Wireless Device Security Vulnerabilities Are Not Being Addressed

According to a recent report issued by Pwnie Labs, wireless device security vulnerabilities are not being addressed by enterprises even though many wireless devices can be used as backdoors into corporate networks.

If wireless printers and access points are not secured, hackers can easily use them to gain access to internal networks. Many organizations invest heavily in security defenses but forget to change the default configurations on their wireless printers. Pwnie Labs researchers ascertained that more than half of wireless devices (56%) used by enterprises are HP printers. When default settings are not changed, the devices can be used as a backdoor into corporate networks. HP printers were found to be the most commonly open wireless network, while 35% of wireless access points either did not use encryption or security defenses were found to be particularly weak.

Plugging wireless device security vulnerabilities is not always straightforward. Organizations need to change the default password on the devices, yet many do not do so because it causes connectivity problems. However, if wireless device security vulnerabilities are not addressed they could allow hackers to bypass an organization’s security defenses and gain access to internal networks.

Wireless Device Security Vulnerabilities Are Being Exploited by Hackers

A recent survey conducted on 400 IT security professionals showed that 55% of respondents had already witnessed a cyberattack via wireless devices. 86% said that they were concerned about wireless device security vulnerabilities.

Pwnie Labs found that many wireless printers are left with default settings active, although some do not even have a username and password set allowing anyone to connect. If the wireless printer is hardwired to an Ethernet network, gaining access to the printer via Wi-Fi could allow a hacker to also gain access to the network to which the printer is connected.

The devices are designed to make connection as easy as possible, and this feature can all too easily be exploited by attackers. If an attacker sets up a malicious access point and used the same SSID as that used by the manufacturer to configure the printer, the printer could automatically connect to that network.

To prevent this, remove open wireless networks from the preferred network list on the printer. Alternatively, ensure that the printer does not automatically connect to open wireless networks.

If a wireless printer is used as a network printer via an Ethernet connection, it is essential to disable Wi-Fi functionality to prevent the device from being used as a wireless bridge to the wired network. If there is no need for a wireless printer to be hardwired to a network, ensure that it isn’t and use strong encryption to connect wirelessly to the device.

Printers are not the only devices that can be used in this fashion. All devices with wireless functionality must be subjected to a full risk assessment. If wireless networks are not used by an organization, devices with wireless capability must have the function disabled. If wireless networks are in use, all devices must be carefully configured to reduce the risk of attack.

Enterprise Malware Attacks Increasing: Malware Infections Increased 73 pc in 2015

Last year saw a massive increase in the number of recorded enterprise malware attacks, with hackers also targeting public sector organizations and government agencies with increased frequency. According to the new Dell Security Annual Threat Report, malware attacks virtually doubled in 2015, and reached a staggering 8.19 billion worldwide infections.

The new report makes for worrying reading. The current threat level is greater than ever before and the volume of enterprise malware attacks now taking place has reached unprecedented levels. Organizations that fail to implement robust controls to protect their systems from malware downloads are likely to be attacked.

Dell Reports a 73% Increase in Malware Infections in 2015

To compile the report, Dell gathered data from its Dell SonicWALL Global Response Intelligence Defense network. In 2014, Dell SonicWALL received approximately 37 million unique malware samples. In 2015, that figure increased to 64 million: An increase of 73%. Dell noted increases in malware, ransomware, viruses, Trojans, worms, and botnets in 2015.

Not only is the volume of malware increasing, the vectors used to infect devices and networks are now much broader. Cybercriminals are also getting much better at concealing infections and covering their tracks. When malware is eventually discovered on systems, it has usually been present and active for some time.

Hackers are now using anti-forensic techniques to evade detection, steganography, URL pattern changes, and are modifying their landing page entrapment techniques. Command and Control center communications are also being encrypted making it harder to identify communications from infected devices and systems. Oftentimes, it is communications between malware and C&C servers that allow anti-malware and intrusion prevention systems to identify malware infections.

Spam email is still being used to deliver malicious software although drive-by attacks have increased. IoT devices are also being used to install malware due to the relatively poor security of the devices.

Enterprises now have a much broader attack surface to defend, yet security budgets are often stretched making it difficult for IT security teams to install adequate defenses to repel attacks using such a diverse range of attack vectors. It may not be possible to implement robust defenses to repel all attacks, although by concentrating on the most commonly exploited weaknesses the majority of enterprise malware attacks can easily be prevented.

How to Defend Against Enterprise Malware Attacks

The majority of successful enterprise malware attacks could have been prevented had basic security measures been implemented and had industry security best practices been adopted. Hackers may be using ever more sophisticated methods to infiltrate systems and steal data, but in the majority of cases they do not use zero-day vulnerabilities to attack: Well-known security weaknesses are exploited.

All too often enterprise malware attacks are discovered to have occurred as a result of unpatched or outdated software. Oftentimes, patches and software updates have been available for months prior to attacks taking place. One of the best defenses against cyberattacks is to adopt good patch management practices and ensure that software updates are applied within days of release.

Email spam is still used to deliver a wide range of malware and malicious software, yet spam email is easy to block with a robust spam filtering solution such as SpamTitan. Along with staff training on phishing email identification and basic security best practices, malware infections via email can be easily prevented.

It is also strongly advisable to implement an enterprise web filtering solution. Allowing employees full access to the Internet can leave a business susceptible to drive-by malware downloads. A web filtering solution such as WebTitan Gateway – or WebTitan Cloud for Wi-Fi networks – can prevent malicious file downloads, malvertising, and limit the risk of drive-by enterprise malware attacks.

Using a firewall capable of inspecting every packet and validating all entitlements for access is also advisable. Since hackers are also using SSL/TLS encryption to mask C&C communications, it is a wise precaution to use a firewall that incorporates SSL-DPI inspection functionality.

Locky Ransomware: New Threat Installed Using Malicious Word Macros

Locky ransomware is a new threat believed to emanate from the hacking team behind Dridex malware. The new threat is being delivered via spam email and is disguised as a Microsoft Word invoice. If macros are enabled, or if the macro contained in the infected Word file is run, a script will download Locky ransomware: A 32-bit executable file containing a dropper. That dropped malware will run from the %TEMP% folder and will disguise itself as svchost.exe.

Locky ransomware will search for files stored on the infected device and will rename them and add the extension locky. The renamed files cannot be identified by the user. They are given a unique file ID along with a unique ID for each user. Files are locked using RSA-2048 and AES-128 ciphers and all communication between Locky and its command and control server are encrypted.

Once files have been encrypted, a text file will be saved to the desktop detailing the actions that must be taken by the victim in order to restore their files. A bitmap containing the instructions is also set as the user’s wallpaper.

Links are supplied which the user must access via the Tor network and further instructions unique to that user are detailed on a unique webpage for each user. Users are instructed how to buy Bitcoin and how to send the ransom of 0.5 to 1.0 Bitcoin (around $200-$400) to the attackers. Upon paying the ransom the victim will receive a security key which will enable them to unlock their files. Locky ransomware encrypts data stored on local drives, removable media, and ramdisks, although it is also capable of encrypting data on network resources.

Locky ransomware can only be installed if a malicious macro contained in the Word file is run. Opening the infected Word document will not result in the device or network being infected until macros have been enabled. If this happens, the Word document macro will save a file to the device (Troj/Ransom-CGX) which will act as a downloader and will install the ransomware payload.

Once downloaded the payload will start to encrypt a wide range of files. Those files include documents, multimedia files, images, office files, and source code. Shadow copies (VSS files) on the device will also be removed. Even the wallet.dat file is encrypted, leaving Bitcoin users no alternative but to pay the ransom. The ransomware will encrypt files on any connected or mounted drive, and will lock files regardless of the operating system used.

Any user logged in with administrator privileges when Locky ransomware strikes will see a considerable amount of damage caused, leaving them no alternative but to pay the ransom to unlock files. Bear in mind that the above ransom amounts have been seen for individual users. There is no telling what ransom will be demanded if a business user is infected.

How to Protect Against Locky Ransomware Attacks

There are a number of ways that businesses can protect their networks from a Locky ransomware attack. The first is to prevent the malicious word document from being delivered.

  • A robust anti-spam filter can filter out malicious emails and quarantine them, preventing phishing and malicious spam emails from being delivered to end users’ inboxes.

 

  • Staff training is essential in case malicious emails find their way into end users’ inboxes. Employees must be warned of the risks of ransomware and other malware, told how the malicious software is delivered, and how to identify potentially malicious emails. End users must be told never to open a file attachment sent from someone they do not know.

 

  • All devices with Word installed should have macros disabled. If users are required to use macros, they should enable them to work on files and disable the macro function when the task has been completed. If macros are set to run automatically, opening an infected Word document will allow malicious code to run automatically.

 

  • Portable drives should not remain connected when they are not in use.

 

  • Users should never log in as an administrator unless it is strictly necessary. Always log in without administrator rights unless they are necessary for a particular task to be performed and log out afterwards.

 

  • Regularly backup important files (daily) and store backups off site.

 

  • Not all malware is delivered via spam email. Hackers are increasingly using FTP sites, file sharing websites, and compromised websites to deliver malware. Blocking these sites using a web filtering solution such as WebTitan is strongly advisable. WebTitan can also block files commonly used to deliver malware (BAT, SCR, and EXE files).

 

  • Patches should be installed promptly and browsers and plugins updated as soon as patches and updates are released. Security vulnerabilities can be exploited via malicious websites and malware and ransomware downloaded without any user action.

School Web Filter Fails to Prevent Porn from Being Accessed in the Classroom

The failure to use a school web filter could result in children gaining access to hardcore pornography in the classroom. If a school web filter is used, it is essential to ensure that it is configured correctly. Two Canadian parents have just discovered that porn is still accessible via classroom computers after conducting a simple test at their daughters’ school.

In this case, the Internet could only be accessed at the elementary school in Markham, Ontario, using a valid account and Internet access is supervised, so the chance of children viewing adult content is limited. That said, if children want to view porn they would not be prevented from doing so.  The software solution that had been put in place did not block pornography and other adult content from being displayed.

After gaining permission to use her daughter’s Internet login, Eva Himanen conducted a simple search on Google to see whether it was possible for images of an adult nature to be viewed in the classroom. She did this by typing the search terms “porn” and “naked sex” into Google.

Rather than images and search listings being blocked, the search brought up numerous thumbnail images of exactly the material one would expect such as search to produce.  There were also listings of a wide range of porn websites that had not been blocked. A school web filter was allegedly in place, but images were still displayed.

Access to the Internet is controlled by logins and parents and children are required to sign an acceptable use form each year. However, while students may agree not to search for adult website content, that does not prevent them from viewing inappropriate material.

If a child was able to access pornographic images without being spotted by a teacher, it is likely that the Internet use would be discovered. Logs of all websites visited are maintained by the school and are regularly checked. Any websites of an adult nature that are accessed would be tied to an individual child’s login and action would be taken again that individual. However, the damage would have already been done. If one student was to perform such a search and break the rules, other children’s may also be affected.

The Importance of Implementing Robust but Flexible School Web Filter

Blocking access to certain sections of the Internet is straightforward with WebTitan. WebTitan’s school web filter is quick and easy to implement and can offer protection in a matter of minutes. It is possible to block websites by category as well as by keyword term, and blacklists can be uploaded easily.

One of the problems that can occur with a school web filter is the overblocking of website content. It is possible that blocking a particular category of website, or a specific keyword term such as “sex”, would result in some website content being blocked incorrectly. This could potentially prevent individuals from accessing sexual education material, some of which may be required under the curriculum.

A web filter may therefore require a certain degree of fine tuning. False positives will always occur with any web filter, although careful implementation and choice of keyword terms and website categories will keep this to a minimum, while ensuring that harmful content is blocked. Using a flexible, and easy to use school web filter such as WebTitan will make this as straightforward as possible.

WebTitan’s web filtering solutions for schools have a high degree of granularity, allowing potentially harmful content to be easily filtered, while ensuring that valuable educational material is still displayed. It is still important to have allowable use policies in place, but should a student attempt to break the rules, they would still be prevented from viewing adult content, and their actions would be logged to allow action to be taken.

For further information on the full range of features of WebTitan’s school web filtering solutions, contact the sales team today for advice.

Contact Information:

US Sales +1 585 973 5080

UK/EU Sales +44 (0)247 699 3641

IRL +353 91 54 55 00

or email us at info@webtitan.com

The Healthcare Ransomware Threat is Increasing

The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.

The healthcare provider’s electronic health record system (EHR) was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.

What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”

The Healthcare Ransomware Threat is Very Real

Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.

There is no guarantee that the attackers will pay of course. They could just demand even more money. There have also been cases where the attackers have “tweaked” their ransomware, but accidentally broke it in the process. Even if a ransom was paid, it would not be possible to unlock the data.

Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.

The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.

Ransomware Attack Raises a Number of Questions

This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In event of emergency, such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is, if computers or networks are taken out of action, the protected health information of patients cannot be lost.

The reality however, is that restoring computer systems after a ransomware attack may not be quite as straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.

Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probably that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may have actually been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.

Dealing with the Healthcare Ransomware Threat

Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.

Furthermore, healthcare providers must ensure employees are trained how to spot a malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put the malware identification skills to the test.

Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and malvertising should be blocked. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.

There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.

Medical Equipment Cybersecurity: Tomographic Scanner Hacked via Hospital Wi-Fi

In recent months, concern has been growing over the lack of medical equipment cybersecurity protections in place at hospitals and medical centers. Healthcare providers are being targeted by cybercriminals for the confidential data they store on patients. Medical devices, and their associated computer hardware, could potentially be targeted by cybercriminals. Medical device security is often overlooked by health IT professionals, and the manufacturers of the devices often fail to make their equipment secure.

Healthcare providers store Social Security numbers, health insurance data, financial information, and the personal information of patients. These data have a high value on the black market as they can be used by criminals to commit identity theft and a multitude of fraud.

Cyberattacks on hospitals and health insurers are increasing, and while cybersecurity protections as a whole are improving, the industry still lags behind other industry sectors when it comes to implementing robust cybersecurity protections. Numerous security vulnerabilities are often allowed to exist, making it relatively easy for hackers to take advantage.

Medical equipment cybersecurity is particularly lax. The devices may not provide easy access to the types of data sought by identity thieves in some cases, but they are networked. If access is gained, attacks on other parts of a healthcare network could take place.

If hackers are able to gain access to a medical device a considerable amount of harm could be caused. A malicious hacker could alter or delete data, crash the device, or steal data stored on the device or the computer connected to it.  If settings can be altered patients could be seriously harmed. Doses of medication could be altered or medical diagnoses or test results changed, with disastrous consequences for the patient.

Expensive equipment could be sabotaged or the devices could be locked with ransomware. The ransomware infection of Hollywood Presbyterian Medical Center this month shows that the threat of malware is very real. In fact, attacks on hospitals can be very lucrative for hackers. The hospital recently paid $17,000 for security keys to unlock its EHR system after a ransomware infection took it out of action.

How Bad Are Medical Equipment Cybersecurity Protections?

So how bad are medical equipment cybersecurity protections? Recently, Sergey Lozhkin of Kaspersky Lab decided to find out. He recently announced the results of his attempts to hack medical devices at the 2016 Security Analyst Summit (SAS 2016) in Tenerife.

Lozhkin set out to hack a hospital and succeeded in doing just that by exploiting a lack of medical device cybersecurity protections at a hospital. The hack started with a search using the Shodan search engine. Lozhkin discovered a number of hospital devices and contacted the owner. Along with his friend, he decided to conduct a penetration test to see just how easy it was to gain access to the devices. The senior managers of the hospital were aware of the test and secured real data to prevent any unauthorized disclosure or data loss as a result of the test.

The first attempt at hacking the medical devices failed. The hospital’s systems administrator had done a good job of securing systems from external attack. However, the second attempt at hacking was successful. Lozhkin decided that instead of attacking from home, he would travel to the hospital and try to attack from within. However, physical access to the hospital was not necessary. He was able to hack the hospital from his car, since he could park outside and gain access to the hospital’s local Wi-Fi network.

Once he hacked the network key he was able to gain access to a tomographic scanner. By exploiting a vulnerability in an application he gained access to the file system of the device and was able to view (fake) patient data. The real data had been secured prior to the test. In this case, the hack was possible because the hospital’s systems administrator had made a fundamental mistake, having connected a medical device to the hospital’s public WiFi network.

Forget Medical Equipment Cybersecurity Protections at your Peril

If medical equipment cybersecurity protections are insufficient, it may be hacktivists or data thieves that gain access to data rather than pen testers. Hospitals must ensure that medical equipment cybersecurity protections are put in place, but security must also be tested to ensure cybersecurity defenses actually prevent access to medical devices and the sensitive data they contain.

Better medical equipment cybersecurity protections must also be incorporated into the design of medical devices by the manufacturers to make sure medical equipment is harder to hack.

California Data Breach Report: Majority of Cyberattacks Easily Preventable

According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.

However, that was not the case and over the course of the past 4 years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.

The California data breach report includes a summary of data breaches reported to the attorney general’s office between 2012 and 2015. From 2012, the California Attorney general’s office needed to be notified of a breach of personally identifiable information if more than 500 state residents were affected.

Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.

In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.

2015 was a Bad Year for Data Breaches in California

The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.

The California data breach report was compiled to show just how bad the current situation is. According to State attorney general Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.

Harris points out in the introduction to the 2016 Californian data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers,” she goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”

California Data Breach Report Summary

The main findings of the 2016 California data breach report are listed below:

  • The biggest data security threats are malware and hacking
  • Malware and hacking exposed 54 percent of records and accounted for the most data breaches (365)
  • Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
  • Malware and hacking caused 90% of retail data breaches
  • Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches.
  • Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
  • Errors and employee/employer negligence accounted for 17% of data breaches
  • Medical records were exposed or stolen in 19% of reported breaches
  • Payment card information was stolen in 39% of data breaches
  • Small businesses reported 15% of data breaches

According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third being involved in 16% of data breaches.

Data Breach Prevention – Improve Protection Against Malware

The prevention of cyberattacks requires multi-layered security systems, although in the majority of cases data breaches were found to be the result of a failure to update software and apply patches. The security vulnerabilities that were exploited by hackers or used to install malware had been discovered and patched. In the majority of cases, patches had existed for over a year but had not been installed.

Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.

If staff are also trained to identify malware and potentially harmful emails and attachments, a great deal of malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited and used to download malware without any user interaction required.

These infections are referred to as drive-by attacks, and they can occur if a user can be directed to a malicious website or a site that has been compromised by cybercriminals.

Third party advertising networks can contain adverts with malicious links that direct visitors to sites where drive-by attacks can take place. Those adverts can appear on legitimate websites. Even some of the biggest sites on the Internet have been discovered to display malvertising. These threats must be dealt with to prevent data breaches from occurring.

Protecting against malware delivery via the Internet requires a different solution: a web filter.

Protect End Users from Web-Borne Malware Threats with WebTitan

WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.

By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.

For further information on the benefits of WebTitan’s web filtering solutions contact the Sales team today:

US Sales +1 585 973 5080

UK/EU Sales +44 (0)247 699 3641

IRL +353 91 54 55 00

Alternatively send an email to sales@webtitan.com or visit the webpages below:

https://www.webtitan.com/webtitan/

https://www.webtitan.com/webtitan-cloud-for-wifi/

TalkTalk Underestimates Cost of a Data Breach

The cost of a data breach can be considerable, as has been clearly demonstrated by the hacking of TalkTalk. The hacking of the UK-based Internet service provider resulted in 157,000 customer accounts being compromised, with 15,656 bank account numbers and sort codes stolen by the hackers.

The group of hackers responsible for the security breach spoke to the media soon after and talked of the poor security at TalkTalk, and how easy it was to gain access to sensitive customer data. One of the hackers even said that in one instance, a three-digit password had been used to secure an account.

The hacking incident triggered a media storm which tarnished the ISP’s image and resulted in many customers changing ISP to one that was perceived to offer better security. As to how many customers have changed their mind about signing up with TalkTalk, that is unlikely to ever be known.

Soon after the discovery of the extent of the data breach, TalkTalk chief executive Dido Harding told the BBC that the company still expected its end of year results to “be in line with market expectations,” and that the data breach would likely result in one-off costs of between £30-£35 million.

However, the ISP seriously underestimated the fallout from the hacking incident, with the current costs now double the initial estimate at £60 million: Enough to make a noticeable dent in the company’s profits. That cost was broken down as one-off costs of around £45 million and a trading impact of £15 million.

The Cost of a Data Breach is Easy to Underestimate

The cost of a data breach is difficult to accurately calculate. It is possible to arrive at a reasonable estimate of the cost of breach resolution measures. The cost of implementing new security controls to prevent future cyberattacks is fairly easy to predict, as is the cost of mailing breach notification letters to customers. What it is much harder to estimate is the loss of business as a result of a breach of customer data.

TalkTalk took the decision to offer customers a free upgrade of services and told those affected financially be the breach that they would be free to leave without penalty. Since customers were not permitted to change without a cost if they had not suffered losses, many had to wait until their contract expired before switching provider. According to the latest figures, the company lost 101,000 customers as a result of the data breach.

The decision to offer a free upgrade of services proved to be a wise move, not only to prevent customers who had been affected by the data breach from leaving, but to convince other customers to stay. The free upgrade has reportedly been taken up by around 500,000 customers. Even with that upgrade, the company understandably experienced a higher churn rate, with many not choosing to renew their contracts when they came to an end.

The total impact on revenue was estimated to be around 3%, although the company appears to now be recovering with the churn rate having improved in the past two months. According to Harding, “Trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

Security Risk From Java Runtime Environment Security Highlighted by RAT Discovery

Kaspersky Lab has recently discovered the extent to which a remote access Trojan is being used by cybercriminals, highlighting the security risk from Java Runtime Environment.

Kaspersky Lab discovered that the Adwind remote access Trojan (RAT) discovered in 2012 is being used extensively by cybercriminals to conduct attacks on businesses. The RAT is frequently tweaked to avoid detection with numerous variants currently in use in the wild. The RAT has many names in addition to Adwind, with Alien Spy, JSocket, jRat, and Sockrat just a few of the names of the Adwind malware variants.

The Java-based RAT is now being rented out to criminal gangs to allow them to conduct their opportunistic attacks on companies and individuals, sometimes for as little as $25. Kaspersky Lab estimates that the number of criminals now using the malware has risen to around 1,800. The malware is estimated to be raking in around $200,000 a year for the authors. To date, it is estimated that the RAT has been used to attack as many as 440,000 users.

The frequency of attacks is also increasing. In the past 6 months, around 68,000 new infections have been discovered.

Have You Effectively Managed the Security Risk from Java Runtime Environment?

The latest variant is known as JSocket. The malware is believed to have first appeared in the summer of 2015 and is still being extensively used. The RAT is most commonly spread by phishing campaigns with users fooled into running the Java file, installing the Trojan. While the RAT is primarily distributed by large-scale email spam campaigns, some evidence has been uncovered to suggest it is being used as part of targeted attacks on individuals and organizations.

This is a cross-platform malware that can be used on Windows, Linux, Android, and Mac OS systems. It serves as a backdoor allowing cybercriminals to gain access to the system on which it is installed, effectively allowing them to take control of devices, gather data, log keystrokes, and exfiltrate data. It is also capable of moving laterally. It is written entirely in Java and can be used to attack any system that supports the Java Runtime Environment.

The security risk from Java Runtime Environment is considerable. Kaspersky Lab recommends that all organizations review their use of JRE and disable it whenever possible.

Unfortunately, many businesses use Java-based applications, and disabling or uninstalling JRE is likely to cause problems.  However, it is essential to manage the security risk from Java Runtime Environment to prevent infections from Adwind and its variants.

If there is no need for JRE to be installed on computers, it should be removed. It represents an unnecessary risk that could result in a business network being compromised.

If it is not possible to disable JRE, it is possible to protect computers from Adwind/JSocket. Since this malware is commonly sent out as a Java archive file, the code can be prevented from running by changing the program used to open JAR files.

Have you managed the security risk from Java Runtime Environment? Is JRE unnecessarily installed on computers used to access your network?

What is the Motivation Behind Cyberattacks? Study Offers New Insights

Many security professionals would like to know what is the motivation behind cyberattacks? How much do hackers earn? What actually motivates hackers to attack a particular organization? How long do hackers try before giving up and moving on, and how profitable is cybercrime for the average hacker?

A recent survey commissioned by Palo Alto Networks provides some answers to these questions and offers some insight into the minds of hackers. The results of the survey suggest that cybercrime is not as profitable as many people think. In fact, “the big payday” is actually something of a myth, certainly for the majority of hackers.

There is a common misconception that cyber attackers are tirelessly working to breach the defenses of organizations and are raking in millions from successful attacks; however, the survey results indicate otherwise.

The Ponemon Institute asked 304 threat experts their opinions on the motivation behind cyberattacks, the money that can be made, the time invested by hackers, and how attackers choose their targets.

The respondents, based in Germany, the United States, and the United Kingdom, were all involved in the threat community to varying degrees. 79% of respondents claimed to be involved in the threat community, with 21% of respondents saying they were “very involved.”

What is the motivation behind cyberattacks?

The study cast some light on what is the motivation behind cyberattacks, as well as offering some important insights into the minds of hackers. There is a threat from hacktivists and saboteurs but, in the majority of cases, attackers are not intent on causing harm to organizations. The majority of cybercriminals are in it for the money. The motivation behind 67% of cybercrime is money.

However, in the majority of cases, it would appear that there is not actually that much money to be made. If hackers were to find employment as security professionals and use their skills to protect networks from hackers, they would likely earn a salary four times as high, and they would get sick pay, holiday pay, and medical/dental insurance.

How much do hackers earn?

Anyone interested in how much hackers earn may be surprised to find out it is not actually that much. The study determined that a technically proficient hacker would be able to conduct just over 8 cyberattacks per year, and an average of 41% of those attacks would not result in the attacker receiving any compensation.

The profits from cybercrime were found to be fairly constant regardless of where the criminals were based. In the United States a single cyberattack netted the perpetrator an average of $15,638. In the United Kingdom attackers earned an average of $12,324, and in Germany it was $14,983.

So how much to hackers earn? Take away the cost of the toolkits they purchase – an average of $1,367 – and the Ponemon institute calculated the average earnings for a cyber attacker to be in the region of $28,744 per year. That figure was based on 705 hours spent “on the job” – around 13.5 hours per week. While it is clear that some hackers earn considerably more, the average hacker would be better off getting a real job. IT security practitioners earn 38.8% more per hour.

How can the survey data be used to prevent cyberattacks?

The survey probed respondents to find out how determined hackers were at breaching the defenses of companies. Surprisingly, it would appear that even if the potential prize is big, hackers tend not to spend a great deal of their time on attacks before moving on to easier targets.

72% of hackers are opportunistic and 69% of hackers would quit an attack if a company’s defenses were discovered to be strong. Ponemon determined that an attack on a typical IT security infrastructure took around 70 hours to plan and execute, whereas a company with an excellent infrastructure would take around 147 hours.

However, if a company can resist an attack for 40 hours (less than two days) 60% of attackers would move on to an easier target. Cybercriminals will not waste their time attacking organizations that make it particularly difficult to obtain data. There are plenty of much easier targets to attack.

Install complex, multi-layered defenses and use honeypots to waste hackers’ time. Make it unprofitable for attackers and in the majority of cases attackers will give up and move on to easier targets.

Employee Security Training Can Greatly Improve Security Posture

Employee security training is an essential part of an organization’s defense against cyberattacks, yet many CISOs and CSOs are not conducting regular training. In fact, according to a survey conducted last year on behalf of ClubCISO, one in five CISOs (21%) said they had never given security training to their staff.

This could indicate overreliance on technological security measures to prevent cyberattacks, such as firewalls, anti-virus and anti-malware software, anti-spam filters, and web filters. Organizations may have confidence in their policies and procedures. CISOs may even believe that their organization is unlikely to be attacked. Regardless, of the reason, a lack of training leaves a gaping hole in security defenses.

Employee Security Training Is A Cost-Effective Way of Improving Security Posture

IT departments are well aware that employees are a weak link in the security chain and can all too easily undo all the good work done to keep data and networks secure. All it takes is for one employee to open a Word document and enable malicious macros, visit a compromised website, or inadvertently download malware for a network to be compromised.

If you want to improve your security posture, one of the easiest and most cost-effective ways to protect your network is training employees how to identify security risks. CISOs, CSOs, and IT staff may be well aware that opening an email attachment from someone they don’t know is risky. Not all employees will be so security-minded and may not appreciate the risk they are taking by opening an email attachment or visiting a link sent to them via email. Failing to train employees on these security basics is like leaving your front door unlocked when you go on vacation. A little training can go a very long way.

Employee Security Training Should Not Be A One-Time Event

Many organizations realize that training is important, yet still only conduct security training sessions once a year. Security training may only be given to new recruits when they join a company. The ClubCISO survey revealed that one in five employers only provided training to new employees, and 37% carried out training just once a year. Only 21% said they conducted regular security training sessions.

Furthermore, when training was provided, more than half of organizations had no idea about how effective their training had been. Training was given in a checkbox fashion in order to meet industry security regulations. Once provided, documents could be signed by employees to confirm that training had been provided, which would be sufficient if ever the organization was audited by industry regulators. However, it may not be sufficient to prevent a successful cyberattack. Employee security training is not a one-time event. It should be provided in regular training sessions, knowledge should be tested, and a security culture should be developed.

Getting Staff Cybersecurity Training Right

It is all too easy to purchase a new security product and hope that it is 100% effective and will prevent a cyberattack from being successful, but no system is infallible. Cybersecurity defenses must be multi-layered, and end users must be part of any defense strategy. After all, cybercriminals will target end users as they offer an easy entry point into a corporate network.

Employee security training is not something that is enjoyed by the staff, and many employees would prefer not to have to undergo training. Many employees don’t concentrate and forget their training almost immediately. Conducting a training session is therefore not sufficient by itself. Online security training is similarly unlikely to be particularly effective if the staff is not then tested on their new knowledge of security.

It is therefore important to make employee security training a regular exercise and to follow up training with testing to ensure that it is taken more seriously. Consider rewarding employees for taking part in training exercises. Make sure employees are given support, and if a test is failed, such as a phishing exercise, ensure that employees who need further training are given extra help.

Employee security training is not just something that is beneficial to employers. Employees also benefit. They can use training to keep their own online activities secure outside of the office, or can use training to protect their children when they go online. Explain the relevance and inform employees that the skills they learn can help to keep them safe outside work.

Get the Board to Back Security Training Efforts

All too often there is a lack of awareness of level of risk faced by organizations at the board level. Employee security training may be considered to be an unnecessary use of time and resources. Without board buy-in, CISOs are likely to face an uphill battle.

Employee security training will require support from the board and for that to happen it may be necessary for CISOs to explain the relevance and importance of employee security training. If you feel that your board does not appreciate the benefits, send the board members a dummy phishing email. If they click the link or open a bogus attachment, it may help them to understand the high risk of employees doing the same. Without buy in from the board it will be difficult to develop a worthwhile and effective training program.

With the current threat from malware, ransomware, phishing, and hacking, it is essential to take action to defend all attack surfaces. Since employees are often the weakest link in the security chain, they are a great place to start to improve overall security posture.

WiFi Hotspot Security Top Concern for Security Industry Professionals

A survey recently conducted by the Cloud Security Alliance (CSA) has shed light on the biggest fears of security professionals, with WiFi hotspot security ranking as one of the major concerns. Unsecured WiFi hotspots and rogue WiFi access points ranked as the two of the biggest threats to mobile computing in 2016.

Over 210 security experts took part in the CSA survey, with respondents from all around the world sharing their opinions on the top threats to mobile computing in 2016. It will come as no surprise that WiFi hotspot security is keeping many IT professionals awake at night. The security threats from public WiFi hotspots have long been known to security pros. Unfortunately, more employees are now using their work devices to connect to unsecured public WiFi hotspots.

Unsecured WiFi hotspots are often a hive of criminal activity, with hackers and other cybercriminals quick to take advantage and spy on Internet users. Login names and passwords are stolen, man-in-the-middle attacks take place, and installing malware on mobile devices couldn’t be any easier.

Employees are increasingly using public WiFi in coffee shops and restaurants to check work emails on mobile phones, many professionals work on trains on their commute to work, and hotel WiFi is used by executives on business trips.

If malware can be installed on these workers’ mobile devices, those infections can all too easily be transferred to business networks. Unfortunately, while employers can implement allowable use policies and train staff to be more security aware, preventing employees from using their devices on public WiFi networks is a difficult task. That task is made all the more difficult for organizations with a BYOD policy that permits the use of personal Smartphones and laptops.

81% of Security Pros Concerned about WiFi Hotspot Security

Eight out of ten IT security professionals ranked WiFi hotspot security as one of their biggest concerns, with the risk of data theft and network compromise only likely to get worse as portable device use grows. One of the biggest problems is rogue WiFi hotspots set up by cybercriminals. Hackers know all too well that a great many Internet users will connect to WiFi automatically, without even checking the legitimacy of a free WiFi network.

To protect users’ devices and keep corporate networks secure, security training must be provided to staff. It is imperative that employees are trained on basic security measures and are made aware of the considerable risk of using unsecured WiFi networks. As security awareness improves, secure WiFi networks will be sought.

Consequently, any business offering a secure WiFi network for customers is likely to win more business. Hotel chains offering secure WiFi are likely to attract more business customers if they provide a secure WiFi network with safeguards to prevent malware infections, man-in-the-middle attacks, and make Internet browsing more secure.

Improving WiFi Hotspot Security with WebTitan Cloud for WiFi

At WebTitan, we are well aware of the risks to device and network security from the use of unsecured WiFi hotspots, and the opportunities that exist for businesses and service providers that can offer safer WiFi access. This is why we developed WebTitan Cloud for WiFi.

WebTitan Cloud for WiFi offers service providers and businesses a low cost method of securing WiFi networks, allowing a safe browsing environment to be created for clients, guests, and customers.

WebTitan Cloud for WiFi allows providers of WiFi hotspots to restrict the sites that can be visited, reducing the risk of malware infections and the nefarious activity often associated with unsecured wireless WiFi.

Many wireless WiFi providers are deterred from implementing a web filtering solution due to the complexity of the task, especially when multiple routers are used across a number of different locations. However, our 100% cloud-based solution makes securing multiple WiFi hotspots a quick, easy, and painless process.

WebTitan Cloud for WiFi Benefits

  • 100% cloud-based web filtering solution requiring no software installation
  • Secure WiFi hotspots even with dynamic or changing IP’s
  • Straightforward management with an easy to follow cloud-based administration control panel
  • Central control of a limitless numbers of routers in any number of locations
  • A full suite of reporting functions to gather valuable customer intel
  • Secure WiFi access for any device that joins the network
  • No impact on broadband speed

 

Find out how you can benefit from improving your WiFi hotspot security by calling the WebTitan team today

Cost of Bot Fraud to Rise to 7 Billion in 2016

The cost of bot fraud in 2016 is likely to rise to a staggering $7.2 billion, according to a new report by the Association of National Advertisers (ANA).

2015 Bot Baseline study places the cost of bot fraud at over $7 billion

The study, conducted in conjunction with WhiteOps, shows that despite efforts to reduce the impact of bot fraud, criminal gangs are still managing to game the online advertising industry. Advertisers are being tricked into thinking that real visitors are viewing their adverts and are paying for those visits, when in actual fact a substantial percentage come from bots.

For some companies the losses were shocking. The highest losses were reported to have cost one company $42 million over the course of the year. However, even smaller companies did not escape unscathed. The cost of bot fraud for the least affected advertiser was $250,000.

ANA studied 1,300 advertising campaigns conducted by 49 major companies over a period of two months from August 1, 2015., to September 30, 2015. The results of the study were then extrapolated to provide the cost of bot fraud for 2016.

The study examined more than 10 billion ad impressions to determine the percentage that were real visitors. To distinguish bot visits from the human visits, ANA/WhiteOps added detection tags to the advertising campaigns under study.

The same study was conducted back in 2014 and this year’s results show that virtually nothing has changed, with just a fall in bot fraud of just 0.2% registered. The level of bot fraud has remained constant, although the cost to companies has increased.

In 2014, online advertisers were estimated to have lost around $5 billion to bot fraud, with the rise in cost of bot fraud due to an expected increase in advertising investment over the course of the next 12 months.

Last year, brands suffered an average of $10 million in losses to bot fraud. That’s an average of $10 billion paid to advertise to bots. For 25% of companies, 9% of impressions go to non-human traffic.

Methods of bot detection have improved, but they are clearly not having much of an effect on the cost of bot fraud for advertisers. As detection methods improve, bot operators have improved their ability to obfuscate their bot visits.

Unfortunately, it is difficult to distinguish bot traffic from real traffic as more residential IP addresses are being used, and the bots are becoming better at mimicking real browsing habits.

Data Privacy Concerns in Britain Highlighted by New Study

A new study has revealed that British consumers are becoming increasingly worried about how companies are using the data they provide online. Data privacy concerns in Britain are now at a level where more people worry about their data and how it is being used than about losing their main source of income.

The National Cyber Security Alliance GB Consumer Privacy Index/TRUSTe study results were released in time for European Data Protection Day on January, 28: An international day which aims to improve consumer awareness of data privacy issues, and encourages businesses to do more to ensure that stored data are properly protected.

Now in its tenth year, Data Protection Data (Data Privacy Day in the United States), is recognized by over 47 EU countries. A number of privacy initiatives are launched on January 28, and efforts are made to improve awareness of the types of data that are being collected on consumers, how they are being used, and the risks that come from providing those data to companies.

This year, there is a major focus on increasing awareness of how companies are sharing the data that are provided to them by consumers.

Study reveals major data privacy concerns in Britain

The online survey, conducted by Ipsos, took a representative sample of 1,000 individuals in the UK and probed attitudes to data privacy and the measures currently being adopted by consumers to protect online privacy. Respondents were asked about online browsing habits from a privacy perspective, and trust issues they had with websites and web applications.

955 respondents said they were concerned about their privacy online and 364 respondents said they had stopped using an app or website in the past 12 months due to privacy concerns. For many of the respondents, online privacy was such a concern that they worried more about the use and exposure of their data than losing their primary source of income. British online privacy concerns ranked 10 percentage points higher than the fear of loss of the main source of income.

Concern can be explained, in part, by the lack of transparency about how consumer data is being used by companies, and with whom they are being shared. 1 in 4 respondents claimed not to know how companies were using and sharing their data.

Privacy fears were shown to be affecting how consumers view businesses and appear to influence the use of online services. Of the individuals who were concerned about their online privacy, 76% limited their online activities as a result.

The lack of transparency about how data is used can have a serious impact on business. 89% of respondents said they avoid companies that they do not believe will do enough to protect their privacy. The message to businesses is: Fail to explain what is done with data and consumers will take their business elsewhere.

How are British privacy concerns affecting online activity?

The survey examined privacy concerns in Britain and how those concerns affected online activity in the past 12 months.

  • 46% claimed to have withheld personal information from online companies
  • 23% stopped an online transaction due to privacy concerns
  • 53% did not click on an advert as they were worried about their privacy
  • 31% avoided downloading an app or product due to a perceived privacy risk

More than half of respondents (54%) do not trust businesses to be able to store and protect their personal information online and 51% said they do not feel they are in control of their online data.

One of the ways that companies can improve trust is by allowing consumers to remove their data on request. 43% said that they would trust a company more if they were made aware how they could remove personal information if they so required.

Interestingly, while data privacy concerns in Britain are high, the majority of respondents did little to protect their privacy. For instance, 58% of respondents were aware they could delete cookies from their computers, yet only 49% did. Location tracking on Smartphones can be turned off and 44% of respondents were aware of this, yet only 28% actually disabled the feature. Only 12% of respondents read privacy policies, yet 31% claimed that they knew that they could be read.

With data privacy concerns in Britain so high, businesses that fail to do enough to secure data and protect consumer privacy are likely to lose out to companies that do. Furthermore, once online trust is lost, it can be difficult to regain.

Hidden Scripts on Servers Redirecting Users to Malicious Websites

Anti-virus software company Symantec has uncovered a new global web server infection. Hidden scripts on servers are redirecting website visitors to potentially malicious websites. So far over 3,500 hidden scripts on servers have been identified, which are being triggered when website visitors land on the compromised site. That visitor is then directed to a potentially malicious website.

This is a mass injection on a truly global scale. Hidden scripts on servers in over 75 countries have been discovered, although almost half of the compromised websites are located in the United States. 47% of infections were discovered in the U.S., 12% were discovered on servers in India, with the UK, Italy, and Japan accounting for 6% each. France, Canada, and the Russian Federation each had 5% of infections, with 4% discovered in Australia and Brazil.

The majority of compromised websites were used by businesses, and .edu, .gov, and other government websites had also been compromised.

Hidden scripts on servers pose a significant threat to website visitors

At the present moment in time the scrips have not been found to direct users to websites where drive-by malware downloads occur, nor have visitors been redirected to websites infected with malware. However, there is considerable potential for criminals to alter the scripts to deliver visitors to websites capable of delivering malware. A network of servers could be being built for a future global attack.

The malicious code injection can be found before the </head> tag. The injected JavaScript code set to run 10 seconds after the user’s browser has loaded the page. The script is used to launch multiple other scripts to mask the action from the visitor.

The scripts are understood to currently be used to collect data on users, which Symantec lists as including host IP address, Flash version, referrer, search term queries, page title, monitor resolution, user language, and URL page address. The hidden scripts could potentially be used for a wide range of malicious purposes.

All of the infections so far detected have affected a specific website content management system, although that CMS has not been disclosed. All website administrators are advised to check their websites and search for any injected code.

Should any code be located, it is not just a case of changing the administrator password and removing the script from the site. Backdoors may also have been installed and full webserver sanitization is likely to be required to totally remove the infection.

Common Data Security Threats MSPs Must Address

MSPs must not forgot to address the following common data security threats if they are to keep their clients protected from cyberattacks.

Failure to prevent malware & ransomware installation can be an expensive business. Multi-million-dollar liability lawsuits may follow if insufficient security measures have been implemented to prevent a cyberattack.

Unfortunately, all too often too little is done to keep networks protected from these common data security threats.

Common data security threats MSPs must address!

Listed below are five common data security threats that must be addressed by MSPs, yet they are all too often overlooked.

Anti-phishing protection is essential

Employees have long been known to be a major security risk. There will always be at least one employee in an organization who is a little green when it comes to protecting themselves and their work computer from hackers.

Any organization that fails to adequately protect against the risk of employee errors compromising the network will suffer a network security incident sooner rather than later. One of the biggest mistakes made is employees responding to phishing emails.

Employees must be made aware of the high risk of phishing. Hackers are now targeting individual employees with highly sophisticated campaigns. Targets are researched via Facebook and other social media networks, the senders of emails have their names and addresses spoofed, and clever campaigns are devised to get end users to download malware or visit malicious websites. Regular training on basic security such as phishing avoidance and scam email identification is therefore essential.

Take control of mobile devices used to connect to the network

Phishing is far from the only employee security risk. Employees are now bringing their own devices to work, and these devices pose a major security risk if not effectively managed. If a single employee manages to get their own personal device infected with malware, the infection could all too easily spread to a corporate network.

It is therefore essential not only to limit the individuals who are able to use personal devices for work purposes, but to ensure that any device used for work purposes is routinely monitored.

If employees are permitted to use personal devices for work, or remove laptop computers from company premises, it is essential that sensitive data stored on those devices is encrypted. Mobile devices are frequently lost or stolen and represent a considerable data security risk.

Prepare for a wave of malware attacks on Macs

Over the past few years, using a Mac meant you were protected from malware and viruses; however, last year new malware started to appear that specifically targeted Apple devices. While anti-malware protection for Macs was something that could previously be ignored, that is now no longer the case.

The volume of malware targeting Macs is expected to continue to increase this year as Apple’s market share grows. It is now important for all organizations to start preparing for a new wave of Mac attacks.

Implement a robust web filtering solution

Cybercriminals are increasing using legitimate websites to serve malware to website visitors. Recently, the MSN home page was discovered to be hosting malvertising, showing that even some of the biggest internet sites may not be entirely safe. It is therefore essential to implement a web filtering solution that can block malvertising, as well as malicious websites known to deliver drive-by malware payloads.

To keep users and networks protected, it is essential to implement safe search, block pharming URLs, malware and phishing sites, tunneling software, and malicious adverts. To avoid negative impact on the business, use a web filtering solution such as WebTitan, which offers a high degree of granularity. This will allow different individuals and users to be assigned different privileges to maximize protection and minimize the negative impact on the business.

Develop patch management policies and plug security holes promptly

Zero-day security vulnerabilities are being discovered on an almost daily basis. Once identified, exploits are rapidly shared via Darknet communities. If security vulnerabilities are allowed to remain, it is only a matter of time before they will be used for an attack. It is therefore essential that software is kept up to date and patches are installed as soon as they are released.

However, due to the sheer volume of devices, applications, operating systems, and plugins now in use, keeping on top of all of the upgrades and patches can be overwhelming. Patches must be found, installed, and tested, and all procedures must be documented for compliance purposes. Due to the security risk posed by out of date software, if the task of managing patches is becoming unmanageable, it may be time to consider using an automated patch management solution.

Worst Passwords of 2015 Revealed

If you want to keep your accounts secure, it is probably best not to use the word password as your password. However, you could do worse according to a list of the worst passwords of 2015 that has recently been published. 123456 is a much worse choice.

The list of the worst passwords of 2015 would be comical were it not for the fact that so many people actually use these words, phrases, and numerical sequences to (barely) secure their accounts. Send the list around your organization and you may even hear a few gasps as users open the document to discover that their cunning password has been revealed to the masses.

The worst passwords of 2015 list contains some absolute howlers, but also some that users may think are actually quite. Sadly though, passw0rd is not that difficult for a hacker to guess. 1qaz2wsx is better, but not by much. That also makes it onto this year’s top 25 list.

Unsurprisingly with a new Star Wars film having just been released there are a few new entries along that theme. Solo makes it on the list, as does Princess, and StarWars. Minus the capital letters of course. Leia is not on there, but that does not mean it is a good choice either.

People are very bad at choosing passwords

The list of the worst passwords of 2015 serves as a reminder that we are very bad at choosing passwords. We would all like a password that is easy to remember and can be used across all accounts, especially hackers.

Even if a password does not make it into the top 25 list of the worst passwords of 2015, instead it earned place 499, it would not keep an account secured for long if a hacker attempts to crack it. Password dictionaries are compiled, updated, and used by hackers to gain access to accounts, and it doesn’t take long to run through a list of the top 1000 password choices and try them all. If a word is in the Oxford or Merriam Webster English dictionary it will be on a hackers list as well.

The best approach to take when choosing a password is to make sure it can’t actually be remembered very easily. The longer and more complicated the password is, the harder it will be for a hacker to crack it. Special characters must be used, numbers, capital letters, and lower case as well. Since some end users will ignore this advice, it is essential to enforce the minimum number of characters and the use of capitals, numbers, and special characters.

According to SplashData, the company that compiled the list of the worst passwords of 2015, in order to keep accounts secure it is essential to create one that is hard to remember for all accounts, and to use a password manager so they do not need to be remembered. The company suggests the use of its own one of course.

However, the most popular password manager – LastPass – was recently shown not to be as secure as people may think. Hackers could all too easily spoof the viewport and obtain even the most difficult-to-guess password.

A complex, difficult-to-guess password for each site along with a password manager to help remember it is a good option, and it will help to keep accounts secure and will save sys admins from having to keep resetting user passwords.

However, the password itself is the problem really. That is what really needs to be changed. Any password-based security system is vulnerable and even two-factor authentication is not infallible.

The best choice for keeping accounts secure is to use biometric factors to verify identity, but sadly, at present the technology is too expensive for many companies to implement. The good news is the technology is becoming cheaper and before the decade is out an alternative to passwords could well be affordable enough for many businesses to implement. We will then finally be well on our way to consigning passwords to the history books.

SpashData’s List of list of the worst passwords of 2015

Listed below is SpashData’s list of the worst passwords of 2015, together with the list for 2014 for comparison. You can see that even with the increase in reported hacking incidents, many people are still choosing unsecure passwords.

the worst passwords of 2015

LastPass Phishing Vulnerability Discovered and Published

LastPass, the most popular password manager is susceptible to phishing attacks. A LastPass phishing vulnerability was recently uncovered, which could spell disaster for some LastPass users.

Could your password manager be spoofed?

One cybersecurity problem faced by business users and consumers alike is how to keep track of an increasing number of passwords. Password sharing between websites is big security no-no and for maximum security passwords must be complex and changed frequently.

A secure password needs to contain a mix of capital and lowercase letters, non-sequential numbers, special characters, and ideally should be 11 characters long. It must not include any personal information or dictionary words. In short, each password must be next to impossible to remember. Just in case you do manage to memorize it, it is essential to change it often. At least every three months, but preferably every month.

The solution for many people, business users alike, is to use a password manager. This has the advantage of remembering your passwords for you, although it has the disadvantage of exposing every one of your passwords should the unthinkable happen and the password manager be hacked.

Fortunately, when it comes to the latter, the chances are very slim. Password managers are robust and secure, right? Well that would depend on which password manager you use. If you use LastPass for instance, the most popular password manager, those passwords may not be quite as secure as many people think.

At last weekend’s ShmooCon conference, Praeside Inc., CTO Sean Cassidy demonstrated a LastPass phishing vulnerability and showed just how easy it is to spoof the LastPass password manager and obtain login credentials. The bad news is the technique is so effective it is highly unlikely that the user would even know that his or her password has been compromised.

LastPass phishing vulnerability can be exploited with very little skill

The LastPass phishing vulnerability is easy to exploit and has left many security professionals wondering whether this technique is already being used by cybercriminals to gain access to passwords. LastPass has announced that it has patched the problem and has increased security to make it harder for user details to be phished.

Cassidy discovered the LastPass phishing vulnerability some time ago. When logged out, or when a session expires, a browser notification or viewport is displayed requesting the user log back in. However, what happens if that browser window is spoofed? If the user can be redirected to a malicious website where a spoofed version of that browser window is displayed, they could be fooled into entering their login name and password, revealing it to the phisher.

If the spoofed viewport was convincing the user would enter their credentials and be none the wiser that they had been phished. Cassidy set out to prove this by creating an exact copy of the LastPass login screen and using it on a site he had purchased called chrome-extension.pw. The login screen was not just realistic; it was an exact copy. Cassidy took it from the source code of the webpage. It was identical to the real login prompt in every way.

LastPass phishing vulnerability used to capture login credentials

If the user is logged out with a known Cross-Site Request Forgery (CSRF), a spooked viewport can be displayed. Instead of being taken to the real site, they are directed to a page that just looks like the LastPass one. When the login details are entered they are sent to the LastPass API and are verified. The user will be unaware, and the attacker would have the master password. Even if 2FA is enabled a similar process can be set up to get the second authentication factor.

According to Cassidy, a security measure designed to alert the user if their account has been accessed from an unusual IP address would not be triggered if 2FA had been enabled on the account.

lastpass-2fa-spoof

LastPass has now made a change and the email alert will be sent to the user regardless of whether they have 2FA set up or not. Should they be phished, they will at least be aware of it. LastPass has also blocked websites from logging users out and further security measures are planned that will notify users bypassing the viewport.

However, since Cassidy has released the tool that demonstrates the LastPass phishing vulnerability and how it can be exploited, it is possible that other attackers could take advantage and create their own versions. LastPass has issued a statement confirming that with the email verification corrected and a patch issued to resolve other security vulnerabilities, the issue is resolved. It would only be possible for the phishing attempt to succeed if the user’s email account has been compromised.

Kaspersky Lab Uncovers Microsoft Silverlight Security Vulnerability

A Microsoft Silverlight security vulnerability is something of a rarity. The application framework may be similar to Adobe Flash, but it does not contain nearly as many security vulnerabilities. In fact, it is exceptionally rare for a bug to be discovered. In this case, Kaspersky Lab identified the security flaw which could potentially allow remote code execution.

Microsoft has now addressed the security flaw (CVE-2016-0034) in its latest MS16-006 patch which was released on Tuesday. Kaspersky Lab has now published an analysis of the security flaw.

It is essential for the patch to be installed. While the vulnerability is not believed to have already been exploited, it is possible for the patch to be reverse engineered. According to Brian Bartholomew of Kaspersky Lab, “it’s not that difficult to produce a weaponized version of it.”

Rare Microsoft Silverlight security vulnerability investigated by Kaspersky Lab researchers

Kaspersky Lab researchers may not have been the first people to have discovered the Microsoft Silverlight security vulnerability. They decided to investigate a potential Microsoft Silverlight security vulnerability that had alledgedly been discovered by Russian hacker Vitaliy Toropov. He claimed to have written an exploit for the Microsoft Silverlight security vulnerability, which he was trying to get Hacking Team to buy. At the time they were more interested in Adobe Flash zero-day exploits and ignored the Microsoft Silverlight security vulnerability.

Kaspersky Lab decided to investigate due to the potential damage that could be caused by a Silverlight bug. The vulnerability could potentially be used to attack both Windows and OS X devices running Microsoft Silverlight 5 or Microsoft Silverlight 5 Developer Runtime. Users could be targeted with a phishing email and convinced to visit a website where a drive-by download would occur and load a malicious Silverlight application, regardless of the browser they were using.

Kaspersky Lab did discover it the security vulnerability, although whether it is the same vulnerability that Toropov had managed to develop an exploit for is not known. However, it is one less security issue to worry about now that it has been patched by Microsoft.

Microsoft Fixes Critical Windows Security Flaws

The first security update of the year for Microsoft may have only included 9 security bulletins, but six of them have been marked as critical. The critical Windows security flaws include 7 bugs that permit the remote execution of code, one that allows elevation of privileges. A vulnerability affecting Microsoft Exchange Server has also been discovered and patched to prevent spoofing.

The updates include patches for 25 separate vulnerabilities. These critical Windows security flaws should be addressed as soon as possible to keep systems protected. While not all of these security flaws have been published, it is possible for a patch to be reverse engineered to allow a hacker to take advantage of the vulnerabilities in unpatched machines.

Critical Windows security flaws patched in latest Microsoft security update

Although seven critical Windows security flaws have been identified and addressed, one of the most serious is the MS16-005 security bulletin. This is one of the remote code execution vulnerabilities, but it is the one most likely to be exploited by hackers as the vulnerability has been publicly disclosed. The vulnerability affects Windows’ kernel-mode drivers and makes it possible for a hacker to trigger an Address Space Layout Randomization (ASLR) bypass. All that would be required would be to get the user to visit a malicious website.

MS16-001 is critical for users of Internet Explorer. This security flaw affects versions 8, 9 and 10 of the web browser. This will be the last security update for Internet Explorer 8 and 10, with Microsoft now having stopped providing security support. Internet Explorer 9 security updates will continue to be provided for Windows Vista and Windows Server 2008 SP2, but users of IE 8 and 10 should now upgrade to IE 13 to ensure continued support is received.

This memory corruption vulnerability affects VBScript engine and could be exploited by getting an individual to visit a malware-compromised website. This would allow an attacker to gain the same privileges as the current user. If that user had administrative privileges, and attacker would be able to gain control of the computer and install programs, or delete or modify data. The same vulnerability has been addressed for VBScript in MS16-003.

While not marked as critical, any user of Outlook Web Access (OWA) should ensure that MS16-10 is applied. This patch addresses four separate vulnerabilities that could potentially be exploited and used for a business email compromise (BEC).

While only marked as important, Outlook administrators are likely to disagree. An attacker could exploit this vulnerability to make a phishing email appear as if it had been sent from within an organization. This would make the phishing email difficult for employees to identify, and would likely result in a large number of employees compromising their computers.

Microsoft has also patched a bug in Silverlight (MS16-006), which was identified by Kaspersky Lab. The bug is particularly risky for anyone operating Microsoft Silverlight across multiple platforms. The patch plugs a runtime remote code execution vulnerability.

Rovnix Malware Being Used to Attack Japanese Banks

Security researchers at IBM’s X-Force have identified a worrying new Rovnix malware strain that is being used in a spate of cyberattacks on Japanese banks.

Rovnix malware is nothing new. It has been around for a couple of years but it is now ranking as one of the top ten most popular malware strains to be used for attacks on financial institutions. It may not be used nearly as often as Dyre, Neverquest, Dridex, Zeus or Gozi, – the top 5 malware currently being used by cybercriminals – but it is particularly nasty and is highly persistent. Worse still, the new strain of the malware is only recognized by 7% of anti-virus software vendors.

New Rovnix Malware Strain Is Particularly Worrying for Japan’s Banks

The latest wave of attacks on Japanese banks signal a major departure from the usual attacks being conducted by cybercriminal gangs in Europe. Previously, they have concentrated on attacking European banks and Japan has been left well alone. That is no longer the case. In fact, IBM’s X-Force has described the latest wave of attacks as “an onslaught.” The criminal gang behind the latest Rovnix malware attack has already targeted 14 Japanese banks since the start of December last year.

The language barrier has prevented cybercriminal gangs from targeting Japans banks in the past, but they have now got around the problem and have developed their campaign in Japanese. Each campaign has been tailored for each of the banks under attack.

As with campaigns conducted in Europe, the primary means of malware delivery is spam email. A spam message contains a zip file with a fairly innocuous waybill detailing the delivery of a parcel from a courier company. Opening the attachment and viewing the waybill will result in a downloader being launched that will load Rovnix malware onto a device.

Highly Sophisticated Rovnix Malware Defeats Two-Factor Authentication

One of the most worrying features of Rovnix malware is its elaborate web injection mechanism which mimics the banks web pages. When an end user visits the bank’s webpage the malware injects Javascript and shows the user modified sections of the banks webpage. Login credentials are stolen, but crucially, so is the second password which enables a transaction to be conducted.

More worrying is some users are being prompted to download an app to their mobile phone. Doing that will result in their SMS messages being compromised. When the bank sends an authorization code to the mobile device, the cybercriminals will use that code to authorize a fraudulent transfer, defeating the two-factor authentication used by the bank.

Rovnix malware tends to be used to target one country at a time, but that may not necessarily always be the case. It can be quickly and easily adapted to attack any country’s banks. Rovnix malware is highly sophisticated and can be tailored to attack different institutions and evade detection. Even before the malware is installed, it can scan a device and determine which security protections are installed. It then uses a wide range of mechanisms to evade detection.

Internet Explorer Security Risk Warning as Microsoft Pulls Plug on IE 8,9, 10

Microsoft has announced it will be pulling the plug on old versions of Internet Explorer and will be withdrawing software security support on IE 8, 9, and 10 from Tuesday January 12, 2016. An Internet Explorer security risk warning has been issued as older versions of the web browser will be more vulnerable to cyberattack from tomorrow.

Microsoft will only be issuing security updates and providing technical support for Internet Explorer 11 and Microsoft Edge from January 13, 2015. All users have been urged to upgrade to Internet Explorer 11 if running windows 7 or 8.1, with Windows 10 users requested to make the switch to Microsoft Edge by Wednesday, January 13.

The news shouldn’t come as a major surprise as Microsoft first made the announcement about discontinuing support for older versions of IE 18 months previously, but that said, many IT departments and individual users have not yet upgraded. Duo Security have calculated 36% of IE users are running versions 9 or 10.

The problem for many enterprises is web applications have been developed to work on Internet Explorer 9 or 10, and consequently an upgrade may require changes to be made to those applications to ensure they work optimally on Edge or IE11.

The good news is that only one version change will be required. Microsoft has confirmed that although earlier versions of the browser are being retired, it has promised to continue offering support for IE11 for the lifespan of Windows 7, 8, and 10. The same applies to the Microsoft Edge browser.

Internet Explorer Security Risk Will Increase Following Next IE11 Update

The Internet Explorer security risk will not increase substantially overnight. It is highly improbable that hackers have exploits lined up that can be used on older versions. However, when software is discontinued, it is the issuing of the next patch on the supported version that is the critical date.

In the case of Internet Explorer, cybercriminals will be able to assess what is updated in the next release. When IE11 is patched, it will be highly probable that many of the vulnerabilities that are addressed will also affect previous IE versions.

Hackers could develop exploits for those unpatched vulnerabilities to attack individuals running older browser versions. The Internet Explorer security risk will increase substantially.

It is much easier for cybercriminals to exploit vulnerabilities in browsers than unpatched software installed on devices. All that is required is to direct the user to an infected website containing the appropriate exploit kit for the user’s device to be infected.

Companies in highly regulated industries such as the financial services and healthcare should ensure their browsers are updated before support is stopped. Running any machine on outdated and unsupported software will violate industry regulations. This could result in significant financial penalties being incurred.

Alternative to Passwords Will Be Standard in Next 10 Years

If there is one thing that sysadmins can guarantee happening on an almost daily basis, it is users forgetting their passwords. As passwords need to become more complex to avoid them being guessed, users struggle to remember them.

This is no surprise of course. Research has shown that passwords of 6 characters, especially those that only contain lowercase letters, are no obstacle to cybercrimnals. They can all too easily be cracked.  Unfortunately, even though many users are aware that passwords must contain special characters, upper and lower case letters, and at least one number, far too many individuals still use simple and easy to remember passwords. There is a tradeoff between security and convenience, and all too often end users opt for the latter.

Ideally, for maximum security, dictionary words should not be included and passwords should contain 11 randomly generated characters, including upper and lower case letters, numbers and special characters. Companies are now learning than while complex passwords are inconvenient, that inconvenience is a small price to pay, especially when compared to the cost of dealing with a data breach.

Secure password controls are now being introduced by majority of companies

A survey conducted last year by Ping Identity suggests that the majority of companies have now implemented enhanced controls to ensure secure passwords are chosen by end users. 82% of respondents rated their company’s password controls as good or excellent, and claim their IT departments are forcing them to regularly change passwords to ensure hackers do not have long to crack them. 76% indicated they are required to change their passwords every 1-3 months.

While this is good news, the same survey revealed that password sharing is still common. Half of enterprise employees share their secure passwords between work and personal accounts. 37% of respondents said they shared passwords with family members and almost half admitted reusing passwords for work accounts.

A recent survey conducted by SecureAuth, a provider of multi-factor authentication systems, confirmed that passwords are now too complex for many end users to remember. 308 IT security professionals took part in the survey, and 85% said that their helpdesk was frequently contacted by users that have forgotten their passwords on a frequent basis. 37% of respondents said that employees were calling the helpdesk all the time in this regard.

A majority of IT security professionals believe that passwords alone are no longer secure enough to use by themselves to protect networks. 66% claimed they are now using multi-factor authentication controls.

Many would like to move away from passwords entirely, but unfortunately at the current time the technology that must be used to allow other, more secure user authentication controls to be implemented are prohibitively expensive. A retina or fingerprint scan may be ideal, but few companies would be willing to pay for the technology.

That said, over the next decade things are likely to change. Or so it is hoped. The survey showed that 91% of cybersecurity professionals believed that over the course of the next decade the password will cease to exist. Other more secure methods of user authentication will be introduced to replace the humble password and the cost of the technology is likely to fall sufficiently to make this a reality. However, for the time being, helpdesk staff are likely to have to continue to spend a considerable amount of time retrieving and resetting passwords.

Hackable Bug Found In World’s Most Secure Smartphone

What is arguably the world’s most secure Smartphone may not be quite as secure as users have been led to believe. A hackable bug has been discovered that allows Silent Circle’s Blackphone 1 to be hijacked.

On its release, Silent Circle’s Blackphone was billed as being the first Smartphone designed with privacy at the core of its design. The phone looks like any other Smartphone and functions just like an Android device. However, it runs on Silent OS, a custom-designed Android OS that to all intents and purposes closes all possible backdoors. At least, that was the plan. It turns out that not all backdoors have actually been closed.

Backdoor Exists in World’s Most Secure Smartphone

Researchers at SentinalOne have discovered that one backdoor exists that allows the ultra-secure Smartphone to be hijacked by hackers. While the user will believe their phone calls and text messages are perfectly secure, a hacker could be listening in to calls and monitoring the numbers that are being dialed or received. The security flaw would also allow an attacker to read text messages sent or received, change caller ID settings, mute the modem speaker, kill the modem, silently check numbers, make calls via the phone, or force conference calls with other individuals.

A person attempting to call the user of a hijacked Blackphone could have that phone call directed to the attacker without the Blackphone user being aware that the call is taking place.

The Blackphone security vulnerability is not in the software, but is a security flaw in the device’s inbuilt modem. The modem contains an open socket which potentially allows a hacker to run radio commands. The open port could potentially have been used by the developers of the phone for debugging functions, yet the internal port was not secured before its release. A simple oversight maybe, but one which potentially leaves the phone wide open to attack by hackers.

The vulnerability could potentially be exploited via a malicious app, or it is conceivable that the owner of the phone could be targeted with a phishing campaign and convinced to run malicious code.

Researchers do not believe that the vulnerability has been exploited in the wild, and a software update has now been issued to address the vulnerability. All users must update to 1.1.13 RC3 or above to secure their device. Now that the vulnerability has been disclosed the update is critical.

A bug in a Smartphone is to be expected, but for one to exist in what is supposedly one of the world’s most secure Smartphone is something of a worry. Furthermore, this is not the only Blackphone bug discovered. Last year a Blackphone security vulnerability was uncovered in its secure messaging application. The memory corruption vulnerability could be exploited remotely by a hacker and used to gain the privileges of the messaging application. This would enable the attacker to decrypt the Blackphone’s encrypted messages, read contact information, run code, or write to external storage.

2016 Security Threats: Where Your Next Attack May Come From

2014 was a bad year for IT security professionals, and thanks to some large scale cyberattacks, 2015 was not much better. However, what does 2016 have in store? What will be the biggest 2016 security threats? Some predictions for the coming year are listed below:

2016 Security Threats: What does the coming year have in store?

What is abundantly clear is that 2016 security threats will increase in number. The cyberattack surface is growing with more devices and device types to attack than ever before. Cybersecurity budgets may have been increased for 2016, but funding has not been increased by nearly enough for many IT departments. Tackling the biggest 2016 security threats will be a big ask, and vulnerabilities will remain that can be exploited.

Phishing will continue to be an effective attack option

Enterprise cybersecurity defenses are becoming more sophisticated, passwords are becoming more secure, and two-factor authentication is becoming the norm. It is certainly now harder for cybercriminals to successfully attack many companies. Unfortunately end users are still a major weak point that cybercriminals will continue to exploit. Many major cyberattacks in 2015 had their roots in phishing attacks and the attacks are expected to continue in 2016.

Unless staff members receive training on how to identify phishing emails and spot malicious websites, they are likely to fall for phishing scams. Major data breaches are likely to be discovered in 2016 that have been made possible due to phishing schemes.

IoT device hacks a growing cause for concern

If you thought that the hacking of IoT devices was something to be dealt with next year or later, you may find you will end up regretting not securing your devices sooner. It may not be time to worry about your refrigerator being hacked, but as was demonstrated quite clearly in 2015, IoT hacks are not a future problem. They are a clear and present danger. Valasek’s and Miller’s successful hacking of a Jeep Cherokee proved that. Medical devices are also high up the list of potential targets, and could be used as an easy entry point into healthcare networks. Hacks of IoT devices are likely to start in earnest in 2016.

Difficult-to-Detect attacks will increase

Traditional malware will continue to pose a major threat to consumers and businesses, but difficult-to-detect attacks are on the increase. Memory-resident and other fileless malware attacks will increase in prevalence in 2016. As security software gets better at identifying malicious software, cybercriminals will take advantage of security vulnerabilities in BIOS, firmware, and drivers. These attacks are difficult to detect, but are fortunately also difficult to execute. Until memory scanning technology is implemented by the majority of organizations, these attacks are likely to proliferate.

Apple Devices to be targeted

As Apple’s market share increases, attacking Apple devices will become more profitable. With Apple now having a 13.5 percent share of global smartphone sales and 7.5 percent of the desktop market, the devices are likely to be attacked with increasing regularity.

While the devices were previously considered to be secure, new iOS and OS X malware has been discovered. That malware doesn’t just pose a risk for users of jail-broken devices. In 2015, XcodeGhost found its way into the Apple App Store, and this is unlikely to be the last malware to target the Apple devices. Further Masque attacks can also be expected in 2016. Apple device owners may have a rude awakening in 2016 if they remain complacent about security.

Card-Not-Present (CNP) Fraud to Increase

Thanks to the introduction of new payment technologies, it is becoming harder for criminals to conduct point-of-sale attacks, but the data stored by retailers is still not well protected. Cyberattacks on retailers will concentrate on obtaining data for digital fraud, and an increase in card-not-present (CNP) fraud can be expected. In the EU, CNP fraud rose by 21% last year and faster growth is expected in 2016.

Healthcare industry will continue to be targeted

At the end of 2014, many security experts predicted that 2015 would be a rough year for the healthcare industry, but few could have imagined how rough it would get and how quickly cyberattacks would occur. It didn’t take long. Within two months, two healthcare hacking incidents were reported that made previous data breaches look tiny by comparison. The attack on Premera BlueCross exposed a whopping 11 million healthcare records, but even that was tiny compared to the 78.8 million records exposed in the hack of Anthem Inc. Over 113 million healthcare records were exposed or stolen in 2015.

In 2016, the healthcare industry is likely to continue to be targeted by hackers. The data they store is of high value and security defenses are still relatively poor.

TeslaCrypt Ransomware Attacks on the Rise

Gamers have been put on high alert following news that TeslaCrypt ransomware attacks are on the increase. The file-encrypting malware was first identified in March of this year, but this month the number of attempted attacks has skyrocketed.

TeslaCrypt ransomware does not specifically attack computer game players, but it is gamers that are most likely to have to pay the ransom if their computers are infected. TeslaCrypt ransomware is likely to encrypt game files, maps, saved games, mods, and even game software, leaving gamers with little choice but to pay the ransom or lose everything.

About a month after the discovery of TeslaCrypt ransomware, security researchers had developed a tool that could be used to de-crypt files. However, during the past few months, the authors of the malware have been busy tweaking TeslaCrypt. The decryption tool that was developed in April is no longer guaranteed to work.

Businesses now being targeted with TeslaCrypt Ransomware

Not only has TeslaCrypt ransomware evolved, it has been sold on the black market to cybercriminals. The authors appear to have been selling their ransomware-as-a-service, and while they have had relatively few takers, that has now changed.

Known infections have remained relatively low throughout the course of the year, but December has seen a major increase. The number of attempted attacks in November remained fairly constant at approximately 200 per day. By mid-December that figure increased to around 1,800 per day.

The ransomware is also no longer just being used to target gamers, in fact, better rewards can be gained from attacking businesses. This fact has not been lost on the cybercriminals behind the latest wave of TeslaCrypt ransomware attacks.

The ransomware is known to encrypt 185 types of files, and while many of those are specific to gaming software, the file-encrypting malware is particularly damaging for businesses. If infected, files can be decrypted, but only if the ransom is paid or the malware is removed. Infected computers will have file extensions changed to a .vvv extension and files be encrypted.

User will have files saved to their desktops directing them to websites where they will be required to pay a ransom to unencrypt their files. Any business that has failed to perform a backup of their data may have little alternative but to pay the ransom.

Due to the increase in reported attacks in December, all businesses are advised to exercise extreme caution. Backups should be performed daily, and end users should be told to be particularly vigilant. The attack vector being used for the latest wave of attacks is mostly spam email. Account department executives are being targeted and fooled into opening file attachments which have been masked to appear to be invoices and receipts in pdf or doc formats. The subject lines typically refer to an order, invoice, or bank transfer.

The criminals behind TeslaCrypt ransomware have developed advanced obfuscation JavaScript code which helps to get their malware past anti-virus software.

The best way to prevent an attack is to ensure that spam emails are not delivered to end users and to make sure that end users know never to open an email attachment sent from an unknown user.

iOS Malware Boom Expected in 2016

The rise in popularity of Macs, Macbooks, and iPhones has seen even more consumers make the switch from desktops and Android phones. As the number of Apple users grows, so too will the threat from malware. While previously thought of as totally secure, Apple devices have now been attacked and those attacks are likely to continue. Some security experts are now predicting an OS X and iOS malware boom in 2016, as hackers and cybercriminals attempt to tap into Apples user base.

Hackers have previously concentrated on Windows due to the sheer number of users using the operating system. It is more profitable to attack a system that virtually everyone uses rather than a system used by relatively few individuals.

Apple devices are more secure than their Windows-based counterparts, although in recent months a number of chinks have been found in Apples armor. Hackers are expected to take advantage with increasing frequency over the course of the next 12 months.

One of the ways that cybercriminals have started to attack apple users is via malicious apps that have been sneaked into the Apple App store. The Masque attack in 2014 replaced legitimate apps with nasty versions, and other methods have been developed that have allowed hackers to sneak malicious programs onto user’s devices.

First iOS Malware Discovered in the Wild in 2015

iOS malware may be less common than malware designed to attack Windows, but we have already seen a major increase in malicious programs designed to attack Apple devices. OS X malware has increased nine-fold over the course of the past year according to Symantec, and in October the first iOS malware – YiSpecter – that was capable of attacking non-jailbroken devices was discovered. This iOS malware implements malicious functionalities in iOS and is capable of downloading, installing, and launching malicious apps, displaying adverts, and uploading user data to remote servers. The iOS malware attack mostly affected users in Taiwan and China, but attacks such as this are expected to take place worldwide in 2016.

A fix for this iOS malware was rapidly issued by Apple, and the latest versions of the operating system is now immune to YiSpecter attacks. However, this is just the first of a number of new iOS malware that can be expected over the next few months.

Apple Pay is also expected to be targeted in 2016. The payment system was unveiled in 2014 amid claims that it was immune from attack and could not be used to commit fraud, yet only a few months later it was discovered that Apple Pay was being used to commit fraud. Accounts could be used with stolen credit card numbers and purchases made using iPhones.

Apple users are still less likely to be targeted by hackers than Windows users, but the devices are far from immune from attack. As more users make the switch to Apple and its market share increases, hackers are likely to respond and start targeting Apple software with increasing regularity and iOS malware will increase.

Juniper Networks Backdoor: Further Information Emerges

Further information has emerged on the Juniper Networks backdoor discovered last week, which suggests the NSA had a hand in the installation of a backdoor in the company’s source code.

Last week, a Juniper Networks backdoor was discovered after the company identified unauthorized code which could potentially allow hackers to gain access to secure communications and data that its customers had protected with its firewalls.

The malicious code would allow a hacker to decipher encrypted communications protected by the company’s Netscreen firewalls. It is not known at this stage how the code was installed, and whether this was an inside job or if it was inserted remotely. But what is known, is the person or group responsible installed the Juniper Networks backdoor as a result of an inherent weakness in the system. They were also helped by a coding configuration error believed to have been made by a company employee.

Juniper Networks Backdoor Installed Using NSA-Introduced Weakness

One security researcher, Ralf-Philipp Weinmann of German firm Comsecuris, has claimed that the weakness in the Dual_EC had been put there by the NSA, who championed the use of Dual_EC. It is not known whether the NSA or one of its spying partners was responsible for changing the source code, but it would appear that the NSA had, perhaps inadvertently, introduced a weakness that ultimately led to the system being compromised.

The weakness in the code that was first uncovered in 2007. The flaw was uncovered in the Dual_EC algorithm by two Microsoft researchers: Dan Shumow and Niels Ferguson. The Dual_EC algorithm had just been approved by NIST, and was used with three random number generators. Together, the encryption was believed to be secure enough to use to protect government data.

However, Shumow and Ferguson were able to demonstrate that the elliptic curve-based Dual_EC system could allow hackers to predict a random number used by the algorithm, which would make the encryption susceptible to being hacked.

Specific elliptic curve points were used as part of the random number generator. If one of those points was not a randomly generated number, and the person responsible for determining that point also generated a secret key, any holder of that key could potentially crack the encryption as it would be possible to determine the random number used by the algorithm. If that number could be predicted, the encryption could be cracked. Dan Shumow and Niels Ferguson believed this would be possible with just 32 bytes of output, if the key was known.

The flaw in Dual_EC is believed to be an intentional backdoor in the encryption that was introduced by the NSA, according to documents published by Edward Snowden. However, this was deemed not to be a problem as a second random number generator was used by Juniper. The second random number generator was supposed to have been used for the encryption, meaning even someone with a secret key would not be able to predict the random number used.

However, a coding error resulted in the original random number generator being used, rather than the second one. Someone had managed to break into the system and use their own constant, consequently, the encryption could be cracked.

The Juniper Networks backdoor has now apparently been plugged with the company recently issuing a patch to fix the problem. However, it would appear that the Juniper Networks backdoor had existed for at least three years.

Anti-Phishing Solutions for Enterprises

Over the past few years, the number of anti-phishing solutions for enterprises has grown considerably. This is no surprise considering the volume of phishing emails now being used to target businesses. Phishing has become the leading strategy used by hackers and cybercriminals to gain access to corporate networks.

Phishing is not confined to email. Social media websites are also commonly used to spread phishing links, and hackers are compromising websites with increasing frequency and are installing malicious code. Malicious adverts are also used by cybercriminals to drive traffic to bogus websites where drive by malware attacks take place and criminals phish for sensitive information.

Fail to use any anti-phishing solutions and your employees will need to become experts at identifying phishing emails and malicious websites. Unfortunately, a recent study has shown that end users are not particularly good at identifying phishing emails. In fact, should a phishing email arrive in an employee’s inbox, it could be 50/50 as to whether that employee will respond.

Need for Robust Anti-Phishing Solutions for Enterprises Highlighted by Recent Phishing Report

A recent study of 400 companies conducted by PhishMe has produced some alarming figures. The company provides staff training to enterprises to help employees identify and avoid phishing emails. Training exercises were conducted that simulated phishing attacks. Over 4,000 fake phishing emails were sent to employees during the study. The company used numerous phishing templates that closely mirrored the phishing emails being sent by cybercriminals.

Phishing emails were sent requesting the recipients to action to update their computer software. Links to fake news stories were sent. Email recipients were sent special offers and emails mimicked office communications. The latter were found to have the highest overall response rates.

While many employees can identify a phishing email, when emails were sent with the subject “Unauthorized Access,” the average response rate across all industry sectors was 34%. When simulated phishing emails were sent with the subject “File from Scanner,” the average response rate was 36%.

However, some response rates were even higher. When the firm analyzed the results from failed package delivery phishing simulations, 49% of employees in the education industry were found to have responded to the emails. Agriculture and biotech/pharmaceutical company employees did not fare much better. 41% of employees responded to the campaigns. In the telecoms and media sectors, the response rate was 37%.

The study showed just how likely it is for untrained employees to fall for phishing emails. If a similar campaign was launched by a cybercriminal, as many as 4 or more employees out of 10 may fall for the scam and install malware or disclose sensitive information.

What Anti-Phishing Solutions for Enterprises Should be Used?

The study highlighted the importance of conducting staff training to teach employees how to identify phishing emails, but training alone is insufficient. Employees must have their knowledge put to the test. Phishing simulation emails should be sent to employees and the more frequently knowledge is tested – and feedback provided – the better employees become at identifying phishing campaigns.

Anti-phishing solutions for enterprises should also be implemented to reduce the volume of phishing emails that reach employees’ inboxes. It pays not to place too much reliance on end users to always be able to identify phishing emails.

Implementing a robust spam filtering solution is therefore essential. Spam filtering solutions reduce the volume of phishing emails that are delivered to employee inboxes. If as many as 49% of employees have been shown to respond to phishing emails, a spam filtering solution is essential. SpamTitan blocks 99.9% of all email spam, which gives your organization more than a fighting chance of resisting phishing attacks.

Training staff how to identify a phishing email can reduce the likelihood of individuals responding to a scam; however, identifying malicious websites can be much harder, especially when websites are hosting exploit kits. It may be impossible to tell whether a site is probing the browser or plug-ins for security vulnerabilities.

To prevent drive-by malware attacks a software solution is required. A web filtering solution such as WebTitan will provide protection from malicious websites, hijacked sites, and malvertising. Blocking access to websites known to host malware, and filtering the internet to prevent risky sites from being visited, will help you to reduce the risk of phishing attacks to the minimal level.

A recent Spiceworks survey conducted on 200 IT security professionals revealed that 51% of organizations had suffered a malware incident and 38% suffered a phishing attack in 2015. Fail to take any action to combat the risk from malware and phishing attacks and it is only a matter of time before your organization is attacked.

Apple Malware Infections Double in a Year

Hackers are concentrating on developing mobile malware that targets Android devices, but Apple malware infections are increasing. Furthermore, security researchers are predicting Apple malware infections will grow steadily over the course of the next 12 months.

Apple malware infections are on the increase

Over the course of the past 12 months the number of Apple malware infections have doubled, and the problem is only likely to get worse for users of iOS devices according to security researchers.

Last year, researchers at Symantec discovered between 10,000 and 70,000 new Apple malware infections every month. This year there has been a 7-fold increase in malicious software infections affecting Apple OS X computers up until the end of September. Symantec has already discovered 400,363 Macs that have been infected with malware.

The researchers did point out that only 10 new types of Apple-infecting malware have been discovered so far this year, with the bulk of the OS X malware infections involving “grayware”. These are not purposely designed malicious software programs, rather apps that are capable of serving malicious adverts or tracking user behavior.

New malicious software that targets iOS is increasing, but only 7 new types of malware have been discovered by Symantec so far this year. That should be compared with the 9,839 new mobile malware variants that have been discovered to be targeting target Android devices.

There is a growing malware problem, but Apple remains the safest mobile platform

Users of Apple devices have had it easy for many years. Hackers have developed malware capable of infecting Apple devices, but there are far bigger gains to be had from developing malware that targets Windows and Android devices. The majority of iOS malware can also only infect devices that have been jailbroken, so most users remain relatively safe.

Apple’s share of the mobile device market is relatively small, and while the number of units expected to be shipped in the next 5 years is expected to grow, so too will the number of Android devices. IDC has predicted there will be a 2.2% drop in Apple’s market share over the course of the next 5 years, although with  237 million to 274.5 million Apple devices expected to be shipped, there will be plenty of devices for hackers to attack. In fact, in 2015, Apple device ownership is expected to grow by 23% according to IDC.

No need to panic just yet, but there is cause for concern

It is not yet time to panic, but there is growing concern over the number of Apple malware infections that are now being discovered. The majority of new mobile device malware now being discovered targets Android devices, and Apple remains the safest choice. What is clear is iOS and OS X are no longer as safe as they were once believed to be, and users of Apple devices should not become complacent.

Infections are possible and any user of a jailbroken Apple device who fails to take precautions against malicious software could well live to regret that decision.

3 PC Rise in Corporate Malware Attacks in 2015, Say Kaspersky

According to research conducted by Internet security firm Kaspersky Lab, corporate malware attacks have increased by 3% year-on-year. In 2015, 58% of companies had been attacked with malware on at least one occasion and the motivation for conducting corporate malware attacks are numerous. Not all attackers are demanding a ransom.

Reasons for corporate malware attacks

In many cases, corporate malware attacks are conducted for financial reasons – but not always. There has been an increase in hacktivism and attacks on business competitors. According to research conducted by Kaspersky/B2B International, 28% of suspects in cyberattacks were believed to be attempting to simply disrupt a company’s operations.

Corporate malware attacks by competitors are believed to be increasing and in many cases the attackers are known. This is certainly the case for DDoS attacks. 48% of companies claimed to know the source of DDoS attacks they had suffered and 12% believed that the source was a specific competitor. 11% of attacks were conducted by political activists, while government backed groups accounted for 5% of attacks.

The mode of attack on corporate targets differs from attacks on consumers according to Kaspersky Lab.

There has been an increase in exploitation of legitimate software programs, with office programs used to attack companies three times as often as attacks on consumer targets. Internet-based attacks were commonly conducted on business customers. 29% of businesses claimed to have been exposed to Internet threats, while 41% of businesses were attacked via portable storage devices. Attacks on mobile devices have also increased as criminals have realized the ease at which the devices can be compromised and the wealth of data that are stored on the devices.

Cryptolocker infections double in 2015

Cryptolocker ransomware infections have increased substantially in recent months. There have been twice as many infections in 2015 as were recorded in 2014. According to Kaspersky, over 50,000 corporate devices were locked by Cryptolocker in 2015. Corporate customers have been given little alternative but to pay ransoms to get their data unlocked. Unfortunately, even when a ransom was paid, security keys were not always provided or did not work.

DDoS attacks being commissioned by business competitors

Attacks conducted for financial gain are still the most common, especially in the Telecom and manufacturing industry. Survey respondents from both industries claimed that ransoms were demanded in 27% of DDoS cyberattacks. Overall, 17% of attacks involved the disruption of services until a ransom was paid. In 18% of cases, DDoS attacks were conducted to distract IT security professionals while hackers went to work on other systems, as was the case with the recent attack on Internet and mobile phone service provider, TalkTalk. Companies appear to be increasingly attempting to gain a competitive edge by paying for hackers to disrupt the operations of their competitors.

2015: The year of the PoS attack!

2015 has also been a year of attacks on Point of Sale terminals. Retailers have been targeted by hackers trying to gain access to PoS data, oftentimes by installing malware capable of recording data from transactions. Kaspersky Lab managed to block more than 11,500 PoS hacks in 2015. 70% of hacks of PoS terminals involved malicious software that had only been developed this year. These attacks are likely to increase over the course of the next 12 months.

Cryptowall Malware Just Got a Whole Lot More Dangerous

Cryptowall malware has been a major threat since it was first released on the unsuspecting world in September 2014. It did not take long for the malware to evolve, with a second version seen within a matter of weeks. A third incarnation was released at the start of the year. Now the game plan has changed again with the fourth version of Cryptowall malware now identified in the wild. The developers of the ransomware are keen to keep IT security experts and security software developers on their toes. They also want to continue to rake in millions of dollars in ransoms. The new version guarantees they will.

Cryptowall Malware is Now Harder to Spot, Easier to Obtain, and is a Whole Lot Nastier

As if it was not hard enough to prevent a Cryptowall malware infection, the developers of the ransomware have made it nastier and easier to infect computers. It is now capable of being installed by drive-by download.

The malware has also been packaged up with the Pony Trojan. Pony is nothing new, although that doesn’t make it any less dangerous. Pony is a password stealer that has been redeveloped and updated over the years. It has been predominantly spread via email spam in the past, and has most commonly been seen as an attached executable, or sent in compressed form in a .cab, .rar, or .zip file.

However, more recently it has been sent disguised as a document. Usually as a Word document but most commonly as a PDF file. The file is not a document of course. It is an executable with the extension masked. When double clicked, the Pony will be set loose.

Recently, the Pony Trojan has been sent via a link in spam email. Clicking the link will not take the user to a website as expected, instead it will attempt to download the malware. The file will be masked as a different type of file, even though it is an executable. The user is more likely to download a .SCR (screensaver) file with an adobe reader icon as it looks fairly innocuous. Regardless of how it is installed, it’s actions are the same. It will steal usernames, passwords, FTP and SSH credentials, and also Bitcoin, Litecoin, Primecoin, and Feathercoin.

Once credentials have been stolen, the user will be directed to a malicious website where they will be subjected to the Angler Exploit Kit – the most widely used exploit kit and attack tool. Angler takes advantage of security vulnerabilities in users’ browser plugins via drive-by attacks. Those attacks will unleash the final payload: The latest version of Cryptowall malware.

Cryptowall Malware Leaves Victims Little Choice but to Pay the Ransom

The latest incarnation of the ransomware locks files with powerful encryption but also encrypts filenames. Unfortunately, with the latest version your files will be encrypted but you won’t know what files they are. The latest version uses different obfuscation methods to make it even harder to detect and it has much improved communication capabilities.

Victims are not so much told they have to pay a ransom, but are instead politely urged to pay for security software to protect against Cryptowall malware. The attackers say please more than once when suggesting payment be made to unlock files.

Unfortunately, you will have to pay the $700 security software charge to unlock your files if you have not performed a recent backup of your data. Otherwise your files will be lost forever.

To protect against the malware, make sure backups are regularly performed and ensure that all browsers, plugins and security software are kept bang up to date.

Insider Phishing Scams Targeting UK Tech Companies

Criminals are using a new tactic to con money out of small to medium-sized businesses and startups, and are now using insider phishing scams to convince account department executives to make fraudulent bank transfers. The insider phishing scams are highly convincing, and a number of company executives have already fallen for the scams. Thousands of pounds have already been transferred into the bank accounts of criminals. By the time the fraudulent bank transfers are discovered, the money is long gone and cannot be recovered.

Insider phishing scams are targeting specific individuals in the accounts department

A number of similar insider phishing scams have been seen in recent months. Workers are sent an email from their boss asking them to transfer money from their personal account to help cover an essential bill. These scams tend to work on small businesses that are likely to experience cashflow difficulties.

Employees fall for the scams and make the transfers as they are fearful of their employer and want to appear keen and willing to help. The latest insider phishing scams appear to me much more targeted. Criminals already know the names of the individuals working in the accounts department and are targeting the person most likely to respond.

These people are sent an email from their boss, are referred to by name, and the email address used to send the message appears, at first glance at least, to be genuine.

A brief message is sent asking for a transfer of several thousand points to be made, and the bank account and sort code information are provided in the email. The victim is informed that their boss will send them further information to allow the payment to be entered into the company accounts. The victim is also asked to send an email back confirming when the transfer has been made.

The scam is clever. By asking for a confirmation, the victim will most likely reply to the same email and not follow up for a couple of days or so. By that time the transfer will have cleared, the money taken out of the criminal’s account, and it will not be possible to recall the funds.

Fake domain names being registered to conduct insider phishing scams

If an email was sent from an email address with a non-company domain it would be unlikely to result in a bank transfer being made. Even a busy accounts department executive would check who sent the email before making a transfer of £20,000. To get around this problem, criminals are registering a very similar domain name to that used by the target company.

Typically, the domain name used will be virtually identical to the one used by the company, with one minor change: One character will be replaced with another. The most effective way to do this is to replace an L with an i, or a 1 with a lower case L, or vice versa. The different domain name is then unlikely to be noticed. Instead of “Littlewoods”, the domain “Litt1lewoods” or “Littiewoods” would be used.

The success of these insider phishing scams relies on the email being as genuine as possible. The email must also be sent to the right account executive. If the request appears unusual – being sent to a person who would not typically make a bank transfer for example – it would appear suspicious and would likely be questioned.

After the domain name has been purchased, the format of the company’s email addresses must be discovered. Then the name of the chief executive and the company’s financial controller. The criminal behind the campaign can send the scam email.

The victims are therefore researched beforehand. The correct individual is identified and they – and they alone – are sent the transfer request. It has been hypothesized that the reason these insider phishing scams are being conducted on tech companies is they are more likely to be easy to research.

There have been numerous reports of these insider phishing scams being conducted in recent weeks. Some individuals have fallen for the scams and have made large transfers to the criminal’s account as requested.

How to protect against insider phishing scams

It is essential that all staff members are warned about these insider phishing scams and told to be vigilant. Protecting against these attacks must start at the top. Email requests to make transfers may be convenient, but employers must set up policies that require accounts executives to verify the request, by telephone, before they are made.

A few years ago, spam emails were very easy to spot. They were sent out in bulk, contained numerous typos and grammatical errors, and on the whole were very easy to identify as being fake. That is no longer the case. Scammers are now taking time to develop highly convincing campaigns to fool specific individuals into revealing personal information or making large bank transfers. The effort put into these campaigns is worth the effort. The criminals are much more likely to get the victim to take the required action.

In addition to instilling a security aware culture in an organization, one of the best protections is to purchase a robust spam filtering solution. An email sent from a domain closely matching the company´s own domain name would be caught by the spam filter and directed to the email quarantine folder. Training is good, but preventing insider phishing emails from being delivered is a much more reliable method of stopping employees from falling for these phishing scams.

Google Account Phishing Email Prompts AG Warning

Miss. attorney general Jim Hood has issued a warning to state residents to be extra vigilant after receiving a convincing Google account phishing email.

The latest Google account phishing scam attempts to fool users into revealing their passwords by warning users that they need to review the terms and conditions of their account. The reason the email claims Google requires this is due to changes made to government regulations. Users must check the new T&Cs in order to maintain compliance with government regulations.

A link to do this was supplied in the email. Clicking the link would direct users to a page that appeared to be from Google; however, this was part of the scam. Users were asked to login and were presented with a standard Google login page, but when they did, their information was recorded and sent to a hacker.

While this scam appeared convincing, there was a tell-tale sign that the request was not genuine. The request to enter account details contained a spelling error in the word “account.” This is not an error that Google would make.

Google Account Phishing Email Scams

Google account phishing email scams are being conducted with increasing frequency. Two other Google account scams were spotted in the summer and are still being used by criminals to gain access to users’ email accounts.

Gmail Phishing Scam

This scam is not new. It was first discovered by Symantec early last year but it is still active. A new batch of spam emails was sent to Gmail account holders over the summer, which fooled many people into revealing their Gmail passwords.

Gmail offers anti-spam protection, although hackers were able to bypass the controls. The emails appeared to have been sent by Gmail administrators. The messages contained a link to a Google Drive document. Clicking the URL directed users to the document, but they needed to enter their login credentials to view it. Users entered their information and were able to view the document; however, what they would not have realized is they had also just compromised their accounts.

In this case, the link they were sent in the email directed them to a folder on Google Drive that had a preview page. The preview page looked like a standard Google login prompt. When the users entered their details, the login credentials were recorded by a PHP script and the data was sent to the hacker’s command and control center located in the United Arab Emirates. That attack was made possible as the hackers were able to fake Google’s SSL encryption. The faked SSL encryption was sufficient to bypass the anti-spam controls and fooled users into revealing their login credentials by exploiting their trust in Google.

Spear phishing attack targeting Gmail account holders

The Gmail password recovery feature is being exploited by hackers using social engineering techniques to get users to provide access to their Gmail accounts. This Google account phishing email scam also exploits users trust in Google.

Provided an attacker knows the mobile phone number of a victim as well as their email address, they are able to attempt this scam.

It starts with the attacker using the password recovery feature on Gmail to resend a user’s password. The attacker enters the victims email address and opts to have the second step of the authentication process send an SMS to the user’s phone.

The user is sent a verification code to their mobile phone, which is closely followed by a text from the attacker. The attacker claims to be from the Google account management team and asks for their activation code. Since the attacker already has the email address, he or she can then use the code to complete the password reset function. Only the attacker will then be able to access the users Gmail account.

New Facebook Video Phishing Scam Uncovered

It is almost every day that a Facebook video phishing scam is discovered, and yesterday was no exception. Scammers are increasingly looking to take advantage of Facebook’s drive to compete with YouTube as the go to place for watching video content.

Latest Facebook video phishing scam offers Facebook video application for free

The social media website is now actively encouraging users to upload videos to the site; videos are now playing automatically in live feeds when the mouse arrow is hovered over a post, and scammers are taking advantage by offering users an easy way to upload and view videos via mobile devices. The Facebook video phishing scam is likely to catch out many users of the site.

Video posts are now common on the social media platform due to the ease at which users can take videos using their mobile phones. Those users naturally want an effortless way of sharing their video content with friends and family. What better way of doing this than with a Facebook video app? Simply download the app and you can share your self-generated video content with a tap of the screen!

Unfortunately for the user, the app being offered is fake. It will make sharing information effortless, but not the information that the user will want to be shared. Any Facebook user that falls for the scam will instantly share their login credentials and friends list with a cybercriminal.

Facebook video phishing scam displayed via a popup browser window

The new Facebook video phishing scam is being advertised via a popup window that appears virtually identical to the genuine Facebook website. The Facebook search bar appears as normal, along with the icons at the top of the page that every user will be very familiar with. A casual glance at the URL is likely to arouse little suspicion as the site address starts with “Facebook”.

Closer inspection will show that this is not a genuine Facebook page. The popup window has been seen on two variants of the real domain name: Facebooksk.info & Facebookstls.com. This is a sure sign that this is a Facebook video phishing scam and that the free Facebook video app being offered is not genuine.

These popups appear when the user clicks on an advert offering a free Facebook video application that users can download to their device. The adverts can also pop up on the screen while browsing websites that have been infected with adware.

The fake Facebook video app has so far only been seen in Spanish; although English-speaking users should also be wary. An English language version is sure to be released soon.

Before being allowed to download the free Facebook video application, users must first confirm they are over 18 years old. Age verification is required before the user will be permitted to download the app. In order to do this, the user will have to enter their username and password. The login box has been created to closely mimic one used by the genuine Facebook site.

When the user enters their information and clicks on the login box, a PHP script will run that sends the data to the hacker behind the Facebook video phishing scam.

Once login credentials have been provided, the hacker will be able to login to the victim’s account, and access that user´s friend list. Phishing links will then be sent out to all of the users friends. The contents of the account, including all of the security settings, can also be accessed.

This Facebook video phishing scam is one of many now doing the rounds on the social media platform. All site users must exercise caution before logging in or divulging any sensitive information via the social media platform. Not all Facebook scams are this obviously fake and easily identified. Scammers are devising ever more sophisticated ways to get users to compromise their own accounts.

Intuit Security Warning Scam: Quicksbooks Users Targeted

Users of the Intuit Quickbooks accounting software package are being targeted by scammers. Emails have been sent to users of the software warning them that they need to update their web browsers for ‘the best online experience’. They are issued with this news via an email with the heading ‘Intuit Security Warning’.

Spam email campaigns often urge users to make urgent changes to address security flaws and contain stern warnings to urge users to take action quickly. Often a threat is included or a very short timescale is given for action to be taken. While this email is sent with the subject of ‘Intuit Security Warning’, it looks fairly innocuous. There is no threat, it is well written and has appropriate branding. The email is sent from a credible email address at support.intuit.com and is sent to a “newsletters” email group. This Intuit security warning does not appear to be a phishing email.

The reason given for a web browser update is Intuit is performing an update on November 5, 2015. There is no warning that failure to update browsers will have any ill effects other than the service provided would not be optimal. This is what makes this email scam particularly dangerous. The Intuit security warning email would be unlikely to set alarm bells ringing with users of the software.

Intuit Security Warning email contains link to trojan downloader

If users hover their mouse arrows over the link contained in the email it reveals the true web address. This is not the Intuit website, although the link is credible. Clicking the link will launch a browser window that will display a browser update page that looks exactly as it should. The user will be told that their browser is out of data and should be updated.

A message window will then be launched offering a zip file download, which is also appropriately named based on the default web browser used on the device: FirefoxUpdate.zip for example.

However, the zip file contains malware that will be installed on the user’s device. Even downloading the file is unlikely to set any alarm bells ringing. The scam has been developed to appear perfectly normal. Users are highly unlikely to realize they have been fooled into downloading malware.

Consumers and businesses are likely to receive the Intuit security warning email, which should be deleted. The email itself is not malicious and will not infect a device. That requires manual action on the part of the user. However, the email is very convincing and does not follow the format of “typical” phishing emails. As a result, it is probable that many users will inadvertently do as the Intuit security warning email recommends, and will inadvertently infect their devices with malware.

How to keep end users’ devices and networks malware free

Hackers may be developing ever more complex methods of deceiving users and infecting computers, but oftentimes it is the simplest methods that prove to be the most effective. Even security conscious individuals may inadvertently fall for email scams such as this. For that reason, it is important for IT security professionals not to place too much reliance on staff training. There will always be users who fall for phishing campaigns and email scams, and inadvertently install malware on their computers or the network.

There are two highly effective methods that can be used alongside staff training to protect against email scams and phishing campaigns: Anti-spam software and a web filtering solution. Anti-spam software will prevent emails such as this from being delivered to user’s inboxes, while web filtering software will restrict the sites that users can visit. With both installed, IT security professionals can be confident that, even if end users are targeted by hackers or other cybercriminals, the network will remain protected from malware.

Bitcoin Black Friday: Bargain Hunters Beware!

The biggest online shopping day of the year may be Cyber Monday, but for the Bitcoin community it is Bitcoin Black Friday.

Bitcoin has grown in popularity with the online community as a secure alternative method of paying for goods and services online. On Bitcoin Black Friday, transactions using the currency increase substantially. Last year, on November 28th, more Bitcoin transactions took place than on any single day in the history of the currency. This year promises to be even bigger.

Bitcoin Black Friday is a day when bitcoin buyers are given amazing discounts on their online purchases, and are able to pick up amazing deals on jewelry, holidays, gifts, electronic gadgets, domain registrations, and much more. The only condition being all purchases must be made using Bitcoin. Last year over 600 online retailers took part and offered special offers to kick start the holiday shopping season. In 2015, the number of participating merchants is expected to be double that figure.

Since the online currency can be used to make anonymous purchases, it has proven popular with online criminals. Bitcoin Black Friday is the day when theft of Bitcoin increases substantially. It is also a day when users of the currency are fooled into revealing their personal information to criminals.

Bitcoin Black Friday Phishing Website Launched

Criminals have targeted Black Friday purchasers by launching a new website offering bargains galore. The site offers numerous discounts for purchasers, with many apparently genuine deals.

The website bitcoinblackfriday.info is a rip off of a genuine offer site; piggybacking on the name of the genuine dotcom version of the site.

The rip off site looks similar in style to the genuine article but, instead of providing visitors with real offers, it links to phishing websites that will relieve users of their personal information and Bitcoin. These mock websites were set up to closely mimic real sites, albeit with slight differences. Unless visitors had used the real site before and were familiar with the layout, they would likely be convinced that they were visiting a genuine online retailer. Most of the phishing websites linked to from the .info site were set up in in the past few days. This is a clear sign that the sites are not genuine, but few people would likely check before making a purchase.

It is not clear whether the owner of the .info website was aware that the site was being used to host links to phishing websites or if the domain had specifically been set up with phishing in mind.

The links contained on the .info version of the website look convincing. For instance, adverts were placed on the website that link to variants of popular store names such as “buy-trezor.com” instead of “buytreznor.com.” Many purchasers are therefore likely to be fooled.

Since many deals were not available until Black Friday, the site requested users to leave their email addresses in order to be sent information about the best deals as soon as they were released on the big day. Any person who did will not only receive Black Friday offers, but their email addresses are likely to be used to send further email scams.

Bitcoin users should be wary. It is not only credit cards that online criminals seek. Bitcoin and personal information are just as valuable to online thieves. On Bitcoin Black Friday, when special deals are offered for a very limited time, users should be extra careful. The golden rule is to always take time to verify the genuineness of a website before parting with any money or divulging any personal information.

Phishing Warning Issued as IRS e-Services Scam Discovered

The discovery of a new IRS e-Services scam has prompted the Internal Revenue Service to kick off its Security Awareness Tax Tips with a phishing warning.

New IRS e-Services Scam Reported

IRS tax scams are nothing new. In fact the IRS regularly issues warnings about new phone and email scams. Criminals frequently devise new scams to get U.S. consumers to reveal personal information. However, the latest IRS e-Services scam targets tax practitioners and attempts to get users to reveal their IRS e-Services login credentials.

As is the case with most phishing campaigns, a highly realistic email is sent requesting action to be taken to address a matter that requires a user’s urgent attention. Many IRS phishing scams warn of immediate suspension of an account; although the latest IRS e-Services scam says this has already happened. In order to lift the suspension on the account, the user must click on the link contained in the email and update their Electronic Filing Identification Numbers (EFINs).

The email warns “Our account surveillance have detected some suspicious activities over your account and to maintain the security we have temporarily disabled some functions on your account.”

Users are provided with a link which they must click on in order to reactivate all functions on their account. After clicking the link, users are asked to verify their identity by entering in their username and password.

The link contained in the email may appear genuine, but it will direct the user to a phishing website that will capture the username and password as they are entered.

Gaining access to IRS e-Services is potentially very lucrative for criminals. The service allows tax professionals to conduct a number of services online on behalf of their clients. Access to one of these accounts can potentially allow the scammers to gain access to a wealth of data that can be used to commit identity theft and tax fraud. Should access to the account be gained, criminals would be able to obtain details of past tax returns and other client account details.

The email appears to have been sent from a genuine IRS email address. The new IRS e-Services scam shows that sender email addresses cannot be trusted as a way of checking the genuineness of emails.

Tax professionals have been warned not to click on the link contained in the phishing email and to delete it. The IRS has told users that it does not initiate conversations with individuals via email, social media channels, or text message. The IRS will also not request that users reveal their passwords.

The IRS will soon be launching its new “Taxes. Security. Together” initiative ahead of the 2016 tax season. The campaign is aimed at improving awareness of phishing scams and other methods used by criminals to get unsuspecting users to reveal their tax information.

New Critical Android Vulnerability Discovered

A new critical Android vulnerability has been discovered that could potentially allow Android Smartphones to be hijacked by hackers without any user interaction required. The vulnerability affects Chrome JavaScript v8 – and not just older devices but the latest models now being released. Even the Nexus 6, one of the most advanced and secure Android phones, contains the vulnerability.

Hackers could potentially use the exploit to install apps on the device without any user interaction. The apps could be given permissions to access all communications made through the device. The new critical Android vulnerability was demonstrated at the recent Tokyo PacSec conference. Full details of the exploit have been shared with Google and a patch is currently being developed to plug the security hole.

This is just one more critical Android vulnerability to be discovered, and it will not be the last. Fortunately, this time the security hole was found by a security expert rather than a hacker.

Fake ID critical android vulnerability still exists on many Smartphones

Last year, researchers at Bluebox Security discovered another critical vulnerability which affects all Android Smartphones running KitKat (version 2.1 to 4.4). The critical Android vulnerability affects millions of devices,

The vulnerability, named Fake ID, potentially allows hackers to develop apps that can exploit a flaw in the way the devices deal with security certificates. The vulnerability can be used to gain privileges granted to other applications – even those with high levels of privileges such as Google Wallet.

Fortunately, to exploit this critical Android vulnerability, hackers would need to convince the user to download a malicious app to their device, which would be difficult if the user only used Google Play Store to obtain new apps.

However, StageFright – a critical Android vulnerability discovered this summer – is potentially much more serious. The bug enables a hacker to remotely execute code on an Android phone and escalate privileges. StageFright allows a hacker to attack an Android device via a video sent by MMS text message. The attack is possible via the libStageFright mechanism.

Android phones running Google Hangouts would potentially be vulnerable and could be exploited without the user’s knowledge as the app processes video automatically before the message is viewed by the user.

Due to how patches are rolled out, Smartphones could still be vulnerable to both Fake ID and StageFright, even though patches have now been released.

When a new critical security vulnerability is discovered, a patch is rapidly developed to plug the security hole. Even when a patch is issued, it can take some time before it is rolled out and installed on each device. The speed depends on the carrier. Patches are rolled out quickly in some cases – Google Nexus and LG for example – but slower with other brands such as Samsung and HTC.

Often updates to the operating system are packaged together with manufacturer updates and are not rolled out immediately. Sometimes they are not rolled out at all, leaving some phones particularly vulnerable to attack.

A recent study conducted by the University of Cambridge showed that 87% of Smartphones contain at least one critical Android vulnerability, and many contain more than one.

Reducing Security Risk from Android Devices

BYOD has grown in popularity in recent years, and many employers are now allowing employees to bring their own mobile devices to work. While not all allow the use of personal laptops, employees are commonly allowed to use their Smartphones at work, and even use them to connect to their employer’s network.

Any employer operating BYOD, should carefully consider which devices are allowed to connect to the corporate network. Some Smartphones are safer than others and will involve much lower network security risk. Allow devices to connect that can be easily compromised, and they could be used as a platform to launch an attack on the network.

Ransomware Protection: SMBs Must Get Prepared

SMB ransomware infections can be time-consuming, expensive, or catastrophic. Which category an infection falls into will, to a large extent, depend on how you have prepared. If you run a SMB, ransomware protection is essential.

Ransomware protection is no longer an option, it is a necessity

It may not simply be a case of paying a ransom to recover your data. Data may be permanently lost. There is no guarantee that a security key will work, or will even be provided if a ransom is paid.

Unfortunately, ransomware is here to stay. Criminals have found it to be one of the best methods of obtaining untraceable money from victims. Ransoms are paid in Bitcoin – or via other anonymous payment systems – and infecting computers is exceptionally easy in many cases.

Ransomware will continue to be used as long as it proves profitable for cybercriminals. The profits from Cryptowall infections alone are estimated to be in the region of $325 million (£215 million) and the ransomware was only developed and released in September 2013. With such high profits, ransomware is here to stay – so businesses need to get prepared.

Importance of ransomware protection highlighted by Power Worm variant

Infected with ransomware? It’s not the end of the world, you could just pay the ransom. Unfortunately, that does not necessarily mean you will get your data back. Take the latest Power Worm variant for example.

Not all hackers diligently prepare their malware. Sometimes mistakes are made. The latest variant of Power Worm is a good example. The developers of the ransomware attempted to make decryption a more straightforward process, but made a critical error. The Power Worm variant they created encrypts files, but deletes the security keys to unlock them.

Even if a ransom is paid, data will not be unlocked. An infection will mean data will be permanently and irrevocably encrypted. This has not stopped the users of the ransomware from asking for a payment of 2 Bitcoin to decrypt the data. It just prevents them from making good on their promise.

There is never any guarantee that a security key will be provided even if a ransom is paid but, with this infection, it is simply not possible. This latest ransomware highlights the importance of implementing ransomware protection strategies to deal with infections when they occur. If you don’t, it could spell total disaster.

Ransomware protection strategies

Unfortunately, while ransomware is spread via spam email and social media networks, exploit kits are now being used to infect computers by taking advantage of security vulnerabilities. Fortunately, there are a number of ways you can protect against a malware infection.

Regularly back up your data on a separate device

A ransomware infection need not spell disaster, even if the criminal behind the infection does not unlock your data. If you have a backup, an infection is a pain, but you can recover your data.

Install a robust spam filter

Ransomware is often spread via infected email attachments. Configure your spam filter to block executable files, and you can prevent malicious email attachments from being delivered to users’ inboxes.

Show hidden file extensions

Windows often hides known file extensions. Criminals take advantage of this. If they name an executable file report.pdf.exe, when Windows hides the extension, it will appear as report.pdf. Users may inadvertently open an executable file believing it to be harmless. Make sure file extensions are shown to reduce the chance of accidental infections.

Make sure Remote Desktop Protocol (RDP) is disabled

You may use RDP to provide support to end users on your network, but hackers can exploit RDP to gain access to devices and install malware without any user interaction. If you do not use RDP, or can get away without using it, make sure that it is disabled on all internet enabled devices.

Make sure browsers are kept up to date and patches installed

Exploits are used to probe browsers for security vulnerabilities that can be exploited. It is therefore essential that the latest version of web browsers are always installed, and patches and updates are installed as soon as they are made available.

Install web filtering software

Ransomware is often installed using drive-by attacks. Malicious websites are not always easy to identify, but the sites can be blocked if web filtering software is employed. Stop end users from visiting malicious websites and you will greatly reduce the risk of ransomware being installed.

How to Identify a Malicious Website

If you want to keep your computers and networks protected from malware, it is important to train your staff how to identify a malicious website. You should also install a powerful web filtering solution to ensure your employees’ malicious website identification skills are never put to the test.

Cybercriminals are developing ingenious ways of compromising networks

Scammers and cybercriminals used to mainly send out emails with infected attachments. Double clicking on the attachment would result in the computer, and possibly the network, being infected with malware. Oftentimes, this action would go undetected by anti-virus software programs. A full system scan would need to be conducted before the malicious software was identified.

Computer users are now much wiser and know never to open file attachments that have been sent to them by unknown individuals, and certainly never to double click on an executable file. Hackers and other cybercriminals have therefore needed to get smarter, and are now developing ever more sophisticated ways of obtaining user credentials and getting people to install malware manually. One of the ways they are doing this is by developing malicious websites.

End users are contacted via email and are sent links to websites along with a valid reason for visiting the site. Links to malicious websites are also frequently sent out in social media posts or are placed in third party website adverts. Some sites are hijacked and visitors are redirected to fake sites automatically.

What is a malicious website?

Malicious websites host malware or are used to phish for sensitive information. In the case of the latter, users are tricked into revealing sensitive data such as login credentials for online banking websites.

Malware may require some user interaction before it is installed. Visitors may be tricked into downloading a security program, for instance, by being informed their computer is already infected with malware. They may be offered a free screensaver, or asked to download a fake PDF invoice.

Increasingly, malicious websites are used to host exploit kits. Exploit kits probe visitors’ browsers to identify security vulnerabilities that can be exploited without any user interaction required. If a vulnerability is detected, malware can be installed automatically on the computer or network. This method of cyberattack is called a drive-by download. Drive-by downloads can involve malware being installed onto the computer’s hard drive, a network drive, or even loaded into the computer’s memory.

Learning how to identify a malicious website is important if you want to prevent your computer from being infected, and it is essential for system administrators and other IT professionals to conduct staff training to help end users avoid these dangerous sites.

How to identify a malicious website

There are some easy ways to tell if a website is attempting to install malware:

  • The website asks you to download software, save a file, or run a program
  • Visiting the website automatically launches a download window
  • You are asked to download an invoice or receipt, such as a PDF file, .zip or .rar, or an executable file or .scr screensaver file

A malicious website may also tell you:

  • Your computer is already infected with malware
  • Your plug-ins or browser are out of date
  • You have won a competition or free prize draw. You may also be offered free money or vouchers that require you to enter your credit card or banking information

If you are asked to download any files or update your software, conduct a check of the site via Google and try to determine whether the site is genuine. If in doubt, do not download any files.

If you are told your browser is out of date, visit the official browser website and check your version number. Only ever download updates from official websites.

If you have accidentally visited a drive-by download site, by the time that you have connected it may be too late to prevent malware from being downloaded. To protect against drive by downloads you must ensure that your browser, add-ons, and plugins are 100% up to date. You should also use a software solution to block access to drive-by download sites.

How to block end users from visiting a malicious website

Even legitimate websites can be hacked and used to host malicious code. They may use advertising networks that are used by cybercriminals to direct visitors to malware-hosting websites. The best defense is to block these adverts and malicious websites.

Blocking access to these websites is a simple process. All it requires is a powerful web filtering solution to be installed. WebTitan web filtering solutions for the enterprise will help you keep your network secure by preventing users from visiting sites known to host malware.

WebTitan uses two powerful anti-malware and anti-phishing engines – Kaspersky Lab and Clam AV – to detect malware-hosting websites. When malicious sites are detected; they will be blocked. WebTitan can also be configured to block access to questionable or illegal content.

If employees are trained how to identify a malicious website, and web filtering software is installed, your networks will be much better protected from malware infections.

A Honeypot for Malware Can be of Great Benefit to Your Organization

Have you been considering implementing a honeypot for malware? Attracting malware may seem counterintuitive but there are great benefits to be had from setting up a honeypot. You will attract malware regardless, so why not make sure it gets installed somewhere safe?

Practical advice about implementing a honeypot for malware

A honeypot for malware can be highly beneficial for an organization; however, it is important to set it up correctly and to commit enough resources for maintenance and upkeep. A honeypot for malware will be of little use if it can easily be identified as a fake system, and even worse if it can be used as a platform to attack your real system.

Listed below are some tips and pointers to get started:

How much interaction are you looking for?

When setting up a honeypot for malware, you need to decide on the level of interaction you want. How much leeway will you give an attacker? How much activity are you willing to allow? Generally speaking, the more interaction you want to allow, the more time you will need to spend setting up your malware honeypot and maintaining it.

You must also bear in mind that the more interaction you allow, the higher the risk of the attacker breaking out of the honeypot and launching an attack on your real systems. High-interaction malware honeypots actually run real operating systems. If you are happy with low-level interaction, you can use emulation and it will require less maintenance and involve less risk.

Off the shelf malware honeypot systems are perhaps the easiest place to start, although there are open-source options available that can be tweaked to suit your needs. Just because you use a commercial honeypot, it doesn’t mean you need to spend big. There are many free options to try out.

Honeypots for malware and more…

A package is usually the logical place to start before progressing to open-source options or expensive, comprehensive honeypot systems. You can gauge how beneficial running a honeypot for malware is. If it proves to be useful, you can commit more time and resources to developing a fully customized honeypot for your organization. You can also start with a honeypot for malware and, if you are happy with the results, also set up a honeypot for SCADA/ICS and your web services.

We suggest the following to get started:

Honeyd

A great choice for simulating multiple hosts and services on a single machine using virtualization. This low-interaction honeypot allows a convincing network to be set up involving numerous operating systems such as Windows, Linux, and Unix at the TCP/IP stack level. Capable of identifying remote hosts passively.

Kippo

A SSH server honeypot with medium interaction. Excellent logging capabilities allowing a rerun of an attack to be viewed. Kippo allows complete file systems to be created.

Dionaea

A good honeypot for malware. Windows-based.

Ghost USB

A honeypot for malware spread via USB drives.

Glastopf

A honeypot with low interaction that emulates web vulnerabilities that can be exploited using SQL injection.

Thug

A honeyclient (client-side honeypot) that emulates a web browser. A useful tool for exploring and interacting with a malicious website to determine what malicious code and objects it contains

Powerful honeypot packages

There are three excellent comprehensive honeypot packages listed below. It may be better to pay for these packages than to commit the time and resources to developing your own custom honeypot system.

KFSensor

A Windows-based honeypot system with excellent functionality and flexibility. It is expensive, but it is the choice of professionals.

MHN

MHN, or Modern Honeypot Network to give it its full name, is open source allowing for easy configuration and customization, with an extensive range of tools. Operates using a Mongo database.

HoneyDrive

A virtual appliance (OVA) with Xubunti for Linux. A good range of analysis tools is provided, along with a choice of 10 pre-installed honeypot software packages.

Your honeypot may be detected!

It may only be a matter of time before your honeypot is detected, and when that happens the information is likely to be shared with other hackers. Fortunately, there are many different packages to choose from and custom honeypots can be created. Hackers cannot therefore look for a single signature to identify a system as a honeypot.

There are common tell-tale signs that a system is a honeypot. We recommend taking action to address the following issues if you want to make sure your honeypot is not detected as a fake system.

  • Ensure there is system activity – One sure sign of a fake system is it is not being used by anyone!
  • You make it far too easy to compromise the system – setting “password” as the password for example
  • Odd ports are left open and out of the ordinary services are being run
  • Hardly any software has been installed
  • Default configurations of software and operating systems have been installed
  • The file structure is too regular, and file names are obviously fake – file names such as “user password list” and “staff social security numbers” are unrealistic

Also worth considering is whether to include a deception port. A deception port is an open port that will allow an attacker to detect a honeypot. What is the point? This will show any would-be attacker that they are dealing with an organization that has devoted a lot of time and effort to cybersecurity. That, in itself, may be enough to convince attackers to look elsewhere and pursue much easier targets.

Do you think a honeypot is worth the effort?

Lack of Cybersecurity Funding? Cost-Effective Solutions for IT Professionals

A chronic lack of cybersecurity funding is a common problem. Network administrators and IT managers alike must learn to deal with a small budget and do more with the money they have available. Unfortunately, budgets are unlikely to be increased substantially, even when faced with new threats and a greater risk of suffering cyberattacks. You will be expected to do your job with the money that has been allocated. At best you may get a slight funding increase for next year. In the meantime, you will just need to do your best. Your best must also be good enough.

Get organized and stop wasting time on repetitive tasks

You will get request after request via your support line, and many support tickets will be submitted requiring you to do the same thing over and over again. You can spend time dealing with the same problems, commit an extraordinary amount of time to fixing the same email, network, hardware, and software issues, but that is time and money that could be spent on other more important tasks. What you must do is tackle these problems and determine the root cause. Sort these out, and the support tickets will stop. It will take longer initially, but will save you a considerable amount of time in the long run.

Deal with a lack of cybersecurity funding by saving money and achieving more in less time

You may be thinking that is easier said than done. There may not be money to spend on new hardware or software. You cannot pay for solutions if the money is not available. There is a solution though. You can address these problems by cutting back on the time and resources devoted to other tasks. Like tackling the root cause of malware issues, virus infections, phishing scams, and many system malfunctions.

You can prevent a great deal of support tickets and save a lot of time by implementing two software solutions that have been designed to stop network administrators, IT helpdesk staff, and IT managers wasting time. A lack of cybersecurity funding need not mean you have to leave your network open to hacker attack, or leave your end users (and your network) exposed.

SpamTitan and WebTitan are two cybersecurity solutions that are cost-effective, easy to implement, and easy to manage. They will also help to keep your end users and network protected. A lack of cybersecurity funding need not spell disaster.

Coping with a lack of cybersecurity funding: SpamTitan and WebTitan anti-spam and web filtering solutions

SpamTitan offers IT professionals an easy option for dealing with email spam and the problems it causes. Cut down on the common reasons for end users submitting support tickets and calling IT support helplines, and save time and money. Your resources can then be diverted to dealing with more critical IT issues.

SpamTitan will clean inbound and outbound emails and will prevent issues created by:

  • Spam and bulk emails
  • Malware and viruses
  • Dangerous email attachments
  • Spam websites and spam hosts
  • Phishing emails and malicious links
  • Outbound spam
  • IP address blocking and blacklisting
  • Rate threshold violations
  • IT related business reputation damage

WebTitan web filtering solutions keep users protected and cut back on wasted time from:

  • Spyware
  • Malware
  • Drive-by attacks
  • Malicious websites
  • Social media usage issues
  • Accessing of inappropriate content
  • Loss of bandwidth
  • Malicious adverts
  • Inappropriate Internet use
  • Rogue app threats

For further information on how WebTitan and SpamTitan can save your company – and the IT department – time and money, visit: www.spamtitan.com and www.webtitan.com

Porn Malvertising Targets Top Porn Site Visitors

Porn websites are often considered to be rife with malware, although the major websites spend big to keep their sites malware free. That said, a recent porn malvertising campaign hit one of the largest adult websites placing millions of site visitors at risk of infecting their devices.

Viewing Internet Porn Can Give you a Nasty Infection

Cybercriminals have targeted a number of adult websites over the past few weeks, with one of the Internet’s largest porn sites, one of those affected. The cyberattack was quickly dealt with once discovered, but not before many of the site’s half a billion monthly web visitors were displayed malicious adverts.

SSL Malvertising Campaign Hits Top Porn Site

The malvertising campaign that targeted the top porn site was not new. It has previously affected some other notable websites that attract huge volumes of monthly traffic. MSN.com was affected, as was Yahoo. The cybercriminals behind the campaigns then started to target porn websites and other adult web portals.

The malvertising campaign was delivered via the Ad serving network TrafficHaus. Adverts offers a sex messenger dating app. Download the sex messenger app, and you will be presented with a wide range of suitable partners looking for temporary love in your area. No download was actually required to get infected. Provided a security vulnerability existed the malware would be downloaded automatically.

The campaign cleverly included a number of security checks to ensure the adverts were only served to genuine web visitors with a browser version that was vulnerable to the exploit kit being used. Only Internet Explorer users were displayed the adverts provided they lacked certain security products. These checks allowed the hackers behind the campaign to ensure that real people were targeted and honeypots were avoided.

Visitors being displayed the adverts were subjected to the Angler exploit kit: The most commonly used exploit kit to deliver malware.

Second Porn Malvertising Campaign Hits Same Major Porn Site

This was not the only porn malvertising campaign that affected the top porn site. Some of the site’s visitors were recently hit with a ransomware attack known as browlock. Visitors have their web browsers locked with a page that they are unable to remove warning them that they have been caught viewing illegal pornography. The page in this case, showed a warning from Interpol. This porn malvertising scam was similar to the FBI browserlock campaigns previously seen.

In order to unlock their browsers and to avoid arrest, the porn malvertising campaign warned victims that their browser has been locked, files had been encrypted, and they were being recorded using their device’s audio and video capabilities. Users were given a time limit in which to pay to have the lock lifted.

Porn malvertising campaigns can be highly effective and victims are left with little alternative but to pay ransoms. It is possible to protect against infections and drive by malware downloads. If security vulnerabilities do not exist, they cannot be exploited, and if adverts are not displayed users cannot be infected. For the latter, a web filtering solution is the best option.

Apple Malware Attack Affects 225,000 Device Owners

Apple device security is particularly robust, yet the company’s operating systems are far from impregnable as a recent Apple malware attack has shown. Apple device users have recently been targeted by hackers believed to be operating out of China. The Apple malware attack has so far resulted in the credentials of approximately 225,000 iPhone users being obtained by the hackers.

KeyRaider Responsible for Apple Malware Attack

The malware in question has been named KeyRaider. Fortunately, only device owners who have jailbroken their iPhones are at risk of infection. Jailbreaking an iPhone will allow banned apps to be installed on the devices, but the process also introduces a vulnerability that can be exploited by hackers. KeyRaider attacks devices that have been jailbroken using Cydia: The most popular jailbreaking tool for Apple devices.

Device GUID as well as Apple account user names and passwords have successfully been stolen by KeyRaider. The malware can steal user credentials, Apple purchasing information, private keys, and Apple push notification certificates.

Once infected, user credentials are uploaded to a command and control server, and those data are made accessible to other individuals. The information can be used to purchase apps for Apple devices without the user being charged, instead the charges for the purchases are applied to infected users’ accounts.

To date it has been estimated that as many as 20,000 individuals have downloaded software that allows them to obtain Apple apps for free at the expense of other Apple device users. In some cases, users’ devices have been locked and attackers have demanded ransoms to be paid to unlock the infected iPhones and iPads.

The Apple malware attack was discovered by Palo Alto Networks and China’s WeipTech, although services have now been developed that are capable of detecting devices that have been infected with the malware.

iOS App Store applications being infected with malware

Palo Alto Networks has also recently issued a warning over IOS App Store applications that have been infected with malware. To date, 39 different apps have been discovered to have been infected, placing users of non-jailbroken Apple devices at risk of compromising their iPhones and iPads. Hackers were able to copy and alter Xcode development tools used by iOS app developers, and have been able to infect genuine applications by injecting malicious code.

It is not just relatively obscure apps that have been infected. WeChat is used by hundreds of millions of Apple device owners, and the app was one of those infected with malicious code. That said, the developers of the app, Tencent, have investigated the issue have reported that the malware has not been able to steal user credentials.

The malware infections are understood to be used to steal iCloud login credentials and Chinese security researchers have discovered close to 350 different mobile apps that have been injected with malicious code. Those apps include some of the most popular Apple apps being downloaded in China, such as Didi Kuaidi.

Some of the Chinese App Store apps discovered to have been compromised

hacked iPhone apps

The recent Apple malware attacks have come as a surprise to many security researchers and users who considered Apple devices to be perfectly safe. While Apple is without any shadow of a doubt the safest mobile platform, owners of the devices should not consider iOS to be 100% safe.

Cisco Router Malware Discovered

According to reports from FireEye, IT security professionals do not only need to be concerned about malware attacks on computers, servers, and Android devices: Cisco router malware has now been discovered.

Cisco router malware discovered on 79 devices to date

Cisco router malware is highly sophisticated and particularly worrying. The malware can survive a restart and will be reloaded each time. Cisco router malware is also highly versatile and can be tweaked to suit an attacker’s needs. It has been found to support up to 100 different modules.

The malware was first discovered in Ukraine, although the infections have now spread to 19 different countries around the world; including the US, UK, Germany, China, Canada, India and the Philippines. At this stage it is not clear who created the malware, or what the main purpose is.

It is also not clear whether the malware has been installed via exploited vulnerabilities. It is possible that routers have been hijacked as a result of default logins not being changed, or weak passwords being set.

It is known that Cisco router malware is sophisticated and it appears to have been professionally developed. This had lead security researchers to believe that foreign governments have had a hand in its development. Should that be the case, it is likely that the main purpose of the malware is spying. While it has been known for some time that router malware is possible in theory, this is the first time that malware had been discovered to affect routers in the wild.

SYNful Knock came as a big surprise to many security professionals

The malicious software is called SYNful Knock and it serves as a fully functional backdoor allowing remote access of networks. The attacks are also silent in many cases, and hackers are able to use the malware without risk of detection.

To date, the United States has been targeted by the cybercriminals behind the malware infections, with 25 of the 79 infections discovered in the U.S. That said, the infection was discovered to have affected an ISP which was hosting 25 infected routers. Lebanon has also been targeted and 12 infections discovered in the country, while 8 of the 79 infections have been found in Russia.

The infections were discovered using ZMap. Four full scans of public IPv4 addresses were probed for signs of the malware by sending out TCP SYN packets. At this stage it would appear that only Cisco routers have been affected by SYNful Knock, but there is concern that other manufacturers’ routers may also be infected with malware. Researchers are now investigating to find out if router malware is a more widespread problem.

Malicious Web Adverts Spread Infections Among Daters

Nasty malware infections have been spread via the world’s largest dating website, which has been serving malicious web adverts to its visitors. Individuals trying to attract a new partner via the Match.com’s UK site may have found out that it is much easier to attract malware.

Malicious web adverts used for drive-by malware downloads

Users of the dating website were not required to download any malware manually. Their browsers were probed for security vulnerabilities that could be exploited without any user interaction required. Provided they were enticed to click on one of the malicious website adverts served via Match.com, they would be directed to a site that contained an exploit kit. That exploit kit would then download malicious software onto their devices, delivering a payload of ransomware without their knowledge. Files would subsequently be locked by Cryptowall ransomware until such time that the victim paid a ransom.

Match.com is hugely popular and attracts over 5 million visitors every month in the UK alone. The potential for infection with malware was considerable, although it is not known how many individuals have been infected as a result of clicking on the malicious web adverts.

Malicious web adverts can be placed on popular sites for just a few cents

Malicious web adverts are displayed via ad networks that popular websites use as an additional revenue source. Code is placed on a website and adverts will be displayed.

Participants in the ad programs are able to select the websites where they want their adverts displayed. The cost of displaying each advert is set by the popularity of the website. For just a few cents, the criminals behind the malvertising campaign were able to target Match.com’s users. Reportedly for a cost of just 36 cents. Malvertisers were keen to take advantage of the huge traffic that the site attracts.

Most websites serve adverts of some description. They are an essential revenue stream that site owners can ill afford to ignore. While ad networks do vet the companies that sign up, some rogue advertisers invariable get past the controls and manage to get their malicious web adverts displayed. Once discovered, the accounts are blocked by the ad networks, although not before the malicious website adverts have been displayed to millions of individuals.

Once Match.com discovered that its site was being used to display malicious website adverts, to protect its site visitors the company temporarily suspended all advertising until the problem was addressed. Unlike the Ashley Madison hack, no user data was exposed as a result of the security breach.

How to protect against malicious web adverts

Malvertising campaigns are increasingly common but attacks can be easily prevented. Drive by downloads are possible, but users will need to be directed to a website hosting an exploit kit. They must have a browser that can be exploited.

Protecting against malicious web adverts requires all browsers and browser plugins to be kept up to date. As soon as a new version of a browser or plugin is available for download it must be installed.

When zero-day vulnerabilities are discovered security professionals get to work developing patches to plug the security holes. There is a lag however, and during that time users will be at risk.

For the individual the risk may be relatively low, but for an employer with tens or hundreds of end users, that risk will be considerable. One of the best methods to ensure corporate networks and devices are protected is to employ a web filtering solution such as WebTitan.

WebTitan can be configured to block third party adverts from being displayed on websites. If adverts are not displayed, they cannot be clicked and end users’ devices and corporate networks will be protected from drive-by malware downloads.

Lessons Learned from the Ashley Madison Data Breach

Did you think the Ashley Madison data breach was mildly humorous? Did you think that it serves the people right for cheating on their husband, wife or life partner? If you did, you certainly didn’t have an account with the online cheating website. Those who did simultaneously broke out in a cold sweat when they realized the website had been hacked and the perpetrator was threatening to make the data public.

Ashley Madison data breach exposed millions of confidential records

The Impact Team was the hacking group behind the Ashley Madison data breach. The company announced it had hacked the company’s database on the Tor network. The hackers claimed they would release details of the website’s patrons – people looking to have extra-marital affairs – if the company did not shut down its website. Avid Life Media Ltd., the company behind Ashley Madison, did not agree to close its business. The hackers then made good on their promise and started publishing data. A large data dump caused many of the website’s subscribers to panic.

The methods used by the attackers to gain access to the website have not been disclosed, although they were able to obtain the records of more than 30 million individuals in the attack. Unfortunately for the people who have had their privacy violated, there is little that can be done apart from take precautions with their financial accounts. Their data cannot be un-exposed and it is out there and can be used by whoever finds it. That will mean phishers, cybercriminals, identity thieves, and anyone who has taken an objection to their extra-marital activities may try to expose them.

A data breach can seriously damage a company’s reputation

This was a high profile breach due to the nature of the website and the total confidentiality that is expected and demanded by the company’s clients. A data breach such as this has potential to cause considerable damage to a brand with a marketing strategy and service that depends on privacy. However, brand reputation damage occurs following any security breach. Target, Anthem Inc., eBay, OPM. All have had their reputations damaged to varying degrees as a result of security breaches and data theft.

Many IT professionals believe that it is not a case of whether a security breach will be suffered, but when it will happen. A great many security professionals believe that most companies have already suffered a security breach. They just do not know yet.

Lessons learned from the Ashley Madison data breach

Consumers can learn lessons from the Ashley Madison data breach. They should be aware that disclosing any information increases the risk of someone else accessing that information.

The lessons for consumers are:

  • If you want to do anything in secret, the Internet is probably not the best place to do it
  • When disclosing information of a sensitive nature, ask yourself what the consequences would be if someone found out or exposed that information
  • Would you be able to recover from a breach of that information?
  • Is the service or product more or less important than it being kept a secret?
  • No matter how secure a website, service, or application claims to be, there is always a risk of a security breach being suffered
  • There is never a 100% guarantee of privacy online – All networks and systems are vulnerable to attack

Businesses must conduct a risk analysis

Businesses must also consider the risks to data security. Many security threats exist, and they must all be effectively managed. In order to determine what risks exist, an organization must conduct a thorough risk analysis. It is only possible to address and manage risk if a company knows what security vulnerabilities exist. Unfortunately, many hackers already know about the data security risks that are present, as well as how they can be exploited.

Once a risk is identified, unless state or federal legislation demand that the risk is addressed, a company must decide what measures to employ, and whether they are actually worthwhile.

To do that a company must calculate the annualized rate of occurrence (ARO) of a security breach via a given vulnerability, which means how often a vulnerability is likely to be exploited in any given year. Then the company must determine the repercussions from that vulnerability being exploited. How much the security breach would cost to resolve. That figure is the single loss expectancy (SLE). Once these figures are known it is possible to determine the annual loss expectancy (ALE) by multiplying those two figures. A decision can then be taken about how the risk can be managed.

Sean Doherty, Head of Research & Development at TitanHQ recently pointed out that “the notion of having ‘perfect security’ is ludicrous”. What must be done is to make it as hard as possible for systems to be infiltrated and data stolen. It is essential to implement good security measures which will be sufficient to repel attacks from all but the most skilled, motivated, and determined individuals. There is no such thing as zero risk, but it is possible to manage risk and get it down to a minimal level.

The Ever Changing Role of a Systems Administrator

The role of a systems administrator is certainly challenging, mainly because it is constantly changing. This is the way it always has been since the role of a systems administrator was first defined. Now if you were to write down the role of a systems administrator, it would virtually be out of date before the ink had dried.

The role of a systems administrator evolves quickly. That is the very nature of the job. For many sys admins, that is what makes the job so interesting and enjoyable.

Anyone contemplating entering the professions should not be afraid of hard work. They also need to know that they will need a lot of training, and even more experience in order to excel in the position.

The role of a systems administrator over the next five years

Over the course of the next five years there is expected to be 12% growth for systems and network administrators according to the US Bureau of Labor Statistics. The last report issued by the BLS indicated a much higher growth rate, but it has now been adjusted and matches the average of all industries tracked by the BLS.

In years gone by you may have been able to get away with just having a MCSA qualification to become a good systems administrator. Today, that is not nearly enough. Not only will you need to know your way around Microsoft, you will also need to become an expert in every system used by your employer.

To excel in the role of a systems administrator you must be technically gifted, and you will need to be something of a jack of all trades. New technology is frequently introduced and part of the role of a systems administrator is to get to grips with that technology quickly. After all, you will be required to configure it, troubleshoot it, and repair it as necessary. The role of the systems administrator has grown enormously since IT has become so pervasive in business.

Fortunately, it is much easier to access training and information resources than ever before. Vendor websites provide a wealth of information, Udemy and other online learning resources can easily be accessed, and social media networks and online forums allow a sys admin to tap into the knowledge of colleagues and other sys admins when help is required.

How important is certification?

You will need an MCSA certificate to get your first job, but in order to retain your position, or even to progress and get a better paid job, further qualifications may be required. But not necessarily. They look great on a CV and can impress potential employers, but experience really does counts. If you know your stuff and have experience it does make sense to get certificated, but never underestimate the value of experience over a piece of paper. Certification is not everything.

If you want to take on the role of a systems administrator be sure to learn these technologies!

A system administer should be familiar with emerging technologies, but there are some tech trends that are an absolute must to become familiar with. These include:

  • Software-as-a-service
  • Cloud services
  • Virtualization
  • Voice Over IP (VoIP)
  • Technologies that can automate tasks performed by a sys admin

Automation of daily sys admin tasks

Automation of sys admin tasks will not mean you will be ultimately made redundant. It means you can use your time more efficiently. You will need to be familiar with the tools that allow you to automate a lot of tasks. They are essential for managing large, complex networks.

Without any automation of daily tasks, the role of a system administer would be an absolute nightmare. Imaging trying to keep track of system messages for a network with 1000 connected devices if you did not have a centralized logging system!

While automation is vital, it is not without its problems. Automation can make the management of a computer network easier, but on a day to day basis your job is likely to be much more complicated, especially when it comes to troubleshooting problems.

Let’s say you have a red X showing on your management dashboard. What does that red X mean? Well, it could mean any number of things. For instance:

There could be a problem with the device hosting the dashboard, or it could be caused by a routing error. It could be a cable issue, or a problem with the device itself. It may be an error with the discovery protocol, or maybe the network dashboard is faulty. Automation may save time, but it doesn’t necessarily mean it is always quicker and easier to resolve problems. It also requires a sys admin to undergo further training on the automation system itself and the equipment used to host it.

In order to be able to automate tasks you will need to learn a scripting language such as Python or Windows PowerShell. One thing is for sure. If you are planning on becoming a sys admin you will need to learn at least one scripting language before you get your first job. As for the others, they can be learned on the job.

Use of SaaS and the Cloud is Increasing

You must be familiar with cloud archiving and backups as these have proven to be invaluable in improving efficiency. Many man-hours have been cut by using the cloud for routine data operations. However, that said, there is now a need for sys admins to become familiar with APIs – Application Programming Interfaces.

With many companies now using outsourced cloud services, the sys admins role has become much more valuable. Without a sys admin, businesses would have no alternative but to believe what cloud service salespersons say. An experienced sys admin will be able to assess the services being offered and determine whether they have the required functionality to adequately serve the needs of the business.

The Two V’s – VoIP and Virtualization

Many companies are taking advantage of the huge cost savings possible by switching from traditional telephone services to VoIP. Unfortunately, while business leaders love the cost savings, users do not like the potential downtime. In fact, they can be pretty intolerant. They expect 99.999% uptime like they get with traditional telephony. It is therefore essential that sys admins understand network load dynamics and are able to successfully implement and maintain VoIP services.

Businesses nowadays use many virtual networks, which add new levels of abstraction. They also require advanced knowledge of switching and routing. It is therefore essential that a good working knowledge of virtualization is acquired.

The role of a system administrator requires these skills…

A study conducted by the Association for Information Systems (AIS) and Association for Computing Machinery (ACM), detailed in the IS 2010 Curriculum Guidelines, suggests an individual in the role of a systems administrator must have the following skills and attributes in order to succeed in the position:

  • Creative, analytical, and critical thinking skills
  • Excellent communication and negotiation skills
  • Collaboration and leadership skills
  • Good mathematical knowledge

Do you think you have what it takes? If you do, make sure you are aware of all the critical technologies. Work on your mathematical and communication skills, and make sure you expand your social network. Many companies are looking for experience, which can make it hard to get your first position. Hang in there. If you can prove your knowledge and demonstrate your skills, you should be able to get your first position. And we wish you the very best of luck with that.

Why Using Exchange for Archiving Email is Wrong and an Email Archiving Solution is Essential

Many people are using Microsoft Exchange for archiving email and some people do not archive email at all. Both are big mistakes. To find out why, it is important to know what true email archiving actually is.

What is email archiving?

Email archiving means more than just clearing your inbox. An email archive is a technical term used to describe a permanent and unalterable record of email data.

An email archive is essential for businesses and depending where a business is located, and the industry in which it operates, will determine just how important an email archive is.

An email archive is required in case of litigation, and government audits will require emails to be retrieved from an archive.

It is important to make a distinction between an email archive and an email backup because the two terms are frequently confused. Both are important, but they are used in different situations.

An email backup is a store of emails that can be recovered in case of emergency. If email data is lost, corrupted, or accidentally deleted, a copy can be recovered from a backup. Email backups will restore email accounts to the state they were in when the backup was made. Backups therefore need to be performed daily, but also weekly and monthly. Each time a backup is made, it will usually overwrite a previous copy. Email backups are not permanent.

An email archive is different. It is a permanent store of email data. An archive is searchable, and individual emails can be retrieved as necessary.

Why is it important to have an email archive?

One of the main benefits of an email archive is to reduce the storage space required for individual mailboxes. Smaller mailboxes are faster to search and retrieve information. The mailbox should only contain a working copy of email from the last few days or weeks. The remaining emails should be moved to an archive where they can be retrieved as and when necessary.

Email archiving is a legal requirement in many countries around the world. It is necessary to maintain an email archive to comply with specific industry regulations, as well as country and state laws. An archive is also required for eDiscovery. If legal action is taken against a business, it must be possible for emails, and documents sent via email, to be retrieved. These must be provided during litigation.

eDiscovery can prove extremely expensive if an email archiving solution is not used. If documents or emails are requested they can be obtained from an archive. If they need to be obtained from individual computers, the time required to locate the emails would be considerable. You may even need to search every computer in your organization. If you run a small business and have 20 computers and email accounts, this would take quite a while. If you run a business with 10,000 computers and email accounts, you could be in real trouble if you don’t have an email archive.

eDiscovery requirements mean an email archive must be searchable, and therefore the organization of the archive is critical. How so? Well, that is best illustrated with an example. An executive criminal case involving Nortel Networks resulted in 23 million pages of electronic email records being delivered by the prosecution. That is a lot of data. Unfortunately, the data was in a bit of a mess because it had not been well organized. So much of a mess that Ontario Superior Court Justice Cary Boswell ordered the prosecution to re-present it to the defense in a comprehensible format. It was described as an “unsearchable morass.”

Organizing 23 million pages of email takes a considerable amount of time. It is therefore important to get the structure of the archive correct from the outset.

Can I use Microsoft Exchange for archiving email?

Is it possible to use Microsoft Exchange for archiving email?  Since the 2007 version was issued, Microsoft has included the option to use Exchange for archiving email in its journaling and personal archive functions.

However, there is a problem with using Exchange for archiving email. The journaling function does not work as a true email archive. Using Exchange for archiving email can cause many problems.

Reasons why Exchange for archiving email can cause problems for businesses

  • MS Exchange does not allow email in its archive to be effectively indexed and searched
  • Individual email account holders can create personal PSTs and store email on their computers
  • Individual PSTs may not meet the requirements of eDiscovery
  • There are no data retention configuration settings in journaling

The journaling function doesn’t really satisfy the requirements of businesses, but what about the Personal Archive? Can that be used? Unfortunately, while that does offer some enhanced email archiving functionality using the Personal Archive of Exchange for archiving email will also cause problems.

Let us take a look at the functionality of the personal email archive in the 2010 release. Exchange 2010 is better for email archiving than the 2007 release, but there are still some major issues.

In Exchange 2010, it is possible to create a mailbox archive for each email account. The purpose of the archive is to free up space in the mailbox. This is a get around for restrictive mailbox quotas. The archive is intended to be used as a medium-term store for additional emails that the user does not want to delete, but does not need in the mailbox for day to day operations. They are not really email archives, but secondary mailboxes. They lack the functionality of a true email archive.

Exchange users have two options for their personal archive, regardless of whether it is located in the production database or in the cloud. The archive can be configured to move messages automatically after a set period of time (based on retention tags) or the task can be performed manually as and when required.

There are two main drawbacks to using an Exchange personal archive. For many organizations the main disadvantage is the cost: It is necessary to purchase an enterprise client access license or CAL, or to purchase Office 2010 Professional Plus if Outlook is required.

Even Microsoft points out that it may not be wise to use personal archives in Exchange for archiving email, stating they “may not meet your archiving needs.” Does that seem an odd statement to make? That is because it is not a true email archive. It is a personal one.

Users are able to choose what information is loaded into the personal archive. They can also delete emails from the archive. That is no good for regulatory compliance and eDiscovery. There is a get around though. It is possible to meet certain eDiscovery and regulatory compliance requirements when using Exchange for archiving email. Users can be given Discovery Management roles, and can perform indexing and multiple mailbox searches. Unfortunately, the Control Panel in Exchange 2010 is difficult to use, especially for eDiscovery purposes.

Some of these issues have been addressed in Exchange 2013, but there are still eDiscovery issues. Users have far too much control over their personal archives and mailboxes. They have the ability to create their own policies and apply personal settings to their mailboxes and archives. They can potentially bypass corporate email storage policies. Unfortunately, unless Litigation Hold or In-Place Hold is applied to each and every mailbox, the administrator is incapable of overriding settings that have been applied by each user.

Is it possible to use Microsoft Exchange for archiving email if SharePoint 2013 is used?

The issue of eDiscovery has been tackled by Microsoft. It is possible to use SharePoint 2013 to perform searches of all mailboxes, but there are even problems with this added eDiscovery feature.

For a start, it is necessary to buy SharePoint 2013 and that has a cost implication. It is also necessary to use cloud storage and keep the data on an Exchange server, otherwise the In-Place Discovery tools of Exchange will not work.

There is another issue. That is the storage space you will require. Every email that has ever been sent or received through MS Exchange will need to be stored. Over time your email “archive” will become immense. Over 90% of the emails stored in that archive will never need to be accessed. It will involve paying an unnecessary cost and searching through all those emails will take a long time. Recovering emails will be particularly slow.

A true archive will remove a significant proportion of the 90% of emails that you will never need to access, and search and recovery time can be greatly reduced.

You cannot consider the archiving function of MS exchange to be a true email archive that will meet all compliance and eDiscovery needs.

The ArcTitan approach to email archiving

ArcTitan is a true email archiving solution that has been custom designed to meet compliance and eDiscovery requirements, as well as meeting data storage needs.

Key Features of ArcTitan Email Archiving

exchange-for-email-archiving-1

Network Security Checklist for SMBs

Network Security Checklist for SMBs

Our network security checklist for SMBs acknowledges the fact that many small-to-medium sized businesses do not have the resources to dedicate to their network security. However, network security is essential. Without protection against hackers and malware, an SMB´s survival could be under threat.

Consequently, our network security checklist for SMBs contains common sense approaches to network security that can be implemented for little or no cost. Indeed, it is in an SMB´s best interest to adopt these best practices before even considering a “comprehensive security solution” software package – which would be ineffective without first taking the steps below.

Start by conducting a risk assessment

The first item on our network security checklist for SMBs is to assess your risk levels and the consequences of an attack on your network. In order to do this, you will need to know:

  • What information is stored
  • How is it stored
  • Who has access to the information
  • How is the information protected
  • What would be the consequences of a successful cyber-attack on your business

Develop an acceptable usage policy

Most hackers use the weakest link in your network security to launch attacks – your employees. Consequently it is essential that you develop an acceptable usage policy to advise your employees how they should use systems and resources while at work. Some factors you may want to consider when compiling an acceptable usage policy include social media use and the use of private devices (including USBs) in the workplace.

The policy should be accompanied by appropriate employee training. This will help you to assess whether you employees understand acceptable usage and can identify security risks. The U.S. Chamber of Commerce has an excellent online “Test Your Internet Security IQ” quiz that can be printed off and distributed among your employees. The results are likely to surprise you.

Change your passwords regularly – all of them!

Most business owners will be aware of the necessity to change user passwords regularly, but how often is regularly? Once a year? Once a quarter? In order to develop solid network security, you should be changing passwords at least once a month – and not just those of your user accounts.

Servers, routers and switches all have passwords (or should have). When was the last time you changed your Wi-Fi password? Also remember that many devices have default passwords. You should change them immediately after installation and then change them regularly thereafter.

Identify your vulnerabilities

There are plenty of free online tools that offer network security checks, but you have to be careful to use a reputable one to ensure you are not infecting your system with hidden malware. Metasploit is one of the best resources for network security testing we have identified. For identifying vulnerabilities on individual operating systems and devices, we recommended choosing from the list provided by StaySafeOnline.

Protect your network against malware

Having just mentioned malware, this seems a good time to include the subject in our network security checklist for SMBs.

You can protect your network against malware by using some existing tools in your system – for example in browser settings. You should strengthen your protection by adjusting the content filters, pop-up blockers, cookie and certificate settings. This not only needs to be done on all your company´s hardware, but on personal mobile devices if they connect to the company´s Wi-Fi.

One wise investment is an email filter. Spammers often use emails as a means to con employees into exposing network vulnerabilities, but if the emails do not arrive in employee inboxes, the risk is eliminated. An email filter is not necessarily an expensive investment, and it can be deployed in various ways to filter out the potentially catastrophic consequences of an employee clicking on a link which allows a hacker to install malware on your network.

Avoid data loss and data lock with back ups

According to research conducted by Kroll Ontrack, 40 percent of data loss is attributable to human error – either due to inadvertently deleting a file or folder, or by spilling a drink on a piece of IT hardware. Regular backups ensure that the data can be recovered with minimal disruption.

Regular backups also prevent your company being held to ransom if ransomware is installed on your network. Ransomware encrypts all your data with a key that only the person demanding the ransom has access to. The threat of your company being held to ransom can be eliminated if you are able to restore data from a recent back up.

There is a variety of back up options available for SMBs – file or volume synching, cloud backup, traditional backup software, and replication. The most appropriate option will depend on the volume of data your company produces.

Control software installations

Controlling the installation of software on the server or on any device is especially important because software is increasingly open-source and could introduce new vulnerabilities. For example, it may be convenient to install remote access software on your server, but this provides potential attackers with another gateway to penetrate your network. Software installations should be decisions you make with the same considerations as with other business decisions – weighing up the benefits against the risks.

Similarly the use of personal devices or software-as-a-service (SaaS) applications can also introduce risks to the network´s security. The use of personal devices and SaaS applications should have the same controls as would be applied to on-site company resources to avoid data loss, the installation of malware on the network and attacks from hackers.

Don´t ignore software updates

The final box to tick on our network security checklist for SMBs is not to ignore software updates. Software updates are released for a purpose – usually to patch vulnerabilities that have been discovered since the software´s installation.

From a security perspective, it is essential to apply software updates as soon as they are released. This applies to operating system software (Windows, Mac OS, Linux), security software such as antivirus software and standard programs. Some network security solutions have automatic software updates, and you should choose these whenever such an option is available.

Benefits of Teaching Hacking Techniques

This article explores the benefits of teaching hacking techniques. Why on earth would I want to do that you may ask? Isn’t that the same as telling someone how to rob a bank? Well, it is, but teaching hacking techniques does have a lot of benefits. For a start, it is essential if you want to be able to defend a network from an attack by a skilled black hat. You must be able to think like a hacker in order to protect a network from one, but you need a real hacker to tell you if your network has been properly secured.

Teaching hacking techniques is like training a new army of hackers!

Let’s take a look at the three “types of hacker”. First there is the black hat hacker (boo, hiss). This rather nasty individual is intent on causing havoc with their malicious ways. They want to destroy, disrupt, and rob.

According to Robert Moore (2005), a black hat hacker is someone who “violates computer security for little reason beyond maliciousness or for personal gain.”

Then there is the white hat hacker. A white hat hacker uses his or her skills for good (hooray!) They are computer security experts who want to protect computer systems from attack.

Then there is the gray hat hacker. This individual is somewhere between the black and white. They are often called ethical hackers, and these are the individuals that perform penetration testing (pentesting). These individuals behave exactly like a black hat would, minus the maliciousness. Their goal is to find vulnerabilities and exploit them to show whether it can be done. They must gain access and be able to cause havoc. To do that they must be as good as a black hat hacker.

There is not much difference between an ethical hacker and a black hat hacker. In fact, on black hat forums you will not only find articles aimed at improving the skills of black hat hackers, but also articles aimed at gray hats and white hats. For example, two articles below have recently been posted on a black hat hacking website:

  1. “Harnessing GP²Us – Building Better Browser Based Botnets”
  2. “Hybrid Defense: How to Protect Yourself From Polymorphic 0-days”

The benefits of teaching hacking techniques

You can’t become a hacker from reading a few articles on the internet. Sure you can learn a thing or two, but before you can call yourself a hacker you must be able to demonstrate that you can actually put your knowledge into practice. The best hackers, of all colors, are those who have spent countless hours poking around inside computer systems and studying networks and network devices first hand.

In fact, if you want to be an ethical hacker you must have the skills of a black hat hacker. You will need to be taught, you will need to study, and you will need to practice. Teaching hacking techniques will actually help to build up an army of hackers that can use their skills for good.

If you want to get into pentesting you will need to work hard. Typically, you will need to have passed A+ certification, Network+, Security+, and obtained CCNA, CISSP or TICSA certification. You will need to have worked in tech support and information security. You will need hands on experience. Then, and only then, will you be able to become a Certified Ethical Hacker (CEH).

Of course, it is important that you then only every use your skills for good, even though you would be capable of using those skills for nefarious financial gain or to cause malicious harm.

The danger of teaching hacking techniques

Teaching hacking techniques has potential to create a whole army of hackers that could cause considerable harm, yet without people who have the same abilities as black hat hackers, how would it be possible to properly conduct penetration testing?

According to a recent Bloomberg article, gray hats “break into computer networks and digital devices to find holes before the bad guys do”. They are heroes. Take Barnaby Jack for example. He showed how it is possible to hack ATM machines and get them to churn out cash. His insights resulted in banks enhancing their security measures to make sure that criminals could not take advantage of the same security flaws.

Sure it is important to learn defensive strategies to protect systems from attack, but if you really want to beat bad guys at their game, teaching the hacking techniques used by the bad guys is essential. It is vital that gray hats are taught hacking from an offensive perspective as well as a defensive one!

DNS and Network Security: The Dreaded DDoS Attack

DNS, network security and the feared DDoS attack!

The purpose of the DNS – or the Domain Name System to give it its full title – is to turn the IP addresses that are required by network servers into domain names that are far easier for humans to use and remember. DNS is what allows you to use “Google.com” instead of having to type in or remember “http://173.194.39.78/”. You can consider DNS to be the main directory service of the Internet or the Internet’s phone book.

The Domain Name System (DNS) in Action

When you use a web browser to visit a website, the first thing that must happen is the web browser must contact your current DNS server. It must find out the IP address of the website you are trying to access by using its name. You may run your own DNS server or it can be run by your Internet Service Provider. If you use a router, your router may forward DNS requests to your ISP. A DNS request is not made every time you visit a website. Once a request has been made, your computer will cache the response and will remember the IP address for a limited period of time.

DNS is very useful, but it is also problematic as it can be attacked. A DNS DDoS attack can cause a great deal of damage.

DNS Cyberattacks

Because DNS servers serve as a phone book, they must be available to anyone with Internet access. This means that hackers can access DNS servers. They can also attack them.

Viruses and malware can change your default DNS server and replace it with a malicious one which would direct a visitor to another site. For example, a copy of a site such as Twitter or a bank website could be located at a different IP address. A visitor would believe that they are on the legitimate site because that is what their browser address bar tells them. This may throw up a certificate error message, so it is important to pay attention to any invalid certificate messages. This is an indication that the site is not legitimate.

What are DNS DDoS attacks?

Distributed Denial of Service attack (DDoS) attacks are part of a hacker’s arsenal that is used often. DDoS attacks can cause a lot of damage. They can cause damage so severe that hardware may need to be replaced.

DDoS attacks on DNS servers will start with the hacker attempting to locate a DNS responder. Once the target’s DNS responder has been located, the hacker can launch a Distributed Denial of Service attack (DDoS). That DDoS attack can be conducted on the resolver, or it is possible to conduct an attack on other systems. In a DDoS attack, the target will receive millions of replies from numerous IP addresses around the world. Some of those will be real, some will be spoofed IP addresses.

Oftentimes, the purpose of a DDoS attack is to bring down a website and stop anyone from visiting a particular website. In a DDoS attack, traffic is sent from multiple sources and overwhelms a site. A denial-of-service attack is relatively easy to block as the IP addresses being used can be throttled. A distributed DoD attack is different, because the traffic comes from all over the world. In many cases, IP addresses are spoofed. An attacker would not want his or her real IP addresses to be shown.

DDoS attacks are conducted using a botnet, which is a network of zombie PCs that have been infected by a hacker. They are used to send traffic to the target. The botnet controls those machines, and the botnet is controlled by the attacker.

Hackers can conduct their DDoS attacks not with the aim of killing a site or web service, but to hide other activity. A DDoS attack requires an IT department’s immediate attention and resources. Staff must prevent software and hardware damage and try to keep the website available. While they fight the DDoS attack, other hackers in the group get to work on other parts of the network. This is why it is vital after suffering a DDoS attack to conduct a full system security check and audit the network. You must determine whether hackers have gained access to your network while you were fighting fires.

The Spamhaus DDoS Attack

A DDoS attack, especially one which sends enormous volumes of traffic, are usually short-lived. However, during the time that the attack takes place it can cause permanent damage. Sometimes extremely large attacks are conducted that can bring down even the best defended systems. Take Spamhaus for example. Unsurprisingly, this anti-spam service is something of a target, what with it being a 34-hour anti-spam operation. It servers billions of DNS requests, it has robust defenses, but it is not immune to attack.

In March 2013, Spamhaus suffered an enormous DNS DDoS attack. After receiving one DNS request from a spoofed IP address, a packet was sent and more servers started participating in the attack, then more. Then more. According to the Spamhaus report on the attack, 30,000 DNS resolvers took part.

It is possible to block certain IP addresses to counter an attack. When an attack involves so many different IP addresses, it is impossible to block them all. Because the range of IP addresses used was so large, it was not possible to throttle packets from specific IP addresses being used in the attack.

Is It Possible to Prevent a DNS Attack?

To prevent DNS attacks, you must be able to identify malicious web traffic. Traffic using port 53 for example is often just zone transfers syncing slave servers with masters, but the port can be used by attackers. It is therefore essential to block port 53 zone transfers from any unauthorized slave name server.

If you want to prevent a DNS attack it is important that you do not have an open responder that will respond to requests from any Internet address.

  • stop your DNS from being an open responder. Restrict in-house recursive servers and only allow your own company’s IP subnets. It is essential to keep your resolver private
  • You can use DNS response rate limiting when you configure your authoritative DNS servers. Set response rates and limit source addresses in a given time period. It may be possible to shut down an attack before the full force is felt by your server
  • Throttle DNS traffic by packet type
  • Monitor IP addresses to see which are using the most bandwidth. Your ISP can help you with this
  • Add variability to outgoing requests. This will make it harder for an attacker to get a response accepted
  • Overprovision your server – Make sure you have sufficient bandwidth to absorb an attack. Since some attacks can exceed over 100 Gbps this may not be possible in all cases, but not all attackers have that kind of capacity

SMBs Can Minimize Cybersecurity Risk with Good Risk Management Strategies

All companies must make efforts to minimize cybersecurity risk, but for small to medium sized businesses it is critical. The very survival of the business may well depend on it.

Small to medium-sized businesses must minimize cybersecurity risk

The same types of data are stored by SMBs as multi-national corporations; it is just the volume of data that differs. Just because a smaller volume of data is stored, it doesn’t mean that SMBs are not targeted by cybercriminals. In fact, many hackers choose to attack SMBs because the security defenses employed are not nearly so robust.

Large corporations can invest millions in cybersecurity defenses. SMBs do not have nearly so much cash to devote to protecting their networks from attack. They also do not have very much capital to cover the cost of a data breach when it occurs. A large corporation can easily absorb the cost of a data breach. Take Anthem Inc., for example. The health insurance company suffered the largest healthcare data breach ever reported. The breach had started many months previously but was discovered in February of this year.

78.8 million records were obtained by the hackers responsible for the attack. The cost of dealing with that data breach has been estimated to be somewhere in the region of $100 million to $1 billion. No small business could survive such a breach. Of course, Anthem was covered by an insurance policy which should cover the first 100 million. The company also made $17.02 billion profit in 2014. Even if the cost of resolution is $1 billion it will barely be felt.

In 2010, a study conducted by the Gartner Group indicated that major data breaches resulted in the immediate collapse of 43% of small to medium-sized businesses. Some managed to soldier on for up to 2 years before folding. Only 49% of companies lasted for more than 2 years.

Cyberattacks on SMBs are increasing

There are a number of reasons why SMBs are now being targeted. It is not only a lack of effort made to minimize cybersecurity risk.

  • SMBs can’t afford to investigate attacks and find out the identities of the attackers
  • They don’t have the budgets to prosecute hackers if they do find them
  • Cybersecurity defenses lack the sophistication necessary to thwart many attacks
  • Staff training does not tend to be so extensive
  • SMBs can’t afford to employ the very best IT security professionals
  • SMBs often work as suppliers to large corporations and their networks can serve as a launch pad for an attack on those corporations

The cybersecurity attack on Target is a good example of the latter. An HVAC vendor was attacked with the purpose of gaining access to Target’s network.

It is not all bad news

Most SMBs have the fundamentals right. They have good cybersecurity defenses in place. They just need a little improvement. Fortunately, it does not take much more effort or resources to raise the standard and significantly improve defenses against cyberattacks.

Adopting some simple “best practices” is all that is required to reduce the probability of a cyberattack being successful in many cases. It is possible to minimize cybersecurity risk to the point that the majority of online criminals will give up and search for easier targets.

Best practices to adopt to minimize cybersecurity risk

Listed below are some easy to implement best practices that can help minimize cybersecurity risk and keep networks and sensitive data protected from malicious insiders and outsiders.

Separation of duties

You would not give a cashier a copy of the safe key, or give a purchaser the ability to sign off orders and write checks for suppliers. If you give one individual access to everything, you are exposing your company to an unnecessary amount of risk. That individual may be 100% trustworthy, but if that person is targeted by a spear phishing campaign, and they have access to all computer systems, should that attack prove successful everything could be lost.

Administrative privileges should be limited. Spilt passwords so an IT support worker enters half of a password, with the remaining half entered by his or her manager.

The rule of least privilege

Access to systems and data should be restricted to the minimum necessary information to allow a job to be performed. Rather than give full control to one person, separate duties between staff members and you will minimize network and cybersecurity risk

Do not allow multiple staff members to have access to systems that they don’t really need access to. If you operate two shifts, restrict access to data systems to two members of staff, one for each shift. One or two supervisors can also be given access on the same basis.

Due Diligence and Due Care

A minimum level of protection should be maintained at all times, and the level of due care must meet industry regulations. A program of maintenance must exist to ensure that due care is supported. This is referred to as due diligence. You must ensure that a system exists to monitor for any abuse of privileges or data access rights, and the opportunity for individuals to commit fraud or steal data must be kept to a minimum level.

Implement physical controls to protect equipment used to store data

All equipment used to store sensitive data must be kept under lock and key. Data backups must be secured, and since they are stored offsite, they should be encrypted.

Perform background checks on all members of staff

Any organization that fails to conduct a background check on a new member of staff before access to sensitive data is provided could be classed as negligence. You can’t tell from looking and asking if a new recruit has a criminal record.

Rotate responsibilities

Cross-train staff so they are capable of performing a number of different duties. This will allow you to provide cover in the event of absence from work. If you then rotate duties, it is easier to identify employee theft and insider attacks. Employees can then audit the work of each other.

Maintain access logs

If you do not monitor data access attempts, you will not be able to tell if a member of staff is trying to steal data. Make sure a data trail is left to allow you to determine when employees are accessing data. Make sure the logs are checked frequently and always follow up on any discrepancies discovered.

If you follow these best practices, you should be able to minimize cybersecurity risk effectively. You may not be able to prevent all cyberattacks, but if one does occur, you will at least be able to identify it rapidly and minimize the damage caused.

Adobe Flash Exploit Delivering Cryptowall Ransomware

Last week, a zero-day vulnerability in Adobe Flash Player was patched. Users of the multimedia player can now run the software safely, without facing a risk of having their devices compromised by a new Adobe Flash exploit. Provided the patch has been installed.

Adobe Flash exploit being used to drop ransomware on unpatched devices

Any computer with Flash set to run automatically is at risk if the latest version of the software – Version 18.0.0.194 – has not been installed. Since the latest version of the software was released on June 23, the Adobe Flash exploit has been found in the wild. Hackers are using the Magnitude exploit kit to drop Cryptowall ransomware on unpatched computers. It took only four days since the release of the Adobe patch for an exploit to be packed into Magnitude.

The latest version of Flash Player has been released to deal with the vulnerability known as CVE-2015-3133. This vulnerability allows hackers to remotely execute code to take advantage of a bug in the software. The Adobe Flash exploit is being used to automatically drop ransomware on unpatched devices.

The vulnerability is also being exploited by at least one hacking group. APT3, a hacking group based in China, has already devised a phishing email campaign to take advantage of the Flash vulnerability. The vulnerability has been known since the start of June, and hackers were quick to exploit it. It took Adobe three weeks to develop the patch, during which time all users of the software – which is most people using the Windows operating systems – have been at risk of attack.

When computers are infected, APT3 is moving infections laterally to compromise multiple hosts. Furthermore, backdoors are being installed so that even when the malware is identified and removed, access to networks is still possible.

APT3 is well known for exploiting zero-day vulnerabilities and is using the current phishing campaign to target companies in specific industry sectors. Their current targets are in the aerospace, construction, defense, engineering, and the telecommunications industries.

There is a serious risk of malware infection from phishing emails, malicious website adverts, and malicious links on social media websites. Those links send traffic to websites containing the Magnitude exploit kit. If anyone visits a website hosting the exploit kit, ransomware and other malware can be installed automatically if the latest version of Adobe Flash Player has not been installed.

Attackers are targeting users of Windows 7 (and below) via Internet Explorer and users of Firefox on computers running on Windows XP.

Fortunately, installation of the latest version of the software will prevent the Adobe Flash exploit from being used to drop Cryptowall malware. The current version of the malware, Cryptowall 3.0, requires infected users to pay a ransom of $300 to unencrypt files. System administrators have spent the past week ensuring all devices are updated with the latest version of the software.

Are you at risk from the Adobe Flash exploit? Have you managed to install v18.0.0.194 on all your networked computers?

Best Firewall Security Zone Segmentation Setup

Regardless of the size of your company, or what type of TCP/IP setup you have, a hardware firewall is essential. It is one of the most fundamental network security elements. It provides basic protection and is capable of preventing many attacks on your network from being successful. It is therefore essential that you have the best firewall security zone segmentation setup.

What is the best firewall security zone segmentation setup?

Today, networks typically extend outside of the firewall perimeter, but that said, they do tend to have a well-defined structure. Your network should therefore have:

  • An internal network zone
  • An untrusted external network
  • One or more intermediate security zones

Each of your intermediate security zones – commonly Layer3 network subnets with multiple workstations and/or servers – should contain systems which can be protected in a similar fashion. They are groups of servers that have similar requirements. They can be protected with a firewall on the application level, or more typically, on the Port and IP level.

Perimeter firewall security zone segmentation

Unfortunately, the perimeter network topology that is best for you may differ considerably from the one that you used for your previous company. Your current network will naturally be different and have its own requirements and different functions. Your perimeter security zone segmentation will have to therefore be set up to match the unique needs of your business. That said, there are a number of best practices to follow when devising your network perimeter.

To help explain a typical network perimeter, we have illustrated this in the diagram below. Your network may differ, but the illustration shows a typical setup used by many enterprises. You may use two firewalls, or only have one DMZ (Demilitarized) zone. The red arrows show the traffic direction permitted by the firewall

perimiter_security2

Security zone segmentation: Setting up your DMZ (Demilitarized Zones)

Your equipment and sections of your network that will be most susceptible to attack will be the parts that face the public and are connected to the internet. These will include your web servers, email servers, and DNS for example. If an attack on your network is attempted, this is where it is most likely to occur. It is therefore important to be able to minimize the potential for damage if one of those attacks is successful and one or more of your servers is compromised.

To do this, it is important to set up a DMZ or Demilitarized zone. A DMZ is basically a Layer3 subnet that is isolated. In our example we have included two, as this set up offers the best protection for our internal zone. In your case one may be appropriate or three or four, depending on the size of your network, number of servers etc.

DMZ1

You are going to have to have at least one public facing server that is accessible via the Internet. Traffic flow must be restricted for security, so it should only be possible for traffic to go from the Internet to your DMZ1. It is also essential that you only have the necessary TCP/UDP ports open. All other must be closed. Your DMZ1 should host your DNS, Proxy server, Email server, and web server.

DMZ2

For the best protection, you should never have your databases located on the same hardware as your web server. Database are likely to need to be accessed via your web server, but they should be set up in a different DMZ. In this example, we have set up DMZ2 where we have placed the application servers and database servers. You can see from the red traffic arrows that these servers can be accessed directly from the internal zone, and also from DMZ1. They can therefore be accessed from the Internet, but only indirectly via DMZ1.

It is also important to have your web application server and a front end web server located in different DMZs.

Using the above setup, if one server is compromised, say one of your application servers in DMZ2 via DMZ1, the attacker will not be able to access to your internal zone.

You should configure your firewall to allow traffic between both of your DMZs, but only on specific ports. Traffic between your internal zone and your DMZ2 is possible, but this should be limited.  Traffic may be necessary for performing data backups for instance or for accessing an internal management server for example.

Your internal security zone

Located in the internal security zone will be your end user workstations, your file servers, and other critical internal servers. You will also have internal databases located in the internal zone, Active Directory servers, and many business applications.

It is essential that there is no direct access from the Internet to your internal security zone. Any user requiring Internet access must not be permitted to access the Internet directly. Internet access must only be possible via a proxy server, which should be located in DMZ1.

It is essential to have security zone segmentation, although the setup you choose must reflect your business requirements. Our example of a typical security zone segmentation setup is ideal for the enterprise environment. Use this and it should ensure you have solid network security.

Common Security Assumptions that Place Data at Risk of Exposure

Even IT security professionals are guilty of developing bad habits and making some of the common security assumptions that place data at risk. There is now a legion of cybercriminals ready to take advantage of security vulnerabilities that have been allowed to develop. If you don’t correct bad security habits, there are criminals ready to take advantage.

Protecting company assets from cyberattacks used to be a fairly straightforward process. Many attackers were opportunistic and amateurish. They would hunt for companies or individuals with little to no security, and would take advantage. Spam emails would be sent out in the millions in the hope that some individuals would respond. Those emails were not even run through a spell check. They were easy to identify.

Today, the situation is very different. Sure, there are still many amateurs out there, but today’s cybercriminal is a different beast entirely. The men, women, and even children who are conducting attacks are organized, highly motivated, and they possess a wide range of skills. They are professional and their job is to make money online. They do that by taking it off of other people.

The attack surface is now broader than ever before and the threat landscape is constantly changing. Keeping data safe is no longer easy.

How is it possible to defend data with a constantly changing threat landscape?

It is difficult to keep networks and data secure, but it is far from impossible. It is essential not to make some of the common security assumptions that leave data unprotected, and to take a step by step approach and ensure that all Internet connected devices are secured.

Virtually everyone now has at least one Internet-connected device. Many people have several. With Internet-connected devices being so common and an essential part of daily life, one would think that we have all become quite good at ensuring those devices are secure. Unfortunately, that is far from being the case.

Furthermore, there are now so many data security threats that it is virtually impossible to keep track of them all. We now need to watch out for viruses, malware, spyware, rootkits, and ransomware. Then there are denial-of-service attacks to prevent. Cyberterrorists want to delete and corrupt data and take businesses down. Scammers are using social engineering techniques to obtain login credentials. Even your ex may be uploading and sharing compromising photographs of you online. The digital threats now faced by everyone are considerable. For sys admins it is even worse. So how is it possible to protect against all of these threats?

The best place to start is by determining what needs to be protected. There are many threats, but what is it that attackers all want? The answer to that is data. They may want to steal it, share it, corrupt it or delete it, but regardless of their intention, the worry is data. To protect data, you must know what data you have and where they are stored.

To protect your assets, you must first define your assets!

The first step to take if you want to protect data is to determine what data cybercriminals would like to obtain. This may seem obvious. Criminals want your bank account password and login name and your credit card numbers. However, that is not all they are after. One of the most common security assumptions is thieves are only after financial information. In fact, more money can be obtained from other data.

Assets you must protect

Cybercriminals want more than just your banking information. They would love to steal…

  • Social Security numbers
  • Government ID numbers
  • Passport details
  • Medical records
  • Insurance IDs and provider names
  • Financial records
  • Credit card numbers
  • Health insurance payment histories
  • Online passwords
  • Email addresses and passwords
  • Personal data such as dates of birth, genders, ages, addresses, & telephone numbers
  • Employment histories and employer names
  • Information that allows security questions to be guessed
  • Education histories
  • Business plans
  • Legal documents
  • Trade secrets

Many common security assumptions lead to data theft and financial loss

Once you have identified all the data that need to be protected, you must determine where those data are located. Where is information stored, and who has been given access? You must also forget a lot of the common security assumptions that many people are guilty of making. Common security assumptions invariably leave data exposed. What are these common security assumptions? One of the biggest is that the people that are trusted to secure data are putting all of the necessary safeguards in place to make sure information is secured. That is not necessarily the case.

If you want to keep your data secure, you need to develop some good habits and stop all the bad ones.

Bad security habits to eradicate

  • Not being aware what data you have
  • Not being aware where data are saved
  • Being unaware of your bad habits
  • Leaving data security to others
  • Storing data in multiple locations when it is not necessary
  • Sharing passwords with friends, family members, or work colleagues
  • Reusing passwords across multiple online accounts
  • Using passwords that are easy to guess
  • Believing most of the stuff you read on the internet or receive in an email
  • Trusting an email because it has been sent from someone you trust
  • Writing your login credentials down so you can remember them
  • Installing apps and software without checking authenticity
  • Giving out too much information about yourself online
  • Oversharing personal information on social media websites

Good security habits to develop

  • Using secure passwords containing letters, numbers, upper and lower case characters and special characters
  • Changing passwords at least every three months
  • Using a different password for each online service
  • Keeping your password totally private and not even sharing it with your partner
  • Keeping abreast of the latest data security news
  • Setting software to update automatically
  • Checking for security patches and software updates on a daily or weekly basis
  • Not storing your passwords in your browser database
  • Locking your devices (phone, tablet, desktop, laptop) with a security mechanism
  • Encrypting your communications
  • Not always answering truthfully when asked about your personal information online
  • Using a web filtering solution to block malicious websites
  • Stopping and thinking before taking any action online
  • Assuming that all email attachments are malware until you determine otherwise
  • Using powerful anti-spam, anti-malware, and anti-virus software on all devices
  • Ensuring devices do not automatically connect to open Wi-Fi networks
  • Not installing any software on work computers unless authorized to do so by your IT department

Develop good habits, stop making common security assumptions, and eradicate your bad habits and you will be much less likely to become a victim of a cyberattack!

Five Common Business Network Security Myths

Unfortunately, common business network security myths have led many small to medium sized business owners to believe they are well protected against hackers, malicious insiders, and online criminals. They perceive their network to be secure, but that confidence may be misplaced.

Sure, they know they are not impervious to attack but, on balance, confidence in their ability to prevent a cyberattack is high. Even if an attack is suffered, they think they will be able to identify it quickly enough in order to protect their data. However, the reality is that confidence is often based on some widespread business network security myths. The reality is many businesses are wide open to attack.

Common business network security myths that need busting

Some of the commonest business network security myths are listed below. Make sure that all of your IT staff are aware of the following misconceptions. Expel these business network security myths and you will be able to gain a much better understanding of how well your business, and its data, are actually protected:

It is easy to avoid phishing campaigns

That may have been true a few years ago. It used to be easy to spot a phishing or scam email. However, the situation has now changed. Phishing schemes have become much more sophisticated and it can be very difficult to identify scam emails, certainly by the majority of employees. Many of the major security breaches suffered over the past few years have started with a member of staff responding to a phishing campaign. The massive data breach at Target is a good example. Hackers gained access to Target via a HVAC company used by the retailer. Malware was installed on that company’s network. The attack on Target was launched from there.

I trust my employees not to expose data or infect my network

Your employees may not knowingly compromise your network or reveal sensitive company information but, due to the high phishing risk, they may do so inadvertently. Even after training employees to be more security aware, they can still accidentally fall for a scam and install malware on your network.

That is not the only problem. Your loyal and trusted employees may not turn out to be quite so loyal when they leave for another job. The Wall Street Journal recently conducted a data security survey, and half of employees admitted to taking confidential company data with them when they left their employment.

My business is too small to be targeted by cybercriminals

Cybercriminals want to gain access to as much data as possible. They want to infect as many computers with malware as possible and build bigger botnets. They also want to sabotage companies that they feel are doing harm, or acting irresponsibly. That means larger corporations are targeted. They have more data, they have more computers, and they tend to cause the most offense – by damaging the environment or making obscene profits, for example. They are also more of a challenge, and many hackers see that as reason enough to try to break through their defenses.

However, don’t think that as a smaller business you are a smaller target. Your defenses will probably be inferior to a multi-national corporation, and criminals like the path of least resistance. Your data is likely to be just as valuable as data held by a larger corporation. You just store a smaller volume of it. Small businesses are being targeted and there is actually a high risk of attack. As was the case with the Target data breach, a small company was targeted first and was used to attack the retailer.

If a cyberattack is suffered, you may not be able to cope with the aftermath. Data suggest that two thirds of small companies end up going out of business within 6 months of suffering a cyberattack.

I have not been hacked, so my security protections are sufficient

How sure are you that you have not been hacked? Many companies do not discover their systems have been compromised for months or even years after an attack has taken place. Take the eBay data breach for example. The massive online marketplace was first attacked in February and it took 3 months for the company, with all of its IT security resources, to determine that data had been stolen.

Network security protections are expensive

If you want the best protection for your company, you do not have to necessarily spend a small fortune, or a large one for that matter. There are many cost-effective protections you can put in place to protect your network from attack. In fact, it is probably not necessary for you to implement advanced threat analytics, but you should use email and web security solutions to protect against phishing attacks.

Weigh up the cost of implementing these software solutions against the cost of suffering a data breach. According to the Ponemon Institute, the average cost per record exposed in a cyberattack is $246. Multiply that by the total number of customer records you have and that will give you an idea of the likely cost of resolution. Unfortunately, small businesses tend to pay much higher costs per exposed record due to economies of scale. Ponemon has also calculated the chance of suffering a data breach over a two-year period is 22%.

Dispel these common business network security myths and you will be taking five steps toward a more secure network, and will actually be much better protected than you currently believe you are.

Is It a Good BYOD Strategy to Not Allow Personal Devices to Connect to the Network?

The Internet of Things of IoT offers a lot of potential, but unfortunately these Internet-connected devices also introduce a considerable amount of risk. The term Internet of Things covers any device that connects to the internet, which includes a wide range of equipment covered by your BYOD policies. As well as a substantial number that are probably not.

IoT includes devices such as traffic lights, GPS units used for cycling or walking, weather monitoring equipment, cars, some new refrigerators and washing machines, and activity trackers. An incredibly wide range of devices. Today, so many electronic devices have been developed that have Internet connectivity the mind boggles.

What’s your Point?

Any device that connects to the Internet and remains connected to the Internet for a long period of time is likely to attract the attention of hackers. They will use various tools to probe those devices. Their aim is to identify potential vulnerabilities that can be exploited. Once those vulnerabilities are located, they will be subjected to attacks, whether by brute force or by a skilled hand. Hackers will attempt to shut devices down (just because they can) or take them over with malicious intent. This will happen. This is not conjecture.

Will an electronic, Internet-connected billboard be hacked? Sure! Someone somewhere will have a humorous message they would like to display. Will someone hack a medical device such as a drug pump and change the dose of morphine that is administered to a patient? Certainly. It has already happened on at least two reported occasions. Both times were by the patients themselves. (it was very easy BTW, they got the instructions from the Internet and upped their own morphine doses!).

If it is possible to hack a device, someone will. It is just a matter of time.

Why not just make sure that all products are secure?

In an ideal world, no Internet connected device would come to market unless it was first made secure. However, this is not an ideal world. In fact, judging by the apparent ease at which hackers can compromise desktops, Smartphones, tablets, and servers, IoT devices shouldn’t pose too many problems. To make matters worse, the developers of these devices often don’t have any idea about the security of their devices. Their aim is to get a useful Internet-connected device on the market, not to prevent them from being hacked.

Many manufacturers have the budgets to develop appropriate security. The problem is that they do not. Don’t get me wrong, this is not always about them cutting corners. Oftentimes they just have no idea about how hackers will be able to take advantage of their devices or why they would choose to do so.

Unfortunately, devices are coming to market faster than it is possible to perform full security testing. Many of those devices are connected to Smartphones, tablets and laptops, from where they can be accessed and controlled. If it is possible to gain access to the equipment remotely, would it be possible to use the IoT device to gain access to the device that is used to control or monitor it? It is a distinct possibility!

How about the apps that are downloaded to control those devices? Could they be hacked? Could malicious apps for controlling a Samsung washing machine find its way into the Google Play Store? How about an app for a device that is part of the critical infrastructure?

The Danger of IoT and BYOD

Many organizations have wholeheartedly implemented a BYOD policy and are now allowing the Smartphones, tablets, and laptops of employees to be used at work. There are numerous advantages to doing this of course. The technology can be leveraged to give the employer benefits that would otherwise be unaffordable to introduce. Employees want to use their own devices at work and are often much more productive as a result. The problem however, is the security risk that these devices introduce, or have potential to introduce, is considerable. Any Internet enabled device that is allowed to connect to a corporate network could potentially be used by a hacker to launch an attack.

To tackle the security threat, a good BYOD strategy must be employed to control use of the devices. Employees must be told what they can and can’t do. Unfortunately, it doesn’t matter what you tell your employees. Some will go against company policies because it’s their device and they believe they can do what they want with it.

It is essential to perform training on security. Employees who are allowed to bring their own devices to work must have it spelled out, very clearly, what the risks are and why controls are put in place. They must be made to understand that the risk from the devices is very real, and policies exist for a very good reason. If they are unwilling to abide by the rules, they should not be permitted to use their devices at work.

A good BYOD strategy?

However, even by adopting a good BYOD strategy, you will allow the traditional security perimeter to be extended to include employees’ homes. Regardless of the controls that are used and the level of training provided, the risk that is introduced could be considerable. Employers should therefore think very carefully about the devices they allow to connect to their network. A good BYOD strategy may in fact be to prevent any BYOD devices from connecting to the network at all!

Bank Phishing Scams Claim Many Victims

The financial sector is reeling from one of the most sophisticated cyberattacks ever seen. The APT-style Carbanak malware attack differs from other APT attacks, as the attackers are not after data. They want cold hard cash and they are getting it. Carbanak has been used to steal funds to the tune of around $500 million. Or up to $1 billion, depending on who you speak to!

The malware, discovered by Kaspersky Lab, uses sophisticated methods for obfuscation so it is hard to identify once it is installed. There isn’t much good news about Carbanak, but one chink in the armor is the method used to get malware installed. That is far from sophisticated. In fact, it is rather simple. Cybercriminals are getting bank employees to install it for them.

Banks that have suffered Carbanak attacks have been lax with security. They have not instructed their employees how to identify bank phishing scams, and they have not been performing scans for malware. It may be hard to detect, but it is important to actually scan a network for malware periodically! Consequently, banks have not detected breaches until a long time after they have occurred.

One of the most sophisticated bank phishing scams is easy to avoid

Carbanak malware is delivered via email. The phishing emails have been sent to large numbers of bank employees, and many have clicked on the malicious links included in the emails. By doing so they inadvertently loaded the malware onto the banks’ administrative computers. Once installed, Carbanak happily collects information and sends it to the criminals’ command and control servers.

The malware logs keystrokes and searches for security vulnerabilities in the network. The data collected is used to make bank transfers to the criminals’ accounts, although the data that is obtained could be used for a number of different crimes. Some security experts estimate that the criminals behind the campaign have managed to steal over $1 billion so far. The bad news, and there is a lot of it, is that they are still continuing to obtain funds. As bank phishing scams go, this is one of the costliest.

Bank phishing scams account for a fifth of all phishing campaigns

There is a considerable amount of disagreement within the security community about the level of sophistication of Carbanak. But that is really beside the point. The malware is installed on computers and remains there undetected for a long time. It is used to obtain huge amounts of money. It doesn’t really matter how sophisticated the malware is.

What is more important is the lack of sophistication of the initial attack. Bank phishing scams are not that difficult to prevent, and this is no different. Bank employees just need to know how to identify phishing emails. Bank phishing scams account for a fifth of all phishing campaigns so to prevent them it is vital that employees receive training to help them identify the scam emails.

It is also essential that after training has been provided that it is followed up with phishing email exercises to test employees’ knowledge. Can they actually identify a phishing email or were they not paying attention during training? Don’t leave that to chance, as it could prove costly!

Bank phishing emails are very convincing

The criminals behind bank phishing scams have spent a long time crafting very credible emails. The emails need to be realistic, as bank employees would not open an attachment in order to find out about a $1,000,000 inheritance they have got from an unknown Saudi relative (some do!). Cybercriminals are now developing very convincing emails, and are even running them through a spelling and grammar check these days.

Bank phishing emails provide a legitimate reason for taking a particular action. Typically, the reason is to:

  • Verify account details to prevent fraud
  • Upgrade security software to keep systems secure
  • Perform essential system maintenance
  • Take action to protect customers from fraud
  • Perform identity verification to allow a refund to be processed
  • Verify identity to allow packages to be delivered by couriers

The aim of most bank phishing scams is to get users to click on a link to a website that will download malware onto their computer, or to get them to open an email attachment (zip file) that contains malware, or to install malware in the belief they are opening a PDF or word file.

The Three Main Types of Bank Phishing Scams

Bank phishing scams can be highly varied, but generally fall into one of three main categories:

Opportunistic Attacks

Opportunistic attacks are the most common types of phishing attacks and they tend to be the easiest to identify. Millions of spam emails are sent containing malicious links or attachments in the hope that some individuals will install the malware they contain or link to. This type of phishing campaign is often used to deliver ransomware. Criminals often use links to websites containing common exploit kits to download malware onto machines.

Zero Day

A zero-day attack is one that exploits a known security vulnerability that has not yet been patched. Researchers are discovering new security vulnerabilities on a daily basis, but it takes time for software developers to issue patches to protect users. It takes more skill to conduct this sort of campaign as the hacker must develop a way of exploiting a vulnerability. However, the same shotgun approach is used to deliver the malware that exploits the vulnerability. The favored delivery method is mass spam email.

APT (Advanced Persistent Threat)

The third type of phishing attack is the one that was used for Carbanak. This type of phishing campaign also exploits zero-day vulnerabilities, but in contrast to ransomware that acts fast and makes the presence of the malware infection abundantly clear, APT attacks remain hidden for a long period of time. They are stealthy and their aim is to steal data. That said, in the case of Carbanak the attack was used to steal money.

These attacks tend to be targeted. Banks, financial institutions, healthcare organizations, and government departments are all targeted using this type of phishing campaign. Malware is not sent using mass spam emails, but the targets are typically researched and spear phishing emails are sent.

How to defend against these targeted bank phishing scams

Carbanak has been used for bank phishing scams for close to two years now so it is nothing new. What is peculiar about the campaign is it uses tactics that are more commonly seen in state-sponsored attacks for spying on governments and those used by cyberterrorists. The attack on Sony, for instance, started with a phishing email of this ilk.

Unfortunately, while the first two types of phishing emails are relatively easy to block with anti-spam solutions and phishing email filters, it is much harder to block APT spear phishing emails. They tend not to contain links to known malware sites, and are often sent from email accounts that have already been compromised. They also contain links to legitimate websites that have been infected with malware. They can be hard to identify and block.

There are steps that can be taken to reduce the risk of an attack being successful. It is essential to provide staff members with training to help them identify phishing emails. Employees must be aware of the common signs to look for and must be told to be extremely cautious with emails. Email attachments are a potential danger, but do employees know the danger of clicking links? Make sure they do!

Training exercises has been shown to be highly beneficial. The more times employees are tested on their phishing email identification skills, the better they become at identifying email scams.

It is also essential to ensure that patches are installed as soon as they are released. Zero-day attacks will take place until the security vulnerabilities are addressed. This applies to the likes of Adobe Flash, Microsoft products, and any software application.

Patches are issued frequently, so it can be almost overwhelming to keep on top of them all, but that is what is needed.

Perform regular training – and conduct refresher courses – and make sure regular security audits of the entire network infrastructure take place. It all takes time, effort, and involves a considerable cost. That said, the cost will be considerably lower than the cost of dealing with a Carbanak malware attack.

Measures to Increase System Security

Use these measures to increase system security

Measures to increase system security not only reduce the possibility of your system being hacked but, should a hacker gain access despite your best efforts, limit the amount of damage he or she can do.

In-depth measures to increase system security – like the measures we will be discussing in this article – prevent hackers who have penetrated your firewall from running amok throughout your network and compromising device after device.

The border device is the first line of defense

The first of the measures to increase system security you should implement concerns your border device. This will either be a router or a firewall, and you can use access lists to block unwanted inbound traffic.

Depending on your network design, find out if your network should be getting routing updates from Interior Gateway Routing Protocols such as OSPF, RIP and EIGRP.

You should also conduct routing updates on MPLS and BGP protocols – being in mind that if you do not need these protocols you should disable them, as routing updates can consume a load of bandwidth.

Block all requests that might originate from a private network. These would naturally include 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, but don´t forget about:

Measures-to-Increase-System-Security-1

One of the best measures to increase system security is a DMZ. DMZs add an additional layer of security to a local area network (LAN) and can be used to create a “border within a border”. You can install a firewall between devices that exchange data with the outside world (web servers, mail servers etc.) and protect the rest of your network behind a DMZ to prevent attacks from hackers, malware, viruses and Trojans.

The advantage of firewalls is that most traffic to the rest of your network is blocked by default. They are relatively easy to install and, although inconvenient for administrators that like to ping to check connectivity, are great for security. On the other hand, servers, routers, and switches tend to require a significant amount of configuration to toughen up your defenses.

One thing you can do to reduce the amount of work required is take advantage of any automated measures to increase system security provided by the manufacturer. These can restrict access from private and public IP addresses, shut down interfaces that are not required and disable unneeded services.

Special consideration should be paid to authentication servers and IPS/IDS devices. Depending on your organization´s preferences for service availability and security, these can either be set to “fail-open” – in which case all traffic is permitted if the device fails – or “fail-close” where, if the device fails, all connectivity is broken.

A special word about router security

Although routers come with built-in IPS/IDS modules and firewall software, the access list (ACL) is one of the most powerful tools at your disposal to enhance your network security. ACLs allow you to configure individual interfaces according to your specific traffic and data needs. Here are just a few of the measures to increase system security you can take using ACLs:

Measures-to-Increase-System-Security-2

Switch and port security

Some switches and servers offer private VLANs that limit traffic between devices even more. Whenever possible they should be used to create different networks for management and data traffic. However, make sure your switch ports are configured with STP extensions to support BPDU guard. This allows authorized users to attach home routers and switches to the network.

Effective port security protects against eavesdropping and similar attacks. If your organization requires a high security environment, it is possible to configure a port to only accept MAC address connections. The issue with this level of security is that it restricts BYOD policies and makes hardware upgrades and office moves significantly more complicated.

In-depth measures provide higher security levels

The above measures to increase system security go deep into the heart of your system to deliver defense in depth. It is important to go beyond border security to ensure the integrity of your network and many of these measures can be changed as necessary as technology and organizational requirements evolve.

How to Deal with a Website Phishing Attack

Attacked by phishers? This is what you need to know

The last thing most website administrators want to hear is that they have to deal with a website phishing attack. No website is immune from phishing attacks and sometimes, no matter what measures you put in place to prevent such a scenario, your website can be compromised – with the subsequent loss of reputation and probable decline in search engine positioning.

The knee-jerk reaction of some administrators is to deal with a website phishing attack by immediately removing the compromising files and resetting passwords. However, by taking a little extra time to gather all the information about the uploaded content, administrators can ensure they find all the website´s vulnerabilities and completely clear the website of any further phishing content that may be dormant in their system.

This guide on how to deal with a website phishing attack discusses how to gather the information you need to clear your site of phishing content, what to do with the compromised files once you have found them and how best to prevent the risk of further phishing attacks in the future. We recommend that, if necessary, you engage professional help to accelerate the cleaning process in order that your website can be restored as quickly as possible, removed from any website blacklist and recover its position in the search engines.

Before you do anything else, back up your system.

Location, Location, Location

The first step of how to deal with a website phishing attack is finding the location of the phishing content. Often you will have been provided with a report about specific files by your hosting provider, but sometimes the information provided for you is limited. Security experts we have spoken to recommend Sucuri Sitecheck (https://sitecheck.sucuri.net/) to identify the location of the phishing content.

It is important not to make any changes to directories or delete files until you have completed a full investigation of your system. This is because making changes and deleting files as you go reduces the chances of you finding the source of the attack. Without finding the source, you may not discover where you vulnerabilities are and you will leave your system open to further phishing attacks in the future.

During your investigation, it is important to keep notes as you go along. Record the full path to any phishing sites you find in addition to any malicious files, code injections, and scripts with unsafe code. Also keep track of their timestamps and any related log entries. We will explain more about this below. At the end of your investigation you will be able to refer to your notes in order to determine the best course of action to take to remove the malicious items and help prevent repeat attacks in the future.

An example of how to deal with a website phishing attack

For our example of how to deal with a website phishing attack, we are going to assume that we have received a report of a WordPress phishing link (http://www.example.com/Apple/securelogin.html) running on a cPanel Linux/Unix Apache web server. Links such as these are commonly used by hackers for phishing attacks; however, there are many different variations as the complexity of phishing evolves.

Most security professionals asked to deal with a website phishing attack will be able to complete the following procedures within 15-20 minutes on a standard sized web site. If you are attempting these procedures without professional help, or you have a larger-than-average website to clean, allow some extra time to complete your investigations and address the issues that you find.

Start by reviewing the timestamps of the affected files

To review the timestamps of the affected files, you should use the “stat” command on the infected file you already know about.

how-to-deal-with-a-website-phishing-attack-1

As you are looking for anomalies, one of the first things you will notice is that the “Modify” and “Change” dates are two days apart. This is because the “Modify” date refers to the content of the file, while the “Change” date refers to the metadata. The “Modify” date is usually the most significant, but take a note of both in case you need to use the “Change” date later in your investigation.

Now compare your timestamps with your logs

Now that you have the time when the content of the file was changed, you can compare it to your logs. The Apache access log is the most common place you will find the information you are looking for (alternatively you may find an upload recorded in the FTP logs or the cPanel logs).

As you are going to see the POST commands, it is best to filter the Apache access log for POST, date, and hour, like so:

how-to-deal-with-a-website-phishing-attack-2

It is important to keep in mind that the timestamps will not match up exactly with the log records. The Apache access log records the time the file was accessed at the start of the transaction, while the file system timestamps records when the last transaction was written to the file.

Using the ARIN database and GeoIP to establish phishing content

The likely outcome of filtering the logs in POST, date, and hour order is that several hundred entries like the one below will appear:

how-to-deal-with-a-website-phishing-attack-3

There are several indicators of unauthorized activity in this entry. There should not be a PHP file in this directory. There is no referrer link provided for the HTTP/1.0 protocol and, although the request is identified as Googlebot, once the IP address is checked against the ARIN database (http://whois.arin.net/) or the GeoIP Tool (http://www.geoiptool.com/) you will find that it does not belong to Google.

Common hacker tactics can throw you off the trail

Now that you have identified a trail to follow, it should be easy to find the source of the phishing attack – or so you might think. Consequently, when you try to examine the “xXx.php” file through the stat facility, you may get an answer like this:

how-to-deal-with-a-website-phishing-attack-4

This indicates that the file has been moved or deleted by the attacker to throw you off the trail. If the file still exists in your system, it should become apparent later on.

If this happens to you, go back to the Apache access log to review the “Change” time you noted earlier. This should give you a link to a different file which has a different IP and user agent. For example:

how-to-deal-with-a-website-phishing-attack-5

This file does not appear to be scripted like the previous entry.  However, the attacker(s) is POSTing to a file in the theme which is unusual. If you review the contents of the file to see if what was being attempted during the phishing attack, you will get an obfuscated PHP code like the one that appears in the image below:

how-to-deal-with-a-website-phishing-attack-6

This PHP code does not necessarily mean that the content is malicious, and you should be able to use UnPHP.net to decode it. Even when the service does not decode it completely, you should be able to extract enough information to establish whether the code is malicious or unsafe.

There are valid reasons for doing this and it could really be part of the theme.  You can use UnPHP.net to decode it.  While that service doesn’t always completely decode it, usually it will give you enough information to determine whether it is malicious or unsafe.

As we know the file was used by the attacker (because the stat facility was unable to locate the original PHP file), add whatever you discover to your list and keep following the trail using the timestamps and log entries.

Don´t stop until there is nowhere else to look

You should always follow this same process on the “js.php” file. You are likely to find that the process leads to other files to trace, points to a vulnerability in your application or theme, or you could find more files that point back on themselves. You should also filter the logs a little differently to view all the POST’s from any unauthorized IPs that are identified:

how-to-deal-with-a-website-phishing-attack-7

By using the above command, you are likely to find something similar to the following:

how-to-deal-with-a-website-phishing-attack-8

These results indicate either that a password has been compromised or that there is a vulnerability in WordPress. You could review the logs further to find out which it is or, to save time, apply updates if they are available and reset all administrator passwords.

Continue your investigation with recently modified files and directories

Once you have exhausted the list of known malicious files you have discovered, you need to be a little bit creative to find any remaining items. For this part of the investigation you need to start in the document root directory. Examine the directory structure and the most recently modified files using the following command:

 # ls -lrt

You should find directories with the name of a third-party company or directories that do not follow your directory-naming conventions. You should extend your investigation to look for any files with timestamps out of sync with surrounding files. As previously, you will need to examine the content and relevant log entries for any suspicious items you find.

To establish the existence of any phishing content, it is recommended to examine each directory 2 to 3 levels deep from the document root directory. Within each directory examine the directory structure and any contents of the files that appear out of place. If they appear to be malicious, compare them to the Apache access logs and note everything you find.

Finally, you should go back to the root directory and run some targeted searches. Start by searching for any files that have a “Modified” date within the last seven days – assuming you have chosen to deal with a website phishing attack immediately of being informed by your hosting provider. If you have already found malicious content aged older than a week, you may have to go back further in time; but you can narrow the list down using the grep command and filter out files you are already aware of.

how-to-deal-with-a-website-phishing-attack-9

It is sometimes useful to investigate files with recent “Change” dates. Most commonly the results will not differ too much from the “mtime” enquiry, but there could be some key findings.

how-to-deal-with-a-website-phishing-attack-10

Another enquiry you should conduct is for Symlinks. Symlinks are often used in an attempt to break out of a user’s account. Most websites do not use Symlinks at all and they are almost always safe to remove. You can enquire about the presence of Symlinks by using the following command:

how-to-deal-with-a-website-phishing-attack-11

The final enquiry you should make is:

how-to-deal-with-a-website-phishing-attack-12

This is a command often used to detect code obfuscation, common with malicious code. This will naturally unearth many items that are valid elements of your site, and you will need to crosscheck each file with the coding and log file access to ensure they are not only valid elements, but safe and protected code.

Remove the malicious files and reset compromised passwords

Once you have completed the investigation, you can start removing the phishing content. Delete any malicious files that have been uploaded and clean any code injected files. Malicious code injections can be cleared using a file editor, and usually you will find the added code on the first or last line of a file.

If you have identified any patterns with the malicious requests in the logs, you can block future unauthorized access with .htaccess rules. For example, if all of the requests were from the same subnet or location you could block them temporarily until you have fully secured your site.

You can now update any applications on your site and repair any insecure scripts you found during the investigation. When updating your software be sure to check for things like Timthumb and TinyMCE as they are frequently overlooked.  If you’re running a CMS like WordPress then updating the following is usually enough to repair any issues you find:

  • the WordPress core,
  • all plugins,
  • and themes.

If you have a custom-built website, it is likely you will have found an unsecure upload form during the investigation. You will need to add validation to the script to prevent the form´s misuse in the future. The simplest method of achieving this is to password-protect the form so only you can use it.

De-Listing from a blacklist

Now your website is clean, safe and phishing-content free. However, potential visitors to your website are still seeing a safety warning due to your site being blacklisted. Fortunately, getting de-listed from blacklists is straightforward.

Potential visitors to your website will most likely be warned away by Google’s Safe Browsing. You can use https://www.google.com/safebrowsing/report_error/ to request a de-listing. Google will crawl your website again and check for any issues. If none are found, you should be removed from the blacklist shortly.

Minimizing your website´s vulnerability

The most common mistakes causing phishing attacks and security issues are the same across the board – unapplied updates, weak passwords, test accounts, and unsecure custom scripts. We mentioned at the top of this article that, despite the measures you put in place, you might again have to deal with a phishing attack. However, the less vulnerable your website it, the less likely it is to be attacked – phishers will simply consider your website too difficult to manipulate and move somewhere else.

Neglected development sites also need to be made secure. If hackers gain access to your development site via a vulnerability, they will also have access to your regular site. If you use a development site – or have used one in the past – do not neglect its security.  Ideally all development sites and test accounts should be removed once their purpose has been fulfilled.

In order to minimize your website´s vulnerability and reduce the risk of having to deal with a website phishing attack, take advantage of these helpful hints:

how-to-deal-with-a-website-phishing-attack-13

Benefits of Honeypots – There’s More to Honeypots Than Wasting Hackers’ Time

There are many benefits of honeypots, and all organizations should take the time to set them up. Honeypots are designed to catch a hacker’s eye so that their efforts will be drawn to attacking your honeypot rather than a system where they could cause some serious harm.

There are many benefits of honeypots!

A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why should I do that you may ask? Well, there are many benefits.

You may wonder why you should spend your time, effort, and money setting up a system that will attract hackers? Why you should deliberately create a system with weakened defenses that will be exploited? Why even attract interest from malicious third parties?

There are three very good reasons why you should. First. You will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.

Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types and robustness of the defenses you need to install to protect your real systems and data from attack.

Thirdly, an attack on a honeypot is likely to frustrate a hacker and stop them from hacking your real computer systems.

Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of a system’s defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.

There are many different types that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services, and even different operating systems. In short, an entire system can be set up to be attacked.

There are many options, but we have listed two popular honeypots below: Honeyd and Kippo.

The Honeyd honeypot

This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.

Honeyd benefits

  • Simulate multiple virtual hosts simultaneously
  • Identify cyberattacks and assign hackers a passive-fingerprint
  • Simulate numerous TCP/IP stacks
  • Simulate network topologies
  • Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses

The lowdown on Honeyd

We invited a guest sys admin (Arona Ndiaye) to provide input on the Honeyd honeypot to get the perspective of a Linux administrator. She mainly uses Linux and *nix systems, and has tried out Honeyd to get an idea of how it works, what it can do, and  its functionality. She installed it on Kali Linux, which was a simple process requiring a single line to be added to his sources.list file, running apt-get update & apt-get install honeyd.

A few tweaks were needed to ensure the firewall had the correct permissions set, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the honeyd website. Most people find the easiest way to get started is to play with the system and to try to attack it, which is what she did.

She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, including how it was possible to for hackers to fool NMAP. The overall verdict was “seriously impressive.”

The Kippo honeypot

We also put Kippo to the test; another popular honeypot. Kippo is used to create a dummy SSH server, which allows attackers to conduct brute force attacks. The honeypot can be set with a root password that is particularly easy to guess, such as a simple string of numbers: 123456 for example.

Set up the honeypot with an entire file system, or even better, clone a real system for added believability. The aim is to convince the hacker that he or she is attacking a real system. Once the attacker has successfully managed to login to the system, everything they subsequently do will be recorded. All actions will be logged, so it is possible to see exactly what happens when a system is attacked.

What is particularly good about Kippo is how detailed the fake system can be. You can really waste a lot of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. You can then use a virtual machine to analyze the attack in detail when you have the time.

Set up combo-honeypots to create a highly elaborate network

Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add, is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.

Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!

Summary: Main Benefits of Honeypots

  1. Observe hackers in action and learn about their behavior
  2. Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
  3. Create profiles of hackers that are trying to gain access to your systems
  4. Improve your security posture
  5. Waste hackers’ time and resources

Have you taken advantage of the benefits of honeypots? What have you been able to learn about attackers?

You Need to Learn How to Think Like a Hacker to Secure Your Network

If you watch Scorpion on CBS, you will be familiar with Walter. Walter knowns how to think like a hacker. He is one.

In fact, Walter was an malicious as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence while a child, but now he works for the government and his hacking prowess is being used for good. There is nothing evil or wrong about the ability to hack, it is only how those skills are used that determines whether you are right or wrong.

You should learn how to think like a hacker!

Walter is good at his new job because he is a hacker. He therefore knows exactly how to think like a hacker. While penetration testers and reformed black hat hackers make good white hat hackers, it is possible for a hacking mindset to be developed by anyone. A sysadmin can learn how to think like a hacker!

If you want to determine how secure your network really is, you need to learn how to think like a hacker. You need to take a look at your network as if you were an outsider. Look at it as a whole. Look at the attack surface. Gain an external perspective and see it how a would-be attacker would see it.

A hacker intending on attacking your organization would start with a little research. That person would check the public face of your network, pick up information here and there, get a good picture of your network as a whole, and then use that information when attacking your company.

Take a look at your network with a fresh pair of eyes

If you wanted a new job and had secured an interview, before you attended you would conduct a little research on the company. You would need to find out some basic information. You would likely be asked about the company in the interview.

You would need to take a look at the company website, you would run a few searches through Google, you would take a look at the company’s Twitter and Facebook accounts. You would gather web-based information.

If you really wanted the job you would also gather some information from people as well. You would email anyone you knew who worked at the company and you would ask them about what it is like to work there. You would ask others their opinion of the company.

This is how a hacker would start investigating your company. With that in mind, it would therefore be important to:

  • Perform a whois search
  • Check to find out what is being said about your company on social media sites
  • What employees of the company are saying and sharing online?
  • What data does your company voluntarily give away? Do you advertise any aspect of your network structure? How many state-of-the-art servers you have for instance? What software you use? It is much easier to find an exploit if you know what software a company uses!
  • Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
  • Use Google hacking tools and see what documents, PDFs, and spreadsheets are available publicly. You may be surprised at what has been indexed!
  • Check out the social media profiles of your company employees – Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information they need to guess that individual’s password? Over-sharers are often the targets of phishing campaigns. So much can be learned about them online!

Hackers love phishing – it’s so easy to be handed access to data!

If you can find an easy way to hack a company would you choose that? Of course you would! You wouldn’t want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn’t start with “hj&*HUI23YEW(.” “ You would try “QWERTY,” or “password”, or “bigguy”, or “123456” first.

Hackers will similarly start with the easiest route first, and that means trying to take advantage of some people’s naivety when it comes to IT security. Phishing is one of the easiest ways to gain access to login credentials. It is also one of the easiest security vulnerabilities to address. How would your employees deal with a phishing attack?

That is something best not left to chance!

  • Send out a regular newsletter to explain common social engineering and phishing techniques that are used by hackers
  • Show employees how to identify a phishing email
  • Conduct regular phishing email tests. Research shows that the more practice staff members have at identifying phishing emails, the better they become at spotting a scam. When a real phishing email is received, they are more likely to identify it correctly before any damage is done.
  • If new IT security policies are introduced, make sure they are explained to employees in person. This will help to make sure that they are read, understood, and their importance is made clear.

What happens when an attack does occur and a system is compromised?

You will no doubt spend an extraordinary amount of time putting defenses in place to repel an attack, but what happens if an attack is successful? Have you put defenses in place that will limit the damage caused or will an attacker manage to go from one device to another once the security perimeter is breached?

Switch and router manufacturers often have scripts that can be used for lockdowns. It is possible to disable unneeded interfaces and services, and restrict public and private addresses. Have you done this? A hacker would check this!

Learn how to think like a hacker and you will be able to make your network more secure

There is a very good reason why organizations spend big bucks on white hat hackers and get them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker you will be helping your organization enormously.

Start thinking like a hacker and view every node and end user as a potential entry point into your network, and it will make it easier for you to design network defenses and keep your equipment and data well secured.

Beebone Botnet Shut Down by Europol

The infamous and particularly dangerous Beebone botnet has finally been taken out of action following a joint initiative between Europol and the FBI. The Beebone botnet was believed to be controlling well over 100,000 computers late last year, and while many of the botnet infections have since been cleaned, around 12,000 computers are still believed to be infected with the malware.

Beebone botnet used to infect computers with malware

The botnet may have been relatively small, only involving around 12K computers, but it was particularly nasty. It was used to download other malware onto the computers, including password stealers, rootkits, fake security software and a host of other malicious programs. Any computer fallen victim to Beebone is therefore likely to be infected with a wide range of other malware.

The Beebone botnet proved difficult to locate

The Joint Cybercrime Action Taskforce of Europol struggled to locate the servers used for the Beebone botnet. Part of the reason was the software being used was particularly effective at avoiding detection. The polymorphic software was able to reconfigure itself frequently making it incredibly difficult to track down. Traditional signature detection methods of botnet identification were ineffective since the software was able to change its signature up to 19 times per day.

Beebone was also able to determine when it was under attack. When it detected it was being isolated or studied, it triggered a change in its unique identifier. The Beebone botnet was one of the most sophisticated ever seen.

Operation Beebone sinkholes almost 100 domains

The key to shutting down the botnet was to interfere with its ability to communicate with its command and control servers. Hacker’s instructions were thus prevented from reaching the software. In order to shut it down, the Joint Cybercrime Action Taskforce and the FBI enlisted the help of Intel Security, Shadowserver, and Kaspersky Lab and the joint operation was finally successful.

Once the malware had been isolated, the Joint Cybercrime Action Taskforce was able to identify and sinkhole around 100 domains used to communicate with the malware.

Unfortunately, while the botnet is believed to have been effectively shut down, this is only a temporary fix. Domains have been sinkholed but this is only a short-term solution. Any computer that has been infected must now be cleaned. That means some 12,000 or so computers must have the infection removed and that process is not straightforward.

The malware removal process can now start in earnest

Removing the malware is easy. Many tools have been developed to do this. In order for an infection to be cleaned, the owner of the infected computer will need to use one of those tools. For that to happen, the owner must be aware that their computer has been infected and most do not. That means Internet Service Providers will need to notify individuals known to be infected. That process may take some time but it can now start.

It is essential that all users clean the infection. It is possible that the malware installed on their computers could be reactivated if not removed.

Best Patch Management Practices

All operating systems have security issues

Best patch management practices enable you keep on top of the security issues that are constantly being discovered. It seems as soon as one patch is released to deal with xyz security issue, another issue is discovered and another patch released.

For IT professionals, this never-ending release of patches can be a nightmare to manage, but it is essential that best patch management practices are adopted to prevent hackers exploiting operating system vulnerabilities.

All operating systems have security issues, and no operating system is less prone to them than another. Below we provide an overview of some of the most recently discovered security issues affecting the major operating systems.

Windows network security issues

In the last forty years, Windows has done much to mitigate the risk of certain vulnerabilities, but the Wintel 8086 architecture has several inherent issues that are not easily resolved. For example, one process should not be able to read the memory of another. Consequently Windows is susceptible to buffer overflow attacks in which a hacker adds their own instructions to the end of a field.

In this example, a hacker could look in the computer´s memory for .DLLs to load and run. Some older .DLLs do not have the security requirement that programs are signed before they can be executed and, if there is no root certificate for the signature, an error is thrown.

In some scenarios, a hacker does not need to exploit a buffer overflow to load and run a .DLL – the computer user does it for them. This most commonly occurs when a browser loads an ActiveX control like the Adobe Shockwave platform using the OBJECT and CLASSID HTML tags.

This code, for example, would be how you would instruct Adobe Shockwave play a video on a specific URL:

best-patch-management-practices-1

Brian Krebs, a former Washington Post IT blogger and now writing for Krebs on Security, believes that best patch management practices are not enough to cope with the security issues on Adobe Shockwave and, in 2014, he published an article Why You Should Ditch Adobe Shockwave.

Krebs claims that 80 percent of webmasters have already quit using Adobe Shockwave because of security issues. He references a security expert that says because of security issues with Adobe Shockwave, “an attacker may be able to execute arbitrary code with the privileges of the user.”

However, before you decide to abandon best patch management practices for Adobe Shockwave, we recommend that you read the comments at the end of the article to understand some of the other issues that can arise from ditching the platform.

Macs have security issues too

Contrary to popular belief, Mac operating systems are not without security issues of their own – maybe not as many as Windows operating systems, but it is still advisable to adopt best patch management practices if you want to blockade your computer(s) from would-be hackers.

Google’s security researchers recently found this issue with the Bluetooth drive on Yosemite:

best-patch-management-practices-2

You can´t get away from security issues if you use a Linux OS

Just because Linux is an open source operating system, it does not mean it is free of security issues. One massive vulnerability was discovered in February 2015 which, had a hacker discovered it before a security researcher, could have been used multiple times over to devastating effect as it affected the root directory of Samba – a tool which allows the sharing of drives between Linux and Windows.

best-patch-management-practices-3

Best patch management practices

To avoid hackers exploiting vulnerabilities in your computer´s operating system, it is crucial that you adopt best patch management practices. Stay on top of patching, patch all applications and operating systems. If you are responsible for the security of a workplace network, layered network security, continuous security audits, and employee education about security threats are also essential.

SMEs with a small IT unit may be able to assign one employee to keep up-to-date with security issues by following security bloggers such as Brian Krebs and subscribing to security bulletins. If you software supplier is a cloud vendor, some of the best patch management practices will already be taken care of. However, it can save a lot of grief further down the line if you do not rely too heavily on your software vendor and keep abreast of best patch management practices.

SpamTitan Technologies: An Irish Cybersecurity Company to Watch in 2015

Ireland is famous for many things, but cybersecurity technology would not come top of many peoples list of famous Irish exports. However, that is fast changing thanks to an Irish cybersecurity firm called SpamTitan Technologies.

Irish CyberSecurity Company Ranks in Cybersecurity Ventures’ Top 125

SpamTitan Technologies is the top Irish cybersecurity firm according to the recent “Cybersecurity 500” list produced by Californian Security Research organization, Cybersecurity Ventures, having been ranked in position 123 out of the top 500 firms.

Cybersecurity Ventures compiled the list of the world’s top internet, email, and network security firms to help companies of all sizes pick the most appropriate IT security partners. The CV top 500 list is aimed at IT security professionals, CISOs, CIOs and VCs, and helps them to find the best products and best partners to assist them keep their confidential data secured and their networks protected from attack.

No company pays to be included in the list, and the companies are not selected on size or revenue. Instead they are chosen based the quality of the products and services offered. The list is compiled by obtaining recommendations from security experts on efficiency, effectiveness, speed, ease of implementation, and usability of the products.

Galway-based SpamTitan Technologies is an up and coming Irish cybersecurity firm that specializes in developing powerful solutions that allow small to medium sized enterprises to tackle the growing problem of hacking, data theft, and sabotage. Online criminals are targeting corporations of all sizes and many small to medium sized businesses are struggling to repel attacks. There are many possible attack vectors and the threat landscape is constantly changing, but some of the biggest threats to data and network security are targeting employees. Workers are widely regarded as the weakest link in the security chain.

SpamTitan Technologies provides powerful, cost-effective, and easy to implement email and Internet security solutions that help businesses increase protections against malicious outsiders. The company’s products help businesses reduce the risk of data breaches and network infiltration by keeping employees’ devices protected and reducing the opportunities given to cybercriminals to launch an attack.

Over the past couple of years there has been a decline in the volume of spam emails being sent. Just a few years ago over 70% of the total number of emails sent were actually spam. Botnets have recently been taken down and one of the world’s most active spammers has been arrested. This year spam email accounted for just under 50% of total email volume.

This is certainly good news. Less time is spent dealing with annoying emails. However, the risk of harm to equipment and finances does not appear to be reducing at the same rate. In fact, the risk of suffering losses due to the activities of cybercriminals is increasing. Spam email volume may be decreasing, but the quality and sophistication of spam email attacks has increased. Spam email still represents a major threat to businesses.

SpamTitan Technologies is tackling the issue. The company’s Anti-Spam solutions use two powerful anti-virus engines to scan incoming and outgoing email, with independent tests showing a catch rate of 99.7%, while the false positive rate is virtually zero. Less spam is delivered to employees’ inboxes, reducing the risk of malware and viruses being delivered.

The Irish cybersecurity firm also offers protection from the growing online phishing threat. Spam email volume is falling, but the number of malicious websites being created is increasing. Online criminals are switching their mode of attack and are targeting Internet and social media users. SpamTitan Technologies’ WebTitan web filtering solution offers protection from phishing websites and sites containing malicious code. Phishing attempts are blocked, users are prevented from visiting malicious websites, and their computers are kept free from malware. So are the networks those computers connect to.

There may not be many Irish cybersecurity firms in the list – just three in fact – but SpamTitan has been rated the hottest prospect and is the Irish cybersecurity company to watch in 2015. NetFort was also named in the list, with the Network Security monitoring company just creeping into the top 500 list at position 498. PixAlert, the IT governance and compliance firm, placed inside the top 350 global firms at position 332.

Millions Stolen in World’s Biggest Cyberattack

The world’s biggest cyberattack to date has been pulled off by the Carbanak hacking team. It resulted in $1 billion being obtained from more than 100 financial institutions around the world. Who says crime doesn’t pay!

This robbery is on an altogether different scale. The scam has been in operation for over two years according to a recent report by Kaspersky Labs, one of the providers of anti-virus protection present in SpamTitan and WebTitan security products.

The gang is a truly International network of hackers and online criminals, with members understood to be located in Ukraine, Russia, China and many European countries. The gang profits by making fraudulent transfers from corporate bank accounts. The money is transferred to the criminals’ accounts, withdrawn, and is never seen again.

The attacks are still being conducted and the gang has hit organizations all over the world. Their targets are numerous. Companies in the United States, United Kingdom, Germany, China, Hong Kong, Switzerland, Morocco, Ireland, Australia, Ukraine, Russia, India, Pakistan, Norway, Spain, France, Poland, Czech Republic, Bulgaria, Brazil, Canada, and Iceland have all been targeted and had their bank accounts plundered.

The criminal activities were uncovered recently and a global effort is underway to bring Carbanak down. INTERPOL, Europol, and other law enforcement agencies are joining forces with providers of anti-virus and IT security products to identify those responsible, break the crime ring, and bring the individuals to justice. The problem? The methods used to obtain the money had not been seen before, and the exact way the gang obtained funds remained a mystery until very recently. This was the most sophisticated attack method ever seen according to Kaspersky Labs. The bad news is it is still in operation. Knowing how it works does not make catching the criminals much easier.

How are they managing to get so much money, virtually undetected?

The scam starts with a single employee in an organization responding to a spear phishing email. The individual is targeted by gaining information about him or her. That information is then used to craft an email that is likely to elicit the desired response: The downloading of Carbanak malware onto the user’s computer.

The malware is then used to launch an attack that allows access to the internal network of the company to be gained. From there the criminals locate system administrators with access to the company’s surveillance systems. The CCTV systems used by the financial institution are then accessed and the video feeds and files viewed. The criminals look at what happens on the screens of the members of staff who service cash transfer systems. The necessary data is recorded and the actions of the staff copied. Money is moved out of company accounts the exact same way the staff would do it.

The scheme is bold, ingenious, and incredibly scary. By operating in this fashion it does not matter whether each bank has a different software system. It makes no difference. The criminals don’t even use hacks. All that is required is network access. Their activities can be easily hidden behind legitimate actions made by staff.

A virtually perfect crime that is meticulously planned

The criminals were able to operate and leave next to no clues as to how they obtained funds. The scheme shows that no system is perfectly safe and impervious to attack. However, the scam started with a spear phishing campaign and protections can be put in place to prevent phishing emails from being delivered.

In this case, the initial targets were meticulously researched. The spear phishing emails then designed to get malware installed. However, if phishing emails are blocked and phishing websites cannot be accessed, then it is possible to prevent access from being gained.

If users can be prevented from opening infected attachments, visiting malware-infected websites or installing malicious plugins, users can be prevented from infecting corporate networks.

Emails can be blocked with a powerful anti-Spam solution, malicious websites blocked with web filtering software, and employees can be trained about how to be more security conscious. This applies to personal use of the Internet at home as well as the office. It is personal online activity that allows cyber criminals to gain so much information about their targets and devise effective phishing campaigns. It is not an option to just provide IT security staff with training. This must be extended to all individuals within an organization to protect against attack.

There is no one single solution that can be employed to offer total protection. A layered approach is required with numerous different security solutions employed.

We recommend including some of the following components:

  • Robust firewalls
  • Anti-Virus protection for firewalls
  • Separate Email Gateway Anti-Virus software
  • Desktop and Server AV Protection (a different engine to those used on the firewalls)
  • Anti-Spam solutions (SpamTitan includes Clam and Kaspersky AV protection)
  • Web Filtering Technology (WebTitan also includes dual AV engines)
  • Securing of Wi-Fi networks (no open networks)
  • Regular Anti-Virus and Anti-Malware scans
  • Full system security audits to check for vulnerabilities
  • Good password management
  • Regular staff training sessions on IT security
  • Network activity monitoring
  • Social media network controls

Guide to LDAP for System Administrators

Our guide to LDAP is intended to save you time, make you more productive, and remove some of the frustrations that LDAP tends to create.

A Guide to LDAP for System Administrators

This guide to LDAP primarily serves as an introduction. If you are just starting out, this guide to LDAP should be just what you are looking for. Well, we hope it is. However, you may still find our guide to LDAP useful even if you think you know all there is to know about LDAP!

LDAP – Lightweight Directory Access Protocol

LDAP is a protocol for accessing information directories. It is used in e-mail programs and web browsers to allow lookup queries to be run. LDAP is also used by Active Directory, and if you run a large website, it can be useful to use LDAP for authentication. LDAP is also used for management systems. The main advantage of LDAP is it is quick and has been developed for high speed reads.

Forget about SQL for access. LDAP doesn’t use it. Instead ldapmodify and ldapsearch commands are used. LDAP also uses different search criteria, something referred to as Polish notation.

For example, you could perform a lookup:

(& (cn=Holmes)(st=122b Baker Street)

That search would be used to find all individuals with a common name (cn) of Holmes, who are living in (st) 122b Baker Street.

Common name is used for the main attribute of the search and will locate the record. LDAP also uses Uid.

You must include the operator & (AND) which will connect the two criteria. A “|” (pipe) is OR in Polish notation.

However, it is much simpler to perform searches if you don’t use Polish notation.

guide-to-LDAP-1

In the above example, the search criteria used would be cn=Holmes, and the attributes to return are detailed in the last three fields (cn uid st)

What does an LDAP record look like?

The DN should be familiar to you as it is the same as that used in an SSL certificate. Using our example, the LDAP record would look like this:

guide-to-LDAP-2

Pay attention to the objectclass attribute. This is just like a table schema. Each objectclass is used for a different additional attribute, which could be any number of fields such as telephone number, assigned mysteries, etc. etc.

If you want to check the LDAP schema, you can query cn=schema

DN (Domain Name)

The DN or domain name is the first line in an LDAP record. It will tell you the exact address in the Directory Tree (DIT).  This will tell you which organizational unit (ou) the record belongs to.

dn: cn=detectives, dc=Britain, dc=com

objectclass: OrganizationalUnit

cn=detectives

Groups

The records can belong to groups, in this case the group is “detectives.”

guide-to-LDAP-3

The uniqueMember group attribute is used to keep track of members of the group. The DN is listed for each of the unique members of the group in the above example.

You will find that some LDAP servers will list groups in two ways. For example, Novell eDirectory will list the members of the group on the group record, and the individual groups that each user is a member of on the user record. The attribute “MemberOf” is used in this regard.

LDIF format

LDAP servers have LDAP records stored in native format. LDIF (LDAP interchange format) is used to add and delete records. To delete a record, we would use the following (Note the second line of the record is the operation.)

guide-to-LDAP-4

And to add a record…

guide-to-LDAP-5

LDAP replication

You are likely to find that your main problem with the operation of LDAP, and providing LDAP support, is ensuring that replication continues to work. You are likely to discover quite quickly that replication of one LDAP server will result in a substantial cache backlog.

If you are conducting a round robin operation, and your configuration has the web server looking at a number of different LDAP servers, an error condition may be caused.

A situation could arise where someone signs up for a website and is prevented from logging on. This is because it could take time for a user to be added on a record on one LDAP server and for that entry to be replicated on a second LDAP server.

Ldapsearch commands are used to monitor replication. For example, if you use Oracle, you would conduct a search using cn=replica

LDAP cache management

It is important to use as large a cache as possible if you have a high capacity, high volume LDAP server. That said, make sure you know the available memory on the machine. If you have sufficient memory, it should be possible to cache the full LDAP database. By doing this you will be able to reduce seek time for search operations.

LDAP account maintenance

As a system administrator you are likely to have to spend a considerable amount of your time resetting user passwords. This is one of the main ways you can determine if it is a user error that is preventing an individual from being able to login, or whether the problem is something more serious.

If possible, set up your website so the user can reset their own password. If not, use the Sun LDAP or Active Directory graphical interface to reset passwords.

Since you have much better uses of your time than resetting user passwords, if you find that a big chunk of your day is spent resetting passwords, try this…

Save an LDIF file and use ldapmodify against it to change the uid of the user. This will save you quite a bit of time, plus it is easier than using the graphical interface!

Password.ldif:

guide-to-LDAP-6

Recipient verification and sender authentication are essential if you want to maintain secure email flow.

A large proportion of spam email – and malware contained in those emails – can be blocked once you have identified trusted senders.

SpamTitan can be configured to ‘synchronize’ with your LDAP server, and by doing so, will create accounts for domain users automatically.

Bear in mind that ArcTitan can be used to archive LDAP records. We hope that you never have a need for disaster recovery, but if you do, recovery is easy as your LDIF records will be kept in the same permanent storage.

New US Cybersecurity Legislation to Be Proposed

President Barack Obama is set to propose new US cybersecurity legislation this week in an effort to tackle the growing problem of cybercrime. Recent high profile hacks on government organizations have caused considerable embarrassment and there is growing concern that the US government is losing the war on cybercrime and that it can do little to prevent attacks from foreign-government backed hacking groups.

New US cybersecurity legislation will increase the government’s power to prosecute cybercriminals

New US cybersecurity legislation is seen as the answer to the government’s inability to prevent cyberattacks. Further intel is required, new powers needed to pursue criminals, and also to take action over criminal activity that takes place outside its borders.

Currently private companies are unwilling to share cyberthreat intel with the government, and improved collaboration and intel sharing with the private sector is seen as critical in the fight against cybercrime.

The proposed US cybersecurity legislation would make it much easier for the courts to take action to shut down criminal botnets and would discourage the sale of spyware. It will also expand the current Racketeering Influenced and Corrupt Organizations Act. This would give the government greater power to prosecute individuals engaged in cybercriminal activity, such as the selling or renting of botnets. It would also increase the government’s power to prosecute for the selling of government information outside US geographical boundaries.

The new US cybersecurity legislation is being pushed through in the wake of a particularly embarrassing hack of the U.S. Central Command’s Twitter account. Hackers managed to gain access to the Twitter account and post pro-ISIS content. Action was already being planned following a host of major cybersecurity incidents such as the attack on Sony, which has been attributed to a hacking team backed by North Korea. The Twitter hack was last straw for many, and will be used to help push through the new legislative package.

In the words of President Obama, the attacks “show how much more work we need to do, both public and private sector, to strengthen our cybersecurity.”

US cybersecurity legislation to offer private companies targeted liability protection

Private companies will be forced to share their cyberthreat intelligence with the government, although they will receive “targeted liability protection.” Even president Obama admitted to not knowing exactly what that meant.

The problem with sharing intelligence data is the threat of subsequent lawsuits. The liability protection is supposed to relieve any fears of legal action for the disclosure of information, although private companies may require more convincing.

Under the current proposals, private companies would be permitted to remove information about individuals before sharing data. Previous attempts to introduce new US cybersecurity legislation have failed due to the unwillingness of private companies to leave themselves wide open to litigation.

Part of the new legislative package is likely to include a new data breach notification law that would require all organizations to report hacking incidents to the government as well as requiring them to provide further information about cybersecurity breaches and data theft to consumers.

While few would argue that new US cybersecurity legislation is required, many privacy proponents are uncomfortable with the wording being used in the proposed legislative package, which they claim is intentionally vague.

Holiday Season Sees Employees Ignore Basic Web Security Practices

Holiday shopping season is almost upon us. Not only does Thanksgiving weekend signal the start of the Christmas shopping rush, the two busiest online shopping days of the year fall either side of Thanksgiving weekend – Black Friday and Cyber Monday. With bargains galore to be found online, basic web security practices often go out the window.

Unfortunately, this is a bad time to forget or ignore basic web security practices. Black Friday and Cyber Monday are busy days for cybercriminals. Christmas may be a time for giving, but Cyber Monday and Black Friday are days when cybercriminals are receiving. It is when their phishing campaigns really pay dividends.

Thanksgiving Weekend: The busiest 4 days of the year for online retailers

80% of annual online sales take place in just one month: From Thanksgiving Day to Christmas Day. In fact, Thanksgiving weekend – from Black Friday to Cyber Monday – is the busiest online shopping period of the year. It is when the majority of online sales are made and also the time when the most online purchasers are defrauded.

80% of all online sales will take place over the coming month, and 80% of those purchases will be made during office hours. Unsurprisingly, the run up to Christmas is a very busy time for system administrators and other IT security professionals. It is not a time to wind down and relax.

Cyber Monday is more than just a marketing invention. The Monday after Thanksgiving saw shoppers head online in the millions. It was already one of the busiest online shopping days of the year. Retailers then took advantage and started offering discounts on purchases to attract web visitors to their own online stores. Now, many retailers compete by offering huge discounts in an attempt to get visitors to purchase their products. It is now a day when there are amazing bargains to be had.

Basic web security practices are ignored on Cyber Monday

Offers are frequently only made available for a very short period of time. The aim being to get visitors to buy now! Some retailers may only offer a particular discount for an hour on Cyber Monday. They know that any visitor who doesn’t buy while on their site will be unlikely to return. They will just take advantage of another retailer’s offer. Because of the huge opportunity to save money, there is a buying frenzy on Cyber Monday and basic web security practices are temporarily forgotten.

Employees spend hours on websites on Cyber Monday instead of working, and many fall for online scams, visit phishing websites, download malware, and generally take more risks than they normally would. It is a bad day to be an IT professional.

How can online shopping be controlled and risk managed?

Robert Half Technology recently conducted a survey that indicated over a fifth of CIOs permit employees to spend some time shopping online while at work, but their Internet activities are monitored. A little personal online time is OK, but any employee found to be abusing the good nature of their employer faces disciplinary action.

In order to give employees this perk and also effectively manage security risk, these companies employ a web filtering solution. They are able to manage risk by restricting the websites that their employees are allowed to visit. Typically, they would be prevented from accessing websites that do not have a valid security certificate.

These employers are also able to prevent certain individuals from doing any shopping online. If online shopping exceeds acceptable limits, the privilege can easily be taken away. A web filtering solution can also be employed to prevent users from visiting malicious websites and from being displayed adverts containing malicious code.

This is essential. There is a considerable risk from cyberattacks and malware infections from personal use of online shopping sites and social media networks. Each year, 431 million individuals become victims of online scams, phishing attacks, and other cybercrimes. The cost of cybercrime is considerable. Over $114 billion is lost to online criminals every year. The decision not to address phishing, spam, malware, and cyberattack risks is one that is likely to be regretted.

Business Data Retention Laws: What You Need to Know

It is not only firms in the financial services, education, and healthcare industries that need to be aware of business data retention laws. All companies in the United States must comply with business data retention laws, even if a firm is not covered under HIPAA, Gramm Leach Bliley, Franks-Dobbs, or SOX. The same applied for companies with a European base. The EU also has business data retention laws.

It is a crime to violate business data retention laws

Did you know that the simple act of permanently deleting an email could get you in hot water? If you delete the contents of a backup tape, or reuse the wrong one, you may even be looking at a spell in jail. How long? Up to 20 years if you do it knowingly, with malicious intent. The deletion of data is a serious crime. If a business operating in the financial sector is audited, and cannot show auditors certain emails, the SEC (Security and Exchange Commission) is likely to issue a heavy fine.

The laws covering data are complex. Different regulations call for different data retention periods. Some states have implemented data retention laws with even stricter controls than federal regulations. Some companies providing services to organizations in different business sectors, may have to comply with different laws depending on the firm they are currently working with. As a precaution, many companies in the United States decide to keep data indefinitely. Getting something wrong is too easy, and the risk for doing so too high.

All data must be backed up and stored off site. The backups must be physically secured, and should be encrypted. They must also be tamper-proof. In the event of emergency, it must be possible to restore data in its entirety, and information may need to be retrieved if a lawsuit is filed or if an audit must take place.

Not sure which data retention laws apply? Listed below is a brief summary. Please bear in mind that data retention laws are updated from time to time. At the time of publishing, the information contained in this article is up to date.

HIPAA – The Health Insurance Portability and Accountability Act (1996)

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and covers healthcare providers, healthcare clearinghouses, health insurers and business associates of HIPAA-covered entities. The legislation was signed into law by Bill Clinton, and initially was intended to protect Americans and keep them covered with health insurance in the event of job loss.

Since its introduction, the legislation has been updated with stricter requirements concerning data privacy and security, and the safeguards that must be implemented to ensure that Protected Health Information (PHI) is secured at all times. Rules were introduced to protect the privacy of patients and dictate when, and to whom, data can be disclosed. HIPAA also stipulates the actions that must be taken if data is accidentally exposed. HIPAA requires medical data to be retained for a minimum of six years after the last data of treatment. However, some states require data to be kept for 7 years or longer. HIPAA is only a minimum standard. States are permitted to introduce even stricter business data retention laws.

SOX – Sarbanes-Oxley Act (2002)

The Sarbanes-Oxley Act of 2002 was introduced in the wake of the Enron scandal. Businesses must be able to verify the accuracy of their financial statements. It is all well and good for a company to report to investors and stakeholders that everything is financially in order, but they must be able to prove that is the case. In the case of Enron, the information provided was inaccurate. Deliberately inaccurate. SOX was introduced to protect investors from fraud.

Under SOX, all financial data must be retained for a minimum period of seven years, which extends to email, since email is often used to communicate account information. Email communications discussing business operations must also be retained for 7 years.

UK business data retention laws

In the UK, business data retention laws apply, although different time scales apply to different data types and formats. A UK business must keep records of accounts for 3 years, although businesses in the financial services must keep data for six years. Emails must be kept for a year, as must text messages. If you are an Internet Service Provider (ISP) you must keep logs of Internet connection data for a period of a year, and ISPs and web hosts must keep records of the websites their customers have visited for a period of four days.

European business data retention laws

In Germany, all business communication data must be retained for a period of six years, although data relating to accounts and payroll must be kept for a decade. Different laws apply throughout Europe and are beyond the scope of this post. If you want to find out more about the different business data retention laws in Europe, take a look at the guide produced by Iron Mountain on this link.

Convenient solutions for archiving old email data

Data backups should be performed on a daily basis, and those backup tapes stored securely off site for the period of time dictated by industry regulations. Email is best stored in an archive. Archives are searchable and convenient. If an email is accidentally deleted and needs to be recovered, an email archive will allow this. It is far easier restoring an email from an archive than restoring an entire email account from a backup tape.

ArcTitan is a convenient and cost-effective solution for archiving old emails. ArcTitan features a natural language browser that allows searches to be performed, and individual emails can be rapidly located and restored. If you want to ensure compliance with business data retention laws, and have the flexibility to be able to retrieve old email data for audits (and when users accidentally delete important emails), ArcTitan is the answer.

Cyberattacks on Universities Grow: Time to Boost Defenses

All computer users are at risk of downloading malware or computer viruses. The malicious software is sent out in bulk mail, and everyone will receive an infected email attachment or a link to a malicious website at some point. Often on a daily basis. However, individuals are not typically targeted by cybercriminals. Attacks on individuals are usually random. Business on the other hand are being targeted, and there have been an increasing number of cyberattacks on universities and other higher education institutions in recent months.

Successful cyberattacks on universities can allow criminals to steal highly valuable data. Those data can be sold on the black market to identity thieves and fraudsters for big money.

Cyberattacks on universities and educational institutions are a growing cause for concern

The reason for the cyberattacks on universities are: A) Universities store a lot of student data; B) They often store Social Security numbers which are very valuable to identity thieves; C) They use tools to facilitate collaboration, which makes attacks easier to pull off; and D) Students and professors tend to use a much wider range of software than a typical business – The more software systems are used; the higher the risk of vulnerabilities existing that can be exploited.

After a number of successful cyberattacks on universities, higher education institutions have been forced to improve defenses. They have had to re-evaluate the way they are configuring their networks and implement new policies covering Internet usage and data security.

One of the main problems is the range of software used by universities and the tools that must be offered to students to allow them to learn, collaborate, and conduct research. University networks are also highly complicated and particularly difficult to manage. It is therefore easy for security vulnerabilities to be missed.

This year, major attacks have been suffered by a number of universities in the United States, and there are still 4 months left of the year. More will undoubtedly be suffered before the year is out.

One of the biggest was suffered by the University of Maryland in February. Hackers were able to steal the data of 300,000 individuals, including their full names, dates of birth, and Social Security numbers: The three data elements that are required to commit identity theft with ease.

A data breach of a similar scale was suffered by North Dakota University. In this case, hackers gained access to a server in October, 2013, although it took four months for the data breach to be discovered. Approximately 290,000 records were obtained by a hacker in that cyberattack.

How are cyberattacks on universities conducted?

News that hackers are increasingly targeting universities is no surprise. Cyberattacks on universities have been occurring for years. In the majority of cases, those attacks are thwarted, but cybercriminals are getting sneaky and a lot better at sidestepping security defenses. Many attacks are now starting with spear phishing campaigns. Individuals are researched and cunning schemes developed to convince them to open malware-infected email attachments or visit malicious websites that steal their login credentials.

The cyberattack on North Dakota University is understood to have involved a spear phishing element. Interestingly, three IT professionals were placed on administrative leave last month. They were part of the team responsible for Internet security. According to an internal investigation, the employees “didn’t think server security was part of their job.” IT managers take note!

The cost of mitigating risk after cyberattacks on universities is considerable

The Ponemon Institute has calculated the cost of cyberattacks on universities, and estimates the cost of mitigation following a successful attack to be $111 per record. Why is the cost so high? Teams of forensic investigators have to analyze servers and entire networks to determine which data were accessed and who has been affected. The investigations are painstaking and take weeks to conduct.

Since Social Security numbers and other highly sensitive data are obtained in many of the attacks, credit monitoring services must be offered to the victims, along with identity theft resolution services. All individuals must be mailed a breach notification letter. The cost of mailing the letters alone can be considerable. Then there are class-action lawsuits filed by the breach victims. They often seek $1,000 per head in damages.

The Maricopa County Community College District data breach was estimated to have cost $17.1 million, and that doesn’t include the cost of class-action lawsuits. The University of Maryland data breach will similarly cost millions to resolve. Then there is the damage caused to a university’s reputation. It is difficult to determine what effect such a massive data breach will have in that regard.

Considering the cost of resolution, it is perhaps understandable that cyberattacks on universities are not always published. Some security experts have estimated that only half of successful attacks are actually reported.

When you consider the astronomical cost of data breach resolution, the cost of implementing cybersecurity defenses does not seem so high.

Tighten Password Security or You Will Be Hacked!

According to recent research, the number of stolen password and username combos for sale on the Internet is around 360 million. That number is likely to grow substantially, as hackers are targeting companies and are stealing login credentials. If you don’t tighten password security, hackers may be able to break through your security defenses. It could be your customers’ credentials for sale on the Internet if you make it too easy for hackers.

Usernames and passwords being openly sold online

Adobe was targeted by hackers, and in October they succeeded in obtaining approximately 153 million usernames and passwords. They were subsequently listed for sale online. Cupid Media was hacked, and the dating website had approximately 42 million passwords stolen in the attack. Then there was the Target data breach. 110 million passwords (and other other highly sensitive data) were stolen.

What do hackers do with stolen passwords?

What is happening with all of these passwords? Do criminals buy passwords just to gain access to credit card numbers used on these companies’ websites? In many cases that is the reason why criminals want passwords and usernames.

For around $2, it is possible to purchase usernames and passwords for accounts on Amazon or Walmart. Criminals can use the accounts to purchase high value goods. However, an address must be provided to deliver the goods, and that is best avoided when using stolen data.

What many online criminals use these login names and passwords for is to gain access to other personal information: Information that can be used for much more lucrative crimes, such as tax fraud, identity theft, medical & insurance fraud. If criminals can use personal passwords to gain access to employers’ computer systems, malware could be installed and huge quantities of data stolen. If access to corporate bank accounts can be gained, transfers can be made and millions obtained.

Amazon passwords are being bought, but Twitter login credentials carry a higher price. Criminals believe, often rightly so, that the information can be used to gain access to Facebook and LinkedIn accounts. They are much more valuable than Amazon or Walmart accounts. The platforms are a mine of information and data can be gained that will allow spear phishing campaigns to be developed. Not only against the individual whose account has been compromised, but also those of their entire network of friends and work colleagues.

Password sharing practiced by 50% of Internet users

A single password can be extremely valuable, as passwords are often shared across multiple platforms and Internet accounts. If a password can be used to gain access to a banking website, funds can be transferred to hackers’ accounts. However, hackers often try to obtain Social Security numbers. They can be used for identity theft, the proceeds of which can be far greater than the individual’s bank balance.

Stolen passwords are used to maintain a database of passwords called the Rainbow Tables. These tables are used to crack passwords. If one encrypted password can be cracked, hackers may be able to use it to crack other passwords used by the same business.

One password can also be tried on other online accounts, and all too often access to social media accounts and even online banking and work accounts can be gained. Recent surveys suggest that over half of all Internet users share passwords across multiple websites. If your Twitter account is hacked, and the same password has been used for your work email account, bank account, and Facebook account, your identity could be stolen, your employer hacked, and your bank account emptied.

Do you need to tighten password security?

Internet users also make it far too easy for passwords to simply be guessed. Did you know…

  • Fewer than 4% of Internet users incorporate special characters in their passwords
  • 60% create passwords using a limited number of alpha-numeric characters
  • Almost a third of people use passwords of 6 characters or less
  • Over half use easy to guess passwords (Many still use “password”)

These figures strongly suggest that many companies must tighten password security. They are allowing employees to use passwords that are very weak.

How to tighten password security

If you want to make passwords more secure, the best place to start is by preventing the use of unsecure passwords. What do hackers try first when attempting to guess passwords?

  1. Names: pets, children, street names
  2. Any personal information that can be found on a Facebook or Twitter accounts (favorite bands, model of car owned, favorite book or film)
  3. Nicknames
  4. Dates: Own birthdate, that of your partner or children, date you got married etc.
  5. Dictionary words
  6. Sequential letters on a keyboard – ‘qwerty’, ‘dfghjkl’, or ‘zxcvbnm’ for example

Tighten password security by enforcing password controls

Telling employees to create secure passwords will help, but there will always be some members of staff who ignore the rules. To ensure strong passwords are chosen, you will need to enforce rules. Prevent weak passwords from being created and make sure passwords have:

  • More than 6 characters
  • Contain at least one number
  • Contain at least one capital letter
  • Contain at least one lower case letter
  • Contain at least one special character

Contractor Security Risk Management Advice

If you want to keep your network as secure as possible, don’t let anyone connect to it. That is not particularly practical advice of course. Employees must be allowed access, and when devices are allowed to connect to a network, risk is introduced. There will always be some level of risk involved unless a network is entirely closed, but what about allowing contractors, partners and suppliers to connect? Collaboration is important. If you manage access, there can be great rewards to be gained. However, get contractor security risk management wrong and it could spell disaster.

Contractor security risk management: A choice between access and security

Many companies face a choice. They can opt for productivity and practicality, and accept a reasonably high security risk, or they can make changes to address risk at the expense of productivity. Take U.S. bank Wachovia for example. The bank was one of the largest in the United States, yet during the great recession it took a merger with Wells Fargo to keep it afloat.

How did two banks operating two separate email systems manage to collaborate securely? Wells Fargo used Microsoft Outlook for email, while Wachovia had chosen Lotus Notes. It was possible to send an email between the two, but end users could not send encrypted emails. The solution was to move Wachovia over to Outlook, but this was not a quick and simple a process.

The banks decided changing to one system would cause too many problems and instead they opted to just send unencrypted email. This involved some risk, but it was deemed to be preferable to the nightmare of migrating an entire company over to the new system. They ran Lotus Notes and Outlook together, insecurely, for a number of years. Productivity was deemed to be more important than security in this instance. The decision came down to a simple case of risk over reward, or cost versus benefit.

When it comes to contractor security risk management, you may adopt a similar approach. If the risk is higher than the rewards, then address the risk. If the rewards are higher and the risk fairly low, go with the rewards. To make that decision, you need to have figures. Rewards are relatively easy to calculate in terms of increased profits. Risk may be a little harder to translate into a figure.

Assign a value to risk when developing contractor security risk management strategies

Rewards may be increases in profit, products shipped, reduction in time to market, reduction in wasted hours, or even a fall in support calls. Productivity is defined as output per employee, multiplied by the number of employees. A monetary value is therefore relatively easy to assign.

When developing your contractor security risk management strategies, you must be able to do the same with risk. You will need to determine your output and your input, and for that you will need to follow the COBIT 5 governance framework.

Under COBIT 5, you must maintain a risk profile. Each type of data kept by your company must be assigned a score. The score is determined by the impact loss, theft, or corruption of that data would have on the business. It must be possible to quantify risk in order for decisions to be made as part of the contractor security risk management process.

Once you have identified the risks, and assigned each risk a value, you can then put those inputs into your contractor security risk management calculations.

Reducing risk when collaborating with contractors and suppliers

You may require contractors to have access to a system as this will save time and money. A good example is a project with multiple subcontractors; a construction project for example. If each subcontractor can enter their own data, this is often preferable, as it reduces the possibility of errors being introduced. Some software is designed with collaboration in mind; Lotus Notes or Oracle Primavera for example – the latter being specifically developed for use with large construction projects. However, before access to any system is allowed, risks must be managed. That can be achieved by:

Providing training

Explain the security risks and how they can be reduced or mitigated. Issue best practice guidelines, such as physically securing devices, password management policies, phishing and hacking risk management, connection of USB drives, and Smartphone use etc.

Scanning all devices connecting to a network

It is no longer necessary to give contractors and suppliers access to shared network drives or your LAN in many cases. They could use desktop or mobile apps, and could connect to cloud services used by your company. If LAN access is required, then they must install the necessary security software that you use. Anti-virus, anti-malware, Anti-spam, and web filtering solutions will be required. Their devices must also be regularly scanned for infections.

Blocking social media access

Social media website use introduces risk. Corporate computers, which are connected to the LAN, should not be used to access social media websites. Personal devices can be used for that instead. Internet use on LAN-connected devices must be limited to reduce the risk of drive-by attacks and accidental downloading of malware. A web filter should be employed to manage the websites that can be visited.

Conducting security audits

You will no doubt already be conducting audit on billing, and also the quality of the services provided, but also make sure you conduct security audits. You need to make sure that your contractors are not exposing you to unnecessary risk and are following the best practice guidelines that you have issued.

How the Target Hack Would have been Worthless with Encrypted Credit Cards

Encrypted credit cards? Don´t they already exist?

Encrypted credit cards have been around for a long time now – or, at least, credit cards with a limited amount of encryption. The magnetic strip on the back of each credit card is encrypted, and so is some of the data in the more recent chip-and-PIN cards, but basically the security offered by most encrypted credit cards is, well, basic.

When you go shopping in a store like, let´s say Target, the retailer provides an electronic terminal for you to scan “encrypted” credit cards. The terminal sends your card´s identifying data to the credit card company´s servers to verify that you have the funds to pay for your purchases.

Although the electronic transfer of information is encrypted in transit and at rest, there is a weak point in the process during which the data is decrypted into clear text so that it can be read by the payment processing software. In Target´s case it was the point of sale (POS) electronic terminal where the weak point was located.

The Target hack was on a massive scale

Hackers used the weak spot in Target´s POS electronic terminals to steal the details of 110 million credit and debit cards. Not just the credit card numbers were taken, but their PIN numbers and the card holder´s address, email and phone number – suggesting that Target´s customer database was also hacked (because encrypted credit cards do not have your email address on the magnetic strip).

Initially the retail giant tried to cover-up the hack, but as shoppers started reporting unauthorized purchases on their credit accounts, Target had to come clean and admit to the data breach. As a result, the lawsuits are flying in, Congress called the company negligent and attorney generals in every state in the country are looking into the matter.

The damage to Target – both financially and in terms of lost reputation – will be billions of dollars

Yet the hack could have been worthless

Had the retail industry adopted properly secure encrypted credit cards, the hack of Target´s database would have been worthless. Properly secure encrypted credit cards work not by storing the credit card number and PIN on the magnetic strip, but by storing a random encrypted number and a public key.

When a purchase is made at a store like, let´s say Target, the retailer does not need the credit card number or PIN, just an authorization code so that the card can be charged. So, when the credit card is used, the random encrypted number and card holder´s public key is transmitted to the credit card issuer. The credit card issuer sends back an authorization code that just the credit card would be able to read.

This “PKI encryption” at the point of sale would mean that any hacked credit card details would be worthless to the hacker. It would cost billions of dollars to introduce a system for properly secure encrypted credit cards to be used in the retail industry, and there seems to be no consensus between banks, retailers, and credit card issuers on what standards should be used.

Google already making strides towards genuinely secure payments

Google has already addressed the problem of genuinely secure payments with the introduction of its Digital Wallet. The Digital Wallet works by isolating credit and debit card data and processing it outside of the Android operating system in a chip they called the Secure Element (SE).

Google´s plan of keeping credit card data out of the reach of malware running in the operating system has really taken off. Many companies are in a battle to come out on top in the lucrative market for credit card fees. Because of a lack of consensus, few manufacturers are adding the SE chip to mobile devices or the near-field communications chips needed to radio encrypted data from encrypted credit cards to the POS terminals.

Because of the lack of consensus between banks, retailers and credit card issuers, and a lack of knowledge about which way encrypted credit cards are headed – if at all – many more retail companies are likely to experience a similar attack to that witnessed by Target.

Discover How to Block CryptoLocker Ransomware

Ever since the announcement of the discovery of a new and particularly dangerous virus called CryptoLocker, consumers and IT professionals have been searching for information about how to block CryptoLocker Ransomware.

Once installed, ransomware encrypts data and prevents it from being accessed or unlocked without the correct security key being input. Unfortunately, it is not possible for the encryption to be cracked.

CryptoLocker Ransomware has been designed to make it almost impossible for businesses to continue trading unless they pay criminals considerable sums of money to release their data. System files are targeted and locked with two separate types of encryption. The victim is then instructed to pay a ransom or their files will be deleted. Payment must be made using Moneypak or Bitcoin, so the funds are untraceable.

The criminals behind the malware are not concerned about whose system is infected. They just want as many people as possible to pay their ransoms. The first infections required a ransom of $100 to be paid to unlock computers. That price has now risen to $300 with the latest version of the malware. However, there is no telling what ransom will be demanded. Anyone infected is at the mercy of the criminals behind the malware attack.

Payment must be made quickly and the threats of file deletion are very real. If payment is not made within 72 hours of the virus being installed, files are deleted forever.

CryptoLocker Ransomware has been shared and downloaded via social media networks, although many victims have received the virus via infected email attachments. The email is sent indiscriminately from an unknown sender and contains ZIP or EXE files infected with the virus.

How to Block CryptoLocker Ransomware

It is possible to prevent a computer or server from being infected by simply deleting a spam email containing the virus. However, it is not easy to tell whether a .exe or .zip file is genuine, or if it contains the virus. The simple solution is to avoid downloading or opening these file attachments. Individuals should be wary about these attachments anyway as they are often used to install viruses or malware.

IT professionals need to be particularly careful. The more employees an organization has, the greater the risk of individuals downloading or opening the malicious attachments. It is strongly advisable to send out a virus warning via email to all business email accounts warning of the new virus. Regardless, some staff members will not read the emails or will ignore the advice provided and install CryptoLocker.

The best way to block CryptoLocker Ransomware is to use an Anti-Spam solution such as SpamTitan. SpamTitan Technologies Anti-Spam software can detect CryptoLocker Ransomware and prevent the malware from being installed by quarantining the email. This will ensure end users’ computers and personal devices are protected. If a business has its network or computers taken out of action, the cost of decrypting is unlikely to be $300. The criminals can name their price.

Have you backed up your data?

If your computer or network has been infected it does not mean that you will lose everything. You can restore your data from a backup, but that would require a current backup to have been made. It is therefore vital to conduct data backups regularly to protect against ransomware. They should be scheduled to ensure they are never missed.

You should also test your backups to make sure that data can actually be restored. Restoring data from backups can be labor and time intensive. Systems can be taken out of action and business lost as a result. The cost of implementing solutions to prevent CryptoLocker and other malware infections is likely to be far lower than the cost of removing viruses and malware from a network.

Employee Libel on Social Media: Employers May Be Found Liable

Sexual harassment in the workplace and unfair dismissal were two of the main reasons for legal action being taken against employers; however, now employee libel on social media websites can be added to that list. It is now far easier for libelous comments to not only be made public, but to be shared with hundreds, thousands, or even millions of people. All at the click of a mouse. In recent months, a number of cases have been filed in the courts for employee libel on social media.

Employee libel on social media sites is commonplace

It is very easy for individuals to post comments about individuals and companies. Those comments can result in legal action being taken against an employer. Defamation of character, slander, and libel are common. Lord McAlpine is taking legal action for defamation of character after he was accused of being a pedophile on social media sites such as Twitter.

A tweet can be sent that is then retweeted by a number of different account holders. Tens become hundreds, and hundreds become hundreds of thousands, as the comment or tweet goes viral. If an employee tweets a personal opinion using a work account, an employer may be found liable for damages.

Even if a company is not found liable for damages, the negative press that is received by a high profile court case has serious potential to damage a company’s reputation. That could result in loss of business, and customers may leave for competitors in their droves.

Confidential corporate information being posted online

Most employees have social media accounts, and while not all will post sensitive information or disparaging comments, some will. A recent survey conducted on social media use revealed that one in five people have a secret or personal information revealed by others on social media websites. 73% of employers thought their employees shared too much information on social media platforms. Data from Facebook indicates that 3.5 billion snippets of information are posted on the site every week of every year. Many of those comments could prove harmful to an employer.

Not worried about employee libel on social media? You should be!

There is a common misconception that if an employer has not instructed an employee to post something on social media sites, they will not be liable for damages. That is not necessarily the case. Some court cases may clear the employer of liability, but others have seen employers liable for the actions of their employees. Material posted on social media websites is now admissible in court.

The problem is growing. Many employees have been fired for comments posted on Facebook and Twitter, with their actions considered to be gross misconduct. Comments posted by employees about their employer, or activities that take place at work, have resulted in a number of job losses. Virgin Atlantic recently fired 13 cabin crew members for posting disparaging remarks about the company on social media websites.

Companies are now forced to keep a close check on what is being said about them by their employees on social media sites. Lawsuits have been filed against individuals for posting sensitive data or libelous comments on Facebook and other social media platforms, and companies have been taken to court for the actions of their employees. If libelous comments are posted using an employer’s account, or on an employer’s equipment, a lawsuit may be filed and the employer found liable.

Legal action may be taken for vicarious liability even if it is clear that a comment has been posted that was not sanctioned by an employer. If an employer fails to monitor employee use of social media accounts, fails to take action to remove libelous comments, or has not issued social media usage policies to the staff, the courts may decide damages need to be paid.

How to avoid being liable for employee libel on social media

Issue employees with guidelines on social media site usage even if social media access is not permitted from the workplace. Employees must be told about what is acceptable and unacceptable. If employees are not informed of the rules, how can they be expected to follow them? What is obvious to an employer may not be obvious to employees.

For instance, employees should be instructed not to post personal opinions using company accounts. These may appear as if they have come from the company itself. Any comments that are sexist, racist, discriminatory, or could be considered defamatory, must not be posted on social media. It may be necessary to provide definitions. Not everyone will be aware of what counts as a discriminatory or defamatory comment.

After issuing social media policies to employees, make sure a signature is obtained to confirm those policies have been received and read. Should an employee break the rules, an employer must be able to show that the employee was informed of a company’s social media policies.

Dorkbot Malware Spotted on Facebook Chat

Facebook invests heavily in security protections for its users and advertisers; however hackers have been using a new variant of Dorkbot malware and have been using Facebook chat to infect users’ devices.

Dorkbot malware is a W32 worm that spies on internet users and records passwords and other sensitive information. This type of malware is also capable of blocking websites and preventing security updates, and has been linked to some DDoS attacks. Dorkbot malware is often delivered via messages linked to social media networks.

The worm is often installed as it looks innocent. Many users are fooled by the name the hackers have given the attachment: Facebook-profile-pic-<randomnumber>-JPEG.exe. Users see the Facebook-profile-pic name, and the JPEG, but miss the .exe on the end.

Dorkbot malware is also spread by infecting USB drives. Often this happens by creating a RECYCLER folder and registering it as the recycle bin on the removable drive. The worm creates an autorun.inf file to ensure it is automatically copied onto any device the USB connects to. However, it is also spread via instant messaging services using the Internet Relay Chat Protocol (IRC), and has recently been identified on Facebook chat. The Facebook Dork Malware variant was discovered to have exploited a security vulnerability in the MediaFire file-sharing website. Recently it was identified on Skype, but until now it had not been seen on Facebook chat.

Dorkbot malware can be controlled remotely by a hacker and configured to send messages to all Facebook contacts in an infected user’s account. A link is often sent that, if clicked, will run and install the malware on the device used to access the message. A hacker can control how fast Dorkbot malware spreads. It may not necessarily be used to instantly send messages to friend lists. Since many Facebook users share friends, if they were bombarded with numerous messages in a short space of time their suspicions would likely be roused.

Unfortunately, users trust Facebook. Sure they are aware that the social media network uses their data and shares that information with third party advertisers, but the company is generally trusted to be malware and virus free. Unfortunately, that is far from being the case. Facebook and other social media networks are full of malicious links and posts. Hackers and cybercriminals take advantage of trust in the website which allows them to infect huge volumes of users with malware.

Users may have passwords stolen, but there is an even bigger risk for businesses. Corporate secrets and login credentials could be stolen by Dorkbot malware and sent to hackers’ command and control centers.

Defenses must therefore be employed to reduce the risk of employees inadvertently infecting their work computers and networks. If a BYOD scheme is in operation the risk is even higher.

Since Dorkbot malware can be spread via USB drives, one Facebook user could end up infecting multiple computers, while the hacker could send Dorkbot malware to all of their work colleagues via Facebook chat.

Fail to implement robust, multi-layered security defenses and the consequences for your business could be severe!

Skype Account Vulnerabilities Reported

Skype offers businesses a way to cut telecommunication costs, while simultaneously improving communication between employees and making it easier for customers to get in touch. However, many companies have failed to deal with Skype account vulnerabilities and are leaving their networks exposed to attack. Hackers are exploiting Skype account vulnerabilities to install malware and gain access to corporate networks.

Have you checked for Skype account vulnerabilities recently?

Barely a day passes without a new software vulnerability being discovered. Even some of the most widely used software contains numerous security flaws that can be exploited by hackers, and VOIP services are no exception. Even Skype has been found to contain security flaws that can be exploited by cybercriminals. Recent news reports have highlighted the risk faced by many corporate users of the Voice Over IP service.

The latest Skype security risk to be discovered takes advantage of lax security controls in the account recovery process. The security flaw can potential allow hackers to gain access to user accounts. Skype is extremely popular, and over 700 million accounts have been opened around the world. Unsurprisingly, the popularity of the VOIP service has made it an attractive target. If a security flaw can be found, the potential for exploiting users is considerable.

Skype was created in Estonia in 2003. It did not take long for the VOIP service to become the most popular software chat and VOIP call platform. It offers a free way to communicate with friends and family, no matter where they are located in the world. Calls can be made free of charge to other Skype users, and even the paid service allows telephone calls to be made incredibly cheaply. It is not hard to see why Skype has become so popular.

The Skype account recovery feature can be exploited

Skype can be used to communicate over the internet without risking malware infections or exposing sensitive information, but Skype account vulnerabilities do exist. The software is robust and contains a number of security features designed to protect users and keep their accounts secure. Unfortunately, not all features of the software are robust. Recently the VOIP software has received a considerable amount of criticism after it was discovered that hackers could exploit Skype account vulnerabilities to gain control of user accounts.

One software security researcher, with the account @TibitXimer, claimed that his account had been compromised not once, but on six separate occasions. He has issued a warning to all users of the software saying that the same Skype account vulnerabilities could be used by hackers to gain control of any of the 700 million user accounts.

The account does not actually need to be hacked. All a criminal needs do is get in touch with the Skype support team. With only a limited amount of account information, a criminal could be provided with access to an account. TibitXimer claimed that all a hacker needs to provide is a first name and a last name, 3-5 contacts, and an email address. Information that is not particularly difficult to obtain.

This is just one of a few Skype account vulnerabilities to be discovered in recent months. Until recently it was possible to sign up for an account with an email address that had already been used to create a Skype Account. Once the account was set up, it was possible to gain access to the first account that was created, by using the company’s password reset option.

Additional security controls should be adopted

There are a number of additional security controls that could be adopted to make the VOIP platform more secure. Many websites, especially online banking sites, require security questions to be set and answered correctly before passwords are reset. Two factor authentication could also be used. This would ensure that an account could only be accessed by a criminal if the mobile phone of a user had been stolen, and their Skype account name and email address determined.

One way a Skype user can reduce the risk of their account being hijacked is to set up an email account specifically for use with Skype. If an email address is shared across numerous websites, there is a greater probability of criminals attempting to compromise the account.

What is the Risk of Digital Life Hacking? Are You in Danger?

Many people are concerned about identity theft and believe that the risk of digital life hacking is considerable. Others think that having their digital life hacked, stolen, and taken over by someone else is something that only happens in the movies or to an unfortunate few. How real is the risk of being targeted by cybercriminals?

What is the risk of digital life hacking for the average person?

If you have ever bought anything online, operate a Facebook or Twitter account, have used online forms or have an online bank account, you are actually at risk of having your digital life hacked and stolen. Disclosing any information online will place you at a higher risk of having your personal information stolen than if you kept all of that information to yourself. What many people fail to realize is there is a considerable risk of online theft if precautions are not taken.

Take mobile phone applications or social media accounts as an example. When you download the former, you must agree to give the app access to a considerable amount of your data. Check what features the app wants to access before you next want to install one. You will find that it can access your location, your personal data, interact with other apps, and may even require you to agree to let it access your microphone. The T&Cs will also tell you that the information recorded will be shared with third parties in many cases.

You may trust the app, but who are those third parties? And can you trust them? How secure are their security protections? The fact is that it is not only one app that will have your data. A number of different company’s may be provided with it as well.

When you enter information on Social media, you are giving that data away. Facebook makes a tidy profit out of selling personal information to advertisers. This is how the company runs the website without charging people to have an account.

Facebook may have excellent security, but not all online services, websites and mobile apps do. They also share information with businesses for promotional or advertising purposes, and there is no way to tell how good those companies’ security is, because you will not even know who those companies are.

Any information released in the Internet or entered into an online form or social media post could potentially be given to someone else.

Are you handing your digital life to a hacker?

Digital life hacking does occur, and with alarming frequency. Online criminals are earning an estimated $100 billion a year according to FBI figures. Crime is rife online, and the victims are numerous.

Every time you enter personal information online you could be compromising that data. Compromise enough and your identity can be stolen. You may not display your year of birth on Facebook, but it is not hard to guess if you have listed your graduation year. You may be surprised at how much information can actually be gained just from accessing your Facebook page.

It doesn’t take a hacker to commit identity theft in many cases. Just about anyone could do it if they are sufficiently motivated. Information can be gathered from social media accounts, a spear phishing email devised and sent with a link to a malicious website. Click that link and malware can be installed on your computer, and all of your data can then be obtained. The risk of digital life hacking can therefore be considerable, and many people make it far too easy for online criminals.

How to reduce the risk of digital life hacking

Don’t Panic – If your information is “out there,” it cannot be retrieved. But you can take steps to reduce the level of data exposure. Try searching for yourself online, see how your social media profiles look to others who are not in your friend circle. Type in your name and phone number into Google and see if you can be found. Use your address, home town, job title or the company you work for. That will give you an idea of how much information exists online. Once you know, you can then take steps to remove that information.

Do not link accounts – You may want everyone to be able to find you online, but that means criminals can too. It is not a good idea from a digital security standpoint to link all of your social media accounts together. You could be making it far too easy for someone to steal your identity or target you with a phishing campaign.

Two-factor authentication is your friend – Two-factor authentication uses two methods of verifying your identity. A username/password combo and your mobile phone number or email address. Many authentication systems use three systems of user identification, including a knowledge factor, a possession factor, and an inherence factor: Something that you know, have in your possession, and something that you are. The latter being a retinal scan or fingerprint. Always make sure you use online services that have at least two-factor authentication.

Back up your data – Not everyone is out to steal your identity. Some may just want to sabotage your life. If your accounts are deleted or corrupted, make sure you have a copy of your data so all is not lost. Back up all of your digital data securely, and preferably encrypt that backup. You wouldn’t want that file to be stolen.

Facebook Graph Search Privacy Issues Cause Concern

Facebook Graph Search privacy issues have been caused concern, especially for business owners. They are worried that their confidential information will be used by the social network and shown in the search results. As a result, many companies and individuals are now clearing out their post history of any information they do not want to be viewed by just anyone. They are running out of time because Facebook Graph Search has started rolling out today.

What are the Facebook Graph Search privacy issues?

One problem with the new search feature comes not from the information than an individual has posted, but what their friends, family, and work colleagues have uploaded to the site. Pictures can be uploaded, individuals tagged, and people mentioned in posts and articles uploaded by others. Any information about a company that has been posted could potentially be listed by the new search feature.

For individuals this may be seen as an invasion of privacy, but the problem for businesses is potentially far more severe. If an employee posts confidential information about a company, this information could be included in the Facebook Graph Search results and listed in search engines

Facebook contains a lot of personal information. Any photo, post or snippet of information uploaded to the website is no longer private. It can be used by Facebook subject to the privacy settings stipulated by the user. One of the problems Facebook has is how to use all of that data, how to sort it and allow it to be searched.

Facebook Graph Search is one of the ways the site is getting around this problem. It is also a response to complaints that it is very difficult to actually find any information on the site. Huge amounts of data exist, but searching is still a problem for users.

When a search query is entered, the new search function will trawl through the various strands of information on the site and returns results that relate to that search query. Facebook will also include some Bing results. No one knows how good the search function will be, but many have Facebook Graph Search privacy concerns. The data that will be displayed in the results is anyone’s guess at the moment.

Facebook’s attitude to users’ privacy is causing concern

Anyone who uploads a post, image, or photo to Facebook is potentially sharing that information with a lot of people. Facebook can use all of the uploaded information, and does. Profiles are created on users, allowing highly targeted adverts to be shown. Advertisers pay considerable sums of money to get their advertising campaigns placed in front of very specific subsets of individuals. Many people are now concerned about what else Facebook is doing with the data it has collected. Privacy policies are so long and complicated they are rarely read, and even less commonly understood. They also keep changing.

For example, users may have selected the most private settings for their pages and posts, but they cannot opt out of the graph search function. Mark Zuckerberg has already said that over time, all data uploaded to the website will be part of the new search tool.

When the new feature was first announced it caused few waves. Now that the search function is active, many people are worried. Businesses especially so. Research has shown that 73% of employees share a little too much company information on the social media network. Confidential information could therefore easily show up in the searches and be exposed.

Do you think Facebook is only concerned with building a huge library of data about every user?

Do you have Facebook Graph Search Privacy concerns?

Bring Your Own Device Best Practices

The popularity of BYOD is growing. Employers realize there are great benefits to be gained from allowing end users to use their personal devices in the workplace. The thought of BYOD may send shivers down the spines of IT security professionals but, as long as Bring Your Own Device best practices are implemented and followed by BYOD participants, network security may not be placed at risk.

BYOD advantages and disadvantages

Employees now own a variety of devices, many of which are of a higher standard than the equipment supplied by their employers. They have laptop computers, home computers, tablets and Smartphones, and are used to the way their devices work. Coming to the office and experiencing a technological downgrade can be frustrating. It is therefore no surprise that most employees would prefer to bring their own equipment to work with them, rather than use employer supplied devices.

Employees who are allowed to bring their own devices to work tend to be happier and more productive. They are used to the way their devices work, everything is easy to find, and they do not have to learn to use a different operating system. Their devices are usually powerful and fast, and tasks can be performed efficiently. Hardware is often upgraded regularly. Operating systems take an extraordinary amount of time for companies to roll out following a new release, yet many employees upgrade quickly.

Employers do not have to upgrade their computer equipment or buy hundreds of Smartphones for the staff that will be out of date in a couple of years. Employees cover the cost of purchasing their equipment and the benefits are gained by employers. Employers may get benefits from adopting a BYOD scheme, but there are associated risks. There is no such thing as a free lunch! But do the advantages of BYOD outweigh the risks?

Disadvantages of BYOD

There disadvantages of BYOD. Network security issues and the time that must be invested in order for IT departments to establish, monitor, and maintain BYOD schemes.

Not all personally owned devices will have the necessary security protections, and some may fall short of company requirements. IT departments will need to assess all devices and support a much wider range of equipment than they would normally need to. IT professionals do not have any say in the devices that employees buy, as they are bought for personal use, not for use at work.

Instead of 100 desktop computers to maintain, IT departments may need to accommodate 100 laptops, 100 Smartphones, and 100 tablets, in addition to all the desktops. All of those devices will need to connect to the network.

It is difficult to control what employees do and access on their devices outside of working hours. The risk that comes from those devices is therefore considerable. Malware and viruses could be accidentally downloaded and detecting malicious software is complicated. Worse still, Android phones are now being increasingly targeted by cybercriminals.

So what can be done to make the devices more secure and how can risk be managed? The answer is to implement policies to control the use of personal devices, restrict the devices that can be used to connect to the network, and to ensure Bring Your Own Device best practices are adopted (and that the Bring Your Own Device best practices are adhered to by staff members).

Bring Your Own Device Best Practices

Adopt these Bring Your Own Device best practices and you will find it much easier to keep your network secure and malware free. Fail to develop policies to cover BYOD, or fail to get staff to follow these Bring Your Own Device best practices and the disadvantages of BYOD are likely to outweigh the advantages.

  • Decide which devices you will support based on those that offer the necessary security controls
  • Check each Smartphone before authorizing its use to make sure it has not been jailbroken
  • Introduce policies to cover allowable uses of the devices
  • Devise policies for user groups, with different rules, regulations, and privileges for each, as appropriate
  • Develop policies to cover the use of Wi-Fi and ban or restrict use on open networks
  • Restrict the apps that can be downloaded, and from where (only from the Google Play Store, for example)
  • Segregate work data and personal data
  • Use software that permits remote wiping of data
  • Ensure controls are in place to allow devices to be locked remotely
  • Install a secure text message package if sensitive data needs to be communicated
  • Install an anti-spam and anti-malware solution
  • Ensure anti-virus software is used and set to update automatically
  • Train staff on data privacy and security best practices
  • Speak to employees to find out how they use their devices to identify security risks
  • Implement a software solution to monitor and manage BYOD – it will save time and money in the long run
  • Develop a support policy – dictate what support will be provided
  • Implement a policy to cover data when an employee leaves the company

Have you already adopted your own Bring Your Own Device best practices?

Are there any Bring Your Own Device best practices that your company has implemented that we have not listed? Do let us know!

Have You Done Enough to Stop IP Theft Attacks?

Cybercriminals want to steal data, but not only the data you hold on your customers. IP theft attacks are being conducted with increasing frequency. Unfortunately, many companies have no idea that their intellectual property is being stolen. 

Customer data must be protected at all times. Cybercriminals seek financial information such as credit card numbers, as well as personal information like Social Security numbers and insurance information. These data are extremely valuable. They can be used to commit identity theft and financial, medical, and tax fraud. Safeguards must be implemented to keep these data secure, but don’t forget your company’s most prized assets: Your intellectual property.

IP theft attacks are commonplace – In fact, your IP may have already been stolen and sold to your competitors!

It is a sad fact, but organizations’ prized information is being stolen under IT departments’ noses and many are not even aware that attackers have breached defenses and are stealing data. IP theft attacks are a very real problem, as revealed by the latest annual Data Breach Investigations Report (DBIR) from Verizon. The report highlights the extent of the problem. Who is stealing data, how they are getting in, and worryingly, how long it takes for cases of IP theft to be discovered.

Who needs to worry about IP theft attacks?

Intellectual property (IP) includes company secrets, copyrighted information, product designs, new product information, patent information, and trade secrets. IP also includes any data that your company stores that would benefit your organization’s competitors if they were to obtain it. Since all organizations store at least some IP, IP theft attacks should be a cause for concern for all.

Companies in the public administration and financial sectors are those most commonly suffering IP theft attacks. If competitors can obtain the data of rivals it can give them a wide range of strategic and competitive advantages. These industry verticals account for two thirds of reported IP theft data breaches according to the Verizon report. Verizon’s research also shows that IP theft attacks are not short-lived. They typically last for months or even years.

What are the main threat agents?

According to Verizon, threat agents can be split into three categories: external agents (hackers and other cybercriminals), internal agents (employees), and partners (Business associates and vendors). The majority of IP theft attacks are caused by external agents.

87% of IP theft attacks studied by researchers involved external agents. However, internal agents were involved in 46% of data breaches involving intellectual property theft. It does not take a genius to work out that external agents are therefore recruiting insiders to help them conduct IP theft attacks. (since you are probably wondering, partners were involved in 1% of attacks.)

Who is being recruited? While you may think that sys admins and IT professionals are the most likely individuals to be recruited due to the level of system privileges they are likely to have, they were actually the third most likely employees to be recruited. Account executives were in second place, but the most individuals were actually regular employees.

How are IP theft attacks taking place?

Even the most security-lax organization does not store its most valuable data in a location that is easy to attack. The type of information that is targeted usually resides deep within an organizations network. Successful IP theft attacks require a considerable amount of skill, and do not typically involve bored teenagers working out of their bedrooms.

IP theft attacks involve state-sponsored hacking groups, hacktivist groups, and organized criminal gangs. The main threat action is abuse of system access and privileges, which accounted for 45% of breaches. Next was the use of stolen login credentials at 34%, pretexting was third and involved in 32% of attacks, followed by good old fashioned bribery in fourth place, accounting for 28% of attacks along with embezzlement and skimming, also on 28%.

Timeline for IP theft attacks

Verizon analyzed the timeline for attacks, which revealed that cybercriminals act fast. They get in, steal data quickly, but they do not then get out. In fact, they stay there undetected and continue to steal IP for years. Alarmingly, most organizations do not know an attack has taken place until many months has passed.

The time between the initial attack and initial compromise is hours, not days. 77% of data breaches occur in seconds, minutes, or hours after the initial attack. When it comes to detection of IP theft attacks, in 31% of cases it is a matter of years later. 17% of attacks are discovered months down the line, 20% take weeks, and 19% take hours. No attacks were discovered less than an hour after the attack had taken place, which means that even in the case of quick discovery of an attack, 77% of organizations would have already had their IP stolen.

How can IP theft attacks be prevented?

Unfortunately, since attackers use a wide variety of means to obtain access to IP, there is not a single method that can be employed to prevent the theft of IP. Organizations must therefore employ a variety of measures to keep their networks and data protected. A common sense, evidence-based approach must be adopted. A full risk assessment must be conducted and all security vulnerabilities must be found and addressed.

When it comes to protecting your assets, a risk assessment is a good place to start. However, when it comes to the staff, it makes sense to start protecting your organization before any employee starts work. Conduct background checks on new members of staff before you give them any privileges, and then monitor all employees and conduct access audits. That means you will need a system that logs data access and someone must be given the task of checking access logs. You should also have an alarm system that flags any unauthorized data access attempts.

Secondly, make sure you conduct security awareness training. Phishing is commonly used by external agents to gain login credentials. Make sure all staff members know how to identify a malicious email attachment, phishing email, and a malicious website.

Phishing prevention strategies must be developed and implemented

Make sure employees know they need to report potential phishing attacks. They are often conducted on multiple members of staff at the same time. Speed is key to avoiding a successful phishing attack. If attempts are reported, action can be taken to prevent other employees from falling for the scam.

It is essential to prevent malware from being installed, so therefore important to run regular scans to identify it when it has been.

Conduct application testing and perform code reviews. Work with your application developers and help them to write more secure code.

IP theft attacks will occur, but the damage caused when they do can be limited. According to Verizon, “All too often, evidence of events leading to breaches was available to the victim but was neither noticed nor acted upon.” It is therefore essential to develop a security aware culture. Make sure staff members know to look for suspicious and anomalous activity and make sure they report it. Then investigate it immediately!

Beware of 2012 London Olympics Spam Email Cyberattacks

2012 London Olympics spam email campaigns are already being sent, even though we are still months away from the opening ceremony. The run up to a big sporting tournament sees many sports fans download malware to their devices, and many reveal sensitive information by taking part in competitions to win free tickets. When people are excited. they tend to take more risks; and people are very excited about the Olympics – especially those living in the British Isles.

2012 London Olympics spam email ticket scams are already being sent

How often do the Olympics come to a country close enough for it to be feasible to actually attend an event or two? For most people that is very rare occurrence. People living in Britain or Ireland will see the 2012 sports extravaganza as finally being within reach. Unfortunately, with the combined population of the UK and Ireland being around 68 million people, there are too many to fit into the London Olympic stadium and the other venues hosting this year’s Olympic events. Tickets are therefore difficult to obtain and are in short supply.

A ticketing system exists that allows people to enter their names for the events they want to see. However, it is something of a lottery as to whether a ticket can actually be purchased, and only a lucky few will get to see their preferred events.

Where there is high demand for tickets and a short supply, there is money to be made. Touts buy up tickets to sell at an inflated price. Online criminals have got in on the act and are taking advantage of the huge popularity of the sports events to launch Olympic ticket scams. Many of these scams are delivered by email.

Unwanted tickets are being offered online, touts are pushing their over-priced tickets, and cybercriminals are selling fake tickets to popular events. It is therefore a time to be ultra-cautious, and you should not buy tickets from unauthorized sellers. If that means you cannot get to see an event, that is unfortunately just the way it is. If you are offered a ticket via email by a stranger, it is almost certain that it is a scam.

That scam may not just be designed to get you to pay £1,000 for your fake ticket. In many cases, the purpose of the spam email is to get you to reveal your bank account details, credit card number, or install malware on your computer or portable device.

Phishing attacks are popular with cybercriminals, and unsurprisingly many 2012 London Olympics spam email campaigns have been devices to get sports fans to reveal their bank account details and credit card numbers.

Individuals are also being targeted with spear phishing emails. Instead of sending millions of emails offering tickets to the 100M final or opening ceremony, some scammers are researching their targets to maximize the probability of getting a response.

There is no point offering 3-day event tickets to your average soccer fan. They are unlikely to respond. However, if you know a soccer fan that is planning to travel to London from France, offering that person a ticket to see a France soccer game is likely to get a better response – especially if they are known to be in the UK at the time and have said on social media they are trying to get a ticket. Criminals research individuals on social media and create highly targeted phishing emails.

Employers must be particularly careful as Olympic fever will grip many workers. They may respond to a 2012 London Olympics spam email at work and inadvertently download a virus or nasty malware. Protecting the network is going to be harder over the coming months.

Now is therefore a good time to issue warnings to staff to be wary. Advise employees of the methods that can be used to identify spam email and you will minimize the probability of an employee responding. Such tactics are reasonably effective at preventing malware infections and accidental disclosures of confidential company information.

Unfortunately, all it takes is for one individual to respond to a 2012 London Olympics spam email for a network to be compromised, so other tactics should also be employed. We recommend installing an Anti-Spam solution to stop the 2012 London Olympics spam email campaigns from ever reaching end users.

As for Anti-phishing protections, a web filter is the ideal solution. This will prevent users from visiting Olympics-themed websites that have been infected with malware or contain malicious code.

Address Web Security Vulnerabilities or Suffer the Consequences

Do you have a limited IT security budget? Have you been able to implement all of the IT security controls you need to keep your network secure? It is unlikely that you have addressed all web security vulnerabilities effectively, as the majority of small to medium-sized businesses simply cannot afford to implement highly sophisticated controls to keep their networks properly protected from cyberattacks. Even large businesses with huge revenues and obscene annual profits are not able to prevent all cyberattacks from occurring.

You may want to implement data loss prevention software, social media website management systems, complex multi-layered network security systems, and a wide range of anti-malware and anti-virus solutions, but cybersecurity budgets can only be stretched so far!

The trick is to become an expert in assessing risk. Conduct a through risk assessment, identify all security vulnerabilities, determine which pose the largest risk, and spend your budget accordingly to minimize risk as best as you can. Fortunately, a number of cost-effective solutions can be implemented that will reduce risk to an acceptable level. These can easily be implemented by small to medium-sized businesses. Unfortunately, doing nothing and hoping for the best is not an option. Hackers are not only targeting large corporations. They know that budgetary constraints make small to medium-sized businesses particularly vulnerable to attack.

Calculate the cost of not addressing web security vulnerabilities

Small business owners may be loathed to spend money on security solutions to protect their systems from attack and keep their data secure. Many choose not to bother, only to suffer a cyberattack. It’s only then that they find out the cost of not addressing web security vulnerabilities. That cost can be considerable, and all too often catastrophic. Many companies fold within six months of suffering a cyberattack.

What is the cost of a cyberattack? According to a study conducted by Osterman Research, the cost of not addressing web security vulnerabilities is considerable. Its researchers determined that the failure to take precautions against hackers would likely cost the average company approximately $278,000 over a period of four years.

Compare this to the cost of implementing a web filtering solution to prevent end users from falling for a phishing campaign, or accidentally downloading malware, and the price seems very low indeed. WebTitan will protect a company with 500 users from as little as $4,250. Some companies provide similar solutions that cost $108,000!

Osterman researchers took a provider that charged $27,000 per year for the service as an example. That may seem like a lot of capital to commit to one cybersecurity defense, but it is only $54 per user per year. Compare that to the likely cost of suffering cyberattacks over a 12-month period ($85 per user, per year) and the cost saving would be $14,000 per year. With WebTitan the cost saving would be $103,750 over a four-year period. That is a saving of over $25,000 per year.

The cost of implementing cybersecurity defenses may seem high, but it is important to bear in mind the cost of not implementing a solution to deal with web security vulnerabilities and the impact those costs would have on the business.

Sloppy IT Security Practices: Slow Patching of Software

You may have installed highly sophisticated and expensive cybersecurity defenses, but have you forgotten any of the basic security measures, such as enforcing strong passwords, conducting regular malware scans, and installing software patches promptly? Many companies invest heavily in IT security, yet still have sloppy IT security practices. A recent report by M86 suggests that system administrators are forgetting some very basic security measures.

Eradicate sloppy IT security practices

Tightening up network security controls should start with the eradication of sloppy IT security practices. Hackers like a nice easy entry point into a corporate network and unpatched software gives them that.

The M86 report revealed that one of the most commonly used exploits targets an ActiveX vulnerability that existed in early versions of Internet Explorer. Microsoft released a patch to correct the vulnerability in 2006. That’s six years ago. Hackers are still using that vulnerability to gain access to computers and networks. Some companies have not upgraded to the latest version of the browser. Others have not done so since 2006.

This is just one of a myriad of security flaws that have been discovered in computer software. Barely a day goes by without a new security vulnerability being discovered in common software used by businesses around the world. As soon as a vulnerability is discovered, exploits are developed to take advantage. Any company that does not install patches as soon as they are released will be leaving themselves extremely vulnerable to attack. Many exploits have been used for several months, and some for several years because software updates have not been installed.

PDF spam has been linked to a vulnerability discovered by Symantec in March 2010, Sophos discovered 14-month vulnerability was still being extensively used by hackers, and numerous other security companies have discovered similar exploits used on outdated software.

Don’t forget to implement basic security measures

There is no excuse for not upgrading regularly used software, but remember to also update older software that is still occasionally used. You may miss a patch, but a hacker is unlikely to.

There are other basic security measures that are still not being implemented. Take email spam for example. Many companies have yet to install an email spam filter to prevent spam and phishing emails from being delivered to employees’ inboxes.

Web filtering solutions are still not being used to prevent end users from visiting malicious websites or viewing pornography and gambling sites at work. Password controls are still not being used to prevent weak passwords from being set by end users.

Expensive anti-virus, anti-malware, and anti-spyware solutions may be implemented, yet definitions are not updated daily and network scans are not being scheduled.

Regardless of how large your security budget is and how good your cybersecurity protections are, if you forget some of the basics your network will remain extremely vulnerable to attack!

Have you gone back to basics and corrected sloppy IT security practices? You may be surprised to find out how many have been allowed to persist!

24 Million Accounts Compromised in Zappos Data Breach

A network security incident was recently reported by online footwear and apparel retailer Zappos.com. The Zappos data breach was one of the largest ever reported to have been suffered by a United States-based retailer.

Zappos data breach affects 24 million customers

Full details of the Zappos data breach have not been made public, although it is understood that a hacker managed to gain access to one of the servers in Kentucky that was used by the online retail giant. Once access was gained, the hacker responsible for the attack was able to access part of the company’s internal computer network and systems, and managed to obtain data held on approximately 24 million of the company’s customers. The Zappos data breach did not only affect US-based customers. Customers from countries all around the world were affected.

No credit card details were obtained in the cyberattack, as those data were stored on a different server; but personal information of customers was exposed, including their names, addresses, contact telephone numbers and some billing information. The Zappos data breach highlights the problems even large companies can have keeping data secure.

Big Name Brands Suffer Big Data Breaches

The Zappos data breach was one of a number suffered by well-known companies in recent months. Cybercriminals have been attacking large corporations and accessing their huge databases in order to steal customer data and corporate secrets.

Sony was attacked this year and hackers were able to steal the account details of 20 million purchasers of its computer games. Some credit card numbers were stolen, as well as names, addresses, email addresses, and contact telephone numbers. Some of the stolen data have been listed for sale on darknet websites. The information is purchased by cybercriminals and used for phishing attacks and spam email campaigns.

Cybercriminals are able to sidestep even highly complex cybersecurity defenses by targeting employees with phishing campaigns. Spammers send out emails in the millions in the hope that a few individuals will respond and install malware. In the case of Epsilon, employees were targeted with spear phishing emails. These were highly targeted, and proved to be very effective.

Epsilon reported that approximately 50 of its clients were affected by the data breach. Epsilon holds email lists for its clients. Some of those lists contain a considerable amount of data. The exact number of email addresses obtained by the hackers has not been disclosed, but Epsilon is understood to hold billions of email addresses and has 2,500 corporate clients. This data theft could well be the biggest ever recorded.

Is it possible to prevent cyberattacks?

Is it possible to prevent cyberattacks? Many small to medium-sized business owners may be wondering if there is much point paying for cybersecurity defenses if they can be so easily side-stepped. After all, if big corporations suffer attacks, what chance do they have of preventing an attack?

It is true that it is not possible to implement defenses than can eliminate all risk of an attack being suffered, but it is possible to keep risk to a minimal level by implementing multi-layered security systems. An intelligent approach, using a number of different strategies, will give the best protection. If no effort is made to secure a network, it will be attacked.

Anti-virus and anti-malware software are a must, as are robust firewalls. However, hackers often target employees with phishing campaigns. Employees are seen as the weakest link, and the easiest way of gaining access to a corporate network. Protections must therefore be put in place to prevent these attacks from succeeding. The best defenses are those that prevent phishing emails from reaching employees, and prevent employees from visiting phishing websites and falling for social media phishing attacks.

Email spam is easy to block with an anti-spam solution such as SpamTitan. Malicious websites can be blocked with WebTitan, which can also be configured to offer protection from social media phishing campaigns and malicious website ads.

With these controls in place, SMBs will be well protected from cyberattacks and should be able to do enough to convince all but the most skilled and determined hackers to give up and find an easier target.

Beware of Typosquatting and URL Hijacking This Holiday Season

If you have lazy fingers or tend to type a little too quickly, you will no doubt have come across typosquatting and URL hijacking before. These are two techniques used to obtain website visitors by piggybacking on the popularity of big online brands. Typosquatters are people who register domain names that are very similar to a major brand, but contain typos. There is Goole.com and Gooogle.com for instance, or Fcaebook.com, and numerous other variants.

The variants are now much more numerous than they used to be. Many new domains have been registered in recent years by typosquatters. The big brands are unhappy to say the least. They see this as an infringement of copyright and many have filed lawsuits against the owners of the sites to get them taken down. Both Google and Facebook have taken legal action already.

Is typosquatting and URL hijacking harmless?

If someone registers a variant of Facebook they are likely to attract many visitors a day, but are they actually doing any harm? People will realize they have mis-typed and just visit the correct site. No harm done. However, that is not always the case with typosquatting and URL hijacking.

The websites usually contain adverts and the owners of the sites make money from displaying them, and even more if the adverts are clicked. Is that taking money away from the big brands? Apparently it is, and we are not talking cents here. According to a study conducted in 2010 by the Washington DC-based Internet consulting company Fair Winds Partners, this form of URL hijacking costs the owners of the legitimate sites around $285 million per year in lost advertising revenues, lost sales, and other expenses.

Recently, some of the fake websites have been used by cybercriminals for phishing campaigns, and many contain malware. The ad networks used on the sites can contain links to malware-infected websites, and a number of criminals have used the sites and the huge traffic volume they receive to launch fake competitions. The information gathered from entrants is used for spear phishing campaigns. The winners of the competitions (everyone who enters) is sent a link to claim their prize or an attachment to open. The aim is to get them to install malware or reveal their bank account details.

Ad Networks make the practice of typosquatting and URL hijacking very profitable

Typosquatters are able to make money from URL hijacking by using ad networks, and there are plenty to choose from. Some are choosy about the sites that they accept to be part of their network, others less so. Some of those ad networks do not vet the placers of adverts very carefully, allowing cybercriminals to place ads that are syndicated across thousands of websites. When the adverts are clicked, they direct the visitor to a malware-infected website or a phishing site.

A simple typo made when attempting to visit a website can start a chain of events that leads to a computer, or the network it connects to, being infected with malware. This can result in criminals gaining access to sensitive data.

With Christmas fast approaching, the sites are now being used to show Christmas special offers. After that they will show cut price deals during the January sales. Careless typists are likely to see a lot of adverts, and may even click on a few. That could prove to be a very expensive mistake.

Typos will always be made from time to time, and that means there will always be a risk that employees will accidentally visit these malicious websites.

Web filters can be used to block access to the typosquatters websites, and web filtering solutions such as WebTitan can stop malicious adverts from being displayed. It may not be possible to make workers type more carefully 100% of the time, but a web filter will ensure that a company is properly protected should a typo be made.

Stop Using Email at Work and Improve Employee Productivity

Email is a drain of productivity for many companies. Employees spend an extraordinary amount of time sending and receiving work emails, sifting through spam, and sending personal messages to friends and family. Ban the use of email and you could see a major increase in productivity, but is it actually possible to stop using email at work without that decision negatively impacting the business? The CEO of Atos believes it is. The decision has been taken to ditch email by 2012. Totally. Atos is not a small company either. It employs 50,000 people.

Atos will be going ‘Old School’. Instead of email, employees will pick up the telephone and speak to people. They will also stand up, walk over to their colleagues, and talk to them rather than fire a quick email. Electronic communication will not be abandoned entirely, as the company will use collaboration tools such as instant messaging programs. They will not be sending messages via email, but chatting to each other using instant messaging instead.

If employees stop using email at work, they will be more productive. Well, that is the theory at least. CEO Thierry Breton believes this to be the case. In fact, if you are waiting for a response to an email that you sent him, you will be waiting a long time. According to The Daily Telegraph, he has not sent a corporate email in three years!

Stop using email at work – It kills productivity!

Many employers wish they could stop using email at work. A huge amount of time is wasted dealing with email. Email is used for everything, even communications that are not best suited to the system.

The majority of email volume is taken up with spam, and even finding a genuine email can be difficult at times. With a powerful anti-spam solution installed, spam and other productivity-killing bulk email can be filtered out. However, time will still be wasted.

A short email is often an ideal way to communicate, but drafting long, complicated emails to convey difficult concepts (or send extensive amounts of data) is perhaps not wise. A face to face meeting or conference call may be better. Many workers resort to email when they really should choose another method of communication.

Banning the use of email entirely is perhaps going a little over the top, but you should consider reducing the volume of emails that are sent. Stop the use of email in certain situations and you will be able to improve the productivity of your workforce and eliminate a lot of wasted time.

Stop using email at work when you need to…

Find out something quickly or get a quick yes or no – Pick up the phone and stop wasting time waiting for a response

Send or receive confidential or sensitive data – If you don’t have encrypted email, you should not be sending information via the email network. Use secure cloud services for example.

Send complex information or instructions – Long emails are not read carefully. People tend to skim read. Essential information can be missed. Audio visual presentations, or other face to face communication methods, are usually preferable.

Conduct staff training – You can send reminders or virus warnings, but all training should be conducted face to face. Otherwise you will not easily be able to find out if information has been taken in and understood.

Communicate when you are very annoyed or upset – It is tempting to type out your emotions and rant via email. You can very easily let your emotions get the better of you and not only do something you will later regret, you will waste both your time and that of other people. E-rage can also seriously damage your career prospects.

Start using other methods of communication

You may hate social media, but there are benefits over email. Sometimes a Tweet may be a better way of getting a message out to a large number of people. Instant messaging services have numerous benefits. They do, after all, promote conversation.

Use of the telephone has reduced, but it is often much more productive to actually speak to someone. Face to face communication is still the best way to communicate in many cases, and thanks to VOIP it is possible to have face to face conversations with people in satellite offices.

Email cannot be eliminated. It is better for many business tasks. Sending quotes to customers for example. Instant messenger cannot be used for that.

If you want to improve productivity, don’t stop using email at work. Just restrict email use, and use other methods of communication when it is more appropriate to do so.

Could you stop using email at work? Could you improve productivity by reducing email usage?

Fake Online Pharmacies Fool Users into Downloading Malware

Why go out to the shops when you can do all of your shopping from the comfort of your own home? All you need is a computer and an Internet connection and you can have products delivered to your door. Unsurprisingly, the ease of buying products online has meant many Internet-connected households order in a lot of products from online stores. Fake online stores catch out many unwary Internet shoppers, and now a number of fake online pharmacies have been identified. Criminals know consumers want cheap drugs.

Fake online pharmacies catch out many online shoppers

There are many legitimate online stores offering great deals on products. Without the expense of maintaining a brick and mortar store and employing numerous members of staff to run it, retailers are able to pass on their cost savings on to customers.

According to research conducted by The Nielsen Company, Internet purchases have been made by 85% of individuals who have an Internet connection at home or work. Internet sales are booming, and over the next few years the volume of purchases made online is only likely to increase.

Internet surfers must be able to find online stores in order to make purchases. Retailers therefore spend a lot of money on website advertising. Advertising on popular websites that attract high traffic costs a lot of money, yet there are cheaper alternatives. Small blogs, Internet forums, and social media sites offer a cheaper option for promoting online stores. They also tend to have less restrictive criteria and do not vet advertisers so thoroughly.

Online criminals have realized they are able to get adverts to their fake stores accepted by ad networks and the above sites. One of the largest growing scams is fake online pharmacies. The high cost of pharmaceutical products has driven many consumers to find discounts online. Pharma products are essentials, and there are considerable savings to be made from buying online. There are many legitimate online discount pharmacies, but there are also an increasing number of fake online pharmacies on the Internet.

Fake online pharmacies carry a health risk and a network security risk

Many fake online pharmacies actually sell drugs, but often they have been secured from overseas. Expiry dates are fast approaching, and many drugs are sold that have not received FDA approval. Many of these do not list the risks associated with the products as would be required in order to receive FDA approval. The risk of individuals coming to harm is therefore considerable.

Many of these fake online pharmacies don’t actually ship any drugs. They are phishing sites used by cybercriminals to obtain the credit card details of consumers. Many of these sites are also used to infect visitors’ devices with malware. Not only can bargain hunters’ health be affected, these fake online stores pose a serious security risk.

Many consumers do not have Internet access at home, but they do at work. Employees spend some of their working day making online purchases and searching for online discounts. Employers that fail to monitor and control access to these websites could be placing their networks at risk.

Fortunately, fake online pharmacies and other bogus and dangerous websites can be easily identified and blocked. Provided of course that the correct software is installed. Companies that implement a web filtering solution are able to block employees from visiting the majority of these dangerous websites. Online adverts can also be easily blocked to prevent employees for falling for phishing scams or downloading malware.

Fail to implement a web filtering solution and your employees may not only be placing their health in jeopardy, they may also inadvertently compromise your network!