Were you a Phishing Victim?

If you were directed here from a remote logon system such as OWA (Outlook Web Access) or any other logon page, you were possibly duped: you missed the tell-tale signs of a phishing attempt and clicked a link you should not have followed.

No confidential data was taken and no data was moved from the internal system.

What could be the impact?

  • If you clicked on the link, the remote site could have run a script that downloads a payload (a virus or other malware) that infects your computer.
  • Once the malware has been downloaded, it has many possible attack paths, including encrypting your data, stealing your data, or using your computer as an attack point against other computers.

What should you look for?

  • Look at the web site address and its exact spelling. For example, ‘Apple’ versus ‘App1e’ (note the digit one in place of the letter l, which is easily missed if you scan quickly).
  • Look for the proper spelling and fonts that internal mail would use.

What should you do?

  • You should have trusted and up-to-date anti-virus software.
  • Make sure you know the sender and are expecting email from him or her.
    • If you are unsure and can make a call, phone the person.
    • You can also email the person if he or she is in your address book, but start a new, separate email rather than replying.
  • When you receive an email with a link, hover over the link with your mouse pointer and it will reveal the actual destination. Criminals can use coding to hide the actual link.
  • You should also make your Information Security staff (IT/Security/Risk) aware of the email you received if it is a phishing attempt.
    • One of the main reasons for giving feedback is that your company may be using anti-virus software and phishing prevention solutions that are not up to date or need to be fine tuned.
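The two checks above (a look-alike host such as ‘App1e’, and a link whose visible text differs from where it really points) as an added Python example. This is illustrative code written for this page, not something from the original post; the brand allow-list and the sample mail are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
KNOWN_BRANDS = {"apple", "microsoft", "outlook"}  # constructed allow-list for the example
# Digit/letter look-alikes a quick scan misses, as in the page's 'App1e' example.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]|$)")

class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in a mail body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_label(host):  # 'owa.app1e.com' -> 'app1e'; no public-suffix lookup in this demo
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_brand(host):  # brand the host imitates once digits are folded to letters, or None
    label = registered_label(host)
    folded = label.translate(CONFUSABLES)
    return folded if folded != label and folded in KNOWN_BRANDS else None

def check_links(html):
    """Flag anchors whose shown URL hides a different host, and hosts imitating a known brand."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = HOST_RE.match(text)  # only compare when the visible text itself looks like a URL
        if shown and registered_label(shown.group(1)) != registered_label(host):
            findings.append(("mismatch", text, href))
        brand = lookalike_brand(host)
        if brand:
            findings.append(("lookalike", host, brand))
    return findings
# Constructed sample mail: the visible text says apple.com, the real href goes to app1e.com.
SAMPLE_EMAIL = ('<p>Your mailbox is full.</p><a href="http://owa.app1e.com/login">'
                'https://owa.apple.com/login</a> <a href="https://support.apple.com/">Help</a>')
```

Running `check_links(SAMPLE_EMAIL)` reports both the hidden destination and the look-alike host; a mail gateway or user-reporting workflow can apply the same two tests before a person has to hover over anything.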

Microsoft Windows Device Monitor

One of the biggest risks we have in an enterprise is the introduction of viruses, which can have many adverse effects on your network and related resources.  Some of them include, but are not limited to:

  • Creating a backdoor into your environment that a bad actor (hacker) will use for his benefit and your loss;
  • Allowing a malware ‘loader’ to download the actual payload from a Command and Control (C2C) centre;
  • Wasting resources;
  • and more…

This is normally introduced by a privileged user such as an Administrator who brings in an infected USB drive and plugs it into a workstation or server on which anti-virus software is not running or not properly updated.  Now the malware is inside your network and you are a pawn in the cyberwar game.  Your system can be a springboard for criminal activities, your data can be sold on the dark web, or you can be a victim of ransomware.  There are a few steps you can take, such as locking down USB ports as part of your DLP implementation. You should have an Acceptable Use Policy that users have acknowledged and signed.  This does not stop the action, so it is also recommended to monitor users’ activity for transgressions.

Enter the SACS Device Monitor

SACS Device Monitor is a tiny, configurable Windows Service that allows you to monitor Microsoft Windows devices such as USB and Bluetooth ports and log events in SYSLOG message format to your logging servers.  There are four (4) attributes that can be configured via the registry:

  1. The SYSLOG server address, either an FQDN or an IP address. (In a small office environment this can be set to a broadcast address, i.e.
  2. The port on the remote server; the default is UDP 514
  3. Verbose logging – True or False
  4. Monitor Bluetooth – True or False
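An added Python sketch, not the SACS Device Monitor’s own code, of how its four settings drive what is sent: a config object with the four attributes (the page does not give the registry value names, so the field names are hypothetical), the filter for the Bluetooth and verbose switches, the BSD-syslog line that goes to UDP 514, and a receiver-side parser for the logging server. The server address, timestamp and device id are constructed sample values.

```python
import re
import socket
from dataclasses import dataclass
from datetime import datetime

@dataclass
class MonitorConfig:  # the four settings the page lists; the real registry value names are not given
    syslog_server: str = "192.0.2.10"  # FQDN or IP address (constructed value)
    syslog_port: int = 514             # port on the remote server, default UDP 514
    verbose: bool = False              # Verbose logging - True or False
    monitor_bluetooth: bool = False    # Monitor Bluetooth - True or False

FACILITY_USER = 1                                   # RFC 3164 facility 'user'
SEVERITY = {"arrival": 5, "removal": 6, "info": 7}  # notice / informational / debug
SAMPLE_TIME = datetime(2017, 6, 25, 14, 3, 9)       # constructed timestamp for the demo
LINE_RE = re.compile(r"^<(\d+)>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")

def should_log(cfg, bus, kind):
    """Bluetooth events need the opt-in; 'info' detail only goes out when verbose is on."""
    if bus == "bluetooth" and not cfg.monitor_bluetooth:
        return False
    return kind != "info" or cfg.verbose

def format_syslog(hostname, bus, kind, device_id, when):
    """Build a BSD-syslog line '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG', PRI = facility*8 + severity."""
    pri = FACILITY_USER * 8 + SEVERITY[kind]
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded per RFC 3164
    return f"<{pri}>{stamp} {hostname} DeviceMonitor: {bus} {kind} {device_id}"

def parse_syslog(line):
    """Receiver side: split a line into fields so a log-server rule can key on severity or host."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

def send_event(cfg, hostname, bus, kind, device_id, when=None):
    """Emit one device event over UDP if the config allows it; return the line sent or None."""
    if not should_log(cfg, bus, kind):
        return None
    line = format_syslog(hostname, bus, kind, device_id, when or datetime.now())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("ascii", "replace"), (cfg.syslog_server, cfg.syslog_port))
    return line

if __name__ == "__main__":
    print(send_event(MonitorConfig(), "WS01", "usb", "arrival", "VID_1234&PID_5678", SAMPLE_TIME))
```

With the defaults, a Bluetooth arrival is silently dropped and a USB arrival produces `<13>Jun 25 14:03:09 WS01 DeviceMonitor: usb arrival VID_1234&PID_5678`, which the parser turns back into facility 1 / severity 5 for alerting.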

Sample output of Device Monitor to a SYSLOG server


Download version 1.0 from this website.

MD5 hash of the download: 857d39768d274b22bfceee5c34cebdb0

Release history:

  • 25 June 2017 – Initial Release – Version 1.

Device Monitor is one of the utilities that allows you to monitor your environment without installing ‘bloatware’.  You do not need any additional libraries such as .NET.  It is as small and as light on traffic as possible.

If you need a setup with a specific IP or FQDN, send an email and I will assist.  Send an email to be included in any news and updates.  A subscription page is coming.

Ransomware in the Machine

“Have not done your homework?  Do not pass BEGIN, go straight to the crying room!”

The latest attack (12 May 2017) on your data, known as WannaCrypt a.k.a. WannaCry, is the result of the WikiLeaks release of NSA hacking tools.  This blog entry is not about the intricacies of the exploit or what you should do to control the damage: if you do not have staff on your team who averted this, you need to relook at their skill level as well as the controls you have in place.

Credit to anonymous on the Internet...

Have not done your homework? Do not pass begin, go straight to the crying room.

For those who have not patched against the exploit, I have seen an excellent image on the web.  This sounds insincere; however, there was ample time to address many issues.

The Microsoft patch (MS17-010) was released on the 14th of March, addressing one of the NSA-leaked zero-day attack vectors, and the world-wide attack started on the 12th of May. (That is a 59-day window of opportunity to patch.)

The latest data on wcrypt is available at the following link; it will be outdated, but nearly 220,000 infections had been noted.  Many companies have been crippled or seriously affected, including the NHS (UK), Telefonica Spain, Renault and other motor vehicle production lines.

My comment for any company that was paralyzed: you need to look at the following actions to be performed:

  • Do you have a procurement policy to ensure that your hardware and software are currently under a support contract?
  • Do you have a security officer/analyst/CSO/CISO on staff to address the risks to your resources?
  • Do you have a patch management and reporting mechanism in place?

If you do not… the board needs to be taken to task! If you do, your security officer (or related role) should be taken to task.  There is no excuse. Someone should be fired!

Practice safe HEX!