
Target Breached – WSWiR Episode 89

SnapChat Snaffu, Backdoored Routers, and Target Turmoil

Happy New Year, and welcome to the first episode of WatchGuard Security Week in Review for 2014!

If you are new to the show, this is a weekly video podcast dedicated to summarizing the most important Information Security (InfoSec) news, while also sharing security tips and best practices. If you are too busy to follow the always active security industry yourself, this is a great way to catch up at the end of each week.

Today’s episode covers a number of stories from the past three weeks (due to our holiday hiatus), including news of the big Target data breach, info on a SnapChat vulnerability, the latest hacktivist attack, and a story about vulnerabilities in a number of consumer DSL routers. Watch the quick YouTube clip below, and check out the Reference section for more details and links to extra stories.

I hope you have a prosperous and secure year!

(Episode Runtime: 10:07)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Cyber Sharking – WSWiR Episode 88

Tons of Patches, Facebook Scams, and Games for Security

If you’re in a country that celebrates the Christmas holidays, it’s probably getting a little quieter at work lately. With that extra free time, why don’t you catch up on the week’s latest security news with our regular episode of WatchGuard Security Week in Review?

Today’s show covers the patches from patch week, the latest NSA hijinks, a wide-spread Facebook phishing scam, and a story about how playing video games can help improve software security. Like always, I also include links to all these stories, and a few extras, in the references below.

Quick show note: I’ll be taking some time off for the holidays, so this may be the last video until next year (though I may release a short one next week). Keep safe out there, and have a happy holiday!

(Episode Runtime: 7:27)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Drone Skyjacking – WSWiR Episode 87

NSA Botnet, Windows 0day, and Bitcoin Robberies

It’s time for our regular Information Security (Infosec) summary video. If you want to hear about all the latest network and computer security news from one quick and easy source, this video is for you. This week’s episode comes a bit late, but I will return to the Friday schedule this week.

In this episode, I talk about the NSA botnet, more Bitcoin heists, a Windows zero day exploit, and a new hack that can hijack AR.Drone quadcopters. Watch the video for the details, and check out the references for more information (and some extra stories).

Keep safe out there!

(Episode Runtime: 9:36)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Avoid the Top Five Holiday Shopping Cyber Threats

To rephrase the ominous premonition of the Stark family, “The winter sales are coming!”

Perhaps you’re the type of person who gathers all the ads on Thanksgiving morning, planning how your family can synchronously hit three different stores to reap all their door-buster deals. Maybe you’re that guy who scours the Internet for early leaked copies of Monday’s sales, programming your scripts to ensure you’re the first to click buy. Or perchance—like me—you’d rather sleep in with a full belly and let others battle it out. Whichever profile fits you, Black Friday and Cyber Monday are coming, launching us into the busiest shopping season of the year… and bringing the cyber criminals scurrying out of the cracks in droves.

Criminal hackers follow the money. They track big trends and know when the biggest shopping seasons occur. Plus, like all good social engineers, they’re masters of human psychology, preying on our behavioral weaknesses to get what they want. You can bet criminal hackers are just as excited about the holiday sales season as the discount-seeking shoppers. For that reason, it’s important you enter this period with a little awareness and your eyes wide open. To help with the former, here are the top five cyber threats to watch out for during the shopping season:

  1. Seasonal email phishing scams – Attackers know you have your eye out for emails containing the latest sales and discounts and that you may have packages in transit from recent purchases. This makes it a great time for them to leverage some seasonal phishing scams to try and lure you to malicious sites or malware. Some of the most common malicious emails during the holidays are fake UPS, FedEx, or DHL messages claiming a delivery failed, bogus flight notices, and even phony secret Santa messages. All of these seasonal scams prey on common trends for the season, such as holiday vacations and trips, and people ordering more stuff online. To give you a specific example, right now a nasty new ransomware variant called Cryptolocker is spreading using the fake FedEx or UPS trick, and has cost many victims a lot of money. Avoid clicking links and attachments in unsolicited emails.
  2. Fake product giveaways – Every year the holiday shopping bonanza brings us at least one or two “must-have” items for the holiday season, whether they be Tickle-Me Elmo dolls or the latest gaming console. Cyber criminals always seem to recognize these popular consumer items early, and use them to lure unsuspecting victims to their trap. This year, two such items are the latest video game consoles—the PlayStation 4 and Xbox One. We’ve already seen phishers trying to steal personal information from victims by tricking them into filling out details to win one of these next-generation consoles. While some of these giveaways might be legit, you should be careful where you share your information, and what type of information you’re willing to give up.
  3. Dastardly Digital Downloads – During any special event or holiday, malicious hackers often pull out old reliable tricks of the trade. One such trick is the free screensaver, ringtone, or e-card offer. The attackers can easily theme their free download offers from whatever holiday or pop culture event they want, be it Thanksgiving, Christmas, or whatnot. If it sounds too good to be free, it probably is. As always, be careful what you download.
  4. Fraudulent e-commerce sites – The bad guys are great at faking web sites. They can fake your banking site, your favorite social network, and even online shopping sites that have suspiciously good deals for that one hot ticket item you’re looking for during the upcoming sales.  Of course, if they can lure you to their replica sites, they can leverage your trust in them to steal your personal information, swipe your credit card number, or force you into a drive-by download malware infection. Pay close attention to the domain names you visit, and vet your online retailers before ordering from them.
  5. Booby-trapped Ads and Blackhat SEO – Bad guys are always looking for new ways to attract you to their fake or malicious web sites. Phishing emails, instant messages, and social network posts with appealing links work, but they always experiment with new lures. Two popular new techniques are malicious online advertisements and evil search engine optimization (SEO) tricks. By either buying online ad space, or hacking online ad systems, hackers can inject fake advertisements into legitimate web sites, which redirect back to malicious sites. They can also leverage various SEO tricks to get their web sites to show up in the top results for popular searches. Are you searching for Lululemon yoga pants sales for your girlfriend this holiday? If criminals think that’s a popular gift, they can poison search results and hijack ads to use your interest against you. As you consider clicking ad links or following search results, be aware of the domains and URLs you click on.

The top five threats above all have consumers in mind, but let me share one last holiday cyber threat that merchants need to look out for: Distributed Denial of Service (DDoS) attacks. Cyber criminals realize the holidays are a very important season for online retailers—especially days like Cyber Monday. They know that even an hour of downtime can translate into millions in lost sales for big retailers, and they want to steal a piece of your pie. Expect to see some DDoS attacks targeting online stores during the holidays, followed by extortion letters asking for money to stop the attack.

One of the best defenses to cyber attacks is a bit of awareness and vigilance. Now that you know what types of threats and scams to expect this holiday season, you can look out for them, and avoid becoming a patsy. While I shared a few security tips already, let me summarize a few other steps you can take to make your holidays hacker free.

  • Patch your software – If you let the automatic software updates from Microsoft, Apple, Adobe, and your other software vendors patch your machine regularly, you will remain safe from most of the cyber criminals’ technical attacks.
  • Don’t click on unsolicited links or attachments – Enough said.
  • Look for the padlock while shopping online – Though it’s not a guarantee you’re on the right site, do not share your personal or financial info with an online retailer unless you see a green padlock in your web browser’s address bar (the icon’s appearance may differ slightly depending on your browser).
  • Use password best practices on shopping sites – You should use different, strong (i.e. long) passwords on every site you visit. If you are not familiar with password security, this post has some good advice.
  • Vet online merchants before clicking buy – A little online research can go a long way. Do Internet searches on a merchant before buying from them, paying close attention to customer reviews. When people get scammed they tend to share, so a little research can help you identify fake retailers.

The holidays should be about family and fun. Keep your eye out for these five top threats and follow my basic security tips and you’ll surely enjoy a happy holiday season, and hopefully nab a cool treat for you and your family during this shopping season.

— Corey Nachreiner, CISSP (@SecAdept)

BGP Man in the Middle Attacks – WSWiR Episode 86

Stuxnet Update, I2P Botnet, and BGP Hacking

Do you have too much to do to follow information security news? Or maybe you feel overwhelmed by so much security news (I sure do) that you don’t know which news is most important. In either case, I’m here to summarize the important stuff for you in my weekly Infosec summary video.

Today’s show talks about a sneaky new botnet and its C&C channel, the latest Stuxnet research, a few important credential breaches, and an Internet-wide man-in-the-middle (MitM) attack that leveraged BGP issues. Watch the episode below for all the details… and if you are hungry for more security news, be sure to check out the other stories in the Reference section.

Show note: We will be skipping next week’s episode due to the US holiday weekend. Have a great Thanksgiving, and don’t get trampled on Black Friday!

(Episode Runtime: 9:40)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

APT Exploits IE 0day – WSWiR Episode 85

Forum Hijacks, Singapore Hacking, and IE 0day

Happy Friday, everyone! The weekend is hours away; but before running off to finish off the last of your work week tasks, why not sit down with a hot cup of joe and catch up on what happened in security news this week?

In this episode, I talk about security patches for Microsoft, Adobe, and OpenSSH, cover some interesting web site hijacks, warn you of a new APT attack that leverages an IE zero day flaw, and mention an interesting hacking arrest in Singapore. Click the big red YouTube play button to learn more, and don’t forget to peek at the Reference section for links to other InfoSec news from the week.

Have fun this weekend!

(Episode Runtime: 8:52)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Bitcoin Weakness & Hack – WSWiR Episode 84

Microsoft Zero Day, PCI-DSS Update, and Bitcoin Attacks

Ingest this week’s biggest security news in one, easy to watch video with WatchGuard Security Week in Review. I consolidate the latest Infosec news in one place, so you don’t have to. 

Today’s episode covers the week’s security-related software updates, a zero day flaw in Windows and Office, the latest update to PCI-DSS, and some security problems with Bitcoin. Watch the video for the details, and check out the Reference section for a whole bunch of other interesting stories.

Thanks for watching, and have a great weekend!

(Episode Runtime: 9:28)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Everything You Wanted to Know About Cryptolocker…

… And Weren’t Afraid to Ask

If you follow my weekly Infosec news video, you probably remember me mentioning Cryptolocker in an episode in late September. At the time, Cryptolocker seemed very similar to the many other ransomware variants in the wild, except that it seemed to be spreading a bit more quickly than others. However, over time Cryptolocker has proven much more aggressive than previous extortion malware campaigns. I have since received many emails and tweets from readers and customers asking about it, especially whether or not WatchGuard’s XTM security appliance can do anything to prevent it. With that in mind, I created a quick video about Cryptolocker, which also shows how WatchGuard’s XTM appliance can detect it. Watch the video below, and continue reading for more details and references.

(Episode Runtime: 12:54)

Direct YouTube Link:

Since many great sources have already described Cryptolocker in complete detail, I’ll just share a quick summary. However, I’ll include links to my favorite Cryptolocker resources at the end of the post.

Cryptolocker is a ransomware trojan that encrypts your personal files. It spreads in many ways, including in phishing emails that contain malicious attachments or links, or via drive-by download sites. Often, Cryptolocker arrives as a file with a double extension, such as *.pdf.exe. Since Windows doesn’t display file extensions by default, this file may look like a PDF file rather than an executable.

If you run Cryptolocker, it infects your computer like normal malware, placing its files in Windows directories, and creating registry entries that allow it to restart when you reboot. It then also tries to contact its command and control (C&C) server. The malware uses a random domain name generation algorithm to try and find a current C&C server. Some sample Cryptolocker domains might look like this:


Once Cryptolocker contacts its C&C, it generates a public/private key pair for your specific computer, using standard, very strong cryptography (2048-bit RSA together with AES). The private key is only stored on the attacker’s C&C servers, but the public key is saved in a registry entry on your computer. Cryptolocker then uses that key pair to encrypt many different types of files on your computer. Here’s a list of the file types Cryptolocker looks for:
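Hunting for that C&C lookup behaviour in DNS logs is one place a defender can catch an infection before it finishes encrypting. The following is an added example, not code from the original post or from WatchGuard: the log lines and domains are constructed, the thresholds are illustrative assumptions, and the check does not reproduce Cryptolocker’s actual generation algorithm; it scores each queried name’s second-level label for length, character entropy and vowel scarcity, then reports clients that produce a burst of such lookups.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (not real Cryptolocker domains), one query per
# line: "<timestamp> <client_ip> <queried_name> <rcode>".
SAMPLE_DNS_LOG = """\
2013-10-28T09:14:01 10.0.0.23 www.watchguard.com NOERROR
2013-10-28T09:14:03 10.0.0.23 mail.google.com NOERROR
2013-10-28T09:14:04 10.0.0.23 stackoverflow.com NOERROR
2013-10-28T09:14:05 10.0.0.41 qpwoxkrhtlbmvue.com NXDOMAIN
2013-10-28T09:14:05 10.0.0.41 zxkcbvqnrmtpwyl.net NXDOMAIN
2013-10-28T09:14:06 10.0.0.41 hgtrkpxqlwmvbzc.org NXDOMAIN
2013-10-28T09:14:06 10.0.0.41 wkrmtqpxzvlbhgn.biz NXDOMAIN
2013-10-28T09:14:07 10.0.0.41 lpxqkwtrzmbvhgc.info NXDOMAIN
2013-10-28T09:14:09 10.0.0.23 cdn.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Illustrative thresholds (assumptions; tune against your own traffic).
MIN_LABEL_LEN = 12
MIN_ENTROPY = 3.3
MAX_VOWEL_RATIO = 0.25

def shannon_entropy(s):
    """Bits per character; generated labels spread over many letters."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s):
    """Human-chosen names contain vowels; random strings usually do not."""
    return sum(ch in "aeiou" for ch in s) / len(s)

def second_level_label(name):
    """'mail.google.com' -> 'google' (naive; a public-suffix list does better)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label):
    return (len(label) >= MIN_LABEL_LEN
            and shannon_entropy(label) >= MIN_ENTROPY
            and vowel_ratio(label) <= MAX_VOWEL_RATIO)

def find_dga_suspects(log_text, min_hits=3):
    """Map client IP -> generated-looking names, for clients over min_hits.
    One odd lookup is noise; a burst of them (often NXDOMAIN) from one host
    is the trace a C&C-seeking infection leaves behind."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, name, _rcode = m.groups()
        if looks_generated(second_level_label(name)):
            hits[client].append(name)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}

if __name__ == "__main__":
    for client, names in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} generated-looking lookups", names)
```

A host that trips this check is a candidate for the disconnect-and-investigate step described below, not proof of infection on its own.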

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c.

After encrypting your files, Cryptolocker shows a screen warning you that you have 72 hours to pay either $300 or £200 in order to get your files back.

What should I do if I get infected?

If you are infected with Cryptolocker, the first thing you should do is disconnect the infected PC from the internet. If Cryptolocker can’t access its C&C, it can’t encrypt files. Disconnecting the machine may prevent further files from being encrypted.

There are many tools that will totally clean a Cryptolocker infection, but most victims are more concerned with recovering encrypted files. Unfortunately, you will not be able to crack Cryptolocker’s encryption. It uses a very strong and reliable public/private key implementation that is similar to what commercial encryption products use. It would take decades to centuries to crack today. There is a chance that the good guys may eventually track down the attacker’s C&C servers, and recover some private keys. However, I would not hold out much hope for this.

Rather, if Cryptolocker encrypts some of your files, you should check whether you have a backup, as that is your best chance of recovering the lost data. That said, some victims have reported some success using Windows’ built-in System Restore feature to recover some lost files, too.

Many have asked whether or not Cryptolocker’s decryption process works if you pay the ransom. Personally, I highly discourage you from ever paying extortion to cyber criminals. Not only are you paying off criminals, but you are encouraging them to continue to use these methods in the future. That said, reports claim that Cryptolocker’s decryption does work. However, in order for the process to work, an infected computer must retain access to the C&C server. If the server is taken down by authorities, sink-holed, or temporarily goes offline, paying the ransom may only result in the loss of your money.

How can I avoid Cryptolocker?

First, most commercial antivirus (AV) products can detect many variants of Cryptolocker. So you should definitely use both host-based and network-based AV products, and keep them up to date. That said, Cryptolocker’s authors are very aggressive at re-packing and crypting their malware. Without going into technical details, packing and crypting are techniques malware authors use to make the same executable file look different on a binary level, which helps it evade some AV solutions. You can learn more about packing and crypting in this video (near the end). In short, though AV helps a lot, some variants may get past some AV solutions. You need to use other defenses as well.

Also note, some web security solutions, such as WatchGuard’s WebBlocker or Reputation Enabled Defense (RED) service, can help. These services keep track of millions of malicious URLs and web sites. This means they can block access to sites that distribute malware, or can prevent infected hosts from reaching C&C servers. In the video above, you can see WebBlocker preventing a Cryptolocker infected machine from reaching its C&C servers. If you aren’t using a WatchGuard XTM appliance with the UTM services, I highly recommend you do so, or at least use some other web security solution.

Finally, awareness is the best defense. Cryptolocker typically spreads in pretty obvious looking phishing emails. The emails may pretend to be FedEx or UPS related messages, which contain zip files that hide a double-extension executable. You should train your users to recognize some of the common phishing and malware signs, such as unsolicited emails from shipping providers, double-extension files, links that point to the wrong sites, and so on. With a little vigilance, and security products like our XTM appliance, you should be able to avoid most Cryptolocker infections.
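The double-extension trick (the *.pdf.exe file described earlier and the zipped executable inside the fake shipping notices) and the spoofed carrier sender can both be checked mechanically at the mail gateway, backing up the user training. This is an added example, not code from the original post or from WatchGuard; the sample message, its sender domain and the carrier-to-domain mapping are constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Final extensions Windows will execute on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Decoy extensions placed in front of the real one, e.g. notice.pdf.exe.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt", "zip"}
# Carrier name -> real sending domain (assumed mapping, illustrative only).
CARRIER_DOMAINS = {"fedex": "fedex.com", "ups": "ups.com", "dhl": "dhl.com"}

def is_double_extension(filename):
    """True for names like invoice.pdf.exe; Windows hides the final .exe."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return (len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in DECOY_EXTS)

def suspicious_names_in_zip(data):
    """Names inside a zip attachment that carry a double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_double_extension(n)]
    except zipfile.BadZipFile:
        return []

def spoofed_carrier_sender(from_header):
    """Return the carrier named in the display name when the address
    does not belong to that carrier's domain, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for carrier, real in CARRIER_DOMAINS.items():
        if (carrier in name.lower() and domain != real
                and not domain.endswith("." + real)):
            return carrier
    return None

def triage_message(msg):
    """Collect the phishing signs described in the post for one message."""
    findings = []
    carrier = spoofed_carrier_sender(msg.get("From", ""))
    if carrier:
        findings.append(f"sender claims {carrier} but is {msg['From']}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if is_double_extension(fname):
            findings.append(f"double-extension attachment: {fname}")
        if fname.lower().endswith(".zip"):
            for inner in suspicious_names_in_zip(part.get_payload(decode=True)):
                findings.append(f"double-extension file inside {fname}: {inner}")
    return findings

def build_sample_message():
    """Constructed lure in the fake-shipping-notice style (no real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tracking_Notice.pdf.exe", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "FedEx Delivery <notice@mail-delivery-alerts.example>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Delivery failure notice"
    msg.set_content("Your package could not be delivered. See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Notice.zip")
    return msg
```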

So to summarize, Cryptolocker is aggressively spreading, and has infected many victims. However, security products like WatchGuard’s XTM appliance can detect and block it using various security services. That said, Cryptolocker can also spread internally through network shares, which network security solutions can’t prevent. Ultimately, your best defense is awareness and vigilance. If you haven’t already warned your users about Cryptolocker, I recommend you do so, and perhaps even refer them to the video above.

If you’d like much more technical detail about Cryptolocker, here are some of my favorite resources:

— Corey Nachreiner, CISSP (@SecAdept)

Mysterious BadBIOS Malware – WSWiR Episode 83

Adobe Breach Gets Bigger, NSA MUSCULAR, and Mysterious Malware

No time to follow Infosec news, but need to know the latest so you can protect your network? Well, you’ve come to the right place. In my weekly security summary video I quickly highlight the big security stories from the week, so you’re aware of the latest threats and security news.

Today’s episode includes more concerning details about the recent Adobe network hack (change your password), news of the latest NSA snooping revelation, and a story about a very scary advanced malware infection that sounds more like science fiction than fact. To learn all the details, click play below… and don’t forget to check the Reference section for links to many other interesting Infosec stories.

Thanks for watching, and Happy Halloween!

(Episode Runtime: 11:04)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Hackers Lose Rights – WSWiR Episode 82

PHP.Net Hijack, Rooted ReadyNAS, and Harassed “Hacker”

This week you get two Infosec videos for the price of one! Of course, free plus free is still… well, free.

Last week, I had a busy travel schedule in the Middle East and Holland, and I did not find the time to produce my weekly security news summary on Friday. And yet, there was still plenty of security news to cover, so I didn’t want to leave you hanging. Hopefully, you can still learn something interesting, even if it comes a few days late.

Last week’s much belated episode includes news of Cheney’s cardiac defibrillator hacking scare, a watering hole attack, yet another rooted consumer router, and a story about how just calling yourself a hacker may cost you some Constitutional rights. Watch the video below, and check the Reference section for more details.

Thanks for watching and I’ll see you again in two days, when I post this week’s video!

(Episode Runtime: 7:07)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

