Importance of Disabling Legacy Applications Such as Internet Explorer
“Legacy” applications are products that are no longer supported and therefore no longer receive updates. Once a product is unsupported, any vulnerability found in it stays unpatched, which gives bad actors a standing opportunity to use it to get into your network or steal your data. Getting employees on board with the latest version is not always the easiest task, but from a security standpoint it is the most important one.
Internet Explorer 11 (IE11) is one of the most widely used applications around, which has made it one of the hardest for people to let go of. Because a web browser is used for such a wide variety of tasks, it is especially important to keep it current. For security reasons, Microsoft has disabled IE11 through an update that steers users over to Microsoft Edge. That update has only been pushed to certain versions of Windows 10 (20H2 and newer). Microsoft is also working on updates that remove the IE11 icons from the desktop, the Start menu, and the taskbar. To ease the transition, Microsoft Edge includes IE mode, which lets users run web applications that only work with IE inside Edge (useful for environments that have kept IE around for compatibility reasons). Unfortunately, older systems (Windows 10 prior to 20H2, Windows 7, Windows Server 2008 R2, etc.) will not receive the update and can still run IE11, leaving those hosts exposed to current and future exploits against the deprecated browser. The best policy is to keep Windows patching up to date, after updating and testing in dev and test environments first. For further detail and to stay current on the matter: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549.
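As an added example (not part of the original tip), the following PowerShell audits a single host for the situation described above: whether its build is new enough to receive the retirement update, whether the “Disable Internet Explorer 11 as a standalone browser” Group Policy is applied, and whether Edge IE mode has a site list configured. The registry locations are the ones those Group Policy and Edge policy settings write to; treat them as an assumption to verify against your own ADMX templates. The 20H2 cutoff is build 19042.

```powershell
# Added example (not from the original tip): audit one Windows host for IE11 exposure.
# Assumptions (verify against your ADMX files): the "Disable Internet Explorer 11 as a
# standalone browser" policy writes NotifyDisableIEOptions under
# HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main, and Edge IE mode is driven by the
# InternetExplorerIntegrationLevel / InternetExplorerIntegrationSiteList Edge policies.
function Get-IE11Exposure {
    [CmdletBinding()]
    param()

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    # DisplayVersion exists from 20H2 onward; older builds only carry ReleaseId.
    $version = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Windows 10 20H2 is build 19042; anything below it never receives the IE11 retirement update.
    $retirementEligible = $build -ge 19042

    $iePolicy   = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $edgePolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue

    $ieDisabledByPolicy = ($null -ne $iePolicy) -and ($null -ne $iePolicy.NotifyDisableIEOptions)
    $ieModeConfigured   = ($null -ne $edgePolicy) -and ($edgePolicy.InternetExplorerIntegrationLevel -eq 1) -and
                          (-not [string]::IsNullOrWhiteSpace($edgePolicy.InternetExplorerIntegrationSiteList))

    $iexplore = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ProductName        = $cv.ProductName
        Version            = $version
        Build              = $build
        RetirementEligible = $retirementEligible
        IEDisabledByPolicy = $ieDisabledByPolicy
        IEModeConfigured   = $ieModeConfigured
        IEBinaryPresent    = Test-Path $iexplore
        # Still exposed if the host cannot get the retirement update and nothing disables IE11 by policy.
        Exposed            = (-not $retirementEligible) -and (-not $ieDisabledByPolicy)
    }
}

# Run locally, or fan out across the fleet and keep the evidence:
Get-IE11Exposure | Format-List
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-IE11Exposure} |
#     Export-Csv .\ie11-audit.csv -NoTypeInformation
```

Hosts that come back with Exposed set to True are the ones the paragraph warns about: they will never receive the retirement update, so the only options are the policy, removal of the host, or accepting the risk in writing.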
Wherever possible, get “Legacy” applications out of your environment and help keep your network up to date and secure!
Authored by: Taylor Conder, Sec+
Exploiting the Silicon Valley Bank (SVB) Failure
The recent high-profile failures of SVB, Signature, and Silvergate Bank have been at the forefront of the news cycle. Unfortunately, this has given threat actors a chance to seize the moment and exploit the fear and panic surrounding these events. Treat anything tied to these events with suspicion: in particular, emails with attachments or links, social media posts, texts, or phone calls that convey an urgent call to action or ask you to disclose sensitive data. Below are some scenarios currently being used to manipulate people and steal information.
Risk #1: Fraudulent Transfers
The most common attack vector is impersonation of a trusted contact. For example, the threat actor impersonates one of your suppliers or vendors via email, text, or phone call, claiming they have moved from SVB to another bank and urgently need you to wire payment to the new account.
Remind your employees never to send payments to account details received through unofficial channels. Any change to an existing payment process must be explicitly verified by contacting the vendor the request claims to come from and confirming they actually sent it. Use existing, known points of contact; do not reply to the email or call any number provided in the request to verify the change.
Risk #2: Phishing for Bank Account Credentials
A threat actor sends an email claiming to be from the FDIC, SVB, or another government agency, with instructions on how to access your funds. You are asked to log in to your “new” account immediately, using your old credentials, via a link in the email. Needless to say, the link leads to a credential-harvesting web page.
Remind your employees and customers that they should never provide credentials to sites that are accessed via links incorporated in email messages, phone calls, or SMS. Use only trusted sources such as the FDIC web site or SVB banking site to identify how to access your funds.
Risk #3: Spreading Panic and Misinformation
In addition to the above direct risks, attackers and hacktivists may also attempt to leverage existing tensions to accelerate panic and uncertainty by spreading disinformation on the alleged collapse of additional banks. You may see social media messages informing you that the banks you’re working with are at risk, urging you to withdraw your funds before it’s too late.
Only trust official communication channels from your banks and trusted government sources and avoid forwarding uncorroborated messages via social media or other communication channels.
Utilize Security Awareness Training to heighten understanding of social engineering risks.
Harden email security by:
Authored by: CalTech Information Security Team
Think before you click….
Phishing emails are becoming more realistic, and it is important to know what to look for and to be on the lookout. Certain things to review in emails to confirm legitimacy can be:
• Review the sender information in the header carefully: a display name that doesn’t match the actual address, or an address on a lookalike domain, is a red flag. In other words, the boss isn’t going to email you from firstname.lastname@example.org. Also compare the Reply-To address with the From address; replies that go somewhere else are a common trick.
• Before clicking any hyperlink in an email, hover over it and check whether the destination URL looks suspicious. The link text and the actual destination can be completely different.
• Do not open unexpected attachments, especially zip files and macro-enabled Office files, as they can contain hidden malicious code. If there is any question whether an attachment is legitimate, contact the sender directly by phone (using a number you already have) and ask, “Did you send this?”
• Be careful when downloading images within an email. It’s possible, though very rare, for images to carry malicious code, and loading remote images also tells the sender that your address is live.
• When checking email on a mobile device, be extra careful, as it is harder to review the sender and link details and confirm the message is legitimate. If in doubt, hold off and review the email more thoroughly on a desktop.
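As an added example (not part of the original tip), the following PowerShell applies the header and link checks from the list above to a raw message. The message, the domains, and the pressure-word list are constructed for the example and are not from any real incident.

```powershell
# Added example (not from the original tip): flag the sender and link red flags described above
# in a raw email. The message below is constructed; the domains are placeholders.
$sample = @'
Return-Path: <bounce@mail-relay.example>
From: "Jane Doe (CEO)" <jane.doe@examp1e-bank.com>
Reply-To: <accounts@mail-relay.example>
To: <taylor@example-bank.com>
Subject: Urgent wire change
Content-Type: text/html

<html><body>
<p>Please review the new wiring instructions here:
<a href="http://login.examp1e-bank.com/secure">https://portal.example-bank.com/wires</a></p>
</body></html>
'@

function Get-PhishIndicators {
    param(
        [Parameter(Mandatory)][string]$RawMessage,
        # The domain your organization actually sends from.
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    # Headers end at the first blank line; unfold RFC 5322 continuation lines before parsing.
    $parts      = $RawMessage -split "`r?`n`r?`n", 2
    $headerText = $parts[0] -replace "`r?`n[ \t]+", ' '
    $headers    = @{}
    foreach ($line in ($headerText -split "`r?`n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $headers[$matches[1].ToLower()] = $matches[2] }
    }
    $body = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    # Pull the domain out of an address header (display name is ignored on purpose).
    $addrDomain   = { param($v) if ($v -match '@([A-Za-z0-9.-]+)') { $matches[1].ToLower() } }
    $fromDomain   = & $addrDomain $headers['from']
    $replyDomain  = & $addrDomain $headers['reply-to']
    $returnDomain = & $addrDomain $headers['return-path']

    $findings = @()
    if ($fromDomain -and $fromDomain -ne $TrustedDomain.ToLower()) {
        $findings += "From domain '$fromDomain' is not the trusted domain '$TrustedDomain'"
    }
    if ($replyDomain -and $replyDomain -ne $fromDomain) {
        $findings += "Reply-To domain '$replyDomain' differs from From domain '$fromDomain'"
    }
    if ($returnDomain -and $returnDomain -ne $fromDomain) {
        $findings += "Return-Path domain '$returnDomain' differs from From domain '$fromDomain'"
    }

    # Link text that looks like one URL while the href points somewhere else (what "hover" reveals).
    $linkPattern = '<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($body, $linkPattern, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value
        $text = $m.Groups[2].Value.Trim()
        $hrefUri = $href -as [uri]
        if (-not $hrefUri) { $findings += "Unparseable link target '$href'"; continue }
        if ($text -match '^https?://' -and (([uri]$text).Host -ne $hrefUri.Host)) {
            $findings += "Link text shows '$(([uri]$text).Host)' but points to '$($hrefUri.Host)'"
        }
        if ($hrefUri.Scheme -eq 'http') {
            $findings += "Link to '$($hrefUri.Host)' is plain HTTP"
        }
    }

    # Urgency is the social-engineering lever; constructed word list, extend as needed.
    if (($headers['subject'] -as [string]) -match 'urgent|immediately|final notice') {
        $findings += "Subject uses pressure language: '$($headers['subject'])'"
    }
    return $findings
}

Get-PhishIndicators -RawMessage $sample -TrustedDomain 'example-bank.com'
```

On the constructed message this reports the lookalike From domain, the mismatched Reply-To and Return-Path, the link whose text and destination disagree, the plain-HTTP link, and the urgent subject. None of these checks replaces a phone call to the sender; they are the mechanical version of the “review the header and hover over the link” steps.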
Authored by: Taylor Conder, Sec+
Lock It Down!
Whether it’s our homes, our cars, or our bicycles, we know if we truly want to keep our valuables, we need to lock them up. Leaving ourselves exposed may not always lead to problems, but we know we’re secure when we keep our items locked.
In the same way, we need to lock our digital items when we’re away. It’s far too common to see smartphones, tablets, and computers left unlocked with no one in sight. With one quick move, a malicious attacker could snag your device and take all your information along with that expensive piece of technology.
However, a long-gone device is not the only threat. An attacker could leave the device but take important information from it: usernames, passwords, banking details, or other personally identifiable information. Furthermore, an attacker could extract proprietary information from your place of business, jeopardizing not only yourself but the company you work for.
To combat this, 10-D Security recommends considering the following steps to secure your systems:
• Set a password or passcode on your devices.
• Lock your device when you need to leave it unattended.
• Implement a policy for screen locking after periods of inactivity.
• Configure the device to encrypt data.
For organizations looking to protect company applications and data on mobile phones and tablets, a Mobile Device Management (MDM) system can be implemented to enable your organization to configure and manage these security measures across all devices. There are a lot of choices out there for MDM systems, and like most things IT, they all generally work well so long as their management and oversight are consistent.
With the above steps, you can better protect your digital world from attackers waiting for the moment you’re not looking.
Authored by: Scott Schook, PenTest+, eJPT
Healthcare Reimbursement Phishing Scams
When you request a reimbursement from your healthcare provider, it may be completed through a third-party payment processor. These payment processors often offer direct deposit payments so you can get reimbursed as soon as possible. Unfortunately, cybercriminals can use social engineering to try to steal your reimbursement.
In a recent scam, cybercriminals are sending phishing emails that appear to be related to an active reimbursement request. The emails ask you to verify your request number and other identifying information to finish processing your request. If you provide this information, cybercriminals can use it to gain access to your account by verifying your identity. Then, they can update your direct deposit information to redirect payments to their own bank accounts.
Follow these tips to stay safe from healthcare claim scams:
Always enable multi-factor authentication (MFA) on your accounts when available. MFA adds a layer of security by requiring that you provide additional verification to log in to your account.
Malicious Monkeypox Scams
As health-related anxiety continues to be high from the COVID-19 pandemic, cybercriminals are creating scams to target a different health concern. Cybercriminals are using fear about monkeypox outbreaks to scare you into sharing sensitive information.
In one scam, cybercriminals send you an email about the latest monkeypox outbreaks and provide a link to mandatory safety awareness training. When you click this link, you’ll be taken to a fake Microsoft login page. If you enter your login credentials, you won’t get access to monkeypox safety awareness training. Instead, cybercriminals will get access to your credentials and account.
To stay safe from similar scams, remember the following tips:
Zero-Day Chrome Vulnerability No. 5 for 2022
The fifth Google Chrome zero-day vulnerability of 2022 has been disclosed. Automatic updates are being pushed out in stages, but anyone can update manually now. The vulnerability, CVE-2022-2856, carries a ‘high severity’ rating and follows CVE-2022-0609 in February, CVE-2022-1096 in March, CVE-2022-1364 in April, and CVE-2022-2294 in July.
Google Chrome is the most popular browser in the world, owning almost 65% of the market. For more details about this zero-day vulnerability go to, https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html.
Authored by: Brad Goetsch
Scam of the month – Using QuickBooks to make a quick buck
QuickBooks is a popular accounting software that offers free accounts to its users. While many individuals and organizations use QuickBooks to track their finances, cybercriminals have been using it to run a “business” of their own. In a new scam, cybercriminals create a free QuickBooks account and use the associated email address to send you malicious emails.
To start, cybercriminals send you a phishing email that appears to be an invoice from a reputable organization, such as Norton or Microsoft. The email includes a phone number and directs you to call if the invoice seems suspicious. If you call the phone number, you’ll be asked to confirm your credit card information to cancel the fake transaction. Unfortunately, if you share this information, the cybercriminals can use it to make their own purchases.
To protect yourself from this malicious scam, follow the tips below:
Cybercriminals can use fake invoices to alarm you and trick you into clicking impulsively. Always think before you click!
Authored by: CalTech
Don’t Post That Pic!
A little advice on oversharing sensitive personal information this week. Ah, summertime. It’s a time for relaxation and fun, but for some, it is that time of year their teenage driver FINALLY gets their learner’s permit or restricted driver’s license. There were likely many stressful hours in the car earning this coveted piece of freedom, not to mention the countless brake checks, the thumping of a parent’s foot on the imaginary brake pedal in the passenger floorboard, or maybe just the sheer number of times that little handle above the passenger’s seat was grabbed.
But now the young driver has their license! Not only does this open a new world of possibilities to them, but the parent has also unlocked a parenting achievement: someone to run errands for them! This achievement can make a parent (or kid!) want to boast proudly with a picture of the young driver holding their newly acquired driver’s license on social media.
There is some risk here! Phone cameras are pretty good today, and it’s not hard at all to zoom in and clearly see the driver’s license number, legal name, date of birth, and signature! If you want to post that picture, do the responsible thing, and blur or obfuscate that info before you post it. It is obvious what they are holding (with the DMV in the background), don’t give the bad actors of the world that personal information so easily.
Authored by: Dave Kelly, PenTest+, CEH
Top 8 ways to have a safe and happy Independence Day!
While you are out enjoying your 4th of July holiday, here are a few tips to keep in mind:
ELDER FINANCIAL EXPLOITATION – ENOUGH IS ENOUGH
Sadly, we’ve all seen, heard, or read articles regarding the proliferation of scams during the past two years. I would venture to guess that most of you are like me … nothing gets my blood boiling more than hearing about those schmucks out there who have scammed and defrauded an elderly person. I remember my own parents and grandparents and how hard they worked for every dime they earned, and I can’t understand how anyone would think it’s acceptable to exploit the elderly population.
On June 15, 2022, FinCEN issued an advisory which highlights behavioral and financial red flags to help financial institutions identify, prevent, and report suspected elder financial exploitation (EFE). EFE is defined as the illegal or improper use of an older adult’s funds, property, or assets. The advisory points out that elder abuse, including EFE, affects at least 10% of older Americans each year and that the estimated dollar value of suspicious transactions linked to EFE exceeded $3.4 billion in 2020. What’s even more upsetting is that many of the perpetrators are known and trusted persons of the older adults, but there is a rising trend of scams that originate outside of the U.S. by individuals that have no relationship with the victim.
Many years ago, FinCEN added a specific category for EFE to the suspicious activity report (SAR). But in addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the Department of Justice’s National Elder Fraud Hotline (833-FRAUD-11). Many states also have requirements that financial institutions contact local law enforcement or the applicable state’s Department of Aging or similar agency to report such activity. If you aren’t filing EFE SARs, you may need to beef up your controls – keep in mind that according to FinCEN the MAJORITY of EFE incidents go unidentified and unreported.
The newest advisory is linked here for your convenience. Even if you think, “Oh, that’s a Compliance or BSA matter” – think again. We all have elderly loved ones who can fall victim to a scam, so educate yourself and help protect them! https://www.fincen.gov/sites/default/files/advisory/2022-06-15/FinCEN Advisory Elder Financial Exploitation FINAL 508.pdf
Authored by: Joann Lang, CAMS, CIA, CCBP
As 10-D is approaching our 18th year and it has fallen to me to write the WST this week, it got me wondering what some of our first weekly security tips were about. So, I dug around in the archives and found some classic topics from our first year of tips: Java, Vishing & Smishing, Remote Access & Multi-Factor Authentication, ATM skimming, and password management, just to name a few.
One in particular caught my eye regarding password length. Remember when the password length recommendation was 8 or more characters? That was the message of this early WST. It even included a chart noting it would take a hacker 115 days to crack an 8-character password. Today, the bad guys will crack your 8-character password in 8 hours. Yes, the bad guys are getting better, too.
Currently, 10-D recommends 10 or more characters using numbers, symbols, and upper- and lower-case letters. Make it a passphrase so it is easier to remember and save yourself some reset headaches. These changes will bump up hack time to about 5 years, so you should be well on to a new password by the time they crack this one!
Authored by: Brad Goetsch
New Zero-Day Vulnerability Affecting Microsoft Products
On May 30, Microsoft reported a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), tracked as CVE-2022-30190. Dubbed “Follina,” it can be exploited to execute arbitrary code on a Windows system through the MSDT URL protocol when a Microsoft Office application (such as Microsoft Word) processes a malicious document. Microsoft reports that an attacker who successfully exploits this vulnerability could install programs, view, change, or delete data, or conduct other unauthorized activity on the affected system, within the rights of the user who opened the document.
At this time, no patch is available for this vulnerability. Microsoft has provided workarounds in the link below; essentially, the workaround uses the Windows registry to disable the MSDT URL protocol (back up the ms-msdt key, then delete it), so Office can no longer hand a document off to MSDT. For people and organizations using Microsoft Defender products for antivirus, Microsoft also provides additional guidance in the same article: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
As always, testing is important! Consider working with your technical resources to test system changes before rolling them out to your whole organization.
We are also seeing that many antivirus vendors are pushing antivirus definition updates that can detect and block this vulnerability. Organizations may want to check with their antivirus vendors to understand any recommended actions specific to their product.
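As an added example (not part of the original tip and not Microsoft’s own script), the following PowerShell wraps the workaround from the linked guidance so it can be applied, verified, and rolled back consistently on a test host and then the fleet. The backup path is an assumption; the Defender ASR rule GUID is assumed to be the one for “Block all Office applications from creating child processes”, so confirm it against your Defender documentation before relying on it.

```powershell
# Added example (not from the original tip): apply, verify and roll back the MSDT URL-protocol
# workaround from the linked Microsoft guidance (export HKCR\ms-msdt, then delete it). Run elevated.
# Assumptions: backup location below; the ASR rule GUID is taken to be
# "Block all Office applications from creating child processes".
$Backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Test-MsdtHandler {
    # True while the ms-msdt: protocol handler is still registered, i.e. the host is still exposed.
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandler)) { Write-Host 'ms-msdt handler already absent'; return }
    # Keep an export so the handler can be restored once the patch is deployed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
    if (-not (Test-Path $Backup)) { throw "Backup to $Backup failed; not deleting the key" }
    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    Write-Host "ms-msdt handler removed; backup at $Backup"
}

function Restore-MsdtHandler {
    if (-not (Test-Path $Backup)) { throw "No backup at $Backup" }
    & reg.exe import $Backup | Out-Null
    Write-Host 'ms-msdt handler restored'
}

function Enable-OfficeChildProcessBlock {
    # Defender-only layer: stop Word/Excel/Outlook from spawning msdt.exe (or anything else).
    # Use -AttackSurfaceReductionRules_Actions AuditMode first if you need to measure impact.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Typical sequence: test host first, then the fleet.
Disable-MsdtHandler
"Still exposed: $(Test-MsdtHandler)"
# Restore-MsdtHandler   # once CVE-2022-30190 is patched and MSDT troubleshooters are needed again
```

Test-MsdtHandler is the piece worth scheduling: it gives a yes/no answer per host that can be collected centrally, which is how you confirm the workaround actually landed everywhere rather than assuming it did.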
Authored by: David Bentley, CISSP
Do your backups match your expectations?
A previous WST (https://10dsecurity.com/wst/building-blocks-of-a-business-impact-analysis.html) described what a business impact analysis (BIA) is and how it’s a key component of your business continuity program and disaster recovery success. If you’ve done the work to define recovery point objectives (RPOs), have you also made sure that your backups actually match them? For instance, if a server has an RPO of eight hours but you are only backing it up every twenty-four hours, your backups are misaligned: should a recovery be necessary, you may lose far more than eight hours of data. Failed or skipped jobs widen that gap further, because the previous successful copy becomes the recovery point. When updating and reviewing the BIA, we recommend including a review of your backup schedule (frequency and retention) to ensure that every system’s backups meet the institution’s RPO requirements. You may find systems for which you need to increase backup frequency. Or, you may find BIA requirements that are unrealistic or unattainable. In those cases, it may be wise for the institution to adjust expectations or develop other processes to close the planning gaps.
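As an added example (not part of the original tip), the following PowerShell compares each system’s RPO from the BIA against its actual backup history, counting only successful jobs and measuring the largest gap between consecutive good copies (including the gap from the latest copy to the review time). The BIA entries, system names, and job timestamps are constructed for the example; in practice they would come from your BIA document and your backup software’s job log.

```powershell
# Added example (not from the original tip): check backup history against the RPO the BIA assigns.
# The BIA entries and job records below are constructed; replace them with your own exports.
$Bia = @(
    [pscustomobject]@{ System = 'CORE-DB';   RpoHours = 8  }
    [pscustomobject]@{ System = 'FILESRV01'; RpoHours = 24 }
    [pscustomobject]@{ System = 'WEB01';     RpoHours = 4  }
)
$Jobs = @(
    # System, completion time, result
    @('CORE-DB',   '2024-03-01 02:00', 'Success'), @('CORE-DB',   '2024-03-02 02:00', 'Success'),
    @('CORE-DB',   '2024-03-03 02:00', 'Success'),
    @('FILESRV01', '2024-03-01 02:00', 'Success'), @('FILESRV01', '2024-03-02 02:00', 'Failed'),
    @('FILESRV01', '2024-03-03 02:00', 'Success'),
    @('WEB01',     '2024-03-02 20:00', 'Success'), @('WEB01',     '2024-03-03 00:00', 'Success'),
    @('WEB01',     '2024-03-03 04:00', 'Success')
) | ForEach-Object { [pscustomobject]@{ System = $_[0]; Completed = [datetime]$_[1]; Result = $_[2] } }

function Test-BackupRpo {
    param(
        [Parameter(Mandatory)]$Bia,
        [Parameter(Mandatory)]$Jobs,
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($entry in $Bia) {
        # Only successful jobs count: a failed run leaves the previous copy as the recovery point.
        $good = @($Jobs | Where-Object { $_.System -eq $entry.System -and $_.Result -eq 'Success' } |
                 Sort-Object Completed)
        if ($good.Count -eq 0) {
            [pscustomobject]@{ System = $entry.System; RpoHours = $entry.RpoHours
                               WorstGapHours = $null; Aligned = $false; Note = 'no successful backups' }
            continue
        }
        # Worst-case data loss = the largest interval between consecutive good copies,
        # plus the interval from the latest copy to now.
        $gaps = @()
        for ($i = 1; $i -lt $good.Count; $i++) {
            $gaps += ($good[$i].Completed - $good[$i - 1].Completed).TotalHours
        }
        $gaps += ($AsOf - $good[-1].Completed).TotalHours
        $worst   = [math]::Round(($gaps | Measure-Object -Maximum).Maximum, 1)
        $aligned = $worst -le $entry.RpoHours
        [pscustomobject]@{
            System        = $entry.System
            RpoHours      = $entry.RpoHours
            WorstGapHours = $worst
            Aligned       = $aligned
            Note          = $(if ($aligned) { 'ok' } else { 'backup interval or failures exceed RPO' })
        }
    }
}

Test-BackupRpo -Bia $Bia -Jobs $Jobs -AsOf ([datetime]'2024-03-03 06:00') | Format-Table -AutoSize
```

With the constructed data, CORE-DB is misaligned because a daily job cannot meet an eight-hour RPO, FILESRV01 is misaligned because the failed run on March 2 stretched the gap to 48 hours, and WEB01 (every four hours, all successful) meets its four-hour RPO. The two failure modes the paragraph describes, wrong frequency and failed jobs, show up as the same number.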
Authored by: David Matt, CISSP, CEH
Are You Sure That Laptop is Secured?
One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops. With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls. Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons.
When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.” While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.
Application data – Many applications will keep working copies of files, at least in temporary storage. For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files. Think of it as a scratch pad the application uses, which could include almost any content from the file being edited. If the application ends abnormally, that temporary data may accumulate instead of being deleted normally. Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information.
Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well. They are usually hidden from the end user, but they too can contain sensitive information. They are less likely to include customer data, but could still give a potential attacker useful details such as user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.
Deleted files – Wait, how are deleted files a risk? Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information. An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf. Deleting the index listing will make it harder to locate the book, but it will still be there. That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object. There are special applications made for discovering the data from “deleted” files, available to any motivated person.
Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation. As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive.
Intentional – Even when the institution operates with the best of intentions, it is not uncommon for an individual to deliberately circumvent the rules, or simply to save a file to the desktop without thinking. They may only be taking a file home to work on over the weekend, but it is a potential risk nonetheless.
There is a simple solution: whole disk encryption. Business editions of Microsoft Windows (Pro, Enterprise, and Education) have the functionality built in (BitLocker) and only need it to be configured by a qualified IT administrator. Make sure the recovery keys are escrowed (in Active Directory, Entra ID, or a management tool) so that a forgotten PIN or a hardware change does not turn into lost data. Whether the built-in feature or another readily available commercial solution is used, the result is well-protected storage on the laptop (the same applies to desktops). If a laptop with encrypted storage is lost or stolen, the institution is out the value of the device but faces a substantially lower risk of information disclosure.
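As an added example (not part of either original tip), the following PowerShell audits a Windows endpoint for the controls recommended in “Lock It Down!” (a screen lock after a period of inactivity) and in this tip (whole disk encryption with a recoverable key). The registry locations are assumed to be the ones the corresponding Group Policy settings write to (“Interactive logon: Machine inactivity limit” and the screen saver timeout/password settings), and Get-BitLockerVolume is assumed to be available, which it is on editions that ship BitLocker; the 15-minute idle limit is a placeholder for whatever your policy mandates.

```powershell
# Added example (not from the original tips): audit one endpoint for idle screen lock and
# OS-drive encryption. Assumed registry locations (the ones the Group Policy settings write to):
#   Interactive logon: Machine inactivity limit -> HKLM\...\Policies\System\InactivityTimeoutSecs
#   Screen saver timeout / password protect      -> HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
# Get-BitLockerVolume ships with the BitLocker feature on Pro/Enterprise/Education editions.
function Test-EndpointLockdown {
    param([int]$MaxIdleSeconds = 900)   # 15 minutes; placeholder for your policy's value

    $sys  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $desk = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue

    $inactivity = [int]($sys.InactivityTimeoutSecs)   # 0 or missing = no machine-level idle lock
    $ssTimeout  = [int]($desk.ScreenSaveTimeOut)
    $ssSecure   = ([string]$desk.ScreenSaverIsSecure) -eq '1'
    $ssActive   = ([string]$desk.ScreenSaveActive) -eq '1'

    # Either mechanism is acceptable as long as it locks within the mandated idle window.
    $idleLockOk = ($inactivity -gt 0 -and $inactivity -le $MaxIdleSeconds) -or
                  ($ssActive -and $ssSecure -and $ssTimeout -gt 0 -and $ssTimeout -le $MaxIdleSeconds)

    $volumes = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($v in Get-BitLockerVolume) {
            $volumes += [pscustomobject]@{
                MountPoint       = $v.MountPoint
                VolumeStatus     = $v.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
                ProtectionStatus = $v.ProtectionStatus   # Off means the key is not currently protecting the data
                Percent          = $v.EncryptionPercentage
                # A recovery-password protector is what lets the help desk unlock a locked drive;
                # escrow it (AD / Entra ID / MBAM) so a lost PIN does not mean lost data.
                HasRecoveryKey   = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            }
        }
    }
    $osDrive = $volumes | Where-Object MountPoint -eq $env:SystemDrive
    $diskOk  = ($null -ne $osDrive) -and ($osDrive.VolumeStatus -eq 'FullyEncrypted') -and
               ($osDrive.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IdleLockEnforced  = $idleLockOk
        InactivitySeconds = $inactivity
        OSDriveEncrypted  = $diskOk
        Volumes           = $volumes
    }
}

Test-EndpointLockdown | Format-List
```

A drive that reports FullyEncrypted but ProtectionStatus Off is the case auditors most often miss: the data is encrypted, but BitLocker is suspended and the key is exposed, so the laptop is effectively unencrypted until protection is resumed.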
Authored by: Jim Baird, CBCP, TCNA