Consumer Alerts

10/12/2023

Cybersecurity Awareness Month 

In an effort to support Cybersecurity Awareness Month, 10-D Security has developed a quick, online training called, “Spot the Phish” that is available to everyone.  Please feel free to share with colleagues, clients, and business associates.  A little learning can go a long way in avoiding an attack.  The link is https://10dsecurity.com/sharedcourses/PhishingRefresherRiseModule_Web/content/index.html.

(And this link is NOT the first test in “Spot the Phish” – it’s legit!)

Authored by:  Brad Goetsch

 

9/29/2023

Here Comes Passkeys!

The next version of Windows 11 (23H2) due October 2023 adds support for passkeys.  Google also added passkey support for Google accounts back in May of this year, and many popular websites allow you to utilize this feature as well.  So, what are passkeys?  Simply, they eliminate the traditional username and password combination for logging in to things.  The are a ton of reasons why using a username and password is broken, and passkeys represent a strong effort to make authentication quick, easy, and more secure.  From Microsoft’s description:

Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords.  Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device’s unlock mechanism (such as biometrics or a PIN).  Passkeys can be used without the need for other sign-in challenges, making the authentication process faster, secure, and more convenient.

Today, we’re just going to cover some simple advantages and disadvantages of passkeys over passwords.

Advantages

• Passkeys are more secure.  They are linked to a specific device making it more difficult than just guessing a password by a bad guy.
• Better experience for users.  Whether client or employee, forgetting a password always negatively impacts the user experience.  Passkeys eliminate this issue.
• Passkeys are always strong, where passwords are not created equally – Some are weak, some are strong.
• Passwords need to be changed periodically with many password policies.  Not true with passkeys.
• No need for password storage.  Passkeys eliminate this need.
• Associated costs of passkeys over the long-term should ultimately be lower than password authentication.

Disadvantages

• Not all websites or applications accept passkeys, leaving users trying to take advantage of this new technology while still living in a world of the old.  Adoption may be slow for a while.
• While user experience with passkeys is an advantage, adapting to new technology can be difficult for some users.
• Passkeys use biometrics to verify accounts.  A smudge of dirt on a finger, a blemish on a face may hinder verification, making something easy become a minor annoyance.
• If you don’t have your device with you, you won’t be able to authenticate.
• Losing your authentication device with passkeys is painful.  Regaining access to your accounts may require providing IDs and take considerably more time than clicking “reset password.”

Like all things, passkeys have benefits as well as shortcomings when it comes to moving to passwordless authentication.  And while in theory, passkeys sound like a silver bullet, actual implementation will ultimately determine if passkeys are better for your organization.  Look for more discussion of passkeys in our weekly security tips as adoption of use grows, and implementation and management improve.

Authored by:  Brad Goetsch, CBISO

 

9/14/2023

Pig Butchering – What to Know About this Virtual Currency Scam

The Financial Crimes Enforcement Network (FinCEN), on September 8, 2023, issued a critical alert (FIN-2023-Alert005) regarding a prevalent virtual currency investment scam known as “Pig Butchering”.  This alert serves as a warning to the public, financial institutions, and cryptocurrency service providers about the growing threat posed by this fraudulent scheme.

What is “Pig Butchering”?

“Pig Butchering” is a deceptive investment scam that primarily targets unsuspecting individuals interested in cryptocurrency investments. Perpetrators of this scheme can employ various tactics to lure victims into parting with their cryptocurrency holdings or funds, though these scams commonly begin as a romance scam.  Unlike other types of scams in which smaller and more frequent transactions occur, the butcher’s goal is generally a large, single payday that may drain the life savings of victims.

Key Characteristics of the Scam:

1. False Promises: Scammers promise high returns on investments with minimal risk, often claiming to use complex trading strategies or insider information.
2. Fake Celebrity Endorsements: To gain credibility, fraudsters may use fabricated endorsements from celebrities, industry experts, or public figures.
3. Pressure Tactics: Victims are often subjected to high-pressure sales tactics, urging them to invest quickly before the opportunity vanishes.
4. Smishing: Scammers send text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
5. Phishing: Scammers send phishing emails or direct victims to fake websites that closely mimic legitimate cryptocurrency platforms.
6. Ponzi Schemes: In some cases, funds from new investors are used to pay returns to earlier investors, creating a Ponzi-like structure.

FinCEN’s Warning:

FinCEN’s alert underscores the need for vigilance in the cryptocurrency investment space. They emphasize that investors should conduct thorough due diligence before investing in any cryptocurrency opportunity. Furthermore, individuals and businesses should be cautious of unsolicited investment offers and exercise skepticism when presented with overly promising investment proposals.

 

Actions to Protect Yourself:

1. Verify Information: Always verify the legitimacy of investment opportunities by conducting independent research and seeking advice from trusted financial professionals.
2. Beware of Red Flags: Be cautious of investment offers that promise guaranteed returns, pressure you to act quickly, or request large sums of money upfront.
3. Use Trusted Platforms: Only use reputable cryptocurrency exchanges and investment platforms with a proven track record.
4. Report Suspicious Activity: If you encounter a suspected cryptocurrency scam or fraudulent activity, report it to relevant authorities and your financial institution.

Bottom Line:

Cryptocurrency scams like “Pig Butchering” continue to pose a significant threat to investors. FinCEN’s alert serves as a reminder to exercise caution and due diligence when considering any cryptocurrency investment opportunity. By staying informed and vigilant, individuals can protect themselves from falling victim to such fraudulent schemes.

Press Release: https://www.fincen.gov/news/news-releases/fincen-issues-alert-prevalent-virtual-currency-investment-scam-commonly-known

Alert: https://www.fincen.gov/sites/default/files/shared/FinCEN_Alert_Pig_Butchering_FINAL_508c.pdf

Authored by: Josh Mourning, CCBP

 

9/7/2023

Standard Password Complexity Rules Just Don’t Cut It Anymore

Microsoft Active Directory has had password complexity requirements built-in for a long time.  Most administrators are familiar with the standard settings.  You can set a minimum length, and require complexity, which, in Microsoft’s eyes is that the password must contain at least three (3) of the following:

• Uppercase letter
• Lowercase letter
• Number
• Special character

The problem with this is that you can have some terrible passwords that meet or exceed these requirements.  Let’s say you work at a fictional financial institution named “Bank of Mordor” and set a minimum length of ten (10) characters and require complexity…you can still (and probably do!) have users that will create passwords such as:

• Password123
• Summer2023
• Bankofmordor1
• Temp123456

Note that none of those have special characters…they aren’t required based on the standard complexity rules above.  Even if your users remember their security awareness training and throw a special character (normally a “!”) on the end, it won’t help much.  Many password lists will have variations on the above, and a brute force password cracker would break these within seconds.

So, what can be done?  Unfortunately, there isn’t much available out of the box to combat this particular issue.  Here are some suggestions:

• Keep up security awareness training.  Teach users that the way a password is made up can be just as important as meeting the requirement.
• Encourage passphrases.  Introducing even one space in a password can make a huge difference in work time to crack or guess a password.  Something like “I like hotdogs!” is simple to remember and the number of variables makes it very difficult to crack.
• Consider password “blacklisting”.  This control (generally provided by a 3rd party bolt-on solution) allows you to disallow certain words or patterns in user-created passwords.  If you integrate with Azure AD (now also known as Entra ID), there may be some functionality you can already leverage.

Authored by: Jeremy Johnson, OSCP, CISSP

 

8/3/2023

MFA Notification Fatigue Attacks

I can still recall my first horror movie starring a werewolf.  The bad news was that a scary monster was coming.  The good news, there was a way to definitively stop it – just use a silver bullet!

In real life, we have scary threat actors coming after us as well.  These “monsters” are ruthless in their attack methods and are unfortunately successful too many times to count.  Though we have many defensive tools in our toolbox, a fan favorite has emerged – multi-factor authentication.

Multi-factor authentication (MFA), aka two-factor authentication, is a security measure that goes beyond the traditional username and password combination by requiring additional authentication factors.  These are typically categorized into:

• Something you know: passwords, PINs
• Something you have: smartphones, tokens, smart cards
• Something you are: biometrics such as facial recognition, fingerprints, voice recognition, retina

To successfully log in with MFA, users must provide at least two of these factors, not just the “something you know” username and password combo.  A best practice is to use out-of-band (OOB) MFA, which means the user must use a separate communication channel or medium to verify a person’s identity.  It would be far less effective to have a revolving PIN code on the user’s desktop if a threat actor has established remote command of that workstation.  Instead, a push notification to your smart device or biometrics would be far more defensive approaches in comparison.

Your silver bullet is now in the chamber and ready to fire.

But wait, this method isn’t 100% effective?  How is that possible because I am using OOB MFA and the threat actors cannot directly access my cell phone, and good luck trying to get into my offline smart watch!

According to CISA, one way to circumvent this protection is an attack method known as MFA push-bombing, a form of MFA fatigue attacks.  Push bombing is a targeted MFA fatigue attack that involves threat actors sending excessive push notifications or alerts to users, hoping they will eventually accept or respond to the notifications out of frustration or exhaustion.  To initiate a push-bombing attack, the threat actor has already compromised the user’s credentials (username and password).  They will then begin a series of login attempts performed in quick succession to attempt to “fatigue” the user into approving the request in hopes of just making the notifications stop.  Imagine all that protection at your back door only to let the werewolf simply walk in the front door!  Though CISA and regulatory agencies encourage all organizations to consider implementing fatigue attack resistant MFA, many of us are just not there, yet.

In the interim, education can be your best defense when used in conjunction with your active authentication practices.  Train your users about phishing and MFA fatigue attacks along with your traditional social engineering campaign.  Teach them that the only time they should click accept is when they have sent the request during an actual login attempt initiated by them – with zero exceptions.  Failing to accept a suspicious MFA prompt is the first goal.  Then, to report these attempts to those in charge of IT infrastructure immediately.

Striking the right balance between security and usability is important.  Consider implementing user-friendly MFA solutions in conjunction with robust Information Security Awareness education to help your organization mitigate MFA fatigue and ensure the protection of sensitive information without compromising user experience.

Authored by:  Benjamin Caruso, CBISO

 

7/27/2023

Cybersafe Travel

Whether you are traveling for business or going on vacation, information security should always be part of the itinerary. Here are several tips to ensure you have a cybersafe journey.

Be cautious when connecting to public Wi-Fi networks.   Whether you are at the airport, a coffee shop, or any other public place, there are usually multiple public Wi-Fi options available. However, attackers can take advantage of this by creating fake networks that look like legitimate ones.  To stay safe, always verify that you are connecting to the intended network’s SSID (Service Set Identifier).  For example, at Atlanta Airport, there may be an imposter network called “Atlanta Airport Wi-Fi” instead of the legitimate “Atlanta International Wi-Fi.”  If possible, confirm the correct network with the on-site staff.

Whenever possible, use a VPN while on an unfamiliar network.  VPNs will encrypt your data and make it difficult for any bad actor on the network to steal.  Especially if you must access sensitive information, be it your own or your company’s, it is always best to do so over a VPN.

Bluetooth headphones have become more commonplace as fewer devices include a 3.5mm audio port.  However, it is important to treat Bluetooth as you would any other potential avenue for attackers to exploit.  To minimize risks, disable Bluetooth when it is not in use, especially in crowded environments where the likelihood of unauthorized connections is higher.  If you are renting a car and wish to pair your phone with the car’s Bluetooth for navigation and audio purposes, consider waiting until you are out of range from other cars to ensure you select the correct device.   In crowded areas, many devices may appear similar, making it easy to inadvertently connect to the wrong one.  Also, avoid synchronizing your contacts or messages, even if you plan to remove them later.

Take steps to secure your devices before and during your travels.  It is always a best practice to keep your devices up to date with the latest security software, but when you are traveling, this becomes even more important.  Double-check you have completed any pending software updates and restart your devices before embarking on your journey.  Additionally, back up any critical data from your devices to a secure location, such as cloud storage or an external hard drive, in case your device gets lost or damaged.

If possible, consider limiting the number of devices you bring with you. Carrying fewer devices reduces the potential points of vulnerability. For instance, avoid using unencrypted USB thumb drives to store or transfer sensitive data, as they can easily get lost or accessed by unauthorized individuals. Similarly, if you happen to find a USB drive in a public place, never plug it into your computer. Cyber attackers sometimes intentionally drop USB drives containing malicious software, hoping unsuspecting people will connect them to their devices.

Authored by:  John Stephens, Security+

 

6/1/2023

Importance of Disabling Legacy applications such as Internet Explorer

“Legacy” applications are products that are no longer being supported and therefore are not releasing any updates.  When an application is no longer being supported and managed, it allows bad actors to try and find vulnerabilities that lead to access of your network or data theft.  It may not always seem like the ideal, or easiest, task getting employees on board with using the latest and greatest but when it comes to security it is the most important.

Internet Explorer 11 (IE11) is one of the most utilized applications around which has made it the most difficult for people to let go.  As web browsers are applications used for a wide variety of tasks, it is important to stay current.   For security purposes, IE11 has been disabled by Microsoft through an update to help guide users over to Microsoft Edge. The update has only been pushed out on certain versions of Windows 10 (20H2 and newer.) However, Microsoft is also working on updates that will remove the IE11 desktop icons, as well as from the start menu and the task bar.  To try and help the transition, Microsoft has released an IE mode which gives users the ability to utilize web applications that operate only with IE, within Microsoft Edge (great for environments that have kept IE around for compatibility reasons). Unfortunately, older versions of Windows (Windows 10 prior to 20H2, Windows 7, Window Server 2008 R2, etc.) will not be updated and can still use IE11.  This will leave those hosts vulnerable to current and future exploits of the deprecated application.  The best policy is to keep Windows patching up to date after updating and testing within dev and test environments first.  For further detail and to stay current on updates about the matter: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/internet-explorer-11-desktop-app-retirement-faq/ba-p/2366549.

Wherever possible, get “Legacy” applications out of your environment and help keep your network up to date and secure!

Authored by: Taylor Conder, Sec+

 

3/16/2023

Exploiting the Silicon Valley Bank (SVB) Failure

The recent high-profile failures of SVB, Signature, and Silvergate Bank have been at the forefront of our news cycle. Unfortunately, this has given threat actors the chance to seize the moment and exploit the fear and panic associated with these events. Be aware of anything related to these events. Specifically, but not limited to emails with attachments/links, social media posts, or even texts or phone calls conveying an urgent call to action or disclosure of sensitive data. Below are some scenarios that are being used to manipulate people and/or steal information.

 

Risk #1: Fraudulent Transfers

Sample Scenario:

The most typical attack vector is the impersonation of a trusted contact. For example, the threat actor will impersonate one of your suppliers or vendors via email, text, or phone call claiming that they have moved from SVB to another bank and urgently need you to wire payment to this new account.

Mitigation Steps:

Remind your employees to avoid performing transactions to accounts whose details they received via unofficial channels. Any change in existing processes must be explicitly verified. This verification should involve reaching out to the actual vendor the email claims to be coming from and validating they actually sent the request. Use existing points of contact and do not reply to the email or call any numbers provided to you to verify these changes.

 

Risk #2: Phishing for Bank Account Credential

Sample Scenario:

A threat actor sends an email, claiming to be the FDIC, SVB, or another government agency providing instructions on how to access funds. You will be asked to immediately login to your new account using your old credentials by accessing a link provided in the email. This link, needless to say, leads to a credential harvesting web page.

Mitigation Steps:

Remind your employees and customers that they should never provide credentials to sites that are accessed via links incorporated in email messages, phone calls, or SMS. Use only trusted sources such as the FDIC web site or SVB banking site to identify how to access your funds.

 

Risk #3: Spreading Panic and Misinformation

Sample Scenario:

In addition to the above direct risks, attackers and hacktivists may also attempt to leverage existing tensions to accelerate panic and uncertainty by spreading disinformation on the alleged collapse of additional banks. You may see social media messages informing you that the banks you’re working with are at risk, urging you to withdraw your funds before it’s too late.

Mitigation Steps:

Only trust official communication channels from your banks and trusted government sources and avoid forwarding uncorroborated messages via social media or other communication channels.

Additional Steps:

Utilize Security Awareness Training to heighten understanding of social engineering risks.

 

Harden email security by:

• Enforcing MFA verification on any accounts that support it.
• Disabling legacy email protocols that are more susceptible to compromise.
• Blocking access to email from risky locations using conditional access policies.
• Enabling alerting for suspicious account activity for faster response times should something occur.

Authored by: CalTech Information Security Team

 

2/2/2023

Think before you click….

Phishing emails are becoming more realistic, and it is important to know what to look for and to be on the lookout. Certain things to review in emails to confirm legitimacy can be:
• Review sender information thoroughly in the header, as that can help provide a red flag that it is not a legit email. In other words, the boss isn’t going to email you from randoemailaddress@anflkwnero.ru.
• Before clicking on any hyper-links within emails, be sure to hover over and check to see if the URL looks suspicious.
• Do not open any attachments if not expected, especially zip files and macro enabled files, as they can contain hidden malicious code. If there is any question whether the attachments are legit or not, be sure to reach out to the contact directly by phone and ask them “Did you send this?”
• Be careful when downloading any images within the email, as it’s possible, though very rare, that images could contain hidden malicious code.
• When checking emails on a mobile device, be careful as it can be more difficult to review and confirm if the email is legit. If in question, hold off and review the email more thoroughly on desktop.

Authored by: Taylor Conder, Sec+

 

1/26/2023

Lock It Down!
Whether it’s our homes, our cars, or our bicycles, we know if we truly want to keep our valuables, we need to lock them up. Leaving ourselves exposed may not always lead to problems, but we know we’re secure when we keep our items locked.

In the same way, we need to lock our digital items when we’re away. It’s far too common to see smartphones, tablets, and computers left unlocked with no one in sight. With one quick move, a malicious attacker could snag your device and take all your information along with that expensive piece of technology.

However, a long-gone device is not the only threat. An attacker could leave the device but take important information from it: usernames, passwords, banking details, or other personally identifiable information. Furthermore, an attacker could extract proprietary information from your place of business, jeopardizing not only yourself but the company you work for.

To combat this, 10-D Security recommends considering the following steps to secure your systems:
• Set a password or passcode on your devices.
• Lock your device when you need to leave it unattended.
• Implement a policy for screen locking after periods of inactivity.
• Configure the device to encrypt data.

For organizations looking to protect company applications and data on mobile phones and tablets, a Mobile Device Management (MDM) system can be implemented to enable your organization to configure and manage these security measures across all devices. There are a lot of choices out there for MDM systems, and like most things IT, they all generally work well so long as their management and oversight are consistent.

With the above steps, you can better protect your digital world from attackers waiting for the moment you’re not looking.

Authored by: Scott Schook, PenTest+, eJPT

 

10/17/2022

Healthcare Reimbursement Phishing Scams

When you request a reimbursement from your healthcare provider, it may be completed through a third-party payment processor. These payment processors often offer direct deposit payments so you can get reimbursed as soon as possible. Unfortunately, cybercriminals can use social engineering to try to steal your reimbursement.

In a recent scam, cybercriminals are sending phishing emails that appear to be related to an active reimbursement request. The emails ask you to verify your request number and other identifying information to finish processing your request. If you provide this information, cybercriminals can use it to gain access to your account by verifying your identity. Then, they can update your direct deposit information to redirect payments to their own bank accounts.

Follow these tips to stay safe from healthcare claim scams:

• Never click a link in an email that you aren’t expecting. Contact the payment processor directly by using a known phone number or email address.
• Watch out for notifications that your account information, such as direct deposit information, was changed.

Always enable multi-factor authentication (MFA) on your accounts when available. MFA adds a layer of security by requiring that you provide additional verification to log in to your account.

 

9/15/2022

Malicious Monkeypox Scams

As health-related anxiety continues to be high from the COVID-19 pandemic, cybercriminals are creating scams to target a different health concern. Cybercriminals are using fear about monkeypox outbreaks to scare you into sharing sensitive information.

In one scam, cybercriminals send you an email about the latest monkeypox outbreaks and provide a link to mandatory safety awareness training. When you click this link, you’ll be taken to a fake Microsoft login page. If you enter your login credentials, you won’t get access to monkeypox safety awareness training. Instead, cybercriminals will get access to your credentials and account.

To stay safe from similar scams, remember the following tips:

• Cybercriminals often use alarming topics to trick you into clicking impulsively. Always think before you click!
• If you receive an unexpected training notification, reach out to your manager to confirm that the training is legitimate.
• Before you click a link, hover your mouse over it. Watch out for links that are suspiciously long or show a different domain than the official website.

 

8/18/2022

Zero-Day Chrome Vulnerability No. 5 for 2022

The fifth Google Chrome zero-day vulnerability of 2022 has been disclosed.  Automatic update patches are being pushed out in stages, but anyone can manually update now.  The vulnerability, CVE-2022-2856 has a ‘high severity’ rating, and follows, CVE-2022-0609 in February, CVE-2022-1096 in March, CVE-2022-1364 in April, and CVE-2022-2294 in July.

Google Chrome is the most popular browser in the world, owning almost 65% of the market.  For more details about this zero-day vulnerability go to, https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html.

Authored by: Brad Goetsch

 

8/15/2022

Scam of the month – Using QuickBooks to make a quick buck

QuickBooks is a popular accounting software that offers free accounts to its users. While many individuals and organizations use QuickBooks to track their finances, cybercriminals have been using it to run a “business” of their own. In a new scam, cybercriminals create a free QuickBooks account and use the associated email address to send you malicious emails.

To start, cybercriminals send you a phishing email that appears to be an invoice from a reputable organization, such as Norton or Microsoft. The email includes a phone number and directs you to call if the invoice seems suspicious. If you call the phone number, you’ll be asked to confirm your credit card information to cancel the fake transaction. Unfortunately, if you share this information, the cybercriminals can use it to make their own purchases.

To protect yourself from this malicious scam, follow the tips below:

• Never call a phone number provided in a suspicious email. Instead, visit the organization’s official website to find their contact information.
• If you’re asked to verify payment information over the phone, ask the caller to tell you what they have on file. If they decline, only provide the last four digits of your payment card number.

Cybercriminals can use fake invoices to alarm you and trick you into clicking impulsively. Always think before you click!

Authored by: CalTech

 

8/4/2022

Don’t Post That Pic!

A little advice on oversharing sensitive personal information this week.  Ah, summertime.  It’s a time for relaxation and fun, but for some, it is that time of year their teenage driver FINALLY gets their learner’s permit or restricted driver’s license.  There were likely many stressful hours in the car earning this coveted piece of freedom, not to mention the countless brake checks, the thumping of a parent’s foot on the imaginary brake pedal in the passenger floorboard, or maybe just the sheer number of times that little handle above the passenger’s seat was grabbed.

But now the young driver has their license!  Not only does this open a new world of possibilities to them, but the parent also unlocked a parenting achievement, someone to run errands for them!  This achievement can make a parent (or kid!) want to boast proudly with a a picture of a young driver with their newly acquired driver’s license on social media.

There is some risk here!  Phone cameras are pretty good today, and it’s not hard at all to zoom in and clearly see the driver’s license number, legal name, date of birth, and signature!  If you want to post that picture, do the responsible thing, and blur or obfuscate that info before you post it.  It is obvious what they are holding (with the DMV in the background), don’t give the bad actors of the world that personal information so easily.

Authored by: Dave Kelly, PenTest+, CEH

 

6/30/2022

Top 8 ways to have a safe and happy Independence Day!

While you are out enjoying your 4th of July holiday, here are a few tips to keep in mind:

• Avoid storing fireworks in server rooms . . . or in the cloud;
• Make sure your family turns on the Find my phone feature before you go to the fireworks show.  Somebody always puts their phone down and they can’t find it in the dark.
• When grilling, keep tablets and smartphones away from the grill.  Your melted device may limit your MFA capability;
• Stay off public Wi-Fi networks, or your ‘Independence’ might be hampered for a while;
• Think twice before using any fireworks that have a USB connection and require the installation of “drivers;”
• When using an old server as a boat anchor remember to remove and destroy the hard drives first; and
• If the fireworks are being sold out of a back room and they ask if you’re an ATF Agent, you may want to find a new store to shop!

 

6/23/2022

ELDER FINANCIAL EXPLOITATION – ENOUGH IS ENOUGH

Sadly, we’ve all seen, heard, or read articles regarding the proliferation of scams during the past two years.  I would venture to guess that most of you are like me … nothing gets my blood boiling more than hearing about those schmucks out there who have scammed and defrauded an elderly person.  I remember my own parents and grandparents and how hard they worked for every dime they earned, and I can’t understand how anyone would think it’s acceptable to exploit the elderly population.

On June 15, 2022, FinCEN issued an advisory which highlights behavioral and financial red flags to help financial institutions identify, prevent, and report suspected elder financial exploitation (EFE).  EFE is defined as the illegal or improper use of an older adult’s funds, property, or assets.  The advisory points out that elder abuse, including EFE, affects at least 10% of older Americans each year and that the estimated dollar value of suspicious transactions linked to EFE exceeded $3.4 billion in 2020.  What’s even more upsetting is that many of the perpetrators are known and trusted persons of the older adults, but there is a rising trend of scams that originate outside of the U.S. by individuals that have no relationship with the victim.

Many years ago, FinCEN added a specific category for EFE to the suspicious activity report (SAR).  But in addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the Department of Justice’s National Elder Fraud Hotline (833-FRAUD-11).  Many states also have requirements that financial institutions contact local law enforcement or the applicable state’s Department of Aging or similar agency to report such activity. If you aren’t filing EFE SARs, you may need to beef up your controls – keep in mind that according to FinCEN the MAJORITY of EFE incidents go unidentified and unreported.

The newest advisory is linked here for your convenience.  Even if you think, “Oh, that’s a Compliance or BSA matter” – think again.  We all have elderly loved ones who can fall victim to a scam, so educate yourself and help protect them!  https://www.fincen.gov/sites/default/files/advisory/2022-06-15/FinCEN Advisory Elder Financial Exploitation FINAL 508.pdf

Authored by:  Joann Lang, CAMS, CIA, CCBP

 

6/16/2022

Memory Lane

As 10-D is approaching our 18^th year and it has fallen to me to write the WST this week, it got me wondering what some of our first weekly security tips were about.  So, I dug around in the archives and found some classic topics from our first year of tips; Java, Vishing & Smishing, Remote Access & Multi-Factor Authentication, ATM skimming, and password management, just to name a few.

One in particular caught my eye regarding password length.  Remember when the password length recommendation was 8 or more characters?  That was the message of this early WST.  It even included a chart noting it would take a hacker 115 days to crack an 8-character password.  Today, the bad guys will crack your 8-character password in 8 hours.  Yes, the bad guys are getting better, too.

Currently, 10-D recommends 10 or more characters using numbers, symbols, and upper- and lower-case letters.  Make it a passphrase so it is easier to remember and save yourself some reset headaches.  These changes will bump up hack time to about 5 years, so you should be well on to a new password by the time they crack this one!

Authored by: Brad Goetsch

 

6/2/2022

New Zero-Day Vulnerability Affecting Microsoft Products

On May 30, Microsoft reported a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).  Dubbed “Follina,” this vulnerability could be exploited by a malicious attacker to execute arbitrary code on a Windows system using the MSDT URL protocol via Microsoft Office applications (such as Microsoft Word).  Microsoft is reporting that an attacker that successfully exploits this vulnerability could install unauthorized programs, impact data, or conduct other unauthorized activity on an impacted system, including running arbitrary code.

At this time, no patch is available for this vulnerability.  Microsoft has provided workarounds for this issue, listed in the link below.  Basically, the workaround uses the Windows registry to disable the MSDT URL protocol.  For people and organizations using Microsoft Defender products for antivirus, Microsoft also provides additional guidance in the same article: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

As always, testing is important!  Consider working with your technical resources to test system changes before rolling them out to your whole organization.

We are also seeing that many antivirus vendors are pushing antivirus definition updates that can detect and block this vulnerability.  Organizations may want to check with their antivirus vendors to understand any recommended actions specific to their product. 

Authored by David Bentley, CISSP

 

5/19/2022

Do your backups match your expectations?

A previous WST (https://10dsecurity.com/wst/building-blocks-of-a-business-impact-analysis.html) described what a business impact analysis (BIA) is and how it’s a key component of your business continuity program and disaster recovery success.  If you’ve done the work to define recovery point objectives, have you also made sure that your backups actually match your needs?  For instance, if a server has a recovery point objective of eight hours but you are only backing it up every twenty-four hours, your backups are misaligned!  Should system recovery be necessary, data loss beyond eight hours may be experienced.  When updating and reviewing the BIA, we recommend that you include a review of your backup retention schedule to ensure that all backups meet the institution’s BIA requirements for recovery point objectives.  You may find systems that you need to expand backup frequency.  Or, you may find BIA requirements that are unrealistic or unattainable.  In those instances, it may be wise for the institution to adjust expectations or develop other processes to resolve the planning gaps.

Authored by: David Matt, CISSP, CEH

 

5/12/2022

Are You Sure That Laptop is Secured?

One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops.  With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls.  Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons.

When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.”  While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.

Application data – Many applications will keep working copies of files, at least in temporary storage.  For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files.  Think of it as a scratch pad the application uses, which could include almost any content from the file being edited.  If the application ends abnormally, that temporary data may accumulate instead of being deleted normally.  Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information.

Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well.  These files are usually hidden from the end user seeing them, but they also can contain some sensitive information.  Not as likely to include customer data, but these temporary files could provide useful information for a potential attacker as there may be user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.

Deleted files – Wait, how are deleted files a risk?  Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information.  An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf.  Deleting the index listing will make it harder to locate the book, but it will still be there.  That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object.  There are special applications made for discovering the data from “deleted” files, available to any motivated person.

Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation.  As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive.

Intentional – Even when the institution is operating with the best of intentions, it is not uncommon for a rogue individual to intentionally circumvent the rules or inadvertently save files to their desktop.  They may only be taking home a file to work on over the weekend, but it is a potential risk, nonetheless.

There is a simple solution, and that is whole disk encryption. Most versions of Microsoft Windows have the functionality built in (BitLocker) and only need it to be configured (by a qualified IT administrator).  Whether built-in encryption or another readily available commercial solution is used, implementation will result in well-protected storage on the laptop (this functionality also exists for desktops).  If a laptop with encrypted storage is lost or stolen, the institution will be out the value of the device but will have a substantially lower risk of information disclosure.

Authored by: Jim Baird, CBCP, TCNA