The U.S. midterm elections have been attracting considerable attention, so it is no surprise that cybercriminals are taking advantage and are running a midterm elections SEO poisoning campaign. It was a similar story in the run up to the 2016 presidential elections and the World Cup. Whenever there is a major newsworthy event, there are always scammers poised to take advantage.
Thousands of midterm elections themed webpages have sprung up and have been indexed by the search engines, some of which are placing very highly in the organic results for high-traffic midterm election keyword phrases.
The aim of the campaign is not to influence the results of the midterm elections, but to take advantage of public interest and the huge number of searches related to the elections and to divert traffic to malicious websites.
What is SEO Poisoning?
The creation of malicious webpages and getting them ranked in the organic search engine results is referred to as search engine poisoning. Search engine optimization (SEO) techniques are used to promote webpages and convince search engine algorithms that the pages are newsworthy and relevant to specific search terms. Suspect SEO practices such as cloaking, keyword stuffing, and backlinking are used to fool search engine spiders into rating the webpages favorably.
The content on the pages appears extremely relevant to the search term to search engine bots that crawl the internet and index the pages; however, these pages do not always display the same content. Search engine spiders and bots see one type of content, human visitors will be displayed something entirely different. The scammers are able to differentiate human and bot visitors through different HTTP headers in the web requests. Real visitors are then either displayed different content or are redirected to malicious websites.
Midterm Elections SEO Poisoning Campaign Targeting 15,000+ Keywords
The midterm elections SEO poisoning campaign is being tracked by Zscaler, which notes that the scammers have managed to get multiple malicious pages ranking in the first page results for high traffic phrases such as “midterm elections.”
However, that is just the tip of the iceberg. The scammers are actually targeting more than 15,000 different midterm election keywords and are using more than 10,000 compromised websites in the campaign. More sites are being compromised and used in the campaign each day.
When a visitor arrives at one of these webpages from a search engine, they are redirected to one of many different webpages. Multiple redirects are often used before the visitor finally arrives at a particular landing page. Those landing pages include phishing forms to obtain sensitive information, host exploit kits that silently download malware, or are used for tech support scams and include various ruses to fool visitors into installing adware, spyware, cryptocurrency miners, ransomware or malicious browser extensions. In addition to scam sites, the campaign is also being used to generate traffic to political, religious and adult websites.
This midterms elections SEO poisoning campaign poses a significant threat to all Internet users, but especially businesses that do not control the content that can be accessed by their employees. In such cases, campaigns such as this can easily result in the theft of credentials or malware/ransomware infections, all of which can prove incredibly costly to resolve.
One easy-to-implement solution is a web filter such as WebTitan. WebTitan can be deployed in minutes and can be used to carefully control the content that can be accessed by employees. Blacklisted websites will be automatically blocked, malware downloads prevented, and malicious redirects to phishing websites and exploit kits stopped before any harm is caused.
For further information on the benefits of web filtering and details of WebTitan, contact the TitanHQ team today.
A new and improved version of Azorult malware has been identified. The latest version of the information stealer and malware downloader has already been used in attacks and is being distributed via the RIG exploit kit.
Azorult malware is primarily an information stealer which is used to obtain usernames and passwords, credit card numbers, and other information such as browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities added.
Azorult malware was first identified in 2016 by researchers at Proofpoint and has since been used in a large number of attacks via exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more commonly, malicious Word files containing malware downloaders.
Back in 2016, the malware variant was initially installed alongside the Chthonic banking Trojan, although subsequent campaigns have seen Azorult malware deployed as the primary malware payload. This year has seen multiple threat actors pair the information stealer with a secondary ransomware payload.
Campaigns have been detected using Hermes and Aurora ransomware as secondary payloads. In both campaigns, the initial aim is to steal login credentials to raid bank accounts and cryptocurrency wallets. When all useful information has been obtained, the ransomware is activated, and a ransom payment is demanded to decrypted files.
A new version of the Azorult was released in July 2018 – version 3.2 – which contained significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have identified a new variant – version 3.3 – which has already been added to RIG. The new variant was released shortly after the source code for the previous version was leaked online.
The new variant uses a different method of encryption, has improved cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and an updated admin panel. The latest version has a lower detection rate by AV software ensuring more installations.
If your operating systems and software are kept fully patched and up to date you will be protected against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many companies are slow to apply patches, which need to be extensively tested. It is therefore strongly advisable to also deploy a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan prevents end users from visiting malicious websites such as those hosting exploit kits.
The latest version of Azorult malware was first listed for sale on October 4. It is highly probable that other threat actors will purchase the malware and distribute it via phishing emails, as was the case with previous versions. It is therefore strongly advisable to also implement an advanced spam filter and ensure that end users are trained how to recognize potentially malicious emails.
TitanHQ, the leading provider of spam filtering, web filtering, and email archiving solutions for managed service providers (MSPs) recently partnered with Datto Networking, the leading provider of MSP-delivered IT solutions to SMBs.
The partnership has seen TitanHQ’s advanced web filtering technology incorporated into the Datto Networking Appliance to provide secure internet access to all users connected the network.
The new technology providing enhanced protection against web-based threats while allowing administrators to carefully control the web content that can be accessed by employees and guest users.
On October 18, 2018, Datto and TitanHQ will be hosting a webinar that will explain the new functionality of the Datto Networking Appliance to MSPs, including a deep dive into the new web filtering technology.
The use of fake software updates to spread malware is nothing new, but a new malware campaign has been detected that is somewhat different. Fake Adobe Flash updates are being pushed that actually do update the user’s Flash version, albeit with an unwanted addition of the XMRig cryptocurrency miner on the side.
The campaign uses pop-up notifications that are an exact replica of the genuine notifications used by Adobe, advising the user that their Flash version needs to be updated. Clicking on the install button, as with the genuine notifications, will update users’ Flash to the latest version. However, in the background, the XMRig cryptocurrency miner is also downloaded and installed. One installed, XMRig will run silently in the background, unbeknown to the user.
The campaign was detected by security researchers at Palo Alto Network’s Unit 42 team. The researchers identified several Windows executable files that started with AdobeFlashPlayer that were hosted on cloud servers not controlled by Adobe.
An analysis of network traffic during the infection process revealed most of the traffic was linked to updating Adobe Flash from an Adobe controlled domain, but that soon changed to traffic through a domain associated with installers known to push cryptocurrency miners. Traffic was later identified over TCP port 14444 that was associated with the XMRig cryptocurrency miner.
Further analysis of the campaign revealed it has been running since mid-August, with activity increasing significantly in September when the fake Adobe Flash updates started to be distributed more heavily.
End users are unlikely to detect the downloading and installation of the XMRig cryptocurrency miner, but there is likely to be a noticeable slowdown in the speed of their computer. The installation of the XMRig cryptocurrency miner may be stealthy, but when it runs it uses almost all of the computer’s CPU for cryptocurrency mining. Any user that checks Task Manager will see Explorer.exe hogging their CPU. As with most cryptocurrency miners, XMRig mines Monero. What is not currently known is which websites are distributing the fake Adobe Flash updates, or how traffic is being generated to those sites.
Any notification about a software update that pops up while browsing the internet should be treated as suspicious. The window should be closed, and the official website of that software provider should be visited to determine if an update is necessary. Software updates should only ever be downloaded from official websites, in the case of Adobe Flash, that is Adobe.com.
The Palo Alto researchers note “Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
In May, security researchers at Proofpoint discovered a spam email campaign that was distributing a new banking Trojan named DanaBot. At the time it was thought that a single threat actor was using the DanaBot Trojan to target organizations in Australia to obtain online banking credentials.
That campaign has continued, but in addition, campaigns have been identified in Europe targeting customers of banks in Italy, Germany, Poland, Austria, and the UK. Then in late September, a further DanaBot Trojan campaign was conducted targeting U.S. banks.
The DanaBot Trojan is a modular malware written in Delphi that is capable of downloading additional components to add various different functions.
The malware is capable of taking screenshots, stealing form data, and logging keystrokes in order to obtain banking credentials. That information is sent back to the attackers’ C2 server and is subsequently used to steal money from corporate bank accounts.
An analysis of the malware and the geographical campaigns shows different IDs are used in the C2 communication headers. This strongly suggests that the campaigns in each region are being conducted by different individuals and that the DanaBot Trojan is being offered as malware-as-a-service. Each threat actor is responsible for running campaigns in a specific country or set of countries. Australia is the only country where there are two affiliates running campaigns. In total, there appears to currently be 9 individuals running distribution campaigns.
The country-specific campaigns are using different methods to distribute the malicious payload, which include the new Fallout exploit kit, web injects, and spam email. The latter is being used to distribute the Trojan in the United States.
The U.S. campaign uses a fax notice lure with the emails appearing to come from the eFax service. The messages look professional and are complete with appropriate formatting and logos. The emails contain a button that must be clicked to download the 3-page fax message.
Clicking on the button will download a Word document with a malicious macro which, if allowed to run, will launch a PowerShell script that downloads the Hancitor downloader. Hancitor will then download the Pony stealer and the DanaBot Trojan.
Proofpoint’s analysis of the malware revealed similarities with the ransomware families Reveton and CryptXXX, which suggests that DanaBot has been developed by the same group responsible for both of those ransomware threats.
The U.S. DanaBot campaign is targeting customers of various U.S. banks, including RBC Royal Bank, Royal Bank, TD Bank, Wells Fargo, Bank of America, and JP Morgan Chase. It is likely that the campaigns will spread to other countries as more threat actors are signed up to use the malware.
Preventing attacks requires defense in depth against each of the attack vectors. An advanced spam filter is required to block malspam. Users of Office 365 should increase protection with a third-party spam filter such as SpamTitan to provide better protection against this threat. To prevent web-based attacks, a web filtering solution should be used. WebTitan can block attempts by end users to visit websites known to contain exploit kits and IPs that have previously been used for malicious purposes.
End users should also trained never to open email attachments or click on hyperlinks in emails from unknown senders, or to enable macros on documents unless they are 100% certain that the files are genuine. Businesses in the United States should also consider warning their employees about fake eFax emails to raise awareness of the threat.
Its conference season and the TitanHQ team is hitting the road again. The TitanHQ team will be travelling far and wide and will be attending the major MSP industry events in the United States and Europe throughout October and November.
The conferences give new and current MSP partners the chance to meet the TitanHQ team face to face, get answers to questions, pick up tips and tricks to get the most out of TitanHQ products, and find out about the latest innovations for MSPs from TitanHQ.
Conference season kicks off with the third annual Kaseya Connect Europe Conference in Amsterdam (October 2-4) at the NH Collection Amsterdam Grand Hotel Krasnapolsky in Amsterdam. Kaseya is the leading provider of complete IT infrastructure management solutions for MSPs, offering best-in-class solutions to help MSPs efficiently manage and secure IT environments for their clients.
TitanHQ is an Emerald Sponsor for the event and will be showcasing its SpamTitan spam filtering and WebTitan web filtering solutions for MSPs. TitanHQ will be at booth 4 at the event, next to Datto and Bitdefender – both of which are TitanHQ partners.
Next stop for the TitanHQ tour bus is the CompTIA EMEA Member & Partner Conference at Etc. Venues County Hall on the south bank of the Thames in London (October 16-17). The Computing Technology Industry Association is the world’s leading tech association, providing education, training, certification, advocacy, philanthropy and market research. The conference brings together members and thought leaders from the entire tech industry with panel discussions, keynote speeches, and the latest news and advice about the key trends and topics impacting the tech industry.
TitanHQ is a key sponsor of the event and will be on hand give product demonstrations and explain about the opportunities that exist for MSPs to add web filtering, spam filtering, and email archiving services to their client offerings.
At the end of October, the TitanHQ team will be heading to sunny Spain for DattoCon18 at the Fairmont Rey Juan Carlos I in Barcelona (October 29-31). The conference is focused on helping business owners run their businesses more effectively through the use of Autotask + Datto solutions. There will be a host of educational sessions and keynote speeches at the event, with plenty of opportunities for networking. TitanHQ will be showcasing its security solutions for MSPs at the conference.
At the start of November, TitanHQ will be in attendance at the leading conference for the WiFi industry. The WiFi Now Europe conference is being held in Berlin ((November 6-8) at the Holiday Inn Berlin City-West. The event offers three full days dedicated to all things WiFi. Attendees will find out about key developments in WiFi and the latest industry trends, with opportunities to learn from industry experts, meet key industry influencers, and discover new business opportunities.
TitanHQ will be showcasing its WebTitan Cloud for WiFi solution at the event and will be explaining how MSPs can incorporate web filtering into their service stacks to provide greater value to their clients and improve their bottom lines
Next comes a quick hop across the Atlantic to the HTG Peer Groups Q4 conference in at the Omni Orlando Resort in Orlando, Florida (October 10-16). HTG is an international consulting, coaching and peer group organization that helps business by igniting personal, leadership, business and legacy transformation to get companies to achieve their full potential.
There will be a full program of events throughout the week including peer group meeting and opportunities for learning and building relationships. TitanHQ will be in attendance and will be showcasing its innovative business security solutions.
Summary of TitanHQ Conference Schedule 2018
October 2-4: Kaseya Connect Europe, Amsterdam, Netherlands. Booth #4
October 16-17: CompTia EMEA Member & Partner Conference; London, UK. Booth #28
October 29-31: DattoCon18, Barcelona, Spain.
November 6-8: WiFi Now, Berlin, Germany.
November 10-16: HTG Peer Groups Q4 Conference, Orlando, FL, USA.
A new version of GandCrab ransomware (GandCrab v5) has been released. GandCrab is a popular ransomware threat that is offered to affiliates under the ransomware-as-a-service distribution model. Affiliates receive a cut of the profits from any ransoms payed by individuals they manage to infect.
GandCrab was first released in January 2018 and fast grew into one of the most widely used ransomware variants. In July it was named the top ransomware threat and is regularly updated by the authors.
There have been several changes made in GandCrab v5, including the change to a random 5-character extension for encrypted files. The ransomware also uses an HTML ransom note rather than dropping a txt file to the desktop.
Bitdefender released free decryptors for early versions of the ransomware, although steps were taken by the authors to improve security for version 2.0. Since version 2.0 was released, no free decryptors for GandCrab ransomware have been developed.
Recovery from a GandCrab v5 infection will only be possible by paying the ransom – approximately $800 in the Dash cryptocurrency – or by restoring files from backups. Victims are only given a limited time for paying the ransom before the price to decrypt doubles. It is therefore essential that backups are created of all data and for those backup files to be checked to make sure files can be recovered in the event of disaster.
Since this ransomware variant is offered under the ransomware-as-a-service model, different vectors are used to distribute the ransomware by different threat actors. Previous versions of the ransomware have been distributed via spam email and through exploit kits such as RIG and GrandSoft. GandCrab v5 has also been confirmed as being distributed via the new Fallout exploit kit.
Traffic is directed to the exploit kit using malvertising – malicious adverts that redirect users to exploit kits and other malicious websites. These malicious adverts are placed on third party advertising networks that are used by many popular websites to provide an extra income stream.
Any user that clicks one of the malicious links in the adverts is redirected to the Fallout exploit kit. The Fallout exploit kit contains exploits for several old vulnerabilities and some relatively recent flaws. Any user that has a vulnerable system will have GandCrab ransomware silently downloaded onto their device. Local files will be encrypted as well as files on all network shares, not just mapped drives.
Whenever a new zero-day vulnerability is discovered it doesn’t take long for an exploit to be incorporated into malware. The publication of proof of concept code for a Task Scheduler ALPC vulnerability was no exception. Within a couple of days, the exploit had already been adopted by cybercriminals and incorporated into malware.
The exploit for the Task Scheduler ALPC vulnerability allows executable files to be run on a vulnerable system with System privileges and has been incorporated into GandCrab v5. The exploit is believed to be used to perform system-level tasks such as deleting Windows Shadow Volume copies to make it harder for victims to recover encrypted files without paying the ransom. Microsoft has now issued a patch to correct the flaw as part of its September Patch Tuesday round of updates, but many companies have yet to apply the patch.
The most important step to take to ensure that recovery from a ransomware attack is possible is to ensure backups are created. Without a viable backup the only way of recovering files is by paying the ransom. In this case, victims can decrypt one file for free to confirm that viable decryption keys exist. However, not all ransomware variants allow file recovery.
Preventing ransomware infections requires software solutions that block the main attack vectors. Spam filtering solutions such as SpamTitan prevent malicious messages from being delivered to inboxes. Web filters such as WebTitan prevent end users from visiting malicious sites known to host exploit kits. Remote desktop services are often exploited to gain system access, so it is important that these are disabled if they are not required, and if they are, they should only be accessible through VPNs.
Patches should be applied promptly to prevent vulnerabilities from being exploited and advanced antimalware solutions should be deployed to detect and quarantine ransomware before files are encrypted.
A new malware threat – named Viro botnet malware – has been detected that combines the file-encrypting capabilities of ransomware, with a keylogger to obtain passwords and a botnet capable of sending spam emails from infected devices.
Viro botnet malware is one of a new breed of malware variants that are highly flexible and have a wide range of capabilities to maximize profit from a successful infection. There have been several recently discovered malware variants that have combined the file-encrypting properties of ransomware with cryptocurrency mining code.
The latest threat was identified by security researchers at Trend Micro who note that this new threat is still in development and appears to have been created from scratch. The code is dissimilar to other known ransomware variants and ransomware families.
Some ransomware variants are capable of self-propagation and can spread from one infected device to other devices on the same network. Viro botnet malware achieves this by hijacking Outlook email accounts and using them to send spam email containing either a copy of itself as an attachment or a downloader to all individuals in the infected user’s contact list.
Viro botnet malware has been used in targeted attacks in the United States via spam email campaigns, although bizarrely, the ransom note dropped on the victims’ desktops is written in French. This is not the only new ransomware threat to include a French ransom note. PyLocky, a recently detected new ransomware threat that masquerades as Locky ransomware, also had a French ransom note. This appears to be a coincidence as there are no indications that the two ransomware threats are related or are being distributed by the same threat group.
With Viro botnet, Infection starts with a spam email containing a malicious attachment. If the attachment is opened and the content is allowed to run, the malicious payload will be downloaded. Viro botnet malware will first check registry keys and product keys to determine whether its encryption routine should run. If those checks are passed, an encryption/decryption key pair will be generated via a cryptographic Random Number Generator, which are then sent back to the attacker’s C2 server. Files are then encrypted via RSA and a ransom note is dropped on the desktop.
Viro botnet malware also contains a basic keylogger which will log all keystrokes on an infected machine and send the data back to the attacker’s C2 server. The malware is also capable of downloading further malicious files from the attacker’s C2.
While the attacker’s C2 server was initially active, it has currently been taken down so any further devices that are infected will not have data encrypted. Connection to the C2 server is necessary for the encryption routine to start. Even though the threat has been neutralized this is expected to only be a brief hiatus. The C2 is expected to be resurrected and larger distribution campaigns can have been predicted.
Protecting against email-based threats such as Viro botnet malware requires an advanced spam filtering solution such as SpamTitan to prevent malicious messages from being delivered to end users. Advanced antimalware software should be installed to detect malicious files should they be downloaded, and end users should receive security awareness training to help them identify security threats and respond appropriately.
Multiple backups should also be created – with one copy stored securely offsite – to ensure files can be recovered in the event of file encryption.
Xbash malware is one of several new malware threats to be detected in recent weeks that incorporate the file-encrypting properties of ransomware with the coin mining functionality of cryptocurrency mining malware.
This year, several cybersecurity and threat intelligence companies have reported that ransomware attacks have plateaued or are in decline. Ransomware attacks are still profitable, although it is possible to make more money through cryptocurrency mining.
The recent Internet Organized Crime Threat Report released by Europol notes that cryptojacking is a new cybercrime trend and is now a regular, low-risk revenue stream for cybercriminals, but that “ransomware remains the key malware threat”. Europol notes in its report that a decline has been seen in random attacks via spam email, instead cybercriminals are concentrating on attacking businesses where greater profits lie. Those attacks are highly targeted.
Another emerging trend offers cybercriminals the best of both worlds – the use of versatile malware that have the properties of both ransomware and cryptocurrency miners. These highly versatile malware variants provide cybercriminals with the opportunity to obtain ransom payments as well as the ability to mine for cryptocurrency. If the malware is installed on a system that is not ideally suited for mining cryptocurrency, the ransomware function is activated and vice versa.
Xbash malware is one such threat, albeit with one major caveat. Xbash malware does not have the ability to restore files. In that respect it is closer to NotPetya than Cerber. As was the case with NotPetya, Xbash malware just masquerades as ransomware and demands a payment to restore files – Currently 0.2 BTC ($127). Payment of the ransom will not result in keys being supplied to unlock encrypted files, as currently files are not encrypted. The malware simply deletes MySQL, PostgreSQL, and MongoDB databases. This function is activated if the malware is installed on a Linux system. If it is installed on Windows devices, the cryptojacking function is activated.
Xbash malware also has the ability to self-propagate. Once installed on a Windows system it will spread throughout the network by exploiting vulnerabilities in Hadoop, ActiveMQ and Redis services.
Currently, infection occurs through the exploitation of unpatched vulnerabilities and brute force attacks on systems with weak passwords and unprotected services. Protection against this threat requires the use of strong, unique non-default passwords, prompt patching, and endpoint security solutions. Blocking access to unknown hosts on the Internet will prevent communication with its C2 if it is installed, and naturally it is essential that multiple backups are regularly made to ensure file recovery is possible.
Kaspersky Lab determined there has been a doubling of these multi-purpose remote access tools over the past 18 months and their popularity is likely to continue to increase. This type of versatile malware could well prove to be the malware of choice for advanced threat actors over the course of the next 12 months.
A Bristol Airport ransomware attack has resulted in its customer display screens being taken offline for two days. Staff at the airport have had to resort to using dry markers and whiteboards to display flight arrival and departure information while the malicious software was removed and files were decrypted.
Ransomware was installed on its administrative computer system in the early hours on Friday, 14 September. As a result of the attack, several applications had to be taken offline as part of the airport’s efforts to contain the attack and prevent critical airport systems from being affected. The application used to display arrival and departure information throughout the airport was one of the casualties.
A statement was provided to the media confirming that a ransom demand had been received but the decision was taken not to give in to the attacker’s demand. Instead, IT staff at the airport chose to restore affected systems from backups. That process continued throughout the weekend. Screens in key locations throughout the airport were slowly brought back online on Sunday and efforts are continuing to restore files on all other affected computers at the airport.
Bristol Airport spokesman, James Gore, said initial investigations suggest this was a speculative rather than a targeted attack on the airport and that it was an online attack on its administrative systems. The exact nature of the Bristol Airport ransomware attack has not yet been disclosed and it is not known what variant of ransomware was used.
The recovery process has taken longer than was expected as the airport has adopted a particularly cautious approach due to the number of critical and security systems at the airport which could potentially have been affected. As it was, customer and airport safety were not affected by the ransomware attack and flights were not delayed.
Ransomware Still Poses a Major Threat to Businesses
Ransomware attacks have declined in recent months as many cybercriminals have turned to cryptocurrency mining as an easier way of generating an income, but the Bristol Airport ransomware attack shows that the threat of ransomware attacks is ever present. Cybercriminals have certainly not totally abandoned ransomware and it remains a serious threat.
Online attacks are also common. Ransomware is still widely distributed via exploit kits – Software loaded onto compromised websites that probes for vulnerabilities in browsers and plugins. When vulnerabilities are identified, they are exploited and ransomware is silently downloaded.
How to Prevent Ransomware Attacks
Protecting against ransomware attacks requires layered security solutions to block the key attack vectors. Spam filtering software will block the majority of malicious emails and prevent them from being delivered to end users’ inboxes. Security awareness training will help to ensure that employees can identify any malicious emails than make it past perimeter email security controls.
One of the most effective solutions for blocking web-based attacks is a web filter. Web filters can be configured to prevent end users from visiting malicious websites and will block drive-by downloads of malware. Naturally, all software, including browsers and browser plugins, should be kept up to date and fully patched to prevent vulnerabilities from being exploited. Anti-virus software on all servers and end points is also a must.
As was the case with the Bristol airport ransomware attack, files could be recovered from backups without the need to pay the ransom demand. To ensure file recovery is possible, regular backups must be made.
A good backup practice will see at least three backup copies created, on at least two separate media, with one copy stored securely offsite on a device that is not connected to a network or the Internet.
For more information on anti-ransomware solutions for businesses, speak to TitanHQ today. TitanHQ offers award-winning spam filtering and web filtering technology that blocks malware and ransomware attacks and other email and web-based threats.
There are many new services that managed service providers (MSPs) can add to their service stacks, such as cloud migration and digitization services, but the biggest area for growth is currently cybersecurity services.
The number of cyberattacks on SMBs and enterprises has increased substantially in recent years. More attacks are now being conducted than ever before, and many of those attacks are succeeding.
A successful attack can prove extremely profitable for an attacker and extremely costly for an enterprise. When a network or email account is breached, sensitive information can be stolen, such as the personal data of customers and employees and corporate secrets and proprietary data.
When customer information is stolen, the damage to a company’s reputation can be considerable. Customer churn rate increases, business is lost, and there may be regulatory fines to cover and lawsuits to fight. Notifications need to be issued and credit monitoring and identity theft protection services may need to be provided to customers. When proprietary data is stolen, a company’s competitive advantage can easily be lost.
Following any security breach, hours must be committed to forensic analyses to search for possible backdoors and malware. The breach cause must be identified and security holes must be plugged. All those costs (and more) add up. This year’s Cost of a Data Breach study conducted by the Ponemon Institute/IBM Security revealed the average cost of a data breach of up to 100,000 personal records has risen to $3.86 million in 2018 – a 6.4% increase since 2017.
The massive disruption to businesses caused by cyberattacks and the considerable cost of mitigating data breaches means SMBs and enterprises need to take precautions and invest in cybersecurity defenses. However, the shortage of skilled staff in this area and already overworked IT departments has meant many companies have had to turn to MSPs and managed security service providers (MSSPs) to help shore up their defenses, monitor for potential intrusions, and respond to breaches when they occur.
Many MSPs have responded to the demand and are now offering security services to their clients to meet the demand. That demand is so great, that managed security services are now a huge growth area for MSPs.
Each year, Channel Futures conducts its MSP 501 survey, which evaluates the revenue growth, service deliverables, and business models and strategies adopted by the most progressive and forward-thinking MSPs around the globe. This year, the survey revealed that the biggest growth area is security services. 73% of all surveyed MSPs said security was their fastest growing service. As a point of comparison, the next biggest growth area was professional services (55%), followed by Office 365 (52%) and consulting (51%).
With huge demand for managed security services, it is no longer a question of whether they should be added to MSPs service stacks, but more a question of how they can be integrated, how to architect those services, and how to package security services together to meet customers’ needs.
What Security Services are Being Offered by MSPs?
Many enterprises and SMBs that attempt to go it alone end up deploying dozens of different security solutions at considerable cost, only to discover they are still attacked and suffer network breaches. Most businesses do not have the staff to commit to implementing, monitoring, and managing large numbers of cybersecurity solutions. This creates an opportunity for MSPs.
Some MSPs have opted to provide clients with a suite of cybersecurity solutions from a single provider, as the solutions work seamlessly together and there is less potential for security gaps to exist. While this has worked for some MSPs, the problem with this approach is clients could approach that vendor and decide to go direct. MSPs that have succeeded with this model are adding considerable value – such as their expertise in running those solutions.
Logicalis, ranked #10 in the MSP 501 list, has taken a different approach and is bundling together a range of solutions that can be easily managed together and match customers’ needs exactly. “We pick our swim lanes, we pick our areas that are most relevant to our skills, to our customers, and we make sure we have the disciplines and domain expertise to deliver against that,” said Logicalis’ chief sales officer Mike Houghton.
Clients often get the best value – and protection – when MSPs package together cybersecurity products from a wide range of cybersecurity solution providers to provide a comprehensive security service, as Tom Clancy, CEO of Valiant Technology and #206 in Channel Future’s MSP 501 list explained. “Providing a bundle of offerings from different vendors that work well together is the most effective way for an MSP to retain its role as a trusted adviser.”
Valiant Technology has even taken this a step further and is moving towards making security a ‘non-optional’ offering. Clancy explained to Channel Futures that, “Our managed services plans will say, ‘It costs this much per seat, and it’s this much if you want the security package. And by the way, you really want the security package, otherwise here’s my limitation of liability.”
Naturally, putting together a package of security services requires considerable research and planning, new staff may need to be hired, and training on the products must be provided. It is a lot of work, but the potential rewards are considerable.
How Can TitanHQ Help?
TitanHQ has developed a suite of security products that are ideally suited for MSPs, offering a winning combination of easy deployment, remote management, superb protection against a wide range of threats, and excellent margins. The solutions mitigate the threat from web and email-based attacks integrate seamlessly into MSPs existing service stacks.
SpamTitan provides world-class protection from spam and malicious emails, preventing malware, ransomware, and phishing emails from reaching end users’ inboxes. The solution is complimented by WebTitan, a powerful web filtering solution that prevents end users from visiting malicious websites, blocks drive-by downloads of malicious software, and enforces acceptable Internet usage policies.
To find out more about how these two solutions benefit MSPs and their clients, and the tools available to seamlessly integrate these technology-agnostic security services into MSPs security packages, contact the TitanHQ team today.
Vulnerabilities in the VPNs NordVPN and ProtonVPN have been identified that allow execution of arbitrary code with system level privileges, highlighting the risk that can be introduced if VPN software is not kept fully patched and up to date.
VPNs May Not be As Secure as You Think
One common method used to securely access the Internet on public WiFi networks is to connect through a VPN. A VPN helps to prevent man-in-the-middle attacks and the interception of data by creating a secure tunnel through which data flows. Using VPN software means a user’s data is encrypted preventing information from being accessed by malicious actors.
While the connection is secured using a VPN, that does not always mean that a user is well protected. VPNs may not be quite as secure as users believe. Like any software, there can be vulnerabilities in VPNs that can be exploited. If the latest version of VPN software is not used, data may be vulnerable.
High Severity Vulnerabilities Identified in Popular VPNs
Recently, two of the most popular VPN clients have been found to contain a privilege escalation bug that could be exploited to allow an attacker to execute arbitrary code with elevated privileges.
The bug is present in NordVPN and ProtonVPN clients, both of which use the open-source OpenVPN software to create a tunnel through which information passes. In April, a flaw was identified which allowed an attacker with low level privileges to run arbitrary code and elevate their privileges to system level. Further, the flaw was not difficult to exploit.
A change could easily be made to the OpenVPN configuration file, adding parameters such as “plugin”, “script-security”, “up”, and “down”. Files specified within those parameters would be executed with elevated privileges. The flaw was identified by security researcher Fabius Watson of VerSprite Security, and prompt action was taken to patch the flaw.
However, while patches were issued by NordVPN and ProtonVPN that prevented the “plugin”, “script-security”, “up”, and “down” parameters from being added to the configuration file by standard users, the flaw had only been partially corrected.
Researchers at Cisco Talos discovered the same parameters could still be added to the configuration file if they were added in quotation marks. Doing that would bypass the mitigations of the patches. These vulnerabilities have been tracked under separate CVE codes – CVE-2018-3952 for ProtonVPN and CVE-2018-4010 for NordVPN. Both flaws are considered high-severity and have been assigned a CVSS v3 base score of 8.8 out of 10.
NordVPN and ProtonVPN have now released an updated patch which prevents the addition of these parameters using quotation marks, thus preventing threat actors from exploiting the vulnerability. Both vendors have tackled the problem in different ways, with ProtonVPN opting to put the configuration file in the installation directory to prevent standard users from making any changes, while NordVPN used an XML model to generate the configuration file. Standard users are not able to modify the template.
Securing Connections on Public WiFi Access Points
VPNs are an excellent way of improving security when connecting to public WiFi networks, but policies and procedures should be implemented to ensure that patches are applied promptly. It is not always possible to configure VPN clients to automatically update to the latest version. If vulnerabilities in VPNs are not addressed, they can be a major security weak point.
An additional protection that can be implemented to protect remote workers when connecting to WiFi networks is a web filtering solution such a WebTitan. WebTitan allows businesses to carefully control the web content that can be accessed by employees no matter where they connect – through wired networks, business WiFi networks, and when connecting to the Internet through public WiFi networks.
By controlling the types of sites that can be accessed, and using blacklists of known malicious sites, the potential for malware downloads can be greatly reduced.
If you want to improve WiFi security or implement web filtering controls for remote workers, contact the TitanHQ team today to find out more about WebTitan and the difference it can make to your security posture.
A new exploit kit has been detected that is being used to deliver Trojans and GandCrab ransomware. The Fallout exploit kit was unknown until August 2018, when it was identified by security researcher Nao_sec. Nao_sec observed the Fallout exploit kit being used to deliver SmokeLoader – a malware variant whose purpose is to download other types of malware.
Nao_sec determined that once SmokeLoader was installed, it downloaded two further malware variants – a previously unknown malware variant and CoalaBot – A HTTP DDoS Bot that is based on August Stealer code. Since the discovery of the Fallout exploit kit in August, it has since been observed downloading GandCrab ransomware on vulnerable Windows devices by researchers at FireEye.
While Windows users are being targeted by the threat group behind Fallout, MacOS users are not ignored. If a MacOS user encounters Fallout, they are redirected to webpages that attempt to fool visitors into downloading a fake Adobe Flash Player update or fake antivirus software. In the case of the former, the user is advised that their version of Adobe Flash Player is out of date and needs updating. In the case of the latter, the user is advised that their Mac may contain viruses, and they are urged to install a fake antivirus program that the website claims will remove all viruses from their device.
The Fallout exploit kit is installed on webpages that have been compromised by the attacker – sites with weak passwords that have been brute-forced and those that have out of date CMS installations or other vulnerabilities which have been exploited to gain access.
The two vulnerabilities exploited by the Fallout exploit kit are the Windows VBScript Engine vulnerability – CVE-2018-8174 – and the Adobe Flash Player vulnerability – CVE-2018-4878, both of which were identified and patched in 2018.
The Fallout exploit kit will attempt to exploit the VBScript vulnerability first, and should that fail, an attempt will be made to exploit the Flash vulnerability. Successful exploitation of either vulnerability will see GandCrab ransomware silently downloaded.
The first stage of the infection process, should either of the two exploits prove successful, is the downloading of a Trojan which checks to see if certain processes are running, namely: filemon.exe, netmon.exe, procmon.exe, regmon.exe, sandboxiedcomlaunch.exe, vboxservice.exe, vboxtray.exe, vmtoolsd.exe, vmwareservice.exe, vmwareuser.exe, and wireshark.exe. If any those processes are running, no further action will be taken.
If those processes are not running, a DLL will be downloaded which will install GandCrab ransomware. Once files are encrypted, a ransom note is dropped on the desktop. A payment of $499 is demanded per device to unlock the encrypted files.
Exploit kits will only work if software is out of date. Patching practices tend to be better in the United States and Europe, so attackers tend to rely on other methods to install their malicious software in these regions. Exploit kit activity is primarily concentrated in the Asia Pacific region where software is more likely to be out of date.
The best protection against the Fallout exploit kit and other EKs is to ensure that operating systems, browsers, browser extensions, and plugins are kept fully patched and all computers are running the latest versions of software. Companies that use web filters, such as WebTitan, will be better protected as end users will be prevented from visiting, or being redirected to, webpages known to host exploit kits.
To ensure that files can be recovered without paying a ransom, it is essential that regular backups are made. A good strategy is to create at least three backup copies, stored on two different media, with one copy stored securely offsite on a device that is not connected to the network or accessible over the Internet.
The CamuBot Trojan is a new malware variant that is being used in vishing campaigns on employees to obtain banking credentials.
Cybercriminals Use Vishing to Convince Employees to Install CamuBot Trojan
Spam email may be the primary method of delivering banking Trojans, but there are other ways of convincing employees to download and run malware on their computers.
In the case of the CamuBot Trojan the method used is vishing. Vishing is the voice equivalent of phishing – The use of the telephone to scam people, either by convincing them to reveal sensitive information or to take some other action such as downloading malware or making fraudulent bank transfers.
Vishing is commonly used in tech support scams where people are convinced to install fake security software to remove fictitious viruses on their computers. The campaign used to install the CamuBot Trojan is a variation on this theme and was uncovered by IBM X-Force researchers.
The attack starts with some reconnaissance. The attackers identify a business that uses a specific bank. Individuals within that organization are then identified that are likely to have access the bank accounts used by the business – payroll staff for example. Those individuals are then contacted by telephone.
The attackers claim that they are calling from the bank and are performing a check of security software on the user’s computer. The user is instructed to visit a webpage where a program will run a scan to find out if they have an up-to-date security module installed on their computer.
The fake scan is completed, and the user is informed that their security module is out of date. The caller then explains that the user must download the latest version of the security module and install it on their computer.
Once the file is downloaded and executed, it runs just like any standard software installer. The user is advised of the minimum system requirements needed for the security module to work and the installer includes the bank’s logo and color scheme to make it appear genuine.
The user is guided through the installation process, which first requires them to stop certain processes that are running on their computer. The installer displays the progress of the fake installation, but in the background, the CamuBot Trojan is being installed. Once the process is completed, it connects to its C2 server.
The user is then directed to what appears to be the login portal for their bank where they are required to enter their login credentials. The portal is a phishing webpage, and the credentials to access the users bank account are captured by the attacker.
Many banks require a second factor for authentication. If such a control is in place, the attackers will instruct the user that a further installation is required for the security module to work. They will be talked through the installation of a driver that allows a hardware-based authentication device to be remotely shared with the attacker. Once that has been installed and approved, the attackers are able to intercept any one-time passwords that are sent by the bank to the user’s device, allowing the attackers to take full control of the bank account and authorize transactions.
The CamuBot Trojan shows that malware does not need to be stealthy to be successful. Social engineering techniques can be just a effective at getting employees to install malware.
The CambuBot Trojan campaign is primarily being conducted in Brazil, but the campaign could be rolled out and used in attacks in other countries. The techniques used in this campaign are not new and have ben used in several malware campaigns in the past.
Consequently, it is important for this type of attack to be covered as part of security awareness training programs. Use of a web filter will also help to prevent these attacks from succeeding by blocking access to the malicious pages where the malware is downloaded.
A massive MagnetoCore malware campaign has been uncovered that has seen thousands of Magneto stores compromised and loaded with a payment card scraper. As visitors pay for their purchases on the checkout pages of compromised websites, their payment card information is sent to the attacker’s in real time.
Once access is gained to a website, the source code is modified to include the MagnetoCore malware, which is hidden among legitimate files in the Magnetocore.net domain.
The hacking campaign was detected by Dutch security researcher Willem de Groot. Over the past six months, the hacker behind the campaign has loaded MagnetoCore malware on at least 7,339 Magneto stores. The number of compromised websites is believed to be increasing at a rate of around 50 or 60 new stores per day.
Site owners have been informed of the MagentoCore malware infections, although currently more than 5,170 Magneto stores still have the script on the site.
The campaign was discovered when de Groot started scanning Magneto stores looking for malware infections and malicious scripts. He claims that around 4.2% of Magneto stores have been compromised and contain malware or a malicious script.
While a high number of small websites have been infected, according to de Groot, the script has also been loaded onto the websites of multi-million-dollar publicly traded companies, suggesting the hacker behind the attack has been able to steal tens, or most likely, hundreds of thousands of payment cards.
With a full set of payment card data selling for between $5 and $30 per card on darknet marketplaces, the individual(s) or hacking group behind the campaign has likely made a substantial profit.
Further information on the threat actor(s) responsible for the attacks has come from RiskIQ, which reports that the MagnetoCore malware campaign is part of much larger payment card scraping campaign known as MageCart. RiskIQ reports that MageCart has been in operation since at least 2015 and says the campaign being run by three groups. One of the groups was responsible for the TicketMaster breach reported in June that affected 5% of its customers.
All three groups are using the same tactics as part of a single campaign. It is likely the MagnetoCore malware campaign is being run by the same individuals responsible for MageCart.
Access to the sites is gained through a simple but time-consuming process – Conducting a brute force attack to guess the password for the administrator account on the website. According to de Groot, it can take months before the password is guessed. Other tactics known to be used are the use of malware such as keyloggers to obtain the login credentials and the exploitation of vulnerabilities in unpatched content management systems.
Preventing website compromises requires the use of very strong passwords and prompt patching to ensure all vulnerabilities are addressed. CMS systems should also be updated as soon as a new version is released.
It is also important for site owners to conduct regular scans of website CMSs to search for malicious scripts or code alterations, and to use a security solution that alerts the webmaster when a code change is detected on a website.
Unfortunately, finding out that a site has been compromised and removing the malicious code will not be sufficient. A painstaking check of the codebase is required as multiple backdoors are often added to compromised websites to ensure access can still be gained should the malicious code be discovered and removed.
An email archive is a store for old emails which may need to be accessed from time to time but are not needed on a day to day basis. An email archive securely preserves all email conversations in a searchable format that allows companies to satisfy state, federal, and industry requirements.
Email Archives Save on Storage Space
While messages could be left in personal mailboxes, the number of emails received on a daily basis means the storage space required for each mailbox would be considerable, especially considering the requirement in many industries to retain emails for several years. Even if employees exercised strict control over their inboxes and mailbox folders and diligently deleted spam and non-official emails, storage space will still likely become an issue in a short space of time.
Archives are Searchable Email Stores
One common solution to preserve emails is a mailbox backup. Email backups allow an entire mailbox to be restored in the event of disaster or could be used to recover emails that have been accidentally deleted.
However, as with any store, be it a storeroom at work, or your attic or garage at home, knowing that an item is in storage does not mean it is easy to find. While you may need to invest a little time to find a particular item in your garage, it can be a gargantuan task to find a single email in an email backup containing thousands or even tens of thousands of messages, as backups are not searchable.
An email archive differs from a backup as messages are indexed to allow searches to be performed. Finding a message in a backup file can take hours or even days. Finding a message in an archive takes a matter of seconds or a minute or two. When an email needs to be produced for any reason, an email archive allows it to be quickly found.
Typically, IT staff have much more pressing things to attend to than recovering accidentally deleted emails. An archive can be accessed and searched by employees without any IT department involvement. Further, if a cloud-based archive is used, emails can be accessed from any location and emails found even when the mail server is down.
There are naturally situations when more formal searches are required, such as when issues are identified with an employee and HR needs further information on the matter. Legal eDiscovery requests require large quantities of emails to be found and provided to attorneys, and customer disputes require email conversations to be quickly found. An archive significantly reduces the time taken for these tasks to be performed. A company-wide search of emails typically takes 80% less time when an archive is used.
Email Archives are Important for GDPR Compliance
Since the General Data Protection Regulation has come into effect, email archives are even more important. When a request is received from an individual who wants to exercise their right to be forgotten, all data must be erased, which includes data contained in email accounts. An email archive allows emails to easily be found and deleted.
The email archive serves as a black box recorder for email ensuring that come what may, all emails can be located. Emails in the archive are also tamper-evident and court admissible. This makes email archives important for compliance with state, federal, and industry regulations.
An Email Archive Saves Companies Time and Money
Mail server efficiency is improved by using archives, server management costs are reduced, and storage costs are slashed. Typically, companies can save up to 75% on storage space when an archive is used. Further, when emails need to be migrated to new mail servers, it is a much quicker process when the majority of emails have been placed in an archive. The cost savings from using an email archive are considerable.
In summary, an email archive maintains an audit trail, ensures emails are never lost or deleted, provides a failsafe in the event of disaster, and ensures emails can be found quickly. An email archive saves companies time, money, and helps with compliance with state, federal, and industry regulations.
ArcTitan: A Fast, Efficient, Low Cost Email Archiving Solution for Businesses
If you have not yet started using an email archiving solution, TitanHQ has an ideal solution. ArcTitan is a fast, convenient, scalable, and low-cost archiving solution for SMBs and enterprises.
ArcTitan is a cloud-based email archiving solution that integrates seamlessly with Outlook. ArcTitan allows emails to be quickly and easily archived and retrieved on demand via super-fast, user-friendly search screens.
All emails are de-duplicated and compressed to reduce storage space and all messages and attachments are stored securely in IL5 certified datacenters.
If you want an easy to use email archiving solution that can be implemented in minutes, contact the TitanHQ team today for further information.
Security awareness training best practices to help your organization tackle the weakest link in the security chain: Your employees.
The Importance of Security Awareness Training
It doesn’t matter how comprehensive your security defenses are and how much you invested on cybersecurity products, those defenses can all be bypassed with a single phishing email. If one such email is delivered to an end user who does not have a basic understanding of security and they respond to that message, malware can be installed, or the attacker can otherwise gain a foothold in your network.
It is the risk of such an attack that has spurred many organizations to develop a security awareness training program. By teaching all employees cybersecurity best practices – from the CEO to the lowest level workers – security posture can be greatly enhanced and susceptibility to phishing attacks and other cyberattacks will be greatly reduced.
However, simply providing employees with a training session when they join the company is not sufficient. Neither is it enough to give an induction in cybersecurity followed by an annual refresher training session. Employees cannot be expected to retain knowledge for 12 months unless frequent refresher training sessions are provided. Further, cybercriminals are constantly developing new tactics to fool end users. Training programs must keep up with those changing tactics.
To help organizations develop an effective security awareness training program we have compiled a list of security awareness training best practices to follow. Adopt these security awareness training best practices and you will be one step closer to developing a security culture in your organization.
Security Awareness Training Best Practices
Listed below are some security awareness training best practices that will help you develop an effective training program that will ultimately help you to prevent data breaches.
C-Suite Involvement is a Must
It is often said that the weakest link in the security chain are an organization’s employees. While that is undoubtedly true, the C-Suite is also a weak link. If the C-Suite does not take an active interest in cybersecurity and does not realize the importance of the human element in security, it is unlikely that sufficient support will be provided and unlikely that appropriate resources are made available. C-suite involvement can also help with organization-wide collaboration. It will be very difficult to create a security culture in an organization if there is no C-Suite involvement in cybersecurity.
An Organization-Wide Effort is Required
A single department will likely be given the responsibility for developing and implementing a security awareness program, but it will not be easy in isolation. Assistance will be required from other departments. The heads of different departments can help to ensure that the security awareness training program is given the priority it deserves.
To ease the burden on the IT department, members of other departments can be trained and can assist with the provision of support or may even be able to assist with the training efforts. Other departments, such as marketing, can help developing content for newsletters and other training material. The HR department can help by setting policies and procedures.
Creation of Security Awareness Training Content
There is no need to develop training content for employees from scratch as there are many free resources available that can give you a head start. Many firms offer high quality training material for a price, which is likely to be lower than the cost of developing training material in-house. Take advantage of these resources but make sure that you develop a training program that is specific to the threats faced by your organization and the sector in which you operate. Your training program must be comprehensive. If any gaps exist, they are likely to be exploited sooner or later.
Diversity of Training
A one-size-fits-all approach to training will ultimately fail. People respond differently to different training methods. Some may retain more knowledge through classroom-based training, others may need one-to-one training, and many will benefit more from CBT training sessions. Your training program should include a wide range of different methods to help with different learning styles. The more engaging your program is, the more likely knowledge will be retained. Use posters, newsletters, email security alerts, games, and quizzes and you will likely see major improvements in your employees’ security awareness.
You can develop a seriously impressive training program for your employees that looks perfect on paper, but if your employees only manage to retain 20% of the content, your training program will not be very effective. The only way you can determine how effective your training program is through attack simulations. Phishing simulation exercises and simulations of other attack scenarios should be conducted before, during, and after training. You will be able to assess how effective all elements of the training program have been, and it will give you the feedback you need to identify weak links and take action to improve your training program.
Security Awareness Training Needs to be a Constant Process
Security awareness training is not a checkbox item that can be completed and forgotten about for another year. Your program should be running constantly and should consist of an annual training session for all employees, semi-annual training sessions, and other training efforts spread throughout the year. The goal should be to make sure security issues are always fresh in the mind.
Cybersecurity best practices for restaurants that you can adopt to make your network more secure and prevent hackers from gaining access to your POS system and customers’ credit card information.
Cybercriminals are Targeting Restaurants’ POS Systems
If you run a busy restaurant you will most likely be processing thousands of credit and debit card transactions every month. Every time someone pays with a card you have a legal responsibility to ensure that the card details that are read through your point of sale (POS) system remain private and cannot be stolen by your employees or obtained by cybercriminals.
So far this year there have been several major cyberattacks on restaurants that have resulted in the credit and debit card numbers of customers being stolen. In August, Darden Restaurants discovered that hackers gained access to the POS system used in its Cheddar’s Scratch Kitchen restaurants and potentially stole over half a million payment card numbers.
Applebee’s, PDQ, Zippy’s, and Chili’s have all experienced cyberattacks in 2018 which have resulted in hackers gaining access to customers’ payment cards. Last year also saw several cyberattacks on restaurants, including attacks on Shoney’s, Arby’s, Chipotle, and the Sonic Drive-In chain. These restaurant cyberattacks are notable due to the amount of card numbers that were stolen. The cyberattack on Cheddar’s is thought to have resulted in the theft of more than half a million payment card numbers, expiry dates and CVV codes, while the Sonic data breach has been estimated to have impacted millions of customers.
Not all cyberattacks on restaurants are conducted on large restaurant chains. Smaller restaurants are also being attacked. These smaller establishments may not process anywhere near as many payment card transactions as a chain the size of Applebee’s, but the attacks can still prove profitable for criminals. Card details sell for upwards of $7, so the theft of 1,000 card numbers from a small restaurant will still generate a decent profit and the effort required to conduct cyberattacks on small restaurants is often far less than an attack on a large chain.
All restaurants are at risk of hacking. Steps must therefore be taken by all restaurants to make it as hard as possible for hackers to gain access to the network, POS systems, and customer data. With this in mind we have listed cybersecurity best practices for restaurants to adopt to avoid a data breach.
Cybersecurity Best Practices for Restaurants
Listed below are some cybersecurity best practices for restaurants to adopt to make it harder for hackers to gain access to your network and data. There is no silver bullet that will stop all cyberattacks, but these cybersecurity best practices for restaurants will help to improve your security posture.
Network Segmentation is a Must
You will most likely have multiple computers in use in your restaurant as well as many other devices that connect to your network via an ethernet connection or WiFi. Every device that connects to your network is a possible entry point that could be exploited by a hacker. It is therefore important to stake steps to ensure that if one device is compromised, access cannot be gained to your entire network. Your POS system needs to be segregated from other parts of the network and users should only be permitted to access parts of the network that are required to complete their assigned duties.
Patch Management and Vulnerability Scanning
All it takes is for one vulnerability to remain unaddressed for you to be vulnerable to attack. It is therefore essential to maintain an inventory of all devices that connect to your network and ensure that patches and software updates are applied on all those devices as soon as they are released. You should also conduct regular vulnerability scans to identify possible weak points and take prompt action to ensure those weak points are addressed.
Secure the Perimeter with a Firewall
One of the most important cybersecurity solutions to implement to prevent hackers from gaining access to your network is a firewall. A firewall monitors and controls incoming and outgoing network traffic and serves as a barrier between a trusted internal network and an untrusted external network. A firewall is also an important element of PCI compliance.
Implement a Spam Filter to Block Malicious Emails
Email is the most common vector used to install malware. Phishing attacks are commonplace and are an easy way for hackers to gain login credentials and get a foothold in the network. Use a spam filter such as SpamTitan to prevent malicious messages from being delivered to end users’ inboxes and block all malware-laced emails.
Protect Your WiFi Network with a Web Filtering Solution
Your WiFi network is a potential weak spot and must be secured. If you provide WiFi access to your customers, ensure they are only provided with access to a guest network and not the network used by your staff. Implement a web filter to control what users can do when connected to your network. A web filter will help to prevent malware from being downloaded and can be configured to block access to risky websites. WebTitan is an ideal web filter for restaurants to improve WiFi security.
Purchase Antivirus Software
Antivirus software is one of the most basic software solutions to protect against malware. Malware is commonly installed on POS systems to record and exfiltrate payment card information. Not only should you ensure that a powerful antivirus solution is installed, you should also ensure regular scans of the network are performed.
Provide Security Awareness Training to Staff
Your employees are a potential weak point in your security defenses. Don’t assume that your employees are security aware. Teach your staff cybersecurity best practices for restaurants, provide anti-phishing training, and explain about risky behaviors that could easily lead to a data breach.
Backup and Backup Again
You should perform regular backups of all your essential data to protect against saboteurs and provide protection against ransomware attacks. If disaster strikes, you will need to record all your data. Adopt the 3-2-1 approach to creating backups. Create three copies, on two separate media, and store one copy securely off site on an air-gapped device that is not connected to the Internet.
Vet your Vendors
Access to your network may be gained through your vendors. The cyberattack on PDQ restaurants occurred via a remote access tool used by one of its technology vendors. If a vendor is able to connect to your network, it is essential that they have appropriate security controls in place. Be sure to check how secure your vendor is and what controls they have in place to prevent hacking before giving them network access.
Adopt these cybersecurity best practices for restaurants and you will make it harder for hackers to gain access to your network and you should be able to avoid a costly data breach.
A recent Cheddar’s Scratch Kitchen data breach is believed to have affected more than half a million of the restaurant chain’s customers and resulted in their credit/debit card details being obtained by hackers.
Darden Restaurants acquired Cheddar’s Scratch Kitchen in March 2017. The newly acquired restaurant chain was using a legacy point-of-sale (POS) system which was disabled and replaced by April 10, 2018 as part of Darden’s integration process.
However, prior to the system being replaced, hackers gained access to the POS system and customers’ credit/debit card details. There are 163 Cheddar’s Scratch Kitchen restaurants spread across 23 states – Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin. All locations were affected by the breach.
The Cheddar’s Scratch Kitchen data breach affects all customers who visited those restaurants between November 3, 2017 and January 2, 2018 and paid for their meal using a debit or credit card. Determining how many of its customers have been affected is likely to take some time, although current estimates suggest that as many as 567,000 customers could be affected.
Restaurants are an attractive target for cybercriminals. If access can be gained to the network containing the POS system, malware can be installed to intercept and record credit card numbers as diners pay for their meals.
Once installed, malware can silently steal credit card numbers for months. Typically, it is only when banks and credit card companies detect a pattern of credit card fraud and link it to a particular establishment that an investigation is launched and malware is detected.
While the value of credit card numbers on the black market has dropped due to the constant availability of stolen credentials, full sets of credit card information can still fetch at least $7. At that price, the Cheddar’s Scratch Kitchen data breach could have netted the attackers $4 million. With such a massive potential payday it is no surprise that restaurants are such a big target for hackers.
The Cheddar’s Scratch Kitchen data breach is one of many attacks on restaurant chains in recent months. In March 2018, RMH Franchise Holdings announced that malware had been discovered on the POS system used in 160 Applebee’s restaurants. The malware had been programmed to record names, credit and debit card numbers, expiry dates, and CVV codes and was present on the system for a month between December 2017 and January 2018.
In May, a cyberattack was detected at Zippy’s Restaurants which affected 25 of the Hawaii restaurant chain’s locations. Malware had been installed on its POS system for 4 months before it was detected. Also in May, Chili’s restaurants announced that malware had been discovered on the POS system used in some of its restaurants. The malware was active between March and April 2018.
In June, the PDQ restaurant chain discovered it had been attacked and customers’ credit and debit card information had been stolen. The attackers had access to the POS system for almost a year between May 2017 and April 2018. In that attack, access was gained through a remote connection tool used by a technology vendor.
Last year also saw numerous cyberattacks on restaurant chains. Shoney’s, Arby’s, Chipotle, and Sonic Drive-In all experienced major cyberattacks, with the latter estimated to have impacted millions of customers.
If you own a restaurant it is essential to implement a range of cybersecurity solutions to keep hackers out of your network and ensure your customers credit and debit card numbers remain secure.
There has been a significant increase in healthcare phishing attacks in recent weeks, both in frequency and the severity of attacks. In July alone, more than 1.6 million healthcare records were exposed due to healthcare phishing attacks and the attacks show no sign of slowing.
Healthcare phishing attacks are to be expected. The email accounts of healthcare employees often contain highly sensitive information – Information that can be used for a multitude of nefarious purposes such as tax fraud, medical identity theft to obtain prescription medications, and identity theft to obtain credit cards and loans. If access can be gained to the email account of one healthcare employee, messages can be sent to other employees in the organization from the compromised account. Since those messages come from a genuine email account within the organization, they are less likely to be blocked and are more likely to elicit a response. When one email account is compromised there is a high probability that access will be gained to other email accounts.
In the United States, a summary of all healthcare data breaches of more than 500 records is published by the Department of Health and Human Services’ Office for Civil Rights (OCR). The OCR breach portal lists hundreds of email-related data breaches have been reported since summaries first started being published in 2009, although there has been a significant increase in phishing-related data breaches in recent months. July 2018 saw two of the largest and most serious healthcare phishing attacks ever reported.
The largest healthcare phishing attacks in July were reported by the Iowa Health System (UnityPoint Health), Boys Town National Research Hospital, and Confluence Health. These healthcare phishing attacks resulted in the exposure of 1,421,107 records, 105,309 records, and 33,821 records respectively.
In July alone, there were 33 large data breaches reported to OCR. Those breaches include unauthorized accessing of health records by employees, lost devices containing electronic health information, improper disposal of medical records, and unauthorized disclosures of health records by employees. While unauthorized disclosures are often behind the majority of breaches, in July it was email-related hacking incidents were behind 39% of all reported data breaches. Those email account breaches resulted in the exposure and possible theft of 1,620,318 patients’ health and personal information. Not only was email the most common location of breached health information in July, it was the same story in March, April, May and June.
The large-scale healthcare phishing attacks have continued in August. This month, Augusta University Health reported a phishing attack had resulted in the exposure and possible theft of the PII and PHI of 417,000 individuals. In that attack hackers gained access to the email accounts of 24 members of staff. 38,000 records were also potentially accessed by hackers following a phishing attack on Legacy Health.
With the threat of healthcare phishing attacks greater than ever and the high cost of mitigating those breaches, it is more important than ever for healthcare organizations to improve their defenses against phishing.
TitanHQ offers healthcare organizations two vital cybersecurity solutions that can help to prevent phishing attacks, which along side ongoing security awareness and anti-phishing training for staff can greatly reduce the potential for a successful phishing attack to occur.
SpamTitan is an advanced spam filtering solution that blocks 100% of known malware and more than 99.97% of malicious emails, preventing them from reaching end users inboxes. Occasional emails may be delivered to inboxes, which is where WebTitan helps. WebTitan is a powerful DNS web filtering solution that blocks attempts by employees to access known phishing websites, stopping them from reaching websites where they would otherwise disclose their login credentials.
To find out more about these solutions and how they can be deployed in a healthcare environment, contact the TitanHQ sales team today and take an important first step towards improving the resilience of your organization to phishing attacks.
A new SharePoint phishing scam has been detected that attempts to steal Office 365 credentials. The scam emails being sent in this campaign are similar to those used in countless Google Docs phishing attacks, which appear at face value to be attempts to collaborate through the sharing of files. These scams are often used to spread malware, with the documents often containing malicious macros or links to websites where malware is silently downloaded.
These brand impersonation attacks use an email format that is identical to those used in genuine messages. The phishing emails contain logos, formatting and links that makes the messages identical to legitimate messages requesting collaboration on a project.
This SharePoint phishing scam includes a hyperlink to a genuine SharePoint document, which may not be flagged as malicious since the file itself does not contain malware.
The SharePoint file advises the user that the content they are looking for has been uploaded to OneDrive for Business and a further click is necessary to access the file. A hyperlink named “Access Document” is included in the SharePoint file along with the genuine OneDrive for Business logo and appropriate graphics. At face value the document does not appear malicious, although checking the destination URL of the link will reveal that it directs the user to a suspect website.
It is that website where the phishing attempt takes place. After clicking the link the user is presented with a login window for Office 365 and their Microsoft login details must be entered. Entering Office 365 credentials at this point will pass them to the criminals behind this campaign. The user is unlikely to realize that they have been successfully phished as after entering credentials they will be directed to a genuine Office site.
This SharePoint phishing scam appears to target businesses. Business users are likely to be used to collaborating using SharePoint and are therefore more likely to respond. Gaining access to a business Office 365 account is more lucrative for the attackers, allowing them to access to email accounts to use in further phishing campaigns and access to data stored in those accounts and other sensitive data.
Email addresses for business users can easily be located through sites such as LinkedIn or lists of business email addresses could be purchased on the dark web and hacking forums.
This SharePoint phishing scam, Google Docs phishing scams, and similar campaigns spoofing Dropbox are commonplace and highly effective. They take advantage of familiarity with these collaboration services, trust in the brands, a lack of security awareness, and business employees that do not stop and think before clicking.
Preventing these attacks requires technological solutions to stop the messages from being delivered. Security awareness training can be highly effective at conditioning employees to stop and think before taking any action, while web filters can block these attacks by preventing malicious URLs from being visited. Without these controls in place, businesses will be vulnerable.
A recent study in the United Kingdom conducted by researchers at the Oxford Internet Institute at the University of Oxford on the effectiveness of parental controls suggests that they may not be as effective as was thought at preventing minors from accessing online pornography.
While the study certainly adds to the body of evidence on the effectiveness of parental controls, such as those provided by Internet Service Providers, care should be taken interpreting the findings, especially comparing ISP parental controls with commercial web filtering solutions for schools.
The researchers suggest that their study “Delivered conclusive evidence that filters were not effective for protecting young people from online sexual material,” and such bold claims have naturally been reported in the media as ‘Internet controls not being effective’.
However, the study only assessed whether minors had encountered a single image of nudity or of a sexual nature. No internet filtering solution can be expected to block every single sexual image. The goal of parental controls is not to ensure that pornographic content cannot ever be accessed, only that the chance of it being accessed is reduced to a very low level.
Further, while controls can be put in place to block direct accessing of pornography, parental control filers can easily be bypassed through the use of VPNs and anonymizer services. If a minor wishes to gain access to pornography, it is easy to do so via an anonymizer service. Parental control filters put in place by Internet Service Providers do not block access to anonymizer services.
Search for “free anonymizer” in Google, access the site, and enter the URL of an adult site on a home network with parental controls in place, and you will discover exactly how easy it is to access adult content. Even easier, search for “bypass parental controls” and you will get a long list of options.
Commercial filters, such as those offered to schools and businesses, allow adult content to be blocked but also the use of anonymizer services to prevent filtering controls from being bypassed, providing greater protection – which is necessary in places of business and in schools. If an anonymizer is used and a commercial web filter is in place that blocks anonymizers, access will be denied, and the attempt will be recorded.
What is particularly worrying, is the suggestion that the findings of this study on the effectiveness of parental controls should be applied to schools. The researchers suggest in the paper “Our findings raise the question of whether mandatory state-funded Internet filtering in schools should still be regarded as a cost-effective intervention,” instead, the use of age verification tools or simply boosting educational strategies to support responsible online behavior should be explored.
Commercial web filtering solutions and parental controls solutions are not the same, and it is worth considering the following scenario. If a parent was to discover their child had viewed pornography at school and no filtering controls were in place to prevent access, would that parent agree with the school’s decision not to block pornography because a filter could potentially be bypassed? Or would a parent prefer a filter be put in place to make it harder for such content to be viewed?
The researchers do point out that more research is required to solidify the findings, specifically “to test Internet filtering in an experimental setting, done in accordance to Open Science principles.”
One thing is for certain, the use of web filters and parental controls to protect minors is certainly likely to continue to involve considerable discussion and the solution to the problem of minors accessing online material of a sexual nature is likely to involve a combination of technological controls, monitoring of internet access, and educational efforts.
The importance of web filtering for businesses cannot be understated. Businesses can install a range of perimeter defenses, but if controls are not implemented to restrict the activities of employees, malware can easily be downloaded onto work devices. The cost of mitigating malware infections can be considerable. The NotPetya malware attacks last year cost Maersk around $300 million. The Ponemon Institute annual cost of a data breach study suggests the average cost of a data breach is now $3.6 million for large businesses.
There is no single software solution that can provide total protection for businesses. A range of security solutions are required to reduce risk to an acceptable level, and web filters are one such control that should now be used by all businesses.
A new campaign has been detected this week that demonstrates the importance of web filtering for businesses, highlighting one of the methods used to install malicious software on corporate devices. In this case, the aim of the campaign is to install adware, unwanted browser extensions, and PuPs, although this tactic is often used to install much more malicious software.
The individuals behind this campaign are using autogenerated content to create large quantities of websites that incorporate commonly used keywords related to popular celebrities and adult industry actors. The aim of the campaign is to get these webpages indexed by the search engines and appearing in the organic search engine listings. Individuals who search for these keywords are likely to be presented with these webpages.
Upon opening these webpages, a popup is launched that advises the user that their computer lacks the codecs and software necessary to play the video. To get the videos to play, they need to install a media player. If the end user chooses to install the media player, rather than the media player being installed, a bundle of other programs is downloaded and installed on their device. The campaign also directs users to webpages where they are encouraged to install browser extensions.
If an employee is actively searching for inappropriate website content, it is easy to see how that individual would proceed with a download, and in doing so, install any number of potentially malicious programs.
This is not a hypothetical situation – many employees do just that. A recent survey conducted by Spiceworks delved into the reasons why companies are increasingly using web filters. The primary reason was to prevent the installation of malware. Further, when asked about whether employees had caused problems by accessing inappropriate website content, 38% of respondents said they had experienced a data breach in the past 12 months as a result of employees visiting websites that were not necessary for work.
The survey also revealed the extent that employees are using the Internet for personal reasons. Out of the companies that had not implemented a web filter, it was estimated that 58% of employees were wasting more than 4 hours a week on personal internet use, while 26% of employees were wasting 7 or more hours on non-work-related websites. That adds up to 26 days a year lost by each of those employees.
A web filter can allow a company to improve the productivity of the workforce. Employees will always slack off from time to time, but web filters can help to reduce the number of lost hours. The survey showed that the percentages fell to 43% spending more than 4 hours a week on non-work-related sites and 18% spending more than 7 hours a week slacking off online when a web filter was deployed – a significant reduction in lost hours. Further, blocking social media websites saw the figure fall to 30% of employees wasting more than 4 hours a week on personal internet use.
Another important benefit of web filtering is to prevent the accessing of illegal website content. Companies can be legally liable for illegal activities by their employees, such as the downloading of copyright protected material through peer-to-peer file sharing networks. The survey revealed two thirds of companies were using their web filter to avoid legal liability and 84% were using a web filter to stop illegal activity online. Data leakage is also a serious concern. 57% of companies use web filters to prevent data leakage and hacking.
If you want to improve your security posture, reduce the potential for productivity losses, and reduce legal liability, a web filter and at least some form of content control is essential.
If you have yet to implement a web filter, are unhappy with your current provider, or would like further information on the importance of web filtering for businesses, call the TitanHQ team today for further information. A free trial is also available for WebTitan, the leading web filtering solution for businesses, to allow you to find out first hand the benefits that content control offers.
What is a Botnet? How are they used? What harm can be caused, and how can you prevent a computer from becoming part of a botnet? These and other questions answered.
What is a Botnet?
A botnet is simply a collection of computers and other Internet-connected devices that are controlled by a threat actor. Usually that control is achieved via a malware installation, with the malware communicating with the threat actor’s command and control server.
Once malware has been installed on one device, potentially it can propagate to other devices on the same network, creating a mini-army of slave devices under the threat actor’s control. Any computer with the malware installed is part of the botnet and can be used on its own or collectively with other compromised devices for malicious purposes.
What are Botnets Used For?
Botnets are often used to conduct Distributed Denial of Service (DDoS) attacks, with the devices in the botnet used to access a particular service simultaneously and flooding it with traffic making that service temporarily unavailable. The Mirai botnet, which mostly consists of vulnerable IoT devices, was used to take down large sections of the Internet, including some of the most popular websites such as Twitter and Netflix. DDoS attacks are now being conducted that exceed 1 terabits per second, largely due to sheer number of devices that are part of the botnet.
One of the biggest botnets ever assembled was made possible with Zeus malware, a banking Trojan that was particularly difficult to detect. In the United States, an estimated 3.6 million computers had been infected with the malware, making Zeus one of the biggest botnets ever created.
In addition to DDoS attacks, botnets are also used to send huge quantities of spam and phishing emails. The Necurs botnet is the world’s largest spamming botnet, delivering 60% of all spam emails. The Gamut spam botnet delivers around 37% of spam botnet traffic. These two spamming botnets are primarily used to send malicious messages containing email attachments with malicious macros that download malware such as the Dridex banking Trojan, and the ransomware variants Locky, Globelmposter, and Scarab.
Recently, the rise in the value of cryptocurrencies has made it highly profitable to use the processing power of botnets to mine cryptocurrency. When processing power is used for cryptocurrency mining, the performance of the computers will reduce significantly.
How Are Botnets Created?
Botnets can be created through several different methods. In the case of IoT devices, attackers often take advantage of weak passwords and default credentials that have not been changed. Since IoT devices are less likely to be updated automatically with the latest software and firmware, it is easier to exploit flaws to gain access to the devices. IoT Devices also rarely have antivirus controls, making infection easier and detection of malware much harder.
Computers are most commonly recruited into botnets through malware sent via spam email campaigns – such as those sent out by the spamming botnets. Malware is delivered via infected email attachments or links to malicious websites where malicious code is hosted. Messages can be sent via social media networks and chat apps, which also direct users to malicious websites where malware is downloaded.
Drive-by downloads are also common – Malware is downloaded by exploiting vulnerabilities in browsers, add-ons or browser plug-ins, often through exploit kits loaded on compromised websites.
Prevent a Computer from Becoming Part of a Botnet
It is much easier to prevent a computer from becoming part of a botnet than identifying a malware infection and eradicating it once it has been installed. To prevent a computer from becoming part of a botnet, it is necessary to use technological controls and adopt security best practices.
Businesses need to ensure all staff are trained to be more security aware and are told about the risks of opening email attachments or clicking links in emails from unknown senders. They should also be told not to automatically trust messages from contacts as their email accounts could have been compromised. Employees should be taught security best practices and risky behavior, such as connecting to public WiFi networks without using a VPN, should be eradicated.
All software must be kept up to date with patches applied promptly. This will reduce the risk of vulnerabilities being exploited to deliver malware. Antivirus software should be installed and configured to update automatically, and regular AV scans should be performed.
Firewalls should be used to implemented to prevent unauthorized network access and allow security teams to monitor internet traffic.
Spam filtering solutions should be implemented to block the majority of malicious messages from being delivered to end users’ inboxes. The more messages that are blocked, the less chance there is of an employee responding to a phishing email and inadvertently installing malware.
One way to prevent a computer from becoming part of a botnet that is often forgotten, is the use of a web filtering solution. A web filter, such as WebTitan, will prevent malware and ransomware downloads and block access to malicious websites sent via email or through web browsing.
Implement these controls and it will make it much harder for your organization’s computers to be infected with malware and added to a botnet.
Austin, Texas-based managed services provider Acumera has successfully integrated the WebTitan web filtering solution into their service offerings and are now providing advanced web filtering to their clients.
Acumera provides managed security services to a wide range of companies throughout the United States across hundreds of thousands of locations, including healthcare providers, automated parking garages and some of the best-known retailers in the country such as 7-Eleven, Circle K, Subway, Pluckers, Benetton, and Valero service stations.
Many of the companies that have chosen Acumera to provide fully managed security services operate in hundreds or thousands of locations – 7-Eleven has more than 7,700 stores in the United States. Acumera secures payment systems and provides network security, connectivity, and visibility services across these widely distributed networks.
Acumera’s expertise in securing large highly distributed networks ensures its customers have the peace of mind that their networks and systems are fully secured, while avoiding the security headaches that many highly distributed companies face. Acumera’s customers certainly get an excellent return on their investment and tremendous value for money.
The Acumera Team with TitanHQ Alliances Director Mr. Eddie Monaghan in Austin, Texas.
Now, following the integration of WebTitan, Acumera’s customers can now benefit from advanced malware and ransomware protection both on and off corporate networks. WebTitan provides excellent protection from a wide range of web-based threats and allows companies to carefully control the websites that their employees can access. Highly granular controls ensure accurate content control without overblocking.
WebTitan Cloud is an easy to use, multi-tenant solution that MSPs can quickly set up and configure. There is no need for any hardware purchases, software installations of site visits. The 100% cloud-based solution can integrate seamlessly with existing client packages to increase revenue and attract more business.
The solution can be hosted on TitanHQ’s servers or within MSPs own environments, with a full white label version ready to take MSPs own branding.
Thanks to the WebTitan Application Programming Interface (API), managed services providers can easily incorporate WebTitan into their service offerings and provide DNS filtering to their customers.
If you are a managed service provider and you are interested in adding DNS filtering to your service stack and would like to become a TitanHQ Alliance partner, contact the TitanHQ team today for more information.
TitanHQ has announced as part of its strategic alliance with networking and security solution provider Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been incorporated into the Datto networking range and are immediately available to MSPs.
Datto is the leading provider of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto offers data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, and remote monitoring and management tools.
The addition of WebTitan to its range of security and networking solutions means its MSP partners can now offer their clients another level of security to protect them from malware and ransomware downloads and phishing attacks.
WebTitan is a 100% cloud-based DNS web filtering solution developed with MSPs in mind. In addition to allowing businesses to carefully control the types of websites their employees can access through corporate wired and wireless networks, the solution provides excellent protection against phishing attacks and web-based threats.
With phishing now the number one threat faced by SMBs and a proliferation of ransomware attacks, businesses are turning to their MSPs to provide security solutions to counter the threat.
Businesses that implement the solution are given real-time protection against malicious URLs and IPs, and employees are prevented from accessing malicious websites through general web browsing and via malicious URLs sent in phishing emails.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
At the upcoming TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States – MSPs will be able to see WebTitan in action. TitanHQ’s full team will be in attendance, including Ronan Kavanagh – TitanHQ’s CEO, Conor Madden – Sales Director, Dryden Geary – Marketing Manager, and Eddie Monaghan – Alliance Manager.
MSPs can visit the TitanHQ team at booth #66 in the exhibition hall for a demonstration of WebTitan, SpamTitan – TitanHQ’s award -winning spam filtering solution – and ArcTitan, TitanHQ’s email archiving solution. All three solutions are MSP friendly and are easily added to MSP’s service stacks.
DattoCon 2018 runs all week from June 18, 2018. The TitanHQ team will be present all week and meetings can be arranged in advance by contacting TitanHQ ahead of the conference.
A hacking group has succeeded in infecting hundreds of thousands of routers with VPNFilter malware. The scale of the malware campaign is astonishing. So far more than half a million routers are believed to have been infected with the malware, prompting the FBI to issue a warning to all consumers and businesses to power cycle their routers.
Power cycling the router may not totally eradicate the malware, although it will temporarily disrupt communications and will help to identify infected devices, according to a May 25 public service announcement issued by the FBI.
All users have been advised to change the password on their router, install firmware updates if they are available, and disable the router’s remote management feature.
According to the U.S. Department of Justice, the malware campaign is being conducted by the Sofacy Group, also known as Fancy Bear and APT28. The hacking group has ties to the Russian government with some believing the hacking group is directed by Russia’s military intelligence agency.
While most of the infected routers and NAS devices are located in Ukraine, devices in more than 50 countries are known to have been infected with the malware. VPNFilter malware is a modular malware with a range of different functions that include the ability to capture all information that passes through the router, block network traffic and prevent Internet access, and potentially, the malware can totally disable the router. The infected routers could also be used to bring down specific web servers in a DDoS attack.
Many common router models are vulnerable including Linksys routers (E1200, E2500, WRVS4400N), Netgear routers (DGN2200, R6400, R7000, R8000, WNR1000, WNR2000), Mikrotik RouterOS for Cloud Core Routers (V1016, 1036, 1072), TP-Link (R600VPN), QNAP (TS251, TS439 Pro and QNAP NAS devices running QTS software).
The motive behind the malware infections is not known and neither the method being used to install the malware. The exploitation of vulnerabilities on older devices, brute force attacks, and even supply chain attacks have not been ruled out.
The FBI has taken steps to disrupt the malware campaign, having obtained a court order to seize control of a domain that was being used to communicate with the malware. While communications have now been disrupted, if a router has been compromised the malware will remain until it is removed by the router owners.
How to Update Your Router
While each router will be slightly different, they can be accessed by typing in 192.168.1.1 into the browser and entering the account name and password. For many users this will be the default login credentials unless they have been changed during set up.
In the advanced settings on the router it will be possible to change the password and disable remote management, if it is not already disabled. There should also be an option to check the firmware version of the router. If an update is available it should be applied.
You should then either manually power cycle the router – turn it off and unplug it for 20 seconds – or ideally use the reboot settings via the administration panel.
DrayTek Discovers Actively Exploited Zero Day Vulnerability
The Taiwanese broadband equipment manufacturer DrayTek has discovered some of its devices are at risk due to a zero-day vulnerability that is being actively exploited in the wild. More than 800,000 households and businesses are believed to be vulnerable although it is unknown how many of those devices have been attacked to date.
The affected devices are Vigor models 2120; 2133; 2760D; 2762; 2832; 2860; 2862; 2862B; 2912; 2925; 2926; 2952; 3200; 3220 and BX2000, 2830nv2; 2830; 2850; and 2920.
The vulnerability allows the routers to be compromised via a Cross-Site Request Forgery attack, one where a user is forced to execute actions on a web application in which they are currently authenticated. While data theft is possible with this type of attack, the attackers are using this attack to change configuration settings – namely DNS settings. By making that change, the attackers can perform man in the middle attacks, and redirect users from legitimate sites to fake sites where credentials can be stolen.
A firmware update has now been released to correct the vulnerability and all users of vulnerable DrayTek devices are being encouraged to check their DNS settings to make sure they have not been altered, ensure no additional users have been added to the device configuration, and apply the update as soon as possible.
When accessing the router, ensure no other browser windows are open. The only tab that should be open is the one used to access the router. Login, update the firmware and then logout of the router. Do not just close the window. Also ensure that you set a strong password and disable remote access if it is not already disabled.
Many small businesses purchase a router and forget about it unless something goes wrong and Internet access stops. Firmware updates are never installed, and little thought is given to upgrading to a new model. However, older models of router can be vulnerable to attack. These attacks highlight the need to keep abreast of firmware updates issued by your router manufacturer and apply them promptly.
TitanHQ has announced its 100% cloud-based web filtering platform, WebTitan, has been fully integrated into the Kaseya IT Complete Platform.
The IT Complete platform helps MSPs deliver invaluable cybersecurity and IT services to their clients quickly and efficiently. By using the platform, MSPs can save valuable time, allowing them to concentrate on IT projects strategic to their business.
The addition of a web filtering solution to the IT Complete platform allows MSPs to provide a more comprehensive range of cybersecurity solutions to their clients to help protect against a wide range of web-based threats. The web filtering solution joins cybersecurity solutions developed by Bitdefender, Cisco, and Dell and is now available to all MSPs who use Kaseya VSA.
WebTitan is a powerful DNS-based web filtering solution ideally suited to MSPs. The solution provides proven protection against malware and ransomware downloads, and complements existing anti-virus, email filtering, data backup solutions, and firewalls.
Being 100% cloud-based it is easy to deploy without the need for any hardware purchases, software installations, or site visits. With the new integration, WebTitan can be accessed directly through Kaseya VSA, and can be deployed and configured in minutes, providing near instant protection against web-based threats.
The integration of WebTitan into the Kaseya IT Complete platform is particularly timely, as some of the world’s leading MSPs will be attending the Kaseya Connect conference in Las Vegas, NV this week.
“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration. With over 10 million endpoints under their management it represents a massive opportunity for our business,” said Ronan Kavanagh, CEO of TitanHQ. “We look forward to working with Kaseya’s MSP partners and adding our personal touch and renowned focus on great customer support.”
The massive increase in cyberattacks on businesses in recent years has made cybersecurity a key area of growth for MSPs. Companies need to implement layered defenses to protect an ever-increasing attack surface and turn to MSPs to help them secure their networks.
“Security is a critical service that all MSPs must deliver,” said Frank Tisellano, Jr., vice president product management and design. “Adding WebTitan to our open ecosystem of partner solutions means our customers now have even greater access to best of breed technologies to meet the needs of their business. With growing concerns over malware, ransomware and phishing as key threats to MSP customers, WebTitan adds a highly effective layer of protection.”
TitanHQ’s WebTitan is a powerful web filtering solution that helps businesses control the web content that can be accessed by its employees, but how does WebTitan work and how can the solution improve an organization’s security posture?
Why Are Web Filters Necessary?
Many businesses choose to implement a web filtering solution to prevent employees from accessing inappropriate web content such as pornography or to stop work computers from being used to download illegal content such as pirated films, music, and TV shows. A category-based web filter allows businesses to block certain types of web content with ease, such as adult material and P2P file sharing websites.
While content filters can achieve those aims, perhaps a more important function of web filters is to block web-based threats such as malware and phishing websites. Many businesses choose to deploy WebTitan to block these threats, but how does WebTitan work?
How Does WebTitan Work?
WebTitan Cloud is a 100% cloud-based web filtering solution that serves as a semi-permeable membrane between an organisation’s users and the Internet. When an end user attempts to access a particular URL that does not violate an organization’s acceptable Internet use policy, the request is honoured. Since there is no latency, the speed at which the website is loaded is the same as if no filtering mechanism is in place.
Unknown to the user, when an attempt is made to access a webpage, the DNS request is sent to WebTitan Cloud which determines whether the request should be allowed or denied.
If the user attempts to access a gambling website and the gambling category has been blocked through WebTitan Cloud, the user will be advised that their request has been denied and access to the site will be prevented. But how does WebTitan work as far as malicious websites are concerned? How are malicious URLs identified and blocked?
How Does WebTitan Block Access to Malicious Websites?
How does WebTitan determine which URLs are benign and which ones are malicious, and how are those checks performed in real-time?
To block malicious sites, WebTitan uses a crowd-sourced approach and obtains a constant stream of URLs for analysis. These ActiveWeb URLs come from websites actively visited by a global network of customers through high traffic markets such as subscriber analytics, networks security, IOT, and ad tech.
This traffic is used to train WebTitan’s human-supervised Machine Learning Systems to detect, monitor, and categorize threats. Using in house and third-party tools, WebTitan performs link, content, static, heuristic, and behavioural anomaly analyses to categorize threats. When threats are detected, the WebTitan team profiles, tests and validates those threats. Once threats have been validated, they are blocked with false positives used to train the system to improve future accuracy.
In contrast to many DNS-based systems, which only work at the domain level, WebTitan works at the path level and is capable of blocking individual webpages rather than entire domains. The majority of malicious URLs in the WebTitan database are marked as malicious at the path level – 99.7% of IP-based URLs and 88.35% of non-IP-based URLs.
WebTitan performs checks of websites that have previously been marked as malicious to determine whether they still contain malware or other threats. The WebTitan Malicious Detection Solution revisits up to 300,000 sites to check whether they are still infected or have been cleaned, and the database is updated accordingly. Sites previously marked as malicious can be accessed once they have been determined to be safe.
What Web-Based Threats Does WebTitan Block?
There are ten main web-based threats that WebTitan protects against:
Malware distribution points
Spyware and questionable software
Phishing and other fraudulent sites
Command and Control (C2) servers
Malware call-home addresses
Compromised sites and links to malware
With WebTitan, businesses not only have highly granular control over the types of sites that can be visited by their employees, a wide range of malicious sites are also blocked, preventing malware and ransomware infections, data theft, data exfiltration and fraud.
Many businesses have moved from wired to wireless technologies which has had a negative impact on their security posture. Wired networks are easier to secure than wireless networks, and if vulnerabilities exist they can be exploited by cybercriminals. Because of these security flaws, and the ease of exploiting them, wireless networks attacks are common. In this post we explore some of the common wireless network attacks and offer advice on simple steps that can be taken to secure wireless networks and prevent costly data breaches.
Wi-Fi is Ubiquitous, Yet Many Businesses Neglect Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something that is taken for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided. The decision to use a particular establishment is often influenced by whether free WiFi is available, but increasingly the quality of the connection is a factor in the decision process.
The quality of the WiFi on offer is not just a question of there being enough bandwidth and fast internet speeds.
Parents often choose to visit establishments that provide secure WiFi with content control, such as those that have been verified under the Friendly WiFi scheme. In order to be accredited under the scheme, businesses must have implemented appropriate filtering controls to ensure that minors are prevented from accessing age-inappropriate material. The massive rise in cyberattacks via public WiFi networks has seen many consumers choose establishments that offer secure WiFi access.
If you run a business and are providing WiFi to customers or have yet to provide WiFi and are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of your network. The past couple of years have seen many major attacks on WiFi networks and customers who use wireless services.
Some of the most common wireless network attacks are detailed below.
What are the Most Common Wireless Network Attacks?
Some of the most common wireless network attacks are opportunistic in nature. Businesses that fail to secure their WiFi networks leave the door wide open to scammers and hackers who would otherwise look for easier targets. Those scammers are happy to take advantage of poor security controls to steal sensitive information from WiFi users and distribute malware. Unsecured WiFi networks are also targeted by sophisticated cybercriminals and organized crime groups to gain a foothold in the network. The attacks can be extremely lucrative. If malware can be installed on POS systems, the credit/debit card numbers of tens or hundreds of thousands of customers can be stolen.
Fake WiFi Access Points, Evil Twins, and Man in the Middle Attacks
Visitors to hotels, coffee shops and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken when connecting. Customers often choose the WiFi access point based on the name without checking it is the wireless network set up by a particular establishment for customer use.
Criminals can easily set up fake WiFi access points, often using the name of the establishment in the SSID name. Calling it ‘Free Airport WiFi’ is a common ploy to get people to connect. When customers connect to these rogue WiFi networks they can still access the Internet and are likely to be unaware that anything is wrong. However, everything they do online is being monitored by cybercriminals. Sensitive information entered online, such as email addresses and passwords, credit card numbers, or banking credentials can be stolen.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in the coffee shop drinking a latte while monitoring the traffic of everyone that connects. Alternatively they can use a router with the same name and password as the one currently in use. This may also have a stronger WiFi signal, which may see more people connect to it but it is an “evil twin” through which man in the middle attacks occur – the interception of data sent over the network.
This is one of the most common wireless network attacks and it is surprisingly effective. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
Packet Sniffing: Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the 10 busiest malls in the USA had risky WiFi networks. One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use programs called packet sniffers to intercept traffic on unencrypted WiFi networks. These common wireless network attacks are easy on older routers, such as those using WEP encryption. WPA offers better security, although as a minimum WPA2 should be used, or better still, the recently released WPA3. Packet sniffing is one of the most common wireless network attacks.
Examples of WiFi Network Attacks
Listed below are some examples of common wireless networks attacks that have resulted in the installation of malware or theft of sensitive information. These attacks could easily have been prevented had appropriate security controls been implemented.
Tel Aviv Free WiFi Network Hacked
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure on the network. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no major vulnerabilities, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he was so inclined, he could have intercepted the traffic from tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable none the less due to the rise in use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. These devices can be vulnerable to supply chain attacks – Where hardware is altered to allow the devices to be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
In Flight WiFi Network Hacked from the Ground
Cybersecurity expert Ruben Santamarta has demonstrated it is possible to hack into airline WiFi networks from the ground and view the internet activity of passengers and intercept their information. More worryingly, he was also able to gain access to the cockpit network and SATCOM equipment. He claims the same technique could be used for ships, industrial facilities and even military installations. He explained how he did it in his “Last Call for SATCOM security” presentation at the 2018 blackhat hacker conference.
WiFi Networks Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network or customers requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers and poor WiFi security is likely to be exploited sooner or later. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature which will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – A more complicated setup that will require you to seek professional advice on security.
Encrypt WiFi Traffic with WPA2 or WPA3
If you have an old router that does not support WPA2 encryption its time for an upgrade. WPA2 is the minimum standard for WiFi security, and while it can still be cracked, it is time consuming and difficult. WPA3 has now been released and an upgrade should be considered. You should also make sure that WPS is turned off.
Update Firmware Promptly
All software and devices contain vulnerabilities and require updating. Software should be patched and devices such as routers will need to have their firmware upgraded when new versions are released. Check your device manufacturers website periodically for details of firmware updates and ensure your device is updated.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID in a prominent place where they can see it.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised when your business is closed, it increases the risk of an attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters although more is better. Alternatively use a 14-character+ passphrase.
Use a Web Filter
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and web pages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats such as drive by downloads, exploit kits and phishing. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases or software downloads, and being 100% cloud-based, can be managed and monitored from any location.
A web-based malware distribution network that was redirecting around 2 million website visitors a day to compromised websites hosting exploit kits has been disrupted, crippling the malware distribution operation. The web-based malware distribution network – known as EITest – was using compromised websites to redirect web visitors to sites where exploits were used to download malware and ransomware, as well as redirect users to phishing websites and tech support scams that convinced visitors to pay for fake software to remove non-existent malware infections.
Due to the scale of the operation, removing the redirects from compromised websites is a gargantuan task. Efforts to clean up those sites are continuing, with national CERTs notified to provide assistance. However, the web-based malware distribution network has been sinkholed and traffic is now being redirected to a safe domain. Proofpoint researchers were able to seize a key domain that was generating C&C domains, blocking the redirects and re-routing them to four new EITest domains that point to an abuse.ch sinkhole.
The sinkhole has only been in operation for a month – being activated on March 15 – yet already it has helped to protect tens – if not hundreds of millions – of website visitors. In the first three weeks alone, an astonishing 44 million visitors had been redirected to the sinkhole from around 52,000 compromised websites and servers.
The majority of the compromised websites were running WordPress. Malicious code had been injected by taking advantage of flaws in the CMS and plugins installed on the sites. Vulnerabilities in Joomla, Drupal, and PrestaShop had also been exploited to install the malicious code.
The web-based malware distribution network has been in operation since at least 2011, although activity increased significantly in 2014. While previous efforts had been made to disrupt the malware distribution network, most failed and others were only temporarily successful.
The malicious code injected into the servers and websites primarily redirected website visitors to an exploit kit called Glazunov, and to a lesser extent, the Angler exploit kit. Those exploit kits probed for multiple vulnerabilities in software to download ransomware and malware.
The threat actors behind EITest are believed to have responded and have attempted to gain control of the sinkhole, but for the time being those efforts have been thwarted.
How to Improve Security and Block Web-Based Malware Attacks
While it is certainly good news that such a major operation has been disrupted, the scale of the operation highlights the extent of the threat of web-based attacks. Spam email may have become the main method for distributing malware and ransomware, but organizations should not ignore the threat from web-based attacks.
These attacks can occur when employees are simply browsing the web and visiting perfectly legitimate websites. Unfortunately, lax security by website owners can easily see their website compromised. The failure to update WordPress or other content management systems and plugins along with poor password practices makes attacks on the sites a quick and easy process.
One of the best cybersecurity solutions to implement to reduce the risk of web-based attacks is a web filter. Without a web filter in place, employees will be permitted to visit any website, including sites known to host malware or be used for malicious purposes.
With a web filter in place, redirects to malicious websites can be blocked, downloads of risky files prevented, and web-based phishing attacks thwarted.
TitanHQ is the leading provider of cloud-based web filtering solutions for SMBs and enterprises. WebTitan Cloud and WebTitan Cloud for WiFi allow SMBs and enterprises to carefully control the website content that can be accessed by their employees, guest network users, and WiFi users. The solution features powerful antivirus protections, uses blacklists of known malicious websites, and incorporates SSL/HTTPS inspection to provide protection against malicious encrypted traffic.
The solution also allows SMBs and enterprises to enforce their acceptable internet usage policies and schools to enforce Safe Search and YouTube for Schools.
For further information on how WebTitan can protect your employees and students and prevent malware infections on your network, contact TitanHQ today.
Phishing is commonly associated with spam emails, but it is not the only method of phishing as the PayPal text phishing scam below shows. Phishers use various methods to obtain sensitive information. Phishing threats could arrive by email, text message, instant messenger services, over the phone or even in the mail.
Phishing is arguably the biggest threat to businesses and consumers and can result in a malware infection, the encryption of files via ransomware, an email account being compromised, the theft of sensitive data such as credit/debit card numbers or bank account information. A successful phishing attack could prove incredibly costly as bank accounts could be easily emptied. For businesses, malware infections can be catastrophic and billions are lost to business email compromise phishing scams each year.
There are approximately 200 million PayPal users, which makes the online payment service particularly attractive for phishers. PayPal is one of the most world’s most commonly spoofed brands. If the brand is spoofed, there is a relatively high percentage that the phishing email or text message will be received by a person who has a PayPal account. Further, PayPal accounts usually contain money and they are linked to a bank account and/or credit card. Gaining access to PayPal credentials can see the account and linked bank account emptied.
Phishers use a variety of social engineering techniques to fool end users into installing malware or disclosing their login credentials and other sensitive information. Spam email may be the main method of attack, although the use of text (SMS) messages – often referred to as SMiShing – is growing. This method of phishing can prove more successful for the attackers. The PayPal text phishing scam below is much harder to identify as malicious as many of the PayPal email phishing scams that have been detected in recent weeks.
Beware of this Credible PayPal Text Phishing Scam
This PayPal text phishing scam, and several variants along the same theme, have been detected in recent weeks. The text message appears to have been sent from PayPal from a short code number.
The message reads:
Your account is currently under review. Please complete the following security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu
Another message reads:
Your account is under review. Please fill in the following security form to avoid lockout: http://bit[dot]ly/_payPal__
This PayPal text phishing scam works because many people do not carefully check messages before clicking links. Click the link on either of these two messages and you will be directed to a website that appears to be the official PayPal website, complete with branding and the normal web layout. However, this is a PayPal text phishing scam. The websites that the messages direct recipients to are scam sites.
Those sites naturally require the user to enter their login credentials. Doing so just passes those credentials to the scammer. The scammer will then use those credentials to access an account, empty it of funds, and plunder the bank account(s) linked to the PayPal account. The password for the account may also be changed to give the attacker more time to make transfers and lock the genuine account holder out.
These scams are particularly effective on smartphones as the full URL of the site being visited is not displayed in the address bar due to the small screen size. It may not be immediately apparent that an individual is not on the genuine PayPal website.
This PayPal text phishing scam shows that you need to be always be on your guard, whether accessing your emails, text messages, or answering the telephone.
Don’t Become a Victim of an SMS Phishing Scam
The PayPal text phishing scam detailed above is just one example of how cybercriminals obtain sensitive information via text message. Any brand could be impersonated. Shortlinks are often used to hide the fact that the website is not genuine, as is altering the link text to mask the true URL.
To avoid becoming a victim of a SMiShing scam, assume any text message correspondence from a retailer or company could be a scam. If you receive a message – typically a warning about security – take the following steps.
Access your account by typing in the correct URL into your web browser. Do not use the link in the message.
Check the status of your account. If there is a freeze on your account, your account is under review, or it has been suspended, this will be clear when you log in.
If in doubt, contact the vendor by telephone or send an email, again using verified contact information and not any contact details supplied in the text message (or email).
Before logging in or disclosing any sensitive information online, check the entire URL to make sure the domain is genuine.
PayPal Email Phishing Scams
This PayPal text phishing scam is one of thousands of phishing campaigns targeting PayPal users, most of which arrive in inboxes.
PayPal email phishing scams can be highly convincing. The emails contain the familiar PayPal logo, the text in the message body is often well written with no grammatical errors or spelling mistakes, the footers contain all the information you would expect, and the font is the same as that used in genuine PayPal messages.
The purpose of PayPal phishing emails will vary depending on the campaign, although typically the aim is:
To fool someone into disclosing their PayPal username/email address and password combination
To obtain a credit/debit card number, expiry date, and CVV code
To obtain bank account information and other personal information to allow account access
To obtain a Social Security number and date of birth
To install malware – Malware can capture all the above information and more
To install ransomware – Ransomware encrypts files and prevents them from being accessed unless a ransom payment is made
PayPal phishing emails can be very convincing and virtually indistinguishable from genuine communications; however, there are often signs that suggest all may not be what it seems.
Some of the common identifiers of PayPal phishing emails have been detailed below:
The messages contain questionable grammar or spelling mistakes.
The hyperlink text suggests one domain, when hovering the mouse arrow over the link shows it directs the user to a different domain.
The message does not address the account holder personally and starts with dear PayPal user, user, or PayPal member instead of using the first and last name or the business name.
A link in the email directs the recipient of the message to a website other than the genuine paypal.com domain or local site – paypal.ca, paypal.co.uk for example.
The website the user is asked to visit does not start with HTTPS and/or does not have the green padlock symbol in the address bar.
The email requests personal information be disclosed such as bank account details, credit card numbers security questions and answers.
A user is requested to download or install software on their device.
HTTPS Does Not Mean a Website is Genuine
There has been a general push to get businesses to make the switch from HTTP to HTTPS by installing an SSL certificate. The SSL certificate binds a cryptographic key to an organization’s details and activates both the padlock sign and changes a website to start with HTTPS. This ensures that the connection between the browser and the web server is encrypted and secured.
If the website has a valid SSL certificate installed, it reduces the potential for snooping on information as its entered in the browser – credit card information for example. However, what an SSL certificate will not offer is a guarantee that information is safe and secure.
A website owned by or controlled by a cybercriminal could have valid SSL certificate and start with HTTPS and have a green padlock. Disclosing information on that site could see sensitive information handed to a scammer.
As more and more businesses have made the transition to HTTPS, so have cybercriminals. According to the Anti-Phishing Working Group’s (APWG) Q1, 2018 phishing activity trends report, 33% of all phishing websites now use HTTPS and have valid SSL certificates. HTTPS and a green padlock do not mean that a website is genuine.
Anti-Phishing Best Practices to Adopt
Exercise caution when someone sends you a hyperlink in a text message or email. The sender may not be who you think it is. A contact or family member’s email account may have been compromised or their phone stolen or the email address may have been spoofed.
Never open email attachments in unsolicited emails from unrecognized senders.
Beware of any email that suggests urgent action must be taken, especially when there is a threat of negative consequences – your account will be limited or deleted for example.
If in doubt about the genuineness of an email, do not click or open any attachments. Simply delete the message.
Businesses should implement an advanced spam filter to prevent the majority of phishing emails from reaching inboxes.
Businesses should also implement DMARC to prevent spoofing of their brands.
Businesses should provide ongoing security awareness training to employees to teach the skills required to identify phishing emails and smishing attempts such as this PayPal text phishing scam.
Lawmakers are considering a new bill that calls for mandatory web filtering in Rhode Island. More than a dozen U.S states are considering similar laws which make it necessary for the manufacturers or distributors of Internet enabled devices to use web filters to block access to adult content by default.
In other states the bill goes under the banner of the Human Trafficking Prevention Act. The aim of the legislation is to reduce the availability of online pornography, which is often claimed to represent ‘a public health crisis’ in the United States.
The purpose of the bill – sponsored by Senators Frank Ciccone (D-Providence) and Hannah Gallo (D-Cranston) – is not to make it illegal to view online pornography but to make state residents pay a fee if they want to view such material on their laptops, computers, and smartphones.
Bill Proposes Web Filtering in Rhode Island on All Internet-Enabled Devices
As in other states, the wording of the legislation means that web filtering in Rhode Island would be mandatory on all Internet-enabled devices, not only smartphones, laptops and desktops. This would require web filtering controls to also cover IoT devices and routers, which would be applied at the ISP level.
If the bill is passed, web filtering in Rhode Island would cover online pornography and any shows, motion pictures, performances, or images that “taken as a whole, lack serious literary, artistic, political, or scientific value.” The web filter would also need to block access to websites or hubs that facilitates human trafficking and prostitution and ensure child pornography and revenge porn cannot be accessed.
The move would certainly make it harder for minors to access adult content since in order to remove the filtering controls the device owner would be required to prove they are over 18 years of age. Any device sold in the state would need to be supplied with a warning about the removal of the filtering mechanism and the repercussions of doing so.
Any individual who wishes to remove the filtering would be allowed to do so by paying a one-off fee of $20. The fee would be added to a fund that supports the victims of human trafficking.
Any such technological control is unlikely to be 100% accurate, so a mechanism must be introduced that ensures requests can be submitted to add websites and webpages to the filter when obscene content has escaped the filtering controls. Conversely, when content is blocked that is not sexual in nature or is not patently offensive, a request can be submitted to add the page to a whitelist of allowable websites or have the site recategorized. Such requests would need to be processed no later than 5 days after the request has been submitted.
The failure to act on such requests would be punishable with a financial penalty of up to $500 per piece of content that was reported but not blocked. In its current form the bill does not call for similar fines to be imposed when requests are submitted to unblock legitimate content that has been inadvertently blocked by the filtering controls.
If you have yet to implement a web filtering solution to control the content that your employees can access at work, you are taking an unnecessary risk that could result in a costly malware infection, ransomware being installed on your network, or a lawsuit that could have been prevented by implementing basic web filtering controls. Many SMBs have considered implementing a web filter yet have not chosen a solution due to the cost, the belief that a web filter will cause more problems than it solves, or simply because they do not think it offers enough benefits. In this post we explain some of the common misconceptions about web filtering and attempt to debunk some common web filtering myths.
Common Web Filtering Myths
Antivirus Solutions Provide Adequate Protection from Web-Based Malware Attacks
Antivirus software is a must, although products that use signature-based detection methods are not as reliable as they once were. While antivirus companies are still quick to identity new malware variants, the speed at which new variants are being released makes it much harder to keep up. Further, not all malware is written to the hard drive. Fileless malware remains in the memory and cannot easily be detected by AV software. Antivirus software is still important, but you now need a host of other solutions to mount a reasonable defense against attacks. Layered defenses are now a must.
Along with AV software you should have anti spam software in place to block email-based threats such as phishing. You need to train your workforce to recognize web and email threats through security awareness training. Firewalls need to be set with sensible rules, software must be kept updated and patches must be applied promptly, regular data backups are a must to ensure recovery is possible in the event of a ransomware attack, and a web filtering solution should be installed.
A web filter allows you to carefully control the web content that can be accessed by employees. By using blacklists, websites known to host malware can be simply blocked, redirects via malvertising can be prevented, and controls can be implemented to prevent potentially malicious files from being downloaded. You can also prevent your employees from visiting categories of sites – or specific websites – that carry a higher than average risk.
There are other benefits to web filtering that can help you avoid unnecessary costs. By allowing employees to access any content, organizations leave themselves open to lawsuits. Businesses can be held liable for activities that take place on their networks such as accessing illegal content and downloading/sharing copyright-protected material.
Web Filtering is Prohibitively Expensive
Many businesses are put off implementing a web filtering solution due to the perceived cost of filtering the Internet. If you opt for an appliance-based web filter, you need to make sure you have an appliance with sufficient capacity and powerful appliances are not cheap. However, there is a low-cost alternative that does not require such a major cash commitment.
DNS filtering requires no hardware purchases so there is no major capital expenditure. You simply pay for the licenses you need and you are good to go. You may be surprised to find out just how low the price per user actually is.
Web Filtering is Too Complicated to Implement
Some forms of web filters are complex, and hardware-based filters will take some time to install and configure, which will take IT staff away from important duties. However, DNS based filters could not be any easier to implement. Implementing the solution is a quick process – one that will take just a couple of minutes. You just need to point your DNS to your web filtering service provider.
Even configuring the filter is straightforward. With WebTitan you are given a web-based portal that you can use to configure the settings and apply the desired controls. In its simplest form, you can simply use a checkbox option to select the categories of websites that you want to block.
Since WebTitan includes a database of malicious websites, any request to visit one of those websites will be denied. You can also easily upload third party blacklists, and for total control, use a whitelist to only allow access to specific websites.
Employees Will Just Bypass Web Filtering Controls
No web filtering solution is infallible, although it is possible to implement some basic controls that will prevent all but the most determined and skilled workers from accessing prohibited websites. Simple firewall rules can be easily set and you can block DNS requests to anything other than your approved DNS service. You can also set up WebTitan to block the use of anonymizers.
IT Support Will be Bombarded with Support Calls from Employees Trying to Access Blocked Websites
If you decide to opt for whitelisting acceptable websites, you are likely to be bombarded with support calls when users discover they are unable to access sites necessary for work. Similarly, if you choose to heavily filter the Internet and block most categories of website, then your helpdesk could well be swamped with calls.
However, for most companies, filtering the internet is simply a way of enforcing acceptable usage policies, which your employees should already be aware of. You are unlikely to get calls from employees who want access to porn at work, or calls from employees who want to continue gambling and gaming on the clock. Restrict productivity draining sites, illegal web content, phishing websites, and sites that are not suitable in the workplace, and explain to staff your polices in advance, and your support calls should be kept to a minimum.
Find Out More About DNS Filtering
If you have yet to implement DNS filtering in your organization, it is possible to discover the benefits of Internet filtering before committing to a purchase. TitanHQ offers a free trial of WebTitan Cloud (and WebTitan Cloud for WiFi) so you can try before committing to a purchase.
If you would like further information on getting started with web filtering, have technical questions about implementation, would like details of pricing or would like a demo or a free trial, contact the TitanHQ team today.
It has taken some time, and Google did not want to have to take action, but finally the Google Chrome Ad blocker has been released. The new feature of Chrome means intrusive adverts can now be blocked by users if they so wish.
What Will the Google Chrome Ad Blocker Block?
Google makes a considerable amount of money from advertising, so the Google Chrome Ad blocker will not block all adverts, only those that are deemed to be intrusive and annoying. Those are naturally subjective terms, so how will Google determine what constitutes ‘intrusive’?
One of the first checks performed by Google is whether adverts on a webpage violate the standards set by the Coalition for Better Ads – A groups of trade organizations and online media companies committed to improving the online experience for Internet users.
The Coalition for Better Ads has identified ad experiences that rank the lowest across a range of experience factors and has set a bar for what is acceptable. These standards include four types of ads for Desktop users: Popup ads, auto-playing videos with sound, prestitial ads with countdowns, and large sticky ads. There are eight categories covering mobile advertising: Popup ads, prestitial ads (where ads are loaded before content), prestitial ads with countdowns, flashing animated ads, auto-playing videos with sound, full screen scrollover ads, large sticky ads, and an ad density higher than 30%.
Google Chrome assesses webpages against these standards. If the page has none of the above ad categories, no action will be taken. Google says when 7.5% of ads on a site violate the standards the filter will kick in. If the above standards are violated the site get a warning and will be given 30 days to take action. Site owners that ignore the warning and fail to take action will have their sites added to a list of failed sites. Those websites will have the adverts blocked, although visitors will be given the option of loading adverts on that site.
The aim of the Google Chrome Ad blocker is not to block advertisements, but to urge site owners to adhere to Better Ads standards. Google reports that the threat of ad blocking has already had a positive effect. Before the Google Chrome Ad blocker was even released, Google says 42% of sites with intrusive adverts have already made changes to bring their sites in line with Better Ads standards.
The move may not have been one Google wanted to make, but it is an important step to take. Intrusive adverts have become a major nuisance and web users are taking action by installing ad blockers. Ad blockers do not rate ads based on whether they are annoying. They block all adverts, which is obviously bad for companies such as Google. Google made $95.4 billion dollars from advertising last year and widespread use of ad blockers could make a serious dent in its profits. According to figures from Deloitte, 31% of users in the United States have already installed ad blockers and the figure is expected to rise to a third of all computers this year.
So, will the Google Chrome ad blocker mean fewer people will use ad blocking software? Time will tell, but it seems unlikely. However, the move may mean fewer people will seriously consider blocking adverts in the future if companies start adhering to Better Ads standards.
Why Businesses Should Consider Using a Web Filter
For businesses, adverts are more than a nuisance. Some adverts pose a serious security risk. Cybercriminals use malicious adverts to direct end users to phishing websites and webpages hosting exploit kits and malware. Termed malvertising, these adverts are a major risk. While it is possible to use an adblocker to prevent these malicious adverts from being displayed, adblockers will not prevent other serious web-based threats. For greater web security, a web filter is required.
By carefully controlling the web content that can be accessed by employees, businesses can greatly improve web security and block the majority of web-based threats.
For more information on blocking malicious and undesirable content, contact the TitanHQ team today for advice.
The multi-award-winning email and web filtering solution provider TitanHQ has announced an exciting new partnership with the international consulting, coaching, and peer group organization HTG.
The new partnership – announced at the HTG Peer Groups Q1 quarterly meeting at the Pointe Hilton Squaw Peak Resort in Phoenix AZ – will see TitanHQ join HTG Peer Groups as a Gold vendor, which gives the HTG community immediate access to TitanHQ’s leading web filtering solution WebTitan.
Currently, service providers are being called upon to provide costly support to their clients to help them defend against ransomware and malware attacks. They are also required to spend a considerable proportion of the time allocated to each client under service level agreements mitigating malware and ransomware infections caused by careless employees.
By implementing WebTitan, service providers can easily provide an additional layer of Internet security to their clients, helping to protect them against ransomware and malware attacks. With WebTitan in place, they will also avoid the costly and time-consuming task of mitigating attacks and removing malicious software.
By deploying WebTitan, managed service providers quickly and easily secure their clients’ networks. Once protected, instead of accessing the Internet directly, all Internet requests are made through WebTitan, which serves as a protective barrier preventing malicious websites from being accessed. WebTitan scans websites and webpages searching for malicious content and when harmful webpages are identified they are added to block lists. Any request made by a user to access a malicious website will blocked before a connection to the site is made.
Additionally, WebTitan is a powerful content filter that can be controlled by the MSP or their clients. Once the content filter is applied, any attempt to access a webpage or website that contravenes the organization’s acceptable Internet usage polices will be blocked. WebTitan also provides visibility into Internet usage via detailed reports that are automatically sent to security/HR teams.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)
The new partnership between TitanHQ and HTG will make it even easier for the HTG community to add this important security protection to their service stacks and provide better value to their clients.
“We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said Arlin Sorensen, founder of HTG Peer Groups.
In contrast to many web filtering solutions that have been developed for enterprises and subsequently tweaked to make the products suitable for MSPs, WebTitan was developed specifically with MSPs in mind.
“The WebTitan web filter was built by MSP’s for MSP’s and this exciting relationship with HTG Peer Groups is a continuation of that process,” said Ronan Kavanagh, CEO of TitanHQ. “It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web security vendor. Our goal is to successfully engage with HTG members to build strong and long-lasting relationships.”
In addition to being given access to WebTitan, the HTC community will also have access to TitanHQ’s email archiving platform ArcTitan and will be able to offer spam and phishing protection to their clients through SpamTitan, the leading email filtering solution for MSPs.
The Rockingham school district in North Carolina discovered Emotet malware had been installed on its network in late November. The cost of resolving the infection was an astonishing $314,000.
The malware was delivered via spam emails, which arrived in multiple users’ inboxes. The attack involved a commonly used ploy by cybercriminals to get users to install malware.
The emails appeared to have been sent by the anti-virus vendor used by the school district, with the subject line ‘incorrect invoice’ and the correct invoice included as an attachment. The emails were believable and were similar to many other legitimate emails received on a daily basis.
The emails asked the recipient to open and check the attached invoice; however, doing so would see malware downloaded and installed on the email recipient’s computer.
Soon after those emails were received and opened, staff started to experience problems. Internet access appeared to have been blocked for some users. Reports from Google saying email accounts had been shut down due to spamming started to be received. The school district investigated and discovered several devices and servers had been infected with malware.
Emotet malware is a network worm that is capable of spreading across a network. Infection on one machine will see the virus transmitted to other vulnerable devices. The worm drops a type of banking malware on infected devices that is used to steal victims’ credentials such as online banking details.
Emotet is a particularly advanced malware variant that is difficult to detect and hard to remove. The Rockingham school district discovered just how problematic Emotet malware infections can be when attempts were made to remove the worm. The school district was able to successfully clean some infected machines by reimaging the devices; however, the malware simply re-infected those computers.
Mitigating the attack required assistance from security experts, but even with expert help the recovery process is expected to take up to a month. 10 ProLogic ITS engineers will spend around 1,200 on site reimaging machines. 12 servers and potentially up to 3,000 end points must be reimaged to remove the malware and stop reinfection. The cost of cleanup will be $314,000.
Attacks such as this are far from uncommon. Cybercriminals take advantage of a wide range of vulnerabilities to install malware on business computers and servers. In this case the attack took advantage of gaps in email defenses and a lack of security awareness of employees. Malware can similarly be installed by exploiting unpatched vulnerabilities in software, or by drive-by downloads over the Internet.
To protect against Emotet malware and other viruses and worms layered defenses are required. An advanced spam filtering solution can ensure malicious emails are not delivered, endpoint detection systems can detect atypical user behavior, antivirus solutions can potentially detect and prevent infections, while web filters can block web-based attacks and drive-by downloads. End users are the last line of defense and should therefore be trained to recognize malicious emails and websites.
Only a combination of these and other cybersecurity defenses can keep organizations well protected. Fortunately, with layers defenses, it is possible to avoid costly malware and phishing attacks such as the one experienced by the Rockingham school district.
15 years after the launch of the wireless security protocol WPA2, the Wi-Fi Alliance has announced this year will see the release of the WPA3 protocol. The transition period from the WPA2 to WPA3 protocol is expected to take several months.
WPA2 was released in 2003, bringing with it a number of key security enhancements to its predecessor WPA. WPA2 fast became the accepted Wi-Fi CERTIFIED security technology and is now used in more than 35,000 certified Wi-Fi products, including smartphones, tablets, and IoT devices.
Since its launch, WPA2 has received several enhancements and the protocol will continue to be updated this year. The Wi-Fi alliance says updates will be applied over the coming weeks and months and will occur ‘under-the-hood’ and will be unnoticeable to users. The enhancements will address configuration, authentication, and encryption.
The first major update to WPA2 is for Protected Management Frames (PMF) in Wi-Fi devices, which ensure the integrity of network management traffic on Wi-Fi networks. The update concerns when devices are required to use PMF, refining configurations for Wi-Fi CERTIFIED devices to ensure the highest possible level of security.
The second enhancement requires companies to conduct additional checks of their devices to ensure best practices for using the Wi-Fi security protocols have been adopted. This will reduce the potential for the misconfiguration of networks and devices, further safeguarding managed networks with centralized authentication services.
The third major update standardizes 128-bit level cryptographic suite configurations, which will deliver more consistent network security configurations. The Wi-Fi Alliance VP, Kevin Robinson, said, “Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security.” This update will ensure all cryptographic components used are of the required standard, ensuring there are no weak links in the encryption chain.
By adding these enhancements to its Wi-Fi certification program, users can be sure all certified Wi-Fi devices will have the highest level of security.
The Wi-Fi Alliance says WPA2 will continue to be deployed in Wi-Fi devices, although following the launch of the WPA3 protocol later this year there will be a gradual transition to the WPA3 protocol. During the transition period, both WPA2 and WPA3 will be run concurrently. The process of changeover is expected to take several months, as it is necessary for all hardware to be certified to make sure the new protocol can be supported.
The WPA3 protocol will incorporate several important enhancements to improve Wi-Fi security. The full specifications have not yet been published but are expected to include increased privacy protections for users of open networks with individualized data encryption.
Controls to prevent malicious actors from undertaking multiple login attempts via commonly used passwords is expected, as well as more simplified configuration for IoT devices that do not have a display. The new WPA3 protocol will also use 192-bit security or the Commercial National Security Algorithm to improve security for government, defense, and industrial networks.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”
The Children’s Internet Protection Act (CIPA) requires Internet filtering controls in schools to be applied to block obscene images, child pornography, or other images that could be harmful to minors.
Compliance with the Children’s Internet Protection Act is not mandatory, but a lack of Internet filtering controls in schools means that it is not possible to receive discounts under the e-rate program – an initiative that makes telecommunications and Internet services more affordable for schools. The discounts are considerable. Schools can reduce their telecommunications costs by up to 90%.
Consequently, many schools choose to comply with CIPA and apply Internet filtering controls to block inappropriate website content. However, Internet filtering controls in schools are often overly restrictive, and are not only used to block obscene content, but other material with important educational value.
A recent report by the American Civil Liberties Union (ACLU) of Rhode Island, has revealed that many schools are choosing to use their Internet filters to block a broad range of website content – Far more than is necessary to comply with CIPA.
The latest report is a follow-on study from a 2013 investigation into Internet filtering controls in schools in Rhode Island. Four years ago, the ACLU study found that teachers were being hampered by Internet filters and prevented from using the Internet to educate students. Students were also blocked from accessing information relevant to their studies.
Since that initial report was released, the Rhode Island Department of Education (RIDE) released guidance for schools on Internet filtering, following the passage of a new state law that required Internet filtering controls in schools to foster academic freedom.
For the latest report, ACLU requested copies of Internet filtering policies from school districts to determine whether state laws were being followed and if Internet filtering controls in schools had improved following the model policy issued by RIDE.
33 school districts responded to the request, but only five of the schools had an Internet filtering policy in place, and out of those five, three were not in compliance with the new state law.
Critics of Internet filtering controls in schools often point out that in an effort to block obscene and sexual content, topics such as sex education are accidentally blocked. However, the report suggests that the blocking of such content by Rhode Island schools was not always accidental.
It is important for children to be able to have their questions answered on sex. Schools are often the only places where children can access such educational content. UCLU found that it was common for sex education content to be blocked by filters in Rhode Island schools.
Other topics that were commonly blocked were material related to drugs, tobacco, alcohol, terrorism, and religion. ACLU pointed out that the Internet filtering controls prevented students from researching topics such as the medicinal use of marijuana, fetal alcohol syndrome, abortion, or the opioid epidemic in the United States.
Some schools had even more restrictive filers in place that prevented students and staff from accessing topics such as hobbies, dictionaries, news and political websites, humor and information about alternative sexual lifestyles.
The Internet filtering law in Rhode Island requires schools to have an Internet filtering policy that explains why a particular category of website content is blocked to ensure transparency, and to list who is responsible for making the decision about blocking that category.
A mechanism must also be put in place that allows staff and students to request the lifting of a block (whitelisting a website for example) to allow educational content to be accessed. Yet the report showed that in many cases, staff and students had to wait for excessively long periods before their request was honored.
The law requires a list to be maintained of all requests and for those lists to be assessed annually to determine whether filtering controls need to be altered. RIDE’s model Internet filtering policy must also be adopted to ensure academic freedom.
ACLU said, “Without adoption and implementation of strong policies across the board, we will continue to see an array of issues involving the over-filtering of our schools’ Internet systems, which will continue to negatively impact students from accessing information and teachers from making use of helpful educational tools.”
Using a clunky system that blocks valuable content will be damaging to children’s education. Internet content filtering in schools is important, but it is also important for a technological control to be implemented that is not overly restrictive.
With WebTitan, it is possible to block obscene content and to comply with CIPA, without restricting access to important educational content. Category filters are accurate, and thanks to highly granular controls, adjusting filtering settings is a quick and straightforward process. With WebTitan, schools can quickly fine tune their filters and process staff and student requests to unblock content and comply with both CIPA and state laws.
If you are looking for an alternative solution that allows you to carefully control the content that can be accessed over the Internet by staff and students, that allows different controls to be applied for different users and user groups and is easy to use, contact the TitanHQ team today and find out about the difference WebTitan can make.
Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?
First of all, it is worth considering that most people have a great deal of passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. If you rarely venture online and do not make online purchases, that means you will need to learn a handful of passwords (and change them regularly!).
Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.
These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.
With a password manager you can generate a strong and impossible to remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashline, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”
That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.
That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters and you should change that password every three months.
If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.
Flaws Discovered in Password Managers
Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.
Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email. Similarly, that flaw was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.
These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.
Are Password Managers Safe to Use?
So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.
Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.
In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.
As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.
Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.
HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.
If a website starts with HTTPS it means that a SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.
According to PhisLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.
Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.
Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.
However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the benefits that come from HTTPS websites. Namely trust.
Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.
What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages. Twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.
While checks are frequently performed on websites before a SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.
The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site is secure, it does not mean all plugins are kept up to date and neither that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.
The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.
For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites, and that the solution is capable of decrypting secure sites to perform scans of the content.
For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.
The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.
The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.
The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.
Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.
The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.
Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.
“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.
Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.
Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.
Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.
The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.
For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identifed combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.
The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.
The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.
End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.
First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had been previously purchased by hackers, had been re-bought by other scammers when they came up for renewal.
Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLS are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.
Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.
The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.
TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.
This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.
Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.
Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry
The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.
The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.
The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.
Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.
TitanHQ On the Road
It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.
The Wi-Fi Now Europe 2017 comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues. Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained about the new integration of WebTitan with Kaseya.
The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than decade since the Security Rule was introduced, and data breaches still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.
September Data Breaches in Numbers
The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.
HIPAA Compliance Will Not Prevent Healthcare Data Breaches
HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.
HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.
Detect Insider Breaches Promptly
Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.
HIPAA Requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
Close the Door to Hackers
50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.
Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.
Prevent Impermissible Disclosures of PHI
One of the leading causes of PHI disclosures occurs when laptop computers, zip drives, and other portable devices are lost or stolen. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.
Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.
Block Malware and Ransomware Attacks
Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.
Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.
Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.
Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity has fallen considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit it is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.
The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.
Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: A scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also attempted.
Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.
Smoke Loader malware is a backdoor that if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and Globelmposter ransomware.
To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.
For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.
Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.
The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.
Researchers at Qihoo 360, who discovered the new botnet, report that the malware also includes in excess of 100 DNS open resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.
Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”
While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslaves IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.
IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.
Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.
At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.
If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.
Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.
There are two conditions required to pull off KRACK– The WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.
The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFI protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.
In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.
The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”
The disclosure of this WPA2 WiFi vulnerability has had many vendors franticly developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.
There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.
While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.
This week, the UK government’s Culture Secretary Karen Bradley announced the publication of a new green paper outlining the government’s Internet Safety Strategy, saying the aim is to make the UK the safest place to be online.
The Internet Safety Strategy outlines the awareness campaign that the government is taking to prevent cyber-bullying, trolling and the accessing of pornography by minors. The government has come under increasing pressure in recent years to take decisive action to curb the growing problem of online abuse and harm to minors from accessing age-inappropriate websites.
In a recent press release announcing the new Internet Safety Strategy, Bradley said “In the past year, almost one fifth of 12-15-year olds encountered something online that they ‘found worrying or nasty in some way’ and 64% of 13-17-year olds have seen images or videos offensive to a particular group.” The problem is not confined to minors. Adults too have been offended or upset by material they have viewed on social media sites, and the new strategy will also help to keep adults safe and protected online.
The aim of the new proposals is not censorship of the Internet – the UK government continues “to embrace the huge benefits and opportunities the Internet has brought for British citizens.” The aimof the government’s Internet Safety Strategy is simply to make the Internet a safer place and prevent harm to vulnerable people, especially children.
Bradley said, “Behaviour that is unacceptable in real life is unacceptable on a computer screen. We need an approach to the Internet that protects everyone without restricting growth and innovation in the digital economy.”
The Internet Safety Strategy tackles a range of online issues using several different methods – a combination of improved efforts to educate children and the public about online dangers and acceptable online conduct, social media advice, the promotion of safety features for parents to use to protect their children, and the use of Internet filtering in schools.
Some of the key elements in the Internet Safety Strategy are:
Developing a new social media code of practice to address bullying, intimidating, or humiliating online content
An industry-wide levy so social media companies and communication service providers contribute to raise awareness and counter internet harms
The publication of an annual Internet safety transparency report detailing the progress made at reducing abusive and harmful content and conduct
Providing support for start-ups and tech companies to help them build safety features into their products and apps at the design stage
Compulsory new subjects in schools: Relationship education at the primary school level and relationship & sex education at secondary level
Encouraging social media companies to provide social media safety advice to parents and build that advice into their platforms
Promoting the use of social media and Internet safety features by parents
Changing the name of the UK Council for Child Internet Safety to the UK Council for Internet Safety, to show the safety of all Internet users is of concern
In the new green paper, the Keeping Children Safe in Education (KCSIE) guidance is highlighted. The guidance details the steps that schools and colleges in England should take to protect students and keep them safe online. The guidance was updated in September last year to include a new section on safeguarding children online. Schools were reminded of their responsibility to prevent children from accessing harmful and inappropriate website content, explaining Internet filtering in schools is a requirement. Solutions that allow Internet filtering in schools should block inappropriate content and also allow the monitoring of the attempted access of inappropriate material.
The use of similar controls by parents is being encouraged, first by making sure the options are available – the big four ISPs in the UK all offer Internet content filtering controls – and to improve education on the need to implement content filtering solutions to protect children at home.
Vicki Shotbolt, Chief Executive Officer at Parent Zone – an organization set up to provide expert information to families, schools and family professionals on the Internet safety – said, “It is encouraging to see the government proposing concrete steps to ensure that industry is doing everything they can to support families and make the Internet a place that contributes to children flourishing.”
A Social Community Partnership in Ireland that terminated an employee for accessing porn at work was sued for unfair dismissal; however, the Workplace Relations Commission (WRC) in Dublin upheld the decision of the company to terminate the employee, which was deemed to be the appropriate sanction under the circumstances.
The viewing of any pornographic material in the workplace is unacceptable, but for a Social Community Partnership that provides services to children and families, it is especially important to take action when employees access obscene material – In this case the webpages depicted rape, the abduction of girls, and non-consensual sex.
A statement released by the unnamed Social Community Partnership read, “[The worker’s] actions go against the grain of the organization, but has the potential to put at risk the company’s funding relationship with Government services.”
The accessing of inappropriate material was discovered during a review of the computers used by receptionists at the Partnership. That review revealed pornographic material had been accessed on a reception computer on seven occasions between September 30th and November 26th, 2015. The material was accessed between 1.28pm and 16.40pm, and while multiple employees had access to the computer, on three of the occasions, the terminated employee was the only member of staff working in the reception area.
Once that was confirmed in May 2016, the employee’s contract was terminated for gross misconduct. The employee appealed the decision internally, claiming the allegations were incorrect. She denied accessing porn at work and claimed she was not the only person to have access to the computer. Two other receptionists were employed at the firm and could have accessed the material. When the appeal was rejected, the employee sued the firm for unfair dismissal.
An independent IT consultant was brought in to conduct a scan of the computer to confirm that a malware infection was not present, which could theoretically have been responsible for the sites being accessed. The woman maintained there was no evidence against her and popups could have explained the accessing of the material. She also said other employees could have accessed the computers in the reception area, which did not require the use of secure passwords.
The WRC ruled that, on the balance of probability, the employee did access pornographic material, and the decision to terminate the employee was correct. The woman has been unable to find further work in the field, despite her 18 years’ experience, due to the nature of her dismissal.
Employees Accessing Porn at Work Is a Widespread Problem
The accessing of pornography at work is widespread, global problem – and one that acceptable Internet usage policies do not prevent.
A 2013 report from the UK government found computers in parliament were used to make an average of 800 visits to pornographic websites per day – more than 300,000 attempts were made over the period of study.
A 2014 survey by Proven Men Ministries found nearly two third of men (63%) and one third of women (36%) admitted accessing pornography at work, while a 2015 poll conducted by The Sun newspaper in the UK found 15% of women in the UK watch pornography at work.
In the United States, a Harris Poll in 2011 found 3% of Americans watch porn at work, with an earlier study by The Nielsen Company placing the figure at around 28%.
While there is some variation between the studies, it is clear that the accessing of pornography at work is a widespread problem, responsible for a significant loss of productivity, the creation of a hostile work environment, and many HR issues.
Companies Can Easily Avoid Pornography-Related HR Issues
Even though acceptable Internet usage policies are developed, and employees have to confirm that those policies have been read and understood, many employees still access porn at work. Some employees simply disregard those policies, others mistakenly believe they will not be found out.
For the company, accessing porn at work causes major HR issues. Complaints are often made by other employees who have caught a glimpse of the material, a hostile work environment can develop, HR departments have to take disciplinary action, and recruit and train replacement employees – all of which are a drain on productivity and result in many lost man hours.
As this case shows, these incidents can result in bad publicity, potentially loss of funding, and legal costs from fighting lawsuits.
However, all of these problems are easy to avoid. Companies can simply block adult website content with a web filter. A web filter allows firms to enforce acceptable Internet usage policies and prevent obscene or otherwise inappropriate material from being accessed by employees.
The Social Community Partnership would have been able to avoid all the bad publicity and paying to fight the unfair dismissal claim if a web filtering solution been put in place to enforce acceptable Internet usage policies.
If you have yet to start filtering the Internet, and are not blocking pornography and other inappropriate material from being accessed in the workplace, contact TitanHQ today and ask about WebTitan – The leading web filtering solution for enterprises.
The healthcare industry has been extensively targeted, and now Dark Overlord cyberattacks on schools have soared – The education sector is now being targeted.
The cyberattacks on healthcare institutions included threats to publish data. Those threats were often ignored, resulting in sensitive data being dumped online. While such data dumps are damaging to healthcare organizations and their patients, many attacked institutions followed the advice of the FBI and chose not to give in to the mafia-style extortion tactics.
The recent Dark Overlord cyberattacks on schools have been different. Educational institutions have not only been hacked and had sensitive data stolen, the hacking group has escalated its threats. Additionally, rather than just sending threats to the schools, parents of some of the children whose data were stolen have also been contacted by text. The aim is clear. To put pressure on schools to pay up.
The latest wave Dark Overlord cyberattacks on schools have been spread across the country. Schools in Alabama, Iowa, Montana, and Texas have all been attacked in recent weeks. The attacks have followed a similar pattern to the attacks on healthcare organizations, Gorilla Glue, and Netflix. Sensitive data have been stolen, a payment was demanded, and a threat issued to publish the data online if the payment was not made.
Payment of a ransom does not guarantee data will not be released. The latest episode of Orange is the New Black was stolen and Netflix was threatened. A $50,000 ransom was paid, but the episode was still released – It was claimed this was for contacting the FBI.
The latest attacks have got more personal. The Dark Overlord cyberattacks on schools have seen parents of children sent personalized text messages threatening violence against their children. One of those messages included the address of the family with the message “your child is still so innocent. Don’t have anyone look outside.” The Des Moines Register reported that one parent responded to the message telling the sender of the messages to stop and was told, “we are just getting started.” Other text messages threatened to kill kids at the school resulting in the school closing for a day as a precaution.
In the case of the cyberattack on Johnston Community School District in Iowa, data was dumped online. TDO allegedly said the data would help child predators.
The attack on Montana’s Columbia Falls School district was accompanied by a 7-page letter, in which Sandy Hook was referenced. Threats were issued about publishing grades, sensitive behavioral reports, details of ‘shoddy student work’, nurse reports, and private health information. While various methods of payment were offered, a ransom payment of $150,000 was demanded in Bitcoin. In exchange, TDO said all stolen data would be deleted.
Similar attacks have occurred at Alabama’s Crenshaw County Schools District and Splendora School District in Texas. The escalation in the threats was reportedly in response to the FBI telling breach victims not to respond to the messages and not to pay the ransom demands.
While these Dark Overlord cyberattacks on schools follow a similar pattern to other attacks, there are notable differences, raising the prospect that some of the attacks were performed by other hackers piggybacking on the name.
Regardless of who is conducting the attacks, the message to schools – and all other organizations – is clear. Make sure your networks are well defended. Implement layered cybersecurity defenses, patch promptly, and consider using encryption for all stored data.
Libraries are places of open learning where the Internet can be freely accessed. Acceptable internet usage policies for libraries are usually developed, but many libraries do not go as far as restricting access to certain types of Internet content. That means acceptable Internet usage policies for libraries can be easily abused. Library computers can be used for highly illegal activities and there is little to prevent minors from coming to harm.
The Importance of Free and Open Internet Access in Libraries
The provision of open access to the Internet in libraries is understandable. Libraries are places of learning where the public can gain access to information of all types. Even if information is highly controversial and causes offense to some individuals, that does not mean access to the information should be blocked.
When Charles Darwin published the Origin of Species it was hugely controversial, but it would be difficult to argue the book has no place in a library. In order for people to understand and debate Darwin’s views, they need access to his book.
Access to the Internet is now provided in most libraries. For many individuals, libraries are the only places where the Internet can be accessed freely. Children especially may be unable to access the Internet at home and view important educational information without fear of reprisals – viewing information on LGBTI issues for example or information on sex education.
Many libraries, as places of open learning, are reluctant to place any restrictions on Internet access, instead acceptable internet usage policies for libraries are used to lay down the rules on the content that is permitted and prohibited.
Typical Acceptable Internet Usage Policies for Libraries
When acceptable internet usage policies for libraries are used, they usually state that while access to website content is not blocked, library computers should not be used to access illegal web content – content such as child pornography, which is illegal in all forms.
Acceptable Internet usage policies for libraries often reference the Children’s Internet Protection Act (CIPA), which requires schools and libraries to implement controls to prevent the accessing of imagery that could be harmful to minors – pornography, child abuse, child pornography, and other potentially harmful imagery. However, schools and libraries are only required to comply with CIPA if they receive certain state or government funding. Many libraries would be reluctant to block adult pornography, because it is not illegal and would not do so if they are not required to do so by CIPA.
While acceptable internet usage policies for libraries are important for laying down the rules, not all library patrons read those policies or adhere to them. The policies will do nothing to prevent illegal content from being accessed and minors will not be prevented from accessing potentially harmful images.
Where Acceptable Internet Usage Policies for Libraries Fail
There have been numerous complaints made by members of the public in recent years of cases of patrons using library computers to access pornography, in full view of other library patrons. The past few days have seen another example covered by the media of where the use of acceptable internet usage policies for libraries has failed.
The latest compliant was made about College Terrace Library in Palo Alto, CA. The library has an acceptable Internet usage policy but does not filter the Internet in any way. The policy states “Libraries and librarians should not deny or limit access to electronic information because of its allegedly controversial content or because of the librarian’s personal beliefs or fear of confrontation.”
The complaint in question, which has led to a police investigation, concerns the actions of one of the library’s patrons, who was seen accessing images of child pornography on a library computer in full view of other patrons. That individual’s actions were illegal and contravened library AUPs, yet it was still possible for that information to be accessed.
Free and Open Internet Access in Libraries, With Certain Restrictions?
The incident shows how the decision not to impose any restrictions on Internet access has potential to cause harm to library patrons, many of whom will be minors. Acceptable internet usage policies for libraries can be ineffective; however, the use of Internet filtering software can solve this problem.
The purpose of Internet filtering software in libraries is not to limit free speech, or even police Internet as such. The aim is to protect minors and to prevent extremely harmful illegal content from being accessed by some individuals to protect all library patrons.
The American Library Association (ALA) is against filtering of Internet content in libraries. The ALA even filed a lawsuit claiming CIPA was unconstitutional and violated the first amendment rights of consumers. The ALA argued that the Internet was a public forum, and as such required strict scrutiny, but that Internet filtering technology would result in overblocking of website content. A lower court agreed, but the case was taken to the Supreme Court which ruled that public-forum principles were not applicable as the Internet is not a traditional public forum. The Court also ruled that even if there was overblocking of website content, librarians could easily disable the filtering for certain individuals or unblock sites that had been caught by the filters and that this would result in only a minimum burden on librarians. The Supreme Court also ruled that CIPA was constitutional.
While the use of Internet filters used to result in overblocking of content, today that is less of an issue. Categorization of websites is now far better and more reliable. Internet filtering software has improved considerably in the past 15 years.
Why a Content Filter for Libraries Should be Implemented
Libraries are places of learning and should provide open access to the Internet, but they are not places where it should be possible to view child pornography. Libraries have a responsibility to protect patrons from viewing such material, and other harmful website content such as phishing websites.
They should also be using content filters to prevent the downloading of malware and ransomware. In January this year, libraries in St. Louis had their computers taken out of action as the result of a ransomware download. That attack not only prevented Internet access for days, but it took out the system used to log borrowed and returned books. Patrons of 16 libraries in Missouri were prevented from borrowing books. The library had to wipe its system and rebuild it from scratch, a process that took weeks.
Provided content filtering software is used wisely, and mechanisms are introduced to allow the content filter to be lifted on sites that are not illegal or do not contravene acceptable internet usage policies for libraries, they should be applied to ensure that illegal website content cannot be accessed, systems are protected, and patrons are prevented from coming to harm.
Internet content filters can be used to block sites known to host illegal content such as images of child abuse and child pornography, and sites that have been shown to be used for phishing or to deliver malware. Blacklists for these sites are maintained by several organizations.
Internet content filtering ensures the public are prevented from engaging in illegal activity and are protected from phishing attacks. Those controls to not contravene Americans’ first amendment rights.
If you are a librarian and are interested in blocking illegal content but keeping Internet access open, or if you wish to apply for grants, funding, or discounts and must comply with CIPA, contact TitanHQ today to find out more about your Internet content filtering options.
Businesses today need to implement layered defenses to prevent malware and ransomware from being installed on their networks. A web filtering solution should be one of those defenses. At its most basic, a web filter will block access to websites known to contain malware, exploit kits, or be used for phishing.
While web filters are commonly used as an additional security measure to block malware, one of the most important reasons for implementing a web filter is to prevent employees from accessing inappropriate or illegal website content and to prevent productivity draining online activities. In some cases, employers choose to severely restrict Internet access by only allowing employees to access to whitelisted sites – websites that need to be accessed for work purposes.
Regardless of the level of control you want to apply, it is usual for different controls to be needed for different individuals or groups of employees. For example, social media sites could be blocked for the entire organizations, but not for the marketing department, which would need to access corporate social media accounts.
While it is possible to place restrictions on different computers using a virtual local area network (VLAN), using a VLAN for content control lacks flexibility. If a device is on a VLAN that prohibits Internet access entirely, there may be instances when Internet access is temporarily required.
Integrating a Web Filter with LDAP
A better, more flexible solution is to base content filtering controls on the user, or user group. Integrating a web filter with LDAP allows filtering controls to be easily applied for different users, rather than limiting controls to a particular device.
In a call center, a telemarketer could logon using their LDAP information and have one set of filtering controls, whereas a manager could logon to the same device and have far greater permissions. The use of LDAP also allows detailed reports to be generated on which users and devices have accessed certain websites or website content. If DHCP is used on workstation and mobile devices, it may only be possible to view access logs up to a day old. Integrating a web filter with LDAP will make it much easier to generate reports when performing audits of Internet use.
Oftentimes, employees will be assigned to more than one LDAP group, so while it is possible to assign web filtering controls to specific groups, rules can be set to cater for members of more than one group, such as using the most or least restrictive content filtering settings when a user is in multiple LDAP groups. Not everyone will have a LDAP account. When guests require Internet access, a default configuration can be set. If users need to take their devices off site, content filtering by IP address or VLAN would not be possible. In such cases, a client-based solution is used to capture the LDAP session. This is important for K12 Schools that issue laptops for students to take home.
Using a web filtering solution that integrates with LDAP makes content filtering much easier to manage. WebTitan integrates with LDAP allowing you to easily apply content filtering controls by user or user group, with a range of APIs also provided to integrate with Active Directory, NetIQ and other deployment, billing and management tools.
If you want to start filtering the Internet and controlling the content that your users can access, contact TitanHQ today for further information, to schedule a product demonstration, and take advantage of our free trial.
This week, news has emerged about a serious Deloitte data breach that allegedly resulted in ‘several gigabytes’ of sensitive emails sent to and from the accountancy firm’s clients being obtained by hackers.
Deloitte is one of the big four accountancy firms and provides auditing and tax consultancy services to some of the world’s biggest companies, including many banks, pharmaceutical firms, and government agencies. Deloitte also offers cybersecurity consultancy services and is one of the most widely respected firms, and was rated as the top cybersecurity consultancy firm in the world in 2012.
According to a report in The Guardian, the Deloitte data breach was detected in March, but was only announced this week. Hackers are believed to have access to the firm’s Azure cloud account for months, with the initial breach believed to have occurred in October last year. The Azure account was used to store company emails.
Access to the cloud was gained by hacking an administrator account, which was protected with a password, although allegedly did not have two-factor authentication in place.
Deloitte has confirmed it has suffered a data breach, although few details have been released about the nature of the breach other than Deloitte saying only a small number of its clients have been impacted. Deloitte also issued a statement saying, “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” The Guardian reported that just six of the company’s clients had been impacted, although Deloitte has not publicly confirmed how many clients were notified of the breach.
Deloitte hired a leading cybersecurity firm to perform a forensic analysis to determine the actions taken by the attacker(s), which information was accessed, and what clients were impacted. That analysis revealed the types of information compromised included email communications including file attachments, architectural diagrams for its clients, health information, and in some cases, sensitive security and design details. Usernames, passwords, IP addresses, and personal data of the firm’s clients were also believed to have been obtained by the attacker(s).
The cloud account allegedly contained as many as 5 million emails, although Deloitte believes only a small percentage of those emails were accessed during the time the attacker(s) had access to the account. While that is the official line, some sources close to the investigation suggest the Deloitte data breach is being downplayed. Brian Krebs wrote in a blog post that he has been informed that the attackers gained access to the firm’s entire store of emails and that all administrator accounts at the company had been compromised.
That source also said Deloitte performed a company-wide reset of its email passwords on October 17, 2016, suggesting a potential breach was suspected at the time. The source, who was close to the investigation, said several gigabytes of data had been exfiltrated from the cloud account to a server in the United Kingdom.
Investigations are continuing into a massive Sonic data breach that has potentially impacted millions of its customers.
Sonic, an Oklahoma City-based restaurant chain with more than 3,600 franchise restaurants in the United States, was alerted to a potential breach by its card payment processor after a pattern of fraudulent purchases was identified and linked to the restaurant chain.
The Sonic data breach was first reported by Brian Krebs, who linked the listing of a batch of 5 million credit and debit card numbers on the cybercrime marketplace Joker’s Stash to a potential breach at Sonic.
Krebs reported that two individuals who had agreed to purchase credit card numbers from the seller both said the cards had previously been used in Sonic locations. After contacting Sonic to report the potential breach, Krebs was notified that the restaurant chain was investigating a potential breach.
Sonic has issued a statement saying it is working with law enforcement and has hired a third-party forensics firm to confirm whether its systems have been hacked, and if so, to determine the nature and scope of the breach.
At present it is unclear how many of the restaurants chain’s locations have been impacted or the number of customer’s that have had their card details stolen. While the batch of credit and debit card numbers listed for sale indicates the breach victim count could be as high as 5 million, it has yet to be established whether all of those card numbers came from the Sonic data breach. It is possible the list could be an amalgamation of data from several breaches.
The Sonic data breach has potential to be one of the largest POS data breaches to affect the hospitality industry, and is the latest in a string of cyberattacks on restaurants. Earlier this year Chipotle Mexican Grill experienced a breach that affected most of the chain’s restaurants. Arby’s and the Select restaurant chain have also announced major data breaches. Last year, a major breach of card details was reported by Wendy’s which affected more than 1,000 of its restaurants.
Restaurant chain data breaches typically involve malware installed on point-of-sale systems that collects and exfiltrates card details. The malware infections often go unnoticed for weeks or months. It is only when card processors notice trends in credit card fraud and alert specific restaurants or restaurant chains that the breach is identified. The malicious actors behind these breaches often hold on to the stolen data until a sufficiently large batch of card numbers have been obtained, before listing the data for sale on darknet marketplaces.
In this case, the card numbers from the Sonic data breach were selling for between $25 and $50 depending on the type of card. This is much higher than the usual cost of stolen card numbers, indicating the card details have come from a recent data breach with most of the cards yet to be cancelled.
Hackers can gain access to POS systems via email phishing attacks, by exploiting vulnerabilities using exploit kits, direct attacks on unpatched and out-of-date operating systems, brute force RDP attacks, or by infiltrating the systems of vendors that have legitimate access to restaurant networks. It was the latter that enabled hackers to gain access to Target’s system and steal credit card details of 40 million customers. The same was true of the Wendy’s breach. Hackers obtained the credentials of some of its service providers and were able to login and install malware.
Restaurants can reduce the risk of data breaches by complying with the Payment Card Industry’s Data Security Standard (PCI DSS), a list of 12 requirements spread across six control objectives. Those requirements include the use of spam filtering, web filtering solutions, and securing the Wi-Fi environment – the latter two can both be achieved by implementing WebTitan.
There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.
The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.
The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.
Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.
Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.
Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.
The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.
The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years
Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
KeRanger: One of the first ransomware strains to target Mac OS X applications.
Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications
HDDCryptor: A ransomware variant that targets network shares, file, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk
CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat
ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives
WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.
Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.
In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 321 approach to ensure you can recover files without paying the ransom – Make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.
Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.
Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.
In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required, affiliates simply enter in their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.
With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.
For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.
There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.
A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.
The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.
Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.
For further information on spam and web filtering, contact the TitanHQ today.
The cyberattack on Equifax affected almost half the population of the United States. 143 million U.S. consumers potentially had their sensitive data stolen by hackers, as did around 400,000 individuals in the United Kingdom and 100,000 consumers in Canada.
To notify victims of the Equifax data breach by mail would have been a monumental and incredibly costly task. Instead, Equifax set up a website where breach victims could check to see if their data had been exposed and also register for free credit monitoring and identity theft protection services.
The official website used for this purpose is equifaxsecurity2017.com. Visitors to the website are required to enter some personal information as identification – the last six digits of their Social Security number and their full name.
That site then directed visitors to a second site, Trustedidpremier.com – which, it has to be said, does seem somewhat phishy. The site is owned by Equifax, with the name taken from its identity theft protection service, but the site did not mention Equifax, which led to many consumers questioning whether the site was real.
These choices gave phishers with a gilt-edged opportunity to take advantage. By registering a website similar to that used by Equifax, it would be possible to fool many U.S. consumers into revealing their sensitive information. For instance, instead of asking for the last six digits of the Social Security number, criminals could ask for the full SSN, along with a date of birth and a full name. If the fake website had official Equifax logos, many consumers would be fooled.
If Equifax had put the information on a subdomain of its official website, it would be easy for consumers to verify that they were on the correct site. The decision to use a new website for this purpose has made it too easy for scammers to take advantage.
There have already been many fake Equifax domains registered and used for phishing. While these sites are being identified quickly and shut down, during the time they are online they can be used to capture large volumes of sensitive information. Some of the recently registered domains featured transposed letters and common misspellings, such as replacing the y with a u to catch out careless typists.
However, it is not only bad typists that could be fooled by such a scam. One fake site – securityequifax2017.com – was registered that would likely fool many consumers. Such a site should also have been purchased by Equifax to prevent it being purchased by a scammer.
Fortunately, the website had been purchased by a software developer called Nick Sweeting specifically to demonstrate how easy it would be to take advantage. It was made clear on the site that the website was fake, and was not actually being used for phishing, only to raise awareness of the risk of similar sites being purchased by phishers.
However, so realistic was the site that it even fooled one Equifax employee. On at least eight occasions, that individual Tweeted the fake domain via the official Equifax Twitter account. The incorrect link was tweeted on at least 8 occasions according to Sweeney.
The fake site has since been blocked and taken offline; however, for two weeks the site was active. Had this been a real Equifax phishing website, many consumers could have been fooled.
The average cost of a SMB data breach is now $117,000 per incident, according to a large study of data breach costs at small to medium sized businesses.
The study was conducted by Kaspersky Lab and B2B International, with over 5,000 businesses in 30 countries asked about the costs of resolving data breaches.
There has been a rise in the average cost of a SMB data breach again this year and some notable changes to how those costs break down, compared to last year when the study was previously conducted. There were also notable differences between the main costs for SMBs and large enterprises.
Last year, the single biggest cost of data breaches was the reallocation of staff time, although this year, respondents from SMBs said the biggest costs were the loss of business as a result of a data breach and bringing in external experts to help investigate and resolve data breaches.
Out of the $117,000 average cost of a SMB data breach, $21,000 was spend on bringing in external experts and a further $21,000 had to be covered as a result of lost business. Other major costs were additional wages for staff ($16,000), credit rating damage and increases in insurance premiums ($11,000), improving software and infrastructure ($11,000), repairing brand damage ($10,000), and employing new staff ($10,000). The lowest costs were training ($9,000) and compensation ($8,000).
Kaspersky Lab points out that the reason these costs are so high for SMBs is likely due to a lack of skilled in-house staff, meaning they have little choice but to call in the professionals. Small businesses are also particularly vulnerable to loss of business as a result of a data breach. However, the study showed that small to medium sized businesses tend not to have to dig deep to pay compensation, which has been attributed to less formal business relationships.
The cause of SMB data breaches has a significant bearing on resolution costs. Some types of attack proved much costlier to resolve. The average cost of a SMB data breach that resulted from a targeted attack was $188,000, followed by security incidents affecting non-computing connected devices (IoT) at $152,000 per incident.
Breaches caused by the loss of devices containing sensitive information cost an average of $83,000 to resolve, inappropriate use of IT resources cost $79,000, while virus and malware infections were the cheapest to resolve, costing an average of $68,000.
For enterprises, average data breach costs jumped from $1.2 million in 2016 to $1.3 million in 2017, with the main costs of a breach being additional wages for internal staff ($207,000), software and infrastructure improvements (172,000), bringing in external professionals ($154,000), training ($153,000), lost business ($148,000), and compensation ($147,000).
SMBs have increased spending on IT security in response to the increased threat of attack, devoting 19% of their IT budgets to security compared with 16% in 2017. There was a much smaller increase in security spending at very small businesses (1-49 employees), rising just 1% from 13%-14% of their IT budgets. There was no change in spending for large enterprises (1000+ employees) with 19% of IT budgets spent on security.
Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.
Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.
Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.
This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently both Palo Alto Networks and SANS Internet Storm Center have both report it is being used in a new campaign.
Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.
The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.
The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.
Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users do not have the popups displayed, instead they are presented with a fake anti-virus alerts linked to a tech support scam.
The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.
On October 10, 2017, the European Parliament will vote on a new copyright law that could see content filtering on websites in Europe which are deemed to violate copyright laws.
These laws would apply to all websites displayed to users in Europe. The law would naturally cover websites such as torrent sites that share links to download copyright protected material, but also other websites may also be censored. Websites such as Reddit, E-bay, Wikipedia and GitHub could all easily fall foul of the Directive on Copyright in the Digital Single Market if users of the sites upload copyright protected material.
If the Directive on Copyright in the Digital Single Market is passed in its current form, all website owners would have to monitor content uploaded by site users to ensure copyright laws are not violated. Online services providers would be required by law to implement content filters to prevent pirated material from being displayed on their websites. Detection mechanisms such as the fingerprinting technology used by YouTube would need to be implemented. Platform operators would be liable for any copyrighted material uploaded to their sites.
Content filtering on websites in Europe could not be performed manually – the work involved in vetting all content would make that impractical. Therefore, content filters would need to be automatic, and if all content must be checked to determine if it is acceptable, all uploads would need to be scanned.
An alternative has been proposed to the upload filter – the “link tax” or ancillary copyright that was introduced in Spain and Germany. The link tax required sites that publish news snippets from other sites to be charged for doing so, although that measure did not work in practice so it is unlikely to be applied across all member states.
If Internet filters are applied, it would be difficult to differentiate between allowable use of copyrighted material and illegal use. It therefore has potential to affect parody websites, the use of quotes, and it could spell the end of Internet memes, at least in Europe. Also, if the new Directive is agreed in its current form, users would have no protection from unfair deletion of website content.
Raegan MacDonald, senior EU policy Manager at Mozilla said, “The proposal would make filtering and blocking of online content the norm, effectively undermining innovation, competition and freedom of expression.” He also labelled some of the elements of the new directive as “dysfunctional and borderline absurd.” Some see the Directive on Copyright in the Digital Single Market as Internet censorship akin to that used by China.
It has been argued that the use of this technology to apply content filtering on websites in Europe would violate the privacy of Internet users, as such a system would require all communications on websites to be monitored. That would potentially violate European privacy laws. A letter has been sent by six EU member states questioning the legality of the new Directive asking whether the directive is legal and whether “the proposed measures justified and proportionate.”
As it stands, if the Directive is passed, it will prove costly for businesses and as EDRi points out, the new law has potential to “undermine access to copyright-free public domain works that are for now freely available for everyone.”
A new study has been published in the Journal of Psychosocial Research on Cyberspace on the problem of cyberloafing, highlighting not only the cost to business but also the cost to individuals. Cyberloafing is a major drain on productivity, yet it is all too common. Employees who engage in cyberloafing can also seriously damage their career prospects.
The Business Cost of Cyberloafing
Employers are paying their employees to work, yet a significant amount of time is lost to cyberloafing. Cyberloafing dramatically reduces productivity and eats up company profits. The study was conducted on 273 employees and cyberloafing was measured along with the traits that led to the behaviour.
The study revealed a correlation between dark personality traits such as psychopathy, Machiavellianism and narcissism, but also showed that employees are wasting huge amounts of time simply because they can get away with it. The sites most commonly visited were not social media sites, but news websites and retail sites for online shopping.
In an ideal world, employees would be able to do their jobs and allocate some time each day to personal Internet use without any losses in productivity. Some employees do just that and curb personal Internet use and do not let it interfere with their work duties. However, for many employees, cyberfloafing is a problem and huge losses are suffered by employers as a result.
A 2013 study on cyberloafing conducted by Salary.com showed that 69% of employees waste time at work every day, with 64% visiting non-work related websites. Out of those individuals, 39% said they wasted up to an hour on the Internet at work, 29% wasted 1-2 hours, and 32% wasted more than 2 hours a day.
Cyberloafing can make a huge dent in company profits. A company with 100 employees, each of whom spend an hour a day on personal Internet use, would see productivity losses of in excess of 25,000 man-hours a year.
Productivity losses caused by cyberloafing are not the only problem – or cost. When employees use the Internet for personal reasons, their actions slow down the network resulting in slower Internet speeds for all. Personal Internet use increases the risk of malware and viruses being introduced, which can cause further productivity losses. The cost of resolving those infections can be considerable.
What Can Employers do to Reduce Productivity Losses?
First of all, it is essential that the workforce is advised of company policies relating to personal Internet use. Informing the staff about what is an acceptable level of personal Internet use and what constitutes unacceptable behaviour ensures everyone is aware of the rules. They must also be advised of the consequences of cyberloafing.
The Journal of Psychosocial Research on Cyberspace study suggests “a worker’s perceived ability to take advantage of an employer is a key part of cyberloafing.” By increasing monitoring and making it clear that personal Internet use is being noted, it serves as a good deterrent. When personal Internet use reaches problem levels there should also be repercussions for the employees concerned.
If there are no penalties in place for employees that break the rules and company policies are not enforced, little is likely to change.
As for what those penalties are is down to the employer. Action could be taken against the individuals concerned via standard disciplinary procedures such as verbal and written warnings. Controls could be put in place to curb Internet activity – such as blocks placed on certain websites – social media sites/news sites for example – when employees are spending too much time online. Those blocks could be temporary or even time-based, only allowing personal Internet use during breaks or at times when workloads are typically low.
WebTitan – An Easy Solution to Reduce Productivity Losses and Curb Cyberloafing
Such controls are easily applied with WebTitan. WebTitan is an Internet filter for enterprises that can be used to reclaim lost productivity and block access to web content that is unacceptable in the workplace.
WebTitan allows Internet controls to be easily set for individual employees, user groups, or the entire organisation, with the ability to apply time-based web filtering controls.
Preventing all employees from accessing the Internet for personal reasons may not be the best way forward, as that could have a negative impact on morale which can similarly reduce productivity. However, some controls can certainly help employers reduce productivity losses. Internet filtering can also lower legal liability by preventing illegal activities and the accessing of adult content in the workplace and can help to prevent the development of a hostile work environment.
If you are interested in improving productivity and enforcing Internet usage policies in your organization, contact TitanHQ to discuss your options.
A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.
The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with that link pointing to Google Docs. Since Facebook Messenger is used with Bitly URLs it is hard for users to determine that the links are not what they seem.
Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.
Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.
The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”
While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.
This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.
Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.
With the volume of cyberattacks increasing and heightened pressure on businesses to offer family-friendly WiFi access, a partnership with a company that offers Internet filtering for managed service providers is now a must.
Businesses that offer WiFi access to customers provide greater value and are more likely to attract customers. Younger age groups in particular are more likely to choose an establishment that allows them to connect to the Internet and not use their own data allowance. Coffee shops, restaurants, bars, and retail outlets now appreciate that providing WiFi access brings in more customers.
However, it is becoming increasingly important for secure WiFi access to be provided. Customers are now demanding more. They want reassurance that efforts are being made to make WiFi networks secure. Parents also want to make sure their children will not be exposed to harmful website content when hooking up to WiFi networks.
With demand for a filtered Internet service high, it is an easy sell for managed service providers. Further, Internet filtering brings in regular monthly revenue for next to no effort. Once the service is set up there is very little maintenance. Due to the low maintenance overhead and ease of implementation, Internet filtering for managed service providers could even be provided as part of an existing security suite to give clients even greater value for money.
Visiting clients to install solutions and perform updates is costly and eats into profits. It can also be difficult to convince businesses to pay out for an appliance to keep customers safe online. Free WiFi may increase footfall, but having to pay for a $500 appliance is a difficult sell.
However, with a cloud-based filter there is no need for any hardware purchases, no need for MSPs to visit their clients for an installation, and all settings can be changed remotely via an online administration control panel. Customers can even be given their own logins so they can tweak their own settings and whitelist and blacklist certain webpages at will.
WebTitan Cloud for WiFi – Internet Filtering for Managed Service Providers Made Simple
WebTitan Cloud for WiFi has been developed to make Internet filtering for managed service providers as simple as possible. This go-to-market content filtering solution can be set up for each client in around 20 minutes, with no need for site visits or any software downloads. WebTitan Cloud for WiFi is also supplied with a full set of APIs for easy backend integration and reports can be scheduled and sent automatically.
Each client can have their own administration control panel to tweak their content filtering settings, and since the interface is non-technical, there is no steep learning curve. Internet filtering controls are applied by category, so configuration is a quick and easy process.
Content filtering with WebTitan Cloud for WiFi has no discernible impact on Internet speed, there is no limit to the number of WiFi points that can be protected and no limit on bandwidth.
Setting different web filtering controls for different users and user groups is straightforward, since the solution integrates with LDAP and Active Directory. Filtering settings can also be set by the time of day or night.
If you want to offer your clients real-time spyware, malware and virus protection and allow them to carefully control Internet access to keep customers safe online and avoid legal liability, WebTitan Cloud for WiFi is the ideal choice.
To make it even better for MSPs, WebTitan Cloud for WiFi can be supplied in white label form ready to accept MSPs branding and there is a choice of hosting options, including the option of hosting the solution in your own environment. Add to that Industry leading customer service and you have the complete package.
If you are an MSP and are Interested in offering Internet filtering to your service stack or are looking for a lower cost service provider with better margins, contact the MSP team at TitanHQ today and find out how easy – and profitable – Internet filtering for managed service providers can be.
The cost of a malware attack is difficult to predict. There are many factors that affect the cost. The type of malware, whether data were stolen, the extent of the infection, how easy it is to mitigate, and how much business is lost while the infection is resolved. For many companies, the customer churn rate increases after a cyberattack, and certainly one in which sensitive data are stolen.
For Maersk, the NotPetya attack did not result in any theft of customer data. Consequently, there was no need to pay for credit monitoring services or mail breach notification letters to customers – Two additional and sizable costs associated with a malware attack. That said, the cost was considerable. Maersk has estimated the NotPetya wiper attack has cost as much as $300 million.
NotPetya was initially thought to be ransomware. The malware had a number of similarities to Petya ransomware – The malware overwrote and encrypted the master file table and a ransom demand was issued. However, in the case of NotPetya, paying the ransom would not result in keys being sent to unlock the encryption. The purpose of the attack was sabotage. The attackers had no intention of providing keys and allowing firms to recover their data.
For A.P. Møller – Maersk, the consequences of the attack were considerable. After its systems were taken out of action, the company was unable to load and unload its cargo ships in ports around the world. Many ships had to be rerouted as a result of the attack. Systems had to be rebuilt and the firm suffered considerable disruption while the infection was resolved.
A Model Response to A Cyberattack
Maersk was extremely quick to announce it had been attacked. The attacks occurred on June 27, 2017 and Maersk announced the following day that it had been affected. The company also maintained transparency throughout the following days and weeks while it attempted to recover, giving frequent updates on its progress in resolving the infection. The transparency has been applauded, with many security experts saying the company executed a model breach response. Not all companies were nearly as transparent.
The company recently issued an interim statement explaining how severe the attack was and how it would dent profits saying, “Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million.”
Nuance Communications was also affected, and similarly gave frequent updates to its customers on the impact of the attack and its efforts to resolve the infection. That communication undoubtedly reduced customer churn, although with its systems taken out of action for more than three weeks, many customers were forced to seek alternate vendors. Whether they will return remains to be seen. Nuance believes its Q2 profits are down about $15 million as a result of the attack, although losses are likely to be ongoing and the attack will certainly affect its Q3 profits. The manufacturer Reckitt Benckiser has estimated the NotPetya attack has cost the company around $129 million in lost revenue.
These are just three large companies to have disclosed the cost of the malware attack. Logistics firm TNT suffered considerable disruption as a result of the attack, as did FedEx, Mondelez, Merck, Heritage Valley Health System, WPP, Rosneft, DLA Piper, Saint-Gobain and many firms in Ukraine – the country worst affected by the attacks. The total cost of these malware attacks will certainly be measured in billions.
The Ponemon institute calculated the average cost of a malware attack that results in a data breach to be $3.62 million. This malware attack clearly shows the devastating effect of a malware attack and why it is so important for companies to invest improving policies, procedures and cybersecurity defenses.
From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.
In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR imposes a number of restrictions on what companies can and cannot do with data and how it must be protected, although there are no specific controls that are required of companies to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.
The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.
Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.
By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.
By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.
The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.
A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.
When companies update their password polices forcing users to use at least one capital letter and number in a password, many end users choose Password1, or Passw0rd or P455w0rd. All would be high up on a password list used in a brute force attack.
Attempts such as these to meet company password requirements mean security is not actually improved by password policies. If this is going to happen, it would make more sense – from a security perspective – to allow employees to make passwords easier to remember in a more secure way.
NIST Tweaks its Guidance on Strengthening Passwords
As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.
Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.
The use of a space does not make a password any more secure, although increasing a password from 8 characters to say, 15 or 20 characters, certainly does. It also makes passwords much easier to remember. NIST suggests passwords must have a minimum of 8 characters, and that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”
NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.
NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before a user is blocked is one such option. Organizations should also combine this with blacklists of unacceptable passwords that should include dictionary words, other weak passwords and those revealed from past data breaches. NIST also recommends secured hashed storage of passwords
Exploit kit activity has fallen considerably since last year, but new variants are being developed, one of the latest being the Disdain exploit kit.
An exploit kit is a web-based toolkit capable of probing web users’ browsers for vulnerabilities. If vulnerabilities are discovered, they can be exploited to silently download ransomware and malware.
All that is required for an attack to take place is for web users to be directed to the domain hosting the exploit kit and for them to have a vulnerable browser or out of date plugin. Currently, the author of the Disdain exploit kit claims his/her toolkit can exploit more than a dozen separate vulnerabilities in Firefox, IE, Edge, Flash and Cisco WebEx – Namely, CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710, CVE-2017-0037, CVE-2016-7200, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551, CVE-2016-4117, CVE-2016-1019, CVE-2015-5119, and CVE-2017-3823. Many of those exploits are recent and would have a high chance of success.
No malware distribution campaigns have so far been identified using the Disdain exploit kit, although it is likely to just be a matter of time before attacks are conducted. The Disdain exploit kit has only just started being offered on underground forums.
Fortunately, the developer does not have a particularly good reputation on the forums, which is likely to slow the use of the exploit kit. However, it is being offered at a low price which may tempt some malware distributors to start conducting campaigns. The EK can be rented for as little as $80 a day, with discounts being offered for weekly and monthly use. The Disdain exploit kit is being offered for considerably less than some of the other exploit kits currently being touted on the forums, including the Nebula EK.
All that is required is for someone to rent the kit, provide the malicious payload, and direct traffic to the domain hosting the Disdain exploit kit – such as via a malvertising campaign or botnet. The price and capabilities of the EK mean it has potential to become a major threat.
Protecting Your Business from Online Threats
Cybercriminals may be favouring spam email over exploit kits for delivering malware, although the threat of web-based attacks should not be ignored. To a large extent, good patch management practices can reduce the risk of exploit kit attacks, although not entirely. Exploit kits are frequently updated with new vulnerabilities for which patches have yet to be released. If end users are directed to domains hosting exploit kits, malware and ransomware downloads can be expected.
Along with prompt patching, businesses should consider implementing a web filtering solution. A web filter can be configured to carefully control the websites that end users can visit. A web filter will block access to all webpages known to host malware or contain exploit kits. Risky categories of website, which end users have no work purpose for visiting, can also easily be blocked reducing the risk of phishing attacks and improving employee productivity.
An appliance-based web filter can be costly to implement and can have a negative effect on Internet speed. A DNS-based web filter on the other hand requires no hardware purchases and has no latency. Internet speed is unaffected. Since a web filter can also be used to restrict access to websites that take up a lot of bandwidth, Internet speeds for all can actually improve.
WebTitan Cloud – and WebTitan Cloud for WiFi – are DNS-based web filtering solutions for enterprises that allow precision control over the sites that can be accessed by end users and offer excellent protection against web-based threats such as exploit kits and phishing websites.
The solutions require no hardware purchases, no software downloads, there is no latency, and they are highly scalable. Implementing and configuring the solutions is quick and easy and they require minimal maintenance.
WebTitan is also ideal for MSPs, being available in full white-label form with a choice of hosting options – including hosting in an MSPs environment.
If you want to improve the productivity of your workforce and effectively manage online threats – or offer web filtering to your clients – contact the TitanHQ team today to discuss your options and register for a free trial.
The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.
The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.
In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.
WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit. Again, these attacks required no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.
These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.
The take home message is unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.
Poor Patch Management Policies Cost Insurer More than $5 Million
This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.
The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.
The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”
Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, law suits filed by breach victims, attorneys general fines and fines by other regulators. These costs can all be avoided with good patch management policies.
In November last year, the San Francisco Municipal Transportation Agency (Muni) was attacked with Mamba ransomware. The attackers issued a ransom demand of 100 Bitcoin – $73,000 – for the keys to unlock the encryption. Muni refused to pay up, instead opting to recover files from backups. However, the Mamba ransomware attack still proved costly. The attack took its fare system out of action and passengers had to be allowed to travel for free for more than a day. The average take on fares on a weekend day is $120,000.
It has been relatively quiet on the Mamba ransomware front since that attack, although this month has seen several Mamba ransomware attacks, indicating the gang behind the malware is back in action. Those attacks are geographically targeted with businesses in Saudi Arabia and Brazil currently in the firing line, according to Kaspersky Lab researchers who first detected the attacks.
Mamba ransomware uses DiskCryptor for full disk encryption rather than searching for and encrypting certain file types. That means a Mamba ransomware attack will prevent the operating system from running.
Once installed, the malware forces a reboot of the system and modifies the Master Boot Record and encrypts disk partitions and reboots again, this time victims are presented with a warning screen advising data have been encrypted. The attacks share some similarities with the NotPetya (ExPetr) attacks of June.
The algorithms used to encrypt the data are strong and there is no known decryptor for Mamba Ransomware. If the disk is encrypted, victims face permanent file loss if they do not have a viable backup and refuse to pay the ransom demand. However, the latest attacks make no mention of payment of a ransom. Victims are just instructed to email one of two email addresses for the decryption key.
The reason for this approach is it allows ransoms to be set by the attackers on an infection by infection basis. Once the extent of encryption is determined and the victim is identified, the attackers can set the ransom payment accordingly.
It is currently unclear whether the attackers hold the keys to unlock the encryption and whether payment of the ransom will result in file recovery. Kaspersky reports that the group behind this ransomware variant has not been identified. This may be a criminal attack by an organized crime gang or a nation-state sponsored cyberattack where the intention is not to obtain ransoms but to sabotage businesses.
Businesses can enhance their defences against this and other malware variants by implementing WebTitan.
WebTitan is a web filtering solution for the enterprise that allows businesses to prevent end users from visiting malicious websites, such as those used for phishing and for downloading malware and ransomware. By blocking access to malicious sites and carefully controlling access to sites known to carry a high risk of malware delivery – file sharing websites for example – businesses can prevent web-based malware attacks.
There are many reasons why businesses want to restrict Internet access at work. Allowing employees to have unrestricted access to the Internet can result in a major drain on productivity, the risk of malware and ransomware downloads must be managed and inappropriate Internet access at work can cause legal issues. Due to the risks involved, it is unsurprising that many firms choose to use a technological solution to enforce acceptable Internet usage policies. This post explores some of the key benefits that can come from using a web filter to limit Internet access in the workplace and some of the potential problems that can be caused by using content control software.
The Problem of Personal Internet Use at Work
It is inevitable that employees will slack off online from time to time. Simply placing restrictions on the websites that can be accessed will not eradicate time wasting, but it can allow businesses to make significant improvements to productivity. Some employees spend a considerable percentage of the working day on personal Internet use, playing online games, or accessing their social media accounts. If every employee in an organization was to spend an hour a day on personal internet use, the productivity losses would be considerable. A company with 100 employees would lose 100 hours a day, which is 4,000 hours a week, or 208,000 hours a year!
There are other drains on productivity that can result from excessive personal Internet use at work. When employees use streaming services, download files via P2P networks, or engage in other bandwidth heavy activities, it will naturally have an impact on Internet speeds across the entire organization. Using a web filter to restrict internet access at work and limiting access to certain bandwidth draining activities, businesses can ensure sufficient bandwidth is always available for all employees.
The Danger of Malware and Ransomware Downloads
If employees are accessing social media websites, downloading files or are visiting questionable websites, the risk of a malware or ransomware downloads increases significantly.
Exploit kits probe for vulnerabilities in browsers and plugins, which are then exploited to silently download malware. Traffic is usually directed to these websites through malicious adverts – termed malvertising – although websites are constantly being compromised and legitimate sites could easily be hijacked, and malicious content could be added.
Certain types of website carry a high risk of causing a malware infection and allowing employees to access to these sites, many of which are not suitable for work, could easily result in the downloading of malicious software.
The operators of legitimate pornographic websites often take great care to ensure their sites are not compromised. They are, after all, legitimate businesses. However, pornographic content is often used as a lure to spread malware.
One of the riskiest online activities is the use of torrents sites and P2P file sharing networks. There are few – if any – controls over the content that is shared via torrents sites and pirated music and video files are often seeded with malware, spyware, and adware. Illegal software downloads are incredibly risky as malware is often bundled in the executable files used to install the software or in Keygen tools that generate product keys.
A malware or ransomware attack can prove incredibly costly. Many companies have experienced ransomware attacks that have resulted in systems being out of action for several days or even weeks, causing massive losses due to the business grinding to a halt. A ransomware attack can result in an entire network being taken out of action, as was the case with the WannaCry attacks in 2017. The NHS in the UK suffered major disruption as a result of the installation of the malware. The NotPetya wiper malware campaign conducted soon after caused widespread damage. The shipping firm Maersk had its systems infected and the clean up bill is expected to rise to around $300 million.
A web filter will not prevent all malware and ransomware downloads, but it is possible to prevent certain categories of ‘risky’ website from being visited by employees, the filtering solution can be configured to block the downloading of certain file types, and websites known to contain malware or exploit kits can be blocked. Any attempt to visit one of those websites will direct an user to a block screen. Many businesses decide to restrict Internet access at work primarily to protect against malware and ransomware downloads.
A Web Filter Offers Additional Protection Against Phishing Attacks
Phishing is the number one cyber threat faced by businesses. It has been estimated that more than 90% of cyberattacks start with a phishing email. One of the best protections against phishing is a spam filtering solution, which will block the majority of malicious messages from being delivered to end users. However, no spam filter is 100% effective and some malicious messages will end up in employees’ inboxes. Employees can be trained how to identify phishing emails and taught cybersecurity best practices that will reduce susceptibility to phishing attacks, but sooner or later an employee will likely be fooled into clicking a link in an email and will arrive at a phishing website.
When a user is directed to a website and discloses their login credentials, an attacker can gain access to their email account and all the sensitive data contained in the account. The compromised account can be used to send further phishing emails to other employees. It is common for a single response to a phishing email resulting in several email accounts being compromised. Phishing attacks are some of the costliest to resolve. Each email in a compromised account must be checked for personally identifiable information and other sensitive data. Manually checking thousands of emails can take weeks and can cost hundreds of thousands of dollars.
A web filter is an additional layer of security that helps organizations improve their defenses against phishing by preventing phishing websites from being accessed. When an employee clicks a link to a website that has been added to a blacklist due to past use in phishing campaigns, the user will be directed to a block screen. WebTitan blocks up to 60,000 attempts to access malicious websites each day.
Preventing Inappropriate Web Content from Being Accessed
While most employees do not use the Internet to access illegal and not-suitable-for-work content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.
In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A survey in Forbes in 2013 revealed 25% of adults have viewed porn at work, while another survey suggested 28% of employees had admitted to downloading porn at work. Not only is the accessing of pornography at work a major drain of productivity, it can lead to the development of a hostile working environment. Pornography is often used to harass and degrade employees, often women. There have been cases of employees taking legal action against their employers over the failure to implement content controls in the workplace and prevent pornography from being accessed by employees.
Many businesses feel the best way to tackle the problem of pornography access in the workplace is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the Internet, action can be taken against individuals without having to restrict Internet access at work for everyone. This does not always prove effective. When pornography access is discovered, employees usually face instant dismissal. That carries a cost to to the HR department and productivity losses while new employees are hired and trained.
The easiest solution is is to use a web filter to restrict Internet access at work. A web filter can be used to block access to specific websites or categories of website content such as pornographic sites and enforce acceptable usage policies. This is one of the most common reasons why businesses restrict Internet access at work.
Problems with Using a Web Filter to Restrict Internet Access at Work
A web filter may seem like a quick and easy solution to the above issues, although companies that restrict Internet access at work with web filters can encounter problems. Those problems can be worse than the issues the web filter was installed to correct if the correct web filtering solution is not used and it is not configured correctly.
If you restrict Internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. As more sites switch to HTTPS the problem of latency becomes a real issue.
If you restrict Internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have an effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few?
When web filters are used to restrict Internet access at work and they lack highly granular controls, there can be issued with the overblocking of website content. Websites that are used for work may be blocked, which requires the IT support team to spend a considerable amount of time whitelisting websites.
How to Restrict Internet Access at Work and Avoid Problems
The issue of latency can be avoided if a cloud-based web filter is used. Cloud-based filters allow employers to restrict Internet access at work, but since the solutions are based in the cloud, they use the service provider’s resources. The result is Internet control without latency. There are other benefits too. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware which results in considerable cost savings.
Some cloud-based filters, WebTitan for instance, allow time-based controls to be applied. Employers can use this feature to restrict Internet access at work during busy times and relax control at others. It is easy to block access to certain sites 100% of the time, others some of the time – relaxing controls during breaks for instance – and setting different controls for different employees or groups of employees. Since the filter integrates with LDAP and Active Directory, setting controls for different user groups is simple. It is also possible to block anonymizer websites to prevent users from bypassing content filtering controls.
Employers who intelligently restrict Internet access at work and still allow some time for personal Internet access are likely to avoid the creation of a hostile working environment while protecting against threats and reducing legal liability.
Speak to TitanHQ About Internet Filtering Controls
Internet content control is quick, easy and low cost with WebTitan. The solution allows you to easily restrict Internet access at work and avoid the common problems associated with web filtering. If you are Interested in curbing personal Internet use at work, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase.
2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.
Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.
Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.
Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.
Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.
The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or law suits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.
Major Malware Attacks on Schools in 2017
Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.
Minnesota School District Closed for a Day Due to Malware Attack
Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.
Swedesboro-Woolwich School District Suffers Cryptoransomware Attack
The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.
The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”
Los Angeles Community College District Pays $28,000 Ransom
Ransomware was installed on the computer network of the Los Angeles County College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.
Calallen Independent School District Reports Ransomware Attack
The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.
Preventing Malware and Ransomware Attacks on Schools
Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.
Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.
By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.
TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware
TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.
WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.
SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.
To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.
Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.
With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.
Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.
The Risks of Unsecured WiFi Networks
If retailers provide free WiFi access in store it helps to attract more foot traffic, individuals are encouraged to stay in stores for longer, they have access to information and reviews about products and studies have shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than 6 out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.
Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.
Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.
Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.
Secure WiFi Access for Shops Brings Many Benefits
The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improves the image of your brand. It is also likely to result in positive online reviews.
Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your consumers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers browsing habits.
The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.
WebTitan – Secure WiFi Access for Shops Made Simple
Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.
WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.
To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.
Hospitals have invested heavily in solutions to secure the network perimeter, although Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, although IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.
A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.
A look at the Department of Health and Human Services’ Office for Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.
Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.
Internet and WiFi filtering in hospitals is therefore no longer an option, it should be part of the cybersecurity strategy for all healthcare organizations.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.
WebTitan Cloud for WiFi supports blacklists, whitelists and allows precision content control via category or keyword and blocks phishing websites and sites known to host exploit kits and malware. In Sort, WebTitan Cloud for WiFi gives you control over what happens on your WiFI network.
To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.
Hotel guests used to choose hotels based on whether free WiFi was available, now free WiFi is no longer enough – secure WiFi for hotels is required to ensure the Internet can be accessed safely, a fast connection is essential and the WiFi signal must be reliable.
Even budget hotels know the attractive power of free WiFi and how much easier it is to attract guests with free, reliable Internet access. Forrester Research conducted a survey back in 2013 that showed 90% of hotel guests considered free WiFi access to be the most important hotel amenity, while 34% of respondents said when it comes to choosing a hotel, free WiFi was a deal breaker when choosing a place to stay.
Providing Free WiFi is No Longer Enough
Now that most hotels are offering free WiFi, travelers have become much more discerning. Free WiFi access is no longer sufficient. Hotel guests want reliable access, good Internet speeds, sufficient bandwidth to stream music and videos and secure WiFi for hotels is similarly important. Hotels now need to improve their WiFi networks to continue to attract business.
A quick look on TripAdvisor and other review sites is all it takes to assess the quality of the Internet connection. There are even websites dedicated to providing this information. A poor WiFi signal is one of the most common complaints about hotels.
Providing an excellent Internet connection may not mean a 5-star review is guaranteed – but one or two-star reviews can be expected if the Internet connection or WiFi coverage is poor.
If you really want to attract more guests, provide free WiFi access. If you want to gain a serious competitive advantage, ensure all rooms have an excellent signal, there is sufficient bandwidth and make sure your network is secure. Guests now expect the same protections they have at home.
Common Problems with Hotel WiFi Networks
Listed below are some of the common problems reported by guests about hotel WiFi
Problems connecting more than one device to the network – Hotels often have WiFi networks with limited bandwidth. Restrictions may be in place that only allow one device to be connected per room. For a couple or family, that is no longer sufficient. Most guests will require at least two devices to be connected simultaneously per room, without Internet speed dropping to a snail’s pace.
Parents do not want their children to be able to access porn – A night in a hotel should be a relaxing experience. Parents do not want to have to spend their time policing the Internet. They want controls in place to make sure adult content cannot be accessed by their kids.
Connecting to guest WiFi should be safe and secure – Guests should be protected from malware and ransomware infections and steps should be taken by the hotel operator to reduce the risk of man-in-the-middle attacks. Safe and secure WiFi for hotels is essential. Accessing hotel WiFi should not result in nasties being transferred to guests’ devices. Safe and secure WiFi for hotels is especially important for business travelers. They should be able to enter their usernames and passwords without risking an account compromise.
Bandwidth issues are a major bugbear – If some guests are streaming video to their devices, it should not prevent other users from accessing the Internet or enjoying reasonable Internet speeds. Even at busy times, all guests should be able to connect.
How to Resolve these Problems?
Bandwidth is a major issue. Increasing bandwidth comes at a cost. If free WiFi is provided, it is difficult to recover that expenditure. There are solutions however. Hotels can offer free WiFi access to all guests, yet block streaming sites and other bandwidth-heavy activities. If guests want to be able to stream video, they could be offered a premium service and be charged for non-standard access. The same could apply to adult content. Hotels could offer family-friendly WiFi as standard, with a paid for service having fewer restrictions.
Secure WiFi for hotels is a must. Hotels can implement solutions that block malware and prevent guests from accessing phishing websites. Providing an encrypted connection is also essential. Guests should be able to login to their accounts without being spied on.
Secure WiFi for Hotels Made Simple
A web content filter can be used to resolve the above problems and ensure safe and secure Internet access for all guests. Arranging secure WiFi for hotels is simple with TitanHQ.
TitanHQ’s WebTitan Cloud for WiFi is a content filter with a difference. The solution can be deployed on existing hardware with no need for any software installations. Once installed, it is simple to manage, with updates to the system occurring automatically. Users don’t even need any technical expertise. The solution can be implemented and accounts set up in minutes. It doesn’t matter how many hotels you operate, all can be protected with ease through a central control panel that can be accessed from any location.
Secure WiFi for Hotels from TitanHQ
WebTitan Cloud for WiFi allows hotel operators to:
Control content and online activities without any impact on Internet speed
Block pornography and other inappropriate content to make the WiFi network family-friendly
Prevent users from engaging in illegal activity
Block phishing websites
Prevent malware and ransomware downloads
Restrict bandwidth-heavy activities such as video and music streaming services
Create user groups with different restrictions, allowing streaming or adult content for specific user groups
Set web filtering controls for different access points
Manage content filtering for multiple hotels with ease, no matter where in the world they are located
To find out more about all of the benefits of WebTitan Cloud for Wifi, how secure WiFi for hotels can be provided, details of prices and to register for a free trial, contact the TitanHQ team today. Your guests will thank you for it.
Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself – and them – to considerable risk.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere. Keep them in your store and allow them to access the internet and your chances of achieving a sale will be increased.
Of course, if you are unable to compete with online retailers – Amazon for example – you could provide free WiFi but block access to that website.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows businesses to collect contact details for future marketing programs, and by monitoring the use of the Internet in store businesses can gain valuable customer insights and find out more about the interest of their customers. Businesses should note however that the General Data Protection Regulation (GDPR) requires consent to be obtained before any data are collected and used.
Giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of restrictions to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities on a business network or even illegal activity such as copyright infringing downloads. They may also accidentally or deliberately install malware or ransomware or visit phishing websites.
Secure guest WiFi for business means protecting yourself and your customers and guest users. Secure guest WiFi for business visitors and it will ensure they are protected when connected to your network. You will be able to block man-in-the-middle attacks, malware downloads and protect against phishing attacks. You will also be able to reduce legal liability if you carefully control the websites that can be accessed by guest users.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Secure guest WiFi for business is a must. Before providing WiFi access, be sure to consider the points below:
Segmenting your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests.
It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, if you segregate your network, it will greatly limit the harm caused.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks. You can then post the SSID and password internally to make it easy for legitimate users to gain access to your network. Be sure to change your password regularly.
Keep your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices and network. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed monthly to ensure that all devices have been updated and no firmware updates have been missed.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2/WPA3 encryption.
If your router does not support WPA2 as a minimum it is time to upgrade your router’s firmware or if that is not possible, you should buy a modern router that supports WPA3 encryption. If you fail to encrypt your WiFi, it is too easy for your bandwidth to be stolen.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding controls to limit the content that can be accessed on your WiFi network.
You should block access to adult content – which includes pornography, gambling sites, and dating sites, and also web content that is ethically or morally questionable or illegal.
A web filtering solution will also protect your customers from accidental malware and ransomware downloads and is an important anti-phishing control.
Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades. In contrast to appliance-based web filters, cloud-based filters are more scalable and are more adaptable to the changing needs of your business.
WebTitan Cloud for WiFi – Secure Guest WiFi for Business Users
TitanHQ has made it easy to secure guest WiFi for business users. WebTitan Cloud for WiFi is a 100% cloud-based web filter that allows businesses to carefully control the categories of web content that can be accessed by guest users.
WebTitan Cloud for WiFi allows businesses to block access to 53 different predefined categories of web content, including pornography, gambling, dating, news, and social media websites. Within those 53 categories are more than 500 million websites in 200 languages that have been assessed for content and categorized. A cloud-based lookup also ensures accurate and flexible filtering based on page content.
Secure guest WiFi for business means effective malware, ransomware, and phishing protection. With WebTitan Cloud for WiFi deployed, access to compromised websites, phishing sites, and other malicious websites will be blocked.
Flexible policy creation means control over the filter can be delegated for different departments, and controls can be applied for different types of users. Cloud Keys can also be created to allow specific users to bypass policy rules.
A full suite of reports ensures detailed information is always available, with email notifications alerting administrators to attempted policy violations and a real-time browsing view available.
If you want to take control of your WiFi network or are an MSP looking for an easy-to-use multi-tenant solution to allow you to provide a web filtering service to your clients, WebTitan Cloud for WiFi is a quick, easy to use, and low cost way of providing secure guest WiFi for business users.
Contact TitanHQ today for further product information, details of pricing, and to register for a free trial.
Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.
Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.
However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.
The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.
Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.
While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”
WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.
“For our technical staff, it reduced the time spend on support calls as the number of support calls reduced dramatically almost immediately,” the solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customers location so issues that previously occurred regularly are now avoided.”
It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family Guard has enjoyed savings of more than $10,000.
Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.
Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.
For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.
Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.
Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.
Retailers can gain huge benefits from offering customers free access to WiFi network, but without security solutions to mitigate risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.
Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites
Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.
Selfridges prides itself on providing high quality products and customer service, so it was important to ensure for its WiFi service to reflect the stores values. Alisdair Morison, IT manager at Selfridges, said “We had to ensure that guests could not access malicious sites or to view inappropriate content while in the store.”
In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.
Choosing a solution posed a number of challenges. Selfridges has a small, but busy IT department so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store so it was important that the solution could be managed remotely for all four locations without the need for any site visits.
Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison, “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”
The solution was set up in less than half a day and the IT team can manage the solution remotely and monitor WiFi connections. All four locations are managed through a central administration management console. All that was required to get started was to add the company’s external IP address to the GUI, update DNS forwarders and set the filtering controls.
Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.
TitanHQ has announced a new partnership agreement with the intelligent spaces firm Purple. TitanHQ will be securing the firm’s WiFi networks and providing content filtering with WebTitan Cloud for WiFi.
Purple is a leader in its field, with over 20 million users spread across 125 countries around the globe. Its solution helps businesses monitor their physical spaces and promote their brand, in addition to gaining valuable insights into customer behavior at their venues. Purple’s clients include the City of New York, Legoland, Jaguar, Pizza Express, Outback Steakhouse, the Indiana Pacers, Merlin Entertainments Group and British Land to name but a few.
Purple will be adding WebTitan to its WiFi and Analytics package to improve security for its customers. Current and new customers will benefit from a more secure WiFi package and will be protected from a wide range of web-based threats.
WebTitan is a market-leading web content filtering solution that currently blocks more than 60,000 malware variants each day, protecting end users when they venture online. WebTitan can be used to control the content that can be accessed via WiFi networks around the globe from a single administration console. Companies can protect thousands – or tens of thousands – of WiFi access points simultaneously with WebTitan without any latency. The solution is easy to set up and configure, requires no additional hardware and has an extremely low management overhead.
Protection from exploit kits, phishing websites, and malware and ransomware downloads is more important now than ever. Cybercriminals having increased their efforts and malware, phishing and ransomware attacks are becoming increasingly common.
In the case of ransomware, payment of the ransom demand may not allow data to be recovered as has clearly been demonstrated by the NotPetya attacks. Many companies that were attacked with NotPetya are still experiencing major problems and disruptions to services, with several firms forced to replace entire networks following installation of the malware.
Cyberattacks such as WannaCry and NotPetya are likely to become the new norm, with companies needing to do more to protect their networks – and their customers – from attack.
With WebTitan, malware and ransomware protection is only part of the story. WebTitan is a powerful content filter that prevents inappropriate content from being accessed by WiFi users – Something that is becoming increasingly important in the retail and hospitality industries. With Purple’s retail and hospitality sector clients growing fast, this additional protection was essential.
For Purple, it soon became clear that the partnership with TitanHQ was the perfect choice, as James Wood, Head of Integration at Purple explained, “We approached TitanHQ with a number of specific requirements that were unique to Purple. From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan was also ideal for Purple customers, Woods said, “We take guest Wi-Fi security seriously so it was important that our customers were protected in the right way. Along with superior protection, WebTitan also allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
Installing the new web filtering system and replacing the incumbent system was completed in the quickest possible time frame, with tens of thousands of users migrated to the new system in a matter of days. Woods said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.
The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.
Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.
The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.
Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.
Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.
TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.
WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.
SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.
Both solutions are provided as white labels with a range of hosting options, including hosting within an MSPs own environment.
Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.
“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leader, said Sabine Link, vice president, customer success for Kaseya” Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”
The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.
The RoughTed malvertising campaign was rampant in June, causing problems for 28% of organizations around the world according to Check Point.
Malvertising is the name given to adverts that redirect users to malicious websites – sites hosting exploit kits that download malware and ransomware, phishing kits that gather sensitive information for malicious purposes or are used for a variety of scams.
Malvertising campaigns pose a significant threat because it is not possible to avoid seeing the malicious adverts, even if users are careful about the websites they visit. Malicious adverts are displayed through third party ad networks, which are used on a wide range of websites. Even well known, high traffic websites such as the BBC, New York Times, TMZ and MSN have all been discovered to have displayed malicious adverts. Cybercriminals only need to place their adverts with one advertising network to see their adverts displayed on many thousands of websites.
The RoughTed malvertising campaign was first identified in May, although activity peaked in June. By that time, it had resulted in infections in 150 countries throughout North and South America, Europe, Africa, Asia and Australasia.
It is sometimes possible to block malvertising using ad blockers, which prevent adverts from being displayed; however, the RoughTed malvertising campaign can get around these controls and can bypass ad blockers ensuring adverts are still displayed.
A web filtering solution can be useful at preventing categories of websites from being accessed that commonly host malicious adverts – sites hosting pornography for example – although due to the wide range of websites that display third party adverts, it would not be possible to eradicate risk. That said, an advanced web filtering solution such as WebTitan offers excellent protection by blocking access to the malicious sites rather than the malvertising itself.
Websites are rapidly added to blacklists when they are detected as being used for nefarious purposes. WebTitan supports blacklists and can block these redirects, preventing end users from visiting malicious sites when they click on the ads.
In addition to blacklists, WebTitan URL classification uses a multi-vector approach to deeply analyze websites. The URL classification uses link analysis, content analysis, bot detection and heuristic analysis to identify websites as malicious. These advanced techniques are used to block ad fraud, botnets, C2 servers, sites containing links to malware, phishing websites, spam URLs, compromised websites and malware distribution sites including those hosting exploit kits. The URL classification system used by WebTitan leverages data supplied by 500 million end users with the system continuously updated and optimized.
If you want to protect your organization from the actions of your end users and block the majority of online threats, contact the TitanHQ team today for further information on WebTitan and take a closer look at the web filtering solution in action.
2017 US data breaches have reached a record high, jumping an incredible 29% year over year. The mid-year data breach report from the Identity Theft Resource Center (ITRC) and CyberScout shows there were 791 reported data breaches between January 1 to June 30, 2017.
If 2017 US data breaches continue at the current pace, and there are no indications to suggest they will not, this year is set to be another record breaker. Last year smashed previous records with 1,093 data breaches reported for the year. This year looks on track to see the total reach – or exceed – 1,500 breaches. That would represent a 37% increase year over year.
The biggest cause of 2017 US data breaches is hacking according to the report. Hacking includes phishing attacks, malware infections and ransomware attacks, the latter seeing a massive increase in the past 12 months. In the first six months of 2017, 63% of incidents were attributed to hacking – a 5% increase year over year. 47.7% of those breaches involving phishing to some degree. ITRC says 18.5% of 2017 US data breaches involved malware or ransomware.
Employee error and negligence, which includes improper disposal of sensitive data, continue to cause many breaches, with those causes accounting for 9% of the total. Accidental exposure of sensitive data on the Internet was the cause of 7% of data breaches. The number of breaches in both categories decreased year over year.
Most 2017 US Data Breaches Were Reported by the Business Sector
In the first half of the year, the business sector reported the most data breaches – 54.7% – with the healthcare and medical industry in second place with 22.5% of breaches. The education sector was third with 11% of breaches followed by the banking and financial services sector with 5.8% of the total. The government and military sector rounds off the top five with 5.6% of reported breaches.
There was an increase in data breaches reported by the hospitality and fast food sector in the first half of the year, most of which involved the theft of credit card details after malware was installed on POS systems. One of the biggest breaches affected Sabre Corporation and its SynXis hotel booking service. Hard Rock Hotels, Trump Hotels, Loews hotels and Four Seasons were all among the victims. In the case of Trump hotels, it was the third payment card data breach experienced in the past 2 years.
Biggest Healthcare Data Breaches of 2017 (So far)
The healthcare industry has also seen a rise in data breaches in 2017 of 14% according to the figures published by the Department of Health and Human Services’ Office for Civil Rights. The main cause of healthcare data breaches – 37% – was hacking and IT incidents, which includes ransomware and malware attacks. Unauthorized access/disclosure came a close second with 35% of the total. Loss and theft of devices containing ePHI was in third place with 24% of the total followed by improper disposal on 4%.
The biggest healthcare data breaches of 2017 so far are:
Commonwealth Health Corporation
Airway Oxygen, Inc.
Urology Austin, PLLC
Harrisburg Gastroenterology Ltd
Washington University School of Medicine
Stephenville Medical & Surgical Clinic
Primary Care Specialists, Inc.
The healthcare industry must report data breaches under HITECH/HIPAA regulations, including the number of individuals impacted. However, ITRC/CyberScout report that many organizations are holding back details of the number of individuals impacted due to the large HIPAA violation fines. Without that information, it is difficult to obtain an accurate picture of the severity of data breaches.
Eva Velasquez, ITRC President and CEO, said, “The number of records breached in a specific incident allows us to provide more insight into the scope of this problem, and is a necessary next step in our advocacy efforts.”
Human error was to blame for a massive Verizon Communications data leak that saw the personal information, account details and PIN numbers of more than 6 million customers exposed on the Internet.
The Verizon Communications data leak is particularly serious due to the highly sensitive nature of the exposed data. In addition to customers’ names, addresses, email addresses and phone numbers, PIN numbers and account details were also exposed. Since the PIN is used to confirm the identity of customers, anyone in possession of the data could easily impersonate customers. The PINs are used to verify identities by customer service staff at the firm’s wireline call center.
The Verizon Communications data leak was caused by a misconfigured cloud server that was set to allow external access. Amazon automatically secures its servers, although changing the settings will allow data to be accessed externally. The error was made by an employee of NICE Systems, an Israeli third-party vendor contracted by Verizon to improve its wireline self-service call center portal for residential and small business customers.
As was the case with a number of recent data leaks, the misconfigured cloud server was found by Chris Vickery, security researcher and Director of Cyber Risk Research at UpGuard. The Amazon S3 storage server error was identified on June 13 and was brought to the attention of Verizon, which corrected the problem on June 22, 9 days after being notified of the security hole. Data were accessible by anyone who had the web address.
Initially, UpGuard suspected up to 14 million individuals had been affected as a result of the Verizon Communications data leak, although Verizon has since released a statement confirming the incident impacted around 6 million customers.
Vickery discovered the server had six unsecured folders. The information in the files related to customers who called Verizon customer service between January and June 2017.
A spokesperson for Verizon told ZDNet, “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
While the data were exposed online, the information does not appear to have been accessed by anyone other than the security researcher who discovered the error. Verizon said, “There has been no loss or theft of Verizon or Verizon customer information.”
Last month, TitanHQ conducted a survey on managed service providers that have added WebTitan Cloud for Service Providers to their service stacks and are providing web filtering and anti-malware services to their customers.
There are many reasons why service providers have started offering a web filtering service. Customers often ask service providers for a web filtering service to prevent their employees from accessing inappropriate web content in the workplace and to stop inappropriate content from being accessed via WiFi networks in public places. They also want greater protection from malware and ransomware and to control use of bandwidth.
TitanHQ is well aware of the benefits that can be gained from using WebTitan Cloud for Service Providers, but the company wanted to gather feedback from MSPs and find out why they are so happy providing the web filtering service to their customers.
The answer to that question was abundantly clear from the survey. When asked to state the number one reason why they use web filtering there was a clear winner. 89% of service providers said they use WebTitan Cloud for Service Providers because “It saves significantly on my support time and cost.”
Managed Service Providers that offer WebTitan Cloud to customers are enjoying major savings. Since WebTitan Cloud is highly effective at blocking access to malicious websites, customers experience less downtime as a result of malware infections. For service providers that means less time is spent mitigating malware infections, which is arguably the biggest expense of IT operation teams and tech support staff.
One NYC-based Managed Service Provider summed up why web filtering is so important, saying ““Web filtering is one of the, if not the greatest bang for your buck services. It’s built in anti-malware has protected our clients, and us from having to fix, thousands of hours of repair time I am absolutely certain.”
A Washington-based MSP said, “By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs,” while a London, UK-based MSP explained that since they started providing a web filtering service, “Our Crypto calls dropped to 0.”
As well as cutting down the time spend responding to security incidents MSPs found that WebTitan Cloud for Service Providers was an easy way to improve client spending. The second most popular response was WebTitan Cloud for Service Providers is “an easy monthly recurring revenue source”.
How Can WebTitan Cloud for Service Providers Benefit Your Organization?
WebTitan Cloud for Service Providers has been developed specifically for Managed Service Providers. The solution is ideal for hotspot and WiFi providers, MSPs, ISPs and retail and public organizations that offer access to WiFi networks, including schools, universities, libraries, restaurants, cafes, shops and hotels.
The solution is highly scalable to hundreds of thousands of users and the web filtering service has no latency as it is DNS based. That also means it is not necessary to become an Internet Service Provider to offer a web filtering service.
MSPs love the fact that the solution is provided as a white label and is ready to have branding and color schemes applied. WebTitan Cloud for Service Providers also has multiple hosting options, including the option of hosting the solution within an MSPs own environment.
WebTitan Cloud for Service Providers is an API-driven, multi-tenant solution that’s easy to implement and manage. New customers can be added in minutes, there are no hardware requirements and the solution can be managed remotely without the need for site visits.
Customers benefit from an extensive list of features that help them protect their brand by blocking access to inappropriate content via WiFi networks, protect users by blocking malware and save bandwidth by restricting access to streaming services.
If you are an IT service provider and you have yet to start offering a web filtering and anti-malware service, or you are unhappy with your current solution provider, contact the TitanHQ team today to find out more about how offering or switching to WebTitan can save you time and money and improve your bottom line.
A new study conducted by the Ponemon Institute has shown that General Data Protection Regulation preparations have only been made by a small minority of companies, with almost half of surveyed organizations unsure where to even start.
The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016. Companies have been given until May 25, 2018 to comply with GDPR. When the new regulation comes into force, any company discovered not to be in compliance can face a heavy fine. The maximum fine for non-compliance will be €20 million or 4% of global annual turnover, whichever is the highest.
Many companies started their General Data Protection Regulation preparations as soon as the new legislation was approved. According to the Ponemon Institute survey, only 9% of companies have made the necessary changes comply with GDPR. 59% of surveyed organizations haven’t even started their General Data Protection Regulation preparations and don’t even know how to comply.
Interestingly, the threat of fines and the difficulty complying with GDPR has put many companies off doing business in the EU. 34% of surveyed companies have said their General Data Protection Regulation preparations have involved shutting down their European operations. However, that does not mean they will not need to comply. Compliance with GDPR is mandatory for any company doing business in the European Union, even if they do not have a physical base in one of the European member states.
Even the threat of fines has not convinced many companies to start preparing. Only 38% of companies said their senior leadership viewed compliance as a priority.
The changes for many companies to ensure compliance will be considerable. 89% of respondents said GDPR will have a significant impact on their data breach protection practices. However, there is considerable doubt about how effective GDPR will be. Only 41% of companies believe the new regulation will improve privacy protection practices while 70% said they don’t believe the new regulation will benefit victims of a data breach.
If you have yet to start preparing and updating your policies and procedures you don’t have long. The compliance date may be months away, but for many companies, preparations will take some time. If you are keen to avoid a fine for non-compliance, now is the time to start your GDPR compliance preparations.
If you are unaware of what GDPR means for your business or whether you need to comply with the regulation, you can find out more on this link.
The sharp rise in the use of smartphones by children and the increase Internet access points has prompted Friendly WiFi to launch a new campaign to promote the adoption of Internet filtering controls for public WiFi hotspots.
Businesses in the UK are being encouraged to implement web filtering controls to ensure children can connect their WiFi networks without being exposed to potentially harmful material.
Friendly WiFi is a government initiated scheme launched in 2014 to promote Internet filtering controls for public WiFi hotspots. Businesses that filter the Internet and block inappropriate content from being accessed via their WiFi networks can display the digital Friendly WiFi banner. This banner lets parents know their children can connect to the Internet safely.
Friendly WiFi is the only scheme of its kind in the world. The main aim of the initiative is to make the UK the safest place in the world for children to venture online. When the scheme was launched in 2014 there were 5.6 million WiFi hotspots in the UK; however, that number is estimated to triple by the end of next year.
A recent study has shown that nearly half the population of the UK uses public WiFi hotspots and research suggests more than 40% of children aged between 5 and 15 now have a smartphone and connect to the Internet. The growth in hotspots and smartphone usage among children makes it more important than ever for public WiFi hotspots to have harmful content filtered out.
Figures supplied by Friendly WiFi suggest the number of WiFi access points around the globe is likely to increase to 432.5 million by 2020, which represents a 700% increase from 2015. Even though many of these WiFi networks can be accessed by minors, fewer than half of those hotspots have internet filtering controls in place.
In the UK the use of Internet filtering controls for public WiFi hotspots is growing. Major high street names such as Starbucks and Tesco have already adopted Internet filtering controls, as have McDonalds and IKEA and many small businesses. The aim of the latest Friendly WiFi campaign is to accelerate adoption of Internet filtering controls.
To be able to display the Digital Friendly WiFi symbol, businesses must implement Internet filtering controls for public WiFi hotspots to block all websites and web pages that display pornographic content. Businesses must also block all webpages containing child pornography using the blacklist maintained by the Internet Watch Foundation. Organizations must also prevent advertisements or links to such content from being displayed.
Bev Smith, director of Friendly WiFi said “Now is the right time for all businesses which provide public WiFi to prove they take the same care for their customer’s online safety as they do for their physical wellbeing.”
The Anti-Phishing Working Group (APWG) has recently released a new report showing the changing trends in phishing in 2016. The report provides interesting insights into how cybercriminal activity is changing and the attack methods most commonly used by cybercriminals to fool end users into installing malware or revealing their login credentials.
The report uses data from more than 250,000 phishing attacks that were detected between 2015 and 2016; clearly showing some of the new trends in phishing and how phishers have been conducting their attacks. The report is focused on phishing rather than spear phishing, with the latter involving highly varied targeted attacks on specific individuals in an organization.
Phishing emails often contain malicious email attachments with scripts and macros used to silently download malware onto end users’ computers. However, the report shows there was a major increase in phishing domains in 2016 with criminals registering more domains than ever before. Phishing attacks also reached record levels last year. Phishing is now the number one cyber threat faced by organizations.
APWG says that almost half of new top-level domains that were available for open registration in 2016 were used for phishing. APWG suggests the increase in malicious domain registrations demonstrates that domain registrars are struggling to detect and take down malicious domains.
While it was previously thought that phishers registered domains for immediate use in phishing attacks, the study suggests domains are most commonly held for up to three weeks before they are used.
Phishing attacks were failry evenly split between domains registered by phishers and compromised websites. One in 20 attacks used a subdomain for phishing, with the number of attacks using subdomains continuing to fall. See here for phishing examples.
Brand spoofing is becoming increasingly common, with major brands are now experiencing thousands of phishing attacks a year. However, the number of targeted brands in 2016 fell to 679 from 783 the previous year. The most targeted brands – which experienced three quarters of attacks – were Apple, PayPal, Yahoo and Taobao.com. Each experienced more than 30,000 attacks each in 2016.
2016 saw a 10% increase in unique phishing attacks, rising from 230,280 in 2015 to 255,065 attacks in 2016. Those attacks were spread across 195,475 unique domain names – the most domains ever detected and almost three times the number used in 2015. While a variety of TLDs are used for phishing websites, 75% involved just four TLDs – .com; .cc, .pw and .tk. APWG says 90% of phishing domains are spread across just 16 TLDs.
Attacks in 2016 were spread across a wide range of industries although 92% of attacks affected four industries: eCommerce & software/SaaS (30%), banking and finance (25%), social networking/email (19%) and money transfer firms (18%).
The U.S. Federal Bureau of Investigation has issued its annual Internet Crime Report, showing cybercriminals have netted at least $1.3 billion last year. The figures for the report were compiled by the FBI’s Internet Crime Complaint Center, or IC3 is it is also known. Those losses came from 298,728 complaints that had been filed with IC3 in 2016.
The Internet Crime Report provides some insight into the main methods used by cybercriminals to fraudulently obtain money. Last year, the three crime types that resulted in the biggest losses were Business Email Compromise (BEC) attacks, romance/confidence fraud and non-payment/non-delivery scams.
BEC scams resulted in losses of $360.5 million last year and the scams are becoming increasingly common. Confidence and romance fraud was second, resulting in losses of $219.8 million with corporate data breaches in third place causing losses of $95.9 million. Phishing, via the web, email, SMS messages and telephone resulted in losses of $31.7 million. Losses from extortion were $15.8 million with ransomware tracked separately and causing losses of $2.4 million. Tech support fraud netted cybercriminals $7.8 million with malware and scareware losses tracked as $3.9 million.
The FBI singled out four key criminal activities in its 2016 Internet Crime Report that have become major issues in 2016: BEC, ransomware, tech support fraud and extortion.
BEC scams involve the impersonation of foreign suppliers and other vendors that are usually paid by wire transfer. A similar type of scam, referred to as email account compromise (EAC), targets individuals in a company responsible for making wire transfers.
Both scams involve the impersonation of company executives with fraudulent wire transfer requests sent to accounts department employees. Since it is the CEO that is often impersonated the scams are commonly referred to as CEO fraud. Transfers are commonly for tens or hundreds of thousands of dollars. In some cases, companies have been conned out of millions. BEC scams topped the list of losses.
BEC scams have also been rife in 2017, with the start of the year seeing an increase in BEC scams with the aim of obtaining the tax information of employees, typically W-2 forms. In 2016, there were 12,005 reported BEC scams, although this is likely just a small percentage of the real total.
Ransomware has become a major threat for businesses with criminals targeting employees using phishing emails. The FBI says Remote Desktop Protocol was also a major attack vector in 2016. The FBI suggests that security awareness training for employees is now a critical preventative measure that should be provided by all organizations. In 2016, there were 2,673 reported ransomware incidents. Similarly, many businesses choose not to report ransomware attacks.
Another major threat comes from tech support scams where criminals impersonate security companies. The attackers claim an urgent security issue must be resolved for which payment is required. These scams can involve screen-locking malware, cold calls or pop up messages. Typosquatting is also commonly used. Criminals register URLs similar to major online brands to take advantage of careless typists.
Extortion continues to be a major problem and it takes many forms. There have been numerous cases of criminals impersonating government agencies, with threats of Denial of Service attacks similarly common. Hackers have been stealing data and demanding ransoms for its return, while sextortion, hitman schemes and loan schemes are also rife.
While the Internet Crime Report provides an indication of how rampant cybercrime has become, the reports hugely underestimate the true extent of the problem. Only a small percentage of victims of cybercrime report the incident to law enforcement. The Department of Justice estimates only 15% of Internet crime is reported, while the FBI suggests only one in seven cases of Internet crime are actually reported. It is not only individuals that fail to report crimes. Many businesses that experience cyberattacks or other Internet crime-related losses fail to report the incidents. The true figures from cybercrime are likely to be several orders of magnitude worse than the Internet Crime Report suggests.
A massive global cyberattack is underway involving Petya ransomware. Ukraine has been hit particularly hard although companies all over Europe have reported that systems have been taken out of action and ransoms demanded. Social media websites are awash with reports of disruption to services across a wide range of industries and countries. The attacks appear to have started in Russia/Ukraine but spread rapidly across Europe, with reports emerging that companies in India have also been affected.
The attacks appear to involve a variant of Petya ransomware – a particularly nasty ransomware variant for which there is no kill switch or free decryptor. Petya ransomware takes the Master File Table (MFT) out of action rather than encrypting individual files. Consequently, the attacks occur faster than with other ransomware variants. Without access to the MFT, computers are unable to locate files stored on the hard drive. Those files remain unencrypted, but cannot be accessed.
The ransom demand to unlock the infection is understood to be approximately $300, although that figure will need to be multiplied by the number of devices affected.
Another WannaCry Style Global Ransomware Attack
The WannaCry ransomware attacks used exploits stolen from the NSA, which were published online by Shadow Brokers. Those exploits worked on unpatched systems, exploiting vulnerabilities to automatically download a network worm and WannaCry ransomware. The attacks spread rapidly – around the world and within organizations.
This wave of attacks appears to be similar. The attacks started happening this morning with the Russian cybersecurity firm Group-IB one of the first to suggest this was a WannaCry-style attack involving an NSA exploit. That has since been confirmed by other cybersecurity firms. Fabian Wosar of Emisoft said he has confirmed that the infection is spreading using the same EternalBlue exploit as WannaCry, as has MalwareHunterTeam.
Organizations that applied the patch issued by Microsoft in March were protected from WannaCry and will likely be protected from this Petya ransomware attack. Following WannaCry, Microsoft issued patches for unsupported operating systems to prevent further attacks from occurring. However, judging by the number of attacks that have already occurred, the WannaCry attacks did not spur some companies into action. Many have still not patched their systems.
Several well-known companies have reported they are under attack and have had servers and computers taken out of action, with companies in Russia, Ukraine, France, Spain, Denmark, India and the UK all understood to have been affected. Companies that have confirmed they have been attacked include:
Russia – Oil company Rosneft and metal maker Evraz
Ukraine – Boryspil Airport, aircraft manufacturer Antonov, two postal services, the Ukraine government, the Ukraine national bank. The Cernobyl nuclear powe plant has also been attacked, as have many other energy companies in the country.
Denmark – Shipping firm A.P. Moller-Maersk, including APM Terminals which runs shipping container ports around the world.
France – Construction firm Saint Gobain
International – Companies reportedly affected include the law firm DLA Piper, advertising firm WPP, food manufacturer Mondalez and U.S pharmaceutical firm Merck.
Time will tell whether this Petya ransomware attack will be on a similar scale to WannaCry. Since it is currently occurring it will likely be a few days before the true scale of the attack becomes known.
2016 was a bad year for data breaches, but a new analysis by the Identity Theft Resource Center (ITRC) shows 2017 data breaches figures are far worse. Year over year, data breaches have increased by 29.1%.
Last year saw record numbers of data breaches, with 1,093 incidents tracked by the ITRC; however, If breaches continue to occur at the rate seen over the past 6 months, this year is likely to be another record breaking year. 2017 is likely to see more than 1,500 breaches – a particularly worrying milestone to pass.
55.4% of 2017 data breaches have been reported by organizations in the business sector. Those 420 incidents have involved more than 7.5 million records, more than 64% of all records exposed so far in 2017. The healthcare industry has also experienced many data breaches, accounting for 22% of the total. So far this year, the protected health information of 2.5 million individuals has been exposed – 21.1% of all records exposed so far in 2017, resulting in HIPAA breaches.
Education may have only experienced 87 data breaches this year – 11.5% of the year to date total – but those breaches account for 9% of exposed records, helped in no small part by a single breach at Washington State University that involved at least 1 million records.
The government/military (43 breaches) is in fourth place, accounting for 1.8% of the total with the 200,000+ exposed records. Fifth place is taken by the financial services with 41 breaches, with more than 526,000 exposed records accounting for 5.4% of the year to date figures.
The ITRC has been tracking data breaches since 2005, with the 2017 data breaches bringing the overall total number of incidents up to 7,656. The total number of exposed records has now risen to 899,792,157.
In the case of healthcare data breaches, more incidents have been reported following the clarification of HIPAA Rules covering ransomware attacks. Last year there was some confusion as to whether ransomware attacks were reportable. The Department of Health and Human Services’ Office for Civil Rights confirmed late last year that most ransomware attacks are reportable under HIPAA Rules. Consequently, there has been an increase in reports of these events in recent months.
Companies in other industries are also reporting more data breaches due to changes in state legislation and public pressure. However, ITRC points out the big jump in 2017 data breaches can also be explained by an increase in insider incidents and cyberattacks.
The increase in data breaches in 2017 clearly highlights the importance of conducting a thorough, organization-wide risk analysis to identify all potential vulnerabilities that could potentially be exploited. A risk management plan should then be put in place to address any vulnerabilities that are identified.
While organizations should consider augmenting security to protect the network perimeter, the threat from within should not be ignored. Employees are typically a weak point in security defenses, although action can be taken to reduce risk. Training should be provided to improve security awareness, technological solutions implemented to reduce the risk from phishing and other malicious email-born attacks, while web-based attacks can be limited with a web filtering solution.
2017 may be shaping up to be a particularly bad year for data breaches, but with investment in people and cybersecurity defenses, it is not too late to prevent 2017 from being another record-breaking year.
The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrim exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.
Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.
However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.
In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.
The gang behind the Astrim exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.
Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware and the Astrim exploit kit is also attempting to fill the void. Trend Micro reports that the Astrim exploit kit has been updated on numerous occasions in 2017 and is very much active.
The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.
An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.
However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.
With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.
The healthcare industry has been heavily targeted by cybercriminals, but retail industry data breaches are now the most common according to a recent study by Trustwave. Retail industry data breaches account for 22% of all reported breaches, closely followed by the food and beverage industry on 20%.
In 2016, corporate and internal networks were the most commonly breached systems although there was a marked increase in POS system breaches, which are now the second most targeted systems accounting for 31% of all reported breaches. Last year, POS data breaches only accounted for 22% of the total. POS data breaches were most common in the United States. In 2015, E-commerce platforms were heavily targeted accounting for 38% of all breaches, although in 2016 the percentage fell to 26%.
Healthcare data is in high demand, although it is still credit card numbers that are most commonly stolen. 63% of data breaches involved card data, split between card track data (33% of incidents) – mostly from hospitality and retail industry data breaches – and card-not-present data (30% of incidents) which came from breaches of e-commerce platforms.
The United States was also the most targeted country, accounting for 49% of all breaches – more than double the percentage of Asia-Pacific in second place with 21% of reported breaches. Europe was in third place with 20%.
Zero-day exploits are in high demand, commanding an initial price of $95,000 on the black market, although there were only 9 zero-day vulnerabilities exploited in the wild in 2016 – 5 for Adobe Flash, 3 for Internet Explorer and one for Microsoft Silverlight.
The top two methods of compromise were remote access – 29.7% of attacks – and phishing and social engineering, which accounted for 18.8% of attacks.
Exploit kit activity has fallen since the fall of the Angler, Magnitude and Nuclear exploit kits, although others such as Rig are increasing in popularity. Exploit kits activity could increase further due to the low cost of conducting malvertising campaigns – malicious adverts on third party ad networks that direct individuals to sites hosting exploit kits. Trustwave reports it now costs cybercriminals $5 to target 1,000 vulnerable computers with malicious adverts. Trustwave warns that while exploit kit activity has fallen, it would be wrong to assume it is gone for good. If it is profitable to use exploit kits, more will be developed.
Spam email is still the primary attack vector. In 2016, there was an increase in spam email messages rising from 54% of message volume in 2015 to 60% of total email volume in 2016. 35% of those messages contained malicious attachments, which Trustwave reports is up from 3% in 2015.
The most common malware variants discovered in 2016 data breach investigations attacked POS systems and were PoSeidon (18%) and Alina (13.5%) with Carbanak/Anunak in third place on 10%.
A recent Ponemon Institute study suggest data breaches take more than six months to detect, while Trustwave’s figures suggest the median number of days between intrusion and detection for external incidents was 65 days in 2016, although some companies took up to 2,000 days to discover a breach. Detection rates have improved from 2015, when it took an average of 80.5 days to detect a breach.
For the first time in the past seven years, the cost of a data breach has fallen, with a 10% reduction in per capita data breach costs across all industry sectors. The global study revealed the average cost of a data breach is now $141 per exposed or stolen record. The global average cost of a data breach is down to $3.62 million from $4 million last year.
The IBM Security sponsored study was conducted by the Ponemon Institute, which has been tracking the costs of data breaches for the past seven years. In every other year data breach costs have risen year over year.
The Ponemon Institute say the reduction can partly be explained by a strong dollar. In the United States, the cost of a data breach has risen from $221 to $225 per record with the total breach cost increasing to $7.35 million from $7.02 million last year.
For the study, the Ponemon Institute assessed the breach resolution costs after organizations experienced a breach and had notified affected individuals. Large data breaches – those in which more than 100,000 records were exposed or stolen – were not included in the study as they were deemed atypical. Instead, only breaches of between 5,000 and 100,000 records were included. The average size of the breaches were 28,512 records. A breach was defined as the loss or theft of a record that included an individual’s name along with either their Social Security number, financial information or medical record.
For the seventh consecutive year, the healthcare industry had the highest data breach costs. The per capita cost of a healthcare data breach was $380. The financial services, another highly regulated industry, had the second highest breach costs ($336 per record). Services sector data breaches cost $274 per record, life sciences breaches were $264 per record and the Industrial sector had a per capita breach cost of $259.
The lowest breach costs were retail ($177), hospitality ($144), entertainment ($131), research ($123) and the public sector ($110). The biggest cause of data breaches were malicious and criminal attacks, which also carried the highest resolution costs. System glitches and human error each accounted for 24% of data breaches.
An analysis of breach costs revealed there are a number of ways to reduce the cost of a data breach. Having a breach response plan in place saw companies reduce breach costs by $19 per record, while the use of encryption reduced breach costs by an average of $17 per record. Employee education helped reduce breach costs by an average of $12.50 per record.
A fast response to a data breach can also dramatically reduce the total breach cost. Organizations that were able to contain a breach within 30 days saw breach costs reduced by $1 million. On average, it takes companies more than six months to discover a breach and containing the breach takes an average of 66 days.
Following the massive WannaCry ransomware attacks there has been heightened interest in cybersecurity products. Marketers have capitalized on the fear of an imminent attack to increase downloads of fake antivirus apps.
The apps are sold to worried users promising to protect them from WannaCry and other ransomware threats. In some cases, a free scan is offered that reveals the user’s device is already infected with any number of malicious programs. Installing the app will allow users to rid their device of the malicious software.
In many cases, the fake antivirus apps misreport infections to scare users into buying and installing an unnecessary app. Some of those apps will offer no protection whatsoever, but others are more sinister. Many of the new fake antivirus apps that are sneaking their way into the Google Play store are far from benign. PUPs, Trojans and adware are packaged with the apps. Users download the fake antivirus apps to protect themselves against malware, when the reality is downloading the app results in infection.
A study of antivirus apps has recently been conducted by RiskIQ. The firm discovered almost 6,300 antivirus apps that were either an antivirus solution, reviews of antivirus software or were otherwise associated with an antivirus program. More than 700 of those apps triggered blacklist detections on VirusTotal, with many of the apps coming packaged with malware.
131 of the 655 antivirus apps on the Google Play Store triggered blacklist detections. Many of the apps are no longer active, although 55 out of 508 active AV apps on the Google Play Store were blacklisted. In total, 20% of blacklisted antivirus apps were in the Google Play store with 10.8% still active.
RiskIQ reports that some of the blacklisted apps are false positives and not all of those apps are bundled with malware. However, many of the apps were rated as malicious by multiple AV vendors and were not all they claimed to be.
While it is important to have antivirus software on mobile devices, users should exercise caution when downloading any app. Just because an app claims to protect you and your device, it does not mean that it will do as it says. Downloading the app could even result in infection.
Users can reduce the risk of downloading a fake antivirus app by only using official app stores such as Google Play, but additional checks should be performed. An app should not be installed if the developer is using a free email address such as Gmail or Outlook. RiskIQ recommends checking the descriptions of the apps, specifically looking for spelling mistakes or grammatical errors. The app should ideally be checked against VirusTotal to see if it raises any red flags and users should carefully check the permissions requested.
Over the past few days, a new threat called Fireball malware has been spreading rapidly and has allegedly been installed on more than 250 million computer systems. An estimated 20% of corporate networks have been infected with the malware. 10% of infections are in India, 9.6% in Brazil, 6.4% in Mexico, 5.2% in Indonesia and 2.2% in the United States.
The new malware variant was discovered by security researchers at Check Point, who claim the malware campaign is “possibly the largest infection operation in history.”
Fireball malware targets web browsers and is used to manipulate traffic. Once infected, the end user is redirected to fake search engines, which redirect search queries to Google and Yahoo. Fireball malware is being used to generate fake clicks and boost traffic, installing plugins and new configurations to boost the threat actor’s advertisements.
The malware is also capable of stealing user information using tracking pixels and can easily be turned into a malware downloader. Once installed, Fireball malware can run any code on the victims’ computer, making the infection especially dangerous. While Fireball malware is not believed to be dropping additional malware at this stage, it remains a very real possibility. The malware has a valid certificate, hides the infection and cannot be easily uninstalled.
The malware is being distributed bundled with other software such as the Mustang browser and Deal WiFi, both of which are provided by a large Chinese digital marketing agency called Rafotech. It is Rafotech that is understood to be behind Fireball malware.
Rafotech is not using the malware for distributing other malware, nor for any malicious purposes other than generating traffic to websites and serving end users adverts, but Fireball may not always remain as adware. At any point, Fireball could simultaneously drop malware on all infected systems.
The recent WannaCry ransomware attacks serve as a good comparison. Once the network worm had spread, it was used to deploy WannaCry. More than 300,000 computers were infected the worm, which then dropped the ransomware. If a more advanced form of malware had been used that did not have a kill switch, the WannaCry attacks would have been far more severe. Now imagine a scenario where the same happened on 250 million computers… or even more as Fireball malware spreads further.
Fireball could also drop botnet malware onto those computers. A botnet involving 250 million or more computers would result in absolutely devastating DDoS attacks on a scale never before seen. As a comparison, Mirai is understood to include around 120,000 devices and has wreaked havoc. A botnet comprising 250 million or more devices could be used to take down huge sections of the internet or target critical infrastructure. It would be a virtual nuclear bomb.
A new report from RSA Security has revealed 40,000 subdomains linked to the Rig exploit kit have been taken down, which is just as well considering how many enterprises are failing to update Adobe Flash promptly and are still using vulnerable Flash versions.
Exploit kits such as Rig are used to probe for vulnerabilities in browsers and plugins, with several exploits loaded to the kit. When the EK finds an exploitable vulnerability, malware is silently downloaded. The Rig EK has previously been used to distribute a variety of malicious payloads including banking Trojans and Cerber ransomware.
While the news of the shutdown of tens of thousands of subdomains used by the Rig exploit kit is good news, this week has also seen some worrying news emerge.
A recent study conducted by Duo Security has revealed the reason why exploit kits are such an effective means of malware delivery. Enterprises are failing to update software and are still using vulnerable Flash versions and other out-of-date plugins, even though those plugins and software versions contain several critical vulnerabilities that are being actively exploited.
53% of Enterprise End Points Have Vulnerable Flash Versions Installed
The study involved an analysis of key indicators of device health on 4.5 million Windows computers, Macs, Android smartphones and Apple mobiles. In the security firm’s Trusted Access Report, it was revealed that 53% of enterprise end points were running outdated versions of Adobe Flash. Last year when a similar study was run, there were 10% fewer devices running outdated Flash versions.
Far from revealing enterprise computers to be one version out of date, 21% of devices were discovered to be running Flash version 126.96.36.199, released in January 2017. That version has 13 critical code execution vulnerabilities that were addressed in February, all of which had the most severe rating for Windows, MacOS and Chrome.
Keeping up to date with the latest software releases can be difficult. New versions of software and plugins are frequently released to correct known flaws and many IT security professionals suffer from update fatigue. Updates are often delayed as a result, but that leaves the door open to cybercriminals.
Update Software and Block Malicious Domains
To protect against exploit kits and malicious downloads, organizations should ensure software versions are kept 100% up to date, especially browsers and browser plugins. It is a tiresome, never ending process, but failure to update promptly leaves organizations vulnerable to attack.
To ease the pressure on IT departments, an additional control can be implemented to block access to malicious websites containing exploit kits.
WebTitan is a web filtering that prevents downloads of malicious files by blocking access to malicious websites. Links to malicious sites are often sent in spam email, the clicking of which directs users to webpages hosting exploit kits. WebTitan blocks these links preventing the sites from being accessed. WebTitan can also be configured to prevent malicious file downloads and malvertising redirects, further protecting organizations from attack.
For full details on the capabilities of WebTitan, advice on web filtering and to register for a free 30-day trial of WebTitan, contact the TitanHQ team today.
Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.
The risks of disclosing sensitive information such as credit card numbers on HTTP sites has been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.
HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.
A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.
Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.
The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.
Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with a SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.
HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.
The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.
Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.
WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.
TitanHQ is proud to announce a new partnership with the intelligent spaces company Purple. Purple has chosen TitanHQ’s WiFi content filtering solution – WebTitan – to keep its WiFi networks secure and to carefully control the content that can be accessed by its clients and their customers.
The importance of securing WiFi networks has been highlighted by recent cyberattacks, including the WannaCry ransomware attacks on May 12. Consumers can be provided with WiFi access, but need to be protected from web-borne threats such as drive-by ransomware downloads and phishing attacks.
WebTitan offers protection against a wide range of web-borne threats including exploit kits, phishing websites, malicious web adverts and drive-by downloads of malware and ransomware. Every day, WebTitan detects more than 60,000 web threats and protects customers by blocking access to harmful webpages. WebTitan also allows businesses to carefully control the content that can be accessed via WiFi networks, filtering out obscene, harmful, and illegal website content.
As a leading provider of WiFi analytics and marketing services, Purple is well aware of the potential risks that come from unsecured WiFi hotspots. The company is committed to securing its WiFi networks and ensuring its customers are protected in the right way. Purple required exceptional protection for its customers, yet not all WiFi filtering solutions matched the company’s unique requirements.
Purple explained those requirements to TitanHQ, which was able respond with a solution that matched the company’s exacting needs. James Wood, Head of Integration at Purple said, “From day one it was evident that they were capable of not only providing what we needed but were very responsive and technically adept.”
WebTitan allows companies to manage WiFi content controls in multiple locations from a single administration console, making it an ideal solution for global WiFi businesses. For companies such as Purple, whose clients need to have control over their own filtering controls, WebTitan was ideal. Wood explained that WebTitan “allows us to extend the control to our customers via their API. Our customers can now manage their own filtering settings directly from the Purple Portal.”
TitanHQ was able to respond rapidly roll out WebTitan in a matter of days. Purple customers are now protected by the leading WiFi content filtering solution and can access the Internet safely and securely. Wood said, “With demanding timescales involved for the migration, we invested heavily in WebTitan and they have not failed to deliver.”
TitanHQ CEO Ronan Kavanagh is delighted that Purple has chosen TitanHQ has its WiFi filtering partner. Kavanagh said, “Purple is now a valued member of the TitanHQ family and we are delighted to welcome the firm onboard. This is a partnership that illustrates just how well suited WebTitan is to Wi-Fi environments.”
The use of library Internet filters to protect minors from harmful web content is a hot topic that is causing much debate in the United States. Libraries promote free research and learning. Having Internet filters in libraries naturally places restrictions on the types of content that can be accessed, potentially hampering both.
Many parents argue that library Internet filters are required to protect their children from accessing harmful web content or accidentally seeing obscene content on other patron’s screens.
Pornography is one of the biggest worries. Many individuals visit libraries to use the computers to access hardcore adult material, even though it is a public place with children present. Parents argue that such actions must be prevented. There can be free research, but within limits.
It is not only parents that are concerned about the lack of library Internet filters. In many states, legislation is being considered to make it mandatory for library Internet filters to be put in place to restrict access to pornography.
Many libraries are resisting calls to restrict access to the Internet with web filters. The Library Board in Watertown, South Dakota is a good example. As a center for free research, the library board opposed the use of web filters. If library Internet filters were applied, it could potentially have an adverse effect on research and would result in the blocking of legitimate website content.
However, the library board has been under pressure to start filtering the Internet, with citizens petitioning the library board to start restricting access to inappropriate content, with city officials and law enforcement also appealing to the library board to start filtering the Internet.
The library board has now accepted that a web filter should now be used to control the content that can be accessed through its computers. A web filtering solution will be applied to block patrons from accessing obscene and illegal material. The web filtering solution is expected to be applied in the next few weeks and will be used to restrict access to certain web content via its wired and WiFi networks.
The Library Board was not opposed to the blocking of pornography, but to the other content that may accidentally be also blocked by the filtering solutions. Prior to making the decision to use liberary Internet filters, the Watertown police department assured the library board that filtering solutions are now far more sophisticated than they once were and can allow libraries to very carefully control the content that can be accessed.
The need to do something was made clear following a report that particularly concerning material had been downloaded by one patron through the library’s WiFi network. The library board is also keen to prevent its Internet connections from being used for illegal purposes, such as copyright infringing file downloads.
Additional controls will be applied to make this more difficult, such as limiting download speeds and applying timers on Internet access, with stricter controls on the wireless WiFi network since it is not possible to verify the age of the individual accessing the Internet.
In order to prevent the overblocking of website content, controls will be applied carefully and a system will be set up to allow patrons to request the unblocking of website content that has been accidently blocked by the filtering solution.
Watertown Library board is just the latest in an increasing number of libraries that has discovered it is possible to protect patrons’ First Amendment rights while also ensuring minors are protected from harmful website content. With highly granular library Internet filters such as WebTitan, it is possible to do both.
The EternalRocks worm is a new threat that comes hot on the heels of WannaCry ransomware. The self-replicating network work uses similar tactics to infect computers and spread to other connected devices; however, in contrast to the worm used to spread WannaCry ransomware, there is no kill switch. In fact, at present, there is also no malicious payload. That is unlikely to be the case for very long.
The WannaCry ransomware attacks were halted when a security researcher discovered a kill switch. Part of the infection process involved checking a nonsense domain that had not been registered. If no connection was made, the ransomware element would proceed and start encrypting files. By registering the domain, the encryption process didn’t start. Had the domain not been registered, the attacks would have been more far reaching, affecting more than the 300,000 computers believed to have been affected by the Friday 12 attacks.
New threats were predicted to be released in the wake of WannaCry, either by the same group or copycats. The EternalRocks worm therefore does not come as a surprise. That said, EternalRocks could be far more dangerous and cause considerably more harm than WannaCry.
The WannaCry ransomware attacks involved just used two exploits developed by the NSA – EternalBlue and DoublePulsar. EternalRocks uses six NSA hacking tools (EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch).
In addition to the Windows Server Message Block (SMBv1) and SMBv2 hacking tools, this threat uses a SMBv3 exploit in addition to a backdoor Trojan, the latter being used to spread infection to other vulnerable computers on a network. Two SMB reconnaissance tools have also been incorporated to scan open ports on the public Internet.
EternalRocks is also capable of hiding on the infected machine after deployment. With the WannaCry attacks, users were alerted that their computers had been compromised when the ransomware encrypted their files and a note was placed on the desktop.
Once on a computer, the EternalRocks worm waits for 24 hours before downloading the Tor browser, contacting the attackers, and replicating and spreading to other devices on the network.
The self-replicating network worm was discovered by security researcher Miroslav Stampar from CERT in Croatia. While the threat has only just been discovered, Stampar says the first evidence of infections dates back to May 3.
At present, the EternalRocks worm does not have any malicious payload. It neither installs malware nor ransomware, but that does not mean it poses no risk. Worms can be weaponized at any point, as was seen on Friday 12 May, when WannaCry ransomware was deployed.
For the time being, it is unclear how many computers have already been infected and how EternalRocks will be weaponized.
Preventing infection with EternalRocks worm and other similar yet to be released – or discovered – threats is possible by ensuring operating systems and software are patched promptly. Older operating systems should also be upgraded as soon as possible. As Kaspersky Lab reported, 95% of the WannaCry attacks affected Windows 7 devices. No Windows 10 devices were reportedly attacked.