Ransomware Awareness

What is Ransomware?

According to the FBI, “Ransomware is a type of malicious software cyber actors use to deny access to systems or data.” Typically, the malicious actor will hold the system or data hostage via encryption using a private key that only they know. The only way for the victim to regain access to their system or data is to pay the ransom fee to the malicious actor. If the ransom is not paid, the data will remain unavailable or be deleted by the malicious actor or the ransomware itself. In addition, ransomware may spread to storage drives and other systems present on the network.

How Does Ransomware Get Installed on a System?

Ransomware can be installed on a system through the following means:

  • According to Symantec, “Ransomware is predominantly found on suspicious websites, and arrives either via a ‘drive-by download’, stealth download or through a user clicking on an infected advert. Some distribution via email has also been seen.”
  • Remote installation via a software vulnerability.
  • Opening or clicking on a malicious attachment or link found in an email.

Below is an example of CryptoLocker, a common ransomware variant.

[Image: CryptoLocker example]

How Do I Protect Myself?

Prevention is one of the best methods to defend against ransomware. Below are several steps you can take to prevent ransomware from being installed on your system:

  • Ensure proper anti-virus and anti-malware software is installed on your machine and that it is updated regularly. Please note, Fordham offers free antivirus software to students and faculty here.
  • Ensure your operating system and programs have received the most current updates. Attackers can easily exploit vulnerabilities in out-of-date software.
  • Regularly back up your computer and important files. This gives you a recovery option so your data is not lost forever. If using portable media, make sure the device is disconnected once the backup is complete, so that ransomware cannot reach the backup as well.
  • Do not click on or open any suspicious links, pop-ups, or attachments. If you come across questionable or suspicious emails or websites, contact IT Customer Care immediately and allow the University Information Security Office (UISO) to validate the respective content.

Paying a Ransomware Fee

As per the FBI:

“We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:

  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
  • Some victims who paid the demand have reported being targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.”

Useful Links

The FBI provides a more in-depth description of what ransomware is and what can be done to avoid becoming a victim.

https://www.us-cert.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf

The SANS Institute newsletter provides further information on ransomware and steps that can be taken to protect against it.

http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201608_en.pdf

Article: Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

“Off Path Attack means malicious hackers can be located anywhere on the internet.”

“An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

“The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

One of the more likely ways exploits might target Android users is for them to insert JavaScript into otherwise legitimate Internet traffic that isn’t protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.

To make the attack work, the adversary must first spend about 10 seconds to test whether two specific parties—say a known Android user and USA Today—are connected. It then takes another 45 seconds or so to inject malicious content into their traffic. The time required probably makes it impractical to carry out opportunistic attacks that hit large numbers of people. Still, the technique appears well suited for targeted attacks, in which the adversary—say, a stalker or a nation-backed surveillance agency—is attempting to infect or spy on a specific individual, especially when the hacker knows some of the sites frequented by the target.

A Google representative said company engineers are already aware of the vulnerability and are “taking the appropriate actions.” As noted in this post, the representative pointed out the flaw resides within vulnerable versions of the Linux kernel and it’s not Android specific. The representative went on to say that the Android security team rates the risk “moderate,” as opposed to “high” or “critical” for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn’t be surprising if that fix is incorporated into a new Android release in the next month or so.”

Source: http://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-android-users-vulnerable-to-hijacking-attacks/

Article: 20 hotels suffer hack costing tens of thousands their credit card information

“The chain that owns Starwood, Marriott, Hyatt, and Intercontinental hotels—HEI Hotels & Resorts—said this weekend that the payment systems for 20 of its locations had been infected with malware that may have been able to steal tens of thousands of credit card numbers and corresponding customer names, expiration dates, and verification codes. HEI claims that it did not lose control of any customer PINs, as they are not collected by the company’s systems.

Still, HEI noted on its website that it doesn’t store credit card details either. ‘We believe that the malware may have accessed payment card information in real-time as it was being inputted into our systems,’ the company said.

The breach appears to have hit 20 HEI Hotels, and in most cases, the malware appears to have been active from December 2, 2015 to June 21, 2016. In a few cases, hotels may have been affected as early as March 1, 2015. According to a statement on HEI’s website, the malware affected point-of-sale (POS) terminals at the affected properties, but online booking and other online transactions were not affected.

Although an HEI representative told Reuters that it’s still unclear how many customers were affected as some may have used credit cards multiple times, thousands and sometimes tens of thousands of transactions occurred at each property during the months before the malware was detected. The malware was able to scrape credit card details from hotel restaurants, spas, and lobby shops.

HEI noted on its website that it had contacted law enforcement and began ‘promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network.’ The hotel chain also recommended that recent customers check their credit and debit card transaction histories to guard against fraud.

Similar large-scale attacks have hit chain stores such as Target and Home Depot in recent years. Such high-profile hacks have encouraged retail industries in the US to phase magnetic stripe cards out in favor of chip-based credit and debit cards, although rollout of the new system has been spotty as vendors are slow to buy the new terminals to read the chip cards. Magnetic stripe cards pass static credit card information to a company’s POS system, leaving that information susceptible to hackers who want to steal it to make duplicate credit cards. Chip-based transactions transmit a dynamic card number that makes it much more difficult to steal card numbers and use them for fraudulent purposes.”

Source: http://arstechnica.com/security/2016/08/20-hotels-suffer-hack-costing-tens-of-thousands-their-credit-card-information/

James shared a document with you – Phishing Email Sent to the Fordham Community on 08/05/16

This is a Phishing email that has been reported. This message was
received on or about August 5th, 2016. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: nmsparks@fsu.edu
Date: Fri, Aug 5, 2016 at 1:33 PM
To: user@fordham.edu
Subject: James shared a document with you

James has shared a document (School-ApprovedFee.pdf) with you.

View  Document  Now (LINK HERE)
Documents shared are removed from our system on its given expiry date.

Thank you!
– The Drop box Team
© 2016 Drop box Notifications

——————–End Message ——————————

FUND ADMINISTRATION ORDER CAP 000623 CODED – Scam Email Sent to the Fordham Community on 8/4/2016

This is a scam email that has been reported. This message was
received on or about August 4th, 2015. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: EUMONETAY GROUPUK <drjohnikolo234@gmail.com>
Sent: Thursday, August 4, 2016 11:16 AM
Reply To: eumonetary2010groupuk@gmail.com
Subject: FUND ADMINISTRATION ORDER CAP 000623 CODED

OFFICE OF THE DIRECTOR-GENERAL
UNITED NATIONS OFFICE AT GENEVA
Palais des Nations
AVENUE DE LA PAIX 8 – 14
1211 Geneva 10
SWITZERLAND

RE: FUND ADMINISTRATION ORDER CAP 000623 CODED

I am Michael Møller, Director-General, United Nations office at Geneva
in charge of economic and financial matters. I have been mandated by
United Nations Department on International Fund delivery to confirm if
you have received your assigned compensation award of $ 2,500,000.00
among those paid in the first quarter payment schedule between 1st of January to 31st March 2016?

If you have not received your payment, then forward the Following
details: Full Names, Contact Address, Your Private Telephone / Mobile
Numbers and Valid Means of Identification and Your Current Receiving
Banking Details to Sir Moses Lambert payment coordinator European
Union Monetary Group. United Kingdom his contact information below:-

NAME: SIR MOSES LAMBERT
EMAIL:eumonetary2010groupuk@gmail.com
TEL: +447418469393

Warm Regards,
Michael Møller
Director-General
United Nations Office At Geneva.
Tel: +41225181581

——————–End Message ——————————

Phishing Email With No Subject Sent to the Fordham Community on 07/14/16

This is a Phishing email that has been reported. This message was
received on or about July 14th, 2016. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: Help Desk <kjeffer5@emich.edu>
Date: Thu, Jul 14, 2016 at 2:32 PM
To: user@fordham.edu
Subject:

Suspicious sign in detected on your fordham.edu Account, We noticed
a recent login attempt from an unusual device or location. If this
wasn’t you Secure your account Now;
http://fordham-helpdesk-technology.my-free.website/

Please follow the instructions to avoid the disabling of your
account,

Note that we will not be able to process your application unless you
have submitted an accepted way.

Powered by Technology Resources Help Desk

——————–End Message ——————————
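The three reported messages above share indicators that can be checked mechanically: a Reply-To that differs from the visible sender, an empty subject, a “Help Desk” sender from another institution, a link host that merely contains the word “fordham”, and a “Drop box” signature on mail from an unrelated domain. The script below is an added example, not Fordham IT’s tooling; the trusted domain, the indicator names, the Reply-To header spelling and the trimmed message copies are constructed for it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the community's real domain and its short name.
TRUSTED_DOMAIN = "fordham.edu"
ORG_NAME = "fordham"                      # used to spot lookalike link hosts
BRAND_CLAIMS = {"dropbox": re.compile(r"drop\s?box", re.I)}   # signature vs sender
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

# Constructed from the reported messages above, trimmed to the lines that matter.
SAMPLES = {
    "dropbox_share": (
        "From: nmsparks@fsu.edu\nTo: user@fordham.edu\n"
        "Subject: James shared a document with you\n\n"
        "James has shared a document (School-ApprovedFee.pdf) with you.\n"
        "View Document Now (LINK HERE)\n- The Drop box Team\n"),
    "fund_order": (
        "From: EUMONETAY GROUPUK <drjohnikolo234@gmail.com>\n"
        "Reply-To: eumonetary2010groupuk@gmail.com\n"
        "Subject: FUND ADMINISTRATION ORDER CAP 000623 CODED\n\n"
        "Forward the following details: Full Names, Contact Address, Your\n"
        "Private Telephone / Mobile Numbers and Your Receiving Banking Details\n"),
    "helpdesk": (
        "From: Help Desk <kjeffer5@emich.edu>\nTo: user@fordham.edu\nSubject:\n\n"
        "Suspicious sign in detected on your fordham.edu Account. If this\n"
        "wasn't you Secure your account Now;\n"
        "http://fordham-helpdesk-technology.my-free.website/\n"),
}

def phishing_indicators(raw):
    """Return the indicator names triggered by one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display, from_addr = (s.lower() for s in parseaddr(msg.get("From", "")))
    sender_domain = from_addr.rsplit("@", 1)[-1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    hits = []
    # Replies silently routed to a mailbox other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        hits.append("reply-to-mismatch")
    if not (msg.get("Subject") or "").strip():
        hits.append("empty-subject")
    # A "Help Desk" display name on mail from outside the organisation.
    if "help" in display and "desk" in display and sender_domain != TRUSTED_DOMAIN:
        hits.append("external-helpdesk-impersonation")
    # Link hosts that contain the org name but are not under the real domain.
    for host in (h.lower() for h in URL_HOST_RE.findall(body)):
        if ORG_NAME in host and host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
            hits.append("lookalike-link")
    # A brand named in the signature that does not match the sending domain.
    for brand, pattern in BRAND_CLAIMS.items():
        if pattern.search(body) and brand not in sender_domain:
            hits.append("brand-sender-mismatch")
    if re.search(r"banking details|identification|telephone", body, re.I):
        hits.append("requests-personal-data")
    # Account or sign-in warnings must come from the trusted domain.
    if sender_domain != TRUSTED_DOMAIN and re.search(r"\b(account|sign in|password)\b", body, re.I):
        hits.append("external-account-alert")
    return hits
```

Each sample trips at least one indicator, while a plain maintenance notice from the trusted domain trips none; these checks are a triage aid for reported mail, not a substitute for validation by the UISO.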

Security Alert: LogMeIn Forced Password Reset

It has come to the attention of Fordham University’s Information Security Office that LogMeIn, Fordham’s remote desktop access tool, might force a reset of your LogMeIn password.

This is due to the recent theft and subsequent release of passwords to various sites such as LinkedIn, Tumblr, and MySpace. Please note, this is a precautionary measure taken by LogMeIn. There are no current sources that indicate LogMeIn has been breached.

Further information from LogMeIn can be found at

https://blog.logmeininc.com/password-reuse-issue-affecting-logmein-users/

We continue to advise that you not reuse the password for your fordham.edu account for any other accounts and never reuse passwords for any accounts in general. Attackers are aware of the propensity for password reuse, and will try to leverage these username and password combinations to log in to your accounts.

Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.

Questions?
Contact IT Customer Care 718-817-3999 | Tech Help tab at My.Fordham | HelpIT@fordham.edu

Keep in touch with Fordham IT
Twitter: @FordhamIT or twitter.com/FordhamIT
Blog: itnews.blog.fordham.edu/
Website: fordham.edu/IT
IT Event and Maintenance Calendar

Article: GoToMyPC Accounts Hacked

Users’ passwords to GoToMyPC accounts have been reset due to an attack on the service. GoToMyPC is a service used to gain remote access to computers.

Statement from GoToMyPC:

“Unfortunately, the GoToMyPC service has been targeted by a very sophisticated password attack. To protect you, the security team recommended that we reset all customer passwords immediately.
Effective immediately, you will be required to reset your GoToMyPC password before you can login again.
To reset your password please use your regular GoToMyPC login link.
Recommendations for a strong password
• Don’t use a word from the dictionary
• Select strong passwords that can’t easily be guessed with 8 or more characters
• Make it Complex – Randomly add capital letters, punctuation or symbols
• Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).

2-step Verification option
We encourage you to learn more about using the 2-step Verification option for GoToMyPC accounts.
The GoToMyPC Team is committed to protecting the security of our customers and our services. We apologize for any inconvenience this may have caused you.”

More information about the incident can be found at: http://status.gotomypc.com/incidents/s2k8h1xhzn4k

As a rule of thumb, never reuse passwords for any accounts. Attackers are aware of the potential for password reuse, and will try to leverage these username and password combinations to authenticate to a victim’s accounts.

Source: https://www.grahamcluley.com/2016/06/gotomypc-hacked-customer-passwords-reset/

Security Alert: Tumblr Credentials Found Online

Tumblr recently learned that a third party had obtained access to a set of Tumblr user email credentials from early 2013. Affected users may have received a notification from Tumblr, which recommends that they set a new password.

As a rule of thumb, never reuse passwords for any accounts. Attackers are aware of the potential for password reuse, and will try to leverage these username and password combinations to authenticate to a victim’s accounts.

The notice from Tumblr can be found at:

https://staff.tumblr.com/post/144263069415/we-recently-learned-that-a-third-party-had

Further information about how to protect your Tumblr account can be found at:

https://www.tumblr.com/docs/en/account_security#protection

Article: 32 Million Twitter Passwords Potentially Being Sold On DarkWeb

“Days after a number of prominent Twitter accounts got hacked — including those belonging to musicians Katy Perry and Drake as well as Twitter co-founder Evan Williams — nearly 33 million Twitter usernames and passwords are being sold online.

According to LeakedSource, a site that collects databases of stolen login credentials for a number of sites, the 32,880,300 Twitter credentials are being sold by a person identified by the alias Tessa88. Zdnet reported that the price Tessa88 is asking for the entire database (which allegedly contains 379 million records, but likely has many duplicates) is 10 bitcoins, or about $5,800 at the time of writing.

Each record consists of one or two email addresses, username and password, but what’s odd about this leak is that the passwords aren’t encrypted at all. While this is bad news for users whose credentials are now available online (Leakedsource says it checked the authenticity of the passwords with 15 users, all of which confirmed they were genuine), this indicates that they were not obtained by hacking Twitter or a third-party site.

‘The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,’ Leakedsource wrote in a blog post Wednesday.

Leakedsource lets anyone search through its database of stolen login credentials, but we advise caution, as any email addresses or other info entered into the search field could be harvested for nefarious purposes. You can, however, check Leakedsource’s list of the most commonly used passwords from its Twitter database — if your password (on any site, not just Twitter) resembles anything on that list, you should probably change it as soon as possible.

TechCrunch notes that the passwords Leakedsource has obtained might simply be old passwords that are circulating on the dark web. Be that as it may, you should make sure your Twitter account is safe, your password is hard to break, and turn on two-factor authentication. Here’s our advice on how to toughen the security of your online accounts.”

Source: http://mashable.com/2016/06/09/twitter-password-leak/#Gmlg0wwHg5qQ