Data recovery: Why is it so important?

We explain why your business needs to have a data recovery policy and how to manage data loss

Data is one of the most powerful weapons a business has. It provides key insights about employees, customers, products and competitors. It’s collected from a whole host of sources and can make or break a firm’s success.

But data has also become harder to collect in the last few years, most notably since the introduction of the GDPR earlier this year, which requires businesses to collect only the information necessary to inform their business strategy.

A major part of the GDPR is protecting data from attackers and recovering that data if a loss occurs. If your organization’s data is stolen or falls into the wrong hands, you may have to pay a huge fine and must tell the Information Commissioner’s Office (ICO) as soon as you learn about the loss.

Because data is such a vital asset to the company that it belongs to (and of course the person to whom it relates), it must be viewed as such. Consider that a company’s data may have taken years – if not decades – to collect. If that data is lost, that’s not just a big fine to deal with, but also a huge part of the company’s value too. If you don’t already have a data backup and recovery solution, now’s the time to start considering the investment.

According to Clutch, 58% of businesses are not prepared for data loss, even though 60% of firms that suffer a data breach are forced to close their doors six months after losing the data. The same report revealed that 29% of hard drive failures are caused by accident.

As losing data is such a common occurrence, it’s vital your business is prepared should you lose that information, and the best way to do that is to implement a data recovery system to get your information back should it be lost or stolen.

What could cause a data loss?

Hardware outages are the leading cause of data loss incidents as cited by 47% of recent survey respondents. Environmental disasters, power outages and human error were also highlighted as key contributors to the occurrence of data loss.

Whether your computer has fallen victim to malware, an employee accidentally deleted some crucial files or your laptop was stolen, the result of such data loss amounts to the same miserable outcome: irreplaceable data is gone forever and productivity is stalled for the foreseeable future. Data loss disasters have the potential to create a very damaging set of circumstances for any individual or enterprise.

What is data recovery?

Data recovery is the process of retrieving data from any storage media following a data loss. In technical terms, data recovery encompasses a set of methods used to recover lost data or information.

Data recovery processes can be applied to situations including accidental file deletion, incorrect hard drive or server formatting, a faulty re-installation of applications or system booting failures.

The high prevalence of data loss experienced by users of technology suggests it would be wise to consider your data recovery options before trouble begins. If, as the above statistics suggest, a crash is inevitable, plan ahead. Think of data recovery as a protective measure and have a viable plan in place. Even with the best of intentions, many users would admit to an all too casual approach with the backing up of precious data.

Depending on the nature of your situation, there are two main methods of data recovery available to assist with restoration. You can utilize data recovery software or you could employ an expert in data recovery services.

Data recovery services are often consulted when the data recovery software has failed to recover the data, or the data corruption is so complex that a specialized data recovery expert’s attention is required.

Resources of time and money will most likely dictate your response to a data loss catastrophe. Although the software option can be a more cost-effective approach in the short term, it might not have the capacity to resolve all of your issues and you may need to consult a professional service in the end anyway.

How to recover data

If you suspect a data loss has occurred, ensure you adhere to your planned recovery strategy. Make a decision about whether to apply specialist software or to consult an expert and if you opt for the first option, make sure you are confident you know what you’re doing before further damaging your files.

Recovery software has the capacity to repair data files, databases, storage media, and corrupted partitions, hopefully also returning lost data to its rightful place.

There are numerous free data recovery programs that can assist with the recovery of your lost data, but while such programs can be useful, it’s imperative to do your homework. Check that the one you opt to use is legitimate and has trustworthy reviews before unleashing it on your lost data.

In some circumstances, lost data cannot be restored by using recovery software alone. Complex data recovery requires expertise and it is best to leave this to the professionals and contact your local data recovery service for advice.

The downside of this approach is, of course, the expense and downtime without your hard drive but if the data is valuable enough, then it may be the only option – painful as it is.


Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion and bomb threat spam campaigns throughout 2018 — an adversary that’s been dubbed “Spammy Bear” —  achieved an unusual amount of inbox delivery by exploiting a weakness at GoDaddy which allowed anyone to add a domain to their GoDaddy account without validating that they actually owned the domain.

Spammy Bear targeted dormant but otherwise legitimate domains that had one thing in common: They all at one time used GoDaddy’s hosted Domain Name System (DNS) service. Researcher Ron Guilmette discovered that Spammy Bear was able to hijack thousands of these dormant domains for spam simply by registering free accounts at GoDaddy and telling the company’s automated DNS service to allow the sending of email with those domains from an Internet address controlled by the spammers.

Very soon after that story ran, GoDaddy said it had put in place a fix for the problem and had scrubbed more than 4,000 domain names used in the spam campaigns that were identified in my Jan. 22 story. But on or around February 1, a new spam campaign that leveraged similarly hijacked domains at GoDaddy began distributing Gand Crab, a potent strain of ransomware.

As noted in a post last week at the blog MyOnlineSecurity, the Gand Crab campaign used a variety of lures, including fake DHL shipping notices and phony AT&T e-fax alerts. The domains documented by MyOnlineSecurity all had their DNS records altered between Jan. 31 and Feb. 1 to allow the sending of email from Internet addresses tied to two ISPs identified in my original Jan. 22 report on the GoDaddy weakness.
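The article does not name the record the spammers changed, but a DNS change that authorises mail from a chosen Internet address matches an SPF TXT record. The following is an added, defender-side example (not code from KrebsOnSecurity, MyOnlineSecurity or GoDaddy) that audits a constructed set of SPF records against an organisation's approved senders and flags exactly that pattern; every domain, address and allow-list entry in it is invented.

```python
import ipaddress

# Constructed sample TXT records for three hypothetical domains.
# 'legacy-example.test' mimics a dormant domain whose SPF now names an
# address the organisation never approved; 'parked-example.test' has none.
SAMPLE_TXT = {
    "corp-example.test": [
        "v=spf1 include:_spf.mailer-example.test ip4:203.0.113.0/24 -all"],
    "legacy-example.test": [
        "verify-token=abc123", "v=spf1 ip4:198.51.100.77 ~all"],
    "parked-example.test": [],
}

# Hypothetical allow-list: the only third-party sender and netblock in use.
APPROVED_INCLUDES = {"_spf.mailer-example.test"}
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_spf(txt_records):
    """Return the mechanisms of the domain's SPF record, or None if absent."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def audit_spf(domain, txt_records):
    """Return a list of findings (strings) for one domain; empty means clean."""
    findings = []
    mechs = parse_spf(txt_records)
    if mechs is None:
        return [f"{domain}: no SPF record; publish 'v=spf1 -all' "
                "if the domain sends no mail"]
    for mech in mechs:
        qualifier = mech[0] if mech[0] in "+-~?" else "+"
        body = mech.lstrip("+-~?").lower()
        if body == "all":
            if qualifier == "+":
                findings.append(f"{domain}: '+all' lets any host send")
        elif body.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            if not any(net.version == ok.version and net.subnet_of(ok)
                       for ok in APPROVED_NETWORKS):
                findings.append(f"{domain}: unapproved sender {net}")
        elif body.startswith("include:"):
            if body[8:] not in APPROVED_INCLUDES:
                findings.append(f"{domain}: unapproved include {body[8:]}")
        else:  # a, mx, exists:, redirect= and friends need manual review
            findings.append(f"{domain}: review mechanism '{mech}'")
    return findings


def audit_all(records=SAMPLE_TXT):
    """Map each domain to its list of findings."""
    return {d: audit_spf(d, t) for d, t in records.items()}
```

Run against records pulled for your own domains (hosted-DNS zones for dormant domains included), a non-empty finding list is the signal to investigate who controls the zone.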

“What makes these malware-laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation,” MyOnlineSecurity observed. “There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.”

A “passive DNS” lookup shows the DNS changes made by the spammers on Jan. 31 for one of the domains used in the Gand Crab spam campaign documented by MyOnlineSecurity. Image: Farsight Security.

In a statement provided to KrebsOnSecurity, GoDaddy said the company was confident the steps it took to address the problem were working as intended, and that GoDaddy had simply overlooked the domains abused in the recent GandCrab spam campaign.

“The domains used in the Gand Crab campaign were modified before then, but we missed them in our initial sweep,” GoDaddy spokesperson Dan Race said. “While we are otherwise confident of the mitigation steps we took to prevent the dangling DNS issue, we are working to identify any other domains that need to be fixed.”

“We do not believe it is possible for a person to hijack the DNS of one or more domains using the same tactics as used in the Spammy Bear and Gand Crab campaigns,” Race continued. “However, we are assessing if there are other methods that may be used to achieve the same results, and we continue our normal monitoring for account takeover. We have also set up a reporting alias at dns-spam-concerns@godaddy.com to make it easier to report any suspicious activity or any details that might help our efforts to stop this kind of abuse.”

That email address is likely to receive quite a few tips in the short run. Virus Bulletin editor Martijn Grooten this week published his analysis on a January 29 malware email campaign that came disguised as a shipping notice from UPS. Grooten said the spam intercepted from that campaign included links to an Internet address that was previously used to distribute GandCrab, and that virtually all of the domains seen sending the fake UPS notices used one of two pairs of DNS servers managed by GoDaddy.

“The majority of domains, which we think had probably had their DNS compromised, still point to the same IP address though,” Grooten wrote. That IP address is currently home to a Web site that sells stolen credit card data.

The fake UPS message used in a Jan. 29 Gand Crab malware spam campaign. Source: Virus Bulletin.

Grooten told KrebsOnSecurity he suspects criminals may have succeeded at actually compromising several of GoDaddy’s hosted DNS servers. For one thing, he said, the same pair (sometimes two pairs) of name servers keep appearing in the same campaign.

“In quite a few campaigns we saw domains used that were alphabetically close, [and] there are other domains used that had moved away from GoDaddy before these campaigns, yet were still used,” Grooten said. “It’s also interesting to note that hundreds — and perhaps thousands — of domains had their DNS changed within a short period of time. Such a thing is hard to do if you have to log into individual accounts.”

GoDaddy said there has been no such breach.

“Our DNS servers have not been compromised,” Race said. “The examples provided were dangled domains that had zone files created by the threat actor prior to when we implemented our mitigation on January 23. These domain names were parked until the threat actors activated them. They had the ability to do that because they owned the zone files already. We’re continuing to review customer accounts for other potential zone entries.”

First emerging in early 2018, Gand Crab has been dubbed “the most popular multi-million dollar ransomware of the year.” Last week, KrebsOnSecurity was contacted by a company hit with Gand Crab in late January after an employee was taken in by what appears to be the same campaign detailed by Virus Bulletin.

Charlene Price is co-owner of A.S. Price Mechanical, a small metal fabrication business in Gilbert, South Carolina. Price said an employee was tricked into infecting one of their hard drives with Gand Crab, which encrypted the drive and demanded $2,000 in bitcoin for a key needed to unlock the files.

While Price and her husband consulted with tech experts and debated what to do next, the extortionists doubled the ransom demand to $4,000.

Sites like nomoreransom.org distribute free tools and tutorials that can help some ransomware victims recover their files without paying a ransom demand, but those tools often only work with specific versions of a particular ransomware strain. Price said the tool nomoreransom.org made available for Gand Crab infections was unable to decrypt the files on her scrambled hard drive.

“It’s not fair or right and this is unjust,” Price said. “We have accepted the fact, for now, that we are just locked out our company’s information. We know nothing about this type of issue other than we have to pay it or just start again.”

Update: 2:55 p.m. ET: Added statement from GoDaddy.


New Breed of Fuel Pump Skimmer Uses SMS and Bluetooth

Fraud investigators say they’ve uncovered a sophisticated new breed of credit card skimmers being installed at gas pumps that is capable of relaying stolen card data via mobile text message, thereby enabling fraudsters to collect it from anywhere in the world. One interesting component of this criminal innovation is a small cellphone and Bluetooth-enabled device hidden inside the contactless payment terminal of the pump, which appears to act as a Bluetooth hub that wirelessly gathers card data from multiple compromised pumps at a given filling station.

A memo sent by the U.S. Secret Service last week to its various field offices said the agency recently was alerted to the discovery of a fraud device made to fit underneath the plastic cap for the contactless payment terminal attached to the exterior of a fuel pump. Here’s a look at the back side of that unwelcome parasite:

A multi-functional wireless device found attached to a contactless payment terminal at a gas station.

As we can see from the above image, it includes GSM mobile phone components, allowing it to send stolen card data wirelessly via text message. In contrast, most modern pump skimmers transmit stolen card data to the thieves via Bluetooth. The white rectangular module on the right is the mobile phone component; the much smaller, square module below and to the left is built to handle Bluetooth communications.

Bluetooth requires the fraudsters who placed the devices to return to the scene of the crime periodically and download the stolen data with a mobile device or laptop. Using SMS-based skimmers, the fraudsters never need to take that risk and can receive the stolen card data in real-time from anywhere there is mobile phone service.

Gas stations are beginning to implement contactless payments at the pump to go along with traditional magnetic stripe and chip card-based payments. These contactless payments use a technology called “near field communication,” or NFC, which exchanges wireless signals when an NFC-enabled card or mobile device is held closely to a point-of-sale device.

Because this tiny round device was found hidden inside of an NFC card reader on the outside of a gas pump, investigators said they initially thought it might have been designed to somehow siphon or interfere with data being transmitted by contactless payment cards. But this theory was quickly discarded, as contactless cards include security features which render data that might be intercepted largely useless for future transactions (or at least hardly worth the up-front investment, craftsmanship and risk it takes to deploy such skimming devices).

Mark Carl is chief executive officer at ControlScan, a company in Alpharetta, Ga. that helps merchants secure their payment card technology. Carl’s company is the one that found the skimmer and alerted local authorities, which in turn alerted the Secret Service.

Carl said his team is still trying to reverse engineer the device found inside the NFC reader at the pump, but that so far it appears its purpose is to act as a Bluetooth communications hub for other skimming devices found at the scene. Turns out, investigators also discovered traditional Bluetooth-based skimming devices attached to the power and networking cables inside various pumps at the compromised filling station.

One of several traditional Bluetooth-enabled card skimming devices found inside pumps at a compromised filling station. Investigators believe this device and others like it found at the station may have been part of a local Bluetooth network that used a device hidden inside the NFC reader on a pump to relay stolen card data via text message.

“Based on the chipsets, and that there were other traditional skimmers in other pumps at the site, we believe this device [the round gizmo found inside the NFC reader] is likely the hub for a Bluetooth local area network,” Carl told KrebsOnSecurity. “So an attacker can install multiple skimmers in different pumps, feed all of that data to this device with Bluetooth, and then relay it all via the cellular connection.”

Many readers have asked if they should be scanning fuel pumps with their smart phones using the built-in Bluetooth component or Android mobile app like Skimmer Scanner. If this seems like fun, then by all means go right ahead, but I wouldn’t count on these methods failing to detect a Bluetooth skimmer at the pump as proof that the pump is skimmer-free.

For one thing, the skimmer detection app detects only one type of Bluetooth module used in these schemes (HC-05), and there are at least three other types commonly found embedded in compromised pumps (HC-06, HC-08 and FCD_1608). And trying to do this with your mobile phone alone is not likely to yield any more conclusive results.

Better advice is to patronize filling stations that have upgraded their pumps in the past few years to add more digital and physical security features. As I wrote in last summer’s “How to Avoid Card Skimmers at the Pump,” newer and more secure pumps typically feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad.

One other tip from that story: Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

This advice often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.
