This Midnight Blizzard brings an avalanche of trouble 

The wind howled; the snow swirled. It had been like this all day. (Why had Karen left Phoenix again? … Never mind.) She knew she should have been home hours ago. Now it was well after dark, approaching midnight, and the streets hadn’t been plowed. Driving home would be dangerous. She sighed. More from habit than necessity, she opened the door to the car, sat, reached for her phone, and checked her email. 

“What? Again?”  

Karen was sick of receiving these cybersecurity training reminders from IT. They were obviously unaware that she had an important and fast-approaching deadline. If she missed it, she would lose her biggest account and Christmas bonus. Her children were counting on this bonus. They had planned a cruise during spring break. She didn’t have time to waste. 

On closer inspection, though, the email had nothing to do with training this time. Channeling all the security knowledge she had previously acquired through IT, Karen checked the sender address. 

“It’s good. It actually is from IT. It’s just for verification of my username and password. This one should be quick,” she thought. 

Oh no. Karen’s about to be the victim of a classic phishing-email-sender-verification oversight. And I’ll bet you’re thinking, “Tom, she checked the sender. She verified it really was from IT.” Yep. Most of our readers will notice from the start that Karen was astute. But it’s midnight. She’s tired and cupcake-drunk (ask me later), and she’s pushing up against a terrifying deadline. So, she did the only thing her amygdala would allow her to do: find the shortest path to safety. 

In this case, “safety” meant getting the annoying email out of the way so she could finish her report before the deadline. What she missed was context. IT never asks for a user to verify credentials in response to an email. Actually, she was instructed during on-boarding never to respond to an email requesting credential verification. The sender address was spoofed—a.k.a., faked. Yes, that’s a thing. 

The attack we’re scrutinizing this week is currently in use by a Russian attacker that Microsoft calls “Midnight Blizzard” (for real). The attack goes like this: thousands of emails are sent to users at various target companies. Attached to these emails is a file with a “.rdp” at the end of the name. This file will connect your computer with a server on the internet controlled by Midnight Blizzard. 
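As an added illustration (not part of the column), here is how a mail gateway or help desk can read what such an .rdp attachment would actually do before anyone opens it. A .rdp file is plain text, one setting per line; the allow-list suffix, the sample file and its host are constructed placeholders.

```python
"""Read what an .rdp attachment would do before anyone double-clicks it.

Added example, not part of the column. A .rdp file is plain text with one
"name:type:value" setting per line (type s = string, i = integer). The
allow-list suffix, the sample file and its host are constructed placeholders.
"""
import ipaddress
import re

# Hosts your own IT department actually publishes (assumed allow-list).
TRUSTED_SUFFIXES = ("example-corp.internal",)

# Standard Remote Desktop file settings that hand the remote side access to
# resources on the local machine; any non-zero value is worth a look.
EXPOSURE_KEYS = {
    "drivestoredirect": "local drives are shared with the remote server",
    "redirectclipboard": "clipboard is shared with the remote server",
    "redirectprinters": "printers are shared with the remote server",
    "redirectsmartcards": "smart cards are shared with the remote server",
}

# Constructed sample of a hostile attachment (203.0.113.0/24 is a
# documentation address range, not a real server).
SAMPLE_ATTACHMENT = """\
screen mode id:i:2
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
username:s:victim
"""

_SETTING = re.compile(r"^([^:]+):([si]):(.*)$")


def parse_rdp(text: str) -> dict:
    """Return {setting name: value}; integer settings are converted to int."""
    settings = {}
    for raw in text.splitlines():
        match = _SETTING.match(raw.strip())
        if match is None:
            continue  # blank or malformed line
        name, kind, value = match.groups()
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # keep the raw string if the file is malformed
        settings[name.lower()] = value
    return settings


def destination_host(settings: dict) -> str:
    """The 'full address' setting without a trailing ':port'."""
    address = settings.get("full address", "")
    return re.sub(r":\d+$", "", address).lower()


def is_trusted(host: str) -> bool:
    """True only for names under the allow-listed suffixes."""
    try:
        ipaddress.ip_address(host)
        return False  # IT hands out names, not bare IP addresses (assumed)
    except ValueError:
        pass
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def assess(text: str) -> dict:
    """Summarise where the file connects and what it exposes; block on any finding."""
    settings = parse_rdp(text)
    host = destination_host(settings)
    findings = []
    if not host:
        findings.append("no destination host in file")
    elif not is_trusted(host):
        findings.append(f"connects to untrusted host {host}")
    for key, meaning in EXPOSURE_KEYS.items():
        if settings.get(key) not in (None, 0, ""):
            findings.append(meaning)
    return {"host": host, "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    for finding in assess(SAMPLE_ATTACHMENT)["findings"]:
        print("BLOCK:", finding)
```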

Always remember, whether it’s the IT department asking for password verification, the IRS notifying you of an audit, or a Nigerian prince asking for a loan, the rule is the same: never respond to any communication asking you to verify anything. Never trust any information you receive in an email, phone call, or text. When in doubt, hang up the call, close the email or text, and make contact using a phone number you know is good. 

Even if Karen had chosen to remain in Phoenix, it would have served her to be wary of a blizzard. And it will serve you, too, whether in the blistering heat storms of Arizona or far beyond. 

Voting Village In Vegas: Gambling Or Voting? 

As you walk through the lobby of Caesar’s Palace, you marvel at the grand marble pillars and the sea of glittering chandeliers. You are floored by the opulence and glitz that surrounds you. The lobby bustles with tourists looking to win big, and their excitement fills the air. As you open the door to the conference room, though, the atmosphere does a complete 180. Computers, voting machines and E-polling devices fill the room wall to wall, with network and power cables snaked between them. Blinking lights pulse to a steady rhythm. You’ve just stepped into the DEF CON Voting Village. 

White hat hackers (the good guys) travel here annually from around the world to hack into voting machines and report whatever vulnerabilities they find to vendors and authorities. This year, their convergence at Caesar’s Palace took place from the tenth of August to the twelfth. They’ve been meeting since 1993, figuring out how to hack anything from security systems to light bulbs to cars. They started hacking voting machines in 2017.    

That first year, it took them two minutes to hack the system remotely and manipulate the votes. This year, one participant modified the touch-screen voting platform to show a video of Rick Astley’s “Never Gonna Give You Up”—just a fun little prank to demonstrate the system’s vulnerability. But beyond that, they found many real issues. For instance, they were able to use a USB drive to scramble the machines’ tallying capabilities. Though many more issues were found, they’ve been kept closely guarded so as not to fall into the hands of bad actors. 

The hacking team provided their results to the vendors. Unfortunately, none of the vulnerabilities they discovered will be fixed in time for the election. The vendors claim that there isn’t enough time, and that the process is much more complex than the tailoring and debugging of your monthly Microsoft updates. Many of the vulnerabilities DEF CON identified in their first Voting Villages were found again this year. Harri Hursti, Voting Village’s co-founder, said in an interview at the end of the event, “There’s so much basic stuff that should be happening and is not happening, so yes I’m worried about things not being fixed, but they haven’t been fixed for a long time, and I’m also angry about it.” 

Hursti seems concerned about the threat foreign adversaries pose to US elections. He noted that it took his team only two-and-a-half days to find and take advantage of the faults in the system. “If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves,” he said. I agree. Any organization with the resources and an incentive can easily hack this infrastructure.   

Jake Braun, another co-founder of the event, noted in a podcast in August that the E-poll books are especially easy to hack and are notorious for breaking often. This could cause serious delays. He recommends that polling stations print multiple copies of the voter registration lists for each district. 

In our column on voting machines this past spring, I noted that the calibration of the touchscreen affects how the voters’ input maps to different locations on the screen.  If the calibration is incorrect, it could alter the voters’ choices.  During early voting for the November election, there are reports that this has happened in both Tarrant County, TX and in Shelby County, TN. The screen showed the proper vote, but the printed copy showed a vote for the unselected candidate.  If you are using the touch screen device, check your printed ballot. 

Although gambling might be the heart of Las Vegas, it should not be the heart of Election Day. Using this infrastructure to determine who governs our land is like pulling the handle of a slot machine in Caesar’s lobby.

NSA And Your Privacy, How To Hide In Plain Sight 

Lightning flashes, splitting the darkness and casting a brilliant, grey light upon the boxy concrete building. The sight evokes a feeling of dread. It’s funny. For all its striving, the government cannot seem to communicate any other feeling in its architectural designs. This site would benefit from a flower bed or a colorful flag . . . but razor wire? 

I’m referring to the euphemistically-named Utah Data Center in Bluffdale, Utah—once a plot of dry desert grass, now a sprawling federal compound comprising a total of twelve cooling towers and two chiller plants. Chilling is right. The Wall Street Journal calls it a “symbol of the spy agency’s surveillance prowess”.

Edward Snowden, National Security Agency (NSA) contractor turned snitch, pulled back the curtain at the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center (in case you’ve ever wondered whether Doublespeak exists outside the book 1984). Behind the curtain sits a wizard of data storage capacity some have estimated at yottabytes or zettabytes—a.k.a., “tons and tons”. For perspective, 400 terabytes can store every book that has ever been written. Given that the suspected capacity of the Utah Data Center is a trillion times greater, its wizardry could hold a trillion copies of every book in the world. 

But they aren’t actually storing books. They’re storing copies of every text message, every email, every phone call, and every web search any of us has made since 2013. And now that the Artificial Intelligence genie is out of its lamp, we know how easy it is for this “benevolent” spy agency to find anything they want. (Hang on a second, my tin foil hat is sliding off a little.) 

Now, I’m often told by passers-by, “The government doesn’t care about me. I’m a nobody.” That’s true. They don’t care about you. Until they do. In 1932, approximately 3.9 million “nobodies” were starved to death in Ukraine. According to an authoritative article on History.com, the reason was (partly) “to punish independence-minded Ukrainians who posed a threat to [Stalin’s] totalitarian authority”. 

Here in Cochise County, we have a lot (terabytes, maybe?) of independent-minded citizens—nobodies, if you will—posting messages to Facebook and Instagram, Snapping, Tweeting, DM-ing, emailing, chatting over the phone without reserve. We nobodies have a choice to make: we can either continue to have faith that our privacy protections are guaranteed, or we can hide. 

If you’d like to hide, then consider encrypting all your communications. Two excellent choices are the Signal app for texting and phone calls and Proton Mail for all your email communications. I use them, and I know a lot of brilliant people who do the same, not because we have anything illegal to hide, but because we believe our private communications should remain private. 

The NSA plays an important role in safeguarding our Republic. May they continue to do so. Like lightning in a storm, may they shed light on the darkness that threatens to swallow us.

Butch Cassidy, the Sundance Kid, and the Money Mules 

On a dry and pitch-dark night in early June of 1899, the tired old engineer of the Union Pacific Railroad train thought he saw a flicker up ahead. Since he was just outside of Wilcox, Wyoming, he assumed those two lanterns meant that the bridge ahead was washed out. He rolled the engine to a stop, only to find that two masked men held the lanterns. With the “Hole-in-the-Wall” gang, led by the famous duo of Butch Cassidy and the Sundance Kid, running loose in these parts, he knew this was trouble. Soon four more bandits joined the first two, and they found the safe. When the security guard refused to open it, they laid dynamite and blew it open. The team of bandits made off with $50K in cash plus jewelry, gold, and diamonds.

Executing the heist was one thing, but getting away with it was another. Sundance handled the heist, and Butch handled the get-away. While Sundance’s team was busy cold-cocking engineers and blowing up safes, Butch was setting up a chain of horses to get the gang out of danger. They ran the horses until they were exhausted, then picked up fresh ones, so they stayed far out of reach of any pursuing posse.

Cybercrime today is a lot like the Wild West. The hackers are experts at executing the modern-day bank heist via the cyber realm. They skillfully slip into critical computers, crack passwords, and open up the victim’s bank account. Now how do they get the money out without being tracked? I’m glad that you asked. They use money mules. 

A money mule is someone who transfers the money from the victim’s account and wires it into the hacker’s account. They are the middlemen of the operation. The money mules have no idea that they are actively participating in a criminal activity. They think they have a part-time job that pays well. Sometimes they call themselves transfer agents. Money mule recruiters tend to target people looking for part-time, remote employment, and the jobs usually involve little work other than receiving and forwarding bank transfers. They advertise just like any other recruiter. Initially the mules are given busy-work: menial tasks for the first week, during which the criminals weed out the bad workers. If they are late to work or lazy, they are fired. A money mule must be reliable; an unreliable one could cost the organization a large amount of money.

On a given day the mule would watch the “company’s” message board for instructions. It would say something like: “Good morning. Our client, Acme Corp, is sending you some money today. Please visit your bank, withdraw this payment in cash, and then wire the funds in equal payments, minus your commission, to these three individuals in Eastern Europe.”  

Evil Corp, a Russian hacker group, used money mules in their operations and is in the news again. There have been multiple arrests in the United Kingdom, France, and Spain. Some of those arrested were the unwitting money mules. The United States Department of Justice worked with European authorities, as many of the Evil Corp victims were located in the United States.

Evil Corp’s leader, Maksim Yakubets, is still on the loose. Just like in the Wild West, there is a bounty on his head: $5M. His father-in-law, Eduard Benderskiy, was recently named and sanctioned by Western authorities, who described him as a protector of the Evil Corp crime organization.

If you see a post on social media or an unexpected direct message with a promise of easy money by being a money transfer agent, you may want to reconsider that opportunity. It could land you in jail. If you are like Butch and Sundance, you could end up surrounded by the Bolivian army in South America. Don’t take the bait.  

Darkness Rising 

In the darkness the stranger dragged Frodo’s little frame banging each creaky stair along the way. After ducking through the narrow doorway he deposited his charge onto a scratchy straw mattress. “Are you afraid?” was the first thing the sweaty stranger uttered as his heavy boots thundered across the worn planks. His heart pounding in his throat, the only words Frodo could squeak out were, “A little”. As the looming figure swept hastily through the dank air dousing each candle with his filthy fingers, he scolded Frodo, “Not frightened enough! I know what hunts you.” 

The hunters from the Tolkien world of Middle Earth may have once been fiction. Then and there, it was a world of sinister forces bent on destroying most, and dominating the rest. Driven by a delusional Dark Lord, the seeping despair of Mordor seemed inevitable. Here and now, the veneer of fiction is worn precariously thin. Like butter scraped across too much bread. Sinister, dominating, and delusional forces are wreaking actual havoc. Frodo timidly lurks inside each of us as we naively peer through the computer monitor into the depths of Mordor itself.  

Before anyone in Middle Earth feared the rise of the Dark Lord Sauron, there was a shadow in the east. But too many were too busy being normal in the light to fear the abnormal darkness they couldn’t see. Like the people of Middle Earth, there is a darkness looming. Lurking. Creeping. No, Mordor is not the Dark Web. Mordor isn’t even distant. Mordor isn’t rising. It has risen. It is here. Mordor is your email. Or your favorite website. Mordor is a text message, or even a phone call from your son or daughter.  

You see, back in the 1900s when the internet was born, security wasn’t an afterthought. Nor was it a forethought. In the 1900s, when the internet was shiny like a new penny, people planted gardens and helped strangers. Work was where you went. And home was where work didn’t dare go.

Now the new millennium has dawned. Work has invaded home. People don’t help strangers, or plant gardens. The internet has a patina. Or a mold. Or a fungus. Or a crust. And internet security is still mostly unthought. It’s sad that the millennial dawn did not bring the hope or relief it promised. Dawn brought chaos. The Internet brought chaos.

Since the internet was raised without rules or boundaries, like the Dark Lord Sauron, it is we who must change if we hope to defeat it. Our insistence that we can continue to do things the same way day after day is like carelessly giving a lift to a hitchhiker. Maybe it’s like thinking there will always be toilet paper at the store. Or that store-bought tomatoes are as good as those you used to grow in the back yard.  

At the end of Frodo’s story, the darkness of Mordor actually arrived at the shire. In the story of your world, you can’t really see the darkness. But the darkness can see you. In Frodo’s world, the antagonist was the aggressor. It’s usually the aggressor who has the upper hand. Oh, Frodo eventually won. But because he started too late there was a lot of pain between his home under the hill, the Mount called Doom, and back again. 

The Destruction of Tyre and the Security of Cloud Applications 

The city island of Tyre was a beautiful, powerful, and strategic Phoenician trading city in the eastern part of the Mediterranean Sea. Its defenses were so great that it survived a 13-year siege from the great Babylonian conqueror Nebuchadnezzar, starting in 586 BC. The people were proud of how impenetrable they were. That’s why, when Alexander the Great came along in 332 BC, they did not negotiate with him. So Alexander’s army razed Old Tyre, which was on the mainland next to the great island city of Tyre. The army used the rubble of Old Tyre to create a land bridge to the island of Tyre, where they laid siege to the city for 7 months, after which they utterly destroyed the city and the people.

That story comes to mind when I hear businesses say they don’t need cybersecurity protection because their data is in the cloud.  It is safe and sound and no one can hack it because it is not on site.  It’s hiding in the cloud.  Here are three reasons why they are wrong: Keyloggers, Stealers, and RATs.  

A keylogger is malware designed to record the keystrokes made on a computer or mobile device. A keylogger captures everything you type, including emails, passwords, messages, and search queries. This information is then sent to a third party.    

On a typical morning for a cloud-centric business, an employee starts work by opening email. On an infected system, the keylogger gives the attacker access to your business email, either to spy or to use the account for financial gain. The attacker is hoping your multi-factor authentication code is sent to the compromised email account. Next the employee logs into the business apps that are in the cloud. This could be a healthcare system, logistics system, or financial system – whatever makes that business move forward. Perhaps an administrator pays an invoice and types in bank account information or the username and password for the bank. Maybe they use a credit card to pay the invoice instead. That’s right! All that information is now in the hands of the hacker thanks to the keylogger.

Stealer malware, or infostealer malware, targets user credentials, browser data, cryptocurrency wallets, and any other personal data on your device. Not only can it take the usernames and passwords saved in your browser, but it can also steal the credentials from certain applications and accounts that are not run in the browser. Some stealers have been able to access crypto-wallets such as Phantom, Binance, Coinbase, and more. Stealers gather similar information to keyloggers, but they don’t have to wait for anyone to log in and start typing. They search your device for the information that is already available.

A Remote Access Trojan (RAT) is a type of malware that allows hackers to gain remote control over an infected computer or device. It gives the hacker a limited set of commands that provide that access. Sometimes they steal data. Other times they may install additional malware or spyware. They could reconfigure your local firewalls or shut down other security measures. RATs are usually distributed through phishing or emails with an Adobe PDF attached. The PDF calls an executable file to download the RAT.

What can you do about all this, you ask? First of all, do not fall for phishing and social engineering via email or text. Do not click on a link from a user you don’t know. Secondly, make sure you have set up multi-factor authentication everywhere possible, especially on anything dealing with money, but also on social media, email, and business applications. Making sure your anti-virus is up to date is a start, but that doesn’t stop zero-day or brand-new malware. Monitor your accounts. If you run a business, you should have endpoint detection and response (EDR) installed on all your computers. This is an application running on your computer that watches what is written to and executed on your system and prevents unauthorized execution. Talk to your local Cyber Guys for details.

Just because all your applications and systems are in the cloud doesn’t make you bulletproof.  Don’t be like Tyre and find out too late that Alexander is building a land bridge in the front yard.   

SS7 SMS Attacks, a Throwback to the Phreaking of the 70s 

This article will be hard for you to read. Not in the way all my other articles are hard to read. This one will be emotionally hard. And let me give you the call to action right now (in the government we call it the Bottom Line Up Front (BLUF)).  

The BLUF is this. You will need to do two things. First, log into all your bank accounts, other financial accounts, and your email accounts. Turn on Multi Factor Authentication and make sure you ARE NOT using SMS or text message for delivery of the One Time Passcode. Second, if you are in a relationship where you do not trust your partner, either reset your phone to factory settings or dispose of the phone and buy a new one. Then ensure they NEVER have access to your phone unlocked. Ever.

Now, the reason for all this. The technical parts that follow are necessarily grossly oversimplified. In 1975, the telecommunications industry developed a security protocol to reduce the impact of “phreaking”. Phreaking was a way to trick the telecom network into allowing long distance calls for free. The protocol was not secure. It hasn’t really been updated. And it is all over your cell phone. It’s called SS7. By abusing it, anyone can intercept your phone connection from anywhere in the world and access your text messages and phone calls, without installing any malware. And you will never know.  

So, if you use text messages (SMS) for that One Time Passcode from your bank, all an attacker needs are your phone number, username, and password.  They can render you penniless. Your financial accounts and your email accounts are probably the most important part of your digital life. Treat their logins with the utmost care. 
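For contrast with a passcode that rides over the carrier network, here is an added example (not from the column) of how an authenticator app computes the same kind of one-time code on the phone itself, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret used is the RFCs’ published test secret, not a real key.

```python
"""How an authenticator app makes a One Time Passcode with no SMS in the loop.

Added example, not from the column. Implements HOTP (RFC 4226) and TOTP
(RFC 6238): the code is computed on the phone from a shared secret and the
clock, so nothing crosses the carrier network for an SS7 eavesdropper to
read. The secret is the RFCs' published test secret, not a real key.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # from the RFC 4226 / 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = Unix time divided into 30-second steps."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, candidate: str, at: int, step: int = 30,
           digits: int = 6, drift: int = 1) -> bool:
    """Server side: accept the current step and `drift` steps either way
    (clock skew), comparing each candidate in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + i, digits), candidate)
        for i in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(RFC_TEST_SECRET, now))
```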

That’s the first part. The second is this. If you are now, or have ever been, in an abusive or otherwise untrustworthy relationship, what follows might sound familiar. Bob (names have been changed for privacy) met Jane, the girl of his dreams. He thought it was cute when Jane insisted that they share their phone PIN codes. The cuteness ended there. Eventually Jane began to insist on more and more control over Bob’s life. Without reciprocating. Eventually, Bob found all the contacts in his phone had been deleted. All the female contacts. And Jane had changed her PIN.

It’s just a PIN code. “You don’t have anything to hide” is your initial thought. But this sweet new addition to your life may have a dark side. This adorable partner could (with as little as $175) install spyware on your phone. Or buy a phone for you with the spyware already installed. The spyware literally gives them access to everything. Including both cameras and the microphone.

People make a huge fuss over the need to keep Social Security Numbers (SSN) private. But did you ever think the secrecy of your phone number would be more important than your SSN? When it comes to your phone number, in the words of Gandalf, “Keep it secret. Keep it safe.” Fortunately, unlike your SSN, you can get a new phone number. 

In addition to factory resetting the phone and setting up non-SMS-based MFA for your online accounts, you should SERIOUSLY consider using the Signal app for all your communications. For the SS7 hack, it will help by encrypting all your communications (voice and video calls, and text messages) so eavesdroppers can’t eavesdrop.

There are many more details. I’m more than happy to chat about it if you want to email me. Just no phone calls.  

Sale of the Eiffel Tower and Election Phishing 

In 1925, the Eiffel Tower was in a serious state of disrepair and there were rumors that it would be dismantled. Not one to let a good rumor go to waste, con artist Victor Lustig posed as a government official and invited several scrap metal dealers to a confidential meeting, claiming that the government wanted to sell the Eiffel Tower for scrap. Five dealers responded to his request for a meeting, and one dealer, Andre Poisson, made the highest bid for the 15,000-beam structure. Two days later the deal was closed for an undisclosed amount. By the time Poisson discovered he had been scammed, Lustig was in Austria.

Con men and scammers have been around for ages.  In this digital age, scammers are using technology to add credibility to their scams.   Through email and text messaging they can cast a broad net.  It is a good day for them even if they only reel in two victims out of one hundred emails or texts.    Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Phishing is the number one entry point for ransomware. 

Hackers use whatever topics are current or in the news to entice someone to let their guard down so the victim clicks the link or gives up critical information.  As the election is less than two months away, election campaign phishing is on the rise. As I was reviewing dark web reports, I noticed an advertisement selling a phishing platform.  They had templated the faux campaign donation emails and would provide the mass email platform.  The dark web customer could choose to target either the Harris or Trump voters, or both.  Nowadays, criminals don’t have to be technically proficient, they can outsource their evil.  

These days I am receiving several text messages a day asking me to donate to or vote for a particular candidate, with a link at the end of the message. From the text, it is hard to determine if the message is legitimate. If you are interested, search the internet for the candidate’s site and learn more there. If you are not interested, delete the message and mark it as junk. Whether it’s email or text, don’t click on any links.

Scammers use the same techniques whether it is a text, email, or a phone call.  If you receive a phone call, be very careful if you choose to engage the caller. If there is a campaign or a charity that you are interested in supporting, thank the caller for their time and go to a known-good website for that organization.  Do not give the caller any financial information like credit card or bank account numbers.  

Before donating to any Political Action Committee (PAC), it is a great idea to verify that the organization is legitimate. All PACs must register and report to the Federal Election Commission (FEC). Check out this website from the FEC to verify the organization: www.fec.gov/data/reports/pac-party

What does the sale of the Eiffel Tower and an election have in common?  They both have con men and scammers looking for ways to take advantage of unsuspecting victims. Just as Victor Lustig duped the scrap metal magnate, scammers are phishing to see who will take their bait. 

Don’t talk to strangers 

It was 1987. I was a junior in high school. And one of my best friends lived over an hour away. If I had owned a car that is. It was 1987 and I had no job and no car. But I really wanted to see my friend. So, I did what any other kid in high school in 1987 would do. I hitchhiked.  

For high school kids in the ’80s that wasn’t too big of a deal. It still wasn’t as safe as it had been during the 60’s and 70’s. But still the risk was low. It wouldn’t be the first time I’d hitchhiked either. I had been doing it for over a year. And I met some interesting people along the way.  

So not only did I talk to strangers, I got into their car with them. I heard their stories, and they heard mine. Then they dropped me off and we promptly forgot about each other. Now, I knew about stranger danger. Every kid who grew up in the 80’s and 90’s knew this. But that didn’t really seem to apply to me. And after all, it always turned out fine. Except for the time I got shot. With a fire extinguisher. From the passenger of a would-be free ride. 

These days the story is different. People mostly don’t hitchhike any more. But sadly, the warning to shun conversations with strangers is still ignored. Because we’re nice. 

If you have ever received a text message from a “wrong number” you’ve been had. They aren’t wrong numbers. They are shotgun blasting messages to thousands of potential good numbers and waiting for a response. So, let’s look at the anatomy of a “wrong number” text message. We’ll use the experience of a real victim but change the name for privacy’s sake.  

“Robert” receives a text message from a number not in his contact list. “Hi, did you enjoy the movie?” the message begins. “Who is this?” Robert replies. This is his first mistake. By responding, Robert has confirmed his number is valid. “This is Annie. Is this Frank?” Here is “Annie’s” first bait. By picking a random name, “she” is playing on Robert’s urge to correct her. So, he does: “No, this is Robert.” Now the scammer knows two things: the number is valid, and his name is Robert. At this point “Annie” can do a reverse lookup on the phone number and get Robert’s last name. With that she can look him up on social media.

With the frightening amount of data we willingly post to social media, “Annie” can get enough info to encourage Robert to continue the conversation. At some point, “Annie” will take the photos she gets from Robert’s social media account, alter them with Generative AI, and potentially use them to blackmail Robert.

It sounds far-fetched. But this happens thousands of times per day. All over the world. So, listen to your mother. Don’t talk to strangers. Set your phone to silence calls from those not in your contact list. Let the calls go to voicemail. And for texts, swipe left then select delete and block. Answering a call or text from a “wrong number” is like hitchhiking. Don’t do it. We don’t live in 1987 anymore. 

Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 

Week after week, we write about the latest breach or how hackers use social engineering to get into corporate and government systems, but as you read this in Cochise County you think these types of things only happen to big corporations in big cities.  You may think: “My small business is not worth the hackers’ efforts.”  I’ve got news for you; your small or medium-size business is worth their effort.  Why?  Because some businesses make it so easy for them. As we do forensic investigations locally in Cochise County, we have met some of the victims.  Sometimes healthcare providers post a banner on their web pages discussing their breach and compromised data. 

One of the most common ways hackers get unauthorized access to local business systems is to scan for open ports on public-facing servers. A port is simply a door into your network. The port in particular that they love is the one used for remote access. In this case, think of this port as the magic wardrobe the children found to enter Narnia. During COVID, when many switched from working at the office to working at home, the local IT guru opened that famous port so that users could remote into their server or desktop using Microsoft Remote Desktop. It was a great solution because it is easy, and it works. Unfortunately for many, it is not at all secure and is a favorite target for worldwide hackers.

It’s possible to scan the entire internet in hours. In 2019, a researcher named Robert Graham scanned the entire IPv4 address space for the remote desktop port and found around 3 million exposed servers. That’s exactly what the bad actors do. Once they find the open port, the first tactic they try is to determine the type of server and use the manufacturers’ default usernames and passwords. Many people never remove or reset these. Next, hackers will attempt a password-cracking technique. Some techniques are sophisticated, like the credential stuffing attack, where hackers look on the dark web for actual cracked passwords for the business that was hacked. They are hoping that people reuse their passwords. Another technique is to run a dictionary attack, where common usernames and passwords are automatically attempted. We see this occur locally: the port is opened for maintenance and within an hour there are failed login attempts from North Korea, China, Russia, and Iran. It really happens here in Cochise County.
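To show what those failed login attempts look like when you are actually watching for them, here is an added example (not from the column) that counts Windows logon-failure events per source address in a sliding one-hour window and tells a dictionary run across many usernames apart from a brute-force run on one. The log lines and their one-line layout are constructed, and the threshold is an assumption to tune for your own network.

```python
"""Spot the failed-logon storm the column describes against an exposed
Remote Desktop port.

Added example, not from the column. Each line is a constructed, simplified
rendering of a Windows Security event: 4625 = logon failure, 4624 = success,
LogonType 10 = RemoteInteractive (Remote Desktop). The threshold and window
are assumptions to tune for your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the column's "within an hour"
THRESHOLD = 5                 # failures from one source inside WINDOW (assumed)

# Constructed sample: a burst from one address trying several account names,
# then a legitimate user who mistypes once, succeeds, and mistypes again later.
SAMPLE_LOG = """\
2024-03-02T09:14:01Z 4625 LogonType=10 User=administrator Src=198.51.100.7
2024-03-02T09:14:03Z 4625 LogonType=10 User=admin Src=198.51.100.7
2024-03-02T09:14:05Z 4625 LogonType=10 User=sqladmin Src=198.51.100.7
2024-03-02T09:14:08Z 4625 LogonType=10 User=backup Src=198.51.100.7
2024-03-02T09:14:10Z 4625 LogonType=10 User=scanner Src=198.51.100.7
2024-03-02T09:14:12Z 4625 LogonType=10 User=guest Src=198.51.100.7
2024-03-02T09:20:00Z 4625 LogonType=10 User=jane Src=192.0.2.15
2024-03-02T09:20:30Z 4624 LogonType=10 User=jane Src=192.0.2.15
2024-03-02T11:40:00Z 4625 LogonType=10 User=jane Src=192.0.2.15
"""


def parse_event(line: str) -> dict:
    """Split 'timestamp event_id Key=Value ...' into a dict."""
    stamp, event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return {
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event_id,
        "logon_type": kv.get("LogonType"),
        "user": kv.get("User"),
        "src": kv.get("Src"),
    }


def detect(log_text: str, threshold: int = THRESHOLD,
           window: timedelta = WINDOW) -> list:
    """Return one alert per source address that reaches `threshold`
    Remote Desktop logon failures inside any `window`-long span."""
    recent = defaultdict(list)  # src -> [(time, user)] still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event"] != "4625" or ev["logon_type"] != "10":
            continue  # only Remote Desktop failures count here
        cutoff = ev["time"] - window
        hits = [h for h in recent[ev["src"]] if h[0] >= cutoff]  # slide window
        hits.append((ev["time"], ev["user"]))
        recent[ev["src"]] = hits
        if len(hits) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            users = {u for _, u in hits}
            alerts.append({
                "src": ev["src"],
                "failures": len(hits),
                "distinct_users": len(users),
                # many usernames in quick succession is the dictionary pattern
                # the column describes; one username hammered is brute force
                "pattern": "dictionary attack" if len(users) > 1 else "brute force",
                "first": hits[0][0].isoformat(),
                "last": hits[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```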

Many business owners believe that they are safe from cyber-attacks because their IT person assured the owners that they have the best firewall the world has ever seen along with the latest and greatest anti-virus. This is a good start, but the bad news is that unless you block internet and email traffic on the firewall, it won’t stop phishing emails. Your anti-virus won’t stop brand new malware. According to Verizon’s 2023 Data Breach Report, around 90% of breaches are linked to phishing emails. The others are related to downloading malware through internet browsing.

Some business owners might say they are safe and don’t need cyber security because their software is cloud-based.  In that case, what happens when an employee downloads a key-logger program that was on a link in their email?   The hacker has access to all company data and if that employee had administrative privileges, the hacker has total control.   

If a breach or ransomware attack could shut down your business for more than a day, or if a breach would make you liable to your clients, your business needs solid cybersecurity. We recommend a defense-in-depth strategy where there are multiple layers of defense. Start with the basics of up-to-date firewalls and anti-virus, then add endpoint detection and response (EDR) that stops malware from executing, then get some monitoring and user training. Follow that up with solid security policies.

Don’t be an easy target.  Harden your business with a defense-in-depth strategy to thrive in the digital world.  Get a cyber risk assessment done to make sure that you are not low hanging fruit for the lazy hacker.