
DeckerWright Corporation Blog

DeckerWright Corporation has been serving the Red Bank area since 1984, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Social Engineering: The Human Resources Department

Criminals using social engineering techniques have been able to initiate attacks against HR departments via carefully crafted emails. The criminals use marketing techniques to identify HR professionals within a company. Once the criminals have the HR professional’s name and email address, they craft an email that looks legitimate enough to slip through spam filters and cause the HR professional to click. 

The two most common emails we have seen targeting HR professionals contain either a fake resume or a fake invoice for services provided. The links or attachments within the email cause malware to be installed on the HR professional’s computer when clicked or opened. The emails look and sound like they are real, so if the HR professional isn’t careful, they can make the click that starts the attack. Normally these attacks install Ransomware that encrypts all of the files the software can reach from the HR professional’s computer. 

Another recent trend was targeting HR with false requests for W-2 copies. By spoofing an employee’s email, criminals request a copy of the unsuspecting employee’s W-2 from the HR department. If the HR professional makes a copy of the W-2 and responds to the request, the W-2 copy is sent to the criminal–along with the employee’s payroll information, including social security number. With the stolen information, the criminals can establish credit lines in the employee’s name. As the keepers of sensitive employee information, HR professionals are prime targets for cyber-attacks.

Here are some tips on how to prevent these types of attacks:

  • Use a third party spam filter to catch suspicious emails before they reach the HR professional
  • Use a third party spam filter that checks every link in an email
  • Use a DNS service that screens web sites before allowing connections
  • Keep anti-virus and malware software updated
  • Invest in periodic training of the staff on Cyber Crime
  • Review file permissions so the HR professionals can only access what they need, which will prevent Ransomware from encrypting every file during an attack

The last and most important line of defense against these attacks is a trained and suspicious HR professional that deletes any emails that may have even the slightest chance of being malicious.

Click HERE for more information.


Social Engineering: Attack on Finance

Earlier this week I attended my quarterly peer group meetings.  At the meeting, one of the attendees shared a recent security event that had significant financial consequences for one of their clients.  The client was tricked into wiring several HUNDRED THOUSAND dollars to a bank account under criminal control. 

How did the criminals pull off this robbery? In doing forensics on the security event, the IT company was able to identify a phishing email that tricked the client into entering their email login and password for Office 365. The phishing email was targeted at the Chief Financial Officer (CFO) of the company. When the CFO entered their credentials into what appeared to be a Microsoft email request, the criminals made a copy of the CFO’s credentials. After gaining the credentials, the criminals periodically logged into the CFO’s email account, watching for a legitimate Electronic Funds Transfer (EFT) transaction to be scheduled. When they noted a transfer about to take place, the criminals “spoofed” the email that contained instructions to the CFO on where to wire the funds, substituting the criminals’ bank routing and account information for the vendor’s information. The CFO believed the bank information was from their vendor, dutifully updated the EFT information and transferred the funds. By the time the CFO and vendor realized the funds hadn’t been transferred, and the CFO followed up with their bank, the funds had moved to and from the criminal’s bank account. In other words, the money was gone.

This attack illustrates the increasing level of sophistication and direct marketing techniques criminals are employing to trick their victims into costly mistakes. Using social engineering techniques, the criminals identified the target, created a plausible phishing email to cause the CFO to enter their credentials, and then used their knowledge of the business and bank wire transfer procedures to execute their criminal plan. The criminals had knowledge, patience and a plan – in this case causing a costly security event.

Best practices to avoid this problem:

  • Use a third party spam filter to catch suspicious emails before they reach their targets.
  • Use a third party spam filter that checks every link in emails.
  • Use a DNS service that screens web sites before allowing connections.
  • When doing EFTs or wiring funds, call the receiving party to confirm the bank information verbally before hitting the send button.

Click HERE for more information.


I got a spam email...from my Pastor!

The other day I received an email from my pastor, which is not unusual; I'm fairly active in my church and we do occasionally communicate electronically. What struck me as odd was the email itself. This email is below:

Subj: HELLO

How are you?

I need a favor from you, please email me back as soon as possible.

Hope to hear from you soon.

Thanks,

Pastor

Did anything stick out to you? Here's what made my spidey-senses tingle:

  1. The Subject. I'm fairly certain that he wouldn't send an email with a subject like "hello", especially written out in all caps.
  2. The Content. Normally he addresses the recipient by name and he signs off with his own name. No names were used in the email. The email was also too vague. He would have explicitly stated and explained his request.
  3. The "From" Email Address. It was wrong. Simple as that.

I reached out to him at his real email address asking if he sent that email (it's a pretty weird feeling asking your pastor if he sent you spam). Lo and behold, he did not send it; it was fake. Minutes later the church sent a mass email alerting members that the pastor's email account was hacked and to not respond to emails from that particular address. How perfect is it that I receive a social engineering email just as Marshall starts his blog series on social engineering?

Hackers and data thieves are sneaky, and they're becoming sneakier. They're constantly seeking ways to trick you into giving them what they want. Masquerading as someone like a pastor is a slick move. See, it's all about trust. If the hacker can make their request seem like it's coming from someone you trust - a friend, family member, pastor - you're more likely to respond. After all, how could you ignore a request from your pastor?

You need to know the person the email is coming from. Does the email look and is it written like other emails they have sent? Is their email address correct? If any bit of the email doesn't align with what that person normally sends, ask them (via another email address or phone call) if they sent it. Do NOT respond to the email. If it's legit, you're okay. If it's not, delete the email and alert them that they have been hacked.

Hackers are becoming far too crafty and hacks are occurring far too often. It's sad that skepticism is the lens through which we must view emails from peers, but that's the unfortunate reality of the age in which we live. When it comes to the web, you need to take everything with a grain of salt. Even if it's a pastor asking for a favor.
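The checks described in this post (a familiar name on an unfamiliar address, an odd all-caps subject) and the spoofed W-2 request from the HR post above can be automated as a first pass before anyone replies. The following is an added example, not code from DeckerWright; the contact list, names, addresses and both messages are constructed, and it assumes your own mail gateway stamps an `Authentication-Results` header.

```python
"""Sender checks for inbound mail. Added example: names, addresses and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: an address book of people the recipient already corresponds with.
KNOWN_CONTACTS = {
    "pastor smith": "pastor@church.example",
    "jane doe": "jane.doe@corp.example",
}
# Only trust an Authentication-Results header stamped by your own mail gateway.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
FAILING = {"fail", "softfail"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Return findings that mean: verify by phone or a known-good address, do not reply."""
    msg = message_from_string(raw_message)
    findings = []

    # A trusted display name on an address we have never seen for that person.
    display, address = parseaddr(msg.get("From", ""))
    known = contacts.get(display.strip().lower())
    if known and address.lower() != known:
        findings.append("display-name-mismatch")

    # A spoofed From still needs the reply to reach the criminal's mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(address):
        findings.append("reply-to-redirect")

    # SPF/DKIM/DMARC verdicts recorded by the receiving server.
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, result in AUTH_RESULT.findall(header):
            if result.lower() in FAILING:
                findings.append(f"{mechanism.lower()}-{result.lower()}")

    if msg.get("Subject", "").isupper():
        findings.append("all-caps-subject")
    return findings


# Constructed message modelled on the "HELLO" email quoted in this post.
PASTOR_LOOKALIKE = """\
From: "Pastor Smith" <pastor.smith.office@freemail.example>
To: member@church.example
Subject: HELLO

How are you?
I need a favor from you, please email me back as soon as possible.
"""

# Constructed message modelled on the spoofed W-2 request sent to HR.
W2_REQUEST = """\
From: "Jane Doe" <jane.doe@corp.example>
Reply-To: jane.doe@mailbox.example
To: hr@corp.example
Subject: Copy of my W-2
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example;
 dkim=none; dmarc=fail header.from=corp.example

Please send me a copy of my W-2 today.
"""

if __name__ == "__main__":
    for name, raw in (("pastor", PASTOR_LOOKALIKE), ("w2", W2_REQUEST)):
        print(name, check_sender(raw))
```

An empty result is not proof that a message is genuine: a compromised real mailbox passes every one of these checks, which is why the out-of-band confirmation still matters.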


Social Engineering: Marketing...Getting the List

One of the great advances in cyber-crime of the past five years has been the utilization of “big data” to target market victims. You can think of the marketing similar to how businesses would look at segmenting a market. Attacks can be “horizontal”, “vertical” or “targeted” in approach. By using publicly available information and their own data stores, criminals are able to segment the market and use marketing techniques to trick victims into clicking.

Data sources for the attacks include LinkedIn, Google, Facebook, Hoovers, and dark web data sources. There are third party apps that gather data through data sharing agreements with all of the big data gatherers and reconstitute the data in more usable forms. For example, it isn’t easy to pull a list of all the employees in the US that have the title Human Resource Manager from LinkedIn. Using an app like Growbots, that data is just a few clicks away. The demographic data obtained would include name, title, address, phone number, and e-mail address. As the criminal works through their marketing campaign, they determine what type of attack they are going to initiate, and then begin the work of gathering data. For horizontal campaigns, the criminals target a specific department most companies have, like Human Resources or Accounts Payable, and get a list of managers for that department. For vertical campaigns, the criminals may select an industry, like healthcare, and get a listing of doctors and practice managers. Examples of horizontal and vertical attacks include Ransomware attacks across many departments and businesses around the globe.

State sponsored criminals are more likely to target specific companies. These companies would be of interest for military purposes, financial gain, or for top-secret information. In targeted attacks, criminals will also use physical access to the target’s offices to look for clues on how to penetrate defenses. Yes, dumpster-diving is alive and well even in this high-tech age. Criminals will pretend to be employees or vendor service representatives to gain access to facilities in search of login credentials for future attacks. In order to spend the time and resources for physical attacks, the data to be obtained has to be of very high value. The Wall Street Journal recently reported that public utilities had recently discovered they had been breached and that criminals had the ability to impact the delivery of services. Other examples include the attack by North Korea on Sony after the release of a motion picture critical of the North Korean leader. 

The question isn’t whether your company has been the target of a cyber-attack. The question is whether your company has technology in place to stop successful attacks and whether your employees are trained to be on guard against the well-crafted marketing campaigns of criminals. Without these measures in place, it's only a matter of time before cyber-criminals compromise your business.

Click HERE for more details on target marking.


Social Engineering Series: How does Malware get installed?

Different articles in this series discuss how criminals use social engineering to target their victims. The end result of an attack by criminals on your computer is the installation of malware that can perform tasks silently in the background. This article focuses on how the software gets delivered for installation.

Most attacks today rely on a user doing something to initiate the software installation. Here are the primary ways the installation of malware is initiated:

  • Clicking on a link to a website where the malware gets installed on the computer.
  • Clicking on an attachment document containing malware or on a link to get malware embedded as a macro.
  • Having a "trusted" support person install the malware during a support session.
  • Direct installation by a criminal's technical support following a successful security breach.
  • Automated installation over a network exploiting weak security and poor patching procedures.
  • Physical installation from CD/DVDs or USB drives.

Each different attack initiated by a criminal combines elements of marketing, sales, and technology to distribute the malware. For example, if the criminal has expertise in email marketing campaigns, they would use either the website link or the attached document method to distribute the malware. A different approach would be if a criminal had access to a call center where a carefully crafted script tricks users into allowing a remote session with one of the criminal’s agents. Remember those phony calls from “Windows support” we warned you about? In this case, the agent simply installs the software as part of their support work. Another common method uses compromised remote access systems for the criminals to gain access directly to the remote systems to install software.

Whether the attackers are state sponsored or are criminals trying to steal money or resources, they use the same tactics to install malware on the victim’s computers. The weakest links in a company’s network defenses are its employees; users can be tricked using social engineering techniques. Once the employee is tricked to click, the methods for delivering and installing the malware are well established.

Click HERE for more details.


What should you look for in a personal computer?

You might wonder what I (an “IT professional”) use as a personal computing device. It’s a valid thought since I do have a better idea of what to look for in a PC than the average user. I have two laptops: a 13-inch MacBook Pro and a 17-inch HP Envy. Because I only recently learned how to use my Mac, I’ll save it for another time and make the HP the focus of this article.

Let me start by saying that processor and RAM alone don’t make a computer fast. The hard drive also plays a major role in the machine’s overall performance. Optical hard drives (those with spinning disks) are slower than solid-state hard drives and are often the reason a computer bogs down, even if the computer has a fast processor and oodles of RAM. When buying a PC, take the hard drive into consideration. Solid-states are fast and work well as operating system drives, whereas optical drives are great for storage (the higher the RPM, the better). Keep in mind, too, that when it comes to hard drives, larger does not necessarily mean faster.

I purchased my Envy with 16 gigabytes of RAM, an Intel i7 processor, and a 1 terabyte optical hard drive. It’s certainly not lacking for performance, though the hard drive is the weak link in the chain; it can’t keep up with the rest of the computer. I would rather have the operating system running on a faster solid-state hard drive and use the optical drive for storage. The Envy also has a touch screen and can double as a large tablet, though I have little need for that functionality. If you don’t need a touch screen, don’t bother with one.

So what should you look for in a computer? Like shopping for a car, it depends on the intended use. You don’t need 16 gigs of RAM to surf the web in much the same way you don’t need 650 horsepower to cart you 3.2 miles to the grocery store for a pint of milk. If the PC’s primary function is web browsing and emailing, your main concern should, obviously, be your internet speed. Slow internet will be slow no matter what your computer is packing under the hood. 4 gigs of RAM and an i3 processor are plenty for web surfing. Processor and RAM really only become a concern if you plan on using your PC for anything other than buying things on Amazon. In that case, look for something with a minimum of 8 gigs of RAM, at least an i5 processor, and a solid-state hard drive.

I’m not a gamer, but I do know that, for a lag-free gaming experience, you need excellent video cards. An abundance of RAM and a hefty processor also help, but the real money in gaming setups goes toward the video cards. If you are a gamer, or if you do 3D modeling, make sure you find a PC with a serious graphics card in addition to RAM and a fast processor.

Here’s one specification that matters regardless of the computer’s intended use: 64-bit. You want a 64-bit machine, not a 32-bit one. Don’t worry about what all that means, just know that 64-bit is good.

As with any other large purchase, do your homework before you buy. Compare offerings from different brands, read reviews, etc. In terms of computer brands, my personal preference is HP, though offerings from Lenovo, Dell, Asus, and Acer are safe bets, as well. Go to a store and physically look at the computers you’re interested in. How do they look and feel? Are they too big or too small? Are they too heavy? All of those questions can be answered by viewing the devices in-store.

Where did I get my computers? Best Buy. Before I purchased the Mac and the Envy, I did research online and found a few models that I liked. Then I went into the store to put my fingers on them, and that little “test drive” ultimately guided my final selection.

So, in summary:

  • Identify the computer's purpose, then set a budget.
  • Do your homework and "test drive" your options.
  • Don't buy more computer than you need - you can always upgrade later.

Social Engineering Series

DeckerWright Corporation will be kicking off a series of articles documenting various types of Social Engineering attacks being undertaken by criminals to compromise your business and your personal finances. The widespread availability of the internet has allowed criminal groups from around the world to target any entity that may have money, data or resources of interest. What do you possess as a business that criminals want? An obvious prize is any cash you may have. Depending on your business, hackers can also target client information including names, addresses, credit card information, health insurance information, and security information. If you are a high-tech company, criminals may be trying to gain access to any intellectual property or proprietary processes you may have. For companies dependent on technology (everyone), criminals can assess the nature of your network, disable it, and demand a ransom. Ransomware is the most documented example of this type of exploit, but new exploits focused on the Internet of Things (IoT) are becoming more popular. Even your computing and network resources have a value in today’s dark web. 

Who are the criminals? Some nation-states like North Korea and Iran use cybercrime as a source of funding for their government. Criminal groups thrive in African and eastern European countries where they can easily pay off local officials and law enforcement for immunity from prosecution. The theft is from “rich” countries, so the cyber-criminals in poor countries are treated like Robin Hood. Cyber criminals are also at work in the United States. Cybercrime efforts are well funded from other criminal enterprises. Organized crime has entered cybercrime as a new source of revenue and profits as other sources of revenue, like gambling and marijuana sales, are being legalized. Relatively easy to start, hard to prosecute, and very lucrative, cyber-crime is primed for rapid growth.

Social Engineering has emerged as one of the fastest growing threats facing businesses today. Driven by Voice over Internet Protocol (VoIP) phones, cheap and fast internet around the world, and vast data sources of information, criminal enterprises are starting to use advanced marketing practices to target businesses.

The series of blog posts will focus on specific social engineering strategies we have identified that criminals use to gain access to the resources they are interested in.

Click HERE for more information on Social Engineering.


Driving the Future

I drove the future. Well, only for about six minutes. A couple of weeks ago I was fortunate enough to spend a sunny Friday morning thrashing about in a selection of very fast (and very expensive) BMWs. Among the various flavors of M-badged vehicles at our disposal was a topless bronze-colored example of BMW’s plug-in hybrid sports car, the i8. The car looks like it drove straight out of a sci-fi movie. Visually, the i8 is a stunner: low, wide, and mean, with bulging fenders and a body sculpted by gracefully flowing air channels and ducts. Lower the convertible top and my goodness. Science never looked so good. 


Living with 1,000 emails a day...

Throughout the course of a normal day, I receive about 1,000 emails. Having had my email address for the past 25 years, I must be on every possible email list. Friends and business associates complain that I take forever to respond to email, but just finding the email to respond to it is a task. On any given day, I author between 50 and 100 emails. 

In an effort to be efficient with email, I employ several spam filters combined with Outlook rules to “triage” inbound emails to make it more manageable. My first line of defense is ProofPoint. A cloud based service we employ for all of our clients, ProofPoint is able to stop my unsolicited spam in the cloud before it reaches my inbox. ProofPoint eliminates about 50% of my inbound email flow. 

My second line of defense is the Outlook Junk folder. I religiously put vendor solicitations in the junk folder to help clear my “inbox”. On any given day, between 100 and 200 emails get corralled in my junk folder. Items in the junk folder get deleted once a week.

The last step in my email triage process is the use of several hundred Outlook rules that sort the emails into several hundred folders that are set up in Outlook. On a daily basis, 300 to 400 emails are processed by these rules. The folders are grouped into folders for Clients, DeckerWright staff, and Vendors. Emails going into client folders get attention first, followed by staff and vendors. Emails that don’t fit any of the rules are automatically placed in the Deleted Items folder. The Deleted Items folder serves as my “inbox”. I check the Deleted Items folder throughout the day, moving good emails to the right folders, and deleting the remainder. If I am not expecting an email, this is where it can get lost. Luckily, Office 365 maintains deleted emails for about three weeks, so as long as I am made aware that someone sent an email, I normally can find it.

Despite the rise of instant messaging, chat systems and other collaboration systems, email remains one of the most important methods for conducting business communications. How one manages this valuable tool will have a direct impact on their business.

Click HERE to watch a video on recovering deleted emails.


Long File Names Causing Problems

Having started using computers when file names had to be no longer than eight characters, a dot, and three characters for an extension (12 total characters), I have never personally experienced any issues with long filenames. Unfortunately, many of our clients weren’t forced into using short file names at an early age and as a result are bumping into some settings built into Microsoft’s operating system.

A legacy setting in Microsoft operating systems, MAX_PATH, has been causing an increasingly common problem for our clients. With Windows 95, Microsoft introduced the ability to create long file names. Then and now, there was an absolute limit to the length of a file name which includes the entire file path. Since from the operating system’s perspective the file name includes the entire path (e.g., c:\folder1\folder2\folder2\folder3\folder4\word.docx), users have been routinely exceeding the long file name length. 

Several factors are exacerbating the problem. In Windows 10 and Server 2016, the MAX_PATH value of 260 characters has been removed. In the typical mixed operating system environment we see, the removal of this MAX_PATH value has caused major headaches. When copying or moving files between Windows 10 and older operating systems like Windows 7 or Server 2008, the process often fails. Compounding the problem, many of the most common tools for moving files – like File Explorer, copy, and xcopy – only support the 260 character maximum. This has been a particular pain point for DeckerWright Corporation during server upgrades requiring the migration of thousands of files between old and new systems. 

The unfortunate reality is that we are several years away from being able to name files to the maximum allowed value of 32,767 characters. Older operating systems will need to be retired, and Microsoft will need to upgrade its built-in functions to support long file names. Once these steps are taken, applications that use these functions will need to be re-written to be compatible with the new maximum file name length – no small task. 

What do you do in the meantime? Here are some tips for how to stay within the 260 character maximum file name length:

  • Keep folder names short, six characters or less. Since folder names get added to the filename character count, the effect of a long folder name gets multiplied across every file within it.
  • Flatten directory structures and keep them no more than three deep. Again, every successive folder name in a path adds characters (including the back slashes) to the filename. Keeping the hierarchy of folders flat helps to reduce the file name length.
  • Use shorter file names. The most common problem we see is clients using long names, such as full postal addresses, for folders and filenames. The extra-long names are meaningful, but quickly eat up the 260 character maximum. Either use shorter client names or use abbreviations to keep file names short, no more than 20 characters.

By combining shorter folder names, fewer layers of folders, and more intelligent and shorter file names, everyone should be able to survive until operating systems and tools catch up to long file names.

CLICK HERE FOR MORE DETAILS ON LONG FILE NAMES
