
True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Dunkin' Donuts Accounts Compromised in Second Credential Stuffing Attack in Three Months

Dunkin' Donuts announced today that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts.

This marks the second time in three months that the coffee shop chain has notified users of account breaches following credential stuffing attacks.

Credential stuffing is a cyber-security term for a type of cyber-attack in which hackers take combinations of usernames and passwords leaked at other sites and replay them to gain unauthorized access to accounts on new sites, relying on users having reused the same credentials.

Dunkin' Donuts reported a first credential stuffing attack at the end of November (the actual attack occurred on October 31). Today, the company reported a second credential stuffing attack (attack happened on January 10).

Just like in the first, hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts for other Dunkin' Donuts products.



Why You Should Choose a Pseudonym at Starbucks

Innocently providing your name at your local coffee shop is just an example of how easy it can be for miscreants to cut through the ‘privacy’ of social media accounts.

When Starbucks introduced personalising the coffee shop experience by writing customers’ names on their coffee cups, people felt violated. Why on earth would a coffee chain want to know your name?

Once coffee drinkers came round to the idea that the baristas were demanding their names, a wave of uproar began across social media from those whose names had been spelt incorrectly. Admittedly, it would increase the queue length if each time you were asked how to spell your name – “is that with or without an E?”. There is a theory that this misspelling is actually on purpose, so that people will turn to social media with a photo of their branded coffee cup to complain about their barista not knowing how to spell “Bob” or whatever ‘straightforward’ name they possess.

Anyway, once you have given your name to the barista (and any prying ears in the queue), you are giving away something very personal to unknown entities. It might not feel that significant at the time as you wait for your skinny-single-shot-sugar-free-vanilla-latte but giving away anything personally identifiable could ultimately be used against you.

Starbucks don’t ask for ID so should we think of a pseudonym or a code word instead? Here is a real-life example why you should at least think about making up a new name…

Recently, whilst on the train to London, I was sat behind a man accompanied by a laptop and a personalised coffee cup. He opened his laptop and signed in (it was not full disk encrypted I hasten to add, tut tut) and I could see a company logo physically on the laptop and as the desktop background: I couldn’t read every word but I knew the company well enough to recognise it. Now, added to the fact I knew his first name, I could start my open source research on him.

Within moments of searching his company on Google, I found his full name on the firm’s ‘About’ page, complete with head shot and bio. Next, I turned to LinkedIn (using my limited second profile to reduce personal tracks which would tell him I’ve been snooping on his page) and located his career history. LinkedIn also offered me his personal email, twitter handle and hobbies from his bio.

Switching to Twitter, I located his contacts, family connections and even children’s names. His wife’s Facebook was open and included lots of photos of their two pets. She seemed very proud of their wedding photos and dates (albeit I didn’t have the year just day and month).

Moving to Strava, a fitness activity sharing app, I was able to put in his name and locate his profile showing me his recent run and cycle routes. The thing about Strava, and other fitness logging apps, is that they show anyone recent routes, so when most people start and finish their training at either their home or work address, it tells the world where they live and work!

With his daughter’s name, I moved to Instagram. Although her account was private, it took less than half an hour to befriend her from my fake account (you would be surprised how few background checks teenagers do on accounts wanting to follow them). Wading through the endless selfies and food photos, I was able to find a happy birthday photo to her Dad plus a rather significant happy anniversary message to her folks, which now gave me the year of his wedding too.

To top it off, while I was watching him work, he was noticeably having fingerprint issues with his phone, so after each unsuccessful attempt to unlock his screen, he would then revert to typing in a 6-digit code which I could view. This was his first daughter’s date of birth: that would have been my second guess after his wedding anniversary.

At this point, many people are possibly thinking “who cares?” or “what can a hacker really do with my information?” This attitude is what’s getting many people into trouble with their cybersecurity. Whilst banks are reducing how often they refund such instances, the problem will only increase. Hackers can and will make your life a misery using targeted attacks.

Even if you are sitting there thinking that your security is foolproof, what information is given away via your family and how good is their security? If your partner’s email got hacked and you received an email from him or her asking a relatively normal question like “what’s our banking password again, darling?” Would you be tempted to respond or would flashing lights and alarm bells go off?

So how do we overcome this issue? And how long before the banks don’t even chase any of the money that has been unfortunately swindled?

Awareness training has limitations and e-learning rarely benefits a company, so the answer lies fundamentally in shifting culture. Making people aware is one thing but making them better is another. For example, we all know not to reuse passwords, but so many people still take that risk every single day.

People don’t change very easily and when people don’t care about the issue, it makes it harder to persuade them not to fall into potential pitfalls. If I spin the argument around I think the answer could in fact lie with the cybersecurity industry itself: companies who make it compulsory to use a unique password and authenticator app to sign in, would soon give their data and networks a stronger defence.

Inevitably, there will be an immediate outcry from and torrent of angry tweets by inconvenienced customers. However, if people don’t change by choice, making security mandatory will soon make companies and their customers much safer, without having to worry about splashing our data on our personalised coffee cups.



True North Networks Ranks High in 2019 T3 Software Survey


Swanzey, N.H.: The 2019 T3 Software Survey Report shows that True North Networks, LLC, ranks as the IT service provider with the highest satisfaction ranking among eight hosting/cybersecurity resources used by financial advisors, ranks fourth in market share and ranks first among programs survey respondents were thinking about adding. Sponsored by Orion Advisor Services and Morningstar, Inc., Bob Veres and Joel Bruckenstein analyzed the survey responses of over 5,500 financial advisors and shared the report at the 16th Annual T3 (Technology Tools for Today) Advisor Conference.

Located at 15 Business Center Drive, Swanzey, New Hampshire, True North was established in 2002 as a secure, remote-access IT provider. It has since developed into a full-fledged managed service and private cloud hosting provider specializing in supporting the Registered Investment Advisor industry and other professional organizations.

True North Networks has supported the RIA industry for more than a decade, with clients located throughout the country. Its President and Founder, Steve Ryder, whose background includes positions as vice president of two banks, said, “Especially in the highly regulated financial industry, it’s vital that advisory firms have an IT partner providing comprehensive protection, proactive monitoring and employee awareness training as part of a layered approach to securing sensitive information. That’s what we do for our clients.”

True North Networks helps its clients be more productive by designing, delivering and servicing tailored network solutions, pledging to equip them with the best security solutions available and to provide the highest level of service in the industry. In addition to its headquarters in Swanzey, it has offices in Chichester, New Hampshire, Scarborough, Maine, Pittsburgh, Pennsylvania, and Houston, Texas. To learn more, visit or call 603-624-6777.


Seven Cybersecurity Rules for Financial Advisors

Here's how financial advisors can mitigate the risks of cyberattacks, according to Steven Ryder, president of True North Networks.

Cybersecurity was a major theme at this year’s T3 Advisor Conference—and for good reason. Financial services are naturally attractive to criminals. In 2017, the sector experienced the highest volume of cybersecurity incidents and the third-highest volume of cyberattacks across all industries, according to an IBM security report. The same report found that in 2017, more than 2.9 billion records were leaked from publicly disclosed data incidents and ransomware attacks alone cost companies more than $8 billion around the globe. Steven Ryder, president of True North Networks, presented suggestions for mitigating those risks at the 2019 T3 Advisor Conference.

Many IoT-connected devices were designed with convenience, not security, in mind. Routers tend to have a built-in firewall—don’t bypass it for your IoT devices. Even better, isolate them on a separate network segment.

As voicebots continue to increase in popularity, it may be tempting to keep them in your office. If you do, make sure to keep your personal and business bots separate, says Ryder. Other security experts recommend keeping voicebots completely out of the office.

Train employees not to click on things they shouldn’t be clicking on, says Ryder. Regular reviews will help employees avoid making mistakes.

Even if you are expecting an email with a link, consider navigating to the website or link outside of the email.

Use pass phrases to stop credential stuffing, a type of cyberattack that capitalizes on reused usernames and passwords. Consider using a password manager to prevent the reuse of credentials and use multifactor authentication whenever possible.

Intruders can spend hundreds of days on someone’s network, exploring and probing, before they make a move that affects your business, says Ryder. An expert can help prevent intrusion.

“Do not think that your antivirus is a magic bullet, because it isn’t,” says Ryder.
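Credential stuffing, defined in the Dunkin' Donuts post above and named again in the pass-phrase rule, has a recognisable signature on the receiving site: one source tries many different usernames in a short window and most attempts fail, and any attempt that succeeds marks an account whose reused password worked. The following detector is an added example, not code from the page or from True North Networks; the log format, the sample log lines and the thresholds are constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs and list the
accounts that should get a forced password reset (added example; log
format and thresholds are assumptions, not a real product's format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO-8601 time> <source ip> <username> <ok|fail>".
# 203.0.113.7 sprays seven different accounts in five seconds (one succeeds);
# 198.51.100.9 is one user failing twice then logging in; 192.0.2.33 is a normal login.
SAMPLE_LOG = """\
2019-01-10T08:00:01 203.0.113.7 alice fail
2019-01-10T08:00:02 203.0.113.7 bob fail
2019-01-10T08:00:02 203.0.113.7 carol fail
2019-01-10T08:00:03 203.0.113.7 dave fail
2019-01-10T08:00:03 203.0.113.7 erin ok
2019-01-10T08:00:04 203.0.113.7 frank fail
2019-01-10T08:00:05 203.0.113.7 grace fail
2019-01-10T08:01:00 198.51.100.9 alice fail
2019-01-10T08:01:30 198.51.100.9 alice fail
2019-01-10T08:02:00 198.51.100.9 alice ok
2019-01-10T09:00:00 192.0.2.33 bob ok
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "ok"))
    return events


def find_stuffing_sources(events, window_seconds=60, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose activity looks like credential stuffing.

    A source is flagged when, within any window_seconds span, it tried at least
    min_distinct_users different usernames and at least min_fail_ratio of those
    attempts failed. A burst against a single account (plain brute force or a
    forgetful user) never matches because its distinct-user count stays at one.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window spans at most window_seconds.
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if len(users) < min_distinct_users or failures / len(window) < min_fail_ratio:
                continue
            # Successful logins inside a flagged burst are the accounts whose
            # reused password worked: these need a reset and a step-up (MFA) check.
            hits = {u for _, u, ok in window if ok}
            summary = alerts.setdefault(
                ip, {"attempts": 0, "distinct_users": 0, "compromised_accounts": set()}
            )
            summary["attempts"] = max(summary["attempts"], len(window))
            summary["distinct_users"] = max(summary["distinct_users"], len(users))
            summary["compromised_accounts"] |= hits
    return alerts


if __name__ == "__main__":
    for ip, s in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {s['attempts']} attempts across {s['distinct_users']} accounts; "
              f"accounts to reset: {sorted(s['compromised_accounts'])}")
```

On the constructed log only 203.0.113.7 is flagged, with erin listed for a forced reset; the single-account retries from 198.51.100.9 are not, which is the distinction between stuffing and ordinary password guessing.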



True North Rated as One of the Top Cloud Hosting & Cybersecurity Providers

Keeping up with the financial services professional technology sector is no easy task, and one could say the same for tech companies trying to adapt to the changing landscape of the financial planning profession. Advisors are evolving, and they readily acknowledge that they are struggling to stay ahead of the technology knowledge curve. In the largest survey of its type in the industry, with over 5,500 responses, Bob Veres and Joel Bruckenstein shed new light on the market share of most software applications used by financial advisors as well as their satisfaction with these products. This year’s survey was sponsored by Orion Advisor Services and Morningstar, Inc.

Most Valuable Tool: Respondents overwhelmingly (52.29%) cited CRM software as their most valuable software tool, followed by financial planning software (22.90%) and portfolio management software (12.38%). The authors view this as a positive industry trend.

Top finding: Of those surveyed, over 85% believe that the CFP Board should grant continuing education credit for technology, as they do for other core competencies. Many advisors are moving from investment-centric value propositions (relying primarily on portfolio management and investment data tools) to planning-centric (relying primarily on a different set of software), while others are making a further evolution toward service-centric, where increasingly sophisticated CRM may be the heart of the business.

According to Bob Veres, co-producer of the survey: “This indicates a profession that has migrated away from an investment return focus (portfolio management software) to one focused on client service (CRM software).”

Joel Bruckenstein, the survey’s other co-producer says: “Younger planners were much more likely than older advisors to cite financial planning software as their most valuable tool. 33.79% of advisors in our youngest cohort cited financial planning as most valuable vs. 16.64% in our oldest cohort.”


Each year, different options, deeper integrations, new entrants and custodial adaptations create a dynamic marketplace. The third annual T3/Inside Information Software Survey is an attempt to provide a snapshot of the state of the industry. Once again, it serves a dual function: first, to help advisory firms evaluate their options. In an effort to be more comprehensive, the producers expanded the survey to include 20 different industry categories. Any potential buyer or user of advisor technology is likely to get an education simply by being exposed to the more than 500 tools and resources rated, categorized or reader-added in the course of the survey.

Once again, the survey collected user satisfaction ratings, so advisory firms would be able to see how satisfied existing users were with each software program they may be using. And in some categories, the survey producers broke down the market share information more finely, according to years in the business, business model and size of the firm, so that readers could see which programs are most popular with firms and advisors who look like them.


Update now! Chrome and Firefox Patch Security Flaws

It’s 2019’s first browser update week with both Google and Mozilla tidying up security features and patching vulnerabilities in Chrome and Firefox for Mac, Windows, and Linux.

But for Chrome security in version 72, it’s more about what’s being taken out than what’s being added.

One of these changes is the deprecation of support for the obsolete TLS 1.0 and 1.1 protocols, with a view to removing support completely by Chrome 81, scheduled for early next year (the same will apply to Firefox, Microsoft Edge and Apple’s Safari). This will affect developers rather than users, who will still be able to connect to the tiny number of sites using TLS 1.0/1.1 for another year.

However, one standard that is completely banished in Chrome 72 is HTTP-Based Public Key Pinning (HPKP), deprecated from version 67 last May.

An IETF security standard designed to counter digital certificate impersonation, HPKP’s problem wasn’t obsolescence so much as doubts about the unintended problems it could cause. Consequently, uptake was low.

Also on the slippery slope is FTP, which Google considers to be a legacy protocol that it’s time to migrate away from. The latest version will only render directory listings, downloading anything else.

An interesting tweak is the integration of WebAuthn APIs to allow users to authenticate using FIDO U2F keys and Windows Hello. Although still not defaults – and no major websites offer WebAuthn in anything other than a test state – it’s a necessary stage for enabling this by default in a future release.

Security fixes

Chrome 72 fixes 58 CVE-level flaws, including 17 rated ‘high’ severity and one ‘critical’, identified as CVE-2019-5754 and described simply as an “inappropriate implementation in QUIC Networking.”

Continuing its six-week schedule, the next version, Chrome 73, is due out on 12 March, with version 74 appearing on 23 April.

Part of this update will see Chrome warn users when they visit lookalike URLs meant to resemble popular websites.

Firefox 65

Naked Security has already covered the new content blocking setting added to Firefox 65, but this also patches seven CVEs, including three marked ‘critical’ and two ‘high’.

The criticals include CVE-2018-18500 (reported by SophosLabs’ researcher Yaniv Frank), described as:

A use-after-free vulnerability that can occur while parsing an HTML5 stream in concert with custom HTML elements.

Also fixed are CVE-2018-18501 and CVE-2018-18502, both memory safety flaws plus CVE-2018-18504, a memory corruption issue, and CVE-2018-18505, a privilege escalation affecting Inter-process Communication (IPC) authentication.

Continuing the memory theme, Linux, macOS and Android versions get protection against ‘stack smashing’, which attackers can use to take control of a browser process.



Too Few Cybersecurity Professionals is a Gigantic Problem for 2019

As the new year begins gaining steam, there is ostensibly a piece of good news on the cyber front. Major cyber attacks have been in a lull in recent months and still are.

The good tidings are fleeting, however. Attacks typically come in waves. The next one is due, and 2019 will be the worst year yet — a sad reality as companies increasingly pursue digitization to drive efficiency and simultaneously move into the “target zone” of cyberattacks.

This bad news is compounded by the harsh reality that there are not nearly enough cybersecurity pros to properly respond to all the threats.

The technology industry has never seen anything quite like it. Seasoned cyber pros typically earn $95,000 a year, often markedly more, and yet job openings can linger almost indefinitely. The ever-leaner cybersecurity workforce makes many companies desperate for help.

Between September 2017 and August 2018, U.S. employers posted nearly 314,000 jobs for cybersecurity pros. If they could be filled, that would boost the country’s current cyber workforce of 714,000 by more than 40%, according to the National Initiative for Cybersecurity Education. In light of the need, this is still the equivalent of pocket change.

Global Gap of Nearly 3 Million Cybersecurity Positions

In a recent study, (ISC)2 – the world’s largest nonprofit association of certified cybersecurity pros – said there is now a gap of almost 3 million cybersecurity jobs globally – substantially more than other experts said might be the case years into the future.

Companies are trying to cope in part by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can never do more than mitigate the problem. Big companies have their hands full, and it’s even worse for smaller enterprises. They’re attacked more — sometimes as a conduit to their larger business partners – because their defenses are weaker.

So what kind of cyber talent are companies and government entities looking for?

Preferably, they want people with a bachelor’s degree in programming, computer science or computer engineering. They also warm up to an academic background replete with courses in statistics and math. They want cybersecurity certifications as well, and, of course, experience in specialties plagued by staffing shortages, such as intrusion detection, secure software development and network monitoring.

These are ideal candidates, but, in fact, the backgrounds of budding cyber pros need not be nearly this good.

Only Recently Has Formal Training Existed

Cybersecurity has long been a field that has embraced people with nontraditional backgrounds. Almost no cybersecurity pro over 30 today has a degree in cybersecurity and many don’t even have degrees in computer science. Professionals need some training to become familiar with select tools and technologies – usually at a community college or boot camp — but even more they need curiosity, knowledge of the current threat landscape and a strong passion for learning and research. Particularly strong candidates have backgrounds as programmers, systems administrators and network engineers.

Asking too much from prospective pros isn’t the only reason behind the severe cyber manpower shortage. In general, corporations do too little to help their cyber staffs stay technically current and even less when it comes to helping their IT staffs pitch in.

(ISC)2 formalized a study of more than 3,300 IT professionals less than 18 months ago and learned that organizations aren’t doing enough to properly equip and power their IT staffs with the education and authority to bolster their implementation of security technologies.

Inadequate Corporate Cyber Training

One key finding was that 43% of those polled said their organization provides inadequate security training resources, heightening the possibility of a breach.

Universities suffer shortcomings as well. Roughly 85 of them offer undergraduate and/or graduate degrees in cybersecurity. There is a big catch, however. Far more diversified computer science programs, which attract substantially more students, don’t mandate even one cybersecurity course.

Fortunately, positive developments are popping up on other fronts. Select states have begun taking steps to help organizations and individuals alleviate a talent shortage by building information sharing hubs for local businesses, government and academia — all revolving around workforce development.

Georgia recently invested more than $100 million in a new cybersecurity center. A similar facility in Colorado, among other things, is working with area colleges and universities on educational programs for using the next generation of technology. Other states have begun following in their wake.

On another front, there is discussion about a Cybersecurity Peace Corps. The model would be similar to the original Peace Corps but specific to nascent cybersecurity jobs. The proposed program — which would require an act of Congress and does not yet exist — would place interested workers with nonprofits and other organizations that could not otherwise afford them and pay for their salaries and training.

Cyber Boot Camps and Community College Programs

Much further along are cyber boot camps and community college cybersecurity programs. The boot camps accept non-programmers, train them in key skills and help them land jobs. Established boot camps that have placed graduates in cyber jobs include Securest Academy in Denver, Open Cloud Academy in San Antonio and Evolve Security Academy in Chicago.

There are also more than a dozen two-year college cybersecurity programs scattered across the country. A hybrid between a boot camp and community college program is the City Colleges of Chicago (CCC), which partners with the Department of Defense on a free cybersecurity training program for active military service members.

A small handful of technology giants have also stepped into the fray. IBM, for example, creates what it calls “new collar” jobs, which prioritize skills, knowledge and willingness to learn over degrees. Workers pick up their skills through on-the-job training, industry certifications and community college courses and represent 20% of Big Blue cybersecurity hires since 2015.

Technology companies still must work much harder to broaden their range of potential candidates, seeking smart, motivated and dedicated individuals who would be good teammates. They can learn on the job, without degrees or certificates, and eventually fit in well. You can quibble with how much time, energy and work this might take. It’s clear, however, that there is no truly viable alternative.



Want to Help Stop Cybersecurity Breaches? Focus on Human Error

When you think about cyber security incidents, the images that are likely to come to mind are nefarious hackers breaking into a corporate network to steal data or a ransomware attack that shuts down systems at a bank or a hospital.

The fact is, research has shown that the majority of information security attacks stem from human error, not from malicious intent. With the first quarter of the year and the busiest hiring season underway, it's imperative that organizations put together a training plan for new employees who are not up to speed on cyber security basics, according to the National Cybersecurity Center (NCC).

The non-profit organization, which helps business executives protect against cyber attacks, said employee education and applying common sense practices need to be a priority at companies -- and could end up saving them millions of dollars.

Here are steps organizations can take to provide employee education and training to mitigate attacks caused by human error, according to Jonathan Steenland, COO of the NCC.

Most security awareness training is conducted by IT, which means it's focused on information security as a topic and doesn't emphasize the human element of the risk sufficiently. Effective training includes content that addresses the threat's psychological, behavioral, and economic aspects, Steenland said, with practical advice on how to spot scams and protect data.


Take staff demographics (age, technical proficiency, etc.) into account and create a program that focuses on employees' lives and the risks they face. "Most people can't fathom losing millions of dollars due to an organizational data breach," Steenland said. "But they can imagine having their personal bank account hacked and their money stolen. Make it personal."

Too many companies create cheesy, overly long security awareness training modules that seem designed to tick yet another compliance box, Steenland said. IT and security executives need to work with the marketing team to come up with bite-sized training modules with snappy taglines and engaging graphics. These should grab employees' attention and deliver a compelling call to action. 


Let employees know there will be tests, such as a white-hat phishing expedition or an unescorted visitor in the workplace, to see how employees use their new knowledge to spot scams and intruders. Follow-up testing also provides a baseline to measure the training's effectiveness, so that the company can gauge security program maturity going forward.


To get true buy-in on security awareness training, it's a good idea to enlist key influencers within the organization to serve as ambassadors for the program. "A 'train the trainer' effort can extend program reach beyond the original modules, and help make security awareness a core component of company culture," Steenland said.



$18.6 Million Gone: Business Email Compromise at a Whole New Level

Business Email Compromise (BEC) is heavily tied to social engineering, where criminals con their way into victims'

And our team just came across an incredible example of BEC that takes this crime to a whole new level.

Chinese hackers steal $18.6 million in BEC scam

The Economic Times of India is reporting on an Italian company that had its operations in India taken for a ride through Business Email Compromise and more:

The hackers sent emails to the head of Tecnimont Pvt Ltd, the Indian subsidiary of Milan-headquartered Tecnimont SpA, through an email account that looked deceptively similar to that of group CEO Pierroberto Folgiero, according to a police complaint, which ET has seen.

The hackers then arranged a series of conference calls to discuss a possible “secretive” and “highly confidential” acquisition in China. Several people played various roles during these calls, pretending to be the group.

The hackers convinced the India head that the money couldn’t be transferred from Italy due to regulatory issues.

So the Indian arm of this Italian company made three transfers to a Hong Kong bank over the course of a week in the fall of 2018: $5.6 million, $9.4 million, and $3.6 million.

The investigation has since revealed that those Hong Kong accounts were opened with fake identification documents and the money is gone.

Business Email Compromise, more sophisticated than ever

This topic really caught our attention because we just sat in on a SecureWorld web conference on NextGen Business Email Compromise.

This case proves the point made by KnowBe4 Security Awareness Advocate Erich Kron. He says a challenge for organizations now is that many underestimate the sophistication and urgency of these BEC attacks. 

"Sophisticated hackers have moved way beyond misspelled, poorly-formatted emails. Now, they turn the tables on employees, often by using fear as a trigger as if that person needs to act right now to avoid consequences for the organization or the employee."

And when you transfer $18.6 million in a week as part of a BEC scam, clearly, hackers created a sense of urgency.

Someday, someone will probably make a movie out of a heist like this. The orchestration, the planning, the conference calls full of criminals, one of whom even sounded like the company's CEO.

It is not only an incredible story. It's an incredible story of caution for CISOs, CFOs, and anyone who could be a money-making target at organizations around the globe.

The company fired its India chief and the head of accounts and finance because of the scam.


End of Windows 7 Support Could Spark PC Boom

Microsoft to discontinue free support for the popular OS, forcing upgrades to Windows 10

The days of free support for Windows 7, one of the most popular commercial and consumer operating systems in the world, will end in January 2020. Businesses will have the option of buying extended support contracts or upgrading to Windows 10. And the upgrading could spark a boom in PC sales in 2019.

The Lowdown: Microsoft announced that its free support and patching for Windows 7 will stop Jan. 14, 2020, ending five years of free maintenance and patching. Microsoft will offer business users Windows 7 Extended Security Updates (ESUs) on a per-user basis, with the price increasing annually until the operating system reaches its end of life. Microsoft Windows Virtual Desktop service customers will receive the ESU at no additional cost.

The Details:  In addition, Microsoft will stop providing support for Office 365 ProPlus running on Windows 7. Businesses can buy the ESU for the productivity package for an additional three years. Other products scheduled to have their free support end in 2020 include Exchange Server 2010, Windows Server 2008/R2, and Windows 7 for Embedded Systems.

The Impact:  Windows 10, the current Microsoft operating system, recently surpassed Windows 7 among desktop and notebook operating systems. Windows 10 has a 39 percent market share, while Windows 7 has 37 percent. In real numbers, this means more than 700 million personal computers running Windows 7 around the world need either ESUs or upgrades to Windows 10.

Background: Microsoft made no secret of its plans to discontinue free patching and support for Windows 7. Demand for new PCs running Windows 10 increased in the second half of 2018. Unfortunately, a shortage of Intel Xeon and Core processors caused inventory shortfalls that blunted PC sales. Analysts anticipate those sales will rebound in 2019 as more businesses choose to refresh their PC fleets concurrent with an upgrade to Windows 10.

Channelnomics Point of View:  PC sales have declined steadily over the past seven years, mostly because consumers moved their primary computing to tablets and smartphones that run non-Windows operating systems. PC shipments peaked in 2011 at more than 365 million units; in 2018 they totalled just 254 million. The end of support for Windows 7 could prompt more businesses to refresh their PC fleets, opening tremendous opportunities for vendors and partners to cross-sell and upsell complementary products as well as managed and cloud services. The wild card in the equation is Intel, which is trying to ramp up processor production to meet demand.


Is Your Business Prepared for a Winter Storm?

What would you do if your business were pummeled by a winter storm that caused power outages and cut off access to your office for staff and clients?

Disaster recovery planning is a must in a situation like this. Consider the impact a storm can have and make sure you have a plan in place: understand your vulnerabilities, safeguard against the risks, and prepare for the worst.

Steps that protect your business during a storm include preparing your building and checking for leaking pipes that can become a hazard in freezing temperatures, clearing snow from around the building and off the roof, and obtaining a backup generator in case you lose power. For more basic tips before and during a winter storm, head to

If you'd like more information about how to make sure your business doesn't suffer during hazardous weather, check out our Natural Disaster Survival Guide for Businesses. The guide covers the risk levels and potential impact of various disasters, how disaster recovery planning can keep your business running, and more. Above all, stay safe during the storm!

Resource taken from:

CES IoT security – Do You Know Who Your Home is Talking To?

There’s a digital treasure trove to be had in your home so you should take steps to protect it.

There isn't a square meter of the show floor here at CES that doesn't have some gadget connected to the internet. Whether tiny robots, your next house lighting controller or a new-fangled drink machine, it's all connected. And while we've worked with multiple IoT manufacturers to secure their devices once we found vulnerabilities, the sprawl of potentially vulnerable devices here is simply overwhelming.

For example, multiple vendors offer partial (or total) control of the house by voice. While it's cool to have the house open the curtains when you walk in and tell it to, there's a downside. If someone could capture your voice, it's easy to envision replay attacks in which your house opens the doors, or those same curtains, so an intruder can see what's going on inside. Knowing whether anyone is home would be invaluable to would-be burglars before they attempt a break-in.

This rush-to-market vibe runs amok here at CES: the idea that your company needs to show the latest thing to capture market share and development capital. Hopefully, security catches up along the way.

It's easy to imagine whole-home ransomware, where rogue actors take over these automation systems, lock you out of them, and then try to fleece you for money and/or drain the bank account tied to a voice-activated ordering platform.

One company has a digital toothbrush that records your brushing patterns and tracks trends over time. The dental industry and its insurers might view such granular information as a gold mine for marketing and for setting premiums. Privacy comes to the fore, along with GDPR-style personal-data questions, in this case about very personal data. This and the other medical sensors on display walk a fine line; privacy issues aside, a data leak would be embarrassing and potentially damaging for both the victim and the IoT provider.

As sensors become more central to how we live, approach healthcare and get around, the attack surface grows rapidly, especially once those sensors are connected to the internet. It's now possible to have digital spies in your house in whole new ways, but would you really know if they were there?

There's a digital treasure trove in your home, and at the center of it all is your home router. You know, the one whose firmware you haven't updated (or for which no update is available) since you bought it back in the day? Keeping track of this important digital intersection will matter more and more, refocusing the digital defense industry on defending home networks that will become more complex and diverse than the corporate networks of yesteryear.

And while it's probably not life threatening if one of those underwater robot fish they have here (really) for your low-maintenance koi pond goes berserk, it might still be time to update your router and home security solutions to keep an eye out for rogue machines in your house. After all, you may not know that they've been revealing your deepest secrets, or that they soon will.


Got an SMS offering $$$ refund? Don’t fall for it…

SMS, also known as text messaging, may be a bit of a "yesterday" technology, but SMS phishing is alive and well, and a good reminder that KISS really works.

If you aren’t familiar with the acronym KISS, it’s short for “keep it simple, stupid.”

Despite the rather insulting tone when you say the phrase out loud, the underlying idea works rather well in cybercrime.

Don't overcomplicate things; pick a believable lie and stick to it; and make it easy for the victim to "figure it out" for themselves, so they don't feel confused or pressured anywhere along the way.

Here’s an SMS phish we received today, claiming to come from Argos, a well-known and popular UK catalogue merchant:

You have a refund of £245. Request refund and allow 3 days for it to appear in your account.

The wording here probably isn’t exactly what a UK retailer would write in English (we’re not going to say more, lest we give the crooks ideas for next time!), but it’s believable enough.

That's because SMS messages, of necessity, rely on a brief and direct style, which makes it much easier to get the spelling and grammar right.

Ironically, after years of not buying anything from Argos, we recently purchased a neat new phone for our Android research from an Argos shop – the phone we mentioned in a recent podcast, in fact – so we weren’t particularly surprised or even annoyed to see a message apparently from the company.

We suspect that many people in the UK will be in a similar position, perhaps having done some Christmas shopping at a genuine Argos, or having tried to return an unwanted gift for a genuine refund.

The login link ought to be a giveaway, but the crooks have used an age-old trick that still works well: register an innocent-looking domain name, such as online.example, and put the domain name you want to impersonate at the start, as a subdomain.

This works because once you own online.example, you automatically acquire the right to create any subdomain beneath it, with whatever name you like.

Because we read from left to right, it's easy to spot what looks like a domain name at the left-hand end of the URL and not realise that it's just a subdomain of a completely unrelated domain.

These crooks chose the top-level domain (TLD) .shop, which is open for registrations from anywhere in the world.

Although .shop domains are generally a bit pricier than TLDs such as .com and .net, we found registrars with special deals offering cool-looking .shop names starting under $10.



What if you click through?

What harm in looking?

Well, the problem with clicking through is that you put yourself directly in harm’s way.

Visiting the link takes you to a pretty good facsimile of the real Argos login page (the original post shows the fake page on the left and the real page on the right):

There's not much fanfare, just a realistic clone of exactly the sort of content you'd expect to see, apart from the lack of HTTPS and the not-quite-right domain name.

Getting free HTTPS certificates is pretty easy these days, so the crooks could have taken this extra step if they’d wanted.

Perhaps they were feeling lazy, or perhaps they figured that anyone careful enough to check for a certificate might also click through to view it, which would only emphasise that it didn't belong to Argos.

If you do fill in a username and password, you have not only handed both to the crooks but also embarked on a longer phishing expedition, because the next page asks for more:

We didn't try going any further than this, so we can't tell you what the crooks might ask for next, but one thing is clear: by the time you get here, you've already given away far too much.

What to do?

  • Check the full domain name. Don't let your eyes stop just because the server name in the link starts off correctly. What matters is how it ends: the rightmost part is the domain somebody registered, and everything to the left of it is a subdomain that registrant controls.
  • Look for the padlock. These days many phishing sites have a web security certificate, so you will often see a padlock even on a bogus site. The presence of a padlock therefore doesn't tell you much on its own, but the absence of one is an instant warning: go no further.
  • Don’t use login links in SMSes or emails. If you think you are getting a refund, find your own way to the merchant’s login page, perhaps via a bookmark, a search engine, or a printed invoice from earlier. It’s a bit slower than just clicking through but it’s way safer.
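The subdomain trick described earlier and the "check the full domain name" advice above, as a worked example. This is added code, not from the original post or from Argos: it parses a link, finds the part of the hostname somebody actually had to register, and reports whether the expected name is only riding along as a subdomain and whether the link is plain HTTP (no padlock). The suffix set is a tiny hand-picked subset of the Public Suffix List, and the two sample URLs are constructed for the example, not the real phishing link.

```python
"""Added example, not code from the original post: check a login link the way
the advice above says to (full domain name, then the padlock), splitting a
hostname into "who registered it" versus "subdomains they control".

Assumptions: PUBLIC_SUFFIXES is a tiny hand-picked subset of the Public
Suffix List, and the sample URLs are constructed for this example; they are
not the link from the real SMS.
"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# A real tool would load the full list; the algorithm is the same.
PUBLIC_SUFFIXES = {"com", "net", "org", "shop", "uk", "co.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually had to register.

    Walk candidate suffixes from longest to shortest ("co.uk" before "uk");
    the registrable domain is the first matching suffix plus one label to
    its left. Everything further left is a subdomain the registrant chose.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a domain")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def assess_link(url: str, expected_domain: str) -> dict:
    """Compare a link against the domain a genuine message would use."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    findings = []
    if owner != expected_domain.lower():
        findings.append(f"link belongs to {owner}, not {expected_domain}")
        if expected_domain.lower() in host.lower():
            findings.append("expected name appears only as a subdomain label")
    if parts.scheme != "https":
        findings.append("plain HTTP: no padlock, no certificate to inspect")
    return {
        "host": host,
        "registrable_domain": owner,
        "https": parts.scheme == "https",
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample links, not the real phishing URL.
    for link in ("http://argos.co.uk.refund-online.shop/login",
                 "https://www.argos.co.uk/account"):
        verdict = assess_link(link, "argos.co.uk")
        print(link, "->", verdict["registrable_domain"], verdict["findings"])
```

The check deliberately works from the right-hand end of the hostname: for the constructed phishing link the registered domain is refund-online.shop, and argos.co.uk is just a label the crooks added on the left.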

How one hacked laptop led to an entire network being compromised

A corporate laptop used in a coffee shop over a weekend was enough to let a sophisticated cybercrime group compromise an organisation's entire infrastructure.

The incident was detailed by cybersecurity firm CrowdStrike in its Cyber Intrusion Services Casebook 2018 report, and it serves as a reminder that laptops and other devices that are secure while running inside an organisation's network can be left exposed once they leave company walls.

CrowdStrike described the company that fell victim only as an apparel manufacturer "with an extensive global presence, including retail locations".

The incident began when an employee of the manufacturer took their laptop to a coffee shop and used it to visit the website of one of the firm's partners.

The researchers said the user was directed to the site by a phishing email, and that the site had been compromised by FakeUpdates, a malware and social-engineering campaign affecting thousands of Joomla and WordPress sites.

The campaign shows visitors a pop-up claiming their browser needs updating; the "update" is the malware. In this instance the laptop was infected with the Dridex banking trojan and the PowerShell Empire post-exploitation toolset.

The security software the clothing company used (CrowdStrike didn't name the vendor) relied on devices being inside the corporate network to pick up threats. Because the laptop was used outside the network, the infection didn't become apparent until the laptop was back in the office, by which time it was too late.

The infected laptop then served as the attackers' entry point into the corporate network. Using PowerShell Empire and the compromised user's own permissions, they reached dozens of systems.

The attackers also gathered additional privileged credentials with Mimikatz, an open-source utility that retrieves cleartext credentials and password hashes from memory, and used them to access servers and move further across the network.

"Local administrator privileges made it easier for the threat actor to access a multitude of endpoints by accessing just one account that linked them all. Once access to the domain was gained, it left the organization completely exposed," Bryan York, director of professional services at CrowdStrike, told ZDNet.

This exposure allowed the attackers to install FrameworkPOS malware on the retail store server with the intention of stealing payment card data.

Researchers identified a cybercriminal group they track as Indrik Spider as the culprit. The group has been active since 2014 and is heavily associated with the Dridex banking trojan and the BitPaymer ransomware campaigns, which are thought to have netted the attackers millions of dollars.

It's the first time Indrik Spider has been associated with FakeUpdates, indicating that the group is expanding its operations as it continues to find new ways of making money illicitly. CrowdStrike wouldn't say whether the campaign achieved its goal or whether card data was stolen from the company, but there are lessons organisations should take on board to avoid falling victim to similar campaigns.

CrowdStrike recommends segregating accounts and not giving end users administrator privileges on their local systems. In this incident the adversary abused a misconfiguration in the company's Active Directory that granted unnecessary privileges, so the firm recommends that organisations regularly review Active Directory configuration across the entire global enterprise.

"Attackers used PowerShell or Windows Management Instrumentation in 20 percent of the cases we saw this year and businesses need to know how to better detect and protect against these," said York.


How To Spot a Social Media Hoax

Well, well, well, if it isn’t the WhatsApp Gold/’martinelli’ video scam, back again, as half-bunk and half-real-threat as ever.

Excellent! It's a great opportunity to offer some advice on pulling the rug out from under these and other scammers. For the dissection of Gold/martinelli, read on. For advice to forward to the scammers' prey, jump further down!

The current bunk

As Snopes tells it, the WhatsApp Gold scam messages have been kicking around since at least 2016 in varyingly worded messages, claiming that some new “premium service” would get users extra goodies, such as video calling and new emojis.

Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.

Users who clicked the link got no goodies. They got baddies, in the form of a malware-rigged, non-WhatsApp website. The malware, nicknamed WhatsApp Gold, was designed to break into phones and steal victims' messages and other private data.

Bad enough, eh? Well, the mad cyber scientists decided to make it a bit more poisonous by wrapping a true warning about the real WhatsApp Gold malware around a bogus warning about a fictional video called martinelli.

This scam burrito has been getting passed around since at least mid-2017, picking up only minor word swaps but still refusing to unglue its death-grip on arbitrary, proofreader-taunting, inappropriate spaces around punctuation.

The version we saw in November:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the Whatsapp to Whatsapp Gold, do not click !!!!!
Now said on the news this virus is difficult and severe

Pass it on to all

According to multiple news outlets, that sage, fictional “IT colleague” is back again, once again babbling about this equally fictional martinelli video.

That’s just fine, you scammers. We’re back again, too, you purveyors of WhatsApp Fool’s Gold. We’re here to tell you how to spot these hoaxes. Sage IT colleague types, please do enlighten the not-so-IT-savvy among you with these nuggets.

How to spot WhatsApp hoaxes

Atrocious punctuation and feeble English are common in phishing, spam and hoax messages, but we need more tools than that to tell when something is a threat. After all, it's not a given that a) non-threat-actors (as in, our friends) know how to use commas, et al., or b) scammers don't use proper English and punctuation. To that end, keep an eye out for these elements on top of funky, clunky English:

Call to action. As Sophos’s John Shier has noted in an excellent “Phish or legit?” walk-through, most phishing campaigns snap their fingers at you.

Scam WhatsApp messages and Facebook hoaxes have a call to action, too: they urge readers to copy/paste the warning and forward it to others. It’s meant to add a sense of urgency to the message and compel you to do something.

The threat. As WhatsApp notes in its FAQ about hoax messages, hoaxers often claim you can avoid punishment, such as account suspension, if you forward the message. A sender might imply that they have the law on their side, and that they’ll use their law enforcement affiliations should you be up to something dodgy.

In the case of WhatsApp Gold/martinelli, the "threat" comes from a (nonexistent) video, plus the advice that you shouldn't click a link urging you to update WhatsApp to WhatsApp Gold (true!), lest your phone get hacked.

Authority figures. To make the threat convincing, hoaxers often sprinkle in references to voices of authority. If it’s not the cops, it’s that Gold/martinelli “IT colleague”. Way, way too often, friends will pass on these words from purported experts, or police, or the tax authorities, reasoning that “it can’t hurt.”

And after you’ve spotted the Gold/martinelli or any other hoax…

Don't forward. Simply warn them, without the forward, and consider doing it by private message. After all, if you comment on, say, a Facebook post itself, you're adding to its ranking and pushing it that much closer to going viral.

Like Sophos’s Paul Ducklin said in a recent video, it can do us harm when we copy, paste and spread somebody else’s lies. It hurts our reputations and our accountability. Who needs that?

Arm yourself against WhatsApp Gold malware

Staying safe online means keeping out all the malware that’s out there, not just the one or two rogue applications you hear about via friends’ WhatsApp messages.

Instead, follow some simple advice to keep your phone secure, and advise your friends and family to do the same:

  • Apply security updates promptly.
  • Get your apps from the App Store or Google Play.
  • Use security software like Sophos Mobile Security for iOS or Android.

Resource taken from: 

NSA will release a free tool for reverse engineering malware

It's helping to improve security rather than undermine it.

The NSA has frequently been accused of holding on to information that could improve security, but this time it's being a little less secretive. The agency is planning to release a free reverse engineering tool, GHIDRA, in tandem with the RSA Conference on March 5th. The software dissects binaries for Android, iOS, macOS and Windows, turning them into assembly code that can help analysts pick apart malware or pinpoint questionable behaviour in otherwise innocent-looking software.

ZDNet noted that this kind of software isn't strictly new, and GHIDRA in particular isn't secret (it mainly entered the spotlight with the Vault 7 leak). However, existing reverse engineering tools such as IDA are expensive and generally inaccessible; a free tool would let any reasonably knowledgeable person tear open a program and gain a better understanding of what makes it tick.

As with the NSA's other open source projects, this isn't an altruistic gesture. Besides improving overall security, it could improve the quality of GHIDRA by letting the community fix bugs and contribute features. Whatever the NSA loses in control it might gain in better overall security.

Resource taken from:

Cybersecurity 101: How to Browse the Web Securely and Privately

So you want to browse the web securely and privately? Here's a hard truth: it's almost impossible.

It’s not just your internet provider that knows which sites you visit, it’s also the government — and other governments! And when it’s not them, it’s social media sites, ad networks or apps tracking you across the web to serve you specific and targeted ads. Your web browsing history can be highly personal. It can reveal your health concerns, your political beliefs and even your porn habits — you name it. Why should anyone other than you know those things?

Any time you visit a website, you leave a trail of data behind you. You can’t stop it all — that’s just how the internet works. But there are plenty of things that you can do to reduce your footprint.

Here are a few tips to cover most of your bases.

A VPN can help hide your identity, but doesn’t make you anonymous

You might have heard that a VPN — or a virtual private network — might keep your internet traffic safe from snoopers. Well, not really.

A VPN creates a dedicated tunnel that all of your internet traffic flows through, usually to a VPN server, so that your internet provider can no longer see that traffic. That's good if you're in a country where censorship or surveillance is rife, or if you're trying to get around location-based blocking. Otherwise, you're just sending all of your traffic to a VPN provider instead, so you have to choose whom you trust more: your VPN provider or your internet provider. The problem is that most free VPN providers make their money by selling your data or serving you ads, and some are downright shady. Even a paid VPN provider can tie your payment details to your internet traffic, and many VPN providers don't even bother to encrypt your data.

Some VPN providers are better than others: tried, tested — and trusted — by security professionals.

Protocols like WireGuard are highly recommended, and clients are available for a variety of devices and systems, including iPhones and iPads. We recently profiled the Guardian Mobile Firewall, a smart firewall-type app for iPhone that tunnels your data so that even its creators don't know who you are. The app also stops apps on your phone from tracking you and accessing your data, like your contacts or your location.

As TechCrunch's Romain Dillet explains, the best VPN providers are the ones you control yourself. You can create your own Algo VPN server in just a few minutes. Algo is made by Trail of Bits, a highly trusted and respected security company in New York, and its source code is available on GitHub, which makes it far more difficult to covertly insert backdoors into the code.

With your own Algo VPN setup, you control the connection, the server, and your data.

You’ll need a secure DNS

What does it mean that “your internet provider knows what sites you visit,” anyway?

Behind the scenes, DNS, the Domain Name System, converts web addresses into the IP addresses computers use. Most devices automatically use the resolver handed out by the network you're connected to, usually your internet provider's, so your internet provider sees the name of every site you look up. And in 2017 Congress voted to repeal rules that would have barred your internet provider from selling your browsing history to advertisers.

You need a secure and private DNS provider. Many people use publicly available resolvers such as OpenDNS or Google Public DNS, which are easy to set up on your computer or device, or on your home router. One caveat: simply pointing at a third-party resolver only changes who answers your lookups; unless the queries themselves are encrypted (DNS over HTTPS or DNS over TLS), they still cross your provider's network in cleartext.

One recommended offering is Cloudflare's public resolver, 1.1.1.1. Cloudflare supports encrypted queries, won't use your data to serve ads, and doesn't store your IP address for longer than 24 hours. You can get started here, and you can even download Cloudflare's app from Apple's App Store and Google Play.
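What "your internet provider knows what sites you visit" looks like on the wire, as an added example (this is not code from the original article, and nothing here is sent over the network). A classic DNS query on UDP port 53 carries the name you asked for in cleartext, so anyone on the path can read it with a few lines of parsing. The query bytes are constructed by build_query(); the domain name is a placeholder for the example.

```python
"""Added example, not code from the original article: what "your internet
provider knows what sites you visit" looks like on the wire. Classic DNS
over UDP port 53 carries the name you asked for in cleartext, so anyone on
the path can read it with a dozen lines of parsing.

The query bytes are constructed here with build_query(); nothing is sent.
The domain name is a placeholder chosen for the example.
"""
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query exactly as a stub resolver would."""
    flags = 0x0100                                   # RD = recursion desired
    header = DNS_HEADER.pack(txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")  # length-prefixed labels
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                      # zero-length root label ends the name
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(packet: bytes) -> dict:
    """Recover the question from a raw query, the way a passive sniffer would."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(packet)
    pos, labels = DNS_HEADER.size, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                            # 11xxxxxx = compression pointer
            raise ValueError("compression pointer in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question fields")
    qtype, qclass = struct.unpack_from("!HH", packet, pos)
    return {
        "id": txid,
        "recursion_desired": bool(flags & 0x0100),
        "questions": qdcount,
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    pkt = build_query("www.example.co.uk")           # constructed, never sent
    print(pkt.hex())
    print(parse_query(pkt))
```

Every label of the hostname appears verbatim in the packet bytes; that is the visibility an encrypted resolver (DNS over HTTPS or DNS over TLS) takes away from your provider, and it is why changing to a different plain-UDP resolver alone does not help.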

HTTPS is your friend

One of the best things for personal internet security is HTTPS.

HTTPS secures the connection from your phone or computer all the way to the site you're visiting. Most major websites are HTTPS-enabled and show a padlock (in some browsers, a green one) in the address bar. HTTPS makes it very hard for anyone to spy on your traffic, or to intercept and tamper with your data in transit.

Every time your browser shows that padlock, HTTPS is encrypting the connection between your computer and the website. Even on a public Wi-Fi network, an HTTPS-enabled website protects the content of your session from snoopers on the same network, though they can still see which hostnames you connect to.

Every day, the web becomes more secure, but there’s a way to go. Some websites are HTTPS ready but don’t have it enabled by default. That means you’re loading an unencrypted HTTP page when you could be accessing a fully HTTPS page.

That's where the browser extension HTTPS Everywhere comes in. It automatically rewrites requests so that sites load over HTTPS wherever they support it. It's a lightweight, handy tool that you'll forget is even there.


Reconsider your web plug-ins

Remember Flash? How about Java? You probably haven’t seen much of them recently, because the web has evolved to render them obsolete. Both Flash and Java, two once-popular web plug-ins, let you view interactive content in your web browser. But nowadays, most of that has been replaced by HTML5, a technology native to your web browser.

Flash and Java were long derided for their perpetual state of insecurity. They were full of bugs and vulnerabilities that plagued the internet for years — so much so that web browsers started to pull the plug on Java back in 2015, with Flash set to sunset in 2020. Good riddance!

If you don’t use them — and most people don’t anymore — you should remove them. Just having them installed can put you at risk of attack. It takes just a minute to uninstall Flash on Windows and Mac, and to uninstall Java on Windows and Mac.

Most browsers — like Firefox and Chrome — let you run other add-ons or extensions to improve your web experience. Like apps on your phone, they often require certain access to your browser, your data or even your computer. Although browser extensions are usually vetted and checked to prevent malicious use, sometimes bad extensions slip through the net. Sometimes, extensions that were once fine are automatically updated to contain malicious code or secretly mine cryptocurrency in the background.

There’s no simple rule to what’s a good extension and what isn’t. Use your judgment. Make sure each extension you install doesn’t ask for more access than you think it needs. And make sure you uninstall or remove any extension that you no longer use.

These plug-ins and extensions can protect you

There are some extensions that are worth their weight in gold. You should consider:

  • An ad-blocker: Ad-blockers are great for blocking ads, as the name suggests, but also the privacy-invasive code that tracks you across sites. uBlock is a popular, open-source, efficient blocker that doesn't consume as much memory as AdBlock and others. Many ad-blockers now permit "acceptable ads" that let publishers make money but aren't memory hogs or intrusive, like the ones that take over your screen. Ad-blockers also make websites load much faster.
  • A cross-site tracker blocker: Privacy Badger is a great tool that blocks tiny “pixel”-sized trackers that are hidden on web pages but track you from site to site, learning more about you to serve you ads. To advertisers and trackers, it’s as if you vanish. Ghostery is another example of an advanced-level anti-tracker that aims to protect the user by default from hidden trackers.

And you could also consider switching to more privacy-minded search engines, like DuckDuckGo, a popular search engine that promises to never store your personal information and doesn’t track you to serve ads.

Use Tor if you want a better shot at anonymity

But if you’re on the quest for anonymity, you’ll want Tor.

Tor, known as the anonymity network, is a protocol that bounces your internet traffic through a series of relays dotted around the world, wrapping it in layers of encryption so that no single relay sees both where the traffic came from and where it is going. You can configure it on most devices and routers. Most people who use Tor will simply use the Tor Browser, a preconfigured and locked-down version of Firefox that's good to go from the start, whether for a regular website or an .onion site, a special top-level domain used exclusively for services reachable only over Tor.

Tor makes it near-impossible for anyone watching to know which site you're visiting, or that you are the person accessing the site (though the exit relay can still read traffic to sites that don't use HTTPS). Activists and journalists often use Tor to circumvent censorship and surveillance.

But Tor isn’t a silver bullet. Although the browser is the most common way to access Tor, it also — somewhat ironically — exposes users to the greatest risk. Although the Tor protocol is largely secure, most of the bugs and issues will be in the browser. The FBI has been known to use hacking tools to exploit vulnerabilities in the browser in an effort to unmask criminals who use Tor. That puts the many ordinary, privacy-minded people who use Tor at risk, too.

It’s important to keep the Tor browser up to date and to adhere to its warnings. The Tor Project, which maintains the technology, has a list of suggestions — including changing your browsing behavior — to ensure you’re as protected as you can be. That includes not using web plug-ins, not downloading documents and files through Tor, and keeping an eye out for in-app warnings that advise you on the best action.

Just don’t expect Tor to be fast. It’s not good for streaming video or accessing bandwidth-hungry sites. For that, a VPN would probably be better.

Resource taken from: 

True North Lends a Hand

See what we’re up to:


TNN's Philanthropy Committee continues to be busy; please visit the causes below that we supported during the last quarter of 2018!

Are you passionate about helping your community? 

Want to team up with TNN to make a difference? 

Are you a non-profit and in need of some assistance? TNN is here to help!

We would love to hear from you - please email Suzanne Ruse for more information!


North Korean Ransomware Attack Disrupts Major U.S. News Media

It was all over the news: a server outage at a major newspaper publishing company on Saturday prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun. An early, unnamed source said they found files with a .RYK extension, which suggests a targeted ransomware attack using the Ryuk ransomware family. This strain is the latest incarnation of the earlier HERMES ransomware, which is attributed to the capable and active Lazarus Group, said to operate out of a Chinese city just north of North Korea and reportedly controlled by North Korea's Unit 180 spy agency. Unlike spray-and-pray ransomware, Ryuk is used for tailored attacks very similar to SamSam: its encryption scheme is built for focused infections in which only crucial assets and resources in each targeted network are encrypted, carried out manually by the attackers.

Reality Check: "It Is Very Hard to Keep a State-Sponsored Bad Actor Out of Your Network"

Security experts believe that the Ryuk crew targets and penetrates selected companies one at a time, charging exceptionally large ransoms, gaining entry via spear phishing, exposed RDP connections or other as-yet-unknown techniques. Ryuk is not decryptable at the time of writing, and it is very hard to keep a determined state-sponsored "advanced persistent threat" actor out of your network. You really need to practice defense in depth, and even then...

Now, having said that, I admit it is early days and this attribution is more a gut-feel estimate than something proven by forensics. There are a lot of "false flag" operations going on, and someone else may have gotten hold of that code. Feels like N.K. though.

The infected publisher said in a statement Saturday that "the personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation."

Any organization today needs weapons-grade backup procedures in place to restore production systems that have been compromised. I'm sure that is exactly what they are doing; there are some IT heroes pulling all-nighters out there. It could also mean they decided not to pay the ransom, good for them!

Ryuk-HERMES Similarities Are Clear as Daylight

The connections are pretty obvious, as shown by Check Point researchers who recently analyzed the two ransomware strains. They pointed to clear similarities between past Hermes strains and current Ryuk samples, which share large chunks of code:

  • The function that encrypts a single file is almost identical
  • Ryuk and Hermes use the same file marker for encrypted files
  • The check for the file marker is also identical
  • Both whitelist similar folders (e.g. “Ahnlab”, “Microsoft”, “$Recycle.Bin” etc.)
  • Both write a batch script named “window.bat” in the same path
  • Both used a similar script to delete shadow volumes and backup files

Ryuk versions for 32-bit and 64-bit systems were discovered, suggesting the ransomware can infect all types of systems, new and old alike. But there are also some differences. The main one is that Ryuk comes with a huge list of apps and services it shuts down before infecting a victim's systems. "The ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stop on a list of predefined service and process names," Check Point researchers explained in a report. This is one nasty piece of malware.
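The shutdown phase described above (a bulk run of taskkill and net stop, and a script that deletes shadow copies) is visible in process-creation telemetry before any file is encrypted. The detector below is an added example, not Check Point's or the blog's code: it runs over constructed Windows process-creation events and flags a host when it sees a burst of taskkill/net stop launches inside a short window, or a shadow-copy deletion (which it assumes appears as a vssadmin or wmic command; the page only says a script deletes them). Thresholds, host names and command lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Bulk service/process shutdown commands the page attributes to Ryuk (taskkill, net stop).
KILL_RE = re.compile(r"(?:^|\\)(?:taskkill(?:\.exe)?|net(?:\.exe)?\s+stop)\b", re.I)
# Assumption: the shadow-volume deletion script surfaces as one of these commands.
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)

WINDOW = timedelta(seconds=60)   # constructed tuning values, adjust to your environment
BURST_THRESHOLD = 5

def detect_ryuk_style_shutdown(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """events: iterable of (host, ISO-8601 timestamp, command line), any order.
    Returns {host: reason} for hosts showing a Ryuk-like pre-encryption shutdown."""
    per_host = defaultdict(list)
    for host, ts, cmd in events:
        per_host[host].append((datetime.fromisoformat(ts), cmd))
    alerts = {}
    for host, evs in per_host.items():
        evs.sort()
        recent = deque()   # timestamps of kill/stop commands still inside the window
        for ts, cmd in evs:
            if SHADOW_RE.search(cmd):          # a single shadow deletion is enough
                alerts[host] = f"shadow copy deletion: {cmd}"
                break
            if not KILL_RE.search(cmd):
                continue
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()               # drop commands older than the window
            if len(recent) >= threshold:
                alerts[host] = f"{len(recent)} taskkill/net stop commands within {window.seconds}s"
                break
    return alerts

# Constructed sample telemetry: an admin restarting a spooler (benign), a file server
# hit by a shutdown burst, and a backup host where shadow copies are wiped.
SAMPLE_EVENTS = [
    ("ws-07", "2019-01-05T09:00:00", "net stop Spooler"),
    ("ws-07", "2019-01-05T09:12:00", "net start Spooler"),
    ("ws-07", "2019-01-05T09:30:00", "net stop Spooler"),
    ("fs-01", "2019-01-05T03:14:02", "C:\\Windows\\System32\\taskkill.exe /IM sqlservr.exe /F"),
    ("fs-01", "2019-01-05T03:14:03", "taskkill /IM outlook.exe /F"),
    ("fs-01", "2019-01-05T03:14:03", "taskkill /IM excel.exe /F"),
    ("fs-01", "2019-01-05T03:14:05", "net stop MSSQLSERVER /y"),
    ("fs-01", "2019-01-05T03:14:06", "net stop vss /y"),
    ("fs-01", "2019-01-05T03:14:07", "net.exe stop SQLWriter /y"),
    ("bk-02", "2019-01-05T03:20:11", "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for host, reason in detect_ryuk_style_shutdown(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {reason}")
```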


What's Your Weakest Security Link?

Stephen Nardone, Director of the Security Practice at Connection, is a leader in the field of IT security risks, frameworks, assessment, strategy, and compliance. Stephen has been a CTO/CSO for the Commonwealth of Massachusetts and has developed security strategies for multiple government and private sector organizations. With more than three decades in the field, Stephen understands that cyber threats and cyber attacks are part of today’s technology reality. It’s not a matter of if, but when the breach will happen. “Prepare for ‘the when,’” is one of his standard mantras.

Stephen recommends some very basic strategies that offer some protection from IoT cyber intruders:

  • Connection assessment: The first line of defense is common sense. Consider what you’re connecting to your network and understand that with IoT standards and protocols, security blind spots are inevitable. Only connect devices you need, and only if they are secured end-to-end.
  • Change passwords: Many plug-and-play IoT devices are set up with open, default, or no passwords. Set a password, and change it often. Remember that the Mirai attack targeted default passwords.
  • Purchase known technology: Stay away from knock-offs, unknown names, and unproven devices.
  • Install patches and update firmware: Many security issues are due to end users ignoring the latest patches and firmware updates. Cyber criminals target missing patches. Reputable companies are on the cutting edge of security and offer managed patching strategies to avoid cyber penetration.
  • User awareness training: Training employees and learning of all the potential threats is the first course of action. The old saying “knowledge is power” goes a long way. Password and patch management, purchasing decisions, how things are connected to your network, and, of course, social engineering are key awareness training areas.
  • Data protection: Ensure that all users know their role in the oversight of protecting critical data at rest, data in process, and data in motion. Take the time to identify and classify your sensitive data.
