Mobile Security

Web-borne threats are not exclusive to wired network systems, and mobile security is an element often ignored by organizations and mobile users alike. With the increased use of mobile devices in the workplace, mobile security is an issue that should feature uppermost in the consciousness of IT security professionals.

Mobile security is not just an issue for employers and employees. Visitors using an organization's WiFi network to stay connected should also be subject to an acceptable use policy to ensure that they do not visit websites that may result in malware being downloaded onto a WiFi router – and subsequently onto every device that connects with the WiFi router.

Stay up-to-date with the latest news about mobile security and mitigate the risk of malware infecting users' devices by implementing a WiFi Internet filter. A WiFi Internet filter can do much more than enhance online security. It has been seen to enhance productivity in the workplace, increase custom and even introduce new marketing opportunities for organizations in the retail sector.

Crackdown on Fake News Shines Light on Typosquatting and Cybersecurity Risks

The proposed crackdown on fake news websites has shone a light on the use of typosquatting and cybersecurity risks for businesses from employees visiting fake news websites.

Over the past few weeks there has been considerable media attention focused on fake news websites and the harm that these fake news stories can cause.

Just as newspapers and news networks can earn big money from being the first to break a new story, there is big money to be made from posting fake news items. The problem is growing and it is now becoming harder to separate fact from fiction. 2016 has seen fake news stories hit the headlines – both the problem and the republishing of fake news in the mainstream media.

Fake News Websites are a Serious Problem

This year’s U.S. presidential election has seen the Internet awash with propaganda and fake news posts, especially – but not exclusively – about support for Donald Trump and criticism of Hillary Clinton. Fake news sites such as the Denver Guardian (the periodical doesn’t actually exist) posted news about rigging of the election. Genuine news organizations notably picked up on a story about Denzel Washington supporting Trump; however, the original story was taken from a fake news site. Of course, these are just two of many hundreds of thousands of fake news stories published throughout the year.

All too often fake news stories are silly, satirical, or even humorous; however, they have potential to cause considerable harm and influence the public. Potentially, they could change the outcome of an election.

Consumers are now increasingly basing their opinions on fiction rather than fact. Fake news is nothing new of course, but the U.S. presidential election has brought it to the forefront and has highlighted the extent to which it is going on – on a scale never before seen.

Governments worldwide are now taking action to crack down on the problem. Germany and Indonesia have joined the U.S. in the fight against fake news stories and there have been calls for greater regulation of online content.

Facebook has received considerable criticism for failing to do enough to prevent the proliferation of fake news. CEO Mark Zuckerberg dismissed the idea that fake news on Facebook was influential in the election: “the idea that fake news on Facebook, which is a very small amount of the content, influenced the election in any way, I think is a pretty crazy idea.” However, last month he confirmed a new initiative to address hoaxes and fake news. Facebook is to make it easier for users to report fake news stories, third-party fact checkers will be enlisted, news websites will be analyzed more closely, and stories will be pushed down the rankings if they are getting fewer shares.

All of the attention on fake news sites has highlighted a tactic that is being used to spread fake news – a tactic that has long been used by cybercriminals to spread malware: Typosquatting.

Typosquatting and Cybersecurity Risks

Typosquatting – otherwise known as URL hijacking – is the use of a popular brand name with authority to fool web surfers into thinking a website is genuine. The fake news scandal brought attention to the tactic after fake news items were posted on spoofed news websites such as usatoday.com (usatoday.com.com) and abcnews (abcnews.com.co).

To the incautious or busy website visitor, the URL may only get a casual glance. The slightly different URL is unlikely to be spotted. This may only result in website visitors viewing fake news, although in many cases it can result in a malware download. Cybercriminals use this tactic to fool web surfers into visiting malicious websites where malware is automatically downloaded.

Typosquatting is also used on phishing websites and for fake retail sites that relieve visitors of their credit card information or other sensitive credentials.

Even fake news sites are a problem in this regard. They often contain third-party adverts – this is one of the ways that fake news stories generate income for the posters. Those adverts are often malicious. The site owners are paid to display the adverts or send visitors to malicious websites. Adverts are also used to direct visitors to fake retail sites – zappoos.com or Amazoon.com for example. Many fake news sites are simply used as phishing farms.
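The two lookalike patterns named above (a brand domain with an extra suffix appended, and a near-miss spelling) can be checked mechanically before a hostname is allowed through a filter. The following is an added example, not code from WebTitan or from this article; the protected-domain list, function names and distance threshold are assumptions chosen for illustration.

```python
"""Flag hostnames that imitate a protected brand domain (added example)."""

# Assumed list of domains the organization wants to protect (constructed).
PROTECTED = ["usatoday.com", "abcnews.com", "zappos.com", "amazon.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host: str, protected=PROTECTED, max_distance: int = 2):
    """Return (verdict, brand) for a hostname.

    Verdicts: legitimate, brand-with-extra-suffix, near-miss-spelling,
    unrelated. max_distance is an assumed threshold; short brand names
    need a lower value to avoid false positives.
    """
    host = host.strip().lower().rstrip(".")

    # 1. The brand itself, or a genuine subdomain of it.
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            return ("legitimate", brand)

    # 2. The full brand domain followed by extra labels,
    #    e.g. usatoday.com.com or abcnews.com.co.
    for brand in protected:
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return ("brand-with-extra-suffix", brand)

    # 3. A spelling within a few edits of a brand,
    #    e.g. zappoos.com or amazoon.com.
    bare = host[4:] if host.startswith("www.") else host
    closest = min(protected, key=lambda b: edit_distance(bare, b))
    if edit_distance(bare, closest) <= max_distance:
        return ("near-miss-spelling", closest)

    return ("unrelated", None)


if __name__ == "__main__":
    # Hostnames quoted in the article plus two constructed controls.
    samples = ["usatoday.com.com", "abcnews.com.co", "zappoos.com",
               "Amazoon.com", "www.usatoday.com", "example.org"]
    for name in samples:
        print(f"{name:20} {classify(name)}")
```

A hit from rule 2 or 3 is a reason to block or review the request, not proof of malice; the check complements blacklist lookups rather than replacing them.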

While consumers can be defrauded, businesses should also take note. Since many of these sites are used to either spread malware or direct users to malicious sites where malware is downloaded, fake news sites are a serious cybersecurity risk.

Governments and social media networks may be taking a stand against these malicious sites, but businesses should also take action. All it takes is for one user to visit a malicious site for malware or ransomware to be downloaded.

Fortunately, it is possible to reduce risk with a web filtering solution. Web filtering solutions such as WebTitan can be used to block access to websites known to contain malware. Malicious websites are rapidly added to global blacklists. If a web filtering solution is used, an employee will be prevented from visiting a blacklisted site, which will prevent a malware download.

Malicious adverts can also be blocked and prevented from being displayed. Malicious links on fake news sites can also easily be blocked. Users can also be prevented from visiting websites when clicking on links to the sites in emails or on social media websites.

For further information on the full range of benefits of WebTitan and to find out how you can sign up for a free 30-day trial of WebTitan, contact TitanHQ today.

Anti-Phishing Solutions for Businesses Required to Tackle Growing Phishing Risk

Anti-phishing solutions for businesses are now an essential element of cybersecurity defenses. The risk from phishing websites has grown considerably in 2016, and 2017 is likely to see the problem become much more severe. 

Anti-Phishing Solutions for Businesses Now a Necessity

Cybercriminals are using increasingly sophisticated tactics to infect end users with malware and ‘phish’ for sensitive information such as credit card details, email login credentials, and other sensitive data that can be used for identity theft and fraud. Cybercriminals have changed their tactics to infect more end users and bypass traditional cybersecurity defenses.

In the past it was common for domains to be registered by cybercriminals and only used for phishing or to spread malware. Sooner or later the websites would be reported as malicious in nature, and those domains would be added to global blacklists. As the sites were blocked, the cybercriminals would simply buy another domain and repeat the process. Phishing websites used to remain active for weeks or even months before they ceased to be effective. However, cybersecurity firms are now faster at detecting malicious websites and adding them to blacklists.

Cybercriminals are aware that phishing websites and malicious webpages have a very short shelf life and will only remain effective for a few days before they are blocked. In response, they have changed tactics and are now creating webpages which are only used for very short periods of time.

New webpages are now being created faster and in higher volumes. Those webpages now remain active for less than 24 hours in the majority of cases. Cybercriminals are hijacking legitimate websites with poor security controls or unaddressed vulnerabilities. Malicious URLs are then created and hidden on those domains. Cybercriminals have now all but abandoned malicious websites in favor of single URLs on otherwise benign websites.

The volume of phishing websites has also increased considerably in 2016. Studies now suggest that around 400,000 phishing websites are being detected every month of the year.

Web Filtering Solutions Can Significantly Reduce Risk

There are many anti-phishing solutions for businesses that can be adopted to reduce risk, although one of the most effective tools is an advanced web filter. A web filter can be used to prevent users from visiting malicious websites and webpages that are used to phish for sensitive information or infect end users with malware.

While it was possible for standard web filtering solutions to protect against the risk from phishing by comparing domains against blacklists, it is now essential for each webpage to be checked to determine whether it is malicious. Each URL must also be checked each time it is visited to make sure that it has not been hijacked and used for phishing or to spread malware. For that an advanced web filtering solution is needed, such as WebTitan.

WebTitan checks each webpage that an end user attempts to visit in a fraction of a second, with no noticeable latency – slowing of webpage loading. If a website or webpage is identified as malicious the end user will be prevented from accessing that webpage.

WebTitan allows businesses to further protect their networks by restricting access to certain categories of websites which are commonly used by cybercriminals to spread malware. Since these websites have no legitimate work purpose, they can be easily blocked without any negative impact on the business. In fact, businesses are likely to see significant increases in employee productivity as a result.

Cybercriminals are also increasingly using third party advertising blocks on legitimate websites to display malicious adverts. Those adverts redirect visitors to malicious websites containing exploit kits. Some of those adverts require no user interaction at all – visitors are automatically redirected to websites where drive-by malware downloads occur. WebTitan can be configured to prevent these adverts from being displayed, thus neutralizing the risk.

Cybercriminal activity has been steadily increasing, yet employing an advanced web filtering solution such as WebTitan can help businesses stay one step ahead of cybercriminals and keep their networks malware free.

For further information on the capabilities of WebTitan, to find out how easy it is to protect your end users and networks from attack, and to register for a free 30-day trial of WebTitan, contact TitanHQ today.

Zuckerberg Twitter Hack Shows Danger of Password Reuse

The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.

In addition to reusing passwords, Zuckerberg also chose a password of 6 characters with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”

Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach

A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.

The LinkedIn passwords were not stored as plaintext, so a little effort was required to reverse the hash to obtain the password. While SHA-1 was thought to be impossible to reverse, it has since been shown to be a relatively straightforward task unless the passwords are also salted. In the case of LinkedIn, they were not.

Simply enter the SHA-1 hash of a password into one of many reverse hash calculators and the plaintext password will be revealed. A search of the keyword phrase “how to reverse a sha1 password” will reveal many online options for doing so. Once the password had been obtained, access to online accounts was possible.
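Why the missing salt matters for anyone storing passwords, shown as an added example that is not code from LinkedIn or from this article: an unsalted SHA-1 hash is the same for every user with the same password, so one precomputed table answers all of them, while a per-user salt with a slow key-derivation function gives each record a different value. The function names, the tiny word list and the iteration count are assumptions.

```python
"""Unsalted SHA-1 storage beside salted PBKDF2 storage (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def sha1_unsalted(password: str) -> str:
    """The weak scheme: a bare, fast, unsalted hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(words):
    """A precomputed hash-to-password table, built once and reused."""
    return {sha1_unsalted(w): w for w in words}


def hash_salted(password: str, salt: bytes = None):
    """The hardened scheme: random per-user salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (salt, ITERATIONS, key)


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)


def demo():
    # Two users who picked the password quoted in the article.
    alice_weak = sha1_unsalted("dadada")
    bob_weak = sha1_unsalted("dadada")

    # Constructed word list standing in for a precomputed table.
    table = build_lookup(["password", "123456", "dadada", "letmein"])

    alice_strong = hash_salted("dadada")
    bob_strong = hash_salted("dadada")

    return {
        # Same password, same stored value: one table entry exposes both.
        "unsalted_equal": alice_weak == bob_weak,
        "recovered": table.get(alice_weak),
        # Same password, different salts: the stored values differ, so
        # any guessing work has to be repeated per user at KDF cost.
        "salted_equal": alice_strong[2] == bob_strong[2],
        "verify_ok": verify_salted("dadada", alice_strong),
        "verify_wrong": verify_salted("dadadb", alice_strong),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

Salting does not make a six-letter lowercase password strong; it removes the shortcut of a shared lookup table and makes each guess expensive.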

The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.

While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.

Spate of Account Hacks Reported After Major Data Leaks

Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.

While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches), the spate of account hijacks suggests as much.

TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software and a number of users claim that the hacking of GmbH employee accounts enabled attackers to compromise their computers and authorize PayPal and Amazon transactions. This was attributed to “password mismanagement” by GmbH rather than any flaws in their software.

All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses is that many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.

Important Online Security Best Practices

To improve security and reduce the risk of more than one account being compromised:

  • Never reuse passwords
  • Create a complex password for each platform – use symbols, capitals, and numerals
  • Change your passwords regularly – every month or three months
  • Use 2-factor authentication if available
  • Use a password manager to help keep track of passwords
  • Don’t store your passwords in your browser
  • Regularly check your email address/username against the Have I Been Pwned? database

Healthcare Data Privacy and Security: Ponemon Releases Results of New Benchmark Study

Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.

Over the past 6 years, the main causes of healthcare data breaches have changed considerably. Back in 2010/2011 when the two healthcare data privacy and security surveys were conducted, the main causes of healthcare data breaches were lost and stolen devices, third party errors, and errors made by employees.

Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage devices such as zip drives have fallen considerably in recent years. Due to the high risk of loss and theft – and the cost of risk mitigation following a data breach and compliance fines – healthcare organizations are keeping tighter controls on portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to use data encryption on portable devices. However, lost/stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.

Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches

Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.

Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.

Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.

The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.

Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.

The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.

Healthcare Organizations Need to Increase Cybersecurity Efforts

Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.

Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.

Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.

FTC to Investigate Security Update Practices of Mobile Device Manufacturers

The Federal Trade Commission (FTC) is conducting a study to investigate the security update practices of mobile device manufacturers. The study is being conducted amid concern that mobile device manufacturers are not doing enough to ensure owners of mobile devices are protected from security threats.

Security Update Practices of Mobile Device Manufacturers Leave Mobile Users Exposed to Attack

A number of new and highly serious threats have emerged in recent years which allow attackers to remotely execute malicious code on mobile devices if users visit a compromised website. One of the most serious threats comes from the Stagefright vulnerability discovered last year.

The Stagefright vulnerability could potentially be exploited to allow attackers to gain control of Android smartphones. It has been estimated that as many as one billion devices are prone to attack via this vulnerability. Google released an Android update to fix the vulnerability, yet many mobile phone users were unable to update their devices as the manufacturer of their device, or the mobile carrier they used, did not allow the updates to be installed. Because of this, many smartphone owners are still vulnerable to attack.

Even when device manufacturers do update their devices there are often long delays between the issuing of the fix and the rolling out of updates. When a rollout is executed, it can take a week or more before all device owners receive their updates. During that time users are left vulnerable to attack.

The FTC wants to find out more about the delays and the rationale behind the slow rolling out of updates.

FTC and FCC Join Forces and Demand Answers from Carriers and Device Manufacturers

The FTC has joined forces with the Federal Communications Commission (FCC) for the study and has ordered smartphone manufacturers and developers of mobile device operating systems to explain how security updates are issued, the reasoning behind the decision to delay the issuing of security updates, and for some device manufacturers, why security updates are not being issued.

The study is primarily being conducted on manufacturers of devices running the Android platform, although Apple has also been ordered to take part, even though its devices are the most secure. Apple’s security update practices are likely to serve as a benchmark against which other manufacturers will be judged. Manufacturers that use the Android platform that will take part in the study include Blackberry, HTC, LG, Motorola and Samsung. Google and Microsoft will also take part.

The FTC is asking operating system developers and mobile manufacturers to disclose the factors that are considered when deciding whether to issue updates to correct known vulnerabilities. They have been asked to provide detailed information on the devices they have sold since August 2013, if security vulnerabilities have been discovered that affect those devices, and if and when those vulnerabilities have been – or will be – patched.

The FCC has asked questions of mobile phone carriers including the length of time that devices will be supported, the timing and frequency of updates, the process used when developing security updates, and whether device owners were notified when the decision was taken not to issue a security update for a specific device model.

Whether the study will result in better security update practices of mobile device manufacturers remains to be seen, although the results of the study, if published in full, will certainly make for interesting reading.

Healthcare Industry Faces Highest Risk of Cyberattacks

A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable than credit cards, for instance.

Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.

The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.

78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom. Only government industries ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.

Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.

The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant

Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.

HIPAA requires all covered-entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA-compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.

One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.

The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.

HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.

Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.

Mobile Device Data Breaches Experienced by 21 Percent of Companies

Employers are enjoying the benefits of mobile devices but IT security professionals are concerned about the security risk that comes from the use of smartphones and tablets. The more devices that are allowed to connect to company networks, the higher the risk, but are mobile device data breaches actually occurring?

There is widespread concern that the devices pose a major security risk, but little data on the extent to which mobile data breaches occur. A new survey sheds some light on just how frequently mobile devices are implicated in data breaches.

Six data security firms* sponsored a survey conducted by Crowd Research Partners which set out to shed some light on the matter. 882 IT security professionals from a wide range of industries were asked a number of questions relating to mobile security and data breaches experienced at their organizations.

More than a Fifth of Companies Have Suffered Mobile Device Data Breaches

The results show that 21% of companies have experienced a mobile device data breach at some point in the past that affected either devices supplied by their company or used by employees under BYOD policies. However, a further 37% of respondents could not say whether mobile device data breaches had actually occurred, indicating many are at risk of data theft or loss, but would not be able to determine if a data breach had in fact occurred.

Malicious Wi-Fi networks continue to be a problem. 24% of respondents said that BYOD or corporate-supplied devices have connected to malicious Wi-Fi networks at some point in the past. Many companies cannot say whether this has actually happened. Almost half of respondents (48%) could not say with any degree of certainty whether their employees had connected to malicious Wi-Fi networks.

Cybercriminals are developing malware at an alarming rate and mobile devices are now being targeted by many cybercriminal gangs. While the majority of threats affect Android phones, iPhone users are also being targeted. A number of new iOS malware have been discovered in the past year.

Mobile malware is a major problem for businesses. 39% of respondents said users of their networks had, at some point in the past, downloaded malware onto their devices. 35% of respondents were unaware whether this had happened. This suggests more than a third of companies are not monitoring the mobile devices that are allowed to connect to corporate networks.

Respondents were asked what measures they were using to protect the mobile devices they allowed to connect to their networks. Only 63% of respondents said they used password protection to keep the devices secure. 49% said they had implemented solutions that enable them to remotely wipe devices that are lost, stolen, or reach the end of their life. 43% use encryption for sensitive data and only 38% said they have policies covering data removal at employee separation or device disposal.

34% said that when an employee leaves, their organization ensures data is wiped from mobile devices 100% of the time. 13% said this occurred more than half of the time, and 16% said this happened less than half of the time. Most alarmingly, 23% were unaware if they wiped devices and 14% said they never wipe data from employees’ devices when they leave the company.

43% reported using mobile device management (MDM), 28% used endpoint security tools such as anti-malware programs, and 27% used network access controls.

Many IT security professionals are worried about the risk posed by mobile devices and are concerned about mobile device data breaches. The survey results show there is good reason for them to be concerned. Many companies are failing to implement policies and procedures to effectively manage mobile device security risks.

*The online survey was sponsored by Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall and Tenable Network Security. The survey was conducted on members of the LinkedIn Information Security Community.  

AceDeceiver iPhone Malware Attacks Non-Jailbroken Phones

AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.

Malware Exploits Apple DRM Vulnerability

Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet the act can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them. Most iPhone malware is only capable of attacking jailbroken phones. However, AceDeceiver is different.

The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.

Users that have installed a software tool called Aisi Helper to manage their iPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.

The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.

The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter their AppleID and password, and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, they have not been able to determine why the attackers are collecting the data.

AceDeceiver Malware Attacks Non-Jailbroken iPhones

Protecting against AceDeceiver iPhone malware would appear to be simple. Don’t install Aisi Helper. However, that is only one method of delivery of AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App store. The three wallpaper apps managed to get around Apple’s code reviews initially to allow them to be made available on the Apple App store. They also passed subsequent code reviews.

Once Apple was made aware of the malicious apps, the company removed them from the App store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once. They do not need to be available for download in order for them to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.

AceDeceiver iPhone Malware Attack Method Likely to be Copied

Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believe the attack technique is likely to be copied and used to spread new malware to iPhone users.

United States Ransomware Attacks Conducted by Chinese Hacking Groups?

Security firms are reporting that some of the United States ransomware attacks conducted over the past few months have demonstrated a level of sophistication that suggests they are the work of hacking groups previously backed by the Chinese government.

Ransomware attacks have previously been associated with low level cybercriminals who use spam email to send millions of messages out to random targets in the hope that some individuals will install the malicious file-locking software. In many cases, ransomware-as-a-service is being offered to cybercriminals via darknet marketplaces. Cybercriminals therefore do not need to have an extensive knowledge of hacking, and do not need to be highly skilled at conducting intrusions. However, due to the fact that ransomware can be incredibly lucrative, attacks are now being conducted by a wide range of individuals, including skilled hackers.

United States Ransomware Attacks Appear to Have Been Conducted by Former Chinese Government-Backed Hacking Groups

In some cases, the tactics used in the attacks bear the hallmarks of hacking groups known to have previously been involved in state-sponsored attacks on U.S. companies. The ransomware may not have been developed by foreign-government-backed hackers, but the methods and software used to gain entry to company networks and move around certainly appear to be.

Security firms Dell SecureWorks, InGuardians, G-C Partners, and Attack Research have all been called upon to investigate United States ransomware attacks recently. The Dell team have investigated three highly sophisticated attacks, and the other companies have similarly been called upon to investigate security breaches involving ransomware.

All of the companies have come to the conclusion that these attacks were not the work of run-of-the-mill cybercriminals, and believe a well-known Chinese hacking group was behind the attacks. In one case, an attack on a U.S. company resulted in over 100 computers being locked with the file-encrypting software. Another attack involved 30 computers being locked. Similar large-scale ransomware attacks have also been investigated by the security firms. These attacks, like many conducted on large U.S. companies, have not previously been reported.

APT Tactics Used in Ransomware Attacks

Some of the attacks took advantage of security vulnerabilities in application servers; others used login credentials that were obtained in past Advanced Persistent Threat (APT) attacks on U.S. companies. Rather than APT attacks taking place for espionage, the same methods appear to be used to gain access to networks in order to install ransomware.

None of the security firms are able to say with 100% certainty that the attacks were conducted by Chinese hacking groups, although it does appear to be the most logical answer. One theory put forward is that with China now pulling out of cyber-espionage after last year’s agreement with the U.S. government, many Chinese hackers who were previously funded by the government are now out of work or are looking for additional income. Since the potential payoff from ransomware attacks is so high, they are now performing attacks on their own.

In some cases, where U.S. companies have been compromised by government-sponsored attacks, it has been hypothesized that the hackers are cashing in as they pull out.

Even if Chinese hacking groups are not involved, it is clear there is considerable money to be made by performing these attacks. Cybercriminal gangs who have previously targeted credit card numbers may now be switching to ransomware due to big potential payoffs.

Since most companies do not declare that they have suffered an attack and paid a ransom, it is difficult to tell exactly how bad the current situation is. But until ransomware ceases to be profitable, United States ransomware attacks are likely to continue.

Mobile Malware Threat Increasing According to Recent Studies

Two new studies indicate the mobile malware threat is increasing at an unprecedented rate. Any enterprise that allows smartphones to connect to its network, such as those operating a BYOD policy, faces an increased risk of a cyberattack via those devices.

G DATA Report Warns of Rapidly Increasing Mobile Malware Threat

According to the recent G DATA survey, the mobile malware threat has increased substantially over the course of the past 12 months and shows no sign of abating. The number of new malware variants discovered in 2015 is 50% higher than 2014. In 2015, 2.3 million malware samples targeting Android devices were collected, with a new variant being identified, on average, every 11 seconds. In the final quarter of the year, an alarming 758,133 new malware samples were collected, which represents an increase of 32% from the third quarter.

The main risk is older devices operating outdated versions of Android, although G DATA reports that hackers are developing exploits for security vulnerabilities far faster than in past years. Unless Android operating systems are kept totally up to date, vulnerabilities will exist that can be exploited. Unfortunately, phone manufacturers often delay rolling out operating system updates leaving all devices prone to attack.

Mobile Malware Infections Increasing According to Nokia Threat Intelligence Lab

Earlier this month, a report issued by the Nokia Threat Intelligence Lab suggested that 60% of malware operating in the mobile space targets Android smartphones. While iOS malware was a rarity, that has now changed. Nokia reports that for the first time ever, iOS malware has made the top 20 malware list, which now includes the iOS Xcodeghost and FlexiSpy malware. These two malware variants account for 6% of global smartphone infections.

Mobile ransomware is also increasing. In 2015, several new mobile ransomware variants were identified. Ransomware is used to lock devices with file-encrypting software. Users are only able to recover their files if a ransom is paid to the attackers. With an increasing number of individuals using their smartphones to store irreplaceable data, and many users not backing up those files, individuals are often given no choice but to pay attackers for a security key to unlock their data.

Nokia reports that the malware now being identified has increased in sophistication and has been written by hackers that know the Android system inside out. Malware is getting harder to detect, and once identified it can be extremely difficult to remove. Nokia reports that many malware variants are highly persistent and can even survive a factory reset.

How to Mitigate Mobile Malware Risk

With the mobile malware threat increasing, organizations must implement new security measures to keep devices secure and protect their networks. Anti-virus and anti-malware solutions should be installed on all devices allowed to connect to business networks to reduce the risk of a malware infection.

Many mobile devices are used for work purposes such as accessing business email accounts. Android malware infections could all too easily result in business data being compromised, while keyloggers could give attackers access to business networks.

Enterprises may not yet be majorly concerned about the rising mobile malware threat, but they should be. With the growing sophistication of today’s mobile malware, a business network compromise is a very real threat.

Enterprises that permit the use of mobile devices for work purposes should limit the actions that can be performed on Wi-Fi networks by implementing a web filtering solution. They should ensure that all BYOD policies stipulate a minimum Android version that can be used, and all devices should be kept up to date with app updates installed promptly. Enterprises should also monitor for jailbroken or rooted devices, and prevent them from being used for work purposes or from connecting to business Wi-Fi networks.

Ransomware Mitigation Policies Essential to Protect Against Rampant Ransomware

A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S. critical infrastructure community.

Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads to a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers who will not release the decryption keys until the ransom is paid. Without those keys data will remain locked forever. Businesses are often given no alternative but to give in to the attackers’ demands.

Rampant Ransomware Prompts ICIT to Issue Warning

The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.

According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable, far more than the ransom demand in many cases.

Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Often attacks are conducted across international borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.

Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.

Ransomware Mitigation Policies are Essential

Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.

The report suggests four key areas that can help with ransomware mitigation.

  • Forming a dedicated information security team
  • Conducting staff training
  • Implementing layered defenses
  • Developing policies and procedures to mitigate risk

An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.

Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain. In many cases, it is easier to get an employee to install ransomware than to attempt a hack. According to the report, this is one of the most important ransomware mitigation steps to take.

Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.

With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must be aware who they can report suspicious emails and network activity to, and those individuals must be aware how they should act and deal with threats.

Marcher Trojan: Yet Another Reason to Use a Web Filter

The Marcher Trojan was first discovered in the wild around three years ago; however, malware does not remain the same for very long, so it is no surprise to see yet another Marcher Trojan variant appear. This time the method of attack differs substantially from previous incarnations of this money-stealing malware.

Marcher Trojan Delivered Using Fake Adobe Flash Update

This time, attackers are targeting users of online pornography and are attempting to trick them into installing the Marcher Trojan on their Android phones by disguising the malware as an Adobe Flash installer package. Adobe Flash may be on its last legs, but a considerable number of porn websites host Flash videos. Users of pornographic websites therefore need Adobe Flash in order to view adult videos.

The attackers are targeting users of pornographic websites by sending links to new porn sites via SMS messages and spam email. Clicking the links contained in those messages will direct the user to a malicious website where they are asked to download an update to Adobe Flash.

Adobe Flash updates are frequently released due to the high number of zero-day vulnerabilities discovered in the software. Users are therefore likely to think there is nothing untoward about the update. The attackers have named it AdobeFlashPlayer.apk to make the download appear genuine.

After downloading the update, the user is required to change settings on the phone to allow apps from unknown sources to be installed. They are then asked to give the fake Adobe Flash update administrator privileges. Once installed, the owner of the device will be unaware that they have just compromised their Android phone.

The malware will then start communicating with the attackers’ C&C server and will send a list of the apps installed on the device to the attackers. That information is then used to display the appropriate fake login screens for apps installed on the device. Those login screens record bank and credit card details and send them to the attackers.

Another method of attack used by the malware is to send an MMS message to the user asking them to download the X-Video porn app from the Google Play store. The X-Video app is not malicious and can be installed for free; however, after installing the app the user receives a fake prompt asking them to update their Google Play credit card information.

The Marcher Trojan can also prevent users from visiting the real Google Play store without first entering their payment card details into the fake Google Play payment screen.

Fortunately, the malware is easy to remove. The app can be deactivated and then uninstalled. But the user would need to know they have been infected in order to do that.

Blocking Adult Content to Protect WiFi Network Users

Any business that allows employees to access a WiFi network can improve network security by blocking access to adult websites. Preventing WiFi network users from accessing adult sites and other websites commonly used to deliver malware can greatly improve security posture.

The Marcher Trojan is being used to steal money from Android users, although the malware has been used to deliver at least 50 different payloads. Other Trojan downloaders deliver ransomware and other nasty malware. Once on a network the malicious software can cause a considerable amount of damage.

WebTitan can be used to prevent the downloading of files commonly used by hackers to hide malware such as SCR, EXE, and ZIP files. It can also be used to block access to risky websites and those known to contain malware.

For business WiFi networks, a web filter is now becoming less of an option and more of a necessity to prevent malware and ransomware downloads and keep users’ devices and networks malware free.
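The indicators described in this section (blocked file types such as SCR, EXE, and ZIP, and an Android package named like a Flash installer) can also be looked for after the fact in proxy or web-filter logs. The following is an added example, not WebTitan's code or part of the original article; the log layout, host names, trusted APK host list, and filename pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# File types the article names as commonly blocked by a web filter.
BLOCKED_EXTENSIONS = {"scr", "exe", "zip"}
# Assumption: the only host Android packages are expected from in this sketch.
TRUSTED_APK_HOSTS = {"play.google.com"}
# Filenames imitating a Flash installer, e.g. AdobeFlashPlayer.apk.
FLASH_LURE = re.compile(r"flash[\W_]*(player|update)", re.IGNORECASE)

# Constructed sample lines: timestamp client method url status bytes
SAMPLE_LOG = """\
2016-03-01T10:15:02Z 10.0.8.21 GET http://video-update.example/dl/AdobeFlashPlayer.apk 200 1834211
2016-03-01T10:15:40Z 10.0.8.21 GET http://video-update.example/dl/Adobe_Flash_Update%2EAPK?src=sms 200 1834211
2016-03-01T10:17:09Z 10.0.8.35 GET http://files.example/invoice.pdf.exe 200 90211
2016-03-01T10:18:00Z 10.0.8.35 GET http://files.example/holiday.SCR 403 0
2016-03-01T10:19:12Z 10.0.8.40 GET http://mirror.example/tools/notes-app.apk 200 402113
2016-03-01T10:20:00Z 10.0.8.40 GET http://intranet.example/report.pdf 200 88123
2016-03-01T10:20:30Z 10.0.8.40 GET http://news.example/exe-files-explained.html 200 5120
this line is truncated
"""


def requested_file(url):
    """Return (host, filename, extension), decoding %-escapes and ignoring the query."""
    parts = urlsplit(url)
    filename = unquote(parts.path).rsplit("/", 1)[-1]
    # Use the last extension so double extensions (invoice.pdf.exe) are caught.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return (parts.hostname or "").lower(), filename, ext


def classify(line):
    """Return a finding dict for a risky download, or None for benign/malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None  # skip truncated or malformed records
    ts, client, _method, url, status, _size = fields
    host, filename, ext = requested_file(url)
    if ext == "apk" and host not in TRUSTED_APK_HOSTS:
        # Any APK fetched outside the trusted store is a sideload; a Flash-like
        # name matches the lure described in the article.
        reason = "flash-lure-apk" if FLASH_LURE.search(filename) else "sideloaded-apk"
    elif ext in BLOCKED_EXTENSIONS:
        reason = "blocked-extension"
    else:
        return None
    return {
        "time": ts,
        "client": client,
        "host": host,
        "file": filename,
        "reason": reason,
        # A 2xx status means the file reached the device; 403 means it was blocked.
        "delivered": status.startswith("2"),
    }


def triage(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def clients_needing_followup(findings):
    """Clients that actually received a flagged file, sorted for reporting."""
    return sorted({f["client"] for f in findings if f["delivered"]})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        state = "DELIVERED" if f["delivered"] else "blocked"
        print(f'{f["time"]} {f["client"]} {f["reason"]:<17} {state:<9} {f["host"]}/{f["file"]}')
    print("Follow up with:", ", ".join(clients_needing_followup(results)))
```

Delivered findings identify devices that need checking for the fake installer; blocked findings confirm the filter policy is being applied.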

The Healthcare Ransomware Threat is Increasing

The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.

The healthcare provider’s electronic health record system (EHR) was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.

What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”

The Healthcare Ransomware Threat is Very Real

Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.

There is no guarantee that the attackers will supply the keys, of course. They could just demand even more money. There have also been cases where the attackers have “tweaked” their ransomware, but accidentally broke it in the process. Even if a ransom was paid, it would not be possible to unlock the data.

Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.

The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.

Ransomware Attack Raises a Number of Questions

This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In the event of an emergency, such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is; if computers or networks are taken out of action, the protected health information of patients cannot be lost.

The reality, however, is that restoring computer systems after a ransomware attack may not be quite as straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.

Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probable that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may have actually been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.

Dealing with the Healthcare Ransomware Threat

Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.

Furthermore, healthcare providers must ensure employees are trained to spot malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put their malware identification skills to the test.

Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and malvertising should be blocked. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.

There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.

California Data Breach Report: Majority of Cyberattacks Easily Preventable

According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.

However, that was not the case and over the course of the past 4 years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.

The California data breach report includes a summary of data breaches reported to the attorney general’s office between 2012 and 2015. From 2012, the California attorney general’s office needed to be notified of a breach of personally identifiable information if more than 500 state residents were affected.

Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.

In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.

2015 was a Bad Year for Data Breaches in California

The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.

The California data breach report was compiled to show just how bad the current situation is. According to State attorney general Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.

Harris points out in the introduction to the 2016 Californian data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” She goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”

California Data Breach Report Summary

The main findings of the 2016 California data breach report are listed below:

  • The biggest data security threats are malware and hacking
  • Malware and hacking exposed 54 percent of records and accounted for the most data breaches (365)
  • Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
  • Malware and hacking caused 90% of retail data breaches
  • Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches
  • Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
  • Errors and employee/employer negligence accounted for 17% of data breaches
  • Medical records were exposed or stolen in 19% of reported breaches
  • Payment card information was stolen in 39% of data breaches
  • Small businesses reported 15% of data breaches

According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third being involved in 16% of data breaches.

Data Breach Prevention – Improve Protection Against Malware

The prevention of cyberattacks requires multi-layered security systems, although in the majority of cases data breaches were found to be the result of a failure to update software and apply patches. The security vulnerabilities that were exploited by hackers or used to install malware had been discovered and patched. In the majority of cases, patches had existed for over a year but had not been installed.

Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.

If staff are also trained to identify malware and potentially harmful emails and attachments, a great deal of malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited and used to download malware without any user interaction required.

These infections are referred to as drive-by attacks, and they can occur if a user can be directed to a malicious website or a site that has been compromised by cybercriminals.

Third party advertising networks can contain adverts with malicious links that direct visitors to sites where drive-by attacks can take place. Those adverts can appear on legitimate websites. Even some of the biggest sites on the Internet have been discovered to display malvertising. These threats must be dealt with to prevent data breaches from occurring.

Protecting against malware delivery via the Internet requires a different solution: a web filter.

Protect End Users from Web-Borne Malware Threats with WebTitan

WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.

By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.

What is the Motivation Behind Cyberattacks? Study Offers New Insights

Many security professionals would like to know the answers to several questions. What is the motivation behind cyberattacks? How much do hackers earn? What actually motivates hackers to attack a particular organization? How long do hackers try before giving up and moving on, and how profitable is cybercrime for the average hacker?

A recent survey commissioned by Palo Alto Networks provides some answers to these questions and offers some insight into the minds of hackers. The results of the survey suggest that cybercrime is not as profitable as many people think. In fact, “the big payday” is actually something of a myth, certainly for the majority of hackers.

There is a common misconception that cyber attackers are tirelessly working to breach the defenses of organizations and are raking in millions from successful attacks; however, the survey results indicate otherwise.

The Ponemon Institute asked 304 threat experts their opinions on the motivation behind cyberattacks, the money that can be made, the time invested by hackers, and how attackers choose their targets.

The respondents, based in Germany, the United States, and the United Kingdom, were all involved in the threat community to varying degrees. 79% of respondents claimed to be involved in the threat community, with 21% of respondents saying they were “very involved.”

What is the motivation behind cyberattacks?

The study cast some light on the motivation behind cyberattacks, as well as offering some important insights into the minds of hackers. There is a threat from hacktivists and saboteurs but, in the majority of cases, attackers are not intent on causing harm to organizations. The majority of cybercriminals are in it for the money. The motivation behind 67% of cybercrime is money.

However, in the majority of cases, it would appear that there is not actually that much money to be made. If hackers were to find employment as security professionals and use their skills to protect networks from hackers, they would likely earn a salary four times as high, and they would get sick pay, holiday pay, and medical/dental insurance.

How much do hackers earn?

Anyone interested in how much hackers earn may be surprised to find out it is not actually that much. The study determined that a technically proficient hacker would be able to conduct just over 8 cyberattacks per year, and an average of 41% of those attacks would not result in the attacker receiving any compensation.

The profits from cybercrime were found to be fairly constant regardless of where the criminals were based. In the United States a single cyberattack netted the perpetrator an average of $15,638. In the United Kingdom attackers earned an average of $12,324, and in Germany it was $14,983.

So how much do hackers earn? Take away the cost of the toolkits they purchase – an average of $1,367 – and the Ponemon Institute calculated the average earnings for a cyber attacker to be in the region of $28,744 per year. That figure was based on 705 hours spent “on the job” – around 13.5 hours per week. While it is clear that some hackers earn considerably more, the average hacker would be better off getting a real job. IT security practitioners earn 38.8% more per hour.

How can the survey data be used to prevent cyberattacks?

The survey probed respondents to find out how determined hackers were at breaching the defenses of companies. Surprisingly, it would appear that even if the potential prize is big, hackers tend not to spend a great deal of their time on attacks before moving on to easier targets.

72% of hackers are opportunistic and 69% of hackers would quit an attack if a company’s defenses were discovered to be strong. Ponemon determined that an attack on a typical IT security infrastructure took around 70 hours to plan and execute, whereas a company with an excellent infrastructure would take around 147 hours.

However, if a company can resist an attack for 40 hours (less than two days) 60% of attackers would move on to an easier target. Cybercriminals will not waste their time attacking organizations that make it particularly difficult to obtain data. There are plenty of much easier targets to attack.

Install complex, multi-layered defenses and use honeypots to waste hackers’ time. Make it unprofitable for attackers and in the majority of cases attackers will give up and move on to easier targets.

WiFi Hotspot Security Top Concern for Security Industry Professionals

A survey recently conducted by the Cloud Security Alliance (CSA) has shed light on the biggest fears of security professionals, with WiFi hotspot security ranking as one of the major concerns. Unsecured WiFi hotspots and rogue WiFi access points ranked as two of the biggest threats to mobile computing in 2016.

Over 210 security experts took part in the CSA survey, with respondents from all around the world sharing their opinions on the top threats to mobile computing in 2016. It will come as no surprise that WiFi hotspot security is keeping many IT professionals awake at night. The security threats from public WiFi hotspots have long been known to security pros. Unfortunately, more employees are now using their work devices to connect to unsecured public WiFi hotspots.

Unsecured WiFi hotspots are often a hive of criminal activity, with hackers and other cybercriminals quick to take advantage and spy on Internet users. Login names and passwords are stolen, man-in-the-middle attacks take place, and installing malware on mobile devices couldn’t be any easier.

Employees are increasingly using public WiFi in coffee shops and restaurants to check work emails on mobile phones, many professionals work on trains on their commute to work, and hotel WiFi is used by executives on business trips.

If malware can be installed on these workers’ mobile devices, those infections can all too easily be transferred to business networks. Unfortunately, while employers can implement allowable use policies and train staff to be more security aware, preventing employees from using their devices on public WiFi networks is a difficult task. That task is made all the more difficult for organizations with a BYOD policy that permits the use of personal Smartphones and laptops.

81% of Security Pros Concerned about WiFi Hotspot Security

Eight out of ten IT security professionals ranked WiFi hotspot security as one of their biggest concerns, with the risk of data theft and network compromise only likely to get worse as portable device use grows. One of the biggest problems is rogue WiFi hotspots set up by cybercriminals. Hackers know all too well that a great many Internet users will connect to WiFi automatically, without even checking the legitimacy of a free WiFi network.

To protect users’ devices and keep corporate networks secure, security training must be provided to staff. It is imperative that employees are trained on basic security measures and are made aware of the considerable risk of using unsecured WiFi networks. As security awareness improves, secure WiFi networks will be sought.

Consequently, any business offering a secure WiFi network for customers is likely to win more business. Hotel chains are likely to attract more business customers if they provide a secure WiFi network with safeguards that prevent malware infections and man-in-the-middle attacks and make Internet browsing more secure.

Improving WiFi Hotspot Security with WebTitan Cloud for WiFi

At WebTitan, we are well aware of the risks to device and network security from the use of unsecured WiFi hotspots, and the opportunities that exist for businesses and service providers that can offer safer WiFi access. This is why we developed WebTitan Cloud for WiFi.

WebTitan Cloud for WiFi offers service providers and businesses a low cost method of securing WiFi networks, allowing a safe browsing environment to be created for clients, guests, and customers.

WebTitan Cloud for WiFi allows providers of WiFi hotspots to restrict the sites that can be visited, reducing the risk of malware infections and the nefarious activity often associated with unsecured wireless WiFi.

Many wireless WiFi providers are deterred from implementing a web filtering solution due to the complexity of the task, especially when multiple routers are used across a number of different locations. However, our 100% cloud-based solution makes securing multiple WiFi hotspots a quick, easy, and painless process.

WebTitan Cloud for WiFi Benefits

  • 100% cloud-based web filtering solution requiring no software installation
  • Secure WiFi hotspots even with dynamic or changing IPs
  • Straightforward management with an easy to follow cloud-based administration control panel
  • Central control of a limitless number of routers in any number of locations
  • A full suite of reporting functions to gather valuable customer intel
  • Secure WiFi access for any device that joins the network
  • No impact on broadband speed

Find out how you can benefit from improving your WiFi hotspot security by calling the WebTitan team today.

Worst Passwords of 2015 Revealed

If you want to keep your accounts secure, it is probably best not to use the word password as your password. However, you could do worse according to a list of the worst passwords of 2015 that has recently been published. 123456 is a much worse choice.

The list of the worst passwords of 2015 would be comical were it not for the fact that so many people actually use these words, phrases, and numerical sequences to (barely) secure their accounts. Send the list around your organization and you may even hear a few gasps as users open the document to discover that their cunning password has been revealed to the masses.

The worst passwords of 2015 list contains some absolute howlers, but also some that users may think are actually quite. Sadly though, passw0rd is not that difficult for a hacker to guess. 1qaz2wsx is better, but not by much. That also makes it onto this year’s top 25 list.

Unsurprisingly, with a new Star Wars film having just been released, there are a few new entries along that theme. Solo makes it onto the list, as do Princess and StarWars. Minus the capital letters of course. Leia is not on there, but that does not mean it is a good choice either.

People are very bad at choosing passwords

The list of the worst passwords of 2015 serves as a reminder that we are very bad at choosing passwords. We would all like a password that is easy to remember and can be used across all accounts, and hackers would like us to have one most of all.

Even if a password does not make it into the top 25 list of the worst passwords of 2015 and instead sits at place 499, it would not keep an account secure for long if a hacker attempted to crack it. Password dictionaries are compiled, updated, and used by hackers to gain access to accounts, and it doesn’t take long to run through a list of the top 1000 password choices and try them all. If a word is in the Oxford or Merriam-Webster English dictionary it will be on a hacker’s list as well.

The best approach to take when choosing a password is to make sure it can’t actually be remembered very easily. The longer and more complicated the password is, the harder it will be for a hacker to crack it. Special characters, numbers, capital letters, and lower-case letters must all be used. Since some end users will ignore this advice, it is essential to enforce the minimum number of characters and the use of capitals, numbers, and special characters.
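One way to enforce those rules at password-change time, as an added example that is not part of the original article: it applies the length and character-class checks and also screens candidates against a list of known-bad passwords after undoing common substitutions, because a choice such as a capitalised passw0rd with a symbol and a year appended satisfies every composition rule. The blocklist holds only the passwords this article names; the 12-character minimum, the substitution table and the function names are assumptions.

```python
import re

# Constructed sample blocklist: the passwords named in this article.
# A real deployment would load a far larger list (assumption).
BLOCKLIST = {"password", "123456", "1qaz2wsx", "solo", "princess", "starwars"}

# Assumed minimum length; the article does not give a number.
MIN_LENGTH = 12

# Common character substitutions, undone before the blocklist lookup
# so that "passw0rd" is treated as "password".
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a",
    "5": "s", "7": "t", "@": "a", "$": "s",
})

# Character classes the policy requires, with the pattern that proves each.
REQUIRED_CLASSES = {
    "lower-case letter": r"[a-z]",
    "capital letter": r"[A-Z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def candidate_forms(password):
    """Return the normalised variants of a password to look up in the blocklist."""
    lowered = password.lower()
    # Remove digits and symbols bolted onto the front or back of a base word.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped}
    # Undo substitutions on every variant collected so far.
    forms |= {form.translate(SUBSTITUTIONS) for form in forms}
    forms.discard("")
    return forms


def check_password(password, blocklist=BLOCKLIST, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    if candidate_forms(password) & blocklist:
        problems.append("matches blocklist")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("123456", "StarWars", "Passw0rd!2015", "v9#Lq2!xTz7&Rm"):
        print(sample, "->", check_password(sample) or "accepted")
```
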

According to SplashData, the company that compiled the list of the worst passwords of 2015, in order to keep accounts secure it is essential to create a password that is hard to remember for all accounts, and to use a password manager so that the passwords do not need to be remembered. The company suggests the use of its own, of course.

However, the most popular password manager – LastPass – was recently shown not to be as secure as people may think. Hackers could all too easily spoof the viewport and obtain even the most difficult-to-guess password.

A complex, difficult-to-guess password for each site along with a password manager to help remember it is a good option, and it will help to keep accounts secure and will save sys admins from having to keep resetting user passwords.

However, the password itself is the problem really. That is what really needs to be changed. Any password-based security system is vulnerable and even two-factor authentication is not infallible.

The best choice for keeping accounts secure is to use biometric factors to verify identity, but sadly, at present the technology is too expensive for many companies to implement. The good news is the technology is becoming cheaper and before the decade is out an alternative to passwords could well be affordable enough for many businesses to implement. We will then finally be well on our way to consigning passwords to the history books.

SplashData’s List of the Worst Passwords of 2015

Listed below is SplashData’s list of the worst passwords of 2015, together with the list for 2014 for comparison. You can see that even with the increase in reported hacking incidents, many people are still choosing insecure passwords.

[Image: the worst passwords of 2015]

Microsoft Fixes Critical Windows Security Flaws

The first security update of the year from Microsoft may have only included 9 security bulletins, but six of them have been marked as critical. The critical Windows security flaws include 7 bugs that permit the remote execution of code and one that allows elevation of privileges. A vulnerability affecting Microsoft Exchange Server has also been discovered and patched to prevent spoofing.

The updates include patches for 25 separate vulnerabilities. These critical Windows security flaws should be addressed as soon as possible to keep systems protected. While not all of these security flaws have been published, it is possible for a patch to be reverse engineered to allow a hacker to take advantage of the vulnerabilities in unpatched machines.

Critical Windows security flaws patched in latest Microsoft security update

Although seven critical Windows security flaws have been identified and addressed, one of the most serious is the MS16-005 security bulletin. This is one of the remote code execution vulnerabilities, but it is the one most likely to be exploited by hackers as the vulnerability has been publicly disclosed. The vulnerability affects Windows’ kernel-mode drivers and makes it possible for a hacker to trigger an Address Space Layout Randomization (ASLR) bypass. All that would be required would be to get the user to visit a malicious website.

MS16-001 is critical for users of Internet Explorer. This security flaw affects versions 8, 9 and 10 of the web browser. This will be the last security update for Internet Explorer 8 and 10, with Microsoft now having stopped providing security support. Internet Explorer 9 security updates will continue to be provided for Windows Vista and Windows Server 2008 SP2, but users of IE 8 and 10 should now upgrade to IE 13 to ensure continued support is received.

This memory corruption vulnerability affects the VBScript engine and could be exploited by getting an individual to visit a malware-compromised website. This would allow an attacker to gain the same privileges as the current user. If that user had administrative privileges, an attacker would be able to gain control of the computer and install programs, or delete or modify data. The same vulnerability has been addressed for VBScript in MS16-003.

While not marked as critical, any user of Outlook Web Access (OWA) should ensure that MS16-10 is applied. This patch addresses four separate vulnerabilities that could potentially be exploited and used for a business email compromise (BEC).

While only marked as important, Outlook administrators are likely to disagree. An attacker could exploit this vulnerability to make a phishing email appear as if it had been sent from within an organization. This would make the phishing email difficult for employees to identify, and would likely result in a large number of employees compromising their computers.

Microsoft has also patched a bug in Silverlight (MS16-006), which was identified by Kaspersky Lab. The bug is particularly risky for anyone operating Microsoft Silverlight across multiple platforms. The patch plugs a runtime remote code execution vulnerability.

Rovnix Malware Being Used to Attack Japanese Banks

Security researchers at IBM’s X-Force have identified a worrying new Rovnix malware strain that is being used in a spate of cyberattacks on Japanese banks.

Rovnix malware is nothing new. It has been around for a couple of years but it is now ranking as one of the top ten most popular malware strains to be used for attacks on financial institutions. It may not be used nearly as often as Dyre, Neverquest, Dridex, Zeus or Gozi – the top 5 malware currently being used by cybercriminals – but it is particularly nasty and is highly persistent. Worse still, the new strain of the malware is only recognized by 7% of anti-virus software vendors.

New Rovnix Malware Strain Is Particularly Worrying for Japan’s Banks

The latest wave of attacks on Japanese banks signals a major departure from the usual attacks being conducted by cybercriminal gangs in Europe. Previously, they have concentrated on attacking European banks and Japan has been left well alone. That is no longer the case. In fact, IBM’s X-Force has described the latest wave of attacks as “an onslaught.” The criminal gang behind the latest Rovnix malware attack has already targeted 14 Japanese banks since the start of December last year.

The language barrier has prevented cybercriminal gangs from targeting Japan’s banks in the past, but they have now got around the problem and have developed their campaign in Japanese. Each campaign has been tailored for each of the banks under attack.

As with campaigns conducted in Europe, the primary means of malware delivery is spam email. A spam message contains a zip file with a fairly innocuous waybill detailing the delivery of a parcel from a courier company. Opening the attachment and viewing the waybill will result in a downloader being launched that will load Rovnix malware onto a device.

Highly Sophisticated Rovnix Malware Defeats Two-Factor Authentication

One of the most worrying features of Rovnix malware is its elaborate web injection mechanism, which mimics the bank’s web pages. When an end user visits the bank’s webpage the malware injects JavaScript and shows the user modified sections of the bank’s webpage. Login credentials are stolen, but crucially, so is the second password which enables a transaction to be conducted.

More worrying still, some users are being prompted to download an app to their mobile phone. Doing that will result in their SMS messages being compromised. When the bank sends an authorization code to the mobile device, the cybercriminals will use that code to authorize a fraudulent transfer, defeating the two-factor authentication used by the bank.

Rovnix malware tends to be used to target one country at a time, but that may not necessarily always be the case. It can be quickly and easily adapted to attack any country’s banks. Rovnix malware is highly sophisticated and can be tailored to attack different institutions and evade detection. Even before the malware is installed, it can scan a device and determine which security protections are installed. It then uses a wide range of mechanisms to evade detection.

Hackable Bug Found In World’s Most Secure Smartphone

What is arguably the world’s most secure Smartphone may not be quite as secure as users have been led to believe. A hackable bug has been discovered that allows Silent Circle’s Blackphone 1 to be hijacked.

On its release, Silent Circle’s Blackphone was billed as being the first Smartphone designed with privacy at the core of its design. The phone looks like any other Smartphone and functions just like an Android device. However, it runs on Silent OS, a custom-designed Android OS that to all intents and purposes closes all possible backdoors. At least, that was the plan. It turns out that not all backdoors have actually been closed.

Backdoor Exists in World’s Most Secure Smartphone

Researchers at SentinelOne have discovered that one backdoor exists that allows the ultra-secure Smartphone to be hijacked by hackers. While the user will believe their phone calls and text messages are perfectly secure, a hacker could be listening in to calls and monitoring the numbers that are being dialed or received. The security flaw would also allow an attacker to read text messages sent or received, change caller ID settings, mute the modem speaker, kill the modem, silently check numbers, make calls via the phone, or force conference calls with other individuals.

A person attempting to call the user of a hijacked Blackphone could have that phone call directed to the attacker without the Blackphone user being aware that the call is taking place.

The Blackphone security vulnerability is not in the software, but is a security flaw in the device’s inbuilt modem. The modem contains an open socket which potentially allows a hacker to run radio commands. The open port could potentially have been used by the developers of the phone for debugging functions, yet the internal port was not secured before its release. A simple oversight maybe, but one which potentially leaves the phone wide open to attack by hackers.

The vulnerability could potentially be exploited via a malicious app, or it is conceivable that the owner of the phone could be targeted with a phishing campaign and convinced to run malicious code.

Researchers do not believe that the vulnerability has been exploited in the wild, and a software update has now been issued to address the vulnerability. All users must update to 1.1.13 RC3 or above to secure their device. Now that the vulnerability has been disclosed the update is critical.

A bug in a Smartphone is to be expected, but for one to exist in what is supposedly one of the world’s most secure Smartphones is something of a worry. Furthermore, this is not the only Blackphone bug discovered. Last year a Blackphone security vulnerability was uncovered in its secure messaging application. The memory corruption vulnerability could be exploited remotely by a hacker and used to gain the privileges of the messaging application. This would enable the attacker to decrypt the Blackphone’s encrypted messages, read contact information, run code, or write to external storage.