Ransomware Lessons

USB Hacks - @SeniorDBA

Ransomware is malicious software that attacks a computer or your entire network to force you to pay a fee (ransom) to regain access to your systems. If the fee is not paid within a set timeframe, the criminals who now have access to your systems will wipe the data. Since those systems are unavailable to your organization, most businesses are faced with a decision: pay the ransom and get back to business, or refuse to pay the ransom and risk losing customer data forever.

Like any other virus or malware, ransomware is usually downloaded from the internet, most often after clicking a suspicious link in an email or on a website.


How to disable macros in Microsoft Office

Macro Virus - SeniorDBA

Not everyone has the level of technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button. These complicated tasks might be formatting a spreadsheet, inserting a standard block of text in Word documents, etc. The problem is that malicious code, like a macro virus, can be executed automatically as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious code segments attempt to prevent users from catching on by disguising their malicious document, usually sent as an email attachment, as something seemingly routine. There are malware campaigns actively infecting user computers right now, with examples like PowerSniff! and others that have been around in one form or another for many years.

There are three things that will prevent almost 100% of all infections:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Another great way to prevent infections is to never open an attachment from an untrusted source.
  • You should also be running anti-virus and anti-malware software on your computer.

These three things will prevent almost 100% of infections.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, where you can make any changes you want and approve them by clicking OK.

Microsoft Office Trust Center - SeniorDBA
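The Trust Center steps above change a single registry value per application (VBAWarnings), and a user can change it back. The script below is an added example, not code from the SeniorDBA post: it reports the effective macro setting for Word, Excel and PowerPoint and, if you call Set-MacroPolicy deliberately, writes the same setting under the Policies key so Trust Center can no longer override it. It assumes an Office 2016/2019/365 install (registry version key "16.0"; adjust $OfficeVersion for older builds) and is run as the user being checked.

```powershell
# Added example (not the SeniorDBA post's code): audit / enforce Office macro settings.
# VBAWarnings: 1 = enable all (unsafe), 2 = disable with notification (Office default),
#              3 = disable except digitally signed, 4 = disable all without notification.
$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365; change for other builds
$Apps = 'Word', 'Excel', 'PowerPoint'
$Meaning = @{ 1 = 'Enable all macros (unsafe)'
              2 = 'Disable with notification (user can still click Enable)'
              3 = 'Disable except digitally signed'
              4 = 'Disable all without notification' }

function Get-MacroSetting {
    param([string]$App)
    # A value under Policies (pushed by GPO) overrides the user's own Trust Center choice.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $mark   = (Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    # When neither value exists, Office behaves as 2 (disable with notification).
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
    [pscustomobject]@{
        Application          = $App
        EnforcedByPolicy     = ($null -ne $policy)
        Effective            = $effective
        Description          = $Meaning[[int]$effective]
        BlocksInternetMacros = ($mark -eq 1)   # Office 2016+ "block macros from the internet"
        Compliant            = ($effective -ge 3)
    }
}

function Set-MacroPolicy {
    # Writes the policy values for every listed application; 3 keeps signed internal macros working.
    param([int]$VBAWarnings = 3)
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name VBAWarnings -Type DWord -Value $VBAWarnings
        Set-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet -Type DWord -Value 1
    }
}

# Report only; call Set-MacroPolicy yourself once you have decided on a value.
$Apps | ForEach-Object { Get-MacroSetting -App $_ } | Format-Table -AutoSize
```

In an Active Directory environment you would push the same two values through a User Configuration GPO (the Office ADMX templates expose them as "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet"); the script is then useful as the check that the policy actually landed on a given workstation.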

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack.

  • Security Training – Make sure you create a policy that outlines user responsibilities for cybersecurity. This includes being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, etc. It should also cover the risks of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it can be more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip extension.
  • Default Microsoft Office Security – Use the default setting of “High” for Macro security on all Microsoft Office applications.
  • PowerShell – Publish a Group Policy Object that restricts the use of PowerShell for most users. Allow PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected pings from internal computers and keep an eye on unusual network activity.


Enterprise Security Tips


Network security is increasingly important. Private and public enterprises have already spent billions of dollars to bolster security over the past several years, yet attackers consistently succeed in evading whatever roadblocks are erected to block their access to sensitive data.

This issue has led many organizations to embrace a simpler approach focused on securing people, processes, and technology. You shouldn’t view security functions as a nuisance, but rather as a strategic enabler of new initiatives and a way to make your company more competitive in a global market.

These simple steps might help your company return to basic security techniques.

1. Alerts and Response Documentation

The vast majority of the attacks against enterprises these days are targeted strikes carried out by organized criminal gangs, hacktivists, or nation-state actors. The random attacks of the past have been replaced by serious campaigns that are designed to carefully extract corporate information, acquire intellectual property, disclose trade secrets, and steal financial data. Rather than an old-school smash-and-grab attack, the technique most often used today is more covert, focused on siphoning large quantities of data in small, unnoticeable increments over a lengthy period of time.

With this harder to detect technique comes the need for better detection and response paired with traditional prevention. Augmenting existing log-centric monitoring with network packet capture and endpoint-monitoring technologies will enable security administrators to get a more complete picture of network traffic, allowing detection of hacker activity. Most serious administrators will use identity management, identity governance, and behavioral analytics tools to spot and limit the impact of compromised credentials and identities.

You want to document the process of detection, test that it works, and document the response to each alert.

2. Strong Network Perimeter

Traditional perimeter technologies like firewalls, antivirus tools, and intrusion-detection software still have a place in your modern enterprise security strategy. These tools work by looking for specific signatures of known viruses and other types of malware and then block the malicious programs in near real time. Most compliance requirements outline the expectations around this type of security.

Based on recent breaches at major organizations we now understand that these signature-based perimeter tools are ineffective against the highly targeted attacks of the type launched by organized and educated malicious hackers. It’s important for enterprises to view perimeter-based defenses as just one of the necessary tools of the trade from a strategic and tactical standpoint.

You want to document the perimeter security settings, test that they work, and document the response to each issue or alert that can be generated.

3. Secure Development

Common, well-understood shortcomings like SQL injection errors, cross-site scripting flaws, and broken authentication and session management functions have tripped up numerous organizations. But the recent wave of intrusions at major organizations has really driven home the need for secure code. Vulnerable applications have often provided hackers with relatively easy access to corporate networks and data, so securing them is vital to ensuring data integrity and confidentiality.

For many large organizations, manual code review would be prohibitively expensive. So a viable alternative would be to automate the code-review process by combining static and dynamic program analysis and by making the code analysis process an integral part of application development. Developers and operations teams need to recognize that security must be a shared responsibility and work to integrate controls earlier in the product life cycle.

You want to document the development security requirements, review the requirements periodically, and document the procedures to be followed with all in-scope development efforts.

4. Educate People

People are usually easier to compromise than machines. Many of the biggest attacks in recent years have started with attackers gaining entry into networks using log-in credentials belonging to legitimate users such as employees, business partners, or vendors. Hackers use well-known and effective social engineering techniques, including phishing emails, to get users to disclose usernames and passwords for accounts with access to the corporate network. The hackers then use that initial foothold to find and access critical enterprise systems and data stores. In most cases the people with access to sensitive data don’t feel personally obligated to protect system access, usually because it is seen as an IT function.

You want to provide formal education to all in-scope users, review the training periodically, and document who has received the training as part of new-hire onboarding or required annual re-training.

5. Secure Business Processes

Process and procedure mistakes can compromise corporate security technology. Written policies and procedures, communicated and enforced, can help reduce errors where sensitive data is emailed to vendors, shared on personal hard drives, or uploaded to shared internet drives.

This could also include having third parties and security firms come in periodically to do penetration tests and mock attacks where nothing is off limits. These requirements should probably also be pushed out to all vendors and suppliers, so that they implement the same controls whenever they have access to your sensitive data.

You want to create and maintain written policies and procedures, review the documentation periodically, and verify the requirements are being followed through testing and training of employees.

Windows Power User Setting


The default setting in Windows is to hide known file extensions. Unfortunately, hiding extensions makes many users more vulnerable to viruses and Trojan horses that can compromise the entire network. The problem is that through phishing attacks and other means, hackers may send files that look like harmless PDFs or images but are actually executables. The attacks are more successful because Windows allows files to appear with icons normally associated with other kinds of files, regardless of the extension. But if the user saw the actual file extension, they might be less likely to click on the file.

With Active Directory, you can use GPO to force all machines to show file extensions. (Although users may change the settings, they’re reset when the GPO refreshes.) Just set the folder options for all users with the following steps:

  1. Run gpedit.msc or go to Start menu | Programs | Administrative Tools | Group Policy Management
  2. Go to User Configuration | Preferences | Control Panel Settings.
  3. Right-click and create a new folder option with the hide extensions option unchecked.
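Two checks that go with the GPO above, as an added example that is not part of the original post: the first reports whether Explorer is still hiding extensions for the current user (the HideFileExt value the folder-option preference sets to 0), and the second scans a folder for the file names that rely on that behaviour, a document-looking name followed by an executable extension, which Explorer shows as just "invoice.pdf" while extensions are hidden. The demo folder and file names are constructed for the example; the executable and look-alike extension lists are my own choice and can be extended.

```powershell
# Added example (not the SeniorDBA post's code).

function Test-ExtensionsHidden {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    # Windows default is 1 (hidden); the GPO described above forces it to 0.
    return ($val -ne 0)
}

# Extensions Windows will execute, and the "harmless" types they are commonly paired with.
$ExecutableExtensions = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.ps1'
$DocumentLookalikes   = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt', '.zip'

function Find-DisguisedExecutable {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $realExt = $_.Extension.ToLower()
        # The name Explorer shows with extensions hidden: the last extension stripped off.
        $shownName = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
        $innerExt  = [System.IO.Path]::GetExtension($shownName).ToLower()
        if ($ExecutableExtensions -contains $realExt -and $DocumentLookalikes -contains $innerExt) {
            [pscustomobject]@{ File = $_.FullName; ShownAs = $shownName; ActualType = $realExt }
        }
    }
}

# Constructed demo: a scratch folder with harmless empty files, two of them disguised.
$demo = Join-Path $env:TEMP 'ext-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'report.pdf', 'invoice.pdf.exe', 'photo.jpg.scr', 'notes.txt' | ForEach-Object {
    New-Item -ItemType File -Path (Join-Path $demo $_) -Force | Out-Null
}

"Extensions hidden for this user: $(Test-ExtensionsHidden)"
Find-DisguisedExecutable -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Pointed at a user's Downloads folder or a mail attachment quarantine instead of the demo directory, Find-DisguisedExecutable gives the help desk a quick way to show why "the PDF that would not open" was really a program, and Test-ExtensionsHidden is a cheap compliance check that the preference actually reached the machine.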

If you’re given a requirement from management to force users to hide extensions, it may be a good idea to explain why doing so is not only a potential productivity killer, but a security risk as well. As a professional IT member, your job is to provide information on how to avoid these potential security risks.

How bots and zombies work, and why you should care


If you don’t read the Naked Security blog, you should. They have great security-related information and news, and the site is regularly updated as world events change or threats become more serious. Paul Ducklin has an article on bots and zombies, how they work, and why you want to make sure they don’t exist on your system.

Some malware is pre-programmed for one specific criminal act, such as ransomware that scrambles your data and demands a fee to get it back.

But most bots or zombies are kitted out with a wide range of “features.”

Any of these can be controlled across the internet by a crook.

Common crimeware functions built into bots include:

  • Logging your keystrokes to steal online usernames and passwords.
  • Searching through your files for interesting data to steal.
  • Tricking you into clicking on ads to generate pay-per-click revenue.
  • Posting “recommendations” for your friends on your social networks.
  • Acting as a proxy, or relay, and charging rent to other crooks so they can use your internet connection to cover their tracks.
  • Mapping out your network from the inside to assist with future attacks.
  • Attacking other people’s websites, making you look like the crook.
  • Sending out spam, often in vast quantities.
  • Updating the running malware to add new features and stay ahead of your defences.
  • Downloading more malware at the whim of the crook who is in control.

The last function, downloading more malware, is the reason why it is difficult to give an exhaustive list of what might have happened to your computer while it was infected. The controlling crook, known as a bot-herder or botmaster, can add and remove other malware programs at will.

The reason why a zombie can do all of these things without you realising is, quite simply, that you could do any or all of them yourself if you wanted.