My Phone Is Held Hostage By Ransomware, Now What?


Ransomware is a type of malware that holds your data hostage. It has been a problem with computers for many years, but it’s only recently started showing up on mobile devices. When you activate the program or app, it blocks you from accessing the data on the device and displays a message demanding payment by untraceable methods like Bitcoin or MoneyPak.

How does it spread?

On mobile devices, ransomware usually spreads via email, from visiting malicious web sites that host pornography or installing pirated apps. Recently malware developers have gotten smarter. Some ransomware apps can now spread via text message. When a device is infected, the malicious app will send an SMS to everyone in the device’s contact list with a message tricking the recipients into clicking on a link. When the reader opens the link, they are directed to install the malware on their devices, thus repeating the process with a new round of victims.

What should you do if your device is infected?

First of all, don’t pay the ransom. If you do send money all you’re doing is rewarding criminals, and there are no guarantees you’ll get your information back anyway.

Reboot the device into safe mode. Just like a computer, safe mode boots the Android device with just the bare minimum operating system. This prevents the malicious software from running at startup and allows you to remove it. The instructions on activating safe mode vary from device to device, so check the manual and the manufacturer’s web page for specific instructions.

Once you have access to the operating system, you can uninstall the malware or run an antivirus app that will remove it for you.

How do you prevent malware from attacking your Android device?

Do not click on any links you were not expecting in emails or text messages. If the message comes from someone you know, contact them before opening the link.

Make sure the “Unknown sources” check box is left blank. The option is usually disabled by default, but sometimes users enable it to install legitimate apps that are not available from Google. The location can vary, but it is usually found under Settings > Security. Disabling this option will prevent the device from installing apps from sources other than Google’s Play Store.

Keep backups of your local data. With many apps, the data is stored on a remote server instead of your device. When you open the app, it downloads the information it needs through your data connection. If you do have applications that store data on the device or memory card, make sure to keep a backup of the information on your computer.

For rooted Androids, there are applications that will create an image of everything on the device and save it in a file you can transfer to your computer or upload to cloud storage.

To learn more about ransomware, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit for more terms and definitions.

Can The FBI Attract Ethical Hackers?


In today’s online world, cyber attacks can be nearly as devastating as traditional warfare. In addition to cyber terrorism, hackers have stolen identification and credit card information from millions of Americans in cyber attacks on large businesses. Local law enforcement often doesn’t have the skills or manpower to handle these cyber crimes, and jurisdiction becomes a problem when the victimized organization has locations in several areas. When the scale of the problem is too big or too complex for the target organization or local law enforcement to handle, they often turn to the Federal Bureau of Investigation for help.

The FBI has recognized the increased demand for agents trained in cybersecurity and has posted a job listing on The listing is open until January 20th, and while it doesn’t specify the number of positions open, a statement released alongside the listing stated there were “many.”

Why is the FBI seeking cyber special agents?

Tracking down sophisticated cyber criminals and terrorists with foreign government backing requires totally different skills than solving the offline crimes the FBI has always handled in the past. For example, if a gang of criminals robs a bank the agents might interview witnesses, review surveillance footage and look for physical evidence. But what if the gang of criminals stole the money electronically using a computer in another country? No one stuck a gun in a teller’s face, but the bank still lost money and the criminals need catching.

What kind of people is the FBI looking for?

The job listing gives a long list of experience requirements related to cybersecurity, including network administration, ethical hacking or white hat, computer programming, database administration and digital forensics. The applicant must have a minimum four-year degree from an accredited college or university or foreign equivalent. It lists degrees relating to computers, mechanical engineering or information security but does not bar applicants with non-technical degrees as long as they can demonstrate technical work experience.

In addition to the computer-related skills and background, applicants must be eligible for Top Secret security clearance and be between the age of 23 and 37, though some military veterans are exempt from the age restriction. The applicant must meet the same physical requirements and pass the fitness tests required of all FBI Special Agents.

What does this mean for us?

It’s a positive move for the businesses, organizations and local law enforcement agencies that rely on the FBI’s assistance for solving cyber crimes. More agents with better training and a wider pool of specialized skills to draw on means faster resolutions and a greater chance of cyber criminals and terrorists being brought to justice.

To learn more about FBI’s relationship with hackers, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

ISIS Hacks CENTCOM And You Are Next

Cyber Caliphate
On Monday, January 12th, the official Twitter account & YouTube channel for US Central Command or CENTCOM were hacked by ISIS supporters. Pro-ISIS propaganda appeared on @CENTCOM Twitter homepage warning “American Soldiers, we are coming, watch your back. ISIS.”
The @CyberCaliphate account is currently suspended but claims to have hacked the US Central Command Twitter account. Besides the typical threats, there were links to documents that appeared to be confidential files stolen from American military computers. One of the Tweets was a list of US military personnel including a phone number listed as belonging to the former chief of both CENTCOM and the National Security Agency. The hackers also published a document from MIT referring to U.S. intelligence, surveillance, and reconnaissance regarding China.
All of the accounts involved have been suspended until an investigation concludes they can be safely re-activated. You might remember that just one week earlier, Cyber Caliphate hacked the Twitter accounts of Fox & CBS News claiming there would be more attacks in the future.
You Are Next
By all accounts, terrorist groups like ISIS as well as anarchist hacktivist groups like Anonymous are waging a successful war against the powers that be. This might not directly affect your average citizen or small business but the methods they use to wage war all come back to best security practices that we all need to follow. Anyone on the grid or internet is vulnerable to the same kinds of attacks from these or any groups.
Here are a set of tips to follow that apply to Twitter as well as any password protected account on the internet you would like to keep private.
1) Use strong passwords to avoid becoming the victim of hacks. Twitter encourages a minimum of 10 characters, but longer is better. I recommend 15 characters minimum using upper/lower/numbers/symbols. Do not use common dictionary words and do not reuse passwords across multiple web sites.
2) NEVER use personal information such as phone numbers or birthdays.
3) Use login verification (also called two-step authentication) whenever available. This additional step can be annoying but is another layer of security protection.
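To make the password rules in tips 1 and 2 concrete, here is an added example (not code from the original post) of a checker that enforces them: 15-character minimum, all four character classes, no common dictionary words, no phone number or birthday digits, and no reuse across sites. The word list, the personal-info values and the sample passwords are constructed for the example, not a real wordlist.

```python
import string

# Policy values taken from the tips above; the word list and personal-info
# fragments are constructed sample data for this example, not a real wordlist.
MIN_LENGTH = 15
COMMON_WORDS = ["dragon", "letmein", "password", "qwerty", "summer", "twitter", "welcome"]
PERSONAL_INFO = ["5551234567", "19840512"]  # constructed: a phone number and a birthday (YYYYMMDD)


def check_password(password, personal_info=PERSONAL_INFO, previously_used=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    # Dictionary words are matched case-insensitively as substrings, so a
    # password like "Twitter2015!" is still rejected even though it mixes classes.
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append("contains common word '%s'" % word)

    # Phone numbers and birthdays: compare only the digits, so "1984-05-12"
    # and "19840512" are both caught.
    digits = "".join(c for c in password if c.isdigit())
    for item in personal_info:
        item_digits = "".join(c for c in item if c.isdigit())
        if item_digits and item_digits in digits:
            problems.append("contains personal information (phone number or birthday)")
            break

    if password in previously_used:
        problems.append("reused from another site")
    return problems


if __name__ == "__main__":
    for candidate in ["password123", "MyBirthday1984-05-12!", "Correct-Horse-Battery-42"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The reuse check only works if you track which passwords you have already used somewhere else, which is exactly the job a password manager does for you; the point of the check is that a password can satisfy every character-class rule and still be a bad choice.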
For many more tips like these, subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

Sony’s Dirty Laundry Reveals MPAA Attack Plans


Most of the information from the Sony Pictures Entertainment hack leaked so far has been embarrassing for the company, but not directly related to Internet security. However, last week some leaked emails revealed the Motion Picture Association of America (MPAA) is trying to find ways to effectively delete sites that host pirated content from the Internet using Domain Name Server (DNS) takedowns. To understand why this is a security concern, you need to know a little bit about how the DNS system works.

What is a Domain Name Server?

The Internet functions using IP addresses, a string of numbers that is easy for machines to understand but not very user-friendly for humans. Your computer or mobile device needs the help of a server that can match these IP addresses to a name of the destination you can remember. The DNS is usually maintained by internet service providers, but some organizations such as Google offer a public DNS anyone can use.

When you type an address like into your browser or click on a link in our newsletter, your computer or mobile device queries a DNS and receives the IP address it needs to get here. If the DNS cannot match the URL to an address, you get an error message instead of the page you expected.

What is a DNS Takedown?

Currently copyright holders can take down pirated content by ordering the hosting site to remove it. An example would be requesting YouTube take down a copyrighted video or a web hosting company to delete a user’s account. A DNS takedown would go a step further, ordering the DNS owner to remove the site from the server’s IP address tables. Servers at different companies communicate freely with one another, so changes made on one DNS could propagate to other servers across the Internet in as little as a few hours.

Removing the listing is the equivalent of removing the building address numbers off a business. Someone trying to locate the place would find it very difficult unless they knew the exact location, or in this case the IP address.
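The reason a takedown "could propagate to other servers across the Internet in as little as a few hours" rather than instantly is that resolvers cache each answer for the record's time-to-live (TTL). The following is an added example, not code from the original post: a toy authoritative server and caching resolver that show the site still resolving from cache after the record is deleted at the source, and disappearing (an NXDOMAIN-style error) once the TTL expires. The domain name, address and TTL are constructed values.

```python
# Constructed example: an authoritative zone, a caching resolver with TTLs, and a
# "takedown" that deletes the record at the source. Names and addresses are made up
# (a reserved .test name and a documentation address).


class AuthoritativeServer:
    """Holds the zone's A records; a DNS takedown order would be applied here."""

    def __init__(self, records):
        self.records = dict(records)   # name -> (ip, ttl_seconds)

    def query(self, name):
        return self.records.get(name)  # None stands for NXDOMAIN (no such name)

    def remove(self, name):
        self.records.pop(name, None)


class CachingResolver:
    """Models an ISP or public resolver: answers from cache until the record's TTL runs out."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}                # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]              # still cached: the upstream change is not visible yet
        answer = self.upstream.query(name)
        if answer is None:
            self.cache.pop(name, None)
            return None                # NXDOMAIN: the browser shows an error instead of the page
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip


def takedown_timeline(ttl=3600):
    """Resolve the same name before, just after, and one TTL after the takedown."""
    auth = AuthoritativeServer({"example-piracy.test": ("203.0.113.10", ttl)})
    resolver = CachingResolver(auth)
    timeline = {}
    timeline["before"] = resolver.resolve("example-piracy.test", now=0)
    auth.remove("example-piracy.test")         # the takedown is applied at t = 60 s
    timeline["just_after"] = resolver.resolve("example-piracy.test", now=60)
    timeline["after_ttl"] = resolver.resolve("example-piracy.test", now=ttl + 1)
    return timeline


if __name__ == "__main__":
    for stage, answer in takedown_timeline().items():
        print("%-10s %s" % (stage, answer if answer else "NXDOMAIN"))
```

Real resolvers honour the TTL set by the zone owner, so a site with a one-day TTL would linger in caches for up to a day; the model also makes the article's point that nothing here touches the server itself, so anyone who already knows the IP address can still reach it directly.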

Are DNS Takedowns Legal?

The legal grounds for DNS takedowns are shaky. The Digital Millennium Copyright Act (DMCA) of 1998 both makes it illegal to distribute copyrighted material without permission and protects the sites hosting pirated content as long as they respond immediately to takedown requests. The Stop Internet Piracy Act (SOPA) of 2011 would have made DNS takedowns legal, but it was defeated in Congress after a major outcry from both private businesses and the general public.

The MPAA is working on an argument that would include DNS filtering under the DMCA, forcing DNS operators to remove the DNS entries of sites hosting pirated content without a court review.

The Problem with DNS Takedowns

The major concern is this system could be ripe for abuse, with organizations or individuals filing false copyright infringement claims to harm their opponents or silence critics. Smaller DNS operators may be overwhelmed with the number of requests and just rubber stamp them out of concern for losing their protection.

Imagine if your biggest competitor could make your web site disappear overnight, and there was nothing you could do about it. It could be devastating for businesses that rely extensively on their web sites for income or leads.

Visit Berkeley’s for more terms and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

FBI Officially Names North Korea as Source of Sony Hack


To the surprise of practically no one, the Federal Bureau of Investigation has officially announced the involvement of the North Korean government in last month’s hack on Sony Pictures Entertainment. While the FBI announcement stated it could not list all of the reasons for the link due to the need to protect “sensitive sources and methods” it listed several links that will be familiar to regular readers of this blog.

  • Infrastructure associated with IP addresses known to be used by the North Korean government communicated with computers with IP addresses written directly into the malware used in the attack.
  • The malware had significant similarities with malware employed in previous attacks linked to North Korea.
  • The tools used in the Sony hack were similar to an attack on South Korean banks and media organizations in March of last year that was traced back to North Korea.
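The first bullet describes the most mechanical kind of attribution evidence: addresses embedded in the malware that also show up in network traffic. As an added example (not from the FBI notice or the original post), here is the defender's side of that check, a small script that takes a list of such indicators and flags the firewall log lines whose destination matches one of them. The indicator list and the log lines are constructed for the example using reserved documentation addresses, not real indicators.

```python
import ipaddress
import re

# Constructed indicator list standing in for addresses "written directly into the
# malware": two single hosts and one range. These are RFC 5737 documentation
# addresses, not real indicators from the FBI notice.
HARD_CODED_ADDRESSES = ["203.0.113.45", "198.51.100.7", "192.0.2.0/24"]

# Constructed firewall log lines in a simple space-separated format (not any real product's format).
SAMPLE_LOG = """\
2014-11-24T03:12:07Z ALLOW 10.0.5.23 -> 203.0.113.45:443 proto=tcp bytes=18422
2014-11-24T03:12:09Z ALLOW 10.0.5.23 -> 203.0.113.200:443 proto=tcp bytes=2210
2014-11-24T03:14:51Z ALLOW 10.0.7.8 -> 192.0.2.77:8080 proto=tcp bytes=913007
2014-11-24T03:15:02Z DENY 10.0.7.8 -> 198.51.100.7:22 proto=tcp bytes=0
2014-11-24T03:16:30Z ALLOW 10.0.9.1 -> 198.51.100.53:53 proto=udp bytes=120
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)"
)


def compile_indicators(indicators):
    """Accept both single addresses and CIDR ranges; a bare address becomes a /32."""
    return [ipaddress.ip_network(i, strict=False) for i in indicators]


def match_indicators(log_text, indicators=HARD_CODED_ADDRESSES):
    """Return one hit per log line whose destination falls inside any indicator."""
    networks = compile_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that do not fit the expected format
        dst = ipaddress.ip_address(m["dst"])
        for net in networks:
            if dst in net:
                hits.append({
                    "time": m["ts"], "src": m["src"], "dst": str(dst),
                    "port": int(m["port"]), "action": m["action"], "indicator": str(net),
                })
                break
    return hits


def hosts_to_investigate(hits):
    """Internal hosts that talked, or tried to talk, to an indicator; denied attempts count too."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOG)
    for h in found:
        print("%(time)s %(src)s -> %(dst)s:%(port)d (%(action)s) matched %(indicator)s" % h)
    print("hosts to investigate:", hosts_to_investigate(found))
```

A denied connection is kept on purpose: the firewall stopped the traffic, but the host that tried to reach a known bad address is still a host that probably has the malware on it.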

The FBI report also expressed concern that the attack was aimed at a private entity not connected to government activity, since most officially sanctioned hacking is limited to targeting foreign governments or their contractors.

While the North Korean government continues to maintain it is not behind the attack, in a press conference on Friday President Obama stated, “We’ve got no indication that North Korea was acting in conjunction with another country.”

Even though North Korea is a nation of poverty with very limited Internet access and the citizens are practically isolated from the rest of the world, the government maintains a cyber-espionage department called Bureau 121. According to North Korean defectors, positions in Bureau 121 are highly sought after, and the people admitted are hand-picked and trained at an age as young as 17. This gives the North Korean government the ability to wage cyber-warfare at a level far beyond what most third-world countries are capable of. In fact, North Korea considers cyber-attacks an effective method of making up for its lack of traditional military strength.

Unlike most countries that engage in cyber-espionage, Bureau 121 will target any public or private entity that raises the ire of the North Korean government. The most likely reason for the attack on Sony Pictures was the upcoming (and now cancelled) release of The Interview, an action-comedy movie based around a fictional plot to assassinate leader Kim Jong-Un. The state-controlled media called the film “an act of war” and messages from the hackers who claimed responsibility for the attack lauded Sony’s decision to pull the film.

While the United States government has promised a response to the attack, it’s not clear what it will be. A military response is unlikely, and severe trade restrictions against North Korea are already in place. This situation definitely bears watching.

Visit Berkeley’s for more terms and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

Sony Screams About Hackers But They’ve Invaded Our Privacy For Years

Sony make believe security

The hack attack on Sony Pictures Entertainment that’s been making headlines over the last couple of weeks is just the latest in a line of security breaches at Sony that stretch back to 2011. Many companies get attacked just because they are vulnerable targets, but Sony seems to have raised the special ire of the hacktivist community. Let’s look at how that happened, and go through a timeline of the company’s major security breaches.

Subscribe to my weekly video podcast for this Sony story and much more

Why is Sony such a juicy target for hackers?

In 2005, Sony began producing audio CDs with intrusive digital rights management (DRM) software included on the disc. If someone loaded the disc into their computer, it automatically installed a rootkit that made changes to the computer’s operating system and prevented it from copying the CD. The disc also installed software that would track the user’s listening habits and made the computer vulnerable to hackers. Worst of all, there was no easy way to uninstall it.

Another event that ticked off the hacking community occurred in 2010, when a well-known hacker named George Hotz broke the copy-protection on the PlayStation 3 and made it possible for users to play pirated games. Sony took the hacker to court, and even got a judge to order the company hosting the hacker’s web site to turn over server logs that would allow them to identify the IP addresses of people who accessed his site. The same month Sony settled with Hotz out of court, the first major attack occurred.

APRIL 2011 Attack

  • Attack on PlayStation Network (PSN).
  • Perpetrated by the hacktivist group Anonymous.
  • Personal details of 77 million PSN users stolen.
  • PSN service knocked offline for 23 days.
  • Cost to the company: A minimum of $171 million.

MAY 2011 Attack

  • Attack on Sony Online Entertainment.
  • Unknown perpetrators.
  • Personal details and credit card information of 24.6 million customers stolen.

JUNE 2011 Attack

  • Attack on Sony Pictures Entertainment.
  • Perpetrated by the hacktivist group LulzSec.
  • Personal details of over a million accounts stolen.
  • The hackers claimed passwords were stored in plain text, unencrypted and were easy to find.

AUGUST 2014 Attack

  • Distributed Denial of Service (DDoS) attack on PSN (along with other online gaming networks).
  • Perpetrated by the hacktivist group Lizard Squad.
  • No customer data compromised.
  • Lizard Squad called in a bomb threat against American Airlines to force a jet carrying a Sony executive out of the sky.

NOVEMBER 2014 Attack

  • Another attack on Sony Pictures Entertainment.
  • Perpetrated by Guardians of Peace (GoP).
  • Possible North Korean government involvement.
  • Widespread knockdown of Sony’s internal network.
  • So far the hackers have concentrated on releasing embarrassing and damaging information about the company and its executives.
  • Details still coming to light, including executive emails, pay disparities, and personal feuds with actors, actresses and employees.

Visit Berkeley’s for more definitions and subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube.

Feds Caution Large Companies About New Malware Threat


On December 2nd, the Federal Bureau of Investigation sent a confidential notice about the recent hacking attack on Sony Pictures Entertainment to security staff at some large U.S. companies. While the notice did not specify Sony Pictures, it provided details on how the hack was pulled off. It also warned that data destroyed by the malware could be impossible or too costly to recover by current forensic data retrieval methods.

The malware can reportedly overwrite data and destroy the master boot record on the computer’s hard drive. Sony Pictures has not confirmed whether this is true in their case.
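A destroyed master boot record is one of the few things a responder can check for directly, because the MBR has a fixed layout: 446 bytes of boot code, four 16-byte partition entries, and the two-byte signature 0x55AA at the end of the 512-byte sector. The following is an added example, not code from the original post or from any vendor's tooling: a small triage script that parses a sector as an MBR and classifies it as healthy, wiped (all zeros), overwritten (signature missing) or suspicious (signature intact but no partitions). The sample MBR it builds is constructed for the example; the `read_mbr` helper assumes you point it at a disk image or block device you are allowed to read.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries follow the boot code


def parse_mbr(sector):
    """Parse one 512-byte sector as an MBR: boot signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0x00:        # partition type 0x00 marks an unused slot
            partitions.append({
                "bootable": entry[0] == 0x80,
                "type": entry[4],
                "lba_start": lba_start,
                "sectors": sector_count,
            })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "all_zero": not any(sector),
    }


def assess_mbr(sector):
    """Classify the sector the way a first-response triage script would."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "wiped: sector is all zeros"
    if not info["signature_ok"]:
        return "corrupt: boot signature 0x55AA missing"
    if not info["partitions"]:
        return "suspicious: valid signature but empty partition table"
    return "ok: %d partition(s)" % len(info["partitions"])


def build_sample_mbr():
    """Constructed healthy MBR: one bootable NTFS (type 0x07) partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # a typical jump at the start of the boot code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_mbr(path):
    """Read the first sector of a disk image or block device (assumed path, e.g. an image you acquired)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    print("healthy sample :", assess_mbr(build_sample_mbr()))
    print("zeroed sector  :", assess_mbr(bytes(MBR_SIZE)))
    print("random garbage :", assess_mbr(bytes([0x41]) * MBR_SIZE))
```

Run it against the first 512 bytes of a forensic image rather than the live disk, and keep in mind the limits: a wiper that writes random bytes is caught by the missing signature, but one that overwrites only the boot code and leaves the table and signature alone will still report "ok", so a signature check is a first pass, not a clean bill of health.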

Details on how the attack began are also sketchy, but these kinds of attacks usually start with inside help or a successful phishing attempt. Once hackers have found their way into the system, they can move through the network.

Sony Pictures Still Struggling to Recover

More than a week after the hack attack that brought down Sony Pictures Entertainment, some services have been restored while others remain offline. Employees regained access to email and telephone services last Monday, but only in certain buildings.

The hackers responsible claimed to have up to 100 terabytes of data stolen from the company during the attack. This data includes sensitive information such as executive salaries, employee social security numbers and server security keys. A short time after the attack digital copies of five unreleased Sony Pictures movies were leaked to illegal file sharing sites, though it’s not clear if the films were stolen by the hackers or leaked through other means.

Malware Used by the Hackers Linked to Previous North Korean Attacks

Authorities have yet to determine who is behind the attacks, but some security experts feel North Korea is a strong possibility. A web site run by the North Korean government blasted Sony Pictures for creating an upcoming action comedy with a plot centered around an assassination attempt on North Korean leader Kim Jong Un. The movie in question was not one of the films leaked. When asked whether North Korean hackers were responsible, a spokesman for the country’s United Nations mission cryptically responded with, “I kindly advise you to just wait and see.”

The malware the FBI warned about was written in Korean and has similarities to malware used in a malware attack on South Korean banks and television broadcasters in 2013. The two countries are hostile neighbors, and South Korea is a frequent target of North Korean hacking attacks.

According to an undisclosed source, Sony Pictures has hired the Mandiant division of FireEye to assist with the investigation and recovery. Both companies and the FBI are continuing to pursue the matter.

Subscribe to my 2 Minute Cyber Security Briefing podcast on iTunes or Youtube.

Sony Pictures Shut Down by Hack Attack

Sony Pictures Hacked by North Korea

Last week Sony Pictures Entertainment experienced every network administrator and business owner’s worst nightmare. On November 24th, anonymous sources inside Sony Pictures claimed the entire network was compromised. This part of the company is responsible for marketing and distribution of motion picture and TV programs.

One of the sources posted a picture of a crude CGI image of a skeleton to the online message board Reddit. The image contained a message threatening to release company secrets if the hackers’ demands were not met. The message also indicated the group Guardians of Peace (#GOP) was behind the attack, and included links to files containing classified financial information, employee social security numbers and private network keys. The hackers also gained control over several Twitter channels linked to various Sony Pictures movie properties such as The Amazing Spider-Man and Starship Troopers.

Possible Foreign Involvement

The hackers’ demands and motivation are not clear, but there could be a link to the North Korean government. On November 27th, a web site controlled by the government criticized an upcoming action comedy film by Sony Pictures Entertainment. In “The Interview” tabloid television reporters played by James Franco and Seth Rogen become involved in a CIA plot to assassinate North Korean leader Kim Jong Un.

Sony Pictures has not confirmed or denied the link, but the North Korean government is known to employ a large cyber espionage team. Hackers linked to the regime have been linked to attacks on non-government targets such as foreign banks and other private businesses.

Entire Network Paralyzed

The company released a statement calling it an “IT matter” but multiple news organizations reported their response was to completely shut down the network, leaving employees unable to get on the Internet or even check their email. Sony administrators advised employees not to turn on their computers and to disconnect mobile devices from the company WiFi network. Some employees were told to work from home. While the company has not released specific details, some sources indicate the hack was an inside job and began with a single server.

A History of Hacks

This isn’t the first time the Japanese technology company has had a major network security breach. Sony Pictures was hacked in June of 2011, exposing the data of approximately 37,000 users. This attack was particularly embarrassing, partly because sensitive account information such as passwords was stored in a plain text file. Anyone with access to the database could open it and read the contents.

In April of the same year, Sony’s video game division suffered a devastating attack that knocked the PlayStation Network offline for weeks and leaked the account information of hundreds of millions of users. In August of this year the PlayStation Network was forced offline again by a distributed denial of service attack.

While Sony isn’t the first company to suffer a major data breach and it certainly won’t be the last, the attack serves as a reminder of what can happen when companies let their guard down.

Learn more about hacked government and corporate interests from our downloadable WHITEPAPERS and by SUBSCRIBING to my 2 Minute Cyber Security Briefing video podcast.

Dirtboxes – Cellular Spies in the Sky


Last week the Wall Street Journal broke a story on cellular spying that has troublesome implications for wireless security experts and privacy advocates. According to anonymous sources cited by the paper, the United States government is mounting devices known as dirtboxes on small planes and using them to sweep up cell phone data on innocent citizens. The aircraft are currently flying out of five major airports, covering an area that encompasses most of the continental United States.

What are Dirtboxes?

The odd name comes from the acronym of the company that originally developed the devices, Digital Receiver Technology Inc. The company is currently owned by the aerospace manufacturer Boeing.

Dirtboxes are devices that take advantage of a feature built into every cellular device. Cell phones are designed to seek out and connect with the strongest tower on the carrier’s network. This ensures the user has the best possible signal at all times. The user has no way of selecting which tower the phone chooses, even if the device is hacked and rooted.

A dirtbox impersonates a tower with a stronger signal and tricks the cellular device into connecting to it instead. The user doesn’t have to be using the phone when the dirtbox flies within range. Any phone that is powered on and not in airplane mode will connect automatically. When the phone connects to the dirtbox or tower, it transmits its location information, unique identifier and phone number.

How Are Dirtboxes Used?

Dirtboxes are not a new technology. They’ve been used in ground-based surveillance operations and to keep inmates in prisons from making calls on contraband phones for years.

The difference here is the scope. While a ground-based system might pick up a few dozen phones, a dirtbox mounted on an aircraft flying over a densely-populated area might pick up registration data on hundreds of thousands of devices. They could also be used to pinpoint a user’s location and to pull data off their device such as photos and text messages.

In addition to the sticky privacy issues, dirtboxes can cause problems for cell phone carriers and users. They disrupt the carrier’s cellular network and can cause dropped calls. According to one of the WSJ’s anonymous sources, calls to 911 are not affected.

The major question is, what is happening to the data gathered on citizens who are not the subject of a criminal investigation? In the past, federal judges have ruled that stockpiling data on unintended targets for later use is unconstitutional. The WSJ quoted someone close to the program as saying, “What is done on U.S. soil is completely legal. Whether it should be done is a separate question.”

Learn more about cell phone detection and interception technologies from our downloadable WHITEPAPERS and by SUBSCRIBING to my 2 Minute Cyber Security Briefing video podcast.

Penetration Testing Basics


As computer networks become more complex, they develop more weak points for hackers to exploit. These weak points can take the form of hardware flaws, operating system bugs, software and users who don’t adhere to security policies. One of the best ways to uncover them is to get a hacker to break in.

What is Penetration Testing?

It’s essentially a legal form of hacking carried out as a test of the target organization’s defenses. The target company either has their IT staff try to break into the system or hires an outside security firm that specializes in this form of attack. While the attacker may be just one person or an entire team, for ease of reading let’s stick to referring to them as a single individual.

The main goal of the test is to see if a hacker can get in, and if they can how far into the system they can get. The testing process itself is either done manually or by using automated software. Penetration testing generally breaks down into several categories, depending on the conditions of the test being performed.

Types of Penetration Testing

White box testing gives the hacker access to information about the internal details of the network. The goal is to provide them with as much information as possible so they can base their test around knowledge of the network’s strengths and weaknesses. This approach minimizes testing time and provides a deeper, more comprehensive test. The drawback is it doesn’t mimic the (lack of) information a real hacker would have.

Black box testing is the closest to a typical hack. The attacker receives no information about the network and must figure it out and gain access on their own. The drawback here is testing times are more unpredictable, and some parts of the network may not get thoroughly tested.

Gray box falls between these two extremes, with the attacker getting certain information such as they might receive by breaking into a normal user’s account.

Penetration testers can also run scenarios based on whether or not someone on the opposing team is aware of the attack and can take steps to thwart the intrusion.

Once the test is complete, the attacker compiles a complete report, including all the steps they took and vulnerabilities they noticed. Companies can then assess these vulnerabilities and prioritize getting them fixed.

Is Penetration Testing for Me?

If your business network is connected to the Internet, odds are hackers have at the very least made attempts to get in. There are crawler applications out there that allow hackers to systematically find vulnerable networks. Some company servers receive thousands of attacks an hour.

Some industries have regulations that require penetration testing on a regular schedule for security purposes. Others do them sporadically when requested. The most unfortunate ones do them after they’ve been attacked and had their systems compromised and they’re facing a PR nightmare. You don’t want your business in the last group.

Visit for wireless security products and subscribe to our 2 Minute Cyber Security Briefing video podcast on Youtube & iTunes.