Author: pkfavantedge (Page 27 of 37)

Guarding Yourself From Internet Intrusions

I generally store all my customers’ project data in folders and back them up on a weekly basis. May was crazy, as it was the first time everyone was filing their GST with Customs Malaysia. To cut a long story short, I was so busy that I didn’t do any backups for three weeks in a row. Guess what? I got attacked! An extremely bad case of internet intrusion that made me cry tears of anguish.
I was ‘googling’ for something I was researching and went to a website that looked ‘harmless’. My laptop was running Norton Antivirus. No alert or red flag went up, but 10 minutes later I couldn’t access any of my Excel or Word documents. There was an additional Notepad document in each of my folders. I knew right away that I had been attacked.

I opened the Notepad file to read the message; I needed to know what virus I had been infected with to decide what my next move should be.

So, it was Cryptowall 3.0. It is one of the newer versions of ransomware and so far no ‘key’ is available to decrypt it. Many others out there have been decrypted by helpful forum members, but not Cryptowall 3.0. They want money before my files can be decrypted. It has never been proven that if you pay them they will give you the key to decrypt the files, and it is my belief that we should never encourage these people to bribe and threaten in this manner.

Rather than crying over spilt milk, it was time for me to assess how to restore and clean my laptop. This is what I did.

1) Restore
Restore from my backups, which were three weeks old. Unfortunately, I had done a lot of work since my last backup. Not good. However, Microsoft does have a feature that is very useful: ‘Restore Previous Versions’.
If you right-click on each folder, there is an option to select the restoration date for that folder. It is a life saver in many ways: you may not get your latest version, but it saves you tons of hours of trying to figure out what you did to your documents over the past three weeks, in my case. So, it was an arduous task of right-clicking on ALL my folders and restoring them to the so-called ‘latest’ version.

2) Anti-virus program re-assessment
Many times it is our own fault that we haven’t installed the latest virus definition update. In my case, it is auto-updated. So, go figure. I checked that I was still on auto-update mode for the program, but the virus attacked anyway. We need to know that there are no virus-proof programs. Hackers come up with new viruses on a daily basis. If you visit AlienVault’s Open Threat Exchange (OTX), the list grows every day. It is to our own benefit to be preventive rather than reactive when it comes to being on the alert, and to ensure that we have a reasonable Internet Security Application in place at work.

3) Cleaning up my laptop
For those not in the know, there are many forums available for poor ‘infected’ souls like us, with members who are willing to help clean up and make sure our laptops are running back in tip-top condition. It would be very foolish (I repeat, foolish) not to do a proper clean-up after being infected, as you risk your files being encrypted again. Using Norton to clean up is probably the bare minimum you should do; however, I wanted to be very sure. Speaking of forums, I have always gone to two forums which have helped me answer questions about all sorts of Internet Security matters, etc.
a) http://www.bleepingcomputer.com
b) http://forums.whatthetech.com/index.php?showtopic=129712&hl=
In my case, I decided to go to whatthetech. If you are a registered user of any of these forums, they will go through each step to help you. You can view my thread on how the clean-up process went from the link I’ve provided. There is no obligation to pay, but donations are most welcome by the folks who dedicate their time on the forums. (This article is not paid for or requested by whatthetech.)

4) Some things to take note
• Avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infested with malware: worms, backdoor Trojans, IRC bots and rootkits propagate via P2P file sharing networks, gaming sites and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. The best way to reduce the risk of infection is to avoid these types of web sites and P2P programmes.
• Registry cleaners and optimisation tools that claim to speed up your computer should be avoided; they are potentially dangerous. By running a registry cleaner you risk rendering your machine unbootable.
• Personal Data Sharing: WildTangent Games. Did you know that if you own an ACER laptop/desktop, WildTangent Games are PRE-INSTALLED? Apparently, ACER has a partnership with them. What you need to know is:
The privacy policy of WildTangent Games, by default, indicates that you have agreed to advertisements by WildTangent, third parties and brand studies, whereby you have allowed WildTangent Games to collect certain personal information.
This was discovered by the whatthetech consultant who was helping me. So, if you own an ACER laptop, beware and uninstall all WildTangent Games. [Check out my piece about Personal Data and PDPA Malaysia: http://www.pkfavantedge.com/pdpa/the-iot-internet-of-things-my-personal-experience/]

5) Back-up Frequently
Back up, back up, back up. I cannot emphasise enough the importance of this exercise. Back up at least once a week, especially if you have done a lot of work that week. You may choose to back up your personal and work items at different frequencies, but back up all your precious memories and work.
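Section 1 above relied on Windows ‘Restore Previous Versions’ (Volume Shadow Copies) to get files back, and section 5 says to back up weekly. As an added example (not the author’s script and not a PKF tool), the Python below does a versioned copy to a separate folder, writes a SHA-256 manifest so a version can be verified before it is trusted for a restore, and refuses to take a new backup when most Office/PDF documents in the source have lost their file signatures, which is what an in-place encryptor leaves behind. That refusal matters because a scheduled job that runs after the infection would otherwise add a version full of ciphertext. Assumptions: the source and destination paths, the MAGIC table (only .docx/.xlsx/.pptx/.doc/.xls/.pdf are checked; other files are copied without inspection) and the 50% damage threshold are choices made for this example. Several ransomware families delete shadow copies before encrypting, so a copy on separate storage is a safer habit than relying on ‘Previous Versions’.

```python
"""Versioned backup with a SHA-256 manifest and a pre-backup damage check.
Added example for this post; not the author's script or a PKF product."""
import hashlib
import json
import os
import shutil
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Leading bytes a healthy file of each type must start with. Assumption:
# only these document types are checked; other extensions are copied as-is.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def source_files(src: Path) -> List[Path]:
    return [p for p in sorted(src.rglob("*")) if p.is_file()]


def looks_damaged(path: Path) -> Optional[bool]:
    """True if a known document type has lost its magic bytes (what an
    in-place encryptor leaves behind); None if the type is not checked."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return None
    with path.open("rb") as f:
        return f.read(len(magic)) != magic


def damage_ratio(src: Path) -> float:
    """Fraction of checkable documents under src that look overwritten."""
    results = [r for r in map(looks_damaged, source_files(src)) if r is not None]
    return sum(results) / len(results) if results else 0.0


def backup(src: Path, dest: Path, max_damage: float = 0.5) -> Optional[Path]:
    """Copy src into a new numbered version under dest and write a manifest.
    Returns None (and copies nothing) when most documents look encrypted,
    so a ransomed tree never becomes the newest backup version."""
    if damage_ratio(src) > max_damage:
        return None
    dest.mkdir(parents=True, exist_ok=True)
    version = dest / f"v{len([d for d in dest.glob('v*') if d.is_dir()]) + 1:04d}"
    manifest: Dict[str, str] = {}
    for p in source_files(src):
        rel = p.relative_to(src).as_posix()
        target = version / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        manifest[rel] = sha256_file(p)
    (version / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return version


def verify(version: Path) -> List[str]:
    """Relative paths whose stored copy no longer matches the manifest."""
    manifest = json.loads((version / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (version / "data" / rel).is_file()
            or sha256_file(version / "data" / rel) != digest]


def restore(version: Path, target: Path) -> int:
    """Copy every file of a verified version back under target."""
    if verify(version):
        raise ValueError(f"{version} fails integrity check; not restoring")
    manifest = json.loads((version / "manifest.json").read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(version / "data" / rel, out)
    return len(manifest)


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    src, dest = root / "projects", root / "backups"
    (src / "clientA").mkdir(parents=True)
    with zipfile.ZipFile(src / "clientA" / "gst.xlsx", "w") as z:   # constructed sample
        z.writestr("[Content_Types].xml", "<Types/>")
    (src / "clientA" / "notes.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    v1 = backup(src, dest)
    print("backed up to", v1, "- integrity problems:", verify(v1))
    for p in source_files(src):              # simulate ransomware overwriting in place
        p.write_bytes(os.urandom(512))
    print("backup after 'encryption':", backup(src, dest))   # None: refused
    print("restored", restore(v1, src), "files; damage now", damage_ratio(src))
```

The `__main__` block builds a constructed sample tree in a temporary folder, backs it up, overwrites the source with random bytes to stand in for the encryption, shows the second backup being refused, and restores from the first version. Point `src` and `dest` at real folders (ideally an external drive) for actual use, and keep the manifest with each version: `restore` refuses to copy from a version whose files no longer match it.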
My viral attack drama ends here. I certainly do not wish this drama on anyone.

Be SAFE!!!

For Internet Security Applications advisory or PDPA training, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

The IOT (Internet of Things) : My Personal Experience

Unless you have been living in a cave or on a secluded island without internet connection, you may have come across the term ‘Internet of Things’ or IoT. According to Gartner, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

Living in an era where we have easy access to information at our fingertips is now taken for granted. Going out of your home without your smartphone is absolutely unthinkable, well, at least for me. I can be connected with my friends and family members anytime and anywhere; it can’t get better than that, right? Well, let’s re-think this carefully.

Security
I am a huge fan of the Strava application. This mobile application uses GPS and mobile data to track your activity (be it cycling or running): it tracks your mileage, exercise effort level (wattage) and time taken to complete the activity, and then provides data on your ranking against other Strava users on the same activity/route. As I cycle and run competitively as a ‘hobby’, Strava is a great way for me to track my improvements and also pit myself against my friends to be the Queen of the Mountain on a certain mountain anywhere in the world. Awesome! Well, maybe….

The great thing with Strava is that it is connected to Facebook. In fact, if you use your Garmin to track your activity, you can set up your Garmin to connect seamlessly to Strava for every activity tracked on the Garmin. Notice the word I’ve used here: SEAMLESSLY. Yes, it is that easy. Friends on Facebook are able to know where I was, or where I currently am, based on my post through Strava. Now my friends can like my activity and comment as well. Let’s just say that a friend of my Facebook friend intends to track me and know my current whereabouts; s/he can definitely find all that information via Facebook. If s/he intends to break into my home (assuming s/he knows where I live), s/he can do so as well, because I am not at home: I’m still cycling back to my house. Dangerous? Am I inviting trouble? You bet! The Internet of Things has enabled different types of devices to be connected seamlessly and we love that; however, have we ever stopped to think of the danger we’re opening ourselves up to? It doesn’t take much information technology savvy to track a person’s whereabouts.

We love to tell our Facebook friends where we are by posting “Agnes Yew checked in at Mid Valley” or “Agnes Yew checked in at Madam Kwan, Mid Valley City”. Have you ever stopped to think that we are willingly providing information about our whereabouts, and that this could be used to our disadvantage?

Time to stop and think…

Data Breach
Ashley Madison was recently hacked, and it came out that the hackers had access to its customer database and have posted the information on a public website for all to see. Ashley Madison is a discreet website which allows its customers to hook up with other folks who are interested in dabbling in a little fun outside the marriage bed. If you were a registered customer (married or attached) of Ashley Madison, you’ll be jumping or maybe peeing in your pants, as the list of customers is now in the hands of hackers and shared on a public website.

Personal data is very much valued by consumer marketing companies, and anyone who has access to a database has the upper hand to sell that information. I’ve been bombarded with annoying SMSes on properties going on sale and what not every day. Yes, every day. I have to add these numbers under SPAM. It’s annoying, as I don’t know where and how they got my mobile number. It could have been when I went on the internet and signed up for some newsletter, and I did not read the fine print and/or I did not un-check a box to unsubscribe.

The Personal Data Protection Act in Malaysia was gazetted in 2010 and has been in force since 2013. The PDPA is supposed to protect consumers: companies holding our personal data are obligated to set up policies and a structured framework to ensure that the data is stored safely and not leaked. In my opinion, Malaysia is still in its infancy in comparison to the US or EU in terms of setting up a stringent DPA (Data Protection Act) framework. Companies are not investing in being PDPA compliant unless they are required to by the Ministry. At the moment, the Finance, Telecommunications and Health industry players are required to be PDPA compliant.

As Malaysian consumers, we have every right to be concerned if companies managing our personal data are not enforcing a certain measure of security to ensure that our data is safely kept. Companies in Europe and the US are willing to invest huge sums in a Security Information and Event Management (SIEM) solution to manage intrusion threats. At the moment, the Multimedia and Communications Ministry has not published any data on companies in Malaysia that are allocating budgets for SIEM or some sort of Internet Security application.
Time to stop and think….

How to Be Safe
I want to be safe. I want my family members to be safe as well. What measures am I taking to make sure that only people I want to know about me, know about me?
• My family members and I do not post our actual profile pictures on WhatsApp, LINE or Facebook.
• I clean up my friends’ list in Facebook every three months. ‘Friend of Friends’ will be deleted.
• I read and uncheck boxes when I sign up for newsletter/etc. online. I read the fine print.
• I do not post my Strava activity until I get home – Announcing that I am Queen of Mountain can wait.
• I do not ‘check in’ to any location using Facebook. Yes, I may miss getting some discounts from that restaurant or shop by not checking in but I really don’t think it is worth letting people know where I am at.
• I block all SMS numbers that are marketing in nature and park them under SPAM.

Different folks have different risk appetites when it comes to being bombarded by SPAM or wanting to let the world know what they are doing or where they are. The effort you put into ensuring that you and your family members are safe is a choice, and for me it is a very important choice.
Stop and think…..

For PDPA Training/Advisory or Internet Security Applications, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

PCI-DSS Landscape in Malaysia

2014: this was the year when PCI DSS really took off for many companies and organisations in Malaysia. More and more banks have pushed their merchants to be compliant and certified with PCI DSS. While a few merchants require Level 1 certification or Level 2 validation, the bulk of them fall under Level 3 and Level 4 merchants. That means a lot of ASV scans and a lot of Self-Assessment Questionnaire (SAQ) advisory. I was asked this question: why have these banks, who are traditionally so dormant and make corporate decisions slower than a crippled sloth, half blind and halfway to the grave, suddenly become so actively engaged in PCI DSS? Perhaps this is due to the pressure they get from the card brands, especially VISA and MasterCard.

After what happened to the infamous Target retailer in 2013–2014 and other high-profile hacks, card brands are now in caution mode and have become more stringent with entities connecting to them. This, in line with the new PCI DSS v3.1, means that controls are more stringent and auditees are more frustrated. Like everything in PCI, it’s a top-down domino effect: VISA insists on banks being certified; banks claim that they cannot be certified but are in the process, and in turn insist that their third-party processors or merchants be compliant. I call this the ‘passing the buck’ philosophy. It’s an open secret that no banks in Malaysia are certified. They will claim they are compliant, the same way my 25-year-old refrigerator is compliant with green and environmentally friendly regulations. It’s not.

Because banks push this compliance downstream, this ‘passing the buck’ effect has caused many entities to start actively looking in every direction to be certified or compliant, because they don’t want to lose their connection with the bank. Is it fair? As one of our merchant clients bluntly put it, “It’s like being blamed by tobacco companies for polluting the planet with our smoking,” while drawing in a long drag on his Marlboro Lights and looking wistfully into space.

Should banks be certified? Of course.

However, for them to get certified in a specified period of time is difficult due to their ever-changing business nature and an overly large scope of systems, people and processes under PCI requirements. Therefore they will need more time to remediate all the gaps, and guess what: one of the gaps would invariably be getting their third parties (like my client with his Marlboro Lights) certified.

In the end, service providers, merchants and payment gateways are forced to be more aware that PCI is needed to ensure the continuity of their business, especially if it involves VISA and MasterCard. So why aren’t they getting certified?

The answer lies in the implementation cost. Small to medium merchants and emerging payment gateways with limited funds and limited clients might consider that the cost of paying for a breach is lower than the cost of certification. For example: the need for an IDS/IPS (Intrusion Detection/Prevention System), the need for a system logging server, the need to perform daily log review and to review reports. All of these require additional effort or cost in terms of time, human resources or investment to acquire new devices.
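The paragraph above lists a logging server and daily log review among the cost items. As an added example (not a PKF tool and not an AlienVault rule), the Python below is the smallest useful daily review over SSH authentication lines: it parses standard OpenSSH syslog messages and applies two rules, a burst of failed logins from one source and a successful login from a source that had recently been failing. The six-failure threshold mirrors the lockout limit in PCI DSS v3.1 Requirement 8.1.6; the 30-minute window, the three-failure rule for the second check, and the sample log lines (hostname, RFC 5737 test addresses, user names) are constructed for this example.

```python
"""Daily review of SSH authentication logs, a minimal PCI DSS Requirement 10
style check. Added example for this post; not a PKF tool or an AlienVault rule."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in syslog/OpenSSH format (not real logs). Hostname,
# addresses (RFC 5737 documentation ranges) and user names are made up.
SAMPLE_LOG = """\
Jun 12 02:14:01 pg-app1 sshd[4012]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jun 12 02:14:09 pg-app1 sshd[4013]: Failed password for root from 203.0.113.45 port 51031 ssh2
Jun 12 02:14:17 pg-app1 sshd[4014]: Failed password for root from 203.0.113.45 port 51040 ssh2
Jun 12 02:14:25 pg-app1 sshd[4015]: Failed password for invalid user oracle from 203.0.113.45 port 51052 ssh2
Jun 12 02:14:33 pg-app1 sshd[4016]: Failed password for root from 203.0.113.45 port 51060 ssh2
Jun 12 02:14:41 pg-app1 sshd[4017]: Failed password for root from 203.0.113.45 port 51071 ssh2
Jun 12 02:14:49 pg-app1 sshd[4018]: Failed password for root from 203.0.113.45 port 51080 ssh2
Jun 12 02:15:02 pg-app1 sshd[4019]: Accepted password for root from 203.0.113.45 port 51093 ssh2
Jun 12 09:02:11 pg-app1 sshd[5120]: Failed password for wafiy from 198.51.100.7 port 40210 ssh2
Jun 12 09:02:20 pg-app1 sshd[5121]: Accepted password for wafiy from 198.51.100.7 port 40210 ssh2
Jun 12 09:03:00 pg-app1 CRON[5130]: (root) CMD (/usr/local/bin/logrotate-check)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text: str, year: int) -> List[Dict]:
    """Turn sshd password-auth lines into events; other lines are skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def review(log_text: str, year: int = 2015, threshold: int = 6,
           window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Two review rules over one day's log:
    - brute_force: a source reaches `threshold` failed logins inside `window`
      (six attempts mirrors the PCI DSS v3.1 Req. 8.1.6 lockout limit);
    - success_after_failures: a successful login from a source that failed
      three or more times in the same window, the trace a password-guessing
      attacker leaves when a guess finally works.
    Returns alert dicts in time order."""
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    already_flagged = set()
    alerts = []
    for ev in sorted(parse(log_text, year), key=lambda e: e["ts"]):
        recent = recent_failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()                # slide the window forward
        base = {"src": ev["src"], "host": ev["host"], "at": ev["ts"].isoformat()}
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])   # one alert per source per day
                alerts.append({"rule": "brute_force", "failures": len(recent), **base})
        elif len(recent) >= 3:
            alerts.append({"rule": "success_after_failures", "user": ev["user"],
                           "failures": len(recent), **base})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run it against a real /var/log/auth.log or /var/log/secure by reading the file into `review` with the correct year. On the sample it raises two alerts for 203.0.113.45 (the burst, then the successful root login right after it) and nothing for the single typo-then-success from 198.51.100.7. The parser silently drops lines it does not recognise; a complete review routes those to other rules rather than discarding them.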

With problems, there will always be solutions. We are keenly aware that not all clients can afford expensive solutions such as having separate devices for IDS, FIM (File Integrity Monitoring), syslog, etc., or building a Security Operations Centre from the ground up. We have crafted different solutions to serve our customers’ needs, from providing an all-in-one system for compliance to having them outsource their compliance headache to us. Yes, we love to transfer headaches from clients to ourselves. We call our solution PCI Panadol. Just kidding, but it’s a great name.

Our solution starts with this question: How do we get you compliant with the least effort, least time and least money possible – and to maintain compliance with these 3 LEASTS (effort, time, money)?

Overall, awareness of PCI DSS has grown a lot in Malaysia. PKF Avant Edge does monthly PCI Awareness training (HRDF claimable) and we have served large clients through such training. As for implementation, it is just as important to know what is UNNECESSARY for PCI as what is necessary. It starts with the scope. Start right, and you might just cross over to the other side of certification and celebrate with a party. Start wrong, and you are looking at a very, very, very long journey with very little happiness in it.

For PCI scoping or advisory on how we can help you in your PCI-DSS journey, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Wafiy Karim, PCI Consultant.

PDPA Training – Tropicana Medical Centre

We recently had the privilege of conducting our PDPA Assessment Training at Tropicana Medical Centre, for almost 40 people over two sessions. We touched on several topics, including a live demonstration of using software for hacking and personal data collection through the internet. Furthermore, we went through the Personal Data Protection Act and, more importantly, how to implement it in companies.

Each company has a different implementation; each has a different DNA and risk profile. The important thing is not to just use the PDPA as a blanket implementation, but to tie the requirements of the PDPA (or the spirit of it, as we say) to known standards: the Generally Accepted Privacy Principles (GAPP) from the AICPA and the Health Insurance Portability and Accountability Act (HIPAA), as well as the well-known ISO 27001 and PCI DSS for IT controls.

IT controls are generally important to the implementation of the PDPA because, in most companies, information has been digitised and is stored in some database or logical storage (as opposed to the metal cabinets of days of old).

Aside from those, we went through a very useful demonstration of AlienVault as a way to manage assets, secure the network and monitor traffic to ensure information is not breached.

AlienVault Setup 2: Deploying into your network

Deployment of AlienVault will generally depend on your network complexity.

For us, we only have an AIO (All In One). While this is great, the lack of sensors makes network visibility limited: basically we can only see traffic within the network segment we are connected to. Another issue is that everyone can see/ping the AV server, which generally isn’t great. Let’s call this the Invasion Approach: everyone sees the alien ship invading the network.

Another scenario would be to segment your network and deploy remote sensors in each segment, sending data back to a secure segment. We call this the Mother Ship Approach, where these little alien ships send information back to the big mother ship in space, like in that Independence Day movie.

Another scenario would be multi-server, multi-sensor. We will call this the Divide and Conquer strategy. This makes the whole SIEM infrastructure harder to compromise, lowers its visibility to other devices and also distributes the workload over different areas.

Remember: anyone hacking into the SIEM has access to a whole lot of information, so it’s worth defending.

For our deployment scenario, we are deploying it for IDS, network vulnerability scanning and asset management purposes, and will be doing it on a SPAN port on our main switch.

Now, let’s get some information.

For more details on AlienVault products and services, please drop us an email at alienvault@pkfmalaysia.com

© 2025 PKF AvantEdge
