Posts

Municipal IT Director Put on Leave Following Breach

Hackers Had Access for Months Before Launching Ransomware Attack

Municipal IT Director Put on Leave Following BreachIn another sign that accountability is rising in cyber security, the IT director of the Suffolk County Clerk’s Office in New York has been put on paid administrative leave. An investigation following a September ransomware attack found that hackers had been exploring and exploiting Suffolk County’s systems since December 19, 2021, and accused IT Director Peter Schlussler of acting in “an incredibly nonchalant manner” toward the county’s cyber security.

Schlussler disputed the investigation’s findings in an email to The New York Times, noting that his requests for stronger cyber security at the County Clerk’s office had been rejected by superiors. Suffolk County wound up taking all of its systems offline in September when the hack was finally discovered and, according to the Times, is still using workarounds for some online functions.

Suffolk County Hack Timeline Illustrates Common Tactics and Detection Failures

An examination of the Suffolk County hack reveals opportunities when the intrusion could have been detected, had the IT Director been following security protocols that most cyber security specialists recommend.

December 19, 2021: Criminals gain access to the County Clerk’s systems via a known flaw in a common piece of software. Investigators found that there was no centralized authority for the municipal systems run by Suffolk County. As a result, patches to fix the known vulnerability were not applied across all systems. Suffolk County Executive Steven C. Bellone cited the IT director’s failure to patch the vulnerability as a cause of the cyber attack.

January 2022: Hackers install Bitcoin mining software on the Suffolk County systems. Criminals install software like this for two reasons: To see if it will be detected and removed, and to see if the data it sends will be detected and removed. Organizations that fail to spot rogue software communicating with unknown parties will have their data stolen.

Many IT directors perform regular scans of all systems to look for new software installations, which can be sign of a breach. This can be a challenging task in a large, decentralized environment, which is why cyber security professionals recommend centralized administration for users and software.

March 2022: Hackers install tools to run Suffolk County systems remotely. Criminals who do this have a high level of confidence in their ability to carry out significant attacks. These systems will be tested before the next phase of intrusion begins, offering an opportunity to detect the activity.

Every IT director and security professional should be scanning systems regularly for all known remote clients. Although New York investigators did not specify the kind of remote access tools used, many criminals use the same remote-access software that organizations use to keep their own remote employees connected. By itself, the presence of remote access software may not trigger concern, but the alarm should be raised if it is suddenly used more often, at unusual times of day or in unusual ways. Use a Virtual Private Network (VPN) secured with two-factor authentication (2FA) to enhance the security of remote access.

April 2022: Criminals create the first of several admin-level user accounts in the County Clerk’s systems. This is the boldest step yet, and at this point, the hacker is the IT director. With Admin-level access, criminals can install software, exfiltrate data and manipulate systems to cover their tracks.

There are a number of ways to alert IT staff when new accounts are created, and a number of ways to limit the access that new users have. Beyond these safeguards, user lists and access levels should be audited and verified on a regular basis, with any unrecognized accounts immediately flagged and suspended.

July 2022: Data exfiltration begins, including at least one file with the name, “Passwords.”

August 2022: Keyloggers are installed. Intrusions begin on systems connected to the County Clerk’s system. Hackers encrypt everything they can access as they prepare to launch a ransomware attack.

What should stand out about the Suffolk County attack is the patient, meticulous nature of the hackers. This was not a high-speed raid or a crime of immediate opportunity. Hackers got in, then slowly built up their presence and toolkit over time, starting with nuisance software and moving on to complete control and surveillance. At each step, the hackers stopped and waited to see if their activity would be detected. When it was not, they executed the next step of their takeover plan.

The month-by-month increase in activity correlates with what hackers know about most cyber security solutions: Scans run at least once a month. If 30 days pass and software or activity has not been detected, it is safe to escalate. Think of this like a burglar finding a series of unlocked doors in a home. After opening each door, the burglar looks around to make sure it is safe before opening the next door.

The Myth of “Opportunistic” Cyber Attacks

Far too many business owners and organizational leaders think a cyber attack occurs because someone lets their guard down for a moment. While these attacks do occur, they tend to be low-level financial attacks that scam a few hundred or a few thousand dollars. Real cyber criminals are as patient and methodical as the group that attacked Suffolk County, and the damage they cause can lead to millions of dollars in remedies and restitution. Large, distributed, heavily used networks like those found in municipal government offices are ripe targets for the troves of personal information they hold and the opportunities they offer for criminals to conceal their activities.

We see multiple points where the Suffolk County attack could have been stopped, but we also see the challenges faced by the IT director, which are common to both businesses and the private sector. Too many leaders do not understand the real nature of cyber attacks. Too many government and private-sector organizations see Virtual CISO services or Dark Web Monitoring as a needless expense. The irony here is that they wind up paying for these services after a breach, alongside any fines and costs associated with data loss and system repairs, when they could have prevented the intrusion in the first place.

There is also the question of accountability, and the decision to suspend the Suffolk County Clerk’s IT director. This follows Federal sanctions against the CEO of Drizly following the theft of customer data. In both of these cases, investigators uncovered events that should have been prevented by cyber security best practices and held the people responsible for overseeing cyber security accountable.

Hackers Hacking Airport USB Ports

Have you ever wondered if it’s a good idea to surf the internet using a public WiFi network at the airport? It’s heavily trafficked, so it’s more likely that your information could get stolen, right? In some cases, it is safe to use public WiFi; your information isn’t always entirely at risk if you’re connecting to the airport network but there are definitely vulnerabilities. And, when at the airport, you may want to rethink the urge to plug in your phone using one of the USB charging stations near the gate.

It is possible that cybercriminals could use those stations to download your personal data or install malware onto your device without your knowledge or consent. It’s a crime that’s being called juice jacking.

The IBM Security X-Force Threat Intelligence sector, says that using a public USB port for charging is similar to finding a toothbrush in the street and making the decision to put it in your mouth. You don’t know where the toothbrush has been, and the same applies to that USB port. You don’t know who used it before you and may not be aware that these USB ports can pass along data.

While it is possible for this to happen, it’s not necessarily an epidemic, and there isn’t a reason to panic just yet. There haven’t been widespread reports that juice-jacking has happened in airports (or anywhere else.) However, it could be happening without people knowing, which means it could be a significant issue, and no one knows it yet.

If you don’t like the idea of cybercriminals stealing your information and want to stay safe, do this:

Prevent Juice Jacking

  • Before leaving your house, make sure your phone is fully charged if possible.
  • Buy a second charger that stays with you or in your car at all times, and make a habit of keeping your phone charged while you drive.
  • Of course, there will be times when you’re out and about, and before you realize it, your device has gotten low on power. And it’s time to hunt for a public charging station.
  • Have a cord with you at all times. This will enable you to use a wall socket.
  • Turn off your phone to save batt. But for many people, this will not happen, so don’t just rely only on that tactic.
  • Plug your phone directly into a public socket whenever you can.
  • If you end up using the USB attachment at the station, make a point of viewing the power source. A hidden power source is suspicious.
  • If bringing a cord with you everywhere is too much of a hassle, did you know you can buy a power-only USB cord on which it’s impossible for any data to be transferred?
  • Another option is an external battery pack. This will supply an addition of power to your device.
  • External batteries, like the power-only USB cord, do not have data transfer ability, and thus can be used at any kiosk without the possibility of a data breach.
  • Search “optimize battery settings” iPhone or Android and get to work.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Hacking the CEO with Social Media

If the super big wigs could get their social media accounts hacked, you can too. If you can believe it, the Twitter accounts of the following were recently hacked:14D

  • Google CEO Sundar Pichai
  • Yahoo CEO Marissa Mayer
  • Oculus CEO Brendan Iribe
  • Twitter co-founder Jack Dorsey

Shouldn’t these CEOs know how to prevent getting hacked? One little slip could let in the cybercriminals: reusing the same password.

Times have really changed. During the good ‘ol days, employees barely knew the CEO. Sometimes he was faceless, and at most, they received form letters from him…or her. Nowadays, company workers know the names of the CEO’s grandkids, new puppy, where they spent their last vacation, complete with photos.

CEOs want a human connection to their company’s worker bees and hence, many are very active on social media—so active, in fact, that they hardly think of security…like using old passwords for new accounts and/or using the same password for multiple accounts…and/or using an easily crackable password.

Other mistakes CEOs make:

  • Posting personal information—way too much, more than enough for hackers to use against them.
  • This includes names of kids and vacation destinations, details about hobbies, relatives and other personal data.
  • Inclusion of personal information on a professional social media profile.

That may all sound innocent and just a way for CEOs to humanize themselves, but the more personal information they share with the world, the easier it is for cybercriminals to bust in. Crooks can often easily obtain the CEO’s e-mail and send a message that appears innocent, but has a link or attachment that the recipient is lured into clicking.

Once clicked, the attachment or e-mail unleashes malware, giving the crook control of the CEO’s computer. So even if the CEO has a unique and very strong and long password for each social media account, all it takes is a moment of having their guard down and hastily clicking a malicious link or attachment to get infected.

The hacker may have many motives for breaking into an account, and this includes posing as the CEO and posting items on the social media account with the hopes of damaging the CEO’s reputation.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Mobile SIMs Hacks Cause Concern

A crook can steal your identity by taking control of your wireless phone account—by pretending to be you in person at the mobile store. The villain can then buy pricey mobiles and sell them—and guess who gets the bill but not the profit.

4DSymptoms of Hijacked Account

  • Suddenly losing service
  • Your carrier says you went to a store, upgraded a few phones, then shut down your old device.
  • Or, the rep will straight-out ask if the problem is with your new iPhone—even though you never purchased one.
  • You were never at the store and never authorized any account changes.

If this happens to you, says an article at nbc-2.com, you’ll need to visit the carrier’s local store, show your ID and get new SIM cards. The carrier absorbs the costs of the stolen new phones.

But it’s not as simple as it sounds. What if in the interim, you need to use your phone—like during an emergency or while conducting business? Or your phone goes dead just as your teen calls and says she’s in trouble?

The thief, with a fake ID, waltzes into a store that does not have tight owner-verification protocols, and gets away with changing the victim’s account and buying expensive phones.

The nbc-2.com report says that this crime is on the increase and is affecting all four of the major mobile carriers: AT&T, T-Mobile, Verizon and Sprint.

Here’s another thing to consider: The thief may keep the new phone, which still has your number, to gain access to your online accounts via the two-factor authentication process—which works by sending a one-time numerical text or voice message to the accountholder’s phone.

The thief, who already has your online account’s password, will receive this code and be able to log into the account. So as innocuous as stolen phones may seem, this can be a gateway to cleaning out your bank account. The thief can also go on a shopping spree with mobile phone based shopping.

We’re all anxiously waiting for mobile carriers to upgrade their store security so that people just can’t strut in and get away with pretending to be an accountholder. Biometrics come to mind. Photo IDs are worthless.

In the meantime, accountholders can create a PIN or password that’s required prior to changing anything on the account.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Hacking Humans is Painfully Easy

Hackers can take over someone’s life in a matter of hours. Just ask Patsy Walsh.

11DThough she is not a tech savvy person, the grandmother of six did have a Facebook account, and that was all the hackers needed to take over her life. By using methods such as click baiting, the act of convincing someone to click on a fake link, and then gathering information, the hackers were able to use this info to get into other accounts, and eventually hacked things such as her power of attorney form, Social Security information and learned how to open her garage door and her home.

How did they do this? Mrs. Walsh used the same password for all accounts and did not use recommended security measures.

Fortunately, Mrs. Walsh’s life wasn’t ruined. Instead, this hacking was set up by the New York Times and a private company made up of “ethical hackers”, yes there is such a thing, to show just how easy it is to gain access to someone’s digital life.

Computers Are Gold Mines of Important Information

When the team of ethical hackers gained access to Mrs. Walsh’s computer, they found a number of malicious programs running in the background. Examples include InstallBrain, a program that will download programs on demand, and programs such as SlimCleaner, SearchProtect and FunWebProducts, which can spy on Internet searches, change home pages and gather information through click baiting. More than likely she downloaded some lame tool bar that added all this bloatware. Keep in mind, Mrs. Walsh was only visiting sites such as Google and Facebook, sites that most of us visit several times a day.

Stopping the Hackers in Their Tracks

We can all learn lessons from Mrs. Walsh’s experience. Here are some things that she could have done to avoid this from occurring, and things you should do to remain safe:

  • Use a password manager to keep track of long or complicated passwords, and use a different password for every account.
  • Use a two-step authentication service, one that asks for a second password when an unrecognizable machine attempts to access an account.
  • Use automatic updates for services such as browser updates or operating system updates.
  • Wipe the computer clean if necessary, then start employing these new practices.
  • Stop downloading stupid useless tool bars that are often delivery methods for crappy software.
  • Pay attention to what you are downloading and why. Even when you are updating software, look for any checked boxes that install bloatware.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Anonymous Begins a 30 Day Assault Against Central Banks

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

2DAnd their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, every day bank customer, don’t worry about any of this, BUT, always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real-time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How the FBI hacks You

In a recent Wired.com expose’, they expose how the FBI has been secretly hacking civilian computers for about 20 years, but thanks to Rule 41, their ability to hack has been expanded.

11DNevertheless, effective record keeping for these hacking incidents doesn’t exist. For instance, search warrants that permit hacking are issued using elusive language, and this makes it difficult to keep track of when the feds hack.

Also, it’s not required for the FBI to submit any reports to Congress that track the FBI’s court-sanctioned hacking incidents—which the FBI would rather term “remote access searches.”

So how do we know this then? Because every so often, bits of information are revealed in news stories and court cases.

Carnivore

  • Carnivore, a traffic sniffer, is the FBI’s first known remote access tool that Internet Service Providers allowed to get installed on network backbones in 1998.
  • This plan got out in 2000 when EarthLink wouldn’t let the FBI install Carnivore on its network.
  • A court case followed, and the name “Carnivore” certainly didn’t help the feds’ case.
  • Come 2005, Carnivore was replaced with commercial filters.

The FBI had an issue with encrypted data that it was taking. Thanks to the advent of keyloggers, this problem was solved, as the keylogger records keystrokes, capturing them before the encryption software does its job.

The Scarfo Case

  • In 1999 a government keystroke logger targeted Nicodemo Salvatore Scarfo, Jr., a mob boss who used encryption.
  • The remotely installed keylogger had not yet been developed at this time, so the FBI had to break into Scarfo’s office to install the keylogger on his computer, then break in again to retrieve it.
  • Scarfo argued that the FBI should have had a wiretap order, not just a search warrant, to do this.
  • The government, though, replied that the keylogger technology was classified.

Magic Lantern

  • The Scarfo case inspired the FBI to design custom hacking tools: enter Magic Lantern, a remotely installable keylogger that arrived in 2001.
  • This keylogger also could track browsing history, passwords and usernames.
  • It’s not known when the first time was that Magic Lantern was used.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of Amazon’s scary Customer Service Hack

Do you shop at Amazon.com? Are you aware they have a back door through which hackers can slip in?

11DLet’s look at Eric’s experience with hackers and Amazon, as he recounts at medium.com/@espringe.

He received an e-mail from Amazon and contacted them to see what it was about. Amazon informed him that he had had a text-chat and sent him the transcript—which he had never been part of.

Eric explains that the hacker gave Eric’s whois.com data to Amazon. However, the whois.com data was partially false because Eric wanted to remain private.

So Eric’s “fake” whois.com information wasn’t 100 percent in left field; some of it was true enough for the customer service hack to occur, because in exchange for the “fake” information, Amazon supplied Eric’s real address and phone number to the hacker.

The hacker got Eric’s bank to get him a new copy of his credit card. Amazon’s customer service had been duped.

Eric informed Amazon Retail to flag his account as being at “extremely high risk” of getting socially engineered. Amazon assured him that a “specialist” would be in contact (who never was).

Over the next few months, Eric assumed the problem disintegrated; he gave Amazon a new credit card and new address. Then he got another strange e-mail.

He told Amazon that someone was impersonating him, and Amazon told him to change his password. He insisted they keep his account secure. He was told the “specialist” would contact him (who never did). This time, Eric deleted his address from Amazon.

Eric became fed up because the hacker then contacted Amazon by phone and apparently got the last digits of his credit card. He decided to close his Amazon account, unable to trust the giant online retailer.

  • Frequently log into your account to check on orders. See if there are transactions you are unaware of. Look for “ship to” addresses you didn’t authorize.
  • Amazon’s customer support reps should be able to see the IP address of the user who’s connecting. They should be on alert for anything suspicious, such as whether or not the IP address is the one that the user normally connects with.
  • Users should create aliases with their e-mail services, to throw off hacking attempts. In other words, having the same email address for all your online accounts will make it easy for them to be compromised.
  • If you own domain names, check out the “whois” info associated with the account. It may be worth making it private.

Be very careful when sharing information about yourself. Do not assume that just because a company is a mega giant (like Amazon), it will keep your account protected from the bad guys.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to recycle Old Devices

When it comes to tossing into the rubbish your old computer device, out of sight means out of mind, right? Well yeah, maybe to the user. But let’s tack something onto that well-known mantra: Out of site, out of mind, into criminal’s hands.

7WYour discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.

Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.

Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or, he may resell to a fraudster.

Only 25 states have e-waste recycling laws. And only some e-waste recyclers protect customer data. And this gets cut down further when you consider that the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.

Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting is worthless.

To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.

I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. People don’t know what “clear data” really means.

The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.

What to Do

  • If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:

Search the name of your device and terms such as “factory reset”, “completely wipe data”, reinstall operating system” etc and look for various device specific tutorials and in some cases 3rd party software to accomplish this.

  • If you want to junk it, then you must physically destroy it. Remove the drive, thate are numerous online tutorials here too. Get some safety glasses, put a hammer to it or find an industrial shredder.
  • Or send it to a reputable recycling service for purging.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

How to prevent your Pics from being lifted: Part 1 of 2

You need not be a celebrity or some big wig to suffer the devastating fallout of your online images (and videos) being stolen or used without your permission.

10DSo how does someone steal your image or use it without your permission?

Hacking

  • Hacking is one way, especially if passwords are weak and the answers to security questions can easily be figured out (e.g., “Name of your first pet,” and on your Facebook page there’s a picture of you: “My very first dog, Snickers”).
  • Malware can be installed on your device if the operating system, browser or security software is out of date.
  • But hackers may also get into a cloud service depending on their and your level of security.

Cloud Services

  • In 2014, the images of celebrities and others were stolen from their iCloud accounts. At the time, two factor authentication was not available to consumers.
  • Apple did not take responsibility, claiming that the hackers guessed the passwords of the victims. This is entirely possible as many use the same passwords for multiple accounts. It is reported that Jennifer Lawrence’s and Kate Upton’s passwords really were123qwe and Password1, respectively.

Social Media

  • Got a pretty avatar for your Facebook page? Do you realize how easy it is for someone to “Save image as…”?
  • Yup, someone could right-click on your provocative image, save it and use it for some sex site.
  • And it’s not just images of adults being stolen. Images of children have been stolen and posted on porn sites.
  • Stolen photos are not always racy. A stolen image could be of an innocent child smiling with her hands on her cheeks.
  • The thief doesn’t necessarily post his loot on porn or sex sites. It could be for any service or product. But the point is: Your image is being used without your authorization.

Sexting

  • Kids and teens and of course adults are sending sexually explicit images of each other via smartphone. These photos can end up anywhere.
  • Applications exist that destroy the image moments after it appears to the sender.
  • These applications can be circumvented! Thus, the rule should be never, ever, ever send photos via smartphone that you would not want your fragile great-grandmother or your employer to view.

How can you protect your digital life?

  • Long, strong passwords—unique for every single account
  • Change your passwords regularly.
  • Firewall and up-to-date antivirus software
  • Make sure the answers to your security questions can’t be found online.
  • If any of your accounts have an option for two-factor authentication, then use it.
  • Never open attachments unless you’re expecting them.
  • Never click links inside e-mails unless you’re expecting them.

Stay tuned to Part 2 of How to prevent your Pics from being lifted to learn more.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.