Ransomware attacks surge in Malaysia

Ransomware has become a critical threat for small and medium sized businesses in Malaysia and across South East Asia because Bitcoin makes it easy for attackers to extract ransoms from their victims.

Ransomware is simple but toxic. Malicious software is inadvertently installed on the victim’s computer by way of hoodwinking the victim into clicking on an unsafe link or attachment to an email. Once downloaded, the software then starts to encrypt files on the computer system – ranging from documents through to data sets. Once the software has encrypted enough files, these files are locked to the user and a message is displayed with instructions demanding a ransom be paid to unlock the files. A failure to pay the ransom means the files remain locked and essentially are useless.

Over the past year, Ransomware has emerged as one of the most significant attacks in the hacker arsenal against small and medium sized businesses. Unlike other forms of cyber theft, which often involve stolen credit card numbers or healthcare information, Ransomware acts directly on the victim, holding their system or data hostage until a ransom payment is made.

Recent Ransomware Attacks
The Hollywood Presbyterian Medical Centre in Los Angeles paid around $17,000 to unlock files in February 2016, following an attack that paralysed much of the hospital’s computer systems. This attack was sophisticated: cybercriminals broke into a hospital server the month before. After two weeks of reconnaissance of the system, the hackers struck on a Friday night, when the hospital’s IT staff was off for the weekend, encrypting data on 800 computers and 130 servers and rendering documents and data unreadable, ranging from patient records through to prescriptions.

In Canada, the University of Calgary paid a demanded $20,000 after a Ransomware cyberattack on its computer systems. The University IT team noticed certain files had become encrypted and managed to quarantine other files and systems from the attack. However, certain valuable files containing research data had already been locked down and so the University opted to pay the ransom to recover the files.

Ransomware Figures
According to Symantec Corporation, Malaysia ranks as 47th globally, and 12th in the Asia Pacific, for Ransomware attacks. In 2015, Malaysians experienced around 5,000 ransomware attacks – or 14 attacks per day.

Recent research conducted by a Cyber Security Research Centre indicated that around half of the victims infected with CryptoLocker agreed to pay the ransom demanded. Though it is understandable that they wanted to retrieve their locked down data files, the payment of such ransoms spurs other hackers to jump into the activity and create new forms of Ransomware.

Once considered a consumer problem, Ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat.

Different Types of Ransomware
CryptoLocker was the first successful Ransomware. It could be used by hackers of medium capability, yet it managed to fleece victims of millions of dollars in 2013 and 2014.

Newer versions of Ransomware include CryZip, Locky, Zepto, Cerber, CryptXXX and UltraCrypter.

Many Ransomware attacks exploit known ‘zero day’ errors in software on computer systems. These holes and vulnerabilities can be found in operating systems or in individual programs, such as web browsers.

The software companies often release updates and patches to close these holes, but the hackers depend on owners not installing updates, so the Ransomware can squeeze through and infect the system.

Common ways of Ransomware Infection
The traditional and most effective way for a hacker to infect a computer system is by way of email attachments with malware contained inside. Often these attachments are apparently benign Microsoft Office files such as Word or Excel but can include photos or PDFs.

Effective hackers spend some time researching their victim to create emails from spoofed addresses the victim may trust, or else name documents after a project or location the victim is familiar with. The victim is then tricked into opening the document because the document name appears genuine or because they trust the sender, not knowing the sending email address has been faked.

Other hackers may try to infect a computer system by way of exploit kits on infected webpages the victim may visit, often on pornographic sites or other sites which pop up and attract visitors.

Once the attachment is unzipped and run or the exploit kit runs, the infection process follows these steps:

1. During the encryption process, the malware generates the public key based on the encrypted private key
2. The malicious software begins encrypting accessible files [often those with targeted extensions such as .docx or .xls]
3. Once enough files have been processed, the malicious software locks all encrypted files with a private key
4. The computer system still works but cannot access these locked files
5. A ransom note is presented in three formats (text, image and web page) informing the victim of the attack and of the need to make a Bitcoin transfer to obtain the encryption key to unlock the targeted files
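The infection steps above leave two symptoms on disk that a defender can check for: documents that have lost their normal file header and now look like random data, and ransom notes dropped in several formats. The following Python script is an added example (not code from the original article or from any ransomware family) that flags both; the extension-to-magic-bytes table, the 7.5 bits-per-byte entropy threshold and the ransom-note name pattern are my own assumptions, and the sample directory it builds is constructed inline.

```python
import hashlib
import math
import os
import re
import tempfile
from collections import Counter

# Header bytes an intact file of each type starts with (assumed table).
EXPECTED_MAGIC = {
    ".docx": b"PK\x03\x04",          # Office Open XML is a ZIP container
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",     # legacy OLE2 compound document
    ".xls": b"\xd0\xcf\x11\xe0",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext is close to the maximum of 8
# Note file names of the form <keyword>...<.txt/.html/.bmp/.png> (assumed heuristic).
NOTE_PATTERN = re.compile(r"(decrypt|recover|restore|ransom).*\.(txt|html?|bmp|png)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True if a document-type file has lost its header and reads as near-random."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXPECTED_MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(EXPECTED_MAGIC[ext]):
        return False  # header intact: still a readable document
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def is_ransom_note(name: str) -> bool:
    return bool(NOTE_PATTERN.search(name))


def scan_directory(root: str) -> dict:
    """Walk root and return paths that look encrypted and paths that look like notes."""
    result = {"encrypted": [], "ransom_notes": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if is_ransom_note(name):
                result["ransom_notes"].append(path)
            elif looks_encrypted(path):
                result["encrypted"].append(path)
    return result


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample_tree(directory: str) -> None:
    """Write constructed sample files: intact documents, one 'encrypted' .docx,
    a ransom note in text and HTML form, and an ordinary text file."""
    files = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 2000,
        "budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 2000,
        "invoice.pdf": b"%PDF-1.4\n" + b"hello " * 300,
        "contract.docx": pseudo_random_bytes(4096),   # header gone, near-random body
        "HOW_TO_DECRYPT_FILES.txt": b"Your files are encrypted. Pay in Bitcoin.",
        "HOW_TO_DECRYPT_FILES.html": b"<html><body>Your files are encrypted.</body></html>",
        "notes.txt": b"shopping list",
    }
    for name, content in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return the findings by basename."""
    directory = tempfile.mkdtemp()
    build_sample_tree(directory)
    found = scan_directory(directory)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for category, names in run_demo().items():
        print(category, names)
```

Compressed formats that are not in the table (archives, media) also have high entropy, which is why the check is restricted to extensions whose intact header is known.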

Use of Bitcoin
The utilisation of Bitcoin has also fuelled the spread of Ransomware. Bitcoin is now the preferred payment method of most Ransomware infections because it allows users to send and receive money from anywhere in the world, often anonymously.

What Can You Do If You’re Infected by Ransomware?
Unfortunately, there is little you can do to recover your files once your system is infected with Ransomware and the files are encrypted. The best defence is to have a full backup stored on a separate drive so that you can reinstall the data. However, make sure to isolate your backup to prevent these files also being encrypted and locked down.
1. Isolate the infected machine
It’s important that the system is taken offline, as the hackers essentially control your computer and could use it to gain access to other systems on the network.

2. Weigh up the pros and cons of paying a ransom
As with any form of ransom, you are not guaranteed to obtain cooperation from the hackers – they may demand further payment or else you may be the target of a repeat (and potentially more costly) ransom attack in the future.

Can you be sure that the files will indeed be unlocked? If they are unlocked, can you be sure that the Ransomware hasn’t been pre-programmed to repeat its encryption and demand a higher ransom?

[However, anecdotal information indicates that the hackers want their business model to work and thus do release the data upon payment].

3. Recovery
Run endpoint security software to discover and remove the Ransomware software. If it cannot detect the threat, wipe the machine and remove the operating system.

4. Restore
Review your recent data backups and restore files and operating systems from the most recent backup.

5. Alert Law Enforcement
In Malaysia the agency is CyberSecurity Malaysia, which can be contacted via its website www.cybersecurity.my.

In Singapore the agency is the Cyber Security Agency of Singapore; see https://www.csa.gov.sg/singcert/about-us/faqs for details.

Though they probably won’t be able to provide immediate assistance, such attacks need to be reported in an effort to track the hackers.

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Digital photocopiers pose security threat for identity theft

The digital photocopier being used in your home or office may offer an identity thief or fraudster gateway direct to your personal or sensitive data. Though most users are unaware, nearly all digital copiers sold since 2002 contain a digital hard drive — similar to the one in a personal computer or laptop — that stores images of every document copied, scanned or emailed by the photocopier.

Please note that digital photocopiers differ from standard digital scanners: digital photocopiers are usually known as MFPs (multi function product / peripheral / printer) or MFDs (multi function device) and are able to function stand-alone without being hooked up to a computer. [The main difference is that a digital scanner requires an explicit PC connection to function].

Most offices and home users are unaware of the potential risks involved with digital photocopiers. Security surveys regarding photocopiers by a University found that more than 60 percent of users were unaware that copiers store images of all documents on a hard drive which could be accessed later by technicians or outsiders.

Manufacturers of digital photocopiers do caution consumers about the default settings that result in all images being saved to the internal hard drive for later review. However, these warnings have mainly fallen on deaf ears, with offices not treating the data with the proper security protocols. The digital photocopiers also have encryption packages to protect the data, but few users know to, or can be bothered to, enable them so that the images are protected by a password. Some machines do have a product that will automatically erase images from the hard drive, but these come as costly extras.

Therefore the average business or home user remains oblivious to the dangers posed by these digital copiers. As digital copiers are often used in offices to copy items such as passports, credit cards, IC cards, driving licences and utility bills, this data on a hard drive can be a goldmine for identity thieves and fraudsters. Investigations organised by a leading university in New York found that it’s easy to buy an old digital copier loaded with images of data such as social security numbers, driving licences, bank records and income tax forms. Two digital copiers were found to have been used in government offices, including a Police Department.

The team simply pulled out the hard drives from the digital copiers and used free forensic software tools on the Internet so that tens of thousands of documents were recovered within one day. A leading expert on digital security commented that any company needs to conduct a review of all IT equipment storing data as part of the business and take steps to ensure the data is encrypted or else destroyed via standard forensic IT steps to ensure security.

Do you need to know more about our services and how Regents can assist you with preventing information loss and securing your computer network? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Mobile phone hacking scandal rumbles on

It is four years since the phone-hacking scandal at the News of the World newspaper [the leading UK Sunday newspaper] saw the newspaper’s former royal correspondent, Clive Goodman, jailed for his part in hacking into the mobile phone voicemails of Princes William & Harry. It appears that Clive Goodman was so desperate for a ‘story’ that he resorted to engaging a Private Investigator, Glenn Mulcaire, to hack into the voicemail messages of the Princes for leads and gossip.

The two were found out when members of the Royal household noticed that messages they had yet to access were marked as ‘read’, and when Clive Goodman published a vanilla story in the News of the World about one of the Princes having medical treatment for his knee, almost word for word from a voicemail left for the Prince.

Four years ago the News of the World claimed that the phone hacking was the product of one misguided journalist and the private investigator, Glenn Mulcaire. An investigation was undertaken by the Metropolitan Police and there was enough evidence to prosecute these two. They both went to gaol. That was the end of that.

But it wasn’t. Rumours swirled around that in fact many of the journalists at the News of the World had used Glenn Mulcaire to gain access to the voicemail of celebrities and even senior politicians. Further allegations surfaced that in fact the Metropolitan Police had stacks of evidence showing that the phone hacking went far beyond the two Princes and involved far more journalists within the News of the World. But the Metropolitan Police were flaccid in their investigation, followed by suggestions that senior Police officers had relationships with the publishers of the News of the World. Lord Prescott, Former Deputy Prime Minister and alleged victim of the phone hacking scam, is now seeking a judicial review into Scotland Yard’s handling of the investigation.

But the matter was kept alive by the Guardian and New York Times newspapers, both direct competitors to the publishers of the News of the World. Things were further complicated when Andy Coulson, former editor of the News of the World, was promoted to be a media advisor to David Cameron, the newly elected Prime Minister.

Coulson has denied knowing of the hacking, but many doubt how valid this claim is. In court testimony for another matter, Andy Coulson repeated under oath the refrain that the phone hacking was due to one isolated journalist. However, Coulson must have known that Glenn Mulcaire was officially being paid £100,000 per year plus additional cash handouts – for doing what exactly? Some wonder whether any fresh evidence could disprove the sworn testimony of Andy Coulson and expose him to the charge of perjury. Stranger things have happened.

And now the stonewall put in place by the News of the World has some serious cracks in it. Each week in the UK another celebrity announces legal action against the News of the World, claiming that their privacy has been invaded by the phone hacking.

Some celebrities are taking separate legal action against Glenn Mulcaire directly for the phone hacking, whilst he in turn is appealing against a decision to make him divulge which journalists on the News of the World hired him to hack the phones.

The Police have now admitted that they had seized multiple pages of phone details from Glenn Mulcaire with first names handwritten on each – supposedly by Mulcaire indicating which journalist within the News of the World was requesting the information. Will Mulcaire declare who ordered what phones to be hacked? Will he name names? The News of the World news editor, Ian Edmondson, had been suspended amid allegations relating to the phone hacking of actress Sienna Miller’s phone.

Lawyers acting for alleged victims of the phone hacking suggest that there may have been thousands of victims. Around 3,000 phone numbers were listed in documents seized by Police back in 2006 and telephone records for Glenn Mulcaire show multiple calls from his own phone to the numbers used by celebrities – the path of evidence should be fairly easy to follow. How vigorously will the Police pursue it this time round?

This one will run and run.

How was the phone hacking conducted?
For some mobile phones, it is possible to listen to any voicemails by dialling an access number and then entering the mobile phone number followed by the PIN.

Often the user either leaves the PIN at the default – usually ‘0000’ – or else chooses a simple PIN like 1234 or 1111. On some occasions, the hacker may get the PIN via dumpster diving or under pretext, calling the phone provider pretending to be the owner and asking for the PIN.

How to protect yourself from phone hacking?

  • Choose an irregular PIN such as 4729 or 8147
  • Do not record the PIN in an accessible place, such as a post-it note on your desk or in your diary
  • Change your PIN every few months
  • Observe whether any voicemail messages have been designated as accessed before you have viewed them
  • Report any suspicions you may have to your mobile phone provider and insist that they investigate the matter
  • Do not pass your PIN to anyone else
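A provider or an organisation issuing handsets can enforce the first of these tips automatically. The Python check below is an added example (not from the original article) that rejects the weak voicemail PINs described above (the ‘0000’ default, repeated digits like 1111, sequences like 1234) and accepts irregular ones such as 4729 or 8147; the default-PIN list, the repeated-pair and year rules, and the minimum length are my own assumptions.

```python
# Defaults and examples the article quotes as weak; extend with your carrier's defaults.
DEFAULT_PINS = {"0000", "1234", "1111"}
MIN_LENGTH = 4  # assumed policy minimum


def pin_weaknesses(pin: str) -> list:
    """Return the reasons a voicemail PIN is weak; an empty list means acceptable."""
    if not pin.isdigit() or len(pin) < MIN_LENGTH:
        return ["must be at least %d digits, digits only" % MIN_LENGTH]
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("known default or example PIN")
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    # Consecutive differences of +1 (1234) or -1 (4321) everywhere mean a sequence.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    # Even-length PIN made of one half repeated (1212, 123123) (assumed rule).
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] == pin[half:]:
        reasons.append("repeated pattern")
    # Four-digit PIN that reads as a plausible birth year (assumed rule).
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        reasons.append("looks like a year")
    return reasons


def is_acceptable(pin: str) -> bool:
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    for candidate in ("0000", "1234", "1111", "1212", "1987", "4729", "8147"):
        print(candidate, pin_weaknesses(candidate) or "ok")
```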

In the meantime, wasn’t it The Jam that sang the lines:

Each morning our key to the world comes through the door
More than often it’s just a comic, not much more
Don’t take it too serious – not many do
Read between the lines and you’ll find the truth

Read all about it, read all about it – news of the world

Read all about it, read all about it – news of the world

Do you need to know more about our services and how Regents can assist you with mobile phone forensics or computer forensics? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

When does unauthorised access to email become hacking?

In late December 2010 in the US state of Michigan, a man was charged by Police under anti-hacking laws intended to combat the unlawful accessing and copying of data such as Intellectual Property, personal data or financial information. However, the man is accused instead of logging into his wife’s email account without her permission and viewing her emails.

The man, Leon Walker, instead learned from the emails in his wife’s Gmail account that she was having an affair with her second husband. Walker decided to inform his wife’s first husband [this gets complicated] as there was an issue regarding the son of the first husband and Walker feared for the boy’s safety. When the first husband took action based on these emails, the wife reported Walker to the Police and he was arrested.

Walker’s arrest raises considerable queries over evidence obtained in relation to divorce and family court matters. Around half of US divorce cases centre on the disclosure of some form of electronic data such as emails, text messages or social networking posts. If the other side’s legal team can object to this data claiming that it was collected in an underhand way, then the evidence may be thrown out by the court. This could result in many family court and other civil matters being unable to proceed.

Walker has claimed that he and his wife shared the computer and that he merely looked at the emails and didn’t need consent. The wife claims that this isn’t so and that Walker had no right to look at the emails. It will be interesting to see how the court rules and whether any appeals will set a precedent for future cases. Other cases have turned on whether an individual had actual or implied permission to view certain information on a computer, website or mobile phone.

Walker’s legal counsel stated that the prosecutor was taking a law aimed at computer hackers attempting to steal data or compromise systems and instead applying it to a divorce matter. The main

This case has some similarities to that of a famous case involving the unofficial viewing of emails; that of former Governor of Alaska Sarah Palin’s Yahoo emails in 2008. In May 2010, David C Kernell was found guilty of obstruction of justice and unauthorised access to a computer. Kernell was alleged to have broken into the personal Yahoo email account of Sarah Palin by guessing her password reminder. Kernell had no relationship to Palin that could explain why he may have a reason to access her emails.

After accessing the Yahoo account, Kernell then went on to post copies of Palin’s emails, addresses of her contacts, and family photos on Wikileaks. As Palin was running for Vice President at the time, this simple breach of security had serious ramifications for her campaign.

The obstruction of justice conviction related to the fact that Kernell had deleted evidence from his computer hard drive after investigations commenced into identifying the person responsible for hacking into the Yahoo account.

When conducting an investigation that involves the viewing of electronic files and data, it is imperative that the provenance of the data be established. Does the investigator have the right or permission to copy, recover, analyse or view these files, from the owner or via a court order? Legal privilege issues should also be considered, and legal advice should be sought if anything appears uncertain. Failure to follow proper forensic computer procedures could result in the evidence being invalidated and the matter being dismissed by a court.

Do you need to know more about our services and how Regents can assist you with computer forensics? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Discarding computer hard drives can be dangerous

During a computer upgrade or replacement, many are tempted to toss the old hard drives on the curbside, sell them on eBay or donate them to a local school or charity group. But if the data contained on those old drives has not been properly erased before discarding, it might be safer to smash them with a hammer.

If proper steps are not taken to sanitize the data on the hard drives, the data could end up in the wrong hands and lead to numerous damaging events including industrial espionage, cyber attack, identity theft, embarrassing leaks of information [think Wikileaks] or else contravention of sensitive data laws such as patient privacy or stock exchange disclosures.

There have been numerous studies by University IT departments in which they buy discarded hard drives online, pick them from the trash or find them at garage sales or used computer stores. These drives are then examined using computer forensic tools to ascertain what data is still contained on them.

The results in the past have been startling. Old files located on the hard drives have included credit card information, personal medical details, business plans with trade secrets, personal finance calculations and business emails. One hard drive was found to have been taken from a bank ATM and contained details of thousands of banking transactions!

A notable pioneer of this process has been Simson Garfinkel, a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University. Garfinkel, a computer forensic expert, has been obtaining old hard drives and examining them for residual information since 1998.

Garfinkel has followed up by contacting some of the organisations and inquiring as to how their data came to be left on these discarded hard drives. One organisation revealed that they had upgraded some hundreds of computers and had let the old drives go to be sold as spare parts. They had mistakenly assumed that the contractor would take steps to sanitize the data for them.

Another issue has been that employees weren’t properly trained or directed in data destruction techniques. Therefore, the employees overseeing the disposal of hard drives had no guidelines on how to act or what steps to take to completely delete the data held on the old hard drives. The disposal of hard drives is just one example of why organizations need to formalize and audit their security controls. Organizations need to understand these issues and track their data flows from beginning to end so as to preserve their security.

Data protection and security can be enhanced by following these useful tips:

  • Have the IT and Security departments formulate a suitable approach to data handling and data destruction
  • Incorporate these steps and approaches in a set of guidelines and instructions for all IT personnel and other employees to adhere to
  • Set up an audit trail tracking all hardware containing data as well as data moving across network boundaries
  • Make the general employees and management aware of data protection and the issue of leaks – apply this to mobile devices including laptops, iPhones and smart phones
  • Regularly review these guidelines and instructions along with spot checks to ensure that they are being understood and followed
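The spot checks in the last tip can include verifying, before a drive leaves the building, that its sanitisation actually worked: the same signature-based technique the university teams used to recover files from discarded drives can be turned around to confirm nothing recognisable remains. The Python script below is an added example (not from the original article or from any forensic tool) that scans a raw disk image for common file headers and for non-zero data; the signature table, the chunking scheme and the verdict wording are my own assumptions, and the two sample images it checks are constructed inline.

```python
import os
import re
import tempfile

# Header bytes of file types commonly found on office drives (assumed table).
SIGNATURES = {
    "PDF": b"%PDF",
    "JPEG": b"\xff\xd8\xff",
    "ZIP/Office": b"PK\x03\x04",
    "OLE2 (doc/xls)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}
_MAX_SIG = max(len(s) for s in SIGNATURES.values())


def scan_image(path: str, chunk_size: int = 1 << 20) -> dict:
    """Read a raw image in chunks; count non-zero bytes and file-header hits.
    A tail of the previous chunk is kept so headers straddling a chunk boundary
    are still found, and only matches ending inside the new chunk are counted."""
    report = {"total_bytes": 0, "nonzero_bytes": 0,
              "signatures": {name: 0 for name in SIGNATURES}}
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            report["total_bytes"] += len(chunk)
            report["nonzero_bytes"] += len(chunk) - chunk.count(0)
            window = tail + chunk
            for name, sig in SIGNATURES.items():
                for match in re.finditer(re.escape(sig), window):
                    if match.end() > len(tail):   # not already counted last round
                        report["signatures"][name] += 1
            tail = window[-(_MAX_SIG - 1):]
    report["signatures"] = {k: v for k, v in report["signatures"].items() if v}
    return report


def verdict(report: dict) -> str:
    """Turn a scan report into a disposal decision."""
    if report["signatures"]:
        return "residual signatures found"
    if report["nonzero_bytes"] == 0:
        return "zero-filled"
    return "non-zero data without known signatures: inspect manually"


def build_sample_images(directory: str) -> tuple:
    """Write two constructed 64 KiB images: one zero-filled, one with a PDF header,
    a JPEG header straddling a 4 KiB boundary and an Office/ZIP header left behind."""
    wiped = os.path.join(directory, "wiped.img")
    with open(wiped, "wb") as fh:
        fh.write(b"\x00" * (64 * 1024))
    dirty_bytes = bytearray(64 * 1024)
    dirty_bytes[4096:4104] = b"%PDF-1.4"
    dirty_bytes[8190:8193] = b"\xff\xd8\xff"   # bytes 8190..8192 cross the 8192 boundary
    dirty_bytes[30000:30004] = b"PK\x03\x04"
    dirty = os.path.join(directory, "not_wiped.img")
    with open(dirty, "wb") as fh:
        fh.write(dirty_bytes)
    return wiped, dirty


def run_demo() -> dict:
    """Scan both constructed images with a small chunk size and return the findings."""
    wiped, dirty = build_sample_images(tempfile.mkdtemp())
    wiped_report = scan_image(wiped, chunk_size=4096)
    dirty_report = scan_image(dirty, chunk_size=4096)
    return {
        "wiped": verdict(wiped_report),
        "dirty": verdict(dirty_report),
        "dirty_signatures": dirty_report["signatures"],
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real drive the same functions apply to the block device or to a full image taken of it; a drive overwritten with random data reports as non-zero without signatures rather than as zero-filled, so the third verdict is expected in that case.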

Do you need to know more about our services and how Regents can assist you with preventing information loss and securing your computer network? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

More employees terminated for FaceBook postings

The divide between workplace responsibilities and private time has become further blurred as employees’ Facebook and other online postings are being monitored by their bosses. The number of terminations of employees for inappropriate postings is expected to grow as more teenagers who have grown up on social networking move into the workforce. They have different views on what can be texted and posted in public.

Some of these employee terminations have been highlighted in the media after the terminated employee has contested the decision at employment tribunals. However, most of the decisions have gone against the employees, including:

  • A barman who was on two days sick leave over New Year posted photos of himself celebrating the New Year with friends. The boss saw the photos online and terminated him despite the barman having a medical certificate
  • A new clerical employee griping that the work was dull and mundane. A supervisor spotted the online comments on Facebook and she was terminated

These incidents suggest that employers are beginning to pay serious attention to what their employees do and write online. A study by Proofpoint, an Internet security firm in the US, found that 17 percent of medium to large size companies in the US reported having issues with employees’ use of social media. 8 percent of these companies reported having terminated employees for their online behaviour on sites such as Facebook and LinkedIn.

Other findings of note from the study showed that:

  • 15 percent of surveyed companies have disciplined an employee for violating multimedia sharing / posting policies
  • 13 percent of surveyed US companies investigated an exposure event involving mobile or Web-based short message services
  • 17 percent of surveyed companies disciplined an employee for violating blog or message board policies

With the advent of sites such as Wikileaks exposing thousands of confidential messages between US diplomats, we have to recognise that there is a possibility that sometime in the future our own emails, reports, photos or postings may become public. In an effort to avoid an embarrassing or career jarring incident, it is advisable to:

  • Be aware that any messages or reports created during work time sit behind the corporate firewall, and there’s a good chance that anything you write is being logged or monitored
  • Keep your comments general and do not divulge any corporate information or personal likes / dislikes which you wouldn’t discuss openly at work
  • Remember that others may retweet your comments or post photos without your knowledge [or permission] so keep the common sense flowing when you post.

Are you seeking assistance with an Employee Misconduct matter or computer misuse problem? If so, we at Regents can help you – just visit our Employee Misconduct Webpage for further information

NSW MPs or staffers viewing porn on parliament computers

Police may be instructed to investigate reports that New South Wales Members of Parliament or their staffers viewed websites containing sexually explicit images of young people.

The allegations were contained in an independent report undertaken by consultancy firm Ernst & Young. The report was requested in September 2010 after accusations were made based on an unofficial audit of computers used by Members of Parliament and their staffers.

The audit was undertaken by the Department of Parliamentary Services and found that certain computers used by Members of Parliament had tens of thousands of hits on pornographic and gambling websites.

The audit was conducted using forensic software to determine the IP addresses of websites visited. Further analysis was made to ascertain what images were viewed or downloaded plus the time spent on each site. The data was contained in web surfing histories known as DAT files which are automatically saved on the personal computers and on back-up tapes. Further searches were made of the internet activity monitoring software installed on the gateway servers to cross reference the activity.

Earlier in 2010 following the first audit, Labor government Ports Minister Paul McLeay was fired by Premier Kristina Keneally after he admitted that he had been accessing online adult pornography and gaming sites whilst he served as a minister and as a backbencher.

The Ernst & Young report reported that nearly half of the 72 most-used websites on parliamentary computers during a 10-month period “appear to be adult-related sites”. Nine of these websites were found to contain sexually explicit images of young people. The age of those pictured in these images may be under 16 though that is the subject of further investigations.

Do you need to know more about our services and how Regents can assist you with computer forensics and data recovery? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.