Signs Your System Has Been Compromised

Users need to be alert for signs that a system has been compromised. One of the more common signs is that icons on the desktop have moved, or new icons have appeared. New icons, when nobody is known to have installed any software, are a red flag that the system has been compromised.

Attackers often install additional software once they gain access to a system, either to extend their control or to gather more information from it. Usually that software leaves no obvious trace, but attackers are sometimes sloppy, and a surprising new icon is one of the traces they leave behind.

Moved icons can be an indication for the same reason. The attacker may have gone back through the desktop to delete the new icons, but the installation already shifted some of your existing icons, and the attacker does not know where they originally were. Alternatively, the desktop was auto-arranged, and the icons are no longer where you had placed them.

Another big indicator is that the system suddenly slows down. The screen may lag when you type, or tasks that used to take a second or two now take many seconds or even minutes. The extra load comes from the software that has been installed and whatever it is doing: stealing information, or using your computing power for other purposes such as cryptocurrency mining. Mining is the work of solving the computational puzzles that earn units of a cryptocurrency such as Bitcoin. It takes a great deal of computing power, so cybercriminals farm it out to compromised systems rather than paying for their own.

Basically, be alert to any change in the way your system looks or responds. It may have a legitimate cause, but it can also be the first sign that someone else has gained access to your system.

CCS provides IDS products.  Contact our Sales Department to discuss the right solution for your operations.

Dave.

The threat of Attack on Point-Of-Sale (POS) systems

In the retail world, the threat of attack on Point-Of-Sale (POS) systems is always high, as they are a prime target for the bad actors trying to get credit card information. There is always new malware being created to try to get that information. There are, however, steps that can be taken to reduce the risk, even with regards to the latest attack software.

The best thing that you can do is to isolate your servers and workstations as much as possible. In an ideal world, these would be completely isolated, and not interact with any other systems. The reality is that this is very rarely the case. With that in mind, let’s look at some things that can be done.

The first step is to make the firewall as restrictive as possible. POS workstations, and the POS server if there is one, should be allowed to reach only what is absolutely needed. In most cases that is only your credit card processor. In no case should the firewall give either the workstations or the server unrestricted access to the Internet. A restrictive outbound policy removes the opportunity for drive-by downloads and for users browsing to malicious sites from a POS machine.

Along those lines, any computers used for general Internet browsing and email should be on a separate network. If a separate physical network is not possible, at least put them on a separate logical network (a different VLAN or address range) with a firewall between it and the POS segment. Separation by itself is not a complete defense, but a POS segment that can only be reached through a filtering boundary blocks the majority of the malware that spreads across a flat network.

If remote access is needed (and it should be limited to cases where it truly is, such as your support company), restrict it to the source addresses that have a legitimate reason to connect, and monitor every such connection. One simple method is to keep the remote access software disabled and enable it only while your support personnel are actively connecting, disabling it again as soon as they are finished.
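The three steps above, as an added example in PowerShell; this is not CCS's or NCR's tooling and not part of the original post. It assumes a Windows 8.1, Windows 10 or Server 2012 R2 (or later) workstation with the NetSecurity module, an elevated session, and placeholder addresses for the card processor, the POS server, the internal DNS resolver and the support company's network that you would replace with your own:

```powershell
# Added example, not CCS or NCR tooling. Requires Windows 8.1 / Server 2012 R2
# or later (NetSecurity module) and an elevated session. Every address below
# is an assumed placeholder for the reader's own environment.
#Requires -RunAsAdministrator

$ProcessorHosts = @('203.0.113.10', '203.0.113.11')   # assumed: card processor gateways
$PosServer      = '10.10.20.5'                        # assumed: POS server on the POS segment
$InternalDns    = '10.10.20.2'                        # assumed: resolver on the POS segment
$SupportNet     = '198.51.100.0/24'                   # assumed: support company's source range

function Set-PosWorkstationFirewall {
    # Default deny both ways on every profile. Anything not listed below,
    # including general web browsing and the drive-by downloads that come
    # with it, is simply dropped.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # Make the script safe to re-run, and make sure the stock "allow RDP from
    # anywhere" rule group is not silently doing the job this script restricts.
    Get-NetFirewallRule -DisplayName 'POS-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

    # Outbound: the processor over HTTPS, the POS server, and DNS. Nothing else.
    New-NetFirewallRule -DisplayName 'POS-Out-Processor' -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 443 -RemoteAddress $ProcessorHosts | Out-Null
    New-NetFirewallRule -DisplayName 'POS-Out-PosServer' -Direction Outbound -Action Allow `
        -RemoteAddress $PosServer | Out-Null
    New-NetFirewallRule -DisplayName 'POS-Out-DNS' -Direction Outbound -Action Allow `
        -Protocol UDP -RemotePort 53 -RemoteAddress $InternalDns | Out-Null

    # Inbound: RDP only from the support range, created disabled so the port
    # stays closed until someone deliberately opens it for a session.
    New-NetFirewallRule -DisplayName 'POS-In-RDP-Support' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $SupportNet -Enabled False | Out-Null
}

$TermServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Enable-SupportRdp {
    # Open the door for a support session: turn the RDP listener on and
    # enable the restricted inbound rule. Record who did it and when.
    Set-ItemProperty -Path $TermServerKey -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayName 'POS-In-RDP-Support'
    "$(Get-Date -Format s) RDP enabled for $SupportNet by $env:USERNAME" |
        Add-Content -Path "$env:ProgramData\pos-rdp-access.log"
}

function Disable-SupportRdp {
    # Close it again as soon as the session is over.
    Disable-NetFirewallRule -DisplayName 'POS-In-RDP-Support'
    Set-ItemProperty -Path $TermServerKey -Name fDenyTSConnections -Value 1
    "$(Get-Date -Format s) RDP disabled by $env:USERNAME" |
        Add-Content -Path "$env:ProgramData\pos-rdp-access.log"
}

# Typical use: Set-PosWorkstationFirewall once; Enable-SupportRdp before a
# support call, Disable-SupportRdp when it ends.
```

Two caveats. First, this is a host firewall, and anything running as administrator on the workstation can change it, so the same allow-list belongs on the perimeter firewall as well; if the workstations also need Windows Update, a domain controller or an NTP source, each of those needs its own explicit rule. Second, Windows 7 and POSReady 7 workstations do not have the NetSecurity cmdlets; the equivalent rules are written there with `netsh advfirewall firewall add rule`.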

Those are the basics of securing a POS system. They are a good place to start, but only a start: keeping software updated, training personnel, and staying vigilant are key components as well.

Dave

Security and Encryption Malware

Despite one's best intentions, systems can be infected by viruses, hacked, or crashed for various reasons and from various sources. Good security software and redundant data and program backups should be considered must-haves. Even with those policies and procedures in place, however, things can sometimes go very wrong.

As a recent example:

A company's application server was infected with file-encrypting ransomware in the middle of the day. Most of the operating system and a number of programs were encrypted.

A repair installation did not correct the problem, and the recovery ultimately required pulling selected programs and data from multiple backups. Because the backups were incomplete, this left a number of residual issues with some operating system files and features and with selected programs.

This infection was later determined to be the result of all of the following:

  • The server had not been restarted after an anti-virus software update.
  • RDP was exposed to the Internet through the server's firewall.
  • The application server was missing a patch for a known security flaw, leaving it open to remote brute-force connection attempts.
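A check that would have shown the brute-force activity on that server before the ransomware landed, as an added example in PowerShell that is not from the original post or any CCS tooling. It summarizes failed logons (Security event 4625) by source address and logon type, parsing the event XML by field name rather than relying on property positions; the threshold and the sample rows are constructed for the example:

```powershell
# Added example, not from the original post. Failed logons are Security
# event 4625; an Internet-facing RDP port under password guessing shows up
# as one source address producing many of them against a few account names.

function Get-LogonFailureRow {
    # Live collection on a Windows host: pull 4625 events from the last $Hours
    # and flatten the EventData fields by name (positions vary by OS version).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $field['IpAddress']
            LogonType = $field['LogonType']      # 10 = RemoteInteractive (RDP), 3 = network
            User      = $field['TargetUserName']
        }
    }
}

function Get-LogonFailureSummary {
    # Group the rows by (source, logon type) and report the noisy ones.
    param([object[]]$Rows, [int]$Threshold = 20)   # assumed: 20 failures per source is worth a look
    $Rows | Group-Object Source, LogonType |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Source    = $ordered[0].Source
                LogonType = $ordered[0].LogonType
                Failures  = $_.Count
                Users     = ($ordered.User | Sort-Object -Unique) -join ','
                First     = $ordered[0].Time
                Last      = $ordered[-1].Time
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample rows standing in for live events: one outside address
# hammering two account names over RDP (type 10), and one LAN typo.
$now = Get-Date
$sample = @(
    foreach ($i in 1..30) { [pscustomobject]@{ Time = $now.AddMinutes(-$i); Source = '203.0.113.77'; LogonType = '10'; User = 'Administrator' } }
    foreach ($i in 1..5)  { [pscustomobject]@{ Time = $now.AddMinutes(-$i); Source = '203.0.113.77'; LogonType = '10'; User = 'admin' } }
    [pscustomobject]@{ Time = $now; Source = '10.10.20.15'; LogonType = '2'; User = 'cashier1' }
)
Get-LogonFailureSummary -Rows $sample -Threshold 20 | Format-Table -AutoSize
# On the real server: Get-LogonFailureSummary -Rows (Get-LogonFailureRow -Hours 24)
```

Logon failure auditing has to be turned on for the 4625 events to exist at all, and when Network Level Authentication is in use the failed RDP attempts are usually recorded as logon type 3 rather than 10, so filter on the source address rather than on the type. A summary like this is a detection, not a fix: the fix is the one the list above implies, which is not to expose RDP to the Internet in the first place.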

In this particular case, the saving grace was that the company's core application programs and data were undamaged on at least some of the redundant backups.

The end result was that a recovery project that could have taken weeks or months, or that could have ended in massive irreversible data loss, caused only several days of disruption and a couple of days' worth of lost data.

While all of this might seem like a no-brainer to some, a focused plan that has built-in redundancy should be considered a must for any business.

If you would like a review of your current system for security and/or backup integrity, please contact CCS Retail Systems Support Department to schedule your System Security and Recovery evaluation.

– John

New TLS Patch Coming for 8.5.2.1

 

ViewPoint Newsletter | NCR
New TLS Patch Coming for V8.5.2.1 March 6th

Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018. For more information on this, please refer to the TLS 1.2 transition document. 

To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition to the previously mentioned updates to NCR Counterpoint V8.5.4 and V8.4.6, we will also be releasing a patch for V8.5.2.1. Releases are scheduled as follows:

  • V8.5.4 Patch 002: Scheduled for 2/20/2018
  • V8.4.6.19 Service Pack: Scheduled for 3/6/2018
  • V8.5.2.1 Patch: Scheduled for 3/6/2018

We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint.

To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your workstations by following the appropriate steps for your operating system, as outlined in our TLS 1.2 transition document. 

Marilyn.

Getting Ready For Transport Layer Security (TLS) 1.2

Payment Card Industry Data Security Standards (PCI DSS) require all PA-DSS validated payment applications to discontinue the use of “early TLS” (i.e., all versions of SSL and TLS 1.0) by June 30th, 2018.

To comply with this requirement, NCR Secure Pay will no longer accept early TLS connections after 2:30 A.M. on June 5th, 2018. In addition, updates to NCR Counterpoint V8.5.4 and V8.4.6 that will require the use of TLS 1.2 for payment transactions processed through NCR Secure Pay will be released as follows:

  • V8.5.4 Patch 002: Scheduled for 2/20/2018
  • V8.4.6.19 Service Pack: Scheduled for 3/6/2018

We do not plan to release patches or Service Packs to support TLS 1.2 in other versions of NCR Counterpoint. To prepare for the transition to TLS 1.2, you must first ensure that TLS 1.2 is supported and enabled on your workstations by following the appropriate steps for your operating system, as outlined below.

Do NOT disable early TLS on your workstations, as NCR Counterpoint Services (CPServices) requires TLS 1.0 for internal communications. Because PCI DSS prohibits the use of early TLS only for the external communication of payment transactions, using TLS 1.0 with CPServices does not violate PCI DSS compliance.

CPServices will be updated to use TLS 1.2 in a future NCR Counterpoint release.

Once TLS 1.2 is enabled, you can install V8.5.4 Patch 002 or the V8.4.6.19 Service Pack—depending on which version of NCR Counterpoint you are using—to begin using TLS 1.2 for all communications with NCR Secure Pay.

V8.5.4 Patch 002 and the V8.4.6.19 Service Pack will only work with TLS 1.2. If you install these updates on a workstation for which TLS 1.2 is not supported and enabled, NCR Counterpoint will be unable to connect to NCR Secure Pay and you will be unable to process payments.

WINDOWS 8.1 / WINDOWS 10 / WINDOWS SERVER 2012 R2

By default, TLS 1.2 is supported and enabled in Windows 8.1, Windows 10, and Windows Server 2012 R2. Thus, no additional configuration is required to use TLS 1.2 with these operating systems.

WINDOWS 7 / WINDOWS EMBEDDED POSREADY 7 / WINDOWS SERVER 2008 R2

If your NCR Counterpoint workstations are running Windows 7, Windows Embedded POSReady 7, or Windows Server 2008 R2, first ensure that you have installed all current Service Packs, updates, and security patches.

To enable TLS 1.2, create the registry entries (in the Client subkey) that are specified in the TLS 1.2 section of the Transport Layer Security (TLS) registry settings page in the Microsoft documentation library (https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12). The change takes effect after a reboot.


VERIFYING THAT TLS 1.2 IS ENABLED

If you are using Windows 7, Windows Embedded POSReady 7, or Windows Server 2008 R2, you can verify whether TLS 1.2 is supported and enabled on each of your NCR Counterpoint workstations by using Microsoft Internet Explorer to access the How’s My SSL? Website (https://howsmyssl.com).

Only use Internet Explorer to verify that your workstation is using TLS 1.2; other browsers do not use the Windows TLS system and may display incorrect results.

The Version section of the page should indicate that your client is using TLS 1.2.
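The registry step and the verification step above, as an added example in PowerShell; this is not NCR's tooling, and it checks the registry values rather than performing the live handshake that the How's My SSL? test performs. It writes the two TLS 1.2 client values named on the Microsoft page, reads them back, and confirms that TLS 1.0 has not been disabled, since CPServices still needs it; the key paths are the standard SChannel locations, nothing else is assumed:

```powershell
# Added example, not NCR tooling. Enables TLS 1.2 for SChannel clients on
# Windows 7 / POSReady 7 / Server 2008 R2 and verifies the result. Run
# elevated; SChannel reads these keys at boot, so reboot afterwards.
#Requires -RunAsAdministrator

$Protocols   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Tls12Client = Join-Path $Protocols 'TLS 1.2\Client'
$Tls10Client = Join-Path $Protocols 'TLS 1.0\Client'

function Enable-Tls12Client {
    # The two values from the Microsoft TLS registry settings page:
    # Enabled=1 turns the protocol on, DisabledByDefault=0 lets SChannel
    # offer it without the application asking for it explicitly.
    if (-not (Test-Path $Tls12Client)) { New-Item -Path $Tls12Client -Force | Out-Null }
    New-ItemProperty -Path $Tls12Client -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $Tls12Client -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-Tls12Client {
    # True only when both values exist with the enabling settings.
    if (-not (Test-Path $Tls12Client)) { return $false }
    $p = Get-ItemProperty -Path $Tls12Client
    ($p.Enabled -eq 1) -and ($p.DisabledByDefault -eq 0)
}

function Test-Tls10ClientStillOn {
    # Guard for the warning in the NCR note: TLS 1.0 must stay available for
    # CPServices. No key at all means the OS default, which is enabled.
    if (-not (Test-Path $Tls10Client)) { return $true }
    $p = Get-ItemProperty -Path $Tls10Client
    -not (($p.Enabled -eq 0) -or ($p.DisabledByDefault -eq 1))
}

Enable-Tls12Client
[pscustomobject]@{
    Tls12ClientEnabled = Test-Tls12Client
    Tls10ClientStillOn = Test-Tls10ClientStillOn
    RebootNeeded       = $true
}
```

These keys govern SChannel only. Applications that go through WinHTTP on Windows 7 and Server 2008 R2 additionally need Microsoft's update KB3140245 and its DefaultSecureProtocols value, and .NET Framework applications choose their own protocol unless the framework is told to follow the system defaults; which stack NCR Counterpoint uses is not stated in this newsletter, so the NCR transition document and the Internet Explorer test described above remain the authority on whether a workstation is ready.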

WINDOWS EMBEDDED POSREADY 2009

NCR does not currently plan to test or support TLS 1.2 with Windows Embedded POSReady 2009. Although Microsoft has indicated that an update will be made available to support TLS 1.2 with Windows POSReady 2009 (https://cloudblogs.microsoft.com/microsoftsecure/2017/10/05/announcing-support-for-tls-1-1-and-tls-1-2-in-xp-posready-2009/), merchants who wish to continue using POSReady 2009 must do so at their own risk.

We strongly recommend upgrading any workstation that is running Windows POSReady 2009 to a newer, supported operating system.

Marilyn.

GDPR – The General Data Protection Regulation Compliance Requirements

The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key elements of the GDPR are the following:

  • Enhanced personal privacy rights – strengthened data protection for residents of the EU, ensuring that they have the right to access their personal data, to correct inaccuracies in it, to erase it, to object to its processing, and to move it.
  • Increased duty for protecting personal data – reinforced accountability of organizations that process personal data, providing increased clarity of responsibility in ensuring compliance.
  • Mandatory personal data breach reporting – organizations that control personal data are subject to stringent reporting and notification requirements in the event of a personal data breach.
  • Significant penalties for non-compliance – steep sanctions, including substantial fines, that apply whether an organization has intentionally or inadvertently failed to comply.

As you might anticipate, the GDPR may have a significant impact on your business, potentially requiring you to update privacy policies, implement and strengthen data protection controls and breach notification procedures, deploy highly transparent policies, and further invest in IT and training.

If your company has business transactions with European Union (EU**) companies or customers, contact CCS Retail Systems for help planning how to avoid GDPR penalties before the regulation becomes enforceable on May 25th, 2018.

**EU: Austria, Belgium, Croatia, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom

Marilyn McCormick

Recovering From a Ransomware Attack

Ransomware attacks are on the rise. It is getting more common to get random emails with subjects indicating they are package tracking, voice mails, photo edits, and so on. Many of these are attempts to get you to take the bait, click the link, and ultimately install ransomware. Much has been written about recognizing malicious emails, not opening mail from unknown users, and other good advice. What happens, however, if you are unfortunate and do get hit with ransomware?

This post assumes a true ransomware infection, where an active malware payload has been placed on your system. A second type is scareware masquerading as ransomware: it has no payload but threatens you with encryption all the same. At first, it is best to assume that any ransomware threat includes a payload. Investigating from a safe-mode boot helps you check whether a payload is actually active; if the infection turns out to be scareware only, a reboot and a comprehensive malware scan to confirm that nothing is active may be all you need.

Be very suspicious of any unusual activity. One of the first signs, even before the ransom notice appears, is that programs stop working or documents disappear, because the malware has started encrypting your files. If anything like that happens, take immediate action: physically disconnect the network cable, or turn off the wireless connection, and then shut the computer down. I do not usually advocate simply cutting the power, but this is one time when it is not a bad idea. Powering off loses whatever was in memory, which can matter to an investigator later, but the priority at this moment is to stop the encryption that is under way, and every minute the machine keeps running costs more files.

Try to start the computer in safe mode and begin investigating. Look up how to enter safe mode on your version of Windows and MAKE SURE you do not get a normal boot, or the ransomware will be active again (safer still is to examine the disk from a clean boot medium, since some malware survives safe mode). Check for the programs or documents that suddenly disappeared. If a file with the same name is present but its extension has changed, ransomware is most likely the culprit. In that case, be prepared to do some research, and possibly still lose some work. It depends on the variant: some ransomware payloads have been cracked, and recovery utilities are available for them.

Other ransomware payloads have no decryption utility, and you will have to go to your backup copies. Before that, however, you need to make sure the machine is cleaned of the ransomware programs, or your system will be reinfected and you will have to start over. If removal utilities exist for the ransomware on your system, use them immediately. If not, a lot of digging and experimenting will be required, and you may need to reformat the infected drives, reinstall the operating system, and then restore from a full image backup, NOT just a file backup. In either case, spend a lot of time checking your system before putting it back on the network and getting on with your work. You want to be very, very sure that the ransomware is gone, or you will expose the rest of the computers on your network to infection.
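A triage script for the "programs stop working, documents disappear" moment described above, as an added example in PowerShell that is not part of the original post. Run from the safe-mode boot (or against the disk from a clean system), it lists recently written files whose extension is unexpected, that carry a second extension such as report.docx.locked, or whose content is near-random, which is what encrypted output looks like. The known-extension list, the entropy floor and the sample directory tree are assumptions made for the example:

```powershell
# Added example, not from the original post. Encrypted files have three
# tells: a new write time, an unfamiliar or doubled extension, and content
# with no structure (entropy close to 8 bits per byte). This flags all three.

function Get-ByteEntropy {
    # Shannon entropy of a byte array, 0..8 bits per byte.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [math]::Log($p, 2) }
    }
    $h
}

function Find-SuspectFiles {
    param(
        [string]$Path,
        [int]$Hours = 6,
        [double]$EntropyFloor = 7.5,            # assumed: text is ~4-5, compressed/encrypted ~7.9+
        [string[]]$KnownExt = @('.txt', '.docx', '.xlsx', '.pdf', '.jpg', '.png', '.csv', '.log', '.exe', '.dll')
    )
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            # Read only the first 4 KB; that is enough to tell random from structured.
            $buf = New-Object byte[] 4096
            $fs = $_.OpenRead()
            try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
            $head = New-Object byte[] $n
            [Array]::Copy($buf, $head, $n)
            $ext   = $_.Extension.ToLower()
            $inner = [IO.Path]::GetExtension($_.BaseName).ToLower()   # 'report.docx.locked' -> '.docx'
            [pscustomobject]@{
                File       = $_.FullName
                Ext        = $ext
                Entropy    = [math]::Round((Get-ByteEntropy -Bytes $head), 2)
                UnknownExt = $ext -notin $KnownExt        # files with no extension are flagged too
                DoubleExt  = ($inner -ne '') -and ($inner -in $KnownExt)
            }
        } |
        Where-Object { $_.UnknownExt -or $_.DoubleExt -or $_.Entropy -ge $EntropyFloor }
}

# Constructed sample tree, not real victim data: one ordinary text file and
# two files that look the way encrypted output does (random bytes, extra extension).
$demo = Join-Path ([IO.Path]::GetTempPath()) ("ransom-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'notes.txt') -Value ('plain text ' * 200)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($name in 'report.docx.locked', 'q1-sales.xlsx.locked') {
    $junk = New-Object byte[] 8192
    $rng.GetBytes($junk)
    [IO.File]::WriteAllBytes((Join-Path $demo $name), $junk)
}
Find-SuspectFiles -Path $demo -Hours 1 | Format-Table Ext, Entropy, UnknownExt, DoubleExt, File -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Already-compressed formats (docx, xlsx, jpg, pdf, zip) also read as high entropy, so the extension signals are the stronger evidence and the entropy column is supporting evidence, not proof. The ransom note itself, usually a small text or HTML file dropped into every affected folder, often names the variant and is the first thing to search for once you know which extension the encrypted files carry. To force the next boot into safe mode without having to catch the boot menu, `bcdedit /set {current} safeboot minimal` sets it and `bcdedit /deletevalue {current} safeboot` removes it once you are done.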

Recovering from ransomware is a critical task that can be very complex, and this post is only a simple overview. We recommend you contact CCS Retail Systems Support for further guidance and services to ensure the ransomware is properly eliminated from your systems. Remember that if you comply with the ransom demand there is NO guarantee that payment will result in any recovery of your system. The best course of action is to defeat the ransomware, NOT to pay.

Dave.

Be Safe, Not Sorry

An acquaintance of mine, who is a creative device engineer, has been using his laptop in his office to develop his designs. He has put years of effort into his work and likes the convenience of using his laptop “on the fly” when he gets a creative thought that he needs to record.

Last week, the shop was burglarized and the laptop was stolen. Although the thieves were caught the very next day, when the laptop was recovered, the designs stored in it were over-written with computer games.

Sadly, everything was lost because he hadn’t taken the time to set up a backup system, even though he had been told to do so countless times. Nothing was recoverable.

There are many options for backup, including copying to an external drive or sending the backup to a remote, cloud-based server. Cloud storage services such as Dropbox or Google Drive are also available for those who want to use them. Which option you choose depends on what you want to back up: selected files and folders, particular devices, or an image of the entire hard disk. Whatever you choose, keep at least one copy that is not permanently attached to the computer, because ransomware and thieves take whatever is connected or synced along with the original.

Remember that many events can affect your precious information: fires, floods, tornadoes, earthquakes, ransomware, power outages, hardware or software failure, and theft. Although we all like to think that these disasters can't happen to us, they can. Being prepared for a catastrophe spares you the agony of reconstruction.

If you have backup questions, we are here to help you. Give us a call at 425-672-4806 or email us and we can help you with solutions to keep you safe, not sorry.

Marlene.

 

Summer Time Security

Summer is here, and since many people spend their vacation in hotels and motels, here are some security tips to keep in mind.

The Secret Service has confirmed what you have probably suspected for a long time: public computers at hotels are remarkably insecure, and you are taking a gamble with your personal data each time you use one.

Security journalist Brian Krebs shared a private Secret Service bulletin directed at the hotel industry. It warns hotel managers that the public computers in their establishments are, by and large, vulnerable to simple attacks that can compromise some of their guests' most sensitive details.

Hotel computers are easy targets because an attacker can have more or less unrestricted physical access to them (many hotels have a "business center" where guests can browse the Internet, check email and print documents) for the cost of a single night's stay.

Compromising a computer remotely takes some know-how, but compromising one you can touch is usually as simple as installing a keylogger from a USB stick. Keyloggers are what they sound like: they record everything users type into the computer and send it back to the attacker.

Given that guests use these computers to check email, print boarding passes, pay for travel arrangements and download private business documents, it is not hard to imagine what an imaginative attacker could do with that information. A hotel operator can make the attack harder by locking the machines down (a restricted guest account, disabled USB ports, a fresh image loaded regularly), but as a guest you cannot tell from the outside whether yours has.

As usual, users have to take responsibility for their own safety when it comes to hotel computers. Using your own laptop or mobile device is far more secure than using a hotel machine, so bring a device and use the hotel Wi-Fi or mobile data where possible. If you must print from the hotel machine, copy the document onto a USB stick rather than logging into your email on the machine, so that no credentials are typed into it; treat the stick as untrusted afterwards, since whatever is on the machine may have been written to it.

Not every hotel is compromised, of course; the Secret Service gave no estimate of how prevalent this is, only that it happens and that it is very easy to do. Still, a little caution is wise; nothing ruins a vacation quite like having your identity stolen.

If you have any system question or concerns, contact the CCS Retail Support Department at 800.672.4806 or email us.

-Bryan

Using Strong Passwords

I am seeing more and more websites requiring stronger passwords. Passwords are considered strong when they consist of 8 or more characters (longer is better), include at least one capital letter, a number and some type of punctuation, and are not used at another site.

Well, if you're like me, trying to remember a strong password is not easy with all the different websites that require one. But there is a way! Password managers allow you to create one password, and the manager remembers all of your other passwords for you.

There are many different ones out there nowadays, so do some research to see what will work best for you. Things to look at are whether it works with your favorite browser, whether it includes a password generator (helpful for creating strong passwords), and whether it works across all your devices.

With a little retraining of yourself to use a password manager, you will only need to remember one password for access to all of your important sites.

Some possible password managers to look at are Dashlane, KeePass, and DriodPass (Android). There are many others; just Google "password managers".
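A generator and checker for the policy described at the top of this post, as an added example in PowerShell that is not from the original post or from any of the managers named above. It draws from a cryptographic random source, guarantees one character from each required class, avoids the modulo bias that a plain `% n` on a random number would introduce, and then checks the result against the same rule; the punctuation set and the 16-character default length are assumptions:

```powershell
# Added example, not from the original post. A password manager's generator
# does this job for you; the point here is what "done right" means: a CSPRNG,
# no modulo bias, every required class present, and a check you can run.

$Upper = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
$Lower = [char[]]'abcdefghijklmnopqrstuvwxyz'
$Digit = [char[]]'0123456789'
$Punct = [char[]]'!#$%&*+-=?@^_~'          # assumed set; widely accepted by sites
$All   = $Upper + $Lower + $Digit + $Punct

$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-RandomIndex {
    # Unbiased integer in [0, Max). Draw 32 bits; reject draws that fall in
    # the incomplete last bucket so that every index has equal probability.
    param([int]$Max)
    $buf   = New-Object byte[] 4
    $span  = [int64]4294967296             # number of possible 32-bit draws
    $limit = $span - ($span % $Max)
    do {
        $Rng.GetBytes($buf)
        $v = [int64][BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    [int]($v % $Max)
}

function New-StrongPassword {
    param([int]$Length = 16)
    if ($Length -lt 8) { throw 'The policy minimum is 8 characters.' }
    $chars = New-Object System.Collections.Generic.List[char]
    # One guaranteed character from each class, then fill from the full set.
    foreach ($set in $Upper, $Lower, $Digit, $Punct) {
        $chars.Add($set[(Get-RandomIndex -Max $set.Length)])
    }
    while ($chars.Count -lt $Length) {
        $chars.Add($All[(Get-RandomIndex -Max $All.Length)])
    }
    # Fisher-Yates shuffle, so the guaranteed characters do not always lead.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex -Max ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }
    -join $chars
}

function Test-PasswordPolicy {
    # The rule from the top of the post: 8+ characters, a capital, a digit
    # and a punctuation mark. "Not reused elsewhere" is the manager's job.
    param([string]$Password)
    ($Password.Length -ge 8) -and
    ($Password -cmatch '[A-Z]') -and
    ($Password -match '[0-9]') -and
    ($Password -match '[^A-Za-z0-9]')
}

$pw = New-StrongPassword -Length 16
"{0}  meets policy: {1}" -f $pw, (Test-PasswordPolicy -Password $pw)
```

Length is what actually buys resistance to guessing: each extra character from this 76-symbol set multiplies the search space by 76, which is why a manager-generated 16 or 20 character password beats any 8 character one that satisfies the same rule. Never pass a generated password through `Get-Random`, which is not a cryptographic source.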

-Bryan