Expert(s):
CEO feature_status*/ ?>
Lucy Security

Comments Dotted : 36
December 14, 2020

Subway Customers Receive ‘Malware’ Emails – Expert Advice
People in the UK are going to get more than their lunchtime “sarnie”* delivered.
This is an elaborate attack. People in the UK are going to get more than their lunchtime “sarnie”* delivered. It's another reminder that security awareness training, with macro downloads and ransomware simulations, can considerably reduce the risk of social engineering attacks. To stay one step ahead, security teams should also look to war-game ransomware attacks, i.e. test what happens if an employee falls for an attack like the Subway one. By running "what-if" scenarios, where.....Read More
This is an elaborate attack. People in the UK are going to get more than their lunchtime “sarnie”* delivered. It's another reminder that security awareness training, with macro downloads and ransomware simulations, can considerably reduce the risk of social engineering attacks. To stay one step ahead, security teams should also look to war-game ransomware attacks, i.e. test what happens if an employee falls for an attack like the Subway one. By running "what-if" scenarios, where companies simulate the hundreds of tools employed by hackers, security teams can discover exactly what happens if an employee executes a malicious file, and proactively address system vulnerabilities in their network infrastructure before a real malware attack occurs." *(colloquial English for sandwich  Read Less
December 03, 2020

Security Expert Re: Non-Profit Philadelphia Food Bank Loses Nearly A Million Dollars To BEC Scam
The good news is that with investment and training, employees can become your strongest defense.
Unfortunately, scammers are drawn to the money trail with no regard for ethics, so this means non-profits are also vulnerable to attack. The Philabundance attack checks all the boxes of a successful BEC scam: in-depth research to identify the target, social engineering exploits to penetrate the network, creation of a fake invoice from a known email address, and the request to wire funds to a (phony) bank account. BEC scams cleverly play on two glaring human vulnerabilities: an.....Read More
Unfortunately, scammers are drawn to the money trail with no regard for ethics, so this means non-profits are also vulnerable to attack. The Philabundance attack checks all the boxes of a successful BEC scam: in-depth research to identify the target, social engineering exploits to penetrate the network, creation of a fake invoice from a known email address, and the request to wire funds to a (phony) bank account. BEC scams cleverly play on two glaring human vulnerabilities: an employee’s susceptibility to social engineering, and their unquestioning trust in the chain of command. The best way to help prevent these types of attacks is to provide regular security training for employees, and establish specific business and financial policies for company payments. Companies that conduct ongoing and varied security training of their employees – starting at onboarding and continuing with regularly scheduled simulated phishing attacks, stand the greatest chance of keeping invaders out of their network. Interactive, relevant, and ongoing training can reduce the percentage of successful phishing attempts from 30 percent to less than 5 percent. To successfully defend against BEC scams, companies should also implement specific business and financial policies for all payments. The most effective policies limit the number of individuals authorized to make payments, call for additional authorizations above a pre-determined amount, require vendor validation, and treat any urgent requests or new payment methods as a suspect. Criminals know that employees can be the weakest link in a cyber attack. The good news is that with investment and training, employees can become your strongest defense.  Read Less
November 11, 2020

Security Expert Re: Scammers Impersonate IRS, Threaten Legal Action As Tax Payment Deadline Looms
The emails themselves are ludicrous, of course, but unfortunately someone is going to fall for them.
To make this scam even more credible, it coincides with the IRS sending out real written demands for outstanding taxes. Tax reporting --and therefore tax payment -- season was pushed back six months, with taxes due October 15th. That sets an “impending event” in place – pay up by November 15th. The scammers know this, just as CPAs know it. The IRS is a fearsome beast to contend with, so the scammers get to leverage the trepidation that Americans feel when they receive an email that\'s .....Read More
To make this scam even more credible, it coincides with the IRS sending out real written demands for outstanding taxes. Tax reporting --and therefore tax payment -- season was pushed back six months, with taxes due October 15th. That sets an “impending event” in place – pay up by November 15th. The scammers know this, just as CPAs know it. The IRS is a fearsome beast to contend with, so the scammers get to leverage the trepidation that Americans feel when they receive an email that\'s apparently from the IRS. By combining heightened emotions with a sense of urgency, the attackers created a powerful call to action. Not to mention that since most likely, more people are going to be behind on their taxes due to the pandemic, the scammers will have an even higher hit rate. The emails themselves are ludicrous, of course, but unfortunately someone is going to fall for them. It\'s a good reminder to consumers that they should always be cautious when they receive an email asking for payment. Here are three simple questions to consider: Ask yourself --is the sender really who they claim to be? Start by checking the domain name – it’s easy to miss a one-letter mismatch between the sender’s domain and the company domain. Does the email contain suspicious content? Improper use of grammar or language, multiple spelling mistakes, or a strange layout are all red flags. Hover over any links in the email to see if the links are unusual. If so, don’t click on them! What are they asking me to do? Always be suspicious anytime an email asks you to do something unexpected, such as provide payment info or confidential log-in credentials. Take a closer look at the sender’s address or content and you’ll usually catch the attack.  Read Less
July 16, 2020

Experts Insight On Major US Twitter Accounts Hacked in Bitcoin Scam
The wider question is: what else has been accessed? Is there more info to be released, like DMs?
It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third-party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload.....Read More
It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third-party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload designed to harvest his credentials. The targets will not garner much sympathy from the wider Twitterati, as we already see on social media. The world waits to see if The Donald’s account was hacked. The wider question is “what else has been accessed? Is there more info to be released, like DMs?” It is highly unlikely that Biden or Obama run their Twitter accounts – they have operatives to do that, so probably not much private gold to be mined at that level. Black eye for @Jack.  Read Less
July 13, 2020

Cyber Experts Comment On US Secret Service Creates New Cyber Fraud Task Force
One tends to associate this type of activity with the FBI, which is, of course, part of the Dept.
This move makes sense. We do, however, have a lot of duplication of tasks among the various arms of America’s intelligence community. One tends to associate this type of activity with the FBI, which is, of course, part of the Dept. of Justice. With the US Secret Service being part of Homeland Security, perhaps this is part of a re-alignment of responsibilities.
July 07, 2020

Personal Details of 1M Dating App Customers Leaked – Security expert comments
ElasticSearch databases are probably the primary sources of data leaks, because of misconfigurations when set up.
ElasticSearch databases are probably the primary sources of data leaks, because of misconfigurations when set up. For example, the front end UI is often secured with authentication, but admins forget that the default port 9200 is also visible and accessible online, meaning that unprotected ElasticSearch databases can leak data via the backdoor. Having built the database, the developers probably forgot all about patching it, focusing on the front end’s ease-of-use to drive user engagement and.....Read More
ElasticSearch databases are probably the primary sources of data leaks, because of misconfigurations when set up. For example, the front end UI is often secured with authentication, but admins forget that the default port 9200 is also visible and accessible online, meaning that unprotected ElasticSearch databases can leak data via the backdoor. Having built the database, the developers probably forgot all about patching it, focusing on the front end’s ease-of-use to drive user engagement and subscriber growth. Or perhaps the original architect is no longer employed. Regardless – they dropped the ball.  Read Less
June 23, 2020

Comment: Potentially Sensitive Data From Over 200 US Police Departments Exposed Online By ‘BlueLeak’s
The Feds have been living off their reputation and believing their own propaganda for far too long now.
At the heart of cyber-risk is convenience – making it easy to upload files and build a website has also enabled the hackers to score a spectacular win against US law enforcement. The Netsential website is barebones right now, but checking out the Wayback Machine for the Netsential website shows a consistent typo: “Netsential builds sites with as much or as customer involvement that is desired.” For me that would be a red flag – a sign that I should take a closer look at the company,.....Read More
At the heart of cyber-risk is convenience – making it easy to upload files and build a website has also enabled the hackers to score a spectacular win against US law enforcement. The Netsential website is barebones right now, but checking out the Wayback Machine for the Netsential website shows a consistent typo: “Netsential builds sites with as much or as customer involvement that is desired.” For me that would be a red flag – a sign that I should take a closer look at the company, especially since Netsential advertise the fact that the FBI and DoJ are customers. My point being that Fusion Centers were set up as a Homeland Security initiative post-9/11 in order to facilitate information sharing at all levels of law enforcement – an obvious target for China, Russia, Iran or organized crime. You would expect the FBI to have identified this potential point of entry and remedied it. The Feds have been living off their reputation and believing their own propaganda for far too long now. My heart goes out to those many people whose information is compromised.  Read Less
June 10, 2020

Expert Insight On Dark Basin – Uncovering A Massive Hack-For-Hire Operation
The University of Toronto’s Citizen Lab’s report reads like a movie script.
The University of Toronto’s Citizen Lab’s report reads like a movie script. Half the time I’m thinking that the bad guys left so many trails that it must be an exercise in misdirection. Only State actors could pull something like this together. The quality of the phishing site landing pages is excellent, and the English grammar is very good - too good, unless you were running a very professional well-financed and targeted operation. The subdomains are also well designed, especially for.....Read More
The University of Toronto’s Citizen Lab’s report reads like a movie script. Half the time I’m thinking that the bad guys left so many trails that it must be an exercise in misdirection. Only State actors could pull something like this together. The quality of the phishing site landing pages is excellent, and the English grammar is very good - too good, unless you were running a very professional well-financed and targeted operation. The subdomains are also well designed, especially for mobile users. The URL shorteners, the 5 and a half-hour time zone difference, and the different email address which tie back to BellTroX are all very interesting.  Read Less
June 09, 2020

Security Expert Re: Maze Ransomware Attacks ST Engineering’s U.S. Aerospace Subsidiary
Treat people as part of a holistic defense strategy.
The fact that “ a compromised Administrator account” was the entry point for the Maze ransomware breach will be lost on most people. The truth is that hackers breached VT SAA’s defenses by bypassing their Maginot Line, or, perhaps more appropriately for the shareholders of ST Aerospace - the guns were pointing the wrong way. In other words, the hackers succeeded by going around VT’s cyber defense, probably by phishing the human owner of the Admin account. The enemy is waging the war.....Read More
The fact that “ a compromised Administrator account” was the entry point for the Maze ransomware breach will be lost on most people. The truth is that hackers breached VT SAA’s defenses by bypassing their Maginot Line, or, perhaps more appropriately for the shareholders of ST Aerospace - the guns were pointing the wrong way. In other words, the hackers succeeded by going around VT’s cyber defense, probably by phishing the human owner of the Admin account. The enemy is waging the war in front of them while most security teams are fighting the last war, the one where anti-virus software, encryption, 2FA and firewalls save the day. Post attack, the focus of the story is always on encrypted data, “securing our systems”, buying more tech, retaining a well-known outside security advisory team and managing the PR. So the lesson is rarely learned: Patch People. Treat people as part of a holistic defense strategy. For a fraction of the cost of cyber defenses, CISOs can teach employees how to be part of the defense. It’s not as sexy as big-budget security tech but it can work far better.  Read Less
May 29, 2020

Michigan State University hit By Ransomware Gang – Cybersecurity Experts Insight
The hackers have learned how valuable that approach can be in aid of their extortion.
More and more, we see that ransomware is not a technology issue per se. This is about human behavior. Exerting pressure, exploiting human weaknesses. Applying psychology to gain advantage. We have learned how the FBI leaked the dossier story, to create news, establish momentum and pressure Trump. The hackers have learned how valuable that approach can be in aid of their extortion. When you are in a knife fight, bring a gun! CISOs and their security teams keep turning up with penknives......Read More
More and more, we see that ransomware is not a technology issue per se. This is about human behavior. Exerting pressure, exploiting human weaknesses. Applying psychology to gain advantage. We have learned how the FBI leaked the dossier story, to create news, establish momentum and pressure Trump. The hackers have learned how valuable that approach can be in aid of their extortion. When you are in a knife fight, bring a gun! CISOs and their security teams keep turning up with penknives. Hackers are turn up with guns. Last week, we saw an attack on a law firm, in which the attackers took a page out of the media playbook, throwing Donald Trump into the mix to get maximum publicity, doubling the ransom demand and teasing out a few details. Now we see the attackers leaking and leading the news again, forcing the MSU attack onto the public forum. This increases the general fear of ransomware, at no cost to the hackers. Every university will now be checking their insurance for ransomware payments, which makes it more likely that ransoms can be paid in the future. We are not dealing with ethics here – it’s all about the money, with a side-helping of chaos. Incidentally, universities have HIPAA obligations, PCI obligations, PII obligations – so this could get messy.  Read Less