
Information Coalition Community Blog

Information Coalition: Resources For Your Enterprise Information Success.

Malware attacking your computer

If you enter the address in your browser, it may redirect you to a strange page. You will see something that looks like a Facebook page. It features a YouTube video and may display an extra URL; the address varies from case to case.

Do not click the video. Clicking it launches the installation of malware that can affect your Facebook account and your overall computer settings.

If you still proceed with the above dialogue, the page will invite you to download some freeware. It may call it VideoCovertor; the name does not correspond to the item actually on offer. If you have gone that far, do not download anything: the download contains a virus. Leave the tricky page and restart your browser, then run a free scan, preferably with the solution offered here.

Startgo123 is a browser hijacker. It tampers with a range of browser settings. On the surface, you will experience redirects to annoying ads; your new tab page, default search engine and similar preferences will change as dictated by the malicious invader.

IT security has notified the Internet community of this risk but tends to ignore the viral background of the adware. Unlike most advertising apps, Startgo123 does not just generate web traffic. The Facebook example above indicates that the rogue may drop a critical piece of malware. Removing the Startgo123 hijacker is thus a matter of overall system security.

The infection harnesses a range of routines to get into target computers. The most common infection vector is a bundled download scheme, in which the victims download something attractive from the web. For instance, you may want to download a video converter. There are hundreds of options, most of them free. There is no such thing as a free lunch: as you grab warez, freeware or similar unverified free content, beware of the concealed items attached to it. That is to say, a free video converter installation includes the adware without adequate notification of the user concerned.

The bundling infiltration prevails but does not exclude other options. In general, poor security practices and failure to update software enable alternative infection scenarios.

Adware like the one described above is nasty but not as dangerous as the Crypt0L0cker virus. That is a file-encrypting ransomware that locks all your data and demands a ransom payment to decrypt it. It uses very strong encryption, and the files cannot be decrypted without the private decryption key, which only the attackers hold. To stay safe, make regular backups of your files and system.


Cyber Crime: Investigating Bitcoin Transactions

First of all, this article assumes the reader has a basic understanding of the innovative technology called blockchain (Editor's Note: if you do not, check out this article from O'Reilly, "Understanding the Blockchain"). You just need to realize that the blockchain is a sequence of data records maintained as a distributed database. It is a peer-to-peer system: nobody has exclusive permission to add or remove records, yet anybody can contribute, and every entry must satisfy strict rules. It is a public, open-access list of data blocks that is nonetheless closed to revision and tampering.

The technology is capable of accommodating a number of inventions. Bitcoin is only the first breakthrough. One can compare it to the beginning of the world wide web era, when none of today's search providers, social networks, accommodation and travel websites had yet developed a globally recognized business. Would anyone have expected Google to become a global corporation with a budget exceeding that of many of the world's countries?

The blockchain today is taking its first steps, like the web 30 years ago. Public opinion tends to associate it with Bitcoin and sees the latter as a nursery for black hat hackers' transactions. True, before the chain's legitimate potential can be unleashed, its criminal uses need to be suppressed. Given the current state of cyber technology, law enforcement and businesses enjoy a unique opportunity to explore the blockchain. It is a fast, safe and stable financial tool.

Meanwhile, the cryptocurrency poses a range of challenges to public security, for example when dealing with ransomware. To start with, a Bitcoin wallet does not necessarily refer to a particular person. Any kind of virtual money is hard to trace back to a specific person or company. International law enforcement agencies follow quite different regulations in tracking virtual currencies.

Again, these are issues inherent in any online transaction. On the other hand, the blockchain features a number of exclusive benefits in terms of public disclosure, stability and traceability.

The first one is really stunning for a newbie. It may dramatically change public opinion regarding the subject matter.

Rumor has it that Bitcoin ensures complete anonymity of the parties. That is not quite true. Anybody using Bitcoin must have a unique address. If it is possible to link that address to a specific person, you can track down all the transactions in which that person has taken part using that address.
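The kind of address-centred tracing the paragraph describes, as an added example that is not part of the original article: a constructed toy ledger carrying the public fields of a Bitcoin transaction, a lookup of every transaction an address took part in, and a bounded breadth-first walk that follows spent funds to later counterparties. The ledger, the address names and the function names are assumptions made for illustration; a real investigation would pull the same fields from a node's RPC interface or a block explorer export.

```python
"""Tracing which transactions an address took part in, over a constructed
toy ledger (not real Bitcoin data). Field names mirror what a node's RPC
or a block explorer would return for a transaction."""
from collections import deque

# Constructed sample ledger: txid, spending addresses, (recipient, amount) outputs.
LEDGER = [
    {"txid": "tx1", "inputs": ["addrA"], "outputs": [("addrB", 1.0), ("addrA", 0.5)]},
    {"txid": "tx2", "inputs": ["addrB"], "outputs": [("addrC", 0.7), ("addrB", 0.3)]},
    {"txid": "tx3", "inputs": ["addrC"], "outputs": [("addrD", 0.7)]},
    {"txid": "tx4", "inputs": ["addrX"], "outputs": [("addrY", 2.0)]},
]


def transactions_for(ledger, address):
    """Every txid in which `address` appears as a spender or a recipient."""
    return [tx["txid"] for tx in ledger
            if address in tx["inputs"] or any(a == address for a, _ in tx["outputs"])]


def trace_forward(ledger, start, max_hops=3):
    """Follow funds spent from `start` through successive outputs (breadth
    first), returning {address: hop distance}. An address already seen
    (e.g. change paid back to the spender) is not re-queued, so the walk
    only advances to new counterparties; `max_hops` bounds the search."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        addr = queue.popleft()
        if seen[addr] >= max_hops:
            continue
        for tx in ledger:
            if addr not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr not in seen:
                    seen[out_addr] = seen[addr] + 1
                    queue.append(out_addr)
    return seen


def total_received(ledger, address):
    """Sum of all outputs paid to `address` (the figure an investigator
    would compare against a known ransom demand)."""
    return sum(amt for tx in ledger for a, amt in tx["outputs"] if a == address)


if __name__ == "__main__":
    # Suppose addrA has been linked to a person: list their transactions,
    # then follow where the funds went.
    print(transactions_for(LEDGER, "addrA"))
    print(trace_forward(LEDGER, "addrA"))
    print(total_received(LEDGER, "addrD"))
```

The hop limit matters in practice: on the real chain a forward walk without a bound quickly explodes through exchange hot wallets, so investigators cut the search at a few hops or at addresses already attributed to a known service.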

A Bitcoin user may try all sorts of tricks to cheat the system and remain anonymous. For such cases, a number of counter-measures are available. But the blockchain provides a more sophisticated option for crime investigators. Investigating Bitcoin transactions differs greatly from investigating old-school online transactions.

The exchanged Bitcoin data remains intact as long as the blockchain exists. In other words, the transaction logs are always available and can be used at any time a case filed with a court may reasonably need them. The design of the public ledger implies that its data, once deposited, is retained forever.

By contrast, using traditional bank accounts and switching between providers in different countries, cyber criminals manage to bewilder law enforcement. Investigators often apply enormous effort to find the final intermediary and eventually put their hands on the hacker's keyboard. When they are about to reach the target, it escapes, because the financial institution simply does not retain the records long enough.

Third-party issues. In the case of online bank transactions, there is the concept of the Third Party Doctrine. It basically holds that, once you have exposed your data to your bank or a similar entity, you accept the risk that other parties may reach it. It is this doctrine that the authorities use to obtain logs relating to a suspect's cell phone or account number without going through the complex system of obtaining the relevant permits.

The doctrine still requires law enforcement to get a subpoena. Besides, the courts, governmental, public and research bodies keep debating the viability of the doctrine.

If you need to trace a blockchain transaction, it remains forever and is available to anyone. Search warrants and subpoenas do not apply to the ledger data as such.

Bitcoin knows no borders. Indeed, cybercrimes committed overseas are harder to investigate. With traditional online currencies, one would need to go through a troublesome MLAT (Mutual Legal Assistance Treaty) routine to get the foreign authority to assist in the investigation by disclosing the data available within its jurisdiction. Bitcoin is beyond any governmental system. You can get the data wherever you reside. All you need is an Internet connection.


Meet Zepto, a new ransom Trojan in the Locky family

It has been a month since a tangible decline in the spread of the Locky ransomware occurred. Back then, experts discovered that a supporting botnet had stopped functioning, which explains why the number of infection incidents dropped dramatically. The comeback of both the botnet and the crypto malware in question, therefore, is not accidental. The new iteration reportedly uses the same data encryption technique but differs from its forerunner in several ways.

First off, the ransomware now appends the .zepto extension to files instead of the previous .locky one. Secondly, the names of the files holding the ransom instructions have changed, with the _HELP_instructions.html and _HELP_instructions.bmp combo being dropped on victims' machines. The format of the renamed files themselves has been modified as well. While the preceding variant replaced the names with uninterrupted strings consisting of the victim ID and 16 hexadecimal characters, the new one uses five blocks of symbols separated by hyphens.
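A small detector for the file-name artifacts this paragraph lists, added here as an example rather than code from the post: the _HELP_instructions.html and _HELP_instructions.bmp note names and the .locky and .zepto extensions come from the text, while the exact shapes in the regular expressions (a 32-character hexadecimal stem for .locky, five alphanumeric hyphen-separated blocks for .zepto), the function names and the sample directory listing are my assumptions.

```python
"""Detector for the file-name artifacts left by the Locky/Zepto family.
The note names and the two extensions come from the post; the stem
patterns and the sample listing are assumptions for illustration."""
import re
from collections import Counter

RANSOM_NOTES = {"_HELP_instructions.html", "_HELP_instructions.bmp"}
# Assumed shapes of renamed files (the post gives the structure, not the lengths):
LOCKY_STEM = re.compile(r"^[0-9A-Fa-f]{32}$")                  # victim ID + 16 hex chars
ZEPTO_STEM = re.compile(r"^[0-9A-Za-z]+(?:-[0-9A-Za-z]+){4}$")  # five hyphen-separated blocks

# Constructed directory listing mixing untouched files with encrypted ones.
SAMPLE_LISTING = [
    "budget.xlsx",
    "notes.txt",
    "A1B2C3D4E5F60718-9A0B-1C2D-3E4F-506172839A0B.zepto",
    "F00DBABE12345678-0001-0002-0003-ABCDEFABCDEF.zepto",
    "0123456789ABCDEF0123456789ABCDEF.locky",
    "_HELP_instructions.html",
    "_HELP_instructions.bmp",
]


def classify(filename):
    """Label one file name, or return None when nothing looks wrong."""
    if filename in RANSOM_NOTES:
        return "ransom_note"
    stem, dot, ext = filename.rpartition(".")
    ext = ext.lower() if dot else ""
    if ext == "zepto":
        # The extension alone is a strong signal; the stem check adds confidence.
        return "zepto" if ZEPTO_STEM.match(stem) else "zepto_ext_only"
    if ext == "locky":
        return "locky" if LOCKY_STEM.match(stem) else "locky_ext_only"
    return None


def scan(listing):
    """Count each artifact class across a listing of file names."""
    return Counter(label for label in map(classify, listing) if label)


def verdict(counts, threshold=3):
    """A ransom note, or several renamed files, indicates an encryption run."""
    encrypted = sum(n for label, n in counts.items() if label != "ransom_note")
    return counts.get("ransom_note", 0) > 0 or encrypted >= threshold


if __name__ == "__main__":
    counts = scan(SAMPLE_LISTING)
    print(dict(counts), "-> likely infected" if verdict(counts) else "-> clean")
```

Run over a file-server share or a backup snapshot, the same scan gives a quick answer to the question the next post raises: how far an encryption run reached before it was stopped.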

The distribution of the Zepto version rests upon large volumes of spam. By leveraging the automated botnet, the ransomware operators are able to send thousands of infected messages to potential victims around the globe. These are emails pretending to be tax reports, invoices or CVs. The attached ZIP or Microsoft Office files are programmed to execute Zepto as soon as the user opens them.

The infection directs victims to the Locky Decrypter Page, which contains tips on how to purchase Bitcoins and a Bitcoin address to which the ransom of 0.5 BTC is to be sent. After the payment has been confirmed, the service will allegedly provide a link to download the decryption tool. Just as in the average ransomware scenario, paying up is the last resort. Before doing so, users should try to recover their data using alternative methods based on forensic tools and the built-in Windows backup features.


Amazon Users Hit with Fake Emails Distributing Ransomware

Yet another ransomware campaign targeting Amazon customers was discovered last week, using a fake sender address. Ironically, the attack started just as a new study indicates that the majority of computer users are unaware of ransomware threats and how to handle them.

Security researchers report phishing email messages delivered to customers, supposedly originating from the official Amazon website, with the sender address looking like

Supposedly, you will not find a single word in the body of the message, just the subject line, which reads: "Your order has dispatched." The elements that cause the problems are actually the attachments, which look like MS Word files.

When the files were examined, it was discovered that there was no content inside, just macros. Email recipients are prompted to enable the content inside the attachment, and so the macro code is executed.
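An added example, not the researchers' or the post's code, that triages a message with the traits described above using only Python's standard email library: a blank body, the "dispatched" subject and an Office attachment whose bytes carry the OLE2 container header plus a "VBA" marker. The two sample messages, the placeholder sender and recipient addresses, the finding labels and the crude marker check are constructed for illustration; in production, macro detection is done with a proper OLE parser such as oletools' olevba rather than a byte search.

```python
"""Triage heuristics for the phishing pattern described: blank body,
shipping-themed subject, Office attachment carrying macros.
Constructed example; sender/recipient addresses are placeholders."""
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy Office (OLE2) files
OFFICE_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".dotm"}


def build_sample_message():
    """Constructed lure with the traits from the report (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "auto-shipping@example.invalid"      # placeholder sender
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your order has dispatched."
    msg.set_content("")                                # blank body, as described
    # Fake .doc: OLE2 header followed by a stream name an OLE parser would
    # report; the 'VBA' marker stands in for a real macro storage.
    fake_doc = OLE_MAGIC + b"\x00" * 24 + b"Macros/VBA/ThisDocument" + b"\x00" * 8
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="order_12345.doc")
    return msg.as_bytes()


def build_benign_message():
    """Constructed shipping notice with a real body and no attachment."""
    msg = EmailMessage()
    msg["From"] = "auto-shipping@example.invalid"
    msg["To"] = "customer@example.invalid"
    msg["Subject"] = "Your order has dispatched."
    msg.set_content("Your parcel left the warehouse today. Tracking: 1Z-CONSTRUCTED.")
    return msg.as_bytes()


def triage(raw):
    """Return the list of findings for one RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if not text:
        findings.append("empty_body")

    if "dispatched" in str(msg["Subject"] or "").lower():
        findings.append("shipping_lure_subject")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in OFFICE_EXTS:
            findings.append("office_attachment")
            data = part.get_payload(decode=True) or b""
            if data.startswith(OLE_MAGIC) and b"VBA" in data:
                findings.append("macro_indicator")
    return findings


def should_quarantine(findings):
    """An Office attachment plus an empty body or a macro marker is enough to hold the mail."""
    return "office_attachment" in findings and (
        "empty_body" in findings or "macro_indicator" in findings)


if __name__ == "__main__":
    for raw in (build_sample_message(), build_benign_message()):
        found = triage(raw)
        print(found, "-> quarantine" if should_quarantine(found) else "-> deliver")
```

The benign notice shares the subject line but is delivered, which is the point of combining signals: a shipping-themed subject alone is normal traffic, while a blank body wrapped around a macro-bearing Office file is the shape the report describes.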

In particular, the malicious payload happens to be the Locky ransomware, which targets and locks all types of user documents. The original data files are wiped and replaced by the encrypted documents, which are renamed with the .locky extension added. The new encrypted files are stored in the same folders as the original documents. Needless to say, people are later requested to pay the ransom to get their files back.

A new report from Kaspersky Lab shows that 43% of computer users have no idea what ransomware is, in spite of its present-day widespread distribution. A comparable group of users (44%) stated they did not realize what information or data may be damaged during a ransomware attack.

Furthermore, it is not a strong concern for the tech-savvy population born after 2000. Only 13% of Millennials stated they were concerned about the ransomware plague at all.

Additionally, many respondents do not understand how to act during a ransomware attack. The study found that 16% of North Americans believe that unplugging the PC or turning off the smartphone might put an end to ransomware. And a small number even hope that negotiating with the hacker is a good approach to eliminating the problem.


Locky Ransomware Virus Is on the Rise

Locky does not hesitate to encrypt files on any PC it has managed to compromise. If it lands on a networked computer, the virus tries to reach every drive available in that network. The aim is obvious: the rogue tries to prevent access to as many items as possible. That makes it especially dangerous for corporate networks.

The infection has been propagating in the wild at varying intensity. Quiet periods can last for a long time, but they are always followed by periods of increased activity.

The virus hits users worldwide. Observations reveal that it may abstain from encrypting files on computers registered in certain regions.

As the Locky virus is available as a service, its distributors may adjust the malware's behavior. The developers of this ransomware sell it to their affiliates. The infection is available on a number of darknet forums. Access to those forums is restricted, but basically even kids manage to get there; it is just a matter of some simple tricks and persistence.

The forums offer the infection on pre-paid and affiliate terms. There is also an option to adjust a range of presets determining the malware's behavior. For instance, the virus always detects the IP of the affected machine, and a distributor of the infection may disable its installation for IPs corresponding to certain locations.

Distributors of Locky are also free to set the ransom amount, payment deadline, encryption details, etc.

The ransom virus applies a complex scrambling algorithm. That involves generating a key. The key gets destroyed after having been used to encode data on the affected machine; its only copy is kept on the remote server.

Besides, the key applied to encrypt data may differ from the one required to decrypt it. If that is the case, we are dealing with asymmetric encryption: the encryption key is useless for decrypting the data.

Once Locky completes its encoding campaign, it drops a file with instructions for the victims. The users are prompted to purchase the decryption key with Bitcoins, with the transaction completed via the Tor browser.

There is no guarantee the crooks will provide the victims with the key. Too many intermediaries are involved, none of whom can be trusted. Needless to say, paying the ransom provides further incentive for the scam to develop.

Locky removal is recommended. However, it should follow only after a proper recovery campaign has been completed. The suggestion is to stick to ransom-free methods.


The BA and the Shiny Objects

A few weeks ago I was approached about working with an organization to help them put together a new SharePoint 2013 site to replace the one they currently have (SP2010). The business unit that approached me is responsible for engaging with stakeholders when the company wants to build infrastructure in their operating region; let's call the unit EE (external engagement) for the sake of discussion.

Now, before I get all ranty and critical, you should know that EE wasn't getting much love and attention from IT; this post is not about assigning blame to EE or their Business Analyst, with whom I'll be working pretty closely. The fact is that there are problems in how IT engages with the business that are way beyond the scope of this post. As you read this post, keep in mind that a business case has been prepared and approved by IT (a VP) and EE (a Director and an SVP).

"To enable [EE] to capture the benefits of SharePoint in our department, we need to revisit our existing 2010 [EE] Team site." That quote is the first sentence of the main body of the approved business case for the project. The case goes on, in excruciating detail, to describe in non-quantifiable terms how implementing various features and functions available in SharePoint 2013 will benefit the department. What the case doesn't contain is any sort of goal or objective from the business indicating why the project is necessary and what the measurable business outcomes ought to be. Nor does the case contain any criteria upon which project success will be based.

If I were to summarize the business case as it's currently written, it would be something like "There's a bunch of cool SP2013 stuff that isn't being used and we think we can use it to make our site look pretty and show people what we're doing and we've started a Proof of Concept (PoC) that we're going to finish soon to show you just how pretty those SP2013 things will look on our site and we're going to do whatever we want whether it's standard or not even if it's stuff that other projects and departments are really responsible for. Okay?"

In addition to containing a shopping list of SP2013 features to be deployed, the business case also makes assumptions about the way in which many of the features will be deployed. Now, having some insight into the organization, I can tell you unequivocally that many of those assumptions are incorrect because they don't comply with standards and guidelines that the organization has adopted. To be fair, had IT paid more attention, these deviations would have been caught and much time and money would have been saved.

I, and others, have advocated for trying to get the most out of the technology organizations have on hand. However, that doesn't mean that organizations should invent requirements that provide no discernable business benefits simply to make use of some feature that's currently sitting on a shelf. What it means is that, once real business needs and benefits have been identified, organizations should look at the tools they have on hand before going out to acquire something else. Of course, this should all be bound by an organization's standards and guidelines.

Fortunately, the business case has been approved only to get the business requirements done. The organization uses a pure waterfall, gated SDLC so I'm going to use that to our advantage and try to get things back on the right track. I'm also going to try and get the PoC descoped or killed altogether. Things aren't so far down the path that they can't be corrected, but it will take a fair bit of cajoling and coaching of the BA. We'll also have to get IT more engaged but I have a pretty decent PM to help with that bit.

Things to take away from this story:

  1. Only deploy technology based on identified and accepted business needs;
  2. Have measurable outcomes defined so you can actually determine whether or not you're succeeding;
  3. Business and IT are partners and must work together;
  4. If your BA isn't that strong, make sure they are properly coached and supported;
  5. Don't sign off on a business case that doesn't contain business objectives, business drivers, or success criteria;
  6. If you're not going to comply with corporate standards and guidelines, cool, but have solid justification for not complying[1];
  7. If the first sentence in your business case is something like "To enable [EE] to capture the benefits of SharePoint in our department, we need to revisit our existing 2010 [EE] Team site.", you don't actually have one;
  8. Shiny Object Disease is both preventable and curable.

[1] Many years ago I had a contract gig with a major airline. My sole responsibility was to evaluate non-standard IT requests to determine whether or not the provided justification was sufficient enough to warrant approving the request. I.e.: Standards and guidelines can occasionally be broken if there is valid justification.
