Security

New Phishing Scam Using Microsoft Office 365

*** Attention Required ***

It seems that the bad guys are at it once again with an attempt to collect information by phishing credentials from those of us using Office 365 for corporate emails.  The characteristics of this particular attack the hackers intention is to deceive Office 365 users into providing their login credentials”.

The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:

  • Send emails to other users in the victim’s address book, asking them for anything, sending fake invoices, sending more phishing emails, etc.
  • Access the user’s OneDrive account, to download files, install more malware, infect files with malware, etc.
  • Access the users SharePoint account, to download files, install more malware, etc.
  • Steal company intellectual property or other customer information such as customer SSNs, credit card numbers, email addresses, etc.

One of the characteristic of this recent attack is an email being sent with an embedded image which resembles an Microsoft Office Word document containing a link back to a site with a fake Office 365 logon page.  In addition to this the site URL ends in php?userid= syntax.

I have provided the following YouTube video to illustrate the interaction of the fake Office 365 logon page.

Link: https://youtu.be/wHxkzxGF4JY

 

Advice:

It’s an important part of your responsibility to be cautious when accessing emails even from known senders to ensure its legitimate by reviewing the email to ensure that its legitimate.

If in doubt do not open the email and reach out to the sender to ensure they sent you the email.  If you self-determine an email to be suspicious immediately report incidents as soon as they happen.

 

Here are a few guidelines below that could be followed.  Please review:

 

Check the sender.

Sometimes, cybercriminals and hackers will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be suspicious.

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be suspicious.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be suspicious.

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like http://bit.ly, http://goog.le, and http://tinyurl.com. If an email links to a suspicious website, something may be suspicious.

Don’t let them scare you.

Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be suspicious.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be suspicious.

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be suspicious.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings.

 

 

The Ten Immutable Laws Of Security: Version 2

You can’t patch these, but you can take steps to be more aware of these law’s.

 

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as its decryption key.

Law #8: An out-of-date anti-malware scanner is only marginally better than no scanner at all.

Law #9: Absolute anonymity isn’t practically achievable, online or offline.

Law #10: Technology is not a panacea.

 

Ref: https://technet.microsoft.com/en-us/library/hh278941.aspx?f=255&MSPPError=-2147217396

PowerCLI: HowTo Remove Floppy Drive From {All} Powered Off VM`s

The following simple script will iterate though your vCenter environment and remove the floppy disk from VMware guest machines that are in a powered off state.

Script text: I used Windows PowerShell ISE

Set-ExecutionPolicy RemoteSigned #may require running as administrator
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server ‘your.server.here’

$off = Get-VM | where {$_.powerstate -eq “PoweredOff”}
$floppy = Get-FloppyDrive -VM $off
Remove-FloppyDrive -Floppy $floppy -Confirm:$false

Purpose:

The purpose of removing the floppy is to remove potential attack channels to the guest VM itself. It has also been noted that removing such devices will save kernel resources.

Ref: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-600D24C8-0F77-4D96-B273-A30F256B29D4.html

 

HP Launches Web Series about Security Starring Christian Slater

Excellent video and start to a security web series about security starring actor Christian Slater. Purposed to elevate security awareness around the risks that businesses and consumers face daily. “The Wolf, highlighting how corporate networks can be hacked and what companies must do to protect themselves.”

If you’re not taking your printer security seriously, someone else might be. From director Lance Acord comes The Wolf starring Christian Slater.
To learn more about how to protect your business visit http://www.hp.com/go/ReinventSecurity

Fix for Checkpoint VPN tunneling Option being grayed out on Check Point Endpoint Security Client

I noticed that my Windows VPN client on my computer was forcing all traffic through the gateway of my VPN endpoint. Something that in most cases would be find however this limited my ability to access local network resources in addition to browsing the internet via my local internet provider (Split Tunneling).

What I soon noticed was that I could not remove the setting that encrypted all traffic, routing it to the gateway

To make these changes to the client the following needs to be done.

Step 1: Modify configuration allowing for trac.config to be edited as its obscured for security purpose.

  1. Exit the Check Point Endpoint Security Client
  2. Stop the “Check Point Endpoint Security” service
  3. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.defaults

Change the top line from:

OBSCURE_FILE INT 1 GLOBAL 0

to

OBSCURE_FILE INT 0 GLOBAL 0

Step 2:

  1. Start the “Check Point Endpoint Security” service
  2. Start the Check Point Endpoint Security client
  3. Verify that the c:\program files (x86)\checkpoint\endpoint connect\trac.config file is de-obscured.
  4. Shutdown the Check Point Endpoint Security Client
  5. Stop the “Check Point Endpoint Security” service
  6. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.config

Search and edit the following line:

From: <PARAM neo_route_all_traffic_through_gateway=”false”></PARAM>

To: <PARAM neo_route_all_traffic_through_gateway=”true”></PARAM>

Step 3:

  1. Delete c:\program files (x86)\checkpoint\endpoint connect\trac.config.bak
  2. Start the “Check Point Endpoint Security” service
  3. Start the Check Point Endpoint Security Client

Notes: Pros and Cons of Split VPN you should know about

Pros

If you are going to split tunnel, then you are going to reduce the overall bandwidth impact on your Internet circuit. Only the traffic that needs to come over the VPN will, so anything a user is doing that is not “work related” will not consume bandwidth. In addition, anything external to your network that is also latency sensitive will not suffer from the additional latency introduced by tunneling everything over the VPN to the corporate network. Users will get the best experience in terms of network performance, and the company will consume the least bandwidth.

Cons

If security is supposed to monitor all network traffic, and protect users from malware and other Internet threats by filtering traffic, users who are split tunneling will not get this protection and security will be unable to monitor traffic for threats or inappropriate activity. Traffic to websites that use HTTPS will still be protected, but other traffic will be vulnerable.

Ref: https://www.cpug.org/forums/archive/index.php/t-14545.html