The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.
The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.
The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.
Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.
The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.
Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.
Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: exploit kits and spam email.
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.
Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.
Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
The technique is not new, but the extent to which it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.
The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.
For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identified combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.
The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.
The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.
End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.
First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
In order to prevent these types of trademark-abuse attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had previously been purchased by hackers had been re-bought by other scammers when they came up for renewal.
Users are being lured onto the domains using a variety of techniques, including the placing of adverts carrying the combosquatting domains on ad networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLs are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.
Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.
The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.
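One way a defender can put the distinction above to work is to screen observed DNS names against a trademark watchlist, flagging names that embed a trademark intact alongside extra words (combosquatting) separately from names that are a trademark with one or two edits (typosquatting). This is an added example, not code from the study or from TitanHQ; the trademarks, allowlist and sample domains are constructed, with the four combosquatting names taken from the article’s own examples.

```python
"""Flag combosquatting and typosquatting domains in observed DNS names.

Added example (not code from the Georgia Tech / Stony Brook study). The
trademark watchlist, allowlist and sample log below are constructed.
"""
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed watchlist of trademarks a defender wants to monitor.
TRADEMARKS = ("facebook", "google", "yahoo", "disney")

# Constructed allowlist of the brands' genuine registrable domains.
ALLOWLIST = {"facebook.com", "google.com", "yahoo.com", "disney.com"}

# Edit budget for typosquatting: a dropped, doubled or substituted letter costs 1,
# an adjacent transposition (Fcaebook) costs 2 in plain Levenshtein distance.
TYPO_MAX_EDITS = 2

# Constructed sample of names as they might appear in a day's DNS logs.
SAMPLE_DOMAINS = [
    "www.facebook.com",
    "facebook-security.com",
    "fcaebook.com",
    "yahoofiles.com",
    "disneyworldamusement.info",
    "google-privacy.com",
    "gooogle.com",
    "example.org",
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(name: str) -> Tuple[str, str]:
    """Return (registrable domain, its left-most label).

    Simplification: the last two labels are treated as the registrable domain,
    so country-code suffixes such as .co.uk need a public-suffix list in practice.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], labels[0]
    return ".".join(labels[-2:]), labels[-2]


def classify(name: str) -> Tuple[str, Optional[str]]:
    """Classify one DNS name; returns (category, matched trademark or None).

    Combosquatting: a trademark appears intact inside the label with other
    characters around it. Typosquatting: the label is a trademark with at most
    TYPO_MAX_EDITS edits. Short trademarks (e.g. 'visa') would match inside
    ordinary words, so a real deployment adds a minimum length or token check.
    An exact trademark under a non-allowlisted suffix is left as 'unrelated'.
    """
    reg, label = registrable_domain(name)
    if reg in ALLOWLIST:
        return "legitimate", None
    for tm in TRADEMARKS:
        if tm in label and label != tm:
            return "combosquatting", tm
    for tm in TRADEMARKS:
        if 0 < levenshtein(label, tm) <= TYPO_MAX_EDITS:
            return "typosquatting", tm
    return "unrelated", None


def scan(names: Iterable[str]) -> Counter:
    """Count categories over a batch of names, e.g. one day of DNS queries."""
    return Counter(classify(n)[0] for n in names)


if __name__ == "__main__":
    for n in SAMPLE_DOMAINS:
        category, tm = classify(n)
        print(f"{n:28} {category:15} {tm or ''}")
    print(dict(scan(SAMPLE_DOMAINS)))
```

The classifier only raises a flag for review; as the researchers note, a familiar trademark in a name is exactly what lulls analysts, so the allowlist is what separates the brand’s own domains from look-alikes.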
TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.
This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.
Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.
Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry
The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.
The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.
The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.
Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.
TitanHQ On the Road
It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.
The Wi-Fi Now Europe 2017 conference comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs, and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues. Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained the new integration of WebTitan with Kaseya.
The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than a decade since the Security Rule was introduced, and data breaches are still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.
September Data Breaches in Numbers
The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.
HIPAA Compliance Will Not Prevent Healthcare Data Breaches
HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.
HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.
Detect Insider Breaches Promptly
Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.
HIPAA requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access, or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
Close the Door to Hackers
50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.
Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.
Prevent Impermissible Disclosures of PHI
One of the leading causes of PHI disclosures is the loss or theft of laptop computers, zip drives, and other portable devices. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.
Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – they are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive, as they are more secure.
Block Malware and Ransomware Attacks
Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.
Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.
Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.
Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity fell considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit Kit is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.
The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.
Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: a scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are attempted.
Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.
Smoke Loader malware is a backdoor that, if installed, gives cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and GlobeImposter ransomware.
To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.
For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.
Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.
The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.
Researchers at Qihoo 360, who discovered the new botnet, report that the botnet also includes in excess of 100 open DNS resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.
Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”
While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslave IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.
IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.
Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.
At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.
If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.
Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.
There are two conditions required to pull off KRACK: the WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.
The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFi protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks, since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.
In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.
The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”
The disclosure of this WPA2 WiFi vulnerability has had many vendors frantically developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.
There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.
While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.
This week, the UK government’s Culture Secretary Karen Bradley announced the publication of a new green paper outlining the government’s Internet Safety Strategy, saying the aim is to make the UK the safest place to be online.
The Internet Safety Strategy outlines the steps that the government is taking to prevent cyber-bullying, trolling and the accessing of pornography by minors. The government has come under increasing pressure in recent years to take decisive action to curb the growing problem of online abuse and harm to minors from accessing age-inappropriate websites.
In a recent press release announcing the new Internet Safety Strategy, Bradley said “In the past year, almost one fifth of 12-15-year olds encountered something online that they ‘found worrying or nasty in some way’ and 64% of 13-17-year olds have seen images or videos offensive to a particular group.” The problem is not confined to minors. Adults too have been offended or upset by material they have viewed on social media sites, and the new strategy will also help to keep adults safe and protected online.
The aim of the new proposals is not censorship of the Internet – the UK government continues “to embrace the huge benefits and opportunities the Internet has brought for British citizens.” The aim of the government’s Internet Safety Strategy is simply to make the Internet a safer place and prevent harm to vulnerable people, especially children.
Bradley said, “Behaviour that is unacceptable in real life is unacceptable on a computer screen. We need an approach to the Internet that protects everyone without restricting growth and innovation in the digital economy.”
The Internet Safety Strategy tackles a range of online issues using several different methods – a combination of improved efforts to educate children and the public about online dangers and acceptable online conduct, social media advice, the promotion of safety features for parents to use to protect their children, and the use of Internet filtering in schools.
Some of the key elements in the Internet Safety Strategy are:
- Developing a new social media code of practice to address bullying, intimidating, or humiliating online content
- An industry-wide levy so social media companies and communication service providers contribute to raise awareness and counter internet harms
- The publication of an annual Internet safety transparency report detailing the progress made at reducing abusive and harmful content and conduct
- Providing support for start-ups and tech companies to help them build safety features into their products and apps at the design stage
- Compulsory new subjects in schools: Relationship education at the primary school level and relationship & sex education at secondary level
- Encouraging social media companies to provide social media safety advice to parents and build that advice into their platforms
- Promoting the use of social media and Internet safety features by parents
- Changing the name of the UK Council for Child Internet Safety to the UK Council for Internet Safety, to show the safety of all Internet users is of concern
In the new green paper, the Keeping Children Safe in Education (KCSIE) guidance is highlighted. The guidance details the steps that schools and colleges in England should take to protect students and keep them safe online. The guidance was updated in September last year to include a new section on safeguarding children online. Schools were reminded of their responsibility to prevent children from accessing harmful and inappropriate website content, explaining Internet filtering in schools is a requirement. Solutions that allow Internet filtering in schools should block inappropriate content and also allow the monitoring of the attempted access of inappropriate material.
The use of similar controls by parents is being encouraged, first by making sure the options are available – the big four ISPs in the UK all offer Internet content filtering controls – and to improve education on the need to implement content filtering solutions to protect children at home.
Vicki Shotbolt, Chief Executive Officer at Parent Zone – an organization set up to provide expert information to families, schools and family professionals on the Internet safety – said, “It is encouraging to see the government proposing concrete steps to ensure that industry is doing everything they can to support families and make the Internet a place that contributes to children flourishing.”
A Social Community Partnership in Ireland that terminated an employee for accessing porn at work was sued for unfair dismissal; however, the Workplace Relations Commission (WRC) in Dublin upheld the decision of the company to terminate the employee, which was deemed to be the appropriate sanction under the circumstances.
The viewing of any pornographic material in the workplace is unacceptable, but for a Social Community Partnership that provides services to children and families, it is especially important to take action when employees access obscene material – in this case the webpages depicted rape, the abduction of girls, and non-consensual sex.
A statement released by the unnamed Social Community Partnership read, “[The worker’s] actions go against the grain of the organization, but has the potential to put at risk the company’s funding relationship with Government services.”
The accessing of inappropriate material was discovered during a review of the computers used by receptionists at the Partnership. That review revealed pornographic material had been accessed on a reception computer on seven occasions between September 30th and November 26th, 2015. The material was accessed between 1.28pm and 4.40pm, and while multiple employees had access to the computer, on three of the occasions the terminated employee was the only member of staff working in the reception area.
Once that was confirmed in May 2016, the employee’s contract was terminated for gross misconduct. The employee appealed the decision internally, claiming the allegations were incorrect. She denied accessing porn at work and claimed she was not the only person to have access to the computer. Two other receptionists were employed at the firm and could have accessed the material. When the appeal was rejected, the employee sued the firm for unfair dismissal.
An independent IT consultant was brought in to conduct a scan of the computer to confirm that a malware infection was not present, which could theoretically have been responsible for the sites being accessed. The woman maintained there was no evidence against her and popups could have explained the accessing of the material. She also said other employees could have accessed the computers in the reception area, which did not require the use of secure passwords.
The WRC ruled that, on the balance of probability, the employee did access pornographic material, and the decision to terminate the employee was correct. The woman has been unable to find further work in the field, despite her 18 years’ experience, due to the nature of her dismissal.
Employees Accessing Porn at Work Is a Widespread Problem
The accessing of pornography at work is a widespread, global problem – and one that acceptable Internet usage policies do not prevent.
A 2013 report from the UK government found computers in parliament were used to make an average of 800 visits to pornographic websites per day – more than 300,000 attempts were made over the period of study.
A 2014 survey by Proven Men Ministries found nearly two thirds of men (63%) and one third of women (36%) admitted accessing pornography at work, while a 2015 poll conducted by The Sun newspaper in the UK found 15% of women in the UK watch pornography at work.
In the United States, a Harris Poll in 2011 found 3% of Americans watch porn at work, with an earlier study by The Nielsen Company placing the figure at around 28%.
While there is some variation between the studies, it is clear that the accessing of pornography at work is a widespread problem, responsible for a significant loss of productivity, the creation of a hostile work environment, and many HR issues.
Companies Can Easily Avoid Pornography-Related HR Issues
Even though acceptable Internet usage policies are developed, and employees have to confirm that those policies have been read and understood, many employees still access porn at work. Some employees simply disregard those policies, others mistakenly believe they will not be found out.
For the company, accessing porn at work causes major HR issues. Complaints are often made by other employees who have caught a glimpse of the material, a hostile work environment can develop, HR departments have to take disciplinary action, and recruit and train replacement employees – all of which are a drain on productivity and result in many lost man hours.
As this case shows, these incidents can result in bad publicity, potentially loss of funding, and legal costs from fighting lawsuits.
However, all of these problems are easy to avoid. Companies can simply block adult website content with a web filter. A web filter allows firms to enforce acceptable Internet usage policies and prevent obscene or otherwise inappropriate material from being accessed by employees.
The Social Community Partnership would have been able to avoid all the bad publicity and the cost of fighting the unfair dismissal claim if a web filtering solution had been put in place to enforce acceptable Internet usage policies.
If you have yet to start filtering the Internet, and are not blocking pornography and other inappropriate material from being accessed in the workplace, contact TitanHQ today and ask about WebTitan – the leading web filtering solution for enterprises.
The healthcare industry has been extensively targeted, and now Dark Overlord cyberattacks on schools have soared – the education sector is now being targeted.
The cyberattacks on healthcare institutions included threats to publish data. Those threats were often ignored, resulting in sensitive data being dumped online. While such data dumps are damaging to healthcare organizations and their patients, many attacked institutions followed the advice of the FBI and chose not to give in to the mafia-style extortion tactics.
The recent Dark Overlord cyberattacks on schools have been different. Educational institutions have not only been hacked and had sensitive data stolen, the hacking group has escalated its threats. Additionally, rather than just sending threats to the schools, parents of some of the children whose data were stolen have also been contacted by text. The aim is clear: to put pressure on schools to pay up.
The latest wave of Dark Overlord cyberattacks on schools has been spread across the country. Schools in Alabama, Iowa, Montana, and Texas have all been attacked in recent weeks. The attacks have followed a similar pattern to the attacks on healthcare organizations, Gorilla Glue, and Netflix. Sensitive data have been stolen, a payment was demanded, and a threat issued to publish the data online if the payment was not made.
Payment of a ransom does not guarantee data will not be released. The latest episode of Orange is the New Black was stolen and Netflix was threatened. A $50,000 ransom was paid, but the episode was still released – it was claimed this was for contacting the FBI.
The latest attacks have got more personal. The Dark Overlord cyberattacks on schools have seen parents sent personalized text messages threatening violence against their children. One of those messages included the address of the family with the message “your child is still so innocent. Don’t have anyone look outside.” The Des Moines Register reported that one parent responded to the message telling the sender of the messages to stop and was told, “we are just getting started.” Other text messages threatened to kill kids at the school, resulting in the school closing for a day as a precaution.
In the case of the cyberattack on Johnston Community School District in Iowa, data was dumped online. TDO allegedly said the data would help child predators.
The attack on Montana’s Columbia Falls School district was accompanied by a 7-page letter, in which Sandy Hook was referenced. Threats were issued about publishing grades, sensitive behavioral reports, details of ‘shoddy student work’, nurse reports, and private health information. While various methods of payment were offered, a ransom payment of $150,000 was demanded in Bitcoin. In exchange, TDO said all stolen data would be deleted.
Similar attacks have occurred at Alabama’s Crenshaw County Schools District and Splendora School District in Texas. The escalation in the threats was reportedly in response to the FBI telling breach victims not to respond to the messages and not to pay the ransom demands.
While these Dark Overlord cyberattacks on schools follow a similar pattern to other attacks, there are notable differences, raising the prospect that some of the attacks were performed by other hackers piggybacking on the name.
Regardless of who is conducting the attacks, the message to schools – and all other organizations – is clear. Make sure your networks are well defended. Implement layered cybersecurity defenses, patch promptly, and consider using encryption for all stored data.
Libraries are places of open learning where the Internet can be freely accessed. Acceptable internet usage policies for libraries are usually developed, but many libraries do not go as far as restricting access to certain types of Internet content. That means acceptable Internet usage policies for libraries can be easily abused. Library computers can be used for highly illegal activities and there is little to prevent minors from coming to harm.
The Importance of Free and Open Internet Access in Libraries
The provision of open access to the Internet in libraries is understandable. Libraries are places of learning where the public can gain access to information of all types. Even if information is highly controversial and causes offense to some individuals, that does not mean access to the information should be blocked.
When Charles Darwin published the Origin of Species it was hugely controversial, but it would be difficult to argue the book has no place in a library. In order for people to understand and debate Darwin’s views, they need access to his book.
Access to the Internet is now provided in most libraries. For many individuals, libraries are the only places where the Internet can be accessed freely. Children especially may be unable to access the Internet at home and view important educational information without fear of reprisals – viewing information on LGBTI issues for example or information on sex education.
Many libraries, as places of open learning, are reluctant to place any restrictions on Internet access; instead, acceptable internet usage policies for libraries are used to lay down the rules on the content that is permitted and prohibited.
Typical Acceptable Internet Usage Policies for Libraries
When acceptable internet usage policies for libraries are used, they usually state that while access to website content is not blocked, library computers should not be used to access illegal web content – content such as child pornography, which is illegal in all forms.
Acceptable Internet usage policies for libraries often reference the Children’s Internet Protection Act (CIPA), which requires schools and libraries to implement controls to prevent the accessing of imagery that could be harmful to minors – pornography, child abuse, child pornography, and other potentially harmful imagery. However, schools and libraries are only required to comply with CIPA if they receive certain state or government funding. Many libraries would be reluctant to block adult pornography, because it is not illegal and would not do so if they are not required to do so by CIPA.
While acceptable internet usage policies for libraries are important for laying down the rules, not all library patrons read those policies or adhere to them. The policies will do nothing to prevent illegal content from being accessed and minors will not be prevented from accessing potentially harmful images.
Where Acceptable Internet Usage Policies for Libraries Fail
There have been numerous complaints from members of the public in recent years about patrons using library computers to access pornography in full view of other library patrons. The past few days have seen the media cover another example of acceptable internet usage policies for libraries failing.
The latest complaint was made about College Terrace Library in Palo Alto, CA. The library has an acceptable Internet usage policy but does not filter the Internet in any way. The policy states “Libraries and librarians should not deny or limit access to electronic information because of its allegedly controversial content or because of the librarian’s personal beliefs or fear of confrontation.”
The complaint in question, which has led to a police investigation, concerns the actions of one of the library’s patrons, who was seen accessing images of child pornography on a library computer in full view of other patrons. That individual’s actions were illegal and contravened library AUPs, yet it was still possible for that information to be accessed.
Free and Open Internet Access in Libraries, With Certain Restrictions?
The incident shows how the decision not to impose any restrictions on Internet access has potential to cause harm to library patrons, many of whom will be minors. Acceptable internet usage policies for libraries can be ineffective; however, the use of Internet filtering software can solve this problem.
The purpose of Internet filtering software in libraries is not to limit free speech, or even to police the Internet as such. The aim is to protect minors, and to protect all library patrons by preventing extremely harmful illegal content from being accessed by some individuals.
The American Library Association (ALA) is against filtering of Internet content in libraries. The ALA even filed a lawsuit claiming CIPA was unconstitutional and violated the First Amendment rights of consumers. The ALA argued that the Internet was a public forum, and as such required strict scrutiny, but that Internet filtering technology would result in overblocking of website content. A lower court agreed, but the case was taken to the Supreme Court, which ruled that public-forum principles were not applicable as the Internet is not a traditional public forum. The Court also ruled that even if there was overblocking of website content, librarians could easily disable the filtering for certain individuals or unblock sites that had been caught by the filters, and that this would place only a minimal burden on librarians. The Supreme Court also ruled that CIPA was constitutional.
While the use of Internet filters used to result in overblocking of content, today that is less of an issue. Categorization of websites is now far better and more reliable. Internet filtering software has improved considerably in the past 15 years.
Why a Content Filter for Libraries Should be Implemented
Libraries are places of learning and should provide open access to the Internet, but they are not places where it should be possible to view child pornography. Libraries have a responsibility to protect patrons from viewing such material, and other harmful website content such as phishing websites.
They should also be using content filters to prevent the downloading of malware and ransomware. In January this year, libraries in St. Louis had their computers taken out of action as the result of a ransomware download. That attack not only prevented Internet access for days, but it took out the system used to log borrowed and returned books. Patrons of 16 libraries in Missouri were prevented from borrowing books. The library had to wipe its system and rebuild it from scratch, a process that took weeks.
Provided content filtering software is used wisely, and mechanisms are introduced to allow the content filter to be lifted on sites that are neither illegal nor in contravention of acceptable internet usage policies for libraries, content filters should be applied to ensure that illegal website content cannot be accessed, systems are protected, and patrons are prevented from coming to harm.
Internet content filters can be used to block sites known to host illegal content such as images of child abuse and child pornography, and sites that have been shown to be used for phishing or to deliver malware. Blacklists for these sites are maintained by several organizations.
Internet content filtering ensures the public are prevented from engaging in illegal activity and are protected from phishing attacks. Those controls do not contravene Americans’ First Amendment rights.
If you are a librarian and are interested in blocking illegal content but keeping Internet access open, or if you wish to apply for grants, funding, or discounts and must comply with CIPA, contact TitanHQ today to find out more about your Internet content filtering options.
Businesses today need to implement layered defenses to prevent malware and ransomware from being installed on their networks. A web filtering solution should be one of those defenses. At its most basic, a web filter will block access to websites known to contain malware, exploit kits, or be used for phishing.
While web filters are commonly used as an additional security measure to block malware, one of the most important reasons for implementing a web filter is to prevent employees from accessing inappropriate or illegal website content and to prevent productivity-draining online activities. In some cases, employers choose to severely restrict Internet access by only allowing employees to access whitelisted sites – websites that need to be accessed for work purposes.
Regardless of the level of control you want to apply, it is usual for different controls to be needed for different individuals or groups of employees. For example, social media sites could be blocked for the entire organization, but not for the marketing department, which would need to access corporate social media accounts.
While it is possible to place restrictions on different computers using a virtual local area network (VLAN), using a VLAN for content control lacks flexibility. If a device is on a VLAN that prohibits Internet access entirely, there may be instances when Internet access is temporarily required.
Integrating a Web Filter with LDAP
A better, more flexible solution is to base content filtering controls on the user, or user group. Integrating a web filter with LDAP allows filtering controls to be easily applied for different users, rather than limiting controls to a particular device.
In a call center, a telemarketer could log on using their LDAP information and have one set of filtering controls, whereas a manager could log on to the same device and have far greater permissions. The use of LDAP also allows detailed reports to be generated on which users and devices have accessed certain websites or website content. If DHCP is used on workstations and mobile devices, it may only be possible to view access logs up to a day old. Integrating a web filter with LDAP will make it much easier to generate reports when performing audits of Internet use.
Oftentimes, employees will be assigned to more than one LDAP group, so while it is possible to assign web filtering controls to specific groups, rules can be set to cater for members of more than one group, such as using the most or least restrictive content filtering settings when a user is in multiple LDAP groups. Not everyone will have an LDAP account. When guests require Internet access, a default configuration can be set. If users need to take their devices off site, content filtering by IP address or VLAN would not be possible. In such cases, a client-based solution is used to capture the LDAP session. This is important for K-12 schools that issue laptops for students to take home.
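The group-combining rules and guest default described above, worked through in code. This is an added illustration and not WebTitan or TitanHQ code; the group names, content categories and the sample directory are constructed, and a real deployment would look the user's groups up in LDAP or Active Directory at logon rather than in a dictionary.

```python
"""Per-user web filtering policy resolved from directory group membership.

Added example, not vendor code. Group names, content categories and the
sample directory are constructed; a real filter would query LDAP/AD.
"""
from dataclasses import dataclass

# Categories the filter can block (constructed for this example).
ALL_CATEGORIES = frozenset({"adult", "gambling", "social_media", "malware", "phishing"})

# Security categories that no group policy may unblock, whatever the combining rule.
ALWAYS_BLOCKED = frozenset({"malware", "phishing"})


@dataclass(frozen=True)
class Policy:
    name: str
    blocked: frozenset  # categories this policy blocks


# One policy per directory group (constructed). "staff" is the most restrictive.
GROUP_POLICIES = {
    "staff": Policy("staff", ALL_CATEGORIES),
    "marketing": Policy("marketing", ALL_CATEGORIES - {"social_media"}),
    "managers": Policy("managers", ALL_CATEGORIES - {"social_media", "gambling"}),
}

# Applied to anyone without a directory account, e.g. guests on the Wi-Fi.
GUEST_POLICY = Policy("guest", ALL_CATEGORIES)

# Constructed sample directory: user -> groups. Users may belong to several.
DIRECTORY = {
    "alice": ["staff", "marketing"],
    "bob": ["staff"],
    "carol": ["staff", "marketing", "managers"],
}


def effective_policy(user, directory=DIRECTORY, mode="most_restrictive"):
    """Combine the policies of every group the user belongs to.

    most_restrictive:  a category is blocked if ANY of the user's groups blocks it.
    least_restrictive: a category is blocked only if ALL of the user's groups block it.
    """
    groups = directory.get(user, [])
    policies = [GROUP_POLICIES[g] for g in groups if g in GROUP_POLICIES]
    if not policies:  # no account, or no group with a policy: fall back to the default
        return GUEST_POLICY
    first, rest = policies[0].blocked, [p.blocked for p in policies[1:]]
    if mode == "most_restrictive":
        blocked = first.union(*rest)
    elif mode == "least_restrictive":
        blocked = first.intersection(*rest)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return Policy(f"{user}/{mode}", blocked | ALWAYS_BLOCKED)


def decide(user, category, directory=DIRECTORY, mode="most_restrictive"):
    """Filtering decision plus the fields a per-user audit report is built from."""
    policy = effective_policy(user, directory, mode)
    return {
        "user": user,
        "groups": directory.get(user, []),
        "policy": policy.name,
        "category": category,
        "allowed": category not in policy.blocked,
    }


if __name__ == "__main__":
    for mode in ("most_restrictive", "least_restrictive"):
        for user in ("alice", "carol", "guest-laptop"):
            print(mode, decide(user, "social_media", mode=mode))
```

Because the decision record carries the directory user and group list rather than a DHCP-assigned IP address, the same record can be written to the access log and later aggregated by user for audits. The `ALWAYS_BLOCKED` set keeps the malware and phishing categories blocked even under the least-restrictive rule, which is the combination a practitioner usually wants: productivity categories negotiated per group, security categories never relaxed.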
Using a web filtering solution that integrates with LDAP makes content filtering much easier to manage. WebTitan integrates with LDAP allowing you to easily apply content filtering controls by user or user group, with a range of APIs also provided to integrate with Active Directory, NetIQ and other deployment, billing and management tools.
If you want to start filtering the Internet and controlling the content that your users can access, contact TitanHQ today for further information, to schedule a product demonstration, and take advantage of our free trial.
This week, news has emerged about a serious Deloitte data breach that allegedly resulted in ‘several gigabytes’ of sensitive emails sent to and from the accountancy firm’s clients being obtained by hackers.
Deloitte is one of the big four accountancy firms and provides auditing and tax consultancy services to some of the world’s biggest companies, including many banks, pharmaceutical firms, and government agencies. Deloitte also offers cybersecurity consultancy services and is one of the most widely respected firms, and was rated as the top cybersecurity consultancy firm in the world in 2012.
According to a report in The Guardian, the Deloitte data breach was detected in March, but was only announced this week. Hackers are believed to have had access to the firm’s Azure cloud account for months, with the initial breach believed to have occurred in October last year. The Azure account was used to store company emails.
Access to the cloud was gained by hacking an administrator account, which was protected with a password but allegedly did not have two-factor authentication in place.
Deloitte has confirmed it has suffered a data breach, although few details have been released about the nature of the breach other than Deloitte saying only a small number of its clients have been impacted. Deloitte also issued a statement saying, “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” The Guardian reported that just six of the company’s clients had been impacted, although Deloitte has not publicly confirmed how many clients were notified of the breach.
Deloitte hired a leading cybersecurity firm to perform a forensic analysis to determine the actions taken by the attacker(s), which information was accessed, and what clients were impacted. That analysis revealed the types of information compromised included email communications including file attachments, architectural diagrams for its clients, health information, and in some cases, sensitive security and design details. Usernames, passwords, IP addresses, and personal data of the firm’s clients were also believed to have been obtained by the attacker(s).
The cloud account allegedly contained as many as 5 million emails, although Deloitte believes only a small percentage of those emails were accessed during the time the attacker(s) had access to the account. While that is the official line, some sources close to the investigation suggest the Deloitte data breach is being downplayed. Brian Krebs wrote in a blog post that he has been informed that the attackers gained access to the firm’s entire store of emails and that all administrator accounts at the company had been compromised.
That source also said Deloitte performed a company-wide reset of its email passwords on October 17, 2016, suggesting a potential breach was suspected at the time. The source, who was close to the investigation, said several gigabytes of data had been exfiltrated from the cloud account to a server in the United Kingdom.
Investigations are continuing into a massive Sonic data breach that has potentially impacted millions of its customers.
Sonic, an Oklahoma City-based restaurant chain with more than 3,600 franchise restaurants in the United States, was alerted to a potential breach by its card payment processor after a pattern of fraudulent purchases was identified and linked to the restaurant chain.
The Sonic data breach was first reported by Brian Krebs, who linked the listing of a batch of 5 million credit and debit card numbers on the cybercrime marketplace Joker’s Stash to a potential breach at Sonic.
Krebs reported that two individuals who had agreed to purchase credit card numbers from the seller both said the cards had previously been used in Sonic locations. After contacting Sonic to report the potential breach, Krebs was notified that the restaurant chain was investigating a potential breach.
Sonic has issued a statement saying it is working with law enforcement and has hired a third-party forensics firm to confirm whether its systems have been hacked, and if so, to determine the nature and scope of the breach.
At present it is unclear how many of the restaurant chain’s locations have been impacted or the number of customers that have had their card details stolen. While the batch of credit and debit card numbers listed for sale indicates the breach victim count could be as high as 5 million, it has yet to be established whether all of those card numbers came from the Sonic data breach. It is possible the list could be an amalgamation of data from several breaches.
The Sonic data breach has potential to be one of the largest POS data breaches to affect the hospitality industry, and is the latest in a string of cyberattacks on restaurants. Earlier this year Chipotle Mexican Grill experienced a breach that affected most of the chain’s restaurants. Arby’s and the Select restaurant chain have also announced major data breaches. Last year, a major breach of card details was reported by Wendy’s which affected more than 1,000 of its restaurants.
Restaurant chain data breaches typically involve malware installed on point-of-sale systems that collects and exfiltrates card details. The malware infections often go unnoticed for weeks or months. It is only when card processors notice trends in credit card fraud and alert specific restaurants or restaurant chains that the breach is identified. The malicious actors behind these breaches often hold on to the stolen data until a sufficiently large batch of card numbers have been obtained, before listing the data for sale on darknet marketplaces.
In this case, the card numbers from the Sonic data breach were selling for between $25 and $50 depending on the type of card. This is much higher than the usual cost of stolen card numbers, indicating the card details have come from a recent data breach with most of the cards yet to be cancelled.
Hackers can gain access to POS systems via email phishing attacks, by exploiting vulnerabilities using exploit kits, direct attacks on unpatched and out-of-date operating systems, brute force RDP attacks, or by infiltrating the systems of vendors that have legitimate access to restaurant networks. It was the latter that enabled hackers to gain access to Target’s system and steal credit card details of 40 million customers. The same was true of the Wendy’s breach. Hackers obtained the credentials of some of its service providers and were able to login and install malware.
Restaurants can reduce the risk of data breaches by complying with the Payment Card Industry’s Data Security Standard (PCI DSS), a list of 12 requirements spread across six control objectives. Those requirements include the use of spam filtering, web filtering solutions, and securing the Wi-Fi environment – the latter two can both be achieved by implementing WebTitan.
There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.
The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.
The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.
Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple endpoints.
Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.
Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web-based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.
The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.
The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years
- Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
- Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
- Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
- NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
- CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
- Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
- KeRanger: One of the first ransomware strains to target Mac OS X applications.
- Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
- TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications.
- HDDCryptor: A ransomware variant that targets network shares, files, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk.
- CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat.
- ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives.
- WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.
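The shadow-copy deletion mentioned above and in the Locky entry is one of the few ransomware behaviours that leaves a clean, early signal in process-creation telemetry. The following detection logic is an added example, not code from the article or any vendor: it scans constructed log lines in a simplified pipe-separated form (timestamp|host|user|parent image|image|command line, the shape of a Sysmon or EDR process-creation event), flags the two common shadow-copy deletion commands, and grades each hit by where the parent process was launched from. The allowlisted backup agent path is an assumed value.

```python
"""Detect Volume Shadow Copy deletion in process-creation logs.

Added example, not from the original article. Log lines and the trusted
backup-agent path are constructed / assumed values.
"""
import re

# Constructed sample events. Only the deletions should be flagged; the
# "vssadmin list shadows" call from the backup agent is routine activity.
SAMPLE_LOG = """\
2017-09-01T10:02:11|WS-014|CORP\\jdoe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir
2017-09-01T10:04:32|WS-014|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2017-09-01T10:04:35|WS-014|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2017-09-01T10:10:00|FS-003|CORP\\backupsvc|C:\\Program Files\\BackupAgent\\agent.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2017-09-01T10:12:00|FS-003|CORP\\backupsvc|C:\\Program Files\\BackupAgent\\agent.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=D: /oldest
"""

# The two common ways shadow copies are removed from the command line.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]

# Assumed: parent image of a sanctioned backup agent. Its deletions are kept
# at low severity rather than suppressed, so they still reach the audit trail.
TRUSTED_PARENTS = {r"c:\program files\backupagent\agent.exe"}

# A parent launched from a user-writable location (typical for a dropped
# payload) raises the severity.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)


def parse_event(line):
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}


def assess(event):
    """Return an alert dict for a shadow-copy deletion, or None for anything else."""
    for name, pattern in RULES:
        if pattern.search(event["cmdline"]):
            parent = event["parent"].lower()
            if parent in TRUSTED_PARENTS:
                severity = "low"
            elif USER_WRITABLE.search(parent):
                severity = "critical"
            else:
                severity = "high"
            return {**event, "rule": name, "severity": severity}
    return None


def scan(log_text):
    """Run every non-empty line through assess() and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = assess(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"], a["host"], a["user"], a["rule"], "-", a["cmdline"])
```

The grading matters more than the match itself: administrators and backup software do delete old shadow copies, so a rule that only matches the command string will be noisy. Keying severity on the parent process, and keeping trusted-parent hits visible at low severity instead of dropping them, lets the same rule serve both as a ransomware tripwire and as an audit record of legitimate deletions.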
Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.
In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 3-2-1 approach to ensure you can recover files without paying the ransom: make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.
Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.
Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.
In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required, affiliates simply enter in their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.
With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.
For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.
There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.
A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.
The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.
Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.
For further information on spam and web filtering, contact TitanHQ today.
The cyberattack on Equifax affected almost half the population of the United States. 143 million U.S. consumers potentially had their sensitive data stolen by hackers, as did around 400,000 individuals in the United Kingdom and 100,000 consumers in Canada.
To notify victims of the Equifax data breach by mail would have been a monumental and incredibly costly task. Instead, Equifax set up a website where breach victims could check to see if their data had been exposed and also register for free credit monitoring and identity theft protection services.
The official website used for this purpose is equifaxsecurity2017.com. Visitors to the website are required to enter some personal information as identification – the last six digits of their Social Security number and their full name.
That site then directed visitors to a second site, Trustedidpremier.com – which, it has to be said, does seem somewhat phishy. The site is owned by Equifax, with the name taken from its identity theft protection service, but the site did not mention Equifax, which led to many consumers questioning whether the site was real.
These choices gave phishers a gilt-edged opportunity to take advantage. By registering a website similar to the one used by Equifax, it would be possible to fool many U.S. consumers into revealing their sensitive information. For instance, instead of asking for the last six digits of the Social Security number, criminals could ask for the full SSN, along with a date of birth and a full name. If the fake website carried official Equifax logos, many consumers would be fooled.
If Equifax had put the information on a subdomain of its official website, it would be easy for consumers to verify that they were on the correct site. The decision to use a new website for this purpose has made it too easy for scammers to take advantage.
There have already been many fake Equifax domains registered and used for phishing. While these sites are being identified quickly and shut down, during the time they are online they can be used to capture large volumes of sensitive information. Some of the recently registered domains featured transposed letters and common misspellings, such as replacing the y with a u to catch out careless typists.
However, it is not only careless typists who could be fooled by such a scam. One fake site, securityequifax2017.com, was registered that would likely fool many consumers. Equifax should have registered such obvious variants itself to keep them out of the hands of scammers.
Fortunately, the website had been purchased by a software developer called Nick Sweeting specifically to demonstrate how easy it would be to take advantage. It was made clear on the site that the website was fake, and was not actually being used for phishing, only to raise awareness of the risk of similar sites being purchased by phishers.
However, so realistic was the site that it even fooled one Equifax employee. On at least eight occasions, that individual tweeted the fake domain via the official Equifax Twitter account, according to Sweeting.
The fake site has since been blocked and taken offline, but it was active for two weeks. Had this been a real Equifax phishing website, many consumers could have been fooled.
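The look-alike domains described above, as an added example that is not part of the original article: a small checker that measures how far a candidate domain is from the legitimate one using Damerau-Levenshtein distance (so a single substitution such as the y-to-u swap, a transposed pair of letters, or an inserted hyphen all count as one edit) and separately tests whether the candidate is simply the legitimate name's words in a different order, which is what securityequifax2017.com was. The split of the legitimate name into words, the distance threshold and the candidate list are constructed for the example and imply nothing about who registered any real domain.

```python
"""Look-alike domain checker (added example, not from the article)."""
import itertools

LEGIT_DOMAIN = "equifaxsecurity2017.com"
# The words the legitimate label is built from; this split is an assumption
# made for the example.
LEGIT_TOKENS = ("equifax", "security", "2017")
MAX_TYPO_DISTANCE = 2


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insertion, deletion, substitution
    or transposition of two adjacent characters each costs 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def second_level_label(domain: str) -> str:
    """'www.Example-Site.com' -> 'example-site'. Assumes a single-label TLD."""
    label = domain.lower().strip(".")
    if label.startswith("www."):
        label = label[4:]
    return label.rsplit(".", 1)[0]


def classify(candidate: str) -> str:
    """Return 'legitimate', 'typo-squat', 'word-order-squat' or 'unrelated'."""
    label = second_level_label(candidate)
    legit = second_level_label(LEGIT_DOMAIN)
    if label == legit:
        return "legitimate"
    if damerau_levenshtein(label, legit) <= MAX_TYPO_DISTANCE:
        return "typo-squat"
    for order in itertools.permutations(LEGIT_TOKENS):
        for sep in ("", "-"):
            if sep.join(order) == label:
                return "word-order-squat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates for illustration only.
    for name in ("equifaxsecurity2017.com", "equifaxsecuritu2017.com",
                 "equifaxsecruity2017.com", "equifax-security2017.com",
                 "securityequifax2017.com", "trustedidpremier.com"):
        print(f"{name:28} {classify(name)}")
```

Note that trustedidpremier.com comes back as unrelated: a similarity check can only protect a brand whose name is actually in the domain, which is exactly why sending people to a second, unbranded domain made the verification problem worse.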
The average cost of an SMB data breach is now $117,000 per incident, according to a large study of data breach costs at small to medium-sized businesses.
The study was conducted by Kaspersky Lab and B2B International, with over 5,000 businesses in 30 countries asked about the costs of resolving data breaches.
There has been a rise in the average cost of an SMB data breach again this year, and some notable changes in how those costs break down compared with last year, when the study was previously conducted. There were also notable differences between the main costs for SMBs and for large enterprises.
Last year, the single biggest cost of data breaches was the reallocation of staff time, although this year, respondents from SMBs said the biggest costs were the loss of business as a result of a data breach and bringing in external experts to help investigate and resolve data breaches.
Out of the $117,000 average cost of an SMB data breach, $21,000 was spent on bringing in external experts and a further $21,000 was lost business. Other major costs were additional wages for staff ($16,000), credit rating damage and increases in insurance premiums ($11,000), improving software and infrastructure ($11,000), repairing brand damage ($10,000), and employing new staff ($10,000). The lowest costs were training ($9,000) and compensation ($8,000).
Kaspersky Lab points out that the reason these costs are so high for SMBs is likely due to a lack of skilled in-house staff, meaning they have little choice but to call in the professionals. Small businesses are also particularly vulnerable to loss of business as a result of a data breach. However, the study showed that small to medium sized businesses tend not to have to dig deep to pay compensation, which has been attributed to less formal business relationships.
The cause of an SMB data breach has a significant bearing on resolution costs, and some types of attack proved much costlier to resolve. The average cost of an SMB data breach resulting from a targeted attack was $188,000, followed by security incidents affecting non-computing connected devices (IoT) at $152,000 per incident.
Breaches caused by the loss of devices containing sensitive information cost an average of $83,000 to resolve, inappropriate use of IT resources cost $79,000, while virus and malware infections were the cheapest to resolve, costing an average of $68,000.
For enterprises, average data breach costs jumped from $1.2 million in 2016 to $1.3 million in 2017, with the main costs of a breach being additional wages for internal staff ($207,000), software and infrastructure improvements ($172,000), bringing in external professionals ($154,000), training ($153,000), lost business ($148,000), and compensation ($147,000).
SMBs have increased spending on IT security in response to the increased threat of attack, devoting 19% of their IT budgets to security compared with 16% in the previous year's study. There was a much smaller increase at very small businesses (1-49 employees), up just one percentage point from 13% to 14% of their IT budgets. There was no change for large enterprises (1,000+ employees), which spend 19% of their IT budgets on security.
Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.
Hoeflertext is a legitimate font, designed for Apple in 1991, but a popup warning that the font is missing is a scam to fool users into downloading Locky ransomware or other malware. No genuine website needs a visitor to install a font pack by running a downloaded program: browsers substitute another font when one is missing, and sites that need a specific font deliver it through CSS without any user action.
Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.
This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, and both Palo Alto Networks and the SANS Internet Storm Center have recently reported that it is being used in a new campaign.
Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.
The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.
The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.
Clicking on the ‘verify your email’ box directs the user to a malicious website displaying fake Dropbox pages, where the popups appear. Internet Explorer users are not shown the popups; instead they are presented with fake anti-virus alerts linked to a tech support scam.
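The check a download gateway or mail scanner would apply to the "font pack" described in this campaign, as an added example that is not code from the original article or from the researchers it cites: identify the file by its leading bytes rather than by its name. A genuine font starts with a known TrueType, OpenType or WOFF signature, whereas a Windows executable starts with a DOS stub whose e_lfanew field points at a PE header. The only detail taken from the article is that the fake font pack arrived as an executable named Font_Chrome.exe; the other filenames and all byte samples are constructed here.

```python
"""Is the offered 'font update' really a font? (added example, not from the article)"""
import struct

FONT_SIGNATURES = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Mac)",
    b"OTTO": "OpenType (CFF)",
    b"ttcf": "TrueType collection",
    b"wOFF": "WOFF",
    b"wOF2": "WOFF2",
}
FONT_EXTENSIONS = (".ttf", ".otf", ".ttc", ".woff", ".woff2")
PE_KIND = "Windows executable (PE)"


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' stub whose e_lfanew (offset 0x3C)
    points at the 'PE' signature followed by two zero bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Identify the file by its leading bytes rather than its name."""
    if is_pe(data):
        return PE_KIND
    return FONT_SIGNATURES.get(data[:4], "unknown")


def assess_download(filename: str, data: bytes) -> dict:
    """Decide what a gateway should do with a file offered by a 'missing font' prompt."""
    name = filename.lower()
    looks_like_font = name.endswith(FONT_EXTENSIONS) or "font" in name
    detected = sniff(data)
    if detected == PE_KIND:
        verdict = "block"
        reason = "executable offered as a font" if looks_like_font else "executable download"
    elif detected != "unknown":
        verdict = "allow"
        reason = f"{detected} font signature"
    else:
        verdict = "review"
        reason = "no recognised font or executable signature"
    return {"filename": filename, "detected": detected, "verdict": verdict, "reason": reason}


def constructed_pe_stub() -> bytes:
    """Minimal MZ stub plus PE signature, built for the demonstration; not a runnable program."""
    header = bytearray(0x44)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    samples = [
        ("Font_Chrome.exe", constructed_pe_stub()),
        ("HoeflerText.woff", constructed_pe_stub()),
        ("HoeflerText.ttf", b"\x00\x01\x00\x00" + b"\x00" * 28),
        ("notes.txt", b"just text"),
    ]
    for fname, blob in samples:
        r = assess_download(fname, blob)
        print(f"{fname:18} {r['verdict']:6} {r['reason']} [{r['detected']}]")
```

The point of checking e_lfanew rather than just the two leading bytes is that "MZ" on its own is a weak signal (it appears in some non-executable files), while a valid pointer to the PE signature is what Windows itself follows when it decides to run the file.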
The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.
On October 10, 2017, the European Parliament will vote on a new copyright law that could see content filtering on websites in Europe which are deemed to violate copyright laws.
These laws would apply to all websites displayed to users in Europe. The law would naturally cover sites such as torrent sites that share links to copyright-protected material, but other websites could be affected too. Sites such as Reddit, eBay, Wikipedia and GitHub could all easily fall foul of the Directive on Copyright in the Digital Single Market if their users upload copyright-protected material.
If the Directive on Copyright in the Digital Single Market is passed in its current form, all website owners would have to monitor content uploaded by site users to ensure copyright laws are not violated. Online services providers would be required by law to implement content filters to prevent pirated material from being displayed on their websites. Detection mechanisms such as the fingerprinting technology used by YouTube would need to be implemented. Platform operators would be liable for any copyrighted material uploaded to their sites.
Content filtering on websites in Europe could not be performed manually – the work involved in vetting all content would make that impractical. Therefore, content filters would need to be automatic, and if all content must be checked to determine if it is acceptable, all uploads would need to be scanned.
An alternative to the upload filter has been proposed: the “link tax”, or ancillary copyright, that was introduced in Spain and Germany. The link tax required sites that publish news snippets from other publishers to pay for doing so, but the measure did not work in practice, so it is unlikely to be applied across all member states.
If Internet filters are applied, it would be difficult to differentiate between allowable use of copyrighted material and illegal use. It therefore has potential to affect parody websites, the use of quotes, and it could spell the end of Internet memes, at least in Europe. Also, if the new Directive is agreed in its current form, users would have no protection from unfair deletion of website content.
Raegan MacDonald, Senior EU Policy Manager at Mozilla, said, “The proposal would make filtering and blocking of online content the norm, effectively undermining innovation, competition and freedom of expression.” She also labelled some elements of the new directive “dysfunctional and borderline absurd.” Some see the Directive on Copyright in the Digital Single Market as Internet censorship akin to that used by China.
It has been argued that using this technology to apply content filtering on websites in Europe would violate the privacy of Internet users, since such a system would require all communications on websites to be monitored, which could potentially breach European privacy laws. Six EU member states have sent a letter questioning the legality of the new Directive and asking whether “the proposed measures [are] justified and proportionate.”
As it stands, if the Directive is passed, it will prove costly for businesses and as EDRi points out, the new law has potential to “undermine access to copyright-free public domain works that are for now freely available for everyone.”
A new study has been published in the Journal of Psychosocial Research on Cyberspace on the problem of cyberloafing, highlighting not only the cost to business but also the cost to individuals. Cyberloafing is a major drain on productivity, yet it is all too common. Employees who engage in cyberloafing can also seriously damage their career prospects.
The Business Cost of Cyberloafing
Employers are paying their employees to work, yet a significant amount of time is lost to cyberloafing. Cyberloafing dramatically reduces productivity and eats up company profits. The study was conducted on 273 employees and cyberloafing was measured along with the traits that led to the behaviour.
The study revealed a correlation between cyberloafing and dark personality traits such as psychopathy, Machiavellianism and narcissism, but also showed that employees waste huge amounts of time simply because they can get away with it. The sites most commonly visited were not social media sites but news websites and online retail sites.
In an ideal world, employees would be able to do their jobs and allocate some time each day to personal Internet use without any loss of productivity. Some employees do just that: they curb personal Internet use and do not let it interfere with their work duties. For many employees, however, cyberloafing is a problem, and employers suffer huge losses as a result.
A 2013 study on cyberloafing conducted by Salary.com showed that 69% of employees waste time at work every day, with 64% visiting non-work related websites. Out of those individuals, 39% said they wasted up to an hour on the Internet at work, 29% wasted 1-2 hours, and 32% wasted more than 2 hours a day.
Cyberloafing can make a huge dent in company profits. A company with 100 employees, each of whom spends an hour a day on personal Internet use, would see productivity losses in excess of 25,000 man-hours a year.
Productivity losses caused by cyberloafing are not the only problem – or cost. When employees use the Internet for personal reasons, their actions slow down the network resulting in slower Internet speeds for all. Personal Internet use increases the risk of malware and viruses being introduced, which can cause further productivity losses. The cost of resolving those infections can be considerable.
What Can Employers do to Reduce Productivity Losses?
First of all, it is essential that the workforce is advised of company policies relating to personal Internet use. Informing the staff about what is an acceptable level of personal Internet use and what constitutes unacceptable behaviour ensures everyone is aware of the rules. They must also be advised of the consequences of cyberloafing.
The Journal of Psychosocial Research on Cyberspace study suggests “a worker’s perceived ability to take advantage of an employer is a key part of cyberloafing.” By increasing monitoring and making it clear that personal Internet use is being noted, it serves as a good deterrent. When personal Internet use reaches problem levels there should also be repercussions for the employees concerned.
If there are no penalties in place for employees that break the rules and company policies are not enforced, little is likely to change.
What those penalties are is down to the employer. Action could be taken against the individuals concerned through standard disciplinary procedures such as verbal and written warnings. Controls could also be put in place to curb Internet activity, such as blocks on certain categories of website (social media and news sites, for example) when employees are spending too much time online. Those blocks could be temporary or time-based, allowing personal Internet use only during breaks or at times when workloads are typically low.
WebTitan – An Easy Solution to Reduce Productivity Losses and Curb Cyberloafing
Such controls are easily applied with WebTitan. WebTitan is an Internet filter for enterprises that can be used to reclaim lost productivity and block access to web content that is unacceptable in the workplace.
WebTitan allows Internet controls to be easily set for individual employees, user groups, or the entire organisation, with the ability to apply time-based web filtering controls.
Preventing all employees from accessing the Internet for personal reasons may not be the best way forward, as that could have a negative impact on morale which can similarly reduce productivity. However, some controls can certainly help employers reduce productivity losses. Internet filtering can also lower legal liability by preventing illegal activities and the accessing of adult content in the workplace and can help to prevent the development of a hostile work environment.
If you are interested in improving productivity and enforcing Internet usage policies in your organization, contact TitanHQ to discuss your options.
A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.
The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with the link pointing to Google Docs. Because the link is passed through the Bitly URL shortener, it is hard for users to see that it does not lead where it appears to.
Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.
Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.
The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”
While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.
This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.
Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.
With the volume of cyberattacks increasing and heightened pressure on businesses to offer family-friendly WiFi access, a partnership with a company that offers Internet filtering for managed service providers is now a must.
Businesses that offer WiFi access to customers provide greater value and are more likely to attract customers. Younger age groups in particular are more likely to choose an establishment that allows them to connect to the Internet and not use their own data allowance. Coffee shops, restaurants, bars, and retail outlets now appreciate that providing WiFi access brings in more customers.
However, it is becoming increasingly important for secure WiFi access to be provided. Customers are now demanding more. They want reassurance that efforts are being made to make WiFi networks secure. Parents also want to make sure their children will not be exposed to harmful website content when hooking up to WiFi networks.
With demand for a filtered Internet service high, it is an easy sell for managed service providers. Further, Internet filtering brings in regular monthly revenue for next to no effort. Once the service is set up there is very little maintenance. Due to the low maintenance overhead and ease of implementation, Internet filtering for managed service providers could even be provided as part of an existing security suite to give clients even greater value for money.
Visiting clients to install solutions and perform updates is costly and eats into profits. It can also be difficult to convince businesses to pay out for an appliance to keep customers safe online. Free WiFi may increase footfall, but having to pay for a $500 appliance is a difficult sell.
However, with a cloud-based filter there is no need for any hardware purchases, no need for MSPs to visit their clients for an installation, and all settings can be changed remotely via an online administration control panel. Customers can even be given their own logins so they can tweak their own settings and whitelist and blacklist certain webpages at will.
WebTitan Cloud for WiFi – Internet Filtering for Managed Service Providers Made Simple
WebTitan Cloud for WiFi has been developed to make Internet filtering for managed service providers as simple as possible. This go-to-market content filtering solution can be set up for each client in around 20 minutes, with no need for site visits or any software downloads. WebTitan Cloud for WiFi is also supplied with a full set of APIs for easy backend integration and reports can be scheduled and sent automatically.
Each client can have their own administration control panel to tweak their content filtering settings, and since the interface is non-technical, there is no steep learning curve. Internet filtering controls are applied by category, so configuration is a quick and easy process.
Content filtering with WebTitan Cloud for WiFi has no discernible impact on Internet speed, there is no limit to the number of WiFi points that can be protected and no limit on bandwidth.
Setting different web filtering controls for different users and user groups is straightforward, since the solution integrates with LDAP and Active Directory. Filtering settings can also be set by the time of day or night.
If you want to offer your clients real-time spyware, malware and virus protection and allow them to carefully control Internet access to keep customers safe online and avoid legal liability, WebTitan Cloud for WiFi is the ideal choice.
To make it even better for MSPs, WebTitan Cloud for WiFi can be supplied in white-label form ready to carry an MSP's own branding, and there is a choice of hosting options, including hosting the solution in your own environment. Add to that industry-leading customer service and you have the complete package.
If you are an MSP interested in adding Internet filtering to your service stack, or are looking for a lower-cost service provider with better margins, contact the MSP team at TitanHQ today and find out how easy, and how profitable, Internet filtering for managed service providers can be.
The cost of a malware attack is difficult to predict. Many factors affect the cost: the type of malware, whether data were stolen, the extent of the infection, how easy it is to mitigate, and how much business is lost while the infection is resolved. For many companies, the customer churn rate increases after a cyberattack, and certainly after one in which sensitive data are stolen.
For Maersk, the NotPetya attack did not result in any theft of customer data. Consequently, there was no need to pay for credit monitoring services or mail breach notification letters to customers, two additional and sizable costs associated with a malware attack. That said, the cost was considerable. Maersk has estimated the NotPetya wiper attack has cost as much as $300 million.
NotPetya was initially thought to be ransomware. The malware had a number of similarities to Petya ransomware: it overwrote the master boot record, encrypted the master file table and displayed a ransom demand. However, in the case of NotPetya, paying the ransom would not result in a key being sent to unlock the encryption; the installation ID shown in the ransom note was random data, so the attackers could not have derived a victim's key from it even if they had wanted to. The purpose of the attack was sabotage. The attackers had no intention of providing keys and allowing firms to recover their data.
For A.P. Møller – Maersk, the consequences of the attack were considerable. After its systems were taken out of action, the company was unable to load and unload its cargo ships in ports around the world. Many ships had to be rerouted as a result of the attack. Systems had to be rebuilt and the firm suffered considerable disruption while the infection was resolved.
A Model Response to A Cyberattack
Maersk was extremely quick to announce it had been attacked. The attacks occurred on June 27, 2017 and Maersk announced the following day that it had been affected. The company also maintained transparency throughout the following days and weeks while it attempted to recover, giving frequent updates on its progress in resolving the infection. The transparency has been applauded, with many security experts saying the company executed a model breach response. Not all companies were nearly as transparent.
The company recently issued an interim statement explaining how severe the attack was and how it would dent profits saying, “Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million.”
Nuance Communications was also affected, and similarly gave frequent updates to its customers on the impact of the attack and its efforts to resolve the infection. That communication undoubtedly reduced customer churn, although with its systems taken out of action for more than three weeks, many customers were forced to seek alternate vendors. Whether they will return remains to be seen. Nuance believes its Q2 profits are down about $15 million as a result of the attack, although losses are likely to be ongoing and the attack will certainly affect its Q3 profits. The manufacturer Reckitt Benckiser has estimated the NotPetya attack has cost the company around $129 million in lost revenue.
These are just three large companies to have disclosed the cost of the malware attack. Logistics firm TNT suffered considerable disruption as a result of the attack, as did FedEx, Mondelez, Merck, Heritage Valley Health System, WPP, Rosneft, DLA Piper, Saint-Gobain and many firms in Ukraine – the country worst affected by the attacks. The total cost of these malware attacks will certainly be measured in billions.
The Ponemon Institute calculated the average cost of a data breach to be $3.62 million. The NotPetya attack clearly shows the devastating effect a malware attack can have and why it is so important for companies to invest in improving policies, procedures and cybersecurity defenses.
From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that process the personal data of people in the EU, regardless of whether they are based there. A company outside the EU is covered if it offers goods or services to people in the EU, for example through a website that targets them, or if it monitors their behaviour. A non-EU business therefore cannot assume it is out of scope simply because it has no European office.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.
In addition to ensuring data is stored securely and that individuals can have their stored data deleted, GDPR also forces companies to report data breaches to the supervisory authority quickly, within 72 hours of becoming aware of them where feasible, and to notify the affected individuals without undue delay when a breach is likely to result in a high risk to them.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company's global annual turnover are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR imposes a number of restrictions on what companies can and cannot do with data and requires that it be protected, but it does not mandate any specific controls for protecting personally identifiable information. The technology used to protect data is left to the discretion of each company, and there is no standard template for protecting personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected, and the systems and processes that handle it must be identified so that appropriate controls can be applied to each.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and processes for regularly testing security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.
The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.
Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.
By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.
By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.
The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.
A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.
When companies update their password policies to force users to include at least one capital letter and one number in a password, many end users choose Password1, Passw0rd or P455w0rd. All would be high up on any password list used in a brute force attack.
Attempts such as these to meet company password requirements mean that security is not actually improved by the password policy. If this is what users will do anyway, it makes more sense – from a security perspective – to let employees create passwords that are easier to remember in a way that is also more secure.
NIST Tweaks its Guidance on Strengthening Passwords
As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.
Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.
The use of a space does not make a password any more secure, although increasing a password from 8 characters to say, 15 or 20 characters, certainly does. It also makes passwords much easier to remember. NIST suggests passwords must have a minimum of 8 characters, and that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”
NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.
NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before a user is blocked is one such option. Organizations should also combine this with blacklists of unacceptable passwords that include dictionary words, other weak passwords and those revealed in past data breaches. NIST also recommends that passwords be stored in securely hashed form.
The NIST guidance on strengthening passwords can be found in NIST Special Publication 800-63B, Appendix A – Strength of Memorized Secrets.
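The following Python is an added example, not code from the page or from NIST, showing the checks the guidance above describes: a length floor with no composition rules and spaces allowed, a blocklist lookup that also catches decorated variants such as Password1 and P455w0rd, a keyspace comparison showing why length beats complexity, a failed-login lockout, and salted hashed storage. The blocklist contents, function names and lockout parameters are assumptions constructed for the example.

```python
import hashlib
import hmac
import math
import os
import time
import unicodedata

MIN_LENGTH = 8     # NIST 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 256   # passphrases of 64+ characters must be accepted; the cap only bounds hashing cost

# Constructed sample blocklist. A real deployment would load dictionary words and
# breached-password corpora, as the guidance recommends.
BLOCKLIST = {
    "password", "12345678", "qwertyuiop", "letmein", "welcome", "football",
}

# Common digit/symbol substitutions, reversed so 'p455w0rd' maps back to 'password'
_LEET = str.maketrans("01345@$", "oleasas")


def _normalize(password):
    """NFKC-normalize so equivalent Unicode spellings compare (and hash) equal."""
    return unicodedata.normalize("NFKC", password)


def _core_word(password):
    """Reduce decorated variants such as 'Password1', 'Passw0rd' or 'P455w0rd!'
    to the underlying word so they still match a blocklist entry."""
    stripped = password.lower().strip("0123456789!@#$%^&*.-_ ")
    return stripped.translate(_LEET)


def check_password(password, context_words=()):
    """Return (accepted, reason). No composition rules are applied; spaces are allowed."""
    pw = _normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    lowered = pw.lower()
    if lowered in BLOCKLIST or _core_word(pw) in BLOCKLIST:
        return False, "matches a blocklisted password"
    for word in context_words:      # e.g. the username or the service name
        if word and word.lower() in lowered:
            return False, "contains context-specific word %r" % word
    if len(set(lowered)) <= 2:      # 'aaaaaaaa', 'abababab'
        return False, "repetitive characters"
    return True, "accepted"


def guess_space_bits(length, alphabet_size):
    """Bits of guessing work for a uniformly random password of the given length
    and alphabet: 20 characters from 27 symbols outweighs 8 characters from 94."""
    return length * math.log2(alphabet_size)


class LoginThrottle:
    """Lock an account after max_failures consecutive failed logins. The clock is
    injectable so lockout expiry can be tested without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:   # lockout expired: reset the counter
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Count a failed attempt; returns True once the account is locked."""
        self.is_locked(account)     # clears state left over from an expired lockout
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return self.is_locked(account)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 for storage; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=600_000):
    """Constant-time comparison of a login attempt against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```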
Exploit kit activity has fallen considerably since last year, but new variants are being developed, one of the latest being the Disdain exploit kit.
An exploit kit is a web-based toolkit capable of probing web users’ browsers for vulnerabilities. If vulnerabilities are discovered, they can be exploited to silently download ransomware and malware.
All that is required for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or out of date plugin. Currently, the author of the Disdain exploit kit claims his/her toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx – Namely, CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high chance of success.
No malware distribution campaigns have so far been identified using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are conducted. The Disdain exploit kit has only just started being offered on underground forums.
Fortunately, the developer does not have a particularly good reputation on the forums, which is likely to slow the use of the exploit kit. However, it is being offered at a low price which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts being offered for weekly and monthly use. The Disdain exploit kit is being offered for considerably less than some of the other exploit kits currently being touted on the forums, including the Nebula EK.
All that is required is for someone to rent the kit, provide the malicious payload, and direct traffic to the domain hosting the Disdain exploit kit – such as via a malvertising campaign or botnet. The price and capabilities of the EK mean it has potential to become a major threat.
Protecting Your Business from Online Threats
Cybercriminals may be favouring spam email over exploit kits for delivering malware, although the threat of web-based attacks should not be ignored. To a large extent, good patch management practices can reduce the risk of exploit kit attacks, although not entirely. Exploit kits are frequently updated with new vulnerabilities for which patches have yet to be released. If end users are directed to domains hosting exploit kits, malware and ransomware downloads can be expected.
Along with prompt patching, businesses should consider implementing a web filtering solution. A web filter can be configured to carefully control the websites that end users can visit. A web filter will block access to all webpages known to host malware or contain exploit kits. Risky categories of website, which end users have no work purpose for visiting, can also easily be blocked, reducing the risk of phishing attacks and improving employee productivity.
An appliance-based web filter can be costly to implement and can have a negative effect on Internet speed. A DNS-based web filter on the other hand requires no hardware purchases and has no latency. Internet speed is unaffected. Since a web filter can also be used to restrict access to websites that take up a lot of bandwidth, Internet speeds for all can actually improve.
WebTitan Cloud – and WebTitan Cloud for WiFi – are DNS-based web filtering solutions for enterprises that allow precision control over the sites that can be accessed by end users and offer excellent protection against web-based threats such as exploit kits and phishing websites.
The solutions require no hardware purchases, no software downloads, there is no latency, and they are highly scalable. Implementing and configuring the solutions is quick and easy and they require minimal maintenance.
WebTitan is also ideal for MSPs, being available in full white-label form with a choice of hosting options – including hosting in an MSP’s own environment.
If you want to improve the productivity of your workforce and effectively manage online threats – or offer web filtering to your clients – contact the TitanHQ team today to discuss your options and register for a free trial.
The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.
The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.
In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.
WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit. Again, these attacks required no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.
These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.
The take home message is unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.
Poor Patch Management Policies Cost Insurer More than $5 Million
This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.
The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.
The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement, Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”
Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, law suits filed by breach victims, attorneys general fines and fines by other regulators. These costs can all be avoided with good patch management policies.
In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.
It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.
Once installed, the malware forces a reboot of the system, modifies the Master Boot Record, encrypts the disk partitions and reboots again; this time victims are presented with a warning screen advising that their data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.
The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.
The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.
It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.
Businesses can enhance their defences against this and other malware variants by implementing WebTitan.
WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.
There are many reasons why businesses want to restrict Internet access at work. Allowing employees unrestricted access to the Internet can be a major drain on productivity, the risk of malware and ransomware downloads must be managed, and inappropriate Internet use at work can cause legal issues. However, restricting Internet access at work can also cause problems.
The Problem of Personal Internet Use at Work
Some employees spend an unreasonable amount of the working day surfing the Internet, playing games or accessing their social media accounts. Personal Internet use can see hours of the working day wasted. Multiply an hour a day by your number of employees and the losses are considerable.
There are other drains on productivity as a result of these activities. They can have a knock-on effect on Internet speed. If employees are downloading large files from file sharing websites or streaming music or videos, this can result in latency that affects all employees. Internet speed slows and important websites may become temporarily unavailable.
The Danger of Malware and Ransomware Downloads
Personal Internet use at work can cause other productivity-draining issues. If employees are accessing social media websites, downloading files or visiting questionable websites, the risk of malware or ransomware downloads increases significantly.
Ransomware can result in an entire network being taken out of action, as has recently been seen at companies affected by the WannaCry and NotPetya attacks. In the case of the latter, companies have experienced major disruptions for weeks following the attacks.
Even if antivirus software is installed, it may not prevent malware and ransomware downloads. Cybercriminals are getting better at obfuscation. Ransomware may not be detected until it is too late.
Accessing of Inappropriate Web Content
While most employees do not use the Internet to access unsavoury or illegal web content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.
In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A 2013 Forbes survey revealed 25% of adults have viewed porn at work. 28% of employees have downloaded porn at work according to another survey.
Many businesses feel the best way to tackle the problem of personal Internet use is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the Internet, action can be taken against individuals without restricting Internet access at work for everyone. This does not always prove effective.
Even if policies are introduced that threaten instant dismissal for accessing pornography at work, it may not curb use. The use of anonymizer services will prevent bosses from discovering what sites are being visited. In the case of personal Internet use, differentiating between minor personal use and persistent abuse can be difficult.
The alternative is to restrict Internet access at work with a web filter. A web filter can be used to block access to specific websites or categories of website content.
Problems with Using a Web Filter to Restrict Internet Access at Work
A web filter may seem like a quick and easy solution, although companies that restrict Internet access at work with a web filter can experience problems. Those problems can be worse than the issues the web filter was installed to correct.
If you restrict Internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. The result is considerable latency. As more sites switch to SSL certification and also use 4096-bit encryption, the problem will only get worse.
If you restrict Internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have an effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few?
How to Avoid Problems and Still Restrict Internet Access at Work
The issue of latency can be avoided if a cloud-based web filter is used. Cloud-based filters allow employers to restrict Internet access at work, but since the solutions are based in the cloud, they use the service provider’s resources. The result is Internet control without latency. There are other benefits. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware.
Some cloud-based filters, WebTitan for instance, allow time-based controls to be applied. Employers can use this feature to restrict Internet access at work during busy times and relax control at others. It is easy to block access to certain sites 100% of the time, others some of the time – relaxing controls during breaks for instance – and setting different controls for different employees or groups of employees. Since the filter integrates with LDAP and Active Directory, setting controls for different user groups is simple. It is also possible to block anonymizer websites to prevent users from bypassing content filtering controls.
Speak to TitanHQ About Internet Filtering Controls
Internet content control is quick, easy and low cost with WebTitan. The solution allows you to easily restrict Internet access at work and avoid the common problems associated with web filtering. If you are interested in curbing personal Internet use at work, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase.
2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.
Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.
Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.
Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.
Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.
The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.
Major Malware Attacks on Schools in 2017
Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.
Minnesota School District Closed for a Day Due to Malware Attack
Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed on the network as a result of a member of staff opening a phishing email.
Swedesboro-Woolwich School District Suffers Cryptoransomware Attack
The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.
The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”
Los Angeles Community College District Pays $28,000 Ransom
Ransomware was installed on the computer network of the Los Angeles County College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.
Calallen Independent School District Reports Ransomware Attack
The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.
Preventing Malware and Ransomware Attacks on Schools
Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.
Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.
By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.
TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware
TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.
WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.
SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.
To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.
Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.
With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.
Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.
The Risks of Unsecured WiFi Networks
If retailers provide free WiFi access in store, it helps to attract more foot traffic, encourages individuals to stay in stores for longer and gives them access to information and reviews about products; studies have also shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than six out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.
Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.
Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.
Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.
Secure WiFi Access for Shops Brings Many Benefits
The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improve the image of your brand. It is also likely to result in positive online reviews.
Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your consumers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers’ browsing habits.
The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.
WebTitan – Secure WiFi Access for Shops Made Simple
Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill and has no effect on Internet speed, and it can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.
WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.
To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.
Hospitals have invested heavily in solutions to secure the network perimeter, although Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, although IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.
A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.
A look at the Department of Health and Human Services’ Office for Civil Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.
Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.
Internet and WiFi filtering in hospitals is therefore no longer an option, it should be part of the cybersecurity strategy for all healthcare organizations.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.
WebTitan Cloud for WiFi supports blacklists and whitelists, allows precision content control via category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what happens on your WiFi network.
To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.
Hotel guests used to choose hotels based on whether free WiFi was available. Now free WiFi is no longer enough: secure WiFi for hotels is required to ensure the Internet can be accessed safely, a fast connection is essential and the WiFi signal must be reliable.
Even budget hotels know the attractive power of free WiFi and how much easier it is to attract guests with free, reliable Internet access. Forrester Research conducted a survey back in 2013 that showed 90% of hotel guests considered free WiFi access to be the most important hotel amenity, while 34% of respondents said free WiFi was a deal breaker when choosing a place to stay.
Providing Free WiFi is No Longer Enough
Now that most hotels are offering free WiFi, travelers have become much more discerning. Free WiFi access is no longer sufficient. Hotel guests want reliable access, good Internet speeds and sufficient bandwidth to stream music and videos, and secure WiFi for hotels is similarly important. Hotels now need to improve their WiFi networks to continue to attract business.
A quick look on TripAdvisor and other review sites is all it takes to assess the quality of the Internet connection. There are even websites dedicated to providing this information. A poor WiFi signal is one of the most common complaints about hotels.
Providing an excellent Internet connection may not mean a 5-star review is guaranteed – but one or two-star reviews can be expected if the Internet connection or WiFi coverage is poor.
If you really want to attract more guests, provide free WiFi access. If you want to gain a serious competitive advantage, ensure all rooms have an excellent signal, there is sufficient bandwidth and make sure your network is secure. Guests now expect the same protections they have at home.
Common Problems with Hotel WiFi Networks
Listed below are some of the common problems reported by guests about hotel WiFi:
Problems connecting more than one device to the network – Hotels often have WiFi networks with limited bandwidth. Restrictions may be in place that only allow one device to be connected per room. For a couple or family, that is no longer sufficient. Most guests will require at least two devices to be connected simultaneously per room, without Internet speed dropping to a snail’s pace.
Parents do not want their children to be able to access porn – A night in a hotel should be a relaxing experience. Parents do not want to have to spend their time policing the Internet. They want controls in place to make sure adult content cannot be accessed by their kids.
Connecting to guest WiFi should be safe and secure – Guests should be protected from malware and ransomware infections and steps should be taken by the hotel operator to reduce the risk of man-in-the-middle attacks. Safe and secure WiFi for hotels is essential. Accessing hotel WiFi should not result in nasties being transferred to guests’ devices. Safe and secure WiFi for hotels is especially important for business travelers. They should be able to enter their usernames and passwords without risking an account compromise.
Bandwidth issues are a major bugbear – If some guests are streaming video to their devices, it should not prevent other users from accessing the Internet or enjoying reasonable Internet speeds. Even at busy times, all guests should be able to connect.
How to Resolve these Problems?
Bandwidth is a major issue. Increasing bandwidth comes at a cost. If free WiFi is provided, it is difficult to recover that expenditure. There are solutions, however. Hotels can offer free WiFi access to all guests, yet block streaming sites and other bandwidth-heavy activities. If guests want to be able to stream video, they could be offered a premium service and be charged for non-standard access. The same could apply to adult content. Hotels could offer family-friendly WiFi as standard, with a paid-for service having fewer restrictions.
Secure WiFi for hotels is a must. Hotels can implement solutions that block malware and prevent guests from accessing phishing websites. Providing an encrypted connection is also essential. Guests should be able to login to their accounts without being spied on.
Secure WiFi for Hotels Made Simple
A web content filter can be used to resolve the above problems and ensure safe and secure Internet access for all guests. Arranging secure WiFi for hotels is simple with TitanHQ.
TitanHQ’s WebTitan Cloud for WiFi is a content filter with a difference. The solution can be deployed on existing hardware with no need for any software installations. Once installed, it is simple to manage, with updates to the system occurring automatically. Users don’t even need any technical expertise. The solution can be implemented and accounts set up in minutes. It doesn’t matter how many hotels you operate, all can be protected with ease through a central control panel that can be accessed from any location.
Secure WiFi for Hotels from TitanHQ
WebTitan Cloud for WiFi allows hotel operators to:
- Control content and online activities without any impact on Internet speed
- Block pornography and other inappropriate content to make the WiFi network family-friendly
- Prevent users from engaging in illegal activity
- Block phishing websites
- Prevent malware and ransomware downloads
- Restrict bandwidth-heavy activities such as video and music streaming services
- Create user groups with different restrictions, allowing streaming or adult content for specific user groups
- Set web filtering controls for different access points
- Manage content filtering for multiple hotels with ease, no matter where in the world they are located
To find out more about all of the benefits of WebTitan Cloud for Wifi, how secure WiFi for hotels can be provided, details of prices and to register for a free trial, contact the TitanHQ team today. Your guests will thank you for it.
Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself to considerable risk.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows them to collect contact details for future marketing and business can gain valuable customer insights.
However, giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of control over accessible website content to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities. They may accidentally or deliberately install malware or ransomware, or visit phishing websites. Secure guest WiFi for business means protecting yourself and your customers: it ensures visitors are protected when connected to your network by preventing man-in-the-middle attacks and malware downloads and by blocking phishing attacks. You will also be protected from legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Before providing WiFi access be sure to consider the points below:
Segregating your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests. It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, it will not spread from the guest network to your internal network.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks.
Keep your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed on a monthly basis.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2 encryption. You can then post the SSID and password in your business to make it easy for legitimate users to gain access to your network.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding some controls over the content that can be accessed on your WiFi network. Content filtering is a must. You should block access to adult content – which includes pornography, gambling sites and other web content that is ethically or morally questionable. A web filtering solution will also protect your customers from accidental malware and ransomware downloads while blocking phishing websites. Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades.
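The five points above can be checked mechanically for the parts that live in an access-point configuration. The following is an added example, not TitanHQ code or code from the page: it audits a hostapd-style guest-AP config for segregation from the corporate bridge, client isolation, a branded SSID, WPA2-only encryption and a non-default passphrase. The business name, bridge names, SSID and the list of default passphrases are constructed assumptions; firmware currency cannot be read from a config file and still has to be checked against the vendor's release notes.

```python
"""Audit a guest-WiFi access-point configuration against the checklist above.

Constructed example (not TitanHQ's or the page's code). Input is hostapd-style
key=value lines. Firmware currency is not visible in a config and is not
checked here.
"""

# Constructed list of well-known default/placeholder passphrases (assumption).
KNOWN_DEFAULTS = {"password", "admin", "12345678", "guest", "changeme"}


def parse_hostapd(text):
    """Return a dict of key=value pairs, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_guest_ap(text, business_name, corporate_bridge):
    """Return a sorted list of finding codes for a guest-AP config.

    business_name:    name the SSID is expected to carry so customers can
                      tell the real network from a look-alike access point.
    corporate_bridge: bridge interface carrying the staff/internal network;
                      the guest AP must not be attached to it.
    """
    conf = parse_hostapd(text)
    findings = set()

    # 1. Segregation: guest traffic must not land on the internal bridge.
    if conf.get("bridge") == corporate_bridge:
        findings.add("GUEST_ON_CORPORATE_BRIDGE")
    # Client isolation stops guests reaching each other's devices.
    if conf.get("ap_isolate", "0") != "1":
        findings.add("CLIENT_ISOLATION_OFF")

    # 2. SSID: should identify the business, not the router vendor/default.
    ssid = conf.get("ssid", "")
    if business_name.lower() not in ssid.lower():
        findings.add("SSID_NOT_BRANDED")

    # 3. Encryption: hostapd wpa=2 is WPA2 only; 0 is open, 1 WPA1, 3 mixed.
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.add("OPEN_NETWORK")
    elif wpa != "2":
        findings.add("WPA1_ALLOWED")
    # TKIP is the legacy WPA1 cipher; only CCMP (AES) should be offered.
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).upper()
    if "TKIP" in ciphers:
        findings.add("TKIP_CIPHER_ALLOWED")

    # 4. Passphrase: not a known default, and long enough to resist guessing.
    psk = conf.get("wpa_passphrase", "")
    if wpa != "0":
        if psk.lower() in KNOWN_DEFAULTS:
            findings.add("DEFAULT_PASSPHRASE")
        elif len(psk) < 12:
            findings.add("SHORT_PASSPHRASE")
    return sorted(findings)


# Constructed "before" config showing the weaknesses the checklist warns about.
WEAK_GUEST_AP = """
interface=wlan0
# same bridge as the office workstations
bridge=br-lan
ssid=linksys
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed corrected config for the same access point.
HARDENED_GUEST_AP = """
interface=wlan0
# separate VLAN/bridge, firewalled from br-lan
bridge=br-guest
ssid=Northside Coffee Guest
ap_isolate=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=latte-window-river-2024
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_GUEST_AP), ("hardened", HARDENED_GUEST_AP)):
        print(name, audit_guest_ap(cfg, "Northside Coffee", "br-lan"))
```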
Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.
Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.
However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.
The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.
Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.
While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”
WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family-Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.
“For our technical staff, it reduced the time spent on support calls as the number of support calls reduced dramatically almost immediately.” The solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customer’s location so issues that previously occurred regularly are now avoided.”
It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family-Guard has enjoyed savings of more than $10,000.
Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.
Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.
For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.
Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.
Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.
Retailers can gain huge benefits from offering customers free access to WiFi network, but without security solutions to mitigate risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.
Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites.
Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.
Selfridges prides itself on providing high quality products and customer service, so it was important to ensure its WiFi service reflected the store’s values. Alisdair Morison, IT manager at Selfridges, said “We had to ensure that guests could not access malicious sites or to view inappropriate content while in the store.”
In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.
Choosing a solution posed a number of challenges. Selfridges has a small but busy IT department, so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store, so it was important that the solution could be managed remotely for all four locations without the need for any site visits.
Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison, “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”
The solution was set up in less than half a day and the IT team can manage the solution remotely and monitor WiFi connections. All four locations are managed through a central administration management console. All that was required to get started was to add the company’s external IP address to the GUI, update DNS forwarders and set the filtering controls.
Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.
TitanHQ has announced a new partnership agreement with the intelligent spaces firm Purple. TitanHQ will be securing the firm’s WiFi networks and providing content filtering with WebTitan Cloud for WiFi.
Purple is a leader in its field, with over 20 million users spread across 125 countries around the globe. Its solution helps businesses monitor their physical spaces and promote their brand, in addition to gaining valuable insights into customer behavior at their venues. Purple’s clients include the City of New York, Legoland, Jaguar, Pizza Express, Outback Steakhouse, the Indiana Pacers, Merlin Entertainments Group and British Land to name but a few.
Purple will be adding WebTitan to its WiFi and Analytics package to improve security for its customers. Current and new customers will benefit from a more secure WiFi package and will be protected from a wide range of web-based threats.
WebTitan is a market-leading web content filtering solution that currently blocks more than 60,000 malware variants each day, protecting end users when they venture online. WebTitan can be used to control the content that can be accessed via WiFi networks around the globe from a single administration console. Companies can protect thousands – or tens of thousands – of WiFi access points simultaneously with WebTitan without any latency. The solution is easy to set up and configure, requires no additional hardware and has an extremely low management overhead.
Protection from exploit kits, phishing websites, and malware and ransomware downloads is more important now than ever. Cybercriminals have increased their efforts, and malware, phishing and ransomware attacks are becoming increasingly common.
In the case of ransomware, payment of the ransom demand may not allow data to be recovered as has clearly been demonstrated by the NotPetya attacks. Many companies that were attacked with NotPetya are still experiencing major problems and disruptions to services, with several firms forced to replace entire networks following installation of the malware.
Cyberattacks such as WannaCry and NotPetya are likely to become the new norm, with companies needing to do more to protect their networks – and their customers – from attack.
With WebTitan, malware and ransomware protection is only part of the story. WebTitan is a powerful content filter that prevents inappropriate content from being accessed by WiFi users – something that is becoming increasingly important in the retail and hospitality industries. With Purple’s retail and hospitality sector clients growing fast, this additional protection was essential.
For Purple, it soon became clear that the partnership with TitanHQ was the perfect choice, as James Wood, Head of Integration at Purple explained, “We approached TitanHQ with a number of specific requirements that were unique to Purple. From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan was also ideal for Purple customers, Woods said, “We take guest Wi-Fi security seriously so it was important that our customers were protected in the right way. Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
Installing the new web filtering system and replacing the incumbent system was completed in the quickest possible time frame, with tens of thousands of users migrated to the new system in a matter of days. Woods said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.
The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.
Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.
The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.
Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.
Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.
TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.
WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.
SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.
Both solutions are provided as white labels with a range of hosting options, including hosting within an MSP’s own environment.
Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.
“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president of customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”
The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.
The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.
Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes or are used for a variety of scams.
Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.
The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.
It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign can get around these controls and can bypass ad blockers ensuring adverts are still displayed.
A web filtering solution can be useful at preventing categories of websites from being accessed that commonly host malicious adverts – sites hosting pornography for example – although due to the wide range of websites that display third party adverts, it would not be possible to eradicate risk. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.
Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.
In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.
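The blacklist-based redirect blocking described above is easy to reason about in code. The following Python is an added example written for this page, not WebTitan’s own code or a real blacklist feed: it walks an ad redirect chain hop by hop, normalizes each hostname (case, port, trailing dot) and matches it and every parent domain against a blocklist, so a blacklisted domain also covers its subdomains. All hostnames below are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed sample blocklist of ad-chain hosts; these names are placeholders,
# not indicators from the RoughTed campaign or any real blacklist feed.
BLOCKLIST = {
    "malvertising-landing.example",
    "exploit-kit-host.example",
}


def normalize_host(url):
    """Return the lowercase hostname of a URL with any port and trailing dot removed.
    A bare host such as 'cdn.example' (no scheme) is accepted as well."""
    if "//" not in url:
        url = "//" + url
    host = urlparse(url).hostname or ""
    return host.rstrip(".").lower()


def domain_labels(host):
    """Yield the host and each of its parent domains, most specific first:
    'a.b.example' -> 'a.b.example', 'b.example', 'example'.
    Matching parents means a blacklisted domain also covers its subdomains,
    so never put a bare TLD on the blocklist."""
    parts = host.split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = normalize_host(url)
    return any(label in blocklist for label in domain_labels(host))


def first_blocked_hop(chain, blocklist=BLOCKLIST):
    """Walk an ordered redirect chain (publisher -> ad network -> ... -> landing page)
    and return (index, url) of the first blocked hop, or None if every hop is clean.
    A filter that blocks at this hop stops the user before the landing page loads."""
    for index, url in enumerate(chain):
        if is_blocked(url, blocklist):
            return index, url
    return None


# Constructed redirect chain: a legitimate publisher and ad network, then a
# mixed-case host with a port on a blacklisted domain, then the final landing site.
SAMPLE_CHAIN = [
    "https://news-publisher.example/article/123",
    "https://ads.ad-network.example/click?id=42",
    "https://Cdn.Malvertising-Landing.example:8443/redir?next=1",
    "https://exploit-kit-host.example/gate",
]

if __name__ == "__main__":
    print(first_blocked_hop(SAMPLE_CHAIN))
```

The chain is blocked at the third hop, before the final landing site is ever reached. A DNS-based filter gets the same effect by refusing to resolve the blacklisted name, which is why it can stop the redirect even when an ad blocker has been bypassed and the advert itself is displayed.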
If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.
2017 US data breaches have reached a record high, jumping an incredible 29% year over year. The mid-year data breach report from the Identity Theft Resource Center (ITRC) and CyberScout shows there were 791 reported data breaches between January 1 and June 30, 2017.
If 2017 US data breaches continue at the current pace, and there are no indications to suggest they will not, this year is set to be another record breaker. Last year smashed previous records with 1,093 data breaches reported for the year. This year looks on track to see the total reach – or exceed – 1,500 breaches. That would represent a 37% increase year over year.
The biggest cause of 2017 US data breaches is hacking, according to the report. Hacking includes phishing attacks, malware infections and ransomware attacks, the latter seeing a massive increase in the past 12 months. In the first six months of 2017, 63% of incidents were attributed to hacking – a 5% increase year over year – and 47.7% of those breaches involved phishing to some degree. ITRC says 18.5% of 2017 US data breaches involved malware or ransomware.
Employee error and negligence, which includes improper disposal of sensitive data, continue to cause many breaches, with those causes accounting for 9% of the total. Accidental exposure of sensitive data on the Internet was the cause of 7% of data breaches. The number of breaches in both categories decreased year over year.
Most 2017 US Data Breaches Were Reported by the Business Sector
In the first half of the year, the business sector reported the most data breaches – 54.7% – with the healthcare and medical industry in second place with 22.5% of breaches. The education sector was third with 11% of breaches followed by the banking and financial services sector with 5.8% of the total. The government and military sector rounds off the top five with 5.6% of reported breaches.
There was an increase in data breaches reported by the hospitality and fast food sector in the first half of the year, most of which involved the theft of credit card details after malware was installed on POS systems. One of the biggest breaches affected Sabre Corporation and its SynXis hotel booking service. Hard Rock Hotels, Trump Hotels, Loews Hotels and Four Seasons were all among the victims. In the case of Trump Hotels, it was the third payment card data breach experienced in the past two years.
Biggest Healthcare Data Breaches of 2017 (So far)
The healthcare industry has also seen a rise in data breaches in 2017 of 14% according to the figures published by the Department of Health and Human Services’ Office for Civil Rights. The main cause of healthcare data breaches – 37% – was hacking and IT incidents, which includes ransomware and malware attacks. Unauthorized access/disclosure came a close second with 35% of the total. Loss and theft of devices containing ePHI was in third place with 24% of the total followed by improper disposal on 4%.
The biggest healthcare data breaches of 2017 so far are:
| Organization | Entity Type | Records Exposed | Breach Type |
| --- | --- | --- | --- |
| Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| Airway Oxygen, Inc. | Healthcare Provider | 500,000 | Hacking/IT Incident |
| Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident |
| Harrisburg Gastroenterology Ltd | Healthcare Provider | 93,323 | Hacking/IT Incident |
| VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident |
| Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident |
| Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident |
| Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure |
| Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident |
The healthcare industry must report data breaches under HITECH/HIPAA regulations, including the number of individuals impacted. However, ITRC/CyberScout report that many organizations are holding back details of the number of individuals impacted. Without that information, it is difficult to obtain an accurate picture of the severity of data breaches.
Eva Velasquez, ITRC President and CEO, said, “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”
Human error was to blame for a massive Verizon Communications data leak that saw the personal information, account details and PIN numbers of more than 6 million customers exposed on the Internet.
The Verizon Communications data leak is particularly serious due to the highly sensitive nature of the exposed data. In addition to customers’ names, addresses, email addresses and phone numbers, PIN numbers and account details were also exposed. Since the PIN is used to confirm the identity of customers, anyone in possession of the data could easily impersonate customers. The PINs are used to verify identities by customer service staff at the firm’s wireline call center.
The Verizon Communications data leak was caused by a misconfigured cloud server that was set to allow external access. Amazon automatically secures its servers, although changing the settings will allow data to be accessed externally. The error was made by an employee of NICE Systems, an Israeli third-party vendor contracted by Verizon to improve its wireline self-service call center portal for residential and small business customers.
As was the case with a number of recent data leaks, the misconfigured cloud server was found by Chris Vickery, security researcher and Director of Cyber Risk Research at UpGuard. The Amazon S3 storage server error was identified on June 13 and was brought to the attention of Verizon, which corrected the problem on June 22, 9 days after being notified of the security hole. Data were accessible by anyone who had the web address.
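The misconfiguration behind this leak is a bucket whose ACL or bucket policy grants access to everyone, and it is straightforward to audit for. The Python below is an added example for this page, not Verizon’s, NICE Systems’ or UpGuard’s code: it evaluates the two places an S3 bucket can be opened to the world, an ACL grant to the AllUsers or AuthenticatedUsers group and an unconditional Allow statement with Principal "*" in the bucket policy. The data structures follow the shape that `get_bucket_acl` and `get_bucket_policy` return, but the bucket name, owner id and documents here are constructed placeholders, so the check runs offline.

```python
import json

# Group URIs that make an S3 ACL grant public (anyone) or semi-public
# (any authenticated AWS account, which in practice is also anyone).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs from a bucket ACL that grant access to
    everyone. `acl` has the shape of a get_bucket_acl response: a dict with a
    'Grants' list of {'Grantee': {...}, 'Permission': ...} entries."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    """A policy Principal of "*" or {"AWS": "*"} means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sids of Allow statements that apply to everyone and carry no
    Condition. `policy` is a policy document as a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be given bare
        statements = [statements]
    sids = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditional grants need a human to read the condition
        sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def audit_bucket(name, acl, policy=None):
    """Combine both checks into one verdict for a bucket."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    return {
        "bucket": name,
        "public": bool(acl_findings or policy_findings),
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
    }


# Constructed sample data; the owner id and bucket name are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "PLACEHOLDER-OWNER-ID"}
PRIVATE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(audit_bucket("example-bucket", EXPOSED_ACL, EXPOSED_POLICY))
```

Run against every bucket in an account, a check like this would have flagged the NICE Systems bucket on the day it was opened rather than nine days after a researcher found it. Conditional statements are deliberately skipped rather than judged, since a condition may or may not narrow "everyone" down to something safe.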
Initially, UpGuard suspected up to 14 million individuals had been affected as a result of the Verizon Communications data leak, although Verizon has since released a statement confirming the incident impacted around 6 million customers.
Vickery discovered the server had six unsecured folders. The information in the files related to customers who called Verizon customer service between January and June 2017.
A spokesperson for Verizon told ZDNet, “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
While the data were exposed online, the information does not appear to have been accessed by anyone other than the security researcher who discovered the error. Verizon said, “There has been no loss or theft of Verizon or Verizon customer information.”
Last month, TitanHQ conducted a survey on managed service providers that have added WebTitan Cloud for Service Providers to their service stacks and are providing web filtering and anti-malware services to their customers.
There are many reasons why service providers have started offering a web filtering service. Customers often ask service providers for a web filtering service to prevent their employees from accessing inappropriate web content in the workplace and to stop inappropriate content from being accessed via WiFi networks in public places. They also want greater protection from malware and ransomware and to control use of bandwidth.
TitanHQ is well aware of the benefits that can be gained from using WebTitan Cloud for Service Providers, but the company wanted to gather feedback from MSPs and find out why they are so happy providing the web filtering service to their customers.
The answer to that question was abundantly clear from the survey. When asked to state the number one reason why they use web filtering there was a clear winner. 89% of service providers said they use WebTitan Cloud for Service Providers because “It saves significantly on my support time and cost.”
Managed Service Providers that offer WebTitan Cloud to customers are enjoying major savings. Since WebTitan Cloud is highly effective at blocking access to malicious websites, customers experience less downtime as a result of malware infections. For service providers that means less time is spent mitigating malware infections, which is arguably the biggest expense of IT operation teams and tech support staff.
One NYC-based Managed Service Provider summed up why web filtering is so important, saying, “Web filtering is one of the, if not the, greatest bang for your buck services. Its built-in anti-malware has protected our clients, and us, from having to fix thousands of hours of repair time, I am absolutely certain.”
A Washington-based MSP said, “By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs,” while a London, UK-based MSP explained that since they started providing a web filtering service, “Our Crypto calls dropped to 0.”
As well as cutting down the time spent responding to security incidents, MSPs found that WebTitan Cloud for Service Providers was an easy way to increase client spending. The second most popular response was that WebTitan Cloud for Service Providers is “an easy monthly recurring revenue source”.
How Can WebTitan Cloud for Service Providers Benefit Your Organization?
WebTitan Cloud for Service Providers has been developed specifically for Managed Service Providers. The solution is ideal for hotspot and WiFi providers, MSPs, ISPs and retail and public organizations that offer access to WiFi networks, including schools, universities, libraries, restaurants, cafes, shops and hotels.
The solution is highly scalable to hundreds of thousands of users and the web filtering service has no latency as it is DNS based. That also means it is not necessary to become an Internet Service Provider to offer a web filtering service.
MSPs love the fact that the solution is provided as a white label and is ready to have branding and color schemes applied. WebTitan Cloud for Service Providers also has multiple hosting options, including the option of hosting the solution within an MSP’s own environment.
WebTitan Cloud for Service Providers is an API-driven, multi-tenant solution that’s easy to implement and manage. New customers can be added in minutes, there are no hardware requirements and the solution can be managed remotely without the need for site visits.
Customers benefit from an extensive list of features that help them protect their brand by blocking access to inappropriate content via WiFi networks, protect users by blocking malware and save bandwidth by restricting access to streaming services.
If you are an IT service provider and you have yet to start offering a web filtering and anti-malware service, or you are unhappy with your current solution provider, contact the TitanHQ team today to find out more about how offering or switching to WebTitan can save you time and money and improve your bottom line.
A new study conducted by the Ponemon Institute has shown that General Data Protection Regulation preparations have only been made by a small minority of companies, with almost half of surveyed organizations unsure where to even start.
The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016. Companies have been given until May 25, 2018 to comply with GDPR. When the new regulation comes into force, any company discovered not to be in compliance can face a heavy fine. The maximum fine for non-compliance will be €20 million or 4% of global annual turnover, whichever is higher.
Many companies started their General Data Protection Regulation preparations as soon as the new legislation was approved. According to the Ponemon Institute survey, only 9% of companies have made the necessary changes to comply with GDPR. 59% of surveyed organizations haven’t even started their General Data Protection Regulation preparations and don’t know how to comply.
Interestingly, the threat of fines and the difficulty complying with GDPR has put many companies off doing business in the EU. 34% of surveyed companies have said their General Data Protection Regulation preparations have involved shutting down their European operations. However, that does not mean they will not need to comply. Compliance with GDPR is mandatory for any company doing business in the European Union, even if they do not have a physical base in one of the European member states.
Even the threat of fines has not convinced many companies to start preparing. Only 38% of companies said their senior leadership viewed compliance as a priority.
The changes for many companies to ensure compliance will be considerable. 89% of respondents said GDPR will have a significant impact on their data breach protection practices. However, there is considerable doubt about how effective GDPR will be. Only 41% of companies believe the new regulation will improve privacy protection practices while 70% said they don’t believe the new regulation will benefit victims of a data breach.
If you have yet to start preparing and updating your policies and procedures you don’t have long. The compliance date may be months away, but for many companies, preparations will take some time. If you are keen to avoid a fine for non-compliance, now is the time to start your GDPR compliance preparations.
If you are unaware of what GDPR means for your business or whether you need to comply with the regulation, you can find out more on this link.
The sharp rise in the use of smartphones by children and the increase in Internet access points has prompted Friendly WiFi to launch a new campaign to promote the adoption of Internet filtering controls for public WiFi hotspots.
Businesses in the UK are being encouraged to implement web filtering controls to ensure children can connect to their WiFi networks without being exposed to potentially harmful material.
Friendly WiFi is a government initiated scheme launched in 2014 to promote Internet filtering controls for public WiFi hotspots. Businesses that filter the Internet and block inappropriate content from being accessed via their WiFi networks can display the digital Friendly WiFi banner. This banner lets parents know their children can connect to the Internet safely.
Friendly WiFi is the only scheme of its kind in the world. The main aim of the initiative is to make the UK the safest place in the world for children to venture online. When the scheme was launched in 2014 there were 5.6 million WiFi hotspots in the UK; however, that number is estimated to triple by the end of next year.
A recent study has shown that nearly half the population of the UK uses public WiFi hotspots and research suggests more than 40% of children aged between 5 and 15 now have a smartphone and connect to the Internet. The growth in hotspots and smartphone usage among children makes it more important than ever for public WiFi hotspots to have harmful content filtered out.
Figures supplied by Friendly WiFi suggest the number of WiFi access points around the globe is likely to increase to 432.5 million by 2020, which represents a 700% increase from 2015. Even though many of these WiFi networks can be accessed by minors, fewer than half of those hotspots have internet filtering controls in place.
In the UK the use of Internet filtering controls for public WiFi hotspots is growing. Major high street names such as Starbucks and Tesco have already adopted Internet filtering controls, as have McDonalds and IKEA and many small businesses. The aim of the latest Friendly WiFi campaign is to accelerate adoption of Internet filtering controls.
To be able to display the Digital Friendly WiFi symbol, businesses must implement Internet filtering controls for public WiFi hotspots to block all websites and web pages that display pornographic content. Businesses must also block all webpages containing child pornography using the blacklist maintained by the Internet Watch Foundation. Organizations must also prevent advertisements or links to such content from being displayed.
Bev Smith, director of Friendly WiFi said “Now is the right time for all businesses which provide public WiFi to prove they take the same care for their customer’s online safety as they do for their physical wellbeing.”
The Anti-Phishing Working Group (APWG) has recently released a new report showing the changing trends in phishing in 2016. The report provides interesting insights into how cybercriminal activity is changing and the attack methods most commonly used by cybercriminals to fool end users into installing malware or revealing their login credentials.
The report uses data from more than 250,000 phishing attacks that were detected between 2015 and 2016; clearly showing some of the new trends in phishing and how phishers have been conducting their attacks. The report is focused on phishing rather than spear phishing, with the latter involving highly varied targeted attacks on specific individuals in an organization.
Phishing emails often contain malicious email attachments with scripts and macros used to silently download malware onto end users’ computers. However, the report shows there was a major increase in phishing domains in 2016 with criminals registering more domains than ever before. Phishing attacks also reached record levels last year. Phishing is now the number one cyber threat faced by organizations.
APWG says that almost half of new top-level domains that were available for open registration in 2016 were used for phishing. APWG suggests the increase in malicious domain registrations demonstrates that domain registrars are struggling to detect and take down malicious domains.
While it was previously thought that phishers registered domains for immediate use in phishing attacks, the study suggests domains are most commonly held for up to three weeks before they are used.
Phishing attacks were fairly evenly split between domains registered by phishers and compromised websites. One in 20 attacks used a subdomain for phishing, with the number of attacks using subdomains continuing to fall. See here for phishing examples.
Brand spoofing is becoming increasingly common, with major brands now experiencing thousands of phishing attacks a year. However, the number of targeted brands in 2016 fell to 679 from 783 the previous year. The most targeted brands – which experienced three quarters of attacks – were Apple, PayPal, Yahoo and Taobao.com. Each experienced more than 30,000 attacks in 2016.
2016 saw a 10% increase in unique phishing attacks, rising from 230,280 in 2015 to 255,065 attacks in 2016. Those attacks were spread across 195,475 unique domain names – the most domains ever detected and almost three times the number used in 2015. While a variety of TLDs are used for phishing websites, 75% involved just four TLDs – .com; .cc, .pw and .tk. APWG says 90% of phishing domains are spread across just 16 TLDs.
Attacks in 2016 were spread across a wide range of industries although 92% of attacks affected four industries: eCommerce & software/SaaS (30%), banking and finance (25%), social networking/email (19%) and money transfer firms (18%).
The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 as it is also known. Those losses came from 298,728 complaints filed with IC3 in 2016.
The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.
BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.
The FBI singled out four key criminal activities in its 2016 Internet Crime Report that became major issues during the year: BEC, ransomware, tech support fraud and extortion.
BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.
Both scams involve the impersonation of company executives with fraudulent wire transfer requests sent to accounts department employees. Since it is the CEO that is often impersonated the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.
BEC scams have also been rife in 2017, with the start of the year seeing an increase in BEC scams with the aim of obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.
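The BEC and EAC scams described above rely on a few header-level tricks: a trusted executive’s display name on mail that did not come from the company, a Reply-To that quietly routes answers elsewhere, and a sender domain one character away from the real one. The Python below is an added example for this page, not the FBI’s or any vendor’s detection logic; it applies those three checks to parsed message headers. The company domain, the protected names and both sample messages are constructed placeholders, and a production filter would combine these signals with SPF, DKIM and DMARC results rather than relying on display names alone.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the organisation's own mail domain and the
# display names of executives who are typically impersonated in CEO fraud.
COMPANY_DOMAIN = "acme-corp.example"
PROTECTED_NAMES = {"jane doe", "john roe"}


def _domain(address):
    """Lowercase domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message, company_domain=COMPANY_DOMAIN,
                   protected_names=PROTECTED_NAMES):
    """Return a list of header-level reasons to treat a message as possible
    executive impersonation. An empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_addr)
    findings = []

    # 1. A protected display name on a message that did not come from our domain.
    if from_name.strip().lower() in protected_names and from_domain != company_domain:
        findings.append("protected display name %r sent from external domain %r"
                        % (from_name, from_domain))

    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain %r differs from From domain %r"
                        % (reply_domain, from_domain))

    # 3. Sender domain within two edits of ours (e.g. a digit swapped for a letter).
    if from_domain and from_domain != company_domain \
            and _edit_distance(from_domain, company_domain) <= 2:
        findings.append("sender domain %r is a lookalike of %r"
                        % (from_domain, company_domain))
    return findings


# Constructed messages for the example; all addresses are placeholders.
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@acme-c0rp.example>
Reply-To: Jane Doe <jd.office@webmail.example>
To: accounts@acme-corp.example
Subject: Urgent vendor payment

Please call me before you leave today regarding the vendor payment.
"""

LEGITIMATE_MESSAGE = """\
From: Jane Doe <jane.doe@acme-corp.example>
To: accounts@acme-corp.example
Subject: Board minutes

Minutes from Tuesday are on the shared drive.
"""

if __name__ == "__main__":
    for reason in bec_indicators(SUSPICIOUS_MESSAGE):
        print("-", reason)
```

A message that trips any of these checks is a candidate for quarantine or a visible external-sender banner, which gives the accounts employee the pause the scam depends on them not taking. The edit-distance threshold of two is a tuning choice; short company domains will need a tighter one to avoid flagging unrelated senders.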
Ransomware has become a major threat for businesses with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents. Similarly, many businesses choose not to report ransomware attacks.
Another major threat comes from tech support scams where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved for which payment is required. These scams can involve screen-locking malware, cold calls or pop up messages. Typosquatting is also commonly used. Criminals register URLs similar to major online brands to take advantage of careless typists.
Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.
While the Internet Crime Report provides an indication of how rampant cybercrime has become, the reports hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime are actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.
A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.
The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.
The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.
Another WannaCry Style Global Ransomware Attack
The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.
This wave of attacks appears to be similar. The attacks started happening this morning, with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emsisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.
Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.
Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:
Russia – Oil company Rosneft and metal maker Evraz
Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Chernobyl nuclear power plant has also been attacked, as have many other energy companies in the country.
Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.
France – Construction firm Saint Gobain
International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondelez and U.S. pharmaceutical firm Merck.
Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.
2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breaches figures are far worse. Year over year, data breaches have increased by 29.1%.
Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, if breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record-breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.
55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017.
Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.
The government/military sector (43 breaches) is in fourth place, its 200,000+ exposed records accounting for 1.8% of the total. Fifth place is taken by financial services with 41 breaches, whose more than 526,000 exposed records account for 5.4% of the year-to-date figures.
The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.
In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.
Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.
The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.
While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions implemented to reduce the risk from phishing and other malicious email-borne attacks, while web-based attacks can be limited with a web filtering solution.
2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.
The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrum exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.
Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.
However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.
In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.
The gang behind the Astrum exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.
Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware, and the Astrum exploit kit is also attempting to fill the void. Trend Micro reports that the Astrum exploit kit has been updated on numerous occasions in 2017 and is very much active.
The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.
An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.
However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.
With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.
The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.
In 2016, corporate and internal networks were the most commonly breached systems although there was a marked increase in POS system breaches, which are now the second most targeted systems accounting for 31% of all reported breaches. Last year, POS data breaches only accounted for 22% of the total. POS data breaches were most common in the United States. In 2015, E-commerce platforms were heavily targeted accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.
Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.
The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.
Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.
The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.
Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.
Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.
The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.
A recent Ponemon Institute study suggests data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.
For the first time in the past seven years, the cost of a data breach has fallen, with a 10% reduction in per capita data breach costs across all industry sectors. The global study revealed the average cost of a data breach is now $141 per exposed or stolen record. The global average cost of a data breach is down to $3.62 million from $4 million last year.
The IBM Security sponsored study was conducted by the Ponemon Institute, which has been tracking the costs of data breaches for the past seven years. In every other year data breach costs have risen year over year.
The Ponemon Institute say the reduction can partly be explained by a strong dollar. In the United States, the cost of a data breach has risen from $221 to $225 per record with the total breach cost increasing to $7.35 million from $7.02 million last year.
For the study, the Ponemon Institute assessed the breach resolution costs after organizations experienced a breach and had notified affected individuals. Large data breaches – those in which more than 100,000 records were exposed or stolen – were not included in the study as they were deemed atypical. Instead, only breaches of between 5,000 and 100,000 records were included. The average size of the breaches was 28,512 records. A breach was defined as the loss or theft of a record that included an individual’s name along with either their Social Security number, financial information or medical record.
For the seventh consecutive year, the healthcare industry had the highest data breach costs. The per capita cost of a healthcare data breach was $380. The financial services, another highly regulated industry, had the second highest breach costs ($336 per record). Services sector data breaches cost $274 per record, life sciences breaches were $264 per record and the Industrial sector had a per capita breach cost of $259.
The lowest breach costs were retail ($177), hospitality ($144), entertainment ($131), research ($123) and the public sector ($110). The biggest cause of data breaches was malicious and criminal attacks, which also carried the highest resolution costs. System glitches and human error each accounted for 24% of data breaches.
An analysis of breach costs revealed there are a number of ways to reduce the cost of a data breach. Having a breach response plan in place saw companies reduce breach costs by $19 per record, while the use of encryption reduced breach costs by an average of $17 per record. Employee education helped reduce breach costs by an average of $12.50 per record.
A fast response to a data breach can also dramatically reduce the total breach cost. Organizations that were able to contain a breach within 30 days saw breach costs reduced by $1 million. On average, it takes companies more than six months to discover a breach and containing the breach takes an average of 66 days.
Following the massive WannaCry ransomware attacks there has been heightened interest in cybersecurity products. Marketers have capitalized on the fear of an imminent attack to increase downloads of fake antivirus apps.
The apps are sold to worried users promising to protect them from WannaCry and other ransomware threats. In some cases, a free scan is offered that reveals the user’s device is already infected with any number of malicious programs. Installing the app will allow users to rid their device of the malicious software.
In many cases, the fake antivirus apps misreport infections to scare users into buying and installing an unnecessary app. Some of those apps will offer no protection whatsoever, but others are more sinister. Many of the new fake antivirus apps that are sneaking their way into the Google Play store are far from benign. PUPs, Trojans and adware are packaged with the apps. Users download the fake antivirus apps to protect themselves against malware, when the reality is downloading the app results in infection.
A study of antivirus apps has recently been conducted by RiskIQ. The firm discovered almost 6,300 antivirus apps that were either an antivirus solution, reviews of antivirus software or were otherwise associated with an antivirus program. More than 700 of those apps triggered blacklist detections on VirusTotal, with many of the apps coming packaged with malware.
131 of the 655 antivirus apps on the Google Play Store triggered blacklist detections. Many of the apps are no longer active, although 55 out of 508 active AV apps on the Google Play Store were blacklisted. In total, 20% of blacklisted antivirus apps were in the Google Play store with 10.8% still active.
RiskIQ reports that some of the blacklisted apps are false positives and not all of those apps are bundled with malware. However, many of the apps were rated as malicious by multiple AV vendors and were not all they claimed to be.
While it is important to have antivirus software on mobile devices, users should exercise caution when downloading any app. Just because an app claims to protect you and your device, it does not mean that it will do as it says. Downloading the app could even result in infection.
Users can reduce the risk of downloading a fake antivirus app by only using official app stores such as Google Play, but additional checks should be performed. An app should not be installed if the developer is using a free email address such as Gmail or Outlook. RiskIQ recommends checking the descriptions of the apps, specifically looking for spelling mistakes or grammatical errors. The app should ideally be checked against VirusTotal to see if it raises any red flags and users should carefully check the permissions requested.
Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victim’s computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected by the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.
A new report from RSA Security has revealed 40,000 subdomains linked to the Rig exploit kit have been taken down, which is just as well considering how many enterprises are failing to update Adobe Flash promptly and are still using vulnerable Flash versions.
Exploit kits such as Rig are used to probe for vulnerabilities in browsers and plugins, with several exploits loaded to the kit. When the EK finds an exploitable vulnerability, malware is silently downloaded. The Rig EK has previously been used to distribute a variety of malicious payloads including banking Trojans and Cerber ransomware.
While the news of the shutdown of tens of thousands of subdomains used by the Rig exploit kit is good news, this week has also seen some worrying news emerge.
A recent study conducted by Duo Security has revealed the reason why exploit kits are such an effective means of malware delivery. Enterprises are failing to update software and are still using vulnerable Flash versions and other out-of-date plugins, even though those plugins and software versions contain several critical vulnerabilities that are being actively exploited.
53% of Enterprise End Points Have Vulnerable Flash Versions Installed
The study involved an analysis of key indicators of device health on 4.5 million Windows computers, Macs, Android smartphones and Apple mobiles. In the security firm’s Trusted Access Report, it was revealed that 53% of enterprise end points were running outdated versions of Adobe Flash. Last year when a similar study was run, there were 10% fewer devices running outdated Flash versions.
Far from revealing enterprise computers to be one version out of date, 21% of devices were discovered to be running Flash version 220.127.116.11, released in January 2017. That version has 13 critical code execution vulnerabilities that were addressed in February, all of which had the most severe rating for Windows, MacOS and Chrome.
Keeping up to date with the latest software releases can be difficult. New versions of software and plugins are frequently released to correct known flaws and many IT security professionals suffer from update fatigue. Updates are often delayed as a result, but that leaves the door open to cybercriminals.
Update Software and Block Malicious Domains
To protect against exploit kits and malicious downloads, organizations should ensure software versions are kept 100% up to date, especially browsers and browser plugins. It is a tiresome, never ending process, but failure to update promptly leaves organizations vulnerable to attack.
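The Duo figures above come from comparing the version each endpoint reports against the latest patched release. The following is an added example of that check, not code from the page or from Duo Security: it parses dotted version strings numerically (a plain string comparison would rank "9.0.0.1" above "24.0.0.1"), zero-pads truncated strings, and reports which endpoints in a constructed inventory fall below a per-plugin baseline. The version numbers and host names are constructed for illustration and are not a statement about real Flash release numbers.

```python
"""Patch-compliance audit over a constructed endpoint inventory (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert a dotted version string such as "24.0.0.194" into a tuple of ints.

    Tuples compare element by element, so "24.0.0.221" > "24.0.0.194" and
    "9.0.0.1" < "24.0.0.1" (a plain string comparison would get the latter wrong).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when the installed version is strictly older than the minimum patched one.

    Shorter versions are zero-padded, so "24.0" is treated as "24.0.0.0".
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass(frozen=True)
class Endpoint:
    host: str
    plugin: str
    version: str


# Minimum acceptable version per plugin. Constructed for this example; not a
# claim about real Flash release numbers.
MINIMUMS: Dict[str, str] = {"flash": "24.0.0.221"}

# Constructed inventory, as an asset database or endpoint agent might report it.
SAMPLE_INVENTORY: List[Endpoint] = [
    Endpoint("ws01", "flash", "24.0.0.194"),   # one release behind
    Endpoint("ws02", "flash", "24.0.0.221"),   # exactly at the minimum
    Endpoint("ws03", "flash", "24.0"),         # truncated string, still older
    Endpoint("ws04", "flash", "25.0.0.127"),   # newer than the minimum
    Endpoint("ws05", "java", "8.0.131"),       # no baseline configured: skipped
]


def audit(inventory: List[Endpoint],
          minimums: Dict[str, str]) -> Tuple[List[Endpoint], Dict[str, float]]:
    """Return the endpoints below baseline and the percentage outdated per plugin."""
    outdated: List[Endpoint] = []
    counts: Dict[str, Tuple[int, int]] = {}  # plugin -> (checked, outdated)
    for ep in inventory:
        minimum = minimums.get(ep.plugin)
        if minimum is None:
            continue  # nothing to compare against; a real tool would report this too
        stale = is_outdated(ep.version, minimum)
        checked, bad = counts.get(ep.plugin, (0, 0))
        counts[ep.plugin] = (checked + 1, bad + int(stale))
        if stale:
            outdated.append(ep)
    percent = {p: round(100.0 * bad / checked, 1) for p, (checked, bad) in counts.items()}
    return outdated, percent


if __name__ == "__main__":
    stale, pct = audit(SAMPLE_INVENTORY, MINIMUMS)
    for ep in stale:
        print(f"{ep.host}: {ep.plugin} {ep.version} is below {MINIMUMS[ep.plugin]}")
    print(pct)
```

Run against the constructed inventory, the audit lists ws01 and ws03 and reports 50% of the Flash installs as outdated; the same loop, fed by a real inventory export and a baseline maintained from the vendor's security bulletins, gives the per-plugin figure that a patching policy should be measured against.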
To ease the pressure on IT departments, an additional control can be implemented to block access to malicious websites containing exploit kits.
WebTitan is a web filtering solution that prevents downloads of malicious files by blocking access to malicious websites. Links to malicious sites are often sent in spam email, the clicking of which directs users to webpages hosting exploit kits. WebTitan blocks these links, preventing the sites from being accessed. WebTitan can also be configured to prevent malicious file downloads and malvertising redirects, further protecting organizations from attack.
For full details on the capabilities of WebTitan, advice on web filtering and to register for a free 30-day trial of WebTitan, contact the TitanHQ team today.
Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.
The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.
HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.
A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.
Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.
The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.
Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with an SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.
HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.
The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.
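One check that does not depend on the protocol is whether a brand name in the hostname actually sits on a domain the brand owns, which is the pattern behind the PayPal figure above. The following is an added example of that triage logic, not code from the page or from WebTitan. It assumes a constructed brand allow-list and a deliberately simplified stand-in for the Public Suffix List; a production filter would use the real list. The scheme is recorded but given no weight, since a valid certificate on a phishing host proves only that the connection is encrypted.

```python
"""Brand-impersonation triage for URLs, HTTPS or not (added example)."""
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Brand keywords and the registrable domains that legitimately carry them.
# Constructed for this example; a production filter maintains its own list.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "facebook": {"facebook.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Simplified stand-in for the Public Suffix List (assumption): suffixes that
# consume two labels, so "shop.amazon.co.uk" registers as "amazon.co.uk".
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that had to be registered by its owner."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> Dict[str, object]:
    """Classify a URL by whether any brand keyword sits on that brand's own domain.

    Verdicts: "no-brand" (nothing to check), "brand-match" (keyword on the
    brand's registrable domain) or "brand-mismatch" (keyword elsewhere, which
    is the phishing pattern, whatever the scheme says).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lower-cases the hostname
    reg = registrable_domain(host) if host else ""
    hits = [brand for brand in BRAND_DOMAINS if brand in host]
    if not hits:
        verdict = "no-brand"
    elif all(reg in BRAND_DOMAINS[b] for b in hits):
        verdict = "brand-match"
    else:
        verdict = "brand-mismatch"
    return {"url": url, "scheme": parts.scheme, "host": host,
            "registrable": reg, "brands": hits, "verdict": verdict}


# Constructed sample of URLs as they might appear in a proxy log.
SAMPLE_URLS: List[str] = [
    "https://www.paypal.com/signin",
    "https://paypal.com.secure-login.example/verify",
    "https://secure-paypal-update.net/",
    "https://login-amazon.co.uk/",
    "http://intranet.example/wiki",
]


def mismatches(urls: List[str]) -> List[str]:
    """Return only the URLs that place a brand keyword on a foreign domain."""
    return [u for u in urls if assess_url(u)["verdict"] == "brand-mismatch"]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = assess_url(u)
        print(f"{r['verdict']:14} {r['scheme']:5} {r['host']} "
              f"(registrable: {r['registrable']})")
```

On the constructed sample, the three HTTPS hosts that merely contain "paypal" or "amazon" are flagged while the genuine paypal.com login is not; the plain-HTTP intranet URL is simply "no-brand". The point the example makes is that the registrable domain, not the padlock, is what identifies the site's owner.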
Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.
WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.
TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.
The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.
WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.
As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.
Purple explained those requirements to TitanHQ, which was able to respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
TitanHQ was able to respond rapidly and roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ as its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”
The use of library Internet filters to protect minors from harmful web content is a hot topic that is causing much debate in the United States. Libraries promote free research and learning. Having Internet filters in libraries naturally places restrictions on the types of content that can be accessed, potentially hampering both.
Many parents argue that library Internet filters are required to protect their children from accessing harmful web content or accidentally seeing obscene content on other patrons’ screens.
Pornography is one of the biggest worries. Many individuals visit libraries to use the computers to access hardcore adult material, even though it is a public place with children present. Parents argue that such actions must be prevented. There can be free research, but within limits.
It is not only parents that are concerned about the lack of library Internet filters. In many states, legislation is being considered to make it mandatory for library Internet filters to be put in place to restrict access to pornography.
Many libraries are resisting calls to restrict Internet access with web filters. The Library Board in Watertown, South Dakota is a good example. Because the library is a center for free research, the board opposed the use of web filters, arguing that filtering could have an adverse effect on research and would result in the blocking of legitimate website content.
However, the library board has been under pressure to start filtering the Internet: citizens have petitioned the board to restrict access to inappropriate content, and city officials and law enforcement have also appealed to it to start filtering.
The library board has now accepted that a web filter should be used to control the content that can be accessed through its computers. A web filtering solution will be applied to block patrons from accessing obscene and illegal material. It is expected to be applied in the next few weeks and will be used to restrict access to certain web content via the library’s wired and WiFi networks.
The Library Board was not opposed to the blocking of pornography, but to the other content that might accidentally be blocked along with it. Before the decision to use library Internet filters was made, the Watertown police department assured the library board that filtering solutions are now far more sophisticated than they once were and allow libraries to control very precisely the content that can be accessed.
The need to do something was made clear following a report that particularly concerning material had been downloaded by one patron through the library’s WiFi network. The library board is also keen to prevent its Internet connections from being used for illegal purposes, such as copyright infringing file downloads.
Additional controls will be applied to make this more difficult, such as limiting download speeds and applying timers on Internet access, with stricter controls on the WiFi network since it is not possible to verify the age of the individual accessing the Internet.
In order to prevent the overblocking of website content, controls will be applied carefully and a system will be set up to allow patrons to request the unblocking of website content that has been accidentally blocked by the filtering solution.
Watertown Library board is just the latest in an increasing number of libraries that have discovered it is possible to protect patrons’ First Amendment rights while also ensuring minors are protected from harmful website content. With highly granular library Internet filters such as WebTitan, it is possible to do both.
The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network worm uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to remain the case for very long.
The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved attempting to contact a nonsense domain that had not been registered. If no connection could be made, the ransomware element would proceed and start encrypting files. Once the researcher registered the domain, newly infected machines could reach it and the encryption routine did not run. Had the domain not been registered, the attacks would have been far more extensive, affecting more than the 300,000 computers believed to have been hit by the Friday 12 May attacks.
New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.
The WannaCry ransomware attacks used just two of the leaked NSA tools – the EternalBlue exploit and the DoublePulsar backdoor. EternalRocks uses seven (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).
Alongside the exploits for SMBv1 and SMBv2, the threat includes an SMBv3 exploit and the DoublePulsar backdoor, the latter used to spread the infection to other vulnerable computers on a network. Two SMB reconnaissance tools, ArchiTouch and SMBTouch, are used to scan for open SMB ports on the public Internet.
EternalRocks is also built to stay hidden on the infected machine after deployment. With WannaCry, users were alerted that their computers had been compromised as soon as the ransomware encrypted their files and dropped a ransom note on the desktop.
Once on a computer, the EternalRocks worm downloads the Tor client and contacts the attackers’ command and control server over Tor; it then waits 24 hours before fetching the second stage, which carries the exploit pack and starts scanning for and infecting other vulnerable devices.
The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.
At present, the EternalRocks worm carries no malicious payload. It installs neither malware nor ransomware, but that does not mean it poses no risk. A worm can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.
For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.
Preventing infection with the EternalRocks worm, and with similar threats yet to be released or discovered, comes down to patching operating systems and software promptly. For this family of threats that means applying the MS17-010 update, disabling SMBv1 where it is not needed and blocking TCP port 445 at the network perimeter. Older operating systems should also be upgraded as soon as possible: as Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices, while no Windows 10 devices were reportedly attacked.
A new Uiwix ransomware variant has been detected using EternalBlue to gain access to vulnerable systems. Businesses that have not yet patched their systems are vulnerable to this new attack.
In contrast to the WannaCry variant used in Friday’s massive ransomware campaign, Uiwix ransomware is a fileless form of ransomware that runs entirely in memory. Fileless ransomware is harder to detect because nothing is written to disk, which defeats many antivirus systems. Uiwix is also stealthy and exits immediately if it detects that it is running in a sandbox or virtual machine.
Trend Micro reports that the new Uiwix ransomware variant also “appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”
As with WannaCry, Uiwix is not spread via email. Instead the attackers search for vulnerable systems and exploit SMB vulnerabilities over TCP port 445. Encrypted files are given the Uiwix extension, and the ransom demanded for the keys to decrypt them is $200.
The threat does not appear to be as severe as WannaCry, as the attackers are manually targeting vulnerable systems. Crucially, the ransomware lacks the wormlike properties of WannaCry. If one machine is infected, the ransomware will not then spread to other networked devices.
Since the WannaCry attacks, many businesses have now implemented the MS17-010 patch and have blocked EternalBlue attacks. Microsoft has also released a patch for Windows XP, Windows Server 2003, and Windows 8, allowing users of older, unsupported Windows versions to secure their systems and prevent attacks.
However, the search engine Shodan shows there are still approximately 400,000 computers that have not yet been patched and are still vulnerable to cyberattacks using the EternalBlue exploit.
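A way to find out whether hosts in your own address space still answer an SMBv1 negotiation on TCP port 445, the door that EternalBlue and the Uiwix attackers walk through. This is an added example written for this page, not code from Trend Micro, Shodan or Microsoft; it follows the SMB1 negotiate message layout, offers the classic dialect list and reports which dialect, if any, the server picks. The response builder exists only so the parser can be exercised offline; run the live probe only against systems you are authorised to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def _smb_header(flags):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    security signature, reserved, TID, PID, UID, MID (zero for a bare negotiate)."""
    return (SMB1_MAGIC
            + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, flags, 0xC853)
            + struct.pack("<H8sHHHHH", 0, b"\0" * 8, 0, 0, 0, 0, 0))


def _netbios_frame(smb):
    """NetBIOS session message: type byte 0x00 followed by a 3-byte big-endian length."""
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def build_negotiate_request(dialects=DIALECTS):
    """Client side: SMB_COM_NEGOTIATE offering each dialect as 0x02 + NUL-terminated string."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data          # WordCount = 0, ByteCount
    return _netbios_frame(_smb_header(0x18) + body)


def build_negotiate_response(dialect_index):
    """Server side, for offline testing only: WordCount 17 and the chosen DialectIndex.
    The remaining parameter words are zeroed because the parser does not read them."""
    body = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32
    return _netbios_frame(_smb_header(0x98) + body)


def parse_negotiate_response(packet, dialects=DIALECTS):
    """Return the dialect string the server selected, or None if SMBv1 was not negotiated."""
    if len(packet) < 4 + 32 + 3 or packet[0] != 0x00:
        return None
    smb = packet[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if struct.unpack_from("<I", smb, 5)[0] != 0:         # NT status must be success
        return None
    if smb[32] == 0:                                      # WordCount 0: no parameter words
        return None
    index = struct.unpack_from("<H", smb, 33)[0]
    if index == NO_DIALECT or index >= len(dialects):
        return None
    return dialects[index].decode()


def probe_smb1(host, port=445, timeout=3.0):
    """Live check: returns the accepted dialect or None. Connection errors propagate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        return parse_negotiate_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(target, "->", probe_smb1(target) or "SMBv1 not negotiated")
        except OSError as exc:
            print(target, "-> unreachable:", exc)
```

A host that answers with a dialect index (on Windows normally NT LM 0.12) still speaks SMBv1 and needs MS17-010 applied and SMBv1 disabled; a host that refuses every dialect, closes the connection or is unreachable on 445 from the scanning vantage point is not exposed to this attack path from there. Hosts with SMBv1 disabled may reply with a non-success status or simply drop the session, both of which the parser reports as None.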
Another threat that uses the EternalBlue and DoublePulsar exploits is Adylkuzz; however, this malware does not encrypt data on infected systems. It is a cryptocurrency miner that uses the resources of the infected computer to mine the Monero cryptocurrency. Infection is likely to see systems slowed, rather than files encrypted and data stolen.
Other malware and ransomware variants are likely to be released that take advantage of the exploits released by Shadow Brokers. The advice to all businesses is to ensure that software is patched promptly and any outdated operating systems are upgraded. Microsoft has issued a patch for the older unsupported systems in response to the WannaCry attacks, but patches for Windows Server 2003, Windows XP and Windows 8 are unlikely to become a regular response to new threats.
An Edmodo data breach has been reported that has impacted tens of millions of users of the education platform, including teachers, students and parents.
Edmodo is a platform used for K-12 school lesson planning, homework assignments and to access grades and school reports. There are currently more than 78 million registered users of the platform. The hacker responsible for the Edmodo data breach claims to have stolen the credentials of 77 million users.
The claim has been partially verified by Motherboard, which was provided with a sample of 2 million records that were used for verification purposes. While the full 77 million-record data set has not been checked, it would appear the claim is genuine.
The hacker, nclay, has listed the data for sale on the darknet marketplace Hansa and has asked to be paid $1,000 for the entire list. The data includes usernames, hashed passwords and email addresses. Email addresses for around 40 million users are believed to have been obtained by the hacker.
The passwords were hashed with bcrypt using per-user salts. A bcrypt hash cannot be decrypted; an attacker has to guess each password and run every guess through the deliberately slow hash function, separately for each user, so recovering weak passwords takes time and recovering strong ones is impractical. Edmodo users have therefore been given a little time to reset their passwords and secure their accounts.
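To make concrete why salted, slow hashing buys that time, here is an added example that is not Edmodo’s code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the mechanism being shown is the same: every record carries its own random salt, so two users with the same password get different hashes, no precomputed table helps, and an attacker has to run every guess through the slow function once per user. The iteration count is kept low so the demo runs quickly, and the leaked records and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Deliberately low so the demo runs in milliseconds; real deployments use far more.
ITERATIONS = 20_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(records, wordlist):
    """Offline guessing against a leaked table of (username, stored_hash) pairs.

    Because each record has its own salt, a guess hashed for one user tells the
    attacker nothing about another, so the work is (users x guesses) slow hashes.
    Returns the passwords recovered and the number of hash computations spent.
    """
    found, work = {}, 0
    for user, stored in records:
        for guess in wordlist:
            work += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, work


# Constructed leak: one weak password, one strong one.
LEAKED_RECORDS = [
    ("alice", hash_password("password1")),
    ("bob", hash_password("X9!zq-long-phrase-7")),
]
COMMON_PASSWORDS = ["123456", "password1", "letmein"]

if __name__ == "__main__":
    print(hash_password("correct horse") != hash_password("correct horse"))  # salts differ
    print(dictionary_attack(LEAKED_RECORDS, COMMON_PASSWORDS))
```

Scaled to a 77 million-record table, the attacker’s cost is the per-hash time multiplied by the number of users and the number of guesses per user, which is exactly the budget that a prompt password reset takes away from them.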
The Edmodo data breach is now being investigated and third party cybersecurity experts have been contracted to conduct a full analysis to determine how access to its system was gained. All users of the platform have been emailed and advised to reset their passwords.
Even if access to the accounts cannot be gained, 40 million email addresses would be valuable to spammers. Users of the platform are likely to face an elevated risk of phishing and other spam emails, should nclay find a buyer for the stolen data.
This is not the only large-scale data breach to affect the education sector this year. Schoolzilla, a data warehousing service for K-12 schools, also experienced a major cyberattack this year. The data breach was discovered last month and is believed to have resulted in the theft of 1.3 million students’ data. In the case of Schoolzilla, the hacker took advantage of a backup file configuration error.
The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe. The massive ransomware campaign saw 61 NHS Trusts in the UK affected.
As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.
The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.
The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.
This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.
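The decision the ransomware makes, and the check a defender would run against resolver logs afterwards, as an added example that is not code from the page, from the malware or from the researcher. The domain name is a placeholder (the article does not name it), the resolver is injectable so both the unregistered and the registered case can be shown without network access, and the log lines are constructed:

```python
import socket

# Placeholder: the article does not name the hard-coded domain, so this is an assumption.
KILL_SWITCH_DOMAIN = "kill-switch.example"


def nxdomain(domain):
    """Model an unregistered domain: a real resolver raises for a name that does not exist."""
    raise OSError(f"{domain}: NXDOMAIN")


def malware_would_encrypt(domain=KILL_SWITCH_DOMAIN, resolve=socket.gethostbyname):
    """Reproduce the kill-switch logic: proceed only when the domain cannot be reached.

    Before registration every lookup fails, so infected hosts encrypt. After the
    researcher registered it, lookups succeed and the routine bails out. A sandbox
    that answers every DNS query (a simulated Internet) trips the same check, which
    is why it reads like an anti-analysis trick rather than a deliberate off switch.
    """
    try:
        resolve(domain)
    except OSError:
        return True
    return False


def hosts_that_hit_kill_switch(log_lines, domain=KILL_SWITCH_DOMAIN):
    """Triage resolver logs of the form '<timestamp> <client-ip> <qname>'.

    A client that looked up the kill-switch domain was reached by the worm; the
    sinkhole stopped encryption, but the host is unpatched and must be remediated.
    Returns {client_ip: first_sighting}.
    """
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        if qname.rstrip(".").lower() == domain:
            hits.setdefault(client, ts)
    return hits


# Constructed sample resolver log, not real data.
SAMPLE_DNS_LOG = [
    "2017-05-12T10:01:07Z 10.20.30.41 www.example.org.",
    "2017-05-12T10:03:11Z 10.20.30.55 kill-switch.example.",
    "2017-05-12T10:03:12Z 10.20.30.55 kill-switch.example.",
    "2017-05-12T10:04:40Z 10.20.30.70 KILL-SWITCH.EXAMPLE",
    "malformed line",
]

if __name__ == "__main__":
    print("unregistered ->", malware_would_encrypt(resolve=nxdomain))
    print("registered   ->", malware_would_encrypt(resolve=lambda d: "203.0.113.9"))
    print("hosts to remediate:", hosts_that_hit_kill_switch(SAMPLE_DNS_LOG))
```

The second function is the part worth keeping: while the registered domain is reachable the payload never fires, so the only sign that a machine was hit is its DNS lookup, and every such machine is still missing the patch.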
For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.
The exploit takes advantage of a vulnerability in Windows Server Message Block (SMBv1) that allows an attacker to execute code on an unpatched machine, which is how the worm installs itself. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit (ETERNALBLUE) had been developed and released online, many companies failed to update Windows, leaving themselves vulnerable to attack.
Of course, any organization using an unsupported version of Windows – Windows XP for example – could not apply the patch at the time. Many NHS Trusts in the UK still use Windows XP even though it is vulnerable to this and other exploits.
The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.
There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.
Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That is a wake-up call not just to apply patches promptly to prevent cyberattacks, but also for governments not to secretly stockpile exploits.
A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.
A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.
A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 chance of infection if they downloaded the app between the above dates.
Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.
Apple has now updated XProtect in macOS to detect and remove the infection, although individuals at risk should still check whether their device has been infected. Infection can be detected by looking for the activity_agent process in Activity Monitor. If that process is running, the device has been infected with the Trojan.
Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.
The Trojan can be removed by opening the Terminal and entering the following commands, then removing all installed copies of the Handbrake app:
- launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
- rm -rf ~/Library/RenderFiles/activity_agent.app
- if [ -f ~/Library/VideoFrameworks/proton.zip ]; then rm -rf ~/Library/VideoFrameworks; fi
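A scripted version of the check described above, so an administrator can run it across several Macs rather than opening Activity Monitor on each. This is an added example, not Handbrake’s or Apple’s code; it looks only for the indicators the advisory lists (the launch agent, the agent app, the proton.zip archive and the activity_agent process). The `exists` parameter and the `ps` text are injectable so the logic can be exercised on a machine that is not infected.

```python
import os
import subprocess

# Indicators from the Handbrake advisory, relative to the user's home directory.
LAUNCH_AGENT = "Library/LaunchAgents/fr.handbrake.activity_agent.plist"
AGENT_APP = "Library/RenderFiles/activity_agent.app"
PROTON_ARCHIVE = "Library/VideoFrameworks/proton.zip"
PROCESS_NAME = "activity_agent"


def find_file_indicators(home, exists=os.path.exists):
    """Return the advisory's on-disk indicators that are present under `home`."""
    return [rel for rel in (LAUNCH_AGENT, AGENT_APP, PROTON_ARCHIVE)
            if exists(os.path.join(home, rel))]


def agent_pids(ps_output):
    """Parse `ps -axo pid=,comm=` output (one '<pid> <command>' per line) and return
    the PIDs whose command name is activity_agent, the process the advisory names."""
    pids = []
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and os.path.basename(parts[1].strip()) == PROCESS_NAME:
            pids.append(int(parts[0]))
    return pids


def assess(home, ps_output):
    """Combine both checks; any single indicator is enough to treat the Mac as infected."""
    files = find_file_indicators(home)
    pids = agent_pids(ps_output)
    return {"infected": bool(files or pids), "files": files, "pids": pids}


if __name__ == "__main__":
    ps = subprocess.run(["ps", "-axo", "pid=,comm="],
                        capture_output=True, text=True, check=False).stdout
    verdict = assess(os.path.expanduser("~"), ps)
    print(verdict)
    if verdict["infected"]:
        print("Unload the launch agent, remove the files listed, then change every "
              "keychain and browser password.")
```

A verdict of infected should trigger the removal steps above and, just as importantly, the password changes described in the next paragraph, since the RAT has had access to the keychain and browser stores for as long as it has been running.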
The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.
Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.
A patch has been rushed out to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.
If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.
The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.
The remotely exploitable bug could allow a system to be completely compromised, giving attackers full control of an affected computer or server, since the engine and its associated processes run as LocalSystem.
The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.
While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.
The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
A sophisticated new malware threat has been discovered that is being used to target a wide range of industry sectors and infect systems with remote access Trojans (RATs).
The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.
The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.
The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.
The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.
While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The attack methods used by the threat actors involve impersonating end users leveraging stolen credentials. Communications with the C2 are encrypted, typically occurring over port 443 with the domains frequently changing IP address. Domains are also spoofed to appear as legitimate traffic, including Windows update sites.
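Two of the traits above can be checked from ordinary proxy or TLS logs: C2 hostnames styled after Windows Update that do not sit under Microsoft’s domains, and hostnames whose resolved address keeps changing. The following is an added example, not NCCIC’s IOC list or code; the log format, the flux threshold and the registered-domain rule (last two labels, with no public suffix list, so a legitimate microsoft.co.uk host would be flagged for review) are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Domains under which genuine Windows Update traffic is expected (assumption for the demo).
TRUSTED_UPDATE_DOMAINS = {"microsoft.com", "windowsupdate.com"}
UPDATE_KEYWORDS = ("windowsupdate", "microsoft")


def registered_domain(host):
    """Naive registrable domain: the last two labels. Adequate for the demo;
    a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_spoofed_update_host(host):
    """True for hostnames that borrow Windows Update wording but are registered elsewhere."""
    h = host.lower()
    return any(k in h for k in UPDATE_KEYWORDS) and registered_domain(h) not in TRUSTED_UPDATE_DOMAINS


def parse_line(line):
    """Constructed log format: '<timestamp> <client-ip> <sni-host> <server-ip> <port>'."""
    ts, client, host, server_ip, port = line.split()
    return ts, client, host.lower().rstrip("."), server_ip, int(port)


def analyse(lines, flux_threshold=3):
    """Flag spoofed update hosts and hosts seen on >= flux_threshold distinct server IPs over 443."""
    ips_by_host = defaultdict(set)
    clients_by_host = defaultdict(set)
    spoofed = set()
    for line in lines:
        ts, client, host, server_ip, port = parse_line(line)
        if port != 443:
            continue                      # the campaign's C2 traffic is described as 443 traffic
        ips_by_host[host].add(server_ip)
        clients_by_host[host].add(client)
        if is_spoofed_update_host(host):
            spoofed.add(host)
    fluxing = {h for h, ips in ips_by_host.items() if len(ips) >= flux_threshold}
    suspects = spoofed | fluxing
    return {
        "spoofed_update_hosts": sorted(spoofed),
        "fast_changing_hosts": sorted(fluxing),
        "clients_to_check": sorted({c for h in suspects for c in clients_by_host[h]}),
    }


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2017-04-27T08:00:01Z 10.1.1.10 download.windowsupdate.com 203.0.113.10 443",
    "2017-04-27T08:00:04Z 10.1.1.10 update.microsoft.com 203.0.113.11 443",
    "2017-04-27T08:05:09Z 10.1.1.23 windowsupdate.microsoft-services.example 198.51.100.5 443",
    "2017-04-27T09:05:10Z 10.1.1.23 windowsupdate.microsoft-services.example 198.51.100.77 443",
    "2017-04-27T10:05:12Z 10.1.1.23 windowsupdate.microsoft-services.example 198.51.100.130 443",
    "2017-04-27T10:07:00Z 10.1.1.31 update.microsoft.com.example 198.51.100.9 443",
    "2017-04-27T10:09:00Z 10.1.1.40 cdn.example.org 203.0.113.50 80",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Neither heuristic is proof of compromise on its own; content delivery networks also rotate addresses, which is why the output lists the hosts and the clients that talked to them for an analyst to check against the published IOCs rather than blocking anything automatically.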
Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.
PLUGX allows the threat actors to perform a range of malicious activities such as establishing connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. REDLEAVES offers the threat actors a typical range of RAT functions including system enumeration.
NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected and further information will be published when it becomes available.
While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, therefore a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems and install malware and operate undetected.
NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.
Other mitigations are detailed in NCCIC’s recent report, which can be downloaded from US-CERT.
Sabotage, subversion and ransomware attacks all increased sharply in 2016, with malware-infected emails now at a five-year high according to the latest installment of Symantec’s Internet Security and Threat Report (ISTR).
For the 22nd volume of the report, the antivirus and antimalware software vendor analyzed data collected from millions of users of its security solutions – the world’s largest civilian threat collection network, consisting of 98 million attack sensors spread across 157 countries around the globe.
The 77-page Internet Security and Threat Report is one of the most highly respected publications issued by any cybersecurity company.
The Internet Security and Threat Report provides a valuable insight into the state of cybersecurity and details how global cybersecurity threats have changed over the course of the past 12 months.
Internet Security and Threat Report Shows Change in Attack Tactics
Data theft and financial fraud may be major motivators behind cyberattacks on businesses, but over the past 12 months there has been a sharp rise in politically motivated cyberattacks. Rather than steal data, the attackers are sabotaging businesses using destructive malware such as hard disk wipers.
The attacks are conducted to cause serious harm to business competitors, although nation state-backed hackers have also been targeting the critical infrastructure in many countries. Attacks on Ukrainian energy providers have been conducted to disrupt the power supply while attacks on companies in Saudi Arabia – using Shamoon malware – attempted to permanently delete corporate data.
Many attacks were conducted last year with a different aim – subversion. That was clearly demonstrated during the recent U.S presidential campaign. Sensitive data from the Democratic party was leaked in an attempt to influence the outcome of the U.S presidential election. The FBI investigation into the hacking of the presidential election is ongoing.
Sabotage is on the rise, but data theft incidents continue. The past year has seen many espionage attacks resulting in the theft of sensitive data and corporate secrets and financial attacks have increased.
The Internet Security and Threat Report shows there has been a major increase in large-scale financial heists in the past year. Attacks on consumers are occurring with increasing regularity, and the banks themselves are now being targeted. Those attacks have resulted in the theft of many millions of dollars.
The Carbanak gang has been highly active in this area and has performed multiple attacks on U.S banks, while the Banswift group performed one of the biggest heists of the year, stealing $81 million from the central bank in Bangladesh.
While exploit kits and other web-based attacks were a major threat in 2015, attackers have returned to email as the primary method of gaining access to networks. In 2015, Symantec blocked an average of 340,000 web-based attacks per day. In 2016, the number had fallen to 229,000 – a significant reduction, although the threat of web-based attacks cannot be ignored.
The Biggest Malware Threat Comes from Email
Phishing is still a major risk for businesses, although the phishing rate has fallen over the past three years, according to the Internet Security and Threat Report. In 2014, one in 965 messages was used for phishing. In 2016, the rate fell to one in 2,596 emails.
However, email spam levels have remained constant year on year. Email spam accounts for 53% of all sent messages.
Phishing email volume may be down, but email-borne malware attacks have increased. The Symantec Internet Security and Threat Report shows the volume of malicious emails now being sent is higher than any point in the past five years.
Now, one in 131 emails contain either a malicious attachment or hyperlink, up from one in 220 emails in 2015 and one in 244 emails in 2014. The number of new malware variants being released has also soared. In 2014, there were 275 million new malware variants discovered. That figure rose to 357 million last year. The number of bots sending malicious email has also increased year on year, from 91.9 million in 2015 to 98.6 million in 2016.
Ransomware Attacks Soared in 2016
Ransomware attacks also increased significantly in 2016, with the United States the most targeted country. Even though the FBI and other law enforcement agencies strongly advise against paying a ransom, 64% of U.S. companies ignore that advice and pay the attackers for keys to decrypt their data.
In 2015, the average ransom demand was for $294 per infected machine. Over the course of the past 12 months, ransom amounts have increased considerably. The Symantec Internet Security and Threat Report shows ransom demands increased by an astonishing 266% in 2016. The average ransom demand is now $1,077 per infected machine.
Symantec tracked 101 separate ransomware families in 2016, a substantial rise from the 30 known ransomware families in 2014 and 2015. Last year, there were 463,841 ransomware detections, up from 340,655 in 2015.
One of the biggest threats comes from the cloud, although many organizations are underestimating the risk. When organizations were asked how many cloud apps are in use in their company, few provided an accurate figure. Many estimated they used around 40 cloud-based apps. Symantec reports that for the average company, the figure is closer to 1,000.
As the Internet Security and Threat Report shows, the cyberthreat landscape is constantly changing as cybercriminals develop new methods of attacking businesses. Only by keeping up to date on the latest threat indicators and bolstering cybersecurity defenses can businesses maintain a robust security posture and prevent attacks.
The GDPR impact on business practices is considerable, as is the cost of GDPR compliance. A recent survey conducted by PwC revealed that 77% of large companies are expecting GDPR compliance to cost in excess of $1 million. Due to the considerable GDPR impact on business practices, many companies are already rethinking whether or not to continue doing business in Europe.
Many large multinational companies are well aware of the GDPR impact on business practices and the amount of work GDPR compliance will involve. That is not the case for SMEs, many of which are only just realizing they must comply with GDPR.
GDPR does not just apply to social media sites and global retailers. All businesses, regardless of their size, will be required to comply with the General Data Protection Regulation if they collect or process the personal information of EU citizens.
The definition of personal information is broad and includes online identifiers such as IP addresses. Even online retailers that allow EU citizens to access their websites are required to comply with GDPR.
All businesses will be required to perform a risk analysis to identify potential vulnerabilities to the confidentiality and integrity of stored data. Many large companies already have a swathe of cybersecurity protections to keep sensitive data secure, but most smaller organizations will discover they must implement more robust cybersecurity protections in order to comply with GDPR.
Companies will need to review their policies on data collection. When GDPR comes into effect, companies will need to have a valid reason for collecting personal information. Any data collected must also be limited to the minimum necessary information to perform the purpose for which data are collected.
Doing business in Europe will require privacy protections to be enhanced, new data security measures to be implemented, data collection practices to be changed, and policies and procedures to be updated. Legal teams must then assess GDPR compliance.
The GDPR impact on business practices is likely to be considerable for many companies. The time taken to perform risk analyses, assess policies and procedures, find and implement security solutions and update privacy policies will be considerable. Leaving GDPR compliance to the last minute is likely to see the deadline missed. That could prove to be very costly or even catastrophic for many businesses. Failure to comply with GDPR regulations can result in a fine of €20 million or 4% of global revenue, whichever is the greater. Non-compliance simply isn’t an option.
Kaspersky Lab has released new figures showing software exploit attacks increased by almost a quarter in 2016. In total, more than 702 million attempted software exploit attacks were performed; a rise of 24.54% year on year. Corporate users were the worst affected, registering 690,000 attacks in 2016; a rise of 28.35% year on year.
According to the report, 69.8% of software exploit attacks took advantage of flaws in web browsers, Microsoft Windows, Microsoft Office or the Android platform. Software exploit attacks involve malware leveraging flaws in software to run malicious code or install other malware. Last year, the most common exploit took advantage of the Stuxnet vulnerability on unpatched systems.
Software exploits are difficult to identify because they occur silently without alerting the user. Unlike email-based attacks, software exploits require no user interaction. A user must only be convinced to visit a website hosting an exploit kit. A hyperlink can be sent via email or users can be redirected to malicious sites using malvertising. Attacks can occur through general web browsing. Hackers often take advantage of flaws to hijack websites and install exploit kits.
While attacks on companies have increased, attacks on private users fell by around 20% to 4.3 million attacks. This has been attributed to two major exploit kits – Neutrino and Angler – being shut down. Without those exploit kits, criminal groups have lost the ability to spread malware at the same scale and have had to resort to different tactics, with spam email the delivery mechanism of choice.
Exploit kits are expensive to develop and require considerable work, and since software developers are reacting faster and patching vulnerabilities, exploit kits are no longer as profitable for cybercriminals. However, exploits are still being used by sophisticated criminal gangs in targeted attacks aimed at stealing highly sensitive data.
This year has seen an increase in exploit activity using the Rig exploit kit, while last month Checkpoint noted a major rise in software exploit attacks.
Exploit kits may not pose as big a threat as in late 2015, but they are still a significant threat for businesses. Organizations can improve their defenses against software exploits by installing patches promptly and ensuring anti-virus and anti-malware solutions are kept up to date. A web filtering solution should also form part of organizations’ defenses. Web filters prevent end users from visiting, or being redirected to, websites known to host exploit kits.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR replaces the 1995 EU Data Protection Directive and addresses web-based technology that was not widely available in 1995, such as use of the cloud.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
- Find out how their data will be used
- Discover how data were obtained if informed consent was not provided
- Access personal data
- Find out how long data will be stored
- Correct errors in stored data
- Move data to a different processor
- Restrict or prohibit the processing of data
- Find out with whom data have been or will be shared
- Have data permanently erased
- Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary to perform the purpose that has been described to consumers.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen and they have suffered harm as a result. Criminal sanctions may also be applied, such as when data are collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.
A recent Chipotle Mexican Grill security breach has potentially resulted in customers’ credit card details being accessed by unauthorized individuals.
A statement released by the fast casual restaurant chain confirms that unauthorized individuals gained access to the network hosting its payment processing system. The initial findings of its investigation suggest access was first gained on March 24, 2017. Customers who visited its restaurants between March 24 and April 18 have potentially been affected. The investigation into the Chipotle Mexican Grill security breach is continuing to determine how many of the chain’s 2,000+ restaurants have been affected.
Few details about the Chipotle Mexican Grill security breach have been released as the investigation is ongoing, although the threat is now believed to have been blocked.
Chipotle Mexican Grill called in external cybersecurity experts to investigate a potential breach after unusual activity was detected on the network hosting its payment processing system. Law enforcement was alerted, as was its payment processor. Additional security protections have already been installed to bolster cybersecurity defenses in response to the suspected attack. Efforts are continuing to confirm the exact dates of the attack and the restaurants that have been affected.
The Chipotle Mexican Grill security breach is one of many incidents reported by restaurant chains this year. Restaurants are being targeted by cybercriminals due to the high number of credit cards that are processed. If attackers can gain access to restaurant payment processing systems, many thousands of credit card numbers can be stolen.
There are many methods used by cybercriminals to gain a foothold in a network and gain access to payment processing systems.
Typically attacks occur as a result of an employee opening an infected email attachment or visiting a hyperlink in an email that allows malware to be downloaded. Phishing emails are also sent, which aim to get employees to reveal their login credentials. Restaurants can improve their resilience against email-borne attacks by implementing an advanced spam filtering solution.
Web-borne attacks are also common. A recent report from Symantec shows web-based attacks have increased in the past year.
If an employee can be convinced to visit a malicious website, or is directed to such a site via a malvertising campaign, malware can be silently downloaded. Exploit kits on malicious websites probe for vulnerabilities in browsers and exploit those vulnerabilities to download malware.
Web-borne attacks can be prevented by ensuring that patches are applied promptly and all vulnerabilities are plugged. However, the number of patches now being released makes it difficult for restaurants to keep up. New zero day vulnerabilities are also constantly being discovered and added to exploit kits.
Many restaurants are improving their defenses against web-based attacks by implementing a web filtering solution. A web filter can be used to carefully control the websites that can be accessed on restaurant computers.
Web filters block all known malicious websites using black lists. As soon as a website is discovered to be hosting an exploit kit, malware, or used for phishing, it is added to blacklists and the site is blocked by the web filter.
A web filter is also an excellent phishing defense. If an employee clicks on a phishing hyperlink in an email, the web filter can block the URL and prevent the user from visiting the site.
There are other important advantages to implementing a web filtering solution for restaurants. The solution can be used to carefully control the websites that customers can access. Restaurants can therefore ensure that customers do not access malicious sites or inappropriate website content such as pornography. Consumers are increasingly seeking restaurants that offer free Wi-Fi, but also those that implement controls to secure their Wi-Fi networks.
If you would like to improve your resilience against cyberattacks and offer your customers secure and safe Internet access, contact the TitanHQ team today and find out more about your options.
Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.
It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.
That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.
The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.
New Infection Method Used in Latest Locky Ransomware Attacks
The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.
The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.
If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.
The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.
The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.
The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more than the ransom payments demanded when Locky first arrived on the scene just over a year ago.
One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.
Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.
Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.
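The PDF-first chain described above is the kind of attachment a mail gateway can hold before any user is prompted. As an added example (not code from this page, Cisco Talos or PhishMe), here is a Python scanner that blocks PDFs carrying embedded files, launch or JavaScript actions, or actions that fire on open, looking inside FlateDecode streams and through #xx-escaped names as well; the sample PDFs are constructed, with an empty embedded file and harmless JavaScript.

```python
"""Gateway-side check for PDF attachments that carry a second-stage document.

Added example for this page (not TitanHQ, Talos or PhishMe code). It flags the
structures a PDF-first dropper needs: embedded files, file-launch or
JavaScript actions, and actions that fire on open. Names hidden in
FlateDecode streams or written with #xx escapes (/Embedded#46ile) are
normalised before matching. All sample PDFs below are constructed.
"""
import re
import zlib
from dataclasses import dataclass, field

# PDF name objects a benign invoice or scanned receipt has no reason to contain.
SUSPICIOUS_KEYS = {
    b"/EmbeddedFiles": "embedded-files name tree (attachment carrier)",
    b"/EmbeddedFile": "embedded file stream (second-stage document)",
    b"/Launch": "launch action (hands a file to an external program)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/OpenAction": "action that fires as soon as the document opens",
}
# Extensions that can carry macros or scripts once the reader hands them over.
RISKY_EXT = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb",
             ".ppt", ".pptm", ".js", ".jse", ".vbs", ".wsf", ".hta", ".exe",
             ".scr", ".jar", ".lnk")

# "stream\n...\nendstream" bodies; the lookbehind stops "endstream" matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# #xx hex escapes inside PDF names, e.g. /Embedded#46ile.
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# File name inside a file specification: /F (name) or /UF (name).
FILESPEC_NAME_RE = re.compile(rb"/U?F\s*\(([^)]*)\)")


@dataclass
class ScanResult:
    verdict: str                                  # "allow" or "block"
    findings: list = field(default_factory=list)  # human-readable reasons
    embedded_names: list = field(default_factory=list)


def _inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream so keys tucked
    into compressed object streams are visible to the name matcher."""
    extra = []
    for m in STREAM_RE.finditer(pdf):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or truncated stream: nothing to add
    return b"\n".join([pdf] + extra)


def _unescape_names(data: bytes) -> bytes:
    """Turn /Embedded#46ile back into /EmbeddedFile before matching."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(pdf: bytes) -> ScanResult:
    """Decide whether one PDF attachment should be held at the gateway."""
    if not pdf.lstrip().startswith(b"%PDF-"):
        return ScanResult("block", ["no %PDF header: not a PDF at all"])
    data = _unescape_names(_inflate_streams(pdf))
    findings = []
    for key, why in SUSPICIOUS_KEYS.items():
        # Word boundary: /JS must not match /JSx, /EmbeddedFile not /EmbeddedFiles.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            findings.append(f"{key.decode()}: {why}")
    names = sorted({n.decode("latin-1") for n in FILESPEC_NAME_RE.findall(data)})
    for name in names:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"embedded file {name!r} has a macro/script-capable extension")
    return ScanResult("block" if findings else "allow", findings, names)


# Constructed sample 1: a plain one-page PDF, nothing to flag.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: the shape of a PDF-first dropper. The embedded file is
# empty and the JavaScript is inert; only the structure matters here.
SAMPLE_DROPPER_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R
  /Names << /EmbeddedFiles << /Names [(scan_0042.docm) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
5 0 obj << /Type /Filespec /F (scan_0042.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 0 >>
stream

endstream
endobj
7 0 obj << /S /JavaScript /JS (var constructed_sample = 1;) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _build_obfuscated_sample() -> bytes:
    """Constructed sample 3: the file specification sits inside a FlateDecode
    object stream and /EmbeddedFile is written with a #46 escape."""
    hidden = (b"5 0 obj << /Type /Filespec /F (receipt.docm) /EF << /F 6 0 R >> >> endobj\n"
              b"6 0 obj << /Type /Embedded#46ile /Length 0 >> endobj\n")
    body = zlib.compress(hidden)
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_OBFUSCATED_PDF = _build_obfuscated_sample()

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN_PDF), ("dropper", SAMPLE_DROPPER_PDF),
                          ("obfuscated", SAMPLE_OBFUSCATED_PDF)):
        result = scan_pdf(sample)
        print(label, result.verdict, result.embedded_names, *result.findings, sep="\n  ")
```

A gateway would run this on every PDF attachment and quarantine on "block"; the embedded file names give the analyst the second-stage document name without opening the PDF.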
The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.
Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.
According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.
The Intercontinental Hotels Group data breach involved malware that had been downloaded onto its systems, which was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any information other than card details and cardholders’ names was stolen by the attackers.
The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.
Prior to the malware being installed, IHG had started installing the IHG Secure Payment Solution (SPS), which provides point to point encryption to prevent incidents such as this from resulting in the theft of clients’ data. Had the process started sooner, the Intercontinental Hotels Group data breach could have been prevented.
Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.
Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector
The Intercontinental Hotels Group data breach stands out due to the extent to which the group was affected, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.
Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.
Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.
The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks
While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. Verizon’s Data Breach Investigations Report (DBIR) for 2016 shows that in each of the reported breaches affecting the hospitality sector, access to systems was gained by the attackers in less than an hour.
Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.
Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.
The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.
Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.
TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.
Last week, the Bitglass Threats Below the Surface Report was released. The report highlights the extent to which organizations are being attacked by cybercriminals. Far from cyberattacks being a relatively rare occurrence, they are now as certain as death and taxes.
The report revealed that out of the 3,000 IT professionals surveyed for the report, 87% said they had experienced a cyberattack in the past 12 months. Many of those respondents had experienced numerous cyberattacks in the past year, with one company in three experiencing more than five cyberattacks in the last 12 months. To put that figure in perspective and show how the probability of being attacked has increased, two years ago, only half of companies were experiencing cyberattacks on that scale.
IT professionals rated mobile devices as one of the biggest problem areas. When asked to rate security posture, more respondents rated mobile as somewhat or highly vulnerable than any other system. While attacks can come from all angles, the report revealed that many companies are not actively monitoring their systems and devices for potential vulnerabilities. Only 24% monitored SaaS and IaaS apps for vulnerabilities, 36% monitored mobile devices and 60% monitored the network perimeter and laptops/desktops.
In response to the increased number of threats and the frequency of cyberattacks, companies have been forced to increase spending on cybersecurity defenses. The Bitglass Threats Below the Surface Report shows the biggest spenders are the retail and technology sectors, with 39% of retail organizations and 36% of technology companies saying they are now spending a large proportion of their budgets on cybersecurity. 52% of respondents said their organization is planning on increasing cybersecurity spending.
Respondents were asked to rate their biggest concerns for the report to get a gauge of the biggest perceived threats. The biggest concern for 37% of respondents is phishing. Phishing attacks are becoming more sophisticated and harder for non-security professionals to identify. A range of social engineering techniques are used to fool end users into opening infected email attachments or clicking on malicious links and revealing their sensitive information. While effective at preventing many phishing attacks, training alone is no longer sufficient. Technological controls are now essential.
Malware and insider threats are also major concerns, rated as a top concern by 32% and 33% of respondents respectively, with email one of the main methods of malware delivery. Ransomware was also a major concern. While ransomware attacks can result in significant costs and system downtime, many companies have fortunately improved their ransomware defenses and have been able to recover without paying a ransom by restoring files from backups.
54% of companies said they had experienced a ransomware attack and were able to recover their data from backups without having to pay a ransom. That said, 33% of companies had no alternative but to pay a ransom to recover locked data, while 13% of companies said they had refused to pay a ransom and had experienced data loss as a result.
Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.
Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.
An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.
Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.
Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.
Take the set of updates released by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.
The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.
One of those tools, called EternalRomance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, EclipsedWing, EmeraldThread, ErraticGopher and EsteemAudit have all been confirmed to work on Windows XP.
Those are just the Equation Group exploit tools recently leaked. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.
There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.
Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.
Windows-based systems are far more likely to be infected by viruses and malware; however, Mac users are far from immune to malware infections. A new report from McAfee suggests Mac malware infections increased substantially in 2016. Malware instances rose by a staggering 700% in the space of just one year.
The Threats Report by McAfee Labs shows that its anti-virus solutions detected and prevented 460,000 Mac malware infections in the final quarter of 2016 alone. That is a significant jump from the previous quarter when 150,000 Mac malware infections were detected and blocked – a rise of 247% from Q3 to Q4.
Compared to the number of infections of Windows based systems, the number of Mac malware infections is still very low. McAfee detected more than 600 malware samples on Windows devices and 15 million attempted virus attacks on Android devices. At its highest, Mac malware infections were at 1.3% of the level seen on Windows-based devices.
However, the rise in Mac malware attacks should not be ignored. While Mac users are far better protected against malware attacks than Windows users, they should not be complacent. Cybercriminals are now developing more malware to target Mac users and they are no longer content with attacking Windows devices.
McAfee reports that malware developers are increasingly tailoring their malicious software to be capable of attacking multiple platforms. As more consumers and businesses use Macs and other Apple devices, attacks become more profitable. When there is potential for profit, malware developers are quick to take advantage.
The Threats Report indicates much of the new Mac malware is adware, with OSX/Bundlore one of the main malware variants discovered in Q4, 2016. Adware usually comes bundled with legitimate apps, especially apps on non-official stores. Downloading apps from the Mac app store is unlikely to result in infection.
Other forms of Mac malware have also increased in prevalence. As with Windows-based malware, the malware has been developed to steal login credentials and banking details. Remote access Trojans have also increased in number as has Mac ransomware – OSX/Keydnap being a notable example. OSX/Keydnap was bundled with the torrent client BitTorrent and even found its way onto the official download site.
To prevent Mac malware infections, businesses and consumers should be security aware and not take unnecessary risks. Apps should only be downloaded from official stores, security software should be installed, updates to software and apps should be applied promptly and strong, secure passwords should be used.
The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment. In fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.
Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.
Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.
Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may cost as little as $50, with the author then taking a cut of the ransom payments generated. There has been no shortage of takers.
Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.
While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.
In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom of $17,000 to unlock its systems. A ransom in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000.
Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.
What is the Cost of a Ransomware Attack?
Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.
The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.
However, the true cost of a ransomware attack is far higher than any ransom payment. The HPMC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.
System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.
A study by Imperva on 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.
One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Under HIPAA Rules, a ransomware attack that encrypts protected health information (PHI) is presumed to be a reportable breach unless the organization can demonstrate a low probability that the data were compromised, so healthcare organizations must typically notify the affected patients.
Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.
Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.
The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.
It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.
A new variant of Stampado ransomware, called Philadelphia ransomware, is being used in targeted attacks on the healthcare sector in the United States. The ransomware is being spread using spear phishing emails.
Spear phishing emails have been detected that incorporate the targeted healthcare organization's logo along with the name of a physician at the organization. The logo and the name add credibility to the email, increasing the likelihood of the recipient clicking the link and downloading the malicious file. Information about organizations and details of potential targets can easily be found on social media websites such as LinkedIn.
In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious macros one of the most popular methods of infection. The latest campaign, identified by Forcepoint, also uses malicious Word documents. However, rather than attaching the document to the email, the emails contain a link to a website from which the Word document is automatically downloaded.
As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.
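The check a mail or web gateway can apply at this point is whether a downloaded Office document carries a VBA project at all, regardless of the extension it arrives with. The following Python is an added example, not code from Forcepoint or from this page: it inspects file content rather than the filename (a vbaProject.bin part or its content type in an OOXML package, the _VBA_PROJECT stream name in a legacy OLE2 file) and builds its own constructed sample packages. The minimal OOXML it generates is not a complete Word document, and the OLE2 check is a byte-pattern heuristic rather than a full compound-file parser.

```python
import io
import zipfile

# Modern Office documents (.docm/.xlsm/.pptm) are zip packages. VBA code is
# stored in a vbaProject.bin part and declared with this content type.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# Legacy binary files (.doc/.xls) are OLE2 compound files. Directory entry
# names are UTF-16LE; a macro-bearing file has a "_VBA_PROJECT" stream.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")


def has_macros(data: bytes) -> bool:
    """True if the bytes look like an Office file carrying a VBA project.

    The check is content-based on purpose: the extension of a downloaded
    file is attacker-controlled, and Word opens a renamed .docm as a .doc.
    """
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): no full compound-file parsing, just the
        # stream name as it appears in the OLE2 directory.
        return OLE_VBA_STREAM in data
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return VBA_CONTENT_TYPE in pkg.read("[Content_Types].xml")
    return False


def verdict(filename: str, data: bytes) -> str:
    """Gateway policy for a downloaded file: block macro-bearing documents."""
    if has_macros(data):
        return f"BLOCK {filename}: document contains a VBA macro project"
    return f"ALLOW {filename}"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, not a complete Word file."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        content_types += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            pkg.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (
        ("Invoice_2017.docm", build_sample_ooxml(True)),
        ("Invoice_2017.doc", build_sample_ooxml(True)),   # a renamed .docm
        ("Newsletter.docx", build_sample_ooxml(False)),
    ):
        print(verdict(name, blob))
```

The renamed-.docm case is the one worth noting: an extension allow-list passes it, while the content check blocks it. Real gateways combine this with a proper OLE2 parser (for example the olevba tool) rather than the stream-name heuristic used here for the legacy format.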
Philadelphia Ransomware Attacks Likely to Increase
Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.
Would-be cybercriminals are able to rent the ransomware and use it in their own spam campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, buys lifetime use of the ransomware, and affiliates then keep a share of any ransom payments they generate.
Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.
Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.
Anti-pornography legislation in Alabama could be introduced from January 1, 2018, following the introduction of a new bill last month. House Bill 428 was introduced by Jack Williams (R-Montgomery) to prevent state residents from using Internet-enabled devices to view obscene material.
The anti-pornography legislation classes obscene material as material that would, to an average person, appeal to prurient interest. Pornography, child abuse images and child pornography are included in the definition of obscene content, as is any other material that depicts patently offensive sexual conduct or excretory functions, lacks artistic, political or scientific value, or facilitates or promotes prostitution, sexual cyber-harassment or human trafficking.
If the anti-pornography legislation is passed, the sale of any Internet-enabled device without a web filtering solution in place would be classed as a Class A misdemeanor, punishable with a maximum fine of $6,000 per incident and up to one year in jail. Should such a device be sold to a minor, the offense would be upgraded to a Class C offense, for which the fine would rise to a maximum of $30,000 per incident and the jail term to up to 10 years.
While an Internet filter must be in place at the point of sale, it would not be an offense for the purchaser of the device to have the filter removed, provided a request is submitted to the seller in writing, proof that the individual is over 18 years old is supplied and a one-time filter deactivation fee of $20 is paid.
The fees will be collected by the Department of Revenue. 60% of the fees will be directed to the Alabama Crime Victims Compensation Fund, 20% will be directed to grants programs which will in part, be devoted to helping victims of human trafficking, with the remaining 20% of fees deposited in the General State Fund.
It is unclear at this stage how vendors of Internet-enabled devices would ensure that their devices are protected. The legislation describes a filter as a hardware or software solution that can be used to block websites, email, chatrooms, or other Internet-based communications based on category, content or site. The type of filter used will be left to the discretion of the seller.
Since there is a possibility that webpages or websites may be incorrectly categorized, the solution would also require a mechanism that allows websites or content to be blocked or unblocked. The vendor would be required to supply a phone number to a call center to allow requests to block/unblock content to be submitted. Failure to act on those requests in a reasonable time frame would be punishable with a $500 fine for each failure to block an obscene website or webpage.
Alabama is not the only state to propose anti-pornography legislation. Similar bills have also been introduced in New Mexico, North Dakota and South Carolina.
Researchers have identified changes to the Sundown exploit kit. Sundown is now in transition and is being actively developed. It now poses a significant threat.
Exploit kit activity has fallen over the past year as cybercriminals have turned to other methods of infecting end users. Spam email is now favored by many cybercriminals and exploit kit activity dropped sharply. However, over the past few weeks there has been an increase in exploit kit activity, with the Sundown exploit kit fast becoming a major threat.
Researchers at Cisco Talos report that the Sundown exploit kit has been upgraded and has now matured. While it was once a relatively unsophisticated exploit kit, that is no longer the case. The researchers point out that Sundown is likely to become one of the most widely used exploit kits, taking the place of the larger exploit kits that were used extensively in early 2016.
A number of upgrades have been made to the Sundown exploit kit in recent weeks. The individuals behind the Sundown exploit kit have removed many of the identifiers previously associated with the exploit kit. The exploit kit is now much harder to identify.
The Sundown exploit kit is one of a very small number that have had new exploits added in recent months, and some of the old exploits have been removed. The actors behind Sundown have also increased the likelihood of infection. In a recent alert, Cisco Talos researchers explain that the exploit kit does not rely on a single exploit to gain access to a system; instead Sundown tries a wide arsenal of exploits to maximize the chance of compromising the browser.
The delivery of the payload has changed too. Where the payload used to be downloaded by the browser itself, the exploit kit now launches the download from the command line via wscript. The payload is also hosted on a different server from the landing page and exploit code: the same root domain is used for both, but on different subdomains.
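Because the changed delivery chain puts wscript.exe or cmd.exe underneath a browser process, a parent/child process rule catches it even when the landing page itself is not recognised. The following Python is an added detection example, not from Cisco Talos or from this page. It runs over constructed process-creation events in a Sysmon-like JSON shape (the field names ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine and UtcTime are assumptions) and walks the parent chain, so that the two-stage browser -> cmd.exe -> wscript.exe case is attributed to the browser and flagged, not just the direct child.

```python
import json
import ntpath

# Process names involved in the behaviour described above: after a
# successful exploit the browser runs a shell or script host instead of
# fetching the payload itself.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "microsoftedge.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def browser_ancestor(event: dict, by_guid: dict, max_depth: int = 4):
    """Return the browser image that is an ancestor of `event`, or None.

    Walks ParentProcessGuid links through the events we hold, so that a
    browser -> cmd.exe -> wscript.exe chain is attributed to the browser.
    """
    current = event
    for _ in range(max_depth):
        parent = by_guid.get(current["ParentProcessGuid"])
        if parent is None:
            # Parent creation event not in our window: fall back to the
            # ParentImage field recorded on the child itself.
            name = image_name(current["ParentImage"])
            return name if name in BROWSERS else None
        name = image_name(parent["Image"])
        if name in BROWSERS:
            return name
        current = parent
    return None


def scan(lines):
    """Run the rule over JSON process-creation lines; return (time, alert) hits."""
    events = [json.loads(line) for line in lines]
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        child = image_name(e["Image"])
        if child not in SCRIPT_HOSTS:
            continue
        browser = browser_ancestor(e, by_guid)
        if browser is not None:
            hits.append((e["UtcTime"], f"{browser} -> {child}: {e['CommandLine']}"))
    return hits


# Constructed sample events in a Sysmon-like shape (not real log data).
SAMPLE_LOG = [json.dumps(e) for e in [
    {"UtcTime": "2017-02-01 10:00:01", "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "iexplore.exe"},
    {"UtcTime": "2017-02-01 10:00:09", "ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'cmd.exe /c wscript //B "C:\Users\u\AppData\Local\Temp\3k2.js"'},
    {"UtcTime": "2017-02-01 10:00:10", "ProcessGuid": "{D}", "ParentProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript //B "C:\Users\u\AppData\Local\Temp\3k2.js"'},
    {"UtcTime": "2017-02-01 10:05:00", "ProcessGuid": "{E}", "ParentProcessGuid": "{A}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]]


if __name__ == "__main__":
    for when, alert in scan(SAMPLE_LOG):
        print(when, alert)
```

On the sample both the cmd.exe launch and the wscript.exe it spawns are reported against iexplore.exe; notepad.exe under explorer.exe is ignored. Tuning for a real estate means allow-listing legitimate browser helper launches rather than widening the browser set.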
The actors behind the kit are also purchasing large numbers of established domains, typically domains that are more than 6 months old. Those domains are used for a short time and are then resold. Using older domains allows the attacker to bypass screening controls that blacklist recently registered domains.
The discovery of major updates made to the Sundown EK could indicate there will soon be a major increase in exploit kit attacks. Angler, Neutrino, and Nuclear may have virtually disappeared, but exploit kits still pose a significant threat.
Businesses can protect their endpoints from malware and ransomware infections via exploit kits by using a web filtering solution. A web filtering solution can be configured to carefully control the websites that can be accessed by end users to reduce the risk of infection, and domains known to host exploit kits can be blocked.
For further information on web filtering and protecting end points from malware and ransomware, contact the TitanHQ team today.
Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave puts the fall over the course of 2016 at "around 300%", which is to say that activity by the end of the year was a small fraction of what it had been at the start.
Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.
However, as the middle of 2016 approached, exploit kit activity started to fall. There are several possible reasons for the decline. Browsers have been hardened and defenses against exploit kits have certainly improved.
Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.
The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.
Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.
Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.
Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.
Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.
To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.
The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known – appears to have been released by the author, rather than being leaked.
To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker going by the name Gosya. The modular malware has a dual purpose: in addition to functioning as a banking Trojan, it also behaves like an anti-virus program, detecting and removing other malware installed on the machine. The modular design means additional components and functionality can easily be added, and when attempting to sell the malware in December last year, the author said further modules would be developed.
The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.
While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.
Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.
Other forum members were suspicious, but they wrongly assumed that Gosya was attempting to sell copied ("ripped") malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware; the problem was how Gosya went about selling it.
While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant. The malware even included an admin control panel that can be used to control infected computers.
Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.
The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather than relying on the current system of DMCA takedowns, which the RIAA believes to be 'antiquated.' The RIAA claims the current DMCA notice and takedown system is 'extremely burdensome' and 'ineffective' and that the system invites abuse.
The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of the current DMCA safe harbors and suggesting a number of potential solutions to the problem.
Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits. The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.
One of the main problems is that while the current system protects innocent Internet service providers who have passively, or unwittingly, allowed their services to be used for copyright-infringing activity, it also protects some entertainment services whose businesses are based entirely on copyright infringement, such as unlicensed streaming of sports, entertainment and movies.
A number of suggestions have been made, such as amending the Digital Millennium Copyright Act to include a timeframe for processing DMCA takedowns, and requiring Internet Service Providers to filter pirated content using automated systems that identify pirated content and prevent it from being uploaded again once it has been flagged.
The RIAA suggests that when a DMCA request is received requiring specific content to be removed, that content should then be flagged, and a system put in place that blocks the same content from being uploaded in the future on a different webpage or website. Currently, a takedown just means the individual or organization can upload the content again on another webpage or domain and the process must start over. The RIAA says the current system is like an endless game of Whac-A-Mole.
The proposals have been criticized as any automated process is likely to result in the removal of web content that is protected under fair use laws and that automated systems could result in the overblocking of website content.
This argument has been countered by the RIAA saying the risk has been exaggerated and that argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.
A flaw in the mobile Safari browser has been exploited by cybercriminals to extort money from iOS users, typically those who have used their device to view pornography and can be frightened into believing they have viewed illegal content. The Safari scareware prevents the user from browsing on the device by loading an endless series of pop-up messages.
A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.
A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.
One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.
Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.
The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.
Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, the attacker gets file-encrypting malware onto the device, and that malware locks the user's files with strong encryption. If no backup of the encrypted files is available, the user faces loss of data unless they pay the attackers for the key to decrypt their locked files.
Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.
Another major restaurant POS breach has been detected. This time, Cleveland-based Select Restaurants Inc., has had its POS system breached. Select Restaurants owns many well-known restaurants throughout the United States.
According to Brian Krebs, restaurants known to be affected by the POS malware infection include:
- The Rusty Scupper (Baltimore, MD)
- Parkers Blue Ash Tavern (Cincinnati, OH)
- Parkers’ Restaurant & Bar (Downers Grove, IL)
- Winberie’s Restaurant & Bar (Oak Park, IL., Princeton, NJ., Summit, NJ.)
- Black Powder Tavern (Valley Forge, PA)
The restaurant POS breach does not appear to have originated at Select Restaurants; instead it was the chain's POS vendor, Geneva, IL-based 24×7 Hospitality Technology, that was attacked. The attack occurred via the remote access application the company uses to access, update and maintain the POS systems of its customers.
After gaining access to the POS system, the attackers installed a form of malware known as PoSeidon. The malware records and exfiltrates credit card data when cards are swiped by restaurant staff when customers pay for their meals. The malware was installed and active for around 3 months from October 2016 to January 2017.
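Memory-scraping POS malware of this kind does not need to break any encryption: it searches the memory of the payment application for magnetic-stripe track data, which is present in clear text between the card swipe and the payment processor, and keeps only strings whose account number passes the Luhn check. The following Python is an added example, not PoSeidon's code or anything from the page: it shows that matching logic over a constructed memory buffer, and defenders can run the same scan against a memory dump or disk image of a POS host to confirm whether track data is sitting unencrypted. The account number used is the well-known 4111 1111 1111 1111 test number, and the output is masked.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([^?]{0,50})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over an ASCII digit string; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> bytes:
    """Keep the BIN and last four digits only, so findings can be reported safely."""
    return pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]


def scrape(buf: bytes):
    """Return (track, masked PAN, expiry YYMM) for every Luhn-valid track string in buf."""
    found = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            found.append(("track1", mask(pan).decode(), m.group(3).decode()))
    for m in TRACK2.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            found.append(("track2", mask(pan).decode(), m.group(2).decode()))
    return found


# Constructed sample standing in for a slice of POS process memory: two valid
# track strings, one digit run that fails Luhn, and unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b"\x00\x90\x90"
    + b";4111111111111111=25121011234567890000?"
    + b"junk;4111111111111112=2512101?"
    + b"ordinary text 5555"
)


if __name__ == "__main__":
    for track, pan, expiry in scrape(SAMPLE_MEMORY):
        print(track, pan, "exp", expiry)
```

The Luhn filter is what keeps the scraper (and a defender's scan) from drowning in false positives: the third candidate in the sample is well-formed but its check digit is wrong, so it is dropped. The point for restaurant operators is that end-to-end encryption at the card reader is the control that leaves nothing for this pattern to find.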
While fraudulent use of customers’ credit card details is often quickly detected by banks and credit card companies, it can be difficult to track those fraudulent card uses back to a specific retailer or restaurant. When major restaurant chains experience POS malware infections it is far easier to detect the source of the fraud. Malware infections at smaller restaurant chains can take much longer to detect. During that time, the credit card details of all of the restaurant’s customers can be stolen.
The remote access system could have been attacked using a variety of methods. If a weak password was used, it may have been guessed or a brute force attack could have occurred. Alternatively, an employee may have revealed a password by responding to a phishing or spear phishing email.
In this case, the malware was installed via the POS system provider, although a restaurant POS breach could just as easily occur through a direct attack on the restaurant's own systems. Restaurant chains can do little to prevent attacks on their POS system provider, but they can implement cybersecurity defenses to protect themselves against direct attacks.
Restaurants are major targets for cybercriminals. Malware can remain undetected for many months during which time many thousands of credit cards can be stolen. The consequences for restaurant chains can be severe. While customers may not experience any losses – their credit card company will usually refund any fraudulent purchases – the effect on a restaurant chain’s reputation can be permanent.
To protect systems from attack, restaurant chains should ensure software solutions are installed to block the most common attack vectors. Software must be kept up to date and patched promptly to prevent vulnerabilities from being exploited and antivirus solutions should be kept up to date and regular scans should be scheduled on all parts of the network.
For further information on how to prevent a restaurant POS breach and malware infections, contact the TitanHQ team today.
A House of Lords report on Internet safety for children calls for ISP web filtering controls to be applied as standard.
The UK government is keen for Internet service providers to apply web filtering controls to make it harder for children to access inappropriate website content such as pornography. In 2013, the UK government called on ISPs to implement web filters as standard. Four of the leading ISPs in the UK – Sky, Talk Talk, BT and Virgin Media – responded and have offered filtering controls to their customers.
However, not all ISPs in the United Kingdom provide this level of content control, and the House of Lords report suggests that many ISP web filtering controls do not go far enough to ensure children are protected. The report explains that the 'big four' ISPs only cover 90% of all Internet users, leaving 10% of users without any form of Internet filtering service.
It is also pointed out in the report that only Sky has opted for a default-on web filter to prevent adult content from being accessed by minors. If new customers want to access adult content they must request that the filter be taken off. The other ISPs have made the service available but do not provide a filtered Internet service that is turned on by default.
The new report calls for ISP web filtering controls to be improved and for ISPs “to implement minimum standards of child-friendly design, filtering, privacy, data collection, and report and response mechanisms for complaints.” The House of Lords report also calls for ISP web filtering controls to be put on all accounts by default, requiring users to specifically request it be turned off if required. Further, the report says the default standard of Internet control should offer the strictest privacy protections for users.
Not everyone agrees with this level of control. The Internet Service Provider Association (ISPA) says that such a move is ‘disproportionate,’ and while the association is committed to keeping children safe when online, mandating ISP web filtering controls is not the way forward. For instance, if an ISP makes it clear that it offers an unfiltered service, that should be permitted. Chairman of the ISPA, James Blessing, believes the best way forward is “a joint approach based on education, raising awareness and technical tools.”
While many parents will be aware of the risks their children face online, the House of Lords report does not believe Internet safety education should be left to parents. In addition to making it harder for children to access inappropriate website content, the report calls for mandatory lessons in schools on safe use of the Internet, covering risks, acceptable behavior and online responsibilities.
A health center malware infection has potentially resulted in 2,500 patients’ protected health information (PHI) being sent to unknown individuals over a period of almost a year. Lane Community College health clinic in Eugene, OR, discovered the malware during routine maintenance last month.
Further investigation determined that the malware had been installed on the computer in March 2016. The malware remained active until last month when it was discovered and removed. The malware was identified as Backdoor:Win32/Vawtrak – a Trojan backdoor that enables attackers to steal login information and take full control of an infected PC.
While the malware gave the attackers the ability to access data, Lane Community College health clinic uncovered no evidence that patient data had been stolen, although the possibility that PHI was accessed and exfiltrated could not be ruled out. A spokesperson for the clinic said an analysis of 20 other computers used by the clinic uncovered no further malware infections. In this case, the infection was contained because the computer was not connected to other computers on the network.
The only data exposed were those stored on the machine itself. The information potentially exposed included patients’ names, addresses, phone numbers, dates of birth and medical diagnoses.
A health center malware infection can prove costly to resolve. In this case, the infection was limited to one machine, but once access has been gained and malware installed, attackers can often move laterally within a network and spread the infection to other machines. Once data have been exfiltrated and there is no further need for access, attackers sometimes finish by installing ransomware to extort money from their victims.
The exposure or theft of patient data can often lead to lawsuits from patients. While many of those lawsuits ultimately fail, defending a lawsuit can be costly. Healthcare data breaches that expose more than 500 records are also investigated by the Department of Health and Human Services’ Office for Civil Rights to determine whether the breach resulted from HIPAA violations. Should HIPAA Rules be found to have been breached, covered entities may face heavy fines.
Health center malware attacks are commonplace due to the value of healthcare data on the black market. Healthcare providers should therefore implement a range of defenses to protect against malware infections.
Malware is commonly inadvertently installed by end users via spam email or redirects to malicious websites. Both of these attack vectors can be blocked with low cost solutions. Backdoor:Win32/Vawtrak – also known as Trojan-PSW.Win32.Tepfer.uipc – is recognized by Kaspersky Lab – one of the dual AV engines used by the SpamTitan spam filtering solution. SpamTitan blocks 100% of known malware and blocks 99.97% of spam emails to keep end users and computers protected.
To protect against web-borne attacks and to prevent malicious software downloads, WebTitan can be deployed. WebTitan is a powerful DNS-based web filtering solution that can be used to block a wide range of web-borne threats to keep healthcare networks malware free.
Both solutions are available on a free 30-day trial to allow healthcare providers to experience the benefits first hand before committing to a purchase.
To find out more about TitanHQ’s cybersecurity solutions for healthcare organizations or to sign up for a free trial, give the sales team a call today.
A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.
The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.
MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.
The attackers are infecting computers by exploiting weak credentials: brute force attacks are conducted against exposed Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some cases leveraging remote access tools (RATs) that had previously been installed on retailers’ systems. The malware includes a RAM scraping component that searches process memory for credit card data and uses an encrypted channel to communicate with its C&C server and exfiltrate data undetected.
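What a RAM scraper actually looks for is magnetic-stripe Track 2 data sitting in the memory of the PoS process, and that same pattern is what a defender hunts for in a memory dump or a captured exfiltration buffer. The following is an added example, not MajikPOS or Trend Micro code: it scans a constructed memory buffer for Track 2 records and uses a Luhn check to discard digit runs that merely look like a card number. The PANs are standard test numbers.

```python
"""Locating Track 2 card data in memory, as a PoS RAM scraper does.

Added example, not MajikPOS or Trend Micro code.  Track 2 data has a fixed
shape: ';' PAN '=' YYMM service-code discretionary-data '?'.  A Luhn check
weeds out digit runs that merely look like a card number.  The memory buffer
below is constructed and uses standard test card numbers.
"""
import re

# Track 2 layout: start sentinel ';', PAN (13-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record in buf with its offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue            # random digits, not a card number
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits only, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed slice of PoS process memory: two genuine Track 2 records
# (Visa and Mastercard test PANs) and one digit run that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00MSR read ok;4111111111111111=25121011234567890?\x00"
    b"garbage;1234567890123456=2512101?\x00"
    b";5500000000000004=23041019876543210?\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(f"offset {hit['offset']:5d}  {mask_pan(hit['pan'])}  "
              f"exp {hit['expiry']}  svc {hit['service_code']}")
```

The regex plus Luhn combination is also the core of most YARA and memory-forensics rules for PoS malware; the point for defenders is that a PoS process whose memory contains clear-text Track 2 data for longer than a transaction takes is itself a finding, regardless of whether a scraper has been found yet.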
MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.
POS Malware Infections Can be Devastating
A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.
While exploit kit activity has fallen in recent months, the threat has not disappeared and malvertising campaigns and malicious links sent via emails are still used in targeted attacks on U.S retailers.
Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.
POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.
This latest threat should serve as a warning for all retailers. Security vulnerabilities can be exploited by cybercriminals, and they are. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.
There is a new ransomware threat that businesses should be aware of, although PetrWrap ransomware is not exactly anything new. It is built on Petya, a form of ransomware that was first discovered last year. PetrWrap ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though: Petya has been hijacked by a criminal gang, which has replaced its encryption keys with its own.
The criminal organization behind PetrWrap ransomware has taken Petya ransomware, for which there is no free decryptor, and found a way to use it for its own gain. The attackers have simply added an additional module that patches the ransomware on the fly, swapping in their own keys. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!
Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.
Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.
Kaspersky Lab researcher Anton Ivanov says: “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”
Petya, and therefore PetrWrap, is not a typical ransomware variant in that individual files are not encrypted. While Locky, CryptXXX, and SamSam search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya overwrites the master boot record that launches the operating system with its own boot code. On the next boot, that code encrypts the master file table, which the NTFS file system uses to locate files on the disk. The operating system can no longer start and the entire computer is taken out of action. The effect, however, is the same: users are prevented from accessing their data unless a ransom is paid. Because the damage is done at reboot, rapid detection of an infection is critical to limit the harm caused, and once inside a network the attackers can move laterally to infect other endpoints and servers.
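Since Petya does its damage by replacing the boot sector, one practical detection is to baseline the MBR of each machine and re-check it on a schedule. The following is an added example, not Petya or Kaspersky code: it parses a 512-byte MBR, verifies the 0x55AA boot signature, walks the partition table and compares the bootstrap-code region against a hash recorded when the machine was known to be clean. Both sectors are constructed and the hypothetical boot-code bytes stand in for a real Windows loader.

```python
"""Detecting a Petya-style MBR overwrite by checking the boot sector.

Added example, not Petya or Kaspersky code.  Petya replaces the master boot
record (the first 512-byte sector) with its own loader, which then encrypts
the master file table on the next boot.  The check parses an MBR, verifies
the 0x55AA signature, walks the four partition entries and compares the
bootstrap-code region against a baseline hash.  Both sectors are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440       # bytes 440-443 hold the disk signature, 444-445 are reserved
PART_TABLE_OFF = 446      # four 16-byte partition entries
SIGNATURE_OFF = 510       # 0x55 0xAA boot signature

# Partition entry: status, CHS start (3 bytes, ignored), type, CHS end (3 bytes,
# ignored), first LBA, sector count; all little-endian.
PART_ENTRY = "<B3xB3xII"


def parse_partitions(sector: bytes) -> list:
    """Return the non-empty partition entries of an MBR."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, sector, off)
        if ptype == 0:
            continue          # unused slot
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap region; this is what a baseline stores."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
        return findings
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not parse_partitions(sector):
        findings.append("empty partition table")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba, count) tuples."""
    assert len(boot_code) <= BOOT_CODE_END
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"           # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


NTFS_PART = [(0x80, 0x07, 2048, 204800)]            # bootable NTFS partition at LBA 2048
# Constructed "clean" loader: the first bytes are the usual MBR prologue
# (xor ax,ax; mov ss,ax; mov sp,0x7c00) followed by NOP padding.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, NTFS_PART)
BASELINE = boot_code_hash(CLEAN_MBR)

# Petya keeps the partition table and signature so the disk still "boots",
# but the bootstrap code is now the attacker's loader (constructed bytes).
TAMPERED_MBR = build_mbr(b"\xfa\x66\x31\xc0" + b"\xcc" * 200, NTFS_PART)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_partitions(mbr), check_mbr(mbr, BASELINE) or "OK")
```

On a live system the sector comes from raw disk access (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both requiring administrative rights), and the baseline must be stored off the host, since a loader that can rewrite the MBR can rewrite a local hash file just as easily. Legitimate changes to the bootstrap code (OS upgrades, boot manager installs) will also trip the check, so treat a mismatch as something to investigate rather than as proof of infection.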
When considering how much to invest in cybersecurity defenses, be sure to bear in mind the cost of a retail data breach. Poor security practices and a lack of appropriate cybersecurity defenses can cost a company dearly.
A data breach of the scale of that suffered by Home Depot in 2014 will cost hundreds of millions of dollars to resolve. The Home Depot data breach was massive: it was the largest retail data breach involving a point of sale system reported to date. Malware had been installed that allowed criminals to steal more than 50 million credit card numbers from Home Depot customers and around 53 million email addresses.
The attack was made possible due to the use of stolen credentials from one of the retailer’s vendors. Those credentials were used to gain a foothold in the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was gained, malware was installed to capture credit card details. The malware infection went undetected for five months between April and September 2014.
Last year, Home Depot agreed to pay out $19.5 million to customers that had been affected by the breach. The payout included the costs of providing credit monitoring services to breach victims. Home Depot has also paid out at least $134.5 million to credit card companies and banks, and this week, a further $25 million settlement has been agreed to cover damages suffered by the banks as a result of the breach.
The latest settlement amount will allow banks and credit card companies to file claims for $2 per compromised credit card without having to show evidence of losses suffered. If banks can show losses, they will receive up to 60% of uncompensated losses.
The total cost of the retail data breach stands at around $179 million, although that figure does not include all of the legal fees Home Depot will be forced to pay, nor undisclosed settlements. The final cost of the retail data breach will be considerably higher and is already creeping closer to the $200 million mark.
Then there is the loss of business as a result of the breach. Following any data breach, customers often take their business elsewhere. Many consumers affected by the breach have chosen to shop elsewhere. There is, after all, not only one DIY retailer in the United States.
A number of studies have been conducted on the fallout from a data breach. One HyTrust study suggests businesses may lose 51% of customers following a breach of sensitive data!
For Home Depot, the cost of a retail data breach has been considerably more than the cost of implementing technologies to monitor its vendors’ cybersecurity practices, scanning for malware, and implementing security best practices.
The increase in cyberattacks on law firms has prompted the American Bar Association (ABA) to start offering cyber liability insurance for law firms, in addition to its standard insurance policies.
Cyber liability insurance for law firms is becoming as important as travel, medical and dental insurance. Cybercriminals are now targeting law firms with increasing frequency and vigor due to the treasure trove of data they store on clients.
The data can be used for fraud, although the highly sensitive nature of information disclosed to attorneys makes blackmail and extortion an attractive and potentially lucrative option. Access to sensitive data also opens up the possibility of insider trading. Only last year, indictments against three Chinese nationals were unsealed by the Manhattan U.S. attorney’s office showing that more than $4 million in illegal stock trades were made following the theft of attorneys’ emails. The hackers had gained access to email accounts at three Chicago law firms involved in major mergers and acquisitions.
Cybercriminals’ use of stolen data aside, cyberattacks can prove incredibly costly. Following a cyberattack, costs of mitigation can spiral. Law firms must cover the cost of forensic investigations to determine the nature and extent of an attack, and which clients and systems have been impacted. Analyses must identify malware infections and backdoors that may have been installed allowing persistent access to networks and data.
If client data are accessed, law firms must cover the cost of legal defenses and liability protection. Lawsuits will undoubtedly follow any cyberattack. Any breach of sensitive data will almost certainly have an impact on law firms’ reputations, resulting in considerable loss of revenue. Then there are the improvements to cybersecurity defenses to prevent further attacks, the cost of which can be substantial.
For large law firms, cyberattacks can make a significant dent in profits. For small law firms, a cyberattack could prove catastrophic. Given the high costs involved, it is no surprise that cyber liability insurance for law firms is now deemed a necessity.
For the past few years, the ABA has been improving awareness of the cybersecurity risks that must be mitigated by law firms. Awareness has improved as a result and many law firms have invested heavily in technologies to protect against cyberattacks. In 2013, the ABA also petitioned the government to introduce new laws specifically to protect law firms from cyberattacks and the threat of cyber-espionage. Cyber liability insurance for law firms was a natural step for the ABA.
The ABA has developed its new program during the past year to provide affordable coverage from some of the nation’s top insurance carriers. The ABA’s cyber liability insurance for law firms is underwritten by Chubb Limited, the largest publicly traded property and casualty insurer.
Cape Town’s Century City has implemented a free WiFi network for residents, although to make the network more secure and prevent bandwidth abuse, WiFi filtering for cities has been adopted.
The new service – called Let’s Connect – is provided by the telecoms company that operates the fiber-optic broadband network for the Cape Town suburb – Century City Connect – in partnership with ISP Comtel Communications.
The new WiFi network currently comprises 86 WiFi access points within the Cape Town suburb, although there are plans to increase the range of the free WiFi zone to include an extra 100 access points. At present, the WiFi network is supported by a 200 Mbps fiber-optic line which will provide users with 10Mbps speeds for uploads and downloads. Users will be required to register for the service, after which they will be limited to four hours of free WiFi access per day.
Providing a free WiFi network offers residents a host of benefits, but ensuring upload and download speeds remain reasonable requires additional technology. Without WiFi filtering for cities, there would be considerable potential for the service to be abused by some users. At times of heavy usage bandwidth will naturally be squeezed, but to limit this as far as possible, WiFi filtering for cities was deployed. The web filtering technology places certain limits on user activities.
The WiFi filtering solution used to control internet access is not overly restrictive. Torrent downloads have been blocked, not only because they are used for illegal file sharing, but because the downloading of massive files by multiple users has the potential to slow Internet speeds across Century City.
In practice, simply blocking torrent sites may not be sufficient to stop bandwidth crushing downloads. It would be possible for users to circumvent the controls. For more comprehensive blocking, the ISP has used DNS-based WiFi filtering, content filtering, and firewalls. Multiple levels of filtering controls makes it much harder for individuals to gain access to torrent sites and upload and download content.
Torrent sites are not the only drain of bandwidth. Software updates likewise suck up bandwidth. Many users have their devices set to update software only when connected to a WiFi network. Connecting to the city WiFi network could see thousands of devices updating software at the same time, further squeezing bandwidth. To reduce the impact, Century City has rate limiting in place. Updates will still be possible, but at a level that will not have a major negative impact on available bandwidth.
As with many locations around the world that use WiFi filtering for cities, Century City will also be using the technology to block adult content. This control works at the domain-level and is based on blacklists. The filters used at Century City also block botnet activity, prevent users from downloading malware and ransomware, and block phishing websites to keep users protected online.
While users will only be permitted four hours of free usage, limits will not be placed on certain categories of website. Educational sites and job websites will be accessible 24/7, even if the 4-hour quota has been used up. A number of other websites will also be whitelisted to ensure constant access is possible.
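The rules described above (always-blocked categories, always-reachable educational and job sites, and a daily quota that applies to everything else) are simple enough to state as a policy function. The following is an added example, not Century City Connect’s or TitanHQ’s code: a DNS-filter policy that either hands back the real address or a sinkhole address serving a block page. The category table, whitelist and upstream addresses are constructed for the example; a real deployment feeds them from a categorisation and threat-intelligence service.

```python
"""Policy decisions for a DNS-based public WiFi filter.

Added example, not Century City Connect's or TitanHQ's code.  Torrent, adult,
malware, phishing and botnet domains are always blocked; educational and job
sites (and an explicit whitelist) stay reachable after the four-hour daily
quota is used up; everything else is allowed until the quota runs out.  The
category table, whitelist and upstream addresses are constructed.
"""

FREE_QUOTA_SECONDS = 4 * 3600
SINKHOLE_IP = "192.0.2.1"                     # serves the block page (documentation address)

BLOCKED_CATEGORIES = {"torrent", "adult", "malware", "phishing", "botnet_c2"}
ALWAYS_ALLOWED_CATEGORIES = {"education", "jobs"}
ALWAYS_ALLOWED_DOMAINS = {"century-city-connect.example"}   # hypothetical whitelist

# Constructed category feed, keyed by domain suffix so subdomains inherit.
CATEGORY_BY_SUFFIX = {
    "thepiratebay.example": "torrent",
    "tracker.example": "torrent",
    "adult-site.example": "adult",
    "bad-cdn.example": "malware",
    "login-verify.example": "phishing",
    "c2.example": "botnet_c2",
    "university.example": "education",
    "jobs.example": "jobs",
    "news.example": "news",
}

UPSTREAM = {                                    # constructed stand-in for the real resolver
    "news.example": "198.51.100.10",
    "www.thepiratebay.example": "198.51.100.20",
    "courses.university.example": "198.51.100.30",
}


def normalise(domain: str) -> str:
    return domain.lower().rstrip(".")


def categorize(domain: str) -> str:
    """Longest-suffix match against the category table."""
    labels = normalise(domain).split(".")
    for i in range(len(labels)):
        cat = CATEGORY_BY_SUFFIX.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def is_whitelisted(domain: str) -> bool:
    d = normalise(domain)
    return any(d == w or d.endswith("." + w) for w in ALWAYS_ALLOWED_DOMAINS) \
        or categorize(d) in ALWAYS_ALLOWED_CATEGORIES


def decide(domain: str, used_seconds: int) -> tuple:
    """Return ('allow' | 'block', reason) for a lookup by a user who has
    already consumed used_seconds of today's free quota."""
    cat = categorize(domain)
    if cat in BLOCKED_CATEGORIES:               # security/abuse block wins over everything
        return ("block", f"category:{cat}")
    if is_whitelisted(domain):                  # reachable 24/7 regardless of quota
        return ("allow", "whitelisted")
    if used_seconds >= FREE_QUOTA_SECONDS:
        return ("block", "quota_exhausted")
    return ("allow", f"category:{cat}")


def answer(domain: str, used_seconds: int) -> str:
    """What the filtering resolver hands back: upstream A record or sinkhole."""
    verdict, _reason = decide(domain, used_seconds)
    if verdict == "block":
        return SINKHOLE_IP
    return UPSTREAM.get(normalise(domain), "NXDOMAIN")


if __name__ == "__main__":
    for name, used in (("www.thepiratebay.example", 0), ("news.example", 0),
                       ("news.example", FREE_QUOTA_SECONDS),
                       ("courses.university.example", FREE_QUOTA_SECONDS)):
        print(f"{name:30s} used={used:5d} -> {decide(name, used)} {answer(name, used)}")
```

A DNS-only filter is trivially bypassed by a client that points at another resolver, uses DNS over HTTPS, or connects to a raw IP address or a tracker it already knows. That is why the deployment layers a firewall on top: outbound port 53 and DoH endpoints are forced through the filtering resolver, and direct connections on torrent ports are dropped, so the policy above is the first gate rather than the only one.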
The project shows how WiFi filtering for cities can be used to ensure the maximum number of users can get the benefits of city-wide free WiFi networks, and how the Internet can be carefully filtered to keep users protected.
The final New York Department of Financial Services cybersecurity rules have now been issued. Covered entities (banks, insurance companies, and financial service firms operating in the state of New York) must now comply with the new rules. The financial services cybersecurity rules are the first of their kind to be introduced at the state level in the U.S.
The purpose of the cybersecurity rules is to make it harder for cybercriminals to gain access to confidential consumer data. The new rules require companies to adopt a host of cybersecurity measures to keep consumer data confidential and secure.
The financial services cybersecurity rules were first announced last fall. Following the announcement and publication of the draft cybersecurity rules on September 13, 2016, there followed a 45-day comment period. A revised version of the DFS cybersecurity rules was published in late December, which was followed by a further 30-day comment period. The comments received have been considered and now final changes to the cybersecurity rules have been made.
The final financial services cybersecurity rules are effective as of March 1, 2017. Covered entities have up to 6 months to ensure compliance, after which non-compliance could result in a significant financial penalty and other sanctions.
New York state governor Andrew Cuomo announced the release of the final financial services cybersecurity rules saying “New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks.”
The new rules should not pose too many problems for the majority of firms in the financial sector, provided that they have already adopted best practices issued by the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC). However, where the new cybersecurity rules differ is their specificity. The FINRA and SEC guidelines do not specify the measures that must be adopted, whereas the DFS cybersecurity rules are much more specific about the measures that must be adopted to keep data secure.
The final version of the financial services cybersecurity rules has seen an easing of document retention requirements. In previous versions of the rules, covered entities were required to keep all categories of records for a period of five years. In the final version of the rules, the 5-year retention period only applies to records that are necessary to reconstruct financial transactions to support the normal operations of the company. Records of cybersecurity events that could materially harm the company need only be kept for three years.
The new rules require the DFS to be notified of a cybersecurity event within 72 hours of it occurring, if the event has a reasonable likelihood of materially harming any part of the normal operations of the covered entity or if the entity has a pre-existing duty to notify another government or regulatory agency.
While the financial services cybersecurity rules are strict, there are many exemptions. Several security experts have suggested the new rules do not go far enough for this very reason.
Many of the exemptions apply to smaller companies. For instance, firms with less than $5 million in gross annual revenue are exempt from many of the requirements, as are firms with fewer than 10 employees. That effectively means a company with 9 employees does not need to implement as stringent data security measures as a company that employs 10 individuals; however, a line must be drawn somewhere.
There are also exemptions for firms that do not possess or control non-public information. There are further exemptions for charitable organizations and insurance companies that operate in the state of New York, but are not chartered in New York state, and for reinsurers that accept credits or assets from an assuming insurer not authorized in the state. However, further updates of the rules may see some of the exemptions removed.
The full text of the Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500) is published by the DFS.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980s, although at the time cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That is not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were being targeted in earnest. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA, was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $209 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015. That represents a 771% increase, and only three months had passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
The TitanHQ ransomware infographic contains more interesting, and horrifying, ransomware statistics, along with information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?
Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.
Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.
Cybercriminals have got much better at silently installing malware. The techniques now being used allow attackers to install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are sometimes exploited before anti-virus vendors and software developers have discovered the flaws.
While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.
ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.
Malware Protection at the ISP Level
Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.
ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.
ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.
An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service, and Level 3 Communications is one ISP that is taking the lead.
The ISP is assessing Internet traffic and identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level 3 Communications estimates that around 60% of those IP addresses have been added to a botnet and that 22% of the suspicious IP addresses are being used to send out phishing email campaigns.
The content of Internet traffic is not inspected; the ISP works from metadata, identifying which IP addresses are generating the traffic and which addresses are on the receiving end of it. While the IP addresses are known, the individuals using them are not. In order to notify individuals of potential infections, Level 3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.
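Working from flow metadata alone is enough to spot the two behaviours mentioned above: a host hammering a single target with a stream of tiny packets (DDoS participation) and a residential host opening SMTP sessions to dozens of distinct mail servers (spam or phishing sender). The following is an added example, not Level 3 Communications’ system: it classifies constructed NetFlow-style records with heuristic thresholds that are assumptions chosen for the example, and builds the kind of standard customer notice the article describes. The addresses are RFC 5737 documentation ranges.

```python
"""Flagging likely-infected customer IPs from flow metadata, ISP style.

Added example, not Level 3 Communications' system.  An ISP sees NetFlow-type
records (who talked to whom, on which port, how much) rather than packet
content.  Two heuristics: many tiny packets from one source to one
target:port (DDoS participation) and SMTP sessions from one source to many
distinct mail servers (spam sender).  Thresholds are assumptions; the flow
records are constructed.
"""
from collections import defaultdict

# Heuristic thresholds (assumptions, tune per network).
DDOS_MIN_PACKETS = 500        # packets from one source to one target:port
DDOS_MAX_AVG_BYTES = 100      # SYN floods and similar use tiny packets
SMTP_MIN_DISTINCT_DST = 20    # distinct mail servers contacted by one source


def classify(flows):
    """Map each source IP to the sorted list of labels it earned."""
    per_target = defaultdict(lambda: [0, 0])   # (src, dst, dport) -> [packets, bytes]
    smtp_dsts = defaultdict(set)               # src -> distinct port-25 destinations
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        per_target[key][0] += f["packets"]
        per_target[key][1] += f["bytes"]
        if f["dport"] == 25:
            smtp_dsts[f["src"]].add(f["dst"])

    verdicts = defaultdict(set)
    for (src, _dst, _dport), (pkts, byts) in per_target.items():
        if pkts >= DDOS_MIN_PACKETS and byts / pkts < DDOS_MAX_AVG_BYTES:
            verdicts[src].add("ddos_participant")
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_MIN_DISTINCT_DST:
            verdicts[src].add("spam_sender")
    return {src: sorted(labels) for src, labels in verdicts.items()}


def build_notice(ip, labels):
    """Standard customer notice.  The ISP knows only the IP; subscriber
    records or the hosting provider map it to a person."""
    lines = [f"Subject: Possible malware infection on {ip}",
             "",
             f"Our network monitoring observed traffic from {ip} consistent with:",
             *[f"  - {label.replace('_', ' ')}" for label in labels],
             "",
             "No content was inspected. Please run a full anti-virus scan, check for",
             "unknown programs and contact support if you need help."]
    return "\n".join(lines)


def sample_flows():
    """Constructed flow records: one spam sender, one DDoS bot, one normal user."""
    flows = []
    for i in range(25):                          # 25 different mail servers, port 25
        flows.append({"src": "203.0.113.10", "dst": f"198.51.100.{i + 1}",
                      "dport": 25, "packets": 12, "bytes": 9000})
    for _ in range(12):                          # 600 packets of ~40 bytes at one web server
        flows.append({"src": "203.0.113.20", "dst": "192.0.2.80",
                      "dport": 80, "packets": 50, "bytes": 2000})
    flows.append({"src": "203.0.113.30", "dst": "192.0.2.80",     # ordinary browsing
                  "dport": 443, "packets": 40, "bytes": 52000})
    flows.append({"src": "203.0.113.30", "dst": "198.51.100.3",   # one mail server only
                  "dport": 25, "packets": 8, "bytes": 6000})
    return flows


if __name__ == "__main__":
    for ip, labels in classify(sample_flows()).items():
        print(build_notice(ip, labels), "\n")
```

Both heuristics produce false positives (a small business running its own mail relay on a residential line, a user uploading to many servers at once), which is exactly why the article’s point stands: the right action on a hit is a notice and a scan, not a block at the IP level.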
The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.
If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.
ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections
Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.
ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.
WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.
If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.
In Utah, lawmakers are attempting to make it harder for pornography to be accessed, especially in libraries. A new bill has been introduced that would make it compulsory for library WiFi filtering to be implemented to block patrons from accessing pornography. That bill has now been signed off by a group of Utah senators, bringing the compulsory use of library WiFi filtering a step closer to becoming state law.
Last year, Sen. Todd Weiler, R-Woods Cross, was heavily involved in a campaign to raise awareness of the problems related to the accessing of hardcore pornography, with the senator claiming the use of pornography had now become “a public health crisis.”
Sen. Weiler was not alone in his thinking. Many people supported the campaign and agreed that pornography was particularly damaging for minors, that its use threatened marriages, and that it was contributing to the rise in sexual violence.
Library WiFi filtering is a contentious issue. While many libraries across the United States have implemented a WiFi filter to block pornography and other harmful images to protect minors and obtain government grants and discounts, many librarians are opposed to library WiFi filtering.
Libraries are places of learning where individuals can come to gain access to all types of information. The use of Internet filtering in libraries is seen as excessively curbing civil liberties and undermining freedom of speech. Public opinion is similarly divided, although many individuals would not want to catch a glimpse of hardcore pornography on another patron’s computer, and even less so their children.
In Utah, the majority of libraries have already implemented library WiFi filtering software. Weiler says that there are more than 100 public libraries in the state and that the larger libraries are already filtering out pornography. However, he pointed out that there are a dozen or so smaller library branches that have yet to implement Internet filtering on WiFi networks.
In the case of small libraries, there may not be sufficient funds available for WiFi filtering solutions to be purchased, even if by implementing those solutions savings could be made through the eRate program. Sen. Weiler appreciates that the cost of implementing a software solution may be prohibitively expensive for smaller libraries, which is why he is requesting $50,000 from the state budget to be made available to smaller libraries via a grant program. Those grants could then be used to pay for Internet filtering solutions for libraries in the state that have yet to purchase a filtering solution.
Now that the bill has been signed off, it will go before the Senate for debate, although there is a high probability that the bill will be written into state law. Support for Sen. Weiler’s anti-pornography campaign last year was strong, with many members of the Senate and House of Representatives backing it. The campaign also received public backing from the governor of Utah.
The email archiving cost can be avoided, but fail to use an email archiving service at your peril. Huge fines await organizations that cannot recover emails promptly.
U.S. businesses are required to keep emails for several years. The IRS requires all companies to keep emails for 7 years, the FOIA requires emails to be kept for 3 years, and 7-year retention again applies to healthcare organizations (HIPAA), public companies (Sarbanes-Oxley), banking and finance (Gramm-Leach-Bliley Act) and securities firms (SEC).
While large firms are able to absorb the cost of email archiving, many SMBs look at the email archiving cost and try to save money by opting for backups instead. While it is possible to save on the email archiving cost by using backups, the decision not to use an email archiving service could prove to be very costly indeed.
Email backups can serve the same purpose as email archiving in the sense that both can be used to keep old emails. However, while an email backup can help a business protect against data loss, companies often encounter problems if there is ever a need to recover backed-up emails.
Email backups are fine for recovering entire email accounts (mostly). In the event of a malware or ransomware attack, email backups can be used to recover entire email accounts. However, what happens if only certain emails need to be found – for eDiscovery purposes in the event of a lawsuit for example?
An eDiscovery order may be received that requires all email correspondence sent to a particular client or customer to be retrieved. Such a request may require emails from hundreds of employees to be located. Those emails may date back several years. Finding all emails would be an incredibly time-consuming process, and it may not actually be possible to recover all correspondence. Backup files cannot easily be searched. They are just data repositories, not a well-managed archive.
An email archive on the other hand is different. Not only can individual emails be easily recovered, the entire archive can be quickly and easily searched. If an eDiscovery request is received, all requested emails can be quickly and easily recovered. The process is likely to take minutes. The recovery of files from a backup could take weeks or even months, assuming that the task is even possible.
Email backups fail surprisingly often. The recent spate of ransomware attacks has highlighted a number of examples of data backups that have been corrupted, leaving organizations little option but to pay the attackers for a key to decrypt locked data. In the case of a ransomware infection, the ransom payment may be hundreds, thousands or even tens of thousands of dollars. However, the cost of failing to produce email correspondence for eDiscovery or a compliance audit can be even higher.
Non-compliance with the Sarbanes-Oxley Act and other industry legislation can see fines of several million dollars issued. Only last year, Scottrade was issued with a fine of $2.6 million by the Financial Industry Regulatory Authority (FINRA). Scottrade had kept records of its emails, but not a complete record. More than 168 million emails had not been retained that should have been present in an archive. As Brad Bennett, Executive Vice President and Chief of Enforcement at FINRA explained when announcing the fine, “Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records.” That includes email correspondence.
The cost of email archiving is not only low compared to the cost of a regulatory fine, email archiving is actually inexpensive, especially when using a cloud-based email archiving solution such as ArcTitan. Being cloud-based, emails are securely stored without the need for any additional hardware. Businesses can rest assured that no email will ever be lost.
In the event of an eDiscovery order, any email can be retrieved almost instantly, regardless of when the email was archived. No specific software is required as emails can be archived from Office 365 and archived messages can be accessed easily using an Outlook plug-in or even directly from the browser. Furthermore, the load on an organization’s email server can be greatly reduced. Reductions of 80% have been seen by a number of TitanHQ’s clients.
To find out more about the full benefits of email archiving and the features of ArcTitan, give the TitanHQ sales team a call today. We think you will be pleasantly surprised at how low the email archiving cost can be.
A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.
The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.
The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.
An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.
The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches, so many of them that genuine use of the Internet was prevented.
Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.
Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.
Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.
However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.
A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.
Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.
While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.
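The symptom that exposed this attack was a flood of DNS lookups from compromised devices. The following is an added example, not code from the original post or from the university, showing how a defender can spot that symptom from a DNS query log: lookups are counted per client per minute and any device whose peak rate crosses a threshold is reported. The log format, the `10.20.0.0/24` addresses, the `.example` names and the threshold are all assumptions, and the sample log is constructed inside the block.

```python
"""Per-device DNS lookup rate check for an IoT network segment (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical): "<ISO timestamp> <client IP> query[<type>] <name>"
LINE_RE = re.compile(r"^(\S+) (\S+) query\[(\w+)\] (\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, name), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)


def peak_lookups_per_minute(lines):
    """Map each client IP to its highest number of lookups in any single minute."""
    per_minute = defaultdict(int)  # (ip, minute bucket) -> lookup count
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than aborting the whole run
        ts, ip, _ = parsed
        bucket = ts.replace(second=0, microsecond=0)
        per_minute[(ip, bucket)] += 1
    peaks = defaultdict(int)
    for (ip, _), count in per_minute.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)


def noisy_devices(lines, threshold=60):
    """Return [(ip, peak_per_minute)] for devices above the threshold, noisiest first.

    A threshold of 60 lookups per minute is an assumption; tune it to the
    baseline of the devices on the segment being watched.
    """
    peaks = peak_lookups_per_minute(lines)
    flagged = [(ip, n) for ip, n in peaks.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def build_sample_log():
    """Constructed sample log: three quiet devices plus one vending machine that
    resolves a new seafood-related name every half second, like the incident above."""
    start = datetime(2017, 2, 10, 9, 0, 0)
    lines = []
    quiet = {"10.20.0.11": "lamp-controller.example",
             "10.20.0.12": "hvac-sensor.example",
             "10.20.0.13": "badge-reader.example"}
    for i in range(10):  # one lookup every 20 seconds per quiet device
        for ip, name in quiet.items():
            ts = start + timedelta(seconds=i * 20)
            lines.append(f"{ts.isoformat()} {ip} query[A] {name}")
    seafood = ["lobster", "crab", "shrimp", "oyster"]
    for i in range(240):  # 120 lookups per minute for two minutes
        ts = start + timedelta(milliseconds=i * 500)
        name = f"best-{seafood[i % 4]}-recipes-{i}.example"
        lines.append(f"{ts.isoformat()} 10.20.0.77 query[A] {name}")
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, peak in noisy_devices(build_sample_log()):
        print(f"{ip}: peak {peak} lookups/minute")
```

Running the same check per VLAN makes the segmentation point concrete: a device shouting from its own segment cannot drown out the rest of the campus, and the alert tells you which segment to isolate.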
The financial services sector and healthcare industry are obvious targets for cybercriminals, but cyberattacks on educational institutions in 2017 have risen sharply. There have been a multitude of cyberattacks on educational institutions in 2017, and February is far from over. The list paints a particularly bleak outlook for the rest of the year. At the current rate, cyberattacks on educational institutions in 2017 are likely to smash all previous records, eclipsing last year’s total by a considerable distance.
Why Have There Been So Many Cyberattacks on Educational Institutions in 2017?
Educational institutions are attractive targets for cybercriminals. They hold large quantities of personal information of staff and students. Universities conduct research which can fetch big bucks on the black market.
While some of the finest minds, including computer scientists, are employed by universities, IT departments are relatively small, especially compared to those at large corporations.
Educational institutions, especially universities, are often linked to government agencies. If hackers can break into a university network, they can use it to launch attacks on the government. It is far easier than direct attacks on government agencies.
Cybersecurity protections in universities are often relatively poor. After all, it is hard to secure sprawling systems and huge networks that are designed to share information and promote free access to information by staff, students and researchers. Typically, university networks have many vulnerabilities that can easily be exploited.
Schools are also often poorly protected due to a lack of skilled staff and funding. Further, many schools are now moving to one-to-one programs, which means each student is issued with either a Chrome tablet or a Windows 10 laptop. More devices mean more opportunities for attack, plus the longer each student is connected to the Internet, the more time cybercriminals have to conduct attacks.
Another problem affecting K12 schools is the age of individuals who are accessing the Internet and email. Being younger, they tend to lack awareness about the risks online and are therefore more susceptible to social engineering and phishing attacks. The data of minors is also much more valuable and can be used for far longer by cybercriminals before fraud is detected.
While college students are savvier about the risks online, they are targeted using sophisticated scams geared to their ages. Fake job offers and scams about student loans are rife.
The threat of cyberattacks doesn’t always come from outside an institution. School, college and university students are hacking their own institution to gain access to systems to change their grades or for sabotage. Students with huge debts may also seek data to sell on the black market to help make ends meet.
While all of these issues can be resolved, much needs to be done and many challenges need to be overcome. It is an uphill struggle, and without additional funding that task can seem impossible. However, protections can be greatly improved without breaking the bank.
Major Cyberattacks on Educational Institutions in 2017
There have been several major cyberattacks on educational institutions in 2017, resulting in huge losses – both financial losses and loss of data. Educational institutions have been hacked by outsiders, hacked by insiders and ransomware attacks are a growing problem. Then there are the email-based social engineering scams that seek the tax information of staff. Already this year there have been huge numbers of attacks that have resulted in the theft of W-2 forms. The data on the forms are used to file fraudulent tax returns in the names of staff.
Notable cyberattacks on educational institutions in 2017 include:
Los Angeles Valley College
One of the most expensive cyberattacks on educational institutions in 2017 was a ransomware infection at Los Angeles Valley College. The attack saw a wide range of sensitive data encrypted, taking its network, email accounts and voicemail system out of action. The systems could not be restored from backups, leaving the college with little alternative but to pay the $28,000 ransom demand. Fortunately, valid decryption keys were sent and data could be restored after the ransom was paid.
South Carolina’s Horry County Schools
The Horry County School District serves almost 43,000 students. It too was the victim of a ransomware attack that saw its systems taken out of action for a week, even though the ransom demand was paid. While it would have been possible to restore data from backups, the amount of time it would take made it preferable to pay the $8,500 ransom demand.
South Washington County Schools
Hackers do not always come from outside an organization, as discovered by South Washington County Schools. A student hacked a server and copied the records of 15,000 students onto a portable storage device, although the incident was detected and the individual apprehended before data could be sold or misused.
Northside Independent School District
One of the largest cyberattacks on educational institutions in 2017 was reported by Northside Independent School District in San Antonio, Texas. Hackers gained access to its systems and the records of more than 23,000 staff and students.
Manatee County School District
Manatee County School District experienced one of the largest W-2 form phishing attacks of the year to date. A member of staff responded to a phishing email and sent the W-2 forms of 7,900 staff members to tax fraudsters.
Huge Numbers of W-2 Form Phishing Attacks Reported
This year has seen huge numbers of W-2 form phishing attacks on educational institutions. Databreaches.net has been tracking the breach reports, with the following schools, colleges and educational institutions all having fallen for phishing scams. Each has sent hundreds – or thousands – of W-2 forms to tax fraudsters after responding to phishing emails.
- Abernathy Independent School District
- Argyle School District
- Ark City School District
- Ashland University
- Barron Area School District
- Belton Independent School District
- Ben Bolt Independent School District
- Black River Falls School District
- Bloomington Public Schools
- College of Southern Idaho
- Corsicana Independent School District
- Davidson County Schools
- Dracut Schools
- Glastonbury Public Schools
- Groton Public Schools
- Independence School District
- Lexington School District 2
- Manatee County School District
- Mercedes Independent School District
- Mercer County Schools
- Mohave Community College
- Morton School District
- Mount Health City Schools
- Neosho County Community College
- Northwestern College
- Odessa School District
- Powhatan County Public Schools
- Redmond School District
- San Diego Christian College
- Tipton County Schools
- Trenton R-9 School District
- Tyler Independent School District
- Virginia Wesleyan College
- Walton School District
- Westminster College
- Yukon Public Schools
*List updated June 2017
These cyberattacks on educational institutions in 2017 show how important it is to improve cybersecurity defenses.
If you would like advice on methods/solutions you can adopt to reduce the risk of cyberattacks and data breaches, contact TitanHQ today. TitanHQ offers cost-effective cybersecurity solutions for educational institutions to block email and web-based attacks and prevent data breaches.
There are many cybersecurity solutions for managed service providers to add to their service stacks and offer to clients. However, the failure to offer a comprehensive range of cybersecurity solutions can prove costly. There is considerable demand for managed services, and the failure to provide them could see clients effectively handed to competitors.
Furthermore, there is now increased competition. Managed service providers have offered preventative cybersecurity solutions to their clients for many years, but competition in this sphere is increasing.
IT companies that have previously relied on fixing computer problems or providing data breach investigative services as their core business have realized there is big money to be made from providing cybersecurity services to prevent problems. An increasing number of IT companies are capitalizing on high-profile data breaches and demand for preventative solutions from SMBs, and are now providing these services.
In order to capitalize on the opportunity for sales and to make sure clients do not start looking elsewhere, managed service providers need to make sure that they offer a full suite of cybersecurity solutions: solutions that will keep their clients protected from the barrage of cybersecurity attacks that are now occurring.
Fortunately, the move away from hardware-based solutions to cloud-based services is making it easier for managed services providers. Cloud-based solutions are not only cheaper for clients, they are easier for MSPs to deliver and manage. While providing solutions that prevent cyberattacks may have been impractical and provided little return for the effort, that is no longer the case.
There are many potential cybersecurity solutions for managed service providers, although one area in particular where MSPs can take advantage is to offer solutions to prevent phishing attacks. Phishing – obtaining sensitive information from employees – is one of the main ways that cybercriminals gain access to networks and sensitive data.
Companies are spending big on network security to prevent direct attacks, yet cybercriminals know all too well that even multi-million-dollar security defenses can be breached. The easiest way to gain network access is to be provided with it by employees.
It is much easier to fool an employee into downloading malware or ransomware, or into revealing their email or login credentials, than it is to find security vulnerabilities or use brute force tactics. All it takes is for a phishing email to reach the inbox of an employee.
Anti-phishing training companies, which provide security awareness training for employees and teach them how to identify phishing emails, know all too well that training alone is ineffective. Some employees are poor at putting training into practice.
Even if security awareness training is provided, employees will still open email attachments from strangers and click on links sent to them in emails. Furthermore, cybercriminals are getting better at crafting emails to get links clicked and malware-ridden attachments opened.
We have already seen this year (and last tax season) how effective phishing emails can be. At least 145 companies in the United States (that we know about) emailed W-2 Forms of employees to scammers via email last year. This year looks like it will be even worse.
A high percentage of malware infections occur as a result of spam emails with infection either through email attachments (downloaders) or links to malicious sites where malware is silently downloaded. The same is true of many ransomware infections.
Given the high risk of a phishing attack occurring or information-stealing malware and ransomware being installed, organizations are happy to pay for managed solutions that can block phishing emails, prevent malware-infecting emails from being delivered, and stop employees from visiting malicious links.
MSPs can take advantage by providing these services. Since cloud-based solutions are available that offer the required level of protection, adding these solutions to an MSP’s service stack is a no-brainer. Cloud-based solutions to protect against phishing, malware, and ransomware infections require no hardware, no site visits, and little management overhead.
TitanHQ can provide cloud-based solutions ideal for inclusion in MSPs’ service stacks. TitanHQ’s email and web protection solutions – SpamTitan and WebTitan – are effective at blocking a wide range of email and web-borne threats.
SpamTitan blocks over 99.97% of spam email, has a low false positive rate and blocks 100% of known malware. Inboxes are kept spam and malware free, and an anti-phishing component prevents phishing emails from being delivered to end users.
WebTitan offers excellent protection from web-borne threats, protecting employees and networks from drive-by malware and ransomware downloads and blocking links to malicious websites.
Furthermore, these solutions can be run in a public or private cloud, can be provided in white-label format ready for the MSP’s branding, have low management overhead and include generous margins for MSPs.
If you are an MSP and are looking to increase the range of cybersecurity services you can offer to clients, give TitanHQ a call today and find out more about our cybersecurity solutions for managed service providers.
With our cybersecurity solutions for managed service providers, you can improve your cybersecurity portfolio, provide better value to your clients and boost your bottom line.
The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.
Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.
Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath, Swaine & Moore LLP and Gotshal and Manges LLP.
However, while those attacks were damaging, they arguably caused less harm than the Panama Papers breach – the largest law firm data breach of the year. That attack resulted in an astonishing 2.6 terabytes of data being stolen by the attackers – documents that revealed highly sensitive banking activities of criminals, politicians, athletes, and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.
While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.
Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – but it will do little to prevent phishing attacks.
A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.
Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.