JohnCruzIT

Simple Setup Checklist for Microsoft Teams


Microsoft Teams is a lot of things. It’s a video conferencing tool, a team messaging channel, and a tool for in-app co-authoring, just to name a few. During the pandemic, the popularity of Teams skyrocketed.

User numbers for MS Teams jumped from 20 million in November 2019 to 75 million in April 2020. As of early 2022, Microsoft reports 270 million monthly active users for the platform. This makes it the most popular business tool for team communications.

But one of the things that makes the app popular is also one that can make the setup complex. Microsoft Teams has many moving parts, but to use them effectively they need to be well organized. Additionally, users need to have a chance to learn the system and train on best practices.

What can Microsoft Teams do?
First, let’s look at the different areas of Microsoft Teams and what it can do. Then, we’ll give you a simple setup checklist to help your team get up and running productively.

You can think of Teams as a virtual office in the cloud. It’s a centralized hub where teams can communicate, collaborate, and manage tasks. There is also an external communication component to Teams. You can use the app to video conference with anyone. You can also invite guests to a chat channel.

Here are some of the features of MS Teams:

  • Siloed chat channels
  • Security for team communications
  • Integration with Office apps
  • Integration with 3rd party apps
  • File sharing
  • Video and audio conferencing
  • VoIP phone system (with an extra add-on)
  • Keep all team resources in a single place
Microsoft Teams versions

Some good news for small businesses is that there is a free version of Microsoft Teams. If you sign up for a Microsoft 365 business plan, you get the app included, but with a few more features.

Microsoft has also been pushing MS Teams for personal use. So you can use it to keep your departments better coordinated at work, or to manage family video calls or PTA meeting collaboration. It’s a versatile and scalable virtual office platform.

Easy Checklist for Setting Up Microsoft Teams

1. Set Up Your Teams/Departments
One of the advantages of Teams is that it allows you to set up specific areas for your groups to collaborate. You do not want everyone to set these teams up on their own, or you could end up with an unorganized mess.

Some ideas for setting these up:

  • Set up teams by department (accounting, marketing, etc.)
  • Add a company-wide team (where everyone can collaborate)
  • Set up teams by role (office managers, executives, etc.)

Typically, if you mirror the hierarchy of your organisation, that’s a good place to start. A private team is secured so that only the users invited can see or access any of the content in that team. Note that this only holds for teams created as private: a public team is discoverable and joinable by anyone in your organisation, so decide the privacy setting deliberately when you create each team rather than accepting the default.

2. Add Team members
For each team, add the members allowed to take part in that team. These are the people who can see the resources posted in that team area, and they would normally be the members of the department or group the team is designed for. Make at least two people owners of each team, so that membership can still be managed if one owner leaves or is unavailable.

3. Set up Team Channels
The next level beneath a team is its channels. Channels organize conversations within the team. For example, within a team set up for your marketing department, you may decide to add three channels. This keeps conversations more focused and makes it easier to find things.

For instance, you could have channels for:

  • Website Management
  • Social Media
  • Offline Advertising

Team channels are another area that you want to control. Don’t let everyone set up channels without a plan, otherwise, things get messy fast.

4. Set up Team tabs
Tabs are a great way to foster productivity. Say that employees on your accounting team need to access a tax reporting website. Inevitably, there can be time wasted asking for that link or a login. This is especially true if someone is filling in for a co-worker.

You can add that website link and related information to the Tabs area at the top of the team channels. Just click the plus sign to add a new resource and consolidate things for your team members. Add the link, not the login details: shared credentials belong in a password manager with access restricted to the people who need them, not in a tab that every team member can read.

5. Schedule MS Teams training
One of the reasons that company initiatives fail is that users weren’t properly enabled. If users aren’t trained on using MS Teams, then they’ll revert to using whatever they used before. This negates the benefits of moving to Teams when not everyone is onboard.

Work with a Microsoft professional to train your teams. We can provide tips on the most productive features and shorten the learning curve quite a bit. Make sure to set a realistic timeframe, and survey users on whether they feel they need more training.

Need some help implementing teams in your organisation?

We can help you over many of the roadblocks that organisations face when starting with Teams. If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Small businesses are attacked by Hackers 3x more than larger ones


Have you felt more secure from cyberattacks because you have a smaller business? Maybe you thought that you couldn’t possibly have anything that a hacker could want? Or that they didn’t even know your small business existed?

Well, a new report by cyber security firm Barracuda Networks debunks this myth. Their report analyzed millions of emails across thousands of organisations. It found that small companies have a lot to worry about when it comes to their IT security.

Barracuda Networks found something alarming. Employees at small companies saw 350% more social engineering attacks than those at larger ones. The report defines a small company as one with fewer than 100 employees. This puts small businesses at a higher risk of falling victim to a cyberattack. We’ll explore why below.

Why are smaller companies targeted more?

There are many reasons why hackers see small businesses as low-hanging fruit, and why they are becoming bigger targets for criminals out to score a quick illicit buck.

Small companies tend to spend less on cyber security
When you’re running a small business, it’s often a juggling act of where to prioritize your cash. You may know cyber security is important, but it may not be at the top of your list. So, at the end of the month, cash runs out, and it’s moved to the “next month” wish list of expenditures.

Small business leaders often don’t spend as much as they should on their IT security. They may buy an antivirus program and think that’s enough to cover them. But with the expansion of technology to the cloud, that’s just one small layer. You need several more for adequate security.

Hackers know all this and see small businesses as an easier target. They can do much less work to get a payout than they would trying to hack into an enterprise corporation.

Every business has “Hack-Worthy” resources
Every business, even a 1-person shop, has data that’s worth scoring for a hacker. Credit card numbers, SSNs, tax ID numbers, and email addresses are all valuable. Cyber criminals can sell these on the Dark Web. From there, other criminals use them for identity theft.

Here are some of the data that hackers will go after:

  • Customer Records
  • Employee records
  • Bank account information
  • Emails and passwords
  • Payment card details

Small businesses can provide entry into larger ones
If a hacker can breach the network of a small business, they can often make a larger score. Many smaller companies provide services to larger companies. This can include digital marketing, website management, accounting, and more.

Vendors are often digitally connected to certain client systems. This type of relationship can enable a multi-company breach. While hackers don’t need that connection to hack you, it is a nice bonus. They can get two companies for the work of one.

Small business owners are often unprepared for ransomware
Ransomware has been one of the fastest-growing cyberattacks of the last decade. So far in 2022, over 71% of surveyed organisations experienced ransomware attacks.

The percentage of victims that pay the ransom to attackers has also been increasing. Now, an average of 63% of companies pay the attacker money in hopes of getting a key to decrypt the ransomware.

Even if a hacker can’t get as much ransom from a small business as from a larger organisation, it is still worth their while. They can often breach more small companies than large ones in the same amount of time.

When companies pay the ransom, it feeds the beast and more cyber criminals join in. And those newer to ransomware attacks will often go after smaller, easier-to-breach companies.

Employees at smaller companies usually aren’t trained in cyber security
Another thing that is not usually high on a small business owner’s list of priorities is ongoing employee cyber security training. They may be doing all they can just to keep good staff, and the focus is usually on sales and operations.

Training employees on how to spot phishing and password best practices often isn’t done. This leaves networks vulnerable to one of the biggest dangers, human error.

In most cyberattacks, the hacker needs help from a user. It’s like the vampire needing the unsuspecting victim to invite them inside. Phishing emails are the device used to get that unsuspecting cooperation.

Phishing causes over 80% of data breaches.

A phishing email sitting in an inbox can’t usually do anything. It needs the user to either open a file attachment or click a link that will take them to a malicious site. This then launches the attack.

Teaching employees how to spot these ploys can significantly increase your cyber security. Security awareness training is as important as having a strong firewall or antivirus.

Need affordable IT security services for your small business?

Reach out today to schedule a technology consultation. We offer affordable options for small companies. This includes many ways to keep you protected from cyber threats.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Top 3 Microsoft Teams updates


Microsoft Teams users have grown by 70% in recent months to 75 million active users worldwide. Microsoft is constantly adding new features to enhance the app and make meetings more collaborative. We will cover our top 3 recent updates.

Making Calls via Teams

Making calls to ordinary phone numbers is a feature often missing from video conferencing apps, so Teams has introduced this very handy update.

Phone calling via Teams is a phone system built into the Microsoft Teams app. Calls can be routed either over Direct Routing (your own SIP trunk and telephony provider) or over a Microsoft Calling Plan. The feature allows you to port your business phone numbers into Teams and make and receive calls from the app.

The Teams phone feature offers call queues, call history, hunt groups, voicemail, video calls, and meetings. You can enjoy a professional call experience while working remotely or at the office.

You can call and answer calls from anywhere in Teams and switch between devices.

Did you know you can route your calls through Microsoft’s own network? With a Teams Calling Plan, businesses can make and receive domestic and international calls without running their own telephony infrastructure.

Teams Polls

Microsoft Teams is now better connected with Microsoft Forms. The “Forms” app within Teams is being replaced with a new app named “Polls”.

It is now much easier for people to find and add polls to their chats and meetings. You can find the “Polls” app when searching in the Teams app store (via the sidebar or top nav bar in the meeting).

There are also UI improvements to the poll suggestions pane:

  • The list of suggested polls has moved from the bottom to the side pane
  • A poll results view has been added (previously only the voting view was shown), which lets the poll creator preview how the poll will look to the meeting audience once it is launched
  • Your recently created polls are listed so you can re-use past polls in a new meeting, saving you time
  • A new animation appears after an attendee submits a response, confirming that the vote has been captured
  • There is an option to rate the poll and provide feedback
  • The poll results view has been redesigned and is now much easier to read

LinkedIn Integration

LinkedIn profiles are now integrated with Teams, so you can connect directly and build deeper relationships with your network. From Teams chat, channels, calls, or meetings, you can view a colleague’s LinkedIn profile, including their current role, past experience, and other insights.

If you need any help setting up your Microsoft Teams and managing IT services don’t hesitate to contact us at JohnCruzIT.

Image credit Microsoft tech connections

Interpol busts 2000 suspects in phone scamming takedown


Sick of the unending stream of email and phone calls you receive from scammers claiming to represent your bank? Amazon? Microsoft? The tax office? The police?

We sympathise – we’re sick of them too, especially landline calls that could be a loved one calling for help or advice, and thus need to be answered…

…but that rarely, if ever, turn out to have a familiar voice at the other end.

Perhaps you’re one of the 40,000,000 or so viewers of famous science-and-engineering YouTuber Mark Rober’s video entitled Pranks Destroy Scam Callers – GlitterBomb Payback?

Rober makes some alarming but entirely believable claims of just how much money [a] a top call-centre scammer can make if they hit their on-target earnings and [b] just how much a typical call centre of this sort turns over each day.

If you haven’t seen it, the video starts with the words, “I have 100 cockroaches here, and I placed them in this James Bond-style contraption,” so you can probably imagine how things end.

Despite the not-very-threatening outcome when Rober later releases the insects inside a scam call centre where he has access to footage from the CCTV feed, the video gives a good visual indication of just how industriously and unrelentingly these scammers operate. (When not driven from their work pods by roaches, that is.)

Fake refund scams

The scammers in Rober’s video seem to go in mainly for what are known as “fake refund” tricks, which go something like this:

  • Scammers “refund” you an impressive but believable amount, say $2000, for an “over-billing” for a product or service you actually use.
  • They then “help” you login to your bank account to ensure that the transaction went through.
  • They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
  • They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
  • Then they burst into tears, or turn on the emotional blackmail, claiming they (or you!) will be liable for the massive difference, so please, oh! please! won’t you help?

Their goal is to lure, browbeat, wheedle, threaten, cajole, beg and convince you to refund the “extra” money out of your own account.

After all, you can see the giant refund is there… except that it isn’t, because the item on the page is fake, with the HTML modified in memory to show a huge deposit and a vastly increased balance.

You’re scammed into thinking that they’ve made a mistake that will definitely get them in trouble, and could get you into trouble, too.

The crooks therefore hope to persuade you to help them “cover up” their mistake by withdrawing the “excess” from your own account and paying the non-existent “difference” back to them via some other channel.

While you might be sure that no criminal would ever catch you out with an apparently obvious trick like this, you’ll probably admit that, like most things, this sort of scam is only truly obvious the second time you see it or hear about it.

Travelling by bus is easy. Billions of people do it all over the world every week. But if you’ve ever taken a bus in a new town or city, you’ll know the uncertainty you face the first time you make a journey. Do you get off at this stop? Perhaps the next one is a bit closer? But what if the bus swoops into a tunnel and your next stop is hundreds of metres past your destination? How can you tell? And the simple answer is that you either need to ask someone else and trust their answer, or do an experiment and find out for yourself. Your next journey, if there is one, will be easy and certain. It’s during your first outing that you don’t know quite what to look for, and therefore when you are most likely to make a mistake.

Other common scams

Other common phone scams include:

  • Emailing you a “receipt” for a fake transaction, such as a $79 Amazon charge you never made, but offering a “helpful” telephone support number you can call to dispute the “payment”.
  • Claiming to be from the tax office to discuss the “late payment” of the tax “penalty” in your latest “assessment”.
  • Pretending to be a police officer and reading out a list of “criminal charges” that could lead to your imminent arrest unless “fines” are swiftly paid.
  • Pressurising you into putting money in “high return” investment schemes, often backed by legitimate-looking but utterly bogus websites or mobile phone apps that simulate a healthy return.

Regular Naked Security readers know that these calls are just a pack of lies, so that although they’re a disruption and an annoyance, they’re not a direct danger.

But does your {child, grandparent, favourite aunt, cousin, not-so-technical friend} know they’re made-up garbage?

Perhaps not, if you look at Interpol’s latest report about cracking down on social engineering fraud.

Interpol’s definition of social engineering fraud is very much like our own, namely that it refers to “scams [that] manipulate or trick people into giving out confidential or personal information which can then be used for criminal financial gain.”

In a recent two-month global operation, dubbed First Light 2022, Interpol says that:

76 countries [took] part in an international clampdown on the organised crime groups behind telecommunications and social engineering scams. Police in participating countries raided national call centres suspected of telecommunications or scamming fraud, particularly telephone deception, romance scams, e-mail deception, and connected financial crime.

Although results are still coming in, Interpol claims that the operation has so far resulted in:

  • About 1770 locations raided worldwide.
  • About 3000 suspects identified.
  • About 2000 arrests of operators, fraudsters and money launderers.
  • About 4000 bank accounts frozen.
  • About $50,000,000 of illicit funds intercepted.

As Interpol notes, one of the scam back-stories used by these criminals is pretending to be from Interpol itself.

In some cases we’ve written up before, this sort of scam is sometimes used as a follow-up in order to rip off scared victims for a second time, by pretending to offer an “official” legal lifeline to recover some of the money they lost in the first part of the scam.

Of course, the reason that the “investigators” are so familiar with the details of how the scammers operated and how much the victim lost is not the result of good police work, but simply that the fake “police” are part of the same group that conducted the original scam.

What to do?

As Mark Rober’s video (see above) makes clear, busting 2000 suspected scammers and grabbing hold of $50m in ill-gotten gains is only a start.

Sadly, there are plenty more crooks where those 2000 came from, so:

  • Never be in a hurry to hand over personal information. Remember these two simple jingles: Stop. Think. Connect. And: If in doubt, don’t give it out!
  • Make sure your friends and family know where to look for genuine advice on how to spot scams. Don’t let them “learn” about scams by wandering into the hands (or onto the websites) of the scammers themselves.
  • If your friends or family warn you that you might be getting scammed, hear them out. Don’t let the scammers divide you from your loved ones as well as your money.

When it comes to personal data, whether that’s your username, password, home address, phone number, or anything else that you like to keep to yourself, remember this simple rule: If in doubt, don’t give it out.

Phishing goes KISS: Don’t let plain and simple messages catch you out!


We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.

In cybersecurity, KISS cuts two ways.

KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.

For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.

Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)…

…all these lead us instantly and unerringly to the [Delete] button.

If you don’t know our name, don’t know our bank, don’t know which languages we speak, don’t know our operating system, don’t know how to spell “respond immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to get us to click.

That’s not so much because you’d stand out as a scammer, but simply that your email would advertise itself as “clearly does not belong here”, or as “obviously sent to the wrong person”, and we’d ignore it even if you were a legitimate business. (After that, we’d probably blocklist all your emails anyway, given your attitude to accuracy, but that’s an issue for another day.)

Indeed, as we’ve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.

KISS, plain and simple

Sometimes, however, we receive phishing tricks that we grudgingly have to admit are better than average.

Although we’d hope you’d spot them easily, they might nevertheless have a good chance of attracting your attention because they’re believable enough, like this one from earlier today:

At 10:49 am [2] new emails were returned to the sender.

Click below to get a failed message.

https://sophos.com/message/failed_report/?tips@sophos.com

Thank you for using sophos.com

sophos.com Domain Manager

OK, so the English grammar and usage isn’t quite right, and our IT team would know who they are, so they wouldn’t sign off as [ company.name Domain Manager ] …

…but if we were a smaller company, and we’d outsourced our IT and email services, this sort of message might not so obviously be out of place.

Also, these crooks have used the simple and effective trick of creating a clickable link in which the text of the link itself looks like a URL, as though it were your email software that had automatically converted a plain-text URL into a clickable item.

Of course, the email isn’t plain text; it’s HTML, so that the offending link is actually encoded like this…

<a href="somewheredodgy">https://sophos.com/nothereatall</a>

…in the same way as, but much more convincingly than, an email link such as…

Click <a href="somewheredodgy">here</a> to see the message.
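The check a mail filter (or a suspicious reader with “view source”) performs on such a message is the one described above: compare the host the link text appears to point at with the host the href actually goes to. The following Python script is an added example, not code from the original article; it uses only the standard library, the sample message is constructed for the demo, and the host mail-portal.example stands in for whatever server the crooks really used. It also handles the two cases the text mentions, namely “click here” links, which carry no URL text to compare, and genuine links whose text and href differ only by a subdomain such as www.

```python
"""Flag HTML-mail links whose visible text looks like a URL but whose
href actually points at a different site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that "looks like a URL": optional scheme, a host with a
# dot and an alphabetic TLD, optional path/query.  Captures the host.
URL_TEXT = re.compile(
    r"^\s*(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?\s*$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are currently inside
        self._text = []        # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(host):
    """Crude eTLD+1 (last two labels) so that www.sophos.com and sophos.com
    compare equal.  A production filter would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return one finding per link whose text names a different site
    than its href.  Links with non-URL text ("here") are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        m = URL_TEXT.match(text)
        if not m:
            continue                      # nothing to compare against
        shown_host = m.group(1)
        real_host = urlparse(href).hostname or ""   # "" for relative/bare hrefs
        if registrable_host(shown_host) != registrable_host(real_host):
            findings.append({"shown": text, "href": href,
                             "shown_host": shown_host, "real_host": real_host})
    return findings


# Constructed sample in the shape of the phish above; mail-portal.example is
# a placeholder host, not the server actually used in the scam.
SAMPLE_MAIL = """<p>At 10:49 am [2] new emails were returned to the sender.</p>
<p>Click below to get a failed message.</p>
<p><a href="https://mail-portal.example/cgi-bin/login.php">https://sophos.com/message/failed_report/?tips@sophos.com</a></p>
<p>Click <a href="https://mail-portal.example/cgi-bin/login.php">here</a> to see the message.</p>
<p><a href="https://www.sophos.com/en-us/">https://sophos.com/en-us/</a></p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS: text says {f['shown_host']} but href goes to "
              f"{f['real_host'] or '(no host)'}: {f['href']}")
```

Run against the sample, only the first link is reported: its text claims sophos.com while the href goes to mail-portal.example. The “here” link is not flagged (it makes no claim to verify), and the last link is accepted because www.sophos.com and sophos.com share a registrable domain. The same host comparison is what a password manager does for you when it declines to fill your sophos.com credentials on a site it has never seen.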

The link doesn’t take you to a real site, of course; it’s diverted to a server that was either set up for this specific scam, or hacked by the crooks to act as a temporary portal for collecting their data:

Fortunately, at this point the scam adheres to the KISS principle a bit too fiercely, relying on a web form that’s so stripped down as to be unusual, but it still doesn’t contain any obvious blunders other than the unexpected server name in the address bar.

Amusingly, because the hosting company that the criminals have used is based in Japan, turning JavaScript off results in an error message that we’re guessing the crooks didn’t care about (or perhaps were unable to change), giving you a JavaScript warning in Japanese:

Ironically, the web form works just fine without JavaScript, so if you were to fill in the form and click [Login], the crooks would harvest your username and password anyway.

As we often see, the scam page neatly avoids having to simulate a believable login by simply presenting you with an error message, until you either give up, contact your IT team, or both:

What to do?

  • Don’t click “helpful” links in emails or other messages. Learn in advance how to find error messages and other mail delivery information in your webmail service via the webmail interface itself, so you can simply login as usual and then access the needed pages directly. Do the same for the social networks and content delivery sites you use. If you already know the right URL to use, you never need to rely on any links in emails, whether those emails are real or fake.
  • Think before you click. The email above isn’t glaringly false, so you might be inclined to click the link, especially if you’re in a hurry (though see point 1 about learning how to avoid click-throughs in the first place). But if you do click through by mistake, take a few seconds to stop and double-check the site details in the address bar, which would make it clear you were in the wrong place.
  • Use a password manager if you can. Password managers prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before.
  • Report suspicious emails to your own IT team. Even if you’re a small business, make sure all your staff know where to submit suspicious email samples (e.g. cybersec911@example.com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.

When it comes to personal data, whether that’s your username, password, home address, phone number, or anything else that you like to keep to yourself, remember this simple rule: If in doubt, don’t give it out.

Ransomware with a difference: “Derestrict your software, or else!”


Just over a year ago, graphics card behemoth Nvidia announced an unexpected software “feature”: anti-cryptomining code baked into the drivers for its latest graphics processing units (GPUs).

Simply put, if the driver software thinks you’re using the GPU to perform Ethereum mining calculations, it cuts the execution speed of your code in half.

This restriction isn’t meant to protect you from yourself, for example to limit hardware damage if you try to drive the GPU too hard and cause it to overheat dangerously.

This is all about managing supply and demand.

Unfortunately for keen gamers, who love powerful GPUs because they improve their gaming experience with faster and more realistic graphics, cryptocurrency mining syndicates love good GPUs even more.

That’s because GPUs greatly accelerate the mining of Ethereum-based cryptocurrencies, with calculation speeds (or hashrates, as they are known in the jargon) anywhere from five to ten times higher than a normal CPU from the same amount of electricity.

Even more unfortunately for gamers, who might buy one or two GPUs each at a time, mining syndicates use their purchasing power to buy up GPUs in bulk.

This, in turn, encourages scalpers to buy in bulk too, aiming to sell their “second hand” cards well above new retail prices when official supplies run out.

Nvidia decided to appease its many avid gaming fans – surely the company’s most loyal long-term GPU customers, given that they actually want graphics cards for doing graphics – by splitting its processor card line in two.

Mining XOR Gaming

As Nvidia said last year:

To address the specific needs of Ethereum mining, we’re announcing the NVIDIA CMP [Cryptocurrency Mining Processor] product line for professional mining. CMP products, which don’t do graphics, are […] optimized for the best mining performance and efficiency. They don’t meet the specifications required of a GeForce GPU and thus don’t impact the availability of GeForce GPUs to gamers.


The idea is that GeForce GPUs run at full speed if used for graphics, but if used for Ethereum mining are deliberately hobbled by Nvidia’s Lite Hash Rate system, or LHR for short.

Public opinion at the time of the announcement was sharply divided, as a quick look at the many comments on last year’s article will reveal.

Naked Security readers reacted in many ways.

A gamer called Trillian said, “Good on Nvidia!”

Others claimed this LHR behaviour was unfair because they used their GPU cards for a mix of gaming and mining (intermingled, intriguingly, with comments from readers who claimed those claims were made up).

And a commenter called J Riley Castine was even more critical, wanting to know, “How is such a move […] not a violation of anti-trust laws?”

Exit light, enter night

Well, it looks as though this year-old community divide over LHR has spilled over into outright cybercrime.

Popular technology website Tom’s Hardware, amongst numerous other commentators, is reporting that cybercrime gang Lapsus$ claims to have hacked Nvidia and stolen a terabyte’s worth of data…

…only to issue what amounts to an unusual ransomware demand: Remove the Lite Hash Rate limiter, or else!

According to an IM screenshot posted by Tom’s Hardware, the alleged hackers wrote:

Hello,

We decided to help mining and gaming community, we want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder.

If they remove the lhr we will forget about hw folder (it’s a big folder) We both know lhr impact mining and gaming.

Thanks.


The hw folder (hw is short for “hardware”) alluded to above is the claimed 1TB of allegedly stolen data, apparently including card schematics, driver and firmware code, internal documentation, and more.

Ironically, in the same message thread, these hackers also claim to be selling their own “LHR unlocker” for some Nvidia cards, although the underground market for such a cracking tool would clearly evaporate if Nvidia were to remove the LHR restrictions for everyone.

Perhaps the alleged existence of this darkweb LHR unlocker is supposed to make Nvidia feel even more pressurised, on the grounds that an LHR bypass could be made public anyway, so the company might as well go along with the blackmail demand?

What to do?

It’s hard to know what to believe when messages of this sort start circulating.

Did the hackers actually get in to start with? Did they really manage to steal the information they’re claiming? Was this a conventional ransomware attack, aiming at both stealing and scrambling data for extra leverage? If so, and we therefore assume that the data scrambling part was thwarted, why should we believe any of the boasts in the messages? Do the crooks really have an LHR unlocker of their own to add to the drama?

We may never know the answers to these questions, but we can learn from the allegations anyway, which reiterate the importance of defence-in-depth.

Defence-in-depth not only involves multiple layers of proactive protection aimed at early threat detection and prevention, but ideally also needs ongoing threat assessment and response, in order to figure out what really happened if anomalies are detected.

As the self-styled Nvidia hackers say:

We were into nvidia systems for about a week, we fastly escalated to admin of a lot of systems. We grabbed 1TB of data.

Whether that’s true or not in this case, it does describe the nature of many modern cyberattacks, which aren’t simply automated “smash, grab and run” sallies any more.

Modern cyberintrusions typically involve human-led network exploration, privilege escalation, and data exfiltration, often over an extended period.

Intruders with administrator powers often introduce backdoors along the way, or add extra network accounts for themselves, thus giving themselves a quiet and easy way back in next time…

…if you don’t take the trouble to seek-and-destroy the boobytraps they left behind this time.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Wormhole cryptotrading company turns over $340,000,000 to criminals

To misquote (and, indeed, to mispunctuate) Charles Dickens: it was the best of blockchains; it was the worst of blockchains.

This week, cryptocurrency company Wormhole lived up to its name by exposing an exploitable vulnerability that apparently allowed cybercriminals to run off with an eye-watering 120,000 Ether tokens.

Assuming a conversion rate of ETH1 = US$2800, that comes out close to $340,000,000.

You’ll find mention of this cyberheist on Wormhole’s Twitter feed (@wormholecrypto), under an apparently un-ironic heading that describes the company’s business as:

“Interoperability protocol powering the seamless transfer of value and information across 7 high value chains with just one integration”

“Seamless transfer” indeed!

Let’s rewrite history

As pointed out by Elliptic, a company that offers blockchain analytics to assist with compliance, the Wormhole team tried the same trick that was used by cryptocoin company Poly Networks when it was defrauded of more than $600,000,000 in August 2021.

The company apparently asked the crooks nicely, in a comment embedded in a zero-value Ether transaction aimed at the criminals, to give the money back:



Printing out the input data above in ASCII text instead of as hexadecimal codes reveals an apparent offer to redefine the criminals as bona fide researchers and pay out a $10,000,000 bug bounty…

…if the crooks were to reveal the exploit they used:
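The “print the input data as ASCII instead of hex” step described above, as an added Python example that is not part of the original article and is not Wormhole’s or Elliptic’s code. It builds a constructed transaction record (placeholder hash and addresses, and a note of our own in the input field, all labelled as constructed), and shows how a responder would tell a plain-text message apart from ordinary contract calldata before rendering it, so that binary payloads are not mistaken for text:

```python
import json

# Constructed sample of what an Ethereum node returns for eth_getTransactionByHash.
# The hash and addresses are placeholders, not the real Wormhole transaction; the
# "value" of 0x0 marks a zero-value transaction, and "input" carries a note of our own.
SAMPLE_TX_JSON = json.dumps({
    "hash": "0x" + "11" * 32,
    "from": "0x" + "aa" * 20,
    "to": "0x" + "bb" * 20,
    "value": "0x0",
    "input": "0x" + "This is a constructed note, not the real message.".encode("utf-8").hex(),
})


def encode_note(text):
    """Hex-encode a UTF-8 message the way it would sit in a transaction's input field."""
    return "0x" + text.encode("utf-8").hex()


def classify_input(hex_input):
    """Return ("empty", ""), ("text", decoded_message) or ("calldata", selector_hex).

    Input bytes that decode as printable UTF-8 are treated as a human message; anything
    else is treated as ABI calldata and summarised by its 4-byte function selector."""
    raw = bytes.fromhex(hex_input[2:] if hex_input.startswith("0x") else hex_input)
    if not raw:
        return ("empty", "")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is not None and all(c.isprintable() or c in "\r\n\t" for c in text):
        return ("text", text)
    return ("calldata", raw[:4].hex())


def describe_tx(tx_json):
    """Parse a node's JSON for one transaction and report value and input kind."""
    tx = json.loads(tx_json)
    kind, payload = classify_input(tx["input"])
    return {"value_wei": int(tx["value"], 16), "kind": kind, "payload": payload}


if __name__ == "__main__":
    print(describe_tx(SAMPLE_TX_JSON))
    # A constructed ERC-20 transfer-style input: selector followed by zero-padded args.
    print(classify_input("0xa9059cbb" + "00" * 64))
```

The printable-character test is what keeps a responder from dumping raw ABI bytes into a report as if they were a message; the selector summary is what you would then look up against a signature database.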



We’re sure that anyone who thinks that ransomware payments should be illegalised – and there’s a vocal minority who think they should – will be aghast at this sort of retrospective offer to “give the money back and we’ll write the whole thing up (and off) as legitimate security research”.

Nevertheless, you can understand why a company in Wormhole’s desperate position might make the offer, even if it’s hard to imagine at first thought why crooks who had already – and apparently anonymously – made off with $340,000,000 would waive their anonymity in exchange for a fraction of the amount.

In the Poly Networks hack, the ruse seemed to work: the alleged hacker or hackers did ultimately return most of the stolen funds, with Poly Networks referring to them as “Mr White Hat”, telling them they could keep $500,000, and offering them a role as a security advisor to the business.

Thanks, but no thanks

This time, the cybercriminals don’t seem to have come to the party. Instead, vaguely mysterious blockchain startup Jump Crypto seems to have, hmmm, jumped in with money of its own to backfill the third-of-a-billion-sized, ahhh, wormhole opened up by Wormhole’s exploitable cryptocurrency code.

So, according to Wormhole, “All funds have been restored and Wormhole is back up,” and, “The team is working on a detailed incident report and will share it asap.”

Not a word about the disaster, however, on Wormhole’s blog or website, which still leads unashamedly with the words THE BEST OF BLOCKCHAINS in giant text…

…albeit with an unintentionally hyper-accurate strapline underneath in tiny characters: “Move information and value anywhere.”

What to do?

As the saying goes, you couldn’t make this stuff up. So, as we did after the Poly Networks hack, where customers’ funds similarly vanished and later reappeared as if by magic, we’ll leave you with some general cryptotrading advice, rather than anything specific to this incident:
  • If you’re thinking of getting into the cryptocurrency scene, never invest more than you can afford to lose. And when we say “lose”, we mean “lose everything”, not merely “fail to make any profit”. There are more than 10,000 different cryptocoins currently in existence, many of which were kicked off by cash injections from early investors. Not all cryptocoins can or will follow the Bitcoin pattern of going from a few cents in value in 2010 to just under $40,000 each in February 2022. Even worse, some are unreconstructed scams in which the “creators” of the cryptocoinage collect startup funds from early investors in what’s known as an ICO (initial coin offering), only to run off without ever establishing a new cryptocurrency or trading site at all.
  • If you plan to buy and hold cryptocurrency, keep as much of it as you can offline in what’s known as a cold wallet. A cold wallet is an encrypted file that you keep where you won’t lose track of it, and where other people can’t use it unless they know your password. Be careful of trusting too much of your investment to hot wallet situations, where you need to trust other people totally, just so you can trade faster and more aggressively.

We started by misquoting Mr Charles Dickens, so we’ll end by reminding you that the quotation goes on to say, “It was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity.” Remember that trust is quick to evaporate precisely because it is supposed to take time to gain in the first place.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Emotet malware: “The report of my death was an exaggeration”

You’ve probably seen the breathless media headlines everywhere: “Emotet’s back!”

One cybersecurity article we saw – and we knew what it was about right away – didn’t even give a name, announcing simply, “Guess who’s back?”

As you almost certainly know, and may sadly have experienced first hand, Emotet is a blanket term that typically refers both to a family of “command-and-control” malware and the gang who are its commanders-and-controllers.

The idea is simple: instead of building a single-purpose malware program for each attack, and unleashing it on its own, why not spearhead the attack with a general purpose malware agent that calls home to report its arrival, and awaits further instructions?

In popular terminology, that sort of malware is often referred to as a zombie or bot, short for software robot, and a collection of bots with the same command-and-control servers (known as C&C or C2 servers in the jargon), under the same botmasters, is known as a botnet.

Emotet, however, was not just a bot – to many sysadmins and threat responders, it was the bot, run by a notoriously resilient and determined criminal gang who operated their botnet as a disturbingly effective content delivery network for cybercrime.

An attack chain of attack chains

A common Emotet attack chain typically ran in multiple stages, something like this:

  1. Emotet first, to form a beachhead inside your network;
  2. Followed by Trickbot or some other network-snooping malware to learn, plunder, hack, tweak, reconfigure and manipulate your computer estate until the crooks behind the stealing and surveillance had learned as much as they felt they needed to know (or made as much money as they thought they could, or both);
  3. Followed by a final, apocalyptic, flaming-skulls-on-your-wallpaper-type blast of ransomware and an associated, possibly breathtakingly expensive, blackmail demand.

Back in February 2021:

The [Emotet crew] typically use the zombies under their control as a sort of content delivery network for other cybercriminals, offering what amounts to a pay-to-play service for malware distribution.

The Emotet gang does the tricky work of building booby-trapped documents or web links, picking enticing email themes based on hot topics of the day, and tricking victims into infecting themselves…

…and then sells on access to infected computers to other cybercriminals so that those crooks don’t have to do any of the initial legwork themselves.

That quote, notably, comes from an article entitled Emotet takedown – Europol attacks “world’s most dangerous malware”.

All quiet on the Emotet front

Since then, the Emotet ecosystem, if we may use that word to describe it, has been essentially off the radar, silent, and invisible.

But as we mentioned in February 2021, the same gang went quiet in February 2020, only to reappear suddenly in July of that year.

And, according to current reports, something similar has happened again, with researchers around the world noting a return of “Emotet-like” activity, and announcing, as Mark Twain famously did after reading in the newspapers that he had passed away, that the report of its death was an exaggeration.

What to do?

We’ve always been happy to report on malware takedowns, cybercrime busts and other disruptions that have removed or reduced cybercriminality, but we’ve also always advised against relaxing too much when that sort of report appears.

Here’s our advice, whether this Emotet “revival” is the same criminals who’ve returned from takedown to active duty or new recruits; whether it’s the old malware code or a re-written variant; whether the new botnet has the same goals or yet more aggressive ones:

    • Old malware rarely actually dies. Sometimes, as happened with floppy disk boot sector viruses, malware families get killed off by technological changes. But the truth is that once a technique is out there, and is known to work, even modestly well, someone new is likely to copy it, re-use it, or revive it. So we live with the sum of the threats of the past as well as all the genuinely new tools, techniques and procedures that come along.
    • Don’t focus on individual malware families or malware types when planning your protection. Emotet may be well-known, and rightly feared, but its method of operation (MO) is widely copied in many, perhaps most, malware attacks these days, and this MO has been in use since malware first became a money-making game. In some senses, an initial infection by malware like Emotet is the end of one attack chain, because it doesn’t itself contain specific malware tools such as password stealers, keyloggers, cryptominers or ransomware scramblers. But it is also very much the start of a whole new attack chain, ready to receive and deploy “updates” or “plugins” – new malware samples that may vary over time, by region, by victim’s computer type, or simply at the whim of the criminals in command-and-control.
    • Consider managed threat response (MTR). If you don’t have the time or expertise to keep track of criminality on or against your network on your own, an MTR service can help you ensure that you chase back any attacks that you do detect to their root cause. Sometimes, this might be a weak password or an unpatched server, but often it’s down to “beachhead” malware like Emotet. If you find and remove only the end of the attack chain, but leave the entry point in place, then the command-and-control crooks behind that beachhead malware will simply sell you out to the next cybergang that’s willing to pay the asking price.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Cybersecurity Awareness

It’s Cybersecurity Awareness Month, and this week’s theme is an alliterative reminder: Fight the Phish!

Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.

Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)

Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…

…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.

And if phishing is a “solved game”, surely it’s not worth worrying about anymore?

How hard can it be?

Simply put, the phishing “game” only has two moves: the scammers always play first, trying to trick you, and you always get to play second, after they’ve sent out their fake message.

There’s little or no time limit for your move; you can ask for as much help as you like; you’ve probably got years of experience playing this game already; the crooks often make really silly mistakes that are easy to spot…

…and if you aren’t sure, you can simply ignore the message that the crooks just sent, which means you win anyway!

How hard can it be to beat the criminals every time?

Of course, as with many things in life, the moment you take it for granted that you will win every time is often the very same moment that you stop being careful, and that’s when accidents happen.

Don’t forget that phishing scammers get to try over and over again.

They can use email attachments one day, dodgy web links the next, rogue SMSes the day after that, and if none of those work, they can send you fraudulent messages on social networks.

The crooks can try threatening you with closing your account, warning you of an invoice you need to pay, flattering you with false praise, offering you a new job, or announcing that you’ve won a fake prize.

They may pretend to be your ISP today, they may masquerade as Apple iTunes tomorrow, and yesterday they might have said they were a courier company trying to deliver your latest online order.

In contrast, you only have to make one mistake for the crooks to win.

You might be tired, or in a hurry, or simply get caught up in an unlucky coincidence where the subject of a phishing message happens to match up with something you just did online.

Phishing isn’t a “solved game” after all, and phishing scams are still the main way that crooks get their first toe over the threshold in online cyber incidents such as ransomware attacks.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.

Passwords: How to hack into 5500 accounts… just using “credential stuffing”

We all ought to know by now that passwords that are easy to guess will get guessed.

We recently reminded ourselves of that by guessing, by hand, 17 of the top 20 passwords in the Have I Been Pwned (HIBP) Pwned Passwords database in under two minutes.

We tried the 10 all-digit sequences 1, 12, 123 and so on up to 1234567890, and eight of them were in the top 20.

Then we tried other obvious digit combos such as 000000, 111111 and 123123 (we started with six digits because that’s Apple’s current minimum length, and because we noted that 123456 came out well ahead of 12345 and 1234).

The others were equally easy: qwerty, password, abc123, password1, iloveyou and qwertyuiop, the last being a useful reminder that length alone counts for very little.

Rank  Password     SHA-1 hash                                Appearances
  1   123456       7C4A8D09CA3762AF61E59520943DC26494F8941B  24,230,577
  2   123456789    F7C3BC1D808E04732ADF679965CCC34CA7AE3441   8,012,567
  3   qwerty       B1B3773A05C0ED0176787A4F1574FF0075F7521E   3,993,346
  4   password     5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8   3,861,493
  5   111111       3D4F2BF07DC1BE38B20CD6E46949A1071F9D0E3D   3,184,337
  6   12345678     7C222FB2927D828AF22F592134E8932480637C0D   3,026,692
  7   abc123       6367C48DD193D56EA7B0BAAD25B19455E529F5EE   2,897,638
  8   1234567      20EABE5D64B0E216796E834F52D61FD0B70332FC   2,562,301
  9   12345        8CB2237D0679CA88DB6464EAC60DA96345513964   2,493,390
 10   password1    E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D   2,427,158
 11   1234567890   01B307ACBA4F54F55AAFC33BB06BBBF6CA803E9A   2,293,209
 12   123123       601F1889667EFAEBB33B8C12572835DA3F027F78   2,279,322
 13   000000       C984AED014AEC7623A54F0591DA07A85FD4B762D   1,992,207
 14   iloveyou     EE8D8728F435FD550F83852AABAB5234CE1DA528   1,655,692
 15   1234         7110EDA4D09E062AA5E4A390B0A572AC0D2C0220   1,371,079
 16   – – – – –    B80A9AED8AF17118E51D4D0C2D7872AE26E2109E   1,205,102
 17   qwertyuiop   B0399D2029F64D445BD131FFAA399A42D2F8E7DC   1,117,379
 18   123          40BD001563085FC35165329EA1FF5C5ECBDBBEEF   1,078,184

Strong enough for everything?

The problem is that some of us still seem to think that once we have memorised a truly long-and-strong password, we’ve basically solved the password problem.

Simply put, there’s still a school of thought that goes like this:

  • The password is a bad idea. It’s always bad, so you shouldn’t use it anywhere.
  • The password is safe enough, as long as you only ever use it on one site.
  • But it’s SUCH A GOOD PASSWORD that you might as well use it everywhere, because no one will ever figure it out.

Until they do figure it out, of course.

As we explained earlier this week, cyber crooks often obtain passwords without needing to guess them or crack them algorithmically, for example:

  • If a sloppy internet service stores your password in plaintext and then gets breached, the crooks acquire your actual password directly, regardless of how complex it is.
  • Keylogging malware on your computer can capture your passwords as you type, thus obtaining them “at source”, no matter how long or weird they might be.
  • Memory-scraping malware on hacked servers can sniff out raw passwords while they are being checked, even if the password itself never gets saved to disk.

Enter credential stuffing

Password re-use is why cybercriminals use a trick called credential stuffing to try to turn a hack that worked on one account into a hack that will work on another.

After all, if they know that one of your accounts was protected by yjCMth15SU,atTWT?, it costs almost nothing in time or effort to see if any of your other accounts use the same password, or one that’s obviously related to it, giving the crooks a two-for-the-price-of-one attack.

(By “obviously related” we mean that if the crooks acquire a password list that shows your Facebook password was yjCMth15SU-FB, they’ll probably try yjCMth15SU-TW for Twitter and yjCMth15SU-GM for Gmail, because that sort of pattern is rather obvious.)

And, according to the US Department of Justice (DOJ), that’s how an alleged cybercriminal called Charles Onus, who was arrested earlier this year in San Francisco, is said to have made off with a tidy $800,000 in just a few months.

The suspect, claims the DOJ, simply tried the already-known passwords of thousands of users against their accounts on an online payroll service in New York.

We’re assuming it was possible to guess which potential victims were users of the payroll service simply by looking at their email addresses.

If the address matched (or perhaps the person’s social media profile gave away) the name of an employer that used the service…

…then it was a good bet that they’d have a payroll account with the same email address, and therefore also a worthwhile criminal experiment to see if they had the same password.

Onus, says the allegation, was able to log in unlawfully to at least 5500 different accounts using this simple system – so simple that it doesn’t even really count as “hacking”.

He was then apparently able to change the bank account details of some users so that their next wage payment went into a debit card account that he himself controlled, and to skim off a whopping $800,000 between July 2017 and the start of 2018 or thereabouts.
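The pattern the DOJ describes, one actor trying already-known passwords across thousands of accounts, shows up in login telemetry as a single source address touching many distinct accounts, each only once or twice, inside a short window. Below is an added Python example, not from the article and not any particular product’s logic, that runs that heuristic over constructed audit lines; the log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit lines: '<ISO time> <source IP> <account> <outcome>'.
    One source sprays 30 different accounts in a minute (a stuffing run);
    another retries a single account (an ordinary user who mistyped)."""
    base = datetime(2017, 8, 1, 9, 0, 0)
    lines = []
    for i in range(30):
        t = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        outcome = "SUCCESS" if i % 3 == 0 else "FAIL"   # reused passwords that still worked
        lines.append(f"{t} 203.0.113.7 user{i:02d}@example.com {outcome}")
    for i in range(3):
        t = (base + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        outcome = "SUCCESS" if i == 2 else "FAIL"
        lines.append(f"{t} 198.51.100.5 alice@example.com {outcome}")
    return lines


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "SUCCESS"


def detect_stuffing(lines, window=timedelta(minutes=10), min_accounts=20, max_tries_per_account=2):
    """Flag source IPs that touch at least min_accounts distinct accounts within one
    window, with no account tried more than max_tries_per_account times. Normal
    users hammer one account; a stuffing run sprays a breached list across many.
    Returns {ip: {"accounts": n, "compromised": [accounts where login succeeded]}}."""
    events = defaultdict(list)
    for line in lines:
        ts, ip, account, ok = parse_line(line)
        events[ip].append((ts, account, ok))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            tries = defaultdict(int)
            successes = set()
            for _, account, ok in evs[start:end + 1]:
                tries[account] += 1
                if ok:
                    successes.add(account)
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries_per_account:
                prev = alerts.get(ip)
                if prev is None or len(tries) > prev["accounts"]:
                    alerts[ip] = {"accounts": len(tries), "compromised": sorted(successes)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts tried, {len(info['compromised'])} logins succeeded")
```

The successful logins in the alert are the accounts to force a password reset and review for changed payout details; the attacker’s one-try-per-account behaviour is exactly what per-account lockout thresholds miss, which is why the count of distinct accounts per source is the signal here.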

What to do?

  • Don’t re-use passwords. And don’t try to invent a technique for modifying each password slightly from an original template to make them seem different, because the crooks are on the lookout for that.
  • Consider a password manager. Password managers generate random and unrelated passwords for each account, so there are no similarities a crook could figure out, even if one of the passwords gets compromised. Remember that you don’t have to put all your passwords into the manager app if you don’t want to: it’s OK to have a special way of dealing with your most important accounts, especially if you don’t use them often.
  • Turn on 2FA if you can. Two-factor authentication doesn’t guarantee to keep the crooks out, but it stops attacks like this one from being carried out so easily and on such a broad scale, because the passwords alone would not have been enough.
  • Report payment anomalies. Obviously, you need to look for outgoing payments that shouldn’t have happened, and for incoming payments that never arrived. But also look out for outgoing payments that somehow failed when they should have gone through, or for incoming funds you didn’t expect, no matter how small the amount. The sooner you report any errors, even if you didn’t lose any money, the sooner you help both yourself and everyone else.

If you need any help with your IT security or suspect your system is compromised, don’t hesitate to contact us at JohnCruzIT.