How Can I Protect Personally Identifiable Information Under GDPR?

From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?

The General Data Protection Regulation

GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.

GDPR applies to organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU, regardless of whether the organisation itself is based in the EU (Article 3). Merely having a website that EU residents can reach is not, on its own, enough to bring a company into scope; evidence of targeting EU users, such as pricing in euros, shipping to EU countries or marketing in an EU language, is.

Personal data (the term GDPR uses rather than personally identifiable information) covers a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data: essentially any information relating to an identified or identifiable individual. Data that has been pseudonymised, but could still be attributed to a person using information held elsewhere, remains personal data.

Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations that decide why and how data is collected) and data processors (companies that process data on a controller's behalf). Records must be maintained on how data is collected, stored, used and deleted when no longer required (Article 30).

Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.

In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly: the supervisory authority must be notified within 72 hours of the company becoming aware of a breach, where feasible, and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them.

Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s total worldwide annual turnover for the preceding financial year are possible, whichever is the greater.

Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.

How Can I Protect Personally Identifiable Information under GDPR?

GDPR imposes a number of restrictions on what companies can and cannot do with data and requires “appropriate technical and organisational measures” proportionate to the risk, but it does not prescribe specific controls to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.

A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.

GDPR includes a right to erasure (the “right to be forgotten”), so data relating to an individual must be deleted on request when the company no longer has a lawful basis for keeping it. It is therefore essential that a company knows where all data relating to an individual is located, including copies in backups, analytics systems and third-party processors. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.

Companies should perform a risk assessment to determine their level of risk; for processing that is likely to result in a high risk to individuals, GDPR requires a formal data protection impact assessment (Article 35). The risk assessment can be used to determine which are the most appropriate technologies to implement.

Technologies that allow the pseudonymisation and encryption of data should be considered; both are named in Article 32 as examples of appropriate measures. Note, however, that encrypting or pseudonymising data does not take it outside the regulation: as long as the company, or anyone else, holds the key or the lookup table needed to re-identify the individual, the data is still personal data and must be protected as such. The practical benefits are that a breach of properly encrypted data, where the key was not also compromised, does not normally have to be communicated to the affected individuals (Article 34), and that pseudonymised datasets can be used for analytics and testing with far less exposure than the raw records.
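As an illustration of that distinction, the following Python example (added here, not part of the original article or of any vendor's product) pseudonymises customer records with a keyed HMAC and keeps the re-identification table in a separate vault. The field names, the sample records and the 32-character token length are assumptions for the demonstration. The tokens only stop being personal data once nothing can link them back to a person, which here means deleting the vault entry; while the key and the lookup table exist, the pseudonymised records remain in scope.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumption: these fields are the direct identifiers in the customer record.
# subject_id is the controller's own internal customer key.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


@dataclass
class IdentityVault:
    """The 'additional information' of Art. 4(5): the HMAC key plus the
    token -> value map. Kept separately, under tighter access control,
    from the pseudonymised dataset it can re-identify."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: Dict[str, str] = field(default_factory=dict)             # token -> original
    by_subject: Dict[str, Set[str]] = field(default_factory=dict)    # subject -> tokens

    def tokenise(self, subject_id: str, field_name: str, value: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key nobody can
        # confirm a guess ("is this the token for alice@example.com?").
        # Normalising case/whitespace keeps one person mapped to one token.
        msg = f"{field_name}\x00{value.strip().lower()}".encode("utf-8")
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        self.lookup[token] = value
        self.by_subject.setdefault(subject_id, set()).add(token)
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)

    def erase_subject(self, subject_id: str) -> int:
        """Right-to-erasure handling: drop the vault entries so the tokens left
        in analytics copies can no longer be tied back to the person.
        Returns the number of distinct tokens removed."""
        tokens = self.by_subject.pop(subject_id, set())
        for token in tokens:
            self.lookup.pop(token, None)
        return len(tokens)


def pseudonymise(record: dict, vault: IdentityVault) -> dict:
    """Return a copy with direct identifiers replaced; other fields untouched."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if out.get(name):
            out[name] = vault.tokenise(record["subject_id"], name, out[name])
    return out


if __name__ == "__main__":
    vault = IdentityVault()
    orders = [  # constructed sample data
        {"subject_id": "c-1001", "email": "Alice@Example.com", "full_name": "Alice Ng", "plan": "gold"},
        {"subject_id": "c-1001", "email": "alice@example.com", "full_name": "Alice Ng", "plan": "silver"},
        {"subject_id": "c-2002", "email": "bob@example.org", "full_name": "Bob Rao", "plan": "gold"},
    ]
    pseudo = [pseudonymise(o, vault) for o in orders]
    print(pseudo)                                  # same person -> same token, so joins still work
    print(vault.reidentify(pseudo[0]["email"]))    # possible only with the vault
    vault.erase_subject("c-1001")
    print(vault.reidentify(pseudo[0]["email"]))    # None: the token is now unlinkable
```

Two design points worth noting. A keyed HMAC is used instead of SHA-256 alone because an unkeyed hash of an e-mail address can be reversed by simply hashing candidate addresses. And because the same key produces the same token for the same value, erasing the vault entry makes existing copies unlinkable but does not stop the key holder from recomputing the token from the original value; a production design that needs stronger erasure guarantees would use a per-subject key and destroy it on request.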

Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.

To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.

Compliance with GDPR is not something that can be left to the last minute. May 25, 2018 may seem a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.

Guidance on Strengthening Passwords Updated by NIST

The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.

Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.

By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.

By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.

The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.

A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.

When companies update their password policies forcing users to use at least one capital letter and number in a password, many end users choose Password1, or Passw0rd or P455w0rd. All would be high up on a password list used in a brute force attack.

Workarounds such as these mean that composition rules do little to improve security in practice. If users are going to cut corners anyway, it makes more sense, from a security perspective, to let them choose passwords that are both easy to remember and genuinely hard to guess, rather than short strings that merely satisfy a complexity checklist.

NIST Tweaks its Guidance on Strengthening Passwords

As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.

Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.

The use of a space does not in itself make a password any more secure, although increasing a password from 8 characters to, say, 15 or 20 characters certainly does. It also makes passwords much easier to remember. NIST requires user-chosen passwords to be at least 8 characters long, says verifiers should accept passwords of at least 64 characters, and adds that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”

NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.

NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before an account is locked is one such option; NIST sets the ceiling at 100 consecutive failed attempts on a single account. Organizations should also combine this with a blocklist of unacceptable passwords that includes dictionary words, other weak or commonly used passwords, passwords revealed in past data breaches, and context-specific values such as the username or the name of the service. NIST also recommends that passwords be stored only as salted hashes produced by a deliberately slow, iterated function (PBKDF2 is given as an example), so that a stolen password database cannot be cracked cheaply.
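Taken together, those recommendations amount to a short verifier. The Python below is an added example, not NIST’s code or anything from SP 800-63B itself; the blocklist, the leet-speak substitutions, the PBKDF2 round count and the account names are assumptions for the demonstration:

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_LENGTH = 8            # 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 64           # verifiers SHOULD accept at least 64; we cap here, not at 16
PBKDF2_ROUNDS = 100_000   # assumption for the demo; size it to ~100 ms on your hardware
SALT_BYTES = 16

# Constructed stand-in for the blocklist. A real verifier loads dictionary
# words, top-N lists and credentials from past breaches (millions of entries).
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein", "football",
             "welcome1", "iloveyou", "sunshine", "princess"}

# Substitutions users make to satisfy composition rules: P455w0rd -> password
LEET = str.maketrans("@4$501!3", "aassoiie")


def canonical_forms(secret: str) -> set:
    """Variants compared against the blocklist, so that 'Password1',
    'Password!' and 'P455w0rd' all collapse to 'password'."""
    low = secret.lower()
    stripped = low.strip("0123456789!@#$%^&*()_-+=.,;:?")
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}


def check_policy(secret: str, username: str = "") -> Tuple[bool, str]:
    """Length floor, generous ceiling, blocklist and context words. No
    composition rules: spaces, Unicode and all-lowercase passphrases are fine."""
    s = unicodedata.normalize("NFKC", secret)   # 800-63B recommends NFKC/NFKD
    if len(s) < MIN_LENGTH:
        return False, f"fewer than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"more than {MAX_LENGTH} characters"
    if canonical_forms(s) & BLOCKLIST:
        return False, "on the blocklist of common or breached passwords"
    if username and username.lower() in s.lower():
        return False, "contains the account name"
    return True, "ok"


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash for storage (PBKDF2-HMAC-SHA256 from the stdlib)."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    data = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


def verify_secret(stored: Tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = stored
    _, candidate = hash_secret(attempt, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Account:
    stored: Tuple[bytes, bytes]
    max_failures: int = 100   # 800-63B: no more than 100 consecutive failures
    failures: int = 0


def attempt_login(account: Account, attempt: str) -> str:
    """Returns 'ok', 'bad' or 'locked'. The lockout check runs before any
    hashing, so guesses against a locked account cost the verifier nothing."""
    if account.failures >= account.max_failures:
        return "locked"
    if verify_secret(account.stored, attempt):
        account.failures = 0
        return "ok"
    account.failures += 1
    return "bad"


if __name__ == "__main__":
    for candidate in ("Password1", "P455w0rd", "Password!", "H19g46\"&\"^",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} -> {check_policy(candidate)}")
    acct = Account(hash_secret("correct horse battery staple"), max_failures=3)
    for guess in ("password", "Password1", "letmein", "correct horse battery staple"):
        print(f"{guess!r:34} -> {attempt_login(acct, guess)}")
```

Note what is absent: there is no uppercase, digit or symbol requirement. Password1, P455w0rd and Password! are rejected because, after the substitutions users typically make, they collapse to the blocklisted word; a 28-character passphrase with spaces is accepted. Lockout is enforced before the hash is computed, and the stored value is a salted PBKDF2 digest rather than the password or a plain hash.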

The NIST guidance on strengthening passwords can be found in – NIST Special Publication 800-63B – Appendix A – Strength of Memorized Secrets

New Disdain Exploit Kit Being Rented on the Cheap on Darknet Forums

Exploit kit activity has fallen considerably since last year, but new variants are being developed, one of the latest being the Disdain exploit kit.

An exploit kit is a web-based toolkit capable of probing web users’ browsers for vulnerabilities. If vulnerabilities are discovered, they can be exploited to silently download ransomware and malware.

All that is required for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or out of date plugin. Currently, the author of the Disdain exploit kit claims his/her toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx – namely CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high chance of success against systems that have not been patched.

No malware distribution campaigns have so far been identified using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are conducted. The Disdain exploit kit has only just started being offered on underground forums.

Fortunately, the developer does not have a particularly good reputation on the forums, which is likely to slow the use of the exploit kit. However, it is being offered at a low price which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts being offered for weekly and monthly use. The Disdain exploit kit is being offered for considerably less than some of the other exploit kits currently being touted on the forums, including the Nebula EK.

All that is required is for someone to rent the kit, provide the malicious payload, and direct traffic to the domain hosting the Disdain exploit kit – such as via a malvertising campaign or botnet. The price and capabilities of the EK mean it has potential to become a major threat.

Protecting Your Business from Online Threats

Cybercriminals may be favouring spam email over exploit kits for delivering malware, although the threat of web-based attacks should not be ignored. To a large extent, good patch management practices can reduce the risk of exploit kit attacks, although not entirely. Exploit kits are frequently updated with new vulnerabilities for which patches have yet to be released. If end users are directed to domains hosting exploit kits, malware and ransomware downloads can be expected.

Along with prompt patching, businesses should consider implementing a web filtering solution. A web filter can be configured to carefully control the websites that end users can visit. A web filter will block access to all webpages known to host malware or contain exploit kits. Risky categories of website, which end users have no work purpose for visiting, can also easily be blocked reducing the risk of phishing attacks and improving employee productivity.

An appliance-based web filter can be costly to implement and can have a negative effect on Internet speed, because every request passes through it. A DNS-based web filter, on the other hand, requires no hardware purchases and adds no noticeable latency: the policy decision is made when a domain name is resolved, before any connection is opened, and the web traffic itself is not proxied. The trade-off is that a DNS filter sees only domain names, not URLs or page content, so it blocks at the level of a whole domain or subdomain. Since a web filter can also be used to restrict access to websites that take up a lot of bandwidth, Internet speeds for all can actually improve.

WebTitan Cloud – and WebTitan Cloud for WiFi – are DNS-based web filtering solutions for enterprises that allow precision control over the sites that can be accessed by end users and offer excellent protection against web-based threats such as exploit kits and phishing websites.

The solutions require no hardware purchases and no software downloads, add no noticeable latency, and are highly scalable. Implementing and configuring the solutions is quick and easy and they require minimal maintenance.

WebTitan is also ideal for MSPs, being available in full white-label form with a choice of hosting options – including hosting in an MSPs environment.

If you want to improve the productivity of your workforce and effectively manage online threats – or offer web filtering to your clients – contact the TitanHQ team today to discuss your options and register for a free trial.

Poor Patch Management Policies Result in Cyberattacks and Huge Settlement

The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.

The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.

In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.

WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit to spread between machines, alongside stolen credentials and legitimate administration tools, again with no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.

These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.

The take home message is unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.

Poor Patch Management Policies Cost Insurer More than $5 Million

This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.

The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.

The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, law suits filed by breach victims, attorneys general fines and fines by other regulators. These costs can all be avoided with good patch management policies.

Mamba Ransomware Attacks Resume

In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.

It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.

Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.

Once installed, the malware forces a reboot, modifies the Master Boot Record so that its own loader runs before Windows, encrypts the disk partitions, then reboots again. After the second reboot, victims are presented with a warning screen advising that their data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.

The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.

The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.

It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.

Businesses can enhance their defences against this and other malware variants by implementing WebTitan.

WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.

How Can I Restrict Internet Access at Work?

There are many reasons why businesses want to restrict Internet access at work. Allowing employees to have unrestricted access to the Internet can result in a major drain on productivity, the risk of malware and ransomware downloads must be managed and inappropriate Internet access at work can cause legal issues. However, restricting Internet access at work can also cause problems.

The Problem of Personal Internet Use at Work

Some employees spend an unreasonable amount of the working day surfing the Internet, playing games or accessing their social media accounts. Personal Internet use can see hours of the working day wasted. Multiply an hour a day by your number of employees and the losses are considerable.

There are other drains on productivity as a result of these activities. They can have a knock-on effect on Internet speed. If employees are downloading large files from file sharing websites or streaming music or videos, this can result in latency that affects all employees. Internet speed slows and important websites may become temporarily unavailable.

The Danger of Malware and Ransomware Downloads

Personal Internet use at work can cause other productivity-draining issues. If employees are accessing social media websites, downloading files or are visiting questionable websites, the risk of a malware or ransomware downloads increases significantly.

Ransomware can result in an entire network being taken out of action, as has recently been seen at companies affected by the WannaCry and NotPetya attacks. In the case of the latter, companies have experienced major disruptions for weeks following the attacks.

Even if antivirus software is installed, it may not prevent malware and ransomware downloads. Cybercriminals are getting better at obfuscation. Ransomware may not be detected until it is too late.

Accessing of Inappropriate Web Content

While most employees do not use the Internet to access unsavoury or illegal web content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.

In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A survey reported by Forbes in 2013 revealed 25% of adults have viewed porn at work, and 28% of employees have downloaded porn at work according to another survey.

Many businesses feel the best way to tackle the problem of personal Internet use is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the Internet, action can be taken against individuals without restricting Internet access at work for everyone. This does not always prove effective.

Even if policies are introduced that threaten instant dismissal for accessing pornography at work, it may not curb use. The use of anonymizer services will prevent bosses from discovering what sites are being visited. In the case of personal Internet use, differentiating between minor personal use and persistent abuse can be difficult.

The alternative is to restrict Internet access at work with a web filter. A web filter can be used to block access to specific websites or categories of website content.

Problems with Using a Web Filter to Restrict Internet Access at Work

A web filter may seem like a quick and easy solution, although companies that restrict Internet access at work with a web filter can experience problems. Those problems can be worse than the issues the web filter was installed to correct.

If you restrict Internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. The result is considerable latency. As more sites switch to HTTPS and adopt larger keys, such as 4096-bit RSA certificates, the problem will only get worse.

If you restrict Internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have an effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few?

How to Avoid Problems and Still Restrict Internet Access at Work

The issue of latency can be avoided if a cloud-based web filter is used. Cloud-based filters allow employers to restrict Internet access at work, but since the solutions are based in the cloud, they use the service provider’s resources rather than an appliance sitting on the company’s own link. The result is Internet control without latency. There are other benefits. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware.

Some cloud-based filters, WebTitan for instance, allow time-based controls to be applied. Employers can use this feature to restrict Internet access at work during busy times and relax control at others. It is easy to block access to certain sites 100% of the time, others some of the time – relaxing controls during breaks for instance – and setting different controls for different employees or groups of employees. Since the filter integrates with LDAP and Active Directory, setting controls for different user groups is simple. It is also possible to block anonymizer websites to prevent users from bypassing content filtering controls.
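To make concrete how such a resolver applies category, group and time-of-day rules (the DNS-based filtering described in the exploit kit section above, and the time-based and group-based controls and anonymizer blocking described here), the Python below is a small policy engine. It is an added example, not WebTitan’s code or configuration: the category feed, the rules, the group names, the 0.0.0.0 sinkhole answer and the upstream resolver are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, FrozenSet, Optional, Tuple

SINKHOLE_IP = "0.0.0.0"   # assumption: blocked names get a sinkhole answer rather than NXDOMAIN

# Constructed stand-in for a provider's categorisation feed (domain -> category).
# Matching is by DNS suffix, so every subdomain inherits its parent's category.
CATEGORY_FEED = {
    "ek-landing.example": "malware",
    "secure-login-update.example": "phishing",
    "freeproxy.example": "anonymizer",
    "videostream.example": "streaming",
    "social.example": "social",
}
ALLOWLIST = {"hr.social.example"}   # an explicit allow beats every category rule


@dataclass(frozen=True)
class Rule:
    category: str
    groups: Optional[FrozenSet[str]] = None         # None = applies to every user group
    window: Optional[Tuple[time, time]] = None      # (start, end) local time; None = always


POLICY = [
    Rule("malware"),                                          # always, everyone
    Rule("phishing"),
    Rule("anonymizer"),                                       # stops users bypassing the filter
    Rule("streaming", window=(time(9, 0), time(17, 30))),     # working hours only
    Rule("social", groups=frozenset({"warehouse"})),          # one group only
]


def _suffixes(qname: str):
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # most specific suffix first
        yield ".".join(labels[i:])


def categorise(qname: str) -> str:
    for suffix in _suffixes(qname):
        if suffix in CATEGORY_FEED:
            return CATEGORY_FEED[suffix]
    return "uncategorised"


def in_window(window: Optional[Tuple[time, time]], now: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end        # window that wraps past midnight


def decide(qname: str, group: str, now: datetime) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one query from one user group."""
    if any(s in ALLOWLIST for s in _suffixes(qname)):
        return "allow", "allowlist"
    category = categorise(qname)
    for rule in POLICY:
        applies_to_group = rule.groups is None or group in rule.groups
        if rule.category == category and applies_to_group and in_window(rule.window, now):
            return "block", f"{category} policy"
    return "allow", category


def resolve(qname: str, group: str, now: datetime,
            upstream: Callable[[str], str]) -> str:
    """What the filtering resolver answers: the sinkhole for blocked names,
    otherwise whatever the upstream resolver says."""
    action, reason = decide(qname, group, now)
    print(f"{now:%H:%M} {group:10} {qname:34} {action:5} ({reason})")
    return SINKHOLE_IP if action == "block" else upstream(qname)


if __name__ == "__main__":
    fake_upstream = lambda name: "203.0.113.10"       # constructed upstream answer
    office_hours = datetime(2017, 8, 15, 10, 30)
    evening = datetime(2017, 8, 15, 19, 0)
    for name, group, when in [
        ("cdn.ek-landing.example", "sales", office_hours),
        ("videostream.example", "sales", office_hours),
        ("videostream.example", "sales", evening),
        ("social.example", "sales", office_hours),
        ("social.example", "warehouse", office_hours),
        ("hr.social.example", "warehouse", office_hours),
        ("freeproxy.example", "sales", evening),
    ]:
        resolve(name, group, when, fake_upstream)
```

Three details matter in practice and are handled above: the category lookup walks from the most specific suffix outwards, so a new subdomain of a known malware domain is caught without a feed update; an allowlist entry is checked before any category rule, so an internal host under an otherwise blocked parent stays reachable; and a time window that crosses midnight (for example 22:00 to 06:00) is evaluated correctly rather than never matching.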

Speak to TitanHQ About Internet Filtering Controls

Internet content control is quick, easy and low cost with WebTitan. The solution allows you to easily restrict Internet access at work and avoid the common problems associated with web filtering. If you are interested in curbing personal Internet use at work, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase.

2017 Sees Huge Rise in Malware Attacks on Schools

2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.

Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted because the backups were reachable from the infected machine, making recovery impossible unless the ransom is paid or the key is otherwise obtained. Backups should therefore be kept offline, or otherwise out of reach of the systems they protect, and restores should be tested before they are needed.

Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.

Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.

Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.

The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.

Major Malware Attacks on Schools in 2017

Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.

Minnesota School District Closed for a Day Due to Malware Attack

Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.

Swedesboro-Woolwich School District Suffers Cryptoransomware Attack

The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.

The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”

Los Angeles Community College District Pays $28,000 Ransom

Ransomware was installed on the computer network of the Los Angeles Community College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.

Calallen Independent School District Reports Ransomware Attack

The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.

Preventing Malware and Ransomware Attacks on Schools

Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.

Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.

By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.

TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware

TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.

WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.

SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.

To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.

Secure WiFi Access for Shops to Attract More Repeat Business

Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, and retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.

With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.

Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.

The Risks of Unsecured WiFi Networks

When retailers provide free WiFi access in store, it helps to attract more foot traffic, encourages individuals to stay in stores for longer, and gives them access to information and reviews about products; studies have also shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than six out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.

Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.

Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.

Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.

Secure WiFi Access for Shops Brings Many Benefits

The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improve the image of your brand. It is also likely to result in positive online reviews.

Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your customers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers' browsing habits.

The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.

WebTitan – Secure WiFi Access for Shops Made Simple

Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.

WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.

To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.

Why is Internet and WiFi Filtering in Hospitals so Important?

Hospitals have invested heavily in solutions to secure the network perimeter, but Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, but IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.

A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.

A look at the Department of Health and Human Services’ Office for Civil Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.

There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.

The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals

The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.

Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.

Internet and WiFi filtering in hospitals is therefore no longer optional; it should be part of the cybersecurity strategy for all healthcare organizations.

Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats

Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.

Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.

It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.

Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.

Internet and WiFi Filtering in Hospitals Made Simple

WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.

WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.

WebTitan Cloud for WiFi supports blacklists and whitelists, allows precision content control via category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what happens on your WiFi network.

To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.

Secure WiFi for Hotels Demanded by Guests

Hotel guests used to choose hotels based on whether free WiFi was available. Now free WiFi is no longer enough: secure WiFi for hotels is required to ensure the Internet can be accessed safely, a fast connection is essential, and the WiFi signal must be reliable.

Even budget hotels know the attractive power of free WiFi and how much easier it is to attract guests with free, reliable Internet access. Forrester Research conducted a survey back in 2013 that showed 90% of hotel guests considered free WiFi access to be the most important hotel amenity, while 34% of respondents said when it comes to choosing a hotel, free WiFi was a deal breaker when choosing a place to stay.

Providing Free WiFi is No Longer Enough

Now that most hotels are offering free WiFi, travelers have become much more discerning. Free WiFi access is no longer sufficient. Hotel guests want reliable access, good Internet speeds, sufficient bandwidth to stream music and videos and secure WiFi for hotels is similarly important. Hotels now need to improve their WiFi networks to continue to attract business.

A quick look on TripAdvisor and other review sites is all it takes to assess the quality of the Internet connection. There are even websites dedicated to providing this information. A poor WiFi signal is one of the most common complaints about hotels.

Providing an excellent Internet connection may not mean a 5-star review is guaranteed – but one or two-star reviews can be expected if the Internet connection or WiFi coverage is poor.

If you really want to attract more guests, provide free WiFi access. If you want to gain a serious competitive advantage, ensure all rooms have an excellent signal, there is sufficient bandwidth and make sure your network is secure. Guests now expect the same protections they have at home.

Common Problems with Hotel WiFi Networks

Listed below are some of the common problems reported by guests about hotel WiFi:

Problems connecting more than one device to the network – Hotels often have WiFi networks with limited bandwidth. Restrictions may be in place that only allow one device to be connected per room. For a couple or family, that is no longer sufficient. Most guests will require at least two devices to be connected simultaneously per room, without Internet speed dropping to a snail’s pace.

Parents do not want their children to be able to access porn – A night in a hotel should be a relaxing experience. Parents do not want to have to spend their time policing the Internet. They want controls in place to make sure adult content cannot be accessed by their kids.

Connecting to guest WiFi should be safe and secure – Guests should be protected from malware and ransomware infections and steps should be taken by the hotel operator to reduce the risk of man-in-the-middle attacks. Safe and secure WiFi for hotels is essential. Accessing hotel WiFi should not result in nasties being transferred to guests’ devices. Safe and secure WiFi for hotels is especially important for business travelers. They should be able to enter their usernames and passwords without risking an account compromise.

Bandwidth issues are a major bugbear – If some guests are streaming video to their devices, it should not prevent other users from accessing the Internet or enjoying reasonable Internet speeds. Even at busy times, all guests should be able to connect.

How to Resolve these Problems?

Bandwidth is a major issue. Increasing bandwidth comes at a cost. If free WiFi is provided, it is difficult to recover that expenditure. There are solutions, however. Hotels can offer free WiFi access to all guests, yet block streaming sites and other bandwidth-heavy activities. If guests want to be able to stream video, they could be offered a premium service and be charged for non-standard access. The same could apply to adult content. Hotels could offer family-friendly WiFi as standard, with a paid-for service having fewer restrictions.

Secure WiFi for hotels is a must. Hotels can implement solutions that block malware and prevent guests from accessing phishing websites. Providing an encrypted connection is also essential. Guests should be able to login to their accounts without being spied on.

Secure WiFi for Hotels Made Simple

A web content filter can be used to resolve the above problems and ensure safe and secure Internet access for all guests. Arranging secure WiFi for hotels is simple with TitanHQ.

TitanHQ’s WebTitan Cloud for WiFi is a content filter with a difference. The solution can be deployed on existing hardware with no need for any software installations. Once installed, it is simple to manage, with updates to the system occurring automatically. Users don’t even need any technical expertise. The solution can be implemented and accounts set up in minutes. It doesn’t matter how many hotels you operate, all can be protected with ease through a central control panel that can be accessed from any location.

Secure WiFi for Hotels from TitanHQ

WebTitan Cloud for WiFi allows hotel operators to:

  • Control content and online activities without any impact on Internet speed
  • Block pornography and other inappropriate content to make the WiFi network family-friendly
  • Prevent users from engaging in illegal activity
  • Block phishing websites
  • Prevent malware and ransomware downloads
  • Restrict bandwidth-heavy activities such as video and music streaming services
  • Create user groups with different restrictions, allowing streaming or adult content for specific user groups
  • Set web filtering controls for different access points
  • Manage content filtering for multiple hotels with ease, no matter where in the world they are located

To find out more about all of the benefits of WebTitan Cloud for WiFi, how secure WiFi for hotels can be provided, details of prices and to register for a free trial, contact the TitanHQ team today. Your guests will thank you for it.

Why Secure Guest WiFi for Business is So Important

Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself to considerable risk.

Why Is Providing Internet Access so Important?

In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.

With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere.

Why is Secure Guest WiFi for Business So Important?

There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows them to collect contact details for future marketing and business can gain valuable customer insights.

However, giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.

Guests and customers could take advantage of a lack of control over accessible website content to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities. They may accidentally or deliberately install malware or ransomware, or visit phishing websites. Secure guest WiFi for business means protecting yourself and your customers. Securing guest WiFi for business visitors ensures they are protected when connected to your network: man-in-the-middle attacks and malware downloads are prevented and phishing attacks are blocked. You will also be protected from legal liability.

5 Things to Consider About Secure Guest WiFi for Business Customers

If you are going to open up your network to guests, security cannot be an afterthought. Before providing WiFi access be sure to consider the points below:

Network Segregation

Segregating your network is important for two reasons. First, secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests. It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use, and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, it will not spread from the guest network to your internal network.

Always Change Default Passwords and SSIDs

This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.

It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks.

Keep your Firmware Updated!

Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed on a monthly basis.

Encrypt Your Wireless Signals

You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2 encryption. You can then post the SSID and password in your business to make it easy for legitimate users to gain access to your network.

Secure Guest WiFi for Business Means Content Filtering

Secure guest WiFi for business means adding some controls over the content that can be accessed on your WiFi network. Content filtering is a must. You should block access to adult content – which includes pornography, gambling sites and other web content that is ethically or morally questionable. A web filtering solution will also protect your customers from accidental malware and ransomware downloads while blocking phishing websites. Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades.
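The network segregation and firewall advice above can be expressed as a concrete ruleset. The script below is an added example, not TitanHQ's code or anything from the original post. It assumes (hypothetically) a Linux gateway running nftables that routes between a guest VLAN sub-interface, the internal office LAN, and the uplink, and that the gateway runs a local resolver which forwards to whatever filtering DNS service the business has chosen. Interface names and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from TitanHQ): isolate a guest WiFi VLAN with nftables.
# Assumed layout (placeholders): guests arrive on $guest_if (e.g. wlan0.20),
# the office LAN is $lan_if (e.g. br-lan), the Internet uplink is $wan_if
# (e.g. eth0), and $dns_ip is this gateway's address on the guest VLAN,
# where a forwarding resolver listens and sends queries to the filtering DNS.
set -eu

# Print an nftables ruleset: guests reach the Internet only, plus DHCP and
# DNS on the gateway itself; nothing on the internal LAN is reachable, and
# the LAN cannot initiate connections into the guest VLAN either.
guest_ruleset() {
  guest_if=$1; lan_if=$2; wan_if=$3; dns_ip=$4
  cat <<EOF
table inet guest_wifi {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # The two isolation rules: no traffic between guest VLAN and office LAN
    iifname "$guest_if" oifname "$lan_if" drop
    iifname "$lan_if" oifname "$guest_if" drop
    # Guests must use the gateway resolver, so the DNS filter cannot be
    # bypassed by pointing a device at a public resolver (plain DNS or DoT)
    iifname "$guest_if" oifname "$wan_if" udp dport 53 drop
    iifname "$guest_if" oifname "$wan_if" tcp dport { 53, 853 } drop
    # Everything else from guests goes to the Internet only
    iifname "$guest_if" oifname "$wan_if" accept
    # Office LAN to Internet
    iifname "$lan_if" oifname "$wan_if" accept
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # From the guest VLAN the gateway itself answers only DHCP and DNS
    iifname "$guest_if" udp dport 67 accept
    iifname "$guest_if" ip daddr $dns_ip udp dport 53 accept
    iifname "$guest_if" ip daddr $dns_ip tcp dport 53 accept
    iifname "$guest_if" drop
    iifname "$lan_if" accept
  }
}
EOF
}

# Load the ruleset into the kernel (needs root and the nft binary).
apply_guest_ruleset() {
  guest_ruleset "$@" | nft -f -
}

# Sanity check on a generated ruleset: both isolation drops and the
# DNS-bypass drop must be present before it is applied. Returns 0 if so.
guest_rules_ok() {
  rules=$(guest_ruleset "$@")
  printf '%s\n' "$rules" | grep -q "iifname \"$1\" oifname \"$2\" drop" &&
  printf '%s\n' "$rules" | grep -q "iifname \"$2\" oifname \"$1\" drop" &&
  printf '%s\n' "$rules" | grep -q "iifname \"$1\" oifname \"$3\" udp dport 53 drop"
}
```

Usage: `guest_rules_ok wlan0.20 br-lan eth0 10.20.0.1 && apply_guest_ruleset wlan0.20 br-lan eth0 10.20.0.1`. The forward chain defaults to drop, so a device plugged into the guest VLAN that is not covered by an accept rule simply gets nothing; pair this with a separate VLAN on the access points so the guest SSID never shares a broadcast domain with staff machines.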

Family-Guard Saves Tens of Thousands of Dollars by Deploying WebTitan Cloud for WiFi

Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.

Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.

However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.

The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.

Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.

While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”

WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family-Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.

“For our technical staff, it reduced the time spent on support calls as the number of support calls reduced dramatically almost immediately,” said Tanner. The solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customer's location so issues that previously occurred regularly are now avoided.”

It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family-Guard has enjoyed savings of more than $10,000.

Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.

Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.

For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.

Selfridges Provides Secure WiFi Access In-Store with WebTitan

Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.

Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.

Retailers can gain huge benefits from offering customers free access to a WiFi network, but without security solutions to mitigate risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.

Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites.

Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.

Selfridges prides itself on providing high quality products and customer service, so it was important to ensure its WiFi service reflected the store's values. Alisdair Morison, IT manager at Selfridges, said, “We had to ensure that guests could not access malicious sites or view inappropriate content while in the store.”

In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.

Choosing a solution posed a number of challenges. Selfridges has a small, but busy IT department so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store so it was important that the solution could be managed remotely for all four locations without the need for any site visits.

Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison. “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”

The solution was set up in less than half a day, and the IT team can manage it remotely and monitor WiFi connections. All four locations are managed through a central administration console. All that was required to get started was to add the company’s external IP address in the GUI, update the DNS forwarders and set the filtering controls.

Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.

TitanHQ Partners With Intelligent Spaces Firm Purple

TitanHQ has announced a new partnership agreement with the intelligent spaces firm Purple. TitanHQ will be securing the firm’s WiFi networks and providing content filtering with WebTitan Cloud for WiFi.

Purple is a leader in its field, with over 20 million users spread across 125 countries around the globe. Its solution helps businesses monitor their physical spaces and promote their brand, in addition to gaining valuable insights into customer behavior at their venues. Purple’s clients include the City of New York, Legoland, Jaguar, Pizza Express, Outback Steakhouse, the Indiana Pacers, Merlin Entertainments Group and British Land to name but a few.

Purple will be adding WebTitan to its WiFi and Analytics package to improve security for its customers. Current and new customers will benefit from a more secure WiFi package and will be protected from a wide range of web-based threats.

WebTitan is a market-leading web content filtering solution that currently blocks more than 60,000 malware variants each day, protecting end users when they venture online. WebTitan can be used to control the content that can be accessed via WiFi networks around the globe from a single administration console. Companies can protect thousands – or tens of thousands – of WiFi access points simultaneously with WebTitan without any latency. The solution is easy to set up and configure, requires no additional hardware and has an extremely low management overhead.

Protection from exploit kits, phishing websites, and malware and ransomware downloads is more important now than ever. Cybercriminals have increased their efforts, and malware, phishing and ransomware attacks are becoming increasingly common.

In the case of ransomware, payment of the ransom demand may not allow data to be recovered as has clearly been demonstrated by the NotPetya attacks. Many companies that were attacked with NotPetya are still experiencing major problems and disruptions to services, with several firms forced to replace entire networks following installation of the malware.

Cyberattacks such as WannaCry and NotPetya are likely to become the new norm, with companies needing to do more to protect their networks – and their customers – from attack.

With WebTitan, malware and ransomware protection is only part of the story. WebTitan is a powerful content filter that prevents inappropriate content from being accessed by WiFi users – something that is becoming increasingly important in the retail and hospitality industries. With Purple’s retail and hospitality sector clients growing fast, this additional protection was essential.

For Purple, it soon became clear that the partnership with TitanHQ was the perfect choice, as James Wood, Head of Integration at Purple explained, “We approached TitanHQ with a number of specific requirements that were unique to Purple. From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan was also ideal for Purple customers. Wood said, “We take guest Wi-Fi security seriously so it was important that our customers were protected in the right way. Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

Installing the new web filtering system and replacing the incumbent system was completed in the quickest possible time frame, with tens of thousands of users migrated to the new system in a matter of days. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

WebTitan at the Kaseya Connect Europe User Conference

The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.

The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.

Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.

The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.

Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.

Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.

TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.

WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs' service stacks, allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.

SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.

Both solutions are provided as white labels with a range of hosting options, including hosting within an MSP's own environment.

Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.

“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president, customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”

The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.

RoughTed Malvertising Campaign Impacts 28% of Organizations

The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.

Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes, or sites used for a variety of scams.

Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.

The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.

It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign gets around these controls by bypassing ad blockers, so its adverts are still displayed.

A web filtering solution can be useful for preventing access to categories of websites that commonly host malicious adverts – sites hosting pornography, for example – although, due to the wide range of websites that display third party adverts, it would not be possible to eradicate the risk entirely. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.

Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.

In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.

If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.

2017 US Data Breaches at Record Breaking Level

2017 US data breaches have reached a record high, jumping an incredible 29% year over year. The mid-year data breach report from the Identity Theft Resource Center (ITRC) and CyberScout shows there were 791 reported data breaches between January 1 and June 30, 2017.

If 2017 US data breaches continue at the current pace, and there are no indications to suggest they will not, this year is set to be another record breaker. Last year smashed previous records with 1,093 data breaches reported for the year. This year looks on track to see the total reach – or exceed – 1,500 breaches. That would represent a 37% increase year over year.

The biggest cause of 2017 US data breaches is hacking, according to the report. Hacking includes phishing attacks, malware infections and ransomware attacks, the latter seeing a massive increase in the past 12 months. In the first six months of 2017, 63% of incidents were attributed to hacking – a 5% increase year over year. 47.7% of those breaches involved phishing to some degree. ITRC says 18.5% of 2017 US data breaches involved malware or ransomware.

Employee error and negligence, which includes improper disposal of sensitive data, continue to cause many breaches, with those causes accounting for 9% of the total. Accidental exposure of sensitive data on the Internet was the cause of 7% of data breaches. The number of breaches in both categories decreased year over year.

Most 2017 US Data Breaches Were Reported by the Business Sector

In the first half of the year, the business sector reported the most data breaches – 54.7% – with the healthcare and medical industry in second place with 22.5% of breaches. The education sector was third with 11% of breaches followed by the banking and financial services sector with 5.8% of the total. The government and military sector rounds off the top five with 5.6% of reported breaches.

There was an increase in data breaches reported by the hospitality and fast food sector in the first half of the year, most of which involved the theft of credit card details after malware was installed on POS systems. One of the biggest breaches affected Sabre Corporation and its SynXis hotel booking service. Hard Rock Hotels, Trump Hotels, Loews Hotels and Four Seasons were all among the victims. In the case of Trump Hotels, it was the third payment card data breach experienced in the past 2 years.

Biggest Healthcare Data Breaches of 2017 (So far)

The healthcare industry has also seen a 14% rise in data breaches in 2017, according to the figures published by the Department of Health and Human Services’ Office for Civil Rights. The main cause of healthcare data breaches – 37% – was hacking and IT incidents, which includes ransomware and malware attacks. Unauthorized access/disclosure came a close second with 35% of the total. Loss and theft of devices containing ePHI was in third place with 24% of the total, followed by improper disposal on 4%.

The biggest healthcare data breaches of 2017 so far are:

Organization                              | Entity Type          | Records Exposed | Breach Type
Commonwealth Health Corporation           | Healthcare Provider  | 697,800         | Theft
Airway Oxygen, Inc.                       | Healthcare Provider  | 500,000         | Hacking/IT Incident
Urology Austin, PLLC                      | Healthcare Provider  | 279,663         | Hacking/IT Incident
Harrisburg Gastroenterology Ltd           | Healthcare Provider  | 93,323          | Hacking/IT Incident
VisionQuest Eyecare                       | Healthcare Provider  | 85,995          | Hacking/IT Incident
Washington University School of Medicine  | Healthcare Provider  | 80,270          | Hacking/IT Incident
Emory Healthcare                          | Healthcare Provider  | 79,930          | Hacking/IT Incident
Stephenville Medical & Surgical Clinic    | Healthcare Provider  | 75,000          | Unauthorized Access/Disclosure
Primary Care Specialists, Inc.            | Healthcare Provider  | 65,000          | Hacking/IT Incident

The healthcare industry must report data breaches under HITECH/HIPAA regulations, including the number of individuals impacted. However, ITRC/CyberScout report that many organizations are holding back details of the number of individuals impacted. Without that information, it is difficult to obtain an accurate picture of the severity of data breaches.

Eva Velasquez, ITRC President and CEO, said, “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”

Verizon Communications Data Leak Resulted in Exposure of 6 Million Accounts

Human error was to blame for a massive Verizon Communications data leak that saw the personal information, account details and PIN numbers of more than 6 million customers exposed on the Internet.

The Verizon Communications data leak is particularly serious due to the highly sensitive nature of the exposed data. In addition to customers’ names, addresses, email addresses and phone numbers, PIN numbers and account details were also exposed. Since the PIN is used to confirm the identity of customers, anyone in possession of the data could easily impersonate customers. The PINs are used to verify identities by customer service staff at the firm’s wireline call center.

The Verizon Communications data leak was caused by a misconfigured cloud server that was set to allow external access. Amazon automatically secures its servers, although changing the settings will allow data to be accessed externally. The error was made by an employee of NICE Systems, an Israeli third-party vendor contracted by Verizon to improve its wireline self-service call center portal for residential and small business customers.
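The misconfiguration described above is detectable from the bucket's policy and ACL alone. The following added example (not code from the article, Verizon or NICE Systems) evaluates an S3 bucket policy document and ACL grant list offline and flags anything readable by the anonymous or any-AWS-account principal; the bucket name, account ID and role name in the samples are constructed.

```python
"""
Offline check for S3 buckets set to allow external access, the class of error
behind the Verizon/NICE leak.  Two exposure paths are covered: a bucket policy
whose Principal is "*" (anonymous) and an ACL grant to the AllUsers /
AuthenticatedUsers groups.  Inputs are plain policy JSON and GetBucketAcl-style
grant dicts, so no AWS credentials or boto3 are needed.  Added example.
"""
import json

# Canonical group URIs used in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principal_is_public(principal) -> bool:
    """True when the statement reaches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_findings(policy_json: str) -> list:
    """One finding per Allow statement granted to the anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action")),
            # A Condition (aws:SourceIp, aws:SourceVpce, ...) narrows the grant;
            # report it, but do not treat it as wide open.
            "conditional": bool(st.get("Condition")),
        })
    return findings


def public_acl_findings(grants: list) -> list:
    """Grants to the public groups in a GetBucketAcl-style Grants list."""
    findings = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append({"group": grantee["URI"].rsplit("/", 1)[-1],
                             "permission": g.get("Permission")})
    return findings


def is_externally_readable(policy_json: str, grants: list) -> bool:
    """Verdict: can a caller outside the account read objects from this bucket?"""
    for f in public_policy_findings(policy_json):
        if not f["conditional"] and set(f["actions"]) & READ_ACTIONS:
            return True
    return any(f["permission"] in ("READ", "FULL_CONTROL") for f in public_acl_findings(grants))


# Constructed samples: the weak configuration (GetObject granted to "*") beside
# the corrected one (an explicit IAM role as principal).  Names are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-call-center-exports/*"}],
})
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VendorReadOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-etl"},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-call-center-exports",
                                "arn:aws:s3:::example-call-center-exports/*"]}],
})
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]
PUBLIC_ACL = PRIVATE_ACL + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

if __name__ == "__main__":
    for name, pol, acl in (("weak policy", WEAK_POLICY, PRIVATE_ACL),
                           ("fixed policy", FIXED_POLICY, PRIVATE_ACL),
                           ("fixed policy, public ACL", FIXED_POLICY, PUBLIC_ACL)):
        print(f"{name}: externally readable = {is_externally_readable(pol, acl)}")
```

In practice the policy string and grant list would come from GetBucketPolicy and GetBucketAcl for each bucket in the account, and a "True" verdict on a bucket holding customer data is what should page the on-call engineer.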

As was the case with a number of recent data leaks, the misconfigured cloud server was found by Chris Vickery, security researcher and Director of Cyber Risk Research at UpGuard. The Amazon S3 storage server error was identified on June 13 and was brought to the attention of Verizon, which corrected the problem on June 22, 9 days after being notified of the security hole. Data were accessible by anyone who had the web address.

Initially, UpGuard suspected up to 14 million individuals had been affected as a result of the Verizon Communications data leak, although Verizon has since released a statement confirming the incident impacted around 6 million customers.

Vickery discovered the server had six unsecured folders. The information in the files related to customers who called Verizon customer service between January and June 2017.

A spokesperson for Verizon told ZDNet, “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

While the data were exposed online, the information does not appear to have been accessed by anyone other than the security researcher who discovered the error. Verizon said, “There has been no loss or theft of Verizon or Verizon customer information.”

Why is WebTitan Cloud for Service Providers So Popular with MSPs?

Last month, TitanHQ conducted a survey on managed service providers that have added WebTitan Cloud for Service Providers to their service stacks and are providing web filtering and anti-malware services to their customers.

There are many reasons why service providers have started offering a web filtering service. Customers often ask service providers for a web filtering service to prevent their employees from accessing inappropriate web content in the workplace and to stop inappropriate content from being accessed via WiFi networks in public places. They also want greater protection from malware and ransomware and to control use of bandwidth.

TitanHQ is well aware of the benefits that can be gained from using WebTitan Cloud for Service Providers, but the company wanted to gather feedback from MSPs and find out why they are so happy providing the web filtering service to their customers.

The answer to that question was abundantly clear from the survey. When asked to state the number one reason why they use web filtering there was a clear winner. 89% of service providers said they use WebTitan Cloud for Service Providers because “It saves significantly on my support time and cost.”

Managed Service Providers that offer WebTitan Cloud to customers are enjoying major savings. Since WebTitan Cloud is highly effective at blocking access to malicious websites, customers experience less downtime as a result of malware infections. For service providers that means less time is spent mitigating malware infections, which is arguably the biggest expense of IT operation teams and tech support staff.

One NYC-based Managed Service Provider summed up why web filtering is so important, saying “Web filtering is one of the, if not the, greatest bang for your buck services. Its built-in anti-malware has protected our clients, and us from having to fix, thousands of hours of repair time, I am absolutely certain.”

A Washington-based MSP said, “By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs,” while a London, UK-based MSP explained that since they started providing a web filtering service, “Our Crypto calls dropped to 0.”

As well as cutting down the time spent responding to security incidents, MSPs found that WebTitan Cloud for Service Providers was an easy way to increase client spending. The second most popular response was that WebTitan Cloud for Service Providers is “an easy monthly recurring revenue source”.

How Can WebTitan Cloud for Service Providers Benefit Your Organization?

WebTitan Cloud for Service Providers has been developed specifically for Managed Service Providers. The solution is ideal for hotspot and WiFi providers, MSPs, ISPs and retail and public organizations that offer access to WiFi networks, including schools, universities, libraries, restaurants, cafes, shops and hotels.

The solution is highly scalable to hundreds of thousands of users and the web filtering service has no latency as it is DNS based. That also means it is not necessary to become an Internet Service Provider to offer a web filtering service.

MSPs love the fact that the solution is provided as a white label and is ready to have branding and color schemes applied. WebTitan Cloud for Service Providers also has multiple hosting options, including the option of hosting the solution within an MSP's own environment.

WebTitan Cloud for Service Providers is an API-driven, multi-tenant solution that’s easy to implement and manage. New customers can be added in minutes, there are no hardware requirements and the solution can be managed remotely without the need for site visits.

Customers benefit from an extensive list of features that help them protect their brand by blocking access to inappropriate content via WiFi networks, protect users by blocking malware and save bandwidth by restricting access to streaming services.

If you are an IT service provider and you have yet to start offering a web filtering and anti-malware service, or you are unhappy with your current solution provider, contact the TitanHQ team today to find out more about how offering or switching to WebTitan can save you time and money and improve your bottom line.

Only 9% of Companies Have Completed Their General Data Protection Regulation Preparations

A new study conducted by the Ponemon Institute has shown that General Data Protection Regulation preparations have only been made by a small minority of companies, with almost half of surveyed organizations unsure where to even start.

The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016. Companies have been given until May 25, 2018 to comply with GDPR. When the new regulation comes into force, any company discovered not to be in compliance can face a heavy fine. The maximum fine for non-compliance will be €20 million or 4% of global annual turnover, whichever is the highest.

Many companies started their General Data Protection Regulation preparations as soon as the new legislation was approved. However, according to the Ponemon Institute survey, only 9% of companies have made the necessary changes to comply with GDPR. 59% of surveyed organizations haven’t even started their General Data Protection Regulation preparations and don’t know how to comply.

Interestingly, the threat of fines and the difficulty complying with GDPR has put many companies off doing business in the EU. 34% of surveyed companies have said their General Data Protection Regulation preparations have involved shutting down their European operations. However, that does not mean they will not need to comply. Compliance with GDPR is mandatory for any company doing business in the European Union, even if they do not have a physical base in one of the European member states.

Even the threat of fines has not convinced many companies to start preparing. Only 38% of companies said their senior leadership viewed compliance as a priority.

The changes for many companies to ensure compliance will be considerable. 89% of respondents said GDPR will have a significant impact on their data breach protection practices. However, there is considerable doubt about how effective GDPR will be. Only 41% of companies believe the new regulation will improve privacy protection practices while 70% said they don’t believe the new regulation will benefit victims of a data breach.

If you have yet to start preparing and updating your policies and procedures you don’t have long. The compliance date may be months away, but for many companies, preparations will take some time. If you are keen to avoid a fine for non-compliance, now is the time to start your GDPR compliance preparations.

If you are unaware of what GDPR means for your business or whether you need to comply with the regulation, you can find out more on this link.

Internet Filtering Controls for Public WiFi Hotspots Promoted in New Friendly WiFi Campaign

The sharp rise in the use of smartphones by children and the increase in Internet access points have prompted Friendly WiFi to launch a new campaign to promote the adoption of Internet filtering controls for public WiFi hotspots.

Businesses in the UK are being encouraged to implement web filtering controls to ensure children can connect to their WiFi networks without being exposed to potentially harmful material.

Friendly WiFi is a government initiated scheme launched in 2014 to promote Internet filtering controls for public WiFi hotspots. Businesses that filter the Internet and block inappropriate content from being accessed via their WiFi networks can display the digital Friendly WiFi banner. This banner lets parents know their children can connect to the Internet safely.

Friendly WiFi is the only scheme of its kind in the world. The main aim of the initiative is to make the UK the safest place in the world for children to venture online. When the scheme was launched in 2014 there were 5.6 million WiFi hotspots in the UK; however, that number is estimated to triple by the end of next year.

A recent study has shown that nearly half the population of the UK uses public WiFi hotspots and research suggests more than 40% of children aged between 5 and 15 now have a smartphone and connect to the Internet. The growth in hotspots and smartphone usage among children makes it more important than ever for public WiFi hotspots to have harmful content filtered out.

Figures supplied by Friendly WiFi suggest the number of WiFi access points around the globe is likely to increase to 432.5 million by 2020, which represents a 700% increase from 2015. Even though many of these WiFi networks can be accessed by minors, fewer than half of those hotspots have internet filtering controls in place.

In the UK the use of Internet filtering controls for public WiFi hotspots is growing. Major high street names such as Starbucks and Tesco have already adopted Internet filtering controls, as have McDonalds and IKEA and many small businesses. The aim of the latest Friendly WiFi campaign is to accelerate adoption of Internet filtering controls.

To be able to display the Digital Friendly WiFi symbol, businesses must implement Internet filtering controls for public WiFi hotspots to block all websites and web pages that display pornographic content. Businesses must also block all webpages containing child pornography using the blacklist maintained by the Internet Watch Foundation. Organizations must also prevent advertisements or links to such content from being displayed.

Bev Smith, director of Friendly WiFi said “Now is the right time for all businesses which provide public WiFi to prove they take the same care for their customer’s online safety as they do for their physical wellbeing.”

New Report Shows Changing Trends in Phishing

The Anti-Phishing Working Group (APWG) has recently released a new report showing the changing trends in phishing in 2016. The report provides interesting insights into how cybercriminal activity is changing and the attack methods most commonly used by cybercriminals to fool end users into installing malware or revealing their login credentials.

The report uses data from more than 250,000 phishing attacks that were detected between 2015 and 2016; clearly showing some of the new trends in phishing and how phishers have been conducting their attacks. The report is focused on phishing rather than spear phishing, with the latter involving highly varied targeted attacks on specific individuals in an organization.

Phishing emails often contain malicious email attachments with scripts and macros used to silently download malware onto end users’ computers. However, the report shows there was a major increase in phishing domains in 2016 with criminals registering more domains than ever before. Phishing attacks also reached record levels last year. Phishing is now the number one cyber threat faced by organizations.

APWG says that almost half of new top-level domains that were available for open registration in 2016 were used for phishing. APWG suggests the increase in malicious domain registrations demonstrates that domain registrars are struggling to detect and take down malicious domains.

While it was previously thought that phishers registered domains for immediate use in phishing attacks, the study suggests domains are most commonly held for up to three weeks before they are used.

Phishing attacks were fairly evenly split between domains registered by phishers and compromised websites. One in 20 attacks used a subdomain for phishing, with the number of attacks using subdomains continuing to fall.

Brand spoofing is becoming increasingly common, with major brands now experiencing thousands of phishing attacks a year. However, the number of targeted brands in 2016 fell to 679 from 783 the previous year. The most targeted brands – which experienced three quarters of attacks – were Apple, PayPal, Yahoo and Taobao.com. Each experienced more than 30,000 attacks in 2016.

2016 saw a 10% increase in unique phishing attacks, rising from 230,280 in 2015 to 255,065 attacks in 2016. Those attacks were spread across 195,475 unique domain names – the most domains ever detected and almost three times the number used in 2015. While a variety of TLDs are used for phishing websites, 75% involved just four TLDs – .com, .cc, .pw and .tk. APWG says 90% of phishing domains are spread across just 16 TLDs.

Attacks in 2016 were spread across a wide range of industries, although 92% of attacks affected four industries: eCommerce & software/SaaS (30%), banking and finance (25%), social networking/email (19%) and money transfer firms (18%).

New Internet Crime Report Issued by FBI – Losses in 2016 Totaled $1.3 Billion

The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 as it is also known. Those losses came from 298,728 complaints that had been filed with IC3 in 2016.

The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.

BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.

In its 2016 Internet Crime Report, the FBI singled out four criminal activities that became major issues during the year: BEC, ransomware, tech support fraud and extortion.

BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.

Both scams involve the impersonation of company executives with fraudulent wire transfer requests sent to accounts department employees. Since it is the CEO that is often impersonated the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.

BEC scams have also been rife in 2017, with the start of the year seeing an increase in BEC scams with the aim of obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.

Ransomware has become a major threat for businesses with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents. As with BEC scams, that figure is likely an underestimate, since many businesses choose not to report ransomware attacks.

Another major threat comes from tech support scams where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved for which payment is required. These scams can involve screen-locking malware, cold calls or pop up messages. Typosquatting is also commonly used. Criminals register URLs similar to major online brands to take advantage of careless typists.

Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.

While the Internet Crime Report provides an indication of how rampant cybercrime has become, the reports hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime are actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.

Massive Global Cyberattack Uses EternalBlue Exploit and Installs Petya Ransomware

A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.

The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.

The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.

Another WannaCry Style Global Ransomware Attack

The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.

This wave of attacks appears to be similar. The attacks started this morning, with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emsisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.

Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.

Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:

Russia – Oil company Rosneft and metal maker Evraz

Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Chernobyl nuclear power plant has also been attacked, as have many other energy companies in the country.

Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.

France – Construction firm Saint Gobain

International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondelez and U.S. pharmaceutical firm Merck.

Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.

2017 Data Breaches 29% Higher Than 2016

2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breach figures are far worse. Year over year, data breaches have increased by 29.1%.

Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, if breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record-breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.

55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017.

Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.

The government/military sector (43 breaches) is in fourth place, accounting for 1.8% of the total with 200,000+ exposed records. Fifth place is taken by the financial services sector with 41 breaches; its more than 526,000 exposed records account for 5.4% of the year to date figures.

The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.

In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.

Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.

The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.

While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions should be implemented to reduce the risk from phishing and other malicious email-borne attacks, and web-based attacks can be limited with a web filtering solution.

2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.

Astrum Exploit Kit Now Delivering Mole Ransomware

The recent ransomware attack on University College London has been traced to an end user visiting a website hosting the Astrum exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.

Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.

However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.

In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.

The gang behind the Astrum exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.

Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware, and the Astrum exploit kit is also attempting to fill the void. Trend Micro reports that the Astrum exploit kit has been updated on numerous occasions in 2017 and is very much active.

The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.

An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.

However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.

With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.

Retail Industry Data Breaches Most Common with U.S. Companies Heavily Targeted

The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.

In 2016, corporate and internal networks were the most commonly breached systems, although there was a marked increase in POS system breaches, which are now the second most targeted systems, accounting for 31% of all reported breaches. The previous year, POS data breaches accounted for only 22% of the total. POS data breaches were most common in the United States. In 2015, e-commerce platforms were heavily targeted, accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.

Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.

The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.

Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.

The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.

Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.

Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.

The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.

A recent Ponemon Institute study suggests data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.

Study Reveals the Cost of a Data Breach

For the first time in the past seven years, the cost of a data breach has fallen, with a 10% reduction in per capita data breach costs across all industry sectors. The global study revealed the average cost of a data breach is now $141 per exposed or stolen record. The global average cost of a data breach is down to $3.62 million from $4 million last year.

The IBM Security sponsored study was conducted by the Ponemon Institute, which has been tracking the costs of data breaches for the past seven years. In every other year data breach costs have risen year over year.

The Ponemon Institute say the reduction can partly be explained by a strong dollar. In the United States, the cost of a data breach has risen from $221 to $225 per record with the total breach cost increasing to $7.35 million from $7.02 million last year.

For the study, the Ponemon Institute assessed the breach resolution costs after organizations experienced a breach and had notified affected individuals. Large data breaches – those in which more than 100,000 records were exposed or stolen – were not included in the study as they were deemed atypical. Instead, only breaches of between 5,000 and 100,000 records were included. The average size of the breaches was 28,512 records. A breach was defined as the loss or theft of a record that included an individual’s name along with either their Social Security number, financial information or medical record.

For the seventh consecutive year, the healthcare industry had the highest data breach costs. The per capita cost of a healthcare data breach was $380. The financial services, another highly regulated industry, had the second highest breach costs ($336 per record). Services sector data breaches cost $274 per record, life sciences breaches were $264 per record and the Industrial sector had a per capita breach cost of $259.

The lowest breach costs were retail ($177), hospitality ($144), entertainment ($131), research ($123) and the public sector ($110). The biggest cause of data breaches was malicious and criminal attacks, which also carried the highest resolution costs. System glitches and human error each accounted for 24% of data breaches.

An analysis of breach costs revealed there are a number of ways to reduce the cost of a data breach. Having a breach response plan in place saw companies reduce breach costs by $19 per record, while the use of encryption reduced breach costs by an average of $17 per record. Employee education helped reduce breach costs by an average of $12.50 per record.

A fast response to a data breach can also dramatically reduce the total breach cost. Organizations that were able to contain a breach within 30 days saw breach costs reduced by $1 million. On average, it takes companies more than six months to discover a breach and containing the breach takes an average of 66 days.

Fear of WannaCry Being Exploited to Push Fake Antivirus Apps

Following the massive WannaCry ransomware attacks there has been heightened interest in cybersecurity products. Marketers have capitalized on the fear of an imminent attack to increase downloads of fake antivirus apps.

The apps are sold to worried users promising to protect them from WannaCry and other ransomware threats. In some cases, a free scan is offered that reveals the user’s device is already infected with any number of malicious programs. Installing the app will allow users to rid their device of the malicious software.

In many cases, the fake antivirus apps misreport infections to scare users into buying and installing an unnecessary app. Some of those apps will offer no protection whatsoever, but others are more sinister. Many of the new fake antivirus apps that are sneaking their way into the Google Play store are far from benign. PUPs, Trojans and adware are packaged with the apps. Users download the fake antivirus apps to protect themselves against malware, when the reality is downloading the app results in infection.

A study of antivirus apps has recently been conducted by RiskIQ. The firm discovered almost 6,300 antivirus apps that were either an antivirus solution, reviews of antivirus software or were otherwise associated with an antivirus program. More than 700 of those apps triggered blacklist detections on VirusTotal, with many of the apps coming packaged with malware.

131 of the 655 antivirus apps on the Google Play Store triggered blacklist detections. Many of the apps are no longer active, although 55 out of 508 active AV apps on the Google Play Store were blacklisted. In total, 20% of blacklisted antivirus apps were in the Google Play store with 10.8% still active.

RiskIQ reports that some of the blacklisted apps are false positives and not all of those apps are bundled with malware. However, many of the apps were rated as malicious by multiple AV vendors and were not all they claimed to be.

While it is important to have antivirus software on mobile devices, users should exercise caution when downloading any app. Just because an app claims to protect you and your device, it does not mean that it will do as it says. Downloading the app could even result in infection.

Users can reduce the risk of downloading a fake antivirus app by only using official app stores such as Google Play, but additional checks should be performed. An app should not be installed if the developer is using a free email address such as Gmail or Outlook. RiskIQ recommends checking the descriptions of the apps, specifically looking for spelling mistakes or grammatical errors. The app should ideally be checked against VirusTotal to see if it raises any red flags and users should carefully check the permissions requested.

Fireball Malware: 250 Million+ Infections and Rising

Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.

The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”

Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.

The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.

The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.

Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.

The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected by the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.

Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.

Vulnerable Flash Versions Found on 53% of Enterprise End Points

A new report from RSA Security has revealed 40,000 subdomains linked to the Rig exploit kit have been taken down, which is just as well considering how many enterprises are failing to update Adobe Flash promptly and are still using vulnerable Flash versions.

Exploit kits such as Rig are used to probe for vulnerabilities in browsers and plugins, with several exploits loaded to the kit. When the EK finds an exploitable vulnerability, malware is silently downloaded. The Rig EK has previously been used to distribute a variety of malicious payloads including banking Trojans and Cerber ransomware.

While the news of the shutdown of tens of thousands of subdomains used by the Rig exploit kit is good news, this week has also seen some worrying news emerge.

A recent study conducted by Duo Security has revealed the reason why exploit kits are such an effective means of malware delivery. Enterprises are failing to update software and are still using vulnerable Flash versions and other out-of-date plugins, even though those plugins and software versions contain several critical vulnerabilities that are being actively exploited.

53% of Enterprise End Points Have Vulnerable Flash Versions Installed

The study involved an analysis of key indicators of device health on 4.5 million Windows computers, Macs, Android smartphones and Apple mobiles. In the security firm’s Trusted Access Report, it was revealed that 53% of enterprise end points were running outdated versions of Adobe Flash. Last year when a similar study was run, there were 10% fewer devices running outdated Flash versions.

Far from revealing enterprise computers to be one version out of date, 21% of devices were discovered to be running Flash version 24.0.0.194, released in January 2017. That version has 13 critical code execution vulnerabilities that were addressed in February, all of which had the most severe rating for Windows, MacOS and Chrome.
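Finding out how far behind an estate is starts with comparing installed version strings correctly. The script below is an added example, not code from Duo Security or the original post: it parses dotted Flash version strings such as 24.0.0.194 into comparable tuples and reports, over a constructed endpoint inventory, the share below a minimum version the administrator has chosen. The inventory, host names and minimum version are constructed sample values, not figures from the report.

```python
"""Share of endpoints running an outdated Adobe Flash version.

Added example (not from the Duo report or the original post). The
inventory and the minimum version are constructed values.
"""
from collections import Counter


def parse_version(version):
    """'24.0.0.194' -> (24, 0, 0, 194); raises ValueError on junk input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed, minimum):
    """True if installed < minimum, compared component by component."""
    # Tuple comparison is numeric per component, so 9.0.0.280 sorts below
    # 26.0.0.131; a plain string comparison would get that backwards.
    return parse_version(installed) < parse_version(minimum)


def outdated_report(inventory, minimum):
    """Return (share_outdated, Counter of outdated versions seen)."""
    outdated = [ver for _, ver in inventory if is_outdated(ver, minimum)]
    share = len(outdated) / len(inventory) if inventory else 0.0
    return share, Counter(outdated)


# Constructed sample inventory: (hostname, installed Flash version)
SAMPLE_INVENTORY = [
    ("ws-001", "24.0.0.194"),
    ("ws-002", "24.0.0.194"),
    ("ws-003", "25.0.0.148"),
    ("ws-004", "24.0.0.221"),
    ("ws-005", "26.0.0.131"),
    ("ws-006", "9.0.0.280"),  # ancient; string comparison would rank it "newest"
]

# Hypothetical minimum patched version chosen by the administrator
MINIMUM_VERSION = "25.0.0.0"

if __name__ == "__main__":
    share, counts = outdated_report(SAMPLE_INVENTORY, MINIMUM_VERSION)
    print(f"{share:.0%} of endpoints below {MINIMUM_VERSION}")
    for version, count in counts.most_common():
        print(f"  {version}: {count} endpoint(s)")
```

In a real environment the inventory would come from an endpoint management or device health tool; the comparison logic is the part that is easy to get wrong, which is why the sample deliberately includes a single-digit major version.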

Keeping up to date with the latest software releases can be difficult. New versions of software and plugins are frequently released to correct known flaws and many IT security professionals suffer from update fatigue. Updates are often delayed as a result, but that leaves the door open to cybercriminals.

Update Software and Block Malicious Domains

To protect against exploit kits and malicious downloads, organizations should ensure software versions are kept 100% up to date, especially browsers and browser plugins. It is a tiresome, never ending process, but failure to update promptly leaves organizations vulnerable to attack.

To ease the pressure on IT departments, an additional control can be implemented to block access to malicious websites containing exploit kits.

WebTitan is a web filtering solution that prevents downloads of malicious files by blocking access to malicious websites. Links to malicious sites are often sent in spam email, and clicking them directs users to webpages hosting exploit kits. WebTitan blocks these links, preventing the sites from being accessed. WebTitan can also be configured to prevent malicious file downloads and malvertising redirects, further protecting organizations from attack.

For full details on the capabilities of WebTitan, advice on web filtering and to register for a free 30-day trial of WebTitan, contact the TitanHQ team today.

HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites have been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with an SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.
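Because the padlock proves nothing about who runs the site, a filter has to look at the host name itself. The script below is an added example, not code from Netcraft, the SSL Store or the original post, and it serves both the typosquatting point made in the Internet Crime Report section above and the brand-name point made here: it flags URLs whose host contains a brand keyword outside that brand's own domain, and registrable domains within one edit of a brand domain, regardless of whether the URL uses HTTP or HTTPS. The brand allowlist, the sample URLs and the shortcut of treating the last two host labels as the registrable domain are simplifying assumptions; a production filter would use the public suffix list.

```python
"""Flag URLs whose host name imitates a known brand, regardless of scheme.

Added example (not Netcraft's, the SSL Store's or the original post's code).
BRANDS, the sample URLs and the two-label domain shortcut are assumptions.
"""
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> the brand's legitimate registrable domains
BRANDS = {
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}


def registrable_domain(host):
    """Crude approximation: last two labels ('login.paypal.com' -> 'paypal.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as 'paypa1.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess_url(url):
    """Return reasons to distrust the URL; an empty list means no brand abuse found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    reasons = []
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue  # genuinely the brand's own domain
        if brand in host:
            reasons.append(f"'{brand}' appears in host {host} but domain is {reg}")
        for legit_domain in legit:
            if edit_distance(reg, legit_domain) == 1:
                reasons.append(f"{reg} is one edit away from {legit_domain}")
    # HTTPS only means the connection is encrypted; it never clears a URL.
    if reasons and parts.scheme == "https":
        reasons.append("served over HTTPS; the padlock does not prove legitimacy")
    return reasons


# Constructed sample URLs (hosts under .example are reserved, not real sites)
SAMPLES = [
    "https://login.paypal.com/signin",                   # legitimate
    "https://paypal.com.account-verify.example/login",   # brand in subdomain
    "https://www.paypa1.com/",                           # typosquat (l -> 1)
    "http://amazon-security.example/",                   # brand in host, plain HTTP
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_url(sample) or "no brand abuse found")
```

The subdomain case is the one most likely to fool a casual reader, since the legitimate name is the first thing in the address bar; the check works because it reasons from the registrable domain rather than from what the host name starts with.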

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.

Purple Protects Customers with TitanHQ’s WebTitan WiFi Content Filtering Solution

TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.

The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.

WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.

As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.

Purple explained those requirements to TitanHQ, which was able to respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”

WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”

TitanHQ was able to respond rapidly and roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”

TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ as its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”

Library Internet Filters to be Added in Watertown, SD

The use of library Internet filters to protect minors from harmful web content is a hot topic that is causing much debate in the United States. Libraries promote free research and learning. Having Internet filters in libraries naturally places restrictions on the types of content that can be accessed, potentially hampering both.

Many parents argue that library Internet filters are required to protect their children from accessing harmful web content or accidentally seeing obscene content on other patrons’ screens.

Pornography is one of the biggest worries. Many individuals visit libraries to use the computers to access hardcore adult material, even though it is a public place with children present. Parents argue that such actions must be prevented. There can be free research, but within limits.

It is not only parents that are concerned about the lack of library Internet filters. In many states, legislation is being considered to make it mandatory for library Internet filters to be put in place to restrict access to pornography.

Many libraries are resisting calls to restrict access to the Internet with web filters. The Library Board in Watertown, South Dakota is a good example. As a center for free research, the library board opposed the use of web filters. If library Internet filters were applied, it could potentially have an adverse effect on research and would result in the blocking of legitimate website content.

However, the library board has been under pressure to start filtering the Internet, with citizens petitioning the library board to start restricting access to inappropriate content, with city officials and law enforcement also appealing to the library board to start filtering the Internet.

The library board has now accepted that a web filter should now be used to control the content that can be accessed through its computers. A web filtering solution will be applied to block patrons from accessing obscene and illegal material. The web filtering solution is expected to be applied in the next few weeks and will be used to restrict access to certain web content via its wired and WiFi networks.

The Library Board was not opposed to the blocking of pornography, but to the other content that may accidentally also be blocked by the filtering solutions. Prior to making the decision to use library Internet filters, the Watertown police department assured the library board that filtering solutions are now far more sophisticated than they once were and allow libraries to very carefully control the content that can be accessed.

The need to do something was made clear following a report that particularly concerning material had been downloaded by one patron through the library’s WiFi network. The library board is also keen to prevent its Internet connections from being used for illegal purposes, such as copyright infringing file downloads.

Additional controls will be applied to make this more difficult, such as limiting download speeds and applying timers on Internet access, with stricter controls on the WiFi network since it is not possible to verify the age of the individual accessing the Internet.

In order to prevent the overblocking of website content, controls will be applied carefully and a system will be set up to allow patrons to request the unblocking of website content that has been accidentally blocked by the filtering solution.

Watertown Library board is just the latest in an increasing number of libraries that have discovered it is possible to protect patrons’ First Amendment rights while also ensuring minors are protected from harmful website content. With highly granular library Internet filters such as WebTitan, it is possible to do both.

EternalRocks Worm Poses Far Greater Threat than WannaCry

The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network worm uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to be the case for very long.

The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved checking a nonsense domain that had not been registered. If no connection was made, the ransomware element would proceed and start encrypting files. Once the domain was registered, the encryption process did not start. Had the domain not been registered, the attacks would have been more far reaching, affecting more than the 300,000 computers believed to have been affected by the Friday, May 12 attacks.

New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.

The WannaCry ransomware attacks used just two exploits developed by the NSA – EternalBlue and DoublePulsar. EternalRocks uses six NSA hacking tools (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).

In addition to the Windows Server Message Block (SMBv1) and SMBv2 hacking tools, this threat uses a SMBv3 exploit in addition to a backdoor Trojan, the latter being used to spread infection to other vulnerable computers on a network. Two SMB reconnaissance tools have also been incorporated to scan open ports on the public Internet.

EternalRocks is also capable of hiding on the infected machine after deployment. With the WannaCry attacks, users were alerted that their computers had been compromised when the ransomware encrypted their files and a note was placed on the desktop.

Once on a computer, the EternalRocks worm waits for 24 hours before downloading the Tor browser, contacting the attackers, and replicating and spreading to other devices on the network.

The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.

At present, the EternalRocks worm does not have any malicious payload. It neither installs malware nor ransomware, but that does not mean it poses no risk. Worms can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.

For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.

Preventing infection with the EternalRocks worm and other similar threats that have yet to be released – or discovered – is possible by ensuring operating systems and software are patched promptly. Older operating systems should also be upgraded as soon as possible. As Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices. No Windows 10 devices were reportedly attacked.

New Uiwix Ransomware Variant Targets SMB Flaw

A new Uiwix ransomware variant has been detected using EternalBlue to gain access to vulnerable systems. Businesses that have not yet patched their systems are vulnerable to this new attack.

In contrast to the WannaCry ransomware variant that was used in Friday’s massive ransomware campaign, Uiwix ransomware is a fileless form of ransomware that operates in memory. Fileless ransomware is more difficult to detect as no files are written to the hard drive, which causes problems for many antivirus systems. Uiwix ransomware is also stealthy and will immediately exit if it has been installed in a sandbox or virtual machine.

Trend Micro reports that the new Uiwix ransomware variant also “appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

As with WannaCry ransomware, the ransomware is not being spread via email. Instead the attackers are searching for vulnerable systems and are taking advantage of SMB vulnerabilities and attacking computers over TCP port 445. Infection with Uiwix sees the Uiwix extension added to encrypted files. The ransom demand to supply keys to decrypt locked files is $200.

The threat does not appear to be as severe as WannaCry, as the attackers are manually targeting vulnerable systems. Crucially, the ransomware lacks the wormlike properties of WannaCry. If one machine is infected, the ransomware will not then spread to other networked devices.

Since the WannaCry attacks, many businesses have now implemented the MS17-010 patch and have blocked EternalBlue attacks. Microsoft has also released a patch for Windows XP, Windows Server 2003, and Windows 8, allowing users of older, unsupported Windows versions to secure their systems and prevent attacks.

However, the search engine Shodan shows there are still approximately 400,000 computers that have not yet been patched and are still vulnerable to cyberattacks using the EternalBlue exploit.

Another threat that uses the EternalBlue and DoublePulsar exploits is Adylkuzz; however, the malware does not encrypt data on infected systems. The malware is a cryptocurrency miner that uses the resources of the infected computer to mine the Monero cryptocurrency. Infection is likely to see systems slowed, rather than files encrypted and data stolen.

Other malware and ransomware variants are likely to be released that take advantage of the exploits released by Shadow Brokers. The advice to all businesses is to ensure that software is patched promptly and any outdated operating systems are upgraded. Microsoft has issued a patch for the older unsupported systems in response to the WannaCry attacks, but patches for Windows Server 2003, Windows XP and Windows 8 are unlikely to become a regular response to new threats.
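
Both the WannaCry and Uiwix attacks described above reach their victims over TCP port 445, and the Shodan figure of roughly 400,000 still-vulnerable machines is a count of hosts that accept that port from the public Internet. Whether or not a host has been patched, an internal host that accepts SMB connections from outside the organization is exposed to every exploit of this family, so that is the condition worth alerting on. The following is an added example, not code from the original post or from any vendor named on the page; the firewall log format and every log line in it are constructed for illustration.

```python
"""Find internal hosts that accept SMB (TCP 445) connections from the public
Internet, using firewall connection logs. Added example; the log format and
the sample lines are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed log format: "<timestamp> <action> <proto> <src>:<port> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_PORT = 445

# Address space we treat as "inside": RFC 1918, loopback and link-local. Anything
# else is external. Listed explicitly rather than via ip.is_private, because the
# stdlib also classes the documentation ranges used in the samples as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges
# standing in for arbitrary Internet addresses.
SAMPLE_LOG = [
    "2017-05-15T10:02:11Z ACCEPT TCP 203.0.113.7:51234 -> 10.0.0.12:445",
    "2017-05-15T10:02:13Z ACCEPT TCP 10.0.0.5:49211 -> 10.0.0.12:445",
    "2017-05-15T10:02:15Z DROP TCP 198.51.100.9:40001 -> 10.0.0.12:445",
    "2017-05-15T10:02:20Z ACCEPT TCP 203.0.113.7:51240 -> 10.0.0.15:443",
    "2017-05-15T10:02:22Z ACCEPT TCP 198.51.100.22:33000 -> 10.0.0.20:445",
    "this line is malformed and must be skipped",
]


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr: str) -> bool:
    """True when the address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def external_smb_connections(lines):
    """Return (src, dst) pairs for accepted TCP/445 connections from external sources.
    Internal-to-internal SMB is normal and is not reported; dropped attempts are
    the firewall doing its job and are not reported either."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "ACCEPT" and rec["proto"] == "TCP"
                and rec["dport"] == SMB_PORT and is_external(rec["src"])):
            hits.append((rec["src"], rec["dst"]))
    return hits


def exposed_hosts(lines) -> Counter:
    """Count accepted external SMB connections per internal destination host."""
    return Counter(dst for _, dst in external_smb_connections(lines))


if __name__ == "__main__":
    for host, count in exposed_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {count} accepted SMB connection(s) from the Internet")
```

Any host the report names should not be reachable on 445 from outside at all; the fix is a perimeter rule, with MS17-010 (and the out-of-band patches for XP, Server 2003 and 8 mentioned above) applied on the host regardless.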

Edmodo Data Breach: Millions of Account Details Stolen

An Edmodo data breach has been reported that has impacted tens of millions of users of the education platform, including teachers, students and parents.

Edmodo is a platform used for K-12 school lesson planning, homework assignments and to access grades and school reports. There are currently more than 78 million registered users of the platform. The hacker responsible for the Edmodo data breach claims to have stolen the credentials of 77 million users.

The claim has been partially verified by Motherboard, which was provided with a sample of 2 million records that were used for verification purposes. While the full 77 million-record data set has not been checked, it would appear the claim is genuine.

The hacker, nclay, has listed the data for sale on the darknet marketplace Hansa and has asked to be paid $1,000 for the entire list. The data includes usernames, hashed passwords and email addresses. Email addresses for around 40 million users are believed to have been obtained by the hacker.

The passwords have been salted and hashed using the bcrypt algorithm. While it is possible that the passwords could be cracked, it would be a long and difficult process. Edmodo users have therefore been given a little time to reset their passwords and secure their accounts.

The Edmodo data breach is now being investigated and third party cybersecurity experts have been contracted to conduct a full analysis to determine how access to its system was gained. All users of the platform have been emailed and advised to reset their passwords.

Even if access to the accounts cannot be gained, 40 million email addresses would be valuable to spammers. Users of the platform are likely to face an elevated risk of phishing and other spam emails, should nclay find a buyer for the stolen data.

This is not the only large-scale data breach to affect the education sector this year. Schoolzilla, a data warehousing service for K-12 schools, also experienced a major cyberattack this year. The data breach was discovered last month and is believed to have resulted in the theft of 1.3 million students’ data. In the case of Schoolzilla, the hacker took advantage of a backup file configuration error.

WannaCry Ransomware Attacks Halted… Temporarily

The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe.  The massive ransomware campaign saw 61 NHS Trusts in the UK affected.

As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.

The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.

The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.

This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.

For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.

The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.

Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.

The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.

There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.

Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake-up call for governments not to secretly stockpile exploits.

Mac Malware Warning Issued: Handbrake for Mac App Infected with RAT

A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.

A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.

A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 chance of infection if they downloaded the app between the above dates.

Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.

Apple has now updated XProtect in OS X to detect and remove the infection, although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OS X Activity Monitor. If the process is running, the device has been infected with the Trojan.

Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.

The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder

The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.

Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
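
The detection and removal steps above name four host indicators: the `Activity_agent` process, the launch agent plist, the `activity_agent.app` bundle and the `proton.zip` archive. A user with several Macs, or an administrator with a fleet, would want those checks in one script rather than in Activity Monitor and Terminal by hand. The following is an added example, not code from the Handbrake project or from Apple; the indicator list is taken from the advisory text above, and the process list is passed in as a parameter so the check can be run against a saved `ps` listing as well as the live system.

```python
"""Check a macOS home directory and process list for the indicators named in the
Handbrake advisory. Added example; indicator paths come from the advisory text."""
import os
import subprocess
from pathlib import Path
from typing import Iterable, List

# Paths from the advisory, relative to the user's home directory.
INDICATOR_PATHS = [
    "Library/LaunchAgents/fr.handbrake.activity_agent.plist",
    "Library/RenderFiles/activity_agent.app",
    "Library/VideoFrameworks/proton.zip",
]
# Matched case-insensitively; the advisory names the process "Activity_agent".
INDICATOR_PROCESS = "activity_agent"


def check_indicators(home: str, running_processes: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found.
    Path findings come first, then process findings."""
    findings = []
    base = Path(home)
    for rel in INDICATOR_PATHS:
        if (base / rel).exists():          # .exists() is true for the .app directory too
            findings.append(f"path present: {base / rel}")
    for name in running_processes:
        if INDICATOR_PROCESS in name.lower():
            findings.append(f"process running: {name}")
    return findings


def live_process_names() -> List[str]:
    """Process names from `ps` (macOS syntax); empty list if ps is unavailable."""
    try:
        out = subprocess.run(["ps", "-axo", "comm="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line.strip() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    hits = check_indicators(os.path.expanduser("~"), live_process_names())
    if hits:
        print("\n".join(hits))
        print("Follow the removal steps above, then change keychain and browser passwords.")
    else:
        print("no Handbrake/Proton indicators found")
```

A hit on any one indicator is enough to treat the machine as compromised; the advisory's removal commands and the password changes it calls for still apply, and the script only tells you where to look.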

The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.

NCCIC Issues Multi-Industry Alert on Sophisticated New Malware Threat

A sophisticated new malware threat has been discovered that is being used to target a wide range of industry sectors and infect systems with RAT/malware.

The campaign is being used to spread multiple malware variants and gain full access to systems and data. While many organizations have been attacked, the threat actors have been targeting IT service providers, where credential compromises can be leveraged to gain access to their clients’ environments.

The threat actors are able to evade detection by conventional antivirus solutions and operate virtually undetected.

The campaign has been running since at least May 2016 according to a recent alert issued by the National Cybersecurity Communications Integration Center (NCCIC) of the U.S. Department of Homeland Security.

The campaign is still being investigated, but due to the risk of attack, information has now been released to allow organizations to take steps to block the threat and mitigate risk. NCCIC categorizes the threat level as medium.

While threat detection systems are capable of identifying intrusions, this campaign is unlikely to be detected. The attack methods used by the threat actors involve impersonating end users leveraging stolen credentials. Communications with the C2 are encrypted, typically occurring over port 443 with the domains frequently changing IP address. Domains are also spoofed to appear as legitimate traffic, including Windows update sites.

Two main malware variants are being used in this campaign – the remote administration Trojan (RAT) REDLEAVES and the PLUGX/SOGU Remote Access Tool. PLUGX malware has been around since 2012, although various modifications have been made to the malware to prevent detection.

PLUGX allows the threat actors to perform a range of malicious activities such as setting connections, terminating processes, logging off the current user and modifying files. It also gives the threat actors full control of the compromised system and allows the downloading of files. REDLEAVES offers the threat actors a typical range of RAT functions including system enumeration.

NCCIC has released Indicators of Compromise (IOCs) to allow organizations to conduct scans to determine whether they have been infected and further information will be published when it becomes available.
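
Two things in the alert can be checked from DNS resolver logs alone: whether any internal host has looked up a domain on the published indicator list, and whether a domain in use on the network keeps changing its resolved address, which is the C2 behaviour the alert describes. The first check serves the WannaCry story earlier on this page just as well, since a lookup of the kill-switch domain identifies a host on which the ransomware has run. The following is an added example, not NCCIC's or US-CERT's code; the log format, the watchlist and every sample line are constructed, and the `.example` domains are placeholders rather than real indicators.

```python
"""Two checks over DNS resolver logs: watchlist lookups (which hosts asked for an
indicator domain) and answer churn (domains whose resolved IP keeps changing).
Added example; the format, watchlist and sample lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format: "<timestamp> <client ip> <queried domain> <resolved ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>[\d.]+)\s+(?P<domain>\S+)\s+(?P<answer>[\d.]+)$"
)

# Placeholders standing in for published IOC domains and the kill-switch domain.
WATCHLIST = {"c2-indicator.example", "killswitch-placeholder.example"}

# Distinct answers one domain must show before it is reported as churning.
CHURN_THRESHOLD = 3

# Constructed sample log; answers use documentation address ranges.
SAMPLE_LOG = [
    "2017-04-27T08:00:01Z 10.1.1.5  legitimate-update.example 192.0.2.10",
    "2017-04-27T08:00:04Z 10.1.1.9  c2-indicator.example 198.51.100.10",
    "2017-04-27T08:15:02Z 10.1.1.9  c2-indicator.example 198.51.100.44",
    "2017-04-27T08:30:07Z 10.1.1.9  c2-indicator.example 203.0.113.77",
    "2017-04-27T08:31:00Z 10.1.1.22 killswitch-placeholder.example 192.0.2.1",
    "2017-04-27T08:40:00Z 10.1.1.5  legitimate-update.example 192.0.2.10",
    "2017-04-27T08:41:00Z 10.1.1.7  windowsupdate-lookalike.example 198.51.100.10",
    "not a log line",
]


def parse_line(line: str):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["domain"] = rec["domain"].lower().rstrip(".")
    return rec


def watchlist_hits(lines) -> Dict[str, List[str]]:
    """Map each watchlisted domain that was queried to the sorted list of clients
    that asked for it. Those clients are the hosts to pull for forensics."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["domain"] in WATCHLIST:
            hits[rec["domain"]].add(rec["client"])
    return {d: sorted(c) for d, c in hits.items()}


def churning_domains(lines, threshold: int = CHURN_THRESHOLD) -> Dict[str, int]:
    """Map domains that resolved to at least `threshold` distinct addresses to that
    count. Fast-changing answers on their own are not proof of C2 (CDNs do it too),
    so this is a triage list, not a verdict."""
    answers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            answers[rec["domain"]].add(rec["answer"])
    return {d: len(a) for d, a in answers.items() if len(a) >= threshold}


if __name__ == "__main__":
    for domain, clients in watchlist_hits(SAMPLE_LOG).items():
        print(f"watchlist {domain}: queried by {', '.join(clients)}")
    for domain, n in churning_domains(SAMPLE_LOG).items():
        print(f"churn {domain}: {n} distinct answers")
```

One caveat follows from the WannaCry description earlier on the page: the ransomware encrypts when the kill-switch domain cannot be contacted, so a kill-switch lookup is a signal to investigate the client, not a domain to block or sinkhole to a dead address.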

While anti-virus solutions should be used, they are unlikely to offer protection against this malware campaign. NCCIC warns organizations that there is no single security solution that can prevent infection, therefore a multi-layered defense is required. The aim of organizations should be to make it as difficult as possible for the attackers to gain access to their systems and install malware and operate undetected.

NCCIC offers several suggestions to help organizations improve their defenses against attack. Since phishing emails are used to fool end users into revealing their credentials, anti-phishing solutions should be employed to prevent the emails from reaching end users’ inboxes.

Other mitigations are detailed in NCCIC’s recent report, which can be downloaded from US-CERT.

Internet Security and Threat Report Offers Insight into Changing Attack Trends

Sabotage, subversion and ransomware attacks all increased sharply in 2016, with malware-infected emails now at a five-year high according to the latest installment of Symantec’s Internet Security and Threat Report (ISTR).

For the 22nd volume of the report, the antivirus and antimalware software vendor analyzed data collected from millions of users of its security solutions – the world’s largest civilian threat collection network, consisting of 98 million attack sensors spread across 157 countries around the globe.

The 77-page Internet Security and Threat Report is one of the most highly respected publications issued by any cybersecurity company.

The Internet Security and Threat Report provides a valuable insight into the state of cybersecurity and details how global cybersecurity threats have changed over the course of the past 12 months.

Internet Security and Threat Report Shows Change in Attack Tactics

Data theft and financial fraud may be major motivators behind cyberattacks on businesses, but over the past 12 months there has been a sharp rise in politically motivated cyberattacks. Rather than steal data, the attackers are sabotaging businesses using destructive malware such as hard disk wipers.

The attacks are conducted to cause serious harm to business competitors, although nation state-backed hackers have also been targeting the critical infrastructure in many countries. Attacks on Ukrainian energy providers have been conducted to disrupt the power supply while attacks on companies in Saudi Arabia –  using Shamoon malware – attempted to permanently delete corporate data.

Many attacks were conducted last year with a different aim – subversion. That was clearly demonstrated during the recent U.S presidential campaign. Sensitive data from the Democratic party was leaked in an attempt to influence the outcome of the U.S presidential election. The FBI investigation into the hacking of the presidential election is ongoing.

Sabotage is on the rise, but data theft incidents continue. The past year has seen many espionage attacks resulting in the theft of sensitive data and corporate secrets and financial attacks have increased.

The Internet Security and Threat Report shows there has been a major increase in large-scale financial heists in the past year. Attacks on consumers are occurring with increasing regularity, although the banks themselves are now being targeted. Those attacks have resulted in the theft of many millions of dollars.

The Carbanak gang has been highly active in this area and has performed multiple attacks on U.S banks, while the Banswift group performed one of the biggest heists of the year, stealing $81 million from the central bank in Bangladesh.

While exploit kits and other web-based attacks were a major threat in 2015, attackers have returned to email as the primary method of gaining access to networks. In 2015, Symantec blocked an average of 340,000 web-based attacks per day. In 2016, the number had fallen to 229,000 – a significant reduction, although the threat of web-based attacks cannot be ignored.

The Biggest Malware Threat Comes from Email

Phishing is still a major risk for businesses, although the phishing rate has fallen over the past three years, according to the Internet Security and Threat Report. In 2014, one in 965 messages was used for phishing. In 2016, the number fell to one in 2,596 emails.

However, email spam levels have remained constant year on year. Email spam accounts for 53% of all sent messages.

Phishing email volume may be down, but email-borne malware attacks have increased. The Symantec Internet Security and Threat Report shows the volume of malicious emails now being sent is higher than any point in the past five years.

Now, one in 131 emails contains either a malicious attachment or hyperlink, up from one in 220 emails in 2015 and one in 244 emails in 2014. The number of new malware variants being released has also soared. In 2014, there were 275 million new malware variants discovered. That figure rose to 357 million last year. The number of bots sending malicious email has also increased year on year, from 91.9 million in 2015 to 98.6 million in 2016.

Ransomware Attacks Soared in 2016

Ransomware attacks also increased significantly in 2016, with the United States the most targeted country. Even though the FBI and other law enforcement agencies strongly advise against paying a ransom, 64% of U.S. companies ignore that advice and pay the attackers for keys to decrypt their data.

In 2015, the average ransom demand was $294 per infected machine. Over the course of the past 12 months, ransom amounts have increased considerably. The Symantec Internet Security Threat Report shows ransom demands increased by 266% in 2016. The average ransom demand is now $1,077 per infected machine.

Symantec tracked 101 new ransomware families in 2016, a substantial rise from the 30 discovered in each of 2014 and 2015. Last year there were 463,841 ransomware detections, up from 340,655 in 2015.

One of the biggest threats comes from the cloud, although many organizations underestimate the risk. When organizations were asked how many cloud apps were in use in their company, few could give an accurate figure. Many estimated around 40 cloud-based apps. Symantec reports that the real figure for the average company is closer to 1,000.

As the Internet Security Threat Report shows, the cyberthreat landscape is constantly changing as cybercriminals develop new methods of attacking businesses. Only by keeping up to date with the latest threat indicators and bolstering cybersecurity defenses can businesses maintain a robust security posture and prevent attacks.

The GDPR Impact on Business Practices is Considerable

The GDPR impact on business practices is considerable, as is the cost of GDPR compliance. A recent survey conducted by PwC revealed that 77% of large companies expect GDPR compliance to cost in excess of $1 million. Because of the considerable GDPR impact on business practices, many companies are already rethinking whether to continue doing business in Europe.

Many large multinational companies are well aware of the GDPR impact on business practices and the amount of work GDPR compliance will involve. That is not the case for SMEs, many of which are only just realizing they must comply with GDPR.

GDPR does not just apply to social media sites and global retailers. All businesses, regardless of their size, will be required to comply with the General Data Protection Regulation if they collect or process the personal data of individuals in the EU.

The definition of personal data is broad and includes online identifiers such as IP addresses. An online retailer based outside the EU that offers goods or services to individuals in the EU, or that monitors their behaviour (through tracking cookies, for example), is also required to comply with GDPR.

All businesses will be required to perform a risk analysis to identify potential vulnerabilities affecting the confidentiality, integrity and availability of stored data. Many large companies already have a swathe of cybersecurity protections to keep sensitive data secure, but most smaller organizations will discover they must implement more robust protections in order to comply with GDPR.

Companies will need to review their policies on data collection. When GDPR comes into effect, companies will need a lawful basis for collecting personal data. Any data collected must also be limited to the minimum necessary for the purpose for which they are collected.

Doing business in Europe will require privacy protections to be enhanced, new data security measures to be implemented, data collection practices to be changed, and policies and procedures to be updated. Legal teams must then assess GDPR compliance.

The GDPR impact on business practices is likely to be considerable for many companies. The time taken to perform risk analyses, assess policies and procedures, find and implement security solutions and update privacy policies will be considerable. Leaving GDPR compliance to the last minute is likely to see the deadline missed. That could prove very costly or even catastrophic for many businesses. Failure to comply with GDPR can result in a fine of up to €20 million or 4% of global annual turnover, whichever is the greater. Non-compliance simply isn’t an option.

Software Exploit Attacks Rose by 25% in 2016 with Businesses the Worst Affected

Kaspersky Lab has released new figures showing software exploit attacks increased by almost a quarter in 2016. In total, more than 702 million attempted exploit attacks were recorded, a rise of 24.54% year on year. Corporate users were the worst affected: 690,000 corporate users were attacked in 2016, a rise of 28.35% year on year.

According to the report, 69.8% of software exploit attacks took advantage of flaws in web browsers, Microsoft Windows, Microsoft Office or the Android platform. An exploit attack abuses a flaw in software to run attacker-controlled code, typically to install further malware. Last year, the most common exploit still took advantage of the Windows shortcut (LNK) handling flaw first used by Stuxnet (CVE-2010-2568) on systems that have never been patched against it.

Software exploits are difficult to identify because they run silently without alerting the user. Unlike attacks that rely on opening an attachment or enabling macros, a browser exploit requires no interaction beyond loading a page: a user only has to be convinced to visit a website hosting an exploit kit. The hyperlink can be sent via email, or users can be redirected to malicious sites through malvertising. Attacks can also occur during general web browsing, since hackers often exploit flaws in legitimate websites to hijack them and plant exploit kit redirects.

While attacks on companies have increased, the number of private users attacked fell by around 20% to 4.3 million. This has been attributed to two major exploit kits, Neutrino and Angler, being shut down. Without those exploit kits, criminal groups have lost an easy way to spread malware and have had to resort to different tactics, with spam email the delivery mechanism of choice.

Exploit kits are expensive to develop and require considerable work, and since software vendors are reacting faster and patching vulnerabilities sooner, exploit kits are no longer as profitable for cybercriminals. However, exploits are still being used by sophisticated criminal gangs in targeted attacks aimed at stealing highly sensitive data.

This year has seen an increase in exploit activity using the RIG exploit kit, while last month Check Point noted a major rise in software exploit attacks.

Exploit kits may not pose as big a threat as they did in late 2015, but they are still a significant threat to businesses. Organizations can improve their defenses against software exploits by installing patches promptly and keeping anti-virus and anti-malware solutions up to date. A web filtering solution should also form part of an organization’s defenses: web filters prevent end users from visiting, or being redirected to, websites known to host exploit kits.

GDPR Compliance: Is your Organization Prepared?

On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.

GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based elsewhere that collect, hold or process the personal data of individuals in the EU. GDPR replaces the 1995 EU Data Protection Directive and addresses web-based technology that was not widely available in 1995, such as cloud computing.

The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.

How Will GDPR Protect Consumers?

One of the main elements of GDPR is improving the rights of individuals with regard to the personal data that organizations collect, store and use. GDPR requires organizations to have a lawful basis for processing personal data; where that basis is consent, the consent must be informed and freely given, and obtained before the data are collected. Consumers must be told why data are being collected, how the data will be used, and that they can withdraw their consent at any time. A mechanism must be in place that allows an organization to delete data when they are no longer required or when consent is withdrawn.

GDPR gives consumers the right to:

  • Find out how their data will be used
  • Discover the source of their data when the data were not collected from them directly
  • Access personal data
  • Find out how long data will be stored
  • Correct errors in stored data
  • Move data to a different processor
  • Restrict or prohibit the processing of data
  • Find out with whom data have been or will be shared
  • Have data permanently erased
  • Object to decisions based solely on automated processing, including profiling

Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.

Organizations that have an online presence and actively collect data will obviously have to comply with GDPR, Amazon for example, but GDPR applies to a much broader range of companies. Many companies with no online presence at all will also need to comply. GDPR applies to any organization that holds the types of data covered by its definition of personal data, which includes organizations that store employees’ personal data in an electronic database.

What Data are Covered by GDPR?

Under GDPR, personal data include an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other pseudonymous data. Special categories of data receive additional protection: race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data and genetic data.

Data Security Standards Necessary for GDPR Compliance

GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.

GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.

Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”

Companies must adopt a privacy-by-design and security-by-design approach, ensuring that controls are built in during the planning, development, implementation and use of applications and systems. Regular testing and security assessments must also be performed.

Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.

Data Breach Notification Requirements of GDPR

Any organization that experiences a breach of personal data covered by GDPR must inform its supervisory authority (Data Protection Authority, DPA) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Affected individuals must also be notified when the breach is likely to result in a high risk to them, such as identity theft or fraud, discrimination, financial loss, reputational damage, or other significant economic or social disadvantage. Notification of individuals is not required if the data were encrypted or otherwise rendered unintelligible to anyone not authorized to access them.

Preparing for GDPR

Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.

Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.

Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.

What are The Penalties for Non-Compliance with GDPR?

Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.

If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.

Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.

Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.

Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.

How Can TitanHQ Help with GDPR Compliance?

TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.

TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.

SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.

WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads.  The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.

ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.

For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.

Chipotle Mexican Grill Security Breach: Customers’ Credit Card Numbers Potentially Stolen

A recent Chipotle Mexican Grill security breach has potentially resulted in customers’ credit card details being accessed by unauthorized individuals.

A statement released by the fast-casual restaurant chain confirms that unauthorized individuals gained access to the network hosting its payment processing system. The initial findings of its investigation suggest access was first gained on March 24, 2017. Customers who visited its restaurants between March 24 and April 18 have potentially been affected. The investigation into the Chipotle Mexican Grill security breach is continuing, to determine how many of the chain’s 2,000+ restaurants were affected.

Few details about the Chipotle Mexican Grill security breach have been released as the investigation is ongoing, although the threat is now believed to have been blocked.

Chipotle Mexican Grill called in external cybersecurity experts to investigate a potential breach after unusual activity was detected on the network hosting its payment processing system. Law enforcement was alerted, as was its payment processor. Additional security protections have already been installed to bolster cybersecurity defenses in response to the suspected attack. Efforts are continuing to confirm the exact dates of the attack and the restaurants that have been affected.

The Chipotle Mexican Grill security breach is one of many incidents reported by restaurant chains this year. Restaurants are being targeted by cybercriminals due to the high number of credit cards that are processed. If attackers can gain access to restaurant payment processing systems, many thousands of credit card numbers can be stolen.

There are many methods used by cybercriminals to gain a foothold in a network and gain access to payment processing systems.

Typically, attacks occur as a result of an employee opening an infected email attachment or clicking a hyperlink in an email that leads to a malware download. Phishing emails are also sent that aim to get employees to reveal their login credentials. Restaurants can improve their resilience against email-borne attacks by implementing an advanced spam filtering solution.

Web-borne attacks are also common. Symantec’s latest Internet Security Threat Report shows that, even though email has overtaken the web as the main delivery route, Symantec still blocked around 229,000 web-based attacks per day in 2016.

If an employee can be convinced to visit a malicious website, or is directed to such a site via a malvertising campaign, malware can be silently downloaded. Exploit kits on malicious websites probe for vulnerabilities in browsers and exploit those vulnerabilities to download malware.

Web-borne attacks can be prevented by ensuring that patches are applied promptly and all vulnerabilities are plugged. However, the number of patches now being released makes it difficult for restaurants to keep up. New zero day vulnerabilities are also constantly being discovered and added to exploit kits.

Many restaurants are improving their defenses against web-based attacks by implementing a web filtering solution. A web filter can be used to carefully control the websites that can be accessed on restaurant computers.

Web filters block known malicious websites using blacklists. As soon as a website is discovered to be hosting an exploit kit or malware, or being used for phishing, it is added to the blacklist and the web filter blocks it.

A web filter is also an excellent phishing defense. If an employee clicks on a phishing hyperlink in an email, the web filter can block the URL and prevent the user from visiting the site.
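To make the blocking step concrete, here is an added example, written for this page and not code from TitanHQ’s WebTitan or any other product, of the host normalization a URL blacklist needs before a lookup is meaningful. The blocklist entries, the sample email and the network range are all constructed for the example. It shows why the filter must compare the host the browser would actually contact: a "user@" prefix, mixed case, a trailing dot or a port must not let a blacklisted site through, and a hit on a domain should cover its subdomains without also matching unrelated names that merely end in the same characters.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blocklist entries for this example; a real filter would load
# these from a threat-intelligence feed. A domain entry covers all of its
# subdomains, and a network entry covers every address in the range.
BLOCKED_DOMAINS = {"bad-invoices.example", "ek-landing.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Good enough to pull links out of plain-text mail bodies for this example.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"')]+""", re.IGNORECASE)


def normalize_host(url: str) -> str:
    """Reduce a URL to the lower-case host the browser would actually contact."""
    u = url.strip()
    if "://" not in u:          # "www.site.example/path" as typed in an email
        u = "http://" + u
    # .hostname lower-cases, strips the port, unwraps [IPv6] and, crucially,
    # discards any "user@" prefix, so http://paypal.com@evil.example resolves
    # to evil.example rather than the name the reader sees first.
    host = urlsplit(u).hostname or ""
    return host.rstrip(".")     # "evil.example." is the same zone as "evil.example"


def is_blocked(url: str) -> bool:
    """True if the URL's host is on the blocklist or inside a blocked network."""
    host = normalize_host(url)
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)   # only dotted-decimal / IPv6 literals
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in BLOCKED_NETWORKS)
    # Walk up the name one label at a time so a hit on "evil.example" also
    # catches "cdn.evil.example", while "notevil.example" stays untouched.
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def blocked_links(email_body: str) -> list[str]:
    """Return every link in the message that the filter would refuse to load."""
    return [link for link in URL_RE.findall(email_body) if is_blocked(link)]


# Constructed sample message (not from any real campaign).
SAMPLE_EMAIL = """Your invoice is ready.
View it at http://paypal.com@bad-invoices.example/login (expires today).
Ticket: https://Support.Ek-Landing.Example./t/42
Mirror: http://203.0.113.7:8080/dl
Help: https://intranet.corp.example/help
"""

if __name__ == "__main__":
    for link in URL_RE.findall(SAMPLE_EMAIL):
        print("BLOCK" if is_blocked(link) else "allow", link)
```

Two caveats a practitioner would add: only dotted-decimal and IPv6 literals are recognised here, so an obfuscated address such as a hexadecimal or single-integer form would slip past unless it is canonicalized first, and a blacklist alone says nothing about a site compromised an hour ago, which is why products layer category and reputation data and re-check the final destination after redirects.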

There are other important advantages to implementing a web filtering solution for restaurants. The solution can be used to carefully control the websites that customers can access. Restaurants can therefore ensure that customers do not access malicious sites or inappropriate website content such as pornography. Consumers are increasingly seeking restaurants that offer free Wi-Fi, but also those that implement controls to secure their Wi-Fi networks.

If you would like to improve your resilience against cyberattacks and offer your customers secure and safe Internet access, contact the TitanHQ team today and find out more about your options.

New Locky Ransomware Attacks Use Techniques Similar to Dridex Malware Campaigns

Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.

It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.

That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.

The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.

New Infection Method Used in Latest Locky Ransomware Attacks

The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.

The change in infection method is easily explained. Over the past few months, Word macros have been used extensively to infect end users with ransomware. The danger of macro-laden Word documents has been widely reported, and companies have been warning their staff about them.

If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.

The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.

The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.

The ransom demanded is 1 Bitcoin, currently around $1,200. This is considerably more than the ransom payments demanded when Locky first arrived on the scene just over a year ago.

One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.

Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.

Businesses should raise the alarm and send warning emails to staff alerting them to the new campaign, advising them to be wary of unexpected PDF files in emails, and reminding them never to allow a PDF reader to open or save an embedded file, nor to enable macros in a document that arrived by email.
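To show what a mail gateway can check for in the two-stage attachment described above, here is an added example written for this page; it is not code from Cisco Talos, PhishMe or TitanHQ, and the sample attachments are constructed inside the script rather than taken from the campaign. It flags a PDF that carries an embedded file, an action that fires on open, a launch action or JavaScript (the building blocks of the "PDF drops a Word document" trick), and flags an Office document that contains a VBA project, whatever its extension claims. The marker list and the verdict rules are this example’s own assumptions about what a scanned receipt or purchase order should never contain.

```python
import io
import zipfile

# Byte markers that a scanned invoice, receipt or purchase order has no
# reason to contain. /EmbeddedFile and exportDataObject correspond to the
# "PDF drops a second document" step; /OpenAction, /Launch and /JS are
# actions that run as soon as the file is opened. (Assumed list for this
# example; a production scanner would parse the object tree properly.)
PDF_SUSPECT_MARKERS = {
    b"/EmbeddedFile": "embedded file (the PDF carries a second document)",
    b"exportDataObject": "JavaScript that writes an embedded file to disk",
    b"/OpenAction": "action that fires automatically when the file is opened",
    b"/Launch": "launch action (starts an external program)",
    b"/JS": "embedded JavaScript",
}

OOXML_EXTENSIONS = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}
LEGACY_EXTENSIONS = {"doc", "xls", "ppt", "rtf"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def triage_pdf(data: bytes) -> list[str]:
    """Reasons a PDF looks like a dropper; an empty list means nothing found."""
    if not data.startswith(b"%PDF"):
        return ["content is not a PDF despite the extension"]
    return [why for marker, why in PDF_SUSPECT_MARKERS.items() if marker in data]


def triage_office(data: bytes) -> list[str]:
    """Reasons an Office document looks like it carries a macro."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams this script does
        # not parse, so treat the file as uninspectable rather than clean.
        return ["legacy OLE document; macros cannot be inspected here"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return ["content is not an Office document despite the extension"]
    # Any OOXML part named vbaProject.bin holds VBA code. A macro-free .docx
    # never has one, and the extension alone proves nothing either way.
    if any(n.endswith("vbaproject.bin") for n in names):
        return ["contains a VBA macro project"]
    return []


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Dispatch on the claimed file type and return the reasons to quarantine."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "pdf":
        return triage_pdf(data)
    if ext in OOXML_EXTENSIONS or ext in LEGACY_EXTENSIONS:
        return triage_office(data)
    return []   # other types are out of scope for this example


# --- constructed sample inputs (not real campaign files) -------------------

# Mimics the dropper described above: an OpenAction runs JavaScript that
# exports an embedded .docm to disk for the user to open.
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
    b"2 0 obj<</S/JavaScript/JS(this.exportDataObject({cName:'order.docm', nLaunch:2}))>>endobj\n"
    b"3 0 obj<</Type/Filespec/F(order.docm)/EF<</F 4 0 R>>>>endobj\n"
    b"4 0 obj<</Type/EmbeddedFile/Length 0>>stream\nendstream\nendobj\n"
    b"%%EOF\n"
)

BENIGN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n"


def build_office_doc(with_macro: bool) -> bytes:
    """Build a minimal OOXML zip, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "scan_0417.pdf": MALICIOUS_PDF,
        "receipt.pdf": BENIGN_PDF,
        "order.docm": build_office_doc(with_macro=True),
        "minutes.docx": build_office_doc(with_macro=False),
        "invoice.pdf": b"MZ\x90\x00 not really a pdf",
    }
    for name, blob in samples.items():
        reasons = triage_attachment(name, blob)
        verdict = "QUARANTINE" if reasons else "pass"
        print(f"{name:16} {verdict:10} {'; '.join(reasons)}")
```

The point of the dispatcher is that the verdict comes from the bytes, not the name: a file called receipt.pdf that starts with an executable header is quarantined for the mismatch alone, and a legacy .doc is treated as uninspectable rather than clean because the script cannot see inside OLE streams. Byte-marker matching is deliberately crude; a real gateway would decompress object streams and decode hex-escaped names, which attackers use to hide exactly these keywords.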

Intercontinental Hotels Group Data Breach Affected 1,184 Hotels

The Intercontinental Hotels Group data breach previously announced in February as affecting 12 hotels in the chain has proven to have been far more extensive than was first thought.

Last week the group announced that the breach affected guests that used their credit cards to pay at franchisee hotels across the United States and in Puerto Rico between September 29, 2016 and December 29, 2016.

According to the chain’s website, the Intercontinental Hotels Group data breach potentially affected guests who stayed at its Holiday Inn, Holiday Inn Express, Crowne Plaza, Staybridge Suites, Candlewood Suites, Hotel Indigo, and InterContinental Hotels. The full list of hotels that have potentially been affected by the malware incident has been listed on the IHG website. In total, 1,184 of the group’s hotels have potentially been affected.

The Intercontinental Hotels Group data breach involved malware that had been installed on its systems and was capable of monitoring payment card systems and exfiltrating payment card data. It does not appear that any information other than card details and cardholders’ names was stolen by the attackers.

The hotel group does not believe the data breach extended past December 29, 2016, although that cannot be entirely ruled out as it took until February/March for all of the affected hotels to be investigated and for confirmation to be received that the malware had been removed.

Prior to the malware being installed, IHG had started rolling out its Secure Payment Solution (SPS), which provides point-to-point encryption of card data so that malware on the hotel network cannot read it. Had the rollout started sooner, the Intercontinental Hotels Group data breach could have been prevented.

Hotels that had implemented the SPS prior to September 29, 2016 were not affected and those that had implemented the solution between September 29, 2016 and December 29, 2016 stopped the malware from being able to locate and steal credit card data. In those cases, only clients that used their credit cards at affected hotels between September 29, 2016 and when the SPS system was installed were affected.

Intercontinental Hotels Group Data Breach One of Many Affecting the Hospitality Sector

The Intercontinental Hotels Group data breach stands out due to the extent to which the group was affected, with well over 1,100 hotels affected. However, this is far from the only hotel group to have been affected by POS malware. Previous incidents have also been reported by Hard Rock Hotels, Hilton Hotels, Omni Hotels & Resorts and Trump Hotels.

Hotels, in particular hotel chains, are big targets for cybercriminals due to the size of the prize. Many hotel guests choose to pay for their rooms and services on credit cards rather than in cash, and each hotel services many thousands – often tens of thousands – of guests each year.

Globally, IHG hotels service more than 150 million guests every year, which is a tremendous number of credit and debit cards. Such a widespread malware infection would be highly lucrative for the attackers. Credit card numbers may only sell for a couple of dollars a time, but with that number of guests, an attack such as this would be a huge pay day for the attackers.

The Hospitality Sector is a Big Target and Vulnerable to Cyberattacks

While many tactics are used to gain access to POS systems, oftentimes it is weak or default passwords that allow hackers to gain access to hotel computer systems. Stolen credentials are another common way that access is gained. Verizon’s 2016 Data Breach Investigations Report (DBIR) shows that in each of the reported breaches affecting the hospitality sector, the attackers gained access to systems in less than an hour.

Malware can also be inadvertently downloaded by employees and guests. Poor segregation of the POS system from other parts of the network is commonplace. That makes it easy for hackers to move laterally within the network once a foothold has been gained. Doubling up POS systems as workstations makes it too easy for hackers to gain access to POS systems.

Many hotels also fail to perform adequate risk assessments and do not conduct penetration tests or vulnerability scans. Even malware scans are performed infrequently. Some hotels also fail to implement appropriate security solutions to block access to malware-laden websites.

The Intercontinental Hotels Group data breach could have been prevented, and certainly discovered more quickly. The same is true for many hotel data breaches.

Unless hotels and hotel groups improve their cybersecurity posture and implement appropriate technology, policies and procedures to prevent cyberattacks, data breaches of this nature will continue to occur.

TitanHQ offers a range of products that can prevent hackers from gaining access to computers and POS systems. For further information on how you can protect your hotel or chain against cyberattacks, contact the TitanHQ team today.

87% of Companies Have Experienced a Cyberattack in the Past Year

Last week, the Bitglass Threats Below the Surface Report was released. The report highlights the extent to which organizations are being attacked by cybercriminals. Far from cyberattacks being a relatively rare occurrence, they are now as certain as death and taxes.

The report revealed that out of the 3,000 IT professionals surveyed for the report, 87% said they had experienced a cyberattack in the past 12 months. Many of those respondents had experienced numerous cyberattacks in the past year, with one company in three experiencing more than five cyberattacks in the last 12 months. To put that figure in perspective and show how the probability of being attacked has increased, two years ago, only half of companies were experiencing cyberattacks on that scale.

IT professionals rated mobile devices as one of the biggest problem areas. When asked to rate security posture, more respondents rated mobile as somewhat or highly vulnerable than any other system. While attacks can come from all angles, the report revealed that many companies are not actively monitoring their systems and devices for potential vulnerabilities. Only 24% monitored SaaS and IaaS apps for vulnerabilities, 36% monitored mobile devices and 60% monitored the network perimeter and laptops/desktops.

In response to the increased number of threats and the frequency of cyberattacks, companies have been forced to increase spending on cybersecurity defenses. The Bitglass Threats Below the Surface Report shows the biggest spenders are the retail and technology sectors, with 39% of retail organizations and 36% of technology companies saying they now spend a large proportion of their budgets on cybersecurity. 52% of respondents said their organization plans to increase cybersecurity spending.

Respondents were asked to rate their biggest concerns for the report to get a gauge of the biggest perceived threats. The biggest concern for 37% of respondents is phishing. Phishing attacks are becoming more sophisticated and harder for non-security professionals to identify. A range of social engineering techniques are used to fool end users into opening infected email attachments or clicking on malicious links and revealing their sensitive information. While effective at preventing many phishing attacks, training alone is no longer sufficient. Technological controls are now essential.

Malware is also a major concern along with insider threats, rated as a top concern by 32% and 33% of respondents, with email one of the main methods of malware delivery. Ransomware was also a major concern, although while ransomware attacks can result in significant costs and system downtime, fortunately, many companies have improved their ransomware defenses and have been able to recover without paying a ransom by restoring files from backups.

54% of companies said they had experienced a ransomware attack and were able to recover their data from backups without having to pay a ransom. That said, 33% of companies had no alternative but to pay a ransom to recover locked data, while 13% of companies said they had refused to pay a ransom and had experienced data loss as a result.

Continued Use of Unsupported Operating Systems Places Organizations at High Risk of Attack

Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.

Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.

An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.

Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.

Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. Exploits may not exist for those flaws at the time the patches are released, but that is rarely the case for long. Hackers can look at the updates and reverse engineer the patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.

Take the flaws Microsoft addressed in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had already been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.

The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Unsupported Windows versions such as XP and Vista remain exposed, and many of those exploit tools can be used to attack them.

One of those tools, called EternalRomance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, EclipsedWing, EmeraldThread, ErraticGopher and EsteemAudit have all been confirmed to work on Windows XP.

Those are just the Equation Group exploit tools that were recently leaked. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.

There will always be zero-day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.

Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.

Mac Malware Infections Increased by 700% in 2016

Windows-based systems are far more likely to be infected by viruses and malware; however, Mac users are far from immune to malware infections. A new report from McAfee suggests Mac malware infections increased substantially in 2016. Malware instances rose by a staggering 700% in the space of just one year.

The Threats Report by McAfee Labs shows that its anti-virus solutions detected and prevented 460,000 Mac malware infections in the final quarter of 2016 alone. That is a significant jump from the previous quarter when 150,000 Mac malware infections were detected and blocked – a rise of 247% from Q3 to Q4.

Compared to the number of infections on Windows-based systems, the number of Mac malware infections is still very low. McAfee detected more than 600 malware samples on Windows devices and 15 million attempted virus attacks on Android devices. At its highest, Mac malware infections were at 1.3% of the level seen on Windows-based devices.

However, the rise in Mac malware attacks should not be ignored. While Mac users are far better protected against malware attacks than Windows users, they should not be complacent. Cybercriminals are now developing more malware to target Mac users and they are no longer content with attacking Windows devices.

McAfee reports that malware developers are increasingly tailoring their malicious software to be capable of attacking multiple platforms. As more consumers and businesses use Macs and other Apple devices, attacks become more profitable. When there is potential for profit, malware developers are quick to take advantage.

The Threats Report indicates much of the new Mac malware is adware, with OSX/Bundlore one of the main malware variants discovered in Q4 2016. Adware usually comes bundled with legitimate apps, especially apps on non-official stores. Downloading apps from the Mac App Store is unlikely to result in infection.

Other forms of Mac malware have also increased in prevalence. As with Windows-based malware, the malware has been developed to steal login credentials and banking details. Remote access Trojans have also increased in number as has Mac ransomware – OSX/Keydnap being a notable example. OSX/Keydnap was bundled with the torrent client BitTorrent and even found its way onto the official download site.

To prevent Mac malware infections, businesses and consumers should be security aware and not take unnecessary risks. Apps should only be downloaded from official stores, security software should be installed, updates to software and apps should be applied promptly and strong, secure passwords should be used.

The True Cost of a Ransomware Attack

The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment; in fact, the ransom payment, if it is made, could be one of the lower costs that must be covered.

Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.

Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.

Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.

Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.

While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.

In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom of $17,000 to unlock its system. A ransom in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!

Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.

What is the Cost of a Ransomware Attack?

Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.

The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.

However, the true cost of a ransomware attack is far higher than any ransom payment. The HPMC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.

System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.

A study by Imperva of 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.

One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Under HIPAA Rules, healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware.

Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.

Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.

Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.

The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.

It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.

To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.

Philadelphia Ransomware Used in Targeted Attacks on U.S. Healthcare Organizations

A new variant of Stampado ransomware – called Philadelphia ransomware – is being used in targeted attacks on the healthcare sector in the United States. The ransomware variant is being spread using spear phishing emails.

Spear phishing emails have been detected that incorporate the healthcare organization’s logo along with the name of a physician at the organization. The use of a logo and a name adds credibility to the email, increasing the likelihood of the targeted individual clicking the link and downloading the malicious file. Information about organizations and details of potential targets can easily be found on social media websites such as LinkedIn.

Cyber security firm Forcepoint analyzed Philadelphia ransomware and detected a string called “hospitalspam” in the encrypted JavaScript. A similarly named directory was also found on the ransomware C2, suggesting a campaign is being conducted that specifically targets the healthcare sector. Forcepoint reports that two hospitals – one in Oregon and one in Washington – have already been infected with the ransomware.

In recent months, cybercriminals have favored email attachments for spreading ransomware and malware, with Word documents containing malicious Word macros one of the most popular methods of ransomware and malware infection. The latest campaign, which was identified by Forcepoint, also uses malicious Word documents. However, rather than sending a malicious Word document as an attachment, the emails contain a link to a website where the Word document is automatically downloaded.

As with email attachments, the document must be opened and macros enabled in order for the ransomware to be downloaded.
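Because the document only does harm once it is opened with macros enabled, a mail or web gateway can refuse macro-bearing Office files before they reach the user. The following is an added example, not code from Forcepoint or TitanHQ: it inspects an OOXML (zip-based) Word file for a VBA project and classifies it for a gateway policy. The sample documents are constructed in-line for testing and are not real Word files; the triage labels ("block", "review", "allow") are this example's own assumption, and legacy binary .doc files are out of scope.

```python
import io
import zipfile

# OOXML part and content type that mark a Word document as macro-enabled.
VBA_PART_SUFFIX = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (zip-based) Office file carries a VBA project.

    Legacy binary .doc files (OLE2 containers) are not zip archives and are
    reported as False here; they need a separate OLE parser.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project lives at word/vbaProject.bin (xl/, ppt/ for others).
            if any(n.lower().endswith(VBA_PART_SUFFIX) for n in names):
                return True
            # Fallback: the content-types manifest declares the VBA part.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        pass
    return False


def triage_document(filename: str, data: bytes) -> str:
    """Classify a downloaded or attached document for a gateway policy.

    'block'  - the file contains a VBA project, whatever its extension says
    'review' - macro-enabled extension but no VBA part was found
    'allow'  - no macro indicators
    """
    if has_vba_project(data):
        return "block"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "review"
    return "allow"


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container used only to exercise the checks.

    It is not a real Word document; real files carry many more parts.
    """
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.'
        'wordprocessingml.document.main+xml"/>'
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macros:
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample set: a clean .docx, a macro-bearing .docm, and a
    # macro-bearing file renamed to .docx to look harmless.
    samples = [
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.docm", build_sample_docx(True)),
        ("invoice.docx", build_sample_docx(True)),
    ]
    for name, blob in samples:
        print(f"{name}: {triage_document(name, blob)}")
```

The third sample shows why the check looks inside the container rather than trusting the extension: a macro-bearing file renamed to .docx is still blocked.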

Philadelphia Ransomware Attacks Likely to Increase

Philadelphia ransomware attacks are likely to increase thanks to a professional affiliate campaign. Would-be attackers are being recruited using a video that highlights the many features of the ransomware. The video calls Philadelphia ransomware “the most advanced and customizable ransomware ever,” and shows just how easy it is for someone with little technical skill to start their own ransomware campaign.

Would-be cybercriminals are able to rent the ransomware and use it for their own spamming campaigns, provided they pay the author an initial fee of around $400. The one-off payment, so the authors claim, gives a user lifetime use of the ransomware. Affiliates will then be given a cut of any ransom payments they are able to generate.

Affiliate campaigns such as this – known as ransomware-as-a-service – are becoming increasingly popular. They allow non-technical spammers to jump on the ransomware bandwagon and start generating ransom payments. There is likely to be no shortage of takers.

Fortunately, the ransomware is not as advanced as the promotional video makes out. Furthermore, a decryptor for Philadelphia ransomware has been developed and can be downloaded for free via Softpedia. No ransom needs to be paid, although infection with Philadelphia ransomware can still result in considerable disruption. Healthcare organizations should therefore be on their guard.

Anti-Pornography Legislation in Alabama Proposed

Anti-pornography legislation in Alabama could be introduced from January 1, 2018, following the introduction of a new bill last month. House Bill 428 was introduced by Jack Williams (R-Montgomery) to prevent state residents from using Internet-enabled devices to view obscene material.

The anti-pornography legislation classes obscene material as material that would, to an average person, appeal to prurient interest. Pornography, child abuse images and child pornography are included in the definition of obscene content, as is any other material that depicts patently offensive sexual conduct or excretory functions, lacks artistic, political or scientific value, or facilitates or promotes prostitution, sexual cyber-harassment or human trafficking.

If the anti-pornography legislation is passed, the sale of any Internet-enabled device without a web filtering solution in place would be classed as a Class A misdemeanor and would be punishable with a maximum fine of $6,000 per incident and up to one year in jail. However, should such a device be sold to a minor, the offense would increase to a Class C misdemeanor for which the fine would rise to a maximum of $30,000 per incident and a jail term of up to 10 years.

While an Internet filtering solution must be in place at the point of sale, it would not be an offense for the purchaser of the device to remove the filter, provided a request is submitted to the seller in writing, proof that the individual is over 18 years old is supplied and a one-time filter deactivation fee of $20 is paid.

The fees will be collected by the Department of Revenue. 60% of the fees will be directed to the Alabama Crime Victims Compensation Fund, 20% will be directed to grants programs which will in part, be devoted to helping victims of human trafficking, with the remaining 20% of fees deposited in the General State Fund.

It is unclear at this stage how vendors of Internet-enabled devices would ensure that their devices are protected. The legislation describes a filter as a hardware or software solution that can be used to block websites, email, chatrooms, or other Internet-based communications based on category, content or site. The type of filter used will be left to the discretion of the seller.

Since there is a possibility that webpages or websites may be incorrectly categorized, the solution would also require a mechanism that allows websites or content to be blocked or unblocked. The vendor would be required to supply a phone number to a call center to allow requests to block/unblock content to be submitted. Failure to act on those requests in a reasonable time frame would be punishable with a $500 fine for each failure to block an obscene website or webpage.

Alabama is not the only state to propose anti-pornography legislation. Similar bills have also been introduced in New Mexico, North Dakota and South Carolina.

Sundown Exploit Kit Now a Significant Threat

Researchers have identified changes to the Sundown exploit kit. Sundown is now in transition and is being actively developed. It now poses a significant threat.

Exploit kit activity has fallen over the past year as cybercriminals have turned to other methods of infecting end users. Spam email is now favored by many cybercriminals and exploit kit activity has dropped to next to nothing. However, over the past few weeks there has been an increase in exploit kit activity, with the Sundown exploit kit fast becoming a major threat.

Researchers at Cisco Talos report that the Sundown exploit kit has been upgraded and has now matured. While it was once a relatively unsophisticated exploit kit, that is no longer the case. The researchers point out that Sundown is likely to become one of the most widely used exploit kits, taking the place of the larger exploit kits that were used extensively in early 2016.

A number of upgrades have been made to the Sundown exploit kit in recent weeks. The individuals behind the Sundown exploit kit have removed many of the identifiers previously associated with the exploit kit. The exploit kit is now much harder to identify.

The Sundown exploit kit is one of a very small number that have had new exploits added in recent months. Some of the old exploits have also been removed. The actors behind Sundown have also increased the likelihood of infection. In a recent alert, Cisco Talos researchers explain that the exploit kit does not attempt to gain access to a system via a single exploit; instead, the Sundown EK uses an extensive arsenal of malware tools to maximize the chance of compromising a system.

While the payload used to be downloaded via the browser, the exploit kit now uses the command line and wscript. A change has also been made to how the malicious payload is downloaded. The payload is now located on a different server from the landing page and exploit kit. The same root domain is used for both, although the subdomains are different.
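A payload fetched through the command line and wscript rather than the browser leaves a trace in endpoint telemetry: a script host or shell started by the browser process. The following is an added detection example, not code from Cisco Talos or TitanHQ. It assumes process-creation events in a Sysmon-like shape (the field names, the browser list and the sample events are this example's own constructions) and generalizes the page's wscript observation to cscript, cmd, PowerShell and mshta, since a drive-by page has no legitimate reason to spawn any of them.

```python
import re
from typing import Dict, List

# Assumption: the exploit kit's landing page runs inside one of these browsers,
# so its payload fetch shows up as a child process of the browser.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Script hosts and shells a drive-by download should never need to spawn.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
URL_IN_CMDLINE = re.compile(r"https?://", re.IGNORECASE)
TEMP_SCRIPT = re.compile(r"\\(temp|appdata)\\.*\.(js|vbs|wsf|hta)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event looks like EK payload delivery."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    reasons = []
    if image in SCRIPT_HOSTS and parent in BROWSERS:
        reasons.append(f"{parent} spawned {image}")
    if image in {"wscript.exe", "cscript.exe"} and URL_IN_CMDLINE.search(cmdline):
        reasons.append("script host launched with a URL on the command line")
    if image in {"wscript.exe", "cscript.exe"} and TEMP_SCRIPT.search(cmdline):
        reasons.append("script host running a script from a temp/AppData path")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run evaluate() over a batch of events and keep the ones that fired."""
    hits = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            hits.append({"id": ev["id"], "reasons": reasons})
    return hits


# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Scripts\logon.vbs"'},  # admin logon script
    {"id": "2", "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //E:jscript C:\Users\u\AppData\Local\Temp\x.js"},
    {"id": "3", "parent_image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c start http://payload.example.invalid/a.exe"},
    {"id": "4", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "command_line": "chrome.exe"},  # normal browser launch
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["id"], "; ".join(hit["reasons"]))
```

Event 1 is the kind of benign wscript use (a logon script started by Explorer) the rule must not flag, which is why the parent process, not the script host alone, drives the first check.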

The actors behind the kit are also purchasing large numbers of established domains, typically domains that are more than 6 months old. Those domains are used for a short time and are then resold. Using older domains allows the attacker to bypass screening controls that blacklist recently registered domains.

The discovery of major updates made to the Sundown EK could indicate there will soon be a major increase in exploit kit attacks. Angler, Neutrino, and Nuclear may have virtually disappeared, but exploit kits still pose a significant threat.

Businesses can protect their endpoints from malware and ransomware infections via exploit kits by using a web filtering solution. A web filtering solution can be configured to carefully control the websites that can be accessed by end users to reduce the risk of infection, and domains known to host exploit kits can be blocked.

For further information on web filtering and protecting end points from malware and ransomware, contact the TitanHQ team today.

Researchers Discover Increase in Exploit Kit Activity

Exploit kits have been one of the attack vectors of choice for cybercriminals, although research from Trustwave shows exploit kit activity has been in decline over the past 12 months. Trustwave reports exploit kit activity fell by around 300% over the course of 2016.

Exploit kits are used to probe for vulnerabilities in web browsers and web browser plugins. When a user visits a website hosting an exploit kit, their browser is probed for flaws. If a flaw is found, it is exploited to silently download malware and ransomware.

However, as the middle of the year approached, exploit kit activity started to fall. There are many possible reasons why exploit kit activity has declined. Efforts have increased to make browsers more secure and defenses against exploit kits have certainly been improved.

Adobe Flash vulnerabilities were the most exploited, but last year Adobe started issuing patches faster, limiting the opportunity for the attackers to exploit flaws. The fall in exploit kit activity has also been attributed to the takedown of cybercriminal gangs that extensively used and developed exploit kits. In 2016, the Russian outfit Lurk was broken up and a number of high profile arrests were made. Lurk was the outfit behind the infamous Angler exploit kit. Angler, along with Neutrino, Nuclear and Magnitude were extensively used to download malware and ransomware.

The recently published 2017 IBM X-Force Threat Intelligence Index shows spam email volume increased around the middle of 2016 and there was a marked increase in malicious email attachments. Spam email has now become the attack vector of choice, but that doesn’t mean exploit kits have died. Exploit kits are still being used in attacks, but at a much-reduced level.

Exploit kits are now being used in smaller, more targeted attacks on specific geographical regions, rather than the global attacks using Angler, Nuclear and Magnitude.

Over the past few months, exploit kit activity has started to rise and new exploit kits have been discovered. Late last year, the DNSChanger exploit kit was discovered. While most exploit kits target vulnerabilities in browsers, the DNSChanger exploit kit targets vulnerabilities in routers.

Researchers from Zscaler’s ThreatLabz report there has been an increase in exploit kit activity in the first quarter of 2017. The researchers have noticed a new KaiXin campaign and Neutrino activity has increased. The researchers also detected a new exploit kit called Terror. The Terror exploit kit has been compiled from other exploit kits such as Sundown. The RIG EK continues to be one of the most commonly used kits and has been found to be delivering the ransomware variants Cerber and Locky.

Malicious email attachments may still be the attack vector of choice for spreading ransomware and malware payloads, but the threat from exploit kits is still significant and should not be ignored.

To find out how you can improve your defenses against exploit kits, contact the TitanHQ team today.

Source Code for NukeBot Trojan Published Online

The source code for the NukeBot Trojan has been published online on a source-code management platform. The code for NukeBot – or Nuclear Bot as it is also known – appears to have been released by the author, rather than being leaked.

To date, the NukeBot Trojan has not been detected in the wild, even though it was first seen in December 2016. The NukeBot Trojan was developed by a hacker by the name of Gosya. The modular malware has a dual purpose. In addition to functioning like a classic virus, it also works like an anti-virus program and is capable of detecting and eradicating other installed malware. The modular design means additional components and functionality can easily be added. When attempting to sell the malware in December last year, the author said further modules would be developed.

The release of the code for the NukeBot Trojan is understood to be an effort by the author to regain trust within the hacking community. IBM says Gosya is a relatively new name in hacking circles, having joined cybercrime forums in late 2016.

While newcomers need to build trust and gain the respect of other hacking community members, Gosya almost immediately listed the malware for sale soon after joining underground communities and failed to follow the usual steps taken by other new members.

Gosya may have developed a new malware from scratch, but he failed to have the malware tested and certified. No test versions of the malware were provided and underground forum members discovered Gosya was using different monikers on different forums in an attempt to sell his creation. Gosya’s actions were treated as suspicious and he was banned from forums where he was trying to sell his malware.

Other hackers were extremely dubious, but they incorrectly assumed that Gosya was attempting to sell a ripped malware. The NukeBot Trojan was not only real, it was fully functional. There was nothing wrong with the malware; the problem was the actions taken by Gosya while attempting to sell his Trojan.

While many new malware variants are developed using sections of code from other malware – Zeus being one of the most popular – the NukeBot Trojan appears to be entirely new. Back in December, when the malware was first detected and analyzed, researchers from Arbor Networks and IBM X-Force verified that the malware was fully functional and had viable code which did not appear to have been taken from any other malware variant. The malware even included an admin control panel that can be used to control infected computers.

Now that the source code has been released it is likely that Gosya will be accepted back in the forums. The source code will almost certainly be used by other malware developers and real-world NukeBot attacks may now start.

RIAA Wants Internet Service Providers to Filter Pirated Content

The Recording Industry Association of America (RIAA) wants regulations to be introduced that will force Internet Service Providers to filter pirated content, rather than relying on the current system of DMCA takedowns, which the RIAA believes to be ‘antiquated.’ The RIAA claims the current DMCA notice and takedown system is ‘extremely burdensome’ and ‘ineffective’ and that the system invites abuse.

The RIAA and 14 other organizations wrote to the U.S. Copyright Office last week explaining the inadequacies of the current DMCA Safe Harbors and suggesting a number of potential solutions to the problem.

Currently, Internet Service Providers are required to take down copyright-infringing content after receiving a DMCA request. The request must be acted on expeditiously and ISPs are legally protected from copyright infringement lawsuits. The legislation has so far protected Internet Service Providers from legal action. Were it not for the legislation, an ISP could potentially be sued every time one of its users uploaded content that violated copyright.

One of the main problems is that while the current system protects innocent Internet service providers that have passively, or unwittingly, allowed their services to be used for copyright-infringing activities, it also protects some entertainment services whose businesses are based entirely on copyright infringement, such as the streaming of sports, entertainment and movies.

A number of suggestions have been made, such as amending the Digital Millennium Copyright Act to include a timeframe for processing DMCA takedowns, as well as requiring Internet Service Providers to filter pirated content and use automated systems that identify pirated content and prevent it from being uploaded once the content has been flagged.

The RIAA suggests that when a DMCA request is received requiring specific content to be removed, that content should then be flagged. A system should be put in place that blocks that content from being uploaded in the future on a different webpage or website. Currently, a takedown of content just means the individual or organization can simply upload the content again on another webpage or domain and the process must start over again. The RIAA says the current system is like an endless game of Whac-A-Mole.

The proposals have been criticized as any automated process is likely to result in the removal of web content that is protected under fair use laws and that automated systems could result in the overblocking of website content.

This argument has been countered by the RIAA saying the risk has been exaggerated and that argument is often used by ISPs to avoid implementing content identification technologies. The RIAA argues that current technologies are sufficiently granular to allow them to be calibrated to filter pirated content and protect fair uses.

Safari Scareware Used to Extort Money from Porn Viewers

A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.

A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.

A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.

One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.

Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.

This type of Safari scareware is nothing new, although the zero-day flaw that was exploited to display the messages was. The attackers loaded code onto a number of websites which exploited a flaw in the way the Safari browser handles JavaScript pop-up windows. The code targeted iOS versions 10.2 and earlier.

The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.

Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If no backup of the encrypted files exists, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.

Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.

Another Major Restaurant POS Breach Has Been Detected

Another major restaurant POS breach has been detected. This time, Cleveland-based Select Restaurants Inc. has had its POS system breached. Select Restaurants owns many well-known restaurants throughout the United States.

According to Brian Krebs, restaurants known to be affected by the POS malware infection include:

  • The Rusty Scupper (Baltimore, MD)
  • Parkers Blue Ash Tavern (Cincinnati, OH)
  • Parkers’ Restaurant & Bar (Downers Grove, IL)
  • Winberie’s Restaurant & Bar (Oak Park, IL; Princeton, NJ; Summit, NJ)
  • Black Powder Tavern (Valley Forge, PA)

The restaurant POS breach does not appear to have occurred at Select Restaurants itself; instead it was the chain’s POS vendor, Geneva, IL-based 24×7 Hospitality Technology, that was attacked. The attack occurred via a remote access application that the company uses to remotely access, update, and maintain the POS systems used by its customers.

After gaining access to the POS system, the attackers installed a form of malware known as PoSeidon. The malware records and exfiltrates credit card data when cards are swiped by restaurant staff when customers pay for their meals. The malware was installed and active for around 3 months from October 2016 to January 2017.

While fraudulent use of customers’ credit card details is often quickly detected by banks and credit card companies, it can be difficult to track those fraudulent card uses back to a specific retailer or restaurant. When major restaurant chains experience POS malware infections it is far easier to detect the source of the fraud. Malware infections at smaller restaurant chains can take much longer to detect. During that time, the credit card details of all of the restaurant’s customers can be stolen.

The remote access system could have been attacked using a variety of methods. If a weak password was used, it may have been guessed or a brute force attack could have occurred. Alternatively, an employee may have revealed a password by responding to a phishing or spear phishing email.

In this case, the malware was installed via the POS system provider, although a restaurant POS breach could just as easily occur through a direct attack on the restaurant chain itself. Restaurant chains can do little to prevent attacks on their POS system provider, but they can implement cybersecurity defenses to protect themselves against direct attacks.

Restaurants are major targets for cybercriminals. Malware can remain undetected for many months during which time many thousands of credit cards can be stolen. The consequences for restaurant chains can be severe. While customers may not experience any losses – their credit card company will usually refund any fraudulent purchases – the effect on a restaurant chain’s reputation can be permanent.

To protect systems from attack, restaurant chains should ensure software solutions are installed to block the most common attack vectors. Software must be kept up to date and patched promptly to prevent vulnerabilities from being exploited. Antivirus solutions should also be kept up to date, and regular scans should be scheduled on all parts of the network.

For further information on how to prevent a restaurant POS breach and malware infections, contact the TitanHQ team today.

Default ISP Web Filtering Controls Required, Says House of Lords Report on Internet Safety for Children

A House of Lords report on Internet safety for children calls for ISP web filtering controls to be applied as standard.

The UK government is keen for Internet service providers to apply web filtering controls to make it harder for children to access inappropriate website content such as pornography. In 2013, the UK government called on ISPs to implement web filters as standard. Four of the leading ISPs in the UK – Sky, Talk Talk, BT and Virgin Media – responded and have offered filtering controls to their customers.

However, not all ISPs in the United Kingdom provide this level of content control, and the House of Lords report suggests that many ISP web filtering controls do not go far enough to ensure children are protected. The report explains that the ‘big four’ ISPs only cover 90% of all Internet users, leaving 10% of users without any form of Internet filtering service.

It is also pointed out in the report that only Sky has opted for a default-on web filter to prevent adult content from being accessed by minors. If new customers want to access adult content they must request that the filter be taken off. The other ISPs have made the service available but do not provide a filtered Internet service that is turned on by default.

The new report calls for ISP web filtering controls to be improved and for ISPs “to implement minimum standards of child-friendly design, filtering, privacy, data collection, and report and response mechanisms for complaints.” The House of Lords report also calls for ISP web filtering controls to be put on all accounts by default, requiring users to specifically request it be turned off if required. Further, the report says the default standard of Internet control should offer the strictest privacy protections for users.

Not everyone agrees with this level of control. The Internet Service Provider Association (ISPA) says that such a move is ‘disproportionate,’ and while the association is committed to keeping children safe when online, mandating ISP web filtering controls is not the way forward. For instance, if an ISP makes it clear that it offers an unfiltered service, that should be permitted. Chairman of the ISPA, James Blessing, believes the best way forward is “a joint approach based on education, raising awareness and technical tools.”

While parents will be well aware of the risks their children face when they go online, the House of Lords report does not believe Internet safety education should be left to parents. In addition to making it harder for children to access inappropriate website content, the report calls for mandatory lessons in schools on safe use of the Internet, covering risks, acceptable behavior and online responsibilities.

Health Center Malware Potentially Exfiltrated Patient Data for a Year

A health center malware infection has potentially resulted in 2,500 patients’ protected health information (PHI) being sent to unknown individuals over a period of almost a year. Lane Community College health clinic in Eugene, OR, discovered the malware during routine maintenance last month.

Further investigation determined that the malware had been installed on the computer in March 2016. The malware remained active until last month when it was discovered and removed. The malware was identified as Backdoor:Win32/Vawtrak – a Trojan backdoor that enables attackers to steal login information and take full control of an infected PC.

While data access was possible, Lane Community College health clinic uncovered no evidence to suggest patient data had been stolen, although the possibility that PHI was accessed and stolen could not be ruled out. A spokesperson for the clinic said an analysis of 20 other computers used by the clinic uncovered no further malware infections. In this case, the infection was limited as the computer was not connected to other computers on the network.

The only data exposed were those stored on the machine itself. The information potentially exposed included patients’ names, addresses, phone numbers, dates of birth and medical diagnoses.

A health center malware infection can prove costly to resolve. In this case, the infection was limited to one machine, although once access has been gained and malware installed, hackers can often move laterally within a network and spread infections to other machines. Once data have been exfiltrated and there is no further need for access, hackers commonly install ransomware to extort money from their victims.

The exposure or theft of patient data can often lead to lawsuits from patients. While many of those lawsuits ultimately fail, defending a lawsuit can be costly. Healthcare data breaches that result in more than 500 records being exposed are also investigated by the Department of Health and Human Services’ Office for Civil Rights to determine whether the breaches were caused as a result of HIPAA violations. Should HIPAA Rules be found to have been breached, covered entities may have to cover heavy fines.

Health center malware attacks are commonplace due to the value of healthcare data on the black market. Healthcare providers should therefore implement a range of defenses to protect against malware infections.

Malware is commonly inadvertently installed by end users via spam email or redirects to malicious websites. Both of these attack vectors can be blocked with low cost solutions. Backdoor:Win32/Vawtrak, also known as Trojan-PSW.Win32.Tepfer.uipc, is recognized by Kaspersky Lab, one of the dual AV engines used by the SpamTitan spam filtering solution. SpamTitan blocks 100% of known malware and blocks 99.97% of spam emails to keep end users and computers protected.

To protect against web-borne attacks and to prevent malicious software downloads, WebTitan can be deployed. WebTitan is a powerful DNS-based web filtering solution that can be used to block a wide range of web-borne threats to keep healthcare networks malware free.

Both solutions are available on a free 30-day trial to allow healthcare providers to experience the benefits first hand before committing to a purchase.

To find out more about TitanHQ’s cybersecurity solutions for healthcare organizations or to sign up for a free trial, give the sales team a call today.

MajikPOS Malware Used in Targeted Attacks on PoS Systems of U.S. Businesses

A new form of PoS malware – called MajikPOS malware – has recently been discovered by security researchers at Trend Micro. The new malware has been used in targeted attacks on businesses in the United States, Canada, and Australia.

The researchers first identified MajikPOS malware in late January, by which time the malware had been used in numerous attacks on retailers. Further investigation revealed attacks had been conducted as early as August 2016.

MajikPOS malware has a modular design and has been written in .NET, a common software framework used for PoS malware. The design of MajikPOS malware supports a number of features that can be used to gather information on networks and identify PoS systems and other computers that handle financial data.

The attackers are infecting computers by exploiting weak credentials. Brute force attacks are conducted on open Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) ports. A variety of techniques are used to install the MajikPOS malware and evade detection, in some cases leveraging RATs that have previously been installed on retailers’ systems. The malware includes a RAM scraping component to identify credit card data and uses an encrypted channel to communicate with its C&C server and exfiltrate data undetected.

MajikPOS malware is being used by a well-organized cybercriminal organization and credit card details are being stolen on a grand scale. The stolen information is then sold on darknet ‘dump shops’. The stolen credit card numbers, which the researchers estimate to number at least 23,400, are being sold individually for between $9 and $39. The gang also sells the credit card numbers in batches of 25, 50, or 100. The majority of credit cards belong to individuals in the United States or Canada.

POS Malware Infections Can be Devastating

A number of different attack vectors can be used to install PoS malware. Malware can be installed as a result of employees falling for spear phishing emails. Cybercriminals commonly gain a foothold in retailers’ networks as a result of employees divulging login credentials when they respond to phishing emails.

While exploit kit activity has fallen in recent months, the threat has not disappeared, and malvertising campaigns and malicious links sent via email are still used in targeted attacks on U.S. retailers.

Brute force attacks are also common, highlighting how important it is to change default credentials and set strong passwords.

POS malware infections can prove incredibly costly for retailers. Just ask Home Depot. A PoS malware infection has cost the retailer more than $179 million to resolve, with the cost of the security breach continuing to rise. That figure does not include the loss of business as a result of the breach. Consumers have opted to shop elsewhere in their droves following the 2014 PoS malware attack.

This latest threat should serve as a warning for all retailers. Security vulnerabilities can be – and are – exploited by cybercriminals. If inadequate protections are put in place to keep consumers’ data secure, it will only be a matter of time before systems are attacked.

PetrWrap Ransomware: An Old Threat Has Been Hijacked by a Rival Gang

There is a new ransomware threat that businesses should be aware of, but PetrWrap ransomware is not exactly anything new. It is actually a form of ransomware that was first discovered in May last year. PetrWrap ransomware is, to all intents and purposes, almost exactly the same as the third incarnation of Petya ransomware. There is one key difference though. PetrWrap ransomware has been hijacked by a criminal gang and its decryption keys have been changed.

The criminal organization behind PetrWrap ransomware has taken Petya ransomware, for which there is no free decryptor, and has exploited a vulnerability that allowed it to steal the ransomware and use it for its own gain. The attackers have simply added an additional module to the ransomware that modifies it on the fly. After all, why bother going to all the trouble of developing your own ransomware variant when a perfectly good one already exists!

Petya ransomware is being offered to spammers and scammers under an affiliate model. The ransomware authors are loaning the ransomware to others and take a percentage of the profits gained from ransoms that are paid. This is a common tactic to increase overall profits, just as retailers pay affiliate marketers to sell their products for a commission. In the case of ransomware-as-a-service, this allows the authors to infect more computers by letting others do the hard work of infecting computers.

Yet the gang behind PetrWrap has chosen not to give up a percentage of the profits. They are keeping all of the ransom payments for themselves. The module modifies and repurposes the malware code meaning even the Petya ransomware authors are unable to decrypt PetrWrap ransomware infections.

Kaspersky Lab researcher Anton Ivanov says “We are now seeing that threat actors are starting to devour each other and from our perspective, this is a sign of growing competition between ransomware gangs.” He pointed out the significance of this, saying “the more time criminal actors spend on fighting and fooling each other, the less organized they will be, and the less effective their malicious campaigns will be.”

Petya – and PetrWrap ransomware – is not a typical ransomware variant in that no files are encrypted. While Locky, CryptXXX, and Samsa search for a wide range of file types and encrypt them to prevent users from accessing their data, Petya uses a different approach. Petya modifies the master boot record that launches the operating system. The ransomware then encrypts the master file table. This prevents an infected computer from being able to locate files stored on the hard drive and stops the operating system from running. Essentially, the entire computer is taken out of action. The effect however is the same. Users are prevented from accessing their data unless a ransom is paid. Petya and PetrWrap ransomware can spread laterally and infect all endpoint computers and servers on the network. Rapid detection of an infection is therefore critical to limit the harm caused.

Cost of a Retail Data Breach: $179 Million for Home Depot

When considering how much to invest in cybersecurity defenses, be sure to bear in mind the cost of a retail data breach. Poor security practices and a lack of appropriate cybersecurity defenses can cost a company dearly.

A data breach of the scale of that suffered by Home Depot in 2014 will cost hundreds of millions of dollars to resolve. The Home Depot data breach was massive. It was the largest retail data breach involving a point of sale system that has been reported to date. Malware had been installed that allowed criminals to steal more than 50 million credit card numbers from Home Depot customers and around 53 million email addresses.

The attack was made possible due to the use of stolen credentials from one of the retailer’s vendors. Those credentials were used to gain a foothold in the network. Those privileges were subsequently elevated, the Home Depot network was explored, and when access to the POS system was gained, malware was installed to capture credit card details. The malware infection went undetected for five months between April and September 2014.

Last year, Home Depot agreed to pay out $19.5 million to customers who had been affected by the breach. The payout included the costs of providing credit monitoring services to breach victims. Home Depot has also paid out at least $134.5 million to credit card companies and banks, and this week, a further $25 million settlement has been agreed to cover damages suffered by the banks as a result of the breach.

The latest settlement amount will allow banks and credit card companies to file claims for $2 per compromised credit card without having to show evidence of losses suffered. If banks can show losses, they will receive up to 60% of uncompensated losses.

The total cost of the retail data breach stands at around $179 million, although that figure does not include all legal fees that Home Depot will be forced to pay, and neither does it include undisclosed settlements. The final cost of the retail data breach will be considerably higher. It is already creeping closer to the $200 million mark.

Then there is the loss of business as a result of the breach. Following any data breach, customers often take their business elsewhere. Many consumers affected by the breach have chosen to shop elsewhere. There is, after all, not only one DIY retailer in the United States.

A number of studies have been conducted on the fallout from a data breach. One HyTrust study suggests businesses may lose 51% of customers following a breach of sensitive data!

For Home Depot, the cost of a retail data breach has been considerably more than the cost of implementing technologies to monitor its vendors’ cybersecurity practices, scanning for malware, and implementing security best practices.

Cyber Liability Insurance for Law Firms Now Offered by ABA

The increase in cyberattacks on law firms has prompted the American Bar Association (ABA) to start offering cyber liability insurance for law firms, in addition to its standard insurance policies.

Cyber liability insurance for law firms is becoming as important as travel, medical and dental insurance. Cybercriminals are now targeting law firms with increasing frequency and vigor due to the treasure trove of data they store on clients.

The data can be used for fraud, although the highly sensitive nature of information disclosed to attorneys makes blackmail and extortion an attractive and potentially lucrative option. Access to sensitive data also gives cybercriminals the option of insider trading. Only last year, indictments against three Chinese nationals were unsealed by the Manhattan U.S. attorney’s office showing that more than $4 million in illegal stock trades were performed following the theft of attorneys’ emails. The hackers had gained access to email accounts at three Chicago law firms involved in major mergers and acquisitions.

Cybercriminals’ use of stolen data aside, cyberattacks can prove incredibly costly. Following a cyberattack, costs of mitigation can spiral. Law firms must cover the cost of forensic investigations to determine the nature and extent of an attack, and which clients and systems have been impacted. Analyses must identify malware infections and backdoors that may have been installed allowing persistent access to networks and data.

If client data are accessed, law firms must cover the cost of legal defenses and liability protection. Lawsuits will undoubtedly follow any cyberattack. Any breach of sensitive data will almost certainly have an impact on law firms’ reputations, resulting in considerable loss of revenue. Then there are the improvements to cybersecurity defenses to prevent further attacks, the cost of which can be substantial.

For large law firms, cyberattacks can make a significant dent in profits. For small law firms, a cyberattack could prove catastrophic. Given the high costs involved, it is no surprise that cyber liability insurance for law firms is now deemed a necessity.

For the past few years, the ABA has been improving awareness of the cybersecurity risks that must be mitigated by law firms. Awareness has improved as a result and many law firms have invested heavily in technologies to protect against cyberattacks. In 2013, the ABA also petitioned the government to introduce new laws specifically to protect law firms from cyberattacks and the threat of cyber-espionage. Cyber liability insurance for law firms was a natural step for the ABA.

The ABA has developed its new program during the past year to provide affordable coverage from some of the nation’s top insurance carriers. The ABA’s cyber liability insurance for law firms is underwritten by Chubb Limited, the largest publicly traded property and casualty insurer.

WiFi Filtering for Cities Used to Improve Free WiFi Network in Cape Town

Cape Town’s Century City has implemented a free WiFi network for residents, although to make the network more secure and prevent bandwidth abuse, WiFi filtering for cities has been adopted.

The new service – called Let’s Connect – is provided by the telecoms company that operates the fiber-optic broadband network for the Cape Town suburb – Century City Connect – in partnership with ISP Comtel Communications.

The new WiFi network currently comprises 86 WiFi access points within the Cape Town suburb, although there are plans to increase the range of the free WiFi zone to include an extra 100 access points. At present, the WiFi network is supported by a 200 Mbps fiber-optic line which will provide users with 10 Mbps speeds for uploads and downloads. Users will be required to register for the service, after which they will be limited to four hours of free WiFi access per day.

Providing a free WiFi network offers residents a host of benefits, but ensuring upload and download speeds are reasonable requires additional technology. If WiFi filtering for cities were not used, there would be considerable potential for the service to be abused by some users. At times of heavy usage, bandwidth will naturally be squeezed, but to limit this as far as possible, it was necessary for WiFi filtering for cities to be deployed. The web filtering technology places certain limits on user activities.

The WiFi filtering solution used to control Internet access is not overly restrictive. Torrent downloads have been blocked, not only because they are used for illegal file sharing, but also because the downloading of massive files by multiple users has the potential to slow Internet speeds across Century City.

In practice, simply blocking torrent sites may not be sufficient to stop bandwidth-crushing downloads, as it would be possible for users to circumvent the controls. For more comprehensive blocking, the ISP has used DNS-based WiFi filtering, content filtering, and firewalls. Multiple levels of filtering controls make it much harder for individuals to gain access to torrent sites and upload and download content.

Torrent sites are not the only drain of bandwidth. Software updates likewise suck up bandwidth. Many users have their devices set to update software only when connected to a WiFi network. Connecting to the city WiFi network could see thousands of devices updating software at the same time, further squeezing bandwidth. To reduce the impact, Century City has rate limiting in place. Updates will still be possible, but at a level that will not have a major negative impact on available bandwidth.

As with many locations around the world that use WiFi filtering for cities, Century City will also be using the technology to block adult content. This control works at the domain level and is based on blacklists. The filters used at Century City also block botnet activity, prevent users from downloading malware and ransomware, and block phishing websites to keep users protected online.

While users will only be permitted four hours of free usage, limits will not be placed on certain categories of website. Educational sites and job websites will be accessible 24/7, even if the 4-hour quota has been used up. A number of other websites will also be whitelisted to ensure constant access is possible.

The project shows how WiFi filtering for cities can be used to ensure the maximum number of users can get the benefits of city-wide free WiFi networks, and how the Internet can be carefully filtered to keep users protected.

Final New York Department of Financial Services Cybersecurity Rules Issued

The final New York Department of Financial Services cybersecurity rules have now been issued. Covered entities – banks, insurance companies, and financial service firms operating in the state of New York – must now comply with the new rules. The financial services cybersecurity rules are the first to be introduced at the state level in the U.S.

The purpose of the cybersecurity rules is to make it harder for cybercriminals to gain access to confidential consumer data. The new rules require companies to adopt a host of cybersecurity measures to keep consumer data confidential and secure.

The financial services cybersecurity rules were first announced last fall. Following the announcement and publication of the draft cybersecurity rules on September 13, 2016, there followed a 45-day comment period. A revised version of the DFS cybersecurity rules was published in late December, which was followed by a further 30-day comment period. The comments received have been considered and now final changes to the cybersecurity rules have been made.

The final financial services cybersecurity rules are effective as of March 1, 2017. Covered entities have up to 6 months to ensure compliance, after which non-compliance could result in a significant financial penalty and other sanctions.

New York state governor Andrew Cuomo announced the release of the final financial services cybersecurity rules saying “New York is the financial capital of the world and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks.”

The new rules should not pose too many problems for the majority of firms in the financial sector, provided that they have already adopted best practices issued by the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC). However, where the new cybersecurity rules differ is their specificity. The FINRA and SEC guidelines do not specify the measures that must be adopted, whereas the DFS cybersecurity rules are much more specific about the measures that must be adopted to keep data secure.

The final version of the financial services cybersecurity rules has seen an easing of document retention requirements. In previous versions of the rules, covered entities were required to keep all categories of records for a period of five years. In the final version of the rules, the 5-year retention period only applies to records that are necessary to reconstruct financial transactions to support the normal operations of the company. Records of cybersecurity events that could materially harm the company need only to be kept for three years.

The new rules require the DFS to be notified of a cybersecurity event within 72 hours of it occurring, if the event has a reasonable likelihood of materially harming any part of the normal operations of the covered entity or if the entity has a pre-existing duty to notify another government or regulatory agency.

While the financial services cybersecurity rules are strict, there are many exemptions. Several security experts have suggested the new rules do not go far enough for this very reason.

Many of the exemptions apply to smaller companies. For instance, in order for a company to be a covered entity, the annual turnover must be more than 5 million dollars. Smaller firms employing fewer than 10 individuals are similarly exempt. That effectively means a company with 9 employees does not need to implement as stringent data security measures as a company that employs 10 individuals; however, a line must be drawn somewhere.

There are also exemptions for firms that do not possess or control non-public information. There are further exemptions for charitable organizations and insurance companies that operate in the state of New York, but are not chartered in New York state, and for reinsurers that accept credits or assets from an assuming insurer not authorized in the state. However, further updates of the rules may see some of the exemptions removed.

The Cybersecurity Requirements for Financial Services Companies can be viewed at this link.

2016: The Year of Ransomware

In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.

2016 Will be Remembered as The Year of Ransomware

Ransomware first appeared in the late 1980s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.

That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.

Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA, was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.

Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.

In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015; that represents a 771% increase in ransom payments, and only three months had passed. The year of ransomware had barely even begun!

Biggest Ransomware Threats in 2016

TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.

By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.

Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.

2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.

You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.


The Year of Ransomware

Should Malware Protection at the ISP Level be Increased?

Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?

Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.

Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.

Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.

While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.

ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.

Malware Protection at the ISP Level

Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.

ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.

ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.

An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.

The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level 3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.

The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those to which messages and Internet traffic are being sent. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level 3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.

The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.

If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.

ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections

Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.

ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.

WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.

If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.

Library WiFi Filtering Bill Signed Off by Utah Senators

In Utah, lawmakers are attempting to make it harder for pornography to be accessed, especially in libraries. A new bill has been introduced that would make it compulsory for library WiFi filtering to be implemented to block patrons from accessing pornography. That bill has now been signed off by a group of Utah senators, bringing the compulsory use of library WiFi filtering closer to being written into state law.

Last year, Sen. Todd Weiler, R-Woods Cross, was heavily involved in a campaign to raise awareness of the problems related to the accessing of hardcore pornography, with the senator claiming the use of pornography had now become “a public health crisis.”

Sen. Weiler was not alone in his thinking. Many people supported the campaign and agreed that pornography was particularly damaging for minors, that its use threatened marriages, and that it was contributing to the rise in sexual violence.

Library WiFi filtering is a contentious issue. While many libraries across the United States have implemented a WiFi filter to block pornography and other harmful images to protect minors and obtain government grants and discounts, many librarians are opposed to library WiFi filtering.

Libraries are places of learning where individuals can come to gain access to all types of information. The use of Internet filtering in libraries is seen as excessively curbing civil liberties and undermining freedom of speech. Public opinion is similarly divided, although many individuals would not want to catch a glimpse of hardcore pornography on another patron’s computer, and even less so their children.

In Utah, the majority of libraries have already implemented library WiFi filtering software. Weiler says that there are more than 100 public libraries in the state and that the larger libraries are already filtering out pornography. However, he pointed out that there are a dozen or so smaller library branches that have yet to implement Internet filtering on WiFi networks.

In the case of small libraries, there may not be sufficient funds available for WiFi filtering solutions to be purchased, even if by implementing those solutions savings could be made through the E-Rate program. Sen. Weiler appreciates that the cost of implementing a software solution may be prohibitively expensive for smaller libraries, which is why he is requesting $50,000 from the state budget to be made available to smaller libraries via a grant program. Those grants could then be used to pay for Internet filtering solutions for libraries in the state that have yet to purchase a filtering solution.

Now that the bill has been signed off, it will go before the Senate for debate, although there is a high probability that the bill will be written into state law. Support for Sen. Weiler’s anti-pornography campaign last year was strong, and many members of the Senate and House of Representatives backed it. The campaign also received public backing from the governor of Utah.

The Email Archiving Cost is Lower Than You May Think

The email archiving cost can be avoided, but fail to use an email archiving service at your peril. Huge fines await organizations that cannot recover emails promptly.

U.S. businesses are required to keep emails for several years. The IRS requires all companies to keep emails for 7 years, the FOIA requires emails to be kept for 3 years, and 7 years again applies to healthcare organizations (HIPAA), public companies (Sarbanes-Oxley), banking and finance (Gramm-Leach-Bliley Act) and securities firms (SEC).

While large firms are able to absorb the cost of email archiving, many SMBs look at the email archiving cost and try to save money by opting for backups instead. While it is possible to save on the email archiving cost by using backups, the decision not to use an email archiving service could prove to be very costly indeed.

Email backups can serve the same purpose as email archiving in the sense that both can be used to keep old emails. However, while an email backup can help a business protect against data loss, if ever there is a need to recover backed-up emails, companies often encounter problems.

Email backups are fine for recovering entire email accounts (mostly). In the event of a malware or ransomware attack, email backups can be used to recover entire email accounts. However, what happens if only certain emails need to be found – for eDiscovery purposes in the event of a lawsuit for example?

An eDiscovery order may be received that requires all email correspondence sent to a particular client or customer to be retrieved. Such a request may require emails from hundreds of employees to be located. Those emails may date back several years. Finding all emails would be an incredibly time-consuming process, and it may not actually be possible to recover all correspondence. Backup files cannot easily be searched. They are just data repositories, not a well-managed archive.

An email archive on the other hand is different. Not only can individual emails be easily recovered, the entire archive can be quickly and easily searched. If an eDiscovery request is received, all requested emails can be quickly and easily recovered. The process is likely to take minutes. The recovery of files from a backup could take weeks or even months, assuming that the task is even possible.

Email backups fail surprisingly often. The recent spate of ransomware attacks has highlighted a number of examples of data backups that have been corrupted, leaving organizations little option but to pay the attackers for a key to decrypt locked data. In the case of a ransomware infection, the ransom payment may be hundreds, thousands or even tens of thousands of dollars. However, the cost of failing to produce email correspondence for eDiscovery or a compliance audit can be even higher.

Non-compliance with the Sarbanes-Oxley Act and other industry legislation can see fines of several million dollars issued. Only last year, Scottrade was issued with a fine of $2.6 million by the Financial Industry Regulatory Authority (FINRA). Scottrade had kept records of its emails, but not a complete record. More than 168 million emails had not been retained that should have been present in an archive. As Brad Bennett, Executive Vice President and Chief of Enforcement at FINRA explained when announcing the fine, “Firms must maintain sound supervisory systems and procedures to ensure the integrity, accuracy, and accessibility of electronic books and records.” That includes email correspondence.

The cost of email archiving is not only low compared to the cost of a regulatory fine, email archiving is actually inexpensive, especially when using a cloud-based email archiving solution such as ArcTitan. Being cloud-based, emails are securely stored without the need for any additional hardware. Businesses can rest assured that no email will ever be lost.

In the event of an eDiscovery order, any email can be retrieved almost instantly, regardless of when the email was archived. No specific software is required as emails can be archived from Office 365 and archived messages can be accessed easily using an Outlook plug-in or even directly from the browser. Furthermore, the load on an organization’s email server can be greatly reduced. Reductions of 80% have been seen by a number of TitanHQ’s clients.

To find out more about the full benefits of email archiving and the features of ArcTitan, give the TitanHQ sales team a call today. We think you will be pleasantly surprised at how low the email archiving cost can be.

University Cyberattack Involved Campus Vending Machines and 5,000 IoT Devices

A recent university cyberattack in the United States resulted in more than 5,000 systems being taken out of action.

The university cyberattack only became apparent after the IT department was flooded with complaints from staff and students that the Internet had slowed to a snail’s pace. By the time that the cyberattack was identified, the attack had spread to multiple systems and devices, resulting in major headaches for the IT department. Attempts were made to bring systems back online but they failed. Not only had IoT devices been compromised, passwords were changed by the attackers. The IT department was locked out and was prevented from gaining access to any of the compromised devices.

The attack involved a range of devices. Even campus vending machines had been loaded with malware and were under the control of the attackers. In total, 5,000 smart devices were compromised in the attack and had been added to an emerging IoT botnet.

An investigation was launched which revealed the extent of the attack. Virtually the entire IoT network had been lost to the attackers. Everything from smart lightbulbs in street lamps to drink-dispensing vending machines had been infected with malware and made part of a botnet.

The IoT devices were making hundreds of DNS lookups, preventing users from performing web searches or visiting websites. In this case, the devices were being used to make seafood-related searches. So many searches that genuine use of the Internet was prevented.

Once the first devices were compromised, the infection spread rapidly. Every IoT device connected to the network was attacked, with the devices brute-forced until the correct username and password combo was found. The devices were then loaded with malware and added to the botnet. The speed at which the IoT devices were compromised and loaded with malware was due to the use of weak passwords and default login credentials. The university, for convenience, had also made the mistake of loading all IoT devices onto one network.

Once the attackers had gained access to an IoT device and loaded their malware, they had full control of the device. To prevent removal of the malware, the attackers changed the password on the device, locking the IT department out.

Once that had occurred, the only way the IT department thought it would be possible to remove the malware and regain control would be to replace every IoT device. All 5,000 of them.

However, before such a drastic measure was taken, the university sought external assistance and was advised to use a packet sniffer to intercept clear-text passwords sent by the attackers to the malware-compromised devices. The university was able to read the new passwords and regain access to its IoT devices. Passwords were then changed on all 5,000 devices and the malware was removed.

A university cyberattack such as this can cause considerable IT headaches, major disruption for staff and students, and involves a not insignificant resolution cost. However, the university cyberattack could have been avoided. Even if an attack was not prevented, its severity could have been greatly reduced.

Had strong passwords been set, the attackers would have found it much harder to infect devices, buying the IT department time and allowing action to be taken to mitigate the attack.

While it is easy to see why all IoT devices were included on a single network, such a move makes it far too easy for cybercriminals to spread malware infections. It is never wise to put all of one’s eggs in the same basket. It is also important to ensure that networks are separated. If access to devices on one network is gained, damage will be limited.
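The first symptom of the attack described above was a flood of DNS lookups from many devices resolving the same odd names in lockstep. The following is an added example, not code from the article or from the university involved, of how a resolver log can be checked for that pattern; the log line format, the 10.0.0.x device addresses, the example names and the thresholds are all assumptions, and the sample log is constructed inline.

```python
"""Detect an IoT DNS lookup flood from DNS resolver query logs.

Added example, not code from the original article or the university it
describes. The log format, device addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, one query per line: "<ISO-8601 timestamp> <client IP> <queried name>"
# The names echo the article's "seafood-related searches"; all values are constructed.
SEAFOOD = ["lobster.example", "shrimp.example", "scallop.example", "oyster.example"]
BOTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]   # compromised IoT devices (assumed)
LAPTOP = "10.0.0.50"                             # an ordinary user device (assumed)


def build_sample_log(start=datetime(2017, 2, 1, 9, 0, 0)):
    """Construct a small resolver log: each bot issues 40 lookups in 40 s,
    while the laptop issues 5 ordinary lookups spread over 5 minutes."""
    lines = []
    for bot in BOTS:
        for i in range(40):
            ts = start + timedelta(seconds=i)
            lines.append(f"{ts.isoformat()} {bot} {SEAFOOD[i % len(SEAFOOD)]}")
    normal = ["www.example.org", "mail.example.org", "cdn.example.net",
              "www.example.org", "login.example.org"]
    for i, name in enumerate(normal):
        ts = start + timedelta(seconds=i * 60)
        lines.append(f"{ts.isoformat()} {LAPTOP} {name}")
    return sorted(lines)


def parse_line(line):
    """Split one log line into (timestamp, client, normalised query name)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def peak_query_rate(lines, window=timedelta(seconds=60)):
    """Return {client: most queries seen from that client within any `window`}."""
    per_client = defaultdict(list)
    for ts, client, _ in map(parse_line, lines):
        per_client[client].append(ts)
    peaks = {}
    for client, stamps in per_client.items():
        stamps.sort()
        best, left = 0, 0
        for right, ts in enumerate(stamps):
            # advance the left edge until the window fits the current query
            while ts - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        peaks[client] = best
    return peaks


def flooding_clients(lines, threshold=20, window=timedelta(seconds=60)):
    """Clients whose peak query rate meets the threshold, busiest first."""
    peaks = peak_query_rate(lines, window)
    return sorted(((c, n) for c, n in peaks.items() if n >= threshold),
                  key=lambda cn: (-cn[1], cn[0]))


def herd_names(lines, min_clients=3):
    """Names queried by at least `min_clients` distinct clients: many devices
    resolving the same unusual names together is a botnet tell, not a user."""
    clients_by_name = defaultdict(set)
    for _, client, qname in map(parse_line, lines):
        clients_by_name[qname].add(client)
    return sorted(n for n, cs in clients_by_name.items() if len(cs) >= min_clients)


if __name__ == "__main__":
    log = build_sample_log()
    for client, peak in flooding_clients(log):
        print(f"flood: {client} peaked at {peak} queries per minute")
    print("names queried by many devices:", ", ".join(herd_names(log)))
```

On a real resolver the same two checks would run over the live query log, and a device that both floods and shares its query set with others is a candidate for isolation rather than for a password reset alone.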

Cyberattacks on Educational Institutions in 2017 Paints Bleak Outlook

The financial services sector and healthcare industry are obvious targets for cybercriminals, but cyberattacks on educational institutions in 2017 have risen sharply. There have been a multitude of cyberattacks on educational institutions in 2017, and February is far from over. The list paints a particularly bleak outlook for the rest of the year. At the current rate, cyberattacks on educational institutions in 2017 are likely to smash all previous records, eclipsing last year’s total by a considerable distance.

Why Have There Been So Many Cyberattacks on Educational Institutions in 2017?

Educational institutions are attractive targets for cybercriminals. They hold large quantities of personal information of staff and students. Universities conduct research which can fetch big bucks on the black market.

While some of the finest minds, including computer scientists, are employed by universities, IT departments are relatively small, especially compared to those at large corporations.

Educational institutions, especially universities, are often linked to government agencies. If hackers can break into a university network, they can use it to launch attacks on the government. It is far easier than direct attacks on government agencies.

Cybersecurity protections in universities are often relatively poor. After all, it is hard to secure sprawling systems and huge networks that are designed to share information and promote free access to information by staff, students and researchers. Typically, university networks have many vulnerabilities that can easily be exploited.

Schools are also often poorly protected due to a lack of skilled staff and funding. Further, many schools are now moving to one-to-one programs, which means each student is issued with either a Chrome tablet or a Windows 10 laptop. More devices mean more opportunities for attack, plus the longer each student is connected to the Internet, the more time cybercriminals have to conduct attacks.

Another problem affecting K-12 schools is the age of individuals who are accessing the Internet and email. Being younger, they tend to lack awareness about the risks online and are therefore more susceptible to social engineering and phishing attacks. The data of minors is also much more valuable and can be used for far longer by cybercriminals before fraud is detected.

While college students are savvier about the risks online, they are targeted using sophisticated scams geared to their ages. Fake job offers and scams about student loans are rife.

The threat of cyberattacks doesn’t always come from outside an institution. School, college and university students are hacking their own institution to gain access to systems to change their grades or for sabotage. Students with huge debts may also seek data to sell on the black market to help make ends meet.

While all of these issues can be resolved, much needs to be done and many challenges need to be overcome. It is an uphill struggle, and without additional funding that task can seem impossible. However, protections can be greatly improved without breaking the bank.

Major Cyberattacks on Educational Institutions in 2017

There have been several major cyberattacks on educational institutions in 2017, resulting in huge losses – both financial losses and loss of data. Educational institutions have been hacked by outsiders, hacked by insiders and ransomware attacks are a growing problem. Then there are the email-based social engineering scams that seek the tax information of staff. Already this year there have been huge numbers of attacks that have resulted in the theft of W-2 forms. The data on the forms are used to file fraudulent tax returns in the names of staff.

Notable cyberattacks on educational institutions in 2017 include:

Los Angeles Valley College

One of the most expensive cyberattacks on educational institutions in 2017 was a ransomware infection at Los Angeles Valley College. The attack saw a wide range of sensitive data encrypted, taking its network, email accounts and voicemail system out of action. The systems could not be restored from backups leaving the college with little alternative but to pay the $28,000 ransom demand. Fortunately, valid decryption keys were sent and data could be restored after the ransom was paid.

South Carolina’s Horry County Schools

The Horry County School District serves almost 43,000 students. It too was the victim of a ransomware attack that saw its systems taken out of action for a week, even though the ransom demand was paid. While it would have been possible to restore data from backups, the amount of time it would take made it preferable to pay the $8,500 ransom demand.

South Washington County Schools

Hackers do not always come from outside an organization, as discovered by South Washington County Schools. A student hacked a server and copied the records of 15,000 students onto a portable storage device, although the incident was detected and the individual apprehended before data could be sold or misused.

Northside Independent School District

One of the largest cyberattacks on educational institutions in 2017 was reported by Northside Independent School District in San Antonio, Texas. Hackers gained access to its systems and the records of more than 23,000 staff and students.

Manatee County School District

Manatee County School District experienced one of the largest W-2 form phishing attacks of the year to date. A member of staff responded to a phishing email and sent the W-2 forms of 7,900 staff members to tax fraudsters.

Huge Numbers of W-2 Form Phishing Attacks Reported

This year has seen huge numbers of W-2 form phishing attacks on educational institutions. Databreaches.net has been tracking the breach reports, with the following schools, colleges and educational institutions all having fallen for phishing scams. Each has sent hundreds, or thousands, of W-2 forms to tax fraudsters after responding to phishing emails.

  • Abernathy Independent School District
  • Argyle School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Ben Bolt Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independence School District
  • Lexington School District 2
  • Manatee County School District
  • Mercedes Independent School District
  • Mercer County Schools
  • Mohave Community College
  • Morton School District
  • Mount Health City Schools
  • Neosho County Community College
  • Northwestern College
  • Odessa School District
  • Powhatan County Public Schools
  • Redmond School District
  • San Diego Christian College
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginian Wesleyan College
  • Walton School District
  • Westminster College
  • Yukon Public Schools

*List updated June 2017

These cyberattacks on educational institutions in 2017 show how important it is to improve cybersecurity defenses.

If you would like advice on methods/solutions you can adopt to reduce the risk of cyberattacks and data breaches, contact TitanHQ today. TitanHQ offers cost-effective cybersecurity solutions for educational institutions to block email and web-based attacks and prevent data breaches.

Cybersecurity Solutions for Managed Service Providers Key to Business Growth

There are many cybersecurity solutions for managed service providers to add to their service stacks and offer to clients. However, the failure to offer a comprehensive range of cybersecurity solutions can prove costly. There is considerable demand for managed services, and the failure to provide them could see clients effectively handed to competitors.

Furthermore, there is now increased competition. Managed service providers have offered preventative cybersecurity solutions to their clients for many years, but competition in this sphere is increasing.

IT companies that have previously relied on fixing computer problems or providing data breach investigative services as their core business have realized there is big money to be made from providing cybersecurity services to prevent problems. An increasing number of IT companies are now capitalizing on high profile data breaches and demand for preventative solutions from SMBs and are now providing these services.

In order to capitalize on the opportunity for sales and to make sure clients do not start looking elsewhere, managed service providers need to make sure that they offer a full suite of cybersecurity solutions: solutions that will keep their clients protected from the barrage of cybersecurity attacks that are now occurring.

Fortunately, the move away from hardware-based solutions to cloud-based services is making it easier for managed service providers. Cloud-based solutions are not only cheaper for clients, they are easier for MSPs to deliver and manage. While providing solutions that prevent cyberattacks may once have been impractical and provided little return for the effort, that is no longer the case.

There are many potential cybersecurity solutions for managed service providers, although one area in particular where MSPs can take advantage is to offer solutions to prevent phishing attacks. Phishing – obtaining sensitive information from employees – is one of the main ways that cybercriminals gain access to networks and sensitive data.

Companies are spending big on network security to prevent direct attacks, yet cybercriminals know all too well that even multi-million-dollar security defenses can be breached. The easiest way to gain network access is to be provided with it by employees.

It is much easier to fool an employee into downloading malware or ransomware, or into revealing their email or login credentials, than it is to find security vulnerabilities or use brute force tactics. All it takes is for a phishing email to reach the inbox of an employee.

Anti-phishing training companies, which provide security awareness training for employees and teach them how to identify phishing emails, know all too well that training alone is ineffective. Some employees are poor at putting training into practice.

Even if security awareness training is provided, employees will still open email attachments from strangers and click on links sent to them in emails. Furthermore, cybercriminals are getting better at crafting emails to get links clicked and malware-ridden attachments opened.

We have already seen this year (and last tax season) how effective phishing emails can be. At least 145 companies in the United States (that we know about) emailed W-2 Forms of employees to scammers via email last year. This year looks like it will be even worse.

A high percentage of malware infections occur as a result of spam emails with infection either through email attachments (downloaders) or links to malicious sites where malware is silently downloaded. The same is true of many ransomware infections.

Given the high risk of a phishing attack occurring or information-stealing malware and ransomware being installed, organizations are happy to pay for managed solutions that can block phishing emails, prevent malware-infecting emails from being delivered, and stop employees from visiting malicious links.

MSPs can take advantage by providing these services. Since cloud-based solutions are available that offer the required level of protection, adding these solutions to an MSP’s service stack is a no-brainer. Cloud-based solutions to protect against phishing, malware, and ransomware infections require no hardware, no site visits, and little management overhead.

TitanHQ can provide cloud-based solutions ideal for inclusion in MSPs’ service stacks. TitanHQ’s email and web protection solutions – SpamTitan and WebTitan – are effective at blocking a wide range of email and web-borne threats.

SpamTitan blocks over 99.97% of spam email, has a low false positive rate and blocks 100% of known malware. Inboxes are kept spam and malware free, and an anti-phishing component prevents phishing emails from being delivered to end users.

WebTitan offers excellent protection from web-borne threats, protecting employees and networks from drive-by malware and ransomware downloads and blocking links to malicious websites.

Furthermore, these solutions can be run in a public or private cloud, can be provided in white-label format ready for an MSP’s own branding, have low management overhead and include generous margins for MSPs.

If you are an MSP and are looking to increase the range of cybersecurity services you can offer to clients, give TitanHQ a call today and find out more about our cybersecurity solutions for managed service providers.

With our cybersecurity solutions for managed service providers, you can improve your cybersecurity portfolio, provide better value to your clients and boost your bottom line.

Phishing Attacks on Law Firms Are Soaring

The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms, on the other hand, are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.

Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.

Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath, Swaine & Moore LLP and Gotshal and Manges LLP.

However, while those attacks were damaging, they arguably caused less harm than the Panama Papers breach, the largest law firm data breach of the year. That attack resulted in an astonishing 2.6 terabytes of data being stolen by the attackers: documents that revealed highly sensitive banking activities of criminals, politicians, athletes, and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.

While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.

Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations, although it is becoming less effective in that regard, but it will do little to prevent phishing attacks.

A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.

Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.

[Infographic: Phishing Attacks on Law Firms]

Law Firm Phone Hacking Results in $65,000 Phone Bill

A law firm phone hacking incident has resulted in an Alexandria, VA attorney being sent a staggering $65,000 phone bill. The attorney’s phone system was hacked and used to make a slew of international phone calls in the middle of the night to numbers in Algeria and Serbia.

In total, 195 phone calls were made through the law firm’s phone system in just 45 minutes. Since the incident occurred in the middle of the night, no one noticed. The small law firm only employs three people, none of whom were in the office at the time.

Attorney David Chamowitz was informed by his service provider via email about the calls and the charges. This law firm phone hacking incident was not a one-off. Even though the attorney changed the password on his system, he was attacked again, suggesting the hacker had a backdoor into the system. To ensure that future calls were not made, the attorney has had to switch off long-distance call capabilities.

The hacker responsible was unlikely to be looking to speak to friends and relatives abroad. This type of scam involves making calls to premium rate international numbers, with the hackers making money from those calls. The charges for the calls can be extortionate, as Chamowitz discovered. Many other small- to medium-sized businesses have been targeted by hackers and have had to foot the bill for the calls. Phone charges totaling tens of thousands of dollars can easily be racked up.

As was the case with Chamowitz, the attack occurred at a time when it was unlikely to be noticed. Calls are usually made outside of business hours, often in the middle of the night.

Flaws in security systems are exploited to gain access to voicemail systems, although more commonly, hackers take advantage of poor security controls such as default login credentials left active on voicemail systems. Small businesses may implement firewalls and a host of security measures to protect their computers from attack, yet do not realize that voicemail system hacks are also possible.

The default credentials can easily be found online via the search engines or they can be easily guessed. Usernames of ‘admin’ are common and passwords are often set to 1234.

As this law firm phone hacking incident shows, any system that can be accessed externally can be hacked, whether that is a computer, server, router, IoT device or phone/voicemail system.

To protect against voicemail system hacks it is important to ensure that default credentials are changed and strong passwords are set. A PBX firewall should be employed and call logs should be monitored. If there is no need for your business to make international or premium rate calls, speak to your service provider and try to block those calls. Also, consider setting the system to not permit outbound calls at certain times (outside of office hours) and disable external access to the phone system/voicemail when the office is closed.
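One way to act on the call-log monitoring advice above, as an added example that is not TitanHQ’s product or any tooling from the incident: a small Python checker over constructed PBX call detail records (CDRs) that flags calls to destinations the business never dials, international calls outside office hours, and a burst of international calls from one extension. The CDR format, office hours, country-code list and thresholds are assumptions.

```python
"""Toll-fraud detection over PBX call detail records (CDRs).

Added example, not TitanHQ's code or the law firm's own tooling. It assumes
the PBX exports one CDR per line as
    <ISO-8601 timestamp>,<extension>,<dialed number in E.164>,<duration seconds>
and that office hours are 08:00-18:00 local time, Monday to Friday.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Destinations the business never dials (assumption). +213 Algeria and +381
# Serbia are the country codes of the numbers named in the incident.
BLOCKED_PREFIXES = ("+213", "+381")
OFFICE_START_HOUR, OFFICE_END_HOUR = 8, 18
BURST_WINDOW = timedelta(minutes=45)    # the incident: 195 calls in 45 minutes
BURST_THRESHOLD = 20                    # international calls per extension per window


def parse_cdr(line):
    """Split one CDR line into a record dict."""
    ts, ext, number, duration = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "ext": ext,
            "number": number, "duration": int(duration)}


def is_international(number):
    """Treat +1 (NANP) as domestic for a US office; everything else is international."""
    return number.startswith("+") and not number.startswith("+1")


def outside_office_hours(ts):
    return ts.weekday() >= 5 or not (OFFICE_START_HOUR <= ts.hour < OFFICE_END_HOUR)


def analyse(lines):
    """Return a time-ordered list of alert dicts, each with a "rule" key."""
    records = sorted((parse_cdr(line) for line in lines if line.strip()),
                     key=lambda r: r["ts"])
    alerts = []
    recent = defaultdict(deque)   # ext -> timestamps of recent international calls
    bursting = set()              # extensions already flagged, to avoid repeat alerts
    for r in records:
        if r["number"].startswith(BLOCKED_PREFIXES):
            alerts.append({"rule": "blocked_destination", "ext": r["ext"],
                           "ts": r["ts"], "number": r["number"]})
        if not is_international(r["number"]):
            continue
        if outside_office_hours(r["ts"]):
            alerts.append({"rule": "after_hours_international", "ext": r["ext"],
                           "ts": r["ts"], "number": r["number"]})
        # Sliding-window burst check per extension.
        window = recent[r["ext"]]
        window.append(r["ts"])
        while r["ts"] - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and r["ext"] not in bursting:
            bursting.add(r["ext"])
            alerts.append({"rule": "international_burst", "ext": r["ext"],
                           "ts": r["ts"], "count": len(window)})
    return alerts


# Constructed sample: three ordinary daytime calls, then a night-time burst of
# 30 calls, twelve seconds apart, alternating Algerian and Serbian numbers.
SAMPLE_CDRS = [
    "2017-01-10T09:15:00,101,+12025550142,120",
    "2017-01-10T11:40:00,102,+12125550199,300",
    "2017-01-10T14:05:00,103,+442071234567,600",
] + [
    "2017-01-11T02:%02d:%02d,101,%s%04d,45"
    % ((i * 12) // 60, (i * 12) % 60,
       "+21355512" if i % 2 == 0 else "+38164555", i)
    for i in range(30)
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_CDRS):
        print(a["rule"], a["ext"], a["ts"].isoformat(), a.get("number", a.get("count")))
```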

Restaurant Malware Attack Results in Theft of More Than 355,000 Credit and Debit Cards

A restaurant malware attack has resulted in the theft of the credit and debit card numbers of more than 355,000 customers, according to Krebs on Security. A breach was suspected to have occurred when credit unions and banks started to notice a flurry of fraudulent purchases. The breach was traced to the fast food restaurant chain Arby’s.

While there have been numerous instances of credit card fraud reported in the past few days, the Arby’s data breach was first identified in January. Industry partners contacted Arby’s regarding a potential breach of credit/debit card numbers. At that point, the incident was only thought to have affected a handful of its restaurants.

The malware infection was soon uncovered and the FBI was notified, although the agency requested that Arby’s did not go public so as not to impede the criminal investigation. However, a statement has recently been released confirming that Arby’s is investigating a breach of its payment card systems.

Upon discovery of the breach, Arby’s retained the services of cybersecurity firm Mandiant to conduct a forensic analysis. The Mandiant investigation is continuing, although rapid action was taken to contain the incident and remove the malware from Arby’s payment card systems. The investigation revealed that the incident only impacted certain corporate-owned stores. None of the franchised stores were infected with malware. Arby’s has more than 3,300 stores across the United States, more than 1,000 of which are corporate-owned.

PSCU, an organization serving credit unions, was the first to identify a potential breach after receiving a list of 355,000 stolen credit card/debit card numbers from its member banks. It is currently unclear when the restaurant malware attack first occurred, although the malware is currently thought to have been actively stealing data from October 25, 2016 until January 19, 2017, when the malware was identified and removed.

This is of course not the first restaurant malware attack to have been reported in recent months. The restaurant chain Wendy’s suffered a similar malware attack last year. That incident also resulted in the theft of hundreds of thousands of payment card details before the malware was discovered and removed. Similar payment card system malware infections were also discovered by Target and Home Depot and resulted in huge numbers of card details being stolen.

Details of how the malware was installed have not been released, although malware is typically installed when employees respond to spear phishing campaigns. Malware is also commonly installed as a result of employees clicking on malicious links contained in spam emails or being redirected to malicious sites by malvertising. In some cases, malware is installed by hackers who take advantage of unaddressed security vulnerabilities.

Once malware has been installed it can be difficult to identify, even when anti-virus and anti-malware solutions are in use. As was the case with the latest restaurant malware attack, data theft was only identified when cybercriminals started using the stolen payment card information to make fraudulent purchases.

Protecting against malware attacks requires multi-layered cybersecurity defenses. Good patch management policies are also essential to ensure that any security vulnerabilities are remediated promptly. Anti-spam and anti-phishing solutions can greatly reduce the volume of messages that make it through to employees’ inboxes, while malicious links and redirects can be blocked with a web filtering solution. A little training also goes a long way. All staff members with computer access should receive anti-phishing training and should be instructed on security best practices.

Regular scans should be performed on all systems to search for malware that may have evaded anti-virus and anti-malware solutions. Since a restaurant malware attack will target payment card systems, those should be frequently scanned for malware. Rapid detection of malware will greatly reduce the damage caused.

2016 Malware Report Shows Changes in Malware Trends Over the Past 12 Months

If your organization was hit with a malware or ransomware infection last year, the 2016 malware report from Malwarebytes may serve as an unpleasant reminder of 12 months best forgotten. Malware infections rose in 2016 and ransomware infections soared. In the case of the latter, there was an explosion in new variants. Malwarebytes charted a 267% increase in ransomware variants between January 2016 and November 2016. In quarter four alone more than 400 active ransomware variants were cataloged.

During those 11 months, email spam volume increased significantly as did the percentage of those spam emails that were malicious. Botnets went into overdrive distributing malicious email messages that sent swathes of malicious links and attachments to employees. There were malicious Word macros, JavaScript downloaders, PowerShell scripts, and VBScripts aplenty. Fileless malware consisting entirely of PowerShell also emerged.

The 2016 malware report shows how ransomware has become the revenue-generator of choice for many cybercriminals. It is easy to understand why. Infecting computers is a relatively easy process, ransom payments are made within a matter of days, much of the process is entirely automated, and ransomware-as-a-service means no skill is even required to jump on the bandwagon and send out campaigns.

The 2016 malware report indicates ransomware accounted for 18% of malicious payloads from spam email and ransomware is the payload of choice for exploit kits, accounting for 66% of malicious downloads.

Locky was a major threat for most of the year, but in December there was a massive spike in Cerber ransomware variants, which are now the most prevalent ransomware family.

The cybersecurity company’s 2016 malware report confirms what many security professionals already know all too well. 2016 was a particularly bad year for everyone but the cybercriminals. Unfortunately, the outlook for 2017 does not look any better. In fact, it looks like it will be even worse.

Predictions have been made that will send shivers down many a system administrator’s spine. Ransomware is set to become even more aggressive. Critical infrastructures are likely to be targeted. Healthcare ransomware attacks will increase, potentially placing patients’ lives at risk. Educational institutions will be targeted. No organization will be immune to attack.

Fortunately, new ransomware families will be limited in 2017. But that is only because Locky and Cerber are so effective and can easily be tweaked to avoid detection.

Then there are the botnets. The increase in use of IoT devices would not be a problem, were it not for a lack of security. Many insecure devices are coming to market which can all too easily be added to botnets. As we saw in the tail end of the year, these botnets – such as Mirai – are capable of conducting devastating DDoS attacks. Those attacks are only likely to increase in scale and frequency. As Malwarebytes correctly points out, unless manufacturers of IoT devices are better regulated and are forced to improve their security, vast sections of the Internet will come under threat.

So, it looks like all bad news for 2017. All organizations can do is purchase the technology to deal with the threats, plug security holes promptly, train staff to be aware of the threats, and shore up their defenses. The next 12 months could be a rocky ride.

Is Your Organization Protected Against Printer Hacking?

You have secured your servers, you have endpoint protection, but have you ensured your organization is protected against printer hacking? According to one hacker, as many as 300,000 organizations have left a gaping hole in their security defenses as a result of leaving their printers open to the Internet and failing to even use any form of authentication.

Your Printer Has Been Owned!

The hacker decided to draw attention to the problem, not by publishing details of the flaws, but by attacking around 150,000 companies. The attack was rather benign. The hacker did not attempt to gain access to network resources or install malware. He just sent rogue jobs to the printers.

The printouts said “Your printer has been owned.” The hacker also claimed the printers had been added to ‘a flaming botnet’ as a result of the lack of security in place. Some of the messages sent are not appropriate for reproduction. A common message was ‘everyone likes a meme, fix your bull***t.’

The claims were not true, but the hacker did prove a point. Printer hacking is a very real threat and future attacks may be much more malicious in nature. If printers are left open to the Internet with no authentication required, they could be subjected to DoS attacks. Companies would be left unable to print. Printers could also be added to botnets. Those would be best-case scenarios of course. Printer hacking could cause much more serious harm.

Hackers could take advantage of flaws and run arbitrary code. Printers could be used as a launchpad to gain access to corporate networks, sabotage systems, install malware and ransomware, and steal corporate secrets and sensitive customer and patient data.

Following the printer cyberattack, the ‘victims’ took to social media to report the incidents. Some reported that corporate network printers were affected, others claimed their POS system printers had been owned. In the case of the former, the cyberattack could potentially have resulted in a network compromise. In the case of the latter, credit and debit card-stealing malware could have been installed.

The hacker in question claims he is a UK student with an interest in security research. He says he has access to RCE flaws that would enable him to take control of more than 300,000 printers. In this experiment, he took advantage of the lack of authentication controls on communications port 9100. The attacks involved the RAW protocol, Internet Printing Protocol (IPP) and the Line Printer Daemon (LPD).

Many of the printers susceptible to printer hacking are used by universities and other higher education establishments. In a separate ‘attack’ a different hacker also proved a point about the lack of security controls, the ease of finding computers to attack, and just how easy it was to send rogue output to printers. He chose to send anti-Semitic print jobs to printers at universities in the United States for maximum coverage. After the attacks, reports started flooding social media from students at Yale, UC Berkeley, DePaul University and UMass Amherst.

Printer Hacking Mitigation Required

The two hacks come just a few days after security researchers in Germany announced they had discovered vulnerabilities in printers manufactured by some of the big names in computer hardware, such as Samsung, HP, Dell and Lexmark. More than 20 models of printer were discovered to contain flaws that could be easily exploited. Undoubtedly many more printers are vulnerable.

If printers are left exposed and can be accessed by anyone over the Internet, it will only be a matter of time before a malicious attack occurs. Protecting against printer hacking is therefore essential. To do this, printers should be set up on a virtual private network (VPN) and organizations should make 100% sure that their printers cannot be accessed through public IP addresses. That would require access controls to be applied to routers to whitelist certain IP ranges.
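As an added example of the access-control point above (not code from the original post, TitanHQ or any printer vendor), the Python below audits a constructed printer inventory for addresses outside RFC 1918 private space, models the intended allow-list for the three printing services named in this post (raw port 9100, IPP 631, LPD 515), and emits an equivalent nftables ruleset. The inventory, the allowed client range, IPv4-only addressing and the assumption that the ruleset sits on the router in front of the printer network are all assumptions.

```python
"""Printer exposure audit and allow-list generation.

Added example, not part of the original post. Assumes IPv4 printers listed as
(name, address) pairs and a list of client subnets allowed to print; the
emitted nftables rules are assumed to run on the router/firewall that forwards
traffic into the printer network.
"""
import ipaddress

# Printing services discussed above: raw/JetDirect 9100, IPP 631, LPD 515.
PRINT_PORTS = (9100, 631, 515)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_printers(inventory, allowed_ranges):
    """Flag printers not on private addresses and allow-list entries that are
    not themselves private (a public range in the allow-list would expose the
    printers to the Internet)."""
    findings = []
    for name, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in RFC1918):
            findings.append((name, addr, "address_outside_rfc1918"))
    for r in allowed_ranges:
        net = ipaddress.ip_network(r)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(("allow-list", r, "allowed_range_not_private"))
    return findings


def is_allowed(src, dst, port, inventory, allowed_ranges):
    """Model the intended policy: may a packet src -> dst:port reach a printer?
    Traffic to non-printer hosts or non-printing ports is out of scope."""
    printer_addrs = {addr for _, addr in inventory}
    if dst not in printer_addrs or port not in PRINT_PORTS:
        return True
    s = ipaddress.ip_address(src)
    return any(s in ipaddress.ip_network(r) for r in allowed_ranges)


def nft_rules(inventory, allowed_ranges):
    """Render the same policy as an nftables forward-chain ruleset."""
    ports = ", ".join(str(p) for p in PRINT_PORTS)
    sources = ", ".join(allowed_ranges)
    lines = ["table inet printers {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for name, addr in inventory:
        lines.append(f"    # {name}")
        lines.append(f"    ip daddr {addr} tcp dport {{ {ports} }} "
                     f"ip saddr {{ {sources} }} accept")
        lines.append(f"    ip daddr {addr} tcp dport {{ {ports} }} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed inventory: two printers on the private LAN and one that was
# given an address outside RFC 1918 space (203.0.113.0/24 is documentation
# space, used here as a stand-in for a public address).
INVENTORY = [("legal-floor2-mfp", "10.20.5.11"),
             ("pos-receipt-1", "10.20.6.20"),
             ("lobby-printer", "203.0.113.45")]
ALLOWED = ["10.20.0.0/16"]   # the office client range (assumption)

if __name__ == "__main__":
    for finding in audit_printers(INVENTORY, ALLOWED):
        print("FINDING:", *finding)
    print(nft_rules(INVENTORY, ALLOWED))
```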

Hotel Malware Attacks on the Rise: 12 U.S. InterContinental Hotels Affected

Hotel malware attacks have been hitting the headlines in the past two years as cybercriminals target hotels looking for payment card information. Now, InterContinental Hotels Group Plc has announced that a malware infection has potentially resulted in the theft of customers’ payment card details from 12 of its hotels in the United States. The hotel malware attacks affected guests at InterContinental Hotels as well as Crowne Plaza and Holiday Inn hotels.

The data breach affected the payment systems used by the hotel chain’s restaurants and bars, but did not extend to the front desk system used to process guests.

Malware was installed on the hotels’ servers which searched for and obtained customer track data from credit and debit card transactions. Customers’ card data – including names, card numbers, expiry dates and verification codes – were intercepted and potentially stolen using the malware. The malware was discovered in late December when the hotel chain hired a cybersecurity firm to investigate a potential data breach following an unusual level of fraud affecting the hotel chain’s customers. That investigation revealed malware had been installed as early as August 1, 2016, and had remained active until December 15, 2016.

InterContinental has not disclosed whether the malware passed on any payment card information to the attackers nor how many customers had been impacted by the incident, only that servers at 12 of the chain’s hotels had been affected. Investigations into the security breach are continuing and the investigation has now been extended to other hotels owned by InterContinental in the Americas.

Hotels are commonly targeted by cybercriminals seeking payment card information. Last summer, InterContinental’s Kimpton Hotels & Restaurants were attacked with malware and similar incidents were reported last year by Marriott International’s Starwood Hotels as well as the Hyatt, Westin, and Sheraton hotel chains. Hotel malware attacks were reported by the Hilton chain and Trump Hotels in 2015.

Cybercriminals are most interested in POS systems used by hotels. Malware is installed that is capable of capturing payment card information and those data are then transferred to the attackers. All too often, malware is installed and stays active for months before it is detected. During that time, tens of thousands of hotel guests can be impacted and have fraudulent charges applied to their accounts.

While hotel customers are often covered by their card providers’ insurance policy, the fallout from these incidents can be considerable. When guests suffer credit card and debit card fraud as a result of visiting a particular hotel, they may take their business elsewhere.

Malware can be installed by cybercriminals via a number of different attack vectors. Direct attacks take advantage of security flaws in software and hardware. Last year, Cylance’s Sophisticated Penetration Exploitation and Research Team (SPEAR) identified a zero-day vulnerability in ANTLabs InnGate routers, which are used by many of the top hotel chains to provide Internet access for guests. The flaw could be exploited to gain access to guests’ smartphones, laptops, and tablets, or potentially be used to install malware that targets POS systems on hotel servers.

According to SPEAR, the flaw was being actively exploited and 277 hotels had been targeted across 29 countries, including more than 100 hotels in the United States. Eight out of the world’s top ten hotel chains were found to have systems vulnerable to this type of attack. A patch was promptly issued to correct the flaw and hotels were able to plug the security hole.

It may not be possible to prevent attacks that exploit zero-day vulnerabilities; however, there are steps that can be taken to reduce hotel malware attacks. Malware is often downloaded as a result of employees’ or guests’ actions. Malware may be deliberately installed, although all too often downloads occur silently as a result of employees and guests visiting malicious websites.

Blocking access to these websites will protect both the hotel and its guests from web-borne malware and ransomware attacks. If a web filter – such as WebTitan – is installed, all websites known to house malware will be blocked.

Any individual who attempts to connect to one of those websites, or is redirected to one of those sites via a malicious email link or malvertising, will be protected. WebTitan can also be configured to prevent individuals from downloading files known to carry a high risk of being malicious – JavaScript files and executables for instance.

If you run a hotel or hotel chain, a web filter is an additional layer of security that should be seriously considered. A web filter will help to reduce the risk of malware and ransomware infections and keep hotel networks safe and secure for all users.

Hotel Ransomware Attack Affects Key Card and Reservation System

A hotel ransomware attack in Austria hit the headlines in the past couple of days. The cyberattack affected the Romantik Seehotel Jägerwirt. The hotel’s computer system was infiltrated by the attacker, who installed ransomware. A range of files were encrypted, which prevented the hotel from being able to check in new guests and issue new key cards for hotel doors.

Hotel Ransomware Attack Hampers Guest Check-ins

Early reports of the hotel ransomware attack suggested hotel guests were locked out of their rooms or, in some cases, locked in their rooms. The latter is not possible as even when electronic key cards are used, locks can be opened manually from the inside. Guests who had been issued with key cards prior to the attack were also able to use their cards to get into their rooms, according to a statement issued by the hotel’s manager.

However, the cyberattack still caused considerable disruption at the 111-year-old hotel. According to local news sources, the attack affected the hotel’s key card system, reservation system, and its cash desk.

Since files were encrypted that were necessary to program new key cards, any guest that had not been checked in before the cyberattack occurred experienced considerable delays. The issue was only resolved when the hotel paid the ransom demand of 1500 Euros – approximately £1,300/$1,600. Systems remained out of action for 24 hours as a result of the attack.

This was not the only attack affecting the hotel. A second attack reportedly occurred, although the hotel was able to thwart that attempt by taking its systems offline. Repeat attacks are unfortunately common. If one ransomware attack results in the payment of a ransom, other attacks may also occur as the attackers attempt to extort even more money from their victim. Backdoors are often installed during initial attacks to enable access to continue after payment has been made.

Not being able to check in new guests for a period of 24 hours can make a serious dent in profits, not only from guests being forced to seek alternative accommodation, but also from the damage to a hotel’s reputation. Such an attack can keep future guests away.

In this case, in addition to paying the ransom demand, the manager of the Romantik Seehotel Jägerwirt confirmed that the hotel will be going old school for the foreseeable future. Rather than continue to use an electronic key card system, the hotel will revert to using standard keys for hotel room doors. Another hotel ransomware attack would therefore not prevent guests from checking in.

Hotels Must be Prepared for Cybersecurity Incidents

This is not the first hotel ransomware attack to have occurred in 2017 and it certainly will not be the last. Hotels are attractive targets for cybercriminals because hotels cannot afford to have critical systems offline for lengthy periods of time due to the disruption they cause. Cybercriminals know that ransom demands are likely to be paid.

In this case, no lasting harm was caused, although that does not mean future attacks will be limited to reservation systems and cash desk operations. Elevator systems may be targeted or other systems that have potential to compromise the health and safety of guests.

Hotels therefore need to make sure that not only are defenses augmented to prevent ransomware attacks, but a data breach response plan is in place to ensure that in the event of a cybersecurity incident, rapid action can be taken to limit the harm caused.

Malware and Phishing Attacks on Healthcare Organizations are the New Norm

Malware and phishing attacks on healthcare organizations are all but guaranteed. In fact, they are almost as certain as death and taxes. Healthcare organizations hold huge volumes of data on patients and more types of data than virtually any other industry.

Healthcare providers store personal information and Social Security numbers, which are needed for identity theft and tax fraud. They also hold insurance information that can be used for health insurance fraud, and Medicare/Medicaid numbers and health information that can be used for medical fraud. Bank account information and credit card numbers are also often stored. For cybercriminals, breaching a healthcare organization’s defenses means a big payday.

Further, health data does not expire like credit card numbers. Social Security numbers never change. It is therefore no surprise that malware and phishing attacks on healthcare organizations are on the rise.

As if there was not enough incentive to attack healthcare organizations, the healthcare industry has underinvested in cybersecurity defenses, lagging behind other industries when it comes to implementing the latest technologies to thwart cybercriminals. Healthcare networks are also highly complex and difficult to protect. They also run a great deal of outdated software and many outdated operating systems. Many healthcare organizations still run medical devices on the unsupported Windows XP OS, which contains many vulnerabilities.

The Health Insurance Portability and Accountability Act (HIPAA) has helped to bring cybersecurity standards up to an acceptable level. HIPAA compliance has made it harder for cybercriminals, although far from impossible. With the healthcare industry firmly in cybercriminals’ crosshairs, healthcare organizations need to look beyond meeting the minimum standards for data security to avoid a HIPAA fine and ensure that defenses are improved further still.

One of the biggest problems comes from cyberattacks on healthcare employees. Even advanced firewalls can be easily avoided if employees can be fooled into clicking on a malicious link or opening an infected email attachment. Phishing attacks on healthcare organizations are the most common way that cybercriminals gain access to healthcare networks. Most cyberattacks start with a spear phishing email.

In addition to perimeter defenses, it is essential for healthcare organizations to employ technologies to block phishing attacks. Advanced spam filters will prevent the vast majority of phishing emails from being delivered, while web filtering solutions will block phishing attacks on healthcare organizations by preventing malicious links from being clicked and malicious websites from being accessed.

A web filter can also be configured to block downloads of file types commonly associated with malware: SCR, VB, and JavaScript files for instance. A web filter is also an excellent defense against drive-by malware downloads, social media phishing links, and malvertising.

Fortunately, with appropriate defenses in place, cyberattacks can be prevented and the confidentiality, integrity, and availability of ePHI can be preserved.

For further information on the major healthcare cyberattacks of 2016, the key threats to healthcare organizations, and the impact of data breaches, click the image below to view our healthcare hacking infographic.

[Infographic: Phishing Attacks on Healthcare Organizations]

US Ransomware Attacks Quadrupled in 2016

According to a new report from data breach insurance provider Beazley, US ransomware attacks on enterprises quadrupled in 2016. There is no sign that these attacks will slow, in fact they are likely to continue to increase in 2017. Beazley predicts that US ransomware attacks will double in 2017.

Half of US Ransomware Attacks Affected Healthcare Organizations

The sophisticated nature of the latest ransomware variants, the broad range of vectors used to install malicious code, and poor user awareness of the ransomware threat are making it harder for organizations to prevent the attacks.

For its latest report, Beazley analyzed almost 2,000 data breaches experienced by its clients. That analysis revealed that not only US ransomware attacks but also malware infections and accidental disclosures of data had increased. While ransomware is clearly a major threat to enterprises, Beazley warned that unintended disclosures of data by employees are actually a far more dangerous threat. Accidental data breaches increased by a third in 2016.

US ransomware attacks and malware incidents increased in the education sector, which registered a 10% rise year on year. 45% of data breaches experienced by educational institutions were the result of hacking or malware, as were 40% of data breaches suffered by financial services companies. However, it was the healthcare industry that experienced the most ransomware attacks. Nearly half of 2016 US ransomware attacks affected healthcare organizations.

The report provides some insight into when organizations are most at risk. US ransomware attacks spiked at the end of financial quarters and also during busy online shopping periods. It is at these times of year when employees most commonly let their guard down. Attackers also step up their efforts at these times. Beazley also points out that ransomware attacks are more likely to occur during IT system freezes.

Ransomware Attacks on Police Departments Have Increased

Even police departments are not immune to ransomware attacks. Over the past two years there have been numerous ransomware attacks on police departments in the United States. In January 2015, the Midlothian Police Department, near Chicago, was attacked with ransomware and paid a $500 ransom to regain access to its files.

The Dickson County Sheriff’s Office in Tennessee paid $572 to unlock a ransomware infection, and the Tewksbury Police Department in Massachusetts similarly paid for a key to decrypt its files. In 2015, five police departments in Maine (Lincoln, Wiscasset, Boothbay Harbor, Waldoboro and Damariscotta) were attacked with ransomware, and in December 2016 the Cockrell Hill Police Department in Texas experienced a ransomware infection. The attack resulted in video evidence dating back to 2009 being encrypted. However, since much of that information was stored in backup files, the Cockrell Hill Police Department avoided paying the ransom.

Defending Against Ransomware

Unfortunately, there is no silver bullet to protect organizations from ransomware attacks. Ransomware defenses should consist of a host of technologies to prevent ransomware from being downloaded or installed, but also to ensure that infections are rapidly detected when they do occur.

Ransomware prevention requires technologies to be employed to block the main attack vectors. Email remains one of the most common mediums used by cybercriminals and hackers. An advanced spam filtering solution should therefore be used to prevent malicious emails from being delivered to end users. However, not every malicious attachment can be blocked. It is therefore essential not only to provide employees with security awareness training, but also to run simulated phishing and ransomware exercises to confirm that the training has been effective.

Many US ransomware attacks in 2016 occurred as a result of employees visiting – or being redirected to – malicious websites containing exploit kits. Drive-by ransomware downloads are possible if browsers and plugins are left unpatched. Organizations should ensure that patch management policies are put in place to ensure that all systems and software are patched promptly when updates are released.

Given the broad range of web-based threats, it is now becoming increasingly important for enterprises to implement a web filtering solution. A web filter can be configured to prevent employees from visiting malicious websites and to block malvertising-related web redirects. Web filters can also be configured to prevent employees from downloading malicious files and engaging in risky online behavior.

The outlook for 2017 may be bleak, but it is possible to prevent ransomware and malware attacks. However, the failure to take adequate preventative steps to mitigate risk is likely to prove costly.

2016 Data Breach Report Shows Massive Rise in Severity of Attacks

A recently released 2016 data breach report has shown that the number of data breaches reported by businesses has remained fairly constant year on year. 4,149 data breaches were reported between January and December 2016, which is broadly on a par with the figures from 2015.

2015 saw the largest healthcare data breach ever reported: the 78.8 million record data breach at Anthem Inc. There were also two other healthcare data breaches in 2015 that resulted in the theft of more than 10 million records: the 11-million record breach at Premera Blue Cross and the 10-million record breach at Excellus BlueCross BlueShield.

2016 saw more data breaches reported by healthcare organizations than in 2015, although the severity of the attacks was nowhere near as bad. More than 27 million healthcare records were exposed in 2016, whereas the total for 2015 was in excess of 113 million.

2016 Data Breach Report Shows Severity of Cyberattacks Has Dramatically Increased

While the severity of healthcare data breaches fell year on year, the 2016 data breach report from Risk Based Security shows an overall increase in the severity of data breaches across all industries. 2016 was a record-breaking year.

In 2013 more than 1 billion records were exposed or stolen – the first time that the 1 billion record milestone had been passed. 2016 saw that previous milestone smashed. More than four times as many records were stolen in 2016 than in 2013. 2016 data breaches exposed an incredible 4.2 billion records.

The RBS 2016 data breach report details 94 data breaches that exposed more than 1 million records. 37 breaches resulted in the exposure of more than 10 million records. The United States was the biggest target, accounting for 47.5% of the data breaches reported over the course of the year.

Healthcare data breaches hit the headlines frequently in 2016 due to the potential impact they had on the victims. However, healthcare industry data breaches only made up 9.2% of the annual total. The business sector was the worst hit, accounting for 51% of breaches in 2016. Government organizations made up 11.7% of the total and education 4.7%.

According to the RBS 2016 data breach report, the top ten data breaches of 2016 exposed an incredible 3 billion records, and the average severity score of those breaches was 9.96 out of 10. All but one of those breaches were caused by hackers; the remaining incident was a web-related breach. Six of the data breaches reported in 2016 ranked in the top ten list of the largest data breaches ever reported.

Six 2016 Security Incidents Ranked in the Top 10 List of Largest Ever Data Breaches

The largest data breach of 2016 – and also the largest data breach ever reported – was the hacking of Yahoo. More than 1 billion user credentials were exposed as a result of that cyberattack. While malware is a major threat to businesses, malware attacks only accounted for 4.5% of data breaches in 2016. Hacking exposed the most records and was the main cause of 2016 data breaches, accounting for 53.3% of incidents and 91.9% of the total number of stolen records.

Many organizations also reported being attacked on multiple occasions. The 2016 data breach report shows that 123 organizations reported multiple data breaches in 2016 and 37% of those organizations reported experiencing three or more data breaches between January and December.

According to RBS, more than 23,700 data breaches have now been tracked. In total, more than 9.2 billion records have been exposed or stolen in those incidents. According to RBS executive vice president Inga Goddijn, “Any organization that has sensitive data – which is every organization with employees or confidential business information – can be a target.”

Cyberattacks are coming from all angles. Employees are being targeted via email, the volume of malware-laden websites and phishing sites has soared, malvertising is increasing and hackers are exploiting unpatched software vulnerabilities.

It is difficult to predict how bad 2017 will be for cybersecurity breaches, but it is fair to assume that data breaches will continue to occur at a similar level. Organizations need to respond by increasing their cybersecurity defenses to prevent attacks from occurring, but also to prepare for the worst and ensure they are ready to deal with a breach when one occurs. A fast response can limit the damage caused.

Should First Amendment Rights Include Viewing Pornography in Libraries?

The use of web filters in libraries has been in the headlines on many occasions in recent months. There has been much debate over the extent to which libraries should allow patrons to exercise their First Amendment freedoms and whether Internet access should be controlled.

Many libraries in the United States choose not to implement web filters to control the content that can be accessed on their computers, instead they tackle the problem of inappropriate website access by posting acceptable usage guidelines on walls next to computers.

However, patrons of libraries can have very different views of what constitutes acceptable use. Many users of library computers take advantage of the lack of Internet policing and use the computers to view hardcore pornography.

While viewing such material is arguably protected under the First Amendment, it can cause distress to other users of libraries. Libraries are visited by people of all ages, including children. It is therefore possible that children may accidentally view highly inappropriate material on other users’ screens.

Libraries that apply for government discounts under the e-rate program are required to comply with the Children’s Internet Protection Act (CIPA). The legislation, which went into effect on April 20, 2001, requires schools and libraries to implement controls to restrict Internet access and prevent the viewing of obscene images, child pornography, and other imagery that is harmful to minors. However, it is only mandatory for libraries to comply with CIPA regulations if they choose to take advantage of e-rate discounts. Many libraries do not.

A recent article in DNA Info has highlighted the extent to which library computers are used to access pornography. One patron recently reported an incident that occurred when she visited Harold Washington Library in Chicago to complete forms on a library computer. She claimed that the person on the computer next to her was viewing hardcore pornography and was taking photographs of the screen using his mobile phone camera.

That individual was viewing material of a very explicit nature, and the screen was in full view of other users of the library. When the woman mentioned what was going on to a security guard, she was told that nothing could be done. The library had chosen to honor patrons’ First Amendment rights, even though those rights were in conflict with public decency. A reporter spoke to one librarian who said “Up here in this branch there’s porn 24/7.”

Most libraries in Chicago do not use web filters to limit access to obscene material, although that is not the case in all libraries in the United States. The reverse is true in libraries in Wisconsin for example.

The American Library Association does not recommend the use of web filters in libraries and instead believes the issue of inappropriate website usage should be tackled in other ways, such as to “remind people to behave well in public.”

The debate over First Amendment rights and the blocking of pornography in libraries is likely to continue for many years to come. However, institutions commonly frequented by individuals under the age of 18, who are not permitted by law to view pornography, should make efforts to protect them from harm. If technical measures such as web filters are not used to block pornography in libraries, at the very least libraries should use privacy screens to limit the potential for minors to view other users’ screens.

Do you believe patrons of libraries should be allowed to view any and all website content? Should First Amendment rights extend to the viewing of pornography in libraries?

Credential Stuffing Attacks on Enterprises Soar Following Major Data Breaches

Credential stuffing attacks on enterprises are soaring according to a recent study conducted by Shape Security. The massive data breaches at the likes of LinkedIn, Yahoo and MySpace have provided cybercriminals with passwords aplenty, and those passwords are replayed in automated login attempts against other sites. Unlike a brute force attack, which guesses passwords, credential stuffing tries known username and password pairs leaked from one service against another, betting that users reuse them.

Organizations that have discovered data breaches rapidly force password-resets to prevent criminals from gaining access to users’ accounts; however, stolen passwords can still be incredibly valuable. A study conducted by Microsoft in 2007 suggested that the average computer user has 25 accounts that require the use of a username and password, while Sophos suggests users have an average of 19 accounts.

Password managers can help individuals keep unique login credentials for every account, but many people do not use one. To remember passwords, people simply recycle them and use the same password over and over again. Cybercriminals are well aware of that fact and use stolen passwords in credential stuffing attacks on websites and mobile applications.

Shape Security suggests that for many enterprises, 90% of login traffic comes from credential stuffing attacks. Those attacks can be highly effective and, since they are automated, require little effort on the part of the attacker. A batch of passwords is purchased from any number of sellers and resellers on darknet marketplaces. A target site is identified and an automated script is developed to log in. The criminals then scale up the assault by renting a botnet, which spreads the attempts across many source addresses and makes it possible to conduct hundreds of thousands of login attempts simultaneously.

Many of the stolen credentials are old, so there is a high probability that passwords will have been changed, but not always. Many people keep the same passwords for years.

The success rate may be low, but the scale of the credential stuffing attacks gives cybercriminals access to hundreds of thousands of accounts.

Shape Security researchers suggest the success rate of these attacks is around 2%. To put this into perspective, if the passwords from the Yahoo data breach were used in credential stuffing attacks, which they almost certainly are, a success rate of 2% would give criminals access to 20 million user accounts.

There is certainly no shortage of passwords to attempt to use to gain access to accounts. According to the report, more than 3 billion username and password combinations were stolen by cybercriminals in 2016 alone. That would potentially give the attackers access to 60 million accounts.

These attacks are not hypothetical. During a 4-month observation period of just one major U.S. retailer in 2016, Shape Security discovered that 15.5 million attempted logins occurred. Even more worrying was that more than 500,000 of the retailer’s customers were using recycled passwords that had previously been stolen from other websites.

Additionally, as a recent report from SplashData has shown, weak passwords continue to be used. The top 25 list of the worst passwords in 2016 still contains very weak passwords such as 123456 and password. These commonly used passwords will also be attempted in brute force attacks. SplashData suggests as many as 10% of Internet users use at least one of the passwords in the top 25 worst password list.

These studies highlight the seriousness of the risk of recycling passwords and send a clear message to organizations: develop mitigations to prevent the use of stolen credentials, such as detecting and rate limiting automated login traffic, checking new passwords against known-breached lists and offering multi-factor authentication, and ensure that password policies are developed and enforced.
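As an added example (not code from the article or from Shape Security), the following Python sketch shows the two practical mitigations the preceding paragraphs call for: spotting a credential stuffing source in authentication logs, and rejecting known-breached passwords at registration or reset time. The log lines and the breached-password list are constructed for the example; the thresholds (five or more distinct accounts from one address with a success rate of 20% or less) and the SHA-1 hashed corpus are assumptions, not figures from the study.

```python
"""Credential stuffing detection and breached-password rejection.

Added example, not from the original article. Log lines, thresholds and the
breached-password corpus are all constructed/assumed for illustration.
"""
import hashlib
from collections import defaultdict

# Constructed sample authentication log (not real data), one event per line:
# "timestamp src_ip username outcome". 203.0.113.7 behaves like a stuffing
# bot (many different accounts, almost all failures); 198.51.100.5 is a normal
# user who mistypes once; 192.0.2.44 is one user retrying a single account.
SAMPLE_LOG = """\
2016-11-04T10:00:01Z 203.0.113.7 alice FAIL
2016-11-04T10:00:01Z 203.0.113.7 bob FAIL
2016-11-04T10:00:02Z 203.0.113.7 carol FAIL
2016-11-04T10:00:02Z 203.0.113.7 dave OK
2016-11-04T10:00:03Z 203.0.113.7 erin FAIL
2016-11-04T10:00:03Z 203.0.113.7 frank FAIL
2016-11-04T10:00:04Z 203.0.113.7 grace FAIL
2016-11-04T10:00:04Z 203.0.113.7 heidi FAIL
2016-11-04T10:00:05Z 203.0.113.7 ivan FAIL
2016-11-04T10:00:05Z 203.0.113.7 judy FAIL
2016-11-04T10:01:10Z 198.51.100.5 alice FAIL
2016-11-04T10:01:25Z 198.51.100.5 alice OK
2016-11-04T10:02:00Z 192.0.2.44 mallory FAIL
2016-11-04T10:02:05Z 192.0.2.44 mallory FAIL
2016-11-04T10:02:09Z 192.0.2.44 mallory FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, min_distinct_users=5, max_success_rate=0.2):
    """Return {ip: (attempts, distinct_users, successes)} for sources that look
    like credential stuffing: many *different* accounts tried from one address
    with a low success rate. The distinct-account count is the key signal; a
    legitimate user retrying a typo hits one account repeatedly."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        stats["ok"] += int(ok)
    flagged = {}
    for ip, stats in per_ip.items():
        distinct = len(stats["users"])
        rate = stats["ok"] / stats["attempts"]
        if distinct >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = (stats["attempts"], distinct, stats["ok"])
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that a flagged source logged into successfully: their password
    is demonstrably in the attacker's list and should be force-reset."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


# Constructed "breached" corpus: SHA-1 of a few entries of the kind found on
# worst-password lists. A real deployment would use a large leaked-credential
# corpus; the hashing scheme here is an assumption for the example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "qwerty", "12345678", "111111")
}


def password_is_breached(password):
    """True if the candidate password appears in the breached corpus."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def password_policy_ok(password, min_len=12):
    """Policy check for registration/reset: reject short or breached passwords."""
    return len(password) >= min_len and not password_is_breached(password)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(ev)
    for ip, (attempts, distinct, ok) in hits.items():
        print(f"{ip}: {attempts} attempts, {distinct} accounts, {ok} successes")
    print("force reset:", compromised_accounts(ev, hits))
```

The distinguishing signal is the number of distinct accounts tried per source, not the raw failure count: a user mistyping a password hits one account, whereas a stuffing bot walks through a list. Because a rented botnet spreads attempts across many addresses, production detection would also key on attributes such as user agent, network and request timing, and would be paired with rate limiting and multi-factor authentication rather than blocking alone.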

Two U.S. States Propose Stricter Internet Censorship Laws

Internet censorship laws in two U.S. states may be augmented, forcing Internet service providers and device manufacturers to implement technology that blocks obscene material from being viewed on Internet-connected devices.

North Dakota has recently joined South Carolina in proposing stricter Internet censorship laws to restrict state residents’ access to pornography. There is growing support for stricter Internet censorship laws in both states to block pornography and websites that promote prostitution, and it is believed that stricter Internet censorship laws will help reduce human trafficking in the states.

The new Internet censorship laws would not prevent state residents from accessing pornography on laptops, computers and smartphones they already own, as the technology would only be required on new devices sold in the two states. Any new device purchased would be required to have “digital blocking capability” to prevent obscene material from being accessed. Should the new Internet censorship laws be passed, state residents would be required to pay $20 to have the Internet filter removed.

The proposed law in North Dakota – Bill 1185 – classifies Internet service providers’ routers and all laptops, computers, smartphones, and gaming devices that connect to the Internet as “pornographic vending machines” and the proposed law change would treat those devices as such. The bill would also require device manufacturers to block ‘prostitution hubs’ and websites that facilitate human trafficking. If passed, the ban on the sale of non-filtered Internet devices would be effective from August 1, 2017.

Lifting of the block would only be possible if a request to remove the Internet filter was made in writing, the individual’s age was verified face to face, and a $20 fee was paid. Individuals wishing to lift the block would also be required to receive a written warning about the dangers of removing the Internet filter.

The fees generated by the state would be directed to help offset the harmful social effects of obscene website content, such as funding the housing, legal and employment costs of victims of child exploitation and human trafficking. Fees would be collected at point of sale.

Device manufacturers would have a duty to maintain their Internet filter to ensure that it continues to remain fully functional, but also to implement policies and procedures to unblock non-obscene website content that has accidentally been blocked by filtering software. A system would also be required to allow requests to be made to block content that has somehow bypassed the Internet filtering controls. Requests submitted would need to be processed in a reasonable time frame. Failure to process the requests promptly would see the company liable to pay a $500 fine per website/webpage.

State Representative Bill Chumley (R-Spartanburg) introduced similar updates in South Carolina last month, proposing changes to the state’s Human Trafficking Prevention Act. Both states will now subject the proposed bills to review by their respective House Judiciary Committees.

Why a Restaurant WiFi Filtering Service is Now Essential

A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.

WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – That hardly makes for a pleasant dining experience.

However, there is another important reason why a restaurant WiFi filtering service should be used. It protects not only diners using the free WiFi network from a range of web-borne threats, but also the restaurant’s own computer systems.

Each year, many restaurants discover that their computers and networks have been infected with malware. Many infections are opportunistic; however, restaurants are also being deliberately targeted by cybercriminals. If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with a debit or credit card could have their card data sent to the hacker.

Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system gives a cybercriminal a steady source of card numbers. Each year there are many examples of restaurants attacked in this manner. One of the latest restaurant chains to be attacked was Popeyes Louisiana Kitchen, a multinational chain of fried chicken and fast food restaurants.

Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals with credit and debit cards had their card numbers captured by the malware and passed on to the attackers.

Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of compromise. That analysis revealed a malware infection that was passing card data to the attacker, and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected, located in Georgia, North Carolina, and Texas. The malware has since been removed, although card details captured during the infection window can still be used for fraud, and the cyberattack undoubtedly caused reputational damage for the chain.

Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.

A restaurant WiFi filtering service will not protect against every possible type of attack, but it does offer excellent protection against web-borne threats. A web filtering service can also block users’ attempts to visit malicious links sent in spam and phishing emails. A restaurant WiFi filtering service will also ensure that family-friendly Internet access is provided to customers, something that is increasingly important for parents when choosing a restaurant.

To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFi filtering service for 30 days without charge, contact the TitanHQ team today.

Advantages and Disadvantages of Internet Filtering in Libraries

There are advantages and disadvantages of Internet filtering in libraries. Even though there are some potential drawbacks to filtering the Internet, an increasing number of libraries in the United States are now opting to use a web filtering solution.

What are the Advantages and Disadvantages of Internet Filtering in Libraries?

Controlling the types of content that can be accessed via library computers has sparked many debates. The American Library Association (ALA) for instance does not recommend Internet filtering. The problem, according to ALA, is that blocking Internet content in libraries “compromises First Amendment freedoms and the core values of librarianship.”

While it is true that libraries are institutions for learning, restricting access to certain types of website content is particularly important to ensure that children are protected. Unrestricted access to the Internet means minors could all too easily view imagery that could cause harm: Pornography for instance.

The ALA says it is better to tackle the problem of inappropriate Internet access with educational programs rather than restricting access. While the ALA understands that children should be protected from obscene and other potentially harmful website content, teaching children how to use the Internet correctly – and how to search for information – is viewed as a reasonable measure to limit harm.

However, for adults, training is likely to prove less effective. If an adult wishes to access illegal or inappropriate website content, acceptable usage policies and educational programs may not prove effective. Children may also choose to ignore library rules and access inappropriate content.

While many Americans have welcomed the use of Internet filtering in libraries to restrict access to obscene or illegal material, there has been concern raised about how the use of Internet filters could potentially limit access to ideas and valuable information. The main disadvantage of controlling Internet access in libraries is not the restriction of access to certain types of web content that have little to no educational value, but the overblocking of website content.

Some Internet filtering solutions lack granular controls which make it easy for libraries to inadvertently restrict access to valuable material. One example would be blocking of sexual content. Blocking sexual content would prevent pornography from being viewed, but potentially also valuable information on sex education: Sexually transmitted diseases or information on LGBT issues for instance. However, with the right solution, it is possible to carefully control Internet content without accidentally blocking valuable educational material.

Internet Content Filtering Helps Libraries Meet Digital Inclusion Goals

The debate over the advantages and disadvantages of Internet filtering in libraries is likely to go on for some time to come, although for many libraries the decision is now becoming less about First Amendment freedoms and more about money.

Libraries face considerable financial pressures, which can be eased with state and federal grants. The Children’s Internet Protection Act requires libraries that take those benefits to implement an Internet filter to block obscene images, child pornography, and other imagery that could be harmful to minors. Compliance is not mandatory for libraries in general, although it is a prerequisite for obtaining certain grants and for discounts under the E-rate program.

Library Services and Technology Act grants are also available, but unless an Internet content filter is in place those funds cannot be used for Internet technology, which can limit the ability of libraries to meet their digital inclusion goals and better serve local communities.

The ALA will not – at the present time at least – recommend the use of Internet filtering in libraries, although the organization does concede that some libraries rely on federal or state funding in order to provide patrons with computers and Internet access.

The message to these institutions is to choose a solution which will “mitigate the negative effects of filtering to the greatest extent possible.”

Libraries can implement an internet content filtering solution to block the minimum level of content in order to comply with state and federal regulations. Policies can be implemented to allow content to be unblocked, if it has been inadvertently blocked by a content filtering solution.

It is then possible to receive funding that will allow them to better serve their communities and meet digital inclusion goals, while ensuring that children – and to a lesser extent adults – are appropriately protected.

Why WebTitan is an Ideal Internet Filtering Solution for Libraries

With WebTitan, libraries can control Internet access to meet CIPA requirements and qualify for discounts and grants, while mitigating the negative effects of Internet control. WebTitan features highly granular controls allowing librarians to precisely control the types of web content that can be accessed by patrons. Since the administration control panel is intuitive and easy to use, requests to unblock specific webpages can be easily processed by library staff, without the need for any technical skill.

To find out more about using WebTitan in libraries contact TitanHQ today. You will also receive full assistance setting up WebTitan for a free 30-day trial and can discover for yourself how easy it is to meet CIPA requirements without overblocking website content.

59% of Companies Increased Cybersecurity Spending in 2016

Cybersecurity spending in 2016 was increased by 59% of businesses according to PwC. Cybersecurity is now increasingly being viewed as essential for business growth, not just an IT cost.

As more companies digitize their data and take advantage of the many benefits of the cloud, the threat of cyberattacks becomes more severe. The past 12 months have already seen a major increase in successful cyberattacks and organizations around the world have responded by increasing their cybersecurity spending.

The increased threat of phishing attacks, ransomware and malware infections, data theft and sabotage has been a wake-up call for many organizations; unfortunately, for many that wake-up call only comes once an attack has taken place. However, forward-thinking companies are not waiting for attacks, are increasing spending on cybersecurity, and are already reaping the benefits. They experience fewer attacks, client and customer confidence increases, and they gain a significant competitive advantage.

The annual Global State of Information Security Report from Pricewaterhouse Coopers (PwC) shows that companies are realizing the benefits of improving cybersecurity defenses. More than 10,000 individuals from 133 countries took part in the survey that provided data for the report. 59% of respondents said that their company increased cybersecurity spending in 2016. Technical solutions are being implemented, although investment in people has also increased.

Cybercriminals are bypassing complex, multi-layered cybersecurity defenses by targeting employees. Organizations have responded by increasing privacy training. 56% of respondents say all employees are now provided with privacy training, and with good reason.

According to the report, 43% of companies have reported phishing attacks in the past 12 months, with this attack vector the most commonly cited method of attack. The seriousness of the threat was highlighted by anti-phishing training company PhishMe. The company’s Enterprise Phishing Susceptibility and Resiliency Report showed 90% of cyberattacks start with a spear phishing email. Given how effective training can be at reducing the risk from phishing, increasing spending on staff training is money well spent.

The same is true for technical cybersecurity solutions that reduce phishing risk. Two of the most important solutions are antispam and web filtering solutions, with each tackling the problem from a different angle. Antispam solutions are employed to prevent phishing emails from reaching employees’ inboxes, while web filtering solutions are being used to block access to phishing websites. Along with training, companies can effectively neutralize the threat.

Many companies lack the staff and resources to develop their own cybersecurity solutions; however, the range of managed security services now available is helping them to ensure that their networks, data, and systems are adequately protected. According to the PwC report, 62% of companies are now using managed security services to meet their cybersecurity and privacy needs. By using partners to assist with the challenge of securing their systems, organizations are able to use limited resources to better effect and concentrate those resources on other areas critical to business processes.

There has been a change in how organizations view cybersecurity over the past few years. Rather than seeing cybersecurity as simply a cost that must be absorbed, it is now increasingly viewed as important for business growth. According to PwC US and Global Leader of Cybersecurity and Privacy David Burg, “To remain competitive, organizations today must make a budgetary commitment to the integration of cybersecurity with digitization from the outset.” Burg also points out, “The fusion of advanced technologies with cloud architectures can empower organizations to quickly identify and respond to threats, better understand customers and the business ecosystem, and ultimately reduce costs.”

Doxware – A New Ransomware Threat to Deal with in 2017

Companies must now deal with a new ransomware threat: 2017 is likely to see a proliferation of doxware attacks.

2016 was the year when cybercriminals fully embraced ransomware and used it to devastating effect on many organizations. As 2016 started, the healthcare industry was heavily targeted. Cybercriminals rightly assumed that the need for healthcare professionals to access patient data would mean ransom payments would likely be paid. That was certainly the case with Hollywood Presbyterian Medical Center. An attack resulted in a ransom of $17,000 being paid to allow the medical center to regain access to patient data and computer systems

Hospitals throughout the United States continued to be attacked, and not only in the United States: attacks spread to the United Kingdom and Germany. The education sector was also hit heavily. Many schools and universities were attacked and were forced to pay ransoms to obtain keys to unlock their data.

Between April 2015 and March 2016, Kaspersky Lab reported that ransomware infections rose by 17.7%. The figures for April 2016 to March 2017 are likely to show an even bigger rise. Ransomware has rarely been out of the news headlines all year.

Cybercriminals are making stealthier and more sophisticated ransomware variants to avoid detection and cause more widespread disruption. Widespread media coverage, warnings by security companies and law enforcement agencies, and the likely costs of dealing with attacks has led many companies to improve their defenses and develop strategies to recover from infections.

With ransom demands of tens of thousands of dollars – or in some cases hundreds of thousands of dollars – and widespread attacks, the threat can no longer be ignored.

One of the best ways of avoiding having to pay a sizeable ransom is to ensure data are backed up. Should ransomware be installed, IT departments can wipe their systems, restore files from backups, and make a quick recovery.

Ransomware is only an effective income generator for cybercriminals if ransoms are paid. If companies can easily recover, and restoring data from backups is cheaper than paying a ransom, cybercriminals will have to look elsewhere to make their money.

However, ransomware is far from dead. Cybercriminals are changing their tactics. Ransomware is still being used to encrypt data, but an extra incentive is being added to the mix to increase the chance of a ransom being paid.

Doxware: The New Ransomware Threat

Doxware, like ransomware, encrypts data and a ransom demand is issued. However, in addition to encrypting data, information is also stolen. The gangs behind these attacks up the ante by threatening to publish sensitive data if the ransom is not paid.

If access is gained to corporate emails or other electronic conversations, the potential harm that can be caused is considerable. Reputation damage from doxware can be considerable, making payment of a ransom far preferable to recovering data from a backup. If intellectual property is stolen and published, the consequences for a company could be catastrophic.

2016 has already seen extortion attempts by hackers who have infiltrated networks, stolen data, and threatened its release if ransom payments are not made. TheDarkOverlord attacks on healthcare providers are just one example. However, in those attacks data were simply stolen. The combination of data theft with ransomware would be more likely to see ransoms paid. Already we have seen ransomware variants that combine an information stealing component and 2017 is likely to see the problem get far worse.

Crackdown on Fake News Shines Light on Typosquatting and Cybersecurity Risks

The proposed crackdown on fake news websites has shone a light on the use of typosquatting and cybersecurity risks for businesses from employees visiting fake news websites.

Over the past few weeks there has been considerable media attention focused on fake news websites and the harm that these fake news stories can cause.

Just as newspapers and news networks can earn big money from being the first to break a new story, there is big money to be made from posting fake news items. The problem is growing and it is now becoming harder to separate fact from fiction. 2016 has seen fake news stories hit the headlines – both the problem itself and the republishing of fake news by the mainstream media.

Fake News Websites are a Serious Problem

This year’s U.S. presidential election has seen the Internet awash with propaganda and fake news posts, especially – but not exclusively – about support for Donald Trump and criticism of Hillary Clinton. Fake news sites such as the Denver Guardian (the periodical doesn’t actually exist) posted news about rigging of the election. Genuine news organizations notably picked up on a story about Denzel Washington supporting Trump; however, the original story was taken from a fake news site. Of course, these are just two of many hundreds of thousands of fake news stories published throughout the year.

All too often fake news stories are silly, satirical, or even humorous; however, they have potential to cause considerable harm and influence the public. Potentially, they could change the outcome of an election.

Consumers are now increasingly basing their opinions on fiction rather than fact. Fake news is nothing new of course, but the U.S. presidential election has brought it to the forefront and has highlighted the extent to which it is going on – on a scale never before seen.

Governments worldwide are now taking action to crack down on the problem. Germany and Indonesia have joined the U.S. in the fight against fake news stories and there have been calls for greater regulation of online content.

Facebook has received considerable criticism for failing to do enough to prevent the proliferation of fake news. CEO Mark Zuckerberg dismissed the idea that fake news on Facebook was influential in the election – “the idea that fake news on Facebook, which is a very small amount of the content, influenced the election in any way, I think is a pretty crazy idea.” However, last month he confirmed a new initiative to address hoaxes and fake news. Facebook is to make it easier for users to report fake news stories, third-party fact checkers will be enlisted, news websites will be analyzed more closely, and stories will be pushed down the rankings if they are getting fewer shares.

All of the attention on fake news sites has highlighted a tactic that is being used to spread fake news – a tactic that has long been used by cybercriminals to spread malware: Typosquatting.

Typosquatting and Cybersecurity Risks

Typosquatting – otherwise known as URL hijacking – is the use of a domain name that closely resembles a popular, trusted brand to fool web surfers into thinking a website is genuine. The fake news scandal brought attention to the tactic after fake news items were posted on spoofed news websites such as usatoday.com (usatoday.com.com) and abcnews (abcnews.com.co).

To the incautious or busy website visitor, the URL may only get a casual glance. The slightly different URL is unlikely to be spotted. This may only result in website visitors viewing fake news, although in many cases it can result in a malware download. Cybercriminals use this tactic to fool web surfers into visiting malicious websites where malware is automatically downloaded.

Typosquatting is also used on phishing websites and for fake retail sites that relieve visitors of their credit card information or other sensitive credentials.

Even fake news sites are a problem in this regard. They often contain third-party adverts – this is one of the ways that fake news stories generate income for the posters. Those adverts are often malicious. The site owners are paid to display the adverts or send visitors to malicious websites. Adverts are also used to direct visitors to fake retail sites – zappoos.com or Amazoon.com for example. Many fake news sites are simply used as phishing farms.
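The look-alike domains named above (usatoday.com.com, abcnews.com.co, zappoos.com, Amazoon.com) can be caught with two simple checks: a protected brand appearing as a whole label under the wrong suffix, and a label one edit away from a brand. The following is an added example of such a check, not TitanHQ or WebTitan code; the brand list and sample links are constructed for illustration.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Brands to protect, mapped to their genuine registrable domain.
# Constructed list for this example; a deployment would maintain its own.
PROTECTED_BRANDS: Dict[str, str] = {
    "usatoday": "usatoday.com",
    "abcnews": "abcnews.com",
    "zappos": "zappos.com",
    "amazon": "amazon.com",
    "facebook": "facebook.com",
}

# Labels never treated as a misspelt brand (TLDs and common prefixes).
GENERIC_LABELS = {"www", "com", "co", "net", "org", "uk", "info", "io"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased host part of a URL or of a bare domain name."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand) for one URL.

    legitimate            host is the genuine domain or a subdomain of it
    lookalike-brand-label brand is a whole label but the suffix differs
                          (usatoday.com.com, abcnews.com.co)
    lookalike-near-miss   a label is one edit away from the brand
                          (zappoos.com, amazoon.com)
    unknown               no protected brand involved
    """
    host = hostname_of(url)
    labels = host.split(".")
    for brand, genuine in PROTECTED_BRANDS.items():
        if host == genuine or host.endswith("." + genuine):
            return "legitimate", brand
    for brand in PROTECTED_BRANDS:
        if brand in labels:
            return "lookalike-brand-label", brand
    for label in labels:
        if label in GENERIC_LABELS or len(label) < 4:
            continue
        for brand in PROTECTED_BRANDS:
            if levenshtein(label, brand) == 1:
                return "lookalike-near-miss", brand
    return "unknown", None


# Constructed sample links, including the look-alikes named in the article.
SAMPLE_LINKS = [
    "https://www.usatoday.com/news/",
    "http://usatoday.com.com/story.html",
    "abcnews.com.co/breaking",
    "https://zappoos.com/checkout",
    "Amazoon.com",
    "https://www.bbc.co.uk/news",
]


def scan(urls) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every URL; a filter would block the two lookalike verdicts."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for link, (verdict, brand) in scan(SAMPLE_LINKS).items():
        print(f"{verdict:22} {brand or '-':9} {link}")
```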

While consumers can be defrauded, businesses should also take note. Since many of these sites are used to either spread malware or direct users to malicious sites where malware is downloaded, fake news sites are a serious cybersecurity risk.

Governments and social media networks may be taking a stand against these malicious sites, but businesses should also take action. All it takes is for one user to visit a malicious site for malware or ransomware to be downloaded.

Fortunately, it is possible to reduce risk with a web filtering solution. Web filtering solutions such as WebTitan can be used to block access to websites known to contain malware. Malicious websites are rapidly added to global blacklists. If a web filtering solution is used, an employee will be prevented from visiting a blacklisted site, which will prevent a malware download.

Malicious adverts can also be blocked and prevented from being displayed. Malicious links on fake news sites can also easily be blocked. Users can also be prevented from visiting websites when clicking on links to the sites in emails or on social media websites.

For further information on the full range of benefits of WebTitan and to find out how you can sign up for a free 30-day trial of WebTitan, contact TitanHQ today.

Anti-Phishing Solutions for Businesses Required to Tackle Growing Phishing Risk

Anti-phishing solutions for businesses are now an essential element of cybersecurity defenses. The risk from phishing websites has grown considerably in 2016, and 2017 is likely to see the problem become much more severe. 

Anti-Phishing Solutions for Businesses Now a Necessity

Cybercriminals are using increasingly sophisticated tactics to infect end users with malware and ‘phish’ for sensitive information such as credit card details, email login credentials, and other sensitive data that can be used for identity theft and fraud. Cybercriminals have changed their tactics to infect more end users and bypass traditional cybersecurity defenses.

In the past it was common for domains to be registered by cybercriminals and only used for phishing or to spread malware. Sooner or later the websites would be reported as malicious in nature, and those domains would be added to global blacklists. As the sites were blocked, the cybercriminals would simply buy another domain and repeat the process. Phishing websites used to remain active for weeks or even months before they ceased to be effective. However, cybersecurity firms are now faster at detecting malicious websites and adding them to blacklists.

Cybercriminals are aware that phishing websites and malicious webpages have a very short shelf life and will only remain effective for a few days before they are blocked. In response, they have changed tactics and are now creating webpages which are only used for very short periods of time.

New webpages are now being created faster and in higher volumes. Those webpages now remain active for less than 24 hours in the majority of cases. Cybercriminals are hijacking legitimate websites with poor security controls or unaddressed vulnerabilities. Malicious URLs are then created and hidden on those domains. Cybercriminals have now all but abandoned malicious websites in favor of single URLs on otherwise benign websites.

The volume of phishing websites has also increased considerably in 2016. Studies now suggest that around 400,000 phishing websites are being detected every month of the year.

Web Filtering Solutions Can Significantly Reduce Risk

There are many anti-phishing solutions for businesses that can be adopted to reduce risk, although one of the most effective tools is an advanced web filter. A web filter can be used to prevent users from visiting malicious websites and webpages that are used to phish for sensitive information or infect end users with malware.

While it was possible for standard web filtering solutions to protect against the risk from phishing by comparing domains against blacklists, it is now essential for each webpage to be checked to determine whether it is malicious. Each URL must also be checked each time it is visited to make sure that it has not been hijacked and used for phishing or to spread malware. For that an advanced web filtering solution is needed, such as WebTitan.

WebTitan checks each webpage that an end user attempts to visit in a fraction of a second, with no noticeable latency (slowing of webpage loading). If a website or webpage is identified as malicious, the end user will be prevented from accessing that webpage.

WebTitan allows businesses to further protect their networks by restricting access to certain categories of websites which are commonly used by cybercriminals to spread malware. Since these websites have no legitimate work purpose, they can be easily blocked without any negative impact on the business. In fact, businesses are likely to see significant increases in employee productivity as a result.

Cybercriminals are also increasingly using third party advertising blocks on legitimate websites to display malicious adverts. Those adverts redirect visitors to malicious websites containing exploit kits. Some of those adverts require no user interaction at all – visitors are automatically redirected to websites where drive-by malware downloads occur. WebTitan can be configured to prevent these adverts from being displayed, thus neutralizing the risk.

Cybercriminal activity has been steadily increasing, yet employing an advanced web filtering solution such as WebTitan can help businesses stay one step ahead of cybercriminals and keep their networks malware free.

For further information on the capabilities of WebTitan, to find out how easy it is to protect your end users and networks from attack, and to register for a free 30-day trial of WebTitan, contact TitanHQ today.

Why Web Filtering for Managed Service Providers is Now Essential

The increase in cyberattacks and proliferation of web-borne threats has made web filtering for Managed Service Providers one of the most important, and profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense.

Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSP's service stack.

Cybercriminals Have Switched from Email to the Web to Spread Malware

Email remains one of the most likely routes by which malware can be installed. Malicious email volume is growing, and in Q3 2016 Proofpoint discovered 96.8% of malicious attachments were used to download Locky ransomware. Blocking malicious spam email messages is therefore an essential element of any organization’s cybersecurity defense strategy. However, times are changing. The threat from web-borne attacks has increased significantly in the past few years.

Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages and that they now conduct end user training to warn employees of the risks of opening email attachments or clicking on hyperlinks sent by strangers.

However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.

The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.

Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.

As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely identified as malicious and the malware downloads that result from visiting malicious websites go undetected.

Web-Borne Threats have Increased Substantially in Recent Years

Cybercriminals use exploit kits – malicious software that probes for vulnerabilities in browsers – on hijacked webpages and purpose designed, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions and these flaws can be exploited and leveraged to download malware and ransomware. Each time a new flaw is identified, it is rapidly added to a swathe of exploit kits.

Anti-virus software is capable of detecting a high percentage of malware and preventing the malicious software from being installed on computers; however, new forms of malware are being released at an unprecedented rate. A new malware is now released every 4 seconds. Naturally, there is a lag between the release of new malware and the addition of its signature into antivirus software companies’ virus definition lists. Visits to malicious websites all too often result in malware installations that go undetected.

Malicious websites are constantly being created. Google reports that since July 2013, 113,132 new phishing websites have been created and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.

Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.

New Threats are Constantly Being Developed

The range of threats is also increasing. Malware-infected websites are conducting Cross Site Request Forgery (CSRF) attacks, Cross-Component attacks, and SQL injection attacks, as well as exploiting vulnerabilities in popular Internet applications such as Adobe Flash, JSON, JavaScript, XPath and XML. Keeping all of these applications 100% up to date, 100% of the time is simply not possible for businesses, and any out-of-date software could be exploited.

Malware is used to log keystrokes to obtain login credentials for further, more sophisticated attacks. Banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic. 40% of businesses have now been attacked with ransomware.

Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.

These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:

Infographic: Web Filtering for Managed Service Providers (MSPs)

WebTitan Cloud – Web Filtering for Managed Service Providers

Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.

Given the range of threats and the extent to which cybercriminals are using the web, it is now essential for organizations to add web filtering to their cybersecurity defenses. Consequently, web filtering for Managed Services Providers presents a huge opportunity for growth. TitanHQ has seen a significant increase in uptake of its web filtering for Managed Service Providers in recent months as MSPs have started to appreciate the huge potential web filtering for Managed Services Providers has to improve bottom lines.

WebTitan can be rapidly added to an MSP's service stack and is an easy sell to clients. WebTitan can be deployed remotely and rapidly installed and configured. The solution is automatically updated, requires little to no IT support, and is technology agnostic, so it has an extremely low management overhead. The solution also has excellent scalability and can be used to protect any number of end users.

MSPs can be provided with a white-label version of WebTitan Cloud ready for branding, and WebTitan Cloud can even be hosted within an MSP's own environment. Perhaps most important for MSPs is the high-margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.

Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.

Beware of Social Media Ransomware Attacks

This month, security researchers have discovered cybercriminals are conducting social media ransomware attacks using Facebook Messenger and LinkedIn. Social media posts have long been used by cybercriminals to direct people to malicious websites containing exploit kits that download malware; however, the latest social media ransomware attacks are different.

According to researchers at CheckPoint Security, the social media ransomware attacks take advantage of vulnerabilities in Facebook Messenger. Files with double extensions are being sent through Facebook Messenger: they appear to be JPEG or SVG images, but are actually hta or js files with the ability to download malicious files, including ransomware.

CheckPoint says “The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file.” The report goes on to say “This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” No technical details have been released as CheckPoint claim the vulnerability has yet to be fixed by Facebook.

Earlier this week, security researcher Bart Blaze claimed to have also identified a Facebook Messenger campaign that was allegedly being used to spread Locky ransomware. Blaze said an SVG image was being sent via Facebook Messenger that contained malicious JavaScript code that installed a malware downloader called Nemucod. Nemucod subsequently downloaded Locky. This is also the first time that the actors behind the infamous Locky ransomware are believed to have used Facebook Messenger to spread infections.

Facebook responded to Blaze’s claim saying the problem was not related to Messenger, but involved bad Chrome extensions. Facebook said the problem had been reported to the appropriate parties.

Ransomware Attacks on the Rise

According to the Kaspersky Security Network, ransomware attacks on SMBs have increased eightfold in the past 12 months. The problem is also getting worse. More than 200 ransomware families have now been discovered by security researchers, and new forms of the malicious file-encrypting software are being released on a daily basis.

Any business that is not prepared for a ransomware attack, and has not implemented security software to protect computers and networks, is at risk of being attacked. A recent survey conducted by Vanson Bourne on behalf of SentinelOne showed that 48% of organizations had been attacked with ransomware in the past 12 months. Those companies had been attacked an average of 6 times.

How to Prevent Social Media Ransomware Attacks

Social media ransomware attacks are a concern for businesses that do not block access to social media platforms in the workplace. It is possible to prevent employees from accessing social media websites using WebTitan, although many businesses prefer to allow employees some time to access the sites. Instead of blocking access to Facebook, businesses can manage risk by blocking Facebook Messenger. With WebTitan, it is possible to block Facebook Messenger without blocking the Facebook website.

If WebTitan is installed, webpages that are known to contain malware or ransomware downloaders will be blocked. When individuals link to these malicious websites in social media posts, employees will be prevented from visiting those sites. If a link is clicked, the filtering controls will prevent the webpage from being accessed.

To find out more about how WebTitan can protect your organization from web-borne threats such as ransomware and to register for a free trial of WebTitan, contact the Sales Team today.

The Risks of Social Media In Business

Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: there are many risks of social media in business and the costs can be considerable.

Social Media Use Can be a Huge Drain on Productivity

When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.

If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.

Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.

Social media site use is not all bad, in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.

The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.

The Cost of Social Media Use Can Be Severe

Productivity losses can have a serious negative impact on profits, but there are far bigger costs to employers from social media site use. In fact, the risks of social media in business are considerable.

The cost from lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by hackers to infect computers. Just visiting a malicious Facebook or Twitter link can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical. The more time employees spend on non-work related Internet activities, the greater the risk of a malware infection.

Is there a genuine risk? According to PC Magazine, the risks are very real. There is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.

Controlling employees’ use of the Internet can not only result in huge increases in productivity, it can also help to reduce the risk of malware and ransomware infections. Further, by limiting the sites that can be accessed by employees, organizations can greatly reduce legal liability.

Fortunately, there is a simple, cost-effective, and reliable solution that allows organisations to effectively manage the risks of social media in business: WebTitan.

Managing the Risks of Social Media in Business

WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.

If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.

To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.

Infographic: Risks of Social Media in Business

How to Block Facebook Chat at Work

One of the questions most frequently asked of the WebTitan customer support team is how to block Facebook chat at work without blocking access to Facebook entirely.

Why Block Facebook Chat at Work?

There are many reasons why an organization would want to prevent employees from accessing Facebook. Social media websites can be a drain on productivity. Some employees may spend hours of each day accessing and updating their Facebook account, which is time spent not working.

However, an employee cannot remain productive for a full eight hours each day. By allowing access to Facebook – and other social media sites – employers can actually increase productivity, providing social media site use is kept within acceptable limits.

If employees take short breaks throughout the day and access Facebook for a few minutes every hour, they are likely to be more productive. Morale can also be improved with a little social media site use.

However, there is the question of security to consider and Facebook chat is a particular cause for concern. Many organisations believe Facebook Chat is a security risk. Use of Facebook chat can increase the risk of malware infections. The chat function also lacks the security standards demanded by many organizations and makes it too easy for employees to share sensitive corporate data. Use of Facebook chat is also difficult to police.

How to Block Facebook Chat Without Blocking Facebook Access

With WebTitan Cloud it is easy to block Facebook chat at work without blocking Facebook access entirely. The process takes just a few seconds and is detailed in the video presentation below (and described underneath).

To block Facebook chat at work, open your WebTitan Cloud administration panel and navigate to “Filtering URL keywords.”

To block Facebook chat you need to add in two blacklisted keywords. Enter in the first keyword:

ajax/updatestatus.php

Then set filter options to ‘find keyword in entire URL’.

The second keyword that must be blocked is:

ajax/mercury/send_messages.php

As before, set filter options to ‘find keyword in entire URL’.

These two files are used by Facebook chat and if the files are blocked, the Facebook chat will not function, although the Facebook website will still be accessible.

In order for URL keywords to work correctly it is necessary to have the SSL certificate pushed out to the browsers. Further information on how to do this via GPO or manually can be found in the help section on the WebTitan website.

Visit the link below for detailed instructions on how you can download and push out the SSL certificate to browsers.
http://helpdesk.webtitan.com/support/solutions/articles/4000035615-ssl-inspection-certificates
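The two URL-keyword rules above, and the reason the SSL certificate must be pushed out first, can be seen in a stand-alone filter decision. This is an added example written for this article, not WebTitan's own code; the sample requests are constructed, and the `ssl_inspected` flag is an assumption standing in for whether the filter can decrypt HTTPS traffic.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The two keywords from the article, matched anywhere in the URL
# ("find keyword in entire URL").
BLOCKED_URL_KEYWORDS: Tuple[str, ...] = (
    "ajax/updatestatus.php",
    "ajax/mercury/send_messages.php",
)


def url_keyword_match(text: str, keywords=BLOCKED_URL_KEYWORDS) -> Optional[str]:
    """Return the first keyword found anywhere in `text` (case-insensitive),
    or None. `text` is the full URL, or, without SSL inspection, only the
    host name that the filter is able to see."""
    lowered = text.lower()
    for kw in keywords:
        if kw.lower() in lowered:
            return kw
    return None


def filter_decision(url: str, ssl_inspected: bool) -> str:
    """'allow' or 'block' for one request.

    For an HTTPS request without SSL inspection, a filter sees only the server
    name from the TLS handshake, never the path or query string, so a keyword
    that lives in the path cannot match and the request is allowed. Once the
    filter's certificate is trusted by the browser, the request can be
    decrypted and the whole URL is checked, which is what the rules need.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and not ssl_inspected:
        visible = parts.hostname or ""          # host name only
        return "block" if url_keyword_match(visible) else "allow"
    return "block" if url_keyword_match(url) else "allow"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    "https://www.facebook.com/",
    "https://www.facebook.com/photo.php?fbid=123",
    "https://www.facebook.com/ajax/updatestatus.php",
    "https://www.facebook.com/ajax/mercury/send_messages.php?dpr=1",
]


def run_samples(ssl_inspected: bool) -> Dict[str, str]:
    """Decision for every sample request under the given inspection mode."""
    return {u: filter_decision(u, ssl_inspected) for u in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"SSL inspection {'on' if mode else 'off'}:")
        for url, decision in run_samples(mode).items():
            print(f"  {decision:5} {url}")
```

With inspection off every request is allowed, because the chat endpoints are only visible in the path; with inspection on the two chat URLs are blocked while the rest of facebook.com stays reachable.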

Are You Prepared for a Ransomware Attack?

It doesn’t matter which security report you read; one thing is clear. The ransomware problem is becoming worse and the threat greater than ever.

While ransomware attacks in 2015 were few and far between, 2016 has seen an explosion of ransomware variants and record numbers of attacks across all industry sectors. For every ransomware variant that is cracked and decryption software developed, there are plenty more to take its place.

200 Ransomware Families Now Discovered

As if there were not enough ransomware milestones reached this year, there is news of another. The total number of detected ransomware families has now surpassed 200. That’s families, not ransomware variants.

The ransomware families have been catalogued by the ID Ransomware service, part of the Malware Hunter Team. The current count, which may well be out of date by the time this article is finished, stands at 210.

Not only is new ransomware being developed at an unprecedented rate, the latest variants are sneakier and have new capabilities to avoid detection. They are also more virulent, encrypt a far wider range of file types, delete backup files, and spread quickly across networks and connected storage devices.

More people are getting in on the act. Ransomware is being rented out as a service to affiliates who receive a cut of the ransoms they collect. Campaigns can now be run with little to no skill. Unsurprisingly there are plenty of takers.

Massive Campaign Spreading New Locky Ransomware Variant

One of the biggest threats is Locky, a particularly nasty ransomware family that first appeared in February 2016. Even though Locky has not been cracked, new variants continue to be released at an alarming rate; this week yet another variant has been discovered. The developers and distributors are also using a variety of techniques to evade detection.

Three separate campaigns have been detected this week after a two-week period of relative quiet. The ransomware is now back with a vengeance, with one of the campaigns reportedly involving an incredible 14 million emails on October 24 alone; 6 million of which were sent in a single hour.

There have been some successes in the fight against ransomware. Earlier this year the No More Ransom project was launched. It is a joint initiative of Europol and the Dutch National Police, and a number of security firms have since collaborated and supplied decryptors to unlock files encrypted by several ransomware strains. So far, decryptors have been uploaded to the site for the following families: Chimera, Coinvault, Rannoh, Rakhni, Shade, Teslacrypt, and Wildfire.

Ransomware Problem Unlikely to Be Solved Soon

Despite the sterling efforts of security researchers, many of the most widely used ransomware strains have so far proved impossible to crack. The authors are also constantly developing new strains and using new methods to avoid detection. The ransomware problem is not going to be resolved any time soon. In fact, the problem is likely to get a lot worse before it gets better.

Last year, an incredible 113 million healthcare records were exposed or stolen. This year looks like it will be a record-breaking year for breaches if incidents continue at the current rate. The sheer number of healthcare records now available to cybercriminals has had a knock-on effect on the selling price. Whereas it was possible to buy a complete set of health data for $75 to $100 last year, the average price for healthcare records has now fallen to between $20 and $50.

Cybercriminals are unlikely to simply accept a lower price for data. That means more attacks are likely to take place or profits will have to be made up by other means. The glut of stolen data is seeing an increasing number of cybercriminals turn to ransomware.

Are you Prepared for a Ransomware Attack?

With the threat from ransomware increasing, organizations need to prepare for an attack and improve their defenses. An incident response plan for ransomware should be in place so that rapid action can be taken as soon as a device is found to be infected. A fast response limits the spread of the infection and reduces the cost of mitigation, which can be considerable.

Defending against ransomware is a challenge because there are so many delivery routes: malicious websites, malvertising, drive-by downloads, malicious spam emails, and network intrusions. Attackers are no longer only stealing data. Once a foothold has been gained in a network and data have been exfiltrated, ransomware is deployed as a final step.

An appropriate defense strategy includes next generation firewalls, intrusion detection systems, web filtering solutions, spam filters, anti-malware tools, and traditional AV products. It is also essential to provide regular security awareness training to staff to ensure all employees are alert to the threat.

Even with these defenses, some attacks will succeed. Unless a viable backup of the data exists, an organization is left with two options: accept the loss of the data or pay the ransom. Unfortunately, paying does not guarantee recovery. The attackers may be unable to supply working keys, and even when keys exist there is no guarantee they will be handed over after payment.

Since ransomware routinely deletes Windows Volume Shadow Copies, and many variants also encrypt backup files on connected storage devices, at least one backup copy should be kept offline or otherwise isolated from the network, multiple backup copies should be maintained, and restoration from backup should be tested before it is needed.
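As an added example (not from the original article), the following Python runs simple detection logic over constructed process-creation log lines to catch the commands ransomware typically uses to destroy local recovery data before encrypting. The key=value log layout, field names, rule names and the `detect` and `hosts_to_isolate` functions are assumptions made for illustration; the patterns cover commands that are well documented as ransomware precursors but should be adapted to whatever your endpoint logging (for example Sysmon Event ID 1 or Windows Event 4688) actually emits. Catching these early is one of the few points where the "rapid action" the article calls for can still prevent encryption.

```python
import re

# Commands ransomware routinely runs to destroy local recovery data before
# (or while) encrypting files. Rule names are hypothetical; tune the patterns
# to your own endpoint logging source.
BACKUP_DESTRUCTION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed process-creation events in a simplified key=value layout
# (the fields Sysmon Event ID 1 or Windows Event 4688 would carry).
SAMPLE_LOG_LINES = [
    r'2016-10-25T09:14:02Z host=WS-042 user=CORP\jsmith parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    r'2016-10-25T09:14:07Z host=WS-042 user=CORP\jsmith parent=C:\Users\jsmith\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2016-10-25T09:14:09Z host=WS-042 user=CORP\jsmith parent=C:\Users\jsmith\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
    r'2016-10-25T09:14:11Z host=WS-042 user=CORP\jsmith parent=C:\Users\jsmith\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled No"',
    r'2016-10-25T11:30:00Z host=SRV-BKP1 user=CORP\backupadmin parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe list shadows"',
]

# key=value pairs; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for m in FIELD_RE.finditer(rest):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def detect(lines) -> list:
    """Return one alert per event whose command line matches a rule.

    The benign 'vssadmin list shadows' from the backup server does not
    match, since only destructive verbs are in the rule set."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmdline", "")
        for rule, pattern in BACKUP_DESTRUCTION_RULES:
            if pattern.search(cmd):
                alerts.append({
                    "ts": ev["ts"], "host": ev.get("host"), "user": ev.get("user"),
                    "parent": ev.get("parent"), "rule": rule, "cmdline": cmd,
                })
                break
    return alerts


def hosts_to_isolate(alerts, threshold: int = 2) -> list:
    """Hosts with at least `threshold` hits. One shadow-copy deletion may be
    an administrator; several destruction commands in a row from the same
    host, launched from a file in %TEMP%, almost never are."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG_LINES)
    for a in hits:
        print(f"{a['ts']} {a['host']} {a['user']} {a['rule']}: {a['cmdline']} (parent {a['parent']})")
    print("isolate:", hosts_to_isolate(hits))
```

The parent process is carried into the alert deliberately: a shadow-copy deletion spawned by an executable in a user's Temp directory is a much stronger signal than the same command run from an administrator's console, and it tells the responder which file to pull for analysis.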

With attacks increasing, there is no time to wait. Now is the time to get prepared.

Time to Enforce Acceptable Usage Policies with a Web Filter

Most employees are required to agree to use the Internet responsibly and are made to sign an acceptable usage policy as part of their induction before being supplied with a user ID. The policies vary in their content from organization to organization, but typically prohibit individuals from using the Internet to access illegal material, visit websites containing pornography, or engage in online activities that have no work purpose. The policies detail prohibited uses and state the penalties if individuals are discovered to have abused their access rights.

For many businesses, this may be deemed to be sufficient. If policies are breached, there are serious repercussions for the individual. For most employees AUPs alone will be sufficient to stop Internet abuse. However, while a breach of AUPs could result in termination of a work contract or serious disciplinary action against an employee, the consequences for a business can be much more severe.

AUPs can protect employers from legal issues resulting from inappropriate Internet use, but they cannot protect against malware and ransomware infections, and the consequences of those can be considerable. Data can be lost or corrupted by malware, and confidential information can be stolen, misused, or sold to criminals on the darknet. The financial and reputational consequences for a business could be catastrophic.

In the case of ransomware infections, the cost can be considerable. Earlier this year, Hollywood Presbyterian Medical Center experienced a ransomware attack in which a ransom of $17,000 was paid to recover data. The costs of dealing with the infection even after the ransom was paid were considerable, not to mention the disruption to operations while data were locked; full access to data was not regained for more than a week.

AUPs used to be sufficient to reduce risk – legal and otherwise – but today much more rigorous controls are required to keep networks secure. To manage the risk effectively, it is important to enforce acceptable usage policies with a technological solution.

The most effective way of ensuring AUPs are adhered to is to enforce acceptable usage policies with a web filtering solution. A web filter can be configured so that the Internet can only be used for activities the employer permits. Controls can be applied to ensure that illegal websites are not visited or to block pornography in the workplace, or stricter controls can be applied to severely restrict access. Most importantly, given the massive rise in ransomware and malware attacks, controls can be enforced to keep networks secure.

To find out more about the benefits of implementing a web filtering solution, how networks can be secured with WebTitan, and for details of pricing, contact the TitanHQ team today.