Web-borne threats are not exclusive to wired network systems, and mobile security is an element often ignored by organizations and mobile users alike. With the increased use of mobile devices in the workplace, mobile security is an issue that should feature uppermost in the consciousness of IT security professionals.
Mobile security is not just an issue for employers and employees. Visitors using an organization´s WiFi network to stay connected should also be subject to an acceptable use policy to ensure that they do not visit websites that may result in malware being downloaded onto a WiFi router – and subsequently onto every device that connects with the WiFi router.
Stay up-to-date with the latest news about mobile security and mitigate the risk of malware infecting users´ devices by implementing a WiFI Internet filter. A WiFi Internet filter can do much more than enhance online security. It has been seen to enhance productivity in the workplace, increase custom and even introduce new marketing opportunities for organizations in the retail sector.
What is a Botnet? How are they used? What harm can be caused, and how can you prevent a computer from becoming part of a botnet? These and other questions answered.
What is a Botnet?
A botnet is simply a collection of computers and other Internet-connected devices that are controlled by a threat actor. Usually that control is achieved via a malware installation, with the malware communicating with the threat actor’s command and control server.
Once malware has been installed on one device, potentially it can propagate to other devices on the same network, creating a mini-army of slave devices under the threat actor’s control. Any computer with the malware installed is part of the botnet and can be used on its own or collectively with other compromised devices for malicious purposes.
What are Botnets Used For?
Botnets are often used to conduct Distributed Denial of Service (DDoS) attacks, with the devices in the botnet used to access a particular service simultaneously and flooding it with traffic making that service temporarily unavailable. The Mirai botnet, which mostly consists of vulnerable IoT devices, was used to take down large sections of the Internet, including some of the most popular websites such as Twitter and Netflix. DDoS attacks are now being conducted that exceed 1 terabits per second, largely due to sheer number of devices that are part of the botnet.
One of the biggest botnets ever assembled was made possible with Zeus malware, a banking Trojan that was particularly difficult to detect. In the United States, an estimated 3.6 million computers had been infected with the malware, making Zeus one of the biggest botnets ever created.
In addition to DDoS attacks, botnets are also used to send huge quantities of spam and phishing emails. The Necurs botnet is the world’s largest spamming botnet, delivering 60% of all spam emails. The Gamut spam botnet delivers around 37% of spam botnet traffic. These two spamming botnets are primarily used to send malicious messages containing email attachments with malicious macros that download malware such as the Dridex banking Trojan, and the ransomware variants Locky, Globelmposter, and Scarab.
Recently, the rise in the value of cryptocurrencies has made it highly profitable to use the processing power of botnets to mine cryptocurrency. When processing power is used for cryptocurrency mining, the performance of the computers will reduce significantly.
How Are Botnets Created?
Botnets can be created through several different methods. In the case of IoT devices, attackers often take advantage of weak passwords and default credentials that have not been changed. Since IoT devices are less likely to be updated automatically with the latest software and firmware, it is easier to exploit flaws to gain access to the devices. IoT Devices also rarely have antivirus controls, making infection easier and detection of malware much harder.
Computers are most commonly recruited into botnets through malware sent via spam email campaigns – such as those sent out by the spamming botnets. Malware is delivered via infected email attachments or links to malicious websites where malicious code is hosted. Messages can be sent via social media networks and chat apps, which also direct users to malicious websites where malware is downloaded.
Drive-by downloads are also common – Malware is downloaded by exploiting vulnerabilities in browsers, add-ons or browser plug-ins, often through exploit kits loaded on compromised websites.
Prevent a Computer from Becoming Part of a Botnet
It is much easier to prevent a computer from becoming part of a botnet than identifying a malware infection and eradicating it once it has been installed. To prevent a computer from becoming part of a botnet, it is necessary to use technological controls and adopt security best practices.
Businesses need to ensure all staff are trained to be more security aware and are told about the risks of opening email attachments or clicking links in emails from unknown senders. They should also be told not to automatically trust messages from contacts as their email accounts could have been compromised. Employees should be taught security best practices and risky behavior, such as connecting to public WiFi networks without using a VPN, should be eradicated.
All software must be kept up to date with patches applied promptly. This will reduce the risk of vulnerabilities being exploited to deliver malware. Antivirus software should be installed and configured to update automatically, and regular AV scans should be performed.
Firewalls should be used to implemented to prevent unauthorized network access and allow security teams to monitor internet traffic.
Spam filtering solutions should be implemented to block the majority of malicious messages from being delivered to end users’ inboxes. The more messages that are blocked, the less chance there is of an employee responding to a phishing email and inadvertently installing malware.
One way to prevent a computer from becoming part of a botnet that is often forgotten, is the use of a web filtering solution. A web filter, such as WebTitan, will prevent malware and ransomware downloads and block access to malicious websites sent via email or through web browsing.
Implement these controls and it will make it much harder for your organization’s computers to be infected with malware and added to a botnet.
TitanHQ has announced as part of its strategic alliance with networking and security solution provider Datto, WebTitan Cloud and WebTitan Cloud for Wi-Fi have been incorporated into the Datto networking range and are immediately available to MSPs.
Datto is the leading provider of enterprise-level technology to small to medium sized businesses through its MSP partners. Datto offers data backup and disaster recovery solutions, cloud-to-cloud data protection services, managed networking services, professional services automation, and remote monitoring and management tools.
The addition of WebTitan to its range of security and networking solutions means its MSP partners can now offer their clients another level of security to protect them from malware and ransomware downloads and phishing attacks.
WebTitan is a 100% cloud-based DNS web filtering solution developed with MSPs in mind. In addition to allowing businesses to carefully control the types of websites their employees can access through corporate wired and wireless networks, the solution provides excellent protection against phishing attacks and web-based threats.
With phishing now the number one threat faced by SMBs and a proliferation of ransomware attacks, businesses are turning to their MSPs to provide security solutions to counter the threat.
Businesses that implement the solution are given real-time protection against malicious URLs and IPs, and employees are prevented from accessing malicious websites through general web browsing and via malicious URLs sent in phishing emails.
“We are delighted that Datto has chosen TitanHQ as a partner in web security. By integrating TitanHQ’s secure content and web filtering service, we are well positioned to offer Datto MSPs a best of breed solution for their small to mid-size customers,” said TitanHQ CEO, Ronan Kavanagh.
“We pride ourselves in equipping our community of Managed Service Provider partners with the right products and tools to allow each and every customer to succeed,” said John Tippett, VP, Datto Networking. “With that in mind, I’m delighted to welcome TitanHQ as a security partner and look forward to growing our partnership.”
At the upcoming TitanHQ-sponsored DattoCon 2018 conference in Austin, TX – the largest MSP event in the United States – MSPs will be able to see WebTitan in action. TitanHQ’s full team will be in attendance, including Ronan Kavanagh – TitanHQ’s CEO, Conor Madden – Sales Director, Dryden Geary – Marketing Manager, and Eddie Monaghan – Alliance Manager.
MSPs can visit the TitanHQ team at booth #66 in the exhibition hall for a demonstration of WebTitan, SpamTitan – TitanHQ’s award -winning spam filtering solution – and ArcTitan, TitanHQ’s email archiving solution. All three solutions are MSP friendly and are easily added to MSP’s service stacks.
DattoCon 2018 runs all week from June 18, 2018. The TitanHQ team will be present all week and meetings can be arranged in advance by contacting TitanHQ ahead of the conference.
The most common wireless network attacks are easy to pull off and can be highly profitable for criminals. It is therefore no surprise that wireless network attacks have increased significantly in the past couple of years.
Wi-Fi is Ubiquitous, Yet Many Businesses Neglect Security
Wi-Fi access used to be something you had to pay for, but now free WiFi is something that is taken for granted. Visitors to a hotel, coffee shop, bar, retail outlet, or restaurant now expect WiFi to be provided. The decision to use a particular establishment is often influenced by whether free WiFi is available, but increasingly the quality of the connection.
The quality of the WiFi on offer is not only about bandwidth. The massive rise in cyberattacks via public WiFi networks has seen consumers choose establishments based on the security of the WiFi access points. Parents often choose to visit establishments that offer controls over the types of content that can be accessed.
If you run a business and are providing WiFi or have yet to provide that service and are considering adding a WiFi hotspot to attract more customers, be sure to consider the security of your network. The past couple of years have seen many major attacks on WiFi networks. Some of the most common wireless network attacks are detailed below.
What are the Most Common Wireless Network Attacks?
Some of the most common wireless network attacks are opportunistic in nature. Businesses that fail to secure their WiFi networks leave the door wide open to amateur scammers and hackers who are all too happy to take advantage of poor security to steal credentials from users and spread malware. Unsecured WiFi networks are also targeted by sophisticated cybercriminals and organized crime groups.
Tel Aviv Free WiFi Network Hacked
One notable example of how easy it can be for a hacker to take over a WiFi network comes from Tel Aviv. Tel Aviv offers a city-wide free WiFi network, which incorporates basic security controls to keep users secure. However, it did not prove to be as secure as city officials thought.
While commuting home, Tel Aviv resident Amihai Neiderman noticed a new WiFi access point had appeared. The FREE_TLV access point was provided by the city and Neiderman decided to test its security controls. After determining the IP address through which WiFi clients accessed the Internet, he disconnected, scanned the router, and discovered the web-based login interface was run through HTTPS port 443.
While he found no major vulnerabilities, after extensive analysis he identified a buffer overflow vulnerability which he successfully exploited to take full control of the router. By doing so, if he was so inclined, he could have intercepted the traffic from tens of thousands of users.
Toasters Used to Hack Unsecured WiFi Networks
Perhaps not one of the most common WiFi network attacks, but notable none the less due to the rise in use of IoT devices. IoT capability has been incorporated into all manner of devices from toasters to washing machines. However, these devices can be vulnerable to supply chain attacks – Where hardware is altered which allows the devices to be used to attack WiFi networks. In 2016, Russian officials discovered chips imported from China had been altered and were being used to spread malware that could eavesdrop on unsecured WiFi networks from a range of 200 meters. They were used to infect those networks with malware that could steal information.
Interception of Unencrypted Traffic
Research by Kaspersky Lab in 2016 showed more than a quarter of public Wi-Fi hotspots set up in malls were insecure and lacked basic security controls. A quarter did not encrypt traffic at all, while research conducted by Skycure showed that five of the busiest 10 malls in the USA had risky WiFi networks. One mall in Las Vegas was discovered to be operating 14 risky WiFi access points. Hackers can use sniffers to monitor traffic on unencrypted WiFi networks.
Fake WiFi Access Points
Visitors to hotels, coffee shops and malls often connect to the free WiFi on offer, but various studies have shown that care is not always taken to connect to the official WiFi network. Criminals can easily set up fake WiFi access points, often using the name of the establishment. By connecting to the fake networks, users can still access the Internet, yet everything they do online is being monitored by cybercriminals. These man-in-the-middle attacks allow criminals to steal banking credentials, credit card numbers, and login information.
How is this done? The attacker simply creates a hotspot on a smartphone and pairs it with a tablet or laptop. The hacker can then sit in the coffee shop drinking a latte while monitoring the traffic of everyone that connects. One study indicated more than a third of WiFi hotspot users take no precautions when accessing WiFi hotspots and frequently connect to unsecured networks.
WiFi Networks Used to Gain Access to Business Data
Creating a WiFi network for guests is simple. Ensuring it is secure and cannot be used for attacks on the business network requires more thought and effort. Any business that allows customers to make purchases using credit and debit cards is a major target for hackers. The past few years have seen many major attacks that have resulted in malware being installed on POS systems. These are now some of the most common wireless network attacks.
How Can Businesses Prevent the Most Common Wireless Network Attacks?
How can businesses protect against some of the most common wireless network attacks? While it is difficult to prevent the creation of fake WiFi hotspots, there are steps that can be taken to prevent many common wireless network attacks.
Isolate the Guest Network
If your business network is not isolated from your guest WiFi network, it could be used to gain access to business data and could place your POS at risk of compromise. Use a router that offers multiple SSIDs – most modern routers have that functionality. These routers often have a guest SSID option or separate guest portal. Make sure it is activated when it is deployed. Alternatively, your wireless router may have a wireless isolation feature which will prevent WiFi users from accessing your internal network and other client devices. If you require multiple access points throughout your establishment, you are likely to need a VLAN or EoIP tunnel configuration – A more complicated setup that will require you to seek professional advice on security.
Create a Secure SSID
Your router will have a default SSID name, but this should be changed to personalize it to your business. If you make it easily identifiable, it will reduce the potential for rogue access points to be confused with your own. Ensure that you enforce WPA2 encryption with a shared key and post that information for your customers along with your SSID.
Restrict WiFi Access
If your wireless router or access point is too powerful, it could be accessed from outside your premises. Choose a router that allows you to alter the strength of your signal and you can ensure only your customers will use your connection. Also ensure that your WiFi access point is only available during business hours. If your access points are left unsupervised, it increases the risk of attack.
Secure Your Infrastructure
Administrator access can be abused, so ensure that your login name and your passwords are secure. If the default credentials are not changed, it will only be a matter of time before they are abused. Change the username from ‘admin’ or any other default username. Set a strong password that includes upper and lower-case letters, at least one number, and a special character. The password must be at least 8 characters although more is better. Alternatively use a 14-character+ passphrase.
Use Web Filtering
A web filtering solution is an essential protection for all WiFi networks. Web filters will prevent users from visiting websites and webpages that are known to have been compromised or have been confirmed as malicious. This will protect your customers from web-based threats as well as help to keep your network secure. A web filter will also allow you to prevent your network from being used to download or view unacceptable content such as pornography and lets you control bandwidth usage to ensure all customers can enjoy decent Internet speeds.
TitanHQ offers a scalable, easy to deploy, granular web filter for WiFi networks. WebTitan Cloud for WiFi requires no hardware purchases and no software downloads, and being 100% cloud-based, can be managed and monitored from any location.
Phishing is commonly associated with spam emails, but it is not the only method of phishing as this PayPal text phishing scam shows. Phishers use various methods to obtain sensitive information.
Phishing is arguably the biggest threat to businesses and consumers and one that can result in a malware infection, the encryption of files with ransomware, a compromised email account, or the theft of sensitive data such as credit/debit card numbers or bank account information.
Phishers use social engineering techniques to fool end users into installing malware or obtaining login credentials and other sensitive information. Spam email may be the main method of attack, although the use of text (SMS) messages – often referred to as smishing – is growing.
Beware of this Credible PayPal Text Phishing Scam
This PayPal text phishing scam, and several variants, have been detected in recent weeks. The text message appears to have been sent from PayPal from a short code number.
The message reads:
Your account is currently under review. Please complete the following security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu
Another message reads:
Your account is under review. Please fill in the following security form to avoid lockout: http://bit[dot]ly/_payPal__
These scams work because many people do not carefully check messages before clicking links. Click the link on either of these two messages and you will be directed to a website that appears to be the official PayPal website, complete with branding and the normal web layout.
You will naturally have to login in but doing so just passes your account details to the attacker. The attacker will access your account and will empty the account of funds and plunder accounts linked to the PayPal account. The password may also be changed to give the attacker more time to make transfers.
These scams are particularly effective on smartphones as the full URL of the site you are on is not displayed due to the small screen size. It may not be immediately apparent that you are not on the correct site.
This PayPal text phishing scam shows that you need to be always be on your guard, whether accessing your emails, text messages, or answering the telephone.
Don’t Become a Victim of an SMS Phishing Scam
The PayPal text phishing scam detailed above is just one example of how cybercriminals obtain sensitive information via text message. Any brand could be impersonated with shortlinks commonly used to mask the fact that the link is not genuine.
To avoid becoming a victim of a smishing scam, assume any text message correspondence from a retailer or company could be a scam. If you receive a message – typically a warning about security – take the following steps.
- Access your account by typing in the correct URL into your web browser. Do not use the link in the message.
- Check the status of your account. If there is a freeze on your account, your account is under review, or it has been suspended, this will be clear when you log in.
- If in doubt, contact the vendor by telephone or send an email, again using verified contact information and not any contact details supplied in the text message (or email).
- Before logging in or disclosing any sensitive information online, check the entire URL to make sure the domain is genuine.
Precautions to Take to Protect Against Phishing
- Always set strong passwords and never reuse passwords. Each account should have a unique password. Since it can be difficult to remember all of your passwords, use a password manager and make sure you sent a strong master password for your password manager account.
- Change your passwords frequently and never reuse old passwords.
- Never tell anyone your password and do not write it down.
- Exercise extreme caution when someone sends you a hyperlink in a text message or email. The sender may not be who you think it is. A contact or family member’s email account may have been compromised or their phone stolen.
- Never open email attachments in unsolicited emails from unknown senders.
15 years after the launch of the wireless security protocol WPA2, the Wi-Fi Alliance has announced this year will see the release of the WPA3 protocol. The transition period from the WPA2 to WPA3 protocol is expected to take several months.
WPA2 was released in 2003, bringing with it a number of key security enhancements to its predecessor WPA. WPA2 fast became the accepted Wi-Fi CERTIFIED security technology and is now used in more than 35,000 certified Wi-Fi products, including smartphones, tablets, and IoT devices.
Since its launch, WPA2 has received several enhancements and the protocol will continue to be updated this year. The Wi-Fi alliance says updates will be applied over the coming weeks and months and will occur ‘under-the-hood’ and will be unnoticeable to users. The enhancements will address configuration, authentication, and encryption.
The first major update to WPA2 is for Protected Management Frames (PMF) in Wi-Fi devices, which ensure the integrity of network management traffic on Wi-Fi networks. The update concerns when devices are required to use PMF, refining configurations for Wi-Fi CERTIFIED devices to ensure the highest possible level of security.
The second enhancement requires companies to conduct additional checks of their devices to ensure best practices for using the Wi-Fi security protocols have been adopted. This will reduce the potential for the misconfiguration of networks and devices, further safeguarding managed networks with centralized authentication services.
The third major update standardizes 128-bit level cryptographic suite configurations, which will deliver more consistent network security configurations. The Wi-Fi Alliance VP, Kevin Robinson, said, “Often people may focus exclusively on the level of encryption when evaluating security of a technology, but there are a number of components—such as information protection (encryption), key establishment, digital signatures, and condensed representations of information—that work together as a system to deliver strong security.” This update will ensure all cryptographic components used are of the required standard, ensuring there are no weak links in the encryption chain.
By adding these enhancements to its Wi-Fi certification program, users can be sure all certified Wi-Fi devices will have the highest level of security.
The Wi-Fi Alliance says WPA2 will continue to be deployed in Wi-Fi devices, although following the launch of the WPA3 protocol later this year there will be a gradual transition to the WPA3 protocol. During the transition period, both WPA2 and WPA3 will be run concurrently. The process of changeover is expected to take several months, as it is necessary for all hardware to be certified to make sure the new protocol can be supported.
The WPA3 protocol will incorporate several important enhancements to improve Wi-Fi security. The full specifications have not yet been published but are expected to include increased privacy protections for users of open networks with individualized data encryption.
Controls to prevent malicious actors from undertaking multiple login attempts via commonly used passwords is expected, as well as more simplified configuration for IoT devices that do not have a display. The new WPA3 protocol will also use 192-bit security or the Commercial National Security Algorithm to improve security for government, defense, and industrial networks.
“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”
Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?
First of all, it is worth considering that most people have a great deal of passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. If you rarely venture online and do not make online purchases, that means you will need to learn a handful of passwords (and change them regularly!).
Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.
These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.
With a password manager you can generate a strong and impossible to remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashline, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”
That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.
That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters and you should change that password every three months.
If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.
Flaws Discovered in Password Managers
Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.
Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email. Similarly, that flaw was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.
These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.
Are Password Managers Safe to Use?
So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.
Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.
In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.
As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.
Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.
Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.
Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.
The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.
The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.
For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identifed combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.
The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.
The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.
End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.
First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”
In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had been previously purchased by hackers, had been re-bought by other scammers when they came up for renewal.
Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLS are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.
Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.
The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than decade since the Security Rule was introduced, and data breaches still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.
September Data Breaches in Numbers
The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.
HIPAA Compliance Will Not Prevent Healthcare Data Breaches
HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.
HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.
Detect Insider Breaches Promptly
Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.
HIPAA Requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.
Close the Door to Hackers
50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.
Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.
Prevent Impermissible Disclosures of PHI
One of the leading causes of PHI disclosures occurs when laptop computers, zip drives, and other portable devices are lost or stolen. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.
Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.
Block Malware and Ransomware Attacks
Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.
Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.
Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.
There are two conditions required to pull off KRACK– The WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.
The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFI protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.
In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.
The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”
The disclosure of this WPA2 WiFi vulnerability has had many vendors franticly developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.
There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.
While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”
The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.
There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.
The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.
The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.
Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.
Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.
Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.
The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.
The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years
- Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
- Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
- Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
- NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
- CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
- Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
- KeRanger: One of the first ransomware strains to target Mac OS X applications.
- Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
- TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications
- HDDCryptor: A ransomware variant that targets network shares, file, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk
- CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat
- ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives
- WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.
Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.
In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 321 approach to ensure you can recover files without paying the ransom – Make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.
A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.
The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with that link pointing to Google Docs. Since Facebook Messenger is used with Bitly URLs it is hard for users to determine that the links are not what they seem.
Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.
Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.
The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”
While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.
This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.
Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.
From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes and procedures and structure.
In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR imposes a number of restrictions on what companies can and cannot do with data and how it must be protected, although there are no specific controls that are required of companies to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.
The National Institute of Standards and Technology (NIST) has updated its guidance on strengthening passwords, suggesting the standard of using a combination of capital letters, lower case letters, numbers and special characters may not be effective at improving password strength. The problem is not with this method of strengthening passwords, but with end users.
Hackers and other cybercriminals attempt to gain access to accounts by guessing passwords. They try many different passwords until the correct one is guessed. This process is often automated, with many thousands of guesses made using lists of commonly used passwords, dictionary words and passwords discovered from past data breaches.
By implementing password policies that force end users to use strong passwords, organizations can improve their resilience against these brute force attacks.
By using capital and lower-case letters, there are 52 possible options rather than 26, making the guessing process much more time consuming. Add in 10 numerals and special characters and guessing becomes harder still. There is no doubt that this standard practice for creating strong passwords is effective and makes passwords much less susceptible to brute force attacks.
The problem is that in practice, that may not be the case. Creating these strong passwords – random strings of letters, numbers and symbols – makes passwords difficult to guess but also virtually impossible to remember. When multiple passwords are required, it becomes harder still for end users and they get frustrated and cut corners.
A good example is the word ‘password’, which is still – alarmingly – used to secure many accounts, according to SplashData’s list of the worst passwords of the year. Each year, ‘password’ makes it onto the list, even though it is likely to be the first word attempted in any brute force attack.
When companies update their password polices forcing users to use at least one capital letter and number in a password, many end users choose Password1, or Passw0rd or P455w0rd. All would be high up on a password list used in a brute force attack.
Attempts such as these to meet company password requirements mean security is not actually improved by password policies. If this is going to happen, it would make more sense – from a security perspective – to allow employees to make passwords easier to remember in a more secure way.
NIST Tweaks its Guidance on Strengthening Passwords
As NIST points out in its guidance on strengthening passwords, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought.” With current standard password practices, “The impact on usability and memorability is severe.” That results in end users creating weak passwords that meet company password policies.
Rather than force end users to use special characters and end up with ‘Password!’, a better way would be to increase the length of passwords and allow the use of spaces. End users should be encouraged to choose easy to remember phrases.
The use of a space does not make a password any more secure, although increasing a password from 8 characters to say, 15 or 20 characters, certainly does. It also makes passwords much easier to remember. NIST suggests passwords must have a minimum of 8 characters, and that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”
NIST also explains in its guidance on strengthening passwords that certain types of common cyberattacks involving passwords are unaffected by password strength. Take phishing for instance. It doesn’t matter whether a password is ‘12345678’ or ‘H19g46”&”^’ to a phisher. Provided the phishing email is well crafted, the password will still be disclosed. The same applies to keyloggers. A keylogger logs keystrokes and the strength of the password is irrelevant.
NIST’s guidance on strengthening passwords also suggests that rather than strengthening passwords further, there are far more effective ways of making brute force attacks much harder without frustrating end users. Limiting the number of failed login attempts before a user is blocked is one such option. Organizations should also combine this with blacklists of unacceptable passwords that should include dictionary words, other weak passwords and those revealed from past data breaches. NIST also recommends secured hashed storage of passwords
The NIST guidance on strengthening passwords can be found in – NIST Special Publication 800-63B – Appendix A – Strength of Memorized Secrets
Providing free WiFi in shops helps to attract more foot traffic and improves the shopping experience, although retailers are now realizing the benefits of providing secure WiFi access for shops. Over the past two years, there has been considerable media coverage of the dangers of public WiFi hotspots. Consumer websites are reporting horrifying cases of identity theft and fraud with increasing regularity.
With public awareness of the risks of connecting to public WiFi networks now much greater than ever before, secure WiFi access for shops has never been more important. Consumers now expect free WiFi access in shops, but they also want to ensure that connecting to those WiFi networks will not result in a malware infection or their personal information being obtained by hackers.
Fortunately, there are solutions that can easily be adopted by retailers that mitigate the risks and ensure consumers can connect to WiFi networks safely, but before we cover those options, let’s look a little more closely at the risks associated with unsecured WiFi networks.
The Risks of Unsecured WiFi Networks
If retailers provide free WiFi access in store it helps to attract more foot traffic, individuals are encouraged to stay in stores for longer, they have access to information and reviews about products and studies have shown that customers spend more when free WiFi is provided. A survey by iGT, conducted in 2014, showed that more than 6 out of ten customers spend longer in shops that provide WiFi access and approximately 50% of customers spend more money.
Connecting to a public WiFi network is different from connecting to a home network. For a start, considerably more people connect, including individuals who are intent on stealing information for identity theft and fraud. Man-in-the-middle attacks are common. Man-in-the-middle attacks involve a hacker intercepting or altering communications between a customer and a website. If login details or other sensitive information is entered, a hacker can obtain that information.
Malware and ransomware can be downloaded onto users’ devices and phishing websites can easily be accessed if secure WiFi access for shops is not provided. Consumers typically have Internet security solutions in place on home networks that block these malicious websites. They expect the same protections on retailers’ WiFi networks. Malware poses a significant threat. Alcatel-Lucent, a French telecommunications company, reports that malware attacks on mobile devices are increasing by 25% per year.
Then there is the content that can be accessed. Recently, before Starbucks took steps to block the accessing of pornography via its WiFi networks, the coffee shop chain received a lot of criticism from consumers who had caught glimpses of other customers accessing pornography on their devices.
Secure WiFi Access for Shops Brings Many Benefits
The provision of secure WiFi access for shops tells customers you are committed to ensuring they can access the Internet safely and securely on your premises. It tells parents that you are committed to protecting minors and ensuring they can access the Internet without being exposed to adult content. It tells consumers that you care, which helps to improves the image of your brand. It is also likely to result in positive online reviews.
Providing secure WiFi access for shops makes it easier for you to gain an insight into customer behavior. A web filtering solution will provide you with reports on the sites that your consumers are accessing. This allows you to profile your customers and find out more about their interests. You can see what sites they access, which can guide your future advertising programs and help you develop more effective marketing campaigns. You can also find out more about your real competitors from customers browsing habits.
The provision of secure WiFi access for shops will also help you to reduce legal liability. If you do not block illegal activities on your WiFi network, such as file sharing (torrents) sites, you could face legal action for allowing the downloading of pirated material. The failure to block pornography could result in a lawsuit if a minor is not prevented from accessing adult content.
WebTitan – Secure WiFi Access for Shops Made Simple
Secure WiFi access for shops doesn’t have to be complicated or expensive. TitanHQ offers a solution that is cost effective, easy to implement, requires no technical skill, has no effect on Internet speed and the solution can protect any number of shops in any number of locations. The filtering solution can be managed from an intuitive web-based graphical user interface for all WiFi access points, and a full suite of reports provides you with invaluable insights into customer behavior.
WebTitan Cloud for WiFi is a 100% cloud-based DNS filtering solution. Point your DNS records to WebTitan and you will be filtering the Internet in minutes and blocking undesirable, dangerous and illegal web content. You do not need any additional hardware, you do not need to download any software and configuring the filtering settings typically takes about 30 minutes.
To find out more about WebTitan Cloud for WiFi, including details of pricing and to register for a 30-day, no obligation free trial, contact TitanHQ today.
Hospitals have invested heavily in solutions to secure the network perimeter, although Internet and WiFi filtering in hospitals can easily be forgotten. Network and software firewalls have their uses, although IT security staff know all too well that cyberattacks targeting employees can see those defenses bypassed.
A common weak point in security is WiFi networks. IT security teams may have endpoint protection systems installed, but not on mobile devices that connect to WiFi networks.
A look at the Department of Health and Human Services’ Office for Rights breach portal shows just how many cyberattacks on hospitals are now occurring. Cybercriminals are targeting healthcare organizations due to the value of protected health information (PHI) on the black market. PHI is worth ten times as much as credit card information, so it is no surprise that hospitals are in cybercriminals’ crosshairs. Even a small hospital can hold the PHI of more than 100,000 individuals. If access is gained to a hospital network, that signals a huge pay day for a hacker.
There has also been a massive increase in ransomware attacks. Since hospitals need access to patients’ PHI, they are more likely to pay a ransom to regain access to their data if it is encrypted by ransomware. Hollywood Presbyterian Medical Center paid $17,000 for the keys to unlock its ransomware infection in February last year. It was one of several hospitals to give in to attackers’ demands.
The Hospital WiFi Environment is a Potential Gold Mine for Cybercriminals
The increasing number of wireless devices that are now in use in hospitals increases the incentive for cybercriminals to attempt to gain access to WiFi networks. Not only do physicians use mobile phones to connect to the networks and communicate PHI, there are laptops, tablets and an increasing number of medical devices connected to the networks. As use of mobile devices in healthcare continues to grow and the explosion in IoT devices continues, the risk of attacks on the WiFi environment will only ever increase.
Patients also connect to hospital WiFi networks, as do visitors. They too need to be protected from malware and ransomware when connected to hospital guest WiFi networks.
Internet and WiFi filtering in hospitals is therefore no longer an option, it should be part of the cybersecurity strategy for all healthcare organizations.
Internet and WiFi filtering in Hospitals is Not Just About Blocking Cyberthreats
Malware, ransomware, hacking and phishing prevention aside, there are other important reasons for implementing Internet and WiFi filtering in hospitals.
Guest WiFi access in hospitals is provided to allow patients and visitors to gain access to the Internet; however, there is only a certain amount of bandwidth available. If Internet access is to be provided, all patients and visitors should be able to gain access. Internet and WiFi filtering in hospitals can be used to restrict access to Internet services that consume bandwidth, especially at times when network usage is heavy. Time-based controls can be applied at busy times to block access to video streaming sites to ensure all users can still enjoy reasonable Internet speeds.
It is also important to prevent patients, visitors and healthcare professionals from accessing inappropriate website content. Internet and WiFi filtering in hospitals should include a block on adult content and other inappropriate or illegal material. Blocks can easily be placed on illegal file sharing websites, gambling or gaming sites, or any other undesirable category of web content.
Internet and WiFi filtering in hospitals ensures WiFi networks can be used safely and securely by all users, including minors. Blocking illegal and undesirable content is not just about protecting patients and visitors. It also reduces legal liability.
Internet and WiFi Filtering in Hospitals Made Simple
WebTitan Cloud for WiFi is an ideal solution for Internet and WiFi filtering in hospitals. WebTitan Cloud for WiFi is cost effective to implement, the solution requires no additional hardware or software installations and there is no latency. Being DNS-based, set up is quick and simple. A change to the DNS settings is all that is required to start filtering the Internet.
WebTitan Cloud for WiFi is ideal for hospital systems. The solution is highly scalable and can be used to protect any number of users in any number of locations. Multiple sites can be protected from one easy-to-use web-based graphical user interface. Separate filtering controls can be applied for different locations, user groups or even individuals. Since the solution links in with Active Directory the process is quick and simple. Separate content controls can easily be set for guests, visitors and staff, including by role.
WebTitan Cloud for WiFi supports blacklists, whitelists and allows precision content control via category or keyword and blocks phishing websites and sites known to host exploit kits and malware. In Sort, WebTitan Cloud for WiFi gives you control over what happens on your WiFI network.
To find out more about WebTitan Cloud for WiFi, details of pricing and to register for a free trial, contact the TitanHQ team today.
Hotel guests used to choose hotels based on whether free WiFi was available, now free WiFi is no longer enough – secure WiFi for hotels is required to ensure the Internet can be accessed safely, a fast connection is essential and the WiFi signal must be reliable.
Even budget hotels know the attractive power of free WiFi and how much easier it is to attract guests with free, reliable Internet access. Forrester Research conducted a survey back in 2013 that showed 90% of hotel guests considered free WiFi access to be the most important hotel amenity, while 34% of respondents said when it comes to choosing a hotel, free WiFi was a deal breaker when choosing a place to stay.
Providing Free WiFi is No Longer Enough
Now that most hotels are offering free WiFi, travelers have become much more discerning. Free WiFi access is no longer sufficient. Hotel guests want reliable access, good Internet speeds, sufficient bandwidth to stream music and videos and secure WiFi for hotels is similarly important. Hotels now need to improve their WiFi networks to continue to attract business.
A quick look on TripAdvisor and other review sites is all it takes to assess the quality of the Internet connection. There are even websites dedicated to providing this information. A poor WiFi signal is one of the most common complaints about hotels.
Providing an excellent Internet connection may not mean a 5-star review is guaranteed – but one or two-star reviews can be expected if the Internet connection or WiFi coverage is poor.
If you really want to attract more guests, provide free WiFi access. If you want to gain a serious competitive advantage, ensure all rooms have an excellent signal, there is sufficient bandwidth and make sure your network is secure. Guests now expect the same protections they have at home.
Common Problems with Hotel WiFi Networks
Listed below are some of the common problems reported by guests about hotel WiFi
Problems connecting more than one device to the network – Hotels often have WiFi networks with limited bandwidth. Restrictions may be in place that only allow one device to be connected per room. For a couple or family, that is no longer sufficient. Most guests will require at least two devices to be connected simultaneously per room, without Internet speed dropping to a snail’s pace.
Parents do not want their children to be able to access porn – A night in a hotel should be a relaxing experience. Parents do not want to have to spend their time policing the Internet. They want controls in place to make sure adult content cannot be accessed by their kids.
Connecting to guest WiFi should be safe and secure – Guests should be protected from malware and ransomware infections and steps should be taken by the hotel operator to reduce the risk of man-in-the-middle attacks. Safe and secure WiFi for hotels is essential. Accessing hotel WiFi should not result in nasties being transferred to guests’ devices. Safe and secure WiFi for hotels is especially important for business travelers. They should be able to enter their usernames and passwords without risking an account compromise.
Bandwidth issues are a major bugbear – If some guests are streaming video to their devices, it should not prevent other users from accessing the Internet or enjoying reasonable Internet speeds. Even at busy times, all guests should be able to connect.
How to Resolve these Problems?
Bandwidth is a major issue. Increasing bandwidth comes at a cost. If free WiFi is provided, it is difficult to recover that expenditure. There are solutions however. Hotels can offer free WiFi access to all guests, yet block streaming sites and other bandwidth-heavy activities. If guests want to be able to stream video, they could be offered a premium service and be charged for non-standard access. The same could apply to adult content. Hotels could offer family-friendly WiFi as standard, with a paid for service having fewer restrictions.
Secure WiFi for hotels is a must. Hotels can implement solutions that block malware and prevent guests from accessing phishing websites. Providing an encrypted connection is also essential. Guests should be able to login to their accounts without being spied on.
Secure WiFi for Hotels Made Simple
A web content filter can be used to resolve the above problems and ensure safe and secure Internet access for all guests. Arranging secure WiFi for hotels is simple with TitanHQ.
TitanHQ’s WebTitan Cloud for WiFi is a content filter with a difference. The solution can be deployed on existing hardware with no need for any software installations. Once installed, it is simple to manage, with updates to the system occurring automatically. Users don’t even need any technical expertise. The solution can be implemented and accounts set up in minutes. It doesn’t matter how many hotels you operate, all can be protected with ease through a central control panel that can be accessed from any location.
Secure WiFi for Hotels from TitanHQ
WebTitan Cloud for WiFi allows hotel operators to:
- Control content and online activities without any impact on Internet speed
- Block pornography and other inappropriate content to make the WiFi network family-friendly
- Prevent users from engaging in illegal activity
- Block phishing websites
- Prevent malware and ransomware downloads
- Restrict bandwidth-heavy activities such as video and music streaming services
- Create user groups with different restrictions, allowing streaming or adult content for specific user groups
- Set web filtering controls for different access points
- Manage content filtering for multiple hotels with ease, no matter where in the world they are located
To find out more about all of the benefits of WebTitan Cloud for Wifi, how secure WiFi for hotels can be provided, details of prices and to register for a free trial, contact the TitanHQ team today. Your guests will thank you for it.
Regardless of whether you run a hotel, coffee shop or retail outlet, Internet access is expected by customers, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with access to the Internet brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself to considerable risk.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows them to collect contact details for future marketing and business can gain valuable customer insights.
However, giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be more security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of control over accessible website content to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities. They may accidentally or deliberately install malware or ransomware, or visit phishing websites. Secure guest WiFi for business means protecting yourself and your customers. Secure guest WiFi for business visitors and it will ensure they are protected when connected to your network, preventing man-in-the-middle attacks, malware downloads and blocking phishing attacks. You will also be protected from legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Before providing WiFi access be sure to consider the points below:
Segregating your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your internal network must be totally separate from the network used by guests. It should not be possible for guests to see your network assets and confidential files and resources. Use a network firewall or create a separate VLAN for guest use and use a software firewall to protect servers and workstations from traffic from the guest network. Secondly, in the event of a malware or ransomware infection, it will not spread from the guest network to your internal network.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up rogue access points to conduct man-in-the-middle attacks.
Keep your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed on a monthly basis.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2 encryption. You can then post the SSID and password in your business to make it easy for legitimate users to gain access to your network.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding some controls over the content that can be accessed on your WiFi network. Content filtering is a must. You should block access to adult content – which includes pornography, gambling sites and other web content that is ethically or morally questionable. A web filtering solution will also protect your customers from accidental malware and ransomware downloads while blocking phishing websites. Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades.
Family-Guard offers its customers online protection by blocking access to adult website content such as pornography and stopping malware infections, ensuring the Internet can be accessed safely and securely by all family members.
Family-Guard supplies WiFi routers with pre-configured DNS settings to its customers. Plug in the router and customers are instantly protected from online threats and inappropriate content. As more families take steps to prevent their children from harm online, the company has gone from strength to strength.
However, the firm was not entirely satisfied with its previous web filtering provider and sought a partnership with a new company. Before deciding to deploy WebTitan Cloud for WiFi, Family-Guard needed to be certain that WebTitan offered the required level of protection for its customers. It was essential that all harmful and dangerous website content could be filtered out to ensure customers received the service they paid for. TitanHQ could reassure Family-Guard that its URL filtering technology was up to the task.
The problem with the firm’s previous partner was the inaccuracies in categories and site classifications. Those problems could not be overcome. WebTitan on the other hand offers accurate classification of websites, with more than 500 million web addresses present in its database, including sites in more than 200 languages. Since deploying WebTitan Cloud for WiFi through its router packages, Family-Guard has not experienced the accuracy problems of its previous provider.
Another key consideration when selecting a service provider was the ability to provide the solution in white-label form. It was essential for Family-Guard to incorporate its own branding, which includes the product as well as the user interface for setting filtering controls. With WebTitan, the solution can be supplied without any branding, ready for customization. The white label option and choice of hosting also makes WebTitan an ideal web content filter for managed service providers.
While reassurances could be provided by TitanHQ, the proof of the pudding is in the eating. Before committing, Family-Guard needed to perform extensive testing of the solution. The firm signed up for a free trial and conducted independent tests. Tanner Harman, President of Family-Guard said, “In terms of the trial everything was very straightforward, it was good to speak to an engineer that was able to answer all my questions, this is not common in the technology industry.”
WebTitan is incredibly easy to use and maintain. There are no software updates necessary as all are managed by TitanHQ. Setting up the solution is also straightforward. Once the DNS has been directed to WebTitan, it is just a case of configuring the web filtering controls. For Family Guard, it took staff around 30 minutes to become familiar and comfortable with using the solution. The company is now reaping the benefits.
“For our technical staff, it reduced the time spend on support calls as the number of support calls reduced dramatically almost immediately,” the solution has also dramatically reduced the time the support team has spent dealing with malware. Tanner said, “WebTitan Cloud blocks all the bad stuff before it hits the customers location so issues that previously occurred regularly are now avoided.”
It can take some time following deployment to fully appreciate the benefits that WebTitan brings to an organization. Family-Guard implemented the solution in April 2016. The cost saving from deploying WebTitan Cloud has been considerable. In the 12 months following the implementation of WebTitan Cloud, Family Guard has enjoyed savings of more than $10,000.
Further, as Family-Guard grows, it is not limited by its license. With WebTitan, additional licenses can be added as and when required with a dynamic pricing plan lacking the barriers and wastage typical of other web filtering solutions.
Whether you are looking for a web content filter for public hotspots, a filtering solution to package into your products and services or a content filtering solution for your business WiFi network, TitanHQ can help.
For further information on the features and benefits of WebTitan, answers to technical questions and to register for a free trial, contact the TitanHQ team today.
Customers are increasingly choosing to visit retailers based on whether free Internet access is available in store. Providing WiFi access doesn’t just attract more customers. It provides retailers with an opportunity to communicate new sales initiatives to customers and allows valuable information to be gathered on what customers do inside stores. Monitoring the websites accessed by customers also allows retailers to gain a valuable insight into customer behavior.
Retailers are increasingly offering free WiFi in-store to attract more customers, but providing access to the Internet in-store carries risks. If customers have free, unfettered access to the Internet they would be able to access inappropriate content, accidentally download malware or use the connection for illegal file downloads.
Retailers can gain huge benefits from offering customers free access to WiFi network, but without security solutions to mitigate risk, the offer of free WiFi can backfire. A web content filter for public hotspots is now essential.
Selfridges understands the benefits of providing free WiFi access to customers, but also the risks. If WiFi was to be provided in-store, it would need to be secure to prevent customers from installing malware or accessing phishing websites
Selfridges also needed protection from legal liability. Steps therefore needed to be taken to prevent customers from accessing inappropriate website content in store and to stop minors from accessing adult content.
Selfridges prides itself on providing high quality products and customer service, so it was important to ensure for its WiFi service to reflect the stores values. Alisdair Morison, IT manager at Selfridges, said “We had to ensure that guests could not access malicious sites or to view inappropriate content while in the store.”
In the case of inappropriate website content, the risks are considerable. Morison said, “We knew that if a guest accessed porn on the WiFi connection and a child or other person could inadvertently view that screen, we would be legally liable.” The same applies to illegal file downloads via its WiFi network.
Choosing a solution posed a number of challenges. Selfridges has a small, but busy IT department so a web filtering solution needed to have a small administrative burden. Technical staff are not present in each store so it was important that the solution could be managed remotely for all four locations without the need for any site visits.
Selfridges contacted TitanHQ and chose WebTitan Cloud for WiFi. “We looked at a bunch of solutions. I was really taken aback by the price point, features and functionality we were going to get with WebTitan WiFi,” said Morison, “Other solutions didn’t have all the features and functionalities we wanted; they could do some of what we now do with WebTitan WiFi, but at a higher cost.”
The solution was set up in less than half a day and the IT team can manage the solution remotely and monitor WiFi connections. All four locations are managed through a central administration management console. All that was required to get started was to add the company’s external IP address to the GUI, update DNS forwarders and set the filtering controls.
Selfridges now blocks pornography, illegal activities such as file sharing and activities that are ethically or legally questionable. The WiFi network is child-friendly, so parents need not worry about the content that their children can access in-store. The WiFi network can be used safely and securely by all its 200 million annual visitors, with both Selfridges and its customers gaining benefits from in-store WiFi.
The WannaCry ransomware attacks that crippled hospitals in the United Kingdom on Friday have temporarily halted, although not before infections spread to 150 countries around the globe. The massive ransomware campaign saw 61 NHS Trusts in the UK affected.
As the NHS was cancelling appointments and scrambling to halt the spread of the infection and restore its systems, the WannaCry ransomware attacks were going global. Organizations around the world were waking up to total chaos, with systems taken out of action and data access blocked. Other victims include FedEx, Telefonica, Deutsche Bahn and the Russian Interior Ministry and around 200,000 others.
The victim count rose considerably throughout Friday and Saturday morning, before a security researcher in the UK accidentally flicked the ransomware’s kill switch, preventing further WannaCry ransomware attacks. Had it not been for that researcher’s actions, the victim count would have been considerably higher.
The researcher in question prefers to remain anonymous, although he tweets under the Twitter account @MalwareTechBlog. While analyzing the ransomware, he discovered a reference to a nonsense web domain. He checked to see who owned the domain and discovered it had not been registered. He bought it and realized that his actions had stopped the ransomware in its tracks. If the domain could be contacted, encryption would not take place. If contact was not possible, the ransomware would proceed and encrypt files on the infected device.
This kill switch could have been put in place by the authors as a way to stop infections getting out of control. However, far more likely is the domain check was performed to determine if the ransomware was running in a test environment.
For now at least, the WannaCry ransomware attacks have stopped, although that does not mean they will not continue. New versions of the ransomware – without the kill switch – will almost certainly be released. In the meantime, IT security professionals have some time to plug the vulnerability that was exploited.
The exploit takes advantage of a vulnerability in Windows Server Message Block (SMB) that allows the attackers to download files onto a vulnerable machine. Microsoft issued a patch to plug the vulnerability on March 13 (MS17-010). Even though this was a high priority patch for which an exploit had been developed (ETERNALBLUE) and released online, many companies failed to update Windows leaving them vulnerable to attack.
Of course, any organization using an unsupported version of Windows – Windows XP for example – would not be able to apply the patch. Many NHS Trusts in the UK still use the unsupported version of Windows even though it is vulnerable to this and other exploits.
The attackers have reportedly made around $50,000 so far from the WannaCry ransomware attacks. That figure will rise, as victims are given 7 days to pay before the decryption keys held by the attackers will be permanently deleted. If payment is not made within 3 days, the $300 ransom doubles.
There are no clues as to who was behind the attack, although it was made possible by the actions of the hacking group Shadow Brokers, who published the exploit used in the WannaCry ransomware attacks in April. The exploit was not developed by Shadow Brokers however. That appears to have been developed by the National Security Agency in the USA. Shadow Brokers allegedly stole the exploit.
Microsoft has responded to the WannaCry ransomware attacks saying they should serve as a “wake-up call.” That’s not just the need to apply patches promptly to prevent cyberattacks, but also a wake up call for governments not to secretly stockpile exploits.
Sabotage, subversion and ransomware attacks all increased sharply in 2016, with malware-infected emails now at a five-year high according to the latest installment of Symantec’s Internet Security and Threat Report (ISTR).
For the 22nd volume of the report, the antivirus and antimalware software vendor analyzed data collected from millions of users of its security solutions – The world’s largest civilian threat collection network, consisting of 98 million attack sensors spread across 157 countries around the globe.
The 77-page Internet Security and Threat Report is one of the most highly respected publications issued by any cybersecurity company.
The Internet Security and Threat Report provides a valuable insight into the state of cybersecurity and details how global cybersecurity threats have changed over the course of the past 12 months.
Internet Security and Threat Report Shows Change in Attack Tactics
Data theft and financial fraud may be major motivators behind cyberattacks on businesses, but over the past 12 months there has been a sharp rise in politically motivated cyberattacks. Rather than steal data, the attackers are sabotaging businesses using destructive malware such as hard disk wipers.
The attacks are conducted to cause serious harm to business competitors, although nation state-backed hackers have also been targeting the critical infrastructure in many countries. Attacks on Ukrainian energy providers have been conducted to disrupt the power supply while attacks on companies in Saudi Arabia – using Shamoon malware – attempted to permanently delete corporate data.
Many attacks were conducted last year with a different aim – subversion. That was clearly demonstrated during the recent U.S presidential campaign. Sensitive data from the Democratic party was leaked in an attempt to influence the outcome of the U.S presidential election. The FBI investigation into the hacking of the presidential election is ongoing.
Sabotage is on the rise, but data theft incidents continue. The past year has seen many espionage attacks resulting in the theft of sensitive data and corporate secrets and financial attacks have increased.
The Internet Security and Threat Report shows there has been a major increase in large-scale financial heists in the past year. Attacks on consumers are occurring with increasingly regularity, although the banks themselves are now being targeted. Those attacks have resulted in the theft of many millions of dollars.
The Carbanak gang has been highly active in this area and has performed multiple attacks on U.S banks, while the Banswift group performed one of the biggest heists of the year, stealing $81 million from the central bank in Bangladesh.
While exploit kits and other web-based attacks were a major threat in 2015, attackers have returned to email as the primary method of gaining access to networks. In 2015, Symantec blocked an average of 340,000 web-based attacks per day. In 2016, the number had fallen to 229,000 – a significant reduction, although the threat of web-based attacks cannot be ignored.
The Biggest Malware Threat Comes from Email
Phishing is still a major risk for businesses, although the phishing rate has fallen over the past three years, according to the Internet Security and Threat Report. In 2014, one in 965 messages were used for phishing. In 2016, the number fell to one in 2,596 emails.
However, email spam levels have remained constant year on year. Email spam accounts for 53% of all sent messages.
Phishing email volume may be down, but email-borne malware attacks have increased. The Symantec Internet Security and Threat Report shows the volume of malicious emails now being sent is higher than any point in the past five years.
Now, one in 131 emails contain either a malicious attachment or hyperlink, up from one in 220 emails in 2015 and one in 244 emails in 2014. The number of new malware variants being released has also soared. In 2014, there were 275 million new malware variants discovered. That figure rose to 357 million last year. The number of bots sending malicious email has also increased year on year, from 91.9 million in 2015 to 98.6 million in 2016.
Ransomware Attacks Soared in 2016
Ransomware attacks also increased significantly in 2016, with the United States the most targeted country. Even though the FBI and other law enforcement agencies strongly advise against paying a ransom, 64% of U.S. companies ignore that advice and pay the attackers for keys to decrypt their data.
In 2015, the average ransom demand was for $294 per infected machine. Over the course of the past 12 months, ransom amounts have increased considerably. The Symantec Internet Security and Threat Report shows ransom demands increased by an astonishing 266% in 2016. The average ransom demand is now $1,077 per infected machine.
Symantec tracked 101 separate ransomware families in 2016 – A substantial rise from the 30 known ransomware families in 2014 and 2015. Last year, there were 463,841 ransomware detections, up from 340,655 from 2015.
One of the biggest threats comes from the cloud, although many organizations are underestimating the risk. When organizations were asked how many cloud apps are in use in their company, few provided an accurate figure. Many estimated they used around 40 cloud-based apps. Symantec reports that for the average company, the figure is closer to 1,000.
As the Internet Security and Threat Report shows, the cyberthreat landscape is constantly changing as cybercriminals develop new methods of attacking businesses. Only by keeping up to date on the latest threat indicators and bolstering cybersecurity defenses can businesses maintain a robust security posture and prevent attacks.
Kaspersky Lab has released new figures showing software exploit attacks increased by almost a quarter in 2016. In total, more than 702 million attempted software exploit attacks were performed; a rise of 24.54% year on year. Corporate users were the worst affected, registering 690,000 attacks in 2016; a rise of 28.35% year on year.
According to the report, 69.8% of software exploit attacks took advantage of flaws in web browsers, Microsoft Windows, Microsoft Office or the Android platform. Software exploit attacks involve malware leveraging flaws in software to run malicious code or install other malware. Last year, the most common exploit took advantage of the Stuxnet vulnerability on unpatched systems.
Software exploits are difficult to identify because they occur silently without alerting the user. Unlike email-based attacks, software exploits require no user interaction. A user must only be convinced to visit a website hosting an exploit kit. A hyperlink can be sent via email or users can be redirected to malicious sites using malvertising. Attacks can occur through general web browsing. Hackers often take advantage of flaws to hijack websites and install exploit kits.
While attacks on companies have increased, attacks on private users fell by around 20% to 4.3 million attacks. This has been attributed to two major exploit kits – Neutrino and Angler – being shut down. Without those exploit kits, criminal groups have lost the ability to spread malware and have had to resort to different tactic to spread malware, with spam email the delivery mechanism of choice.
Exploit kits are expensive to develop and require considerable work, and since software developers are reacting faster and patching vulnerabilities, exploit kits are no longer as profitable for cybercriminals. However, exploits are still being used by sophisticated criminal gangs in targeted attacks aimed at stealing highly sensitive data.
This year has seen an increase in exploit activity using the Rig exploit kit, while last month Checkpoint noted a major rise in software exploit attacks.
Exploit kits may not pose as big a threat as in late 2015, but they are still a significant threat for businesses. Organizations can improve their defenses against software exploits by installing patches promptly and ensuring anti-virus and anti-malware solutions are kept up to date. A web filtering solution should also form part of organizations’ defenses. Web filters prevent end users from visiting, or being redirected to, websites known to host exploit kits.
Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.
Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.
An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.
Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.
Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.
Take the recent set of updates addressed by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.
The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.
One of those tools, called Eternalromance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, Eclipsedwing, Emeraldthread, eraticgopher and esteemaudit have all been confirmed to work on Windows XP.
Those are just the exploit tools recently discovered by The Equation Group. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.
There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.
Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.
The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment, in fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.
Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.
Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.
Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.
Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.
While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.
In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom payment of $17,000 to unlock its system. A ransom demand in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!
Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.
What is the Cost of a Ransomware Attack?
Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.
The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.
However, the true cost of a ransomware attack is far higher than any ransom payment. The HMPC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.
System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.
A study by Imperva on 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.
One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.
Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.
Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.
The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.
It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.
A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages.
A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed.
A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine.
One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card.
Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.
The Safari scareware campaign was recently uncovered by Lookout, which passed details of the exploit onto Apple last month. Apple has now released an update to its browser which prevents the attack from taking place. Users can protect their devices against attack by updating their device to iOS version 10.3.
Scareware is different from ransomware, although both are used to extort money. In the case of ransomware, access to a device is gained by the attacker and malicious file-encrypting malware is downloaded. That malware then locks users’ files with powerful encryption. If a backup of the encrypted files is not owned, the user faces loss of data if they do not pay the attackers for the key to decrypt their locked files.
Scareware may involve malware, although more commonly – as was the case with this Safari scareware campaign – it involves malicious code on websites. The code is run when a user with a vulnerable browser visits an infected webpage. The idea behind scareware is to scare the end user into paying the ransom demand to unlock their device. In contrast to ransomware, which cannot be unlocked without a decryption key, it is usually possible to unlock scareware-locked browsers with a little computer knowhow. In this case, control of the phone could be regained by clearing the Safari cache of all data.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980’s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – That represents a 771% increase in ransom payments and only three months had passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
Malware and phishing attacks on healthcare organizations are all but guaranteed. In fact, they are almost as certain as death and taxes. Healthcare organizations hold huge volumes of data on patients and more types of data than virtually any other industry.
Healthcare providers store personal information and Social Security numbers, which are needed for identity theft and tax fraud. Insurance information that can be used for health insurance fraud; Medicare/Medicaid numbers and health information that can be used for medical fraud. Bank account information and credit card numbers are also often stored. For cybercriminals, breaching a healthcare organization’s defenses means a big payday.
Further, health data does not expire like credit card numbers. Social Security numbers never change. It is therefore no surprise that malware and phishing attacks on healthcare organizations are on the rise.
As if there was not enough incentive to attack healthcare organizations, the healthcare industry has underinvested in cybersecurity defenses, lagging behind other industries when it comes to implementing the latest technologies to thwart cybercriminals. Healthcare networks are also highly complex and difficult to protect. They also contain many outdated software and operating systems. Many healthcare organizations still run medical devices on the unsupported Windows XP OS, which contains many vulnerabilities.
The Health Insurance Portability and Accountability Act (HIPAA) has helped to bring cybersecurity standards up to an acceptable level. HIPAA compliance has made it harder for cybercriminals, although far from impossible. With the healthcare industry, firmly in cybercriminals’ crosshairs, healthcare organizations need to look beyond meeting the minimum standards for data security to avoid a HIPAA fine and ensure that defenses are improved further still.
One of the biggest problems comes from cyberattacks on healthcare employees. Even advanced firewalls can be easily avoided if employees can be fooled into clicking on a malicious link or opening an infected email attachment. Phishing attacks on healthcare organizations are the most common way that cybercriminals gain access to healthcare networks. Most cyberattacks start with a spear phishing email.
In addition to perimeter defenses, it is essential for healthcare organizations to employ technologies to block phishing attacks. Advanced spam filters will prevent the vast majority of phishing emails from being delivered, while web filtering solutions will block phishing attacks on healthcare organizations by preventing malicious links from being clicked and malicious websites from being accessed.
Fortunately, with appropriate defenses in place, cyberattacks can be prevented and the confidentiality, integrity, and availability of ePHI can be preserved.
For further information on the major healthcare cyberattacks of 2016, the key threats to healthcare organizations, and the impact of data breaches, click the image below to view our healthcare hacking infographic.
The proposed crackdown on fake news websites has shone a light on the use of typosquatting and cybersecurity risks for businesses from employees visiting fake news websites.
Over the past few weeks there has been considerable media attention focused on fake news websites and the harm that these fake news stories can cause.
Just as newspapers and news networks can earn big money from being the first to break a new story, there is big money to be made from posting fake news items. The problem is growing and it is now becoming harder to separate fact from fiction. 2016 has seen fake news stories hit the headlines – Both the problem and the republishing of fake news in the mainstream media.
Fake News Websites are a Serious Problem
This year’s U.S. presidential election has seen the Internet awash with propaganda and fake news posts, especially – but not exclusively – about support for Donald Trump and criticism of Hillary Clinton. Fake news sites such as the Denver Guardian (the periodical doesn’t actually exist) posted news about rigging of the election. Genuine news organizations notably picked up on a story about Denzel Washington supporting Trump; however, the original story was taken from a fake news site. Of course, these are just two of many hundreds of thousands of fake news stories published throughout the year.
All too often fake news stories are silly, satirical, or even humorous; however, they have potential to cause considerable harm and influence the public. Potentially, they could change the outcome of an election.
Consumers are now increasingly basing their opinions on fiction rather than fact. Fake news is nothing new of course, but the U.S. presidential election has brought it to the forefront and has highlighted the extent to which it is going on – on a scale never before seen.
Worldwide governments are now taking action to crackdown on the problem. Germany and Indonesia have joined the U.S. in the fight against fake news stories and there have been calls for greater regulation of online content.
Facebook has received considerable criticism for failing to do enough to prevent the proliferation of fake news. While CEO Mark Zuckerberg dismissed the idea that fake news on Facebook was influential in the election – “the idea that fake news on Facebook, which is a very small amount of the content, influenced the election in any way, I think is a pretty crazy idea.” However, last month he confirmed a new initiative to address hoaxes and fake news. Facebook is to make it easier for users to report fake news stories, third-party fact checkers will be enlisted, news websites will be analyzed more closely, and stories will be pushed down the rankings if they are getting fewer shares.
All of the attention on fake news sites has highlighted a tactic that is being used to spread fake news – a tactic that has long been used by cybercriminals to spread malware: Typosquatting.
Typosquatting and Cybersecurity Risks
Typosquatting – otherwise known as URL hijacking – is the use of a popular brand name with authority to fool web surfers into thinking a website is genuine. The fake news scandal brought attention to the tactic after fake news items were posted on spoofed news websites such as usatoday.com (usatoday.com.com) and abcnews (abcnews.com.co).
To the incautious or busy website visitor, the URL may only get a casual glance. The slightly different URL is unlikely to be spotted. This may only result in website visitors viewing fake news, although in many cases it can result in a malware download. Cybercriminals use this tactic to fool web surfers into visiting malicious websites where malware is automatically downloaded.
Typosquatting is also used on phishing websites and for fake retail sites that relieve visitors of their credit card information or other sensitive credentials.
Even fake news sites are a problem in this regard. They often contain third-party adverts – this is one of the ways that fake news stories generate income for the posters. Those adverts are often malicious. The site owners are paid to display the adverts or send visitors to malicious websites. Adverts are also used to direct visitors to fake retail sites – zappoos.com or Amazoon.com for example. Many fake news sites are simply used as phishing farms.
While consumers can be defrauded, businesses should also take note. Since many of these sites are used to either spread malware or direct users to malicious sites where malware is downloaded, fake news sites are a serious cybersecurity risk.
Governments and social media networks may be taking a stand against these malicious sites, but businesses should also take action. All it takes is for one user to visit a malicious site for malware or ransomware to be downloaded.
Fortunately, it is possible to reduce risk with a web filtering solution. Web filtering solutions such as WebTitan can be used to block access to websites known to contain malware. Malicious websites are rapidly added to global blacklists. If a web filtering solution is used, an employee will be prevented from visiting a blacklisted site, which will prevent a malware download.
Malicious adverts can also be blocked and prevented from being displayed. Malicious links on fake news sites can also easily be blocked. Users can also be prevented from visiting websites when clicking on links to the sites in emails or on social media websites.
For further information on the full range of benefits of WebTitan and to find out how you can sign up for a free 30-day trial of WebTitan, contact TitanHQ today.
Anti-phishing solutions for businesses are now an essential element of cybersecurity defenses. The risk from phishing websites has grown considerably in 2016, and 2017 is likely to see the problem become much more severe.
Anti-Phishing Solutions for Businesses Now a Necessity
Cybercriminals are using increasingly sophisticated tactics to infect end users with malware and ‘phish’ for sensitive information such as credit card details, email login credentials, and other sensitive data that can be used for identity theft and fraud. Cybercriminals have changed their tactics to infect more end users and bypass traditional cybersecurity defenses.
In the past it was common for domains to be registered by cybercriminals and only used for phishing or to spread malware. Sooner or later the websites would be reported as malicious in nature, and those domains would be added to global blacklists. As the sites were blocked, the cybercriminals would simply buy another domain and repeat the process. Phishing websites used to remain active for weeks or even months before they ceased to be effective. However, cybersecurity firms are now faster at detecting malicious websites and adding them to blacklists.
Cybercriminals are aware that phishing websites and malicious webpages have a very short shelf life and will only remain effective for a few days before they are blocked. In response, they have changed tactics and are now creating webpages which are only used for very short periods of time.
New webpages are now being created faster and in higher volumes. Those webpages now remain active for less than 24 hours in the majority of cases. Cybercriminals are hijacking legitimate websites with poor security controls or unaddressed vulnerabilities. Malicious URLS are then created and hidden on those domains. Cybercriminals have now all but abandoned malicious websites in favor of single URLs on otherwise benign websites.
The volume of phishing websites has also increased considerably in 2016. Studies now suggest that around 400,000 phishing websites are being detected every month of the year.
Web Filtering Solutions Can Significantly Reduce Risk
There are many anti-phishing solutions for businesses that can be adopted to reduce risk, although one of the most effective tools is an advanced web filter. A web filter can be used to prevent users from visiting malicious websites and webpages that are used to phish for sensitive information or infect end users with malware.
While it was possible for standard web filtering solutions to protect against the risk from phishing by comparing domains against blacklists, it is now essential for each webpage to be checked to determine whether it is malicious. Each URL must also be checked each time it is visited to make sure that it has not been hijacked and used for phishing or to spread malware. For that an advanced web filtering solution is needed, such as WebTitan.
WebTitan checks each webpage that an end user attempts to visit in a fraction of a second, with no noticeable latency – slowing of webpage loading. If a website or webpage is identified as malicious the end user will be prevented from accessing that webpage.
WebTitan allows businesses to further protect their networks by restricting access to certain categories of websites which are commonly used by cybercriminals to spread malware. Since these websites have no legitimate work purpose, they can be easily blocked without any negative impact on the business. In fact, businesses are likely to see significant increases in employee productivity as a result.
Cybercriminals are also increasingly using third party advertising blocks on legitimate websites to display malicious adverts. Those adverts redirect visitors to malicious websites containing exploit kits. Some of those adverts require no user interaction at all – visitors are automatically redirected to websites where drive-by malware downloads occur. WebTitan can be configured to prevent these adverts from being displayed, thus neutralizing the risk.
Cybercriminal activity has been steadily increasing, yet employing an advanced web filtering solution such as WebTitan can help businesses stay one step ahead of cybercriminals and keep their networks malware free.
For further information on the capabilities of WebTitan, to find out how easy it is to protect your end users and networks from attack, and to register for a free 30-day trial of WebTitan, contact TitanHQ today.
The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.
In addition to reusing passwords, Zuckerberg also chose a password of 6 digits with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”
Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach
A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.
The LinkedIn passwords were not stored as plaintext, so a little effort was required to reverse the hash to obtain the password. While SHA-1 was thought to be impossible to reverse, it has since been shown to be a relatively straightforward task unless the passwords are also salted. In the case of LinkedIn, they were not.
Simply enter in the SHA-1 hash of a password into one of many reverse hash calculators and the plaintext password will be revealed. A search of the keyword phrase “how to reverse a sha1 password” will reveal many online options for doing so. Once the password had been obtained, access to online accounts was possible.
The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.
While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.
Spate of Account Hacks Reported After Major Data Leaks
Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.
While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches) the spate of account hijacks suggest as much.
TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software and a number of users claim that the hacking of GmbH employee accounts enabled attackers to compromise their computers and authorize PayPal and Amazon transactions. This was attributed to “password mismanagement” by GmbH rather than any flaws in their software.
All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses, is many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.
Important Online Security Best Practices
To improve security and reduce the risk of more than one account being compromised….
- Never reuse passwords
- Create a complex password for each platform – use symbols, capitals, and numerals
- Change your passwords regularly – every month or three months
- Use 2-factor authentication if available
- Use a password manager to help keep track of passwords
- Don’t store your passwords in your browser
- Regularly check your email address/username against the Have I Been Pwned? database
Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.
Over the past 6 years, the main causes of healthcare data breaches have changed considerably. Back in 2010/2011 when the two healthcare data privacy and security surveys were conducted, the main causes of healthcare data breaches were lost and stolen devices, third party errors, and errors made by employees.
Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage devices such as zip drives has fallen considerably in recent years. Due to the high risk of loss and theft – and the cost of risk mitigation following a data breach and compliance fines – healthcare organizations are keeping tighter controls on portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to use data encryption on portable devices. However, lost/stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.
Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches
Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.
Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.
Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.
The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.
Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.
The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.
Healthcare Organizations Need to Increase Cybersecurity Efforts
Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security data. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.
Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.
Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.
The Federal Trade Commission (FTC) is conducting a study to investigate the security update practices of mobile device manufacturers. The study is being conducted amid concern that mobile device manufacturers are not doing enough to ensure owners of mobile devices are protected from security threats.
Security Update Practices of Mobile Device Manufacturers Leave Mobile Users Exposed to Attack
A number of new and highly serious threats have emerged in recent years which allow attackers to remotely execute malicious code on mobile devices if users visit a compromised website. One of the most serious threats comes from the Stagefright vulnerability discovered last year.
The Stagefright vulnerability could potentially be exploited to allow attackers to gain control of Android smartphones. It has been estimated that as many as one billion devices are prone to attack via this vulnerability. Google released an Android update to fix the vulnerability, yet many mobile phone users were unable to update their devices as the manufacturer of their device, or the mobile carrier they used, did not allow the updates to be installed. Because of this, many smartphone owners are still vulnerable to attack.
Even when device manufacturers do update their devices there are often long delays between the issuing of the fix and the rolling out of updates. When a rollout is executed, it can take a week or more before all device owners receive their updates. During that time users are left vulnerable to attack.
The FTC wants to find out more about the delays and the rationale behind the slow rolling out of updates.
FTC and FCC Join Forces and Demand Answers from Carriers and Device Manufacturers
The FTC has joined forces with the Federal Communications Commission (FCC) for the study and has ordered smartphone manufacturers and developers of mobile device operating systems to explain how security updates are issued, the reasoning behind the decision to delay the issuing of security updates, and for some device manufacturers, why security updates are not being issued.
While the study is primarily being conducted on manufacturers of devices running the Android platform, although Apple has also been ordered to take part in the study, even though its devices are the most secure. Apple’s security update practices are likely to serve as a benchmark against which other manufacturers will be judged. Manufacturers that use the Android platform that will take part in the study include Blackberry, HTC, LG, Motorola and Samsung. Google and Microsoft will also take part.
The FTC is asking operating system developers and mobile manufacturers to disclose the factors that are considered when deciding whether to issue updates to correct known vulnerabilities. They have been asked to provide detailed information on the devices they have sold since August 2013, if security vulnerabilities have been discovered that affect those devices, and if and when those vulnerabilities have been – or will be – patched.
The FCC has asked questions of mobile phone carriers including the length of time that devices will be supported, the timing and frequency of updates, the process used when developing security updates, and whether device owners were notified when the decision was taken not to issue a security update for a specific device model.
Whether the study will result in better security update practices of mobile device manufacturers remains to be seen, although the results of the study, if published in full, will certainly make for interesting reading.
A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable then credit cards for instance.
Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.
The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.
78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom. Only government industries ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.
Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.
The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant
Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.
HIPAA requires all covered-entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA-compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.
One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.
The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.
HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.
Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.
Employers are enjoying the benefits of mobile devices but IT security professionals are concerned about the security risk that that comes from the use of Smartphones and tablets. The more devices that are allowed to connect to company networks, the higher the risk, but are mobile device data breaches actually occurring?
There is widespread concern that the devices pose a major security risk, but little data on the extent to which mobile data breaches occur. A new survey sheds some light on just how frequently mobile devices are implicated in data breaches.
Six data security firms* sponsored a survey conducted by Crowd Research Partners which set out to shed some light on the matter. 882 IT security professionals from a wide range of industries were asked a number of questions relating to mobile security and data breaches experienced at their organizations.
More than a Fifth of Companies Have Suffered Mobile Device Data Breaches
The results show that 21% of companies have experienced a mobile device data breaches at some point in the past that affected either devices supplied by their company or used by employees under BYOD policies. However, a further 37% of respondents could not say whether mobile device data breaches had actually occurred, indicating many are at risk of data theft or loss, but would not be able to determine if a data breach had in fact occurred.
Malicious Wi-Fi networks continue to be a problem. 24% of respondents said that BYOD or corporate-supplied devices have connected to malicious Wi-Fi networks at some point in the past. Many companies cannot say whether this has actually happened. Almost half of respondents (48%) could not say with any degree of certainty whether their employees had connected to malicious Wi-Fi networks.
Cybercriminals are developing malware at an alarming rate and mobile devices are now being targeted by many cybercriminal gangs. While the majority of threats affect Android phones, iPhone users are also being targeted. A number of new iOS malware have been discovered in the past year.
Mobile malware is a major problem for businesses. 39% of respondents said users of their networks had, at some point in the past, downloaded malware onto their devices. 35% of respondents were unaware whether this had happened. This suggests more than a third of companies are not monitoring the mobile devices that are allow to connect to corporate networks.
Respondents were asked what measures they were using to protect the mobile devices they allowed to connect to their networks. Only 63% of respondents said they used password protection to keep the devices secure. 49% said they had implemented solutions that enable them to remotely wipe devices that are lost, stolen, or reach the end of their life. 43% use encryption for sensitive data and only 38% said they have policies covering data removal at employee separation or device disposal.
34% said that when an employee leaves their organization ensures data is wiped from mobile devices 100% of the time. 13% said this occurred more than half of the time, and 16% said this happened less than half of the time. Most alarmingly, 23% were unaware if they wiped devices and 14% said they never wipe data from employees’ devices when they leave the company.
43% reported using mobile device management (MDM), 28% used endpoint security tools such as anti-malware programs, and 27% used network access controls.
Many IT security professionals are worried about the risk posed by mobile devices and are concerned about mobile device data breaches. The survey results show there is good reason for them to be concerned. Many companies are failing to implement policies and procedures to effectively manage mobile device security risks.
*The online survey was sponsored by Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall and Tenable Network Security. The survey was conducted on members of the LinkedIn Information Security Community.
AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.
Malware Exploits Apple DRM Vulnerability
Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet the act can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them. Most iPhone malware are only capable of attacking jailbroken phones. However, AceDeceiver is different.
The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.
Users that have installed a software tool called Aisi Helper to manage their IPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.
The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.
The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter in their AppleID and password and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, they have not been able to determine why the attackers are collecting the data.
AceDeceiver Malware Attacks Non-Jailbroken iPhones
Protecting against AceDeceiver iPhone malware would appear to be simple. Don’t install Aisi Helper. However, that is only one method of delivery of AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App store. The three wallpaper apps managed to get around Apple’s code reviews initially to allow them to be made available on the Apple App store. They also passed subsequent code reviews.
Once Apple was made aware of the malicious apps the company removed from the App store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once. They do not need to be available for download in order for them to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.
AceDeceiver iPhone Malware Attack Method Likely to be Copied
Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believe the attack technique is likely to be copied and used to spread new malware to iPhone users.
Security firms are reporting that some of the United States ransomware attacks conducted over the past few months have demonstrated a level of sophistication that suggest they are the work of hacking groups previously backed by the Chinese government.
Ransomware attacks have previously been associated with low level cybercriminals who use spam email to send millions of messages out to random targets in the hope that some individuals will install the malicious file-locking software. In many cases, ransomware-as-a-service is being offered to cybercriminals via darknet marketplaces. Cybercriminals therefore do not need to have an extensive knowledge of hacking, and do not need to be highly skilled at conducting intrusions. However, due to the fact that ransomware can be incredibly lucrative, attacks are now being conducted by a wide range of individuals, including skilled hackers.
United States Ransomware Attacks Appear to Have Been Conducted by Former Chinese Government-Backed Hacking Groups
In some cases, the tactics used in the attacks bear the hallmarks of hacking groups known to have previously been involved in state-sponsored attacks on U.S. companies. The ransomware may not have been developed by foreign-government-backed hackers, but the methods and software used to gain entry to company networks and move around certainly appears to be.
Security firms Dell SecureWorks, InGuardians, G-C Partners, and Attack Research have all been called upon to investigate United States Ransomware attacks recently. The Dell team have investigated three highly sophisticated attacks, and the other companies have similarly been called upon to investigate security breaches involving ransomware.
All of the companies have come to the conclusion that these attacks were not the work of run-of-the-mill cybercriminals, and believe a well-known Chinese hacking group was behind the attacks. In one case, an attack on a U.S. company resulted in over 100 computers being locked with the file-encrypting software. Another attack involved 30 computers being locked. Similar large-scale ransomware attacks have also been investigated by the security firms. These attacks, like many conducted on large U.S. companies, have not previously been reported.
APT Tactics Used in Ransomware Attacks
Some of the attacks took advantage of security vulnerabilities in application servers, other used login credentials that were obtained in past Advanced Persistent Threat (APT) attacks on U.S companies. Rather than APT attacks taking place for espionage, the same methods appear to be used to gain access to networks in order to install ransomware.
None of the security firms are able to say with 100% certainty that the attacks were conducted by Chinese hacking groups, although it does appear to be the most logical answer. One theory put forward is that with China now pulling out of cyber-espionage after last year’s agreement with the U.S government, many Chinese hackers who were previously funded by the government are now out of work or are looking for additional income. Since the potential payoff from ransomware attacks is so high, they are now performing attacks on their own.
In some cases, where U.S companies have been compromised by government-sponsored attacks, it has been hypothesized that the hackers are cashing in as they pull out.
Even if Chinese hacking groups are not involved, it is clear is there is considerable money to be made by performing these attacks. Cybercriminal gangs who have previously targeted credit card numbers may now be switching to ransomware due to big potential payoffs.
Since most companies do not declare that they have suffered an attack and paid a ransom, it is difficult to tell exactly how bad the current situation is. But until ransomware ceases to be profitable, United States ransomware attacks are likely to continue.
Two new studies indicate the mobile malware threat is increasing at an unpresented rate. Any enterprise that allows smartphones to connect to its network, such as those operating a BYOD policy, faces an increased risk of a cyberattack via those devices.
G DATA Report Warns of Rapidly Increasing Mobile Malware Threat
According to the recent G DATA survey, the mobile malware threat has increased substantially over the course of the past 12 months and shows no sign of abating. The number of new malware variants discovered in 2015 is 50% higher than 2014. In 2015, 2.3 million malware samples targeting Android devices were collected, with a new variant being identified, on average, every 11 seconds. In the final quarter of the year, an alarming 758,133 new malware samples were collected, which represents an increase of 32% from the third quarter.
The main risk is older devices operating outdated versions of Android, although G DATA reports that hackers are developing exploits for security vulnerabilities far faster than in past years. Unless Android operating systems are kept totally up to date, vulnerabilities will exist that can be exploited. Unfortunately, phone manufacturers often delay rolling out operating system updates leaving all devices prone to attack.
Mobile Malware Infections Increasing According to Nokia Threat Intelligence Lab
Earlier this month, a report issued by the Nokia Threat Intelligence Lab suggested that 60% of malware operating in the mobile space targets Android smartphones. While iOS malware was a rarity, that has now changed. Nokia reports that for the first time ever, iOS malware has made the top 20 malware list, which now includes the iOS Xcodeghost and FlexiSpy malware. These two malware account for 6% of global smartphone infections.
Mobile ransomware is also increasing. In 2015, several new mobile ransomware variants were identified. Ransomware is used to lock devices with file-encrypting software. Users are only able to recover their files if a ransom is paid to the attackers. With an increasing number of individuals using their smartphones to store irreplaceable data, and many users not backing up those files, individuals are often given no choice but to pay attackers for a security key to unlock their data.
Nokia reports that the malware now being identified has increased in sophistication and has been written by hackers that know the Android system inside out. Malware is getting harder to detect, and once identified it can be extremely difficult to remove. Nokia reports that many malware variants are highly persistent and can even survive a factory reset.
How to Mitigate Mobile Malware Risk
With the mobile malware threat increasing, organizations must implement new security measures to keep devices secure and protect their networks. Anti-virus and anti-malware solutions should be installed on all devices allowed to connect to business networks to reduce the risk of a malware infection.
Many mobile devices are used for work purposes such as accessing business email accounts. Android malware infections could all too easily result in business data being compromised, while keyloggers could give attackers access to business networks.
Enterprises may not yet be majorly concerned about the rising mobile malware threat, but they should be. With the growing sophistication of today’s mobile malware, a business network compromise is a very real threat.
Enterprises that permit the use of mobile devices for work purposes should limit the actions that can be performed on Wi-Fi networks by implementing a web filtering solution. They should ensure that all BYOD policies stipulate a minimum Android version that can be used, and all devices should be kept up to date with app updates installed promptly. Enterprises should also monitor for jailbroken or rooted devices, and prevent them from being used for work purposes or from connecting to business Wi-Fi networks.
A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S critical infrastructure community.
Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads to a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers who will not release the decryption keys until the ransom is paid. Without those keys data will remain locked forever. Business are often given no alternative but to give in to the attackers’ demands.
Rampant Ransomware Prompts ICIT to Issue Warning
The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.
According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable. Far more than the ransom demand in many cases.
Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Often attacks are conducted across International borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.
Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.
Ransomware Mitigation Policies are Essential
Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.
The report suggests four key areas that can help with ransomware mitigation.
- Forming a dedicated information security team
- Conducting staff training
- Implementing layered defenses
- Developing policies and procedures to mitigate risk
An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.
Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain. It is easiest to get an employee to install ransomware than to attempt a hack in many cases. According to the report, this is one of the most important ransomware mitigation steps to take.
Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.
With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must be aware who they can report suspicious emails and network activity to, and those individuals must be aware how they should act and deal with threats.
The Marcher Trojan was first discovered in the wild around three years ago; however, malware does not remain the same for very long, so it is no surprise to see yet another Marcher Trojan variant appear. This time the method of attack differs substantially from previous incarnations of this money-stealing malware.
Marcher Trojan Delivered Using Fake Adobe Flash Update
This time, attackers are targeting users of online pornography and are attempting to trick them into installing the Marcher Trojan on their Android phones by disguising the malware as an Adobe Flash installer package. Adobe Flash may be on its last legs, but a considerable number of porn websites host Flash videos. Users of pornographic websites therefore need Adobe Flash in order to view adult videos.
The attackers are targeting users of pornographic websites by sending links to new porn sites via SMS messages and spam email. Clicking the links contained in those messages will direct the user to a malicious website where they are asked to download an update to Adobe Flash.
Adobe Flash updates are frequently released due to the high number of zero-day vulnerabilities discovered in the software. Users are therefore likely to think there is nothing untoward about the update. The attackers have named it AdobeFlashPlayer.apk to make the download appear genuine.
After downloading the update, the user is required to change settings on the phone to allow apps from unknown sources to be installed. They are then asked to give the fake Adobe Flash update administrator privileges. Once installed, the owner of the device will be unaware that they have just compromised their Android phone.
The malware will then start communicating with the attackers C&C server and will send a list of the apps installed on the device to the attackers. That information is then used to display the appropriate fake login screens for apps installed on the device. Those login screens record bank and credit card details and send them to the attackers.
Another method of attack used by the malware is to send a MMS message to the user asking them to download the X-Video porn app from the Google Play store. The X-Video app is not malicious and can be installed for free; however, after installing the app the user receives a fake prompt asking them to update their Google Play credit card information.
The Marcher Trojan can also prevent users from visiting the real Google Play store without first entering their payment card details into the fake Google Play payment screen.
Fortunately, the malware is easy to remove. The app can be deactivated and then uninstalled. But the user would need to know they have been infected in order to do that.
Blocking Adult Content to Protect WiFi Network Users
Any business that allows employees to access WiFi network can improve network security by blocking access to adult websites. Preventing WiFi network users from accessing adult sites and other websites commonly used to deliver malware can greatly improve security posture.
The Marcher Trojan is being used to steal money from Android users, although the malware has been used to deliver at least 50 different payloads. Other Trojan downloaders deliver ransomware and other nasty malware. Once on a network the malicious software can cause a considerable amount of damage.
WebTitan can be used to prevent the downloading of files commonly used by hackers to hide malware such as SCR, EXE, and ZIP files. It can also be used to block access to risky websites and those known to contain malware.
For business WiFi networks, a web filter is now becoming less of an option and more of a necessity to prevent malware and ransomware downloads and keep users’ devices and networks malware free.
The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.
The healthcare provider’s electronic health record system (EHR) was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.
What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”
The Healthcare Ransomware Threat is Very Real
Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.
There is no guarantee that the attackers will pay of course. They could just demand even more money. There have also been cases where the attackers have “tweaked” their ransomware, but accidentally broke it in the process. Even if a ransom was paid, it would not be possible to unlock the data.
Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.
The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.
Ransomware Attack Raises a Number of Questions
This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In event of emergency, such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is, if computers or networks are taken out of action, the protected health information of patients cannot be lost.
The reality however, is that restoring computer systems after a ransomware attack may not be quite as straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.
Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probably that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may have actually been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.
Dealing with the Healthcare Ransomware Threat
Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.
Furthermore, healthcare providers must ensure employees are trained how to spot a malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put the malware identification skills to the test.
Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and malvertising should be blocked. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.
There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.