Category: Fight Back

UK Gov Cyber Essentials 10 Step Plan

This is a summary of the UK Government 10 step plan for Cyber Essentials, which is designed for organisations looking to protect themselves in cyberspace.

1. Risk Management

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2. Secure Configuration

Identifying baseline technology builds, and the processes that ensure configuration management, can greatly improve the security of systems. Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities.

3. Network Security

The connections from your networks to the Internet, and to other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding. Your organisation’s use of mobile or remote working, and of cloud services, makes defining a fixed network boundary difficult.

4. Managing User Privileges

All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed.

5. User Education and Awareness

It’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6. Incident Management

Invest in establishing effective incident management policies and processes to help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7. Malware Prevention

Malicious software, or malware, is an umbrella term covering any code or content that could have a malicious or undesirable impact on systems. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8. Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9. Removable Media Controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10. Home and Mobile Working

Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems, applicable to users as well as to service providers.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security has further information.


Project Zero at Google

Project Zero is the name of a team of security analysts employed by Google, tasked with finding zero-day vulnerabilities in commercial software. This means bugs in other people’s software that can lead to security problems. They have no interest in everyday bugs that affect people’s work but not security.

After finding a number of flaws in software used by many end-users while researching other problems, Google decided to form a full-time team dedicated to finding such vulnerabilities, not only in Google software but in any software used by its users. Its establishment fits into the larger trend of Google’s counter-surveillance initiatives in the wake of the 2013 global surveillance disclosures by Edward Snowden.

Responsible Disclosure

When serious security bugs are found in software, should the world be informed or just the software maker?

Bugs found by the Project Zero team are reported to the manufacturer and only made publicly visible once a patch has been released or if 90 days have passed without a patch being released.

This is Google’s way of implementing responsible disclosure, giving software companies 90 days to fix a problem before informing the public so that users themselves can take necessary steps to avoid attacks.

Notable Discoveries

On 30 September 2014 Google detected a security flaw within Windows 8.1 which allows a normal user to gain administrative access. Microsoft was notified of the problem immediately but did not fix the problem within 90 days, so the information about the bug was made publicly available on 29 December 2014. Releasing the bug to the public brought a response from Microsoft that they were working on the problem.

On 19 February 2017 Google discovered a flaw within Cloudflare, which caused their edge servers to run past the end of a buffer and return memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.

On 27 March 2017 Project Zero discovered a vulnerability in the popular password manager LastPass and four days later LastPass announced they had fixed the problem.

Project Zero was involved in discovering the Meltdown and Spectre vulnerabilities affecting many modern CPUs, which were discovered in mid-2017 and disclosed in early January 2018.

Keep up the good work!


Scammer Targeting The Elderly Is Caught

A Canadian con man who was caught on video bragging about stealing from the elderly was among 200 people charged by US authorities with defrauding seniors.

Andrew John Thomas boasted about his sweepstakes scheme at a conference for postal scammers in British Columbia.

“My ability to whore my beautiful talent to sell this s— to people who don’t need it. It’s hard to be, it’s hard to be proud of it, but well I’m good at it.” said Thomas.

Authorities say Thomas masterminded the swindle of more than $4.5 million annually by duping senior citizens into believing they had won large sums of money. He targeted elderly Americans, typically notifying them via mail that they’d won a sweepstakes prize and that all they needed to do to claim it was to pay a processing fee and money for taxes.

The mailings instructed recipients to return a response card with a processing fee in order to accept the bogus winnings. They received no money — only more solicitations. While many stopped sending money after realizing they had been duped, others continued to do so in hopes of claiming the prize.

U.S. law enforcement officials announced what they labelled as the largest ever fraud enforcement action involving elderly Americans, charging more than 200 people and bringing civil actions against dozens more.

Agents from the U.S. Postal Inspection Service (the enforcement arm of the U.S. Postal Service) executed search warrants at 14 locations that some of the same fraudsters have run for years.

Officers from the Vancouver Police Department in Canada served dozens of search warrants as part of the enforcement action.

This was clearly a well-organised and effective take-down of a lot of scammers by co-ordinated action between US agencies and the Canadian police.


Identify a Virus

The website VirusTotal at https://www.virustotal.com was created to help people identify computer viruses. It does this by analysing suspicious files or URLs supplied to it, and it is a free service.

VirusTotal inspects items by using 70+ antivirus scanners and URL/domain blacklisting services, plus a range of tools to extract signals from the studied content.

How to use the Website

You can select a file on your computer and upload it to VirusTotal in your browser.

There is also the option of desktop uploaders, browser extensions and a programmatic API if this is to become a regular practice.

As with files, URLs can be submitted via several different means including the VirusTotal webpage, browser extensions and the API.

How Does the Virus Checker Work?

A submitted file or URL is scanned and the results are shown on screen. The data and results are shared with VirusTotal partners, who use the results to improve their own systems. As a result, by submitting files, URLs, domains, etc. to VirusTotal you are contributing to raising the global IT security level.

Scanning reports produced by VirusTotal are shared with the public VirusTotal community. Users can contribute comments and vote on whether particular content is harmful. In this way, users help to deepen the community’s collective understanding of potentially harmful content and identify false positives (i.e. harmless items detected as malicious by one or more scanners).

Commercial Service

The service provides qualified customers and anti-virus partners with tools to perform complex criteria-based searches to identify and access harmful file samples for further study. This helps organisations discover and analyse new threats and fashion new mitigations and defences.

VirusTotal not only tells you whether a given antivirus solution detected a submitted file as malicious, but also displays each engine’s detection label (e.g., I-Worm.Allaple.gen).
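The post mentions the programmatic API and the per-engine detection labels, and also notes that anything submitted is shared with VirusTotal's partners. The following is an added example, not code from the post or from VirusTotal, of how a defender would check a file through the API while keeping that sharing in mind: hash the file locally and look the hash up first, so that a file VirusTotal has already seen is never uploaded. The endpoint path (`/api/v3/files/{sha256}`), the `x-apikey` header and the response field names (`last_analysis_stats`, `last_analysis_results`, `category`, `result`) are assumptions about the VirusTotal v3 API and should be checked against its current documentation; `YOUR_API_KEY` is a placeholder and the sample response is constructed for offline use.

```python
import hashlib
import json
import urllib.request

# Assumed VirusTotal v3 "file report by hash" endpoint and API-key header
# (verify against the current VirusTotal API documentation).
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of file contents; only this digest leaves the machine."""
    return hashlib.sha256(data).hexdigest()


def build_hash_lookup(sha256: str, api_key: str) -> urllib.request.Request:
    """Build a request for an existing report on this hash.

    Looking the hash up before uploading means a file VirusTotal already
    knows is never sent, which matters for documents holding personal or
    business data, since submitted content is shared with VirusTotal partners.
    """
    return urllib.request.Request(
        VT_FILE_REPORT.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_report(request: urllib.request.Request) -> dict:
    """Perform the lookup (network call; not exercised offline)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)


def summarise_report(report: dict, min_engines: int = 2) -> dict:
    """Reduce a report to the fields a triage analyst looks at first.

    The field names used here are assumptions about the v3 response layout.
    A single engine flagging a file is often a false positive (the post
    mentions these), so `likely_malicious` requires at least `min_engines`
    engines to agree; that threshold is a local triage heuristic, not a
    VirusTotal rule.
    """
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    # Per-engine detection labels, e.g. the "I-Worm.Allaple.gen" style names
    labels = {
        engine: verdict.get("result")
        for engine, verdict in results.items()
        if verdict.get("category") == "malicious"
    }
    malicious = stats.get("malicious", 0)
    return {
        "sha256": report["data"]["id"],
        "malicious": malicious,
        "total_engines": sum(stats.values()),
        "labels": labels,
        "likely_malicious": malicious >= min_engines,
    }


# Constructed sample response in the assumed v3 layout, for offline testing.
SAMPLE_REPORT = {
    "data": {
        "id": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "undetected": 1, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "malicious", "result": "Win32.Agent"},
                "EngineC": {"category": "undetected", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    digest = sha256_of_bytes(b"hello")  # stands in for reading a local file
    req = build_hash_lookup(digest, "YOUR_API_KEY")  # placeholder key
    print("GET", req.full_url)
    print(summarise_report(SAMPLE_REPORT))
```

In practice you would call `fetch_report(req)` and pass the returned JSON to `summarise_report`; a 404 from the lookup means VirusTotal has not seen the file, and only then do you decide whether the file is safe to upload in full.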

This is a valuable resource in the fight against computer viruses.


The UK Online Safety Bill Makes Progress

https://www.gov.uk/government/news/world-first-online-safety-laws-introduced-in-pa

The UK Online Safety Bill marks a milestone in the fight for a new digital age which is safer for users and holds tech giants to account. It will protect children from harmful content such as pornography and limit people’s exposure to illegal content, while protecting freedom of speech.

At least that’s the intention, but these matters are very difficult to codify into law and the online world keeps changing at an ever faster pace.

Key points include:

  • It will require social media platforms, search engines and other apps and websites allowing people to post their own content to protect children, tackle illegal activity and uphold their stated terms and conditions.
  • The regulator Ofcom will have the power to fine companies failing to comply with the laws up to ten per cent of their annual global turnover, force them to improve their practices and block non-compliant sites.
  • Executives whose companies fail to cooperate with Ofcom’s information requests could now face prosecution or jail time within two months of the Bill becoming law, instead of two years as it was previously drafted.

The government significantly strengthened the Bill since it was first published in draft in May 2021. Changes since the draft Bill include:

  • Making sure all websites which publish or host pornography, including commercial sites, put robust checks in place to ensure users are 18 years old or over.
  • Adding new measures to clamp down on anonymous trolls to give people more control over who can contact them and what they see online.
  • Making companies proactively tackle the most harmful illegal content and criminal activity quicker.
  • Criminalising the sending of unsolicited sexual images to people using social media, known as cyber-flashing.
  • Giving people the right to appeal if they feel their social media posts were removed unfairly.
  • Preventing online scams, such as paid-for fraudulent adverts, investment fraud and romance scammers.
  • Requiring pornography websites to verify their users’ ages.

Any firm breaching the rules would face a fine of up to 10% of its turnover, while non-compliant websites could be blocked entirely.

If you have any experiences with these scams do let me know, by email.

Surrey Scammer Caught

Thomas Proudfoot, 21, of Leatherhead in Surrey pleaded guilty to computer misuse, money laundering and several counts of fraud following an investigation by the Dedicated Card and Payment Crime Unit (DCPCU), a specialist police unit funded by the banking and finance industry.

He was sentenced to 4 years and 8 months in prison and also received a Criminal Behaviour Order to prevent further fraud offences.

Proudfoot had been conducting scams based around Covid business grants.

He would send out scam text messages that offered victims Covid-19 grants and asked them to click a link to a fake website.

The website asked for the victim’s personal and financial details which he could then use to steal from them.

Proudfoot also designed software which he sold as a service to other fraudsters, the court heard.

He also admitted to hacking a private business website and providing other individuals with software to help them commit fraud offences.

The police found that he was selling methods to carry out smishing and phishing fraud, including possessing copies of fake web pages relating to Covid-19 and other organisations.

Detective Sergeant Ben Hobbs at the DCPCU said: “This sentencing is a warning to those who believe they can benefit financially from fraud that they will be caught and punished. The DCPCU will continue to clamp down on the criminal gangs seeking to use the pandemic to defraud people.”

Good riddance, at least for a while, to a thief targeting vulnerable people during the pandemic.

If you have any experiences with these scams do let me know, by email.
