Three Old School Attacks That Still Cause Trouble

Throughout the last several months, the MSI team has been performing some old-school types of attacks in our penetration testing work. Astoundingly, these “ancient” forms of hacking attacks are still yielding high levels of return. We’ve managed to steal amazing amounts of data using these tactics from the early days of the hacking community.

Dumpster Diving

Lots of confidential data still ends up in the trash. If you’re lucky enough to find a dumpster with sensitive information inside it, then you can get access to that data without having to break into any systems or networks. This is one of the most common ways for hackers to gain access to valuable data and intellectual property.

And, we’ve seen plenty of it. PII, PHI, employee data, mergers and acquisitions information and a whole lot of intellectual property is still turning up in our team’s testing. Even with corporate shred containers scattered about (which you should have), many sensitive documents still end up in the trash.

The best we’ve seen? A document with a plethora of sensitive data in it, generated by a corporate attorney, with a post-it still attached to it that says “Please shred!”. All we can say is, awareness is the key to mitigating this one.

Compromising Voicemail Boxes

It’s 2021, and yet, 1987 called and wants their hack back. Our team is still compromising voicemail boxes with ease. Most are protected by simple four-digit codes, and even then, the majority of those codes fall into a short “easy pickings” list. PIN lockouts after so many bad attempts remain almost unheard of, and it’s simply astounding what you can learn from owning some corporate voicemails.

If you haven’t had your voicemail system audited recently, now might be a good time to talk about it. Not only can it lead to exposure of a variety of confidential information, credentials and customer data, but in many cases, it can also lead to toll fraud and significantly increased telecom charges.
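The two weaknesses called out above (guessable four-digit PINs and no lockout after bad attempts) are straightforward to check for on the administrator's side. The following is an added example, not MicroSolved's code or any vendor's PBX API: a small PIN-policy check plus a lockout tracker that a voicemail administrator could run over an exported mailbox list. The pattern rules, the lockout threshold and the `Mailbox` record layout are assumptions made for the example.

```python
"""Voicemail PIN policy check and per-mailbox lockout tracker (added example)."""
import hmac
from dataclasses import dataclass

# Assumption for the example: lock a mailbox after this many bad attempts.
MAX_FAILED_ATTEMPTS = 5


def is_weak_pin(pin: str, mailbox_ext: str = "") -> bool:
    """Return True if the PIN matches an easily guessed pattern.

    Rules (an assumed policy, not a vendor default): wrong length or
    non-digit, all digits identical, a repeated pair, an ascending or
    descending run, a plausible year (19xx/20xx), or the mailbox's own
    extension.
    """
    if len(pin) != 4 or not pin.isdigit():
        return True
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1 or pin[:2] == pin[2:]:
        return True
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    if pin[:2] in ("19", "20"):
        return True
    if mailbox_ext and pin == mailbox_ext[-4:]:
        return True
    return False


@dataclass
class Mailbox:
    """One voicemail box as exported from the PBX (constructed layout)."""
    extension: str
    pin: str
    failed_attempts: int = 0
    locked: bool = False

    def authenticate(self, attempt: str) -> bool:
        """Check a PIN attempt; lock the box after MAX_FAILED_ATTEMPTS misses."""
        if self.locked:
            return False
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(attempt, self.pin):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


def audit_mailboxes(boxes):
    """Return the extensions whose current PIN fails the policy."""
    return [b.extension for b in boxes if is_weak_pin(b.pin, b.extension)]


if __name__ == "__main__":
    # constructed sample export: two weak PINs and one acceptable one
    sample = [Mailbox("4401", "1234"), Mailbox("4402", "7391"), Mailbox("4403", "4403")]
    print("weak PINs on:", audit_mailboxes(sample))
```

Running the audit against a real export turns the "easy pickings" problem into a list of mailboxes to reset; the lockout counter is the control the post notes is almost never present.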

Our best story here? Compromising a voicemail box for a customer service rep, where thanks to COVID, they were working from home. We changed the message to ask for callers to leave their account information as a part of their support request. Lo and behold, an easy way to harvest that data. How long would it take you to notice this kind of attack?

Wardialing & Dial-up Compromises

Remember dial-up? Our team still loves to play with the “beauty of the baud”, so to speak. You’d be amazed how many companies still have modems attached to critical systems and exposed to the world via the phone. Routers, industrial automation, PBX remote management, critical ICS systems all abound in the dial-up world. Many have simple logins and passwords, but some don’t even have that anymore.

In addition, VoIP and cloud technologies were expanded years ago to include modern war dialing tools. Hunting for dial-ups remains easy, cheap and effective.

What’s worse? If the attacker “gets lucky”, they can find a loose dial-up system that is network connected on the other side, making it easy to bridge a dial-up compromise into network access. The next thing the penetration testing team knows, it’s “raining shells”, so to speak.

When was the last time you audited your dial-up space, or went looking for modems? Many remote vendor support agreements still contain these types of connections. Pay special attention to remote support for MPLS and telecom circuits. We’ve found a lot of this equipment with dial-ups in place for inbound tech support when a circuit fails.

Need a war dial or some dial-up testing? Give us a call. We love it.

Give some thought to old-school attacks. Penetration testers with experience in these areas may have some grey hair, but you’d likely be surprised how much these long in the tooth exploits still have bite!

IT/OT Convergence and Cyber-Security

Today, I spoke at ComSpark as a part of a panel with Chris Nichols from LucidiaIT and David Cartmel from SMC. 

We talked extensively about convergence and the emerging threats stemming from the intertwined IT/OT world. 

If you missed it, check the ComSpark event page here. I believe they are making some of the content available via recording, though a signup might be required. 

Our virtual booth also had this excellent video around the topic. Check it out here.

Thanks and hit me up on Twitter (@lbhuston) and let me know your thoughts.

Tips For Recognizing a Phishing Email

Below are some common tips for helping to identify phishing emails at work or at home. The same rules apply.

Most Phishing Emails Originate at Common Domains

The first way to recognize a phishing email is that most originate from a public email domain.

There are few legitimate organizations that will send emails from an address that ends in @gmail.com; not even Google does this.

To check an organization’s name, type it into a search engine. Most of the time, organizations have their own email and company accounts and don’t need to use an @gmail.com address.

Check the Spelling of the Domain, Carefully!

There is another clue hidden in domain names that gives a strong indication of a scam.

Anyone can purchase a domain name from a website. There are many ways to create addresses that are easily confused with the official domain of a brand or company. The most common ways include slight misspellings of the domain name, or changing one character to a number or letter that resembles the original. Be extra vigilant for these types of spoofing attempts.

Grammar and Spelling Count

It’s often possible to tell if an email is a scam if it has poor spelling and grammar. Odd terminology or phrasing is also a clue. For example, your bank is unlikely to misspell the word checking or account, and they would not usually call an ATM machine a “cash machine”. These clues can be subtle, but often indicate that an email is not what it claims to be.

Beware of Potentially Malicious Links and Attachments

Sometimes, the wording in an email might be right, but the links send you to somewhere unexpected on the web. You can check this in most clients and browsers by simply hovering the mouse cursor over the link without clicking on it. That’s an easy way to know where the link is taking you, and note that it might be somewhere other than what the link says it is.

You should always beware of attachments in emails. Everyone knows that malicious code and ransomware can be hiding in documents, spreadsheets and such, but they can also appear to be image files, presentations, PDFs and most types of documents. If you aren’t expecting the attachment, delete it!
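Several of the tips above (a public webmail sender domain, a lookalike spelling of a trusted domain, link text that differs from the real link target, and a risky attachment) can be checked mechanically before a message reaches an inbox. The following is an added example, not code from this post or from MicroSolved: it parses a constructed raw email with Python's standard `email` package and returns the indicator codes that apply. The webmail list, the trusted brand domain `examplebank.com`, the confusable-character table and the risky extension list are assumptions chosen for the example.

```python
"""Phishing indicator checks over a raw email message (added example)."""
import difflib
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for the example: webmail domains to flag as unusual for a
# business sender, and the brand domains the reader expects mail from.
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
TRUSTED_DOMAINS = {"examplebank.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")

# Constructed sample message: lookalike sender (digit 1 for letter l), a link
# whose visible text does not match its target, and a double-extension file.
RAW_EMAIL = b"""From: Example Bank Support <support@examp1ebank.com>
To: customer@example.org
Subject: Urgent: verify your checking acount
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://examp1ebank.com.verify-now.example/login">https://www.examplebank.com/login</a> now.</p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def normalize_confusables(domain: str) -> str:
    """Fold characters commonly swapped in lookalike domains (1->l, 0->o, rn->m, vv->w)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("01357", "olest"))


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates a trusted domain without being it."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        if normalize_confusables(domain) == trusted:
            return True
        # catches one-character typos such as transposed letters
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return True
    return False


def host_of(url_or_text: str) -> str:
    """Extract the host from a URL, or from bare text like www.example.com/path."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def link_mismatches(html: str) -> list:
    """Return (shown host, real host) pairs where the visible URL text misleads."""
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # only compare when the anchor text itself looks like a web address
        if not re.match(r"^(https?://|www\.)", shown, re.I):
            continue
        if host_of(shown) != host_of(href):
            found.append((host_of(shown), host_of(href)))
    return found


def assess(raw: bytes) -> list:
    """Return the indicator codes that apply to one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    indicators = []
    _, sender = parseaddr(str(msg["From"]))
    domain = sender.rpartition("@")[2].lower()
    if domain in PUBLIC_MAIL_DOMAINS:
        indicators.append("public-webmail-sender")
    if is_lookalike(domain):
        indicators.append("lookalike-sender-domain")
    for part in msg.walk():
        if part.get_content_type() == "text/html" and link_mismatches(part.get_content()):
            indicators.append("link-text-host-mismatch")
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            indicators.append("risky-attachment")
    return indicators


if __name__ == "__main__":
    print(assess(RAW_EMAIL))
```

The link check mirrors the hover-the-mouse advice: it compares the host a reader sees with the host the `href` actually points to. The lookalike check normalises the most common character swaps before comparing, then falls back to a similarity ratio for simple typos; a production filter would also consult the organisation's real sender list and any DMARC results.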

Too Good To Be True

Lastly, if the offer is too good to be true, it probably is. Few people have won the lottery and been notified by email. Even fewer have been chosen for random gifts or to receive an inheritance from kings and queens. Don’t be gullible, and remember, scammers are out there, and they want to trick you.

What to Do When You Spot a Phish

The first thing is to delete the email and attachments. If it is a work email, you should also notify the security team that you received it. They can investigate, as needed. In some firms, they may want you to forward it to a specific email address for the security team, but most security teams can recover the email information even if you delete it. Follow their instructions.

At home, just delete the email and tell your family and friends about it. The more folks are aware of what’s going around, the less likely they are to fall into the trap.

More Information

We’d love to discuss phishing attacks, emerging threats or common security controls for organizations. Reach out to info@microsolved.com or give us a call at 614-351-1237 for help.

Thanks for your attention, and until next time, stay safe out there.


IT Security and OT Security Converging

The term “information technology” (also known as “IT”) has been with us for more than 60 years now. It was first coined by Harold Leavitt and Thomas Whisler and published in an article in the Harvard Business Review in 1958 (long before the Internet was conceived of). It refers to all those pieces/parts that make up electronic information systems. The term “operational technology” (also known as “OT”) was first coined nearly half a century later in a research paper from Gartner in 2006. It refers to industrial control systems that are controllable from remote locations, especially those that are controllable over an Internet connection. It has spawned another new acronym: “IIoT” (“industrial internet of things”). For the security industry, these terms highlight one of the biggest security problems facing us today: securing industrial control systems from remote attacks by cybercriminals and hostile nation states.

For most of the Information Age, such terms and considerations were not necessary. Industrial control systems were largely analog and not subject to remote attack. Even after the Internet had been well established, the security of industrial control systems was not seen as a big problem, since there was little reward to be had by the average hacker in disrupting such systems. In recent years that has all changed. Industries from infrastructure (e.g. electric grids, pipelines, water systems) to the private sector (e.g. manufacturing, mining, cargo transport) have embraced, and continue to embrace, the Internet as a medium for controlling and communicating with their industrial control systems. It increases efficiency and cuts cost for these concerns. It also allows them to decrease the number of personnel needed and to centralize control and monitoring of these systems. A great boon! Unfortunately, security was not well considered or implemented as these processes were put in place. As a result, industrial control systems are now among the easiest to compromise by Internet attack. On top of that, there is now an attack vector that is attracting the average cybercriminal motivated by greed to target industrial control systems: ransomware.

Ransomware allows attackers to make money from almost any business or institution, including industry and infrastructure. Modern ransomware attackers not only threaten to encrypt information and make it unavailable to legitimate users, they threaten to disrupt industrial control systems or reveal private information publicly. One example is the recent Colonial Pipeline debacle. Because of this, it is increasingly important for industrial concerns to solve their Internet security problems. This problem is finally being recognized by the U.S. Government at the highest level. President Biden has recently threatened reprisals for attacks against vital American infrastructure and manufacturing concerns.

In addition, CISA has recently published a fact sheet detailing its recommendations for protecting these systems against ransomware attacks. These recommendations include:

  • Determining how much your critical OT systems rely on key IT infrastructure.
  • Planning for when you lose access to IT and/or OT environments.
  • Exercising your incident response plans, and testing manual controls if OT networks need to be taken offline.
  • Implementing regular data backup procedures for both OT and IT networks.
  • Requiring multi-factor authentication for both OT and IT networks, and
  • Segmenting IT and OT networks.

These are good suggestions and should be implemented ASAP. However, they are not a panacea. Nobody to date has come up with a true answer to the problem of cyberattacks against industrial control systems. Because of this it is important to remain flexible and to devote adequate resources for fighting this very thorny problem.