SASBO Bank Strike

SASBO has threatened to disrupt South African banking by having 40,000 to 50,000 union members ‘down tools’. The unions say they embrace 4IR (the Fourth Industrial Revolution) but that no retrenchments should be allowed. Based on historical events, these two positions are mutually exclusive.

SASBO states “We will continue with the strike on Friday. South Africans need to know what is happening at the banks, how employees are being treated. We will make sure that ATMs don’t operate. We will make sure that internet banking service is not working.”

Banks worldwide are being pushed out of their comfort zones by smaller digital-only startups such as TymeBank, N26, Bank Zero and numerous others. They have to adapt or die, much as during the industrial revolution. The six largest banks in South Africa are still among the largest employers, with more than 150,000 employees in 2018.

Getting back to the SASBO statement “We will make sure that internet banking service is not working.”: this can only be accomplished by sabotage of ATMs and of the computer and network infrastructure. A staff member who does so risks dismissal for a criminal act and possibly a charge being laid. Statements like “Ensure you have enough money as ATMs will be down” are part of the scaremongering intended to place more stress on the infrastructure.

Banks should ensure that the safety of staff is the priority, and an action plan should already be in place. Monitoring of critical network paths to indicate possible tampering is critical, and a ‘play-book’ for incident management should be prepared.

Citizens should be aware that criminal elements will take advantage of a planned strike such as this, and should stay away from possible hotspots such as ATMs, banks and their branches due to possible violence. Unconfirmed reports from Springs show the bomb-disposal unit disabling three explosive devices at ATMs.

The final takeaway from the event is that South Africa is a small part of a global economy and if we do not pull together to be part of the exponential growth of the 4IR, we will sit on the sidelines cheering on the players after we have paid the entrance fee at the gates.

APT10 Breach Managed Service Providers

An alleged Chinese APT (Advanced Persistent Threat) is known by the name APT10. This group is also known as:

  • Red Apollo by PwC UK
  • CVNX by BAE Systems
  • Stone Panda by CrowdStrike
  • POTASSIUM by Microsoft
  • menuPass Team by Trend Micro

The group behind the attacks has targeted Canada, Brazil, France, Norway, Finland, Switzerland, South Africa, Australia, Japan, and India for intellectual property and other sensitive information, according to a recent PricewaterhouseCoopers (PwC) UK and BAE Systems report and the technical annexure.

Take cognizance of the fact that if your MSP is in the list of compromised service providers, you need to assume that you have been compromised, even if you are sitting in a different country.

The following companies are noted to have been breached by a hacking campaign called ‘Cloud Hopper’.

  • IBM
  • Ericsson
  • Fujitsu
  • HPE
  • Tata Consultancy Services
  • NTT Data
  • Dimension Data
  • Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
  • Sabre
  • Huntington Ingalls Industries
  • and many of their clients…

Some evidence of the breach at the compromised MSPs (Managed Service Providers) dates back as early as 2010.

If you feel you may have been compromised through a 3rd-party service provider, I recommend that you engage an independent expert for the investigation and NOT the same MSP, as we have found that it is easy to ‘hide’ evidence.

RDP – ‘Really Do Patch’

With the release of security notice CVE-2019-0708 on the 14th of May 2019, there was a sudden increase in port 3389 scanning on our external honeypot, as can be seen from the image below.

So far I have seen that there are more than 1 million IP addresses exposed to the Internet that are vulnerable to the “BlueKeep” exploit.

If we look at victimology, we need to understand the reason and also look at the source of the attacks. As we can see from the image below, Russia was the largest ‘culprit’ just after the exploit was made known. As a low-level cyber-war is taking place under our noses, we may have been compromised without realizing it. It is also said that a system compromise is normally detected only after 150 days. I have worked on a breach that had been active for more than 240 days.

RDP – Attacks by Country

The following image is, to me, a bit more worrying, as a very small percentage on the left diagram is ‘anonymizer’. A source using an anonymizer may be a more sophisticated attacker with tools to exploit your system. The problem with a system that has already been breached is that it stays breached after you apply the patch.

RDP – Attack Source Reputation

As the CIO/CSO of your organization, you should have a handle on your assets, both internal and external-facing. Many companies allow RDP (Terminal Services), TCP 3389, to be accessible from the Internet, which in fact should not be allowed. It is a high risk to the organisation, and usually I do not find any logging and monitoring on such systems.

If you need access to any system, this should be done via a secure VPN with a proper authentication solution such as a 2FA (Two-Factor Authentication) scheme.
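As an added example (not code from the original post), the following script does over constructed honeypot log lines what the images above show: it counts port 3389 hits per day, flags the day the scanning spiked, tallies sources by country, and pulls out the sources tagged as anonymizers that deserve closer attention. The log format, IP addresses, countries and reputation tags are all constructed for illustration.

```python
from collections import Counter

# Constructed honeypot records (not real data): day, source IP, destination port,
# GeoIP country and a reputation tag as a threat-intel feed might supply it.
HONEYPOT_LOG = """\
2019-05-12 198.51.100.7 22 RU scanner
2019-05-13 203.0.113.9 3389 CN scanner
2019-05-14 198.51.100.21 3389 RU scanner
2019-05-15 198.51.100.22 3389 RU scanner
2019-05-15 198.51.100.23 3389 RU scanner
2019-05-15 203.0.113.40 3389 US anonymizer
2019-05-15 192.0.2.5 3389 DE scanner
2019-05-16 198.51.100.24 3389 RU scanner
2019-05-16 198.51.100.25 3389 RU scanner
2019-05-16 203.0.113.41 3389 US anonymizer
2019-05-16 192.0.2.6 3389 BR scanner
"""

def parse(log):
    """Turn the whitespace-separated log lines into dicts."""
    records = []
    for line in log.splitlines():
        day, src, port, country, rep = line.split()
        records.append({"day": day, "src": src, "port": int(port),
                        "country": country, "rep": rep})
    return records

def daily_counts(records, port=3389):
    """Hits per day against one port, in date order (ISO dates sort lexically)."""
    counts = Counter(r["day"] for r in records if r["port"] == port)
    return dict(sorted(counts.items()))

def spike_days(counts, baseline_days=2, factor=3.0):
    """Days whose hit count is at least `factor` times the mean of the
    preceding `baseline_days` observed days."""
    days = list(counts)
    flagged = []
    for i in range(baseline_days, len(days)):
        base = sum(counts[d] for d in days[i - baseline_days:i]) / baseline_days
        if counts[days[i]] >= factor * base:
            flagged.append(days[i])
    return flagged

def top_countries(records, port=3389):
    """Attack sources by country, most active first."""
    return Counter(r["country"] for r in records if r["port"] == port).most_common()

def anonymizer_sources(records, port=3389):
    """Sources hiding behind an anonymizer warrant a closer look than bulk scanners."""
    return sorted({r["src"] for r in records
                   if r["port"] == port and r["rep"] == "anonymizer"})
```

With real honeypot or firewall logs, replace the constructed string with the parsed export and feed the flagged day and anonymizer sources into your incident review.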

It is time to do a system check!

Dunning-Kruger Effect in the Workplace

Information Security, IT Auditing, IT Risk Management and many similar functions within an organization lend themselves to traits that can be classed as psychological egoism and can have a negative impact in the work environment. One of the most dangerous users you may encounter suffers from the Dunning-Kruger Effect. Let me explain what I have seen in some organisations and some of the attributes exhibited by the ‘problematic’ users.

Egocentric Superman

There could be many reasons why we find these users in our work environment. But before we try to classify others, we need to look at ourselves critically to make sure we do not fall into that category.

A challenge from a ‘CIO’ made me take a step back and have an independent subject-matter expert review my work, as well as legal discovery, to make sure that I was not at fault or lacking in my delivery. Let me describe what I have seen in the workplace over the years.

  • To hide laziness or incompetence, you will find the user shouting and complaining, with curse-words thrown in as a matter of expression. He hides mistakes by shifting the blame in public communication to create conflict. This conflict is used to direct attention away from the actual problem. His co-workers mostly avoid the conflict, and he feels satisfied that he managed the ‘expectation’, but alas, only in his own eyes.
  • The next user is a parasite leeching off his co-workers to climb the corporate ladder and exhibit knowledge that he does not actually have. In the book 40 Rules of Power by Robert Greene, rule 7 states ‘Get others to do the work for you, but always take the credit’. You know the guy… asking in email, or any other communication, for solutions to a problem and then publishing them to management as his own. He will not share information with co-workers, and if there is a team effort he treats it as a one-way street… to his benefit.
  • The last one for this topic (there are more) is the user who exhibits the Dunning-Kruger Effect. This is a total lack of empathy and one of the most self-fulfilling attributes a person can have. Decisions are made without consideration of any data, but with a belief that he is right beyond any doubt. If he is challenged, he uses others that he has convinced into his circle to do the ‘dirty work’ of supporting his decisions. Examples include writing reports or emails that are filled with half-truths or deflecting from the evidence at hand. The company he works for is not important, just his existence.

The recommended action is to always document any interaction with co-workers to ensure that conflict is managed before it escalates into a Human Resources problem. I suggest reading ’40 Rules of Power’ and trying to analyse yourself and your co-workers as a start.

‘Evidence trumps Dunning-Kruger’

Take these challenges and make sure they feed your growth as a person, with your primary focus on delivery for the organisation. One challenge I experienced triggered me to complete a task that had been on the back-burner for a while. Everything is a learning experience.

Do you have a view of the attacks in your network?

All traffic in and out of your environment MUST be monitored for unknown traffic and reviewed by skilled staff, and if required, incident response initiated. In the following image (clickable for large view) you can see that there are attacks from Indonesia using the Apache Struts exploit. I can note here that the server being attacked is a Hikvision security DVR. This server is targeted based on preliminary reconnaissance (high port), and sometimes it is a random attack hoping for the best (port 80), on the basis that it is seen as a DVR and there are admin elevation attacks for a number of these devices.

Struts Attack to targeted server

The lesson I want a person to take away here is to consider whether you have a continuous viewpoint of all the ‘weird’ traffic in and out of your network. The following checklist would be helpful to pick some low-hanging fruit.

I would also look at the first step in your IT risk management landscape, which is the asset management process. If you do not know what you have, you have no control over the actual risks present in your environment. Assets include hardware, software, data flows, data, users (internal and external), configuration of devices and many more.

  • Do you monitor all traffic in and out of your network?
  • Do you review the data using a review methodology (policies, standards, procedures and guidelines)?
  • The staff reviewing the data, are they skilled based on the requirements?
  • In case of an incident, what is your incident response plan?
  • Is the data trustworthy for evidence selection in case of an investigation?
  • Do you test your team by injecting some alerts at random times? (example: http://testmyids.com should trigger an event)
  • What reports are available and how is this presented as part of your management pack?
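As an added example (not code from the original post) tying the asset-management point to the checklist above, the script below reviews constructed flow records against an asset inventory: inbound traffic to a port the inventory does not list for a host (such as a DVR being probed on a high port or port 80), outbound traffic to a destination the host is not expected to reach, and an injected canary flow that must always alert, in the same spirit as browsing to http://testmyids.com to prove the pipeline works. Hosts, IP addresses, the inventory and the canary destination are all hypothetical.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport direction")

# Constructed asset inventory (hypothetical): internal host -> services it may expose.
INVENTORY = {
    "10.0.0.10": {"name": "web-01", "ports": {80, 443}},
    "10.0.0.20": {"name": "dvr-01", "ports": {554}},   # a DVR that should only serve RTSP
}
# Constructed egress allow-list: external destinations each host is expected to reach.
ALLOWED_EGRESS = {"10.0.0.10": {"203.0.113.50"}, "10.0.0.20": set()}
# Constructed canary destination: a flow to it must always raise an alert, which is
# how you test that the monitoring and review pipeline is actually alive.
CANARY_DST = "192.0.2.99"

# Constructed flow records for one review cycle.
FLOWS = [
    Flow("198.51.100.7", "10.0.0.10", 443, "in"),   # normal web traffic
    Flow("198.51.100.8", "10.0.0.20", 8080, "in"),  # probe of a high port on the DVR
    Flow("198.51.100.9", "10.0.0.20", 80, "in"),    # opportunistic hit on port 80
    Flow("10.0.0.20", "203.0.113.77", 443, "out"),  # DVR calling out: unexplained
    Flow("10.0.0.10", "203.0.113.50", 443, "out"),  # allowed egress
    Flow("10.0.0.10", CANARY_DST, 80, "out"),       # injected canary flow
]

def review(flows):
    """Return (flow, reason) pairs for traffic the inventory does not explain."""
    alerts = []
    for f in flows:
        if f.direction == "in":
            asset = INVENTORY.get(f.dst)
            if asset is None:
                alerts.append((f, "inbound to a host missing from the inventory"))
            elif f.dport not in asset["ports"]:
                alerts.append((f, f"inbound to unlisted port {f.dport} on {asset['name']}"))
        elif f.dst == CANARY_DST:
            alerts.append((f, "canary hit: monitoring pipeline is alive"))
        elif f.dst not in ALLOWED_EGRESS.get(f.src, set()):
            name = INVENTORY.get(f.src, {}).get("name", f.src)
            alerts.append((f, f"outbound from {name} to unexplained destination {f.dst}"))
    return alerts

def canary_seen(alerts):
    """True when the injected test flow produced an alert, i.e. the review works."""
    return any(reason.startswith("canary") for _, reason in alerts)
```

A review cycle in which the canary never shows up is itself a finding: either the flow never reached the sensor or nobody is looking at the alerts.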

One recommendation I can give you is NOT to have a knee-jerk reaction and spend money without a proper PoC (Proof-of-Concept) and solution evaluations.  If you are suspicious of your environment, there are many open-source tools as well as inherent ones (tools you already own as part of your hardware, its OS or other operating systems).

If you would like to get additional information on services and solutions feel free to leave a message with your email address in the form below.

Websites want me to remove my Ad-blocker

More and more sites I visit detect that I use an ad-blocker and ask me either to pay a daily or monthly fee to access their content, or to whitelist the site in my system.  If the content is valuable and not available free from other sites, I would not mind a small subscription to get a regular feed.  Removing my ad-blocker or white-listing a site may result in your system being compromised. This is because the ads being delivered may contain harmful code from fraudsters and users with malicious intent who buy ad space from ad re-sellers.  As can be seen from the image, the anti-virus is blocking a potential risk from an ad-delivering site trying to run a JavaScript on the workstation.

Possible threat from an ad being delivered

Websites wanting ads to be displayed on your system have no clue what risk they are delivering to unsuspecting users.

In the future, ads will be blocked more at the enterprise level on all platforms as it is realized that the threat is bigger than previously thought.  This is all due to fraud syndicates embracing technology for another compromise of the defense layer.

I would recommend not allowing any ads while browsing the Internet, or at least having current and good anti-virus on your system, and not logging onto your system with a privileged account.