The Technology blog and podcast

This is for the technology blog and podcast Commentary, articles, and podcasts

Search results for "schools"

NCSAM: Schools are no longer safe, now PII on students are out on the surface and dark Web

I was looking at Twitter and found an article about Las Vegas schools now being targeted with ransomware. The problem with this particular attack, however, is that while the school system didn’t pay the ransom demand, the data is reported to be on the surface and dark web. The surface web is the web we browse every day. The dark web is the web that is accessed through the Tor browser, which we talked about a little in our last post.

How do we hold these schools accountable?

Let us find a way to hold the school systems responsible in the first place. While patching and keeping data safe is key, the fact is that this database of student information, including names, dates of birth, grades, and school attended, was publicly available in a database that was not protected by a password. Today, you just can’t do that. None of my customer information is available to the public internet, and it never has been. This is where the school failed.

It’s OK to make that kind of mistake if you are made aware of it and close it. But then you get hit with ransomware, usually delivered by spam email, and the entire network is owned.

What about the criminals?

Cybercriminals behind Clop, DoppelPaymer and Sodinokibi are really doing their jobs here, and this can’t be good.

Other articles that might be of interest in this series

In that 2019 article I link again to the 2017 Valley College articles, as that affected me when I was at Valley College taking some non-credit courses at the time. What about this 2020 article from July called This is interesting, a study of k-12 and college breaches by the numbers, where school systems were surveyed? What can we do?

Let’s get to work

First, if it is at all possible, let’s get articles like these out to the administrators of these schools. If they can see what is going on in the landscape, they might wonder what they can do. Then we can ask them what they plan to do about their own student data, whether it is elementary, middle, high school or college students’ personally identifying information. This search page from the blog has postings about schools, including podcasts that mention them and plenty of articles, and I’m sure this NCSAM article will end up there too.

The main article here, which I will link to in a moment, talks about the various attacks over the last little while and gives some background. This is definitely something we need to be concerned about, especially since this article indicates that parents may sue the district or even the school. If that is the case, the system is going to be in a lot of trouble because of its negligence on basic security issues.

The article that brought this post about is a September 29, 2020 article from Threatpost entitled Las Vegas Students’ Personal Data Leaked, Post-Ransomware Attack. Let us keep the pressure on by continuing to talk about stories like this, because if we don’t, we’ll have bigger problems later. Your thoughts are welcome.

Comments (0)

Online training and schools

Something has been on my mind in regards to school and online training. I’m hoping that in an upcoming podcast we can hear from people who have done online training, as I have through Universal Class. I’m wondering what you’ve found to be accessible or not through the years.

Please send your files through Dropbox, WeTransfer, or any other file sharing service like Sendspace or YouSendIt. The email address is tech at menvi.org, and I look forward to hearing what you have to say!

There is no deadline, so if many files come in, I’ll play them in turn. This is where participation matters, and we’ll play any submissions.

If you want assistance taping your segment, email me and we’ll work some time out on doing things.

Comments (1)

Are schools protected from threats? Article says not so much

Are schools prone to cyberattack? According to the article Cybersecurity: One in five schools says students have broken into computer systems, not so much. There is lots of statistical data in this article. I’m not sure which country this article is based in, but I do remember the email and phone call from Valley College talking about their ransomware attack.

If this is any indication, we’re going to be in for more problems later on. I am sure that there has been coverage through the years on smaller schools being attacked by ransomware and other cybersecurity threats, and a search on ransomware or school cybersecurity threats can provide tons of coverage.

Of course, if only 430 schools outside the States were surveyed in this article, what about the States themselves? Should we be concerned about this? Thoughts?

Comments (0)

Are schools next in the cyber race?

Hi folks,

Happy new year, and thanks for checking out the blog. My goal during Christmas break was to release a podcast, but I’ve been ill. Hopefully, the podcasts will return soon.

The reason I’m writing today is to talk about something I’ve thought about for a while but, sadly, on the 4th day of January, we’re already seeing.

I’m going to be careful, and indicate that I got an E-mail from a school I’ve attended talking about how they are investigating reports of a possible attack.

According to the E-mail, it looks like one campus of the network of various schools around Los Angeles County was targeted.

Computers and voice mail systems, according to the E-mail and attached PDF, are affected, and no voice mail can be left at the school at this time.

School is going on as normal, and its winter session recently started on January 3rd.

As a precaution, the E-mail notifies us that computer experts have gotten involved and will be checking out the entire network to determine what is happening.

They are advising that many computers are possibly infected with ransomware. If you are not aware and you’re coming to the blog for the first time, ransomware is a big time problem, and it locks up your files until you pay money.

Many experts are telling people not to pay unless you have no other choice. I agree with the assessments; I know I wouldn’t pay money to someone who may or may not give me my files back.

According to the attached PDF linked, this detection and investigation started on the 31st of December, and only time will tell on what exactly happened.

I had thought about this as part of my predictions for 2017, which I never wrote because I’ve been sick. It saddens me that we’re starting out the new year on such a note like this. It does not surprise me anymore in regards to things like this.

Do I think other schools are going to be impacted? As large of a network as the school has that I got notified from, it would be possible for other large networks to be impacted at some point.

Hospitals and other businesses have already felt the brunt of ransomware. Trend Micro has already predicted that ransomware will be a bigger threat as it becomes more prevalent as a weapon for people to make money.

Do you think your school, or a school you’ve attended, will be a target? Why or why not? Please sound off in the comments, and let’s discuss this big threat of ransomware.

Hope to have a podcast real soon, thanks for reading!

Comments (0)

Brazen Brazilian hackers opening cybercrime schools

As I catch up, I find this.

Brazen Brazilian hackers opening cybercrime schools.

I find it very interesting that you can go to school to learn this stuff. If I did such a thing, I’d just want to learn how it works, not necessarily want to do these things. I find it interesting that these hackers are going around doing things, but in some cases we really don’t know how it is done. Learning how these things are done could protect us in the first place, because we’d know what is happening and therefore wouldn’t be scared should something happen. Check out the article, and give me your thoughts.

Comments (0)

5,000 web sites were offline, belonged to school districts, timeline is similar to 2017 for me

Hello everyone,

This particular article was sent to our list today, and reminds us that ransomware is still on the loose.

This is similar to what happened to me indirectly in 2017, when Valley College, where I had attended free classes, was affected. A Cyberscoop article I blogged about in 2019 talked about this too.

Then we come to the NCSAM posting I blogged about in 2020, titled NCSAM: Schools are no longer safe, now PII on students are out on the surface and dark Web. In that article, I blog about this heavily, linking to those articles on top of my own thoughts on what I think we should do.

While Valley College affected me, the cases talked about here affect more students than just your college student. I can only imagine what parents are giving the schools now, even though COVID is becoming a problem again and distance learning is taking hold once more.

Now, Michael gives us this TechCrunch article: Finalsite ransomware attack forces 5,000 school websites offline. It is similar to my story because it happened right after the beginning of the year, and actors know that the holidays are the time they can pounce on such a target. This particular case is much larger than Valley College was for me, and larger than the numerous school attacks I’ve blogged about through the years, as this story covers 5,000 schools hit at once. It is a bigger deal than Valley, but similar because of the timing.

Let’s make no mistake about it, any of these stories are bad, and I don’t wish people to go through any of it.

We’re sadly in a different era now, and my email from KnowBe4 indicates that we’re now in nuclear ransomware 3.0. I haven’t read the email yet, but I saw that this morning.

I’m not sure now what to think. I hope that we can try to get a grasp on this before it is too late. Read all of these articles, including the latest on the 5,000 schools and what might affect you. Just be aware of it.

One of the paragraphs I’m only quoting partially says:

Finalsite spokesperson Morgan Delack told TechCrunch that 5,000 of its total 8,000 global customers — including school districts in Kansas City, Illinois, and Missouri — are affected by the incident.

One Reddit user claimed that email couldn’t be sent either. Some email may still not be reaching customers (you, the parent or student) as we speak. This is now becoming a larger problem, one that we are not yet capable of grasping. Just take a look, and be aware.

Comments (0)

The Security Box, podcast 72: A Linux vulnerability, news notes commentary and more

The Security Box took an interesting turn, but that is how some shows are.

Be that as it may, the RSS feed has the program.

Clubhouse also has a replay, if you are on there, find me or my club and you can listen to it raw.

We’ll be back next time.


Welcome to the Security Box, podcast 72. On this program, we’re going to play with Linux a little bit as we discuss a vulnerability in the way it works that can cause DNS cache poisoning. We’ll also have news, notes, commentary and more if people have things they want to share.

Our Linux Vulnerability

News Notes

More may be on the blog, thanks so much for listening and participating!

Comments (0)

We’ve got an arrest on the trickbot malware

Hello folks,

I did some reading today and saw that we have an arrest of a Latvian national who is charged with helping write the TrickBot malware and botnet.

We know that this malware was very prolific and caused a lot of havoc through the years. I’m so happy to see this news, I could just copy the article and post it as mine, except that it is not my article so I can’t do that.

The article comes from Cyberscoop and it was posted on the 4th.

What I think I’ll do is quote the first two paragraphs of this article which gives a little bit of what the malware is, who was arrested, and a little bit about the suspect. This is awesome news!

U.S. prosecutors have charged a 55-year-old Latvian national with helping develop the infamous malicious software known as TrickBot, which has defrauded countless people while infecting tens of millions of computers worldwide.

The defendant, known as Alla Witte, was arraigned in a federal court in Cleveland on Friday after being arrested in Miami in February, the Justice Department said. She is accused of being part of a criminal organization that operated in Russia, Belarus, Ukraine and Suriname, and which infected the computers of hospitals, schools, public utilities and government agencies in the U.S.

The article has linked material as well, and it goes into a lot more detail on what the suspect wrote, describing TrickBot and what it was used for. I’ve covered a lot of this through Trend Micro’s coverage, and they don’t have this.

One paragraph says:

Witte is charged with 19 criminal counts, including with conspiracy to commit computer fraud and aggravated identity theft.

This is the most important part of the article which I can’t leave out.

Want to read the entire article? Here it is: Latvian national charged with writing notorious Trickbot malware is its title. Enjoy this great news!

Comments (0)

A task force out there to help try to curb ransomware

Hello folks,

I read this article that came out on Krebs on Security about a task force and an 81-page report that hopes to have some idea of how to curb the ransomware problem we’ve faced in quite large numbers.

The linked article links to a Wall Street Journal report that the Department of Justice has also formed its own task force to try and curb this problem. Also, according to the article, the DOJ calls for strategies that target the entire criminal ecosystem. We need to send the message the Shadow has said in every program. That is: “Crime does not pay.” I like that saying, and I hope that this pays off.

According to Emsisoft, a security company, almost 2,400 U.S.-based governments, healthcare organizations and schools were targeted in 2020 alone. That’s a lot! We’ve had a lot of school coverage as of late, and I think I might have said something about this when I found out that a college I had attended for free classes was affected by ransomware.

Find something in the article you want to bring up? Task Force Seeks to Disrupt Ransomware Payments is the article, and do give it a look!

Comments (0)

The Security box, podcast 36: Choosing a good password manager

Happy Saturday folks, welcome to the Security Box for this week. I normally get the blog up within 24 hours; better late than never posting it at all.

The show notes are extensive as normal, and I think it’s the way to go so people can read my thoughts on the items as well as listening to them on the podcast.

The RSS feed has had the program up. Here is the link to the RSS for those who need it.

Don’t have RSS? Here is the 156.28mb file for you to get.

I hope those who listen find the shows of value, and I’ll be back this coming Wednesday on the independent channel of the mix’s suite of servers for another edition of the program.


Have you really thought about password managers lately? If not, the main topic may be of interest to you. While there were no calls this week, I feel the way I did the notations and led the discussion may make you think about whether it’s time to get one.


Welcome to podcast 36 of the Security Box. On this edition of the program, we’ll be talking about password managers. Herbie Allen is along with a Things to Ponder section talking about scams, one in particular dealing with Amazon. We also have a webinar from F-Secure that will be of interest. We’ll have news, notes and more. Hope you’ll enjoy the program!

Topic: Choosing a good password manager

LastPass writes good articles, and this one is no different. How would you choose a good password manager? There are five different factors that could drive your decision, highlighted within this article. They include:

  • How many devices do you own? 
  • What are those devices (Android, Apple)? 
  • Who do you need to share with? 
  • What other type of information would you want to store besides passwords? 
  • Are you concerned about data breaches and your personal information being at risk? 

While the article talks about LastPass features, the heading entitled “Choosing a password manager” goes into detail about the different tiers of LastPass. There are definitely alternatives, and you can explore those alternatives. While LastPass has lots of features, you don’t need all of them, and you alone need to decide what will work for you.

Webinar: Attackers Get Personal | F-Secure Live Webcast

Over the weekend, I decided to go through YouTube and found this very interesting webinar. It covered three different topics by three different people.

About the webinar:

Taken directly from YouTube, it states:

Get an inside view into the cyber threats that challenge our recovery from the pandemic and beyond.

Highlights from the Threat Landscape – Christine Bejerasco

2020 was an unprecedented year. But did this reflect in the threat landscape? Christine takes a look at various areas that highlight some of the threats recently encountered.

Healthcare data under attack – Mikko Hyppönen

The healthcare industry’s outdated IT and security infrastructure has caught the attention of cyber criminals, right when we need it the most. Mikko will discuss what we can do to secure our most essential industry.

Thinking like an attacker – Tomi Tuominen

The different stages of a targeted attack keep evolving. Tomi offers the latest insight into how attackers think and how to make their life more difficult.

Topics covered

  • Which threats businesses must face
  • How cyber criminals threaten the health care sector
  • Why a good cyber defense depends on seeing weaknesses through an attackers’ perspective

What to Watch

Things to ponder

Herbie Allen, main owner of the Mix, will be submitting something of interest dealing with scams and Amazon. It’s a three-minute listen, and we can open it up to thoughts on that. I later show a recent text message, go through the link, and show you what is going on with the link.

News Notes and commentary

  • Fiserv used an unclaimed domain that sent out email to customers for various email tasks like verifying accounts, automating password resets and other tasks that may not have been thought of. A researcher, Abraham Vegh, contacted Krebs on Security to discuss what he found with the domain, which he bought to see what it was receiving. Some of what he saw included bounce messages, out-of-office replies and even more. To read more, see the Krebs on Security article entitled Fintech Giant Fiserv Used Unclaimed Domain for all of the details.
  • Is it really time to get rid of SMS verification? I think it’ll be time sooner rather than later. Customer service representatives can be tricked into changing account info, especially if they are low paid, according to the article from Krebs on Security. The article talks about a company called Sakari, which offers a $16 product that allows you to receive text messages from any phone number in the United States. The letter of authorization that needed to be signed by the customer indicated that it could not be used for harassment, inappropriate behavior, or possibly violating the law. As the researcher indicated, people were able to sign up with the service and do what they wanted. When approached with more detail, the researcher in question said that it was not just this company that can do this. The article goes into more detail on this research, including SIM swapping and possibly other tactics that might be used. The question Can We Stop Pretending SMS Is Secure Now? should be asked, and the article is well worth the read.
  • You think Joker and his stash of jokes are gone? Let’s think again. According to a Trend Micro report, not so fast. I’m not sure what happened to the article; somehow parts may be missing. We’ll link it here, but they’re back to their old tricks, which may be new. This article talks about signing up for services by selecting the phone operator, putting in the MSISDN (Mobile Subscriber Integrated Services Digital Network), getting a one-time password, entering that code and bingo, you’re subscribed to services. While the text I have may have been truncated, the article should be read just the same. No Laughing Matter: Joker’s Latest Ploy is the article; take this very seriously.
  • Think using one password was absolutely safe? Better think again. According to an article by LastPass’s Amber Steel, hackers found a username and password online, used it, and gained access to 150,000 cameras in places like schools, fire departments, offices, gyms and more. These are security cameras for some 24,000 customers. The article linked here will have more. 150,000 Security Cameras Hacked Because of One Password is the article; give it a read. Think about changing your password immediately.
  • WeLeak.Info is back in the news, but probably not in a good way. According to an article by Krebs on Security, the site now leaks information about the customers who were at the site buying and selling information. The first paragraph says:

    A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.

    The article talks about putting an email address into the site and getting all possible passwords available for that email address. There’s more; WeLeakInfo Leaked Customer Payment Info is the article, better take a look at it.

  • Finally, we’ve got some good news: two members of the Infraud group have been arrested, charged, and sentenced. According to the article, “in fraud we trust” is the mantra of the group, and the two people are named Sergey Medvedev of Russia and Marko Leopard of North Macedonia. There’s more to the story, so read Two Infraud members sentenced for role in $568 million crime gang, US says, and we hope that it will be called “In Fraud we don’t trust” in the future.

Thanks so much for listening to today’s program and reading the accompanying notations. We hope you’ve enjoyed the program as much as I have putting it together for you, and make it a great day!

Comments (0)

The Security Box, podcast 31 February 10, 2021

It looks like I have neglected to post show notes for some programs, so it’s time to catch up on this. The Security Box has been uploaded, but I’ve neglected to post the notes.

On podcast 31, we pick up where podcast 30 left off on the domain discussion. We also covered news, notes, questions, comments and more.

Do you not want to deal with the RSS feed because you can’t or don’t know how? Here is the 103.03mb file, and we hope you enjoy it.

The podcast is much shorter than the program as we started playing less music within our program to comply with my other podcast. While podcast 32 plays some tracks, they are short tracks.

Here are the show notes for podcast 31 of the podcast, and again, thanks for listening!


Welcome to the Security Box, podcast 31. On this podcast, we’re going to continue the discussion of domains with several different things that we couldn’t get to last week. Also, we’ll have news, notes, questions, comments and more. I hope you enjoy the program as much as we have putting it together for you.

Domain discussion:

Part of running a domain today is security certificates. These certs are called SSL certificates, or what is now known as TLS. We have to remember that the terms SSL and TLS are used pretty much interchangeably; keep that in mind.

When I first started reading PhishLabs, they were indicating that phishing sites were not much into security, as the ultimate goal was to get their wares out, not necessarily to be secure. That’s when we learned through newsletters that looking for the padlock or https was the sign we’re secure. This is not the case anymore. This is because several years ago a company called Let’s Encrypt came up with an automated way of issuing the domain validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites, according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

According to the web site for Let’s Encrypt, it says:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

According to the article, 80 percent of phishing sites now have some form of SSL certificate installed, up from the 74 percent I last saw. We’ve been covering this trend on the tech podcast; I remember when it was in the 50 percent range. This is higher than most general websites, says the article. According to it, a survey from Q-source found 66.8 percent of web sites use SSL.

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation.” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly, through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

According to the article, registrars are partly to blame for the increase in phishing, as there is limited action. Phishing has gone up sharply since March of 2020, and my article talking about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs, and also called the provider I use. I called them up after doing some lookup and mainly inquired as to whether they could help. As of Friday, February 6th, 2021, the domain emailhostsecurity.com is now suspended; I don’t know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security Box or the main tech podcast.

According to the article, it says:

An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

Under the Business Email Compromise section of the article it says:

The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

Fifty countries and 64 million dollars of potentially stolen funds later, criminals have been identified in one year alone.

For the full details of the report and any links read: APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and let’s discuss.


Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of the at least 50,000 threats that PhishLabs has observed.

The most common use of a look-alike domain is to set up a Website with Monetized Links. This approach is not necessarily malicious, yet it accomplishes multiple objectives:

The article goes on and says:

The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

I believe that is why my incident was handled, as when I looked it up, it was only 4 days old!

There is much, much more in this article that we could spend a long time quoting and discussing. I now invite you to read The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.
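As an added defensive example, not code from this blog or from PhishLabs, the script below applies the two signals discussed above, a look-alike label (homoglyph folding, an embedded brand name, or a small edit distance) and a young registration date, to a constructed set of WHOIS-style records. The brand name, the candidate domains, their creation dates and the 30-day freshness threshold are all assumptions made for the example.

```python
from datetime import date

# Constructed records in the shape a WHOIS lookup would give back (hypothetical data).
RECORDS = [
    {"domain": "examplebank.com",       "created": "2012-05-14"},  # the brand itself
    {"domain": "examp1ebank.com",       "created": "2021-02-02"},  # digit 1 for letter l
    {"domain": "examplebank-login.net", "created": "2020-11-10"},  # brand plus keyword, aged
    {"domain": "exarnplebank.com",      "created": "2021-01-30"},  # "rn" for "m"
    {"domain": "examplebanc.com",       "created": "2021-02-05"},  # one-letter swap
    {"domain": "weatherreport.org",     "created": "2021-02-04"},  # new, but unrelated
    {"domain": "gardeningtips.com",     "created": "2015-08-01"},  # old and unrelated
]
BRANDS = ["examplebank"]          # hypothetical brand being impersonated
TODAY = date(2021, 2, 6)          # fixed "now" so the run is reproducible

# Common substitutions seen in look-alike labels; order matters ("rn" before "1").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("-", "")]


def normalize(label):
    """Fold look-alike character sequences into the letters they imitate."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of the domain; enough for the .com/.net/.org samples here."""
    return domain.lower().rstrip(".").split(".")[-2]


def lookalike_reason(domain, brands, max_distance=2):
    """Return why the domain resembles a brand, or None if it does not."""
    raw = registrable_label(domain)
    folded = normalize(raw)
    for brand in brands:
        b = brand.lower()
        if raw == b:
            return None                      # the genuine brand domain
        if folded == b:
            return f"homoglyph variant of '{brand}'"
        if b in folded:
            return f"embeds brand '{brand}'"
        dist = levenshtein(folded, b)
        if dist <= max_distance:
            return f"edit distance {dist} from '{brand}'"
    return None


def domain_age_days(created, today):
    """Days since the WHOIS creation date (ISO format)."""
    return (today - date.fromisoformat(created)).days


def triage(records, brands, today, max_age_days=30):
    """Flag look-alike domains; a young registration raises the severity,
    an aged one (the 'let it age' tactic) is still reported, at lower severity."""
    findings = []
    for rec in records:
        reason = lookalike_reason(rec["domain"], brands)
        if reason is None:
            continue
        age = domain_age_days(rec["created"], today)
        severity = "high" if age <= max_age_days else "medium"
        findings.append({"domain": rec["domain"], "age_days": age,
                         "reason": reason, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(RECORDS, BRANDS, TODAY):
        print(f"{f['severity']:6} {f['domain']:24} {f['age_days']:4}d  {f['reason']}")
```

Aged look-alikes still surface as medium so that the "let it age" tactic quoted above does not slip past a check that only keys on registration date.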

We aren’t going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps, if you wish to take a look at it. It’s a long process, and I think it needs more work.

News, Notes and more

  • There are a couple of items I heard about in the February 3rd episode of the Cyberwire. First, SolarWinds has more problems with their software, which they have fixed, but the most important thing in this episode is that the initial breach of 2020 could actually have started as early as December 2019, when it has been reported that SolarWinds had one of their Microsoft 365 accounts compromised. We’re continuing to hear more, and you can search this out if you wish to learn more.
  • It looks like Facebook has changed their mind about collecting metadata for now, according to the same episode of The Cyberwire. I’m not sure I fully buy that, but if they’re going to use metadata, let them have at it, I say. Besides that, it looks like Facebook is going ape because Apple will be putting a feature into iOS that will let us tell apps whether they can identify us by our tracking ID. Mr. Zuckerberg says that it is Apple dominating the ecosystem, and if I could read between the lines during the interview in that episode, he’s not too happy, as it hurts their bottom line. The person interviewed indicated that it is about time and that it has been in the works for a while, even though Facebook and others may say that it is because of the January 6, 2021 event that sparked this.
  • Security Now, podcast 804, has a ton of stuff that might be of interest to listen to. The very first segment talks about security certificate authorities and the latest one, Camerfirma, being knocked off the list by Google Chrome starting with release 90, which will be released in April 2021. According to Security Now, there are multiple issues which the company said they’d fix between 2017 and 2020, yet they were never fixed. Please listen to Security Now episode 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantec, the makers of Norton, signed certs and failed at times. It’s OK to make a mistake, but being a security certificate signer is a privilege, not a right.
  • A company I’m not familiar with, called Nox, which makes some sort of player, may have been compromised, with updates that were malicious in nature only making it out to a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player had better do their due diligence and make sure their device from this company is not infected.
  • Sans News Bites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: “IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants
    to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from
    IBM’s Service Corps Program will “help [the selected schools] proactively prepare for and respond to cyberattacks.”” Lets see what happens! Sans News bites links to multiple articles, see the link to the newsletter on the blog.
  • According to The Cyberwire Daily, Feb 4, 2021: Zoombomnbing is being done by high school and college students who are board and want to “piss off the teacher.” It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.

Comments (0)

The Security box, podcast 31: More Domain discussion, news, notes and more

Hello folks, welcome to the show notes of the Security Box. Yes, it's been a couple of days; however, it's better late than never, I'd say. Other stuff got delayed too, like the playlists for my shows for my independent stuff, so it isn't too bad.

The RSS feed has had the program up since the podcast was done, and now it's time to provide the link to the podcast as well as the extensive show notes.

You'll notice that we only have two tracks now; the lunchtime set I play when I don't have anything else was not broadcast. This makes the podcast less than two hours instead of the two and a half hours the internet radio program took. I hope this makes the podcast better to listen to.

Don't want to mess with RSS? Here is the 162.57 MB file for you to download. Thanks so much for listening!


Welcome to the Security Box, podcast 31. On this podcast, we're going to continue the discussion of domains with several different things that we couldn't get to last week. Also, we'll have news, notes, questions, comments and more. I hope you enjoy the program as much as we enjoyed putting it together for you.

Domain discussion:

Part of running a domain today is security certificates. These certs are called SSL certificates, or what is now known as TLS. For our purposes, SSL and TLS are pretty much interchangeable names for the same thing; keep that in mind.

When I first started reading PhishLabs, they were indicating that phishing sites were not much into security, as the ultimate goal was to get their wares out, not necessarily to be secure. That's when we learned through newsletters that looking for the padlock or https was the sign we're secure. This is not the case anymore. This is because several years ago a company called Let's Encrypt came up with an automated way of issuing the domain-validated certificates that would be used for this purpose. The 200,000 web sites for August and September were unique sites, according to the article. It also states that SSL encryption for phishing sites overtook SSL deployment for general websites. We also have a 10 percent increase in BEC attacks that originate from free webmail accounts such as Hotmail, Outlook, MSN, mail.ru and possibly others.

According to the web site for Let's Encrypt:

Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

According to the article, 80 percent of phishing sites now have some form of SSL certificate installed, up from the 74 percent I last saw. We've been covering this trend on the tech podcast; I remember when it was in the 50 percent range. This is higher than most general websites, says the article. According to it, a survey from Q-source found that 66.8 percent of web sites use SSL.

“Not surprisingly, most SSL certificates used by phishers were Domain-Validated (DV), which is the weakest form of certificate validation.” said LaCour. There are three types of SSL certificates, and DV certificates can be issued quickly, through an easy verification process. Of more than fifty-three thousand SSL certificates observed by PhishLabs, 91.3 percent were Domain-Validated.

Generally, PhishLabs found that cybercriminals are using free certificates. In Q3, 40 percent of all SSL certificates used by phishers were issued by the same free certificate authority, Let’s Encrypt.

According to the article, registrars are partly to blame for the increase in phishing, as they take limited action. Phishing has gone up sharply since March of 2020, and my article talking about one such phishing attack got something done. I sent the blog post linked here over to Mr. Krebs and also called the provider I use. I called them up after doing some lookups and mainly inquired as to whether they could help. As of Friday, February 6th, 2021, the domain emailhostsecurity.com is now suspended, and I don't know when this officially occurred. The blog post linked here has the email that was sent to me, and I believe I talked about this on either the Security Box or the main tech podcast.

The article also says:

An average of 500 brands were targeted by phishing each month over the course of Q3, with SaaS remaining the most frequently attacked industry, targeted 31.4 percent of the time.

Under the Business Email Compromise section of the article it says:

The report also found 16.3 percent of BEC attacks involved domains registered by the phishers, with most originating from five registrars: Namecheap, Public Domain Registry, Google, Tucows, and NameSilo.

Fifty countries and 64 million dollars of potentially stolen funds later, criminals have been identified in one year alone.

For the full details of the report and any links, read: APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS, and let's discuss.


Cybercriminals register hundreds of thousands of look-alike domains every year to impersonate reputable organizations and make a profit. These domains are used for a variety of attacks including phishing emails, fraudulent websites, web traffic diversion, and malware delivery.

Look-alike domains are intentionally misleading to give customers the false impression that they’re interacting with trusted brands, leading to significant reputation damage, financial losses, and data compromise for established enterprises. The process of creating an attack is inexpensive, and if threat actors move quickly to evade detection, they can make a large return on their time and money.

Millions of internet users are targeted with look-alike domains each year. The article has a graph that shows only a sampling of at least 50,000 threats that PhishLabs has observed.

The most common use of a look-alike domain is to set up a website with monetized links. This approach is not necessarily malicious, yet it accomplishes multiple objectives.

The article goes on and says:

The registrant parks a domain and capitalizes on visiting traffic by adding monetized links. The link topics are typically related to the impersonated brand’s keywords, increasing the probability that visitors will click through to the destination website.

They let a domain “age” before using it. Most scammers typically use new domains quickly, yet some will maintain them for weeks or months. Recently registered domains garner low reputation scores and are a telltale sign of malicious activity, making them targets for security teams.

I believe that is why my incident was handled so quickly: when I looked it up, the domain was only 4 days old!
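The two signals the PhishLabs article singles out, a label that resembles a protected brand and a registration only days old, are easy to turn into a triage routine. The following is an added example written for this post; it is not code from PhishLabs or from this blog. The brand list, the list of domains we "own", the substitution table, the 30-day age cutoff, the edit-distance cutoff and every registration date are constructed assumptions, and the second-level-label extraction deliberately ignores public-suffix rules such as `.co.uk`.

```python
"""Triage candidate domains for look-alike risk against protected brand names.

Added example; not code from the PhishLabs article or from this blog. It combines
two signals the article describes: similarity of the registered label to a brand
name (including digit-for-letter substitutions) and the age of the registration.
Brand list, registration dates and thresholds are constructed for the example.
"""
from datetime import date
import unicodedata

# Constructed list of brands we want to protect and the domains we legitimately own.
BRANDS = ["paypal", "microsoft", "krebsonsecurity"]
OWN_DOMAINS = {"paypal.com", "microsoft.com", "krebsonsecurity.com"}

# Substitutions commonly seen in look-alike registrations (constructed, not exhaustive).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

NEW_DOMAIN_DAYS = 30      # registrations younger than this are treated as "new"
MAX_DISTANCE = 2          # edit distance at or below this counts as a look-alike


def normalize(label: str) -> str:
    """Strip accents/non-ASCII, lower-case, and fold common substitutions."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in SUBSTITUTIONS.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'paypa1-secure' for 'login.paypa1-secure.com'.
    Simplification: ignores public-suffix rules such as '.co.uk'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def closest_brand(domain: str):
    """Return (brand, distance) for the protected brand closest to the domain label.
    The whole label and each hyphen-separated piece are compared, so
    'paypal-secure' is as close to 'paypal' as 'paypal' itself."""
    label = normalize(registrable_label(domain))
    pieces = [label] + label.split("-")
    best = None
    for brand in BRANDS:
        dist = min(edit_distance(p, brand) for p in pieces)
        if best is None or dist < best[1]:
            best = (brand, dist)
    return best


def score_domain(domain: str, created: date, today: date) -> dict:
    """Combine similarity and age into a verdict: high, medium, low or benign."""
    brand, dist = closest_brand(domain)
    age_days = (today - created).days
    look_alike = dist <= MAX_DISTANCE and domain.lower() not in OWN_DOMAINS
    is_new = age_days <= NEW_DOMAIN_DAYS
    if look_alike and is_new:
        verdict = "high"       # brand impersonation on a fresh registration
    elif look_alike:
        verdict = "medium"     # impersonation on an "aged" domain
    elif is_new:
        verdict = "low"        # new but not obviously brand-related: watch it
    else:
        verdict = "benign"
    return {"domain": domain, "brand": brand, "distance": dist,
            "age_days": age_days, "verdict": verdict}


# Constructed registrations (dates are made up; not real WHOIS data).
SAMPLE_REGISTRATIONS = [
    ("paypal.com", date(2000, 1, 1)),
    ("paypa1-secure.com", date(2021, 2, 2)),
    ("micr0soft-login.net", date(2020, 9, 1)),
    ("emailhostsecurity.com", date(2021, 2, 2)),
    ("example.org", date(2010, 1, 1)),
]
TODAY = date(2021, 2, 6)


def triage(registrations=SAMPLE_REGISTRATIONS, today=TODAY) -> list:
    """Score every registration; highest-risk first."""
    order = {"high": 0, "medium": 1, "low": 2, "benign": 3}
    results = [score_domain(d, c, today) for d, c in registrations]
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for r in triage():
        print(f"{r['verdict']:6} {r['domain']:24} ~{r['brand']} (d={r['distance']}, {r['age_days']}d old)")
```

In real use the registration dates would come from WHOIS or RDAP lookups and the brand list from your own portfolio; the point of the scoring is that a fresh registration that folds to a protected brand name is the case worth a takedown request the same day, while an aged look-alike still deserves monitoring because, as the article notes, some actors park a domain for months before using it.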

There is much, much more in this article that we could spend a long time quoting and discussing. I now invite you to read: The Anatomy of a Look-alike Domain Attack for all of the complete details. If something sticks out at you, please discuss it.

We aren't going to cover this one, but another article in this series is Look-alike Domain Mitigation: Breaking Down the Steps, if you wish to take a look at it. It's a long process, and I think it needs more work.

News, Notes and more

  • Looks like there are a couple of items I heard about in the February 3rd episode of the Cyberwire. SolarWinds first has more problems with their software, which they have fixed, but the most important thing in this episode is that the initial breach of 2020 could actually have started as early as December 2019, when it has been reported that SolarWinds had one of their Microsoft 365 accounts compromised. We're continuing to hear more, and you can search this out if you wish to learn more.
  • Looks like Facebook has changed their mind about collecting metadata for now, according to the same episode of The Cyberwire. I'm not sure I fully buy that, but if they're going to use metadata, let them have at it, I say. Besides that, it looks like Facebook is going ape because Apple will be putting a feature into iOS that will let us tell apps whether to identify us by our tracking ID. Mr. Zuckerberg says that it is Apple dominating the ecosystem, and if I could read between the lines during the interview in that episode, he's not too happy, as it hurts their bottom line. The person interviewed indicated that it is about time and that it has been in the works for a while, even though Facebook and others may say that it was the events of January 6, 2021 that sparked this.
  • Security Now podcast 804 has a ton of stuff that might be of interest. The very first segment talks about security certificate authorities and the latest one, Camerfirma, being knocked off the list by Google Chrome starting with release 90, which will be released in April 2021. According to Security Now, there are multiple issues which the company said they'd fix between 2017 and 2020, yet they were never fixed. Please listen to Security Now episode 804 for complete details on some of what was wrong. Through the years, the technology podcast as well as Security Now have mentioned and talked about other authorities misbehaving. Even Symantec, the makers of Norton, signed certs and failed at times. It's OK to make a mistake, but being a security certificate signer is a privilege, not a right.
  • A company I'm not familiar with called Nox, who makes some sort of player, may have been compromised, with updates that were malicious in nature only making it out to a subset of its customers. The company says there is nothing wrong, according to Security Now, so people who use this player had better do their due diligence and make sure their device from this company is not infected.
  • SANS NewsBites is reporting that school districts can get some help with their cybersecurity. The blurb from the newsletter says: "IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM's Service Corps Program will "help [the selected schools] proactively prepare for and respond to cyberattacks."" Let's see what happens! SANS NewsBites links to multiple articles; see the link to the newsletter on the blog.
  • According to The Cyberwire Daily, Feb 4, 2021: Zoombombing is being done by high school and college students who are bored and want to "piss off the teacher." It may not have started that way, but the Cyberwire says that most of the problems now are with the kids.


What is going on in the security landscape, news ending January 8, 2021

Hello folks, welcome to a wrapup of what is going on in the landscape of security. In no way is this going to be a complete rundown; it is some of what I've read or come across, plus news that I didn't see but that came across my desk through a digest from Trend Micro.

Let us get started with "This Week in Security News" from Trend Micro. I really like covering these posts because they cover a lot: some I may have read, some I still need to read, and others may be interesting but not worth talking about in the long term.

There are two articles I've been meaning to cover that are in my rundown from this news digest, so I might as well cover them here. The first is Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration, and I had to read it from the web version. This is very dangerous because it relies on people using webmail to access their mail. I ditched webmail many, many, many years ago because I personally find it to be something that doesn't interest me. Even when I signed up for Gmail, which I finally settled on for YouTube and now as an off-site email address, I was not using the website to check my mail.

The good news is that I think most of us who read this aren't using the referenced site at all. The web site is mail2000tw[.]com or any kind of subdomain of it. I can't tell what language it is in, though I did visit the site via private browsing to try to see.

Trend Micro writes:

We discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name "Earth Wendigo."

Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers.

Other headings within this article include but are not limited to:

  • Initial Access and Propagation
  • Exfiltration of the mailbox
  • Infection of email accounts
  • Service Worker script exploitation
  • Email exfiltration

The article here is very detailed, and I think people need to read this, as it could come to a webmail service near us. Luckily, it hasn't happened as of yet, but it is definitely something that could eventually happen.


The other thing in this week's digest of the news that I wanted to cover is An Overview of the DoppelPaymer Ransomware, and it is also a good one.

The article starts out:

DoppelPaymer uses a fairly sophisticated routine, starting off with network infiltration via malicious spam emails containing spear-phishing links or attachments designed to lure unsuspecting users into executing malicious code that is usually disguised as a genuine document. This code is responsible for downloading other malware with more advanced capabilities (such as Emotet) into the victim's system.

I believe I've talked about Emotet on the technology podcast, and it definitely isn't going anywhere with this new project. DoppelPaymer also uses the Dridex malware family (website), which will either download DoppelPaymer directly or something else.

This is definitely something that is stealthy, troublesome, and something that we should all know about.

The article goes on and says:

Once Dridex enters the system, the malicious actors do not immediately deploy the ransomware. Instead, it tries to move laterally within the affected system's network to find a high-value target to steal critical information from. Once this target is found, Dridex will proceed in executing its final payload, DoppelPaymer. DoppelPaymer encrypts files found in the network as well as fixed and removable drives in the affected system.

Finally, DoppelPaymer will change user passwords before forcing a system restart into safe mode to prevent user entry from the system. It then changes the notice text that appears before Windows proceeds to the login screen.

The new notice text is now DoppelPaymer's ransom note, which warns users not to reset or shut down the system, as well as not to delete, rename, or move the encrypted files. The note also contains a threat that their sensitive data will be shared to the public if they do not pay the ransom that is demanded from them.

According to the FBI notification, DoppelPaymer's primary targets are organizations in the healthcare, emergency services, and education. The ransomware has already been involved in a number of attacks in 2020, including disruptions to a community college as well as police and emergency services in a city in the US during the middle of the year.

DoppelPaymer was particularly active in September 2020, with the ransomware targeting a German hospital that resulted in the disruption of communication and general operations. It also fixed its sights on a county E911 center as well as another community college in the same month.

The following is what Trend Micro recommends in regards to this one:

  • Refraining from opening unverified emails and clicking on any embedded links or attachments in these messages.
  • Regularly backing up important files using the 3-2-1 rule: Create three backup copies in two different file formats, with one of the backups in a separate physical location.
  • Updating both software and applications with the latest patches as soon as possible to protect them from vulnerabilities.
  • Ensuring that backups are secure and disconnected from the network at the conclusion of each backup session. 
  • Auditing user accounts at regular intervals — in particular those accounts that are publicly accessible, such as Remote Monitoring and Management accounts.
  • Monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.
  • Implementing two-factor authentication (2FA) for user login credentials, as this can help strengthen security for user accounts.
  • Implementing the principle of least privilege for file, directory, and network share permissions.
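The "monitoring inbound and outbound network traffic, with alerts for data exfiltration" item is the one people most often leave as a sentence in a policy document. What it looks like in practice is a per-host outbound-volume check, which the added example below demonstrates; it is not code from Trend Micro or from this blog. The flow-log format, the internal address ranges, the per-host baselines, the 5x ratio and the off-hours window are all constructed assumptions, and the records are made up for the example. Note that the internal-to-internal transfer in the sample (a large SMB copy, which fits the lateral-movement stage the article describes) is deliberately excluded from the exfiltration total; it would be caught by a different rule.

```python
"""Flag hosts whose outbound volume to external addresses is anomalous.

Added example; not code from Trend Micro or from this blog. It illustrates the
"monitor outbound traffic, alert on exfiltration" recommendation: per-source-host
bytes sent to non-internal destinations are compared with a per-host daily
baseline, and off-hours transfers are weighed separately. The flow-log format,
address ranges, baselines and thresholds below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <bytes_out>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as "external" here.
SAMPLE_FLOWS = """\
2021-01-08T02:10:00Z 10.0.5.21 203.0.113.10 443 182000000
2021-01-08T02:12:00Z 10.0.5.21 203.0.113.10 443 240000000
2021-01-08T09:00:00Z 10.0.5.22 198.51.100.7 443 1500000
2021-01-08T09:05:00Z 10.0.5.22 10.0.9.1 445 900000000
2021-01-08T09:30:00Z 10.0.5.23 198.51.100.9 80 300000
2021-01-08T03:40:00Z 10.0.5.24 203.0.113.77 443 12000000
"""

# Address ranges this (constructed) organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-host daily outbound baselines in bytes; hosts not listed get the default.
BASELINE = {"10.0.5.21": 20_000_000, "10.0.5.22": 50_000_000}
DEFAULT_BASELINE = 10_000_000
RATIO_THRESHOLD = 5.0        # alert when outbound volume is >= 5x the baseline
OFF_HOURS = range(0, 6)      # 00:00-05:59 UTC: transfers here are judged separately


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of our internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse the constructed flow-log format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                      "bytes": int(nbytes), "hour": int(ts[11:13])})
    return flows


def outbound_summary(flows: list):
    """Per internal source host: total and off-hours bytes sent to external addresses."""
    total = defaultdict(int)
    off_hours = defaultdict(int)
    for f in flows:
        # Skip inbound traffic and internal-to-internal transfers; the latter may be
        # lateral movement, but it is not exfiltration and belongs to another rule.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        total[f["src"]] += f["bytes"]
        if f["hour"] in OFF_HOURS:
            off_hours[f["src"]] += f["bytes"]
    return total, off_hours


def detect_exfiltration(flows: list, baseline: dict = BASELINE) -> list:
    """Return alerts (highest ratio first) for hosts exceeding their baseline."""
    total, off_hours = outbound_summary(flows)
    alerts = []
    for src, nbytes in total.items():
        expected = baseline.get(src, DEFAULT_BASELINE)
        ratio = nbytes / expected
        reasons = []
        if ratio >= RATIO_THRESHOLD:
            reasons.append(f"{ratio:.1f}x daily baseline")
        if off_hours[src] >= expected:
            reasons.append(f"{off_hours[src]} bytes sent off-hours")
        if reasons:
            alerts.append({"src": src, "bytes": nbytes,
                           "ratio": round(ratio, 1), "reasons": reasons})
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


def run_sample() -> list:
    """Run the detector over the constructed sample flows."""
    return detect_exfiltration(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["src"], alert["bytes"], "bytes:", "; ".join(alert["reasons"]))
```

Two hosts trip the rule in the sample: one that sends 21x its baseline during the night, and one whose volume is unremarkable by the day's total but arrives entirely in the off-hours window. The baselines are the part that needs real data; a week of per-host outbound totals from your flow collector is usually enough to seed them.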

As with all things troublesome, making sure we have our backups is the most important thing. I personally pay for Dropbox for that purpose, and I am sure glad I have!


The Hacker News has an article entitled FBI, CISA, NSA Officially Blame Russia for SolarWinds Cyber Attack, which I have not read. Cyberscoop has articles dealing with SolarWinds and some of the fallout. They are:

The last two go hand in hand, but all of the above are interesting, saying in varying paragraphs that Russia is to blame. That is why I link all of them in this section: it is the latest we have, and I can only imagine Trump going ape over his accounts being suspended. With what has gone on, it's about time that the companies do something to curb his behavior, even if it was only indirectly responsible for the attacks that have been in the news as of late. Read all of the articles linked in the above list, because they are all good and vary in content. Several of these articles may be linked in podcast content in passing for news notes, but it's all informative. articles will


Another article that is worth talking about is protecting your kids while learning at home. The article How to Protect Your Kid's Privacy While At-Home Learning goes into detail on this.

The beginning of this article says:

How to Protect Your Kid’s Privacy While At-Home Learning
Many kids now have school-supplied computer equipment away from the school network. However, with this come privacy and security concerns. Some are easy to avoid, but others need some modifications to ensure safety.
By: Stephen Hilt, Erin Johnson. December 22, 2020. Read time: 5 min (1381 words)
With the pandemic forcing many people to work and attend school from home, there has been a major shift in the use of technology for many businesses and learning institutions. And this has brought a lot of interesting findings, at least from my own.

My kids have been attending school virtually this year, and I'm glad that schools can offer options and provide a high level of education virtually during the Covid-19 pandemic. One of these options is the use of Chromebooks. While many US school districts have been providing Chromebooks to children at school for some time, the scale of this need changed significantly in 2020. Fortunately, some school districts have found the ability to get more computers for students who need them at home.

While I applaud the schools for providing computers to the people who need them, the article talks about how schools are locking down even the home network because it is signed in to the same Google account, even when the provided computer is not being used. This goes beyond the reach of my understanding; please read Trend Micro's article on this.

One of the things I heard in a new podcast I just subscribed to, The CyberWire Daily, was mention of JetBrains, whose software may be another piece that was compromised. I have not read Investigation Launched into Role of JetBrains Product in SolarWinds Hack: Reports, but it is interesting that yet another company may be involved in one of the biggest breaches we've ever known.

Here is what the clip of this article states. Again, I've not read this, so I have no more info except what I heard on the podcast.

Cybersecurity experts and government agencies are trying to determine whether the hackers that targeted SolarWinds may have abused software created by JetBrains to achieve their goal. JetBrains is a software development company based in the Czech Republic that has offices in Europe, Russia and the United States. The company claims its solutions are used by over 9 million developers across 300,000 companies around the world.


We can't forget phishing. Email threats are going to rise, and with that, legitimate domains may be used. Also, Ryuk is still being used more than ever, a paste service called Hastebin is being used to deliver fileless malware, and much more. To read the entire article of what is going on this week from Trend Micro, please go on over to Trend Micro's blog: This Week in Security News – Jan 8, 2021 to read all of the details.


Finally, we've got some great news, which I always like to cover: Russian man sentenced to 12 years in prison for massive JPMorgan data heist. That is good news, because J.P. Morgan's breach was one of the biggest to date for its time.

Tyurin's breach of JPMorgan Chase alone saw data on 80 million customers stolen, according to prosecutors. The Russian man made $19 million altogether from the hacking, the Justice Department said in a statement.

We should back up and start at the beginning, though. The article states in part:

A U.S. federal judge on Thursday sentenced Andrei Tyurin, a 37-year-old Russian man, to 12 years in prison for his role in a hacking scheme that prosecutors say involved the theft of personal data from over 100 million customers of big U.S. financial firms.

The brazen hacking operation, which ran from 2012 to 2015, is one of the biggest to hit Wall Street in recent memory. It involved Tyurin allegedly working with an Israeli man named Gery Shalon, among others, to breach big-name companies like JPMorgan Chase, ETrade and The Wall Street Journal. The scammers then sought to inflate stock prices by marketing them to people whose data they had stolen.

There is definitely more, and more that I need to get out in regards to SolarWinds, but I'll do that in a separate article, as SolarWinds is just as interesting alone as it would be in a roundup like this.

This completes the news notes. Did you find something of interest? Why not get in touch? Comment on the blog! Write an email! Use WhatsApp, email/iMessage or any other contact info you want! We'll be waiting.


Suspect who made bomb threats as well as DDoS attacks getting almost 13 years

In the good news department, we are learning that someone who has done both bomb threats and DDoS attacks is scheduled to serve 8 years in the slammer.

Here is a section of the article, which we're going to link to at the end.

A 22-year-old North Carolina man has been sentenced to nearly eight years in prison for conducting bomb threats against thousands of schools in the U.S. and United Kingdom, running a service that launched distributed denial-of-service (DDoS) attacks, and for possessing sexually explicit images of minors.

Timothy Dalton Vaughn from Winston-Salem, N.C. was a key member of the Apophis Squad, a gang of young ne’er-do-wells who made bomb threats to more than 2,400 schools and launched DDoS attacks against countless Web sites — including KrebsOnSecurity on multiple occasions.

The Justice Department says Vaughn and his gang ran a DDoS-for-hire service that they used to shake down victims.

“In early 2018, Vaughn demanded 1.5 bitcoin (then worth approximately $20,000) from a Long Beach company, to prevent denial-of-service attacks on its website,” reads a statement from Nicola Hanna, U.S. attorney for the Central District of California. “When the company refused to pay, he launched a DDoS attack that disabled the company’s website.”

Dalton, whose online aliases included “WantedbyFeds” and “Hacker_R_US,” pleaded guilty last year to one count of conspiracy to convey threats to injure, convey false information concerning use of explosive device, and intentionally damage a computer; one count of computer hacking; and one count of possession of child pornography.

Federal judge Otis D. Wright II sentenced Vaughn to 95 months for possessing 200 sexually explicit images and videos depicting children, including at least one toddler, the Justice Department said. Vaughn was sentenced to 60 months in federal prison for the remaining charge. The sentences will be served concurrently.

Since the sentence is running consecutively, he'll be serving almost 13 years (12.917 years), or 155 months. The pornography charge is the longest at 95 months, while the hacking charges are 60. Why should one be lesser than the other? I'll let the comment boards await you on this one. Please register and leave your comments. I don't want to be the only one posting here.

For the full story, please read: Bomb Threat, DDoS Purveyor Gets Eight Years


Oklahoma School Employee Arrested On Multiple Child Porn Charges

I normally wouldn't post this on my tech blog, but this may be a good thing, though it may sicken some. I decided to go through Twitter and find this article, which I'm using as my title, as it is just fitting.

Today, Agents from the Oklahoma State Bureau of Investigation (OSBI) Internet Crimes Against Children (ICAC) arrested 26-year-old Hansen Martin Leroy Johnson on multiple child pornography charges.

The case originated in October when the National Center for Missing and Exploited Children (NCMEC) forwarded a cyber tip they received from a social media platform to the OSBI. The tip included an image and short video showing an adult sexually abusing an infant. The OSBI ICAC Unit opened a case and began investigating Johnson, who is an employee of Tahlequah Public Schools.

The fact that this was posted on social media is the reason why I decided to tackle this on the tech blog instead of a more personal blog.

First of all, if I were ever taking videos of such things, do you honestly think that I would be putting it up on the internet for people to see? If I were in to that whole thing, I would back it up, sure, like everything else, but I would not put that type of thing on the public internet.

You would have to trust your backup provider that they aren’t going to know what it is, but even if they stumble upon it, there are laws and regulations on making that type of thing available for public consumption. You just don’t put it out there for everyone to see.

For full details on this, why not read the Breaking911 coverage: Oklahoma School Employee Arrested On Multiple Child Porn Charges. Have fun with this one! May the comment boards await you.


What has been read, blogged, and talked about for the last week, security news ending October 4, 2020

In this week's news, some of which may have been blogged about on the tech blog itself, find out what I've been reading, including the highlights of the security news from Trend Micro. It has been a doozie of a week with the news of UHS; I've got several blog posts on that and even found one from Dark Reading through Twitter which I didn't blog about. Read on to find out what caught my attention within the past week.


UHS is known as United Health Care services. Many different articles in a search of this company name will yield results talking about the group, which deals with hospital care in various locations, being the victim of a potential ransomware attack. Their reports are of the typical ransomware type, but they stop short of calling it that.

Article list:

This can't be good in the public relations department, can it? I'm an outsider looking in, trying to spread info and point people to the articles so that they can be informed. Read these blog posts and the accompanying articles, and come back and tell me what you think.


911 services were down in 14 different states on September 28, 2020. The particular digest of the day with that blog post came back to me asking if we can cover this on the Security Box. While I'm not sure on time as of yet, it is unknown if this was caused by security problems. I bring it up here because Krebs on Security did a good job talking about this, and I feel that if it is a security problem it should be talked about. I'm unsure how 911 services work, how they are routed, and the like, so I can't comment on this except for the article I read.

Article list:

This blog post has my thoughts along with the accompanying article from Mr. Krebs. I really have nothing more to say; please refer to the article for your information on this one.


Ransomware is still hitting the news, more than ever. One particular article that I blogged about talked about an insurance company that was hit, but it isn't just insurance we've got to worry about. More recently, I read an article and blogged on October 4th about a potential ransomware attack in Las Vegas. That particular article goes so far as to talk about other school systems and their problems too. Some of this may have been talked about through the Security Box program that is broadcast through the Independent Channel of the Mix.

Article listing:

The second blog post made me wonder, and it really leads to a questionable study that I have questions about. The third is the 2nd in the NCSAM article set, and I'm sure that I'll have more in this set as I try to get caught up.


This Week in Security News from Trend Micro covers a few items which I have read, and some I have not. It talks about the cross-platform modular Glupteba malware, how it got its name, and the like. Netflix and Amazon accounts are susceptible to a phishing attack, according to an article, and it starts with a phishing attack that targets Microsoft 365 accounts. One article that we are covering this next week on the Security Box covers identity fraud and how to protect your identity data. I blogged specifically about this one in my first NCSAM article, which was sent and digested out.

The first NCSAM article linked within this section is the one that talks about the identity theft article that was linked within the news notes article linked first. Both are worth the read; there may be items that I am unable to read or that don't interest me.



Found something of interest in the security landscape that I do not have, or that I haven’t read as of yet? Please send those links! Contact info is on the blog on the “about the blog” page. Thanks so much for reading, and make it a great day!


The Security Box, podcast 11 for September 23, 2020

This podcast was a little shorter than usual. That’s OK, we did cover everything I wanted to cover. It’s the way it goes. Here are the show notes. A link to the RSS feed and a link to download the file follow the notes.


Welcome to podcast 11 of the Security Box.

Topic:

  • Ransomware is everywhere. Last week, Michael in Tennessee sent this article during the show, and I finally got a chance to read it. This time, Newhall schools are affected, and while the advice given in the article is sound, we can officially say that nothing is predictable in this strange year. ABC7 in Los Angeles gives us: Ransomware attack shuts down remote classes in Newhall, which has some good points. The article talks about what is being done, which includes bringing in forensic folks, law enforcement, and other people who may be needed to restore data. The article didn’t talk about training. Question: where is the training so people in the district know what to look for when something like this happens again? Ransomware starts with an email in most cases.
  • TikTok is back in the news, and this can’t be good news anyhow. The article Lame-duck versions of TikTok and WeChat are definitely a problem, security experts say is what we’re going to talk about, and we’ll play this CNET video: TikTok, WeChat ban explained. I didn’t know WeChat was a problem, but then again, I’ve not used that app at all. From what I’ve heard, it’s similar to communication apps like WhatsApp and other messaging apps. To top this all off, Michael in Tennessee recently sent me an article in regards to the TikTok sale to Oracle. The TikTok deal solves quite literally nothing is the article, and it is quite interesting. This whole story ought to get interesting now, but suffice it to say, TikTok is saved, for now.
  • Open forum: what do you want to talk about? This is your time to shine.

News Notes and things

  • The biggest topic right now is TikTok and their very interesting developing story as it continues to unfold. Besides that, we’ve got some recent arrest news and other items in this blog post, which has been cut short because I hadn’t felt well. The news also covers a Chinese firm that is supposed to do antivirus work being part of APT41. This is going to be interesting.
  • For the first time to our knowledge, ransomware may have led to the death of a critically ill patient. The attack was an apparent accident, as the actors gave the hospital the key after it was determined they had made a mistake on their target. Hospitals have never really fixed their security problems, mainly because of the lack of funding. This could hurt them now that they know that someone died. Ransomware may have led to the death of a German hospital patient is the article that talks more about this very interesting story.

Want a copy but don’t want to go to the RSS feed? No problem! Use this link to download the file (136.2mb). It’ll be available for a week. Enjoy!


This week in the security landscape: news ending September 12, 2020

Welcome to the news and things I’ve been reading in the landscape within the past week. I may not have read everything I’m highlighting, especially with Trend Micro’s stuff as of late, but it is all in passing. If there is something you want me to talk about on a podcast, please let me know. Email, iMessage, text and WhatsApp are all available to each and every one of you.

Purple Fox EK Relies on Cloudflare for Stability
This article really intrigued me. Relying on a cloud provider for stability is smart for a piece of software that is already marked as trouble. The delivery methods of this particular malware are interesting to say the least, and I found the read quite interesting.


Hartford Public Schools delay reopening amid ransomware attack
If this year hasn’t been bad enough, one school can’t even get started because they were hit with a ransomware attack.

Hartford was responsible for a lot of the research in regards to the COVID-19 pandemic we continue to fight through; couple that with a dose of ransomware, and they’re having a hard time. 18,000 students in the district from pre-kindergarten through the 12th grade need to be notified of the delay, which I hope isn’t long.


Staffing firm hit by Ransomware, bad news for employees
If this is not bad enough with the story above, my blog post talks about another ransomware family I believe I’ve read about once. This ransomware is called REvil. The R is capitalized, and the first letter of Evil is capitalized, and it is really bad. It did some serious damage and is worth the read.


Patch Tuesday is here, it’s time to update
September Patch Tuesday has come and gone. Have you updated? We’ve got another month where there are over 100 patches; we approach 130 patches, to be certain. This can’t be good, and I fear it is only going to get worse. I link to several articles where you can read more.


Did you know there are tricky forms of phishing?
This blog post is in the form of a question for a reason. I blogged about a very interesting article talking about the different types of phishing going around nowadays. This blog post talks about form creation tools such as Google Docs. I believe it’s well worth the read. The article highlights 13 different sites, including Google. They aren’t alone in this, and the article talks about the problem we now face with simple tools like these.


The Security box, podcast 9: Typosquatting and more
Typosquatting has been known about for a while, and as I did the podcast on a Tuesday this past week, maybe you didn’t catch the program. We link to various typosquatting articles that came out, and it looks like it will be part of the phishing arsenal for some time to come.
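Since typosquatting is going to stay in the phishing arsenal, the practical defence is to know which look-alike domains attackers could register against your own. The block below is an added example written for this post, not code from the podcast or any of the linked articles. It generates the common typosquat classes for a domain (omitted, doubled, transposed and adjacent-key characters, digit-for-letter look-alikes, hyphen and dot insertion, TLD swaps) and flags which of them show up in a list of observed domains. The observed list, the domain name and the neighbour/homoglyph tables are constructed for the example; in practice the observed list would come from a certificate-transparency or passive-DNS feed.

```python
"""Generate typosquat candidates for a domain and flag observed look-alikes.

Added example, not code from the blog or the linked articles. The sample
domain, OBSERVED_DOMAINS and the substitution tables are constructed here.
"""

# Keys physically adjacent on a US QWERTY layout (constructed, not exhaustive).
QWERTY_NEIGHBOURS = {
    'a': 'qwsz', 'b': 'vghn', 'c': 'xdfv', 'd': 'serfcx', 'e': 'wsdr',
    'f': 'drtgvc', 'g': 'ftyhbv', 'h': 'gyujnb', 'i': 'ujko', 'j': 'huikmn',
    'k': 'jiolm', 'l': 'kop', 'm': 'njk', 'n': 'bhjm', 'o': 'iklp',
    'p': 'ol', 'q': 'wa', 'r': 'edft', 's': 'awedxz', 't': 'rfgy',
    'u': 'yhji', 'v': 'cfgb', 'w': 'qase', 'x': 'zsdc', 'y': 'tghu', 'z': 'asx',
}

# Characters or pairs that read alike in many fonts (constructed list).
HOMOGLYPHS = {
    'l': ['1', 'i'], 'i': ['1', 'l'], 'o': ['0'], 'e': ['3'], 'a': ['4'],
    's': ['5'], 'm': ['rn'], 'rn': ['m'], 'w': ['vv'], 'vv': ['w'],
    'd': ['cl'], 'cl': ['d'],
}

# TLDs attackers commonly swap in, including truncations of ".com".
ALT_TLDS = ('com', 'net', 'org', 'co', 'cm', 'om')


def split_domain(domain):
    """'paypal.com' -> ('paypal', 'com'). Assumes a single-label TLD."""
    label, _, tld = domain.lower().rpartition('.')
    return label, tld


def typosquat_candidates(domain):
    """Return the set of full look-alike domains for `domain`, excluding itself."""
    label, tld = split_domain(domain)
    labels = set()
    n = len(label)
    for i in range(n):                        # omission: paypl
        labels.add(label[:i] + label[i + 1:])
    for i in range(n):                        # repetition: paypall
        labels.add(label[:i] + label[i] + label[i:])
    for i in range(n - 1):                    # transposition: payapl
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):            # fat-finger: paupal
        for alt in QWERTY_NEIGHBOURS.get(ch, ''):
            labels.add(label[:i] + alt + label[i + 1:])
    for src, repls in HOMOGLYPHS.items():     # look-alike glyphs: paypa1
        start = label.find(src)
        while start != -1:
            for r in repls:
                labels.add(label[:start] + r + label[start + len(src):])
            start = label.find(src, start + 1)
    for i in range(1, n):                     # separator insertion: pay-pal, pay.pal
        labels.add(label[:i] + '-' + label[i:])
        labels.add(label[:i] + '.' + label[i:])
    candidates = {lab + '.' + tld for lab in labels if lab}
    for alt in ALT_TLDS:                      # TLD swap / truncation: paypal.cm
        candidates.add(label + '.' + alt)
    candidates.discard(domain.lower())
    return candidates


def find_lookalikes(domain, observed):
    """Return the observed domains that are typosquat candidates of `domain`."""
    candidates = typosquat_candidates(domain)
    return sorted(d for d in observed if d.lower() in candidates)


# Constructed stand-in for a certificate-transparency or passive-DNS feed.
OBSERVED_DOMAINS = [
    "paypal.com", "paypa1.com", "pay-pal.com", "paypall.com", "payapl.com",
    "paypal.cm", "example.org", "secure-paypal-login.com",
]

if __name__ == "__main__":
    for hit in find_lookalikes("paypal.com", OBSERVED_DOMAINS):
        print("look-alike registered:", hit)
```

Note what the last entry in the constructed list shows: "secure-paypal-login.com" is not caught, because it is a brand-in-subdomain phish rather than a typo of the real name. A full monitoring job pairs this generator with a substring or edit-distance check so that class of domain is not missed.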


Chinese cyber power is neck-and-neck with US, Harvard research finds
This probably shouldn’t be any surprise to anyone. With the development of the Great Firewall, well before all of this hacking, China can do practically anything. China isn’t alone, though; other nations like North Korea and Russia are also being noticed in this space. Thoughts on this one?


This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response
There are other things besides what I put here that I may not have read from Trend Micro’s blogs. The news here covers exposed Docker servers being targeted with cryptominers, an attack called Raccoon that could break TLS and let an attacker see what you’re doing, cryptominers battling each other for resources on Linux systems, Zeppelin ransomware adding a new trojan to what it already offers, and more.



There is more there than what I’ve highlighted and read, so feel free to bring out anything that fancies you for a podcast or two. Thanks for reading! Contact info is on the blog and the podcast itself. I have email, iMessage, text messaging, WhatsApp, and even a voicemail number and extension if you can utilize it.


Let’s cover news on arrests, charges, and the like

Besides the Russian hacker being found guilty for the most part in a bizarre case, we’ve got other pieces of news I didn’t talk about but have here. I could’ve put these in the blog post about that, but these are other cases.

Feds indict ‘fxmsp’ in connection with million-dollar hacking operation is a very interesting story that I almost decided not to cover. A man was charged with hacking-related crimes after an investigation into scammers targeting more than 300 different companies. The companies are throughout the world, according to the article.

Prosecutors in the Western District of Washington charged Andrey Turchin, who resides in Kazakhstan, with five felony counts in connection with a year-long fraud effort. Last known to be in Kazakhstan, Turchin allegedly sold remote access hacking tools on cybercriminal forums, typically charging tens of thousands of dollars for access to data that would cost victims tens of millions of dollars.

Turchin went by a series of aliases, including “fxmsp,” according to the Justice Department.

To see the full story, including links to other content, feel free to click on through.

The Satori botnet has been around for quite a while, and recently, an article came across my desk from Cyberscoop which is entitled New Charges, Sentencing in Satori IoT Botnet Conspiracy.

The U.S. Justice Department today charged a Canadian and a Northern Ireland man for allegedly conspiring to build botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced today to drug treatment and 18 months community confinement for his admitted role in the botnet conspiracy.

Indictments unsealed by a federal court in Alaska today allege 20-year-old Aaron Sterritt from Larne, Northern Ireland, and 31-year-old Logan Shwydiuk of Saskatoon, Canada conspired to build, operate and improve their IoT crime machines over several years.

Prosecutors say Sterritt, using the hacker aliases “Vamp” and “Viktor,” was the brains behind the computer code that powered several potent and increasingly complex IoT botnet strains that became known by exotic names such as “Masuta,” “Satori,” “Okiru” and “Fbot.”

Shwydiuk, a.k.a. “Drake,” “Dingle,” and “Chickenmelon,” is alleged to have taken the lead in managing sales and customer support for people who leased access to the IoT botnets to conduct their own DDoS attacks.

Krebs on Security goes on to talk about a third man in this group and links to other things, so for complete details, please feel free to go ahead and check out this story for all of the juicy details.

Finally, a FEMA employee is charged with something, as you’ll see in an article also written by Krebs on Security. FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy is the article.

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identity theft.

Federal prosecutors in Pittsburgh allege that in 2013 and 2014 Johnson hacked into the Oracle PeopleSoft databases for UPMC, a $21 billion nonprofit health enterprise that includes more than 40 hospitals.

According to the indictment, Johnson stole employee information on all 65,000 then current and former employees, including their names, dates of birth, Social Security numbers, and salaries.

According to the article, the suspect also made off with W-2 form data that held income tax and withholding information, which he sold on the dark web.

To learn more about the Federal Emergency Management Agency, visit FEMA on the web. The web site was searched for the URL on July 14, 2020. There may be something of interest that you can learn from the site itself.

Are you surprised that an information technology specialist is charged with this type of thing? Why or why not?

Krebs on Security also covered a very interesting story while we’re talking about arrests and other types of good news as part of this blog post. Ukraine Nabs Suspect in 773M Password ‘Megabreach’ is the article from Mr. Krebs.

I’m thinking that this must be the biggest breach to date, going all the way back to 2008, according to a short blog post I posted covering the schools.

In January 2019, dozens of media outlets raised the alarm about a new “megabreach” involving the release of some 773 million stolen usernames and passwords that was breathlessly labeled “the largest collection of stolen data in history.” A subsequent review by KrebsOnSecurity quickly determined the data was years old and merely a compilation of credentials pilfered from mostly public data breaches. Earlier today, authorities in Ukraine said they’d apprehended a suspect in the case.

The Security Service of Ukraine (SBU) on Tuesday announced the detention of a hacker known as Sanix (a.k.a. “Sanixer”) from the Ivano-Frankivsk region of the country. The SBU said they found on Sanix’s computer records showing he sold databases with “logins and passwords to e-mail boxes, PIN codes for bank cards, e-wallets of cryptocurrencies, PayPal accounts, and information about computers hacked for further use in botnets and for organizing distributed denial-of-service (DDoS) attacks.”

This is only the beginning of this one, to boot.

KrebsOnSecurity is covering Sanix’s detention mainly to close the loop on an incident that received an incredible amount of international attention. But it’s also another excuse to remind readers about the importance of good password hygiene. A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when available.

There are other links that may be of interest, and you may want to check out this story as well.

Found anything about arrests in the cybercrime field? Feel free to pass it along to me by sending an email my way. I look forward to hearing from you!


This is interesting, a study of k-12 and college breaches by the numbers

In a relatively short piece I found on Twitter, the number of breaches affecting school systems, whether colleges or K-12 schools, was a very low 135 breaches, totaling only 1.2 percent of all the breaches. Some of the breaches back then were possibly not reported. Do you know what the alarming number is this past year? 2019 was the biggest year for school systems, according to the article. 2.49 million records were taken in 2013 in one school breach alone. Want to read the alarming facts of this short read? A link to the report is also available. US K-12 and Colleges Suffered 1,300 Data Breaches in 15 Years is the article. Have fun chewing on this one!

