Tag Archives: opsec

Scams and Fraud: How Business Owners Can Avoid All Forms of Attack

Today’s guest post was submitted by Dean Burgess from Exitepreneur. Thanks, Dean!


Scams and fraud perpetrated by thieves who want to gain access to a company’s data or content cause millions of dollars of loss each year for businesses large and small. Sadly, no matter how many precautions you take against it, it’s likely that you’ll face some form of theft over the course of your company’s lifetime. With advances in technology happening every day, scammers have many more tools than they used to, making access to your computers and payment systems much easier. When this happens, private and sensitive data can be breached, leaving you responsible for large sums of money and breaking the trust you’ve built with your client base.

Fortunately, there are things you can do to avoid some of these scams and ways you can protect yourself against being hit again if you’ve already suffered an attack. It’s important to take a look at the way your company does business, and that includes determining who has access to sensitive materials such as credit card numbers and email passwords. Even if an employee isn’t purposely being dishonest, they may be playing an unsuspecting role in allowing others to gain unrestricted access to your system and data.

To keep your company and customers safe, here are a few things to consider.

When Phishing Results in a Big Loss

Phishing scams, which are perpetrated by email and used by scammers to gain information about a business that they can exploit, can result in huge losses. Unfortunately, if your company is a small one, this can mean big trouble. If you’ve been the victim of a phishing scam, it’s a good idea to go with a professional tech support company like Secure Data Recovery to help you recover that data. This is the best option when you need to get back up and running in a short amount of time. When your business is small, that time can be crucial to minimizing loss.

Train Your Employees

It’s imperative to make sure that your employees are well-trained and thoroughly understand how to spot a scam, especially the employees who have access to your company’s email address. These emails can be difficult to spot if you aren’t sure what to look for, so it’s a good idea to make sure your business email is with a reputable and secure provider. This way, many of these email scams will be caught before you ever see them. Of course, they can still get through, so teaching your employees what to look for will be essential. Grammatical and spelling errors are a major red flag, as are emails that are not specifically addressed to someone at the business.

Stay Up on the Trends

There are always new and inventive scams making their way around the web, and for this year, the ones to look out for include emails informing you that a certain account has had a suspicious login or that your account has expired. When you click the link they provide, you’re actually taken to a faux page that records your information. You should also be on the lookout for text messages and messages within apps; fraud can occur here, too.

Don’t Be Intimidated

One common form of fraud that many business owners have faced recently is an email or visit from a pushy salesperson who insists that someone from the company ordered supplies that must be paid for. Some will call a company claiming to be with Google and try to intimidate an employee into sending them payment in order to have the company show up in searches. Don’t let these scammers intimidate you! Train your employees to recognize a fraudulent claim, and let them know what to do in the event that they are the victim of one.

Scams and fraud are more common than many business owners may know, so it’s important to remember that just because you haven’t been hit before is not a guarantee that you never will be the victim of a crime. Training your employees well and taking precautions will help you keep your company — and your clients and customers — safe.

CMS-DH Admin Login Bypass

BACKGROUND

This information is also available on Github.

CMS-DH is an old generic application created for resale, probably by Dahua or one of its divisions. It is used to control Digimerge security cameras. Now Flir owns Digimerge and everybody wants to forget this software exists. In reality it doesn’t matter and I don’t really care. There are configuration entries to change the name of the application in toolbar menus, so that should give you an idea of how generic it was meant to be.

If you lose access to CMS-DH it can be extremely difficult to connect to the DVR and make changes to it. The documentation for Digimerge hardware is practically non-existent, and the company itself doesn’t exist anymore (now absorbed into Flir Security, who don’t even have a TLS cert on their security-centric website). The lack of information presents a problem that is compounded by the fact that there seem to be different versions of documentation out there for the Digimerge equipment and not many of them seem to have accurate or useful information.

Luckily, the hardware uses CMS-DH to make configuration changes from a computer. CMS-DH is what I like to call “third world software,” meaning that it was written without any consideration for security, nobody wants to own support for it, and it hangs all its secrets out there in the open.

GAINING ACCESS

This hack was tested to work with the following versions, although I’m not sure of a way to find this info until you log in at least once:

App Version: 1.8.8.24

Service Version: 1.8.8.10

Codec Version: 3.0.2.3

Download Dll Version: 3.0.0.1

CMS-DH stores configuration data in C:\Users\USERNAME\Documents\CMS-DH. The “.ems” files in this folder contain the configuration data for CMS-DH and can be opened in Notepad or any other text editor.

In order for the hack to work, you must have a copy of CMS-DH installed and configured with devices and an admin connection to a DVR. This hack will only give you access to CMS-DH. If CMS-DH is connected to devices (using the device password) you will have access to those devices once you gain access to CMS-DH. If CMS-DH is not connected to any devices this won’t get you anywhere. This hack is only valuable on a pre-configured CMS-DH that you do not have credentials for.

To gain access to CMS-DH without valid login credentials you must open “registry.ems” with a text editor and locate the “PASSWORD=” line.

The “PASSWORD=” line contains the user password in hashed form. If you look a little further down you’ll see another line that starts with “LOGINAC=” followed by a plain text username.

Start by backing up “registry.ems” and then wipe out the hashed password string from the “PASSWORD=” line. So “PASSWORD=54883fsdf83nn2nb4” would become simply “PASSWORD=”. Save the file and launch CMS-DH. It will start the application and bypass the login screen.
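From the defender's side, the same file format gives you a cheap tamper check: a registry.ems whose “PASSWORD=” line is blank is exactly the state the bypass leaves behind, and the file's hash can be compared against a known-good copy. The following audit script is an added example, not code from the original post or from CMS-DH's vendor. It assumes only what the post states (plain-text .ems files, a “PASSWORD=” line holding the hashed password, a “LOGINAC=” line holding a plaintext username); the parser, the function names, the filler keys in the sample files and the baseline-hash idea are this example's own.

```python
"""Added example (not from the original post or CMS-DH's vendor): audit a
CMS-DH configuration directory for the blanked-password tampering described
above and for drift from a known-good registry.ems."""
import hashlib
import tempfile
from pathlib import Path

# Constructed sample contents. The hash string is the one quoted in the post;
# VERSION= and SKIN= are made-up filler keys, not real CMS-DH settings.
SAMPLE_INTACT = "VERSION=1\nPASSWORD=54883fsdf83nn2nb4\nSKIN=default\nLOGINAC=admin\n"
SAMPLE_TAMPERED = "VERSION=1\nPASSWORD=\nSKIN=default\nLOGINAC=admin\n"


def parse_ems(text):
    """Parse KEY=value lines into a dict. First occurrence of a key wins and
    keys are upper-cased so 'Password=' and 'PASSWORD=' compare equal."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().upper(), value.strip())
    return entries


def audit_ems(text):
    """Return findings for one .ems file. A blank PASSWORD= is the state the
    bypass leaves behind, so it is reported as a tamper indicator."""
    entries = parse_ems(text)
    findings = []
    if "PASSWORD" in entries and entries["PASSWORD"] == "":
        findings.append("PASSWORD= is blank: login screen is bypassed, treat as tampered")
    if entries.get("LOGINAC"):
        findings.append("LOGINAC= holds a plaintext username: " + entries["LOGINAC"])
    return findings


def fingerprint(text):
    """SHA-256 of the file contents, for comparison against a known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_directory(config_dir, registry_baseline=None):
    """Audit every .ems file in config_dir. If the SHA-256 of a known-good
    registry.ems is supplied, any drift from it is reported as well."""
    report = {}
    for path in sorted(Path(config_dir).glob("*.ems")):
        # Assumption: the files decode as UTF-8/ASCII; undecodable bytes are replaced.
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = audit_ems(text)
        if registry_baseline and path.name.lower() == "registry.ems":
            if fingerprint(text) != registry_baseline:
                findings.append("registry.ems no longer matches its baseline hash")
        report[path.name] = findings
    return report


def demo():
    """Write the constructed samples to a temp directory and audit it.
    'sample-device.ems' is a made-up file name for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "registry.ems").write_text(SAMPLE_TAMPERED, encoding="utf-8")
        Path(tmp, "sample-device.ems").write_text("LOGINAC=admin\n", encoding="utf-8")
        return audit_directory(tmp, registry_baseline=fingerprint(SAMPLE_INTACT))


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["no findings"])
```

Run it against C:\Users\USERNAME\Documents\CMS-DH with a baseline hash taken right after a known-good login, and schedule it alongside whatever file-integrity monitoring the workstation already has; the blank-password finding is the one worth alerting on.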

STEALING CREDENTIALS

We know that an attacker can wipe out the cached password from CMS-DH and that it will completely skip the login screen. An attacker can leverage this to gain access to DVRs they shouldn’t have authorization to by obtaining a copy of someone else’s CMS-DH config directory. Because all the config data for devices is stored in the CMS-DH config directory, a successful attacker would have everything they need to gain unauthorized access to a local security system.

Possible attack vectors for stealing the directory include:

  1. Phishing the user and convincing them to send you CMS-DH “log files.”
  2. Misconfigured Windows Share.
  3. Boot to USB and copy/paste unencrypted HDD contents.
  4. Make the user run a script which dumps the contents of the CMS-DH directory somewhere.
  5. Gain access to the machine (physical or remote) and exfiltrate the files to a CNC server.
  6. The files are small enough to exfiltrate through a DNS TXT query.

Affordable Cybersecurity Practices for Small Business

Today’s blog post is a guest post by Lindsey Weiss from Outbounding.com. Thanks Lindsey!

Data privacy has become a huge concern for business owners small and large in recent years. Even with a growing emphasis on data protection, the number of exposed records continues to rise. In fact, 2018 saw 446.5 million exposed records, an enormous jump from the approximately 197.6 million records exposed throughout 2017.


Enterprises are taking significant steps to protect their data, but small businesses have been slower to catch up — only 14 percent of small businesses are highly confident in their cybersecurity. Because breaches targeting large enterprises are the ones that generally receive the most coverage, small business owners make the faulty assumption that they’re less vulnerable to a cyber attack. However, that couldn’t be further from the truth: 43 percent of all cyberattacks are aimed at small businesses.

If you store customer data, including credit card data, email addresses, billing addresses, and phone numbers, your business needs to be concerned about cybersecurity. Even if you don’t store customer data, data security should be on your radar: If a malicious actor injects ransomware into your system, you could be charged a ransom just to resume operations.

Protecting yourself against data breaches doesn’t require an enormous financial investment. There are many cost-effective ways small businesses can guard their data.

Train Employees to Recognize Social Engineering

Employee training offers the best ROI when it comes to small business data protection. That’s because employee and contractor negligence is behind nearly half of all data breaches. If an employee unwittingly clicks on a malicious attachment or shares passwords or files with a cybercriminal posing as a colleague, the integrity of your business is compromised. Social engineering attacks are constantly evolving, so business owners and managers should stay abreast of the most frequently used techniques and train employees how to recognize attacks and avoid falling victim. A few minutes of research and a meeting with your staff could save thousands in data breach recovery costs.

Step Up Your Password Policy

Are your employees using weak passwords like their birthdates, or worse, “123456” or “password”? If you reflexively answered “no,” ask yourself how confident you really are that your staff is using passwords that can’t be cracked. A strong password policy doesn’t simply require a mixture of letters, numbers, and symbols. Rather, it obligates users to create complex passwords that expire on a predetermined schedule, don’t employ common words, and are never used for multiple accounts. If you don’t want to babysit your employees’ password practices, consider using a password manager.
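The four rules above (a character mix, scheduled expiry, no common words, no reuse across accounts) are simple enough to check mechanically. The checker below is an added example, not code from the original post; the thresholds (12 characters, 90 days), the tiny common-word list and the sample accounts are this example's own assumptions, and a real deployment would swap the word list for a full breached-password list.

```python
"""Added example (not from the original post): a password-policy checker for
the rules the post lists. Thresholds, word list and sample data are assumed."""
import datetime as dt
import hashlib
import string

MIN_LENGTH = 12          # assumed threshold
MAX_AGE_DAYS = 90        # assumed rotation schedule
# Constructed stand-in for a real breached/common password list.
COMMON_WORDS = {"password", "123456", "qwerty", "welcome", "letmein", "admin"}


def _fingerprint(password):
    """Unsalted SHA-256 used only to compare passwords for reuse in memory.
    Never store passwords this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, set_on, today, personal_tokens=(), others=()):
    """Return the list of policy violations for one password.

    set_on/today: dates used for the expiry rule.
    personal_tokens: strings such as a birthdate or username that must not appear.
    others: fingerprints of passwords already in use on other accounts.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if any(tok and tok.lower() in lowered for tok in personal_tokens):
        problems.append("contains personal information")
    if (today - set_on).days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days, must be rotated")
    if _fingerprint(password) in set(others):
        problems.append("reused from another account")
    return problems


def audit_accounts(accounts, today):
    """accounts: list of dicts with keys account, password, set_on, personal.
    Returns {account: [violations]}; reuse is checked against the other accounts."""
    fps = {a["account"]: _fingerprint(a["password"]) for a in accounts}
    report = {}
    for a in accounts:
        others = [fp for name, fp in fps.items() if name != a["account"]]
        report[a["account"]] = check_password(
            a["password"], a["set_on"], today, a.get("personal", ()), others)
    return report


# Constructed sample data: one password shared between two accounts, one strong one.
TODAY = dt.date(2019, 6, 1)
SAMPLE_ACCOUNTS = [
    {"account": "email", "password": "Summer1990!", "set_on": dt.date(2019, 1, 5),
     "personal": ("19900714", "jsmith")},
    {"account": "bank", "password": "Summer1990!", "set_on": dt.date(2019, 5, 20)},
    {"account": "crm", "password": "gR4#vine-Telescope-88", "set_on": dt.date(2019, 5, 20)},
]

if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(account, "->", problems or ["ok"])
```

The reuse check only works where the checker sees the plaintext at the moment a password is set (an enrolment form or a password-manager export), which is also the only place such a check should run.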

Keep Firewalls and Antivirus Current

Firewall protection prevents malicious actors from entering your system, whereas antivirus and anti-malware software detects and removes threats. These security solutions make up the foundation of any network’s data protection, but too often business owners let them fall out of date. Firewall and antivirus software providers regularly release updates to block new types of malware, but if you don’t update your software, your systems aren’t protected.

Backup Your Data, Then Back It Up Again

If your data is held ransom, will your business be forced to shut down? Data backups keep your business up and running when data is compromised due to a data breach, natural disaster, or another threat. A basic backup strategy for small businesses is a 3-2-1 backup. The 3-2-1 rule dictates that you keep three copies of your data (including the primary copy) and use two different mediums to store them, with one backup stored off-site. Many small businesses accomplish this by storing one backup on an on-site external hard drive and a second backup in the cloud. Both backups must be updated regularly to preserve data integrity.
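The 3-2-1 rule, plus the "update both backups regularly" requirement, reduces to four checks over an inventory of copies. The script below is an added example, not code from the original post; the BackupCopy fields, the one-day freshness limit and the sample inventories are constructed for it.

```python
"""Added example (not from the original post): check a backup inventory
against the 3-2-1 rule and the freshness requirement described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str        # kind of storage, e.g. "internal-disk", "external-hdd", "cloud"
    offsite: bool
    age_days: int      # days since this copy was last refreshed (0 for the live primary)


def check_321(copies, max_age_days=1):
    """Return a list of rule violations; an empty list means 3-2-1 is met.
    `copies` includes the primary copy, as the post's count of three does."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3 including the primary")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append("all copies share one medium, need 2 different media")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    stale = [c.label for c in copies if c.age_days > max_age_days]
    if stale:
        problems.append(f"stale copies (older than {max_age_days} day(s)): " + ", ".join(stale))
    return problems


# Constructed inventories: the setup the post describes, and a common anti-pattern.
TYPICAL_SMALL_BUSINESS = [
    BackupCopy("workstation", "internal-disk", offsite=False, age_days=0),
    BackupCopy("office external drive", "external-hdd", offsite=False, age_days=1),
    BackupCopy("cloud backup", "cloud", offsite=True, age_days=0),
]
SAME_DISK_ONLY = [
    BackupCopy("workstation", "internal-disk", offsite=False, age_days=0),
    BackupCopy("copy in D:\\backup", "internal-disk", offsite=False, age_days=30),
]

if __name__ == "__main__":
    for name, inv in (("typical", TYPICAL_SMALL_BUSINESS), ("same disk", SAME_DISK_ONLY)):
        print(name, "->", check_321(inv) or ["3-2-1 satisfied"])
```

Ransomware that encrypts a workstation also encrypts any "backup" folder on the same disk, which is why the second inventory fails on every rule at once.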

These steps greatly reduce the risk to your small business’s data, but they don’t eliminate it. If you are the target of a data breach, make sure you take the appropriate steps to recover. Dealing with the fallout from a data breach isn’t pleasant, but addressing it is necessary for the continued success of your small business.


Dear Russia: Leave me alone

Dear Russia,

Please leave me alone.

I have been running this website out-of-pocket on-and-off since 2015. The things that have never changed mostly include you, Russian spammers, scammers, hackers, and bots. You bombard my comment feed, constantly try to brute force my administrator accounts, and you’d think that after nmap scanning my server every day for 3 years you’d have found all the ports I have open by now. Alas, you keep trying anyway. And honestly when was the last time you found an exposed document root? Let me save us both some time and frustration: THERE AREN’T ANY EXPOSED DOCUMENT ROOTS!

Sure, China will get in on the action from time to time, too. They usually go for the short-lived, high-intensity variety of prodding. I can deal with that. It’s you, the Russians, who persist in spite of the fact that you’ve never been successful.

So persistent, in fact, that I’ve blocked your entire country from logging into the site. This includes a handful of other Eastern Bloc proxy nations who typically never engage the site as is intended. At one point I even posted about these measures in the hopes that you would stop wasting everybody’s time. That didn’t work. So I’m going to take the sugar coating off for you and see if that helps… EVEN IF YOU FIND A CORRECT USER/PASSWORD COMBO, YOU ARE GEO-FENCED! You will not be granted access to the admin panel, no matter what. You will still be redirected to our “Oops” page. Whenever I see a spike in denied login activity all admin account passwords get changed with randomly generated ones. I think we’ve both proved by now that this dance could go on forever. Please give up.
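The two controls described in that paragraph, a geo-fence evaluated before the password check and a watch on denied-login volume that triggers a password rotation, look like this in code. This is an added example, not the site's own code: the log line format, the blocked prefixes (TEST-NET ranges standing in for a country's address space) and the spike threshold are constructed, and real geo-fencing maps a country to many prefixes via a geolocation database.

```python
"""Added example (not the site's own code): geo-fenced admin login decision
and a denied-login spike detector over constructed log lines."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed: stand-ins for the blocked country's prefixes.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]


def is_geofenced(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BLOCKED_NETWORKS)


def admin_login_decision(src, credentials_valid):
    """The geo-fence is evaluated first, so a correct user/password pair from
    a blocked network still ends at the 'Oops' page."""
    if is_geofenced(src):
        return "redirect:/oops"
    return "admit" if credentials_valid else "deny"


# Constructed log format: "<iso-timestamp> login <denied|ok> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>denied|ok) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(lines):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def denied_spike(events, window=timedelta(minutes=10), threshold=5):
    """Count denied logins per source within `window` of the newest event.
    Returns (rotate_passwords, per_source_counts); rotate_passwords is True
    when total denials in the window reach the threshold."""
    if not events:
        return False, Counter()
    end = max(e[0] for e in events)
    counts = Counter(src for ts, result, _, src in events
                     if result == "denied" and end - ts <= window)
    return sum(counts.values()) >= threshold, counts


# Constructed sample log: one old denial outside the window, a burst of
# denials from one blocked address, one legitimate login.
SAMPLE_LOG = [
    "2019-06-01T09:30:00 login denied user=admin src=198.51.100.9",
    "2019-06-01T10:00:00 login denied user=admin src=203.0.113.5",
    "2019-06-01T10:00:07 login denied user=admin src=203.0.113.5",
    "2019-06-01T10:00:15 login denied user=administrator src=203.0.113.5",
    "2019-06-01T10:00:21 login denied user=admin src=203.0.113.5",
    "2019-06-01T10:00:30 login denied user=root src=203.0.113.5",
    "2019-06-01T10:01:02 login ok user=editor src=192.0.2.10",
    "2019-06-01T10:02:44 login denied user=admin src=203.0.113.5",
    "not a login line at all",
]

if __name__ == "__main__":
    rotate, counts = denied_spike(parse_log(SAMPLE_LOG))
    print("rotate admin passwords:", rotate, dict(counts))
    print(admin_login_decision("203.0.113.5", credentials_valid=True))
    print(admin_login_decision("192.0.2.10", credentials_valid=True))
```

The window is anchored on the newest event rather than on the wall clock so the same function works on a live tail and on an archived log.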

And here I am, once again deleting hundreds of your spam comments per week for stupid stuff like “Cash Loans” or “Sports Memorabilia.” These aren’t even the kinds of ads that a sane person would approve, and I’ve never approved them so I have no idea why you continue wasting so much machine time or bandwidth. Today, with sadness in my heart, I have disabled anonymous comments. Just because of you. Good job.

And the thing that really pisses me off about all this? The fact that there are real Russians who cannot create an account with us because of your selfish actions. I don’t have a team of engineers to monitor this thing 24/7, or come up with thousands of tools for identifying your bots so that I can still serve content to Russia. Out of necessity I took the easy road of blacklisting your entire country. I really hate to do it, but serving Cloud storage and open-source content directly to Russia just isn’t worth the hassle, and I know I’m not the only one who feels this way.

You are a burden on the internet. Like a blacklisted Postfix server, your actions are affecting the innocent users around you. You’re costing your entire geographic location trust and slowly isolating yourself and, sadly, the people around you who have done nothing wrong. For every one legitimate request I get from Russia I probably get 500 from you. One user with a seemingly endless stream of proxy addresses, literally ruining the free service I offer for your country of 144 million people.

So please, do EVERYONE ON EARTH a few favors…

  1. Stop harassing the internet with your scammy, spammy crap that nobody cares about and only a small percentile are stupid enough to fall for.
  2. Get a real job and put some of that talent and passion to work making the internet better instead of worse.
  3. LEAVE ME ALONE
  4. Seriously, back off and leave me alone.