Sunday, May 21, 2017

Massive Cyber Attack

Introduction
The blog for week 10 is dedicated to the massive cyber attack affecting over 150 countries. On May 12, 2017, a massive cyber attack started because of a leaked NSA exploit. A hacking group called the Shadow Brokers broke into the NSA and stole a trove of exploits. A ransomware called WannaCrypt used two of these exploits, ETERNALBLUE and DOUBLEPULSAR. Below are more details on the history of how this massive cyber attack started.
Shadow Brokers
Who are the Shadow Brokers? The Shadow Brokers are a hacking group that is famous for stealing NSA hacking tools. The Shadow Brokers released a few of the NSA hacking tools in August of 2016 after they failed to auction off the tools (Gibbs, 2017). The Shadow Brokers voted for Donald Trump and were not happy with his policies and actions after he became president (Ghosh, 2017). They released the second group of NSA hacking tools in April 2017. The Shadow Brokers have more hacking tools to release, and Edward Snowden says the NSA has more hacking tools in their arsenal. The Shadow Brokers have yet to be identified and remain wanted for breaking into the NSA and stealing their tools.
ETERNALBLUE
ETERNALBLUE is the name of the exploit stolen from the NSA. ETERNALBLUE abuses the Server Message Block (SMB), a network file sharing protocol (Fox-Brewster, 2017). SMB v1 is old, dating back to Windows 95, and it is enabled by default on Windows XP, Vista, 7, 8 and on some versions of 10. An attacker must use a specially crafted packet that exploits a vulnerability in SMB v1. Once the specially crafted packet has been sent, the attacker can run code on the victim’s computer. The code the attacker can run could be ransomware, a Trojan, or any other program the attacker wants to run.
DOUBLEPULSAR
DOUBLEPULSAR is another exploit that was stolen from the NSA. DOUBLEPULSAR is a remote access Trojan or RAT, which allows attackers to have remote control of the victim’s computer. DOUBLEPULSAR also acts as a malware downloader to install other types of malware such as bots. DOUBLEPULSAR exploits SMB v1 and can hide on a computer system, avoiding detection systems (Arghire, 2017).
WannaCrypt
WannaCrypt is a piece of malware that is part of the ransomware family. Ransomware is a piece of malware that encrypts a person’s files and demands money to decrypt the files. WannaCrypt raises the payment after a set amount of time and it will also delete the files if no payment is received. WannaCrypt uses the ETERNALBLUE exploit to run itself on the victim’s machine. WannaCrypt is also a computer worm that uses the ETERNALBLUE exploit to spread itself across a network in a matter of seconds. Once the victim’s computer is infected with WannaCrypt, it will scan random hosts on the internet to try to spread itself further (Kumar, 2017).
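One way a defender can spot the scanning behaviour described above, as an added example that is not part of the original post: count how many distinct hosts each source contacts on TCP 445 (the SMB port) within a short window. The flow-record format, the internal address range, the threshold and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445                            # TCP port used by SMB
WINDOW_SECONDS = 60                       # assumed counting window
FANOUT_THRESHOLD = 20                     # assumed: distinct SMB peers per window
INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed address range of the site


def parse_flow(line):
    """Parse one 'epoch src dst dport' record (constructed format)."""
    ts, src, dst, dport = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(dport)


def find_smb_scanners(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {source: summary} for hosts whose SMB fan-out reaches the threshold.

    A file-server client talks to a handful of SMB peers again and again;
    a worm sweeping for new victims talks to many different ones once.
    """
    peers = defaultdict(set)              # (source, window index) -> destinations
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport == SMB_PORT:
            peers[(src, ts // window)].add(dst)

    alerts = {}
    for (src, bucket), dsts in peers.items():
        if len(dsts) < threshold:
            continue
        current = alerts.get(str(src))
        if current and current["distinct_peers"] >= len(dsts):
            continue                      # keep the busiest window per source
        alerts[str(src)] = {
            "window_start": bucket * window,
            "distinct_peers": len(dsts),
            # SMB towards addresses outside the site is rarely legitimate
            "external_peers": sum(1 for d in dsts if d not in INTERNAL_NET),
        }
    return alerts


def build_sample_flows():
    """Constructed records: one ordinary workstation, one host sweeping port 445."""
    base = 1494547200                     # arbitrary epoch, start of a window
    flows = ["# epoch src dst dport"]
    for i in range(40):                   # workstation reusing two file servers
        flows.append(f"{base + i} 10.0.0.15 10.0.1.{10 + i % 2} 445")
    for i in range(30):                   # its web traffic is not SMB and is ignored
        flows.append(f"{base + i} 10.0.0.15 198.51.100.{i + 1} 443")
    for i in range(30):                   # sweeping host: local subnet first
        flows.append(f"{base + i} 10.0.0.23 10.0.0.{100 + i} 445")
    for i in range(25):                   # then addresses outside the site
        flows.append(f"{base + 30 + i} 10.0.0.23 203.0.113.{i + 1} 445")
    return flows


if __name__ == "__main__":
    for host, info in find_smb_scanners(build_sample_flows()).items():
        print(host, info)
```

The workstation opens more SMB connections than the sweeping host does, but only to two peers, which is why the count is over distinct destinations rather than connections.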
Conclusion
Microsoft needs to stop backward compatibility in its new versions of Windows. As seen with ETERNALBLUE, an exploit was found in a 20-plus-year-old service. If Windows had stopped backward compatibility, this massive attack could have been mitigated. People were surprised by the leak of the NSA hacking tools, but how hard was it to find a flaw in 20-year-old software? WannaCrypt hit systems that were not patched with MS17-010. Legacy systems may still use SMB v1, but old protocols should not be enabled by default on new operating systems. Microsoft has released a patch to fix the SMB v1 exploits, which includes a patch for Windows XP, Vista, 8, Server 2002, and Server 2008. Installing the patch is not a guarantee that there is not another backdoor. It is advised to disable old protocols if they are not being used, especially since the Shadow Brokers can release more NSA exploits.
References
Gibbs, S. (2017, May 18). Shadow Brokers Threaten To Unleash More Hacking Tools. Retrieved May 21, 2017, from http://www.cio-today.com/article/index.php?story_id=103003JXPSMS
Ghosh, A. (2017, April 09). 'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools. Retrieved May 21, 2017, from http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141
Fox-Brewster, T. (2017, May 15). An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak. Retrieved May 21, 2017, from https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#3dcc7128e599
Arghire, I. (2017, April 24). Hackers Are Using NSA's DoublePulsar Backdoor in Attacks. Retrieved May 21, 2017, from http://www.securityweek.com/hackers-are-using-nsas-doublepulsar-backdoor-attacks

Kumar, M. (2017, May 15). WannaCry Ransomware: Everything You Need To Know Immediately. Retrieved May 21, 2017, from http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

Sunday, May 14, 2017

Microsoft Anti-virus and Healthcare Vulnerability

Introduction
In Week 9 there has not been a shortage of security news. A healthcare organization had a vulnerability that allowed people to look at different patient records, which is quite serious. Microsoft had a remote code execution vulnerability that would allow an attacker to remotely control a machine. There were several other stories, but these were the two I chose to write on.
True Health Vulnerability
True Health Diagnostics (https://truehealthdiag.com/) had a major vulnerability discovered by a patient. The vulnerability was found on their patient portal, which is located at https://my.truehealthdiag.com/customlogin.htm. The patient was Troy Mursch, an IT consultant who lives in Las Vegas (Krebs, 2017). Mursch found the vulnerability when he was looking at a PDF of his blood test and saw that the link True Health Diagnostics created could be edited. Mursch edited the link to the PDF and was able to access other patients’ tests and records. Once Mursch found the vulnerability, he called and alerted True Health Diagnostics to the flaw. True Health Group shut down their website while they found and fixed the flaw.

At this point, there is no knowledge of how long the vulnerability has existed. This means patients or an attacker could have been stealing data for several years. True Health Diagnostics needs to hire a forensic company to come in and do an investigation. This is the only way to know if there was unauthorized access to patients’ records. If they don’t hire a forensic investigator then I don’t think they are being ethical. I like the way True Health Diagnostics responded to the vulnerability by shutting off their site. This is the first time I have heard of this and it is truly a bold and interesting move. Most companies would say they will investigate an issue and either fix or not fix it while keeping their website up.
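The flaw described above is an insecure direct object reference: the portal returns whichever record the link names without checking who is asking. The following added example is not True Health Diagnostics' code; the report store, account names, numeric identifiers and function names are hypothetical. It puts a handler with that flaw beside a corrected one, and adds the log review a forensic investigation would start from.

```python
from collections import defaultdict

# Constructed report store: report id -> owning account and document bytes.
REPORTS = {
    1001: {"owner": "alice", "pdf": b"%PDF-1.4 lab report for alice"},
    1002: {"owner": "bob", "pdf": b"%PDF-1.4 lab report for bob"},
    1003: {"owner": "carol", "pdf": b"%PDF-1.4 lab report for carol"},
}


class NotFound(Exception):
    """Raised for missing reports and, in the fixed handler, for foreign ones."""


def get_report_vulnerable(session_user, report_id):
    """Flawed pattern: any logged-in user gets whichever report the link names."""
    if session_user is None:
        raise PermissionError("login required")
    report = REPORTS.get(report_id)
    if report is None:
        raise NotFound(report_id)
    return report["pdf"]          # ownership is never checked


def get_report_fixed(session_user, report_id, access_log):
    """Serve a report only to its owner and record every decision."""
    if session_user is None:
        raise PermissionError("login required")
    report = REPORTS.get(report_id)
    allowed = report is not None and report["owner"] == session_user
    access_log.append((session_user, report_id, "served" if allowed else "denied"))
    if not allowed:
        # Same error for "does not exist" and "not yours", so the response
        # does not reveal which identifiers are valid.
        raise NotFound(report_id)
    return report["pdf"]


def cross_account_reads(access_log):
    """Forensic review: which accounts were served reports they do not own?

    access_log holds (user, report_id, outcome) tuples. Returns
    {user: sorted list of report ids belonging to someone else}.
    """
    foreign = defaultdict(set)
    for user, report_id, outcome in access_log:
        report = REPORTS.get(report_id)
        if outcome == "served" and report and report["owner"] != user:
            foreign[user].add(report_id)
    return {user: sorted(ids) for user, ids in foreign.items()}


if __name__ == "__main__":
    # Constructed history from before the fix: alice walked through three ids.
    legacy_log = [("alice", 1001, "served"), ("alice", 1002, "served"),
                  ("alice", 1003, "served"), ("bob", 1002, "served")]
    print(cross_account_reads(legacy_log))
```

The review in `cross_account_reads` only works if the portal kept access logs that tie each served document to the account that requested it.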

Microsoft Remote Code Execution
It has been discovered that Microsoft has a vulnerability in their malware scanner. Google Project Zero found the remote code execution in Windows anti-malware software. Per The Hacker News article, the following software is affected: Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection (Kumar, 2017). Google’s Project Zero found that if any of the Microsoft anti-virus programs above scanned a specially crafted file, a hacker could have full control of the computer. The file can get to the computer via an email phishing attack or by downloading the malicious file. One of the important details is that the attack can happen over email without reading or even opening the full email (Mix, 2017). Since Microsoft’s anti-virus programs have real-time scanning, the exploit is triggered once the file is created, opened, downloaded or moved (Kumar, 2017). Microsoft has released a patch for Windows 7, 8, 10 and RT in only 3 days!

The remote code execution in this instance needs a special file for the exploit to work, but hackers can get their hands on this file and use it to spread malware. This “loophole” can allow a hacker to install new programs such as a Trojan or change program permissions because it basically gives them ROOT access. It was good to see Microsoft patch this vulnerability so quickly, because it usually takes longer than 3 days. The scary part of this remote code execution exploit is that the file doesn’t even need to run to infect the computer; the Microsoft anti-virus program only has to scan it. These types of exploits make a hacker’s job easy because they don’t really require them to trick a user into installing a file.
References
Krebs, Brian. "Krebs on Security." Brian Krebs. May 8, 2017. Accessed May 14, 2017. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/.
Kumar, Mohit. "Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner." The Hacker News. May 09, 2017. Accessed May 14, 2017. http://thehackernews.com/2017/05/windows-defender-rce-flaw.html.
Mix. "Microsoft issues fix for critical exploit in Windows Defender found by Google." The Next Web. Accessed May 14, 2017. https://thenextweb.com/microsoft/2017/05/09/microsoft-google-windows-vulnerability/?amp=1

Saturday, May 6, 2017

Google Phishing Attack Plus Data Breach

Introduction
For Week 8 there has been no shortage of news articles to pick from. I will be covering another data breach from a large company and a large phishing attempt. Companies seem to be giving fewer and fewer details about data breaches, so I have found I need to write about other topics.
Google Phishing Attack
With all the news about the “Great Google Phishing Email” I figured I would talk about it in my blog. It is a simple phishing attempt that many people fell for, even security professionals. The phishing email was simple: it said “(Person’s name) has invited you to view the following document” and had a button to open the link in Google Docs. Below is a screenshot of the phishing message.


If a user clicks on the link “Open in Docs” it opens a screen that says a person must allow access to Google Docs for the purpose of reading, sending, deleting and managing a person’s email along with managing a person’s contacts (Khandelwal, 2017).

If a user clicks allow, the attackers have full control over the user's email. Once full control is gained over the user’s mailbox, the attackers use it to spread the phishing email. If the user has two-factor authentication enabled, it will not stop the attackers from taking over the user’s email account. Per Google, only 1 percent of Gmail users were affected by this phishing attempt, which is about 1 million people (Khandelwal, 2017). Google has since blocked the fake application and phishing email.
Even Google can be a victim of a phishing attack, so it is best to be on alert when opening documents sent by contacts. With security professionals fooled by this phishing attack, it shows that these types of attacks can be complex. Phishing attacks are thought to be easily spotted, but that is not always the case. Even simple attacks are missed because people don’t always read the entire email, which can lead to trouble. Google already does an excellent job of blocking most phishing emails, but if you use other email clients be aware and always read the email entirely. Another good tip is to look at the sender’s email address and, if it is not recognizable, don’t click on any links.
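The attack hinged on the consent screen described above: an application presenting itself as Google Docs asked for mail and contacts access, and the user approved it after signing in. As an added example (not from the original post or from Google), this sketch reviews a constructed list of third-party OAuth grants and flags any app that pairs a trusted-looking name with an unrecognized client ID and broad scopes. The record layout, client IDs and allowlist are hypothetical; the scope URLs are Google's full-Gmail, contacts and per-file Drive scopes.

```python
import unicodedata
from collections import Counter

# Google OAuth scopes matching what the consent screen asked for.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage mail",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}

# Hypothetical allowlist: product names worth protecting, mapped to the
# client IDs the organization has verified for them.
VERIFIED_CLIENTS = {
    "google docs": {"verified-docs-client.example"},
}


def normalize_name(name):
    """Fold case, accents and spacing so look-alike display names compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def review_grant(grant):
    """Classify one grant as 'block', 'review' or 'ok' and explain why."""
    reasons = []
    name = normalize_name(grant["app_name"])
    for product, client_ids in VERIFIED_CLIENTS.items():
        if product in name and grant["client_id"] not in client_ids:
            reasons.append(f"uses the name '{product}' with an unverified client ID")
    impersonates = bool(reasons)
    risky = [s for s in grant["scopes"] if s in HIGH_RISK_SCOPES]
    for scope in risky:
        reasons.append(f"can {HIGH_RISK_SCOPES[scope]}")
    if impersonates and risky:
        verdict = "block"         # trusted name, unknown client, broad access
    elif impersonates or risky:
        verdict = "review"
    else:
        verdict = "ok"
    return {"user": grant["user"], "client_id": grant["client_id"],
            "verdict": verdict, "reasons": reasons}


def audit(grants):
    """Review every grant and count how many users each blocked client reached."""
    results = [review_grant(g) for g in grants]
    reach = Counter(r["client_id"] for r in results if r["verdict"] == "block")
    return results, dict(reach)


# Constructed grant records for illustration.
MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
SAMPLE_GRANTS = [
    {"user": "a@example.com", "app_name": "Google Docs",
     "client_id": "unknown-client.example", "scopes": [MAIL, CONTACTS]},
    {"user": "b@example.com", "app_name": "GOOGLE   Docs",
     "client_id": "unknown-client.example", "scopes": [MAIL, CONTACTS]},
    {"user": "c@example.com", "app_name": "Google Docs",
     "client_id": "verified-docs-client.example",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "d@example.com", "app_name": "Mail Merge Helper",
     "client_id": "mailmerge.example", "scopes": [MAIL]},
]

if __name__ == "__main__":
    results, reach = audit(SAMPLE_GRANTS)
    for r in results:
        print(r["user"], r["verdict"], "; ".join(r["reasons"]))
    print("users reached per blocked client:", reach)
```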
SynXis Data Breach
Sabre Corp has had a breach of their software as a service application called SynXis. The application comes from Sabre’s hospitality company called “Sabre Hospitality”. The SynXis system is reservation software that hotels use to keep track of inventory and rate information. Per sabrehospitality.com, over 120 property management, 2 revenue management and 7 CRM organizations use the software (http://www.sabrehospitality.com/solutions/hotel-central-reservation-systems). The hackers gained access to the SynXis application, but there is no information on what information they got ahold of or how they gained access to the system. Sabre has said the unauthorized access to the system has been terminated and security firm Mandiant is investigating the breach after notifying law enforcement (Krebs, 2017). This breach is thought to be linked to the recent hotel breaches over the last several months. On Sabre’s SynXis system login, only a username and password are required, and the breach may be a result of a credential stuffing attack using recently stolen usernames and passwords.

Sabre is a large organization with an annual revenue of over 3 billion dollars and it seems they have not invested in security. The SynXis system does not have two-factor authentication, which could have prevented the hackers from logging onto the system. Sabre paid for cyber security insurance, but without knowing more details it’s hard to say if the insurance will cover the breach. Cyber security insurance is new, but it is like covering a person’s house or car. For some companies, it may be cheaper to buy cyber security insurance than hire a whole security team. Without more information about how the breach occurred, it is hard to say what could have been done to prevent it. Hotel companies seem to have lax security practices, which seems to be why hackers target them for credit and debit card information. When more information surfaces about the breach I will write a follow-up entry.
References
Khandelwal, Swati. "Warning! Don't Click that Google Docs Link You Just Received in Your Email." The Hacker News. N.p., 03 May 2017. Web. 06 May 2017. <http://thehackernews.com/2017/05/google-docs-phishing-email.html>.

Krebs, Brian. "Krebs on Security." Brian Krebs. N.p., 2 May 2017. Web. 06 May 2017. <https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/>. 

Saturday, April 29, 2017

Bug Bounty plus UK Data Breach

Introduction
For Week 7 there have been interesting news articles. Of course there is another data breach, but this one happened outside of the United States. The United States Air Force has been following the other branches of the military and will start their own bug bounty program.
Bug Bounty
The United States Air Force has started a bug bounty program. The bug bounty program is designed to pay hackers or security researchers to find vulnerabilities on their systems. The pay is based on the vulnerabilities found and how critical they are. Hackers and security researchers are invited from the United States and five other countries. The countries are the United Kingdom, Canada, Australia, and New Zealand (Kumar, 2017). For the “Hack the Air Force” program people must go through a background check and not have a criminal record. The reason for the background check and no criminal record is because people could access top secret materials and exfiltrate data. This will be one of the largest bug bounty programs put on by the United States military.
Allowing hackers inside the military network is a great idea! The best part is that if the hackers don’t find anything the military doesn’t need to pay them. The last event per the article had over 14,000 hackers and they found 138 vulnerabilities, plus 75,000 dollars was paid out in reward money (Kumar, 2017). Giving hackers a chance to use their skills to get paid is awesome! Hackers usually break into systems or steal information because they are bored or they want to make more money. The problem with this is that vulnerabilities can be leaked or information taken if a person is not ethical. In the end, paying individuals instead of a company can result in more vulnerabilities being found, depending on the skill of the person.

Payday Loan Breach
A payday loan provider called Wonga has had its customers’ data stolen. Around 245,000 Wonga customers in the United Kingdom and 25,000 Wonga customers in Poland have been affected by the breach (Lomas, 2017). There is no information about how Wonga was broken into, but there will be more information in the following weeks. Wonga’s site has information about the data breach located at https://www.wonga.com/help/incident-faq. The hackers may have gotten access to people’s names, email addresses, home addresses, phone numbers, the last four numbers of their credit/debit card and/or bank account numbers, plus the sort codes (Lomas, 2017). Wonga believes that passwords weren’t taken during the incident, but as a safety precaution, they want everyone to change their passwords.
The data breach happened on April 7, 2017, but there has been no update as to how the hackers got in. They will not release the information because it could be damaging to the company. An educated guess would be Wonga left a security hole in an external facing site. United Kingdom businesses in 2018 are going to want to better protect their customers’ data because of an upcoming law. The new EU law will require companies to notify the data protection authorities within 3 days or face a fine up to 10 million euros (Lomas, 2017). Some people have even said that the hackers won’t get much from the company’s customers because they don’t have much money. Without knowing how the breach occurred it is hard to say if the issue can be fixed.
Summary
If a company can’t hire their own internal security engineers, they need to pay companies to look at their security. The internet is not going away and with customers wanting more convenience, cyber security will only get more important. The United Kingdom implementing new laws under which companies must report data breaches is a new concept. The United States does not have laws like the United Kingdom, but they are coming. Soon there will be a branch of the FBI that will investigate data breaches and fines if people’s personal information is not kept “up to code”. The other problem is every company wants all types of information and most of it is not stored correctly. The way the information is stored in some industries is not regulated at the current moment in the United States.
References
Lomas, N. (2017, April 10). Payday loan firm Wonga suffers data breach affecting up to 270,000. Retrieved April 29, 2017, from https://techcrunch.com/2017/04/10/pay-day-loan-firm-wonga-suffers-data-breach-affecting-up-to-270000/

Kumar, M. (2017, April 27). Hack'em If You Can - U.S. Air Force launches Bug Bounty Program. Retrieved April 29, 2017, from http://thehackernews.com/2017/04/hack-the-air-force.html

Sunday, April 23, 2017

IHG Data Breach and NSA Hacking Tools Week 6

For week 6 I have two items to discuss. The first is the IHG or InterContinental Hotel Group data breach and the second is how the leaked NSA tools are being used to attack Windows PCs. IHG had a breach back in December of 2016 and IHG said the data breach only affected a few of its properties. Now in April 2017, IHG has released data showing that more than 1,000 IHG properties were affected by the data breach. IHG properties’ computer systems were compromised with malicious software designed to siphon customer debit and credit card data, just like Target and Home Depot (Krebs, 2017). IHG has been in the process of implementing a secure payment solution that will encrypt customers’ data end to end. Unfortunately, IHG only had a few sites done at the time of the data breach, and they were not affected. PCI has a requirement for point-to-point encryption, so it seems IHG is behind on their PCI requirements. At the following site, a person can look up which IHG properties were affected by the data breach and the dates: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing. The site can be used by a person to see if their credit or debit card was affected and if they need to be on the lookout for fraudulent charges. Below is a screenshot of an email sent to franchise hotels offering a forensic investigation to be paid for by IHG (Krebs, 2017).

The leaked NSA hacking tools are being used in the wild. A hacker group called Shadow Brokers has leaked hacking tools that supposedly belonged to the NSA’s Equation Group (Khandelwal, 2017). A piece of malware designed by the NSA called DoublePulsar was one of the tools released by Shadow Brokers. DoublePulsar is being used as a spying tool and it is installed because of vulnerable SMB and RDP versions. To remain stealthy, DoublePulsar does not write any files to the computer, and it acts as a remote access Trojan. A person has released a Python script to test IP addresses to see if they have the DoublePulsar infection. The Python script is located at https://github.com/countercept/doublepulsar-detection-script. Below is a screenshot of someone who ran the Python script and found computers infected with DoublePulsar.

The numbers of how many machines are affected have been varying, but it seems at least 30,000 machines are infected. Microsoft has released patches to fix SMB and RDP vulnerabilities. If people are still using end-of-life software such as Windows XP and Windows Server 2003, they are vulnerable and will remain vulnerable because they will not receive security patches (Khandelwal, 2017). Script kiddies and other hackers will be able to freely use DoublePulsar to infect machines and make them zombies until the patch from Microsoft has been applied.
With hotels and businesses not encrypting credit card data end to end, data breaches will continue to happen. One item that will not show up in the news articles is how the malware got installed on the machines. Some organizations do not have good security and I know for a fact at one hotel computers are not locked down at all. It seems organizations would rather have a data breach than pay for security because it is cheaper. People have the stigma that if a company has a data breach it is bad, but because so many are happening, it is just another day. Look at Target and Home Depot; people still shop there after they have had a massive data breach. People will continue to stay at IHG properties and if they have stock there may be a blip in it, but it will come back. At the end of the day, security needs to be a priority for businesses that store or transport customers’ data.
References
Krebs, B. (2017, April 18). Krebs on Security. Retrieved April 23, 2017, from https://krebsonsecurity.com/2017/04/intercontinental-hotel-chain-breach-expands/

Khandelwal, S. (2017, April 22). Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs. Retrieved April 23, 2017, from http://thehackernews.com/2017/04/windows-hacking-tools.html

Wednesday, April 12, 2017

IRS Data Breach + Zero Day Week 5

During week 5 of CYBR 650 there has been plenty of security news. The blog this week will touch on a Microsoft zero day vulnerability and a data breach that happened at the IRS. This Microsoft zero day vulnerability is in Microsoft Office and allows remote code execution to take place. This vulnerability affects all current versions of Microsoft Office, which includes Office 2016. The vulnerability was first found by Ryan Hanson in July of 2016. McAfee reported the zero day on Friday, but said Microsoft has known about it since January (Goodin, 2017). Hackers are now using this vulnerability to spread banking malware called Dridex. A specially crafted Word document can be executed on a computer, which allows an attacker to run code. The attack starts with a Word document containing a malicious OLE2link object. This specific attack runs the exploit code, then makes a connection out to a remote server, where a malicious HTML application file or HTA gets downloaded (Khandelwal, 2017). Once the HTA file gets downloaded, it runs and downloads different pieces of malware designed to gain control of the computer or steal credentials. Below is a screenshot of a phishing email that contains a malicious Word document.


Microsoft released a patch yesterday to fix the vulnerability. This will stop the code from running if an email with the Word document gets through the security controls. The worst part about this zero day is Microsoft has known about this and did not fix it. The fix only came out after hackers were using it to spread malware via emailing a Word document. ProofPoint saw the new malware campaign and was able to block the malicious Word document.
The Internal Revenue Service or IRS has had a data breach that may affect up to 100,000 people. The IRS has a tool for FAFSA or Free Application for Federal Student Aid that hackers have exploited. The tool for FAFSA helped families and students complete the form because it is lengthy. Since I have gotten my associate’s and bachelor’s and am currently getting my master’s, I have had to fill out the FAFSA forms. The FAFSA forms are long and are a pain to fill out. According to Krebs on Security, fraudsters may have been using the tool to get AGI or adjusted gross income (Krebs, 2017). The IRS has disabled the tool because people were starting to use it for fraud. The tool is called the IRS Data Retrieval Tool or DRT. John Koskinen went before the Senate Finance Committee to testify that fewer than 8,000 fraudulent returns were processed by the IRS (Cohn, 2017).
The good thing is the tool is expected to be back online, but not till October. Does the IRS run any penetration tests or security testing? It seems like their tools are put into production without any testing and it is causing people to lose their personal information. The IRS needs to provide protection to the users that were affected by the breach. Companies that have had a data breach have provided identity theft protection, but the government does not provide these protections.
References
Goodin, D. (2017, April 11). Microsoft Word 0-day used to push dangerous Dridex malware on millions. Retrieved April 13, 2017, from https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/
Cohn, M. (2017, April 10). Data breach of IRS student financial aid tool may have affected 100,000 taxpayers. Retrieved April 13, 2017, from https://www.accountingtoday.com/news/data-breach-of-irs-student-financial-aid-tool-could-have-affected-100-000-taxpayers
Krebs, B. (2017, March 21). Krebs on Security. Retrieved April 13, 2017, from https://krebsonsecurity.com/2017/03/student-aid-tool-held-key-for-tax-fraudsters/
Khandelwal, S. (2017, April 11). Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan. Retrieved April 13, 2017, from http://thehackernews.com/2017/04/microsoft-word-dridex-trojan.html


Saturday, April 8, 2017

GameStop Breach + Ransomware

This week’s blog comes fresh off the press because a data breach happened yesterday. Gamestop.com is looking into a possible data breach of their websites. A third party notified GameStop that its customers’ credit card data was being sold on a website. Krebs’s financial sources say they have received alerts of fraud coming from gamestop.com. This does not affect in-store purchases, only purchases made from GameStop’s website Gamestop.com. According to Krebs, customer card numbers, expiration dates, names, addresses and card verification values (CVV2) were compromised (Krebs, 2017). The CVV2 is the three-digit number on the back of credit and debit cards, which is used for security. Merchants are not supposed to store the CVV2 numbers, but that does not mean hackers cannot use software to get the number before it is encrypted (Petite, 2017). GameStop has hired a security firm to investigate the data breach that happened between September 2016 and February 2017.
GameStop told customers to basically watch credit card and bank statements for unauthorized charges. The problem with looking at paper credit card and bank statements is they are monthly, which would give the bad guy plenty of time to buy items. If a person’s bank or credit card has a way to check purchases from an online interface (Online Banking), that would be a better way to check instead of paper statements. If the breach does turn out to be from GameStop I would hope GameStop offers to replace all the credit and debit cards affected by the breach.
Without knowing more about the breach (I’m sure more will come out in a couple weeks) it’s hard to say how the attackers were able to get the information. Most likely GameStop did not have security as part of building the website and there was a vulnerability, which allowed the attackers access to the data. I will update the blog once more information has been shared. Lately it has been quiet, but there will be more data breaches for the year of 2017.
Another subject I want to touch on is ransomware. A project called No More Ransom (NMR) started collecting decryption tools and keys for ransomware. The project was started by Europol, the Dutch National Police, Intel Security and Kaspersky Lab (Kumar, 2017). The project teaches users about ransomware and provides decryption tools, so that users can get their files back. According to the article, the platform is available in 14 languages and it has over 40 free decryption tools (Kumar, 2017). The website is located at https://www.nomoreransom.org/.

With ransomware being the new way for attackers to make money, there have been several variants. I have only heard of CryptoLocker, CryptoWall, and Locky, but some other names are Cerber, Crysis, CTB-Locker, Jigsaw, KeRanger, LeChiffre, TeslaCrypt, TorrentLocker, and ZCryptor (Brunau, 2017). I found the Jigsaw ransomware name interesting and decided to do more research. Jigsaw is a nasty type of ransomware that gives a user three days to pay the 150 dollars in bitcoin, but there is more. Jigsaw will start deleting files every hour until the payment is received. If no payment is received, Jigsaw will delete all the encrypted files. If a person attempts to change registry settings or attempts to shut off the computer, Jigsaw will make the time jump 24 hours ahead. A person is only given three chances before all the files are deleted.
A YouTube video can be found at the following link, https://www.youtube.com/watch?v=cbHcDgMtA0k, and it shows how to decrypt Cerber ransomware. I’m glad the project No More Ransom was set up to help people decrypt their files. A default computer user has no safeguards to protect their computer against ransomware. With these tools users can get away without paying the attackers, which is why ransomware is still around. Tips for home users to protect themselves from ransomware:
1. Ransomware mostly comes from emails, so be careful and look for spam emails
2. Have two accounts, one for regular use and another made to install applications
3. Create backups using either backup software or online backups
References
Krebs, B. (2017, April 07). Krebs on Security. Retrieved April 08, 2017, from https://krebsonsecurity.com/2017/04/gamestop-com-investigating-possible-breach/#more-38927
Petite, S. (2017, April 07). GameStop.com customers' credit card information may have been compromised. Retrieved April 08, 2017, from http://www.digitaltrends.com/gaming/gamestop-online-security-breach
Kumar, M. (2017, April 05). No More Ransom - 15 New Ransomware Decryption Tools Available for Free. Retrieved April 08, 2017, from http://thehackernews.com/2017/04/decrypt-ransomware-files-tool.html

Brunau, C. (2017, March 01). Common Types of Ransomware. Retrieved April 08, 2017, from https://www.datto.com/blog/common-types-of-ransomware