Fraud… yet; and how to mitigate it.

CEO fraud was probably one of the most devious forms of cyber crime. Above that, it is the highest form of social engineering.

Do you know that feeling when you get to a project and you’re thinking: how in the hell could this have happened?

Recently happened to me in the form that I was called, and sitting in a helicopter being airlifted to a midsized organization in which The most complex case of the CEO Friday I’ve seen today it had happened.

In short: the perpetrators head injected malware into the email server of the organization, thereby being able to monitor both the CEOs and the CFO$ mailboxes permanently.

The CEO was about to contact to deal with an organization in London, and all of his itinerary was in his mailbox; even The telephone number of his hotel.

Long before this happened, the perpetrators had hired someone with a similar voice to that of the CEO, and above that spoke his native language. The CEO used Voice Memos frequently, which allowed the perpetrators to also copy a style of speaking.

The CEO arrived in London, and the deal did not come to fruition. However, the perpetrators called the CFO and the organization, and the impersonator they had hired claimed that the deal had in fact been signed.

The impersonator then gave the CFO the bank details upon which DCF I will execute the transfer of €25 million.

Upon the CEOs returned to the organization into the office A day later to see if I congratulated him to the deal closure.

The CEO then replied that the deal had not been closed, and the things started to unravel

The damage turned out mildly, and we put the necessary precautions and methodology is in place so that the kids like that can never repeat again; at least not with this organization.

Why it’s a good idea to isolate EOL applications/software with insufficient patches, and how to do it

Software and applications are the Achilles’ heel of the information technology; when they reach end of life which is inevitable, or when they are not updated in high enough frequency, protocol suggests to stop using them altogether.

However, a lot of applications are mission critical for an organization.

In this case, and as I have seen and applied in the wild, one of the ways to continue using them is to isolate them from the rest of the network.

Isolating specific pieces of software or applications from the rest of your IT environment is by running them inside dedicated virtual machines there by cutting them off from most of the rest of the network.

Why you don’t want your RJ 45 sockets available in the wild

A few weeks ago I had friends visiting from Thailand. Being the good host I try to be I took them to see several A few weeks ago I had friends visit from Thailand. Being the good host I try I took them on a variety of sightseeing tours; one of them was inevitably to one of the castle switch around here.

While we were strolling through the facility I couldn’t help but see a wire running throughout the complex, which obviously didn’t exist back in the 1800s.

Lo and behold it was a network cable.

This network cable was not only connected to the sprinkler system and the fire alarms, the exit signs and alarm system; it was also the same cable that ran to the cashier. Meaning, that the entire network infrastructure was exposed to interception.

Technically, it would be possible to separate the cable and install a device which will give you permanent access to the network.

As if this wasn’t bad enough, I found at least half a dozen RJ 45 sockets throughout the complex which would have made my work even easier; had I been a criminal.

It’s important to understand that these sockets were at locations where I would have been undisturbed four hours.

After this startling experience I kept my eyes open for rogue RJ 45 sockets in the wild.

A few days after the visit I mentioned, I had to go to a public and ministration building: and what was the first thing that smiled at me? Right! Another rogue RJ-45 socket.

Now, unless you have very specific MAC address filtering in place, rogue sockets will allow criminals to get a very good scan of your organization. If the access to systems is limited to, even then would it be possible to conduct a scan of the network, Which would reveal devices that are vulnerable, and allow for penetration of the network through that device.

Well this may seem obvious to a lot of us, they’re obviously a lot of people out there in our profession that do not take such Warnerville it is as a given fact.

Therefore, I dedicated an entire part of my cyber security risk assessment checklist to not only wrote RJ-45 sockets in the wild, but also to their placement, the mapping of the placement in case someone tampers with the box, and a variety of other issues.

Contact me if you’d like to get a copy of my checklist for your work.