Quanexus October 2017 Newsletter

The bad guys have been upping their game when it comes to stealing information.

We just witnessed the Equifax breach, where the attackers succeeded because a security patch had not been applied to a public-facing web application. The Securities and Exchange Commission (SEC) disclosed that its EDGAR filing system had been breached, potentially giving criminals access to confidential financial information before it was publicly released. The official download of CCleaner, a popular tool for removing unwanted software, was replaced with a tampered version, and ransomware continues to proliferate.

The US Government is concerned about the popular antivirus vendor Kaspersky and is pulling Kaspersky products off all federal government systems. NIST has also issued new password guidance that drops the old complexity rules and no longer calls for mandatory periodic password changes, which has raised questions for many organizations about what their password policy should now look like.

Now more than ever it is important for organizations to understand how to protect their systems. Quanexus is offering a free seminar “Cybersecurity 101” that highlights what every business should be doing to protect their systems.

Quanexus Lunch & Learn

Cybersecurity 101

Hearing about hacks, breaches and stolen information is all too common these days; do you know what it takes to keep your network and information secure?

Attend our Lunch & Learn on Cybersecurity and receive valuable information on the most common techniques used by the bad guys and what you need to do in case an attack occurs. You will also receive actionable items to implement immediately to increase your security posture. For more information call 937.885.7272.

The Equifax Breach and What Went Wrong

What happened?

The attack vector used to breach Equifax was an unpatched web application. Equifax's consumer-facing web applications were built on Apache Struts, an open-source Java web application framework. The flaw exploited was a remote code execution vulnerability in Struts (CVE-2017-5638) for which the Apache Struts project had published fixed releases on March 7th, 2017. While early reporting framed the breach as an Apache Struts problem, the Apache Struts project pointed out that the patch had been available for months and that the breach resulted from Equifax's failure to install it.
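The practical lesson of the paragraph above is inventory: you cannot patch a library you do not know you are running. As an added example (not from the newsletter, Equifax or the Apache project), the Python script below walks a directory tree, finds Apache Struts 2 core jars by their Maven file name, and flags any version that falls inside the ranges affected by the March 2017 advisory (S2-045 / CVE-2017-5638), which was fixed in Struts 2.3.32 and 2.5.10.1. The server paths in `SAMPLE_PATHS` are constructed for the demonstration so it runs offline; point it at a real webapps directory to scan a server.

```python
"""Inventory check for the Struts flaw behind the Equifax breach (S2-045, CVE-2017-5638).

Walks a directory tree, finds Apache Struts 2 core jars by file name and reports
whether each one predates the fixed releases published with the advisory.
"""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Releases that fixed S2-045 (Apache Struts advisory of March 2017).
FIXED_2_3 = (2, 3, 32)
FIXED_2_5 = (2, 5, 10, 1)
FIRST_AFFECTED_2_3 = (2, 3, 5)   # advisory lists 2.3.5 as the first affected 2.3.x

# Maven naming convention for the Struts 2 core artifact, e.g. struts2-core-2.3.31.jar
JAR_PATTERN = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Constructed sample paths (hypothetical server layout) so the check runs offline.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-lang3-3.4.jar",
    "/opt/tomcat/webapps/dispute/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/intranet/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.2.3.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version: Tuple[int, ...]) -> Optional[bool]:
    """True inside an affected S2-045 range, False at or after the fix,
    None for versions the advisory does not list (e.g. 2.2.x or 2.3.4)."""
    if version[:2] == (2, 3):
        if version < FIRST_AFFECTED_2_3:
            return None
        return version < FIXED_2_3
    if version[:2] == (2, 5):
        return version < FIXED_2_5   # (2, 5, 10) < (2, 5, 10, 1) is True
    return None


def classify(path: str) -> Optional[str]:
    """Return a status string for a Struts core jar, or None for any other file."""
    match = JAR_PATTERN.match(os.path.basename(path))
    if not match:
        return None
    state = is_vulnerable(parse_version(match.group(1)))
    if state is None:
        return "NOT_COVERED"
    return "VULNERABLE" if state else "PATCHED"


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every path in the iterable; files that are not Struts core jars are skipped."""
    results = []
    for path in paths:
        status = classify(path)
        if status is not None:
            results.append((path, status))
    return results


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a real filesystem tree and classify the jars found there."""
    paths = (os.path.join(dirpath, name)
             for dirpath, _, names in os.walk(root) for name in names)
    return scan_paths(paths)


if __name__ == "__main__":
    import sys
    findings = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_paths(SAMPLE_PATHS)
    for path, status in findings:
        print(f"{status:<12} {path}")
```

A file-name scan is a first pass, not proof of absence: a jar that has been renamed, shaded into a fat jar, or built from source will not match the pattern, so confirm the version from the jar's `META-INF/MANIFEST.MF` or your build manifest before declaring a server clean, and treat "NOT_COVERED" as "go read the advisory", not as "safe".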

  A few facts about the size of this breach:

  • 143 million Americans were affected.
  • US population for 2016, according to the US Census Bureau, was 323 million.
  • Population over the age of 18 is 242 million.
  • The media has been reporting that 46% of the population is affected. Measured against adults, the number is worse: almost 60% of the population over the age of 18 is affected.

What you should consider doing if you are affected by the breach?

If you are among those affected by this breach, here are some things you should consider doing to protect yourself. There are three major credit reporting companies, and you can freeze and thaw your credit with each of them as needed. Whenever a new credit card application is submitted, a bank account is opened, or a major purchase is financed, a credit report is pulled. If your credit is frozen, the lender cannot pull the report and will deny the application or purchase. You can also request credit reports from these companies yourself. Last time I checked, you can request one free report every year from each company. Since there are three companies, if you ask a different company for a report every four months, you can monitor your credit for free throughout the year. You should also be monitoring your banking and credit card activity regularly; many banks and card issuers will send you email or text alerts whenever there is activity on an account.

How are the criminals going to exploit the data they stole?

At a high level, the 143 million records will be divided into many smaller lists. These lists will be sorted and classified by demographics and then sold on the Dark Web, the part of the Internet where buyers and sellers can remain anonymous and where much criminal trade takes place. List pricing will be based on the demographics of the victims; premium demographic lists will sell for more than bulk miscellaneous lists. It is important to realize that these lists will circulate for many years. It would be a big mistake to assume that if your identity has not been stolen within a year, you are safe. It could be three, or even five, years before your name ends up on a list that someone attempts to use. You need to monitor your credit and bank account activity indefinitely.

The basics to protecting your network data:

If you have been following the Quanexus Blog or my newsletters, you are familiar with what I call our Q-Security Stack. What is most important to a company is not the server or the computers, it is their data. The data is stored on a server, the server is controlled by an operating system, and software applications run on top of that operating system. Every one of those layers must be kept patched, on servers and on workstations alike. Patches (updates) fix two kinds of problems: stability issues in the programs, and vulnerabilities, which is exactly what the missing Struts patch at Equifax was. The next protection layer is anti-virus/anti-malware protection. This layer attempts to block malicious code from taking advantage of a vulnerability, whether the system is missing a patch or no patch has been released yet. The remaining layers are the firewall, backups, security awareness training, and policies/procedures.

If the Equifax servers were properly patched, this breach could have been avoided.

The Quanexus Q-Stack

Complex Passwords May Be Coming To An End!

The era of passwords that are incredibly hard to remember may be coming to an end. The National Institute of Standards and Technology (NIST) recently released Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management.” This government document makes some significant changes to the rules for creating passwords and passphrases that are difficult to crack.

Bottom line: complex passwords that require a mix of upper/lower case letters, numbers and symbols have become burdensome, impede the user's ability to get work done, and push people toward predictable substitutions (a capital first letter, a trailing “1!”). NIST's review of the research found that long passphrases are harder to crack and easier for the user to remember.

While this document is only 78 pages long, the key take-aways for many of our clients are that you can:

  • Eliminate the requirement to periodically change passwords. Passwords still must be changed if there is evidence, or a reasonable chance, that the account was compromised.

  • Eliminate the complexity requirement (the mandatory mix of upper/lower case letters, numbers, and symbols). Passwords should instead be long. The document sets a minimum of 8 characters and says systems should accept passwords of at least 64 characters, but 20 plus characters would be my recommendation. Examples might be: TheOSUBuckeyesarethebest, or Quanexusforallyouritneeds, etc. One caveat on that second example: NIST also says a system should reject passwords containing the name of the service itself, so a passphrase built on the company name would be turned away on that company's own systems.

To test a password’s strength, use this web site: https://howsecureismypassword.net/. I would not use an actual password on this site, but it will give you a good feel for what a good password might be.

The document also requires the system to compare each proposed password against a blocklist of values known to be commonly used, expected, or compromised: passwords exposed in previous breaches, dictionary words, repetitive or sequential characters (such as “aaaa” or “1234”), and context-specific words such as the name of the service or the user's own username. A password found on that list is rejected and the user is told why and asked to choose another.
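To make the two NIST take-aways above concrete, here is an added example, written for this newsletter and not taken from NIST or from any product, of what a password acceptance check built along the lines of SP 800-63B section 5.1.1.2 looks like in Python. It enforces a minimum length, normalizes Unicode before comparing, and rejects breached passwords, single dictionary words, repetitive or sequential runs, and context-specific words; it contains no composition rule and no expiry timer. The breached-password and dictionary sets are small constructed stand-ins for the large lists a real system would load, and the context words “Quanexus” and “jsmith” are hypothetical. Run as a script, it checks the two sample passphrases from the bullet list: the first is accepted, the second is refused because it contains the service name.

```python
"""Memorized-secret acceptance check modelled on NIST SP 800-63B section 5.1.1.2.

Rejects a candidate password if it is too short, appears in a breached/common
password list, is a single dictionary word, contains repetitive or sequential
characters, or contains context-specific words such as the service name or
username. Composition rules (upper/lower/digit/symbol) are deliberately absent,
and nothing here expires a password on a schedule.
"""
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8    # 800-63B: at least 8 characters when chosen by the user
MAX_LENGTH = 64   # 800-63B: verifiers SHOULD accept at least 64 characters

# Constructed stand-ins. A real verifier loads a large corpus of passwords
# exposed in previous breaches and a full word list.
BREACHED_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "football",
    "iloveyou", "admin123", "welcome1", "passw0rd",
}
DICTIONARY_WORDS = {"buckeyes", "sunshine", "dragon", "princess", "summer"}


def normalize(secret: str) -> str:
    """NFKC-normalize before measuring or comparing, as 800-63B recommends,
    so e.g. the ligature U+FB01 and the two letters 'fi' compare equal."""
    return unicodedata.normalize("NFKC", secret)


def has_repetitive_or_sequential_run(secret: str, run: int = 4) -> bool:
    """True if `run` identical characters appear in a row (aaaa) or `run`
    consecutive code points ascend or descend (abcd, 4321)."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return every reason the candidate must be rejected; an empty list means accept.

    All reasons are returned (not just the first) so the UI can tell the user
    why the choice was refused, which 800-63B also requires.
    """
    secret = normalize(candidate)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    if lowered in DICTIONARY_WORDS:
        reasons.append("is a single dictionary word")
    if has_repetitive_or_sequential_run(secret):
        reasons.append("contains repetitive or sequential characters")
    for word in context_words:
        # Service name and username are the context-specific words 800-63B names.
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    # The two passphrases suggested above, plus two weak choices, checked as a
    # hypothetical Quanexus user "jsmith" would see them.
    for pw in ("TheOSUBuckeyesarethebest", "Quanexusforallyouritneeds",
               "P@ssw0rd!", "abcd1234"):
        verdict = check_password(pw, context_words=("Quanexus", "jsmith"))
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note the limits of an exact-match blocklist: “P@ssw0rd!” sails through because only “passw0rd” is on the constructed list. A production check should use a list of hundreds of millions of breached values and, ideally, also test common symbol-for-letter substitutions, since attackers' cracking rules apply those same substitutions automatically.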

Bad Guys Exploiting Natural Disasters 

With all the hurricanes and devastation caused by recent events, it is natural for many of us to want to help. The same bad guys who are trying to steal your identity or your money, by using emotional tactics (social engineering), are hard at work. They are sending out phony emails, claiming to be part of a relief effort, asking for your financial help for the poor victims. If you are serious about helping, go directly to the organization’s website that you want to support. 

Do not click on links in emails requesting your financial support. Nothing is sacred to a criminal, they will exploit anything they can to achieve their goal. Think before you click!

Apple iOS 11 Compatibility Issue with Microsoft Email

CCleaner Hacked

Many home users and small businesses use CCleaner to remove unwanted software from their computers. CCleaner is a computer optimization program. Often, when you uninstall a program, remnants are left behind on the computer, and CCleaner is a free tool that cleans those up and gets your system running faster. In layman's terms, it “un-gunks” your computer (sometimes I refer to this type of tool as a computer enema).

The version released on August 15th had been tampered with before it was published. The tampered version collects information about your system: IP address, installed software, network adapter information and more, and sends it to a server controlled by the attackers. According to Avast it did not collect credit card numbers, Social Security numbers or other personally identifiable information, so this incident by itself does not expose your identity. The server that was collecting the data was taken down with law enforcement involvement on September 15th.

The affected versions are CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. If you have updated CCleaner since September 12th you should be OK, and if you are running the Cloud version it was updated automatically. If you are using CCleaner and have not updated yet, Avast recommends removing the old version and installing the current one. After the new install, run a malware scan to verify that no remnants of the affected version remain on your system. Some security experts go further and recommend that if your system ran the affected version, you should either rebuild it with a clean operating system or restore it from a backup created before the August 15th release date.

How did this happen? The attackers gained access to the systems that build and distribute CCleaner and its Cloud version, and the installer offered on the official download site was their modified version. It carried a valid Piriform digital signature, which is why it looked legitimate to users and to anti-virus products. What has not been released is how the criminals gained that access in the first place.

Kaspersky Banned From US Government Systems

The Department of Homeland Security (DHS) has issued a directive (Binding Operational Directive 17-01) requiring federal agencies and departments to identify Kaspersky products on their systems and remove them within 90 days. The concern is possible ties between Kaspersky officials and Russian intelligence agencies, and that Russian law could compel the company to assist those agencies. DHS is allowing Kaspersky to present its side of the issue in a written response.

No evidence that Kaspersky has done anything wrong has been made public, and this move by DHS has had wide-reaching impacts on many organizations. Currently the ban applies to US Government systems only, but it is likely that any organization that performs work for the government will soon be affected as well.

SEC Discloses EDGAR Breach

On September 20th, 2017, Securities and Exchange Commission (SEC) Chairman Jay Clayton released a statement disclosing that an intrusion detected in May 2016 had given attackers access to the EDGAR system, and that the SEC learned in August 2017 that the incident may have provided the basis for illicit trading. The SEC said it did not believe any personal information had been taken. EDGAR is the system through which publicly traded companies file their reports. A filing can sit in EDGAR before it is disseminated to the public, and anyone who can read it during that window has, in effect, insider information on which to trade ahead of the company's announcement. It is ironic that the SEC has been breached, as it has been calling on publicly traded companies to invest more in their systems to prevent cyber-attacks.

Big Breaches vs A Small Company

Breach Or Incident

I am often asked by small businesses if they really have anything to worry about, thinking they are too small to be hacked. I can assure most of you reading this newsletter, you have very little in common with the breaches that are being reported by these big companies. Big companies are under advanced persistent threats (APT), and are constantly being targeted. 

There is nobody waking up in Russia or China looking at a map and picking your company as the one to attack today, but the criminals have built tools that automatically look for low-hanging fruit. The low-hanging fruit are the companies that think they are too small to be hacked and so do not invest in any kind of security controls.

While such a company might not have anything worth stealing, it still has data it needs in order to operate, and at minimum that data can be held for ransom. It is also possible that its client database has value of its own, such as credit card information or medical records. There are several things every company should be doing to get itself off the low-hanging-fruit list.

To learn more about our Quanexus Security Stack, we are having a FREE Cybersecurity seminar in October. Please consider joining us!

For a fixed monthly fee, we are revolutionizing the IT industry with our Q-Works program. Quanexus' complete "managed services" package means that you will see increased performance, security, and reliability immediately, at an affordable price.

Your business success depends on your IT infrastructure. You need Quanexus to deliver proactive services that not only keep your network up and running, but running effectively and efficiently.

If you have any suggestions or topics you would like to see covered, please contact us by email or give us a call at 937-885-7272.

We would love to hear from you.

Quanexus, Inc. | 571 Congress Park Drive | Dayton, OH  45459


Quanexus | 937.885.7272 | www.Quanexus.com
