How to detect RDP connections to your PC, with GlassWire!

RDP (remote desktop connection) is a way for people to fully control their PC or server remotely. Unfortunately this technology is now being used as an attack vector on Windows PCs and servers.

Bleeping Computer reports that right this minute a botnet is trying to hack millions of PCs with RDP enabled.

Fortunately GlassWire 2.1.158 now detects RDP connections in real-time. Just install GlassWire’s latest version, then GlassWire will alert you instantly if your PC is connected to remotely.

If you don’t plan to use RDP on your PC or server you can also disable it. Go to the search bar in Windows and look for “remote settings” then open the window.  Remote desktop should be switched to “off” if you aren’t using this feature. 

If you do have to use RDP and have no choice UC Berkley has a list of best practices on how to secure RDP.  Also, go to the top left GlassWire menu and choose settings/security to turn this RDP connection feature on, or off.

Get GlassWire 2.1.158Change list


DNS Hijacking: How To Stop It

Did you know there is a type of hacking that can take over an entire website without encountering it directly?

DNS hijacking is dangerous because it can siphon your visitors, incoming emails, and other services before they reach your network.

DNS stands for “Domain Name System”. A good way to think about a DNS is like an online phone book, or collection of phone books. The DNS essentially provides a series of tools a browser checks, before it finally reveals the location of the server that hosts the website the user seeks to visit.

In other words, DNS is your name in the massive universe that is the Internet. It helps people find you.

How DNS Hijacking Works

DNS hijacking can subvert the resolution of Domain Name System (DNS) queries. It is often done by using malware to override a computer’s TCP/IP configuration. Then, it redirects the rogue DNS server to the control of a cyber attacker.

Another method of DNS hijacking is to modify the behavior of a trusted DNS server which then makes it not comply with internet standards.

DNS hijacking is used for both malicious purposes, such as phishing and spear phishing, or for self-serving purposes of the ISP (internet service provider) and public router-based online DNS server providers.

When used for malicious purposes, hackers can travel upstream in the digital lines of communication to build false entries, which then point visitors intending to visit a website to a false destination.

While a website typically identifies a website by its .com or .net address, the DNS must also translate the fully qualified domain name into an IP address. During this exchange of information, redirects can harm a website.

How to Protect Yourself from DNS Hijacks

Part of the problem with DNS hijacking is the hacking attempt is often difficult to detect, then combat. This type of hijacking has witnessed a bit of a reemergence of late which is unfortunate as many thought it was a thing of the past.

The good news is that while preventing some DNS hijacking is challenging, it is not impossible to stay away from. The techniques you can use to guard against DNS hijacking is comparable to other kinds of cyber attacks.

Basic preventive measures include:

●      Using well regarded security software.

●      Installing the updates and security patches as soon as they become available.

●      Avoiding clicking on suspicious links in emails or on social media.

●      Avoiding sending or receiving personal information on public Wi-Fi.

●      Leaving websites immediately that seem untrustworthy.

●      Exercising caution with Wi-Fi networks that don’t start with a terms of service before browsing the web.

Furthermore, one can protect their router by making sure the default admin username and password for the router is changed.

Improve Your DNS Security

Though some of the more basic forms of DNS hijacking are avoidable, there are other kinds that are more difficult to detect. For example, there is little you can do about a website that becomes compromised.

Consequently, there are additional measures you can take to protect your personal information. It includes the ability to implement Domain Name System Security Extensions (DNSSEC) on all your devices.

The security program allows domain owners to monitor traffic on their own domains, and therefore check for suspicious activity. A DNSSEC also presents control over registering domain zones and enabling DNS resolvers.

Change the DNS Server

Another security measure is to change the default DNS server. Computers and routers, by default, connect to the global DNS service related to the local internet service provider (ISP). A third-party DNS server, meanwhile, can take over responsibilities for routing.

Google DNS and OpenDNS are two third-party DNS routing providers, and free of charge to use. If you select another alternative make sure it is from a reputable company or nonprofit organization, because allowing control to the wrong DNS server could actually expose you to more threats, not fewer.

How do you protect mobile devices? Have you ever considered anything like a Firewall for your Android device? This should be a first line of defense any time you go online.

Encrypted Connections

Virtual Private Networks (VPNs) are software applications that encrypt web traffic, keeping your data private when connected to a network. The VPN connection takes place through an encrypted “tunnel” to ensure secure web browsing, and helps with DNS hijacking protection.

A VPN serves as a tunnel between your ISP and the host, where the information between the two endpoints cannot get hacked or stolen. A VPN is similar to third-party DNS providers.

A word of caution: not all commercial VPNs are created equal. The unfortunate misconception is that they’re all the same, but some VPNs are more effective than others. The best VPNs should have stellar reputation (which is easily discoverable online with a little searching), definitive no-logging policy, and no trace of government ties or state ownership. You should also remain aware that some VPN providers will log your browsing habits, filter network traffic, and block certain websites.

OpenVPN has one of the better reputations on the market. L2TP/IPSec is another common configuration that some invest in. There are other ways you can stop recording network activity.

Cross-Site Scripting (XSS)

When a local network gets infiltrated there are several noticeable differences. Web pages will load slower, and have a different looking presentation. It may even include replacing a popular website, such as Amazon or Google, with a fake, look-alike page.

Along with DNS hijacking, cross-site scripting (XSS) is another type of attack that is common with DNS hijacking. XSS enables criminals to obtain private information through a web browsing session.

Therefore, vigilance is crucial. Users should remain mindful of what URL the browser is pointing toward. If the domain portion of the address (which contains .net, or .com) looks unfamiliar then you need to immediately shut down the browser and double check the DNS settings.

A Final Thought

Lastly, you can get further confirmation that the website is legitimate by making sure it has a valid secure sockets layer (SSL) certificate. The SSL is indicated by the green “lock” icon in the address bar. Never enter personal information or credit card numbers to a website missing an SSL.


The Ultimate Secret Data Hog – Cryptomining Malware

Are you already a victim of this data hog?

Are you a victim of this data hog?
Sam Bocetta puts the word out about a new type of data hog and how to spot it.    Sam Bocetta is a former naval contractor and security analyst. He’s now (mostly) retired and spends his days reading the classics and fly fishing with his grandkids. Sam can be reached on Linkedin:

The Ultimate Secret Data Hog – Cryptomining Malware
Malware development, like many non-malicious types of software, is subject to certain trends that are impacted by a variety of external factors outside the tech industry.

Ransomware, for example, was the cyber bogeyman of 2017 and 2018 for the following reasons:

  • Spectacular attacks on high-value targets.
  • News media headlines.
  • The modernization of traditional crimes such as hijacking, extortion and ransom.
  • Availability of leaked cyber warfare weapons and techniques developed by American intelligence agencies.
  • The use of cryptocurrencies to deliver ransom payments.
  • Ransomware-as-a-Service platforms.

In early 2019, ransomware has thankfully lost some of its shine thanks to law enforcement intervention, prosecution and reaction by the information security community; in other words, this particular malware threat is on a downtrend cycle.

As can be expected, a new threat has emerged to take ransomware’s spot on the malware scoreboard, and it goes by the names of cryptojacking or crypto mining malware.

Understanding Cryptojacking

Speaking of IT trends, let’s talk about Bitcoin trading: despite cryptocurrencies having endured more than a year of bear market conditions, they are still being bought, sold, exchanged, and mined for various reasons.

In the case of Bitcoin, the most valuable digital currency in the world, the market cap of $60 billion is sizable enough to ignore that it has plunged from an all-time high near $20,000 in late 2017 to around $3,500 and lower in early 2019. Some investors remain hopeful that a rally similar to the one experienced in 2017 could materialize this year, and miners are holding even greater hopes.

As volatile as the cryptocurrency markets are, they present significant opportunities for profit, especially for those who engage in mining of tokens. In essence, mining entails putting considerable processing power and bandwidth to work on behalf of the blockchain that supports cryptocurrencies such as Bitcoin, Ethereum, Monero, Stellar, and many others.

The blockchain is a decentralized and distributed ledger where transactions are verified and cleared through very complex cryptographic calculation; miners who perform this service can present the blockchain with “proof-of-work” performed in exchange for the potential of earning a few tokens.

Cryptocurrency mining is not a “get rich quick” scheme by any means. With valuable tokens such as bitcoin, the barriers to entry include powerful hardware with efficient cooling systems, electricity, and broadband connections. These factors are combined into rigs that feature plenty of hash power and are fully dedicated to blockchain mining work.

It should be noted that hash power can be distributed in a manner somewhat similar to the distributed ledger of blockchain networks, which means that a single computing device can generate some hash power to contribute towards a mining operation.

IMAGE: Mining Rig

In the early days of Bitcoin mining, some individuals were able to mine a few tokens by means of running mining software on their laptops; once greed kicked in and blockchain transactions became increasingly difficult because of market volatility, mining cartels emerged.

By the time malicious hackers and cybercrime groups latched onto digital currencies, the development of cryptojacking was imminent. With cryptojacking, hackers inject malicious code into computing devices for the purpose of stealing hash power, meaning processing power, bandwidth and electricity, all with the goal of surreptitiously mining tokens.

Bitcoin is not a popular cryptocurrency among cryptojacking attackers; privacy tokens such as Cardano and Monero are preferred.

How Cryptojacking Malware Works
To a certain extent, crypto mining malware shares many of the characteristics of legacy spyware in the sense that injection may take place through click-and-bait strategies or Trojan horse attacks; in other words, victims often believed that they were installing software or executing code that was not malicious.

In some cases, remote code injection of cryptojacking malware may be conducted through old-school network intrusion, which is often a more sophisticated and aggressive approach since it may involve defeating a firewall.

The most common types of cryptojacking target personal computing devices such as desktops, laptops, tablets, and smartphones. It is not unreasonable to think that smart home appliances like the Samsung Family Hub refrigerators could be next since they are equipped with a motherboard running Android and many connectivity services. These devices can be infected with in-script cryptojacking code or through JavaScript browser extensions.

As can be expected, cryptojacking attacks against business targets tend to be more powerful while at the same time being stealthier. A sophisticated cybercrime group targeting office networks or enterprise data centers may forego browser extensions and go with rootkits, remote code execution, and virtual machine hijacking. The most trailblazing and brazen attacks may utilize social engineering to gain credentials and set up fake intranet pages.

Once installed, cryptojacking malware will transform GPU and CPU resources into hash power to conduct transaction verification. According to a report published by a respected information security firm, 37 percent of corporate networks were impacted by cryptojacking activity in 2018.

More than 20 percent of business IT security departments are detecting cryptojacking attempts on a weekly basis. Companies that implement “bring your own device” policies are at greater risk.

Cryptojacking Detection

The first line of defense against cryptojacking involves monitoring network connections between devices and the internet.

Network monitoring is a security strategy widely used in the enterprise world, but it is also available on a personal computing level with smart firewall apps that notify users of suspicious activity, intrusions, high CPU usage, and unusual data. It is important to note that cryptojacking crews will not ignore mobile devices since they are powerful enough to generate hash power and contribute to their wicked trade.

Aside from monitoring and detection, cryptojacking can also be prevented with safe computing practices such as the use of virtual private networking technology. It is not unreasonable to think of public Wi-Fi hotspots being taken over by hackers for the purpose of distributing mining malware.

To this effect, always protect your computer by using standard security measures when accessing public networks: firewall protection (such as GlassWire), antivirus scanners, and any no-logging VPN service. This is especially when connecting to an enterprise network using your personal computing device, so as to avoid exposing the entire network to remote attack.

Recent Entries