Ransomware: Lessons learned

December 20, 2016

Don’t say that we didn’t warn you (see here, here and especially here). Here’s a tale about a synagogue in the NYC area, but it could happen to anyone.

In mid-November the rabbi’s secretary was going about her business on the shul computer. Whether she was duped to click on an infected popup advertisement or she visited an infected website the damage was done. What we do know is that this ransom note appeared on her screen:

ransomware-warning

Then the panic. The note was accurate, they were locked out of the shul’s only computer. What should the shul do?

  • They couldn’t get to their Quickbooks.
  • They couldn’t get to their member software.
  • They couldn’t get to the file with the Yahrzeits.
  • They couldn’t get to their record of Kol Nidre pledges

Some computer-savvy members tried various tools, but no luck. The problem was eventually brought to the synagogue board and a hearty debate followed. Would they just be paying a ransom and get nothing in return (See the FBI guidance here)?  Finally, the vote was to pay the ransom, 3 bitcoins (almost $2,400).  Fortunately, the thieves were relatively honest. The synagogue’s files were decrypted and they could recover their data. Many other victims pay, but their computers remain locked.

Lessons learned

People, there’s nothing new here. Check out JCRC-NY’s Cybersecurity Resources page and our cybersecurity blog posts. This episode is an expensive reminder that it’s crucial to practice good cyber-hygiene.

  1. Backup, backup, backup. There is no excuse. External thumb drives and hard drives are cheap. Buy one and take the time to configure the backup program so that it automatically, regularly keeps critical data safe. There are many free or low-cost cloud options. Backup to Google Drive, Dropbox or a cloud server provided by your anti-virus/backup program. The data in some shul membership management programs are automatically saved to the cloud which may even be monitored by full-time cybersecurity staff. Finally, more than one backup (e.g., one onsite, one offsite or in the cloud)  is better than one … one is better than none.
  2. Keep your anti-virus software up-to-date. The bad guys are smart and they’re getting smarter. Somehow, the bad guys got the rabbi’s secretary to click on the infected link. Our poor synagogue had anti-virus software, but it was a year out-of-date (duh, it turns itself off).  Most of the better anti-virus programs are updated constantly and will probably stop a ransomware attack before your data is seized. Buy a license that will protect all of your computers. (see bargain software rates for nonprofits at Techsoup).
  3. Have strong passwords and record them. Whoever set up the synagogue’s computer did follow “best practice” and didn’t give the users “Administrator” access (pardon the techy-talk). The trouble was that no one knew that password so the consultant who assisted the synagogue had to get permission from the board to reset the password before she could revive the computer. Click to https://www.lockdownyourlogin.com/ for the latest guidance on passwords.
  4. Beware of residual “bread crumbs”. Some ransomware leaves malware on a computer so that the bad guys can re-infect the computer. After all, you paid once, won’t you pay again? Once you have recovered the encrypted files, use multiple products to scan your computer: first your new, up-to-date anti-virus program, then a some others (the trial or basic versions are available free online) such as Malwarebytes, CCleaner, SUPERAntispyware, to name a few. There is no perfect solution. Each may find something that the others missed.
  5. Cybersecurity is a board responsibility. The incident was an expensive lesson. When no one on staff has computer skills, the board has a fiduciary responsibility to make sure that the staff know the basics of cyber-hygiene: the software is being updated, the backups are made, the anti-virus programs are working.

Finally, kudos to JCRC-NY’s outside computer maven from Dragonfly Technologies, who dropped everything to travel to the shul and spent many hours into the night to get them back in business and up-to-date.

Phishing: Will you be a victim?

December 01, 2016

Phishing attacks — usually giving you a plausible reason to “change” your password — have increased. Once they have your account information many criminal avenues open up. Here’s some background and good advice from Stratfor.

Start with Security: A Cybersecurity Guide for Business (even nonprofits)

October 13, 2016

Lessons from Federal Trade Commission cases

Go to the FTC Start with Security website here or click here to download a PDF copy of their full recommendations.

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

It’s National Cyber Security Awareness Month

October 05, 2016

Cyber Security is Everyone’s Responsibility

Data breaches resulting in the compromise of personally identifiable information of thousands of Americans. Intrusions into financial, corporate, and government networks. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general.

These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity—high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

But it’s important for individuals, businesses, and others to be involved in their own cyber security. And National Cyber Security Awareness Month—a Department of Homeland Security-administered campaign held every October—is perhaps the most appropriate time to reflect on the universe of cyber threats and on doing your part to secure your own devices, networks, and data.

What are some of the more prolific cyber threats we’re currently facing?

Ransomware is type of malware that infects computers and restricts users’ access to their files or threatens the permanent destruction of their information unless a ransom is paid. In addition to individual users, ransomware has infected entities such as schools, hospitals, and police departments. The actors behind these sophisticated schemes advise the users that if they pay the ransom, they will receive the private key needed to decrypt the files. Most recently, these cyber criminals—demonstrating some business savvy—give victims the option of decrypting one file for free to prove that they have the ability to restore the locked files.

Business e-mail compromise, or BEC, scams continue to impact many businesses across the U.S. and abroad. BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts—often belonging to either the chief executive officer or the chief financial officer—for the purpose of conducting unauthorized wire transfers. After compromising a company’s e-mail account—usually through social engineering or malware—the criminals are then able to send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account. BEC scams have been reported in all 50 states and in 100 countries and have caused estimated losses of more than $3 billion worldwide. More on BEC scams.

Intellectual property theft involves robbing individuals or companies of their ideas, inventions, and creative expressions—often stolen when computers and networks are accessed by unscrupulous competitors, hackers, and other criminals. Intellectual property can include everything from trade secrets and proprietary products and parts to movies, music, and software. And the enforcement of laws protecting intellectual property rights (IPR)—which are critical to protecting the U.S. economy, our national security, and the health and safety of the American public—is an FBI criminal priority. The Bureau’s IPR focus is the theft of trade secrets and infringements on products that can impact consumers’ health and safety, including counterfeit aircraft, automotive, and electronic parts.

“The FBI is doing everything we possibly can, at every level, to make it harder for cyber criminals to operate,” says Associate Executive Assistant Director David Johnson, “and I believe many of them are now starting to think twice before they put fingers to keyboard. But we also ask that the public do its part by taking precautions and implementing safeguards to protect their own data.”

Check back on our website during the month of October for information on protecting your data and devices and on FBI efforts to combat the most egregious cyber criminals.

Ransomware victims urged to report infections

September 15, 2016

FBI

 

 

 

September 15, 2016/Alert Number I-091516-PSA

RANSOMWARE VICTIMS URGED TO REPORT INFECTIONS TO FEDERAL LAW ENFORCEMENT

FBI says “don’t be a victim”: Ransomware on the rise

May 01, 2016

Graphic of Tablet Screen with Lock and Key (Stock Image)From the FBI’s Cyber Division: Incidents on the rise, protect yourself and your organization

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. See a New York Times article here.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

While the below tips are primarily aimed at organizations and their employees, some are also applicable to individual users.

Tips for Dealing with the Ransomware Threat

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

How does it work?

In a ransomware attack, victims—upon seeing an e-mail addressed to them—will open it and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

One the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

The FBI doesn’t support paying a ransom in response to a ransomware attack. Said Trainor, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

So what does the FBI recommend?

As ransomware techniques and malware continue to evolve—and because it’s difficult to detect a ransomware compromise before it’s too late—organizations in particular should focus on two main areas:

Prevention efforts—both in both in terms of awareness training for employees and robust technical prevention controls; and
The creation of a solid business continuity plan in the event of a ransomware attack. (See sidebar for more information.)
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

Resources:

IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s

March 02, 2016

WASHINGTON — The Internal Revenue Service today issued an alert to payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

The IRS has learned this scheme — part of the surge in phishing emails seen this year — already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

IRS Criminal Investigation already is reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.

This phishing variation is known as a “spoofing” email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.

The following are some of the details contained in the e-mails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community.

The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.

The IRS, state tax agencies and tax industry are engaged in a public awareness campaign — Taxes. Security. Together. — to encourage everyone to do more to protect personal, financial and tax data. See IRS.gov/taxessecuritytogether or Publication 4524 for additional steps you can take to protect yourself.

What is cyber-hygiene? IRS guidance on Cyber-Monday

November 30, 2015

Sometimes the IRS really does want to help us. Their suggestions are straightforward and spot on:


Photo credit: Duke University

Seven Tips to Protect Your Computer Online

IRS Security Awareness Tax Tip Number 1, November 23, 2015

The Internal Revenue Service, the states and the tax industry urge you to be safe online and remind you to take important steps to help protect yourself against identity theft.

Taxes. Security. Together. Working in partnership with you, we can make a difference.

Scammers, hackers and identity thieves are looking to steal your personal information – and your money. But there are simple steps you can take to help protect yourself, like keeping your computer software up-to-date and giving out your personal information only when you have a good reason.

We all have a role to play to protect your tax account. There are just a few easy and practical steps you can take to protect yourself as you conduct your personal business online.

Here are some best practices you can follow to protect your tax and financial information:

  1. Understand and Use Security Software.  Security software helps protect your computer against the digital threats which are prevalent online. Generally, your operating system will include security software or you can access free security software from well-known companies or Internet providers. Other options may have an annual licensing fee and offer more features. Essential tools include a firewall, virus/malware protection and file encryption if you keep sensitive financial/tax documents on your computer. Security suites often come with firewall, anti-virus and anti-spam, parental controls and privacy protection. File encryption to protect your saved documents may have to be purchased separately. Do not buy security software offered as an unexpected pop-up ad on your computer or email! It’s likely from a scammer.
  2. Allow Security Software to Update Automatically.  Set your security software to update automatically. Malware – malicious software – evolves constantly and your security software suite is updated routinely to keep pace.
  3. Look for the “S” for Encrypted “https” Websites.  When shopping or banking online, always look to see that the site uses encryption to protect your information. Look for https at the beginning of the web address. The “s” is for secure. Unencrypted sites begin with an http address. Additionally, make sure the https carries through on all pages, not just the sign-on page.
  4. Use Strong Passwords.  Use passwords of at least 10 to 12 characters, mixing letters, numbers and special characters. Don’t use your name, birthdate or common words. Don’t use the same password for several accounts. Keep your password list in a secure place or use a password manager. Don’t share your password with anyone. Calls, texts or emails pretending to be from legitimate companies or the IRS asking you to update your accounts or seeking personal financial information are generally scams.
  5. Secure Your Wireless Network.  A wireless network sends a signal through the air that allows you to connect to the Internet. If your home or business wi-fi is unsecured it also allows any computer within range to access your wireless and steal information from your computer. Criminals also can use your wireless to send spam or commit crimes that would be traced back to your account. Always encrypt your wireless. Generally, you must turn on this feature and create a password.
  6. Be Cautious When Using Public Wireless Networks.  Public wi-fi hotspots are convenient but often not secure. Tax or financial Information you send though websites or mobile apps may be accessed by someone else. If a public Wi-Fi hotspot does not require a password, it probably is not secure. If you are transmitting sensitive information, look for the “s” in https in the website address to ensure that the information will be secure.
  7. Avoid Phishing Attempts.  Never reply to emails, texts or pop-up messages asking for your personal, tax or financial information. One common trick by criminals is to impersonate a business such as your financial institution, tax software provider or the IRS, asking you to update your account and providing a link. Never click on links even if they seem to be from organizations you trust. Go directly to the organization’s website. Legitimate businesses don’t ask you to send sensitive information through unsecured channels.

To learn additional steps you can take to protect your personal and financial data, visit Taxes. Security. Together. Also read Publication 4524, Security Awareness for Taxpayers.

Each and every taxpayer has a set of fundamental rights they should be aware of when dealing with the IRS. These are your Taxpayer Bill of Rights. Explore your rights and our obligations to protect them on IRS.gov.

IRS YouTube Video:

  • Taxes. Security. Together. – English

Cybersecurity: it’s not too late

October 08, 2015

Security crosswordSee the blog entry below from TechSoup, and the Cyber-awareness pages from the FBI and the NYPD and the JCRC Cybersecurity Resources page. Take a quiz from Symantec. Raise your Cyber-awareness and Cyber-security before it’s too late!


Are you a trivia master? Or a security enthusiast? Put your security smarts to the test and take the weekly security quiz brought to you by Symantec! For the entire month of October, TechSoup and our donor partners will be participating in National Cyber Security Awareness Month (also known as NCSAM). We’ll have blog posts, virtual events, resources, and more to help your organization stay secure online.

Here’s the sweet part: if you answer the quizzes correctly, you’ll be eligible for a prize courtesy of Symantec! We’ll be doing a random drawing weekly for a $100 Amazon gift card. And if you answer all four quizzes correctly, you might win a $500 Amazon gift card.

Read the sweepstakes terms and conditions.

Week 1 Quiz: Malware, Adware, and Viruses, Oh My!
Do you know the difference between malware, adware, viruses, and worms, and how to avoid them?

  • Malware is a term used to describe programs that are written with malicious intent. There are multiple types of malware used for a variety of nefarious purposes.
  • Adware makes its way on to your computer and causes unwanted advertisements to pop up. It may change your home screen or redirect you to websites you do not intentionally access.
  • Viruses are like a bad cold; this specific type of malware spreads itself once it’s initially run. Viruses can attach themselves to good files on your machine, or be self-contained and search out other machines to infect.
  • Worms are a type of virus that do not need to attach themselves to a good file to run. These bad guys move around on their own, as self-contained viruses, searching out other machines to infect.

Take the Quiz Now

Study Up
Need some more information before you start the quiz? Check out these security resources from TechSoup and beyond:

    • Safer Internet Guide
    • Stay Safe Online. The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity. Check out their resources.

Image: Maksim Kabakou / Shutterstock