What to know about Meltdown & Spectre

Credit – Stu Sjouwerman of KnowBe4

“Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time; some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.”

Thank you, Stu! You have a knack for bringing the techno-babble down to layman’s terms!



Recent increase in breach attempts against remote access vectors.

Our security systems have recently detected numerous breach attempts originating from IPs in Europe attacking remote access ports. Specifically, we are seeing remote access systems targeted with DDoS and brute-force password attacks. While these attacks are active, your staff might not be able to access their business applications.

Our threat detection systems and procedures have protected our managed services clients from breach. I am curious whether others are also seeing an increase in this threat vector. I suspect many organizations may be seeing the same but lack the systems to detect and prevent these threats.


From <https://www.linkedin.com/post/edit/6354353081727143936>
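The brute-force activity described above is easiest to spot from failed-logon events. The following is an added example, not code from the original post, of a small sliding-window detector run over constructed Windows Security log lines (event 4625 is a failed logon, 4624 a success, logon type 10 is RDP). The log lines, account names and RFC 5737 test addresses are all made up for the example; it flags one source hammering a single account (brute force) and one source trying many accounts once each (password spray), which a simple per-account lockout policy would miss.

```python
"""Added example (not from the original post): flag brute-force and
password-spray attempts against remote access from Windows Security events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 test addresses), ordered by time, one
# event per line: "<timestamp> <event_id> <account> <source_ip> <logon_type>"
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP, 3 = network.
SAMPLE_LOG = """\
2018-02-12T03:14:01 4625 Administrator 203.0.113.45 10
2018-02-12T03:14:09 4625 Administrator 203.0.113.45 10
2018-02-12T03:14:17 4625 Administrator 203.0.113.45 10
2018-02-12T03:14:25 4625 Administrator 203.0.113.45 10
2018-02-12T03:14:33 4625 Administrator 203.0.113.45 10
2018-02-12T03:14:41 4625 Administrator 203.0.113.45 10
2018-02-12T03:15:00 4625 alice 198.51.100.7 10
2018-02-12T03:15:02 4625 bob 198.51.100.7 10
2018-02-12T03:15:04 4625 carol 198.51.100.7 10
2018-02-12T03:15:06 4625 dave 198.51.100.7 10
2018-02-12T03:20:00 4625 erin 192.0.2.10 10
2018-02-12T03:20:15 4624 erin 192.0.2.10 10
"""


def parse_event(line: str):
    """Split one constructed log line into typed fields."""
    ts, event_id, account, src, logon_type = line.split()
    return datetime.fromisoformat(ts), int(event_id), account.lower(), src, int(logon_type)


def detect(lines, window=timedelta(minutes=5), fail_threshold=5,
           spray_threshold=3, remote_logon_types=(3, 10)):
    """Sliding window of failed remote logons per source IP.

    Returns a list of (kind, source_ip, count) alerts, each raised once:
      brute_force    - at least fail_threshold failures from one IP in the window
      password_spray - at least spray_threshold distinct accounts from one IP
    """
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, account)
    alerts, raised = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, account, src, logon_type = parse_event(line)
        if event_id != 4625 or logon_type not in remote_logon_types:
            continue  # only failed remote logons feed the window
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        accounts = {acct for _, acct in q}
        for kind, count, threshold in (("brute_force", len(q), fail_threshold),
                                       ("password_spray", len(accounts), spray_threshold)):
            if count >= threshold and (kind, src) not in raised:
                raised.add((kind, src))
                alerts.append((kind, src, count))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:15} {src:15} {count}")
```

The same window logic applies to sshd "Failed password" lines or VPN authentication failures once the parser is swapped; the thresholds are starting points and should be tuned against your own baseline so that a user mistyping a password a few times does not page anyone.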

Important Notice regarding WannaCry/WannaCrypt Ransomware threat

News is spreading fast about this global ransomware threat. Over the weekend, computer systems in Europe, China, and Russia were hit hard by this new threat. We are still seeing it grow, and it has reached the U.S. as well.

For MergerTree Managed Services clients, we run endpoint protection and Windows updates to protect your systems from such threats. However, there are still necessary precautions and considerations for your home systems and for friends and family who may not have such protection.

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date. (Webroot is included with MergerTree Managed Desktop services).
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks. (Server backups are included in the MergerTree Managed Services Agreements).
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

A Message From Webroot:

Webroot does currently protect you from WannaCry ransomware. In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before. It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot as part of a strong endpoint control strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

Read the full Alert from US-CERT:

Cybersecurity Tips

Cyber threats continue to evolve at an alarming pace. I recently came across a couple of cybersecurity awareness tips and felt that I should pass them along. The first tips come from the SANS Institute https://www.sans.org/tip-of-the-day . I have mentioned some of these tips in previous blog postings, but repetition is the greatest form of emphasis.

Email Auto-Complete

Be careful with email auto-complete. This is an email feature that automatically completes a name for you when you begin typing it in the To field. However, your email client can easily complete the wrong name. If you are emailing anything sensitive, always check the To field a second time before hitting Send.

To learn more, check out this OUCH! newsletter.


Browser Plugins

Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser’s plugin preferences.

To learn more, check out this OUCH! newsletter.

Patch and Update

One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated. Enable automatic updating whenever possible.

To learn more, check out this OUCH! newsletter.

Back up Your Files

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information (such as family photos) on a regular basis.

To learn more, check out this OUCH! newsletter.

IoT Trojan Horse

The new “Trojan Horse”: IoT

The IoT, the Internet of Things, has been a discussion point for many security experts this year. The more technology we introduce into everyday life, the more automation and convenience we gain, but it also brings substantial risk. Consider last Friday’s DDoS (distributed denial of service) attack on the data centers of Dyn, a DNS provider. This attack took down Netflix, Twitter, PayPal, and other online businesses. What looked like a data center issue at Dyn was really a well-orchestrated cyber-attack. But by whom? While we may not have the answer to this yet, we do know what happened.

It all begins with Chinese-manufactured web cameras (IoT devices). Millions of these cameras are in operation and connected to networks around the world. They are online so that their owners can connect and monitor them. Everything connected to the Internet is a target for bad actors and hackers.

A new piece of malware named Mirai was created to hunt out and breach these and many other camera systems. And it was REALLY easy. You see, the cameras have security, but most users never take the time to change the default credentials. They just plug in the cameras and are happy they are working, never giving a thought to any security risk! These and all devices connected to the Internet must be secured and must not be left with default settings!

As Mirai scanned the internet, logging in with a list of 60 known default credentials, it planted its Trojan horse on each device it could reach and reported back to the bad actors, awaiting commands. Last Friday the bad actors began their attack, using the compromised IoT devices to send malicious traffic at Dyn’s data centers. This traffic hit with such pace and volume that the data centers could not keep up, resulting in service outages. It was no fault of Netflix, Twitter or PayPal, but it certainly appeared that their systems were down. In reality they just could not be reached because of this DDoS.

After half a day the threat was mitigated. The Dyn security team was able to deflect the traffic and restore services. But there is still a huge risk on the internet, with millions of breached IoT devices. The Chinese manufacturer has offered a recall of many of the cameras, and many other models can be fixed with a firmware update. But who will really take action on this? How do people know whether they have a breached camera? And would they understand how to update the firmware? There are far more questions than answers at this point.

I can’t help but consider that this could be a nation-state sponsored threat. Isn’t anyone else concerned that a foreign nation shipped millions of cameras with embedded credentials that could allow them to take control of those cameras at any time?

This time we lost Netflix and Twitter for a few hours. What if the attack had been directed at our financial institutions or national infrastructure?

A case of Corporate Spying

Oil and natural gas intellectual property (IP) includes a company’s trade secrets, proprietary information, and research. This ranges from drilling equipment to pipeline insulation, which if stolen could result in lost revenue, lost employment, damaged reputation, lost investment for research and development (R&D), and interruption in production.

Who might steal your IP?

  • Domestic and foreign commercial rivals
  • Domestic and foreign start-up companies
  • Foreign Intelligence Officers (spies)
  • Disgruntled employees (insider threat)
  • Organized criminals

A good description of actual economic espionage was reported by the FBI. In 2012, two Chinese nationals were arrested by the FBI for attempting to pay $100,000 to a Project Manager employee for “Pipeline Insulation,” a trade secret belonging to a well-known US company. The two individuals were seeking the technology to open a plant in China to compete with US companies. They solicited the company’s employee via a newspaper ad seeking “technical talent” with 10 or more years’ experience in “Pipeline Insulation” and a willingness to work in Asia.

The Chinese nationals used low-tech and careless methods of collection. Given the high risk of getting caught, these individuals displayed minimal concern for possible repercussions of their actions. Outlined below are espionage indicators noted during the course of the FBI investigation:

  • Supplying a company insider with a requirements list through unclassified e-mail.
  • Seeking specific types of information at selected companies.
  • Targeting a 24-hour operational facility with the highest production of trade secrets, allowing for more opportunities to acquire technology.
  • Providing inconsistent information when confronted by plant management for trespassing.
  • Asking that trade secrets be provided on a thumb drive.
  • Knowingly purchasing documents with proprietary markings with the intention to remove the information.
  • Seeking a consultant who can travel to China two to three times a year to support plant developments.

The example above is but a brief summary of threats in today’s world. Companies hold IP in drilling fluids, pipeline testing, chemical plant unit design, waste disposal, power generation, rig automation, geoscience data and analytics and much more. These are all valuable commodities to bad actors bent on stealing them for profit or for market share. This puts companies at extreme risk of loss of market share, profit and employment of US citizens. Now is the best time to review your physical security and cybersecurity defenses.


Zero-percent cybersecurity unemployment, 1 million jobs unfilled

Given the reported shortage of cybersecurity talent, it makes sense that Managed Cyber Security providers offer numerous leveraged advantages for SMBs that want to bolster their IT security. These advantages include:

  1. Extensive resources – Many SMB owners and managers say they believe their businesses are more prone to cyber attacks because they lack the resources to maintain their defenses. Conversely, an MSP possesses the skills and know-how to minimize such issues.
  2. Better preparation – Many SMBs note that they are unprepared to deal with insider threats, while almost half say they are unprepared for unsecured internal or external networks. An MSP can help an SMB understand and manage these problems.
  3. Specialization – One third of SMB IT staff say they juggle security along with their other IT responsibilities. However, an MSP can focus exclusively on security and ensure an SMB gets the cybersecurity support it needs at all times.

MSPs, like MergerTree Solutions, that offer platforms that leverage cloud-based security architecture are becoming increasingly important because they allow SMBs to implement protection without investing in new infrastructure or being burdened by upfront deployment and management costs.

Contact us today to learn more about the MergerTree Solutions Managed Cybersecurity Platform troy@mergertree.com

What Should You Do About the “Microsoft Tech” Support Scam?

Anyone claiming to be from “Microsoft tech” or “Windows” should be expected to know if there is a virus on your PC, right? And when they guide you into checking the Windows Event Viewer (where harmless errors are logged) and reading out a string of numbers, they usually manage to snare you into their swindle. After all, you don’t want to lose your hard work, or be without your computer due to a virus, right?

The objective of this type of scam is to talk you into installing remote-control software on your computer so that they can take control. Once control is taken, this will either allow them to steal data, introduce a Trojan horse or other malware (the remote software itself may be a malicious tool), or just perform a bit of “tech support theatrics” to make it seem as though they know what they are doing.

Once the “virus” is discovered, the scammer will, of course, demand money for their services in “removing” it. This can go a number of directions, but if you refuse, there is the possibility that the scammers have remotely changed your password or encrypted your files, turning this into a one-on-one ransomware scam.

How do you handle a scam call?

  • Hang up the phone when you identify that the call is uninvited.
  • Do not allow remote access to your computer.
  • Never divulge passwords or PINs.
  • Neither Microsoft nor anyone acting on its behalf will ever call you unsolicited.

Last, if you paid a “Microsoft tech” support scammer to “remove” a “virus”, call your credit card company right away. Tell them you have been scammed and ask them to cancel the transaction. You should also change the password for your credit card account… and all other passwords you use, too.

By giving your credit card details to the scammers to pay for their “service”, you are also likely giving them the information they need to use your card. By sharing the 16-digit number, the expiry date and the three-digit code on the reverse, you have essentially given them everything they need to steal from you. Remember, they called you: this is not a safe way to conduct business!

Let the bad guys spend their money and spin their wheels.

As hackers get smarter, so must we. A locked screen no longer secures a PC, but there are still simple measures that will.

Don’t leave your unattended workstation logged in, especially overnight, even if you lock the screen.

Most users lock their computer screens when they temporarily step away. While this seems like a good security measure, researchers have recently found that it is no longer good enough: attackers can use some USB-to-Ethernet adapters to steal credentials from locked Windows computers.

Security researchers found that all it takes to capture an OS account credential from a locked Windows computer is to plug in a special USB device for a few seconds. The captured hash can later be cracked or used directly in some network attacks. These attacks can be pulled off with cheap devices, like the Hak5 LAN Turtle, which costs about $50.

The USB device can be configured to masquerade as a USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This is not difficult because: 1) operating systems automatically install newly connected USB devices, including Ethernet adapters, even while they are locked, and 2) they prefer a wired or faster Ethernet adapter when choosing the default route, so the gateway handed out on the new adapter takes over.

For example, if an attacker plugs a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface.

The rogue adapter takes over most reliably when the PC is on a wireless connection, because Windows prefers a wired adapter for its default route. Do not treat a wired machine as immune, though: the rogue adapter still gets its own lease from the attacker’s DHCP server, and Windows sends LLMNR and NetBIOS name-resolution requests on every active interface, which is enough for the rogue device to solicit an authentication.

Additionally, when a new network card gets installed, the OS configures it to automatically detect the network settings through the Dynamic Host Configuration Protocol (DHCP). This means that an attacker can have a rogue computer at the other end of the Ethernet cable that acts as a DHCP server.

Once an attacker controls a target computer’s network settings via DHCP, they also control DNS (Domain Name System) responses, can configure a rogue internet proxy through the WPAD (Web Proxy Auto-Discovery) protocol, and more. The attacker essentially gains a privileged man-in-the-middle position that can be used to intercept and tamper with the computer’s network traffic.

According to the researchers, computers in a locked state still generate network traffic (looking up the WPAD proxy and resolving names, for example), and when the rogue device answers, Windows authenticates to it automatically, handing over the account name and an NTLM challenge/response derived from the password hash. The time it takes a rogue USB device to capture credentials this way is around 15 seconds.

Depending on the Windows version and its configuration, the captured material will be in NTLMv2 or NTLMv1 format. It is a challenge/response (NetNTLMv2 or NetNTLMv1) derived from the NT password hash, not the stored hash itself, which is why it cannot be used for pass-the-hash and has to be cracked instead. NTLMv2 responses are harder to crack than NTLMv1, but not impossible, especially if the password is not very complex and the attacker has access to a powerful password-cracking rig.

There are also relay attacks in which the captured NTLM authentication is forwarded live to another network service (NTLM relay), so the attacker never needs the plaintext password. This works against services that do not require message signing, which is one reason to enforce SMB signing.

Was all that pretty high-tech, involved, and even confusing? This is a high-stakes business. Investment in research and development of hacking schemes and equipment pays off: money and time are spent and risks are taken to illegally obtain personal credentials and passwords. That should be their loss, not yours! Fortunately, despite all they have put into this clever trick, preventing this vector from stealing your credentials won’t cost you a penny or even much time. You are aware, and that is the first step.

  • When you leave your computer unattended, log out. SAFE
  • Stay hard-wired rather than wireless when conducting work or using personal credentials, so a rogue adapter is less likely to become the preferred interface. SAFE
  • Secure the physical environment of your workstation. SAFE

Let the bad guys spend their money and spin their wheels. As long as you are aware and prepared, they lose not you.

8 Ways to Fight Off Ransomware

Ransomware is very damaging. In line with the evolution from viruses to botnets and new malware families over the past 10 years, bad actors continue to find ways to reinvent old threats. Today, the top trend in modern malware is the proliferation of ransomware.

Ransomware has come a long way from the non-encrypting lock-screen “FBI warning” scareware like Reveton. In 2016 there has been a constant flow of new ransomware families, like Locky, Cerber, Madeba and Maktub, and this is only expected to pick up steam over the rest of the year. Below are 8 tips to help you defend against ransomware.

Install the latest patches for your software, especially Adobe, Microsoft and Oracle apps

A common way in for ransomware is via exploit kits, like Angler. These bundle exploits for many application vulnerabilities into one kit and try drive-by exploits for each in sequence. The more outdated your apps are, the more likely it is that one of these exploits works and infects you with ransomware.

Be skeptical: Don’t click on anything suspicious

Don’t open emails or attachments from senders you don’t recognize, and avoid suspicious websites altogether. Most infections come from user action (opening attachments or visiting websites), so being vigilant is the most effective way to minimize damage.

Block popups

Popups are regularly used by criminals to spread malicious software. To avoid accidental clicks on or within popups, it’s best to prevent them from appearing in the first place.

Use network protection

A very important part of a comprehensive security strategy is a network traffic monitoring system based on machine learning and behavior analysis. As most of these attacks come in via internet channels, make sure your network protection can parse and analyze both email and web traffic.

Turn Windows User Account Control (UAC) on

Windows added this security feature to help you stay in control of your computer by prompting you when a program attempts a change that requires administrator-level permission. UAC works by adjusting the permission level of your user account: if you are doing tasks that a standard user can do, such as reading e‑mail, listening to music, or creating documents, you run with the permissions of a standard user, even if you are logged on as an administrator. Take full advantage of it.

Use security content to detect ransomware

You will never entirely stop people from opening a malicious email and being tricked into clicking a phishing link. That one click can drop a single file that then spreads worm-like through your IT infrastructure, or your organization’s, and wreaks havoc. It is critical to have good detection content (signatures, rules and indicators for your monitoring tools) so you can spot these infections and squash them before they become a problem.

Don’t underestimate the value of continuous monitoring

Look at security vendors with a “products + services” approach. Market-leading security technologies are critical, but combined with 24×7 monitoring by security experts they are the best approach to securing your IT infrastructure and stopping threats like ransomware. If you run a 9-to-5 business and no one is watching your shop at night, that is a lot of hours for malicious code to move through your IT infrastructure.

Have a robust, in-depth backup plan

Before your company is attacked by ransomware, have a backup plan in place so you can still get to your data. An organization’s backup strategy must include offline backups; this may require manual processes, but backups that stay reachable online can be encrypted by the attackers too, making them useless to the victim. Know the pain points of restoring and recovering data, and make sure your plan accounts for them. Classify your systems and data when creating the plan: keep in mind which are most important to your organization and put extra care around the most critical systems in your infrastructure.

Please contact MergerTree Solutions for more information about continuous monitoring and an in-depth back up plan.