Purple Post – Nov 11


Week 2, November, 2019

This week's insight from Purple Team

Dear  *|FNAME|*

Let us discover what we can learn in cybersecurity this week:

Insider Threats

Two news items this week highlight the tricky nature of insider threats.

The Incidents

Trend Micro has revealed a "security incident" leading to the theft of personal data from 120,000 customers caused by a former employee.  And, on the other hand, Saudi Arabia bribed two Twitter employees to access confidential information of twitter users as a spying exercise.
The two cases demonstrate a key tenet of security: Any and all security measures that are implemented are only as good as the people using the systems.

The Threat

Consider it. It is far easier and more effective to bribe someone who already has privileged access to get you the information you want. (I daresay it would ultimately be cheaper too!).  In a similar vein, it is easier to hire away your employee to get your confidential information rather than go through the complex process of hacking your systems and accessing your information. And it has the added benefit of not having to take a legal risk as an organization!  The risk is entirely the employee’s as the Waymo-Uber case amply demonstrates.

The Learning

While a lot of security advisers will tell you how to set up processes, security policies and technical gates to ‘prevent’ insider threats, I think the answer lies in how well you understand your employees. At the end of the day, you have to trust them with the information in order for them to do their jobs.  It is also inevitable that a few of them go bad despite how well you treat them. After all, it is easy enough to build leverage on or play on a person’s greed. 
The problem is how do you to understand what their ‘normal’ behaviour is and catch any anomalous behaviour when it does happen.  It is not possible, ethical or even legal to know all the actions of your employees and catch it when they seem off. (It is called ‘stalking’ if you do it!).  
One necessary step is to ensure that you log all activities of everybody on your systems without fail, and immutably.  Once you have that, there are plenty of AI / ML tools that can highlight anomalies.  Without that, you have nothing.  Over time, you would be able get the tool to highlight only the salient anomalies.
Understanding what your employees are up to is one of the most important aspects of security. Do not ignore the first step in doing that.


- Sridhar Parthasarathy, CEO, Purple Team

Quick Links

Purple Team Insight

Learning News this week

Interesting News Threat Intelligence

Learning News this Week


The FBI as put out a public service announcement about a scam that has cost companies, by FBI’s estimates, $ 26 Billion!  The FBI calls it BEC (Business Email Compromise) and essentially it is a scam where the attacker tricks the organization into transferring money to a wrong account by sending instructions from what appears to be a legitimate email id of the person sending the instruction. For example it could look like a mail from the CEO asking for a sum to be transferred to close a deal; or a vendor changing payment instructions.


BEC is different from regular phishing mails in that it is targeted and requires a high level of understanding of your processes and the identity of the purported sender.  You need to ensure that the people processing payments are first aware of this scam. You then need train people on adequately validating  instructions for change of payment – these mails are crafted to look genuine for any but the most sceptical person. And finally, you need to ensure that no one ever suffers any blowback if they follow those instructions.  The full list of recommendations from FBI:
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Don't supply login credentials or PII in response to any emails.
  • Monitor financial accounts regularly
  • Keep all software patches on and all systems updated.
  • Verify the email address used 
  • Ensure that full email extensions are viewed.

So  you found out that you have been infected by ransomware, like seems to be the norm.  What do you do next?

Here’s what 1,180 adult individuals did:

Restarted Computer 30%
Online Tool 18%
Restored from backup 22%
Removed 13%
Reformatted Computer 5%
Removed using AV 5%
Paid Ransom 4%
Other 3%

What should you do next?


First thing to remember – do not reboot off your computer!!   That sometimes enables a malware which is stuck to complete the job. Typically, if you have a ransomware attack, you have to do two things - The first is finding the ransomware's artifacts -- such as processes and boot persistence mechanisms -- and removing them from an infected host.
The second is restoring the data if a backup mechanism is available.  If the first step is not completed, then it is possible that rebooting the computer often restarts the ransomware's process and ends up encrypting the recently-restored files.
So, your best bet is to disconnect the computer from the network and then hibernate your computer because it saves a copy of the memory, where some shoddy ransomware strains may sometimes leave copies of their encryption keys.
Call for expert help immediately after that, instead of trying to restore your backup.
To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware's first response guide on dealing with a ransomware attack.


Interesting News


Cybersecurity for women
The Indian Police Service & a set of IT professionals have launched a site,   https://cybersafegirl.com/ that educates women on how to stay safe in the cyber world. And, if they do get into trouble, what to do about it. They have a free e-booklet that can be downloaded from the site.

What is a good password?

Is a password that even you cant remember good?  "Not really." say experts.
Unreadable passwords lead you to repeat passwords, which means that a hacker cracking one account can crack multiple accounts. 
Shift to pass phrases.  Turn on two factor authentication. Install a good password manager.
IOT Security
IOT is setting the world ablaze with its myriad use cases. One forecast  predicts that there’ll be almost 41.6 billion connected things in 2025 that will generate 79.4 zettabytes of data.  However, the same use cases increase the attack surface and enable novel attacks to materialize. 
Technopedia has aggregated various expert's views on how this threat can be handled and the risk limited
Cybersecurity Excuse Generator
As we have been saying, it is inevitable that you will get attacked. When that does happen, how to you tell the world that you got hacked?
The site linked above comes to your rescue and gives you plenty of tongue-in-the-cheek excuses you can use. 
Strictly for recreational use!




Amazon Echo, Google Home Laser Hackable

Researchers discovered that precisely modulated lasers could silently send "voice" commands to smart speakers from hundreds of feet away. The attack also worked on smartphones and on an iPad, but only at short distances.

How can you defend yourself if this starts happening in real life? The best bet is to make sure your Amazon Echo, Google Home, Facebook PortalAmazon Fire TV Cube and other smart speakers aren't facing windows. 

Pwn2Own is a bi-annual hacking contest held at the CanSecWest security conference.  Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. This year's Tokyo contest was won by Team Fluoroacetate (researchers Amat Cama and Richard Zhu) taking home the Master of Pwn title for the third year in a row.  Amazon, Sony, Xiaomi, Samsung Devices were successfully hacked this year.
The highlights of  Day 1 & Day 2 linked.

Advisory on Holidays, Phishing & Malware
As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online. A few dos & donts from CISA!

Threat Intelligence

My Purple Team
My Purple Team
Purple Team
Copyright © 2019, Purple Team Cyber Security Consultants  All rights reserved.
Padmam, 1816, 13th Cross, 22nd Main, 1st Sector, HSR Layout, Bengaluru 560102
Mail: sridhar@purpleteam.in
Website: www.purpleteam,in 
Forward to a friend

Want to change how you receive these emails?
You can update your preferences or unsubscribe from this list.

This email was sent to *|EMAIL|*
why did I get this?    unsubscribe from this list    update subscription preferences