Cybersecurity Advice

Our news section dedicated to cybersecurity advice is regularly updated with news about the latest online threats and most recently-discovered security vulnerabilities – and advice on how to deal with them.

MSPs will find our cybersecurity advice section of particular value, as it addresses many of the online security issues that clients may have heard about and that may have raised concerns about their own cybersecurity defenses.

MSPs can reassure clients that the risk of systems and networks being infected by an online threat – or security vulnerabilities in their software being exploited by a hacker – can be nullified with a web filtering solution from TitanHQ.

Terdot Trojan Steals Banking Credentials and Hijacks Social Media Accounts

The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.

The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.

The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.

Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.

The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.

Aside from social media infections, the Trojan is distributed via phishing emails. One such spam email campaign includes buttons that appear to be PDF files, although a click will launch JavaScript which starts the infection process. However, Bitdefender researchers note that the primary infection vector appears to be the Sundown exploit kit – exploiting vulnerabilities in web browsers.

Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.

“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.

Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.

Spam filtering software should be used to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly advisable to block access to webpages known to host malware and exploit kits. Even with powerful anti-virus, web filters, and spam filters, employees should be trained to be more security aware. Regular training and cybersecurity updates can help to eradicate risky behavior that can lead to costly malware infections.

Combosquatting: Study Reveals Extent of Use of Trademarks in Web Attacks

Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.

Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.

Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
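The distinction between the two techniques can be checked mechanically when reviewing DNS or proxy logs. The following Python sketch is an added example, not code from the study or from TitanHQ; the allow-list of brand-owned domains, the small suffix set and the sample hostnames are constructed assumptions.

```python
"""Flag combosquatting and typosquatting hostnames for a list of trademarks."""

# Assumption: constructed allow-list of trademark -> domains the brand owns.
OWNED = {
    "facebook": {"facebook.com"},
    "google": {"google.com"},
    "yahoo": {"yahoo.com"},
    "disney": {"disney.com"},
}

# Simplification: a production tool would use the full Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}


def registrable(hostname):
    """Return (label, registrable_domain), e.g. ('yahoofiles', 'yahoofiles.com')."""
    labels = hostname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    labels = labels[-n:]
    return labels[0], ".".join(labels)


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname):
    """Return (verdict, trademark) for one hostname."""
    label, domain = registrable(hostname)
    for brand, owned in OWNED.items():
        if domain in owned:
            return ("legitimate", brand)
    for brand in OWNED:
        if label == brand:
            # Exact trademark under a suffix the brand does not own.
            return ("same-name-other-suffix", brand)
        if brand in label:
            # Trademark spelled correctly and combined with another word.
            return ("combosquatting", brand)
    for brand in OWNED:
        if osa_distance(label, brand) == 1:
            # One typo or one pair of transposed letters away from the trademark.
            return ("typosquatting", brand)
    return ("unrelated", None)


# Constructed sample of hostnames as they might appear in DNS or proxy logs.
SAMPLE_QUERIES = [
    "www.facebook.com", "yahoofiles.com", "disneyworldamusement.info",
    "login.facebook-security.com", "google-privacy.com", "Fcaebook.com",
    "example.org",
]


def scan(hostnames):
    """Return {hostname: (verdict, trademark)} for names that need review."""
    flagged = {}
    for host in hostnames:
        verdict = classify(host)
        if verdict[0] not in ("legitimate", "unrelated"):
            flagged[host] = verdict
    return flagged


if __name__ == "__main__":
    for host, (verdict, brand) in scan(SAMPLE_QUERIES).items():
        print(f"{host}: {verdict} ({brand})")
```

Substring matching on short trademarks produces false positives on ordinary words that happen to contain them, so hits are candidates for review rather than verdicts.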

The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.

The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.

For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identified combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.

The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.

The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.

End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.

First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”

In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had previously been purchased by hackers had been re-bought by other scammers when they came up for renewal.

Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLs are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.

Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.

The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.

TitanHQ Provides Insights into Great Innovations in Enterprise WiFi Security at WiFi Now Europe 2017


TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.

This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.

Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.

Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry

The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.

The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.

The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.

Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.

TitanHQ On the Road

It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.

The Wi-Fi Now Europe 2017 comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs, and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues. Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained the new integration of WebTitan with Kaseya.

The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.

Look Beyond HIPAA Compliance to Prevent Healthcare Data Breaches

Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than a decade since the Security Rule was introduced, and data breaches are still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.

September Data Breaches in Numbers

The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.

HIPAA Compliance Will Not Prevent Healthcare Data Breaches

HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.

HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.

Detect Insider Breaches Promptly

Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.

HIPAA requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
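An access log review of this kind can be automated so it runs continuously rather than once a quarter. The following Python sketch is an added example, not part of any HIPAA guidance or TitanHQ product; the CSV log layout, the care-team table, the user names and the bulk threshold are all constructed assumptions.

```python
"""Flag record accesses by staff who are not treating the patient."""
import csv
import io
from collections import defaultdict

# Constructed sample: which staff members are treating which patient.
CARE_TEAM = {
    "P1001": {"dr_patel", "nurse_kim"},
    "P1002": {"dr_patel"},
    "P1003": {"dr_ortiz", "nurse_kim"},
}

# Constructed access log in a hypothetical format: timestamp,user,patient_id,action
ACCESS_LOG = """\
2017-09-04T09:12:00,dr_patel,P1001,view
2017-09-04T09:40:00,nurse_kim,P1003,view
2017-09-04T11:05:00,clerk_ray,P1001,view
2017-09-04T11:06:00,clerk_ray,P1002,view
2017-09-04T11:07:00,clerk_ray,P1003,export
2017-09-05T08:30:00,dr_ortiz,P1003,view
2017-09-05T14:22:00,nurse_kim,P1002,view
"""


def review(log_text, care_team, bulk_threshold=3):
    """Return (findings, bulk).

    findings: every access where the user is not on the patient's care team.
    bulk: {(user, date): count} for users who opened at least bulk_threshold
          distinct out-of-team records in one day.
    """
    findings = []
    patients_seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the export
        timestamp, user, patient, action = row
        # A patient with no care-team entry has no authorized viewers here.
        if user in care_team.get(patient, set()):
            continue
        findings.append((timestamp, user, patient, action))
        patients_seen[(user, timestamp[:10])].add(patient)
    bulk = {
        key: len(patients)
        for key, patients in patients_seen.items()
        if len(patients) >= bulk_threshold
    }
    return findings, bulk


if __name__ == "__main__":
    findings, bulk = review(ACCESS_LOG, CARE_TEAM)
    for timestamp, user, patient, action in findings:
        print(f"REVIEW {timestamp} {user} {action} {patient}")
    for (user, day), count in bulk.items():
        print(f"ESCALATE {user} opened {count} out-of-team records on {day}")
```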

Close the Door to Hackers

50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.

Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.

Prevent Impermissible Disclosures of PHI

One of the leading causes of PHI disclosures occurs when laptop computers, zip drives, and other portable devices are lost or stolen. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.

Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.

Block Malware and Ransomware Attacks

Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.

Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.

Government Internet Safety Strategy Aims to Make UK the Safest Place to be Online

This week, the UK government’s Culture Secretary Karen Bradley announced the publication of a new green paper outlining the government’s Internet Safety Strategy, saying the aim is to make the UK the safest place to be online.

The Internet Safety Strategy outlines the steps that the government is taking to prevent cyber-bullying, trolling and the accessing of pornography by minors. The government has come under increasing pressure in recent years to take decisive action to curb the growing problem of online abuse and harm to minors from accessing age-inappropriate websites.

In a recent press release announcing the new Internet Safety Strategy, Bradley said “In the past year, almost one fifth of 12-15-year olds encountered something online that they ‘found worrying or nasty in some way’ and 64% of 13-17-year olds have seen images or videos offensive to a particular group.” The problem is not confined to minors. Adults too have been offended or upset by material they have viewed on social media sites, and the new strategy will also help to keep adults safe and protected online.

The aim of the new proposals is not censorship of the Internet – the UK government continues “to embrace the huge benefits and opportunities the Internet has brought for British citizens.” The aim of the government’s Internet Safety Strategy is simply to make the Internet a safer place and prevent harm to vulnerable people, especially children.

Bradley said, “Behaviour that is unacceptable in real life is unacceptable on a computer screen. We need an approach to the Internet that protects everyone without restricting growth and innovation in the digital economy.”

The Internet Safety Strategy tackles a range of online issues using several different methods – a combination of improved efforts to educate children and the public about online dangers and acceptable online conduct, social media advice, the promotion of safety features for parents to use to protect their children, and the use of Internet filtering in schools.

Some of the key elements in the Internet Safety Strategy are:

  • Developing a new social media code of practice to address bullying, intimidating, or humiliating online content
  • An industry-wide levy so social media companies and communication service providers contribute to raise awareness and counter internet harms
  • The publication of an annual Internet safety transparency report detailing the progress made at reducing abusive and harmful content and conduct
  • Providing support for start-ups and tech companies to help them build safety features into their products and apps at the design stage
  • Compulsory new subjects in schools: Relationship education at the primary school level and relationship & sex education at secondary level
  • Encouraging social media companies to provide social media safety advice to parents and build that advice into their platforms
  • Promoting the use of social media and Internet safety features by parents
  • Changing the name of the UK Council for Child Internet Safety to the UK Council for Internet Safety, to show the safety of all Internet users is of concern

In the new green paper, the Keeping Children Safe in Education (KCSIE) guidance is highlighted. The guidance details the steps that schools and colleges in England should take to protect students and keep them safe online. The guidance was updated in September last year to include a new section on safeguarding children online. Schools were reminded of their responsibility to prevent children from accessing harmful and inappropriate website content, explaining Internet filtering in schools is a requirement. Solutions that allow Internet filtering in schools should block inappropriate content and also allow the monitoring of the attempted access of inappropriate material.

The use of similar controls by parents is being encouraged, first by making sure the options are available – the big four ISPs in the UK all offer Internet content filtering controls – and to improve education on the need to implement content filtering solutions to protect children at home.

Vicki Shotbolt, Chief Executive Officer at Parent Zone – an organization set up to provide expert information to families, schools and family professionals on Internet safety – said, “It is encouraging to see the government proposing concrete steps to ensure that industry is doing everything they can to support families and make the Internet a place that contributes to children flourishing.”

The Rapid Evolution of Ransomware

There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.

The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.

The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.

Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.

Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.

Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.

The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.

The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years

  • Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
  • Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
  • Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
  • NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
  • CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
  • Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
  • KeRanger: One of the first ransomware strains to target Mac OS X applications.
  • Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
  • TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications.
  • HDDCryptor: A ransomware variant that targets network shares, file, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk.
  • CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat.
  • ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives.
  • WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.

Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.

In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 321 approach to ensure you can recover files without paying the ransom – Make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.

Rising Popularity of Ransomware-as-a-Service is More Bad News for Businesses

Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.

Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.

In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required: affiliates simply enter their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.

With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.

For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.

There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.

A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.

The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.

Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.

For further information on spam and web filtering, contact TitanHQ today.

Beware of Hoeflertext Warnings: Popups Used to Deliver Ransomware

Popup warnings of missing fonts, specifically the Hoeflertext font, are being used to infect users with malware. The Hoeflertext warnings appear as popups when users visit compromised websites using the Chrome or Firefox browsers. The warnings flash up on screen with the website in the background displaying jumbled or unreadable text.

Hoeflertext is a legitimate font released by Apple in 1991, although popup warnings that the font is missing are likely to be a scam to fool users into downloading Locky Ransomware or other malware.

Visitors to the malicious websites are informed that Hoeflertext was not found, which prevents the website from being displayed. The popup contains an option to “update” the browser with a new font pack, which will allow the website content to be displayed.

Clicking on the update button will not install a font pack. Instead, it will launch a download of a JavaScript script file – Win.JSFontlib09.js. If that file is saved and opened, it will download Locky ransomware onto the user’s device.

This is not the first time the Hoeflertext font scam has been used. NeoSmart Technologies discovered the scam in February this year, although recently Palo Alto Networks and SANS Internet Storm Center have both reported that it is being used in a new campaign.

Another version of the campaign is being used to deliver the NetSupport Manager remote access tool (RAT). In this case, the file downloaded is called Font_Chrome.exe, which will install the RAT if it is run. The researchers suggest the RAT is being favored as it offers the attackers a much wider range of capabilities than ransomware. The RAT is commercially available and has been used in several malware campaigns in the past, including last year’s campaign using hacked Steam accounts.

The RAT, once installed, gives the attackers access to the infected computer allowing them to search for and steal sensitive information and download other malware.

The actors behind this campaign have been using spam email to direct users to the malicious websites where the popups are displayed. The SANS Internet Storm Center says one campaign has been identified using emails that appear to have been sent via Dropbox, asking the user to verify their email address to complete the sign-up process.

Clicking on the ‘verify your email’ box will direct the user to a malicious website displaying fake Dropbox pages where the popups appear. Internet Explorer users do not have the popups displayed; instead, they are presented with fake anti-virus alerts linked to a tech support scam.

The latest campaign shows why it is so important for businesses to use an advanced spam filtering solution to block malicious messages. A web filtering solution is also beneficial to prevent end users from visiting malicious websites in case the messages are delivered and opened. Along with security awareness training for employees to alert them to the risks of email and web-based attacks such as this, businesses can protect themselves from attack.

Internet Filtering for Managed Service Providers: A Must For Your Service Stack

With the volume of cyberattacks increasing and heightened pressure on businesses to offer family-friendly WiFi access, a partnership with a company that offers Internet filtering for managed service providers is now a must.

Businesses that offer WiFi access to customers provide greater value and are more likely to attract customers. Younger age groups in particular are more likely to choose an establishment that allows them to connect to the Internet and not use their own data allowance. Coffee shops, restaurants, bars, and retail outlets now appreciate that providing WiFi access brings in more customers.

However, it is becoming increasingly important for secure WiFi access to be provided. Customers are now demanding more. They want reassurance that efforts are being made to make WiFi networks secure. Parents also want to make sure their children will not be exposed to harmful website content when hooking up to WiFi networks.

With demand for a filtered Internet service high, it is an easy sell for managed service providers. Further, Internet filtering brings in regular monthly revenue for next to no effort. Once the service is set up there is very little maintenance. Due to the low maintenance overhead and ease of implementation, Internet filtering for managed service providers could even be provided as part of an existing security suite to give clients even greater value for money.

Visiting clients to install solutions and perform updates is costly and eats into profits. It can also be difficult to convince businesses to pay out for an appliance to keep customers safe online. Free WiFi may increase footfall, but having to pay for a $500 appliance is a difficult sell.

However, with a cloud-based filter there is no need for any hardware purchases, no need for MSPs to visit their clients for an installation, and all settings can be changed remotely via an online administration control panel. Customers can even be given their own logins so they can tweak their own settings and whitelist and blacklist certain webpages at will.

WebTitan Cloud for WiFi – Internet Filtering for Managed Service Providers Made Simple

WebTitan Cloud for WiFi has been developed to make Internet filtering for managed service providers as simple as possible. This go-to-market content filtering solution can be set up for each client in around 20 minutes, with no need for site visits or any software downloads. WebTitan Cloud for WiFi is also supplied with a full set of APIs for easy backend integration and reports can be scheduled and sent automatically.

Each client can have their own administration control panel to tweak their content filtering settings, and since the interface is non-technical, there is no steep learning curve. Internet filtering controls are applied by category, so configuration is a quick and easy process.

Content filtering with WebTitan Cloud for WiFi has no discernible impact on Internet speed. There is no limit to the number of WiFi points that can be protected and no limit on bandwidth.

Setting different web filtering controls for different users and user groups is straightforward, since the solution integrates with LDAP and Active Directory. Filtering settings can also be set by the time of day or night.

If you want to offer your clients real-time spyware, malware and virus protection and allow them to carefully control Internet access to keep customers safe online and avoid legal liability, WebTitan Cloud for WiFi is the ideal choice.

To make it even better for MSPs, WebTitan Cloud for WiFi can be supplied in white label form ready to accept MSPs’ branding, and there is a choice of hosting options, including the option of hosting the solution in your own environment. Add to that industry-leading customer service and you have the complete package.

If you are an MSP and are interested in adding Internet filtering to your service stack or are looking for a lower cost service provider with better margins, contact the MSP team at TitanHQ today and find out how easy – and profitable – Internet filtering for managed service providers can be.

How Can I Protect Personally Identifiable Information Under GDPR?

From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?

The General Data Protection Regulation

GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.

GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.

Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.

Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.

Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes, procedures and structure.

In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.

Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.

Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.

How Can I Protect Personally Identifiable Information under GDPR?

GDPR imposes a number of restrictions on what companies can and cannot do with data and how it must be protected, although there are no specific controls that are required of companies to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.

A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.

GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.

Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.

Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.

Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.

To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.

Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.

Guidance on Strengthening Passwords Updated by NIST

The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.

Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.

By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.

By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.

The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.

A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.

When companies update their password policies, forcing users to use at least one capital letter and number in a password, many end users choose Password1, or Passw0rd or P455w0rd. All would be high up on a password list used in a brute force attack.

Attempts such as these to meet company password requirements mean security is not actually improved by password policies. If this is going to happen, it would make more sense – from a security perspective – to allow employees to make passwords easier to remember in a more secure way.

NIST Tweaks its Guidance on Strengthening Passwords

As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.

Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.

The use of a space does not make a password any more secure, although increasing a password from 8 characters to, say, 15 or 20 characters certainly does. It also makes passwords much easier to remember. NIST suggests passwords must have a minimum of 8 characters, and that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”

NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.

NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before a user is blocked is one such option. Organizations should also combine this with blacklists of unacceptable passwords that should include dictionary words, other weak passwords and those revealed from past data breaches. NIST also recommends secured hashed storage of passwords.

The NIST guidance on strengthening passwords can be found in NIST Special Publication 800-63B, Appendix A: Strength of Memorized Secrets.
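The Python below is an added example, not code from NIST or TitanHQ. It applies the measures described above: length instead of composition rules, a blocklist that catches variants such as Password1, Passw0rd and P455w0rd, a failed-login limit, and salted hashed storage. The blocklist entries, the 64-character ceiling, the lockout thresholds and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
import time
import unicodedata

# Constructed sample blocklist. A real deployment would load dictionary words,
# commonly used passwords and passwords exposed in past breaches.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein", "iloveyou"}
MIN_LENGTH = 8    # minimum quoted in the article
MAX_LENGTH = 64   # assumption: this example's reading of "within reason"
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware

# Look-alike substitutions undone before the blocklist lookup:
# 0->o, 1->l, 3->e, 4->a, 5->s, @->a, $->s
LEET = str.maketrans("01345@$", "oleasas")


def check_password(candidate):
    """Return (accepted, reason). No composition rules; spaces are allowed."""
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    lowered = pw.lower()
    # Drop the digits and symbols users append to satisfy composition rules.
    stem = lowered.rstrip(string.digits + string.punctuation)
    variants = {lowered, lowered.translate(LEET), stem, stem.translate(LEET)}
    if variants & BLOCKLIST:
        return False, "on blocklist"
    return True, "ok"


def hash_password(password, salt=None):
    """Return (salt, key) derived with salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute the hash and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


class LoginThrottle:
    """Blocks an account after too many consecutive failed logins."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the lockout can be tested
        self._failures = {}           # account -> consecutive failure count
        self._locked_until = {}       # account -> clock value when the block ends

    def is_blocked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear the state and allow attempts again.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record(self, account, success):
        """Record one login outcome; return True if the account is blocked."""
        if self.is_blocked(account):
            return True               # refused even if the password was right
        if success:
            self._failures.pop(account, None)
            return False
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False


if __name__ == "__main__":
    for sample in ("Password1", "P455w0rd", "correct horse battery staple"):
        print(sample, "->", check_password(sample))
```
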

Poor Patch Management Policies Result in Cyberattacks and Huge Settlement

The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.

The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.

In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.

WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit. Again, these attacks required no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.

These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.

The take-home message is that unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.

Poor Patch Management Policies Cost Insurer More than $5 Million

This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.

The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.

The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, lawsuits filed by breach victims, fines from attorneys general and fines by other regulators. These costs can all be avoided with good patch management policies.

How Can I Restrict Internet Access at Work?

There are many reasons why businesses want to restrict Internet access at work. Allowing employees to have unrestricted access to the Internet can result in a major drain on productivity, the risk of malware and ransomware downloads must be managed, and inappropriate Internet access at work can cause legal issues. However, restricting Internet access at work can also cause problems.

The Problem of Personal Internet Use at Work

Some employees spend an unreasonable amount of the working day surfing the Internet, playing games or accessing their social media accounts. Personal Internet use can see hours of the working day wasted. Multiply an hour a day by your number of employees and the losses are considerable.

There are other drains on productivity as a result of these activities. They can have a knock-on effect on Internet speed. If employees are downloading large files from file sharing websites or streaming music or videos, this can result in latency that affects all employees. Internet speed slows and important websites may become temporarily unavailable.

The Danger of Malware and Ransomware Downloads

Personal Internet use at work can cause other productivity-draining issues. If employees are accessing social media websites, downloading files or are visiting questionable websites, the risk of malware or ransomware downloads increases significantly.

Ransomware can result in an entire network being taken out of action, as has recently been seen at companies affected by the WannaCry and NotPetya attacks. In the case of the latter, companies have experienced major disruptions for weeks following the attacks.

Even if antivirus software is installed, it may not prevent malware and ransomware downloads. Cybercriminals are getting better at obfuscation. Ransomware may not be detected until it is too late.

Accessing of Inappropriate Web Content

While most employees do not use the Internet to access unsavoury or illegal web content, there are always a few bad apples. The problem of accessing pornography at work is a real issue, and could be much worse than you think.

In 2014, a survey conducted by the Barna Group showed 63% of men and 36% of women have viewed pornography at work. A survey in Forbes in 2013 revealed 25% of adults have viewed porn at work. 28% of employees have downloaded porn at work according to another survey.

Many businesses feel the best way to tackle the problem of personal Internet use is through acceptable usage policies and greater oversight of employees by line managers. When individuals are discovered to be abusing the Internet, action can be taken against individuals without restricting Internet access at work for everyone. This does not always prove effective.

Even if policies are introduced that threaten instant dismissal for accessing pornography at work, it may not curb use. The use of anonymizer services will prevent bosses from discovering what sites are being visited. In the case of personal Internet use, differentiating between minor personal use and persistent abuse can be difficult.

The alternative is to restrict Internet access at work with a web filter. A web filter can be used to block access to specific websites or categories of website content.

Problems with Using a Web Filter to Restrict Internet Access at Work

A web filter may seem like a quick and easy solution, although companies that restrict Internet access at work with a web filter can experience problems. Those problems can be worse than the issues the web filter was installed to correct.

If you restrict Internet access at work using an appliance-based web filtering solution it can result in latency. Each website must be inspected before it is accessed. In the case of secure (HTTPS) sites, each webpage must be decrypted, inspected, and re-encrypted. This places a considerable strain on resources. The result is considerable latency. As more sites switch to SSL certification and also use 4096-bit encryption, the problem will only get worse.

If you restrict Internet access at work, employees who were only accessing the occasional personal site may be unhappy with the new restrictions. This can have an effect on productivity and create a hostile working environment. Why should all employees be made to suffer because of the actions of a few?

How to Avoid Problems and Still Restrict Internet Access at Work

The issue of latency can be avoided if a cloud-based web filter is used. Cloud-based filters allow employers to restrict Internet access at work, but since the solutions are based in the cloud, they use the service provider’s resources. The result is Internet control without latency. There are other benefits. Cloud-based web filters are more flexible, scalable, and do not require the purchase of any hardware.

Some cloud-based filters, WebTitan for instance, allow time-based controls to be applied. Employers can use this feature to restrict Internet access at work during busy times and relax control at others. It is easy to block access to certain sites 100% of the time, others some of the time – relaxing controls during breaks for instance – and setting different controls for different employees or groups of employees. Since the filter integrates with LDAP and Active Directory, setting controls for different user groups is simple. It is also possible to block anonymizer websites to prevent users from bypassing content filtering controls.

Speak to TitanHQ About Internet Filtering Controls

Internet content control is quick, easy and low cost with WebTitan. The solution allows you to easily restrict Internet access at work and avoid the common problems associated with web filtering. If you are interested in curbing personal Internet use at work, contact TitanHQ today for advice. You can also sign up for a free trial and evaluate WebTitan in your own environment before you commit to a purchase.

2017 Sees Huge Rise in Malware Attacks on Schools

2017 has seen a major rise in malware attacks on schools. While cybercriminals have conducted attacks using a variety of different malware, one of the biggest problems is ransomware. Ransomware is malicious code that encrypts files, systems and even master file tables, preventing victims from accessing their data. The attack is accompanied by a ransom demand. Victims are required to pay a ransom amount per infected device. The ransom payments can range from a couple of hundred dollars to more than a thousand dollars per device. Ransom demands of tens of thousands of dollars are now common.

Data can be recovered from a backup, but only if a viable backup of data exists. All too often, backup files are also encrypted, making recovery impossible unless the ransom is paid.

Ransomware attacks can be random, with the malicious code installed via large-scale spam email campaigns involving millions of messages. In other cases, schools are targeted. Cybercriminals are well aware that cybersecurity defenses in schools are often poor and ransoms are more likely to be paid because schools cannot function without access to their data.

Other forms of malware are used to record sensitive information such as login credentials. These are then relayed back to the attackers and are used to gain access to school networks. The attackers search for sensitive personal information such as tax details, Social Security numbers and other information that can be used for identity theft. With ransomware, attacks are discovered immediately as ransom notes are placed on computers and files cannot be accessed. Keyloggers and other forms of information stealing malware often take many months to detect.

Recent malware attacks on schools have resulted in entire networks being sabotaged. The NotPetya attacks involved a form of malware that encrypts the master file table, preventing the computer from locating stored data. In this case, the aim of the attacks was to sabotage critical infrastructure. There was no way of recovering the encrypted MFT apart from with a full system restore.

The implications of malware attacks on schools can be considerable. Malware attacks on schools result in considerable financial losses, data can be lost or stolen, hardware can be rendered useless and educational institutions can face prosecution or lawsuits as a result of attacks. In some cases, schools have been forced to turn students away while they resolve infections and bring their systems back online.

Major Malware Attacks on Schools in 2017

Listed below are some of the major malware attacks on schools that have been reported in 2017. This is just a very small selection of the large number of malware attacks on schools in the past 6 months.

Minnesota School District Closed for a Day Due to Malware Attack

Malware attacks on schools can have major consequences for students. In March, the Cloquet School District in Minnesota experienced a ransomware attack that resulted in significant amounts of data being encrypted, preventing files from being accessed. The attackers issued a ransom demand of $6,000 for the keys to unlock the encryption. The school district is technology-focused, so without access to its systems, lessons were severely disrupted. The school even had to close for the day while IT support staff restored data. In this case, sensitive data were not compromised, although the disruption caused was severe. The ransomware is understood to have been installed as a result of a member of staff opening a phishing email that installed the ransomware on the network.

Swedesboro-Woolwich School District Suffers Cryptoransomware Attack

The Swedesboro-Woolwich School District in New Jersey comprises four elementary schools and has approximately 2,000 students. It too suffered a crypto-ransomware attack that took its computer systems out of action. The attack occurred on March 22, resulting in documents and spreadsheets being encrypted, although student data were apparently unaffected.

The attack took a significant part of the network out of action, including the District’s internal and external communications systems and even its point-of-sale system used by students to pay for their lunches. The school was forced to resort to pen and paper while the infection was removed. Its network administrator said, “It’s like 1981 again!”

Los Angeles Community College District Pays $28,000 Ransom

Ransomware was installed on the computer network of the Los Angeles County College District, not only taking workstations out of action but also email and its voicemail system. Hundreds of thousands of files were encrypted, with the incident affecting most of the 1,800 staff and 20,000 students. A ransom demand of $28,000 was issued by the attackers. The school had no option but to pay the ransom to unlock the encryption.

Calallen Independent School District Reports Ransomware Attack

The Calallen Independent School District in northwestern Corpus Christi, TX, is one of the latest victims of a ransomware attack. In June, the attack started with a workstation before spreading to other systems. In this case, no student data were compromised or stolen and the IT department was able to act quickly and shut down affected parts of the network, halting its spread. However, the attack still caused considerable disruption while servers and systems were rebuilt. The school district also had to pay for improvements to its security system to prevent similar attacks from occurring.

Preventing Malware and Ransomware Attacks on Schools

Malware attacks on schools can occur via a number of different vectors. The NotPetya attacks took advantage of software vulnerabilities that had not been addressed. In this case, the attackers were able to exploit the vulnerabilities remotely with no user interaction required. A patch to correct the vulnerabilities had been issued by Microsoft two months before the attacks occurred. Prompt patching would have prevented the attacks.

Software vulnerabilities are also exploited via exploit kits – hacking kits loaded on malicious websites that probe for vulnerabilities in browsers and plugins and leverage those vulnerabilities to silently download ransomware and malware. Ensuring browsers and plugins are 100% up to date can prevent these attacks. However, it is not possible to ensure all computers are 100% up to date, 100% of the time. Further, there is usually a delay between an exploit being developed and a patch being released. These web-based malware attacks on schools can be prevented by using a web filtering solution. A web filter can block attempts by end users to access malicious websites that contain exploit kits or malware.

By far the most common method of malware delivery is spam email. Malware – or malware downloaders – are sent as malicious attachments in spam emails. Opening the attachments results in infection. Links to websites that download malware are also sent via spam email. Users can be prevented from visiting those malicious sites if a web filter is employed, while an advanced spam filtering solution can block malware attacks on schools by ensuring malicious emails are not delivered to end users’ inboxes.

TitanHQ Can Help Schools, Colleges and Universities Improve Defenses Against Malware

TitanHQ offers two cybersecurity solutions that can prevent malware attacks on schools. WebTitan is a 100% cloud-based web filter that prevents end users from visiting malicious websites, including phishing sites and those that download malware and ransomware.

WebTitan requires no hardware, involves no software downloads and is quick and easy to install, requiring no technical skill. WebTitan can also be used to block access to inappropriate website content such as pornography, helping schools comply with CIPA.

SpamTitan is an advanced spam filtering solution for schools that blocks more than 99.9% of spam email and prevents malicious messages from being delivered to end users. Used in conjunction with WebTitan, schools will be well protected from malware and ransomware attacks.

To find out more about WebTitan and SpamTitan and for details of pricing, contact the TitanHQ team today. Both solutions are also available on a 30-day no-obligation free trial, allowing you to test both products to find out just how effective they are at blocking cyberthreats.

Secure WiFi Access for Shops to Attract More Repeat Business

Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.

With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.

Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.

The Risks of Unsecured WiFi Networks

Providing free WiFi access in store helps to attract more foot traffic and encourages individuals to stay in stores for longer. Customers have access to information and reviews about products, and studies have shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than 6 out of 10 customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.

Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.

Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.

Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.

Secure WiFi Access for Shops Brings Many Benefits

The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improve the image of your brand. It is also likely to result in positive online reviews.

Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your consumers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers’ browsing habits.

The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.

WebTitan – Secure WiFi Access for Shops Made Simple

Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.

WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.

To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.

Why is Internet and WiFi Filtering in Hospitals So Important?

Hospitals have invested heavily in solutions to secure the network perimeter, although Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, although IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.

A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.

A look at the Department of Health and Human Services’ Office for Civil Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.

There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.

The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals

The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.

Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.

Internet and WiFi filtering in hospitals is therefore no longer optional; it should be part of the cybersecurity strategy for all healthcare organizations.

Internet and WiFi Filtering in Hospitals is Not Just About Blocking Cyberthreats

Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.

Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.

It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content.  Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.

Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.

Internet and WiFi Filtering in Hospitals Made Simple

WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.

WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.

WebTitan Cloud for WiFi supports blacklists and whitelists, allows precision content control via category or keyword, and blocks phishing websites and sites known to host exploit kits and malware. In short, WebTitan Cloud for WiFi gives you control over what happens on your WiFi network.

To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.

Secure WiFi for Hotels Demanded by Guests

Hotel guests used to choose hotels based on whether free WiFi was available. Now free WiFi is no longer enough: secure WiFi for hotels is required to ensure the Internet can be accessed safely, a fast connection is essential and the WiFi signal must be reliable.

Even budget hotels know the attractive power of free WiFi and how much easier it is to attract guests with free, reliable Internet access. Forrester Research conducted a survey back in 2013 that showed 90% of hotel guests considered free WiFi access to be the most important hotel amenity, while 34% of respondents said free WiFi was a deal breaker when choosing a place to stay.

Providing Free WiFi is No Longer Enough

Now that most hotels are offering free WiFi, travelers have become much more discerning. Free WiFi access is no longer sufficient. Hotel guests want reliable access, good Internet speeds and sufficient bandwidth to stream music and videos, and secure WiFi for hotels is similarly important. Hotels now need to improve their WiFi networks to continue to attract business.

A quick look on TripAdvisor and other review sites is all it takes to assess the quality of the Internet connection. There are even websites dedicated to providing this information. A poor WiFi signal is one of the most common complaints about hotels.

Providing an excellent Internet connection may not mean a 5-star review is guaranteed – but one or two-star reviews can be expected if the Internet connection or WiFi coverage is poor.

If you really want to attract more guests, provide free WiFi access. If you want to gain a serious competitive advantage, ensure all rooms have an excellent signal, there is sufficient bandwidth and make sure your network is secure. Guests now expect the same protections they have at home.

Common Problems with Hotel WiFi Networks

Listed below are some of the common problems reported by guests about hotel WiFi:

Problems connecting more than one device to the network – Hotels often have WiFi networks with limited bandwidth. Restrictions may be in place that only allow one device to be connected per room. For a couple or family, that is no longer sufficient. Most guests will require at least two devices to be connected simultaneously per room, without Internet speed dropping to a snail’s pace.

Parents do not want their children to be able to access porn – A night in a hotel should be a relaxing experience. Parents do not want to have to spend their time policing the Internet. They want controls in place to make sure adult content cannot be accessed by their kids.

Connecting to guest WiFi should be safe and secure – Guests should be protected from malware and ransomware infections and steps should be taken by the hotel operator to reduce the risk of man-in-the-middle attacks. Safe and secure WiFi for hotels is essential. Accessing hotel WiFi should not result in nasties being transferred to guests’ devices. Safe and secure WiFi for hotels is especially important for business travelers. They should be able to enter their usernames and passwords without risking an account compromise.

Bandwidth issues are a major bugbear – If some guests are streaming video to their devices, it should not prevent other users from accessing the Internet or enjoying reasonable Internet speeds. Even at busy times, all guests should be able to connect.

How to Resolve these Problems?

Bandwidth is a major issue. Increasing bandwidth comes at a cost. If free WiFi is provided, it is difficult to recover that expenditure. There are solutions, however. Hotels can offer free WiFi access to all guests, yet block streaming sites and other bandwidth-heavy activities. If guests want to be able to stream video, they could be offered a premium service and be charged for non-standard access. The same could apply to adult content. Hotels could offer family-friendly WiFi as standard, with a paid-for service having fewer restrictions.

Secure WiFi for hotels is a must. Hotels can implement solutions that block malware and prevent guests from accessing phishing websites. Providing an encrypted connection is also essential. Guests should be able to log in to their accounts without being spied on.

Secure WiFi for Hotels Made Simple

A web content filter can be used to resolve the above problems and ensure safe and secure Internet access for all guests. Arranging secure WiFi for hotels is simple with TitanHQ.

TitanHQ’s WebTitan Cloud for WiFi is a content filter with a difference. The solution can be deployed on existing hardware with no need for any software installations.  Once installed, it is simple to manage, with updates to the system occurring automatically. Users don’t even need any technical expertise. The solution can be implemented and accounts set up in minutes. It doesn’t matter how many hotels you operate, all can be protected with ease through a central control panel that can be accessed from any location.

Secure WiFi for Hotels from TitanHQ

WebTitan Cloud for WiFi allows hotel operators to:

  • Control content and online activities without any impact on Internet speed
  • Block pornography and other inappropriate content to make the WiFi network family-friendly
  • Prevent users from engaging in illegal activity
  • Block phishing websites
  • Prevent malware and ransomware downloads
  • Restrict bandwidth-heavy activities such as video and music streaming services
  • Create user groups with different restrictions, allowing streaming or adult content for specific user groups
  • Set web filtering controls for different access points
  • Manage content filtering for multiple hotels with ease, no matter where in the world they are located

To find out more about all of the benefits of WebTitan Cloud for WiFi, how secure WiFi for hotels can be provided, details of prices and to register for a free trial, contact the TitanHQ team today. Your guests will thank you for it.

Why Secure Guest WiFi for Business is So Important

Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself to considerable risk.

Why Is Providing Internet Access so Important?

In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.

With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere.

Why is Secure Guest WiFi for Business So Important?

There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows them to collect contact details for future marketing and businesses can gain valuable customer insights.

However, giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.

Guests and customers could take advantage of a lack of control over accessible website content to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities. They may accidentally or deliberately install malware or ransomware, or visit phishing websites. Secure guest WiFi for business means protecting yourself and your customers. Securing guest WiFi for business visitors ensures they are protected when connected to your network by preventing man-in-the-middle attacks and malware downloads and by blocking phishing attacks. You will also be protected from legal liability.

5 Things to Consider About Secure Guest WiFi for Business Customers

If you are going to open up your network to guests, security cannot be an afterthought. Before providing WiFi access be sure to consider the points below:

Network Segregation

Segregating your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests. It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, it will not spread from the guest network to your internal network.
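The segregation requirement above can be checked mechanically. The following is an added example, not code from TitanHQ or the original article: it evaluates a firewall policy the way most packet filters do (top-down, first match wins, default deny, all of which are assumptions here) and reports which internal subnets a guest device can still reach. Every subnet, address and rule set is constructed for illustration.

```python
"""Audit a guest-WiFi firewall policy for guest-to-internal reachability."""
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the article).
GUEST_NET = ip_network("192.168.50.0/24")       # guest VLAN
INTERNAL_NETS = [
    ip_network("10.0.10.0/24"),                 # staff workstations
    ip_network("10.0.20.0/24"),                 # servers
]

# Each rule is (action, source network, destination network).
WEAK_RULES = [
    # Guests may go anywhere, which includes the internal subnets.
    ("allow", "192.168.50.0/24", "0.0.0.0/0"),
]
MISORDERED_RULES = [
    # The deny exists but is never reached: the broad allow matches first.
    ("allow", "192.168.50.0/24", "0.0.0.0/0"),
    ("deny", "192.168.50.0/24", "10.0.0.0/8"),
]
SEGREGATED_RULES = [
    # Block guest -> internal first, then allow guest -> Internet.
    ("deny", "192.168.50.0/24", "10.0.0.0/8"),
    ("allow", "192.168.50.0/24", "0.0.0.0/0"),
]


def decide(rules, src, dst):
    """Return 'allow' or 'deny' for one flow: first matching rule wins, default deny."""
    src_ip, dst_ip = ip_address(str(src)), ip_address(str(dst))
    for action, src_net, dst_net in rules:
        if src_ip in ip_network(src_net) and dst_ip in ip_network(dst_net):
            return action
    return "deny"


def _edge_hosts(net):
    """First and last usable host of a subnet, used as probe addresses."""
    return [str(net.network_address + 1), str(net.broadcast_address - 1)]


def guest_leaks(rules, guest_net=GUEST_NET, internal_nets=INTERNAL_NETS):
    """List the internal subnets that at least one guest probe address can reach.

    Probing the edge hosts is sufficient when rules are written per subnet,
    as they are in this example; it is not an exhaustive reachability proof.
    """
    leaks = []
    for net in internal_nets:
        reachable = any(
            decide(rules, src, dst) == "allow"
            for src in _edge_hosts(guest_net)
            for dst in _edge_hosts(net)
        )
        if reachable:
            leaks.append(str(net))
    return leaks


if __name__ == "__main__":
    for name, rules in [("weak", WEAK_RULES),
                        ("misordered", MISORDERED_RULES),
                        ("segregated", SEGREGATED_RULES)]:
        print(name, "-> guest can reach:", guest_leaks(rules) or "no internal subnet")
```

The misordered policy is the case worth noting: it contains the right deny rule and still leaks, because rule order decides the outcome.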

Always Change Default Passwords and SSIDs

This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.

It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks.

Keep your Firmware Updated!

Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed on a monthly basis.

Encrypt Your Wireless Signals

You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2 encryption. You can then post the SSID and password in your business to make it easy for legitimate users to gain access to your network.

Secure Guest WiFi for Business Means Content Filtering

Secure guest WiFi for business means adding some controls over the content that can be accessed on your WiFi network. Content filtering is a must. You should block access to adult content – which includes pornography, gambling sites and other web content that is ethically or morally questionable. A web filtering solution will also protect your customers from accidental malware and ransomware downloads while blocking phishing websites. Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades.

WebTitan at the Kaseya Connect Europe User Conference

The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.

The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.

Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders and have the opportunity of taking part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.

The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.

Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.

Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.

TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.

WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs’ service stacks, allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.

SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.

Both solutions are provided as white labels with a range of hosting options, including hosting within an MSP’s own environment.

Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.

“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president, customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”

The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.

Astrum Exploit Kit Now Delivering Mole Ransomware

The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrum exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.

Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.

However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.

In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.

The gang behind the Astrum exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.

Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware and the Astrum exploit kit is also attempting to fill the void. Trend Micro reports that the Astrum exploit kit has been updated on numerous occasions in 2017 and is very much active.

The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.

An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.

However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.

With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.

HTTPS Phishing Websites Increase as Cybercriminals Exploit Trust in Encrypted Connections

Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.

The risks of disclosing sensitive information such as credit card numbers on HTTP sites have been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website starts with HTTPS does not mean that website is safe.

HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.

A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.

Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.

The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.

Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with an SSL certificate it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and start with HTTPS.

HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.

The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.

Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.

WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.

Mac Malware Warning Issued: Handbrake for Mac App Infected with RAT

A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.

A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.

A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 chance of infection if they downloaded the app between the above dates.

Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.

Apple has now updated OSX's XProtect to detect and remove the infection, although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OSX Activity Monitor. If the process is running, the device has been infected with the Trojan.

Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.

The Trojan can be easily removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:

  • launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
  • rm -rf ~/Library/RenderFiles/activity_agent.app
  • if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
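The indicators named above (the Activity_agent process, the LaunchAgent plist, the activity_agent.app bundle and proton.zip) can be checked in one pass before anything is removed. The script below is an added example, not code from the HandBrake developers or the original article; its function names are hypothetical, and it only reports what it finds, leaving removal to the commands listed above.

```shell
#!/bin/sh
# Read-only check for the Proton RAT indicators named in the advisory above.
# Function names are hypothetical; nothing is unloaded or deleted.

# Print every file-system indicator that exists under the given home directory.
proton_file_indicators() {
    pf_home=$1
    for pf_path in \
        "$pf_home/Library/LaunchAgents/fr.handbrake.activity_agent.plist" \
        "$pf_home/Library/RenderFiles/activity_agent.app" \
        "$pf_home/Library/VideoFrameworks/proton.zip"
    do
        # -e is true for files and directories (an .app bundle is a directory)
        if [ -e "$pf_path" ]; then
            printf '%s\n' "$pf_path"
        fi
    done
}

# Print the number of file-system indicators found (0 to 3).
proton_count_file_indicators() {
    proton_file_indicators "$1" | grep -c . || true
}

# Succeed if a process named Activity_agent is running; return 2 if pgrep
# is unavailable and the process list cannot be checked.
proton_process_running() {
    command -v pgrep >/dev/null 2>&1 || return 2
    pgrep -x Activity_agent >/dev/null 2>&1
}

# Print a report for one home directory. Exit status 1 means at least one
# indicator was found, 0 means none were.
proton_report() {
    pr_hits=$(proton_count_file_indicators "$1")
    proton_file_indicators "$1" | sed 's/^/found file: /'
    if proton_process_running; then
        echo "found process: Activity_agent"
        pr_hits=$((pr_hits + 1))
    fi
    echo "indicators found: $pr_hits"
    [ "$pr_hits" -eq 0 ]
}

# Usage: sh proton_check.sh "$HOME"
if [ "$#" -gt 0 ]; then
    proton_report "$1"
else
    echo "usage: $0 HOME_DIRECTORY" >&2
fi
```

A non-zero exit status from the report means the machine should be treated as infected, including the password changes described above.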

The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.

Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.

The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.

‘Crazy Bad’ Microsoft Malware Protection Engine Bug Patched

A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.

If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.

The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.

The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.

The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.

While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk.  Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment.  The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.

The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.

GDPR Compliance: Is your Organization Prepared?

On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.

GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995, such as use of the cloud.

The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.

How Will GDPR Protect Consumers?

One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data.  Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.

GDPR gives consumers the right to:

  • Find out how their data will be used
  • Discover how data were obtained if informed consent was not provided
  • Access personal data
  • Find out how long data will be stored
  • Correct errors in stored data
  • Move data to a different processor
  • Restrict or prohibit the processing of data
  • Find out with whom data have been or will be shared
  • Have data permanently erased
  • Avoid being evaluated on the basis of automated processing

Organizations must also limit the data collected to the minimum amount necessary to perform the purpose that has been described to consumers.

While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.

What Data are Covered by GDPR?

Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.

Data Security Standards Necessary for GDPR Compliance

GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.

GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.

Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”

Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.

Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.

Data Breach Notification Requirements of GDPR

Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.

Preparing for GDPR

Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.

Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.

Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.

What are The Penalties for Non-Compliance with GDPR?

Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.

If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.

Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.

Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.

Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.

How Can TitanHQ Help with GDPR Compliance?

TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.

TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.

SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.

WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads.  The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.

ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.

For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.

Continued Use of Unsupported Operating Systems Places Organizations at High Risk of Attack

Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.

Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.

An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.

Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.

Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.

Take the recent set of updates addressed by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.

The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.

One of those tools, called Eternalromance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, Eclipsedwing, Emeraldthread, eraticgopher and esteemaudit have all been confirmed to work on Windows XP.

Those are just the exploit tools recently discovered by The Equation Group. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.

There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.

Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.

The True Cost of a Ransomware Attack

The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment. In fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.

Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.

Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.

Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.

Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.

While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.

In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom of $17,000 to unlock its system. A ransom in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!

Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.

What is the Cost of a Ransomware Attack?

Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.

The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.

However, the true cost of a ransomware attack is far higher than any ransom payment. The HPMC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.

System downtime is one of the biggest costs.  Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.

A study by Imperva on 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.

One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.

Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.

Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.

Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.

The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.

It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.

To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.

2016: The Year of Ransomware

In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.

2016 Will be Remembered as The Year of Ransomware

Ransomware first appeared in the late 1980s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.

That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.

Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.

Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.

In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015. That represents a 771% increase in ransom payments and only three months had passed. The year of ransomware had barely even begun!

Biggest Ransomware Threats in 2016

TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.

By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.

Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.

2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.

You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.

 


Should Malware Protection at the ISP Level be Increased?

Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?

Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.

Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.

Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.

While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.

ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.

Malware Protection at the ISP Level

Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.

ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.

ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.

An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.

The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level 3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.

The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those to which messages and Internet traffic are being sent. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level 3 Communications is working with hosting providers. Once the individuals are identified, they are contacted and advised of a potential malware infection.

The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.

If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.

ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections

Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.

ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.

WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.

If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.

Phishing Attacks on Law Firms Are Soaring

The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.

Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.

Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moore LLP and Gotshal and Manges LLP.

However, while those attacks were damaging, they arguably caused less harm than the Panama Papers breach – the largest law firm data breach of the year. That attack resulted in an astonishing 2.6 terabytes of data being stolen by the attackers – documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businessmen and women. More than 214,000 companies had data revealed as a result of that law firm data breach.

While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.

Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations, although it is becoming less effective in that regard, but it will do little to prevent phishing attacks.

A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.

Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.

 

Phishing Attacks on Law Firms

Is Your Organization Protected Against Printer Hacking?

You have secured your servers, you have endpoint protection, but have you ensured your organization is protected against printer hacking? According to one hacker, as many as 300,000 organizations have left a gaping hole in their security defenses by leaving their printers open to the Internet without any form of authentication.

Your Printer Has Been Owned!

The hacker decided to draw attention to the problem, not by publishing details of the flaws, but by attacking around 150,000 companies. The attack was rather benign. The hacker did not attempt to gain access to network resources or install malware. He just sent rogue jobs to the printers.

The printouts said “Your printer has been owned.” The hacker also claimed the printers had been added to ‘a flaming botnet’ as a result of the lack of security in place. Some of the messages sent are not appropriate for reproduction. A common message was ‘everyone likes a meme, fix your bull***t.’

The claims were not true, but the hacker did prove a point. Printer hacking is a very real threat and future attacks may be much more malicious in nature. If printers are left open to the Internet with no authentication required, they could be subjected to DoS attacks. Companies would be left unable to print. Printers could also be added to botnets. Those would be best-case scenarios of course. Printer hacking could cause much more serious harm.

Hackers could take advantage of flaws and run arbitrary code. Printers could be used as a launchpad to gain access to corporate networks, sabotage systems, install malware and ransomware, and steal corporate secrets and sensitive customer and patient data.

Following the printer cyberattack, the ‘victims’ took to social media to report the incidents. Some reported that corporate network printers were affected, others claimed their POS system printers had been owned. In the case of the former, the cyberattack could potentially have resulted in a network compromise. In the case of the latter, credit and debit card-stealing malware could have been installed.

The hacker in question claims he is a UK student with an interest in security research. He says he has access to RCE flaws that would enable him to take control of more than 300,000 printers. In this experiment, he took advantage of the lack of authentication controls on communications port 9100. The attacks involved the RAW protocol, Internet Printing Protocol (IPP) and the Line Printer Daemon (LPD).

Many of the printers susceptible to printer hacking are used by universities and other higher education establishments. In a separate ‘attack’ a different hacker also proved a point about the lack of security controls, the ease of finding computers to attack, and just how easy it was to send rogue output to printers. He chose to send anti-Semitic print jobs to printers at universities in the United States for maximum coverage. After the attacks, reports started flooding social media from students at Yale, UC Berkeley, DePaul University and UMass Amherst.

Printer Hacking Mitigation Required

The two hacks come just a few days after security researchers in Germany announced they had discovered vulnerabilities in printers manufactured by some of the big names in computer hardware, such as Samsung, HP, Dell and Lexmark. More than 20 models of printer were discovered to contain flaws that could be easily exploited. Undoubtedly many more printers are vulnerable.

If printers are left exposed and can be accessed by anyone over the Internet, it will only be a matter of time before a malicious attack occurs. Protecting against printer hacking is therefore essential. To do this, printers should be set up on a virtual private network (VPN) and organizations should make 100% sure that their printers cannot be accessed through public IP addresses. That would require access controls to be applied to routers to whitelist certain IP ranges.
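The checks described above can be rehearsed offline before router rules are changed. The following is an added example, not code from the article or from any vendor: it audits a constructed printer inventory for addresses outside private space, flags allow-list ranges that reach beyond private space, and models a default-deny rule for the print ports named earlier (9100, 631, 515). All printer names, addresses and ranges are assumptions.

```python
import ipaddress

# Print services named in the article: RAW (9100), IPP (631) and LPD (515).
PRINT_PORTS = {9100: "RAW", 631: "IPP", 515: "LPD"}

# RFC 1918 private IPv4 space. Anything outside it is treated as publicly
# addressed. The check is explicit so documentation ranges behave as "public".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (assumption). 203.0.113.0/24 is a documentation range
# standing in for a real public address.
PRINTERS = [
    {"name": "hq-floor2-laser", "address": "10.20.4.17"},
    {"name": "branch-pos-receipt", "address": "203.0.113.45"},
    {"name": "lab-plotter", "address": "192.168.50.9"},
]

# Constructed allow-lists (assumption): one tight, one with a catch-all entry.
ALLOW_LIST = ["10.20.0.0/16", "192.168.50.0/24"]
LOOSE_ALLOW_LIST = ["10.20.0.0/16", "0.0.0.0/0"]


def is_internal(address):
    """True when an IPv4 address sits inside RFC 1918 private space."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def audit_printers(printers):
    """Return the names of printers that hold a non-private address."""
    return [p["name"] for p in printers if not is_internal(p["address"])]


def audit_allow_list(allow_list):
    """Return allow-list entries that are not wholly inside private space."""
    findings = []
    for entry in allow_list:
        net = ipaddress.ip_network(entry)
        if not any(net.subnet_of(private) for private in RFC1918):
            findings.append(entry)
    return findings


def router_decision(src, dst_port, allow_list):
    """Default-deny model for print ports: only allow-listed sources pass."""
    if dst_port not in PRINT_PORTS:
        return "not a print port"
    ip = ipaddress.ip_address(src)
    allowed = any(ip in ipaddress.ip_network(n) for n in allow_list)
    return "permit" if allowed else "deny"


if __name__ == "__main__":
    print("Publicly addressed printers:", audit_printers(PRINTERS))
    print("Over-broad allow-list entries:", audit_allow_list(LOOSE_ALLOW_LIST))
    # Constructed connection attempts: (source address, destination port).
    for src, port in [("10.20.7.3", 9100), ("198.51.100.7", 9100),
                      ("198.51.100.7", 631), ("192.168.50.20", 515)]:
        print(src, PRINT_PORTS[port], router_decision(src, port, ALLOW_LIST))
```

The loose allow-list shows why the ranges themselves need review: a single catch-all entry permits every source, so the rule no longer restricts anything.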

Why a Restaurant WiFi Filtering Service is Now Essential

A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.

WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – that hardly makes for a pleasant dining experience.

However, there is another important reason why a restaurant WiFi filtering service should be used. It protects not only diners using the free WiFi network from a range of web-borne threats, but also the computer systems of the restaurant.

Each year, many restaurants discover that their computers and networks have been infected with malware. Malware infections are often random; however, restaurants are now being targeted by cybercriminals. If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with their debit or credit card could have their credentials sent to the hacker.

Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system will give a cybercriminal a steady source of credit card numbers. Each year, there are many examples of restaurants that have been attacked in this manner. One of the latest restaurant chains to be attacked was Popeyes Louisiana Kitchen – a multinational chain of fried chicken and fast food restaurants.

Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.

Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of compromise. That analysis revealed a malware infection. The information-stealing malware was passing credentials to the attacker and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected. Those restaurants were located in Georgia, North Carolina, and Texas. The malware infection has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputation damage for the chain.

Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A spam filter can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.

A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers, something that is increasingly important for parents when choosing a restaurant.

To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFi filtering service for 30 days without charge, contact the TitanHQ team today.

Why Web Filtering for Managed Service Providers is Now Essential

The increase in cyberattacks and proliferation of web-borne threats has made web filtering for Managed Service Providers one of the most important, and profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense.

Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSP’s service stack.

Cybercriminals Have Switched from Email to the Web to Spread Malware

Email remains one of the most likely routes by which malware can be installed. Malicious email volume is growing and in Q3, 2016, Proofpoint discovered 96.8% of malicious attachments were used to download Locky ransomware. Blocking malicious spam email messages is therefore an essential element of any organization’s cybersecurity defense strategy. However, times are changing. The threat from web-borne attacks has increased significantly in the past few years.

Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages and that they now conduct end user training to warn employees of the risks of opening email attachments or clicking on hyperlinks sent by strangers.

However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.

The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.

Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.

As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely identified as malicious and the malware downloads that result from visiting malicious websites go undetected.

Web-Borne Threats have Increased Substantially in Recent Years

Cybercriminals use exploit kits – malicious software that probes for vulnerabilities in browsers – on hijacked webpages and purpose-designed, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions and these flaws can be exploited and leveraged to download malware and ransomware. Each time a new flaw is identified, it is rapidly added to a swathe of exploit kits.

Anti-virus software is capable of detecting a high percentage of malware and preventing the malicious software from being installed on computers; however, new forms of malware are being released at an unprecedented rate. A new piece of malware is now released every 4 seconds. Naturally, there is a lag between the release of new malware and the addition of its signature into antivirus software companies’ virus definition lists. Visits to malicious websites all too often result in malware installations that go undetected.

Malicious websites are constantly being created. Google reports that since July 2013, 113,132 new phishing websites have been created and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.

Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.

New Threats are Constantly Being Developed

The range of threats is also increasing. Malware-infected websites are conducting Cross Site Request Forgery (CSRF) attacks, Cross-Component attacks, SQL injection attacks, as well as exploiting vulnerabilities in popular Internet applications such as Adobe Flash, JSON, JavaScript, XPath and XML. Keeping all of these applications 100% up to date, 100% of the time is simply not possible for businesses, and any out-of-date software could be exploited.

Malware is used to log keystrokes to obtain login credentials for further, more sophisticated attacks. Banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic. 40% of businesses have now been attacked with ransomware.

Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.

These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:

web filtering for managed service providers msps (infographic)

WebTitan Cloud – Web Filtering for Managed Service Providers

Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.

Given the range of threats and the extent to which cybercriminals are using the web, it is now essential for organizations to add web filtering to their cybersecurity defenses. Consequently, web filtering for Managed Service Providers presents a huge opportunity for growth. TitanHQ has seen a significant increase in uptake of its web filtering for Managed Service Providers in recent months as MSPs have started to appreciate the huge potential web filtering for Managed Service Providers has to improve bottom lines.

WebTitan can be rapidly added to an MSP’s service stack and is an easy sell to clients. WebTitan can be deployed remotely and rapidly installed and configured. The solution is automatically updated, requires little to no IT support, is technology agnostic, and therefore has an extremely low management overhead. The solution also has excellent scalability and can be used to protect any number of end users.

MSPs can be provided with a white-label version of WebTitan Cloud ready for branding and WebTitan Cloud can even be hosted within an MSP’s own environment. Perhaps most important for MSPs is the high margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.

Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.

The Risks of Social Media In Business

Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: There are many risks of social media in business and the costs can be considerable.

Social Media Use Can be a Huge Drain on Productivity

When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.

If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.

Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.

Social media site use is not all bad, in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.

The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.

The Cost of Social Media Use Can Be Severe

Productivity losses can have a serious negative impact on profits, but there are far bigger costs to employers from social media site use. In fact, the risks of social media in business are considerable.

The cost from lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by hackers to infect computers. Just visiting a malicious Facebook or Twitter link can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical. The more time employees spend on non-work related Internet activities, the greater the risk of a malware infection.

Is there a genuine risk? According to PC Magazine, the risks are very real. There is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.

Controlling employees’ use of the Internet can not only result in huge increases in productivity, Internet control can help to reduce the risk of malware and ransomware infections. Further, by limiting the sites that can be accessed by employees, organizations can greatly reduce legal liability.

Fortunately, there is a simple, cost-effective, and reliable solution that allows organisations to effectively manage the risks of social media in business: WebTitan.

Managing the Risks of Social Media in Business

WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.

If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.

To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.

Risks of Social Media In Business

How to Block Facebook Chat at Work

One of the questions most frequently asked of the WebTitan customer support team is how to block Facebook chat at work without blocking access to Facebook entirely.

Why Block Facebook Chat at Work?

There are many reasons why an organization would want to prevent employees from accessing Facebook. Social media websites can be a drain on productivity. Some employees may spend hours of each day accessing and updating their Facebook account, which is time spent not working.

However, an employee cannot remain productive for a full eight hours each day. By allowing access to Facebook – and other social media sites – employers can actually increase productivity, providing social media site use is kept within acceptable limits.

If employees take short breaks throughout the day and access Facebook for a few minutes every hour, they are likely to be more productive. Morale can also be improved with a little social media site use.

However, there is the question of security to consider and Facebook chat is a particular cause for concern. Many organisations believe Facebook Chat is a security risk. Use of Facebook chat can increase the risk of malware infections. The chat function also lacks the security standards demanded by many organizations and makes it too easy for employees to share sensitive corporate data. Use of Facebook chat is also difficult to police.

How to Block Facebook Chat Without Blocking Facebook Access

With WebTitan Cloud it is easy to block Facebook chat at work without blocking Facebook access entirely. The process takes just a few seconds and is detailed in the video presentation below (and described underneath.)

 

 

To block Facebook chat at work, open your WebTitan Cloud administration panel and navigate to “Filtering URL keywords.”

To block Facebook chat you need to add in two blacklisted keywords. Enter in the first keyword:

ajax/updatestatus.php

Then set filter options to ‘find keyword in entire URL’.

The second keyword that must be blocked is:

ajax/mercury/send_messages.php

As before, set filter options to ‘find keyword in entire URL’.

These two files are used by Facebook chat and if the files are blocked, the Facebook chat will not function, although the Facebook website will still be accessible.

In order for URL keywords to work correctly it is necessary to have the SSL certificate pushed out to the browsers. Further information on how to do this via GPO or manually can be found in the help section on the WebTitan website.

Visit the link below for detailed instructions on how you can download and push out the SSL certificate to browsers.
http://helpdesk.webtitan.com/support/solutions/articles/4000035615-ssl-inspection-certificates
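The matching behaviour described above, and the reason SSL inspection is a prerequisite, can be seen in a small model. This is an added example and not WebTitan's own code: it assumes case-insensitive substring matching against the whole URL, and it assumes that without SSL inspection a filter sees only the hostname of an HTTPS request. The sample URLs, including the query strings and the `intranet.example` host, are constructed.

```python
from urllib.parse import urlsplit

# The two URL keywords given in the article.
BLOCKED_KEYWORDS = (
    "ajax/updatestatus.php",
    "ajax/mercury/send_messages.php",
)

# Constructed sample requests (assumption): hosts and query strings are
# illustrative, only the keyword paths come from the article.
SAMPLE_URLS = [
    "https://www.facebook.com/",
    "https://www.facebook.com/ajax/updatestatus.php",
    "https://www.facebook.com/ajax/mercury/send_messages.php?dpr=1",
    "https://intranet.example/go?next=/ajax/updatestatus.php",
]


def visible_to_filter(url, ssl_inspection):
    """Return the part of the request a filter can examine.

    Model assumption: for HTTPS without inspection, the path and query are
    encrypted, so only the hostname is available for matching.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and not ssl_inspection:
        return parts.hostname or ""
    return url


def filter_decision(url, ssl_inspection=True):
    """Apply 'find keyword in entire URL' matching to the visible text."""
    seen = visible_to_filter(url, ssl_inspection).lower()
    for keyword in BLOCKED_KEYWORDS:
        if keyword in seen:
            return "block", keyword
    return "allow", None


def compare(urls):
    """Return (url, decision with inspection, decision without) per URL."""
    return [
        (u, filter_decision(u, True)[0], filter_decision(u, False)[0])
        for u in urls
    ]


if __name__ == "__main__":
    for url, inspected, uninspected in compare(SAMPLE_URLS):
        print(f"{inspected:5} / {uninspected:5}  {url}")
```

The last sample URL shows the trade-off of entire-URL matching: a keyword that appears only in a query string on an unrelated site is blocked as well, which is worth knowing when reviewing filter logs after the keywords are added.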

How to Prevent Drive-By Malware Downloads

Are you taking steps to prevent drive-by malware downloads? Have you implemented controls to reduce your attack surface and prevent your employees from inadvertently downloading malware onto your network?

Malvertising – A Major Security Risk that Should be Managed

Malvertising is the term used for the practice of displaying malicious adverts to website visitors. The malicious adverts are displayed via third party advertising networks which are present on a wide range of legitimate websites. Malicious adverts have been displayed to visitors to many of the top 500 global websites.

The New York Times website was discovered to be displaying malvertising via third-party ad networks. Those adverts redirected visitors to websites where ransomware was downloaded. The UK’s BBC website was similarly discovered to be displaying malicious adverts that resulted in ransomware downloads.

Other high profile sites found to be displaying malvertising include AOL, the NFL website, Realtor, theweathernetwork, newsweek, infolinks, answers.com, and thehill, among many others.

Proofpoint recently announced it has succeeded in shutting down the AdGholas malvertising operation. This large-scale operation was reported to have resulted in malicious adverts being displayed to between 1 million and 5 million individuals per day. Researchers at Proofpoint estimated that between 10% and 20% of computers that loaded the malicious adverts were redirected to websites containing exploit kits. Exploit kits probe for security vulnerabilities in web browsers. If vulnerabilities are discovered, malware is silently downloaded onto the site visitor’s computer. Of course this was just one malvertising operation out of many.

Cost of Malware and Ransomware Infections

Many ransomware variants are capable of moving laterally within a network and replicating. One download may see multiple computers infected. Each infected device is encrypted with a separate key and a separate ransom demand is issued for each infection.

Organizations experiencing multiple infections can be issued with ransom demands of tens of thousands of dollars. In January, Hollywood Presbyterian Medical Center was forced to pay $17,000 for the decryption keys to unlock its computers.

The threat from malware can be far more serious. Malware such as keyloggers can be used to obtain login credentials to corporate bank accounts, allowing criminals to make fraudulent transfers and empty company accounts. Malware can install backdoors that can be used to steal patient data from healthcare organizations. Failing to prevent drive-by malware downloads can prove very costly indeed. Recently, the Ponemon Institute calculated the average healthcare data breach cost to be $4 million. The cost per compromised healthcare record was calculated to be $158.

Prevent Drive-by Malware Downloads

To prevent drive-by malware downloads you need to employ a range of tactics. Good patch management policies can help to ensure that devices are not left vulnerable. Software, browsers, and browser plugins should be kept up to date and patches applied promptly. Plugins and software commonly exploited by cybercriminals include Java, Adobe Flash, and PDF reader, as well as out of date web browsers.

Organizations can prevent employees from being directed to malicious websites by using a web filtering solution. A web filter can be configured to block websites known to contain malware or host exploit kits. A web filter can be used to block third party advertising from being displayed. Block the ad networks, and you will ensure that malvertising is not displayed.

You should also implement Acceptable Usage Policies (AUPs) to limit the websites that employees can visit. A web filtering solution can help in this regard. Employees can be instructed not to visit certain categories of websites which are known to carry a higher than average risk, but a web filter can be used to enforce those policies. By blocking access to gambling websites, pornography, sites containing illegal website content, and other risky websites such as p2p file sharing sites, risk can be greatly reduced.

A web filtering solution cannot prevent all data breaches and malware attacks, but it is a vital element of cybersecurity defenses that should not be ignored. It is one of the most important controls to employ to prevent drive-by malware downloads.

Ranscam Ransomware Shows Why Paying the Ransom Is Never Wise

Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.

The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.

Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.

There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.

Ranscam Ransomware will not Allow Victims to Recover Their Files

Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.

The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – around $133 at today’s exchange rate.

While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.

Unfortunately for the victims, by the time the ransom note is displayed, the victim’s files have already been deleted. Paying the ransom will not result in the encrypted files being recovered. A decryption key will not be provided because there isn’t one.

Researchers at Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying if payment has been made. The ransomware only simulates the verification process. There is also no process built into the ransomware that will allow a victim’s files to be recovered.

Backup Your Files or Be Prepared to Lose Them

Many ransomware authors have a vested interest in ensuring that a victim’s files can be recovered. If word spreads that there is no chance of recovering encrypted files, any individual who has had their computer infected will not pay the ransom demand. Locky, CryptoWall, and Samsa ransomware may be malicious, but at least the thieves are honorable and make good on their promise. If they didn’t, discovering that files had a locky extension would be a guarantee that those files would be permanently lost.

There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all will be willing – or able – to recover encrypted files.

New Angler Exploit Kit Update Confirms Need for Web Filtering Software

Researchers at FireEye have reported that the Angler Exploit Kit has been updated and that it is now capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protection – the first time this behavior has been observed in the wild.

Angler Exploit Kit Could be Used to Deliver any Malicious Payload

The Angler exploit kit is being used to exploit vulnerabilities in Silverlight and Adobe Flash plug-ins. If vulnerabilities are found, Angler downloads its malicious payload: TeslaCrypt ransomware. TeslaCrypt was closed down a few weeks ago and the authors released a universal decryption key that can unlock all infections. Anti-virus firms have since developed tools that can be used to remove TeslaCrypt infections. However, it is probable that the Angler exploit kit will be updated to deliver other malicious payloads for which there is no known fix. Many distributors of TeslaCrypt have already transitioned to CryptXXX.

Currently EMET protections are only being bypassed on devices running Windows 7, although it is probable that attackers will soon develop EMET bypasses that work on more recent versions of Windows. That said, updating to later versions of Windows will help organizations improve their security posture. If an upgrade is not possible or practical, sys admins should ensure that patches are applied promptly. If possible, ActiveX should also be disabled as should Flash and Silverlight plugins. Uninstalling unnecessary software and disabling plugins will reduce the attack surface.

EMET was developed to prevent malicious actors from exploiting memory corruption vulnerabilities, and while this has proved effective at preventing some attacks, the bypass shows that Microsoft’s protection is not 100% effective. While EMET can be used to reduce the risk of ransomware and other malware infections, system admins should not rely on EMET alone. Multi-layered security defenses should be employed to keep networks protected, as this bypass clearly shows. It is still essential to use anti-virus and anti-malware software and to keep definitions up to date.

While efforts can be made to prevent exploit kits from taking advantage of vulnerabilities in plugins, enterprises can reduce risk further by stopping end users from visiting websites known to host exploit kits. By implementing a web filtering solution and restricting access to certain categories of website, enterprises can greatly enhance their security posture.

Web Filtering Services for MSPs: Why MSPs Can’t Afford Not to Offer Web Filtering to Clients

There are a number of companies that offer web filtering services for MSPs; however, while many managed service providers are happy to provide web filtering to their clients if the service is requested, web filtering is not generally offered to clients as part of an MSP’s range of standard Internet services. Yet, by leveraging web filtering services for MSPs it is possible to substantially increase profits for very little effort.

Web filtering services for MSPs have been developed to be easy to implement, easy to sell to clients, and straightforward to manage, so why are more MSPs not offering web filtering to their clients as part of their Internet services?

Some MSPs may feel that there is not much of a market for web filtering. Draconian Internet usage policies may ensure that Internet access is not abused, yet highly restrictive Internet policies can have a negative impact on staff morale and productivity. Most employees can be trusted to get all of their daily tasks completed, while still occasionally checking Facebook, purchasing something on Amazon, and viewing the occasional YouTube video.

However, providing totally free access to the Internet is unwise. Not preventing employees from accessing illegal and inappropriate website content can cause employers many problems. Some of those problems can prove very costly to resolve. Any organization that has not chosen to filter the Internet – even to a minimal degree – may not be aware of the risks. If MSPs explain these risks, they are likely to find many of their clients will want to sign up for web filtering services.

What are the Main Benefits of Using Web Filtering Services?

There are two main reasons for using a web filter to control Internet content:

Reducing the Risk of Malware Infections

As we have seen in recent months, there is a clear and present danger of a serious malware infection. Cyberattacks are taking place with increasing regularity, new malware is being released at alarming rates, and cybercriminals have embraced ransomware and are using it to extort money out of businesses.

IT teams struggle to implement patches promptly, leaving their networks at risk of attack. This is mainly due to the frequency at which patches are released. Keeping all software – including web browsers and plugins – 100% up to date, 100% of the time is an uphill struggle.

If end users visit malicious websites containing exploit kits, malware and ransomware can be easily loaded onto networks. Issuing staff members with acceptable use policies (AUPs) can reduce the probability of end users visiting high-risk websites, while policies can help to reduce the risk from shadow IT installations, but unless those policies are enforced there is a risk that some employees will break the rules.

Numerous organizations have experienced phishing attacks even when training has been provided on how to identify phishing emails. Unfortunately, scammers are getting much better at crafting highly convincing emails to fool users into visiting websites containing exploit kits that can download malware.

Business email compromise scams have been increasing in recent months, prompting the FBI to issue warnings due to the high risk of attack. Scammers are impersonating CEOs, CISOs, and executives to get end users to visit websites and divulge their login credentials or download malware.

With so many Internet threats to deal with, policies are no longer enough to keep organizations’ networks free from malicious software and infections can prove very costly to resolve.

Controlling Personal Use of the Internet

Many companies take a relaxed attitude to personal Internet use, provided it is kept within certain limits. This is arguably the best option for employers and employees. Blocking personal access to the Internet can have a negative effect on staff morale, and all employees will need to use the Internet from time to time for personal reasons.

That said, there will always be some members of staff that choose to abuse their Internet access and this can lead to serious problems for employers. Not only is there a risk of malware infections, abuse of the Internet can have legal implications for employers. The use of illegal file sharing websites for copyright-infringing downloads, the accessing of illegal website content such as child pornography, or even the viewing of legal pornography in the workplace can cause many HR issues.

Of course, web filtering is not only about blocking access. It allows companies to monitor use of the Internet and identify employees who are breaking the rules before serious HR or legal issues arise. Web filtering also allows organizations to place limits on online activities at certain times of the day to ensure the workforce remains productive and bandwidth is not wasted.

Summary of the Benefits of Filtering the Internet

  • Blocks malware, ransomware, botnets, adware, and spyware installations
  • Prevents the accessing of illegal website content
  • Stops the downloading and installation of shadow IT
  • Prevents bandwidth wastage
  • Allows employers to monitor employees’ Internet usage
  • Prevents many HR issues
  • Helps organizations to comply with industry regulations
  • Can help to increase employee productivity

Benefits of Web Filtering Services for MSPs

  • Protects clients from Internet threats
  • Easily increases client revenue
  • Helps MSPs to attract more clients and win new business
  • Allows MSPs to provide a more comprehensive range of Internet services

Web Filtering Services for MSPs can be Easily Incorporated into Existing Service Packages

Web filtering services for MSPs no longer require expensive appliances to be purchased, and it is not necessary to use local IT support teams to visit clients to install and configure web filters. In fact, it is not even necessary to install software on clients’ devices or servers at all. Clients can have their Internet filtered within 5 minutes of them saying yes to a sales representative if cloud-based web filtering services are used.

Cloud-based web filtering services for MSPs require clients to make a small change to their DNS settings, something that even the most technically inept employee could be talked through over the phone. By pointing the DNS to the service provider’s servers, the Internet can be filtered quickly and painlessly.
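The decision a DNS-level filter makes for each lookup can be sketched as follows. This is an added example, not WebTitan code: it applies the policy choices described earlier (known-malicious sites, ad networks, risky categories, time-of-day limits) to a queried hostname, and every domain, category name and schedule in it is a constructed placeholder.

```python
from dataclasses import dataclass

# Constructed sample policy; all domains are placeholders, not real feeds.
MALWARE_HOSTS = {"exploit-kit.example"}
CATEGORIES = {
    "adnetwork.example": "advertising",
    "casino.example": "gambling",
    "torrents.example": "p2p",
    "video.example": "streaming",
}
BLOCKED_CATEGORIES = {"advertising", "gambling", "p2p"}
WORK_HOURS = range(9, 17)            # assumed schedule: 09:00-16:59 local time
WORK_HOURS_BLOCKED = {"streaming"}   # allowed outside working hours only


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def normalize(qname):
    """Lower-case the query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def parent_domains(name):
    """Yield the name and each parent on a label boundary: a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname, hour=None):
    """Return the filtering verdict for one DNS query name."""
    name = normalize(qname)
    if not name:
        return Verdict(False, "empty name")
    candidates = list(parent_domains(name))
    # Known-malicious entries win over any category, at every level.
    for candidate in candidates:
        if candidate in MALWARE_HOSTS:
            return Verdict(False, f"malware:{candidate}")
    # Otherwise the most specific categorised parent decides.
    for candidate in candidates:
        category = CATEGORIES.get(candidate)
        if category is None:
            continue
        if category in BLOCKED_CATEGORIES:
            return Verdict(False, f"category:{category}")
        if category in WORK_HOURS_BLOCKED and hour in WORK_HOURS:
            return Verdict(False, f"schedule:{category}")
        return Verdict(True, f"category:{category}")
    return Verdict(True, "uncategorized")
```

Matching on whole labels rather than with a plain string suffix test is what keeps `notadnetwork.example` from being blocked as if it were a subdomain of `adnetwork.example`.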

Web filtering services for MSPs can be easily offered to clients alongside managed service providers’ solutions. WebTitan Cloud – and WebTitan Cloud for WiFi – are offered as web filtering services for MSPs without any branding. MSPs are able to add their own logos and corporate color schemes, tailor block pages, and customize reports with their own branding. If required, MSPs can also host the solution within their own infrastructure or use a private cloud for clients.

The management overhead is low and the configuration of new accounts is quick and easy. New client accounts can be set up in approximately 20 minutes. Even reporting is taken care of with a full suite of pre-configured, schedulable reports, including instant email alerts.

The cost for the client is low with only a small spend required per user, per year, and the margins offered by TitanHQ on web filtering services for MSPs are generous. This allows MSPs to easily increase profits, in some cases, by tens of thousands of dollars.

If you want to attract new business, increase client spending, and easily increase profits, web filtering services for MSPs could well be the answer.

For further information on our web filtering services for MSPs, including a product demonstration and details of pricing, contact our sales team today.

Critical Symantec Vulnerability is “As Bad as it Can Possibly Get”

This week, a new critical Symantec vulnerability has been discovered that enables an attacker to trigger a memory buffer overflow, allowing root-level control over a system to be gained without any user interaction. The cross-platform security vulnerability affects many Symantec and Norton anti-virus software releases.

Critical Vulnerability in Symantec AVE Scan Engine is “As Bad as it Can Possibly Get”

The critical fault has been found in the core scanning engine used in both Norton and Symantec anti-virus software, including Norton antivirus, and Symantec’s Scan Engine, Endpoint Antivirus, and Email Security, although other products may also be affected. The vulnerability affects Windows, Mac, Linux, and UNIX platforms.

Since the scan engine intercepts all system input and output, the vulnerability could be exploited by an attacker by simply sending a file attachment to a user’s inbox. The user would not even be required to open the file in order for the vulnerability to be exploited.

The vulnerability could therefore allow an attacker to take full control of the device on which the software has been installed with no user interaction necessary. The vulnerability has been described as “as bad as it can possibly get” by Tavis Ormandy – the researcher at Google Project Zero who discovered the security flaw.

Ormandy said that if the vulnerability is exploited it causes kernel memory corruption on Windows because “the scan engine is loaded into the kernel (wtf!!!).” It must be said, unpacking malware in the kernel was perhaps not the best decision. Ormandy also discovered a number of other remote code execution security vulnerabilities in Symantec products.

The new critical Symantec vulnerability has now been addressed – AVE version 20151.1.1.4 – although the remaining vulnerabilities have yet to be remediated. Users of Symantec and Norton branded products will have to wait until a patch is made available.

According to an advisory issued by Symantec, the critical vulnerability affects the AVE scanning engine and occurs “when parsing malformed portable-executable header files.” If one of these malformed portable-executable header files is downloaded in an application or document, or if a malicious website is visited which downloads one of these files onto the device, the flaw could be exploited. The flaw could also be exploited if an attacker sends one of these files to the user as an email attachment, or even if a link is sent in an email. The parsing of the malformed file would be triggered.

Symantec reported that “Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation.”
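The advisory does not say which header field was mishandled, so the following added example (not Symantec's code, and not a reproduction of the flaw) shows only the general defence: every offset and size read from a portable-executable header is checked against the real file length before it is used. The sample file is constructed inline and the function names are hypothetical.

```python
import struct

SECTION_HEADER_SIZE = 40
COFF_HEADER_SIZE = 20


def check_pe_headers(data):
    """Return a list of structural problems; an empty list means consistent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["not an MZ executable"]
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) plus COFF header (20 bytes) must fit in the file.
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        return ["PE header does not fit in the file"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing PE signature"]
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    if table + num_sections * SECTION_HEADER_SIZE > len(data):
        return ["section table runs past end of file"]
    problems = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append(f"{name}: raw data extends past end of file")
    return problems


def build_sample(raw_size, num_sections=1, file_len=0x400):
    """Constructed minimal header layout with one '.text' section entry."""
    buf = bytearray(file_len)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, num_sections)
    struct.pack_into("<H", buf, 0x40 + 20, 0)           # SizeOfOptionalHeader
    sec = 0x40 + 24
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", buf, sec + 8, 0x1000, 0x1000, raw_size, 0x200)
    return bytes(buf)
```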

The critical Symantec vulnerability needs to be remediated as soon as possible. If you run Symantec anti-virus software and your system is not set to update automatically, it is essential to perform a manual Symantec LiveUpdate to address the issue. A patch is expected to be released in the next few days to address the other serious vulnerabilities discovered by Ormandy.

How to Block Exploit Kits and Keep your Network Protected

Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.

The website was attacked using JavaScript, which loaded the site with the Angler exploit kit. The exploit kit searches for a wide range of browser plugin vulnerabilities that can be exploited. A malware dropper called Bedep is then used to install the ransomware.

Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pay the attackers for a decryption key. Fortunately, in this case there is an easy fix for a CryptXXX infection. The ransomware-encrypted files can be decrypted for free according to Kaspersky Lab. However, there are many malicious strains of ransomware that are not so easy to remove.

While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.

CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.

How to Block Exploit Kits from Downloading Malware

To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage of security vulnerabilities in a wide range of plugins, although commonly vulnerabilities in Flash and Java are exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both platforms. Cybercriminals are quick to take advantage. As soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine that contains an out-of-date plugin is at risk of attack.

It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time-consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.

A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!

A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.