Category Archives: Information Security

Prevendra - Social Engineering Qatar

Social Engineering: From Qatar With Love – Cyber espionage

Is the Government of Qatar perfecting their social engineering or is this a case of Qatar vigilantism? A recent write-up by Claudio Guarnieri, a security researcher working for Amnesty International, leans toward nation state sponsorship, exercising what he describes as “Operation King Phish“.  

Prevendra - Social Engineering - Robin Sage

Robin Sage – 2009

A review of Guarnieri’s report and one’s brain will have a flurry of memory triggers, synapses, bringing to mind the highly successful social engineering exercise of 2009,  Robin Sage.  Like Robin Sage there is a femme fatale, with a multitude of social network profiles … Google+, LinkedIn, Twitter and Facebook (as of 03 March 2017 they have all been removed). 

Safeena Malik - 2017

Safeena Malik – 2017

Meet Safeena Malik. She claims to be a human right’s activist, a director at Amnet. At the height of her activity she had connected to over 500+ individuals on the professional network LinkedIn alone.

Her modus operandi … old fashion click-bait social engineering. She would send emails, direct message tweets, open Google hangouts or Facebook messenger apps. Each time she would provide a presentation or document for the recipient’s review.

Clickbait - Social Engineering used in the *Safeena Malik King Phish* op by Qatar | tks @amnesty Click To Tweet

Those who opened the file attachment or clicked on the link were either gifted with a malware payload or sent to a look-a-like login page for their Google accounts. In either scenario, the entity(ies) behind Malik were attempting to compromise your device and your Google ecosystem (google drive, photo, email, etc.).

The target?  The report indicates: “… (King Phish) was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.”

The migrant worker issue has been a political hot potato in Qatar for quite some time, especially featuring those who migrate to Nepal specifically to help build the infrastructure required for the FIFA World Cup of 2022. In 2014, The Guardian reported, “Nepalese migrants building the infrastructure to host the 2022 World Cup have died at a rate of one every two days in 2014 – despite Qatar’s promises to improve their working conditions.” According to the BBC, more than 1400 had died as of 2015, no doubt the number is higher. 

The BBC has been covering the issue for some time, and in 2015 found that their reporter’s investigative skills were not appreciated by the Government of Qatar.  The video from the BBC reporter highlights the sensitivity in Doha.

How many migrant workers are there in Qatar? According to the Guardian, there are about 400,000 Nepalese workers in Qatar among the 1.4 million migrants.  

What say the Government of Qatar? Not only no, but emphatically no. They claim no interest in Amnesty International or any other and they too wish to know the identity of the culprits behind this activity.  They would never engage in cyber espionage.

What say Amnesty International on QatarThe authorities unduly restricted the rights to freedom of expression, association and peaceful assembly. One prisoner of conscience was pardoned and released. Migrant workers faced exploitation and abuse.

Will this be the last case of social engineering used in a political farcus. Those with opinions, remember the adage, don’t click. Nation states and unscrupulous competitors will use all the tools available to them to engage their target.

Prevendra's Email Updates
Get the latest content first.
100% Privacy. We don't spam.
Prevendra: Intellectual Property Theft

Departing Zynga Employees Heist Intellectual Property?

Easiest way to lose your intellectual property?  When your departing employee walks your intellectual property right out the door. It happens far too often and the insider threat you thought of as a hypothetical?  Well, it is now a reality.

This is what apparently happened to Zynga.

Zynga (yes the game company is still alive and kicking) alleges in their complaint (United States District Court Northern District of California), that a number of employees have left their employ and went to a competitor, Scopely, with Zynga’s intellectual property in hand.

Nothing wrong with jumping ship to a greener pasture. Non-compete does not exist in California … so the move is all good.  However, it’s not ok to take the intellectual property of your employer (even if you had a hand in creating it) out the door with you for use at your next employer.

Let’s look at the ‘alleged’ smoking guns.

If your employee is looking for 'how to erase or delete their hard drive' CLUE: #insiderthreat Click To Tweet


Prevendra - ZyngaPrevendra - ScopelyZynga filed suit against a direct competitor, Scopely. The claim: Former-employees departed Zynga and took (stole) the intellectual property of Zynga on their way out the door and directly to Scopley.

How much of Zynga’s intellectual property did the departing employee(s) take? What other agreements did the employees violate?

The complaint alleges:

Massimo Maietti (Maietti worked for Zynga as a senior level game designer and is now employed by Scopely as a Vice President and General Manager of Product Development). Forensic examination of Maietti’s laptop two days after his departure from Zynga showed how one day before he tendered his resignation he downloaded Zynga Google Drive folders to his laptop. Maietti then inserted a USB drive into the laptop, copied all the folders to the USB drive. The laptop drive’s “trash” file contained 20,000 files. An analysis of the corresponding Google Drive folders revealed that Maietti took over 14,000 files and approximately 26 GB  which were from the  folders. Within this treasure trove of documents was Zynga’s new Project Mars.  (NOTE: Maietti’s access to these files were within his Zynga approved access, i.e. he had natural access to these folders on the Zynga Google Drive.)

Ehud Barlach (Barlach worked for Zynga as General Manager of Hit It Rich! Slots (“Hit It Rich!”). Forensic examination of Barlach’s Zynga issued computer revealed that when Barlach accepted Scopely’s offer of employment, he also offered to help Scopely raid Zynga’s workforce, which Scopley’s HR representative noted that had he not offered they would have asked on his first day.

It’s a dog eat dog world in the trenches of employee retention, and Zynga details the wholesale raid by Scopely on its talent pool, as a result of their contact with Maietti and Barlach. Three of which were Derek Heck, a Product Manager, Evan Hou, a Manager Data Analytics, and Zynga Lead Product Manager, Joshua Park.

The complaint indicates Zynga’s forensic analysis reveals “Barlach, Heck, and Hou all attached external USB devices to their Zynga-issued laptop computers in the weeks before resigning to go to work for Scopely. Heck also deleted more than 24,000 files and folders in the last month of his employment with Zynga, and referenced articles entitled, “How to erase my hard drive and start over” and “How to Erase a Computer Hard Drive…”.

Employee departs to competitor? #insiderthreat preserve their drive! Click To Tweet

What did Zynga do right?

They had their departing employees attest they had returned all Zynga’s intellectual property prior to their departure.

They also had the departing employee agree and sign that they would not solicit employees from Zynga for a period of one year.

“Maietti reaffirmed in writing that he had returned all of Zynga’s trade secrets and would not solicit its employees.”

They also preserved the laptop hard drives of employees who departed to competitors. The complaint explains: “Zynga realized that its key talent was being solicited and hired by Scopely with increasing frequency, Zynga commissioned a forensic examination of the departed employees’ computers, going back to Maietti’s resignation months earlier.”

Demonstrated forensic support capability should be in every company’s arsenal (in-house or out-sourced), Zynga was able to include the time line of Maietti’s removal of their intellectual property from the Google Drive to the laptop and then to the USB drive in their complaint.

• 9:01 a.m. – External USB device connected to laptop

• 9:04 a.m. – Google search for “download a google drive folder”

• 9:06 a.m. – Zip files downloaded to laptop

• 9:20 a.m. – Zip files copied onto external USB device

• 10:18 a.m. – Original Zip files placed in Trash (but not the copies Maietti created on his USB device)

Raw Material

Want to learn more and draw your own conclusions. Here is the Zynga complaint and the Scopley response — good reading.

Zynga-Scopely-Complaint – 29 November 2016

Scopely – Zynga – Response 08 December 2016

How this plays out will be one worth watching.


Prevendra - Privacy

January 28, 2017 – International Data Privacy Day

Prevendra - Data Privacy ChampionI am pleased to be recognized as a Data Privacy Day Champion, as is Prevendra. Every day efforts are expended to assist companies and individuals protect their collective privacy. In 2016 we witnessed millions of individuals having had their private information compromised. A healthy percentage of those compromised, found their information was being exploited and used.

This year’s theme for Data Privacy Day 2017 is privacy aware (#PrivacyAware). The intent it to empower every individual and business to respect privacy, safeguard data and enable trust. 

For the past seven years, I’ve been generating an annual missive on this topic.  This year, we’ll share the official infographic and a few of our privacy tips which have been shared over the years and remain accurate today.

So what can we do?  Here are the two steps that we can take to understand how your data (and privacy) is being used and at the same time not appreciably diminishing your online experience.

Privacy Tip #1

Privacy Statements

Read every site’s “Privacy” statements. Why? So you will know what information will be collected, how it will be used and with whom it will be “shared.”  Every time you open a privacy statement – search for the word “SHARE” and understand how your information will be shared.  Search for the word “USED” and understand how your information will be used.  Search for the word “COLLECT” and understand what is being collected.

Here’s is the Prevendra privacy statement – Prevendra, Inc. Privacy statement.

Read the privacy statement, before you share your data. #PrivacyAware Click To Tweet

Privacy Tip #2

Privacy Settings

Set your privacy settings to your individual comfort level. Whether you are using Facebook, Twitter, LinkedIn or any other social network, they have controls on how and with whom your information is available with the application.

Take the time necessary to set those settings. Take a moment to read how the different setting affect who has access to what you are sharing. For example on Facebook you can share with a micro-group of your “friends” or with your public or somewhere in between.

On your devices, under privacy or security settings you can adjust how you share your location, what information is accessible to the application or what information on your device the application has access.

Review your privacy settings at least once a month #PrivacyAware Click To Tweet

In 2010, I admonished that each individual should take steps to protect their own privacy. No surprise, the the two pieces of advice above, were the same advice provided in 2010. An excerpt from my advice on Privacy Day 2010:  “To accomplish this goal [privacy], it’s important to know how you are sharing your information, how others are sharing your information and, ultimately, how your information is being utilized. Some would say that it’s difficult to know in this digital age; others would say it has always been. It is difficult – but not insurmountable. With a bit of awareness and education it’s within our collective capacity to develop a better understanding so that we reduce the frequency with which we effectively shoot ourselves in the foot, both accidentally and seemingly on purpose.”

I advocated the following (and continue to do so)
  • Ask how your data will be used, under what circumstances, and by whom.
  • For those who use peer-to-peer software in your home: Review the settings in detail, as an incorrect setting can open your system to an outside entity.
  • Do you have a wireless network? Suppress the Service Set Identifier Data (SSID), limit access to specific MAC addresses, and use WPA2 encryption with strong passwords. A strong password consists of more than eight, preferably 14 characters consisting of symbols, numbers, and letters (which isn’t a word from a dictionary of any language). This will greatly reduce the likelihood of unauthorized access by criminals.
  • Data destruction: Shred your paper copy data; degauss or destroy your magnetic media prior to recycling. Don’t allow a physical harvest of your data.
  • Do others use your computer? If you allow visitors to use your computer or wireless network and you share the primary passwords, change them following each use.
  • Encryption: I advocate encryption, with a robust strong key phrase for your important data. Data or full-disk encryption, the choice is yours.

A year later, 2011 and I continued to cajole all to think about privacy.  I asked a question at an event in 2010: “How many of you check Twitter or your social networks before your feet hit the floor in the morning?”About one-quarter of the 300 people present raised their hand. Quite a telling answer, and one that solidified in my mind that checking in is right up there with reaching for your morning coffee.

I then discussed the influence of social networks on our everyday life. The unintended growth of personal data that each of us creates as we move through our daily lives. A professional colleague of mine coined this “our digital exhaust.”  We should continue to review our exhaust. Review how many different online profiles you’ve created. Consider how many photos, videos, emails, comments, and tweets you’ve posted in public or quasi-public locales. These are the nuclei of your biographic mass, which can and will be compiled about you by any number of interested entities, whether they are marketers or hiring managers. I assure you, this information will not match your well-framed and articulated persona or the resume that you so painstakingly created. The good news is that if you know what others know, then you are prepared for the question that may arise about a given incident or piece of publicly available data.

Then in 2012, privacy became more important to all and we began to see different rules and regulations come to the forefront.  I used the 2012 anniversary of Data Privacy Day to delve into the privacy statements of different conglomerates.  See above for the strong suggestion to search through the privacy statements of anyone holding or using your data, search for share was and is a reality.

In 2013, I declared the prior year of 2012, as the year our “privacy was collectively hosed”. We saw the influx in medical privacy breaches, the overstepping of the US government entities in requesting data from corporate entities was at an all time high. I shouted, how every consumer should measure their sharing of their information with two phrases:  “need to know“ or “do not track.” We all must pay attention to the minutia and details.

Again, here we are, 2017 and we are facing many of the same issues.  I implore each of you.  Protect your own data.  For those who collect data, do not collect what you can not protect. It is your privacy, you are the one to ultimately decide what you will share and what you will hold dear. I urge you to know what you share.

Thank you for your time.

Christopher Burgess
CEO Prevendra.

Prevendra - Data privacy day Infographic

Customer Loyalty Sweepstakes: The winner engages the customer securely

The 2016 Nielsen report addressing customer loyalty,  “Allegiant Alignment: What Faithful Followers of Retail Loyalty Programs Want” based on the 2016 Nielsen Global Survey of Loyalty Sentiment polled more than 30,000 online consumers in 63 countries throughout Asia-Pacific, Europe, Latin America, the Middle East/Africa and North America. They found loyalty programs continue to hook and keep hooked individual consumers. Nielsen noted, “more than seven in 10 loyalty-program participants in the survey somewhat or strongly agree that all other factors equal, they will buy from a retailer with a loyalty program over one without. Which continues the trend identified in 2013 and 2015 surveys.

Jeff Bezos may have said it best, “We see customers as invited guests to a party, and we are the hosts. It’s our job every day to make every important aspect of the customer experience a little better.” Loyalty programs, or in Amazon’s case, Amazon Prime is an excellent example of adding value to the membership and in Amazon’s case, having your most loyal customers pay a fee and in exchange receive a host of benefits.

Prevendra - Customer Loyalty - Bezos Quote on Loyalty2015

Then is 2015, Nielsen again looked at customer loyalty and found, “Consumer Loyalty is Not Much Deeper Than Our Pockets.” The 2015 global survey of 30,000 online respondents in 60 countries shows that price is the top driver of store switching behavior—and by a wide margin. Nielsen advises, “Approximately 84 percent of survey respondents indicated a strong preference to choose a retailer with a loyalty program over a competitor without one. The data points toward the efficacy of having a customer loyalty program over not having one. The vagaries of how customer relationship management (CRM) solutions are implemented is where the differentiation between brands takes place. Membership in the loyalty program does not guarantee loyalty, of course, but it does open the door for companies to earn the customer’s loyalty at every encounter.”


How Loyal Are Your Customers?”  Customer loyalty is driven by-product quality coupled with how successfully the engagement with the customer is executed, according to the November 2013 Nielsen report. ,which was derived from the Nielsen Global Survey of Loyalty Sentiment in which 29,000 Internet respondents from 58 countries participated. Nielsen’s global survey noted loyalty to be fickle, especially when competitors appear with product, promotions and technological infrastructure that not only catch the customer’s eye but also engage the customer with the least amount of technological friction.

This does beg the questions, “How are you going to engage with the customer when they are not standing in front of you?” and “How are you going to use the customer data derived from the engagement?” These two questions are not as simple as they may appear.

Use of Data

Information technology infrastructure capable of handling a robust influx of data is paramount. Data may come via a myriad of sources, including marketing, manufacturing, fulfillment, sales and support. Customers are likely to be well versed in digital engagement and will be in search of a frictionless experience. The challenge for the IT decision makers at midsize firms is to ensure that infrastructure is interconnecting all internal entities. Most importantly, it enables the company to avoid fragmentation of effort and to speak with one voice. Furthermore, it means having in place the technology to support personalized engagement oriented to the touch points between the customer and the company.


The customer may engage via social networks, a help line or loyalty program portals. In each case, the customer is choosing the manner in which it is most convenient to engage. IT leadership, especially in midsize businesses, is accountable for ensuring infrastructure is adequate to the task. If the infrastructure is not sufficiently integrated to allow the instant engagement to roll up to a customer service screen, then the customer experience will be fraught with potential disconnects. This is especially important for those small and medium businesses (SMBs) that may have a local physical presence as well as a far-reaching virtual presence. Capturing the interaction on both planes, the physical and virtual, allows SMBs a level of dexterity to make real-time adjustments to their customer interaction based on engagement data.

The loyalty program’s connectivity with the company’s social networks permits direct marketing and early warning to support staff in the event of a product failure. Moreover, there is no better way to engender word-of-mouth activity than personalization of the customer engagement via the social networks. The integration of social network engagement with the other areas of the company requires infrastructure concordance. The Nielsen reports indicated large swaths of respondents expected loyalty programs to provide perks, such as free products, with the North American market expecting discounts or other money-saving offers from the loyalty program. SMBs have the ability to engage their customers on the fly, making adjustments as necessary based on sales, social media network sentiment, volume and engagement, thus keeping their loyal customers loyal.

Privacy and Security

Loyalty programs require an investment in maintaining the privacy of the participant. If the loyalty program for the drug store chain is compromised, will the prescriptions be at risk (Walgreens,, CVS and others have experienced breaches which affected customers in recent year)?

If the airline loyalty program database is compromised, will the travel patterns of the participant and the personal identifying information be at risk?

In late-2016 the KFC UK loyalty program found itself picking up the crumbs following the compromise of 1.2 million customers data. In 2015,  Toys R Us loyalty program was compromised, and users were advised.

Are Customer Loyalty Programs for You?

Given more than 3.3 billion consumers participate in loyalty programs, so they are clearly here to stay, yet not all loyalty programs prove successful, and customer engagement comes in many flavors. Companies that make the investment in customer engagement that provides customers with useful information and that enhances their experience will be best positioned to win the customer loyalty sweepstakes.


A more condensed version of this article, by Christopher Burgess, previously appeared on an IBM blog.


Prevendra - Ameriprise FInancial

Financial Advisor at Ameriprise exposes millions in assets via NAS

Do you use a financial advisor? I do, and I recommend mine to others without reservation. Part of that recommendation comes from the manner in which the account data is secured, which provides me more than a modicum of assurance that the folks managing my money are not asleep at the switch when it comes to protecting my identity (and thus my assets).

Most financial firms of note have in place good to adequate security. And yes, like every industry, convenience is sometimes sacrificed (a little) to provide the level of security necessary to insure your data is protected. The convenience factor is a two-way street.

You the consumer need to have access to your own information and accounts; your financial advisor also needs access to your information and accounts. If either of you get lazy and bypass the established security and privacy implementations, then your data is being placed at risk.

And this is exactly what happened in the case when the Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accountsthough it appears that Ameriprise and the advisor are at odds on what constitutes security.  From our optic, both failed!  The NAS (Network Attached Storage) device which housed the backup data of the financial advisor, had no security implementation in place.  

The financial advisor apparently backed up his client’s data to unsecured NAS. The advisor’s client’s data were included in the depository. Not just client account with Ameriprise, but all their accounts and their passwords … thus exposing for any who know how to scan the internet (Shodan was used in this instance) to see.   What exactly was available for harvesting?  Here are a two screenshots.

The first screenshot details the internal account details of the clients. Those portions which would expose the individual accounts of the client and the access credentials – the screenshot had been redacted and the password column omitted. In few words, a total compromise of the client’s financial accounts occurred.

Prevendra - Ameriprise Compromise 2

The second screenshot provided by the security researcher Chris Vickery is the questionnaire the financial advisor provides to Ameriprise in which data handling is discussed. 
Prevendra - Ameriprise Compromise

What to ask your financial advisor?

The financial industry is high on the threat list for lucrative harvesting by cyber criminals, we don’t need to intrust our fiscal assets with those who aren’t interested in protecting those assets.

Use the considerable assets of FINRA to fact check and augment your knowledge of the financial advisory industry and best practices. FINRA is there to protect you the investor and their tip-sheet (2 page pdf: Keeping Your Account Secure) is a good primer.

When engaging with your financial advisor ask some pointed questions on how your data is protected and secured!

  • Do you transmit my account data via unencrypted email? (Are they attaching a .pdf and winging it to you?)
  • Personal information forms and medical data for annuities, life insurance, etc. where are they physically stored?
  • How are they protected?
  • My external accounts (bank, brokerage, etc.) how is that data protected?
  • Who has access to my online account? Financial advisor? Supervisors? Analysts? (The more who have access the more opportunities to lose or misuse your data)

If you don’t like the answers or if their are no answers, find a new advisor.

Prevendra- BYOD Policies

BYOD: Users are a nightmare without policies

Over the course of the past several years business leaders have evaluated and implemented the bring-your-own-device (BYOD) movement as a cost-effective methodology to preserve or reduce information technology (IT) operating expenses. In the quest to reduce these operational expenses, one might overlook the need to have a robust BYOD policy. A policy of this order addresses not only the technological issues associated with individual use of a personally owned device but also any procedural and data ownership issues. In essence, a policy document levels the expectations between company and employee.

The prevalence of BYOD is growing exponentially. In 2013, Juniper Research recently predicted more than one billion BYOD users by 2018, a number expected to equal approximately 35 percent of all consumer mobile devices. It is unlikely that every one of these devices will be used in accordance with the company’s expectations, but small to medium businesses (SMBs) should integrate their technological solutions and policies and ensure that they are commensurate with their available resources, thus making their BYOD policy a foundational item by coupling it with existing information security policies and other regulatory requirements.

Everyone has policies?

92% of C-suite execs #BYOD, but only 31% have #infosec policies says @helpnetsecurity Click To Tweet

A recent study by Help Net Security indicates, “the majority of C-suite executives (92%) and just over half of small business owners (SBOs) (58%) have at least some employees using a flexible/off site working model. Yet, only 31% of C-suite executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.”

Whereas, Dell UK Security is spot-on, as detailed in the above video, the use of BYOD is a mainstay. Rare will be the company that does not want their workers to use their own devices.

There is a great deal of work to be accomplished by many companies, who are allowing convenience to trump their security.

Policies Are Married to Technology

In creating the BYOD policy, no assumption should be made by IT professionals or systems administrators regarding the technical acumen of their colleagues who are participating in a company’s offering. The aforementioned Juniper survey noted how 80 percent of smart phones will remain unprotected throughout 2013. In face of so sobering a data point, midsize businesses must implement a technical engagement protocol. The goal is to provide the best possible solution to protect company data today via a secure technological implementation and a road map to a better solution.

Technological solutions cannot stand alone; they must be coupled with appropriate BYOD policies, policies that protect the company’s intellectual property, trade secrets and customer data. At the same time, the policies should not be overly restrictive of how employees may use their device nor overly broad with granting the company access to the employee’s personal data. It may appear to be paradoxical, but an excessively strict policy implementation could in fact put the company at risk of accusation of unfair labor practices, according to a recent piece in CIO; not only that, but many employees faced with highly restrictive policies will seek unsafe workarounds. This is clearly not the purpose of a  policy, which is to improve BYOD risk management, not add to the risk.

BYOD Implementation

An effective BYOD policy engagement will begin with who owns what on the device, under what circumstances the company may access the employee’s device and how that access may occur. Any specialized applications or capabilities as part of the IT BYOD management suite that will be placed on the employee’s device will be identified. These applications may provide the company with an assurance of security through mandatory encryption or remote destruction capabilities. Regardless, it is incumbent upon the implementation team to tender an explanation of what data on the employee’s device the company’s required applications are accessing and how. Similarly, IT’s obligation to declare to the employee with specificity any prohibitions of placing third-party applications on the device that accesses company data should be spelled out with crystal-clear clarity.

As nice as it would be to open BYOD implementation to any and all devices, it is reasonable for the SMB to restrict BYOD to those devices that their IT department is able to support. The last step is to have the policy presented to the employee, signed by both the employee and the company’s representative and periodically revisited with each individual user on a semiannual basis. This will not only keep the company’s expectations top of mind, but IT leadership will also have a window into any hiccups in the technological or policy implementation; the latter is information that could go a long way toward achieving the principal objective of BYOD: To enable business to be conducted in an efficient and secure manner.


A desired outcome of any BYOD implementation is to conserve operating expenses, and cost of implementation is therefore a consideration. The Sans Institute white paper, “Managing the Implementation of a BYOD Policy,” provides an effective road map for a pilot BYOD project which can be implemented with little to no additional resources.

There are a plethora of mobile device management suites available from a variety of security vendors. Use one.

All the same, those who rush to embrace BYOD in order to save expense but who fail to ensure that implementation is accompanied by appropriate IT policies and infrastructure that pass legal muster may prove themselves to be penny wise and pound foolish.

A prior version of the above piece, authored by Christopher Burgess, originally appeared on IBM’s MidsizeInsider blog.

Prevendra: Ransomware

Ransomware: Attack and Resolution

Companies continue to fall victim to ransomware* on a regular basis. According to an IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data” 70 percent of companies who have fallen victim to ransomware, have paid the ransom. The FBI tells us the typical ransom is in the range of $200 to $10,000 paid, with some notable cases of ransome moving well into five, six and seven digit ranges. With a 70 percent success rate, one understands why the cyber criminal community is doubling down on ransomware as the malware of choice.

[x_pullquote cite=”FBI: Alert Number I-091516-PSA” type=”left”]What to Report to Law Enforcement

The FBI requests victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center.

  • Date of Infection Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  • Requested Ransom Amount Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement
  • Don’t Pay a Ransom


IT departments are charged with the ensuring that their entity’s infrastructure is accessible by those who use the systems; data is secure and protected, with access by those who have a need to know; and that the information within the system is trustworthy and accurate. Planning for a ransomware attack is a must.

Don’t Pay Ransomware

But what of the companies/entities who decline to pay a ransom, how do they fair?

The ransomware event certainly creates havoc and expense. In some cases, preparedness and remediation exceeds the cost of the ransom. If you do not have cold-storage of your backups, you may lose your data permanently.

The San Francisco Municipal Transit Agency (SFMTA) recently fell victim to ransomware which impacted over 900 office computers. Once discovered, the SFMTA put into action their crisis management plan, and according to the SFMTA, they turned off the ticket machines (as a precaution), and opened up fare-gates. The SFMTA service was not disrupted, though riders rode for free as the IT team assessed the situation. Once the scope and nature of the event was determined, the SFMTA began restoring the affected devices. The SFMTA did not pay the ransom of $73,000 in bitcoins which was demanded, they had a plan and they executed the plan. (Source: Update on SFMTA Ransomware Attack | SFMTA )

Prepare for ransomware

Put in place a regimented regime with respect to your data and infrastructure. Both the FBI and IBM links provided are full of useful tips on putting one’s house in order. As the Cisco video above details, ransomware is a criminal enterprise and you and your business must be prepared.

In addition, every entity (and individual) should be familiar with “No More Ransom” which is a public-private resource which was initially created by Interpol, Kaspersky and Intel Security, and now includes a number of national Cyber Emergency Response Teams, multiple information security companies and has blossomed into a multi-lingual global resource. There mission is to disarm the cyber criminals. They provide, free, software to remove ransomware from devices, servers, etc.

NEED HELP unlocking your digital life without paying your attackers? #nomoreransom Click To Tweet

Here are the recommendations from No More Ransom:

  1. Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
  2. Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.
  3. Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
  4. Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
  5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
  6. If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.


Additional Reading:

IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”

*Ransomware: Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site. (Source FBI)

Disclosure:  Christopher Burgess is a paid content contributor to IBM’s Security Intelligence Blog

Prevendra - MSU data breach

MSU data breach: Database with 400,000 records accessed

Michigan State University (MSU) has confirmed that on Nov. 13 an unauthorized party gained access to an MSU server containing certain sensitive data which included the personal identifying information of 400,000 individuals. The MSU data breach, characterized by the MSU President Lou Anna K. Simon as a,”criminal act in which unauthorized users gained access to our computer and data systems”.

Simon continued, “Only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access. However, as a precaution, we will provide credit monitoring and ID theft services for any member of our community who may have been impacted by this criminal act.”

MSU data breach

According to MSU, the database which was accessed contained the 400,000 records, each containing PII of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, or were students between 1991 and 2016.. 

  • Names
  • Social Security Numbers
  • MSU identification numbers
  • Birth Dates

MSU noted, that the compromised records did not contain: passwords, financial, academic, contact, gift or health information. Apparently the information technology (IT) and information security (INFOSEC) teams had in place the ability to determine which records were opened during the period of “unauthorized access” and confirmed 449 of the 400,000 were confirmed to be accessed by the unauthorized party. 

Furthermore, unlike many instances where a data breach causes paralysis within the entity, the MSU data breach shows us the presence of an INFOSEC team, having a plan, and executing on that plan.

Education as a target

The education sector is and always will be a lucrative target from both unscrupulous entities, as well as nation states. The information desired ranges from the PII as targeted and captured in this instance for current or future use to make an approach to an individual to the advanced transformative research being conducted at the college or university.  The need to lock down the infrastructure across academia remains challenging.  According to the 2016 Voremetric Data Threat Report, the number one shortcoming to implementation of cybersecurity infrastructure within the educational sector is the lack of skilled IT/INFOSEC staff.

In 2015, NBC News produced a short piece on the a targeting the online infrastructure of the educational sector. The salient data points within the video remain as true today (2016) as they did when the piece was pulled together.

Prevendra - blu phone's phone home

Chinese Cyber Espionage: What’s leaving your smartphone?

This week we saw, possible evidence of, yet another form of the Chinese cyber espionage. Smartphones calling “home” to China with user data. This is every government’s worst counterintelligence and cyber security nightmare. We are warned, repeatedly about the threat of Chinese cyber espionage, especially those in the national security arena. For those in the private sector, having the data from a smartphone being surreptitiously sent to servers in China, should make every company’s information security team skin crawl, as they watch their intellectual property fly out the window.

What’s a backdoor?

A backdoor is a means by which user information is provided without the user’s knowledge via device, software or other technical capabilities to a third party.

Smartphones forwarding user information to China?

Users of Android smartphones from BLU Products may be surprised to learn that security firm Kryptowire uncovered a backdoor in the firmware installed on their phones by their “firmware over the air” service provider. A quick online check shows their phones available via Google, Best Buy, and other retailers.  A deeper review shows that the company which handled the firmware updating, Shanghai ADUPS Technology Co., Ltd, has both ZTE and Huawei smartphones in their client list. Furthermore, ADUPS claims their service counts over 700 million active users.

Chinese Cyber Espionage: Are the backdoors in smartphones sending your data to China? Click To Tweet

What was compromised?

In this instance, per Kryptowire, the firmware provided the following to identified servers located in Shanghai, China.

  • Actively transmitted user and device information
  • The full-body of text messages,
  • Contact lists,
  • Call history with full telephone numbers,
  • Unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).
  • The firmware could target specific users and text messages matching remotely defined keywords.
  • The firmware also collected and transmitted information about the use of applications installed on the monitored device
  • Firmware bypassed the Android permission model,
  • Executed remote commands with escalated (system) privileges, and
  • Remotely reprogram the devices

The real kicker is, because the backdoor is located within the firmware, the activity bypasses the anti-virus security protocols of the device as it is considered safe, white-listed. User’s didn’t stand a chance, their only defense, to upgrade the firmware to a “clean version” or junk the phone.

What does Adups Technologies have to say about their firmware?

Adups Technology has issued a statement, explaining, without explicitly using the words, “China cyber espionage,” that this version of firmware was designed for use in the local, China only market, and was mistakenly placed on smart devices in other markets. The statement continues that the data collected was deleted and the firmware updated on all devices to have this feature removed. In other words, a private company, providing services to their client company made a mistake.

Something to keep in mind should you be traveling to China or Hong Kong and wish to use a burner phone for your local telephone calls, this capability is likely to exist on any device you may purchase in China and therefore, your device may be easily compromised in a difficult to detect manner.

China Cyber Espionage: Thinking of using a phone purchased in China? Click To Tweet

What should you do?

You have two options.

Carry-on:  If you are using a BLU phone, and take Adups Tehcnology at their word, make sure your firmware has indeed been updated. The Adups Technology link above, provides an email address for contacting the company, who no doubt can identify which firmware version does not send your data to China.

Junk the device:  If you are using a BLU phone, and don’t believe Adups Technology, short of taking your devices to a lab for confirmation (not something many would have the ability to do) there is little you as an individual user can do to confirm the backdoor in their provided firmware isn’t still there.  Therefore, you may wish to junk the BLU phone or the phone from any other manufacturer which uses the Adups Technology services to update the smart devices.

Additional reading:

Chinese company installed secret backdoor on hundreds of thousands of phones (ARS Technica, 15 November 2016)

Firmware Secretly Sent Text, Call Data On Android Users To China (Dark Reading, 15 November 2016)

Prevendra - Reliability

Reliability disrupted when your data isn’t stolen, it’s changed

[text_output]Competitors and nation states have long known that to disrupt your competition is often times all that is necessary in order to garner a competitive advantage. It is for this reason that all information security (infosec) practitioners have long understood the importance of the three status indicators of the network infrastructure and data/services within: Reliability, Availability and Serviceability (RAS).

We see “availability” being challenged on a regular basis, with the plethora of distributed denial of service (DDOS) attacks being conducted against companies, services and individuals. The adversary peppers the targeted entity with massive amounts of queries (see How Will the Internet of Things Be Leveraged to Ruin Your Company’s Day? Understanding IoT Security) which causes the servers to overload and effectively blocking legitimate queries.

Then we have “serviceability,” if part of the infrastructure fails, does the architecture include hot backup for automatic a failover, or is your company off the air. Many of us overlook the fact that manufacturers include an important data point on mechanical devices, MTBF (mean time between failures). MTBF should be a consideration in all infrastructructure, as equipment does fail, and not on a predictable schedule. This happened to me, when I found my hard drive had failed, Where’s Your data and Can You Actually Get To It?

And finally, we see “reliability”, the trust factor. If I can’t trust the data coming from this engagement, how can I trust this relationship?  In late 2015, Greensboro, NC television station, WFMY, ran a piece New Hacker Plan: Don’t Steal Data, Change It, which I recently re-reviewed. The content of the piece is absolutely on-point and accurate. The influx of ransomware is absolutely changing the landscape. In the healthcare arena, if you have had your servers compromised, it will be hard pressed to plead that patient data has not been compromised.  Indeed, in a recent piece, Healthcare Ransomware Increasing, Education Sector Top Target aptly points out the risk.

It goes one step further.  There will be those, who, as discussed in the WFMY piece, who simply want to get in and then out of your infrastructure in an undetected manner, so that while inside your protected and secured environment they can adjust and change your data. In doing so, they disrupt you, they create mistrust within and possibly with external facing customers. Indeed, there have been instances where the intruder went on to launch denial of service attacks from inside the network on the internal network.

In sum.  Security includes the addressing and mitigating all threats, not just those threats which result in your data being stolen. As noted supra, there are so many other ways to effectively disrupt the operational cadence of a company.


Below is the video of the WFMY piece.[/text_output][x_video_embed id=”” class=”” style=””][/x_video_embed]

Prevendra - Data backup

Where’s Your data and Can You Actually Get To It?

You arrive at work or home. You unload your laptop or go to your desktop and power up the system by pressing the “ON/OFF” button. Lights flicker; nothing happens. If you’re like me your mind races; you sigh and think, “I don’t need this today.” You repeat. You inspect. You scratch your head. This was my situation a few weeks ago. I had been away on a business trip, came home and powered up my desktop. The lights flickered, glowed and then nothing happened. I was stymied. I repeated the sequence; still nothing. I grabbed a screwdriver and dug into the system. It didn’t take me long for my inspection to reveal that the motherboard was toast (literally).

My initial reaction was one of relief that it wasn’t the hard drive, and I glowed knowing that I followed my own advice and had a multi-drive data backup regime. But then I quickly realized that while I had thought through the protection of data, I couldn’t get to it. I was offline. This was a scenario I had neglected to anticipate: the death of the primary client having nothing to do with accessing the data. I needed a new computer and a means to access the data from the now-deceased laptop. I removed the hard drive and secured it, along with the multiple external drive, data-backup devices. I took the remnants of the computer to the local technology recycle center. I began researching the type of computer I was going to purchase, and what my options were to access the data housed on the multiple devices in my possession.

Along with the new computer, I purchased an external-drive chassis that was compatible with the hard drive I had rescued from the defunct desktop. This allowed me to place the drive into the chassis and have the new computer recognized it as an external drive through a USB connection. I was able to transfer the data to the new computer as well as keep it on the old drive. The entire process took me three days to complete – three full days that I didn’t have access to data, email, and my life online.

My lesson learned: I need to establish a methodology to access my data in the event the primary routes have been corrupted or are unavailable. In my case, I acquired a used laptop with basic capabilities to serve as a backup device to access my data in the event my primary device fails. I was fortunate. My event happened on a Friday and by Monday I was back in business. Can you or your business afford to be without your data for three days?

I strongly advocate the back-up of data both at home and at the office, as you just never know when that media holding your data will receive a coffee-bath, run afoul with a magnet or simply go missing. I also recommend having a back-up device to access your data in the event your primary device fails. This will help you from having to ask yourself, “Why can’t I get to my data?”


Huffington PostThe above was originally published in Huffington Post in March 2010, authored by Christopher Burgess


Prevendra - Insider Theft

Insider Threat Becomes Insider Theft: What’s your plan.

In a prime example of insider threat, becomes insider theft, we saw the FBI arrest and the Department of Justice file a criminal complaint against Ralph Mandil, an employee of an unidentified distributor of “As Seen on TV” products (we believe to be Corvex Cookware). Mandil faces two federal charges: Theft of Trade Secrets and Wire Fraud.

Prevendra - Ralph Mandil - LinkedIn photo

Ralph Mandil – LinkedIn photo

A Ralph Mandil’s, LinkedIn Profile identifies him as the President of Corvex Cookware since May 2011.  Corvex’s “As Seen on TV” cookware fits the description found in the criminal complaint. Mandil’s LinkedIn bio can be viewed (here).

The crime

Mandil contacted an individual in early August 2016(soon after to become the confidential source (CS) of the FBI) and offered to sell the confidential trade secrets of his employer.  At the direction (and under the supervision) of law enforcement, the CS corresponded with Mandil. Mandil offered to the CS the log-in credentials of his employer’s DropBox account in which the CS would find the confidential market information on future products. This materials included:  sales sheets, product sheets, videos, inventory lists, account lists, etc. Mandil requested that in exchange for providing the CS with covert access to the employer’s DropBox  account he wished to be paid $197,500.

For complete details on how CS introduced Mandil to the FBI undercover special agent and the mechanics of the exchange of money and stolen information, please refer to the criminal complaint, which can be downloaded below).

#insiderthreat becomes insider theft - what's your plan? Click To Tweet

NOTE: The criminal complaint explains that Mandil’s employer’s Dropbox account was accessible by a limited number of employees, who use userid and password authentication to access the DropBox account. It is unclear if the employer enabled two-factor authentication which is offered by DropBox, though it is possible that such was the case, and Mandril was prepared to offer the CS ten offline backup codes which he had purloined and preserved.

According to Mandil’s employer, the proprietary information Mandil was offering to sell to CS had a value of between $30-125 million in revenue to the employer and his competitors (the market opportunity)

Insider Threat

Insider threat programs are a necessary evil for every company. The large the entity, the more robust the need. At a minimum, we recommend all companies take a moment and ensure that they know the state of their data. What’s that?  If you can’t answer yes to all of the following questions, you don’t know the state of your data, and should put it on your to-do list. You will be in a far better position to address unauthorized access and you will also be able to explain, with precision to your customers how their data is protected within your infrastructure.

  1. Can you trace the flow of your data from its arrival to storage?
  2. Do you know when your data is encrypted and when it is not?
  3. If your data is encrypted, how is the key protected?
  4. Do you know, precisely, who has access to your data?
  5. Are you logging each access to your data, with IP addresses, device, OS, etc.
  6. What are the various means to access your data?
  7. What credentials are required to access your data?  Are the credentials shared?
  8. When employees depart, can you confirm their access to your data has been curtailed?
  9. Do you have a process to train your employees on protecting trade secrets and intellectual property?

Additional Reading

Prevendra - US v. Ralph Mandil - Insider Threat becomes Insider Theft

US v. Ralph Mandil (Click to download)

Department of Justice’s Press Release: New Jersey Man Charged With Stealing Employer’s ‘As Seen On TV’ Trade Secrets And Attempting To Sell Them To Competition | USAO-NJ | Department of Justice

Department of Justice’s Criminal Complaint  US v. Ralph Mandil (October 12, 2016)




NOTE:  This post updates on 19 October to include information identifying Ralph Mandil, his LinkedIn profile, photo and employer.