Two-Factor Authentication

It’s always the way. I was meaning to write this post a couple of months ago, but as you do, you get busy. But in that time, there has been a lot of talk about two-factor authentication.

This talk has come about because new threats arrive on a daily basis, and they are more sophisticated than ever before.

As the name states, two-factor authentication, or 2FA for short, relies on another method of authentication rather than just the standard username and password. The second factor can be an SMS text message, a 2FA authenticator on your phone, a phone call or any number of other methods. Some of these methods are better than others.

The way 2FA works is that when you log in or authenticate to an application or website, a second authentication challenge is sent via your preferred method. Once you approve that second challenge, you gain access to the application or website.

2FA has been around for a long time. Previously, the 2FA methods were quite cumbersome. Does anyone remember the hardware tokens that ANZ/BNZ used to give out? When you logged into internet banking, you’d use a token generator in order to log in. This was a very slow method (and not really used anymore). Hardware tokens are one of the stronger methods though.

You may be thinking ‘great! If I use 2FA, I won’t be compromised!’. While 2FA significantly increases your security for the application/website you are logging into, it can be compromised.

If you use the SMS or telephone method of authentication, hackers have been known to ring mobile providers and social engineer the call (pretending to be you) in order to move your number onto their SIM card. This allows the attacker to take over your number and complete the 2FA process themselves.

The other problem is that most 2FA authenticators are installed on a mobile phone. If you lose your mobile phone and your 2FA keys are not backed up somewhere, you will lose access to the applications and websites that are protected by 2FA. The process to remove 2FA on your accounts so you can gain access can be very troublesome – but there are ways to get around this listed below.

At Layer3, we’ve been using 2FA with our clients for some time. We use it when logging into your computer at work, and when using services such as Microsoft Office 365. Using 2FA on computers at work has stopped remote attackers a number of times. Using 2FA with Microsoft Office 365 makes it significantly harder for attackers to gain access to your email, especially when the option ‘always stay signed in’ is enabled.

If you’d like to start using 2FA outside of the workplace, and I highly suggest you do, there are some great applications in order to do this:

Authy: I recently moved to this application on my phone as it allows your 2FA keys to be backed up in their cloud service. Their cloud service protects your keys via strong encryption and a master key. You need the same phone number associated with your phone in order to restore your keys. Most 2FA websites and applications support Authy.

Google Authenticator: This has been the stock standard 2FA authenticator for some time. Google Authenticator works very well, but it lacks a backup feature.

Microsoft Authenticator: Same as the Google Authenticator, Microsoft Authenticator works with most Microsoft websites and Microsoft based accounts. Backup of keys is not currently available, but it is coming within the next month or two.

I highly recommend 2FA. It is not the end-all solution, but it does provide significant protection over a standard username and password.

VPNFilter – A sophisticated threat to businesses

2018 has seen a lot of new cyber threats. Hackers, scammers and the like are getting smarter. VPNFilter takes me back to the famous Stuxnet virus which infiltrated Iran’s nuclear program.

VPNFilter is an advanced threat which targets predominantly home/small business routers. So far, the threat has infected over half a million routers worldwide. But this number is expected to grow as more is discovered about the threat.

The threat performs a number of hostile functions. One of these is what’s called a man-in-the-middle attack. Once the router has become infected, internet traffic that passes through the router is actively spied upon and can be tampered with, without the victims knowing.

The main goal of this attack at present is to steal sensitive data, such as usernames and passwords or banking information. However, as various researchers find out more about this threat, it is becoming clear that VPNFilter has the potential to be a far greater threat.

Cisco is expected to release a report this Wednesday (14th June NZD). From Ars Technica:

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

It has become apparent that more models and brands of routers are susceptible to this threat.

Layer3 provides managed security gateways (security-focused routers), among other security-focused services. Layer3 was alerted to this threat early. Currently, our security gateways are not listed as being compromised by VPNFilter. Customers with the affected routers have all been patched against the VPNFilter threat.

It is another reminder that security is the number one priority in IT and for Layer3 as a managed service provider.

What you need to know about ‘Meltdown’ & ‘Spectre’

Over the Christmas break, Intel disclosed a security vulnerability within its processors. Google, which initially found the issue, has released a statement showing that other processor manufacturers such as AMD and ARM might also be affected by a different variant of the issue, codenamed ‘Spectre’.

A non-disclosure agreement was in place until the 9th of January, until which point further details were not to be known. This has expired early.

There is currently a patch which has been deployed for Linux systems. Microsoft is planning to release a patch this week. Microsoft Azure and Amazon Web Services (AWS) are patching immediately.

With the patch release for Linux, people have performed benchmarks indicating a 30% drop in performance when the patch is applied.

Until Layer3 has tested the patches from Microsoft, we will not automatically release these patches to customers. This is so we can internally test the performance implications of these patches. While the performance issues won’t affect desktop/laptop computers much, the performance of servers could be a real issue.

Please bookmark this post as we will update it as this issue progresses.

Update 1 (06/01): Updates will be applied to Cloud Office v1 and v2 on 05/01/2018 at midnight. Outage window of 2 hours.

Update 2 (09/01): Microsoft has pulled the update amid issues with AMD and Intel processors. Layer3 has not officially rolled out these patches to customers yet, as we are waiting for our antivirus vendor to finish testing compatibility with these new Microsoft patches. More information can be found here about Microsoft re-issuing the patches.

We will begin patching our datacenter operating systems this weekend (13/01/2018). Please keep an eye on our status page for more information.

Update 3 (12/01): We are patching our virtual environments hypervisors this weekend. This does not include Microsoft patching, as we are still testing the patches and the performance impacts.

A New Phishing Threat

There is a new phishing threat making the rounds which combines quite a bit of research on behalf of the attacker with a bit of social engineering.

Over the last few weeks, a number of our customers have seen what looks like an internal email from a CFO, CTO or CEO asking for funds to be released to a particular party. Normally it appears to come from the ‘owner’ of the company (no one likes to question the owner).

The attackers are buying domains which are very similar to the victim’s domain. As an example, an attacker would buy Layerr3.nz (with an extra R) and send emails imitating me.

The emails usually contain a signature that is almost identical to the signature used by the victim. This shows the attacker has done research and possibly seen emails written from the company previously.

Because of the nature of this threat, it is almost impossible for IT/Security companies to block them effectively. However, there are steps your business can take to better protect yourself:

  • Train staff on what to look for in forged emails. This includes domain names, spelling mistakes, tones of voice etc
  • Remove key contacts from your website. The CFO and CEO are normally the main targets of this attack
  • Review your payment processes. Possibly including two levels of sign-off
  • Investigate doing an internal social engineering penetration test – this is something Layer3 can assist with
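One mail-gateway or SIEM check that catches the lookalike-domain trick described above (an added example, not Layer3’s own tooling): compare each external sender’s domain against your own by edit distance, flag executives’ display names arriving from outside addresses, and flag a Reply-To that points somewhere other than the From domain. The own domain, the protected name and the addresses are constructed, hypothetical values.

```python
from email.utils import parseaddr

# Constructed values for this example (hypothetical): the organisation's own domain, and the
# executives whose names are most often borrowed, mapped to their legitimate addresses.
OWN_DOMAINS = {"layer3.nz"}
PROTECTED_NAMES = {"jane smith": "jane@layer3.nz"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: 'layerr3.nz' vs 'layer3.nz' is 1 (one extra letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to: str = "") -> list:
    """Findings for an inbound message's From/Reply-To headers; an empty list means nothing suspicious."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    if domain in OWN_DOMAINS:
        return findings  # genuinely internal; SPF/DKIM/DMARC cover spoofing of your own domain
    for own in OWN_DOMAINS:
        if 0 < levenshtein(domain, own) <= 2:
            findings.append(f"lookalike domain {domain} (resembles {own})")
    legit = PROTECTED_NAMES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        findings.append(f"display name '{name}' used from external address {addr}")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and domain_of(rt_addr) != domain:
            findings.append(f"Reply-To {rt_addr} differs from From domain {domain}")
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Smith <jane@layer3.nz>", "Jane Smith <jane@layerr3.nz>"):
        print(hdr, "->", classify_sender(hdr) or "clean")
```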

As attackers become more sophisticated, it’s important to stay vigilant and ahead of threats. If you have any concerns about these threats, please contact us.

Petya – Not all Cryptoviruses are equal

The latest round of cryptovirus hit yesterday. Petya, named after a similar virus with which it actually shares very little, hit with the same destructive force as the WannaCry virus last month, this time without a ‘kill switch’.

Originating in Ukraine via a company called M.E.Doc, a tax company, the cryptovirus was spread by using the auto-update feature within the tax software. I’m sure there will be more investigation on how this came to be (hacked, or inside job?).

At first, many believed this was another cryptovirus made for financial gain. However, it became quickly apparent that this virus was designed to cause as much destruction in a short amount of time as possible.

Within the first few hours, the email address the cryptovirus uses to send you the key to unlock your files was disabled. If you look at the blockchain (effectively the hackers’ BitCoin wallet) which they have used, there have only been a little over 40 payments. At $300USD each, that’s not a lot of money considering the scale.

Analyzing the Petya virus further, it propagates throughout Windows networks using three different methods. First is the original method WannaCry used which was based on the leaked NSA tool, EternalBlue. The other two are more technical ways of using the Windows operating system to exploit security weaknesses where end users have ‘administrator’ privileges.

Based on the methods used and the few payments made to the cryptovirus Bitcoin wallet, coupled with the early takedown of the payment email address, I can conclude this was simply an attack to cause as much damage as possible.

We have had no reports of infection from our monitoring systems. All our customers’ devices and our own infrastructure were checked when the WannaCry virus was active. We double-checked again today and found no issues.

This cryptovirus was well written and destructive, so what can you do to keep safe?

  • Make sure your antivirus is up to date
  • Don’t turn off Windows Updates (you’d be surprised)
  • Don’t turn off Windows UAC
  • Be vigilant when opening emails with attachments and links

If you would like a more technical explanation, Microsoft has published a great post.

Microsoft 0-Day Exploits

On Tuesday 12th April (US time) Microsoft identified a security vulnerability within its Microsoft Office suite. Microsoft acted quickly and rolled out a batch of updates that plug the security holes. This type of attack is known as a zero-day exploit: hackers often attempt it before, or on the day, updates are released to the public. The hacker attempts to install malware on fully patched computers by exploiting a vulnerability in most or all versions of Microsoft Word. Zero-day attacks are a severe threat.

The security of our customers’ networks is our top priority. We have acted quickly; the Microsoft updates were applied last night.

If Microsoft prompted you to update this morning, please ignore that message and restart your device. If in doubt, save your work and restart your device.

Our spam filter was also updated to detect emails exploiting this vulnerability, stopping these threats at the border.

If you have any questions, please email support.

Reference: CVE-2017-0210

Copper Services are an Endangered Species

Most businesses will by now be aware of the fibre roll-out and, hopefully, are now using UFB fibre Internet. However, what many do not realise is that as the fibre roll-out is completed in an area, traditional copper services which support things like phone lines and ADSL/VDSL Internet connections will eventually be decommissioned.

Read about the pending copper cut off here.

“…Chorus would have the option of withdrawing service and removing the copper network according to its own timeframes…”

What does this mean for you? Well, most importantly, if you are a small business and not using fibre connectivity already, it’s time to make the change. Fibre connectivity is much faster and more stable than copper connections and will help facilitate better connectivity for cloud-based services such as Microsoft Office 365 and Layer3 solutions like Filecloud (NZ-based file sharing and management platform), Cloud Office remote desktop server and VoIP (Internet-based phone systems).

Secondly, with fibre in place, it would be a very good idea to review your phone system. Analogue phone lines are expensive compared to VoIP services and offer far fewer features and benefits. And with the possible pending removal of the copper network, they are an endangered species. Switching to a VoIP system will allow your business to get the most out of its fibre Internet, cut costs, or at least implement a brand new, feature-rich system on a cost-neutral basis. VoIP will also open up possibilities for your business to aggregate services (like having 3 offices share a pool of VoIP ‘lines’) and be connected to your phone system from anywhere.

If you have an alarm/security system connected over a phone line, you’ll also need to contact your security provider to talk about getting you switched over to a fibre-based alarm option. This is usually a relatively easy and low-cost migration. If you are being told otherwise, have a look around at new options.

Finally, think of fibre as a tether to the cloud. With fibre in place, you will have a fast, direct link to the world of cloud services. Microsoft Office 365 is a cloud-based option for your office applications (email, Word, Excel, etc). Xero is a very popular cloud-based accounting system. And services like Filecloud and Cloud Office will enable your team to access company data from anywhere. Migrating to the cloud will also fit into a prudent DR solution with your data safely backed up and accessible from anywhere.

If you would like any help reviewing your Internet services and looking at cloud options to improve your business efficiency, give us a buzz and our in-house business Internet and VoIP expert, Daniel Bohan, will be happy to have that discussion.

LAYER3 Security Alert – WannaCry Ransomware Virus

Simply having an antivirus subscription is no longer enough to protect your organisation from today’s threat landscape.

On Friday, May 12, a global cyber-attack was launched using a ransomware program called WannaCry. It is estimated so far that almost 250,000 machines have been infected in 150 countries, which according to Europol, makes it an attack on an unprecedented scale. That number is sure to grow as the attack continues to spread and more impact is reported. It is imperative that all businesses take immediate steps to ensure the integrity of their network and data – this is a very real and very imminent threat.

WannaCry highlights the true menace of ransomware, virus and malware attacks on businesses and the extreme importance of having robust, managed security systems in place.

About Ransomware

Ransomware is a particular breed of malware that carries out what is called a ‘cryptoviral extortion attack’. In simple terms, what this means is that the software, once it has found a way into your network, will generally encrypt the files or the entire hard drives of the targeted machines or lock you out of the operating system altogether.

It will then display an image with instructions on the ‘ransom’. This is the amount demanded by the perpetrator to release your files. Payments are required in BTC because this crypto-currency is untraceable. There is also usually a time limit given to comply, after which the price will either go up, or the data will be lost forever.

Ransomware can find its way onto your network through a variety of means, but most commonly by ‘phishing’, a tactic that induces the victim to click on a link in a malicious email or on a malicious website. Once that magic button is pushed, the program gets to work, worming through your files, scanning for any other machines connected to yours, encrypting them all as it goes.

More on WannaCry

Like most ransomware attacks, WannaCry spreads through phishing emails, but what makes this attack so dangerous is that it exploits a vulnerability in Microsoft Windows and uses a backdoor tool developed by the US National Security Agency (NSA). Once a machine is infected, it will scan and propagate to all other computers and servers on your network. All infected machines are encrypted, files are locked, and a message appears demanding a ransom be paid or the victims will lose their data.

The tools used to launch the WannaCry attack were leaked from a group within the NSA and work by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol. When the leak became known, Microsoft released a critical advisory and security patch. However, many systems did not implement that patch for a variety of reasons, such as compatibility constraints, negligence, other risk factors, or just a lack of proper management and awareness. Any machines without the patch that came into contact with WannaCry were likely infected.
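Both WannaCry here and Petya above spread inside a network by reaching out to every other host over SMB, which is something a firewall or flow log shows long before the ransom note does. Below is an added detection example (not Layer3’s own tooling) that scans constructed firewall-style log lines and flags any internal host that touches an unusually large number of distinct hosts on the SMB ports within a short window; a workstation talking to one file server all day never trips it. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}


def build_sample_log() -> str:
    """Constructed firewall log (not real traffic): 'time src=.. dst=.. dport=.. action=..'."""
    base = datetime(2017, 5, 13, 9, 0, 0)
    lines = []
    # Normal: one workstation talking to the file server on 445 every 5 s for two minutes.
    for i in range(24):
        t = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} src=10.0.1.50 dst=10.0.1.5 dport=445 action=allow")
    # Worm-like: one host touching 20 different hosts on 445 inside ten seconds.
    for i in range(20):
        t = (base + timedelta(seconds=i / 2)).isoformat()
        lines.append(f"{t} src=10.0.1.15 dst=10.0.1.{20 + i} dport=445 action=allow")
    # Unrelated web traffic (documentation address range).
    lines.append(f"{base.isoformat()} src=10.0.1.60 dst=203.0.113.10 dport=443 action=allow")
    return "\n".join(lines)


def parse_line(line: str):
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


def detect_smb_sweeps(log_text: str, threshold: int = 10,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {src: peak_distinct_targets} for sources that reach >= threshold distinct hosts
    on an SMB port within any sliding window of the given length. Denied attempts count too:
    a blocked sweep is still a sweep."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(build_sample_log()).items():
        print(f"ALERT: {src} contacted {n} distinct hosts on SMB within 60 s")
```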

While the amount demanded is relatively low ($300 at the first level), the impact of WannaCry so far has been massive. The National Health Service (NHS) in England and Scotland had up to 70,000 devices hit, and some NHS facilities had to re-direct ambulances and turn away non-critical cases. Other examples of large enterprises hit hard include Telefónica in Spain, Nissan Motor Manufacturing, FedEx, Renault, Deutsche Bahn railway in Germany, etc. In New Zealand information is limited so far, but one known victim is Lyttelton Port in Christchurch.

The Layer3 Response

Notifications on the WannaCry event came flying in via our security devices and security vendors. We quickly established that this attack was exploiting a bug in Microsoft Windows. Although all Layer3 managed services and security customers had already been patched for this exploit, our team still went through a process of verifying this patch implementation across all customer networks and our own in-house cloud infrastructure.

These checks were completed by Saturday evening with no issues encountered. Our firewalls, antivirus, and mail filtering tools were all updated as soon as the threat became known. To date our main cloud infrastructure has seen around 5,000 attempts to broadly attack our networks. We have only received a small number of emails which have been blocked through our Mail Filtering system.

What can you do to protect your business?

The days of purchasing an annual antivirus (AV) subscription – or worse, not even doing that – are long gone. Low-end antivirus tools operate by blocking threats from a list of definitions, which means that they can only stop a virus that is already known about.

When something new like WannaCry breaks out, as they do all the time, definition-based AV tools are worse than useless. At the absolute very least, you must use an AV tool that operates based on ‘behaviour’ – it identifies suspicious behaviour from a program and shuts it down. Layer3, for example, uses BitDefender in our managed security stack. BitDefender is consistently in the top 2 ranked AV tools in the world and stopped WannaCry out of the box.

Antivirus just isn’t enough though to protect the integrity and continuity of your vital business infrastructure.

Here is a list of some important components to ensure the best possible protection for your network:

Security Gateway – a next generation firewall that guards against external attacks, fully managed and monitored by Layer3.

Managed Antivirus – Layer3’s best of breed, fully monitored antivirus service learns and watches behavioral patterns on a system which can predict malicious activity.

Managed Patching – Automated management of patching to ensure critical security and performance updates are consistently installed on all machines. Included on most Layer3 Managed Services plans.

DNS Protection – Building on from the Security Gateway product, if an attack gets through, Layer3 DNS Protection will among other features, stop the virus from ‘calling home.’

Replication and Recovery – Cloud Shadow from Layer3 will completely replicate your infrastructure offsite and allow you instant recovery in the event your servers fail or are compromised – even to an online virtual server.

Managed IT – IT security can be complex and multi-faceted. A comprehensive IT managed services plan from Layer3 will help guide your organisation safely through the many pitfalls and hazards that can plague any business in this world of evolving technology and very real cyber threats. A feature-rich managed service should be the cornerstone of every organisation’s IT strategy.

Security Consultation

To talk about improving your security and/or IT management, contact Daniel Bohan at Layer3 on 0508 LAYER3 (0508 529373) or info@layer3.nz.

Backup; A Thing of the Past

If you are talking about backup, you’re living in the past.

The North Canterbury magnitude 7.8 earthquake on the 14th of November, 2016 was very reminiscent of the Christchurch earthquake of 2011.

Businesses in the South Island have been forced to close, with those in Kaikoura majorly affected, some irreparably so. Wellington did not escape either, of course. To date, over 50 tenancies in Wellington have been closed, which represents an astonishing 11% of the CBD.

On top of the November quake, Wellington was further hit with punishing rains and flooding in the subsequent days, which severely inhibited accessibility in a number of areas and shut businesses down as staff were unable to get to work.

Layer3 operates from two datacenters in Wellington and Auckland. Over the last four years, we have progressively moved the majority of our customers into some form of cloud computing, most notably, our Cloud Office platform which is hosted across that two datacenter environment. Cloud Office is what we call VDI, or Virtual Desktop Infrastructure. It allows you, the customer, to access your desktop, files, and applications from wherever you are. So on the Monday morning after the earthquake, while it was all hands on deck for Layer3, it was very refreshing to see no tickets in our queue, and all services up and running.

Many of our customers were affected in Wellington, of course, with quite a few locked out of their buildings for 2-3 days. However, all of them were able to resume operations and work from home with full desktop services, as well as IP telephony services provided by our CloudPBX service.

So the days of having a backup, whether in the cloud or on – *gasp* – rotating portable hard drives, are gone. When disaster strikes, your business needs to be able to function with little or no interruption. In light of this, businesses need to ask themselves a few pointed questions now. What good will the data in your backup system do for you if your business cannot operate in any productive manner to even make use of that data? What good is your new PABX system if no one can get into the building to answer the phones? How many days can your business survive without being operational?

Business continuity is key. Not backup. Build systems that allow you to work through a disaster, not ones that just let you hopefully reload some files after one.

For more information on how Layer3 can help you improve your IT continuity, give us a call at 0508 LAYER3.

LinkedIn data breach – Act now!

Back in June 2012, LinkedIn was hacked by Russian hackers who stole approximately 6.5 million usernames and passwords. At least that is what was reported at the time.

However, in May 2016 it was ‘discovered’ that a further 100 million email addresses and passwords had been taken in the attack. This reveals what was a bad security incident to actually be a really, really bad security incident.

At the time of the original, lesser breach notification, the 6.5 million compromised LinkedIn users were prompted to change their passwords, and within a few months the incident was largely forgotten. Fast forward about four years, and this breach seems to be coming back to immediate significance. The further 100 million compromised accounts had their passwords invalidated by LinkedIn if they had not been changed since the 2012 breach.

Since the beginning of June, Layer3 has been observing issues with TeamViewer, a popular tool for remotely accessing devices such as servers. It seems that TeamViewer accounts were being compromised. When the issue was finally publicly addressed, TeamViewer stated that this was due to LinkedIn’s hacked information becoming public.

Then, last night, that database of 100 million accounts was made public, published online. Anyone can get a copy of it, with passwords in plain text. The implications of this are massive, even if an affected user has since changed his/her LinkedIn password.

In a world with tons of logins required for a multitude of sites and services used daily, weekly, monthly or just occasionally, it is common practice for many users to simply recycle a memorable password over and over again across the board. However, when one of those sites is breached, as LinkedIn was, just getting what might seem like pretty harmless information – your email address and password for that site – can in fact provide hackers all they need to break into every other account you have. For example, if your email account is compromised, hackers can then reset passwords to other services you may have. Password resets will be sent to your compromised email account, allowing the hackers to compromise these services as well. Imagine having a bunch of individually locked doors but using the same lock and key on all of them. If someone is able to get a copy of that one key, they can unlock every door with ease.

Since the release of the LinkedIn database last night, I have had multiple attempts to access internet accounts associated with my LinkedIn login credentials. Luckily, I had changed my password using long pass phrases some time ago.

What do you need to do now? We highly recommend that you change your password for all internet services, using something like pass phrases. Make sure that the password is different for every service. It might be a bit of a pain, but it will definitely be less of a pain than trying to undo whatever trouble hackers are able to cause by accessing your accounts. Even if you have changed your LinkedIn password since 2012, it is possible that you may have used that old password on other sites and services, so let this be your prompt to do a password refresh across the board.

If you have trouble remembering these passwords, there are services out there that store your passwords in a secure database, such as LastPass.

To see if your email address and password have been compromised, check https://haveibeenpwned.com/
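The password half of that check can be automated without ever sending a password anywhere, as an added example (not code from the original post or from Have I Been Pwned): the Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 and returns every matching suffix with its breach count, so the match is made locally. The live fetch below uses that real endpoint; the default offline fetch is a constructed stand-in whose corpus contains only “password”, so the example runs without network access.

```python
import hashlib
from typing import Callable, Dict

# Have I Been Pwned's Pwned Passwords range API: https://api.pwnedpasswords.com/range/<5-hex-prefix>
# replies with 'SUFFIX:COUNT' lines for every SHA-1 sharing that prefix (k-anonymity: the full
# hash, let alone the password, never leaves your machine).


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (prefix sent to the service, suffix kept locally)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live lookup; only the 5-character prefix goes over the wire."""
    import urllib.request
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_fetch_range(prefix: str) -> str:
    """Constructed offline stand-in: a corpus holding only 'password' (count is made up)
    plus one filler suffix, in the same 'SUFFIX:COUNT' format the real service returns."""
    rows = []
    p, s = split_hash("password")
    if prefix == p:
        rows.append(f"{s}:3730471")
    rows.append("0000000000000000000000000000000000A:1")
    return "\r\n".join(rows)


def is_safe_to_use(password: str, fetch_range=constructed_fetch_range, min_len: int = 16) -> bool:
    """Reject short passwords and anything present in the breach corpus; pass phrases clear both bars."""
    return len(password) >= min_len and pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate, constructed_fetch_range)} times, "
              f"safe={is_safe_to_use(candidate)}")
```

Pass `http_fetch_range` as `fetch_range` to query the real service.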