TitanHQ has announced its award-winning anti-spam solution, SpamTitan, has been updated and now has two powerful new features to better protect users from phishing, spear phishing, malware, ransomware, botnets, and APT threats.
SpamTitan has long been the go-to solution for SMBs to improve email security and the solution is popular with managed service providers serving the SMB market. SpamTitan is quick and easy to install, simple to use, and provides excellent protection against a wide range of email threats.
As email threats have become more sophisticated and zero-day attacks and new malware variants have skyrocketed, new features are needed to keep end users protected.
To maintain pace and better protect SpamTitan users, two important new features have now been rolled out with the latest release of SpamTitan: Sandboxing and DMARC authentication.
Sandboxing Feature Added to SpamTitan Product Suite
Blocking known threats is one thing, but detecting and blocking brand new threats that evade AV solutions is another matter, yet businesses need protection from these zero-day threats as well. SpamTitan already incorporates a range of mechanisms to detect these new threats but the latest feature takes protection to the next level.
SpamTitan now incorporates a new next-gen sandboxing feature. The Bitfedender-powered sandbox is a virtual environment that is totally separate from other systems. When an email is sent to a SpamTitan user, the message will be subjected to a range of checks to determine whether it is genuine, benign, and should be delivered or if it is malicious and needs to be rejected. If the message contains a suspicious attachment that is not picked up as a threat from those checks, it is sent to the sandbox.
The SpamTitan sandbox service has been designed to appear as a normal endpoint. Malicious files are opened or executed in the sandbox and any malicious code is run as it would on a standard machine. Its actions are logged and subjected to an in-depth analysis, including its self-protection mechanisms and attempts to evade detection. All actions are then assessed by advanced machine learning algorithms and the results of the analysis are then checked against a wide range of online repositories.
Opening potentially malicious files on an endpoint is dangerous, but in the isolated sandbox all risks are eliminated. Once the analysis is complete, which takes just a few minutes, if the file is determined to be benign it will be released and can be delivered to the end user. If it is malicious, the sandbox solution will automatically report the file to Bitdefender’s cloud threat intelligence service. That threat will then be blocked for all SpamTitan users, so the file will not need to be analyzed again.
This new feature greatly increases detection of elusive threats, provides end users with even greater protection, and it also helps to ensure that more genuine messages are delivered.
Businesses that want sandboxing technology usually need to purchase a separate solution. With SpamTitan, advanced emulation-based malware analysis is provided free of charge.
DMARC Email Authentication Now Included in SpamTitan
Email impersonation attacks are a major threat. They abuse trust in a known contact, company, or government organization to fool end users into taking a specific action – disclosing sensitive information, installing malware, or visiting a phishing webpage, for instance.
While SpamTitan already incorporates several mechanisms to identify email impersonation attacks, DMARC authentication has now been added to block even more threats. DMARC is a powerful tool for identifying the true sender of an email to determine if that individual is authorized to use a particular domain.
Detailed checks of the email header are performed and the sender is checked against DMARC records. If the checks are passed, the message can be delivered. If DMARC authentication fails, the message is rejected.
The new anti-spoofing feature protects SMBs and MSPs against data loss, date breaches, zero-day threats, and highly sophisticated email threats, while the sandboxing feature protects against malware, advanced persistent threats (APTs), malicious URLs, and offers insight into new threats to help mitigate risks.
Both of these features have been made available to current and new TitanHQ customers at no extra charge.
The poor state of cybersecurity in K-12 schools is making it too easy for criminals to conduct cyberattacks. As 2018 figures show, attacks are coming thick and fast. Action is needed to shore up security and keep cybercriminals at bay.
2018 Cyberattacks on K-12 Schools
Education has long been one of industries most commonly targeted by cybercriminals and 2018 was no exception. Last year there were several major cyberattacks on K12 schools that resulted in data theft and huge financial losses.
The 2018 State of K-12 Cybersecurity report from the K12 Cybersecurity Resource Center revealed 122 cyberattacks on K-12 schools were reported in 2018. 119 public K-12 education agencies in 38 states reported attacks. 60% of those cyberattacks resulted in the personal data of students being compromised.
North Dakota schools were hit particularly hard. In February 2018, one third of schools in the state experienced malware attacks. In many cases, the malware infections were the result of staff and students clicking on links in emails, visiting malicious websites, or opening malware-laced email attachments.
The 2019 State of Malware report from Malwarebytes reveals that in 2018, education was the number one industry targeted with Trojans and was second for ransomware attacks. Business email compromise scams are also common and many K12 school districts suffered W-2 phishing attacks and were fooled into sending scammers copies of employees’ tax information.
There have also been several successful email scams that have resulted in staff being fooled into making fraudulent transfers of school funds to criminals’ accounts. A school district in Texas was scammed out of $2 million in construction funds as a result of a phishing attack that fooled a staff member into making payments to fraudulent accounts. The high number of these types of scams prompted the FBI to issue a warning to schools in September 2018 about phishing scams that attempt to steal employees’ credentials.
K-12 schools are an attractive target for cybercriminals because attacks are relatively easy and the potential rewards are high. Student information sells for big bucks on the black market. Personal information along with Social Security numbers can be used for identity theft. It typically takes longer for identity theft to be detected with minors. If student data are stolen, thieves can rack up huge debts in students’ names over the course of several years before fraud is detected.
The State of Cybersecurity in K-12 Schools
Even though the risk of cyberattacks is high, many school leaders fail to appreciate the seriousness of the problem and how even simple changes to improve cybersecurity in K-12 schools can prevent most cyberattacks.
A Consortium for School Networking/Education Week Research Center survey in late 2017 showed that only 48% of school leaders considered the threat from phishing to be significant or very significant, with the numbers falling to under 30% for malware and ransomware attacks. Only 15% of K-12 schools have implemented a cybersecurity plan, just 29% have purchased cybersecurity products and services, and 31% had not provided end-user training.
The high value of student data, the opportunity to conduct multiple types of fraud, and poor cybersecurity defenses is a winning combination for cybercriminals. Unfortunately, there is no single solution that can be implemented to improve cybersecurity and prevent costly cyberattacks and data breaches. What is needed is an effective cybersecurity plan, policies and procedures, training, and technology.
How to Improve Cybersecurity in K-12 Schools
School budgets are usually stretched so it can be difficult to find the funds to improve cybersecurity in K-12 schools. It is therefore important to choose cybersecurity solutions wisely and select products that provide protection against the most common methods used by cybercriminals to attack schools.
Many of the attacks start with a single phishing email. It is therefore critical for K12 schools to improve email security, and for that, an advanced spam filtering solution is essential. SpamTitan blocks more than 99.9% of spam and phishing emails and is an ideal, low-cost, easy-to-implement spam filtering solution for K12 schools.
A web filtering solution is also an important cybersecurity measure. In addition to blocking students’ access to obscene content, as required for CIPA compliance, web filters can prevent users from visiting phishing websites and will block ransomware and malware downloads. The cost of a web filter can be partially offset by discounts obtained through the E-rate program.
End user training is also important. K12 schools need to include cybersecurity awareness training as part of their staff development program. Rather than providing a one-off or annual training session, training needs to be conducted regularly to keep staff up to speed on the latest threats.
Doing nothing to improve cybersecurity in K-12 schools is now simply not an option. If costly cyberattacks are to be avoided, is not improved, cybersecurity in K-12 schools must be improved.
If you want to find out more about email and web security and just how affordable these solutions can be for schools, contact the TitanHQ team today.
Businesses that want to start content filtering have a choice: A DNS filter or appliance, but which is best? In this post we explain the benefits of DNS filtering over on-premise solutions.
Traditionally, businesses that wanted to restrict Internet access and block web-based threats would purchase a physical appliance through which all internet traffic would flow. The appliance would be installed on-premise and controls would be applied to cover anyone connected to the network. The appliance would prevent employees and guest users from accessing certain types of web content, block malicious traffic, and ensure malware is not downloaded onto endpoints.
Today, businesses have a choice. They can purchase a physical appliance or they can install a virtual appliance. A virtual appliance performs the same functions as a physical appliance, but it is software-based solution that is installed on existing hardware. This means it is not necessary to purchase any hardware and businesses can save money. In this article we will treat physical and virtual appliances as one.
Another alternative is a DNS filter. A DNS filter requires no hardware purchases or software downloads. The filter works at the DNS level and all filtering takes place in the cloud.
Both types of content filtering solutions allow businesses to prevent users from accessing malicious websites when connected to the network and restrict the types of content that can be accessed.
DNS Filter or Appliance?
If you are unsure whether to opt for a DNS filter or appliance, consider the following benefits of DNS filtering over appliances.
No costly appliance to purchase and quick and easy filtering
Appliances can be costly and they need to be ordered, delivered, and installed. That means the IT team will need to be on site to complete the install. The hardware will also need to be maintained. With a DNS filter deployment is quick and easy. Simply point the DNS to the service provider and you can be up and running in minutes.
Avoid scalability issues
An appliance can be used for a limited number of users. If the business grows or if more devices need to connect the internet, it may be necessary to upgrade the appliance or buy multiple appliances. Similarly, if the number of users falls, you will be left with an expensive appliance that is surplus to requirements. With a DNS filter, you just pay for the number of users and can scale up and down as necessary.
Appliances require content to be downloaded
With an appliance the filtering takes place on the appliance itself, which means any malicious content must be accessed and downloaded before it is blocked. A connection must be made to a malicious site before any filtering takes place, however briefly. Further, since content is downloaded, that has an impact on bandwidth. With a DNS filter, the filtering takes place at the DNS level before a connection to a site is established which means threats are eliminated before any malicious code reaches the perimeter. A DNS filter can also block command and control center callbacks and data exfiltration attempts and protects all ports and protocols, not just port 53.
DNS filters inspect SSL traffic using the service providers resources
Most websites are now SSL enabled, which means web traffic must be decrypted, inspected, then re-encrypted. That requires a lot of processing power which can have a negative impact on end users. During heavy usage, slow downs are inevitable and CPU usage can be intensive. With a cloud-based DNS filter, the service provider performs the processing and, regardless of traffic volume, the user experience is the same.
DNS Filters make it easy to filter at multiple locations
If you buy an appliance, protecting remote workers and satellite offices is a problem. You need to backhaul traffic to the location where the appliance is located, so regional offices and remote workers will have slower internet speeds. With a DNS filter, it is possible to filter in multiple locations and to protect remote workers no matter where they are located, without the need to backhaul traffic. That means no latency.
DNS filters allow managed service providers to offer filtering to their clients
A DNS filter makes it easy for managed service providers to add content filtering to their service stacks. There is no need for an appliance to be sent to a client and installed by MSP staff. A cloud-based DNS filter is a turnkey solution that can easily be set up and managed remotely. All clients can be managed through a single pane of glass, making monitoring and management simple with little time investment required.
In short, for the majority of businesses considering a DNS filter or appliance, a DNS filter wins hands down. It is quick, easy, simple, efficient, and is the most cost-effective way of content filtering and blocking web-based threats.
Further, you can try DNS filtering before committing to a purchase. With TitanHQ’s WebTitan Cloud, you can have a two-week trial of the full product to evaluate it in your own environment.
To register for a trial, for a product demonstration, and to have any questions answered, contact the TitanHQ team today.
The threat of malware downloads from visiting adult websites has long been thought to be a major risk; however, not all studies on the subject have demonstrated that the risk is any higher than visiting other types of websites. The owners of adult websites, as legitimate business owners, have a vested interest in keeping their sites malware free.
However, new research from Kaspersky suggests the threat of malware downloads from visiting adult websites is real, and adult-themed phishing attacks increased in 2018.
Is There a High Risk of Malware Downloads from Visiting Adult Websites?
According to its latest report, there is a real risk of malware downloads from visiting adult websites. Naturally for consumers who visits adult websites, the risk is theirs to take. For businesses however, risks taken by employees can prove incredibly costly.
One of the major stories to be covered in the media on this theme in 2018 involved a government employee with a prolific thirst for such content. He was discovered to have accessed more than 9,000 adult websites and had inadvertently downloaded malware onto his work computer and the network. After visiting so many sites, that is perhaps understandable, but there have been many such malware downloads from far less prolific surfing of adult sites.
Kaspersky Lab’s research indicates that most malware downloads from malicious websites involves malware disguised as videos. Oftentimes, users are required to download a supposedly benign but malicious file in order to access the video.
Cybercriminals are also using black-hat techniques to poison the search results and get malicious sites appearing high up in the listings. The top 20% of porn-related search terms accounted for 80% of malware disguised as porn. Kaspersky’s tracking indicated 87,227 users had downloaded malware-disguised as porn and 8% of those did so via their work network.
The use of these porn tags is also common to get users to download non-malware threats such as adware and downloaders, although the latter are often capable of downloading much more malicious files. While the number of these attacks decreased by 36% year-over-year, attacking people searching for adult content is still common.
The most common threats associated with adult content were Trojan downloaders (45%) and Trojans (20%), followed by adware (9%) and worms (8%).
Adult-Themed Phishing Attacks Increased by 1,000% in Q4, 2018
While it was previously uncommon for phishing scams to use porn as a lure, that changed in 2018. It is still common for cybercriminals to use impersonate or create fake hookup sites to lure people into divulging credentials but there was also a 1,000% increase in phishing attacks using websites that masquerade as porn websites. Most commonly these were spoofed versions of the top 10 adult sites on the web. The rise in these types of phishing scams could be indicative of a trend that will grow in 2019.
The research shows that malware downloads from visiting adult websites is still a risk and the threat from adult-themed phishing attacks has grown at an alarming rate. Businesses should take note and take steps to limit risk.
The easiest way to do that is with a DNS web filter – A solution that allows businesses to carefully control the web content that can be accessed on work devices and via their wireless networks. With a DNS web filtering solution in place, businesses can block access to adult websites, commonly spoofed hookup and dating sites, and web-based phishing threats.
Not only will a DNS web filter provide protection against phishing, ransomware, and malware downloads, by blocking access to these adult sites, legal liability can be reduced and staff issues can be avoided.
If you have yet to start filtering the internet and preventing your users from accessing adult websites, other NSFW web content, and sites that are a drain on productivity, TitanHQ can help.
For a very low cost, businesses can protect all users of their wired and wireless networks and block a wide range of web-based threats. MSPs can also start providing filtered internet service to better protect their clients.
For further information, contact TitanHQ today and ask about WebTitan Cloud and WebTitan Cloud for WiFi – TitanHQ’s award winning web filtering solution for businesses.
TitanHQ has launched a busy campaign of MSP roadshows and conferences with two Valentine’s Day events in London and Tampa, Florida.
Over the coming five months, the TitanHQ team will be attending 15 events in Ireland, the Netherlands, the UK, and the USA, and will be meeting with managed service providers (MSPs), Wi-Fi providers, ISPs, and technology partners to introduce and explain about TitanHQ’s award-winning suite of email security, web filtering, and email archiving solutions.
The 2019 roadshow campaign started in London where Alliance Manager Eddie Monaghan met with current and prospective MSP partners at the IT Nation Q1 EMEA Meeting. Eddie will be at the event all week and will be discussing TitanHQ’s MSP solutions and finding out more about what is happening in the MSP world. TitanHQ has learned a great deal since joining the IT Nation community two years ago and has really enjoyed the experience thus far.
TitanHQ Alliance Manager, Eddie Monaghan
On the other side of the Atlantic, Alliance Manager Patrick Regan has been meeting with MSPs from Florida and beyond at the TitanHQ-sponsored Datto Roadshow in Tampa. Since joining the Datto community as a strategic partner, TitanHQ has worked closely with Datto MSP partners helping them to integrate email security, DNS filtering, and email archiving into their product offerings and providing tips and tricks to help them to get the most out of the products.
TitanHQ has been increasing its technology partners over the past year and is now working closely with industry giants Comcast, BitDefender, Microsoft, Kaseya, and ViaSat and is a proud member of IT Nation (HTG Peer Groups), Datto Roadshows, COMPTIA, and ASCII.
From humble beginnings as an indigenous Irish company providing anti-spam appliances to the local market, over the following 20 years TitanHQ has developed an innovative range of cloud-based solutions and has matured into a global provider of network security solutions for enterprises, SMBs, and MSPs. TitanHQs award-winning cybersecurity solutions are now offered by a network of more than 1,500 MSP partners and have been adopted by several thousand businesses in 200 countries around the globe.
The TitanHQ product suite has been developed to meet the exacting needs of MSP partners and are delivered via the TitanShield Program. The products help MSPs to protect themselves and their clients, while saving valuable time and effort by blocking threats at source before they can cause any harm.
TitanHQ’s spam filtering solution – SpamTitan – and web filtering solution – WebTitan – help MSPs keep their clients protected from malware, ransomware, viruses, botnets, phishing attacks and other email and web-based threats.
The cloud-based solutions are easy for MSPs to slip into their service stacks to build a high-margin security practice offering clients world-class network security services.
If you are already a TitanHQ TitanShield partner or want to find out more about the MSP program and TitanHQ products, be sure to attend one of the upcoming events and come and meet the TitanHQ team.
We look forward to meeting you at one of the upcoming roadshow events in 2019.
Web filtering at multiple locations can be a headache but it is a necessity. Human error can easily result in an email account breach, malware download, or ransomware attack. Every employee is a potential security risk, so it is important for controls to be implemented to reduce the risk of mistakes leading to a costly security incident.
One of the main ways that data breaches occur is through phishing. The web pages used in phishing attacks host phishing kits that collect login credentials and send them to the scammers. The web pages usually contain identical copies of the login boxes used by the likes of Microsoft Office 365, Google, and Facebook. The web pages are incredibly realistic and can be difficult for employees to identify as malicious.
Hyperlinks in emails also direct employees to websites containing exploit kits which probe for vulnerabilities and silently download malware. A user could visit a website for a couple of seconds, yet still trigger a malware download. Even general web surfing can see users redirected to malicious websites.
The solution is to implement a web filter. A web filter allows businesses to control the web content that users can visit, and it also blocks access to malicious web sites.
Web Filtering at Multiple Locations
While a web filter is easy to implement on premises, protecting mobile workers and multiple offices can be more of a challenge. Traditionally, web filters were physical appliances through which all Internet traffic flowed. Rules were applied to the appliance to control what sites can be visited by employees.
One of the main disadvantages when web filtering multiple locations, is a separate appliance needs to be used at each location. Not only is this costly, installing and maintaining the appliance requires technicians to be available on site. For many businesses running multiple offices, IT is managed remotely. IT staff are not available at each site. An appliance-based filter at each site is far from ideal.
An alternative is to backhaul Internet traffic to the corporate office, but this has a major impact on Internet speed. The latency issued can cause major problems for remote offices so this option is also not ideal.
The best solution is a cloud-based DNS web filter. A DNS web filter can be applied, configured and maintained remotely without the need for site visits or on-site support staff. No hardware is required and no software needs to be downloaded. All that is required is for a change be made to internal DNS servers or DNS settings.
Not only does this approach eliminate the need for any costly hardware purchases, with a cloud-based DNS filter there is no latency. The DNS-filter can be applied for all locations and managed through a single web-based interface. Controls can also be applied for different locations via an AD/LDAP client.
A cloud-based DNS filter is ideal for web filtering multiple locations, but what about protecting employees on the move? When employees travel for business, their mobile devices similarly need to be protected. A DNS filter can protect those employees online no matter where they access the Internet without the need to backhaul traffic.
Cloud-based DNS web filters are also the ideal solution for managed service providers (MSPs) who want to offer web filtering to their clients. The filters are highly scalable, and they offer multitenant management for MSPs and allow all clients settings to be configured and managed through a single pane of glass. Separate polices can be applied for each clients and reports can be easily generated. There is no need for any site visits, no need for patching, and web filtering can be offered no matter where the client is based.
WebTitan Cloud – Web Filtering Multiple Locations Made Simple
TitanHQ is a leading provider of DNS-based web filtering for businesses. WebTitan Cloud is an enterprise-class DNS-based web filtering solution that makes web filtering multiple locations effortless. The solution takes minutes to implement and requires no training to use. All web filtering controls can be applied remotely via an intuitive user interface.
If you run a business in multiple geographical locations, want to protect remote workers, or if you are a managed service provider that wants to add web filtering to your service stack, contact TitanHQ for further information on WebTitan Cloud.
A phishing campaign has been detected that uses Google Translate to make phishing web pages appear legitimate when visited through mobile browsers. The novel tactic makes it harder for end users to see that the website they have been directed to is not an official website.
The phishing attack starts with an email that indicates the user’s password has been used to access their Google account from an unfamiliar device. Many users will be familiar with these messages. They are generated when a user logs into their own account using a different device or from an unfamiliar location. The messages are also triggered when a user attempts to login to their account using a VPN.
In this campaign, the standard Google Security Alert has been copied exactly and includes the Google logo, standard formatting, and text that users will be familiar with. The message tells the user to click on a link – A button below the warning message – to visit their account to review the activity and take action to secure their account.
If the user is on a desktop or laptop, they will be directed to a standard phishing page which has a copy of the Google login. It should be apparent that the user is not on the legitimate Google site as the URL clearly nothing to do with Google.
However, if the user has opened the email on a mobile device and clicks the hyperlink button, the URL displayed in the browser will be different. The phishing webpage uses Google Translate to display a URL containing a random string of characters, but crucially, the visible part of the URL displayed in the browser starts with translate.googleusercontent.com/translate_
The URL does contain the web page which the user is on, which is a page on mediacity.co.in, but it is detailed much later in the URL so will not be displayed to the user unless they click the address bar to check it. Many users will not do that since the visible part of the URL appears genuine.
While the phishing campaign is unlikely to work on desktops or laptops, many mobile users will likely be fooled by the scam and will provide their Google credentials. They may not fall for the Facebook login request, as being redirected to Facebook from Google is odd, but by that time it is too late. The attacker will have full access to the user’s Google account.
Google accounts can contain a wealth of sensitive data. Gmail accounts can also be used for further phishing attacks on contacts.
Security awareness training will help to prevent employees from falling for phishing scams such as this. By conditioning employees to always check the sender of an email before taking any action, and to always take the time to carefully check the full URL of a website before disclosing any sensitive information, scams like this can be easily identified.
Even with security awareness training, employees make mistakes. To improve protection against phishing attacks, businesses should deploy an advanced spam filter to prevent malicious messages from being delivered to corporate inboxes. A web filter is also strongly recommended. A cloud-based web filter can prevent users from accessing phishing webpages, even when they are using mobile devices.
For further information on spam filtering and web filtering for businesses, contact the TitanHQ team today and ask about SpamTitan and WebTitan: TitanHQ’s leading spam filtering and web filtering solutions for businesses.
Anatova ransomware is a new cryptoransomware variant that appears to have been released on January 1, 2019. It is stealthy, can infect network shares, has already been used in attacks in many countries around the world. It could well prove to become a major ransomware threat in 2019.
Ransomware has somewhat fallen out of favor with cybercriminals as cryptocurrency mining malware offers greater potential for profit. The development of new ransomware variants has slowed, but new variants are still emerging and the threat from ransomware is not going away any time soon. Ransomware attacks are still profitable for cybercriminals and as long as that remains the case the attacks will continue.
Anatova ransomware was identified and named by security researchers at McAfee. The name was taken from the name on the ransomware note. The previously unknown ransomware variant has been used in at least 10 countries, with over 100 Anatova ransomware attacks identified in the United States, more than 65 in Belgium, and over 40 in France and Germany.
Not only does the ransomware variant employ a range of techniques to avoid detection, infection can cause major damage and widespread file encryption. Further, the modular design allows the developers to easily add new functionality in the future.
Most of the strings in Anatova ransomware have been encrypted and different keys are required to decrypt them. Those keys have been embedded in the executable. 90% of calls are dynamic and use non-suspicious Windows APIs and standard C-programming language.
Once downloaded and executed, the ransomware performs a check of the name of the logged in user against a list of encrypted names and will exit if there is a match. Names that prompt an exit include tester, lab, malware, and analyst. These names are commonly used on virtual machines and sandboxes. A check will also be performed to determine the country in which the device is located. The ransomware will exit if the device is in any CIS country, Egypt, Syria, Morocco, Iraq, or India.
Anatova ransomware scans for files smaller than 1MB and checks for network shares, although care is taken not to disrupt the operating system during this process and raise a flag before files are encrypted. Once files have been identified, the encryption routine starts. The ransomware uses its own key, so each victim requires a separate key to unlock the encryption.
Once the encryption process has run, the ransom note is dropped on the desktop, the memory is cleaned, and volume shadow copies are overwritten 10 times to ensure files cannot be recovered from local backup files.
The ransom demand is relatively high – Around $700 (10 DASH) per infected machine. Since multiple devices can be infected with a single installation, the total ransom demand could well be considerable.
What is not 100% certain is how the ransomware is being distributed. McAfee detected one sample on a P2P file sharing network which masquerades as a free software program complete with game/application icon to encourage users to download and run the installer. Other attack vectors may also be used. Based on the current distribution vector, a web filter will offer protection against attacks if P2P file sharing/torrents sites are blocked.
The researchers believe Anatova ransomware has been created by highly skilled malware authors who are currently distributing a prototype of the ransomware. More widespread attacks are to be expected once this testing phase has been completed.
Hackers are taking advantage of poor Wi-Fi security to attack small businesses. This post covers simple steps to take to improve Wi-Fi security to block cyberattacks.
Small businesses can implement a robust firewall to protect against cyberattacks, but the Wi-Fi router is often a weak point. A Wi-Fi router providers wireless coverage for your business and it is a likely attack vector if security is lax. By attacking wireless routers, hackers can bypass your firewall.
Fortunately, there are simple steps you can take to improve Wi-Fi security and block attacks. Seven simple steps to take to improve Wi-Fi security have been listed below.
Simple Steps for Small Businesses to Take to Improve Wi-Fi Security
Some of the steps below are obvious security measures, but there have been many instances when small businesses have overlooked these simple protections, only for them to be exploited by hackers.
Change Router Admin Credentials
Changing default credentials is one of the easiest but most important steps to take to improve Wi-Fi security. Because it is so simple, no business should be guilty of this security faux pas, but many are, even large businesses. In November, a school system discovered that its WAN provider had not changed the passwords on routers that had been in use for years. This is not the login for Wi-Fi, but the password for the router itself. These default administrator passwords can be found with a simple Internet search.
Disable Remote Administration on Your Router
Many wireless routers allow users to access and change router settings from outside the network. For the majority of businesses, remote administration is not necessary so it should be disabled. While this setting can be convenient, there are other more secure ways to access router settings remotely such as using a VPN. Allowing remote administration makes it far too easy for hackers to access your router.
Monitor Your DNS Settings
In January 2019, the U.S. Department of Homeland Security issued an emergency directive to all government agencies instructing them to perform an urgent audit of their DNS records after it was discovered that a threat group was targeting government agencies and changing their DNS records. By hijacking the DNS, all employees could be directed to malicious websites – clones of legitimate sites. Businesses that do not have an internal DNS server often use their wireless routers for this. Businesses should regularly monitor their DNS settings to ensure that no changes have been made.
Limit the Range of Your Wi-Fi Signal
You will want to make sure that everyone on the premises can access your Wi-Fi network, but it is important that no one outside your offices can do so too. If your Wi-Fi signal is too strong, it could be accessed by someone outside your offices and out of sight – In a car parked in your lot for instance. An overly strong Wi-Fi signal makes it easy for an attacker to conduct brute force attacks without being seen.
Keep Firmware Updated
New router firmware will be periodically released by the manufacturer and, as with all other software updates, they should be applied as soon as possible. Firmware updates are issued to improve security and functionality. They address known vulnerabilities for which exploits exist. Some routers will be set to update automatically, others may require a manual update through the web-based interface. Be sure to check the manufacturers web page, as your router may no longer be supported, which means it is time for an upgrade.
Make Use of Your Guest Network
One of the most important security measures is to segment your network and this is especially important for Wi-Fi. You should not allow any untrusted device to connect to your network, such as those used by visitors. You should have a separate SSID for your employees and guests. This will keep guests away from your primary network.
Ensure Your Wi-Fi Network is Encrypted
You should ensure that your Wi-Fi network is encrypted with WPA as an absolute minimum. Without encryption your network will be open and hackers will be able to intercept wireless traffic. Currently the encryption standard is WPA2, although this will change to WPA3 in 2019. If you are planning on replacing your Wi-Fi router, make sure the new model supports WPA3. If your router only supports WEP it is time to upgrade.
Hackers are increasingly targeting small businesses. These 10 cybersecurity tips for small businesses can be implemented to improve security, prevent successful cyberattacks, and avoid costly data breaches.
Many small business owners misguidedly think that their company is too small to be a target for hackers but cyberattacks on small businesses are common and they are increasing. A successful attack on a Fortune 500 company is likely to be far more profitable for the hacker, but also much harder. Small businesses are relatively easy targets and attacks can be highly profitable.
Small business owners cannot afford to take cybersecurity lightly. A successful cyberattack could prove catastrophic. With this in mind, we have compiled 10 cybersecurity tips for small businesses that can easily be implemented to improve security.
Top Cybersecurity Tips for Small Businesses
Implement a Robust Firewall
A firewall is a cybersecurity solution that sits between a small business network and the outside world and prevents unauthorized individuals from gaining access to the network and stored data. Not all firewalls are created equal. Extra investment in a next generation firewall is money well spent. Don’t forget to also protect remote workers. Ensure that they are also protected by a firewall.
Create and Enforce Password Policies
You should implement password policies that require all users to set strong, secure passwords. A strong, unique password should be used for all systems. Passwords should include capitals, lower-case letters, a number, and a special character, and should be at least 10 digits long. Teach employees how to create secure passwords and enforce your password policies. Consider using a password manager so passwords do not need to be remembered. Consult NIST for the latest password guidance.
Security Awareness Training
Make sure you provide the workforce with regular security awareness training. This is the only way that you can create a culture of cybersecurity. Be sure to cover the security basics, safe Internet use, how to handle sensitive data, creation of passwords, and mobile device security. You should provide training to help employees avoid phishing attacks and consider phishing simulation exercises to test the effectiveness of your training program.
Multi-factor authentication involves the use of a password and at least one other method of authentication. If login credentials are compromised, an additional factor is required to gain access to an account or the network such as an SMS message to a user’s smartphone.
It is essential to have a good backup policy. In the event of disaster, such as a ransomware attack, you need to be able to recover critical data. Backups must also be tested to make sure files can be recovered. Don’t wait until disaster strikes to test whether data can be recovered. A good strategy is the 3-2-1 approach. Three backup copies, on two different types of media, with one copy stored securely offsite.
Software and Firmware Updates
Vulnerabilities are regularly found in computer software. Patches are released to correct those vulnerabilities, including those that are being actively exploited. Make sure patches are applied promptly, software is kept 100% up to date, and the most up to date firmware has been installed. Implement automatic updates where possible and create a schedule for updates if they need to be performed manually.
It is a standard best practice to segment networks and split them into subnetworks. Not only will this improve security it can also improve performance. By preventing access between segments, if one part of the network is compromised, an attacker will not have access to all systems and data. Also make sure you limit access to sensitive data and restrict the use of admin credentials. Apply the rule of least privilege. Do not give employees access to data, networks, and software that they do not need for day to day work duties.
Implement a Spam Filter
Arguably the biggest cyber threat that small businesses face is phishing. A single phishing email could allow an attacker to bypass your perimeter defenses and obtain login credentials or install malware. An advanced spam filter will allow you to improve productivity by blocking non-malicious spam emails and prevent phishing emails from being delivered to inboxes.
Secure Wi-Fi Networks
If you have a wireless network in your workplace it needs to be protected. Ensure that it is secured, data are encrypted, and that it is hidden and does not broadcast its SSID. Use WPA2 for encryption (or WPA3 if possible). Change default passwords and ensure your wireless router cannot be accessed from outside the network.
Consider Implementing a Web Filter
A web filter provides protection against web-based attacks by preventing employees from visiting phishing websites and sites that host malware. A DNS-based web filter can protect wired and wireless networks and even remote workers. It will block malware downloads and prevent users from accessing dangerous websites and those that serve no work purpose thus improving productivity.
Email archiving for small businesses is now more important than ever. Not only do state and federal laws require data to be retained for long periods, the EU’s General Data Protection Regulation (GDPR) has introduced new requirements for businesses covering email retention. These requirements for email are best met by using an email archive, although many small businesses are still relying on email backups.
Are Email Backups and Email Archives the Same?
In basic terms, an email backup and an email archive serve the same purpose. They allow emails to be stored so they can be recovered if needed. However, there are important differences between an email backup and an email archive, which have become even more important since the introduction of the GDPR.
Emails may need to be recovered for a variety of reasons. If an important email is lost, if emails have been corrupted, in the event of an audit, for legal discovery, in order to resolve customer disputes, or to find and delete emails when a customer exercises their right to be forgotten under GDPR rules.
Backups are useful, but they are far from ideal for most of the above reasons. Backups allow email data to be restored in the event of loss or if email has been corrupted – Due to a ransomware attack or a hardware failure for instance. In such cases, email backups allow the email system to be quickly restored to the point when the backup was made.
A backup is simply a copy of email data and is a snapshot of data in the email system at any given time. It is ideal as a short-term solution to protect against data loss. However, each time a backup is made, it typically replaces a previous copy. This means that it is possible for emails to be lost. If an email is deleted or corrupted, and a new backup is made that overwrites the last copy, deleted and corrupted emails may be lost forever. Restoring backups may require the entire database to be restored, even when only a few emails need to be recovered. That is hardly an ideal situation.
How Does an Email Archive Differ from an Email Backup?
An email archive is not a copy of email data. With an email archive, emails are moved from the mail system into the archive for long term storage. In addition to emails, tasks, email attachments, and calendars can be archived. Many companies choose to implement an archive not for disaster recovery as backups are still used for that purpose, but to decreases the workload of an email server, improve performance, and eliminate the need for mailbox limits.
One of the most important differences between a backup and an email archive is an archive is searchable, which makes it a quick and easy process to find a specific email or set of email messages that need to be recovered. They could be emails sent to or from a specific person or those that contain an individual’s personal data.
Backup allows emails to be retained and restored, but backups are not searchable. If an email is lost or needs to be recovered, finding messages can be a very time-consuming process.
In the event of legal action against a company, as part of the discovery process an organization will have to produce emails related to the case. A limited amount of time is provided to respond, so it is essential that information can be found quickly and efficiently. The same is true for compliance audits, GDPR requests, and to settle customer disputes.
In contrast to a backup, emails that are archived cannot be lost as no data is overwritten. Archives are also tamperproof and an audit trail is maintained.
Failure to retain data, missing deadlines for producing data, and accidental deletion of email data can attract major financial penalties. Those fines can prove catastrophic for small businesses. Email archiving for small businesses ensures that these issues never arise.
With an email archive, emails are instantly encrypted to prevent data from being intercepted or accessed by unauthorized individuals and with cloud-based archives there is no limit on storage space. Users can continue to use their mail clients or browsers and can easily access archived emails. Email archives are easy to use, manage, maintain, and it is quick and easy to recover emails on demand.
In short, email archiving for small businesses:
Adds legal safeguards
Ensures protection against data loss
Maintains an audit trail
Ensures emails can be quickly found and recovered
Eliminates the need for mailbox quotas
Increases efficiency and productivity
Allows long term storage of emails to meet compliance requirements
TitanHQ has developed ArcTitan to meet the needs of small to medium sized businesses and managed service providers. ArcTitan is email archiving solution for small businesses that is cost effective, secure, easy to use, effortless to maintain, and ensures businesses meet their legal responsibilities with respect to email retention. The solution works with all major email clients and Office 365.
If you have any questions about email archiving for small businesses, if you want to set up an email archive, or would like information on the best solution to meet the needs for your business, contact the TitanHQ team today.
The news headlines frequently warn businesses of the need to improve cybersecurity protections to thwart hackers, but not all threats come from outside the company. There are various types of insider threats that need to be managed and mitigated, yet these are all too often overlooked or insufficient controls are put in place to reduce the risk of a deliberate or accidental breach.
What are Insider Threats?
An insider threat is one that comes from within the company, typically an employee who accidentally or deliberately takes an action that causes harm or loss to the company.
Hackers attack companies to gain access to their networks to spy on companies, obtain secrets, steal data or sabotage systems. Breaking through perimeter defenses can be time consuming and difficult but if an insider wants to steal data or sabotage a system, it is far easier as they already have network access.
Not all insider threats involve intentional malicious actions by employees. An employee can also act in a way that negatively affects their company without intending to cause any harm.
This could be intentionally violating company policies in a non-malicious manner. An example would be the installation of software to save the employee time or to allow them to work more efficiently. Installing unauthorized software carries a risk of a malware or spyware infection. An employee could violate company policies which could lead to an accidental data breach. Then there is human error, such as sending an email containing sensitive information to the wrong person. Such actions could prove costly.
Businesses need to protect against all insider threats if they are to avoid costly data breaches. A great many data breaches result from too little focus on cybersecurity defenses to block the threat from within.
Malicious Acts by Employees
Anyone that has access to sensitive company data could potentially abuse their access rights to view or steal data. There is no particular profile of a malicious insider. Everyone could decide one day to steal information or sabotage systems, but you can protect against malicious insiders and manage the risk.
Cover insider threats in security awareness training and encourage employees to be vigilant and report suspicious activity. Provide them with an easy way to report their concerns.
Implement tools that monitor for anomalous behavior
Implement controls to prevent the use of portable storage devices such as thumb drives
Implement tools that prevent employees from downloading and running certain files types – Executable files for instance.
Apply the rule of least privilege – Don’t let employees access data/systems that they do not need to access to complete their day to day work duties
Accidents Will Happen…
The insider threats that can be the hardest to defend against are mistakes by employees. These types of insider threats include responding to a phishing email and disclosing login credentials, sending sensitive data to the wrong email recipient, accidentally visiting malicious websites, and inadvertently downloading malware. These threats need to be managed and mitigated through policies and procedures, training, and software solutions.
…But You Can Minimize Risk!
Phishing is arguably the biggest threat. Hackers know all too well that people make mistakes and can easily be fooled. Priority number one should be blocking phishing emails and making sure they are not delivered. For that you need an advanced spam filter. The more phishing emails that are blocked, the lower the risk of a click.
Security awareness training is also essential. When a phishing email lands in an inbox, employees need to have the skills to recognize it as such. Provide training and make the training interesting to engage employees. Interactive training courses can help in that respect. Make sure you test your employees’ knowledge afterwards with phishing email simulations. They will let you know who has taken the training on board and who needs further training.
Training needs to cover all security threats, not just phishing. Teach employees security best practices, including checking badges before allowing someone into the building, password security, keeping credentials private, and safe use of WiFi.
Another important technical control to implement is a web filter. A web filter allows businesses to control what employees can do online. They block access to phishing websites, block drive-by malware downloads, and prevent employees from visiting questionable websites that carry a high risk of malware infections or malvertising redirects: Adult sites and torrents/P2P file sharing sites for instance. Some web filters will also keep employees safe and secure when working remotely.
The important thing for businesses is not to leave things to chance or to assume they are too small to worry about insider threats and data breaches. Every business is at risk, regardless of size.
For further information on software solutions that can protect against data security threats give the TitanHQ team a call.
A new form of MongoLock ransomware is actively being used in a global campaign. A 0.1 BTC ransom is demanded, although file recovery may not be possible. The ransomware immediately deletes files and formats backup drives and a recoverable copy may not be retained by the attackers.
MongoLock ransomware was first detected in January 2017. A major campaign involving the ransomware was detected in September 2018 with the latest attacks having been ongoing since December 2018. The attackers are gaining access to unprotected or poorly protected MongoDB databases and are deleting data and replacing the databases with a new database. Inside the database is a file called readme that contains the ransom demand.
The attackers claim to have exported the database before encrypting it. Victims are required to make a 0.1 BTC payment to a supplied Bitcoin wallet or contact the attackers via email. Many victims have chosen to pay the ransom; however, there is no guarantee that data can be recovered. It is unclear whether the attackers are making a copy of the database or are simply deleting it.
The attacks are automated and scripts are used to delete the database and create the ransomware note, but the scripts are not always effective. Even if it is the intention of the attackers to obtain a copy of the database, that may not always happen.
The latest version of MongoLock ransomware also conducts a scan of local drives and deletes important data, including files saved to the Desktop, My Documents folder, Recent files, favorites, and any backup files that can be located. The drives are then formatted. This makes payment of the ransom all the more likely. Users are advised they have just 24 hours to make payment before the database is permanently deleted.
The file deletion routine is executed after the files have been uploaded to the attackers’ C2 server, so they can potentially be recovered if the ransom payment is made. However, if the computer is taken offline, file deletion continues but no copy of the file will be obtained by the attackers.
These attacks are primarily conducted on exposed MongoDB databases, which can easily be found using the Shodan search engine. Any businesses that uses MongoDB should ensure that the databases are properly secured, and that authentication is required to gain access. It is also important to ensure the databases cannot be accessed remotely over the Internet.
It is also essential to adopt a good backup strategy. The 3.2.1 approach is recommended. Make three backups, stored on two separate devices, with one copy stored securely off site on a non-networked device.
A malvertising campaign has been detected that delivers two forms of malware: The new, previously unknown Vidar information stealer and subsequently, the latest version of GandCrab ransomware.
The packaging of multiple malware variants is nothing new of course, but it has become increasingly common for ransomware to be paired with information stealers. RAA ransomware has been paired with the Pony stealer, njRAT and Lime ransomware were used together, and Reveton ransomware is used in conjunction with password stealers.
These double-whammy attacks help threat actors increase profits. Not everyone pays a ransom, so infecting them with an information stealer can make all infections profitable. In many cases, information can be obtained and sold on or misused and a ransom payment can also be obtained.
The latest campaign uses the Vidar information stealer to steal sensitive information from a victim’s device. The Vidar information stealer is used to obtain system information, documents, browser histories, cookies, and coins from cryptocurrency wallets. Vidar can also obtain data from 2FA software, intercept text messages, take screenshots, and steal passwords and credit/debit card information stored in browsers. The information is then packaged into a zip file and sent back to the attackers’ C2 server.
The Vidar information stealer is customizable and allows threat actors to specify the types of data they are interested in. It can be purchased on darknet sites for around $700 and is supplied with an easy to use interface that allows the attacker to keep track of victims, identify those of most interest, find out the types of data extracted, and send further commands.
Vidar also acts as a malware dropper and has been used to deliver GandCrab ransomware v5.04 – The latest version of the ransomware for which no free decryptor exists.
While many ransomware variants are delivered via spam email or are installed after access to systems is gained using brute force tactics on RDP, this campaign delivers the malicious payload through malvertising that directs traffic to a websites hosting the Fallout or GrandSoft exploit kits. Those EKs exploits unpatched vulnerabilities in Internet Explorer and Flash Player. The campaign targets users of P2P file sharing sites and streaming sites that attract large amounts of traffic.
Infection with the Vidar information stealer may go undetected. New malware variants such as this may be installed before AV software malware signatures are updated, by which time highly sensitive information may have been stolen, sold on, and misused. If GandCrab ransomware executes, files will be permanently encrypted unless a ransom is paid or files can be recovered from backups.
Businesses can protect against attacks such as these by ensuring that all operating systems and software are promptly patched. Drive-by downloads will not occur if the exploits for vulnerabilities used by the exploit kit are not present.
An additional, important protection is a web filter. Web filters prevent users from visiting websites known to host exploit kits and also sites that commonly host malicious adverts – torrents sites for instance. By carefully controlling the sites that employees can access, businesses can add an extra layer of protection while avoiding legal liability from illegal file downloads and improving productivity by blocking access to non-work-related websites.
For further information on web filters for businesses and MSPs, contact the TitanHQ team today.
The U.S. government has issued a warning following a spate of MSP cyberattacks by nation-state sponsored hackers.
Homeland Security Warns of Targeted MSP Cyberattacks
Managed service providers (MSPs), cloud service providers (CSPs), and managed security service providers (MSSPs) have been warned about an increase in malicious cyber activity and targeted attacks on IT service providers. Nation-state sponsored hackers are targeting IT service providers in an attempt to gain access to their networks, and ultimately, those of their clients.
It is not difficult to see why MSPs, CSPs, and MSSPs are such an attractive target. These IT service providers usually have administrator access to their clients’ networks or certainly elevated privileges that could allow an attacker to gain access to servers, security appliances, and databases of multiple clients.
The threat of attack is theoretical. There has been an increase in MSP cyberattacks in recent months, so much so that the U.S. Department of Homeland Security (DHS) has issued a warning to all IT service providers specifically due to an increase in attacks on IT service providers by Chinese government-backed hackers.
The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued cybersecurity guidance for IT service providers on steps that need to be taken to improve security, detect attacks quickly, and prevent threat actors from gaining access to their clients’ networks. Since companies that use IT service providers have also been warned of the risk of attack through their IT companies, MSPs, MSSPs and CSPs are likely to be contacted by clients wanting reassurances.
IT service providers should therefore be proactive and n ensure that CISA guidance is being followed to better protect themselves and their clients.
Feds Launch Campaign to Raise Awareness of Cyber Risks
CISA is not the only government agency to issue a warning in the past few days. The Trump administration has launched a new campaign to raise awareness of cyber risks in all industry sectors. The “Know the Risk, Raise your Shield campaign is being spearheaded by the National Counterintelligence and Security Center (NCSC) at the Office of the Director of National Intelligence. The campaign has been launched in response to increased cyberattacks from state sponsored hackers in Russia, China, Iran, and North Korea and independent hackers.
The aim of the campaign is to ensure that cybersecurity best practices are being followed to make it much harder for the attackers to succeed. The NCSC is aware that improved cybersecurity comes at a cost, but explains that investment in cybersecurity defenses is money very well spent and reminds businesses that an ounce of security equates to a pound of protection.
How Can Businesses and MSPs Improve Their Defenses?
With MSP cyberattacks on the increase it is essential that defenses are improved. While there are many ways that MSPs and businesses can be attacked, one of easiest ways is phishing. Phishing targets a weak link in security defenses: Employees. If a phishing email is delivered to an inbox and an employee responds, credentials will be obtained by the attacker that gives them a foothold to launch further attacks on other employees and MSP clients.
It is therefore important to improve awareness of the risks and train employees how to recognize email threats and how to react. It is also important to ensure that technical spam defenses are implemented to make sure phishing threats are blocked on the server and are not delivered to end users’ inboxes or local spam folders. SpamTitan is an ideal solution for MSPs to implement to block these phishing attacks on their employees and their clients.
A DNS based web filter should also be implemented to ensure that should a malicious email make it past the spam defenses, employees are prevented from visiting malicious websites. A DNS-based web filter blocks attempts to access malicious sites during the DNS lookup process and adds an extra layer of security against phishing.
For further information on spam filtering and web filtering for businesses and MSPs, speak to the TitanHQ team today.
Other important steps to take to improve security include:
Use of strong password policies
Applying the principle of least privilege
Ensuring network and host-based monitoring systems are implemented and logs are regularly checked for signs of malicious activity
Performing regular vulnerability scans to identify security weaknesses before they are exploited.
New figures released by anti-virus firms McAfee and Symantec have shown the extent to which hackers are using cryptocurrency mining malware in attacks on consumers and businesses.
Cryptocurrency mining malware hijacks system resources and uses the processing power of infected computers to mine cryptocurrencies – Validating transactions so they can be added to the blockchain public ledger. This is achieved by solving difficult computational problems. The first person to solve the problem is rewarded with a small payment.
For cryptocurrency mining to be profitable, a lot of processing power is required. Using one computer for mining cryptocurrency will generate a few cents to a few dollars a day; however, hackers who infect thousands of computers and use them for cryptocurrency mining can generate significant profits for little work.
The use of cryptocurrency mining malware has increased considerably since Q4, 2017 when the value of Bitcoin and other cryptocurrencies started to soar. The popularity of cryptocurrency mining malware has continued to grow steadily in 2018. Figures from McAfee suggest cryptocurrency mining malware has grown by 4,000% in 2018.
McAfee identified 500,000 new coin mining malware in the final quarter of 2017. In the final quarter of 2018, the figure had increased to 4 million. Figures from Symantec similarly show the scale of the problem. In July 2018, Symantec blocked 5 million cryptojacking events. In December, the firm blocked 8 million.
There are many different ways of infecting end users. Hackers are exploiting unpatched vulnerabilities to silently download the malware. They package coin mining malware with legitimate software, such as the open-source media player Kodi, and upload the software to unofficial repositories.
One of the easiest and most common ways of installing the malware is through email. Spam emails are sent containing a hyperlink which directs users to a website where the malware is silently downloaded. Links are similarly distributed through messaging platforms such as Slack, Discord, and Telegram. One campaign using these messaging platforms included links to a site that offered software that claimed to fix coin mining malware infections. Running the fake software installer executed code on the computer which silently downloaded the malware payload.
Unlike ransomware, which causes immediate disruption, the presence of cryptocurrency mining malware may not be noticed for some time. Computers infected with coin mining malware will slow down considerably. There will be increased energy usage, batteries on portable devices will be quickly drained, and some devices may overheat. Permanent damage to computers is a possibility.
The slowdown of computers can have a major impact for businesses and can result in a significant drop in productivity if large numbers of devices are infected. Businesses that have transitioned to cloud computing that are charged for CPU usage can see their cloud bills soar.
Anti-virus software can detect known coin mining malware, but new malware variants will be unlikely to be detected. With so many new malware variants now being released, AV software alone will not be effective. It is therefore important to block the malware at source. Spam filters, such as SpamTitan, will help to prevent malicious emails from reaching end users’ inboxes. Web filters, such as WebTitan, prevent users from accessing infected websites, unofficial software repositories, and websites with coin-mining code installed that uses CPU power through browser sessions.
A new variant of capitalinstall malware is being used in targeted attacks on a variety of organizations, in particular those in the healthcare and retail industries.
The main purpose of capitalinstall malware is to install an adware package named Linkury that is used to hijack browser sessions on Windows devices. When Linkury adware has been installed, web search results can be altered to display results which would otherwise not be displayed. An infected machine will display unwanted adverts but could also download unwanted programs, some of which may pose a security risk.
Capitalinstall malware has been linked to various malicious websites, although the adware package is actually being hosted on Azure blog storage which is often trusted by organizations and is often whitelisted.
The malware is installed via an executable file that has been packaged inside an ISO file, with the ISO file hosted on websites that offer keys to unlock popular software such as Adobe Creative Cloud.
Upon running the file, a crack for the software claims to be installing and the user is directed to a website where they are urged to install other programs and browser add-ons, such as cryptocurrency miners, with various enticing reasons provided for installing those programs.
This method of distributing unwanted and potentially harmful software is likely to grow in popularity as it offers a way of bypassing security solutions by taking advantage of inherent trust in cloud storage providers.
A web filtering solution can offer protection against downloads of unwanted programs by preventing end users from visiting potentially malicious websites. WebTitan scans and assesses web pages in real time and prevents users from accessing malicious websites and other sites that violate corporate Internet usage policies. With WebTitan in place, users can be prevented from visiting websites that are used for distributing potentially unwanted programs (PUPs) and malware.
In addition to technical controls, it is important to cover the risks of installing unauthorized software in security awareness training, especially the use of software license cracks. These executable files commonly have spyware, adware, and other forms of malware packaged into the installers.
Managed Service Providers can spend a significant amount of time dealing with phishing attacks and other security breaches. While MSPs provide an invaluable service and help their clients deal with cyberattacks, by providing security services, MSPs can not only protect their clients and prevent attacks, but also save themselves a considerable amount of time and improve their bottom lines.
The Devastating Consequences of an SMB Cyberattack
Successful cyberattacks on businesses can be catastrophic. The average cost of a data breach has now risen to $3.86 million, according to the Ponemon Institute. Such a high cost means many SMBs struggle to stay in business following a major breach.
A data breach can cause a significant drop in share price. While many businesses see share prices return to near pre-breach levels around 6 months after a major breach, many SMBs do not survive that long. Figures from the National Cyber Security Alliance show that up to 60% of SMBs permanently close their doors within 6 months of suffering a data breach.
Not only do businesses have to cover the cost of remediating a breach, they can lose market share which can be difficult to recover. Customers can also be very unforgiving. If customers’ personal information is exposed as a result of a data breach, the loss of business can be considerable. The damage caused to the reputation of a business by a cyberattack can take a very long time to repair.
Many SMBs believe they are too small to be worth hacking, yet the National Cyber Security Alliance’s figures show that is far from the case. 70% of cyberattacks target small businesses, and while not all of those attempts are successful, nearly 50% of SMBs around the globe report that they have experienced at least one successful cyberattack.
Cybersecurity Solutions for MSPs
MSPs that start offering cybersecurity to their clients can prevent the majority of these cyberattacks, providing the right solutions are chosen. Businesses will naturally need a robust firewall to prevent direct attacks, but many attackers are able to bypass this perimeter control by targeting the weakest link in security: Employees.
Cybercriminals are able to bypass perimeter controls by sending phishing emails to employees. Two recent examples have clearly demonstrated this. The San Diego School District discovered a hacker had gained access to its network and a database of 500,000 staff and student records with phishing emails. 50 email accounts were compromised in that attack. Cape Cod Community College also experienced a phishing attack targeting the finance department, the end result of which was fraudulent transfers being made to criminal-controlled bank accounts totaling more than $800,000. End user training could have made all the difference, as could an advanced spam filtering solution – both of which could easily be provided by MSPs.
Why Web Filtering Should be Part of Your Security Stack
Email security is an area often lacking at SMBs, even though email is the most common attack vector. Web-based attacks are also common, and this is an area where many SMBs are particularly vulnerable. This is another area where MSPs can help improve security.
Web filtering is often overlooked as traditionally this has been a security control that is difficult for MSPs to implement. Appliance-based filters require hardware purchases and site visits. Standard web filters require content to be downloaded before access is blocked and that they can cause major latency problems. DNS filtering solves these problems. Since filtering takes place at the DNS level, controls are applied before any content is downloaded and latency issued are avoided and web-based threats are blocked at source. Since there is no need for hardware to be purchased, it is cost effective for most businesses to implement. There are also no software downloads and deploying the solution is a quick and easy Process. Everything can be set up remotely in a matter of minutes and clients can be protected from malware attacks, phishing, and ransomware downloads while also controlling content and blocking illegal and unacceptable web activity.
WebTitan: MSP-Friendly Web Filtering to Protect Wired and Wireless Networks
In contrast to many DNS-based web filtering solutions, WebTitan has been developed to meet the needs of MSPs. One of the main problems with most DNS-based web filters for MSPs is the inability to add MSP branding. It is abundantly clear it is a third-party solution.
WebTitan can be totally rebranded, allowing MSPs to add their own logos and reinforce their brand image. WebTitan can be hosted on TitanHQ’s servers or within an MSPs own environment. WebTitan also has a well-established channel program and offers special pricing packages specifically for MSPs with generous margins and monthly billing. No other web filtering solution is as MSP friendly.
Other key features of WebTitan include:
Highly granular filtering controls: Filter by category, content, and keyword
Supports whitelists and blacklists
Intuitive control panel requiring no user training
Highly scalable solution with virtually no upper limit on number of clients or users
Embedded malware filter supported by dual AV engines
Extensive reporting suite and ability to brand and schedule client reports
Real time view of web activity
Remote management and monitoring via APIs and easy integration into billing and auto-provisioning systems
Flexible polices for different environments and users
Protection for wired and WiFi networks
Ability to provision new clients in minutes
Full product available on a free trial
Industry leading customer support
For further information on TitanHQ’s cybersecurity solutions for MSPs including WebTitan Cloud, WebTitan Cloud for WiFi, and the TitanHQ spam filter, SpamTitan Cloud, contact the MSP Program Team today.
Local authorities and private sector bus companies are now adding Wi-Fi services to their bus fleets, but without appropriate Wi-Fi security for busses, bus fleet operators can run into problems.
There is no doubt that Wi-Fi is a big hit with passengers, especially for long distance travel. Business commuters can connect to email and their work network without having to use their own data and all passengers can enjoy a variety of digital entertainment, such as Internet-based games, online crosswords, YouTube videos, or all manner of Internet based applications, all without eating into their monthly data allowance.
In locations where people have a choice of different transport, the provision of a reliable Wi-Fi network can be a big attraction that can win more business.
Wi-Fi Security for Busses
There are some considerations when providing Wi-Fi on busses. Wi-Fi security for busses is important to ensure that the Wi-Fi network cannot be used for malicious purposes. Over the summer, it was clearly demonstrated how this can easily happen. A hacker was able to hack into the Wi-Fi network on planes and view the Internet activity of passengers, as well as gain access to other important devices on airplanes – All from the ground.
Appropriate Wi-Fi security for busses should be implemented to protect the privacy of passengers, but also to ensure they can use the Wi-Fi network safely. Bus companies should be taking steps to protect passengers from harmful content, such as sites hosting malware and phishing websites.
Content Control for Busses
A third-party Wi-Fi network offers anonymity and some users take advantage and access types of content that they would not access on their home networks. Bus fleet operators have a responsibility to block illegal activity on their Wi-Fi networks.
If a passenger accesses adult content on the Wi-Fi network of a bus, there is a risk that other passengers will catch a glimpse of the screen and children could be exposed to obscene content. It is the responsibility of bus fleet operators to implement content controls to prevent passengers from accessing inappropriate content.
Controlling Bandwidth Use on Busses
There is also the issue of bandwidth. Ensuring all users have decent bandwidth and can connect to the network and enjoy reasonable Internet speeds comes at a cost. If several passengers are using applications or visiting websites that require a considerable amount of bandwidth, that will naturally have an impact on other users of the Wi-Fi network. Limiting what users can do while connected to Wi-Fi networks can save bandwidth and costs. Preventing, or restricting, high bandwidth applications such as video streaming, online games such as Fortnite, and large file downloads can help to conserve bandwidth.
DNS-Level Content Filtering
All of the above issues can be easily solved with a single, cost effective solution – A web filter. A web filter allows network administrators to carefully control what users can do online. It offers both content control and Wi-Fi security for busses by blocking access to illegal content, preventing malware downloads, and offering protection from phishing. Categories of web content can be blocked to create a family-friendly Wi-Fi network and control bandwidth use.
Traditional web filters require an appliance through which Internet traffic is routed. This is a costly way of adding Wi-Fi security for busses. A DNS-level filter on the other hand is a low cost, flexible solution that serves the same purpose. When a user connects to the Wi-Fi network, the DNS process sends domain names to the name server and the name server returns the IP address associated with the application server. When content is filtered at the DNS level, no software needs to be downloaded and no appliances need to be purchased.
Not only do DNS-level filters offer excellent Wi-Fi security for busses, they also save on bandwidth as content is not downloaded before the decision is taken to block the content.
WebTitan Cloud for Wi-Fi – Content Filtering and Wi-Fi Security for Busses
WebTitan Cloud for Wi-Fi is an ideal web filtering solution for bus fleets. Since it is DNS-based it is easy to implement, highly scalable, and is cost-effective to set up and run. WebTitan Cloud for Wi-Fi can protect entire bus fleets, in multiple cities, and licenses can be easily scaled up and down to meet bus operators’ needs.
Some of the key features of WebTitan Cloud for Wi-Fi are detailed below:
No hardware purchases or software downloads required
No patching or software updates required
Protects multiple Wi-Fi routers from a single, web-based administration control panel
Protects against malware with dual anti-virus engines
Protects users from phishing and other malicious websites
Allows network administrators to protect the Wi-Fi network from unauthorized users
Highly granular controls allow precise content control without overblocking content
Block content by category with a single click
No latency – Internet speeds are unaffected
Supports static and dynamic IPs
Supports whitelists and blacklists
No restriction on bandwidth, number of devices, or the number of hotspots
Full suite of reports gives network administrators full visibility into their Wi-Fi networks and user activity
If you are looking to improve Wi-Fi security for busses and want to implement content controls to keep your Wi-Fi networks family-friendly, contact TitanHQ today for further information on WebTitan Cloud for Wi-Fi.
Many businesses now offer their customers free access to their Wi-Fi networks, but if guest Wi-Fi best practices are not followed, opening up Wi-Fi networks to guest users is not without risk. You may have provided security awareness training to your employees, but guest users are unlikely to be as careful while connected to your network. Customers and guests may accidentally download malware or visit malicious websites, or even engage in illegal activities due to the anonymity offered by someone else’s Wi-Fi network.
If guest Wi-Fi best practices are not followed, there will be people that take advantage of your lax security. They could launch an attack on your business network, explore your network assets, change router settings, or even gain access to confidential data.
If you run a hotel, restaurant, shop, or another business that provides Wi-Fi access to customers, it is important to create a safe browsing environment for all Wi-Fi users and take steps to secure your access points and control the activities that users can engage in while connected.
Guest Wi-Fi Best Practices for Hotspot Providers
Create A Separate Wi-Fi Network for Guests and Employees
You will no doubt have a Wi-Fi network that is used by your employees. It is important that this is totally separate from the one used by guests and customers. Guest users should access a totally separate network. Ideally, there should be a network firewall that separates guest users from employees. If you use enterprise switches, create a separate VLAN for access points that broadcast the guest wireless SSID. Also make sure you use a software firewall to block traffic from the guest network from your company’s servers and computers. Also make sure guest users can only access the Internet while connected.
Naming Your SSID
An SSID is the name you give to your Wi-Fi network that identifies it as belonging to your business. Care should be taken when choosing a name. Your choice should depend on the nature of your business and who the Wi-Fi network serves. If you run a coffee shop, for instance, you should make it clear which is your Wi-Fi network and prominently display that information. That will make it harder for rogue hotspots to be created to fool customers into connecting to an evil twin – A hotspot set up and controlled by a hacker to fool customers into connecting in the belief it is your hotspot.
Encrypt your Wireless Signals
Unsecured Wi-Fi networks may be easier to set up and use, but they also allow anyone within range to connect, even if they are not in your establishment. To connect, it should be necessary for a password to be entered. You should also encrypt your wireless network to make it harder for hackers to intercept users’ data. Secure your wireless network with WPA2 encryption or, even better, WPA3 if it is supported by your access point.
Create a Safe Browsing Experience and Control the Internet Content That Can be Accessed
You should develop and implement a guest Wi-Fi access policy covering what is and is not permitted on your Wi-Fi network. You should also enforce that policy with technical controls. A cloud-based web filter is ideal for this.
It is easy to deploy and configure and will allow you to carefully control the content that can be accessed while connected. You should block access to known malicious sites and illegal web content through blacklists. Category based filters are useful for blocking access to inappropriate content such as pornography and restricting bandwidth-heavy activities that can slow down Internet speeds for all users. By filtering content, not only will you keep your Wi-Fi users protected, you will also reduce legal liability and ensure that your Wi-Fi network is family friendly.
Adopt these guest Wi-Fi best practices to improve safety and security, keep your customers protected, and make it harder for cybercriminals to attack your network or your guest users.
It’s the time of year when the poor password practices of users are highlighted. This month has seen the list of the worst passwords of 2018 published and a list of 2018’s worst password offenders.
The Worst Passwords of 2018
So, what were the worst passwords of 2018? SplashData has recently published a list of the worst passwords of 2018 which shows little has changed since last year. End users are still making very poor password choices.
To compile the list, SplashData analyzed passwords that had been revealed through data dumps of passwords obtained in data breaches. More than 5 million exposed passwords were sorted to find out not only the weakest passwords used, but just how common they were. The list of the top 100 worst passwords of 2018 was published, although we have only listed the top 25 worst passwords of 2018:
Unsurprisingly, there has been no change in the top two passwords this year. 123456 and password have held number 1 and 2 spots for the past five years. Donald is a new addition but would not keep a user’s account secure for long, even if their name isn’t Donald. 654321 is also new this year but offers little more protection than 123456.
Other new entries include qwerty123 and password1 – Clear attempts to get around the requirement of including numbers and letters in a password.
How common are the worst passwords of 2018? According to SplashData, 3% of users have used 123456 and 10% of people have used at least one password in the list of the top 25 worst passwords of 2018!
Poor Password Practices and the Worst Password Offenders of 2018
DashLane has published its list of the worst password offenders of the year. In addition to the list containing users who have made very poor password choices by selecting some of the worst passwords of 2018, the report highlights some of the terrible password practices that many individuals are guilty of. Poor password practices that render their passwords absolutely useless.
This year has seen many major password failures, several of which came from the White House, where security is critical. Topping the list was a password faux pas by a visitor to the oval office – Kanye West. Not only was ‘Ye’ guilty of using one of the worst possible passwords on his phone ‘000000’, he also unlocked his phone in full view of an office full of reporters who were filming his meeting with President Trump. Ye’s poor password was broadcast to the nation (and around the world). This incident highlights the issue of ‘shoulder surfing.’ Looking over someone’s shoulder at their screen to see passwords being entered. Something that can easily happen in public places.
Another White House password failure concerned a staffer who committed the cardinal password sin of writing down a username and password to make it easier to remember. It is something that many employees do, but most do not write it on White House stationary and then leave the document at a bus stop.
Password security should be exemplary at the White House, but even more so at the Pentagon. Even staff at the Pentagon are guilty of poor password hygiene, as was discovered by Government Accountability Office (GAO) auditors. GAO auditors discovered default passwords were used for software associated with weapons systems. Default passwords are publicly available online which renders them totally useless. GAO auditors were also able to guess admin passwords with full privileges in only 9 seconds.
These are just three examples of terrible password practices. While they are shocking given the individuals concerned, they are sadly all too common.
Password Best Practices to Keep Accounts Secure
A password prevents other individuals from gaining access to an account and the sensitive information contained therein. Choose a strong password or passphrase and it will help to make sure that personal (or business) information remains confidential. Choose a weak password and an account can easily get hacked. Choose an exceptionally weak password and you may as well have no password at all.
To ensure passwords are effective, make sure you adopt the password best practices detailed below:
Make sure you set a password – Never leave any account open
Always change default passwords – They are just placeholders and are next to useless
Never reuse old passwords
Use a unique password for all accounts – Never use the same password for multiple accounts
Do not use names, dictionary words, or strings of consecutive numbers or letters
Ensure passwords are longer than 8 characters and contain at least one number, lowercase letter, uppercase letter, and a symbol – Long passphrases that are known only to you are ideal
Use a random mix of characters for passwords and use a password manager so you don’t have to remember them. Just make sure you set a very strong password for your password manager master password.
Set up multi-factor authentication on all of your accounts
Never write down a password
Never share passwords with others, no matter how much you trust them
Password Best Practices for Businesses
Verizon’s 2018 Data Breach Investigations Report revealed 81% of hacking-related data breaches were due to weak passwords or stolen credentials. It is therefore critical that businesses adopt password best practices and ensure users practice good password hygiene. Businesses need to:
Train end users on good password hygiene and password best practices
Enforce the use of strong passwords: Blacklist dictionary words, previously exposed passwords, previously used passwords, and commonly used weak passwords
Set the minimum password length to 8 characters (or more) and avoid setting a maximum length to encourage the use of passphrases.
Follow the password advice published by the National Institute of Standards and Technology (NIST)
Don’t enforce password changes too often. End users will just reuse old passwords or make very minor changes to past passwords.
Implement multi-factor authentication
Encrypt all stored passwords
Consider the use of other authentication methods – Fingerprint scanners, facial recognition software, voice prints, or iris scans
Educational institutions are being targeted by cybercriminals for all manner of nefarious purposes: To obtain the personal information of staff and students for identity theft and tax fraud, to steal university funds, and to steal university research.
University research theft is an easy income stream for hackers. Research papers can command high prices on the black market and are highly sought after by nation state governments and businesses.
This fall, the UK’s Daily Telegraph revealed Iranian hackers were selling research papers that had been stolen from top British Universities including Oxford and Cambridge. Several Farsi websites were identified advertising free access to university research papers, including an offer of university research theft to order. Provide the details and, for a price, the research be found and sent through an encrypted channel.
There were papers for sale on highly sensitive subjects such as nuclear research and cybersecurity defenses. Even less sensitive subjects are valuable to foreign businesses. The research could help them gain a competitive advantage at the expense of universities. In the case of Iran, universities are being used to gain access to Western research that would otherwise be off limits due to current sanctions.
It is not just British universities that are being targeted. The hackers are infiltrating university research databases the world over, and it is not just Iranian hackers that have tapped into this income stream. University research theft is a growing problem.
How Are University Databases Breached?
One of the main ways access to research databases is gained is through phishing – A simple method of attack that requires no programming know-how and no malicious software. All that is required is a little time and the ability to create a website.
Phishing emails are sent to staff and students that request a visit a webpage where they are required to enter their credentials to academic databases. If the credentials are disclosed, the phishers have the same access rights as the user. The phishers then download papers or advertise and wait for requests to roll in. They then just search the database, download the papers, and provide them to their customers.
Various social engineering techniques are used to entice users to click the links. Requests are sent instructing the user that they need to reset their password, for instance. The web pages they are directed to are exact copies of the sites used by the universities. Apart from the URL, the websites appear perfectly genuine.
Unfortunately, once credentials have been obtained it can be difficult for universities to discover there has been a breach since genuine login credentials are used to access the research databases.
How to Prevent University Research Theft
No single cybersecurity solution will protect universities from all phishing attacks. The key to mounting an effective defense against phishing is layered phishing defenses.
The primary cybersecurity solution to implement is an advanced spam filter to ensure as many phishing emails as possible are blocked and messages containing malicious attachments do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing messages and 100% of known malware. Even advanced spam filtering solutions will not block all phishing emails, so additional controls are required to deal with the <0.1% of phishing emails that are delivered.
While a web filter can be used to block access to categories of web content such as pornography, it will also block access to known malicious websites: Websites used for phishing and those that host malware.
End user security awareness training is also essential. End users are the last line of defense and will remain a weak link unless training is provided to teach them how to identify malicious emails. Staff and students should be conditioned to report threats to their security teams to ensure action can be taken and to alert first responders when the university is under attack.
Multi-factor authentication should also be implemented. If credentials are stolen and used to access a database, email account, computer, or server, from an unfamiliar device or location, a further form of authentication is required before access is granted.
Universities should have security monitoring capabilities. Logs of access attempts and should generated and network and user activity should be monitored for potential compromises.
For further information on anti-phishing defenses and cybersecurity solutions that can help prevent university research theft, contact the TitanHQ team today.
There has been much debate over the use of web filters for libraries. On one side are those that believe that as places of learning, there should be no restrictions placed on the types of information that can be accessed through libraries. Libraries house books that are sexually explicit, racist, or contain material some may find distasteful or offensive, but banning those books would be inappropriate.
That same thinking has been applied to the Internet, access to which is often provided in libraries. The application of a web filter to block certain types of content is viewed as unacceptable by some people, even if as a result of a lack of technical controls library computers are used to access hardcore pornography. The American Library Association does not advocate the use of web filters for libraries, instead suggesting acceptable usage policies and educational programs are more appropriate.
The other camp considers the use of web filters in libraries to be a necessity to ensure libraries can be used by children and adults without others subjecting them to obscene and potentially harmful web content. Acceptable usage policies only discourage users from accessing pornography. Policies do not prevent such activities.
New Hampshire Library Considers Using Web Filtering Technology to Block Porn
The use of public library computers for viewing offensive sexual content is common. There have been many cases of library patrons discovering other users accessing adult content on computers in full sight of other users, as was recently the case at the Lebanon Public Library in New Hampshire.
A complaint was made to Lebanon Public Library about two children (of middle school age) who are alleged to have used the library computers to access pornography. Jim Vanier, youth center coordinator for the Carter Community Building Association, overheard the children discussing pornography at the computers, although they denied accessing adult content.
Vanier’s complaint prompted the Library Board of Trustees to form a task force to investigate current internet usage policies and the task force will consider whether a web filter is appropriate for the library.
While web filters for libraries are available to prevent obscene videos and images from being accessed, relatively few libraries have started implementing even the most basic content controls. The Children’s Internet Protection Act requires the use of web filters in libraries and schools, but only as a condition to obtain e-rate discounts and federal grants. In order to qualify for funds, obscene images, child pornography, and other information deemed harmful to minors must be blocked.
The municipal libraries in Lebanon have taken steps to curb Internet misuse and have introduced policies that prohibit computers from being used for any disruptive or inappropriate behavior, including the viewing of images of a pornographic nature. However, policies alone are insufficient to prevent all cases of inappropriate Internet use.
The reason why many libraries choose not to apply filters is often because web filters for libraries are not perfect, and as a result, they could filter out unintended content.
Accuracy of Content Blocking by Web Filters for Libraries
While there have been issues with web filters for libraries overblocking content in the past, there have been major advances in web filtering technology over the past 10 years. Web filters can now more accurately assess and categorize content.
WebTitan Cloud, for instance, has highly granular controls and allows libraries to carefully control the content that can be accessed without overblocking.
While there is potential for user error when setting policies, WebTitan Cloud solves this issue by having an easy to use user interface that requires no technical skill to use. This helps to eliminate user error that often leads to overblocking of web content.
With WebTitan Cloud, libraries can easily filter out pornography, child pornography, and other obscene and harmful content to comply with CIPA and meet parents’ expectations without restricting access to valuable, educational websites.
WebTitan Cloud also blocks access to websites that host malware to prevent malicious software from being downloaded onto library computers, as well as blocking a wide range of Internet threats such as phishing.
WebTitan Cloud – An Accurate and Easy to Use Web Filter for Libraries
WebTitan Cloud is an ideal web filter for libraries. It is 100% cloud-based so not costly hardware purchases are required. It is easy to implement, simple to use, and allows Internet content to be carefully controlled without blocking access to valuable educational material.
Some of the key features in TitanHQ’s web filters for libraries have been detailed below:
WebTitan Cloud Features
Highly granular controls to allow precise filtering of Internet content
Unmatched combination of coverage, accuracy, and flexibility
Real-time classification of more than 500 million websites and 6 billion web pages in 200 languages
100% coverage of the Alexa 1 million most visited websites
Easy to use interface requiring no technical skill
100% cloud-based filtering – No hardware purchases or software downloads required
Supports Safe Search and YouTube for Schools
Supports whitelists and blacklists for creating exceptions to allow/block content outside general policy controls
Category-based filtering allows blocking through 53 pre-defined website categories and 10 customizable categories
Customizable block pages
Supports time-controlled cloud keys to allow certain users to bypass filtering controls – for research purposes for instance
Provides full visibility into network usage
Full reporting suite including real-time Internet activity
For further information on TitanHQ’s web filter for libraries, to arrange a product demonstration, and to register for a free trial to evaluate WebTitan Cloud in your own environment, contact the TitanHQ team today.
Are you looking for a Cisco OpenDNS alternative that is both easier to use and much more cost effective? On Wednesday December 5, 2018, you can discover how you can save money on web filtering without cutting any corners on protection.
A web filter is now an essential cybersecurity solution to protect against web-based threats such as phishing, viruses, malware, ransomware, and botnets. A web filter also allows businesses to carefully control the online activities of employees by restricting access to NSFW web content such as pornography and curb productivity-draining Internet use.
In addition to offering threat protection and content control on wired networks, a DNS-based web filter offers protection for BYOD and company owned devices regardless where they connect to the Internet. Multiple locations can be protected through a central web-based console.
A DNS-based web filter is cost effective to implement as no hardware purchases are required and no software needs to be installed. A DNS-based filter is also easy to maintenance and requires no software updates or patches.
With DNS-based filters, content control and online threat protection is simple; but what about cost? Many businesses have looked at Cisco OpenDNS to meet their web filtering requirements but are put off due to the high cost. Fortunately, there is a more cost-effective way of filtering the Internet.
TitanHQ and Celestix are hosting a webinar on a WebTitan-powered Cisco OpenDNS alternative, Celestix WebFilter Cloud.
Celestix will be joined by by TitanHQ EVP of Strategic Alliances, Rocco Donnino, and Senior Sales Engineer, Derek Higgins, who will explain how Celestix WebFilter Cloud works, why it is an ideal Cisco OpenDNS alternative, and how you can have total protection against web-based threats at a fraction of the cost of running OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
A massive Marriott data breach has been detected which could affect as many as 500 million individuals who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the largest ever reported – The 2013 Yahoo breach exposed around 3 billion records – it shares second place with the 2014 Yahoo data breach that also impacted around half a billion individuals.
Largest Ever Hotel Data Breach
The Marriott data breach may not have affected as many people as the 2013 Yahoo data breach but due to the types of information stolen it is arguably more serious. Approximately 173 million individuals have had their name, mailing address, email address stolen and around 327 million individuals have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers stolen. Further, Marriott also believes credit card details may have been stolen. While the credit card numbers were encrypted, Marriott cannot say for certain whether the two pieces of information required to decrypt the credit card numbers was also obtained by the hacker.
In addition to past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have been affected, along with guests at Design Hotels that participate in SPG program.
The data breach was detected by Marriott on September 8, 2018, following an attempt by an unauthorized individual to access the Starwood database. The investigation revealed the hacker behind the attack first gained access to the Starwood database in 2014. It is currently unclear how access to the database was gained.
The Marriott hotels data breach is naturally serious and will prove costly for the hotel group. Marriott has already committed to offering U.S. based victims free enrollment in WebWatcher, has paid for third party experts to investigate and help mitigate the data breach, and the hotel group will be bolstering its security and phasing out Starwood systems.
Even though the Marriott hotels data breach has only just been announced, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per breach victim.
There is also a possibility of a E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million are possible, or 4% of global annual turnover, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) fine. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been notified of the breach and is making enquiries.
Harder to calculate is the damage to the Marriott brand. Share prices dropped by 8.7% following the Marriott data breach announcement, and they are currently around $5 down. While share prices will likely recovery over time, the breach will almost certainly result in loss of business.
Risk of Marriott Data Breach Related Phishing Attacks
Email notifications sent to breach victims by Marriott came from the domain: email-marriott.com. Rendition Infosec/FireEye researchers purchased the domains email-marriot.com and email.mariott.com shortly after the announcement to keep them out of the hands of scammers. Other similar domains may be purchased by less scrupulous individuals to be used for phishing.
A breach on this scale is also ideal for speculative phishing attempts that spoof the email domain used by Marriott. Mass email campaigns are likely to be sent randomly in the hope that they will reach breach victims or individuals that have previously stayed at a Marriott hotel or one of its associated brands.
Consequently, any email received that is related to the breach should be viewed as potentially malicious.
In 2016, Starbucks agreed to filter out pornography from its WiFi networks, but two years on and a Starbuck WiFi filter has yet to be applied anywhere other than the UK.
The 2016 promise came in response to public pressure to take action to prevent customers from abusing its free WiFi network to view pornography. While Starbucks had an acceptable use policy and prohibited the viewing of pornography on its WiFi network, there were no controls in place to prevent customers from accessing such content.
Leading the campaign for a Starbucks WiFi filter was the Internet safety group Enough is Enough. Back in 2016, as part of its Porn Free WiFi Campaign (since renamed SAFE WiFi Campaign) the group stepped up its efforts to convince big businesses to take the lead and implement filtering technology to enforce acceptable internet usage policies on their free WiFi networks. McDonalds and Starbucks were two such brands that were petitioned by the group – a coalition of 75 partner organizations.
More than 50,000 petitions were sent to Starbucks and McDonald’s in 2016, and in response, both agreed to start filtering pornographic web content on their WiFi networks. While McDonald’s acted quickly and started blocking adult content, the Starbucks WiFi filter failed to materialize. The coffee shop chain did implement a WiFi filter in its UK locations, but the Starbucks WiFi filter was not rolled out in other countries.
Since McDonalds took the lead and created a family-friendly free WiFi network, Chick-fil-A has followed suit and has implemented a WiFi filter in its 2,200 restaurants, as have many other restaurant and coffee shop chains. However, two years on and Starbucks has not made good on its promise. The lack of apparent action prompted Enough is Enough to issue a new call for the coffee shop chain to take action.
Enough is Enough Issues Fresh Call for Starbucks WiFi Filter Rollout
“Starbucks has had a tremendous opportunity to put its best foot forward in protecting its customers from images deemed obscene and illegal under the law, but they haven’t budged, despite their promise two years ago and despite the fact that they voluntarily filter this same content in the UK,” said Enough is Enough president and CEO, Donna Rice Hughes. “By breaking its commitment, Starbucks is keeping the doors wide open for convicted sex offenders and others to fly under the radar from law enforcement and use free, public WiFi services to access illegal child porn and hard-core pornography.”
Despite the promise, there has been little news issued on the Starbucks WiFi filter front. “To date, no action has taken place to suggest Starbucks has moved forward with its public commitment. EIE has made repeated attempts to reach out to Starbucks executives by phone, e-mail and certified mail since 2016. Starbucks has remained unresponsive with the exception of a form letter from customer relations,” explained Donna Rice Hughes on November 26, 2018.
Enough is Enough has called for members of the public to petition Starbucks once again and demand a WiFi filtering solution be applied to prevent customers from accessing inappropriate content in its coffee shops.
Starbucks has now confirmed to Business Insider that the chain has been taking action and has been evaluating WiFi filtering solutions to determine whether they can be applied to block access to pornography without inadvertently blocking other types of content. A solution has now been chosen at last and it will be rolled out in 2019.
WiFi Filtering Made Simple with WebTitan Cloud for WiFi
While web filters have been criticized in the past for overblocking web content, today, web filters such as TitanHQ’s WebTitan Cloud for WiFi allow fine control of Internet content thanks to highly granular controls. Blocking access to pornography, or any other category of Internet content, requires just a couple of clicks of a mouse.
WebTitan Cloud for WiFi includes 53 preset categories of Internet content that can be filtered out in seconds once the solution has been implemented. Implementing WebTitan Cloud for WiFi, configuring the filter, and protecting customers (and employees) takes just a few minutes. No hardware purchases are required, and no software downloads are necessary. Simply change the DNS to point to WebTitan and controls can easily be applied.
In addition to blocking pornography, illegal content such as child pornography and copyright-infringing file downloads via P2P file sharing sites and be blocked. WiFi users will also be protected from malicious sites that download malware, phishing websites, and other web-based threats.
WebTitan Cloud for WiFi is highly scalable and can be used to protect multiple WiFi access points, regardless of where they are located, through an easy-to-use web-based interface. With WebTitan Cloud for WiFi, filtering the Internet and protecting customers could not be any easier.
If you run a business and you offer your customers free, unfiltered WiFi access, now is the perfect time to make a change and send a message to your customers that you are leading the fight against online pornography and are taking action to protect customers by creating a family-friendly WiFi environment.
Contact TitanHQ today for more information, to book a product demonstration, or to sign up for a free WebTitan Cloud for WiFi trial.
Managed Service providers that want to start offering WiFi filtering to clients should contact the TitanHQ MSP Program team to find out how WebTitan (and other TitanHQ products) can be integrated into their security stacks.
Business email compromise (BEC) attacks cost businesses billions of dollars each year, and business email account compromises are soaring.
What is a Business Email Compromise Attack?
As the name suggests, these attacks involve the hijacking of business email accounts. The primary aim is to compromise the account of the CEO or CFO, which is usually achieved through a spear phishing attack. Once the email account has been compromised, it is used to send phishing emails to other employees in the company, most commonly, employees in the accounts, finance, and payroll departments.
The emails commonly request wire transfers be made to accounts under the control of the attackers. Requests are also made for sensitive information such as the W-2 Forms of employees.
Since the emails are sent from the CEO or CFO’s own account, there is a much higher chance of an employee responding to the request than to a standard phishing attempt from an external email address. Since the emails come from within an organization, they are also much harder to detect as malicious – a fact not lost on the scammers.
With access to the email account, it is much easier to craft convincing messages. The signature of the CEO can be copied along with their style of writing from sent messages. Email conversations can be started with employees and messages can be exchanged without the knowledge of the account holder.
Fraudulent transfers of tens or hundreds of thousands of dollars may be made and the W-2 Forms of the entire workforce can be obtained. The latter can be used to submit fake tax returns in victims’ names to obtain tax refunds. The profits for the attackers can be considerable, and with the potential for a massive payout, it is no surprise that these attacks are on the rise.
Business Email Account Compromises Have Increased by 284% in a Year
FBI figures in December 2016 suggest $5.3 billion had been lost to BEC scams since October 2013. That figure had now increased to $12.5 billion. More than 30,000 complaints of losses due to BEC attacks were reported to the FBI’s Internet Crime Complaints Center (IC3) between June 2016 and May 2018.
The specialist insurance service provider Beazley has been tracking business email account compromises. The firm’s figures show business email account compromises have increased each quarter since Q1, 2017. In the first quarter of 2017, 45 business email account compromises were detected. In Q2, 2018, 184 business email account compromises were detected. Between 2017 to 2018, there was a 284% increase in compromised business email accounts.
While the CEO’s email credentials are often sought, the credentials of lowlier employees are also valuable. Any email account credentials that can be obtained can be used for malicious purposes. Email accounts can be used to send phishing messages to other individuals in an organization, and to business contacts, vendors, and customers.
Beazley notes that once one account has been compromised, others will soon follow. When investigating business email account compromises, businesses often discover that multiple accounts have been compromised. Typically, a company is only aware of half the number of its compromised accounts.
The High Cost of Resolving Business Email Account Compromises
Business email account compromises can be extremely costly to resolve. Forensic investigators often need to be brought in to determine the full extent of the breach. Each breached email account must then be checked to determine what information has been compromised. While automated searches can be performed, manual checks are inevitable. For one client, the automated search revealed 350,000 document attachments had potentially been accessed, and each of those documents had to be checked manually to determine the information IT contained. The manual search alone cost the company $800,000.
How to Protect Your Organization from Business Email Compromise Attacks
A range of measures are required to protect against business email compromise attacks. An advanced spam and anti-phishing solution is required to prevent phishing and spear phishing emails from being delivered to inboxes.
SpamTitan is an easy-to-implement spam filtering solution that blocks advanced phishing and spear phishing attacks at source. In contrast to basic email filters, such as those incorporated into Office 365, SpamTitan uses heuristics, Bayesian analysis, and machine learning to identify highly sophisticated phishing attacks and new phishing tactics. These advanced techniques ensure more than 99.9% of spam and malicious messages are blocked.
The importance of security awareness training should not be underestimated. End users should be trained how to recognize phishing attempts. Training should be ongoing to ensure employees are made aware of current campaigns and new phishing tactics. Phishing simulation exercises should also be conducted to reinforce training and identify weak links.
Multi-factor authentication is important to prevent third parties from using stolen credentials to access accounts. If a login attempt is made from an unfamiliar location or unknown device, an additional form of identification is required to access the account.
Password policies should be enforced to ensure that employees set strong passwords or passphrases. This will reduce the potential for brute force and dictionary attacks. If Office 365 is used, connection to third party applications should be limited to make it harder for PowerShell to be used to access email accounts. A web filtering solution should also be implemented to block access to phishing accounts where email credentials are typically obtained.
Defense in depth is the key to protecting against BEC attacks. For more information about email and web security controls to block BEC attacks, give the TitanHQ team a call. Our experienced advisers will recommend the best spam and web filtering options to meet the needs of your business and can book a product demonstration and set you up for a free trial.
A massive malvertising campaign has been detected that has so far hijacked at least 300 million browser sessions in the space of just 48 hours.
What is Malvertising?
Malveristing is a method of generating traffic to websites that would otherwise be unlikely to be visited by Internet users. The technique involves using code in adverts submitted to advertising networks to redirect users to a specific website. Clicking a link in one of the adverts can trigger multiple redirects, first to the site detailed in the Ad code, then onto another web page.
Malvertising is often used to direct Internet users to malicious websites, such as those hosting exploit kits that probe for vulnerabilities and silently download malware or phishing websites, tech support scams, and other scam sites.
As spam filtering technology has improved, fewer spam emails are being delivered to inboxes, which means fewer individuals click links in emails and visit malicious websites. Malvertising is a suitable alternative that generates huge volumes of traffic.
Users Directed to Phishing Websites
The latest malvertising campaign is being used to direct Internet users to a variety of web pages, including adult websites and ‘You’ve Won a Gift Card’ scams.
Malvertising is nothing new and there are more than a dozen threat actors that are primarily using this method to generate traffic to web pages, but this campaign stands out due to its scale and the volume of visitors that have been redirected to malicious websites.
How to Protect Your Business from Malvertising Attacks
As with spam email, malvertising is a serious risk for businesses. The majority of businesses now use a spam filtering solution to prevent malicious messages from reaching inboxes, but fewer businesses have protections in place to prevent their employees from malvertising and other web-based attacks.
Anti-virus and anti-malware solutions may identify malware downloads that take place through these malicious websites, but usually only once the malware has been downloaded. Since most AV solutions are signature-based, if a new malware variant is downloaded it will not be detected.
The most effective way of blocking malvertising is a web filtering solution. A web filter is most commonly used to control the types of content that can be accessed by employees and serves a similar purpose to parental control software. However, in contrast to parental control solutions, enterprise class-web filtering solutions also prevent network users from accessing malicious websites such as those used for phishing and to distribute malware.
WebTitan Cloud – An Easy to Use, Powerful Web Filtering Solution
WebTitan Cloud is an enterprise-class web filtering solution that has been developed to offer protection against web-based attacks, including malvertising.
WebTitan Cloud is a 100% cloud-based web filtering solution. As such, it requires no hardware purchases or software downloads. Implementation is quick and easy and only takes a few minutes. No technical skill is required to start filtering the Internet and start protecting your business from web-based threats.
In addition to blocking access to malicious websites, WebTitan Cloud allows users to restrict internet activity through 53 category-based filters. More than 700 million URLs are crawled, analyzed, and categorized every day, and the solution provides 100% coverage of the Alexa top 1 million most visited websites and blocks more than 3 million malicious URLS at any one time. More than 7,500 businesses around the world trust WebTitan to protect them from malicious web content.
WebTitan Cloud is also an ideal web filtering solution for managed service providers (MSPs), allowing them to easily add web filtering to their security stacks. WebTitan Cloud comes with a variety of hosting options, including the option of hosting the solution within an MSP’s own data center. The solution can also be provided as a white-label ready to take MSP branding.
For further information on WebTitan Cloud for managed service providers and SMBs, details of pricing, and to book a product demonstration, contact the TitanHQ team today.
WiFi networks are a potential security weak point for businesses, although the introduction of WPA3 will improve Wi-Fi security. WPA3 Wi-Fi security enhancements address many WP2 vulnerabilities, but WPA3 alone is not enough to block all WiFi threats.
WiFi Security Protocols
The WPA WiFi security protocol was introduced in 1999, and while it improved security, cracking WPA security is far from difficult. Security enhancements were introduced with WPA2 in 2004, but while more secure, WPA2 does not fix all vulnerabilities. Little has changed in the past 14 years, but at long last, WPA3 is here. Use WPA3 and Wi-Fi security will be significantly enhanced, as several important WP2 vulnerabilities have been fixed.
WPA3 WiFi Security Enhancements
One of the biggest WiFi security threats is open networks. These are WiFi networks that require no passwords or keys. Users can connect without entering a pre-shared key. All a user needs to know is the SSID of the access point to connect. These open networks are used in establishments such as coffee shops, hotels, and restaurants as it is easy for customers to connect. The problem is users send plain text to the access point, which can easily be intercepted.
WPA3 spells an end to open networks. WPA3 uses Opportunistic Wireless Encryption (OWE). Any network that does not require a password, will encrypt data without any user interaction or configuration. This is achieved through Individualized Data Protection or IDP. Any device that attempts to connect to the access point receives its own key from the access point, even if no connection to the AP has been made before. This control means the key cannot be sniffed and even if a password is required, having access to that password does not allow the data of other users to be accessed.
Another security enhancement that has been made in WP3 reduces potential for password cracking attacks such as the WPA2 KRACK Attack. WPA2 is vulnerable to brute force and dictionary-based attacks. That is because security relies on the AP provider setting a secure password and many establishments don’t. With WPA3, the Pre-Shared Key (PSK) exchange protocol is replaced with Simultaneous Authentication of Equals (SAE) or the Dragonfly Key Exchange, which improves security of the initial key exchange and offers better protection against offline dictionary-based attacks.
WPA3 also addresses security vulnerabilities in the WiFi Protected Setup (WPS) that made it easy to link new devices such as a WiFi extender. In WPA3, this has been replaced with Wi-Fi Device Provisioning Protocol (DPP).
Configuring IoT devices that lack displays has been made easier, the 192-bit Commercial National Security Algorithm is used for enhanced protection for government, defense and industrial networks, and better controls have been implemented against brute force attacks. These and other enhancements mean WPA3 is far more secure.
Unfortunately, at present, very few manufacturers support WPA3, although that is likely to change in 2019.
WPA3 WiFi Security Issues
Even with WPA3 WiFi security enhancements, WiFi networks will still be vulnerable. WPA3 includes encryption for non-password-protected networks, but it does not require authentication. That is up to hotspot providers to set. WPA3 it is just as susceptible to man-in-the-middle attacks and offers no protection against evil twin attacks. The user must ensure they access the genuine access point SSID.
The connection to the AP may be more secure, but WPA3 does not offer protection against malware downloads. Users will still be at risk from malicious websites unless a DNS filtering solution is used – A web filter to protect WiFi networks.
Improve WiFi Security with a DNS-Based WiFi Filtering Solution
A DNS-based WiFi filtering solution such as WebTitan Cloud for WiFi protects users of a WiFi network from malware attacks, ransomware downloads, and phishing threats. The cloud-based filter also allows businesses that provide WiFi access points to carefully control the content that can be accessed by employees, customers, and other guest users.
By upgrading to WPA3 WiFi security will be improved. With WebTitan Cloud for WiFi, users will also be protected once they are connected to the network.
Further information on WebTitan Cloud for WiFi is detailed in the video below. For further information on WiFi security, including WebTitan pricing and to book a product demonstration, contact the TitanHQ team today.
Businesses that fail to secure their WiFi networks are taking a huge risk, and one that could prove catastrophic. In this article we explain why WiFi security is so important and cover the main WiFi filtering security benefits for businesses.
What are the Consequences of Poor Cybersecurity?
Customers often feel loyal to a particular brand. The company gives them what they want, the prices are reasonable, the quality of products/services are good. One of the most important factors influencing customer loyalty is trust in a brand. If trust in a brand is lost, it can be difficult win customers back. They may be permanently lost. Those customers then speak to their friends and colleagues and word spreads and further business can be lost.
One of the easiest ways to lose the trust of customers is a data breach. Ask customers why they love a particular brand, and “The company keeps my data safe” will not make the top ten list. That said, if a company experiences a data breach, customers will leave in droves.
Some industries are more prone to high customer churn rates following a data breach than others. The healthcare and insurance industries do experience customer loss, but many breach victims are tied to those providers and leaving is not straightforward. The banking and retail industries on the other hand see high churn rates. There is usually plenty of choice and customers explore other options after a breach.
A study of 10,000 consumers by Gemalto in November 2017 showed 70% of customers would stop doing business with a company after a data breach. Could your business cope with an overnight loss of 70% of your customers?
Further, the cost of a data breach report revealed the average cost of a data breach has now risen to $3.86 million. A 70% loss of customers and a $3.86 million data breach bill would prove catastrophic for many businesses. It is therefore no surprise that the National Cyber Security Alliance reports that 60% of SMBs go out of business within 6 months of a data breach.
Defense in Depth is Essential
The Gemalto study found that 62% of consumers felt that a company that holds their data is responsible for security, highlighting the importance customers place on the privacy of their data.
For businesses, ensuring systems and data are kept secure can be a major challenge. The only way to meet that challenge is through defense in depth. A range of cybersecurity solutions are required to secure systems and data, block cyberattacks, and prevent data breaches.
The best place to start is by performing a risk assessment to highlight all potential risks to your systems and data. Consider all possible ways that an attack can occur, assess the risk of each, and develop a risk management plan to address those risks, addressing the highest risk areas first.
While many companies implement a host of network and email security solutions, one area of security that is often overlooked is the WiFi network, even though WiFi poses a considerable risk, not only to the business but also to customers that are allowed to connect to the WiFi network. Some of the important WiFi filtering security benefits are detailed in the section below.
Important WiFi Filtering Security Benefits for Businesses
There are many WiFi filtering security benefits for businesses. Implementing a WiFi filter will not only improve security for the business and its customers, it can also help to improve the productivity of the workforce.
Some of the most important WiFi security benefits are detailed below:
Block Malware and Ransomware Downloads
One of the most important WiFi filtering security benefits for businesses is protection from malware and ransomware downloads. Malware allows hackers to steal customer data, intellectual property, and obtain credentials to plunder corporate bank accounts. Malware infections can prove incredibly costly to resolve and ransomware attacks can bring businesses to a grinding halt. A WiFi filter help improve security by blocking access to sites hosting exploit kits and preventing drive-by malware downloads.
Prevent WiFi Users from Visiting Phishing Websites
Phishing is a major risk for all businesses. While most phishing attacks start with an email, they invariably link to websites that harvest credentials. A WiFi filter ensures that employees and guest users cannot access websites known to be used for phishing.
Stop Users from Accessing Illegal Website Content
Businesses have a responsibility to ensure that their WiFi networks cannot be used to access illegal content such as child pornography or to perform copyright-infringing file downloads. In addition to the potential for these actions to lead to legal problems for employers, these illegal online activities increase the risk of a malware infection.
Prevent Users from Accessing Inappropriate Websites
Businesses should take steps to prevent employees and guest WiFi users from accessing inappropriate websites – Websites that have no work purpose and those that are likely to cause offense to other individuals – adult content for example. Inappropriate internet use is a major drain of productivity and poses a security risk.
Other Important WiFi Filtering Benefits
All companies must take steps to reduce legal liability and employee Internet access is one area where companies can experience legal problems. Web content that seems funny to some employees could be highly offensive to others and lead to the creation of a hostile working environment and subsequent legal action by employees. Any company that fails to block illegal online activities such as copyright-infringing downloads, could be found to be vicariously liable for the actions of its WiFi users.
Businesses can use a WiFi filter to control bandwidth use. By blocking access to bandwidth heavy activities such as video streaming at busy times, business can ensure all users can enjoy fast Internet speeds.
WebTitan Cloud for WiFi: WiFi Filtering Made Simple
Gaining the above WiFi filtering security benefits is easy with TitanHQ’s innovative WiFi filtering solution – WebTitan Cloud for WiFi.
WebTitan Cloud for WiFi is easy to implement, simple to use, and effortless to maintain. WebTitan Cloud for WiFi allows businesses to carefully control Internet access, reduce risk, make important productivity gains, and improve their security posture.
WebTitan Cloud for WiFi can be implemented in minutes, requires no hardware purchases and needs no software downloads. An intuitive user interface can be accessed from anywhere with an internet connection and no technical skill is required to configure and maintain the solution.
WebTitan Cloud for WiFi allows business of all sizes to gain the WiFi filtering security benefits with no slowing of Internet speeds.
WebTitan WiFi Filtering Security Benefits
Blocks access to web pages hosting malware
Blocks ransomware, malware, virus, and botnet downloads
Prevents employees and guests from accessing phishing websites
Requires no user updates or patches
Blocks the use of anonymizers
Inspects all Internet traffic, including encrypted content
Reports can be generated to show which employees are attempting to bypass filtering controls
Policies can be created for different users, departments, or locations
Different filtering controls can be set for employees and guest WiFi users
For further information on WebTitan Cloud for WiFi, details of pricing, to book a product demonstration, or to sign up for a free 14-day trial of the full solution, contact the TitanHQ team today.
Many employees access their work emails and work networks via public Wi-Fi hotspots, even though there is a risk that sensitive information such as login credentials could be intercepted by hackers. Many employees are unaware of the Wi-Fi security threats that lurk in their favorite coffee shop and fail to take precautions. Even employees who are aware of the Wi-Fi security threats often ignore the risks.
This was highlighted by a 2017 survey by Symantec. 55% of survey participants said they would not hesitate to connect to a free Wi-Fi hotspot if the signal was good and 46% said they would rather connect to a free, open wireless network than to wait to get a password to a secure access point.
60% of survey participants believed public Wi-Fi networks are safe and secure but even though 40% are aware of the Wi-Fi security threats, 87% said that they would access financial information such as their online banking portal or view their emails on public Wi-Fi networks.
The majority of users of public Wi-Fi networks who were aware of the Wi-Fi security threats said they ignored the risks. Millennials were the most likely age group to ignore Wi-Fi security threats: 95% of this age group said they had shared sensitive information over open Wi-Fi connections.
Consumers may be willing to take risks on public Wi-Fi networks, but what about employees? According to a 2018 Spiceworks survey, conducted on 500 IT professionals in the United States, employees are also taking risks.
61% of respondents to the survey said their employees connect to public Wi-Fi hotspots in coffee shops, hotels, and airports to work remotely. Only 64% of respondents said their employees were aware of the Wi-Fi security threats. A similar percentage said their employees were aware of the risks and connect to their work networks using a VPN, which means that 4 out of 10 workers were unaware of the importance of establishing a secure connection.
Even though 64% of respondents were confident that employees were aware of the risks, only half were confident that data stored on mobile devices was adequately protected against threats from public Wi-Fi hotspots. 12% of respondents said they have had to deal with a public Wi-Fi related security incident, although a further 34% were not sure if there had been a security breach as many incidents are never reported.
WiFi Security Threats Everyone Should be Aware of
All employers should now be providing security awareness training to their employees to make the workforce more security aware. Employees should be trained how to identify phishing attempts, warned of the risk from malware and ransomware, and taught about the risks associated with public Wi-Fi networks.
Five threats associated with open public Wi-Fi hotspots are detailed below:
Evil Twins – Rogue Wi-Fi Hotspots
One of the most common ways of obtaining sensitive information is for a cybercriminal to set up an evil twin hotspot. This is a fake Wi-Fi access point that masquerades as the legitimate access point, such as one offered by a coffee shop or hotel. An SSID could be set up such as “Starbuck Guest Wi-Fi” or even just state the name of the establishment. Any information disclosed while connected to that hotspot can be intercepted.
Using a packet sniffer, a hacker can identify, intercept, and monitor web traffic over unsecured Wi-Fi networks and capture personal information such as login credentials to bank accounts and corporate email accounts. If credentials are obtained, a hacker can gain full control of an account.
Many people have file-sharing enabled on their devices. This feature is useful at home and in the workplace, but it can easily be abused by hackers. It gives them an easy way to connect to a device that is connected to a Wi-Fi hotspot. A hacker can abuse this feature to drop malware on a device when it connects to a hotspot.
Not all threats are hi-tec. One of the simplest methods of obtaining sensitive information is to observe someone’s online activities by looking over their shoulder. Information such as passwords may be masked so the information is not visible on a screen, but cybercriminals can look at keyboards and work out the passwords when they are typed.
Malware and Ransomware
When connecting to a home or work network, some form of anti-malware control is likely to have been installed, but those protections are often lacking on public Wi-Fi hotspots. Without the protection of AV software and a web filter, malware can be silently downloaded.
Employers can reduce risk by providing comprehensive training to employees to make sure they are aware of the risks from public Wi-Fi hotspots and make sure that employees are aware they should only connect to public Wi-Fi networks if they use a VPN. Employers can further protect workers with WebTitan Cloud – An enterprise-class web filter that protects workers from online threats, regardless of where they connect.
Hotspot providers can protect their customers by securing their Wi-Fi hotspots with WebTitan Cloud for Wi-Fi. WebTitan Cloud for Wi-Fi is a powerful web filter that protects all users of a hotspot from malware and phishing attacks, and can also be used to control the types of sites that can be accessed. If you offer Wi-Fi access, yet are not securing your hotspot, your customers could be at risk. Contact TitanHQ today to find out how you can protect your customers from online threats, control the content that can be accessed, and create a family-friendly Wi-Fi environment.
In this post we explain the importance of WiFi filtering and brand protection. It can take years of hard work for businesses to develop trust in their brand. That trust can easily be lost if customers are not protected while connected to business WiFi networks and come to harm or suffer losses.
If Trust is Lost in a Brand it Can Take Years to Recover
Trust is a cornerstone of all successful brands, but it is not something that can be developed overnight. Developing trust in a brand takes an extraordinary amount of time and money, but once established, companies will be rewarded by customer loyalty.
While trust can be difficult to earn, it is certainly not difficult to lose. One of the easiest ways for consumers to lose trust in a brand is through privacy breaches and cyberattacks. If the personal data of customers is exposed or stolen, customers will lose faith in the brand and are likely to take their business elsewhere.
A 2017 study by Gemalto revealed 70% of customers would stop doing business with a company that failed to protect their personal data and suffered a data breach. Regaining customers trust after a data breach can take years. Protecting customer data is therefore essential if a business is to succeed and continue to enjoy success.
Wi-Fi Security and Brand Protection
One aspect of security that is often overlooked is protecting customers who connect to Wi-Fi networks. Many businesses offer free Wi-Fi access to their customers yet fail to implement controls over what customers can do while connected. Consequently, customers may be exposed to malware, phishing, and other harmful content.
Even businesses that claim to be family friendly often do not always filter the Internet and block access to adult and other age-inappropriate web content. It was only relatively recently that McDonald’s started filtering its WiFi networks to protect customers. Starbucks has also agreed to implement WiFi filters to block porn next year.
How are Wi-Fi filtering and brand protection related? Imagine someone uses your WiFi network to access pornography and a child views their screen? Or a parent finds out their child has been viewing adult content on the establishment’s Wi-Fi network? It only takes one person to complain via a social media network for the story to go viral and for the company’s reputation to be tarnished. The same goes for a malware infection as a result of an establishment failing to implement anti-malware controls on its WiFi network.
Implementing a WiFi filter shows customers that you are doing all you can to protect them from online threats and harmful content. WiFi security is therefore important for brand protection.
There have also been cases of businesses temporarily losing Internet access over illegal Internet activity – Employees who have used a corporate WiFi network to engage in illegal activities such as downloading pirated content. ISPs can terminate internet access if complaints are received and loss of Internet access can cripple a business. Legal action can also be taken by the copyright holder against the business.
WebTitan Cloud for WiFi: The Easy Way to Secure Wi-Fi Networks
TitanHQ has been protecting SMBs from cyber threats for more than 20 years and has expanded its portfolio of solutions to cover WiFi security and brand protection solutions.
TitanHQ has developed WebTitan Cloud for WiFi to make it easy for businesses to secure their WiFi networks and for MSPs to offer WiFi filtering to their clients.
WebTitan Cloud for WiFi is a 100% cloud based WiFi filtering solution that is quick and easy to implement and requires no hardware purchases or software downloads. The solution blocks malware downloads, access to malicious websites, lets businesses carefully control the content that can be accessed via their Wi-Fi networks and control bandwidth use by employees and customers. In short, WebTitan Cloud for WiFi lets businesses create a safe environment to access the Internet.
To find out more about WebTitan Cloud for WiFi, including details on pricing, contact TitanHQ today. All businesses can book a product demonstration and sign up for a free WebTitan Cloud for WiFi trial to evaluate the solution in their own environment.
On May 25, 2018, the EU’s General Data Protection Regulation came into effect. While all businesses should now be compliant, there are still GDPR opportunities for MSPs. Smart MSPs see GDPR as an opportunity for profit and are winning business by helping companies streamline their data management processes. The compliance deadline may have already passed, but there are many GDPR opportunities for MSPs. MSPs can help companies stay compliant, reduce the time their clients have to spend on compliance-related tasks, improve security, and save businesses money.
Key GDPR Opportunities for MSPs
GDPR compliance and security services are a potential gold mine for MSPs. MSPs will have had to go through the GDPR compliance process themselves, so they should already be well versed in what is required. They will have gained valuable insights into GDPR through that process, which can be passed on to their clients.
GDPR compliance solutions that MSPs use could be offered to clients as a service. GDPR also provides an opportunity to sell clients additional security services to ensure the data of their customers are properly protected. With fines up to €20 million or 4% of global income possible, there is a major incentive for ensuring continued compliance with the GDPR.
There are security opportunities such as data encryption, spam filtering, and web filtering, which can be grouped together and sold as a GDPR security package. MSPs can offer auditing services to ensure their clients are fully compliant with GDPR.
It is a requirement of GDPR for companies to appoint a Data Protection Officer (DPO), but many SMBs lack the internal talent. While a DPO may have been assigned, the time that is spent on that role could be put to better use. One of the GDPR opportunities for MSPs is offering a DPO-as-a-service to fulfil that aspect of GDPR compliance for their clients.
Email Archiving for MS Exchange – An Easy Win for MSPs
Any business that collects or processes the data of EU citizens must have mechanisms in place that allow them to find all data related to an individual. An EU citizen can contact a company and request a copy of the information that is held on them, and if they so wish, can request that the processing of their data is stopped and have their data deleted.
When individuals exercise their right to erasure – or right to be forgotten – a company is required to honor that request within 30 days. In order to be able to process those requests efficiently, a company must know the location of all its data. Companies should therefore have conducted an audit of their systems to identify all locations where personal data are stored. When a request is received, the individual’s data can then be quickly found and deleted.
Personal data may also be detailed in emails and locating those emails can be a major challenge. Any company that does not use an email archive is likely to face problems finding all emails in backups. Since an email archive is searchable, it is a quick and easy process to locate all emails related to a specific individual. The introduction of GDPR creates a compelling case for purchasing an email archiving solution – which is another of the GDPR opportunities for MSPs.
By offering email archiving for MS Exchange or other mail services, MSPs can help their clients comply with GDPR requirements for security, data retention, auditing, and the right to erasure.
ArcTitan: An Easy Email Archiving Service for MSPs
ArcTitan is an easy to use and easy to manage email archiving service that has been developed to meet the needs of businesses and managed service providers.
ArcTitan is a cloud-based secure archive deployed on AWS that is compliant with GDPR for email retention and auditing as well and all major regulatory standards. ArcTitan is compatible with all major mail servers and email services and will meet the requirements of the most demanding clients.
The solution provides almost instant access to data, gives instant search results, and allows instant archiving. A search of 30 million emails takes less than a second and messages are archived at a rate of more than 200 per second. The solution is also scalable to more than 60,000 users.
To meet the needs of MSPs, ArcTitan is available with a range of hosting options – In the TitanHQ Cloud, a dedicated private cloud, or ArcTitan can be deployed in an MSP’s own data center. API integration allows MSPs to provision customers through their own centralized management system, there is a growth-enabling licensing program, and usage-based pricing and monthly billing. ArcTitan is also rebrandable and can be supplied as a white label ready to take an MSP’s logos and corporate colors.
If you have yet to offer email archiving to your clients or you are unhappy with your current provider’s service or the margin, contact the TitanHQ team today.
A new phishing campaign is bypassing Office 365 anti-phishing defenses and arriving in employees’ inboxes; one of several recent campaigns to slip through the net and test end users’ security awareness knowledge.
The aim of this campaign is not to obtain login credentials or install malware. It is a sextortion scam that aims to get email recipients to make a payment to the scammers.
The scam itself is straightforward. The sender of the email claims to be a hacker who has gained access to the victim’s computer and has installed malware. That malware allowed full access to the user’s device, including control of the webcam. The email claims that the webcam was used to record the victim while he/she was accessing adult web content. The attacker claims to have spliced the webcam recording with the images/videos that were being viewed at the time. The attacker claims the video will be sent to the user’s contacts on social media and via email.
Several similar sextortion scams have been conducted in the past few months, but what makes this campaign different is the extent of the deception. In this campaign, the attacker includes the user’s password in the email body.
I’m a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from [user’s email]on moment of hack: [user’s password]”
The password may not be the one currently used, but it is likely to be recognized as it has been taken from a previous data breach. However, its inclusion will be especially worrying for any user who does not regularly change their password and for users that share passwords across multiple sites or reuse old passwords. Changing the password will not block access, according to the email
“Of course, you can and will change it, or already have changed it.
But it doesn’t matter, my malware updated it every time.”
For anyone who has viewed adult content on a laptop or other device with a webcam, this message will no doubt be extremely concerning. Especially, as the email contains ‘evidence’ of email compromise. The From field of the email displays the user’s own email address, indicating that the attacker has sent it from the user’s email account.
The attacker notes in the email, “Do not try to contact me or find me, it is impossible, since I sent you an email from your account.”
While scary, the attacker does not have access to the user’s email account. The From field has been spoofed. This is actually straightforward with a Unix computer set up with mail services. Mass emails can be sent out using the same email address in the From field as the Address field, giving the impression that the messages have been sent from the users’ accounts.
The hacker notes that this is not his/her usual modus operandi. “You are not my only victim, I usually lock computers and ask for a ransom. But I was struck by the sites of intimate content that you often visit.” That will be a particular worry for some users.
To prevent distribution of the video, the user must pay $892 in Bitcoin to the specified address and many email recipients have chosen to pay to avoid exposure. The Bitcoin wallet used for the scam has received 450 payments totaling 6.31131431 BTC – around $27,980. Multiple Bitcoin wallets are often used by scammers, so the actual total is likely to be far higher.
Bypassing of Office 365 Anti-Phishing Defenses a Cause for Concern
This scam may not have any direct impact on a business, as no credentials are compromised, and malware is not installed; however, what is of concern is how the messages have bypassed Office 365 phishing defenses and are arriving in inboxes. The scam was first identified in late September and the messages continued to be delivered to Office 365 inboxes, even those with Advanced Threat Protection that companies pay extra for to provide greater protection against spam and phishing emails.
This is of course just one scam. Others have similarly breached Office 365 anti-phishing defenses, many of which are much more malicious in nature and pose a very real and direct threat to businesses. Office 365 anti-phishing protections do block a lot of threats, and protection is improved with Advanced Threat Protection, but the controls are not particularly effective at blocking sophisticated phishing attempts and zero-day attacks.
The volume of phishing attacks on businesses that are now being conducted, the sophisticated nature of those attacks, and the high cost of mitigating a phishing attack and data breach mean businesses need to improve Office 365 anti-phishing defenses further. That requires a third-party spam solution.
For more than 20 years, TitanHQ has been developing security solutions to protect inboxes and block web-based attacks. During that time, our spam filtering solution, SpamTitan, has been gathering threat intelligence, analyzing spamming and phishing tactics, and protecting end users. Over the years, SpamTitan has receive many updates to improve protection against new threats and phishing tactics. Independent tests have shown SpamTitan now has a catch rate in excess of 99.9%.
The incorporation of a range of predictive techniques ensure SpamTitan is not reliant on signatures and can detect never-before seen phishing attempts and zero-day attacks, and provide superior protection against spam, phishing, malware, viruses, ransomware, and botnets for Office 365 users.
To better protect your email channel and keep your Office 365 inboxes threat free, contact TitanHQ today to schedule a full personalized demo of SpamTitan and to find out just how cost effective the solution is for SMBs and enterprises.
If you are using Umbrella and are finding the web filtering solution to be a drain of your time or your budget, consider making the switch from Umbrella to WebTitan.
Web Filtering Doesn’t Have to be Complicated
There are many factors that need to be considered when choosing a web filtering solution. Aside from allowing you to identify and block threats and control the content that can be accessed by network users, a web filter should be easy to configure and maintain.
To get the most benefit from your chosen solution, you will need to have all the information you need at your fingertips. You should be able to tweak settings, block/unblock sites, and get the reports you need on users that are attempting to, or succeeding in, accessing dangerous web content.
All too often, it is only when the solution is set up that the discovery is made that it is a pig to use. The information you need is not easily accessible and maintaining and managing the solution is headache inducing. However, it needn’t be that way.
Usability is one area where WebTitan excels. WebTitan is powerful, feature rich, yet simple to use. WebTitan can be used by anyone, regardless of their level of IT knowhow. The user interface is crisp, clean, and provides all the important information in one place.
Complex interfaces mean more time is spent making minor changes and accessing reports, which takes time away from more important tasks. Further, if Your IT team hates using a solution, they will spend as little time as possible using it, and that could jeopardize security.
That is exactly what was happening with Saint Joseph Seminary College, which, after experiencing problems, made the switch from Cisco Umbrella to WebTitan.
Benefits of Switching from Umbrella to WebTitan: A Case Study
Web filter usability was a key issue for Saint Joseph Seminary College, which had been using Cisco Umbrella to control the web content staff and students could access. While Umbrella did allow content controls to be applied, using the solution was time consuming and difficult. Finding information, generating reports, and changing settings was just taking too much time. So much time that IT department avoided using the solution as far as possible. Hardly an ideal situation for such an important college cybersecurity control.
“I prefer an interface to be simple while giving me as much information as possible in one place. I don’t need rounded corners and elegant fonts when I am trying to see who has been visiting dangerous websites. I need to clearly see domain names and internal IPs,” explained Saint Joseph’s IT Director, Todd Russell. Russell went on to explain that it wasn’t always that way. “In my opinion, after Cisco bought OpenDNS, they made some major changes to the UI which made it virtually useless for quickly looking through blocked traffic for signs of particular types of usage.”
This is sadly a common problem. In an attempt to cram in as many features as possible into a user interface, too little consideration is given to the people that have to use and manage the solution. For busy IT departments, it is important to make things as simple as possible. Sysadmins have more than their fair share of complexity as it is.
It was the complexity of Umbrella – and the cost – that led Saint Joseph’s to see an Umbrella alternative.
An Easy to Use, More Cost-Effective Alternative to Umbrella
When looking for an Umbrella alternative, several solutions were considered; however, TitanHQ’s feature-rich web filter, WebTitan, stood out from the crowd and warranted closer inspection.
“It didn’t take long to realize that WebTitan was the best alternative for an efficient, cost-effective, and easy to use filtering solution to replace Cisco Umbrella,” explained Russell.
WebTitan has been developed with usability at the heart of the design process. Before UI changes are made, they are extensively tested to make sure they do not negatively impact the user experience.
After switching from Umbrella to WebTitan, the benefit was immediately gained. The IT department had easy access to actionable insights into threat traffic and web activity. Reports could be generated and viewed with two clicks of the mouse, The IT department liked using the solution, and further, an enormous amount of time was saved, and costs were slashed.
“WebTitan immediately gave us visibility into our users’ traffic. Within days, the UI allowed us to see clear signals of dangerous activity. Thanks to the easily accessible and understandable data available on the WebTitan UI, we have been able to launch investigations more quickly and work on remediation.” Said Russell. “The whole experience with WebTitan has been terrific.”
Benefits Gained from the Switch from Umbrella to WebTitan
By changing from Umbrella to WebTitan, Saint Joseph’s was able to:
Have easy access to actionable insights on threats and web activity
Remediate issues far more quickly
Quickly generate basic and advanced reports
Secure data and users more effectively
Slash administration and remediation time
Reduce the cost of web security by 50%
Block thousands more threats per hour
Time to Change from Umbrella to WebTitan?
If you want to gain the above benefits, it could not be simpler. Contact the TitanHQ team to schedule a product demonstration to see just how easier WebTitan is to use. You can also trial WebTitan before you make a decision to confirm the benefits for yourself. You will get access to the full product in the trial, assistance will be provided to get you up and running, and full support is available through out the trial period.
Why is DNS filtering for MSPs so important? Find out how you can better protect your clients against web-based attacks and the MSP benefits of offering this easy to implement cybersecurity solution.
A recent survey conducted by Spiceworks has revealed that DNS filtering is now considered an essential element of cybersecurity defenses at the majority of large firms. A survey was conducted on companies with more than 1,000 employees which revealed 90% of those firms are using a solution such as a DNS filter to restrict access to the internet to protect against malware and ransomware attacks.
89% of firms use DNS filters or other web filtering technology to improve productivity by blocking access to sites such as social media platforms, 84% of firms block access to inappropriate websites, and 66% use the technology to avoid legal issues.
Given the risk of a malware or ransomware download over the Internet and the high cost of mitigating such an attack, it is no surprise that so many large firms are using web filtering technology to reduce risk.
Why DNS Filtering is so Important for SMBs
Phishing attacks and ransomware/malware downloads are major risks for large businesses, but SMBs face the same threats. SMBs are also less likely to have the resources to cover the cost of such an attack. For example, the average cost of a ransomware attack on an SMB is $46,800, according to Datto, and many SMBs fold within 6 months of experiencing a data breach.
DNS filtering is an important control to prevent malware and ransomware attacks over the Internet, both by blocking downloads and preventing employees from visiting malicious websites where malware is downloaded. Web filters are also essential as part of phishing defenses.
According to the Spiceworks survey, 38% of organizations have experienced at least one security incident as a result of employee Internet activity. By restricting access to certain categories of website and blocking known malicious websites, SMBs will be much better protected against costly attacks.
Add to that the amount of time that is lost to casual internet surfing and web filtering is a no-brainer. 28% of employees waste more than 4 hours a week on websites unrelated to their work, but the percentages rise to 45% in mid-sized businesses and 51% of employees in small businesses.
There is no latency with DNS filtering, plus controls can be implemented to restrict certain bandwidth heavy activities to improve network performance.
DNS Filtering for MSPs – The Ideal Web Filtering Solution
DNS web filtering is a low-cost cybersecurity solution that actually pays for itself in terms of the productivity gains and the blocking of cyber threats that would otherwise lead to data breaches. Further, in contrast to appliance-based web filters, DNS filtering requires no hardware purchases or software installations which means no site visits are required. DNS filtering can be set up for clients remotely in a matter of minutes.
DNS filtering is ideal for MSPs as it is hardware and software independent. It doesn’t matter what devices and operating systems your clients have because DNS filtering simply forwards web traffic to a cloud-based filter without the need to install any clients or agents on servers or end points.
TitanHQ’s DNS filtering for MSPs has a low management overhead, so there is little in the way of ongoing maintenance required. A full suite of customizable reports can be automatically generated and sent to clients to show them what threats have been blocked, and who in the organization has been trying to access restricted content, and the employees who are the biggest drain on network performance.
MSPs can easily add in web filtering to existing security packages to provide greater value or offer web filtering as an add-on service to generate extra, recurring monthly revenue and attract more business.
If you are yet to offer web filtering to your clients, call TitanHQ today for more information on our DNS filtering for MSPs and for further information on the MSP Program program.
One of the ways that threat actors install malware is through malvertising – The placing of malicious adverts on legitimate websites that direct visitors to websites where malware is downloaded. The HookAds malvertising campaign is one such example and the threat actors behind the campaign have been particularly active of late.
The HookAds malvertising campaign has one purpose. To direct people to a website hosting the Fallout exploit kit. An exploit kit is malicious code that runs when a visitor lands on a web page. The visitor’s computer is probed to determine whether there are any vulnerabilities – unpatched software – that can be exploited to silently install files.
In the case of the Fallout exploit kit, users’ devices are checked for several known Windows vulnerabilities. If one is identified, it is exploited and a malicious payload is downloaded. Several malware variants are currently being delivered via Fallout, including information stealers, banking Trojans, and ransomware.
According to threat analyst nao_sec, two separate HookAds malvertising campaigns have been detected: One is being used to deliver the DanaBot banking Trojan and the other is delivering two malware payloads – The Nocturnal information stealer and GlobeImposter ransomware via the Fallout exploit kit.
Exploit kits can only be used to deliver malware to unpatched devices, so businesses will only be at risk of this web-based attack vector if they are not 100% up to date with their patching. Unfortunately, many businesses are slow to apply patches and exploits for new vulnerabilities are frequently uploaded to EKs such as Fallout. Consequently, a security solution is needed to block this attack vector.
HookAds Malvertising Campaign Highlights Importance of a Web Filter
The threat actors behind the HookAds malvertising campaign are taking advantage of the low prices offered for advertising blocks on websites by low quality ad networks – Those often used by owners of online gaming websites, adult sites, and other types of websites that should not be accessed by employees. While the site owners themselves are not actively engaging with the threat actors behind the campaign, the malicious adverts are still served on their websites along with legitimate ads. Fortunately, there is an easy solution that blocks EK activity: A web filter.
TitanHQ has developed WebTitan to allow businesses to carefully control employee Internet access. Once WebTitan has been installed – a quick and easy process that takes just a few minutes – the solution can be configured to quickly enforce acceptable Internet usage policies. Content can be blocked by category with a click of the mouse.
Access to websites containing adult and other NSFW content can be quickly and easily blocked. If an employee attempts to visit a category of website that is blocked by the filter, they will be redirected to a customizable block screen and will be informed why access has been prohibited.
WebTitan ensures that employees cannot access ‘risky’ websites where malware can be downloaded and blocks access to productivity draining websites, illegal web content, and other sites that have no work purpose.
Key Benefits of WebTitan
Listed below are some of the key benefits of WebTitan
No hardware purchases required to run the web filter
No software downloads are necessary
Internet filtering settings can be configured in minutes
Category-based filters allow acceptable Internet usage policies to be quickly applied
An intuitive, easy-to-use web-based interface requires no technical skill to use
No patching required
WebTitan Cloud can be applied with impact on Internet speed
No restriction on devices or bandwidth
WebTitan is highly scalable
WebTitan protects office staff and remote workers
WebTitan Cloud includes a full suite of pre-configured and customizable reports
Reports can be scheduled and instant email alerts generated
Suitable for use with static and dynamic IP addresses
White label versions can be supplied for use by MSPs
Multiple hosting options are available
WebTitan Cloud can be used to protect wired and wireless networks
For further information on WebTitan, for details of pricing, to book a product demonstration, or register for a free trial, contact the TitanHQ team today.
Further information on WebTitan is provided in the video below:
Hackers are targeting healthcare organizations, educational institutions, hotels, and organizations in the financial sector, but restaurants are also in hackers’ cross-hairs. If restaurant cybersecurity solutions are not deployed and security vulnerabilities are not addressed, it will only be a matter of time before hackers take advantage.
Cyberattacks on restaurants can be extremely profitable for hackers. Busy restaurant chains process hundreds of credit card transactions a day. If a hacker can gain access to POS systems and install malware, customer’s credit card details can be silently stolen.
Cheddar’s Scratch Kitchen, Applebee’s, PDQ, Chili’s, B&BHG, Zaxby’s, Zippy’s, Chipotle, and Darden restaurants have all discovered hackers have bypassed restaurant cybersecurity protections and have gained access to the credit card numbers of large numbers of customers.
One of the biggest threats from a data breach is damage to a restaurant’s reputation. The cyberattack and data breach at Chipotle saw the brand devalued by around $400 million.
A restaurant data breach can result in considerable loss of customers and a major fall in revenue. According to a study by Gemalto, 70% of the 10,000 consumers surveyed said that they would stop doing business with a brand if the company suffered a data breach. Most restaurants would not be able to recover from such a loss.
Restaurant Cybersecurity Threats
Listed below are some of the common restaurant cybersecurity threats – Ways that hackers gain access to sensitive information such as customers’ credit card numbers.
The primary goal of most restaurant cyberattacks is to gain access to customers’ credit card information. One of the most common ways that is achieved is through malware. Malicious software is installed on POS devices to silently record credit card details when customers pay. The card numbers are then sent to the attacker’s server over the Internet.
Phishing is a type of social engineering attack in which employees are fooled into disclosing their login credentials and other sensitive information. Phishing emails are sent to employees which direct them to a website where credentials are harvested. Phishing emails are also used to install malware through downloaders hidden in file attachments.
Whenever an employee or a customer accesses the Internet they will be exposed to a wide range of web-based threats. Websites can harbor malware which is silently downloaded onto devices.
Restaurants often have Wi-Fi access points that are used by employees and guests. If these access points are not secured, it gives hackers an opportunity to conduct attacks and gain access to the restaurant network, install malware, intercept web traffic, and steal sensitive information.
Restaurant Cybersecurity Tips
Listed below are some of the steps you should take to protect your customers and make it harder for hackers to gain access to your systems and data.
Conduct a risk analysis to identify all vulnerabilities that could potentially be exploited to gain access to networks and customer data
Develop a risk management plan to address all vulnerabilities identified during the risk assessment
Ensure all software and operating systems are kept up to date and are promptly patched
Become PCI compliant – All tools used to accept payments must comply with PCI standards
Implement security controls on your website to ensure customers can use it securely. Sensitive data such as loyalty program information must be protected.
Ensure you implement multi-factor authentication on all accounts to protect systems in case credentials are compromised
Ensure all default passwords are changed and strong, unique passwords are set
Ensure all sensitive data are encrypted at rest and in transit
Secure Wi-Fi networks with a web filter to block malware downloads and web-based threats
Implement a spam filter to block phishing attempts and malware
Provide cybersecurity training to staff to ensure they can recognize the common restaurant cybersecurity threats
Restaurant Cybersecurity Solutions from TitanHQ
TitanHQ has developed two cybersecurity solutions that can be implemented by restaurants to block the main attack vectors used by hackers. SpamTitan is a powerful email security solution that prevents spam and malicious emails from reaching end users’ inboxes.
WebTitan is a cloud-based web filtering solution that prevents staff and customers from downloading malware and visiting phishing websites. In addition to blocking web-based attacks, WebTitan allows restaurants to prevent customers from accessing illegal and unsuitable web content to create a family-friendly Wi-Fi zone.
Both solutions can be set up in a matter of minutes on existing hardware and require no software downloads.
To find out more about TitanHQ’s restaurant cybersecurity solutions, call the TitanHQ sales team today.
TitanHQ has expanded its partnership with Z Services, the leading SaaS provider of cloud-based cybersecurity solutions in the MENA region.
UAE-based Z Services operates 17 secure data centers in the UAE, Saudi Arabia, Qatar, Egypt, Jordan, Kuwait, Oman, Bahrain, and Morocco and is the only company in the Middle East and North Africa to offer an in-country multi-tenant cloud-based cybersecurity architecture.
In February 2017, Z Services partnered with TitanHQ and integrated TitanHQ’s award-winning email filtering technology into its service stack and started offering SpamTitan-powered Z Services Anti-Spam SaaS to its clients. TitanHQ’s email filtering technology now helps Z Services’ clients filter out spam email and protect against sophisticated email-based threats such as malware, viruses, botnets, ransomware, phishing and spear phishing.
The integration has proved to be a huge success for Z Services, so much so that the firm has now taken its partnership with TitanHQ a step further and has integrated two new TitanHQ-powered SaaS solutions into its service stack. TitanHQ’s award-winning web filtering technology – WebTitan – and its innovative email archiving solution – ArcTitan have both been incorporated into Z Services’ MERALE SaaS offering. MERALE is a suite of cybersecurity, threat protection, and compliance solutions specifically developed to meet the needs of small to medium sized enterprises.
“With cybersecurity growing as a critical business concern across the region, there is a clear need to make security an operational rather than a capital expense. Hence the paradigm shift in the delivery of effective security solutions from the traditional investment and delivery model to an agile SaaS model through the primary connectivity provider of SMEs – the ISPs,” said Nidal Taha, President – Middle East and North Africa, Z Services. “MERALE will be a game-changer in how small and medium businesses in the region ensure their protection, and as a subscription-based service, it removes the need for heavy investments and long-term commitments.”
“We are delighted to continue our successful partnership with Z Services and share their vision for serving the SME segment with leading edge SaaS based security solutions,” said Ronan Kavanagh, CEO of TitanHQ. “With this development Z Services is strengthening its leadership position as an innovative cloud-based cybersecurity solutions provider in the Middle East and North Africa.”
TitanHQ’s cloud-based cybersecurity solutions have been developed from the ground up specifically to meet the needs of Managed Service Providers. The email filtering, web filtering, and email archiving solutions are currently being used by more than 7,500 businesses around the world and more than 1,500 MSPs are now offering TitanHQ solutions to their clients.
In contrast to many cybersecurity solution providers, TitanHQ offers its products with a range of hosting options – including within an MSP’s own infrastructure – as full white label solutions ready for MSPs to apply their own branding. By protecting clients with TitanHQ solutions MSPs are able to significantly reduce support and engineering costs by blocking a wide range of cyber threats at source. MSPs also benefit from generous margins and industry-leading customer service and support.
If you are a managed service provider and have yet to incorporate email filtering, web filtering, and email archiving solutions into your service stack, if you are unhappy with your current providers, or are looking to increase profits while ensuring your clients have the best protection against email and web-based threats, contact TitanHQ today for further information.
DNS filtering for businesses is essential for all companies to protect against web-based threats such as phishing and malware and is particularly important for any business that allows employees to work remotely. In this post we explain the risks, features, and benefits of DNS filtering and how a DNS filter can protect employees and their portable devices from Wi-Fi threats.
Why is DNS Filtering for Businesses so Important?
DNS filtering for businesses can no longer be considered an optional cybersecurity solution due to the high risk of web-based attacks. Phishing attacks on businesses are increasing with many thousands of new phishing web pages created each day. Exploit kits probe for vulnerabilities and silently download malware, and ransomware attacks are rife. DNS filtering for businesses offers an additional layer of protection that prevents employees from visiting websites known to be used for malicious purposes.
DNS filters also allow businesses to enforce acceptable Internet usage policies and block access to illegal website content, websites containing content unsuitable for the workplace and categories of sites that are a major drain on productivity.
It is easy to set up DNS filtering for businesses’ internal networks and apply content controls and block online threats; however, a DNS filter is not restricted to one physical location. DNS filtering for businesses is not bound to a single location and works on wired networks, internal WiFi networks and even public WiFi hotspots.
The Dangers of Public WiFi Networks
A recent survey conducted by Purple revealed more than 90% of businesses that offer Wi-Fi have open networks without any filters or security applied. Connecting to open Wi-Fi networks without any filtering controls in place increases the risk of virus, malware, and ransomware downloads.
To a certain extent, risk can be reduced if anti-malware software is installed on mobile devices. However, the software is only capable of detecting malware variants if their signatures are in the database. If the database is out of date, malware will not be detected. Anti-malware software also does not provide protection against zero-day malware – new malware variants that have yet to be identified – and offers no protection against phishing attacks.
Further, hackers take advantage of open Wi-Fi networks to conduct man-in-the-middle attacks to intercept sensitive data such as banking credentials and other login information. Mobile workers often connect to their work networks and on portable devices via open Wi-Fi networks such as those offered in coffee shops, even though doing so may be a violation of company policy.
DNS Filtering for Businesses Protects Off-Site Workers from Wi-Fi Threats
A business that issues mobile devices such as smartphones, tablets or laptops to employees can struggle to secure those devices outside the office. DNS filtering for businesses is one solution that can be used to improve security.
DNS filtering solves the security challenge as it acts as a barrier between the end user’s device and the Internet that blocks web-based threats. When a remote worker uses their laptop to connect the Internet through a web browser, a DNS lookup must be performed. Before the website can be loaded it must be found. That requires the fully qualified domain name (FQDN) – google.com for instance – to be matched with an IP address by a DNS server. Only then can the content be displayed.
With DNS filtering, instead of the IP address being identified and the web browser displaying the content of a web page, before any content is displayed certain checks are performed. The requested site/web page is checked against Real Time Blacklists (RBLs). RBLs contain lists of websites and web pages that host illegal web content, are used for phishing, or host malware or exploit kits. Content controls are also applied. If content violates corporate policies or a match is found in an RBL, the content will not be downloaded. Instead the user will be directed to a block page where they are informed that access to the web page/site has been blocked.
Any business that fails to implement DNS filtering is taking a significant risk if workers can use company-issued smartphones and laptops to access the Internet and web applications outside the protection of the office environment.
WebTitan Cloud – DNS Filtering for Businesses Made Simple
TitanHQ offers DNS filtering for businesses and MSPs through WebTitan Cloud and WebTitan Cloud for Wi-Fi. WebTitan requires no software downloads or hardware purchases and can be used to protect wired and wireless business networks and remote workers using portable devices on public Wi-Fi hotspots.
WebTitan uses six Real Time Blacklists that are constantly updated with new malicious webpages. Any request to access a web page must pass checks on all six RBLs before the URL can be accessed. These checks are performed with no latency – the speed of accessing web content is unaffected.
Once businesses are signed up they can quickly and easily configure the solution to match their requirements through a web-based interface, through which content controls can be applied. WebTitan uses 53 different categories of web-content and has 10 customizable categories. Those categories include 100% of Alexa’s 1 million most visited websites and more than 500 million websites in 200 languages – which equates to 6 billion web pages.
The solution supports whitelists – for companies that want maximum control – and additional blacklists. It is also easy to set custom controls for different workers and user groups, as well as apply controls at the organization level.
An extensive suite of reporting options keeps businesses 100% up to date on user behavior, including sites that have been visited and attempts by employees to access restricted web content.
In short, WebTitan is an invaluable tool that provides protection from web-based threats and allows businesses to have total control over the content that can be accessed on desktop computers and portable devices, regardless of where the employee is located.
Contact TitanHQ for a Product Demonstration and No-Obligation Free Trial
If you are not yet using DNS filtering to block web-based threats and exercise control over the content your employees can access, contact the TitanHQ team today. TitanHQ’s experienced sales staff will answer your questions, provide details of pricing, and can book you in for a product demonstration.
You can also sign up for a 14-day free trial to evaluate WebTitan in your own environment. The free trial includes full use of the product and experienced sales engineers are on hand to help make sure you get the most out of your free trial.
TitanHQ has announced that the leading satellite operator EutelSat is now protecting its corporate and guest Wi-Fi networks with WebTitan Cloud for Wi-Fi.
Eutelsat is one of the world’s leading satellite operators and provides video, data, broadband, and government services through its high-performance satellites. The company is the leading satellite operator in more than 150 countries throughout Europe, Africa, and the Middle East and employs more than 1,000 commercial and technical staff in 44 countries around the globe.
With so many staff members able to access the Internet at work through company Wi-Fi hotspots, it is essential that cybersecurity solutions are deployed to block access to malicious websites where cybercriminals can phish for sensitive information or malware and ransomware downloads can occur.
In order to protect against these threats, companies need to deploy a powerful and flexible web filtering solution. Eutelsat chose WebTitan Cloud for Wi-Fi – The leading Wi-Fi web filtering solution for enterprises. WebTitan Cloud for Wi-Fi has enabled Eutelsat to crease a safe and secure online environment for all users of its Wi-Fi access points.
With WebTitan Cloud for Wi-Fi deployed, employees are prevented from accessing inappropriate website content and access to websites known to be used for phishing or drive-by malware downloads are blocked.
Naturally different user groups require different levels of content control. Since WebTitan Cloud for Wi-Fi integrates with Active Directory, it is easy for different levels of filtering to be applied by department, user group or individual, in addition to organization-wide controls.
“TitanHQ continues to expand its customer base with the ongoing addition of new customers across multiple industries,” explained TitanHQ CEO Ronan Kavanagh. “Our current levels of achievement and growth, including what we’ve seen in the past six months, prove that companies are recognizing the value of our commitment to Wi-Fi security across our offerings and our customer-first culture. We are extremely excited to see what 2019 will bring for both our newly signed customers and our existing client base.”
If you are interested in securing your wired or wireless networks and blocking access to undesirable and malicious web content, contact the TitanHQ team today for details of pricing, to book a product demonstration, or to sign up for a free trial to see WebTitan in action.
Business and leisure travelers looking for secure hotel Wi-Fi access in addition to fast and reliable Internet access. If you take steps to secure hotel WiFi access points, you can gain a significant competitive advantage.
The Importance of Hotel Wi-Fi to Guests
The number one hotel amenity that most travelers can simply not do without is fast, free, reliable, Internet access. In 2013, a joint study conducted by Forrester Research and Hotels.com revealed that 9 out of ten gusts rated Wi-Fi as the top hotel amenity. 34% of respondents to the survey said free Wi-Fi was a ‘deal breaker.’ Now four years on, those percentages will certainly have increased.
Wi-Fi access is essential for business travelers as they need to be able to stay in touch with the office and be able to communicate with their customers. Leisure travelers need free Internet access to keep in touch with friends, look up local attractions, and enjoy cheap entertainment in the comfort of their rooms. Younger travelers need constant access to social media accounts and online games such as Fortnite as they get at home.
It doesn’t matter whether you run a small family bed and breakfast or a large chain of hotels, Wi-Fi access for guests is essential. Any hotel that doesn’t have reliable and fast Wi-Fi will lose business to establishments that do.
It is now easy for potential guests to check if an establishment has Wi-Fi and even find out about the speed and reliability of the connection. The hotelwifitest.com website lets travelers check the speed of Internet access in hotels before booking.
Guests don’t post rave reviews based on the speed of Internet connections, but they will certainly make it known if Internet access is poor or nonexistent. Many of the negative comments on hotel booking websites and TripAdvisor are related to Wi-Fi. Put simply, you will not get anywhere near the same level of occupancy if your Wi-Fi network isn’t up to scratch.
Secure Hotel Wi-Fi is Now as Important as Offering Wi-Fi to Guests
Businesses are now directing a considerable percentage of their IT budgets to cybersecurity to prevent hackers from gaining access to their networks and sensitive data. Securing internal systems is relatively straightforward, but when employees have to travel for work and access networks remotely, hackers can take advantage.
When employees must travel for business, their hotel is often the only place where they can connect to the office network and their email. They need to know that they can login securely from the hotel and that doing so will not result in the theft of their credentials or a malware infection. A hotel will be failing its business customers if it does not offer safe and secure Wi-Fi access.
All it takes is for one malware infection or cyberattack to occur while connected to a hotel Wi-Fi network for the reputation of the hotel to be tarnished. Hotels really cannot afford to take any risks.
Multiple Levels of Wi-Fi Access Should be Offered
Parents staying in hotels will want to make sure that their children can access the Internet safely and securely and will not accidentally or deliberately be able to gain access to age-inappropriate websites. If a hotel claims to be family-friendly, that must also extend to the Wi-Fi network. Any hotel that fails to prevent minors from accessing obscene images while connected to hotel Wi-Fi cannot claim it is family-friendly.
Hotels can offer Wi-Fi access for families that blocks adult websites and anonymizers, which are commonly used to bypass filtering controls. Safe Search can also be enforced, but not all users will want that level of control.
To cater to the needs of all guests, different levels of Wi-Fi access are likely to be required. Some guests will want to be able to access the types of websites they do at home without restrictions and business travelers will certainly not want anonymizers to be blocked. Some customers insist on the use of VPNs when employees connect to their business network or email.
Hotels that implement a web filtering solution can easily create different tiers of Internet access. One for families and a less restrictive level for other users. Free internet access could be limited to a basic level that includes general web and email access but blocks access to video streaming services such as YouTube and Netflix. Those services could be offered as part of a low-cost Wi-Fi package to generate some extra revenue. These tiers can easily be created with a web filtering solution.
How to Easily Secure Hotel Wi-Fi
Offering secure hotel Wi-Fi to guests does not require expensive hardware to be purchased. While appliance-based web filters are used by many businesses, there is a much lower cost option that is better suited for hotel use.
A cloud-based web filter for Wi-Fi – such as WebTitan for Wi-Fi -is the easiest to implement secure hotel Wi-Fi solution. With WebTitan Cloud for Wi-Fi, your Wi-Fi network can be secured with just a simple change to your DNS records. No hardware is required and there is no need to install any software. One solution will protect all Wi-Fi access points and can be up and running in a matter of minutes. There is no limit on the number of access points that can be protected by WebTitan Cloud for Wi-Fi.
Once your DNS is pointed to WebTitan, you can apply your content controls – which is as simple as clicking on a few checkboxes to block categories of web content that your guests shouldn’t be allowed to access.
You can create multiple accounts with different controls – one for business users, one for families, and one for employees for example. No training is required to administer the solution as it has been developed to require no technical skill whatsoever. All of the complex elements of web filtering are handled by TitanHQ.
If you run a hotel and you are not currently filtering the internet, talk to TitanHQ about how you can your secure your hotel Wi-Fi access points, protect your guests, and ensure all users can access the Internet safely and securely.
An IT security audit conducted by the U.S. Geological Survey (USGS) at its Earth Resources Observation and Science Center has highlighted the importance of implementing technical solutions to control employee internet use.
Most organizations and businesses have strict rules covering acceptable use of the Internet on work computers. Those rules are usually explained when a new employee starts work. A document must be signed that confirms that the Rules have been understood and the employee is aware of the repercussions if the rules are violated.
For many organizations and businesses, those measures are deemed to be sufficient. Most employees understand the rules and adhere to them, but even though rule violations will likely result in termination, some employees take the risk as they believe they will not be caught.
During a recent USGS IT security audit, suspicious Internet traffic was identified. The discovery prompted an investigation by the U.S. Department of the Interior Office of Inspector General (OIG) to determine the source of the suspicious traffic.
The OIG investigation revealed malware had been installed on an employee’s computer and that the malware was the source of the suspicious communications. Further investigation revealed the employee had been routinely visiting adult websites, which routed through Russian websites that hosted malware. As a result of visiting those websites, the employee had inadvertently downloaded malware onto the work computer. Pornographic images had been downloaded, which were then transferred to an Android mobile and portable USB drive. The mobile was similarly infected with malware.
The employee was discovered to have viewed over 9,000 adult websites, even though USGS Rules of Behavior had been explained and a document was signed confirming those rules had been understood. Annual security training had also been provided in which the Rules of Behavior were reinforced.
Had USGS implemented a technical solution to control employee internet use and enforce its Rules of Behavior, the malware infection would have been avoided.
OIG made several recommendations to prevent future malware infections and similar abuses of its Rules of Behavior, which included enforcing a strong blacklist of URLs and to regularly monitor employee Internet use. Additionally, it was recommended that USGS implement controls that prevent employees from using unauthorized USB devices on their work computers.
In addition to implementing an advanced intrusion detection system and firewall, USGS is now enhancing its preventative countermeasures by detecting and blocking known pornographic websites and other websites with suspicious origins.
This is not the first time that the U.S. government has discovered employees have accessed pornography at work and it certainly will not be the last.
The problem is believed to be so widespread that Rep. Mark Meadows (R-NC11) proposed the Eliminating Pornography from Agencies Act on three occasions. The Act was prompted by the discovery that an Environmental Protection Agency had been accessing pornography at work. In that case, the employee had viewed pornography for 252 hours in a single year without detection.
The Easy Way to Control Employee Internet Use and Block Web-Based Threats
These cases show that organizations and businesses that rely on internal policies to control employee internet use are taking a considerable risk. It is not just the visiting of adult websites that carries an increased risk of malware infections. Malware can be downloaded from an extensive range of websites, even seemingly ‘legitimate’ sites.
Only by implementing a web filtering solution to control employee internet use will organizations and businesses be able to effectively reduce risk. A web filter is an appliance, virtual appliance, or cloud-based solution that prevents employees from accessing website content that violates acceptable Internet usage policies and blocks the accessing of websites that are known to be used for malicious purposes or have been infected with malware and exploit kits.
Control Employee Internet Use with WebTitan
WebTitan is a lightweight but powerful web filtering solution that allows organizations and businesses to carefully control employee internet use and block access to websites known to host pornography and other unsuitable for work content. A comprehensive reporting suite also allows employee internet use to be carefully monitored, including attempts to view prohibited content even if those attempts are not successful.
WebTitan can be deployed as a gateway solution on existing hardware or hypervisors or as a cloud-based solution hosted on TitanHQ servers. The solution is quick and easy to implement and configure and can be up and running in a matter of minutes. In addition to category-based filtering controls, the solution can block by keyword or keyword score and supports whitelists and blacklists.
If you want to control employee internet use and manage risk, call TitanHQ today for further information on WebTitan and find out how it can reduce the risk from web-based threats at your place of work.
A new ransomware threat has been detected called FilesLocker which is currently being offered as ransomware-as-a-service (RaaS) on a TOR malware forum. FilesLocker ransomware is not a particularly sophisticated ransomware variant, but it still poses a significant threat.
FilesLocker ransomware is a dual language ransomware variant that displays ransom notes in both Chinese and English. MalwareHunterTeam has identified a Chinese forum on TOR where it is being offered to affiliates to distribute for a cut of the ransom payments.
Unless advertised more widely, the number of affiliates that sign up may be limited, although it may prove popular. There are several features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will increase to 75% if sufficiently high numbers of infections can be generated.
While relatively small and simple, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it deletes Windows shadow copies to hamper attempts to recover files without paying the ransom. FilesLocker is also capable of file encryption in a broken network environment.
No server is required and the ransomware is effective on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Users are also able to easily monitor infections through a tracking feature which displays infections by country.
There is no free decryptor for FilesLocker ransomware. Recovery will only be possible by restoring files from backups.
While news of a new RaaS offering is never good, there has at least been some good news on the ransomware front this week, at least for some victims.
Free Decryptor Developed for GandCrab Ransomware
GandCrab ransomware is another RaaS offering that has been available since January 2018. It has been widely adopted, with many affiliates signing up to distribute the ransomware over the past 10 months.
A GandCrab ransomware decryptor was developed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were leaked online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been several further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.
This week, Bitdefender has announced that after collaboration with the Romanian Police, Europol and other law enforcement agencies, a new decryption tool has been developed that allows GandCrab ransomware victims to decrypt files for free, provided they have been attacked with version 1, 4, or 5 of the ransomware.
The version can be determined by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a random 10-character extension.
The free GandCrab ransomware decryptor has been uploaded to the NoMoreRansom Project website. Bitdefender is currently working on a free decryptor for v2 and v3 of GandCrab ransomware.
The past few months have seen an increase in new, versatile malware downloaders that gather a significant amount of data about users’ systems before deploying a malicious payload. That payload is determined on the users’ system.
Marap malware and Xbash are two notable recent examples. Marap malware fingerprints a system and is capable of downloading additional modules based on the findings of the initial reconnaissance. XBash also assesses the system, and determines whether it is best suited for cryptocurrency mining or a ransomware attack and deploys its payload accordingly.
Stealthy sLoad Downloader Used in Highly Targeted Attacks
A further versatile and stealthy malware variant, known as the sLoad downloader, can now be added to that list. SLoad first appeared in May 2018, so it predates both of the above malware variants, although its use has been growing.
The primary purpose of sLoad appears to be reconnaissance. Once downloaded onto a system, it will determine the location of the device based on the IP address and performs several checks to ascertain the type of system and the software that is running and will determine whether it is on a real device or in a sandbox environment. It checks the processes running on the system, compares against a hardcoded list, and will exit if certain security software is installed to avoid detection.
Provided the system is suitable, a full scan of all running processes will be performed. The sLoad downloader will search for Microsoft Outlook files, ICA files associated with Citrix, and other system information. sLoad is capable of taking screenshots and searches the browser history looking for specific banking domains. All of this information is then fed back to the attackers’ C2 server.
Once the system has been fingerprinted, further malware variants are downloaded, primarily banking Trojans. Geofencing is used extensively by the threat actors using sLoad which helps to ensure that banking Trojans are only downloaded onto systems where they are likely to be effective – If the victim uses one of the banks that the Trojan is targeting.
In most of the campaigns intercepted to date, the banking Trojan of choice has been Ramnit. The attacks have also been highly focused on specific countries including Canada, and latterly, Italy and the United Kingdom – Locations which are currently being targeted by Ramnit. Other malware variants associated with the sLoad downloader include the remote desktop tool DarkVNC, the Ursnif information stealer, DreamBot, and PsiBot.
The sLoad downloader is almost exclusively delivered via spam email, with the campaigns often containing personal information such as the target’s name and address. While there have been several email subjects used, most commonly the emails relate to purchase orders, shipping notifications, and missed packages.
The emails contain Word documents with malicious macros in ZIP files, or alternatively embedded hyperlinks which will download the ZIP file if clicked.
The sLoad downloader may be stealthy and versatile, but blocking the threat is possible with an advanced spam filter. End user training to condition employees never to click on hyperlinks from unknown senders nor open attachments or enable macros will also help to prevent infection. Web filtering solutions provide an additional layer of protection to block attempts to download malicious files from the Internet.
Find out why WiFi filters for coffee shops are so important and how the failure to filter the Internet could prove to be extremely harmful to your brand.
Serving the best coffee in town will certainly bring in the crowds, but there is more to a successful coffee shop than providing patrons with a morning jolt of caffeine and comfy chairs. Coffee is big business and there is stiff competition when it comes to providing jitter juice to the masses.
In addition to free newspapers, high quality flapjacks and a fine blend of beans, patrons look for the other necessity of modern life: Free Internet access. Establishments that offer free, reliable WiFi access with decent bandwidth stand a much better chance of attracting and retaining customers.
However, simply setting up a WiFi router is no longer enough. Coffee shops also need to make sure that the WiFi network that their customers connect to is safe and secure. Just as the provision of free WiFi can translate into positive TripAdvisor and Yelp reviews, coffee shops that fail to secure their connections and exercise control over the content that can be accessed can easily get the reverse. WiFi filters for coffee shops ensure that customers’ activities online can be carefully controlled.
Why Unfiltered WiFi Networks Can Result in Bad Reviews
It is important for all shops to ensure that their WiFi networks cannot be used for any illegal or unsavory activities. If a webpage is not suitable for work, it is not suitable for a coffee shop. While there all manner of sites that should be blocked with WiFi filters for coffee shops, one of the most important categories of content is Internet porn.
While enjoying a nice coffee, patrons should not be subjected to obscene videos, images or audio. All it takes is for one patron to catch a glimpse of porn on another customer’s screen to trigger a bad review. The situation would be even worse if a minor caught a glimpse or even deliberately accessed adult content while connected to the WiFi network. A bad TripAdvisor review could easily send potential customers straight to the competition and a social media post could all too easily go viral.
What are the chances of that happening? Well, it’s not just a hypothetical scenario, as Starbucks discovered. In 2011, Starbucks received a warning that minors had been subjected to obscene content in its coffee shops and the chain did little about the complaints. The following year, as the bad feedback continued, the story was picked up by the media.
The bad feedback mounted and there were many calls for the public to boycott Starbucks. In the UK, Baroness Massey announced to the House of Lords that she had boycotted the brand and heavily criticized the chain for failing to set an example. Naturally, competitors – Costa Coffee for example – were more than happy to point out that they had been proactive and already provided filtered Internet to prevent minors from accessing adult content on their WiFi networks.
It was not until 2016 when Starbucks took action and implemented WiFi filters for coffee shops in the UK and started providing family-friendly WiFi access. A chain the size of Starbucks could weather the bad press. Smaller coffee shops would no doubt fare far worse.
WiFi Filters for Coffee Shops are Not Only About Blocking Adult Content
WiFi filters for coffee shops are important for blocking obscene content, but that is far from the only threat to a brand. The Internet is home to all manner of malicious websites that are used to phish for sensitive information and spread malicious software such as malware and ransomware. WiFi filters for coffee shops can be used to carefully control the content that can be accessed by consumers, but they can also keep them protected from these malicious sites.
Just as users have safe search functionality on their home networks, they expect the same controls on public WiFi access points. Phishing attacks and malware infections while connected to coffee shop WiFi networks can also be damaging to a brand. With WiFi filters for coffee shops, instead of being phished, a user will be presented with a block screen that explains that the business has blocked access to a malicious site to keep them protected and that will send a positive message that you care about your customers.
Once WiFi filters for coffee shops have been implemented, it is possible to apply to be assessed under the government’s Friendly Wi-Fi scheme. That will allow a coffee shop to display the friendly WiFi symbol and alert potential customers that safe, secure, family-friendly filtered Internet access is provided.
WebTitan – TitanHQ’s Easy to Implement WiFi Filters for Coffee Shops
Fortunately, WiFi filters for coffee shops are not expensive or difficult to implement. If you use a cloud-based solution such as WebTitan Cloud for WiFi, you will not need to purchase any hardware or install any software. Your WiFi network can be secured in a matter of minutes. A simple change to point your DNS to WebTitan is all that is required (you can be talked through that process to get you up and running even faster).
Since the controls are highly granular, you can easily block any type of web content you wish with a click of a mouse, selecting the categories of content you don’t want your users to access through the web-based control panel. Malicious sites will automatically be blocked via constantly updated blacklists of known malicious and illegal web pages.
With WebTitan you are assured that customers cannot view adult and illegal content, you can block illegal file sharing, control streaming services to save bandwidth, and enforce safe search on Google and apply YouTube controls.
To find out more about the features and benefits of WebTitan, details of pricing, and to sign up for a demo and free trial, contact the TitanHQ team today.
The U.S. midterm elections have been attracting considerable attention, so it is no surprise that cybercriminals are taking advantage and are running a midterm elections SEO poisoning campaign. It was a similar story in the run up to the 2016 presidential elections and the World Cup. Whenever there is a major newsworthy event, there are always scammers poised to take advantage.
Thousands of midterm elections themed webpages have sprung up and have been indexed by the search engines, some of which are placing very highly in the organic results for high-traffic midterm election keyword phrases.
The aim of the campaign is not to influence the results of the midterm elections, but to take advantage of public interest and the huge number of searches related to the elections and to divert traffic to malicious websites.
What is SEO Poisoning?
The creation of malicious webpages and getting them ranked in the organic search engine results is referred to as search engine poisoning. Search engine optimization (SEO) techniques are used to promote webpages and convince search engine algorithms that the pages are newsworthy and relevant to specific search terms. Suspect SEO practices such as cloaking, keyword stuffing, and backlinking are used to fool search engine spiders into rating the webpages favorably.
The content on the pages appears extremely relevant to the search term to search engine bots that crawl the internet and index the pages; however, these pages do not always display the same content. Search engine spiders and bots see one type of content, human visitors will be displayed something entirely different. The scammers are able to differentiate human and bot visitors through different HTTP headers in the web requests. Real visitors are then either displayed different content or are redirected to malicious websites.
Midterm Elections SEO Poisoning Campaign Targeting 15,000+ Keywords
The midterm elections SEO poisoning campaign is being tracked by Zscaler, which notes that the scammers have managed to get multiple malicious pages ranking in the first page results for high traffic phrases such as “midterm elections.”
However, that is just the tip of the iceberg. The scammers are actually targeting more than 15,000 different midterm election keywords and are using more than 10,000 compromised websites in the campaign. More sites are being compromised and used in the campaign each day.
When a visitor arrives at one of these webpages from a search engine, they are redirected to one of many different webpages. Multiple redirects are often used before the visitor finally arrives at a particular landing page. Those landing pages include phishing forms to obtain sensitive information, host exploit kits that silently download malware, or are used for tech support scams and include various ruses to fool visitors into installing adware, spyware, cryptocurrency miners, ransomware or malicious browser extensions. In addition to scam sites, the campaign is also being used to generate traffic to political, religious and adult websites.
This midterms elections SEO poisoning campaign poses a significant threat to all Internet users, but especially businesses that do not control the content that can be accessed by their employees. In such cases, campaigns such as this can easily result in the theft of credentials or malware/ransomware infections, all of which can prove incredibly costly to resolve.
One easy-to-implement solution is a web filter such as WebTitan. WebTitan can be deployed in minutes and can be used to carefully control the content that can be accessed by employees. Blacklisted websites will be automatically blocked, malware downloads prevented, and malicious redirects to phishing websites and exploit kits stopped before any harm is caused.
For further information on the benefits of web filtering and details of WebTitan, contact the TitanHQ team today.
A new and improved version of Azorult malware has been identified. The latest version of the information stealer and malware downloader has already been used in attacks and is being distributed via the RIG exploit kit.
Azorult malware is primarily an information stealer which is used to obtain usernames and passwords, credit card numbers, and other information such as browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities added.
Azorult malware was first identified in 2016 by researchers at Proofpoint and has since been used in a large number of attacks via exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more commonly, malicious Word files containing malware downloaders.
Back in 2016, the malware variant was initially installed alongside the Chthonic banking Trojan, although subsequent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen multiple threat actors pair the information stealer with a secondary ransomware payload.
Campaigns have been detected using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the initial aim is to steal login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been obtained, the ransomware is activated, and a ransom payment is demanded to decrypted files.
A new version of the Azorult was released in July 2018 – version 3.2 – which contained significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have identified a new variant – version 3.3 – which has already been added to RIG. The new variant was released shortly after the source code for the previous version was leaked online.
The new variant uses a different method of encryption, has improved cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and an updated admin panel. The latest version has a lower detection rate by AV software ensuring more installations.
If your operating systems and software are kept fully patched and up to date you will be protected against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many companies are slow to apply patches, which need to be extensively tested. It is therefore strongly advisable to also deploy a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan prevents end users from visiting malicious websites such as those hosting exploit kits.
The latest version of Azorult malware was first listed for sale on October 4. It is highly probable that other threat actors will purchase the malware and distribute it via phishing emails, as was the case with previous versions. It is therefore strongly advisable to also implement an advanced spam filter and ensure that end users are trained how to recognize potentially malicious emails.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to provide secure internet access to all users connected the network.
The new technology providing enhanced protection against web-based threats while allowing administrators to carefully control the web content that can be accessed by employees and guest users.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar that will explain the new functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
The use of fake software updates to spread malware is nothing new, but a new malware campaign has been detected that is somewhat different. Fake Adobe Flash updates are being pushed that actually do update the user’s Flash version, albeit with an unwanted addition of the XMRig cryptocurrency miner on the side.
The campaign uses pop-up notifications that are an exact replica of the genuine notifications used by Adobe, advising the user that their Flash version needs to be updated. Clicking on the install button, as with the genuine notifications, will update users’ Flash to the latest version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. One installed, XMRig will run silently in the background, unbeknown to the user.
The campaign was detected by security researchers at Palo Alto Network’s Unit 42 team. The researchers identified several Windows executable files that started with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.
An analysis of network traffic during the infection process revealed most of the traffic was linked to updating Adobe Flash from an Adobe controlled domain, but that soon changed to traffic through a domain associated with installers known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.
Further analysis of the campaign revealed it has been running since mid-August, with activity increasing significantly in September when the fake Adobe Flash updates started to be distributed more heavily.
End users are unlikely to detect the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the speed of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it uses almost all of the computer’s CPU for cryptocurrency mining. Any user that checks Task Manager will see Explorer.exe hogging their CPU. As with most cryptocurrency miners, XMRig mines Monero. What is not currently known is which websites are distributing the fake Adobe Flash updates, or how traffic is being generated to those sites.
Any notification about a software update that pops up while browsing the internet should be treated as suspicious. The window should be closed, and the official website of that software provider should be visited to determine if an update is necessary. Software updates should only ever be downloaded from official websites, in the case of Adobe Flash, that is Adobe.com.
The Palo Alto researchers note “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
In May, security researchers at Proofpoint discovered a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was thought that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking credentials.
That campaign has continued, but in addition, campaigns have been identified in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was conducted targeting U.S. banks.
The DanaBot Trojan is a modular malware written in Delphi that is capable of downloading additional components to add various different functions.
The malware is capable of taking screenshots, stealing form data, and logging keystrokes in order to obtain banking credentials. That information is sent back to the attackers’ C2 server and is subsequently used to steal money from corporate bank accounts.
An analysis of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly suggests that the campaigns in each region are being conducted by different individuals and that the DanaBot Trojan is being offered as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates running campaigns. In total, there appears to currently be 9 individuals running distribution campaigns.
The country-specific campaigns are using different methods to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.
The U.S. campaign uses a fax notice lure with the emails appearing to come from the eFax service. The messages look professional and are complete with appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message.
Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.
Proofpoint’s analysis of the malware revealed similarities with the ransomware families Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.
The U.S. DanaBot campaign is targeting customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is likely that the campaigns will spread to other countries as more threat actors are signed up to use the malware.
Preventing attacks requires defense in depth against each of the attack vectors. An advanced spam filter is required to block malspam. Users of Office 365 should increase protection with a third-party spam filter such as SpamTitan to provide better protection against this threat. To prevent web-based attacks, a web filtering solution should be used. WebTitan can block attempts by end users to visit websites known to contain exploit kits and IPs that have previously been used for malicious purposes.
End users should also trained never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are genuine. Businesses in the United States should also consider warning their employees about fake eFax emails to raise awareness of the threat.
Its conference season and the TitanHQ team is hitting the road again. The TitanHQ team will be travelling far and wide and will be attending the major MSP industry events in the United States and Europe throughout October and November.
The conferences give new and current MSP partners the chance to meet the TitanHQ team face to face, get answers to questions, pick up tips and tricks to get the most out of TitanHQ products, and find out about the latest innovations for MSPs from TitanHQ.
Conference season kicks off with the third annual Kaseya Connect Europe Conference in Amsterdam (October 2-4) at the NH Collection Amsterdam Grand Hotel Krasnapolsky in Amsterdam. Kaseya is the leading provider of complete IT infrastructure management solutions for MSPs, offering best-in-class solutions to help MSPs efficiently manage and secure IT environments for their clients.
TitanHQ is an Emerald Sponsor for the event and will be showcasing its SpamTitan spam filtering and WebTitan web filtering solutions for MSPs. TitanHQ will be at booth 4 at the event, next to Datto and Bitdefender – both of which are TitanHQ partners.
Next stop for the TitanHQ tour bus is the CompTIA EMEA Member & Partner Conference at Etc. Venues County Hall on the south bank of the Thames in London (October 16-17). The Computing Technology Industry Association is the world’s leading tech association, providing education, training, certification, advocacy, philanthropy and market research. The conference brings together members and thought leaders from the entire tech industry with panel discussions, keynote speeches, and the latest news and advice about the key trends and topics impacting the tech industry.
TitanHQ is a key sponsor of the event and will be on hand give product demonstrations and explain about the opportunities that exist for MSPs to add web filtering, spam filtering, and email archiving services to their client offerings.
At the end of October, the TitanHQ team will be heading to sunny Spain for DattoCon18 at the Fairmont Rey Juan Carlos I in Barcelona (October 29-31). The conference is focused on helping business owners run their businesses more effectively through the use of Autotask + Datto solutions. There will be a host of educational sessions and keynote speeches at the event, with plenty of opportunities for networking. TitanHQ will be showcasing its security solutions for MSPs at the conference.
At the start of November, TitanHQ will be in attendance at the leading conference for the WiFi industry. The WiFi Now Europe conference is being held in Berlin ((November 6-8) at the Holiday Inn Berlin City-West. The event offers three full days dedicated to all things WiFi. Attendees will find out about key developments in WiFi and the latest industry trends, with opportunities to learn from industry experts, meet key industry influencers, and discover new business opportunities.
TitanHQ will be showcasing its WebTitan Cloud for WiFi solution at the event and will be explaining how MSPs can incorporate web filtering into their service stacks to provide greater value to their clients and improve their bottom lines
Next comes a quick hop across the Atlantic to the HTG Peer Groups Q4 conference in at the Omni Orlando Resort in Orlando, Florida (October 10-16). HTG is an international consulting, coaching and peer group organization that helps business by igniting personal, leadership, business and legacy transformation to get companies to achieve their full potential.
There will be a full program of events throughout the week including peer group meeting and opportunities for learning and building relationships. TitanHQ will be in attendance and will be showcasing its innovative business security solutions.
Summary of TitanHQ Conference Schedule 2018
October 2-4: Kaseya Connect Europe, Amsterdam, Netherlands. Booth #4
October 16-17: CompTia EMEA Member & Partner Conference; London, UK. Booth #28
October 29-31: DattoCon18, Barcelona, Spain.
November 6-8: WiFi Now, Berlin, Germany.
November 10-16: HTG Peer Groups Q4 Conference, Orlando, FL, USA.
A new version of GandCrab ransomware (GandCrab v5) has been released. GandCrab is a popular ransomware threat that is offered to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms payed by individuals they manage to infect.
GandCrab was first released in January 2018 and fast grew into one of the most widely used ransomware variants. In July it was named the top ransomware threat and is regularly updated by the authors.
There have been several changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also uses an HTML ransom note rather than dropping a txt file to the desktop.
Bitdefender released free decryptors for early versions of the ransomware, although steps were taken by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been developed.
Recovery from a GandCrab v5 infection will only be possible by paying the ransom – approximately $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a limited time for paying the ransom before the price to decrypt doubles. It is therefore essential that backups are created of all data and for those backup files to be checked to make sure files can be recovered in the event of disaster.
Since this ransomware variant is offered under the ransomware-as-a-service model, different vectors are used to distribute the ransomware by different threat actors. Previous versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.
Traffic is directed to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to provide an extra income stream.
Any user that clicks one of the malicious links in the adverts is redirected to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old vulnerabilities and some relatively recent flaws. Any user that has a vulnerable system will have GandCrab ransomware silently downloaded onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.
Whenever a new zero-day vulnerability is discovered it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no exception. Within a couple of days, the exploit had already been adopted by cybercriminals and incorporated into malware.
The exploit for the Task Scheduler ALPC vulnerability allows executable files to be run on a vulnerable system with System privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to perform system-level tasks such as deleting Windows Shadow Volume copies to make it harder for victims to recover encrypted files without paying the ransom. Microsoft has now issued a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many companies have yet to apply the patch.
The most important step to take to ensure that recovery from a ransomware attack is possible is to ensure backups are created. Without a viable backup the only way of recovering files is by paying the ransom. In this case, victims can decrypt one file for free to confirm that viable decryption keys exist. However, not all ransomware variants allow file recovery.
Preventing ransomware infections requires software solutions that block the main attack vectors. Spam filtering solutions such as SpamTitan prevent malicious messages from being delivered to inboxes. Web filters such as WebTitan prevent end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to gain system access, so it is important that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.
Patches should be applied promptly to prevent vulnerabilities from being exploited and advanced antimalware solutions should be deployed to detect and quarantine ransomware before files are encrypted.
A new malware threat – named Viro botnet malware – has been detected that combines the file-encrypting capabilities of ransomware, with a keylogger to obtain passwords and a botnet capable of sending spam emails from infected devices.
Viro botnet malware is one of a new breed of malware variants that are highly flexible and have a wide range of capabilities to maximize profit from a successful infection. There have been several recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.
The latest threat was identified by security researchers at Trend Micro who note that this new threat is still in development and appears to have been created from scratch. The code is dissimilar to other known ransomware variants and ransomware families.
Some ransomware variants are capable of self-propagation and can spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to all individuals in the infected user’s contact list.
Viro botnet malware has been used in targeted attacks in the United States via spam email campaigns, although bizarrely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently detected new ransomware threat that masquerades as Locky ransomware, also had a French ransom note. This appears to be a coincidence as there are no indications that the two ransomware threats are related or are being distributed by the same threat group.
With Viro botnet, Infection starts with a spam email containing a malicious attachment. If the attachment is opened and the content is allowed to run, the malicious payload will be downloaded. Viro botnet malware will first check registry keys and product keys to determine whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair will be generated via a cryptographic Random Number Generator, which are then sent back to the attacker’s C2 server. Files are then encrypted via RSA and a ransom note is dropped on the desktop.
Viro botnet malware also contains a basic keylogger which will log all keystrokes on an infected machine and send the data back to the attacker’s C2 server. The malware is also capable of downloading further malicious files from the attacker’s C2.
While the attacker’s C2 server was initially active, it has currently been taken down so any further devices that are infected will not have data encrypted. Connection to the C2 server is necessary for the encryption routine to start. Even though the threat has been neutralized this is expected to only be a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns can have been predicted.
Protecting against email-based threats such as Viro botnet malware requires an advanced spam filtering solution such as SpamTitan to prevent malicious messages from being delivered to end users. Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them identify security threats and respond appropriately.
Multiple backups should also be created – with one copy stored securely offsite – to ensure files can be recovered in the event of file encryption.
Xbash malware is one of several new malware threats to be detected in recent weeks that incorporate the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.
This year, several cybersecurity and threat intelligence companies have reported that ransomware attacks have plateaued or are in decline. Ransomware attacks are still profitable, although it is possible to make more money through cryptocurrency mining.
The recent Internet Organized Crime Threat Report released by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol notes in its report that a decline has been seen in random attacks via spam email, instead cybercriminals are concentrating on attacking businesses where greater profits lie. Those attacks are highly targeted.
Another emerging trend offers cybercriminals the best of both worlds – the use of versatile malware that have the properties of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the opportunity to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is installed on a system that is not ideally suited for mining cryptocurrency, the ransomware function is activated and vice versa.
Xbash malware is one such threat, albeit with one major caveat. Xbash malware does not have the ability to restore files. In that respect it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and demands a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not result in keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply deletes MySQL, PostgreSQL, and MongoDB databases. This function is activated if the malware is installed on a Linux system. If it is installed on Windows devices, the cryptojacking function is activated.
Xbash malware also has the ability to self-propagate. Once installed on a Windows system it will spread throughout the network by exploiting vulnerabilities in Hadoop, ActiveMQ and Redis services.
Currently, infection occurs through the exploitation of unpatched vulnerabilities and brute force attacks on systems with weak passwords and unprotected services. Protection against this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Blocking access to unknown hosts on the Internet will prevent communication with its C2 if it is installed, and naturally it is essential that multiple backups are regularly made to ensure file recovery is possible.
Kaspersky Lab determined there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to increase. This type of versatile malware could well prove to be the malware of choice for advanced threat actors over the course of the next 12 months.
A Bristol Airport ransomware attack has resulted in its customer display screens being taken offline for two days. Staff at the airport have had to resort to using dry markers and whiteboards to display flight arrival and departure information while the malicious software was removed and files were decrypted.
Ransomware was installed on its administrative computer system in the early hours on Friday, 14 September. As a result of the attack, several applications had to be taken offline as part of the airport’s efforts to contain the attack and prevent critical airport systems from being affected. The application used to display arrival and departure information throughout the airport was one of the casualties.
A statement was provided to the media confirming that a ransom demand had been received but the decision was taken not to give in to the attacker’s demand. Instead, IT staff at the airport chose to restore affected systems from backups. That process continued throughout the weekend. Screens in key locations throughout the airport were slowly brought back online on Sunday and efforts are continuing to restore files on all other affected computers at the airport.
Bristol Airport spokesman, James Gore, said initial investigations suggest this was a speculative rather than a targeted attack on the airport and that it was an online attack on its administrative systems. The exact nature of the Bristol Airport ransomware attack has not yet been disclosed and it is not known what variant of ransomware was used.
The recovery process has taken longer than was expected as the airport has adopted a particularly cautious approach due to the number of critical and security systems at the airport which could potentially have been affected. As it was, customer and airport safety were not affected by the ransomware attack and flights were not delayed.
Ransomware Still Poses a Major Threat to Businesses
Ransomware attacks have declined in recent months as many cybercriminals have turned to cryptocurrency mining as an easier way of generating an income, but the Bristol Airport ransomware attack shows that the threat of ransomware attacks is ever present. Cybercriminals have certainly not totally abandoned ransomware and it remains a serious threat.
Online attacks are also common. Ransomware is still widely distributed via exploit kits – Software loaded onto compromised websites that probes for vulnerabilities in browsers and plugins. When vulnerabilities are identified, they are exploited and ransomware is silently downloaded.
How to Prevent Ransomware Attacks
Protecting against ransomware attacks requires layered security solutions to block the key attack vectors. Spam filtering software will block the majority of malicious emails and prevent them from being delivered to end users’ inboxes. Security awareness training will help to ensure that employees can identify any malicious emails than make it past perimeter email security controls.
One of the most effective solutions for blocking web-based attacks is a web filter. Web filters can be configured to prevent end users from visiting malicious websites and will block drive-by downloads of malware. Naturally, all software, including browsers and browser plugins, should be kept up to date and fully patched to prevent vulnerabilities from being exploited. Anti-virus software on all servers and end points is also a must.
As was the case with the Bristol airport ransomware attack, files could be recovered from backups without the need to pay the ransom demand. To ensure file recovery is possible, regular backups must be made.
A good backup practice will see at least three backup copies created, on at least two separate media, with one copy stored securely offsite on a device that is not connected to a network or the Internet.
For more information on anti-ransomware solutions for businesses, speak to TitanHQ today. TitanHQ offers award-winning spam filtering and web filtering technology that blocks malware and ransomware attacks and other email and web-based threats.
There are many new services that managed service providers (MSPs) can add to their service stacks, such as cloud migration and digitization services, but the biggest area for growth is currently cybersecurity services.
The number of cyberattacks on SMBs and enterprises has increased substantially in recent years. More attacks are now being conducted than ever before, and many of those attacks are succeeding.
A successful attack can prove extremely profitable for an attacker and extremely costly for an enterprise. When a network or email account is breached, sensitive information can be stolen, such as the personal data of customers and employees and corporate secrets and proprietary data.
When customer information is stolen, the damage to a company’s reputation can be considerable. Customer churn rate increases, business is lost, and there may be regulatory fines to cover and lawsuits to fight. Notifications need to be issued and credit monitoring and identity theft protection services may need to be provided to customers. When proprietary data is stolen, a company’s competitive advantage can easily be lost.
Following any security breach, hours must be committed to forensic analyses to search for possible backdoors and malware. The breach cause must be identified and security holes must be plugged. All those costs (and more) add up. This year’s Cost of a Data Breach study conducted by the Ponemon Institute/IBM Security revealed the average cost of a data breach of up to 100,000 personal records has risen to $3.86 million in 2018 – a 6.4% increase since 2017.
The massive disruption to businesses caused by cyberattacks and the considerable cost of mitigating data breaches means SMBs and enterprises need to take precautions and invest in cybersecurity defenses. However, the shortage of skilled staff in this area and already overworked IT departments has meant many companies have had to turn to MSPs and managed security service providers (MSSPs) to help shore up their defenses, monitor for potential intrusions, and respond to breaches when they occur.
Many MSPs have responded to the demand and are now offering security services to their clients to meet the demand. That demand is so great, that managed security services are now a huge growth area for MSPs.
Each year, Channel Futures conducts its MSP 501 survey, which evaluates the revenue growth, service deliverables, and business models and strategies adopted by the most progressive and forward-thinking MSPs around the globe. This year, the survey revealed that the biggest growth area is security services. 73% of all surveyed MSPs said security was their fastest growing service. As a point of comparison, the next biggest growth area was professional services (55%), followed by Office 365 (52%) and consulting (51%).
With huge demand for managed security services, it is no longer a question of whether they should be added to MSPs service stacks, but more a question of how they can be integrated, how to architect those services, and how to package security services together to meet customers’ needs.
What Security Services are Being Offered by MSPs?
Many enterprises and SMBs that attempt to go it alone end up deploying dozens of different security solutions at considerable cost, only to discover they are still attacked and suffer network breaches. Most businesses do not have the staff to commit to implementing, monitoring, and managing large numbers of cybersecurity solutions. This creates an opportunity for MSPs.
Some MSPs have opted to provide clients with a suite of cybersecurity solutions from a single provider, as the solutions work seamlessly together and there is less potential for security gaps to exist. While this has worked for some MSPs, the problem with this approach is clients could approach that vendor and decide to go direct. MSPs that have succeeded with this model are adding considerable value – such as their expertise in running those solutions.
Logicalis, ranked #10 in the MSP 501 list, has taken a different approach and is bundling together a range of solutions that can be easily managed together and match customers’ needs exactly. “We pick our swim lanes, we pick our areas that are most relevant to our skills, to our customers, and we make sure we have the disciplines and domain expertise to deliver against that,” said Logicalis’ chief sales officer Mike Houghton.
Clients often get the best value – and protection – when MSPs package together cybersecurity products from a wide range of cybersecurity solution providers to provide a comprehensive security service, as Tom Clancy, CEO of Valiant Technology and #206 in Channel Future’s MSP 501 list explained. “Providing a bundle of offerings from different vendors that work well together is the most effective way for an MSP to retain its role as a trusted adviser.”
Valiant Technology has even taken this a step further and is moving towards making security a ‘non-optional’ offering. Clancy explained to Channel Futures that, “Our managed services plans will say, ‘It costs this much per seat, and it’s this much if you want the security package. And by the way, you really want the security package, otherwise here’s my limitation of liability.”
Naturally, putting together a package of security services requires considerable research and planning, new staff may need to be hired, and training on the products must be provided. It is a lot of work, but the potential rewards are considerable.
How Can TitanHQ Help?
TitanHQ has developed a suite of security products that are ideally suited for MSPs, offering a winning combination of easy deployment, remote management, superb protection against a wide range of threats, and excellent margins. The solutions mitigate the threat from web and email-based attacks integrate seamlessly into MSPs existing service stacks.
SpamTitan provides world-class protection from spam and malicious emails, preventing malware, ransomware, and phishing emails from reaching end users’ inboxes. The solution is complimented by WebTitan, a powerful web filtering solution that prevents end users from visiting malicious websites, blocks drive-by downloads of malicious software, and enforces acceptable Internet usage policies.
To find out more about how these two solutions benefit MSPs and their clients, and the tools available to seamlessly integrate these technology-agnostic security services into MSPs security packages, contact the TitanHQ team today.
Vulnerabilities in the VPNs NordVPN and ProtonVPN have been identified that allow execution of arbitrary code with system level privileges, highlighting the risk that can be introduced if VPN software is not kept fully patched and up to date.
VPNs May Not be As Secure as You Think
One common method used to securely access the Internet on public WiFi networks is to connect through a VPN. A VPN helps to prevent man-in-the-middle attacks and the interception of data by creating a secure tunnel through which data flows. Using VPN software means a user’s data is encrypted preventing information from being accessed by malicious actors.
While the connection is secured using a VPN, that does not always mean that a user is well protected. VPNs may not be quite as secure as users believe. Like any software, there can be vulnerabilities in VPNs that can be exploited. If the latest version of VPN software is not used, data may be vulnerable.
High Severity Vulnerabilities Identified in Popular VPNs
Recently, two of the most popular VPN clients have been found to contain a privilege escalation bug that could be exploited to allow an attacker to execute arbitrary code with elevated privileges.
The bug is present in NordVPN and ProtonVPN clients, both of which use the open-source OpenVPN software to create a tunnel through which information passes. In April, a flaw was identified which allowed an attacker with low level privileges to run arbitrary code and elevate their privileges to system level. Further, the flaw was not difficult to exploit.
A change could easily be made to the OpenVPN configuration file, adding parameters such as “plugin”, “script-security”, “up”, and “down”. Files specified within those parameters would be executed with elevated privileges. The flaw was identified by security researcher Fabius Watson of VerSprite Security, and prompt action was taken to patch the flaw.
However, while patches were issued by NordVPN and ProtonVPN that prevented the “plugin”, “script-security”, “up”, and “down” parameters from being added to the configuration file by standard users, the flaw had only been partially corrected.
Researchers at Cisco Talos discovered the same parameters could still be added to the configuration file if they were added in quotation marks. Doing that would bypass the mitigations of the patches. These vulnerabilities have been tracked under separate CVE codes – CVE-2018-3952 for ProtonVPN and CVE-2018-4010 for NordVPN. Both flaws are considered high-severity and have been assigned a CVSS v3 base score of 8.8 out of 10.
NordVPN and ProtonVPN have now released an updated patch which prevents the addition of these parameters using quotation marks, thus preventing threat actors from exploiting the vulnerability. Both vendors have tackled the problem in different ways, with ProtonVPN opting to put the configuration file in the installation directory to prevent standard users from making any changes, while NordVPN used an XML model to generate the configuration file. Standard users are not able to modify the template.
Securing Connections on Public WiFi Access Points
VPNs are an excellent way of improving security when connecting to public WiFi networks, but policies and procedures should be implemented to ensure that patches are applied promptly. It is not always possible to configure VPN clients to automatically update to the latest version. If vulnerabilities in VPNs are not addressed, they can be a major security weak point.
An additional protection that can be implemented to protect remote workers when connecting to WiFi networks is a web filtering solution such a WebTitan. WebTitan allows businesses to carefully control the web content that can be accessed by employees no matter where they connect – through wired networks, business WiFi networks, and when connecting to the Internet through public WiFi networks.
By controlling the types of sites that can be accessed, and using blacklists of known malicious sites, the potential for malware downloads can be greatly reduced.
If you want to improve WiFi security or implement web filtering controls for remote workers, contact the TitanHQ team today to find out more about WebTitan and the difference it can make to your security posture.
A new exploit kit has been detected that is being used to deliver Trojans and GandCrab ransomware. The Fallout exploit kit was unknown until August 2018, when it was identified by security researcher Nao_sec. Nao_sec observed the Fallout exploit kit being used to deliver SmokeLoader – a malware variant whose purpose is to download other types of malware.
Nao_sec determined that once SmokeLoader was installed, it downloaded two further malware variants – a previously unknown malware variant and CoalaBot – A HTTP DDoS Bot that is based on August Stealer code. Since the discovery of the Fallout exploit kit in August, it has since been observed downloading GandCrab ransomware on vulnerable Windows devices by researchers at FireEye.
While Windows users are being targeted by the threat group behind Fallout, MacOS users are not ignored. If a MacOS user encounters Fallout, they are redirected to webpages that attempt to fool visitors into downloading a fake Adobe Flash Player update or fake antivirus software. In the case of the former, the user is advised that their version of Adobe Flash Player is out of date and needs updating. In the case of the latter, the user is advised that their Mac may contain viruses, and they are urged to install a fake antivirus program that the website claims will remove all viruses from their device.
The Fallout exploit kit is installed on webpages that have been compromised by the attacker – sites with weak passwords that have been brute-forced and those that have out of date CMS installations or other vulnerabilities which have been exploited to gain access.
The two vulnerabilities exploited by the Fallout exploit kit are the Windows VBScript Engine vulnerability – CVE-2018-8174 – and the Adobe Flash Player vulnerability – CVE-2018-4878, both of which were identified and patched in 2018.
The Fallout exploit kit will attempt to exploit the VBScript vulnerability first, and should that fail, an attempt will be made to exploit the Flash vulnerability. Successful exploitation of either vulnerability will see GandCrab ransomware silently downloaded.
The first stage of the infection process, should either of the two exploits prove successful, is the downloading of a Trojan which checks to see if certain processes are running, namely: filemon.exe, netmon.exe, procmon.exe, regmon.exe, sandboxiedcomlaunch.exe, vboxservice.exe, vboxtray.exe, vmtoolsd.exe, vmwareservice.exe, vmwareuser.exe, and wireshark.exe. If any those processes are running, no further action will be taken.
If those processes are not running, a DLL will be downloaded which will install GandCrab ransomware. Once files are encrypted, a ransom note is dropped on the desktop. A payment of $499 is demanded per device to unlock the encrypted files.
Exploit kits will only work if software is out of date. Patching practices tend to be better in the United States and Europe, so attackers tend to rely on other methods to install their malicious software in these regions. Exploit kit activity is primarily concentrated in the Asia Pacific region where software is more likely to be out of date.
The best protection against the Fallout exploit kit and other EKs is to ensure that operating systems, browsers, browser extensions, and plugins are kept fully patched and all computers are running the latest versions of software. Companies that use web filters, such as WebTitan, will be better protected as end users will be prevented from visiting, or being redirected to, webpages known to host exploit kits.
To ensure that files can be recovered without paying a ransom, it is essential that regular backups are made. A good strategy is to create at least three backup copies, stored on two different media, with one copy stored securely offsite on a device that is not connected to the network or accessible over the Internet.
The CamuBot Trojan is a new malware variant that is being used in vishing campaigns on employees to obtain banking credentials.
Cybercriminals Use Vishing to Convince Employees to Install CamuBot Trojan
Spam email may be the primary method of delivering banking Trojans, but there are other ways of convincing employees to download and run malware on their computers.
In the case of the CamuBot Trojan the method used is vishing. Vishing is the voice equivalent of phishing – The use of the telephone to scam people, either by convincing them to reveal sensitive information or to take some other action such as downloading malware or making fraudulent bank transfers.
Vishing is commonly used in tech support scams where people are convinced to install fake security software to remove fictitious viruses on their computers. The campaign used to install the CamuBot Trojan is a variation on this theme and was uncovered by IBM X-Force researchers.
The attack starts with some reconnaissance. The attackers identify a business that uses a specific bank. Individuals within that organization are then identified that are likely to have access the bank accounts used by the business – payroll staff for example. Those individuals are then contacted by telephone.
The attackers claim that they are calling from the bank and are performing a check of security software on the user’s computer. The user is instructed to visit a webpage where a program will run a scan to find out if they have an up-to-date security module installed on their computer.
The fake scan is completed, and the user is informed that their security module is out of date. The caller then explains that the user must download the latest version of the security module and install it on their computer.
Once the file is downloaded and executed, it runs just like any standard software installer. The user is advised of the minimum system requirements needed for the security module to work and the installer includes the bank’s logo and color scheme to make it appear genuine.
The user is guided through the installation process, which first requires them to stop certain processes that are running on their computer. The installer displays the progress of the fake installation, but in the background, the CamuBot Trojan is being installed. Once the process is completed, it connects to its C2 server.
The user is then directed to what appears to be the login portal for their bank where they are required to enter their login credentials. The portal is a phishing webpage, and the credentials to access the users bank account are captured by the attacker.
Many banks require a second factor for authentication. If such a control is in place, the attackers will instruct the user that a further installation is required for the security module to work. They will be talked through the installation of a driver that allows a hardware-based authentication device to be remotely shared with the attacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are sent by the bank to the user’s device, allowing the attackers to take full control of the bank account and authorize transactions.
The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering techniques can be just a effective at getting employees to install malware.
The CambuBot Trojan campaign is primarily being conducted in Brazil, but the campaign could be rolled out and used in attacks in other countries. The techniques used in this campaign are not new and have ben used in several malware campaigns in the past.
Consequently, it is important for this type of attack to be covered as part of security awareness training programs. Use of a web filter will also help to prevent these attacks from succeeding by blocking access to the malicious pages where the malware is downloaded.
A massive MagnetoCore malware campaign has been uncovered that has seen thousands of Magneto stores compromised and loaded with a payment card scraper. As visitors pay for their purchases on the checkout pages of compromised websites, their payment card information is sent to the attacker’s in real time.
Once access is gained to a website, the source code is modified to include the MagnetoCore malware, which is hidden among legitimate files in the Magnetocore.net domain.
The hacking campaign was detected by Dutch security researcher Willem de Groot. Over the past six months, the hacker behind the campaign has loaded MagnetoCore malware on at least 7,339 Magneto stores. The number of compromised websites is believed to be increasing at a rate of around 50 or 60 new stores per day.
Site owners have been informed of the MagentoCore malware infections, although currently more than 5,170 Magneto stores still have the script on the site.
The campaign was discovered when de Groot started scanning Magneto stores looking for malware infections and malicious scripts. He claims that around 4.2% of Magneto stores have been compromised and contain malware or a malicious script.
While a high number of small websites have been infected, according to de Groot, the script has also been loaded onto the websites of multi-million-dollar publicly traded companies, suggesting the hacker behind the attack has been able to steal tens, or most likely, hundreds of thousands of payment cards.
With a full set of payment card data selling for between $5 and $30 per card on darknet marketplaces, the individual(s) or hacking group behind the campaign has likely made a substantial profit.
Further information on the threat actor(s) responsible for the attacks has come from RiskIQ, which reports that the MagnetoCore malware campaign is part of much larger payment card scraping campaign known as MageCart. RiskIQ reports that MageCart has been in operation since at least 2015 and says the campaign being run by three groups. One of the groups was responsible for the TicketMaster breach reported in June that affected 5% of its customers.
All three groups are using the same tactics as part of a single campaign. It is likely the MagnetoCore malware campaign is being run by the same individuals responsible for MageCart.
Access to the sites is gained through a simple but time-consuming process – Conducting a brute force attack to guess the password for the administrator account on the website. According to de Groot, it can take months before the password is guessed. Other tactics known to be used are the use of malware such as keyloggers to obtain the login credentials and the exploitation of vulnerabilities in unpatched content management systems.
Preventing website compromises requires the use of very strong passwords and prompt patching to ensure all vulnerabilities are addressed. CMS systems should also be updated as soon as a new version is released.
It is also important for site owners to conduct regular scans of website CMSs to search for malicious scripts or code alterations, and to use a security solution that alerts the webmaster when a code change is detected on a website.
Unfortunately, finding out that a site has been compromised and removing the malicious code will not be sufficient. A painstaking check of the codebase is required as multiple backdoors are often added to compromised websites to ensure access can still be gained should the malicious code be discovered and removed.
An email archive is a store for old emails which may need to be accessed from time to time but are not needed on a day to day basis. An email archive securely preserves all email conversations in a searchable format that allows companies to satisfy state, federal, and industry requirements.
Email Archives Save on Storage Space
While messages could be left in personal mailboxes, the number of emails received on a daily basis means the storage space required for each mailbox would be considerable, especially considering the requirement in many industries to retain emails for several years. Even if employees exercised strict control over their inboxes and mailbox folders and diligently deleted spam and non-official emails, storage space will still likely become an issue in a short space of time.
Archives are Searchable Email Stores
One common solution to preserve emails is a mailbox backup. Email backups allow an entire mailbox to be restored in the event of disaster or could be used to recover emails that have been accidentally deleted.
However, as with any store, be it a storeroom at work, or your attic or garage at home, knowing that an item is in storage does not mean it is easy to find. While you may need to invest a little time to find a particular item in your garage, it can be a gargantuan task to find a single email in an email backup containing thousands or even tens of thousands of messages, as backups are not searchable.
An email archive differs from a backup as messages are indexed to allow searches to be performed. Finding a message in a backup file can take hours or even days. Finding a message in an archive takes a matter of seconds or a minute or two. When an email needs to be produced for any reason, an email archive allows it to be quickly found.
Typically, IT staff have much more pressing things to attend to than recovering accidentally deleted emails. An archive can be accessed and searched by employees without any IT department involvement. Further, if a cloud-based archive is used, emails can be accessed from any location and emails found even when the mail server is down.
There are naturally situations when more formal searches are required, such as when issues are identified with an employee and HR needs further information on the matter. Legal eDiscovery requests require large quantities of emails to be found and provided to attorneys, and customer disputes require email conversations to be quickly found. An archive significantly reduces the time taken for these tasks to be performed. A company-wide search of emails typically takes 80% less time when an archive is used.
Email Archives are Important for GDPR Compliance
Since the General Data Protection Regulation has come into effect, email archives are even more important. When a request is received from an individual who wants to exercise their right to be forgotten, all data must be erased, which includes data contained in email accounts. An email archive allows emails to easily be found and deleted.
The email archive serves as a black box recorder for email ensuring that come what may, all emails can be located. Emails in the archive are also tamper-evident and court admissible. This makes email archives important for compliance with state, federal, and industry regulations.
An Email Archive Saves Companies Time and Money
Mail server efficiency is improved by using archives, server management costs are reduced, and storage costs are slashed. Typically, companies can save up to 75% on storage space when an archive is used. Further, when emails need to be migrated to new mail servers, it is a much quicker process when the majority of emails have been placed in an archive. The cost savings from using an email archive are considerable.
In summary, an email archive maintains an audit trail, ensures emails are never lost or deleted, provides a failsafe in the event of disaster, and ensures emails can be found quickly. An email archive saves companies time, money, and helps with compliance with state, federal, and industry regulations.
ArcTitan: A Fast, Efficient, Low Cost Email Archiving Solution for Businesses
If you have not yet started using an email archiving solution, TitanHQ has an ideal solution. ArcTitan is a fast, convenient, scalable, and low-cost archiving solution for SMBs and enterprises.
ArcTitan is a cloud-based email archiving solution that integrates seamlessly with Outlook. ArcTitan allows emails to be quickly and easily archived and retrieved on demand via super-fast, user-friendly search screens.
All emails are de-duplicated and compressed to reduce storage space and all messages and attachments are stored securely in IL5 certified datacenters.
If you want an easy to use email archiving solution that can be implemented in minutes, contact the TitanHQ team today for further information.
Security awareness training best practices to help your organization tackle the weakest link in the security chain: Your employees.
The Importance of Security Awareness Training
It doesn’t matter how comprehensive your security defenses are and how much you invested on cybersecurity products, those defenses can all be bypassed with a single phishing email. If one such email is delivered to an end user who does not have a basic understanding of security and they respond to that message, malware can be installed, or the attacker can otherwise gain a foothold in your network.
It is the risk of such an attack that has spurred many organizations to develop a security awareness training program. By teaching all employees cybersecurity best practices – from the CEO to the lowest level workers – security posture can be greatly enhanced and susceptibility to phishing attacks and other cyberattacks will be greatly reduced.
However, simply providing employees with a training session when they join the company is not sufficient. Neither is it enough to give an induction in cybersecurity followed by an annual refresher training session. Employees cannot be expected to retain knowledge for 12 months unless frequent refresher training sessions are provided. Further, cybercriminals are constantly developing new tactics to fool end users. Training programs must keep up with those changing tactics.
To help organizations develop an effective security awareness training program we have compiled a list of security awareness training best practices to follow. Adopt these security awareness training best practices and you will be one step closer to developing a security culture in your organization.
Security Awareness Training Best Practices
Listed below are some security awareness training best practices that will help you develop an effective training program that will ultimately help you to prevent data breaches.
C-Suite Involvement is a Must
It is often said that the weakest link in the security chain are an organization’s employees. While that is undoubtedly true, the C-Suite is also a weak link. If the C-Suite does not take an active interest in cybersecurity and does not realize the importance of the human element in security, it is unlikely that sufficient support will be provided and unlikely that appropriate resources are made available. C-suite involvement can also help with organization-wide collaboration. It will be very difficult to create a security culture in an organization if there is no C-Suite involvement in cybersecurity.
An Organization-Wide Effort is Required
A single department will likely be given the responsibility for developing and implementing a security awareness program, but it will not be easy in isolation. Assistance will be required from other departments. The heads of different departments can help to ensure that the security awareness training program is given the priority it deserves.
To ease the burden on the IT department, members of other departments can be trained and can assist with the provision of support or may even be able to assist with the training efforts. Other departments, such as marketing, can help developing content for newsletters and other training material. The HR department can help by setting policies and procedures.
Creation of Security Awareness Training Content
There is no need to develop training content for employees from scratch as there are many free resources available that can give you a head start. Many firms offer high quality training material for a price, which is likely to be lower than the cost of developing training material in-house. Take advantage of these resources but make sure that you develop a training program that is specific to the threats faced by your organization and the sector in which you operate. Your training program must be comprehensive. If any gaps exist, they are likely to be exploited sooner or later.
Diversity of Training
A one-size-fits-all approach to training will ultimately fail. People respond differently to different training methods. Some may retain more knowledge through classroom-based training, others may need one-to-one training, and many will benefit more from CBT training sessions. Your training program should include a wide range of different methods to help with different learning styles. The more engaging your program is, the more likely knowledge will be retained. Use posters, newsletters, email security alerts, games, and quizzes and you will likely see major improvements in your employees’ security awareness.
You can develop a seriously impressive training program for your employees that looks perfect on paper, but if your employees only manage to retain 20% of the content, your training program will not be very effective. The only way you can determine how effective your training program is through attack simulations. Phishing simulation exercises and simulations of other attack scenarios should be conducted before, during, and after training. You will be able to assess how effective all elements of the training program have been, and it will give you the feedback you need to identify weak links and take action to improve your training program.
Security Awareness Training Needs to be a Constant Process
Security awareness training is not a checkbox item that can be completed and forgotten about for another year. Your program should be running constantly and should consist of an annual training session for all employees, semi-annual training sessions, and other training efforts spread throughout the year. The goal should be to make sure security issues are always fresh in the mind.
Cybersecurity best practices for restaurants that you can adopt to make your network more secure and prevent hackers from gaining access to your POS system and customers’ credit card information.
Cybercriminals are Targeting Restaurants’ POS Systems
If you run a busy restaurant you will most likely be processing thousands of credit and debit card transactions every month. Every time someone pays with a card you have a legal responsibility to ensure that the card details that are read through your point of sale (POS) system remain private and cannot be stolen by your employees or obtained by cybercriminals.
So far this year there have been several major cyberattacks on restaurants that have resulted in the credit and debit card numbers of customers being stolen. In August, Darden Restaurants discovered that hackers gained access to the POS system used in its Cheddar’s Scratch Kitchen restaurants and potentially stole over half a million payment card numbers.
Applebee’s, PDQ, Zippy’s, and Chili’s have all experienced cyberattacks in 2018 which have resulted in hackers gaining access to customers’ payment cards. Last year also saw several cyberattacks on restaurants, including attacks on Shoney’s, Arby’s, Chipotle, and the Sonic Drive-In chain. These restaurant cyberattacks are notable due to the amount of card numbers that were stolen. The cyberattack on Cheddar’s is thought to have resulted in the theft of more than half a million payment card numbers, expiry dates and CVV codes, while the Sonic data breach has been estimated to have impacted millions of customers.
Not all cyberattacks on restaurants are conducted on large restaurant chains. Smaller restaurants are also being attacked. These smaller establishments may not process anywhere near as many payment card transactions as a chain the size of Applebee’s, but the attacks can still prove profitable for criminals. Card details sell for upwards of $7, so the theft of 1,000 card numbers from a small restaurant will still generate a decent profit and the effort required to conduct cyberattacks on small restaurants is often far less than an attack on a large chain.
All restaurants are at risk of hacking. Steps must therefore be taken by all restaurants to make it as hard as possible for hackers to gain access to the network, POS systems, and customer data. With this in mind we have listed cybersecurity best practices for restaurants to adopt to avoid a data breach.
Cybersecurity Best Practices for Restaurants
Listed below are some cybersecurity best practices for restaurants to adopt to make it harder for hackers to gain access to your network and data. There is no silver bullet that will stop all cyberattacks, but these cybersecurity best practices for restaurants will help to improve your security posture.
Network Segmentation is a Must
You will most likely have multiple computers in use in your restaurant as well as many other devices that connect to your network via an ethernet connection or WiFi. Every device that connects to your network is a possible entry point that could be exploited by a hacker. It is therefore important to stake steps to ensure that if one device is compromised, access cannot be gained to your entire network. Your POS system needs to be segregated from other parts of the network and users should only be permitted to access parts of the network that are required to complete their assigned duties.
Patch Management and Vulnerability Scanning
All it takes is for one vulnerability to remain unaddressed for you to be vulnerable to attack. It is therefore essential to maintain an inventory of all devices that connect to your network and ensure that patches and software updates are applied on all those devices as soon as they are released. You should also conduct regular vulnerability scans to identify possible weak points and take prompt action to ensure those weak points are addressed.
Secure the Perimeter with a Firewall
One of the most important cybersecurity solutions to implement to prevent hackers from gaining access to your network is a firewall. A firewall monitors and controls incoming and outgoing network traffic and serves as a barrier between a trusted internal network and an untrusted external network. A firewall is also an important element of PCI compliance.
Implement a Spam Filter to Block Malicious Emails
Email is the most common vector used to install malware. Phishing attacks are commonplace and are an easy way for hackers to gain login credentials and get a foothold in the network. Use a spam filter such as SpamTitan to prevent malicious messages from being delivered to end users’ inboxes and block all malware-laced emails.
Protect Your WiFi Network with a Web Filtering Solution
Your WiFi network is a potential weak spot and must be secured. If you provide WiFi access to your customers, ensure they are only provided with access to a guest network and not the network used by your staff. Implement a web filter to control what users can do when connected to your network. A web filter will help to prevent malware from being downloaded and can be configured to block access to risky websites. WebTitan is an ideal web filter for restaurants to improve WiFi security.
Purchase Antivirus Software
Antivirus software is one of the most basic software solutions to protect against malware. Malware is commonly installed on POS systems to record and exfiltrate payment card information. Not only should you ensure that a powerful antivirus solution is installed, you should also ensure regular scans of the network are performed.
Provide Security Awareness Training to Staff
Your employees are a potential weak point in your security defenses. Don’t assume that your employees are security aware. Teach your staff cybersecurity best practices for restaurants, provide anti-phishing training, and explain about risky behaviors that could easily lead to a data breach.
Backup and Backup Again
You should perform regular backups of all your essential data to protect against saboteurs and provide protection against ransomware attacks. If disaster strikes, you will need to record all your data. Adopt the 3-2-1 approach to creating backups. Create three copies, on two separate media, and store one copy securely off site on an air-gapped device that is not connected to the Internet.
Vet your Vendors
Access to your network may be gained through your vendors. The cyberattack on PDQ restaurants occurred via a remote access tool used by one of its technology vendors. If a vendor is able to connect to your network, it is essential that they have appropriate security controls in place. Be sure to check how secure your vendor is and what controls they have in place to prevent hacking before giving them network access.
Adopt these cybersecurity best practices for restaurants and you will make it harder for hackers to gain access to your network and you should be able to avoid a costly data breach.
A recent Cheddar’s Scratch Kitchen data breach is believed to have affected more than half a million of the restaurant chain’s customers and resulted in their credit/debit card details being obtained by hackers.
Darden Restaurants acquired Cheddar’s Scratch Kitchen in March 2017. The newly acquired restaurant chain was using a legacy point-of-sale (POS) system which was disabled and replaced by April 10, 2018 as part of Darden’s integration process.
However, prior to the system being replaced, hackers gained access to the POS system and customers’ credit/debit card details. There are 163 Cheddar’s Scratch Kitchen restaurants spread across 23 states – Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin. All locations were affected by the breach.
The Cheddar’s Scratch Kitchen data breach affects all customers who visited those restaurants between November 3, 2017 and January 2, 2018 and paid for their meal using a debit or credit card. Determining how many of its customers have been affected is likely to take some time, although current estimates suggest that as many as 567,000 customers could be affected.
Restaurants are an attractive target for cybercriminals. If access can be gained to the network containing the POS system, malware can be installed to intercept and record credit card numbers as diners pay for their meals.
Once installed, malware can silently steal credit card numbers for months. Typically, it is only when banks and credit card companies detect a pattern of credit card fraud and link it to a particular establishment that an investigation is launched and malware is detected.
While the value of credit card numbers on the black market has dropped due to the constant availability of stolen credentials, full sets of credit card information can still fetch at least $7. At that price, the Cheddar’s Scratch Kitchen data breach could have netted the attackers $4 million. With such a massive potential payday it is no surprise that restaurants are such a big target for hackers.
The Cheddar’s Scratch Kitchen data breach is one of many attacks on restaurant chains in recent months. In March 2018, RMH Franchise Holdings announced that malware had been discovered on the POS system used in 160 Applebee’s restaurants. The malware had been programmed to record names, credit and debit card numbers, expiry dates, and CVV codes and was present on the system for a month between December 2017 and January 2018.
In May, a cyberattack was detected at Zippy’s Restaurants which affected 25 of the Hawaii restaurant chain’s locations. Malware had been installed on its POS system for 4 months before it was detected. Also in May, Chili’s restaurants announced that malware had been discovered on the POS system used in some of its restaurants. The malware was active between March and April 2018.
In June, the PDQ restaurant chain discovered it had been attacked and customers’ credit and debit card information had been stolen. The attackers had access to the POS system for almost a year between May 2017 and April 2018. In that attack, access was gained through a remote connection tool used by a technology vendor.
Last year also saw numerous cyberattacks on restaurant chains. Shoney’s, Arby’s, Chipotle, and Sonic Drive-In all experienced major cyberattacks, with the latter estimated to have impacted millions of customers.
If you own a restaurant it is essential to implement a range of cybersecurity solutions to keep hackers out of your network and ensure your customers credit and debit card numbers remain secure.
There has been a significant increase in healthcare phishing attacks in recent weeks, both in frequency and the severity of attacks. In July alone, more than 1.6 million healthcare records were exposed due to healthcare phishing attacks and the attacks show no sign of slowing.
Healthcare phishing attacks are to be expected. The email accounts of healthcare employees often contain highly sensitive information – Information that can be used for a multitude of nefarious purposes such as tax fraud, medical identity theft to obtain prescription medications, and identity theft to obtain credit cards and loans. If access can be gained to the email account of one healthcare employee, messages can be sent to other employees in the organization from the compromised account. Since those messages come from a genuine email account within the organization, they are less likely to be blocked and are more likely to elicit a response. When one email account is compromised there is a high probability that access will be gained to other email accounts.
In the United States, a summary of all healthcare data breaches of more than 500 records is published by the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal lists hundreds of email-related data breaches have been reported since summaries first started being published in 2009, although there has been a significant increase in phishing-related data breaches in recent months. July 2018 saw two of the largest and most serious healthcare phishing attacks ever reported.
The largest healthcare phishing attacks in July were reported by the Iowa Health System (UnityPoint Health), Boys Town National Research Hospital, and Confluence Health. These healthcare phishing attacks resulted in the exposure of 1,421,107 records, 105,309 records, and 33,821 records respectively.
In July alone, there were 33 large data breaches reported to OCR. Those breaches include unauthorized accessing of health records by employees, lost devices containing electronic health information, improper disposal of medical records, and unauthorized disclosures of health records by employees. While unauthorized disclosures are often behind the majority of breaches, in July it was email-related hacking incidents were behind 39% of all reported data breaches. Those email account breaches resulted in the exposure and possible theft of 1,620,318 patients’ health and personal information. Not only was email the most common location of breached health information in July, it was the same story in March, April, May and June.
The large-scale healthcare phishing attacks have continued in August. This month, Augusta University Health reported a phishing attack had resulted in the exposure and possible theft of the PII and PHI of 417,000 individuals. In that attack hackers gained access to the email accounts of 24 members of staff. 38,000 records were also potentially accessed by hackers following a phishing attack on Legacy Health.
With the threat of healthcare phishing attacks greater than ever and the high cost of mitigating those breaches, it is more important than ever for healthcare organizations to improve their defenses against phishing.
TitanHQ offers healthcare organizations two vital cybersecurity solutions that can help to prevent phishing attacks, which along side ongoing security awareness and anti-phishing training for staff can greatly reduce the potential for a successful phishing attack to occur.
SpamTitan is an advanced spam filtering solution that blocks 100% of known malware and more than 99.97% of malicious emails, preventing them from reaching end users inboxes. Occasional emails may be delivered to inboxes, which is where WebTitan helps. WebTitan is a powerful DNS web filtering solution that blocks attempts by employees to access known phishing websites, stopping them from reaching websites where they would otherwise disclose their login credentials.
To find out more about these solutions and how they can be deployed in a healthcare environment, contact the TitanHQ sales team today and take an important first step towards improving the resilience of your organization to phishing attacks.
A new SharePoint phishing scam has been detected that attempts to steal Office 365 credentials. The scam emails being sent in this campaign are similar to those used in countless Google Docs phishing attacks, which appear at face value to be attempts to collaborate through the sharing of files. These scams are often used to spread malware, with the documents often containing malicious macros or links to websites where malware is silently downloaded.
These brand impersonation attacks use an email format that is identical to those used in genuine messages. The phishing emails contain logos, formatting and links that makes the messages identical to legitimate messages requesting collaboration on a project.
This SharePoint phishing scam includes a hyperlink to a genuine SharePoint document, which may not be flagged as malicious since the file itself does not contain malware.
The SharePoint file advises the user that the content they are looking for has been uploaded to OneDrive for Business and a further click is necessary to access the file. A hyperlink named “Access Document” is included in the SharePoint file along with the genuine OneDrive for Business logo and appropriate graphics. At face value the document does not appear malicious, although checking the destination URL of the link will reveal that it directs the user to a suspect website.
It is that website where the phishing attempt takes place. After clicking the link the user is presented with a login window for Office 365 and their Microsoft login details must be entered. Entering Office 365 credentials at this point will pass them to the criminals behind this campaign. The user is unlikely to realize that they have been successfully phished as after entering credentials they will be directed to a genuine Office site.
This SharePoint phishing scam appears to target businesses. Business users are likely to be used to collaborating using SharePoint and are therefore more likely to respond. Gaining access to a business Office 365 account is more lucrative for the attackers, allowing them to access to email accounts to use in further phishing campaigns and access to data stored in those accounts and other sensitive data.
Email addresses for business users can easily be located through sites such as LinkedIn or lists of business email addresses could be purchased on the dark web and hacking forums.
This SharePoint phishing scam, Google Docs phishing scams, and similar campaigns spoofing Dropbox are commonplace and highly effective. They take advantage of familiarity with these collaboration services, trust in the brands, a lack of security awareness, and business employees that do not stop and think before clicking.
Preventing these attacks requires technological solutions to stop the messages from being delivered. Security awareness training can be highly effective at conditioning employees to stop and think before taking any action, while web filters can block these attacks by preventing malicious URLs from being visited. Without these controls in place, businesses will be vulnerable.
A recent study in the United Kingdom conducted by researchers at the Oxford Internet Institute at the University of Oxford on the effectiveness of parental controls suggests that they may not be as effective as was thought at preventing minors from accessing online pornography.
While the study certainly adds to the body of evidence on the effectiveness of parental controls, such as those provided by Internet Service Providers, care should be taken interpreting the findings, especially comparing ISP parental controls with commercial web filtering solutions for schools.
The researchers suggest that their study “Delivered conclusive evidence that filters were not effective for protecting young people from online sexual material,” and such bold claims have naturally been reported in the media as ‘Internet controls not being effective’.
However, the study only assessed whether minors had encountered a single image of nudity or of a sexual nature. No internet filtering solution can be expected to block every single sexual image. The goal of parental controls is not to ensure that pornographic content cannot ever be accessed, only that the chance of it being accessed is reduced to a very low level.
Further, while controls can be put in place to block direct accessing of pornography, parental control filers can easily be bypassed through the use of VPNs and anonymizer services. If a minor wishes to gain access to pornography, it is easy to do so via an anonymizer service. Parental control filters put in place by Internet Service Providers do not block access to anonymizer services.
Search for “free anonymizer” in Google, access the site, and enter the URL of an adult site on a home network with parental controls in place, and you will discover exactly how easy it is to access adult content. Even easier, search for “bypass parental controls” and you will get a long list of options.
Commercial filters, such as those offered to schools and businesses, allow adult content to be blocked but also the use of anonymizer services to prevent filtering controls from being bypassed, providing greater protection – which is necessary in places of business and in schools. If an anonymizer is used and a commercial web filter is in place that blocks anonymizers, access will be denied, and the attempt will be recorded.
What is particularly worrying, is the suggestion that the findings of this study on the effectiveness of parental controls should be applied to schools. The researchers suggest in the paper “Our findings raise the question of whether mandatory state-funded Internet filtering in schools should still be regarded as a cost-effective intervention,” instead, the use of age verification tools or simply boosting educational strategies to support responsible online behavior should be explored.
Commercial web filtering solutions and parental controls solutions are not the same, and it is worth considering the following scenario. If a parent was to discover their child had viewed pornography at school and no filtering controls were in place to prevent access, would that parent agree with the school’s decision not to block pornography because a filter could potentially be bypassed? Or would a parent prefer a filter be put in place to make it harder for such content to be viewed?
The researchers do point out that more research is required to solidify the findings, specifically “to test Internet filtering in an experimental setting, done in accordance to Open Science principles.”
One thing is for certain, the use of web filters and parental controls to protect minors is certainly likely to continue to involve considerable discussion and the solution to the problem of minors accessing online material of a sexual nature is likely to involve a combination of technological controls, monitoring of internet access, and educational efforts.
The importance of web filtering for businesses cannot be understated. Businesses can install a range of perimeter defenses, but if controls are not implemented to restrict the activities of employees, malware can easily be downloaded onto work devices. The cost of mitigating malware infections can be considerable. The NotPetya malware attacks last year cost Maersk around $300 million. The Ponemon Institute annual cost of a data breach study suggests the average cost of a data breach is now $3.6 million for large businesses.
There is no single software solution that can provide total protection for businesses. A range of security solutions are required to reduce risk to an acceptable level, and web filters are one such control that should now be used by all businesses.
A new campaign has been detected this week that demonstrates the importance of web filtering for businesses, highlighting one of the methods used to install malicious software on corporate devices. In this case, the aim of the campaign is to install adware, unwanted browser extensions, and PuPs, although this tactic is often used to install much more malicious software.
The individuals behind this campaign are using autogenerated content to create large quantities of websites that incorporate commonly used keywords related to popular celebrities and adult industry actors. The aim of the campaign is to get these webpages indexed by the search engines and appearing in the organic search engine listings. Individuals who search for these keywords are likely to be presented with these webpages.
Upon opening these webpages, a popup is launched that advises the user that their computer lacks the codecs and software necessary to play the video. To get the videos to play, they need to install a media player. If the end user chooses to install the media player, rather than the media player being installed, a bundle of other programs is downloaded and installed on their device. The campaign also directs users to webpages where they are encouraged to install browser extensions.
If an employee is actively searching for inappropriate website content, it is easy to see how that individual would proceed with a download, and in doing so, install any number of potentially malicious programs.
This is not a hypothetical situation – many employees do just that. A recent survey conducted by Spiceworks delved into the reasons why companies are increasingly using web filters. The primary reason was to prevent the installation of malware. Further, when asked about whether employees had caused problems by accessing inappropriate website content, 38% of respondents said they had experienced a data breach in the past 12 months as a result of employees visiting websites that were not necessary for work.
The survey also revealed the extent that employees are using the Internet for personal reasons. Out of the companies that had not implemented a web filter, it was estimated that 58% of employees were wasting more than 4 hours a week on personal internet use, while 26% of employees were wasting 7 or more hours on non-work-related websites. That adds up to 26 days a year lost by each of those employees.
A web filter can allow a company to improve the productivity of the workforce. Employees will always slack off from time to time, but web filters can help to reduce the number of lost hours. The survey showed that the percentages fell to 43% spending more than 4 hours a week on non-work-related sites and 18% spending more than 7 hours a week slacking off online when a web filter was deployed – a significant reduction in lost hours. Further, blocking social media websites saw the figure fall to 30% of employees wasting more than 4 hours a week on personal internet use.
Another important benefit of web filtering is to prevent the accessing of illegal website content. Companies can be legally liable for illegal activities by their employees, such as the downloading of copyright protected material through peer-to-peer file sharing networks. The survey revealed two thirds of companies were using their web filter to avoid legal liability and 84% were using a web filter to stop illegal activity online. Data leakage is also a serious concern. 57% of companies use web filters to prevent data leakage and hacking.
If you want to improve your security posture, reduce the potential for productivity losses, and reduce legal liability, a web filter and at least some form of content control is essential.
If you have yet to implement a web filter, are unhappy with your current provider, or would like further information on the importance of web filtering for businesses, call the TitanHQ team today for further information. A free trial is also available for WebTitan, the leading web filtering solution for businesses, to allow you to find out first hand the benefits that content control offers.
What is a Botnet? How are they used? What harm can be caused, and how can you prevent a computer from becoming part of a botnet? These and other questions answered.
What is a Botnet?
A botnet is simply a collection of computers and other Internet-connected devices that are controlled by a threat actor. Usually that control is achieved via a malware installation, with the malware communicating with the threat actor’s command and control server.
Once malware has been installed on one device, potentially it can propagate to other devices on the same network, creating a mini-army of slave devices under the threat actor’s control. Any computer with the malware installed is part of the botnet and can be used on its own or collectively with other compromised devices for malicious purposes.
What are Botnets Used For?
Botnets are often used to conduct Distributed Denial of Service (DDoS) attacks, with the devices in the botnet used to access a particular service simultaneously and flooding it with traffic making that service temporarily unavailable. The Mirai botnet, which mostly consists of vulnerable IoT devices, was used to take down large sections of the Internet, including some of the most popular websites such as Twitter and Netflix. DDoS attacks are now being conducted that exceed 1 terabits per second, largely due to sheer number of devices that are part of the botnet.
One of the biggest botnets ever assembled was made possible with Zeus malware, a banking Trojan that was particularly difficult to detect. In the United States, an estimated 3.6 million computers had been infected with the malware, making Zeus one of the biggest botnets ever created.
In addition to DDoS attacks, botnets are also used to send huge quantities of spam and phishing emails. The Necurs botnet is the world’s largest spamming botnet, delivering 60% of all spam emails. The Gamut spam botnet delivers around 37% of spam botnet traffic. These two spamming botnets are primarily used to send malicious messages containing email attachments with malicious macros that download malware such as the Dridex banking Trojan, and the ransomware variants Locky, Globelmposter, and Scarab.
Recently, the rise in the value of cryptocurrencies has made it highly profitable to use the processing power of botnets to mine cryptocurrency. When processing power is used for cryptocurrency mining, the performance of the computers will reduce significantly.
How Are Botnets Created?
Botnets can be created through several different methods. In the case of IoT devices, attackers often take advantage of weak passwords and default credentials that have not been changed. Since IoT devices are less likely to be updated automatically with the latest software and firmware, it is easier to exploit flaws to gain access to the devices. IoT Devices also rarely have antivirus controls, making infection easier and detection of malware much harder.
Computers are most commonly recruited into botnets through malware sent via spam email campaigns – such as those sent out by the spamming botnets. Malware is delivered via infected email attachments or links to malicious websites where malicious code is hosted. Messages can be sent via social media networks and chat apps, which also direct users to malicious websites where malware is downloaded.
Drive-by downloads are also common – Malware is downloaded by exploiting vulnerabilities in browsers, add-ons or browser plug-ins, often through exploit kits loaded on compromised websites.
Prevent a Computer from Becoming Part of a Botnet
It is much easier to prevent a computer from becoming part of a botnet than identifying a malware infection and eradicating it once it has been installed. To prevent a computer from becoming part of a botnet, it is necessary to use technological controls and adopt security best practices.
Businesses need to ensure all staff are trained to be more security aware and are told about the risks of opening email attachments or clicking links in emails from unknown senders. They should also be told not to automatically trust messages from contacts as their email accounts could have been compromised. Employees should be taught security best practices and risky behavior, such as connecting to public WiFi networks without using a VPN, should be eradicated.
All software must be kept up to date with patches applied promptly. This will reduce the risk of vulnerabilities being exploited to deliver malware. Antivirus software should be installed and configured to update automatically, and regular AV scans should be performed.
Firewalls should be used to implemented to prevent unauthorized network access and allow security teams to monitor internet traffic.
Spam filtering solutions should be implemented to block the majority of malicious messages from being delivered to end users’ inboxes. The more messages that are blocked, the less chance there is of an employee responding to a phishing email and inadvertently installing malware.
One way to prevent a computer from becoming part of a botnet that is often forgotten, is the use of a web filtering solution. A web filter, such as WebTitan, will prevent malware and ransomware downloads and block access to malicious websites sent via email or through web browsing.
Implement these controls and it will make it much harder for your organization’s computers to be infected with malware and added to a botnet.
Austin, Texas-based managed services provider Acumera has successfully integrated the WebTitan web filtering solution into their service offerings and are now providing advanced web filtering to their clients.
Acumera provides managed security services to a wide range of companies throughout the United States across hundreds of thousands of locations, including healthcare providers, automated parking garages and some of the best-known retailers in the country such as 7-Eleven, Circle K, Subway, Pluckers, Benetton, and Valero service stations.
Many of the companies that have chosen Acumera to provide fully managed security services operate in hundreds or thousands of locations – 7-Eleven has more than 7,700 stores in the United States. Acumera secures payment systems and provides network security, connectivity, and visibility services across these widely distributed networks.
Acumera’s expertise in securing large highly distributed networks ensures its customers have the peace of mind that their networks and systems are fully secured, while avoiding the security headaches that many highly distributed companies face. Acumera’s customers certainly get an excellent return on their investment and tremendous value for money.
The Acumera Team with TitanHQ Alliances Director Mr. Eddie Monaghan in Austin, Texas.
Now, following the integration of WebTitan, Acumera’s customers can now benefit from advanced malware and ransomware protection both on and off corporate networks. WebTitan provides excellent protection from a wide range of web-based threats and allows companies to carefully control the websites that their employees can access. Highly granular controls ensure accurate content control without overblocking.
WebTitan Cloud is an easy to use, multi-tenant solution that MSPs can quickly set up and configure. There is no need for any hardware purchases, software installations of site visits. The 100% cloud-based solution can integrate seamlessly with existing client packages to increase revenue and attract more business.
The solution can be hosted on TitanHQ’s servers or within MSPs own environments, with a full white label version ready to take MSPs own branding.
Thanks to the WebTitan Application Programming Interface (API), managed services providers can easily incorporate WebTitan into their service offerings and provide DNS filtering to their customers.
If you are a managed service provider and you are interested in adding DNS filtering to your service stack and would like to become a TitanHQ Alliance partner, contact the TitanHQ team today for more information.
TitanHQ has announced as part of its strategic alliance with networking and security solution provider Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been incorporated into the Datto networking range and are immediately available to MSPs.
Datto is the leading provider of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto offers data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, and remote monitoring and management tools.
The addition of WebTitan to its range of security and networking solutions means its MSP partners can now offer their clients another level of security to protect them from malware and ransomware downloads and phishing attacks.
WebTitan is a 100% cloud-based DNS web filtering solution developed with MSPs in mind. In addition to allowing businesses to carefully control the types of websites their employees can access through corporate wired and wireless networks, the solution provides excellent protection against phishing attacks and web-based threats.
With phishing now the number one threat faced by SMBs and a proliferation of ransomware attacks, businesses are turning to their MSPs to provide security solutions to counter the threat.
Businesses that implement the solution are given real-time protection against malicious URLs and IPs, and employees are prevented from accessing malicious websites through general web browsing and via malicious URLs sent in phishing emails.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
At the upcoming TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States – MSPs will be able to see WebTitan in action. TitanHQ’s full team will be in attendance, including Ronan Kavanagh – TitanHQ’s CEO, Conor Madden – Sales Director, Dryden Geary – Marketing Manager, and Eddie Monaghan – Alliance Manager.
MSPs can visit the TitanHQ team at booth #66 in the exhibition hall for a demonstration of WebTitan, SpamTitan – TitanHQ’s award -winning spam filtering solution – and ArcTitan, TitanHQ’s email archiving solution. All three solutions are MSP friendly and are easily added to MSP’s service stacks.
DattoCon 2018 runs all week from June 18, 2018. The TitanHQ team will be present all week and meetings can be arranged in advance by contacting TitanHQ ahead of the conference.
A hacking group has succeeded in infecting hundreds of thousands of routers with VPNFilter malware. The scale of the malware campaign is astonishing. So far more than half a million routers are believed to have been infected with the malware, prompting the FBI to issue a warning to all consumers and businesses to power cycle their routers.
Power cycling the router may not totally eradicate the malware, although it will temporarily disrupt communications and will help to identify infected devices, according to a May 25 public service announcement issued by the FBI.
All users have been advised to change the password on their router, install firmware updates if they are available, and disable the router’s remote management feature.
According to the U.S. Department of Justice, the malware campaign is being conducted by the Sofacy Group, also known as Fancy Bear and APT28. The hacking group has ties to the Russian government with some believing the hacking group is directed by Russia’s military intelligence agency.
While most of the infected routers and NAS devices are located in Ukraine, devices in more than 50 countries are known to have been infected with the malware. VPNFilter malware is a modular malware with a range of different functions that include the ability to capture all information that passes through the router, block network traffic and prevent Internet access, and potentially, the malware can totally disable the router. The infected routers could also be used to bring down specific web servers in a DDoS attack.
Many common router models are vulnerable including Linksys routers (E1200, E2500, WRVS4400N), Netgear routers (DGN2200, R6400, R7000, R8000, WNR1000, WNR2000), Mikrotik RouterOS for Cloud Core Routers (V1016, 1036, 1072), TP-Link (R600VPN), QNAP (TS251, TS439 Pro and QNAP NAS devices running QTS software).
The motive behind the malware infections is not known and neither the method being used to install the malware. The exploitation of vulnerabilities on older devices, brute force attacks, and even supply chain attacks have not been ruled out.
The FBI has taken steps to disrupt the malware campaign, having obtained a court order to seize control of a domain that was being used to communicate with the malware. While communications have now been disrupted, if a router has been compromised the malware will remain until it is removed by the router owners.
How to Update Your Router
While each router will be slightly different, they can be accessed by typing in 192.168.1.1 into the browser and entering the account name and password. For many users this will be the default login credentials unless they have been changed during set up.
In the advanced settings on the router it will be possible to change the password and disable remote management, if it is not already disabled. There should also be an option to check the firmware version of the router. If an update is available it should be applied.
You should then either manually power cycle the router – turn it off and unplug it for 20 seconds – or ideally use the reboot settings via the administration panel.
DrayTek Discovers Actively Exploited Zero Day Vulnerability
The Taiwanese broadband equipment manufacturer DrayTek has discovered some of its devices are at risk due to a zero-day vulnerability that is being actively exploited in the wild. More than 800,000 households and businesses are believed to be vulnerable although it is unknown how many of those devices have been attacked to date.
The affected devices are Vigor models 2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220 and BX2000, 2830nv2; 2830; 2850; and 2920.
The vulnerability allows the routers to be compromised via a Cross-Site Request Forgery attack, one where a user is forced to execute actions on a web application in which they are currently authenticated. While data theft is possible with this type of attack, the attackers are using this attack to change configuration settings – namely DNS settings. By making that change, the attackers can perform man in the middle attacks, and redirect users from legitimate sites to fake sites where credentials can be stolen.
A firmware update has now been released to correct the vulnerability and all users of vulnerable DrayTek devices are being encouraged to check their DNS settings to make sure they have not been altered, ensure no additional users have been added to the device configuration, and apply the update as soon as possible.
When accessing the router, ensure no other browser windows are open. The only tab that should be open is the one used to access the router. Login, update the firmware and then logout of the router. Do not just close the window. Also ensure that you set a strong password and disable remote access if it is not already disabled.
Many small businesses purchase a router and forget about it unless something goes wrong and Internet access stops. Firmware updates are never installed, and little thought is given to upgrading to a new model. However, older models of router can be vulnerable to attack. These attacks highlight the need to keep abreast of firmware updates issued by your router manufacturer and apply them promptly.
TitanHQ has announced its 100% cloud-based web filtering platform, WebTitan, has been fully integrated into the Kaseya IT Complete Platform.
The IT Complete platform helps MSPs deliver invaluable cybersecurity and IT services to their clients quickly and efficiently. By using the platform, MSPs can save valuable time, allowing them to concentrate on IT projects strategic to their business.
The addition of a web filtering solution to the IT Complete platform allows MSPs to provide a more comprehensive range of cybersecurity solutions to their clients to help protect against a wide range of web-based threats. The web filtering solution joins cybersecurity solutions developed by Bitdefender, Cisco, and Dell and is now available to all MSPs who use Kaseya VSA.
WebTitan is a powerful DNS-based web filtering solution ideally suited to MSPs. The solution provides proven protection against malware and ransomware downloads, and complements existing anti-virus, email filtering, data backup solutions, and firewalls.
Being 100% cloud-based it is easy to deploy without the need for any hardware purchases, software installations, or site visits. With the new integration, WebTitan can be accessed directly through Kaseya VSA, and can be deployed and configured in minutes, providing near instant protection against web-based threats.
The integration of WebTitan into the Kaseya IT Complete platform is particularly timely, as some of the world’s leading MSPs will be attending the Kaseya Connect conference in Las Vegas, NV this week.
“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration. With over 10 million endpoints under their management it represents a massive opportunity for our business,” said Ronan Kavanagh, CEO of TitanHQ. “We look forward to working with Kaseya’s MSP partners and adding our personal touch and renowned focus on great customer support.”
The massive increase in cyberattacks on businesses in recent years has made cybersecurity a key area of growth for MSPs. Companies need to implement layered defenses to protect an ever-increasing attack surface and turn to MSPs to help them secure their networks.
“Security is a critical service that all MSPs must deliver,” said Frank Tisellano, Jr., vice president product management and design. “Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business. With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection.”
TitanHQ’s WebTitan is a powerful web filtering solution that helps businesses control the web content that can be accessed by its employees, but how does WebTitan work and how can the solution improve an organization’s security posture?
Why Are Web Filters Necessary?
Many businesses choose to implement a web filtering solution to prevent employees from accessing inappropriate web content such as pornography or to stop work computers from being used to download illegal content such as pirated films, music, and TV shows. A category-based web filter allows businesses to block certain types of web content with ease, such as adult material and P2P file sharing websites.
While content filters can achieve those aims, perhaps a more important function of web filters is to block web-based threats such as malware and phishing websites. Many businesses choose to deploy WebTitan to block these threats, but how does WebTitan work?
How Does WebTitan Work?
WebTitan Cloud is a 100% cloud-based web filtering solution that serves as a semi-permeable membrane between an organisation’s users and the Internet. When an end user attempts to access a particular URL that does not violate an organization’s acceptable Internet use policy, the request is honoured. Since there is no latency, the speed at which the website is loaded is the same as if no filtering mechanism is in place.
Unknown to the user, when an attempt is made to access a webpage, the DNS request is sent to WebTitan Cloud which determines whether the request should be allowed or denied.
If the user attempts to access a gambling website and the gambling category has been blocked through WebTitan Cloud, the user will be advised that their request has been denied and access to the site will be prevented. But how does WebTitan work as far as malicious websites are concerned? How are malicious URLs identified and blocked?
How Does WebTitan Block Access to Malicious Websites?
How does WebTitan determine which URLs are benign and which ones are malicious, and how are those checks performed in real-time?
To block malicious sites, WebTitan uses a crowd-sourced approach and obtains a constant stream of URLs for analysis. These ActiveWeb URLs come from websites actively visited by a global network of customers through high traffic markets such as subscriber analytics, networks security, IOT, and ad tech.
This traffic is used to train WebTitan’s human-supervised Machine Learning Systems to detect, monitor, and categorize threats. Using in house and third-party tools, WebTitan performs link, content, static, heuristic, and behavioural anomaly analyses to categorize threats. When threats are detected, the WebTitan team profiles, tests and validates those threats. Once threats have been validated, they are blocked with false positives used to train the system to improve future accuracy.
In contrast to many DNS-based systems, which only work at the domain level, WebTitan works at the path level and is capable of blocking individual webpages rather than entire domains. The majority of malicious URLs in the WebTitan database are marked as malicious at the path level – 99.7% of IP-based URLs and 88.35% of non-IP-based URLs.
WebTitan performs checks of websites that have previously been marked as malicious to determine whether they still contain malware or other threats. The WebTitan Malicious Detection Solution revisits up to 300,000 sites to check whether they are still infected or have been cleaned, and the database is updated accordingly. Sites previously marked as malicious can be accessed once they have been determined to be safe.
What Web-Based Threats Does WebTitan Block?
There are ten main web-based threats that WebTitan protects against:
Malware distribution points
Spyware and questionable software
Phishing and other fraudulent sites
Command and Control (C2) servers
Malware call-home addresses
Compromised sites and links to malware
With WebTitan, businesses not only have highly granular control over the types of sites that can be visited by their employees, a wide range of malicious sites are also blocked, preventing malware and ransomware infections, data theft, data exfiltration and fraud.
Many businesses have moved from wired to wireless technologies which has had a negative impact on their security posture. Wired networks are easier to secure than wireless networks, and if vulnerabilities exist they can be exploited by cybercriminals. Because of these security flaws, and the ease of exploiting them, wireless networks attacks are common. In this post we explore some of the common wireless network attacks and offer advice on simple steps that can be taken to secure wireless networks and prevent costly data breaches.
Wi-Fi is Ubiquitous, Yet Many Businesses Neglect Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something that is taken for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided. The decision to use a particular establishment is often influenced by whether free WiFi is available, but increasingly the quality of the connection is a factor in the decision process.
The quality of the WiFi on offer is not just a question of there being enough bandwidth and fast internet speeds.
Parents often choose to visit establishments that provide secure WiFi with content control, such as those that have been verified under the Friendly WiFi scheme. In order to be accredited under the scheme, businesses must have implemented appropriate filtering controls to ensure that minors are prevented from accessing age-inappropriate material. The massive rise in cyberattacks via public WiFi networks has seen many consumers choose establishments that offer secure WiFi access.
If you run a business and are providing WiFi to customers or have yet to provide WiFi and are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of your network. The past couple of years have seen many major attacks on WiFi networks and customers who use wireless services.
Some of the most common wireless network attacks are detailed below.
What are the Most Common Wireless Network Attacks?
Some of the most common wireless network attacks are opportunistic in nature. Businesses that fail to secure their WiFi networks leave the door wide open to scammers and hackers who would otherwise look for easier targets. Those scammers are happy to take advantage of poor security controls to steal sensitive information from WiFi users and distribute malware. Unsecured WiFi networks are also targeted by sophisticated cybercriminals and organized crime groups to gain a foothold in the network. The attacks can be extremely lucrative. If malware can be installed on POS systems, the credit/debit card numbers of tens or hundreds of thousands of customers can be stolen.
Fake WiFi Access Points, Evil Twins, and Man in the Middle Attacks
Visitors to hotels, coffee shops and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken when connecting. Customers often choose the WiFi access point based on the name without checking it is the wireless network set up by a particular establishment for customer use.
Criminals can easily set up fake WiFi access points, often using the name of the establishment in the SSID name. Calling it ‘Free Airport WiFi’ is a common ploy to get people to connect. When customers connect to these rogue WiFi networks they can still access the Internet and are likely to be unaware that anything is wrong. However, everything they do online is being monitored by cybercriminals. Sensitive information entered online, such as email addresses and passwords, credit card numbers, or banking credentials can be stolen.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in the coffee shop drinking a latte while monitoring the traffic of everyone that connects. Alternatively they can use a router with the same name and password as the one currently in use. This may also have a stronger WiFi signal, which may see more people connect to it but it is an “evil twin” through which man in the middle attacks occur – the interception of data sent over the network.
This is one of the most common wireless network attacks and it is surprisingly effective. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
Packet Sniffing: Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the 10 busiest malls in the USA had risky WiFi networks. One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use programs called packet sniffers to intercept traffic on unencrypted WiFi networks. These common wireless network attacks are easy on older routers, such as those using WEP encryption. WPA offers better security, although as a minimum WPA2 should be used, or better still, the recently released WPA3. Packet sniffing is one of the most common wireless network attacks.
Examples of WiFi Network Attacks
Listed below are some examples of common wireless networks attacks that have resulted in the installation of malware or theft of sensitive information. These attacks could easily have been prevented had appropriate security controls been implemented.
Tel Aviv Free WiFi Network Hacked
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure on the network. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no major vulnerabilities, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he was so inclined, he could have intercepted the traffic from tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable none the less due to the rise in use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. These devices can be vulnerable to supply chain attacks – Where hardware is altered to allow the devices to be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
In Flight WiFi Network Hacked from the Ground
Cybersecurity expert Ruben Santamarta has demonstrated it is possible to hack into airline WiFi networks from the ground and view the internet activity of passengers and intercept their information. More worryingly, he was also able to gain access to the cockpit network and SATCOM equipment. He claims the same technique could be used for ships, industrial facilities and even military installations. He explained how he did it in his “Last Call for SATCOM security” presentation at the 2018 blackhat hacker conference.
WiFi Networks Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network or customers requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers and poor WiFi security is likely to be exploited sooner or later. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature which will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – A more complicated setup that will require you to seek professional advice on security.
Encrypt WiFi Traffic with WPA2 or WPA3
If you have an old router that does not support WPA2 encryption its time for an upgrade. WPA2 is the minimum standard for WiFi security, and while it can still be cracked, it is time consuming and difficult. WPA3 has now been released and an upgrade should be considered. You should also make sure that WPS is turned off.
Update Firmware Promptly
All software and devices contain vulnerabilities and require updating. Software should be patched and devices such as routers will need to have their firmware upgraded when new versions are released. Check your device manufacturers website periodically for details of firmware updates and ensure your device is updated.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID in a prominent place where they can see it.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised when your business is closed, it increases the risk of an attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters although more is better. Alternatively use a 14-character+ passphrase.
Use a Web Filter
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and web pages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats such as drive by downloads, exploit kits and phishing. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases or software downloads, and being 100% cloud-based, can be managed and monitored from any location.
A web-based malware distribution network that was redirecting around 2 million website visitors a day to compromised websites hosting exploit kits has been disrupted, crippling the malware distribution operation. The web-based malware distribution network – known as EITest – was using compromised websites to redirect web visitors to sites where exploits were used to download malware and ransomware, as well as redirect users to phishing websites and tech support scams that convinced visitors to pay for fake software to remove non-existent malware infections.
Due to the scale of the operation, removing the redirects from compromised websites is a gargantuan task. Efforts to clean up those sites are continuing, with national CERTs notified to provide assistance. However, the web-based malware distribution network has been sinkholed and traffic is now being redirected to a safe domain. Proofpoint researchers were able to seize a key domain that was generating C&C domains, blocking the redirects and re-routing them to four new EITest domains that point to an abuse.ch sinkhole.
The sinkhole has only been in operation for a month – being activated on March 15 – yet already it has helped to protect tens – if not hundreds of millions – of website visitors. In the first three weeks alone, an astonishing 44 million visitors had been redirected to the sinkhole from around 52,000 compromised websites and servers.
The majority of the compromised websites were running WordPress. Malicious code had been injected by taking advantage of flaws in the CMS and plugins installed on the sites. Vulnerabilities in Joomla, Drupal, and PrestaShop had also been exploited to install the malicious code.
The web-based malware distribution network has been in operation since at least 2011, although activity increased significantly in 2014. While previous efforts had been made to disrupt the malware distribution network, most failed and others were only temporarily successful.
The malicious code injected into the servers and websites primarily redirected website visitors to an exploit kit called Glazunov, and to a lesser extent, the Angler exploit kit. Those exploit kits probed for multiple vulnerabilities in software to download ransomware and malware.
The threat actors behind EITest are believed to have responded and have attempted to gain control of the sinkhole, but for the time being those efforts have been thwarted.
How to Improve Security and Block Web-Based Malware Attacks
While it is certainly good news that such a major operation has been disrupted, the scale of the operation highlights the extent of the threat of web-based attacks. Spam email may have become the main method for distributing malware and ransomware, but organizations should not ignore the threat from web-based attacks.
These attacks can occur when employees are simply browsing the web and visiting perfectly legitimate websites. Unfortunately, lax security by website owners can easily see their website compromised. The failure to update WordPress or other content management systems and plugins along with poor password practices makes attacks on the sites a quick and easy process.
One of the best cybersecurity solutions to implement to reduce the risk of web-based attacks is a web filter. Without a web filter in place, employees will be permitted to visit any website, including sites known to host malware or be used for malicious purposes.
With a web filter in place, redirects to malicious websites can be blocked, downloads of risky files prevented, and web-based phishing attacks thwarted.
TitanHQ is the leading provider of cloud-based web filtering solutions for SMBs and enterprises. WebTitan Cloud and WebTitan Cloud for WiFi allow SMBs and enterprises to carefully control the website content that can be accessed by their employees, guest network users, and WiFi users. The solution features powerful antivirus protections, uses blacklists of known malicious websites, and incorporates SSL/HTTPS inspection to provide protection against malicious encrypted traffic.
The solution also allows SMBs and enterprises to enforce their acceptable internet usage policies and schools to enforce Safe Search and YouTube for Schools.
For further information on how WebTitan can protect your employees and students and prevent malware infections on your network, contact TitanHQ today.
Phishing is commonly associated with spam emails, but it is not the only method of phishing as the PayPal text phishing scam below shows. Phishers use various methods to obtain sensitive information. Phishing threats could arrive by email, text message, instant messenger services, over the phone or even in the mail.
Phishing is arguably the biggest threat to businesses and consumers and can result in a malware infection, the encryption of files via ransomware, an email account being compromised, the theft of sensitive data such as credit/debit card numbers or bank account information. A successful phishing attack could prove incredibly costly as bank accounts could be easily emptied. For businesses, malware infections can be catastrophic and billions are lost to business email compromise phishing scams each year.
There are approximately 200 million PayPal users, which makes the online payment service particularly attractive for phishers. PayPal is one of the most world’s most commonly spoofed brands. If the brand is spoofed, there is a relatively high percentage that the phishing email or text message will be received by a person who has a PayPal account. Further, PayPal accounts usually contain money and they are linked to a bank account and/or credit card. Gaining access to PayPal credentials can see the account and linked bank account emptied.
Phishers use a variety of social engineering techniques to fool end users into installing malware or disclosing their login credentials and other sensitive information. Spam email may be the main method of attack, although the use of text (SMS) messages – often referred to as SMiShing – is growing. This method of phishing can prove more successful for the attackers. The PayPal text phishing scam below is much harder to identify as malicious as many of the PayPal email phishing scams that have been detected in recent weeks.
Beware of this Credible PayPal Text Phishing Scam
This PayPal text phishing scam, and several variants along the same theme, have been detected in recent weeks. The text message appears to have been sent from PayPal from a short code number.
The message reads:
Your account is currently under review. Please complete the following security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu
Another message reads:
Your account is under review. Please fill in the following security form to avoid lockout: http://bit[dot]ly/_payPal__
This PayPal text phishing scam works because many people do not carefully check messages before clicking links. Click the link on either of these two messages and you will be directed to a website that appears to be the official PayPal website, complete with branding and the normal web layout. However, this is a PayPal text phishing scam. The websites that the messages direct recipients to are scam sites.
Those sites naturally require the user to enter their login credentials. Doing so just passes those credentials to the scammer. The scammer will then use those credentials to access an account, empty it of funds, and plunder the bank account(s) linked to the PayPal account. The password for the account may also be changed to give the attacker more time to make transfers and lock the genuine account holder out.
These scams are particularly effective on smartphones as the full URL of the site being visited is not displayed in the address bar due to the small screen size. It may not be immediately apparent that an individual is not on the genuine PayPal website.
This PayPal text phishing scam shows that you need to be always be on your guard, whether accessing your emails, text messages, or answering the telephone.
Don’t Become a Victim of an SMS Phishing Scam
The PayPal text phishing scam detailed above is just one example of how cybercriminals obtain sensitive information via text message. Any brand could be impersonated. Shortlinks are often used to hide the fact that the website is not genuine, as is altering the link text to mask the true URL.
To avoid becoming a victim of a SMiShing scam, assume any text message correspondence from a retailer or company could be a scam. If you receive a message – typically a warning about security – take the following steps.
Access your account by typing in the correct URL into your web browser. Do not use the link in the message.
Check the status of your account. If there is a freeze on your account, your account is under review, or it has been suspended, this will be clear when you log in.
If in doubt, contact the vendor by telephone or send an email, again using verified contact information and not any contact details supplied in the text message (or email).
Before logging in or disclosing any sensitive information online, check the entire URL to make sure the domain is genuine.
PayPal Email Phishing Scams
This PayPal text phishing scam is one of thousands of phishing campaigns targeting PayPal users, most of which arrive in inboxes.
PayPal email phishing scams can be highly convincing. The emails contain the familiar PayPal logo, the text in the message body is often well written with no grammatical errors or spelling mistakes, the footers contain all the information you would expect, and the font is the same as that used in genuine PayPal messages.
The purpose of PayPal phishing emails will vary depending on the campaign, although typically the aim is:
To fool someone into disclosing their PayPal username/email address and password combination
To obtain a credit/debit card number, expiry date, and CVV code
To obtain bank account information and other personal information to allow account access
To obtain a Social Security number and date of birth
To install malware – Malware can capture all the above information and more
To install ransomware – Ransomware encrypts files and prevents them from being accessed unless a ransom payment is made
PayPal phishing emails can be very convincing and virtually indistinguishable from genuine communications; however, there are often signs that suggest all may not be what it seems.
Some of the common identifiers of PayPal phishing emails have been detailed below:
The messages contain questionable grammar or spelling mistakes.
The hyperlink text suggests one domain, when hovering the mouse arrow over the link shows it directs the user to a different domain.
The message does not address the account holder personally and starts with dear PayPal user, user, or PayPal member instead of using the first and last name or the business name.
A link in the email directs the recipient of the message to a website other than the genuine paypal.com domain or local site – paypal.ca, paypal.co.uk for example.
The website the user is asked to visit does not start with HTTPS and/or does not have the green padlock symbol in the address bar.
The email requests personal information be disclosed such as bank account details, credit card numbers security questions and answers.
A user is requested to download or install software on their device.
HTTPS Does Not Mean a Website is Genuine
There has been a general push to get businesses to make the switch from HTTP to HTTPS by installing an SSL certificate. The SSL certificate binds a cryptographic key to an organization’s details and activates both the padlock sign and changes a website to start with HTTPS. This ensures that the connection between the browser and the web server is encrypted and secured.
If the website has a valid SSL certificate installed, it reduces the potential for snooping on information as its entered in the browser – credit card information for example. However, what an SSL certificate will not offer is a guarantee that information is safe and secure.
A website owned by or controlled by a cybercriminal could have valid SSL certificate and start with HTTPS and have a green padlock. Disclosing information on that site could see sensitive information handed to a scammer.
As more and more businesses have made the transition to HTTPS, so have cybercriminals. According to the Anti-Phishing Working Group’s (APWG) Q1, 2018 phishing activity trends report, 33% of all phishing websites now use HTTPS and have valid SSL certificates. HTTPS and a green padlock do not mean that a website is genuine.
Anti-Phishing Best Practices to Adopt
Exercise caution when someone sends you a hyperlink in a text message or email. The sender may not be who you think it is. A contact or family member’s email account may have been compromised or their phone stolen or the email address may have been spoofed.
Never open email attachments in unsolicited emails from unrecognized senders.
Beware of any email that suggests urgent action must be taken, especially when there is a threat of negative consequences – your account will be limited or deleted for example.
If in doubt about the genuineness of an email, do not click or open any attachments. Simply delete the message.
Businesses should implement an advanced spam filter to prevent the majority of phishing emails from reaching inboxes.
Businesses should also implement DMARC to prevent spoofing of their brands.
Businesses should provide ongoing security awareness training to employees to teach the skills required to identify phishing emails and smishing attempts such as this PayPal text phishing scam.
Lawmakers are considering a new bill that calls for mandatory web filtering in Rhode Island. More than a dozen U.S states are considering similar laws which make it necessary for the manufacturers or distributors of Internet enabled devices to use web filters to block access to adult content by default.
In other states the bill goes under the banner of the Human Trafficking Prevention Act. The aim of the legislation is to reduce the availability of online pornography, which is often claimed to represent ‘a public health crisis’ in the United States.
The purpose of the bill – sponsored by Senators Frank Ciccone (D-Providence) and Hannah Gallo (D-Cranston) – is not to make it illegal to view online pornography but to make state residents pay a fee if they want to view such material on their laptops, computers, and smartphones.
Bill Proposes Web Filtering in Rhode Island on All Internet-Enabled Devices
As in other states, the wording of the legislation means that web filtering in Rhode Island would be mandatory on all Internet-enabled devices, not only smartphones, laptops and desktops. This would require web filtering controls to also cover IoT devices and routers, which would be applied at the ISP level.
If the bill is passed, web filtering in Rhode Island would cover online pornography and any shows, motion pictures, performances, or images that “taken as a whole, lack serious literary, artistic, political, or scientific value.” The web filter would also need to block access to websites or hubs that facilitates human trafficking and prostitution and ensure child pornography and revenge porn cannot be accessed.
The move would certainly make it harder for minors to access adult content since in order to remove the filtering controls the device owner would be required to prove they are over 18 years of age. Any device sold in the state would need to be supplied with a warning about the removal of the filtering mechanism and the repercussions of doing so.
Any individual who wishes to remove the filtering would be allowed to do so by paying a one-off fee of $20. The fee would be added to a fund that supports the victims of human trafficking.
Any such technological control is unlikely to be 100% accurate, so a mechanism must be introduced that ensures requests can be submitted to add websites and webpages to the filter when obscene content has escaped the filtering controls. Conversely, when content is blocked that is not sexual in nature or is not patently offensive, a request can be submitted to add the page to a whitelist of allowable websites or have the site recategorized. Such requests would need to be processed no later than 5 days after the request has been submitted.
The failure to act on such requests would be punishable with a financial penalty of up to $500 per piece of content that was reported but not blocked. In its current form the bill does not call for similar fines to be imposed when requests are submitted to unblock legitimate content that has been inadvertently blocked by the filtering controls.
If you have yet to implement a web filtering solution to control the content that your employees can access at work, you are taking an unnecessary risk that could result in a costly malware infection, ransomware being installed on your network, or a lawsuit that could have been prevented by implementing basic web filtering controls. Many SMBs have considered implementing a web filter yet have not chosen a solution due to the cost, the belief that a web filter will cause more problems than it solves, or simply because they do not think it offers enough benefits. In this post we explain some of the common misconceptions about web filtering and attempt to debunk some common web filtering myths.
Common Web Filtering Myths
Antivirus Solutions Provide Adequate Protection from Web-Based Malware Attacks
Antivirus software is a must, although products that use signature-based detection methods are not as reliable as they once were. While antivirus companies are still quick to identity new malware variants, the speed at which new variants are being released makes it much harder to keep up. Further, not all malware is written to the hard drive. Fileless malware remains in the memory and cannot easily be detected by AV software. Antivirus software is still important, but you now need a host of other solutions to mount a reasonable defense against attacks. Layered defenses are now a must.
Along with AV software you should have anti spam software in place to block email-based threats such as phishing. You need to train your workforce to recognize web and email threats through security awareness training. Firewalls need to be set with sensible rules, software must be kept updated and patches must be applied promptly, regular data backups are a must to ensure recovery is possible in the event of a ransomware attack, and a web filtering solution should be installed.
A web filter allows you to carefully control the web content that can be accessed by employees. By using blacklists, websites known to host malware can be simply blocked, redirects via malvertising can be prevented, and controls can be implemented to prevent potentially malicious files from being downloaded. You can also prevent your employees from visiting categories of sites – or specific websites – that carry a higher than average risk.
There are other benefits to web filtering that can help you avoid unnecessary costs. By allowing employees to access any content, organizations leave themselves open to lawsuits. Businesses can be held liable for activities that take place on their networks such as accessing illegal content and downloading/sharing copyright-protected material.
Web Filtering is Prohibitively Expensive
Many businesses are put off implementing a web filtering solution due to the perceived cost of filtering the Internet. If you opt for an appliance-based web filter, you need to make sure you have an appliance with sufficient capacity and powerful appliances are not cheap. However, there is a low-cost alternative that does not require such a major cash commitment.
DNS filtering requires no hardware purchases so there is no major capital expenditure. You simply pay for the licenses you need and you are good to go. You may be surprised to find out just how low the price per user actually is.
Web Filtering is Too Complicated to Implement
Some forms of web filters are complex, and hardware-based filters will take some time to install and configure, which will take IT staff away from important duties. However, DNS based filters could not be any easier to implement. Implementing the solution is a quick process – one that will take just a couple of minutes. You just need to point your DNS to your web filtering service provider.
Even configuring the filter is straightforward. With WebTitan you are given a web-based portal that you can use to configure the settings and apply the desired controls. In its simplest form, you can simply use a checkbox option to select the categories of websites that you want to block.
Since WebTitan includes a database of malicious websites, any request to visit one of those websites will be denied. You can also easily upload third party blacklists, and for total control, use a whitelist to only allow access to specific websites.
Employees Will Just Bypass Web Filtering Controls
No web filtering solution is infallible, although it is possible to implement some basic controls that will prevent all but the most determined and skilled workers from accessing prohibited websites. Simple firewall rules can be easily set and you can block DNS requests to anything other than your approved DNS service. You can also set up WebTitan to block the use of anonymizers.
IT Support Will be Bombarded with Support Calls from Employees Trying to Access Blocked Websites
If you decide to opt for whitelisting acceptable websites, you are likely to be bombarded with support calls when users discover they are unable to access sites necessary for work. Similarly, if you choose to heavily filter the Internet and block most categories of website, then your helpdesk could well be swamped with calls.
However, for most companies, filtering the internet is simply a way of enforcing acceptable usage policies, which your employees should already be aware of. You are unlikely to get calls from employees who want access to porn at work, or calls from employees who want to continue gambling and gaming on the clock. Restrict productivity draining sites, illegal web content, phishing websites, and sites that are not suitable in the workplace, and explain to staff your polices in advance, and your support calls should be kept to a minimum.
Find Out More About DNS Filtering
If you have yet to implement DNS filtering in your organization, it is possible to discover the benefits of Internet filtering before committing to a purchase. TitanHQ offers a free trial of WebTitan Cloud (and WebTitan Cloud for WiFi) so you can try before committing to a purchase.
If you would like further information on getting started with web filtering, have technical questions about implementation, would like details of pricing or would like a demo or a free trial, contact the TitanHQ team today.
It has taken some time, and Google did not want to have to take action, but finally the Google Chrome Ad blocker has been released. The new feature of Chrome means intrusive adverts can now be blocked by users if they so wish.
What Will the Google Chrome Ad Blocker Block?
Google makes a considerable amount of money from advertising, so the Google Chrome Ad blocker will not block all adverts, only those that are deemed to be intrusive and annoying. Those are naturally subjective terms, so how will Google determine what constitutes ‘intrusive’?
One of the first checks performed by Google is whether adverts on a webpage violate the standards set by the Coalition for Better Ads – A groups of trade organizations and online media companies committed to improving the online experience for Internet users.
The Coalition for Better Ads has identified ad experiences that rank the lowest across a range of experience factors and has set a bar for what is acceptable. These standards include four types of ads for Desktop users: Popup ads, auto-playing videos with sound, prestitial ads with countdowns, and large sticky ads. There are eight categories covering mobile advertising: Popup ads, prestitial ads (where ads are loaded before content), prestitial ads with countdowns, flashing animated ads, auto-playing videos with sound, full screen scrollover ads, large sticky ads, and an ad density higher than 30%.
Google Chrome assesses webpages against these standards. If the page has none of the above ad categories, no action will be taken. Google says when 7.5% of ads on a site violate the standards the filter will kick in. If the above standards are violated the site get a warning and will be given 30 days to take action. Site owners that ignore the warning and fail to take action will have their sites added to a list of failed sites. Those websites will have the adverts blocked, although visitors will be given the option of loading adverts on that site.
The aim of the Google Chrome Ad blocker is not to block advertisements, but to urge site owners to adhere to Better Ads standards. Google reports that the threat of ad blocking has already had a positive effect. Before the Google Chrome Ad blocker was even released, Google says 42% of sites with intrusive adverts have already made changes to bring their sites in line with Better Ads standards.
The move may not have been one Google wanted to make, but it is an important step to take. Intrusive adverts have become a major nuisance and web users are taking action by installing ad blockers. Ad blockers do not rate ads based on whether they are annoying. They block all adverts, which is obviously bad for companies such as Google. Google made $95.4 billion dollars from advertising last year and widespread use of ad blockers could make a serious dent in its profits. According to figures from Deloitte, 31% of users in the United States have already installed ad blockers and the figure is expected to rise to a third of all computers this year.
So, will the Google Chrome ad blocker mean fewer people will use ad blocking software? Time will tell, but it seems unlikely. However, the move may mean fewer people will seriously consider blocking adverts in the future if companies start adhering to Better Ads standards.
Why Businesses Should Consider Using a Web Filter
For businesses, adverts are more than a nuisance. Some adverts pose a serious security risk. Cybercriminals use malicious adverts to direct end users to phishing websites and webpages hosting exploit kits and malware. Termed malvertising, these adverts are a major risk. While it is possible to use an adblocker to prevent these malicious adverts from being displayed, adblockers will not prevent other serious web-based threats. For greater web security, a web filter is required.
By carefully controlling the web content that can be accessed by employees, businesses can greatly improve web security and block the majority of web-based threats.
For more information on blocking malicious and undesirable content, contact the TitanHQ team today for advice.
The multi-award-winning email and web filtering solution provider TitanHQ has announced an exciting new partnership with the international consulting, coaching, and peer group organization HTG.
The new partnership – announced at the HTG Peer Groups Q1 quarterly meeting at the Pointe Hilton Squaw Peak Resort in Phoenix AZ – will see TitanHQ join HTG Peer Groups as a Gold vendor, which gives the HTG community immediate access to TitanHQ’s leading web filtering solution WebTitan.
Currently, service providers are being called upon to provide costly support to their clients to help them defend against ransomware and malware attacks. They are also required to spend a considerable proportion of the time allocated to each client under service level agreements mitigating malware and ransomware infections caused by careless employees.
By implementing WebTitan, service providers can easily provide an additional layer of Internet security to their clients, helping to protect them against ransomware and malware attacks. With WebTitan in place, they will also avoid the costly and time-consuming task of mitigating attacks and removing malicious software.
By deploying WebTitan, managed service providers quickly and easily secure their clients’ networks. Once protected, instead of accessing the Internet directly, all Internet requests are made through WebTitan, which serves as a protective barrier preventing malicious websites from being accessed. WebTitan scans websites and webpages searching for malicious content and when harmful webpages are identified they are added to block lists. Any request made by a user to access a malicious website will blocked before a connection to the site is made.
Additionally, WebTitan is a powerful content filter that can be controlled by the MSP or their clients. Once the content filter is applied, any attempt to access a webpage or website that contravenes the organization’s acceptable Internet usage polices will be blocked. WebTitan also provides visibility into Internet usage via detailed reports that are automatically sent to security/HR teams.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
The new partnership between TitanHQ and HTG will make it even easier for the HTG community to add this important security protection to their service stacks and provide better value to their clients.
“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said Arlin Sorensen, founder of HTG Peer Groups.
In contrast to many web filtering solutions that have been developed for enterprises and subsequently tweaked to make the products suitable for MSPs, WebTitan was developed specifically with MSPs in mind.
“The WebTitan web filter was built by MSP’s for MSP’s and this exciting relationship with HTG Peer Groups is a continuation of that process,” said Ronan Kavanagh, CEO of TitanHQ. “It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships.”
In addition to being given access to WebTitan, the HTC community will also have access to TitanHQ’s email archiving platform ArcTitan and will be able to offer spam and phishing protection to their clients through SpamTitan, the leading email filtering solution for MSPs.
The Rockingham school district in North Carolina discovered Emotet malware had been installed on its network in late November. The cost of resolving the infection was an astonishing $314,000.
The malware was delivered via spam emails, which arrived in multiple users’ inboxes. The attack involved a commonly used ploy by cybercriminals to get users to install malware.
The emails appeared to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attachment. The emails were believable and were similar to many other legitimate emails received on a daily basis.
The emails asked the recipient to open and check the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.
Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users. Reports from Google saying email accounts had been shut down due to spamming started to be received. The school district investigated and discovered several devices and servers had been infected with malware.
Emotet malware is a network worm that is capable of spreading across a network. Infection on one machine will see the virus transmitted to other vulnerable devices. The worm drops a type of banking malware on infected devices that is used to steal victims’ credentials such as online banking details.
Emotet is a particularly advanced malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how problematic Emotet malware infections can be when attempts were made to remove the worm. The school district was able to successfully clean some infected machines by reimaging the devices; however, the malware simply re-infected those computers.
Mitigating the attack required assistance from security experts, but even with expert help the recovery process is expected to take up to a month. 10 ProLogic ITS engineers will spend around 1,200 on site reimaging machines. 12 servers and potentially up to 3,000 end points must be reimaged to remove the malware and stop reinfection. The cost of cleanup will be $314,000.
Attacks such as this are far from uncommon. Cybercriminals take advantage of a wide range of vulnerabilities to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness of employees. Malware can similarly be installed by exploiting unpatched vulnerabilities in software, or by drive-by downloads over the Internet.
To protect against Emotet malware and other viruses and worms layered defenses are required. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can detect atypical user behavior, antivirus solutions can potentially detect and prevent infections, while web filters can block web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to recognize malicious emails and websites.
Only a combination of these and other cybersecurity defenses can keep organizations well protected. Fortunately, with layers defenses, it is possible to avoid costly malware and phishing attacks such as the one experienced by the Rockingham school district.
15 years after the launch of the wireless security protocol WPA2, the Wi-Fi Alliance has announced this year will see the release of the WPA3 protocol. The transition period from the WPA2 to WPA3 protocol is expected to take several months.
WPA2 was released in 2003, bringing with it a number of key security enhancements to its predecessor WPA. WPA2 fast became the accepted Wi-Fi CERTIFIED security technology and is now used in more than 35,000 certified Wi-Fi products, including smartphones, tablets, and IoT devices.
Since its launch, WPA2 has received several enhancements and the protocol will continue to be updated this year. The Wi-Fi alliance says updates will be applied over the coming weeks and months and will occur ‘under-the-hood’ and will be unnoticeable to users. The enhancements will address configuration, authentication, and encryption.
The first major update to WPA2 is for Protected Management Frames (PMF) in Wi-Fi devices, which ensure the integrity of network management traffic on Wi-Fi networks. The update concerns when devices are required to use PMF, refining configurations for Wi-Fi CERTIFIED devices to ensure the highest possible level of security.
The second enhancement requires companies to conduct additional checks of their devices to ensure best practices for using the Wi-Fi security protocols have been adopted. This will reduce the potential for the misconfiguration of networks and devices, further safeguarding managed networks with centralized authentication services.
The third major update standardizes 128-bit level cryptographic suite configurations, which will deliver more consistent network security configurations. The Wi-Fi Alliance VP, Kevin Robinson, said, “Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security.” This update will ensure all cryptographic components used are of the required standard, ensuring there are no weak links in the encryption chain.
By adding these enhancements to its Wi-Fi certification program, users can be sure all certified Wi-Fi devices will have the highest level of security.
The Wi-Fi Alliance says WPA2 will continue to be deployed in Wi-Fi devices, although following the launch of the WPA3 protocol later this year there will be a gradual transition to the WPA3 protocol. During the transition period, both WPA2 and WPA3 will be run concurrently. The process of changeover is expected to take several months, as it is necessary for all hardware to be certified to make sure the new protocol can be supported.
The WPA3 protocol will incorporate several important enhancements to improve Wi-Fi security. The full specifications have not yet been published but are expected to include increased privacy protections for users of open networks with individualized data encryption.
Controls to prevent malicious actors from undertaking multiple login attempts via commonly used passwords is expected, as well as more simplified configuration for IoT devices that do not have a display. The new WPA3 protocol will also use 192-bit security or the Commercial National Security Algorithm to improve security for government, defense, and industrial networks.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”
The Children’s Internet Protection Act (CIPA) requires Internet filtering controls in schools to be applied to block obscene images, child pornography, or other images that could be harmful to minors.
Compliance with the Children’s Internet Protection Act is not mandatory, but a lack of Internet filtering controls in schools means that it is not possible to receive discounts under the e-rate program – an initiative that makes telecommunications and Internet services more affordable for schools. The discounts are considerable. Schools can reduce their telecommunications costs by up to 90%.
Consequently, many schools choose to comply with CIPA and apply Internet filtering controls to block inappropriate website content. However, Internet filtering controls in schools are often overly restrictive, and are not only used to block obscene content, but other material with important educational value.
A recent report by the American Civil Liberties Union (ACLU) of Rhode Island, has revealed that many schools are choosing to use their Internet filters to block a broad range of website content – Far more than is necessary to comply with CIPA.
The latest report is a follow-on study from a 2013 investigation into Internet filtering controls in schools in Rhode Island. Four years ago, the ACLU study found that teachers were being hampered by Internet filters and prevented from using the Internet to educate students. Students were also blocked from accessing information relevant to their studies.
Since that initial report was released, the Rhode Island Department of Education (RIDE) released guidance for schools on Internet filtering, following the passage of a new state law that required Internet filtering controls in schools to foster academic freedom.
For the latest report, ACLU requested copies of Internet filtering policies from school districts to determine whether state laws were being followed and if Internet filtering controls in schools had improved following the model policy issued by RIDE.
33 school districts responded to the request, but only five of the schools had an Internet filtering policy in place, and out of those five, three were not in compliance with the new state law.
Critics of Internet filtering controls in schools often point out that in an effort to block obscene and sexual content, topics such as sex education are accidentally blocked. However, the report suggests that the blocking of such content by Rhode Island schools was not always accidental.
It is important for children to be able to have their questions answered on sex. Schools are often the only places where children can access such educational content. UCLU found that it was common for sex education content to be blocked by filters in Rhode Island schools.
Other topics that were commonly blocked were material related to drugs, tobacco, alcohol, terrorism, and religion. ACLU pointed out that the Internet filtering controls prevented students from researching topics such as the medicinal use of marijuana, fetal alcohol syndrome, abortion, or the opioid epidemic in the United States.
Some schools had even more restrictive filers in place that prevented students and staff from accessing topics such as hobbies, dictionaries, news and political websites, humor and information about alternative sexual lifestyles.
The Internet filtering law in Rhode Island requires schools to have an Internet filtering policy that explains why a particular category of website content is blocked to ensure transparency, and to list who is responsible for making the decision about blocking that category.
A mechanism must also be put in place that allows staff and students to request the lifting of a block (whitelisting a website for example) to allow educational content to be accessed. Yet the report showed that in many cases, staff and students had to wait for excessively long periods before their request was honored.
The law requires a list to be maintained of all requests and for those lists to be assessed annually to determine whether filtering controls need to be altered. RIDE’s model Internet filtering policy must also be adopted to ensure academic freedom.
ACLU said, “Without adoption and implementation of strong policies across the board, we will continue to see an array of issues involving the over-filtering of our schools’ Internet systems, which will continue to negatively impact students from accessing information and teachers from making use of helpful educational tools.”
Using a clunky system that blocks valuable content will be damaging to children’s education. Internet content filtering in schools is important, but it is also important for a technological control to be implemented that is not overly restrictive.
With WebTitan, it is possible to block obscene content and to comply with CIPA, without restricting access to important educational content. Category filters are accurate, and thanks to highly granular controls, adjusting filtering settings is a quick and straightforward process. With WebTitan, schools can quickly fine tune their filters and process staff and student requests to unblock content and comply with both CIPA and state laws.
If you are looking for an alternative solution that allows you to carefully control the content that can be accessed over the Internet by staff and students, that allows different controls to be applied for different users and user groups and is easy to use, contact the TitanHQ team today and find out about the difference WebTitan can make.
Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?
First of all, it is worth considering that most people have a great deal of passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. If you rarely venture online and do not make online purchases, that means you will need to learn a handful of passwords (and change them regularly!).
Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.
These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.
With a password manager you can generate a strong and impossible to remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashline, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”
That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.
That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters and you should change that password every three months.
If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.
Flaws Discovered in Password Managers
Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.
Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email. Similarly, that flaw was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.
These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.
Are Password Managers Safe to Use?
So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.
Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.
In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.
As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.
Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.
HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.
If a website starts with HTTPS it means that a SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.
According to PhisLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.
Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.
Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.
However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the benefits that come from HTTPS websites. Namely trust.
Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.
What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages. Twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.
While checks are frequently performed on websites before a SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.
The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site is secure, it does not mean all plugins are kept up to date and neither that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.
The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.
For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites, and that the solution is capable of decrypting secure sites to perform scans of the content.
For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.
The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.
The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.
The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.
Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.
The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.
Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.
Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.
Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.
Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.
The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.
For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identifed combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.
The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.
The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.
End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.
First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had been previously purchased by hackers, had been re-bought by other scammers when they came up for renewal.
Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLS are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.
Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.
The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.
TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.
This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.
Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.
Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry
The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.
The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.
The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.
Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.
TitanHQ On the Road
It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.
The Wi-Fi Now Europe 2017 comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues. Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained about the new integration of WebTitan with Kaseya.
The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than decade since the Security Rule was introduced, and data breaches still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.
September Data Breaches in Numbers
The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.
HIPAA Compliance Will Not Prevent Healthcare Data Breaches
HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.
HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.
Detect Insider Breaches Promptly
Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.
HIPAA Requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
Close the Door to Hackers
50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.
Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.
Prevent Impermissible Disclosures of PHI
One of the leading causes of PHI disclosures occurs when laptop computers, zip drives, and other portable devices are lost or stolen. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.
Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.
Block Malware and Ransomware Attacks
Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.
Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.
Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.
Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity has fallen considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit it is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.
The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.
Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: A scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also attempted.
Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.
Smoke Loader malware is a backdoor that if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and Globelmposter ransomware.
To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.
For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.
Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.
The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.
Researchers at Qihoo 360, who discovered the new botnet, report that the malware also includes in excess of 100 DNS open resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.
Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”
While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslaves IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.
IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.
Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.
At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.
If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.
Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.
There are two conditions required to pull off KRACK– The WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.
The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFI protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.
In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.
The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”
The disclosure of this WPA2 WiFi vulnerability has had many vendors franticly developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.
There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.
While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.
This week, the UK government’s Culture Secretary Karen Bradley announced the publication of a new green paper outlining the government’s Internet Safety Strategy, saying the aim is to make the UK the safest place to be online.
The Internet Safety Strategy outlines the awareness campaign that the government is taking to prevent cyber-bullying, trolling and the accessing of pornography by minors. The government has come under increasing pressure in recent years to take decisive action to curb the growing problem of online abuse and harm to minors from accessing age-inappropriate websites.
In a recent press release announcing the new Internet Safety Strategy, Bradley said “In the past year, almost one fifth of 12-15-year olds encountered something online that they ‘found worrying or nasty in some way’ and 64% of 13-17-year olds have seen images or videos offensive to a particular group.” The problem is not confined to minors. Adults too have been offended or upset by material they have viewed on social media sites, and the new strategy will also help to keep adults safe and protected online.
The aim of the new proposals is not censorship of the Internet – the UK government continues “to embrace the huge benefits and opportunities the Internet has brought for British citizens.” The aimof the government’s Internet Safety Strategy is simply to make the Internet a safer place and prevent harm to vulnerable people, especially children.
Bradley said, “Behaviour that is unacceptable in real life is unacceptable on a computer screen. We need an approach to the Internet that protects everyone without restricting growth and innovation in the digital economy.”
The Internet Safety Strategy tackles a range of online issues using several different methods – a combination of improved efforts to educate children and the public about online dangers and acceptable online conduct, social media advice, the promotion of safety features for parents to use to protect their children, and the use of Internet filtering in schools.
Some of the key elements in the Internet Safety Strategy are:
Developing a new social media code of practice to address bullying, intimidating, or humiliating online content
An industry-wide levy so social media companies and communication service providers contribute to raise awareness and counter internet harms
The publication of an annual Internet safety transparency report detailing the progress made at reducing abusive and harmful content and conduct
Providing support for start-ups and tech companies to help them build safety features into their products and apps at the design stage
Compulsory new subjects in schools: Relationship education at the primary school level and relationship & sex education at secondary level
Encouraging social media companies to provide social media safety advice to parents and build that advice into their platforms
Promoting the use of social media and Internet safety features by parents
Changing the name of the UK Council for Child Internet Safety to the UK Council for Internet Safety, to show the safety of all Internet users is of concern
In the new green paper, the Keeping Children Safe in Education (KCSIE) guidance is highlighted. The guidance details the steps that schools and colleges in England should take to protect students and keep them safe online. The guidance was updated in September last year to include a new section on safeguarding children online. Schools were reminded of their responsibility to prevent children from accessing harmful and inappropriate website content, explaining Internet filtering in schools is a requirement. Solutions that allow Internet filtering in schools should block inappropriate content and also allow the monitoring of the attempted access of inappropriate material.
The use of similar controls by parents is being encouraged, first by making sure the options are available – the big four ISPs in the UK all offer Internet content filtering controls – and to improve education on the need to implement content filtering solutions to protect children at home.
Vicki Shotbolt, Chief Executive Officer at Parent Zone – an organization set up to provide expert information to families, schools and family professionals on the Internet safety – said, “It is encouraging to see the government proposing concrete steps to ensure that industry is doing everything they can to support families and make the Internet a place that contributes to children flourishing.”
A Social Community Partnership in Ireland that terminated an employee for accessing porn at work was sued for unfair dismissal; however, the Workplace Relations Commission (WRC) in Dublin upheld the decision of the company to terminate the employee, which was deemed to be the appropriate sanction under the circumstances.
The viewing of any pornographic material in the workplace is unacceptable, but for a Social Community Partnership that provides services to children and families, it is especially important to take action when employees access obscene material – In this case the webpages depicted rape, the abduction of girls, and non-consensual sex.
A statement released by the unnamed Social Community Partnership read, “[The worker’s] actions go against the grain of the organization, but has the potential to put at risk the company’s funding relationship with Government services.”
The accessing of inappropriate material was discovered during a review of the computers used by receptionists at the Partnership. That review revealed pornographic material had been accessed on a reception computer on seven occasions between September 30th and November 26th, 2015. The material was accessed between 1.28pm and 16.40pm, and while multiple employees had access to the computer, on three of the occasions, the terminated employee was the only member of staff working in the reception area.
Once that was confirmed in May 2016, the employee’s contract was terminated for gross misconduct. The employee appealed the decision internally, claiming the allegations were incorrect. She denied accessing porn at work and claimed she was not the only person to have access to the computer. Two other receptionists were employed at the firm and could have accessed the material. When the appeal was rejected, the employee sued the firm for unfair dismissal.
An independent IT consultant was brought in to conduct a scan of the computer to confirm that a malware infection was not present, which could theoretically have been responsible for the sites being accessed. The woman maintained there was no evidence against her and popups could have explained the accessing of the material. She also said other employees could have accessed the computers in the reception area, which did not require the use of secure passwords.
The WRC ruled that, on the balance of probability, the employee did access pornographic material, and the decision to terminate the employee was correct. The woman has been unable to find further work in the field, despite her 18 years’ experience, due to the nature of her dismissal.
Employees Accessing Porn at Work Is a Widespread Problem
The accessing of pornography at work is widespread, global problem – and one that acceptable Internet usage policies do not prevent.
A 2013 report from the UK government found computers in parliament were used to make an average of 800 visits to pornographic websites per day – more than 300,000 attempts were made over the period of study.
A 2014 survey by Proven Men Ministries found nearly two third of men (63%) and one third of women (36%) admitted accessing pornography at work, while a 2015 poll conducted by The Sun newspaper in the UK found 15% of women in the UK watch pornography at work.
In the United States, a Harris Poll in 2011 found 3% of Americans watch porn at work, with an earlier study by The Nielsen Company placing the figure at around 28%.
While there is some variation between the studies, it is clear that the accessing of pornography at work is a widespread problem, responsible for a significant loss of productivity, the creation of a hostile work environment, and many HR issues.
Companies Can Easily Avoid Pornography-Related HR Issues
Even though acceptable Internet usage policies are developed, and employees have to confirm that those policies have been read and understood, many employees still access porn at work. Some employees simply disregard those policies, others mistakenly believe they will not be found out.
For the company, accessing porn at work causes major HR issues. Complaints are often made by other employees who have caught a glimpse of the material, a hostile work environment can develop, HR departments have to take disciplinary action, and recruit and train replacement employees – all of which are a drain on productivity and result in many lost man hours.
As this case shows, these incidents can result in bad publicity, potentially loss of funding, and legal costs from fighting lawsuits.
However, all of these problems are easy to avoid. Companies can simply block adult website content with a web filter. A web filter allows firms to enforce acceptable Internet usage policies and prevent obscene or otherwise inappropriate material from being accessed by employees.
The Social Community Partnership would have been able to avoid all the bad publicity and paying to fight the unfair dismissal claim if a web filtering solution been put in place to enforce acceptable Internet usage policies.
If you have yet to start filtering the Internet, and are not blocking pornography and other inappropriate material from being accessed in the workplace, contact TitanHQ today and ask about WebTitan – The leading web filtering solution for enterprises.
The healthcare industry has been extensively targeted, and now Dark Overlord cyberattacks on schools have soared – The education sector is now being targeted.
The cyberattacks on healthcare institutions included threats to publish data. Those threats were often ignored, resulting in sensitive data being dumped online. While such data dumps are damaging to healthcare organizations and their patients, many attacked institutions followed the advice of the FBI and chose not to give in to the mafia-style extortion tactics.
The recent Dark Overlord cyberattacks on schools have been different. Educational institutions have not only been hacked and had sensitive data stolen, the hacking group has escalated its threats. Additionally, rather than just sending threats to the schools, parents of some of the children whose data were stolen have also been contacted by text. The aim is clear. To put pressure on schools to pay up.
The latest wave Dark Overlord cyberattacks on schools have been spread across the country. Schools in Alabama, Iowa, Montana, and Texas have all been attacked in recent weeks. The attacks have followed a similar pattern to the attacks on healthcare organizations, Gorilla Glue, and Netflix. Sensitive data have been stolen, a payment was demanded, and a threat issued to publish the data online if the payment was not made.
Payment of a ransom does not guarantee data will not be released. The latest episode of Orange is the New Black was stolen and Netflix was threatened. A $50,000 ransom was paid, but the episode was still released – It was claimed this was for contacting the FBI.
The latest attacks have got more personal. The Dark Overlord cyberattacks on schools have seen parents of children sent personalized text messages threatening violence against their children. One of those messages included the address of the family with the message “your child is still so innocent. Don’t have anyone look outside.” The Des Moines Register reported that one parent responded to the message telling the sender of the messages to stop and was told, “we are just getting started.” Other text messages threatened to kill kids at the school resulting in the school closing for a day as a precaution.
In the case of the cyberattack on Johnston Community School District in Iowa, data was dumped online. TDO allegedly said the data would help child predators.
The attack on Montana’s Columbia Falls School district was accompanied by a 7-page letter, in which Sandy Hook was referenced. Threats were issued about publishing grades, sensitive behavioral reports, details of ‘shoddy student work’, nurse reports, and private health information. While various methods of payment were offered, a ransom payment of $150,000 was demanded in Bitcoin. In exchange, TDO said all stolen data would be deleted.
Similar attacks have occurred at Alabama’s Crenshaw County Schools District and Splendora School District in Texas. The escalation in the threats was reportedly in response to the FBI telling breach victims not to respond to the messages and not to pay the ransom demands.
While these Dark Overlord cyberattacks on schools follow a similar pattern to other attacks, there are notable differences, raising the prospect that some of the attacks were performed by other hackers piggybacking on the name.
Regardless of who is conducting the attacks, the message to schools – and all other organizations – is clear. Make sure your networks are well defended. Implement layered cybersecurity defenses, patch promptly, and consider using encryption for all stored data.
Libraries are places of open learning where the Internet can be freely accessed. Acceptable internet usage policies for libraries are usually developed, but many libraries do not go as far as restricting access to certain types of Internet content. That means acceptable Internet usage policies for libraries can be easily abused. Library computers can be used for highly illegal activities and there is little to prevent minors from coming to harm.
The Importance of Free and Open Internet Access in Libraries
The provision of open access to the Internet in libraries is understandable. Libraries are places of learning where the public can gain access to information of all types. Even if information is highly controversial and causes offense to some individuals, that does not mean access to the information should be blocked.
When Charles Darwin published the Origin of Species it was hugely controversial, but it would be difficult to argue the book has no place in a library. In order for people to understand and debate Darwin’s views, they need access to his book.
Access to the Internet is now provided in most libraries. For many individuals, libraries are the only places where the Internet can be accessed freely. Children especially may be unable to access the Internet at home and view important educational information without fear of reprisals – viewing information on LGBTI issues for example or information on sex education.
Many libraries, as places of open learning, are reluctant to place any restrictions on Internet access, instead acceptable internet usage policies for libraries are used to lay down the rules on the content that is permitted and prohibited.
Typical Acceptable Internet Usage Policies for Libraries
When acceptable internet usage policies for libraries are used, they usually state that while access to website content is not blocked, library computers should not be used to access illegal web content – content such as child pornography, which is illegal in all forms.
Acceptable Internet usage policies for libraries often reference the Children’s Internet Protection Act (CIPA), which requires schools and libraries to implement controls to prevent the accessing of imagery that could be harmful to minors – pornography, child abuse, child pornography, and other potentially harmful imagery. However, schools and libraries are only required to comply with CIPA if they receive certain state or government funding. Many libraries would be reluctant to block adult pornography, because it is not illegal and would not do so if they are not required to do so by CIPA.
While acceptable internet usage policies for libraries are important for laying down the rules, not all library patrons read those policies or adhere to them. The policies will do nothing to prevent illegal content from being accessed and minors will not be prevented from accessing potentially harmful images.
Where Acceptable Internet Usage Policies for Libraries Fail
There have been numerous complaints made by members of the public in recent years of cases of patrons using library computers to access pornography, in full view of other library patrons. The past few days have seen another example covered by the media of where the use of acceptable internet usage policies for libraries has failed.
The latest compliant was made about College Terrace Library in Palo Alto, CA. The library has an acceptable Internet usage policy but does not filter the Internet in any way. The policy states “Libraries and librarians should not deny or limit access to electronic information because of its allegedly controversial content or because of the librarian’s personal beliefs or fear of confrontation.”
The complaint in question, which has led to a police investigation, concerns the actions of one of the library’s patrons, who was seen accessing images of child pornography on a library computer in full view of other patrons. That individual’s actions were illegal and contravened library AUPs, yet it was still possible for that information to be accessed.
Free and Open Internet Access in Libraries, With Certain Restrictions?
The incident shows how the decision not to impose any restrictions on Internet access has potential to cause harm to library patrons, many of whom will be minors. Acceptable internet usage policies for libraries can be ineffective; however, the use of Internet filtering software can solve this problem.
The purpose of Internet filtering software in libraries is not to limit free speech, or even police Internet as such. The aim is to protect minors and to prevent extremely harmful illegal content from being accessed by some individuals to protect all library patrons.
The American Library Association (ALA) is against filtering of Internet content in libraries. The ALA even filed a lawsuit claiming CIPA was unconstitutional and violated the first amendment rights of consumers. The ALA argued that the Internet was a public forum, and as such required strict scrutiny, but that Internet filtering technology would result in overblocking of website content. A lower court agreed, but the case was taken to the Supreme Court which ruled that public-forum principles were not applicable as the Internet is not a traditional public forum. The Court also ruled that even if there was overblocking of website content, librarians could easily disable the filtering for certain individuals or unblock sites that had been caught by the filters and that this would result in only a minimum burden on librarians. The Supreme Court also ruled that CIPA was constitutional.
While the use of Internet filters used to result in overblocking of content, today that is less of an issue. Categorization of websites is now far better and more reliable. Internet filtering software has improved considerably in the past 15 years.
Why a Content Filter for Libraries Should be Implemented
Libraries are places of learning and should provide open access to the Internet, but they are not places where it should be possible to view child pornography. Libraries have a responsibility to protect patrons from viewing such material, and other harmful website content such as phishing websites.
They should also be using content filters to prevent the downloading of malware and ransomware. In January this year, libraries in St. Louis had their computers taken out of action as the result of a ransomware download. That attack not only prevented Internet access for days, but it took out the system used to log borrowed and returned books. Patrons of 16 libraries in Missouri were prevented from borrowing books. The library had to wipe its system and rebuild it from scratch, a process that took weeks.
Provided content filtering software is used wisely, and mechanisms are introduced to allow the content filter to be lifted on sites that are not illegal or do not contravene acceptable internet usage policies for libraries, they should be applied to ensure that illegal website content cannot be accessed, systems are protected, and patrons are prevented from coming to harm.
Internet content filters can be used to block sites known to host illegal content such as images of child abuse and child pornography, and sites that have been shown to be used for phishing or to deliver malware. Blacklists for these sites are maintained by several organizations.
Internet content filtering ensures the public are prevented from engaging in illegal activity and are protected from phishing attacks. Those controls to not contravene Americans’ first amendment rights.
If you are a librarian and are interested in blocking illegal content but keeping Internet access open, or if you wish to apply for grants, funding, or discounts and must comply with CIPA, contact TitanHQ today to find out more about your Internet content filtering options.
Businesses today need to implement layered defenses to prevent malware and ransomware from being installed on their networks. A web filtering solution should be one of those defenses. At its most basic, a web filter will block access to websites known to contain malware, exploit kits, or be used for phishing.
While web filters are commonly used as an additional security measure to block malware, one of the most important reasons for implementing a web filter is to prevent employees from accessing inappropriate or illegal website content and to prevent productivity draining online activities. In some cases, employers choose to severely restrict Internet access by only allowing employees to access to whitelisted sites – websites that need to be accessed for work purposes.
Regardless of the level of control you want to apply, it is usual for different controls to be needed for different individuals or groups of employees. For example, social media sites could be blocked for the entire organizations, but not for the marketing department, which would need to access corporate social media accounts.
While it is possible to place restrictions on different computers using a virtual local area network (VLAN), using a VLAN for content control lacks flexibility. If a device is on a VLAN that prohibits Internet access entirely, there may be instances when Internet access is temporarily required.
Integrating a Web Filter with LDAP
A better, more flexible solution is to base content filtering controls on the user, or user group. Integrating a web filter with LDAP allows filtering controls to be easily applied for different users, rather than limiting controls to a particular device.
In a call center, a telemarketer could logon using their LDAP information and have one set of filtering controls, whereas a manager could logon to the same device and have far greater permissions. The use of LDAP also allows detailed reports to be generated on which users and devices have accessed certain websites or website content. If DHCP is used on workstation and mobile devices, it may only be possible to view access logs up to a day old. Integrating a web filter with LDAP will make it much easier to generate reports when performing audits of Internet use.
Oftentimes, employees will be assigned to more than one LDAP group, so while it is possible to assign web filtering controls to specific groups, rules can be set to cater for members of more than one group, such as using the most or least restrictive content filtering settings when a user is in multiple LDAP groups. Not everyone will have a LDAP account. When guests require Internet access, a default configuration can be set. If users need to take their devices off site, content filtering by IP address or VLAN would not be possible. In such cases, a client-based solution is used to capture the LDAP session. This is important for K12 Schools that issue laptops for students to take home.
Using a web filtering solution that integrates with LDAP makes content filtering much easier to manage. WebTitan integrates with LDAP allowing you to easily apply content filtering controls by user or user group, with a range of APIs also provided to integrate with Active Directory, NetIQ and other deployment, billing and management tools.
If you want to start filtering the Internet and controlling the content that your users can access, contact TitanHQ today for further information, to schedule a product demonstration, and take advantage of our free trial.
This week, news has emerged about a serious Deloitte data breach that allegedly resulted in ‘several gigabytes’ of sensitive emails sent to and from the accountancy firm’s clients being obtained by hackers.
Deloitte is one of the big four accountancy firms and provides auditing and tax consultancy services to some of the world’s biggest companies, including many banks, pharmaceutical firms, and government agencies. Deloitte also offers cybersecurity consultancy services and is one of the most widely respected firms, and was rated as the top cybersecurity consultancy firm in the world in 2012.
According to a report in The Guardian, the Deloitte data breach was detected in March, but was only announced this week. Hackers are believed to have access to the firm’s Azure cloud account for months, with the initial breach believed to have occurred in October last year. The Azure account was used to store company emails.
Access to the cloud was gained by hacking an administrator account, which was protected with a password, although allegedly did not have two-factor authentication in place.
Deloitte has confirmed it has suffered a data breach, although few details have been released about the nature of the breach other than Deloitte saying only a small number of its clients have been impacted. Deloitte also issued a statement saying, “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” The Guardian reported that just six of the company’s clients had been impacted, although Deloitte has not publicly confirmed how many clients were notified of the breach.
Deloitte hired a leading cybersecurity firm to perform a forensic analysis to determine the actions taken by the attacker(s), which information was accessed, and what clients were impacted. That analysis revealed the types of information compromised included email communications including file attachments, architectural diagrams for its clients, health information, and in some cases, sensitive security and design details. Usernames, passwords, IP addresses, and personal data of the firm’s clients were also believed to have been obtained by the attacker(s).
The cloud account allegedly contained as many as 5 million emails, although Deloitte believes only a small percentage of those emails were accessed during the time the attacker(s) had access to the account. While that is the official line, some sources close to the investigation suggest the Deloitte data breach is being downplayed. Brian Krebs wrote in a blog post that he has been informed that the attackers gained access to the firm’s entire store of emails and that all administrator accounts at the company had been compromised.
That source also said Deloitte performed a company-wide reset of its email passwords on October 17, 2016, suggesting a potential breach was suspected at the time. The source, who was close to the investigation, said several gigabytes of data had been exfiltrated from the cloud account to a server in the United Kingdom.