A successful CEO fraud scam that resulted in a fraudulent bank transfer being made from company accounts to a cyberattacker has cost the CEO his job.
CEO Fraud Scam Results in Losses of 41.9 Million Euros
Earlier this year, FACC – an Austrian aircraft component manufacturer – was targeted by attackers who pulled off an audacious 50 million Euro ($55 million) CEO fraud scam. An employee of the firm wired 50 million euros after receiving an email, apparently from CEO Walter Stephan, requesting the transfer. The email was a scam and had not been sent by the CEO.
Unfortunately for FACC, the CEO fraud scam was discovered too late and the transfer of funds could not be stopped. While the company was able to recover a small percentage of its losses, according to a statement released by FACC the company lost 41.9 million Euros as a result of the attack, which contributed to annual pretax losses of 23.4 million Euros.
The bank transfer represented approximately 10% of the company’s entire annual revenue. Given the high value of the transfer, it is surprising that the request was not verified with the CEO in person or over the telephone.
The CEO and the employee who made the transfer were investigated but do not appear to have been involved in the scam. The attackers are not believed to be linked to FACC in any way.
Heads Roll After Huge Losses Suffered
Earlier this year, FACC sacked its chief financial officer as a direct result of the scam. The CEO was recently sacked following a meeting of the company’s supervisory board. Stephan had worked at the company as CEO for 17 years.
This CEO fraud scam is one of the largest ever reported, although this type of scam is becoming increasingly common. Earlier this year the FBI issued an advisory about the high risk of CEO fraud scams following many attacks on U.S. companies over the past year. In April, the FBI reported that $2.3 billion has been lost as a result of this type of scam.
CEO email fraud involves a member of the accounts department being sent an email from the CEO – or another senior executive – requesting a bank transfer be made from the company accounts. A reason is usually supplied as to why the transfer request needs to be made, and why it must be made urgently.
Oftentimes, the scammer and the target exchange a few emails. An email is initially sent asking for a transfer to be made, followed by another email containing details of the recipient account where the funds must be sent and the amount of the transfer. The scams are effective because the request appears to come from within the company from a senior executive or CEO. Oftentimes the attackers manage to compromise the CEO’s email account, and spend time researching the style the CEO uses for emails and who transfer requests have been sent to in the past.
According to the FBI, the average transfer amount is between $25,000 and $75,000, although much larger scams have been pulled off in the past. Irish budget airline Ryanair fell victim to a CEO fraud scam and wired $5 million to a Chinese bank, although the funds were recovered. The Scoular Co. wired $17.2 million to scammers in February last year, while Ubiquiti suffered a loss of $46.7 million as a result of a CEO fraud scam.
Easy Steps to Prevent CEO Email Fraud
There are steps that can be taken that can greatly reduce the risk of these scams being successful.
- Implement policies that require all bank transfers – or those above a certain threshold – to be authorized by telephone or through other communication channels.
- Ensure bank transfer requests are authorized by a supervisor and are not left to one single employee
- Configure spam filters to block spoofed domains so that scam emails are not delivered, and publish SPF, DKIM and DMARC records for the company’s own domain so that mail forged from it can be rejected
- Provide training to all accounts department staff and warn of the risk of CEO fraud scams
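The spam filter rule in the list above can be made concrete. The following script is an added example, not part of the original article and not a product feature: it parses a message with Python’s standard email library and applies the checks a mail gateway would use to flag a likely CEO fraud email (an executive’s display name on an outside address, a look-alike sender domain, a Reply-To that steers replies elsewhere, and payment/urgency language). The company domain (example.com), the executive names and the two sample messages are all assumptions constructed for the illustration.

```python
"""Heuristic checks for CEO fraud (business email compromise) messages.

Added example, not part of the original article. COMPANY_DOMAIN, EXECUTIVES
and the two sample messages are assumptions constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumed protected domain
EXECUTIVES = {"walter stephan", "jane doe"}    # assumed names worth impersonating
WIRE_KEYWORDS = ("wire", "transfer", "urgent", "confidential", "payment")


def edit_distance(a, b):
    """Levenshtein distance; used to spot look-alike domains (exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return a list of findings for one RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    exec_name = from_name.strip().lower() in EXECUTIVES

    # 1. An executive's display name on an address outside the company.
    if exec_name and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name with external address {from_addr}")

    # 2. A look-alike domain: one or two edits away from ours.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steering the conversation to another domain.
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Payment and urgency language, the hallmark of the scam.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [k for k in WIRE_KEYWORDS if k in text]
    if len(hits) >= 2 and (exec_name or findings):
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Walter Stephan <walter.stephan@exarnple.com>
Reply-To: walter.stephan@mail-example.net
To: accounts@example.com
Subject: Urgent wire transfer

Please arrange an urgent and confidential wire transfer today.
I will send the beneficiary details in a separate message.
"""

LEGIT = """\
From: Walter Stephan <walter.stephan@example.com>
To: accounts@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse(raw) or "no findings")
```

None of these checks proves fraud on its own; the point is that a message hitting two or more of them should be quarantined or routed for the telephone verification the policy above requires, rather than landing unmarked in an accounts inbox.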
Resolving a hospital ransomware infection may not be as easy as paying the attackers’ ransom demand, as was shown by the Kansas Heart Hospital ransomware attack last week.
Hospital Ransomware Infection Not Removed After Ransom Paid
The Kansas Heart Hospital ransomware attack which occurred last week was the latest in a string of attacks on healthcare organizations in the United States. Ransomware was accidentally installed on a hospital worker’s computer and files were encrypted so that they could no longer be accessed.
A ransom demand was received, offering the decryption keys in exchange for payment. The decision was taken to pay the ransom to resolve the hospital ransomware infection quickly.
After the ransom was paid, the attackers did not make good on their promise and failed to unlock all of the files. Only some of the files were unlocked; instead of releasing the rest, the attackers issued the hospital with a second ransom demand.
In this case, the initial ransom demand was relatively low. Ransomware attackers typically demand a fee of approximately $500 per device to unlock an infection. If multiple computers have been infected, that figure is then multiplied by the number of devices that need to be decrypted.
Ransomware locks each individual machine separately, and a different key is required to unlock each one. Otherwise a victim could pay up and then publish their key and no one else would be required to pay.
Kansas Heart Hospital did not disclose how much was paid, but this could well have been the fee to unlock a single machine. Regardless of the amount, the incident shows that even if a ransom is paid there is no guarantee that the attackers will play ball and make good on their promise. Further demands may be made for more Bitcoin. Resolving a hospital ransomware infection may not necessarily mean just paying the ransom demand.
Healthcare Industry Under Attack
Over the past few months the healthcare industry has come under attack from criminals using ransomware. Some authors of ransomware have taken steps to prevent healthcare providers’ computers from being attacked by their ransomware by including checks to determine the environment in which the ransomware has been installed. However, not all attackers feel they have a moral responsibility to prevent attacks which could cause people to come to physical harm.
Hollywood Presbyterian medical center, Alvarado Hospital Medical Center, King’s Daughters’ Health, Kentucky’s Methodist Hospital, California’s Chino Valley Medical Center and Desert Valley Hospital, and MedStar Health have all been attacked with ransomware this year.
That list is likely to continue to grow. Hospitals and medical centers are attractive targets for ransomware gangs. Many healthcare organizations have under-invested in cybersecurity measures to protect their networks and many hospital employees have not received extensive training in security awareness. This makes it easy for attackers to install ransomware.
Furthermore, if patient data are locked this can have a negative effect on patient health. If patients are at risk of harm, organizations are much more likely to respond to ransom demands and pay up to ensure patients do not suffer. If patients are harmed as a direct result of poor investment in cybersecurity or mistakes that have been made by healthcare employees, healthcare organizations are likely to face lawsuits that could result in damages far in excess of the ransom being demanded.
With attacks likely to continue, healthcare providers must take steps to prevent ransomware attacks from occurring, and develop policies that can be implemented immediately upon discovery of a ransomware attack. As the Kansas Heart hospital ransomware attack has shown, paying a ransom is no guarantee that the file encryption will be unlocked. Hospitals may find that they still have to recover files from backups or explore other means of unlocking infections.
The threat from Cerber ransomware has increased substantially after the gang behind the file-encrypting malware leveraged Dridex botnets to deliver a malicious payload that loads the ransomware onto users’ devices.
Cerber ransomware was first discovered in the wild in February 2016, but researchers at security firm FireEye have noticed a massive increase in infections in recent weeks. Initially, Cerber infections occurred as a result of visiting malicious websites hosting the Nuclear or Magnitude exploit kits. Nuclear and Magnitude probe visitors’ browsers for exploitable vulnerabilities, and infections primarily occurred by exploiting a vulnerability in Adobe Flash Player (CVE-2016-1019). Now the ransomware is also being installed via malicious attachments sent via spam email.
Cerber differs from many ransomware strains by being able to speak to victims. The ransomware is able to use text-to-speech to tell victims they have been infected and that their files have been encrypted.
Massive Increase in Cerber Ransomware Infections Discovered in April
The number of infections had remained relatively low since the discovery of the new ransomware earlier this year; however, according to FireEye there was a massive spike in infections around April 28. The ransomware was being downloaded by Microsoft Word macro downloaders.
The attached files are usually disguised as invoices, receipts, or purchase orders, and the emails, written in English, urge the user to open the attachment. If macros are enabled, the macro writes a VBScript file to the victim’s %appdata% folder and runs it. If macros are not enabled, the document prompts the user to enable them in order to view its contents; doing so lets the macro run and the infection proceeds.
Once the script is running, it checks whether the infected computer has an Internet connection by sending an HTTP request to a website. If a connection is present, the script issues an HTTP range request that ultimately retrieves the final stage of the infection. FireEye reports that the same technique has previously been used to deliver the banking Trojans Dridex and Ursnif.
Cerber encrypts a long list of file types, including Word documents, emails, and Steam game files, and gives the encrypted files a “.cerber” extension. To unlock the encryption, victims are told to visit one of a number of websites using the domain “decrypttozxybarc”. Further instructions are then provided on how to decrypt the files, although a Bitcoin ransom must first be paid. In addition to encrypting files, Cerber adds the victim’s computer to a spambot network.
The ransomware uses a number of obfuscation techniques to avoid detection by spam filters and anti-virus programs. If the emails are delivered and the macros are allowed to run, victims’ files will be encrypted. To prevent infection, macros should be disabled by default (Office 2016 includes a Group Policy setting that blocks macros in files downloaded from the Internet), users should be extremely cautious about opening email attachments, and files delivered by email from an unknown sender should never be opened. The decrypttozxybarc domain should also be added to web filter blacklists.
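Because the Cerber campaign described above depends on an Office macro being allowed to run, an attachment scanner can reject macro-carrying documents at the gateway before the prompt to “enable content” ever reaches a user. The script below is an added example, not FireEye’s or the article’s code: it relies on the fact that modern Office documents are ZIP containers and that a document with VBA code carries a vbaProject.bin part. The sample “documents” are built in memory and are not real Office files; the file-type lists are the author’s own assumptions about what to block outright and what to send for deeper inspection.

```python
"""Flag e-mail attachments that carry VBA macros.

Added example, not FireEye's or the article's code. Modern Office files
(.docx/.docm/.xlsm) are ZIP containers; a document with macros carries a
vbaProject.bin part, and .docm/.xlsm/.pptm are the macro-enabled extensions.
The sample files below are constructed in memory for the demo.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaProject.bin"      # word/vbaProject.bin, xl/vbaProject.bin, ...
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}   # assumed block list
LEGACY_EXTENSIONS = {".doc", ".xls", ".ppt"}                        # OLE2 files may hide macros
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"


def has_vba_project(data):
    """True if a ZIP-based Office file contains a VBA project part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(MACRO_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return 'block', 'review' or 'allow' for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data):
        return "block"       # macro present, whatever the extension says
    if ext in MACRO_EXTENSIONS:
        return "block"       # macro-enabled type, even if the container could not be parsed
    if ext in LEGACY_EXTENSIONS or data.startswith(OLE2_MAGIC):
        return "review"      # legacy binary format: needs an OLE2-aware scan (e.g. oletools)
    return "allow"


def build_docx(with_macro):
    """Construct a minimal Office-like ZIP for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_docx(False)),
        ("invoice.docx", build_docx(True)),        # renamed .docm: still caught
        ("purchase_order.docm", build_docx(False)),
        ("receipt.doc", OLE2_MAGIC + b"\x00" * 8),
    ]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```

The check on the ZIP contents matters more than the extension: a .docm renamed to .docx still carries its vbaProject.bin and is still blocked, whereas an extension-only rule would let it through. Legacy .doc/.xls files are a separate binary format, so they are routed for review rather than silently allowed.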
There are a number of companies that offer web filtering services for MSPs; however, while many managed service providers are happy to provide web filtering to their clients if the service is requested, web filtering is not generally offered to clients as part of an MSP’s range of standard Internet services. Yet, by leveraging web filtering services for MSPs it is possible to substantially increase profits for very little effort.
Web filtering services for MSPs have been developed to be easy to implement, easy to sell to clients, and straightforward to manage, so why are more MSPs not offering web filtering to their clients as part of their Internet services?
Some MSPs may feel that there is not much of a market for web filtering. Draconian Internet usage policies may ensure that Internet access is not abused, yet highly restrictive Internet policies can have a negative impact on staff morale and productivity. Most employees can be trusted to get all of their daily tasks completed, while still occasionally checking Facebook, purchasing something on Amazon, and viewing the occasional YouTube video.
However, providing totally free access to the Internet is unwise. Not preventing employees from accessing illegal and inappropriate website content can cause employers many problems. Some of those problems can prove very costly to resolve. Any organization that has not chosen to filter the Internet – even to a minimal degree – may not be aware of the risks. If MSPs explain these risks, they are likely to find many of their clients will want to sign up for web filtering services.
What are the Main Benefits of Using Web Filtering Services?
There are two main reasons for using a web filter to control Internet content:
Reducing the Risk of Malware Infections
As we have seen in recent months, there is a clear and present danger of a serious malware infection. Cyberattacks are taking place with increasing regularity, new malware is being released at alarming rates, and cybercriminals have embraced ransomware and are using it to extort money out of businesses.
IT teams struggle to implement patches promptly, leaving their networks at risk of attack. This is mainly due to the frequency at which patches are released. Keeping all software – including web browsers and plugins – 100% up to date, 100% of the time is an uphill struggle.
If end users visit malicious websites containing exploit kits, malware and ransomware can be easily loaded onto networks. Issuing staff members with acceptable use policies (AUPs) can reduce the probability of end users visiting high-risk websites, while policies can help to reduce the risk from shadow IT installations, but unless those policies are enforced there is a risk that some employees will break the rules.
Numerous organizations have experienced phishing attacks even when training has been provided on how to identify phishing emails. Unfortunately, scammers are getting much better at crafting highly convincing emails to fool users into visiting websites containing exploit kits that can download malware.
Business email compromise scams have been increasing in recent months, prompting the FBI to issue warnings due to the high risk of attack. Scammers are impersonating CEOs, CISOs, and executives to get end users to visit websites and divulge their login credentials or download malware.
With so many Internet threats to deal with, policies are no longer enough to keep organizations’ networks free from malicious software and infections can prove very costly to resolve.
Controlling Personal Use of the Internet
Many companies take a relaxed attitude to personal Internet use, provided it is kept within certain limits. This is arguably the best option for employers and employees. Blocking personal access to the Internet can have a negative effect on staff morale, and all employees will need to use the Internet from time to time for personal reasons.
That said, there will always be some members of staff that choose to abuse their Internet access and this can lead to serious problems for employers. Not only is there a risk of malware infections, abuse of the Internet can have legal implications for employers. The use of illegal file sharing websites for copyright-infringing downloads, the accessing of illegal website content such as child pornography, or even the viewing of legal pornography in the workplace can cause many HR issues.
Of course, web filtering is not only about blocking access. It allows companies to monitor use of the Internet and identify employees who are breaking the rules before serious HR or legal issues arise. Web filtering also allows organizations to place limits on online activities at certain times of the day to ensure the workforce remains productive and bandwidth is not wasted.
Summary of the Benefits of Filtering the Internet
- Blocks malware, ransomware, botnets, adware, and spyware installations
- Prevents the accessing of illegal website content
- Stops the downloading and installation of shadow IT
- Prevents bandwidth wastage
- Allows employers to monitor employees’ Internet usage
- Prevents many HR issues
- Helps organizations to comply with industry regulations
- Can help to increase employee productivity
Benefits of Web Filtering Services for MSPs
- Protects clients from Internet threats
- Easily increases client revenue
- Helps MSPs to attract more clients and win new business
- Allows MSPs to provide a more comprehensive range of Internet services
Web Filtering Services for MSPs can be Easily Incorporated into Existing Service Packages
Web filtering services for MSPs no longer require expensive appliances to be purchased, and it is not necessary to use local IT support teams to visit clients to install and configure web filters. In fact, it is not even necessary to install software on clients’ devices or servers at all. Clients can have their Internet filtered within 5 minutes of them saying yes to a sales representative if cloud-based web filtering services are used.
Cloud-based web filtering services for MSPs require clients to make a small change to their DNS settings, something that even the most technically inept employee could be talked through over the phone. By pointing the DNS to the service provider’s servers, the Internet can be filtered quickly and painlessly.
Web filtering services for MSPs can be easily offered to clients alongside managed service providers’ other solutions. WebTitan Cloud – and WebTitan Cloud for WiFi – are offered as web filtering services for MSPs without any branding. MSPs are able to add their own logos and corporate color schemes, tailor block pages, and customize reports with their own branding. If required, MSPs can also host the solution within their own infrastructure or use a private cloud for clients.
The management overhead is low and the configuration of new accounts is quick and easy. New client accounts can be set up in approximately 20 minutes. Even reporting is taken care of with a full suite of pre-configured, schedulable reports, including instant email alerts.
The cost for the client is low with only a small spend required per user, per year, and the margins offered by TitanHQ on web filtering services for MSPs are generous. This allows MSPs to easily increase profits, in some cases, by tens of thousands of dollars.
If you want to attract new business, increase client spending, and easily increase profits, web filtering services for MSPs could well be the answer.
For further information on our web filtering services for MSPs, including a product demonstration and details of pricing, contact our sales team today.
This week, a new critical Symantec vulnerability has been discovered that enables an attacker to trigger a memory buffer overflow, allowing root-level control over a system to be gained without any user interaction. The cross-platform security vulnerability affects many Symantec and Norton anti-virus software releases.
Critical Vulnerability in Symantec AVE Scan Engine is “As Bad as it Can Possibly Get”
The critical fault has been found in the core scanning engine used in both Norton and Symantec anti-virus software, including Norton antivirus, and Symantec’s Scan Engine, Endpoint Antivirus, and Email Security, although other products may also be affected. The vulnerability affects Windows, Mac, Linux, and UNIX platforms.
Because the scan engine automatically inspects files as they arrive on the system, the vulnerability could be exploited simply by sending a crafted file attachment to a user’s inbox. The user would not even be required to open the file for the vulnerability to be exploited.
The vulnerability could therefore allow an attacker to take full control of the device on which the software has been installed with no user interaction necessary. The vulnerability has been described as “as bad as it can possibly get” by Tavis Ormandy – the researcher at Google Project Zero who discovered the security flaw.
Ormandy said that if the vulnerability is exploited it causes kernel memory corruption on Windows because “the scan engine is loaded into the kernel (wtf!!!).” It must be said, unpacking malware in the kernel was perhaps not the best decision. Ormandy also discovered a number of other remote code execution security vulnerabilities in Symantec products.
The new critical Symantec vulnerability has now been addressed – AVE version 2018.104.22.168 – although the remaining vulnerabilities have yet to be remediated. Users of Symantec and Norton branded products will have to wait until a patch is made available.
According to an advisory issued by Symantec, the critical vulnerability affects the AVE scanning engine and occurs “when parsing malformed portable-executable header files.” The flaw could be exploited if a file with such a malformed header is downloaded inside an application or document, if a malicious website pushes one of these files onto the device, if an attacker sends one as an email attachment, or even via a link sent in an email. In each case the scanner parses the malformed file as soon as it lands on the system, and that parsing is what triggers the bug.
Symantec reported that “Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation.”
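Symantec’s description, parsing a malformed PE header with values supplied by the file, points at the class of bug involved. The parser below is an added example written for this article, not Symantec’s or Ormandy’s code, and it does not reproduce the actual flaw. It shows the checks a scanner should make before using offsets taken from the file: e_lfanew, NumberOfSections and each section’s raw-data pointer are validated against the buffer length, so a malformed header is rejected rather than dereferenced. The images it parses are constructed toys, not real executables, and the 96-section limit is the Windows loader’s, used here as a sanity bound.

```python
"""Bounds-checked parsing of a PE (portable executable) header.

Added example, not Symantec's or Ormandy's code, and it does not reproduce the
actual flaw. e_lfanew, NumberOfSections and every section pointer come from
the file, i.e. from the attacker, so each derived offset is checked against
the buffer length before it is used. The images below are constructed toys,
not real executables.
"""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)   # 20 bytes
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96                                     # Windows loader limit


class MalformedPE(ValueError):
    """Raised instead of reading outside the buffer."""


def parse_pe(data):
    """Return Machine, Characteristics and the section table, or raise MalformedPE."""
    size = len(data)
    if size < 0x40 or data[:2] != DOS_MAGIC:
        raise MalformedPE("missing or truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew is attacker controlled: validate before dereferencing.
    if e_lfanew + 4 + FILE_HEADER_SIZE > size:
        raise MalformedPE(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise MalformedPE("PE signature not found at e_lfanew")
    fh_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    sect_off = fh_off + FILE_HEADER_SIZE + opt_size
    # A huge NumberOfSections is the classic way to walk a parser off the end of its buffer.
    if nsections > MAX_SECTIONS or sect_off + nsections * SECTION_HEADER_SIZE > size:
        raise MalformedPE(f"{nsections} section headers do not fit in {size} bytes")
    sections = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_ptr + raw_size > size:
            raise MalformedPE(f"section {name!r} raw data exceeds file size")
        sections.append({"name": name, "vaddr": vaddr, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "characteristics": chars, "sections": sections}


def is_well_formed(data):
    """True if parse_pe accepts the image, False if it is rejected as malformed."""
    try:
        parse_pe(data)
        return True
    except MalformedPE:
        return False


def build_image(e_lfanew, nsections, total=0x200):
    """Construct a toy PE-like image (not a real executable) with the given header values."""
    buf = bytearray(total)
    buf[:2] = DOS_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    if e_lfanew + 4 + FILE_HEADER_SIZE <= total:
        buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
        struct.pack_into(FILE_HEADER_FMT, buf, e_lfanew + 4, 0x14C, nsections, 0, 0, 0, 0, 0x102)
        sect_off = e_lfanew + 4 + FILE_HEADER_SIZE
        for i, name in enumerate((b".text", b".data")[:nsections]):
            off = sect_off + i * SECTION_HEADER_SIZE
            if off + SECTION_HEADER_SIZE <= total:
                buf[off:off + 8] = name.ljust(8, b"\x00")
                struct.pack_into("<IIII", buf, off + 8, 0x10, 0x1000 * (i + 1), 0x10, 0x100 + i * 0x10)
    return bytes(buf)


if __name__ == "__main__":
    print(parse_pe(build_image(0x80, 2)))
    for bad in (build_image(0x1000, 2), build_image(0x80, 0xFFFF)):
        print("rejected:", not is_well_formed(bad))
```

The two malformed images illustrate the two easy mistakes: trusting e_lfanew (which here points past the end of the file) and trusting NumberOfSections (65,535 headers of 40 bytes each, far more than the buffer holds). A parser that performs these reads in kernel mode, as the affected engine did, turns either mistake into a kernel memory access violation.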
The critical Symantec vulnerability needs to be remediated as soon as possible. If you run Symantec anti-virus software and your system is not set to update automatically, it is essential to perform a manual Symantec LiveUpdate to address the issue. A patch is expected to be released in the next few days to address the other serious vulnerabilities discovered by Ormandy.
The 2012 LinkedIn data breach was believed to have resulted in the theft of 6.5 million email addresses and hashed passwords; however, the data breach appears to be worse than previously thought, with considerably more data stolen. Those data have now been listed for sale on a darknet marketplace, prompting LinkedIn to contact a substantial percentage of its users to get them to change their passwords.
117 Million Unsalted SHA-1 Hashes and Corresponding Usernames from 2012 LinkedIn Data Breach Listed for Sale
A hacker called “Peace” listed 117 million LinkedIn email and hashed password combinations for sale this week. LinkedIn believes the data also came from the 2012 LinkedIn data breach. The data were in the same format as the 6.5 million password and email combinations that were previously listed for sale. The latest batch of data has been listed for sale for a reported $2,200.
The passwords stolen in the 2012 LinkedIn data breach were stored as unsalted SHA-1 hashes. Hashing is not encryption, and unsalted SHA-1 offers little protection: identical passwords produce identical hashes, a single hash computation can be checked against every account in the dump, and fast GPU-based dictionary attacks recover most of them with relative ease.
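To see why unsalted SHA-1 fails, consider the attack in code. This is an added example, not LinkedIn’s code; the “dump” and wordlist are constructed for the demo. Every candidate password is hashed once and looked up against every user, so growing the dump from 6.5 million to 117 million hashes barely increases the attacker’s work, and two users with the same password are exposed together. The second half shows the salted, iterated alternative (PBKDF2-HMAC-SHA256, chosen here as an illustration, not as LinkedIn’s actual scheme), where the same password yields different stored values and each guess must be recomputed per user.

```python
"""Unsalted SHA-1 versus a salted, iterated hash.

Added example, not LinkedIn's code. The leaked "dump" and the wordlist are
constructed for the demo; real attacks use GPU crackers that try billions of
SHA-1 candidates per second, but the logic is the same.
"""
import hashlib
import hmac
import os


def sha1_unsalted(password):
    """How the 2012 LinkedIn passwords were stored: plain SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(dump, wordlist):
    """Dictionary attack against an unsalted dump.

    Each candidate is hashed once and then looked up against every user, so
    117 million hashes cost almost nothing more to attack than 6.5 million,
    and all users who chose the same password fall together.
    """
    lookup = {sha1_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def hash_salted(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), stored as 'salt$hash'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password, stored, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample dump: three of four users picked weak, common passwords.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty"]
DUMP = {
    "alice@example.com": sha1_unsalted("password"),
    "bob@example.com": sha1_unsalted("linkedin"),
    "carol@example.com": sha1_unsalted("password"),   # identical hash to alice: no salt
    "dave@example.com": sha1_unsalted("Tr0ub4dor&3-corr3ct"),
}

if __name__ == "__main__":
    print("cracked:", crack_unsalted(DUMP, WORDLIST))
    a, b = hash_salted("password"), hash_salted("password")
    print("same password, different salted records:", a != b)
    print("verify:", verify_salted("password", a))
```

With a salt, the attacker can no longer precompute one table for the whole dump: each of the 117 million records would need its own pass over the wordlist, and the iteration count multiplies that cost again. That is the gap between the 2012 storage scheme and what LinkedIn later adopted.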
Soon after the 2012 LinkedIn data breach the 6.5 million account details were offered for sale on a Russian hacking forum. Motherboard reports that as many as 90% of those passwords were able to be cracked. This now places 18 times as many users at risk of having their accounts compromised.
LinkedIn users who joined the professional networking website after the 2012 data breach will not be affected by the data sale, although older users of the site could be at risk, especially if the password they used for their LinkedIn account has been reused for other logins elsewhere online.
Individuals who tend to use the same passwords on multiple websites or those who recycle old passwords are advised to change their passwords on their banking websites, social media profiles, email accounts, and other online sites if there is a possibility that they have used the same password as they used on LinkedIn prior to the 2012 breach.
The 2012 LinkedIn data breach was possible because security at the time was not particularly robust, although that has since been addressed. LinkedIn now salts its password hashes and offers two-factor authentication and email challenges. Since being alerted to the listing of the password/username combinations, LinkedIn has been contacting affected users and invalidating the affected passwords to force a reset.
It is strongly advisable to login to LinkedIn and change your password as a precaution if you are unsure whether you have changed your password since 2012.
Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.
Over the past 6 years, the main causes of healthcare data breaches have changed considerably. Back in 2010/2011, when the first two healthcare data privacy and security surveys were conducted, the main causes of healthcare data breaches were lost and stolen devices, third party errors, and errors made by employees.
Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage devices have fallen considerably in recent years. Due to the high risk of loss and theft – and the cost of risk mitigation following a data breach and compliance fines – healthcare organizations are keeping tighter controls on portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to use data encryption on portable devices. However, lost/stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.
Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches
Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.
Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.
Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.
The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.
Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.
The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.
Healthcare Organizations Need to Increase Cybersecurity Efforts
Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.
Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.
Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.
The Federal Trade Commission (FTC) is conducting a study to investigate the security update practices of mobile device manufacturers. The study is being conducted amid concern that mobile device manufacturers are not doing enough to ensure owners of mobile devices are protected from security threats.
Security Update Practices of Mobile Device Manufacturers Leave Mobile Users Exposed to Attack
A number of new and highly serious threats have emerged in recent years which allow attackers to remotely execute malicious code on mobile devices if users visit a compromised website. One of the most serious threats comes from the Stagefright vulnerability discovered last year.
The Stagefright vulnerability could potentially be exploited to allow attackers to gain control of Android smartphones. It has been estimated that as many as one billion devices are prone to attack via this vulnerability. Google released an Android update to fix the vulnerability, yet many mobile phone users were unable to update their devices as the manufacturer of their device, or the mobile carrier they used, did not allow the updates to be installed. Because of this, many smartphone owners are still vulnerable to attack.
Even when device manufacturers do update their devices there are often long delays between the issuing of the fix and the rolling out of updates. When a rollout is executed, it can take a week or more before all device owners receive their updates. During that time users are left vulnerable to attack.
The FTC wants to find out more about the delays and the rationale behind the slow rolling out of updates.
FTC and FCC Join Forces and Demand Answers from Carriers and Device Manufacturers
The FTC has joined forces with the Federal Communications Commission (FCC) for the study and has ordered smartphone manufacturers and developers of mobile device operating systems to explain how security updates are issued, the reasoning behind the decision to delay the issuing of security updates, and for some device manufacturers, why security updates are not being issued.
The study is primarily concerned with manufacturers of devices running the Android platform, although Apple has also been ordered to take part. Because Apple controls both the hardware and the operating system and delivers iOS updates directly to devices, its security update practices are likely to serve as a benchmark against which other manufacturers will be judged. Android device manufacturers taking part in the study include Blackberry, HTC, LG, Motorola and Samsung. Google and Microsoft will also take part.
The FTC is asking operating system developers and mobile manufacturers to disclose the factors that are considered when deciding whether to issue updates to correct known vulnerabilities. They have been asked to provide detailed information on the devices they have sold since August 2013, if security vulnerabilities have been discovered that affect those devices, and if and when those vulnerabilities have been – or will be – patched.
The FCC has asked questions of mobile phone carriers including the length of time that devices will be supported, the timing and frequency of updates, the process used when developing security updates, and whether device owners were notified when the decision was taken not to issue a security update for a specific device model.
Whether the study will result in better security update practices of mobile device manufacturers remains to be seen, although the results of the study, if published in full, will certainly make for interesting reading.
Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.
Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pay the attackers for the decryption key. Fortunately, in this case there is an easy fix for a CryptXXX infection: according to Kaspersky Lab, files encrypted by CryptXXX can be decrypted for free with its tool. Many other strains of ransomware are not so easy to recover from.
While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.
CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.
How to Block Exploit Kits from Downloading Malware
To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage of security vulnerabilities in a wide range of plugins, although vulnerabilities in Flash and Java are the most commonly exploited. These two browser plugins are installed on millions of machines, and new zero-day vulnerabilities are frequently discovered in both. Cybercriminals are quick to take advantage: as soon as a new vulnerability is identified it is rapidly added to exploit kits, and any machine running an out-of-date plugin is at risk of attack.
It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.
A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!
A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.
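The DNS-layer blocking described above, as an added example that is not part of the original article and not TitanHQ's code: a minimal resolver front end that decodes the question name from a wire-format DNS query, applies a suffix-matched blocklist (with an allowlist that wins), and answers blocked names with a sinkhole address so the browser never reaches the exploit-kit landing page. The blocklist entries, the allowlist entry and the sinkhole address (TEST-NET-1) are constructed for the example; a real deployment would load a maintained category feed and forward allowed queries upstream.

```python
import struct

# Constructed blocklist of hostnames the filter should treat as exploit-kit landing
# pages. These names are hypothetical; a real deployment loads a maintained feed.
BLOCKLIST = {"ek-landing.example", "bad-ads.example"}
# Explicit exceptions win over the blocklist (e.g. a CDN host under a blocked zone).
ALLOWLIST = {"cdn.bad-ads.example"}
# Blocked names resolve to a sinkhole address (TEST-NET-1, never routed) where a
# block page can be served.
SINKHOLE_IP = "192.0.2.1"

QTYPE_A = 1


def decode_qname(packet, offset=12):
    """Decode the wire-format name that follows the 12-byte DNS header.

    Returns (lowercased dotted name, offset of the first byte after the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:
            # Compression pointers are legal in responses, not in a single-question query.
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def matches(name, domains):
    """Suffix match on label boundaries: www.b.example matches b.example, xb.example does not."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts)))


def policy(name):
    if matches(name, ALLOWLIST):
        return "allow"
    if matches(name, BLOCKLIST):
        return "block"
    return "allow"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a minimal recursive query (constructed input, as a stub resolver would send)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def handle_query(packet):
    """Return (decision, response). Allowed queries yield None: forward them upstream.

    Blocked A queries get a short-TTL answer pointing at the sinkhole; blocked queries for
    other types get an empty NOERROR answer so the client has nothing else to connect to."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = decode_qname(packet)
    qtype, _qclass = struct.unpack("!HH", packet[end:end + 4])
    decision = policy(name)
    if decision == "allow":
        return decision, None
    # QR=1 (response), copy RD from the query, RA=1, RCODE=0
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    question = packet[12:end + 4]
    if qtype != QTYPE_A:
        header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
        return decision, header + question
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    # 0xC00C points back to the name at offset 12; TTL 60 so unblocking propagates quickly
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 60, len(rdata)) + rdata
    return decision, header + question + answer


if __name__ == "__main__":
    for host in ("www.ek-landing.example", "cdn.bad-ads.example", "xek-landing.example"):
        print(host, handle_query(build_query(host))[0])
```

Matching on label boundaries matters: a naive `endswith` check would block `xek-landing.example`, and the allowlist is checked first so a single exception does not require carving holes out of the blocklist.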
Finding new revenue avenues for MSPs can be difficult. There are many ways for MSPs to increase client spending and win new business, although new revenue avenues for MSPs that are easy to implement and manage, are straightforward to sell to clients, and also offer good margins are few and far between. Fortunately, there is a product that can easily be incorporated into existing client offerings which is highly desirable, has a low management overhead, and offers MSPs excellent margins. That service is WebTitan Cloud. WebTitan Cloud is a web filtering service that has been developed with MSPs in mind.
New Revenue Avenues for MSPs: Internet Filtering-as-a-Service
The benefits of WebTitan Cloud are considerable. Our web filtering solution can be used to protect virtually all organizations from a wide range of Internet threats: Something that is increasingly important given the increase in phishing attacks and the proliferation of malware and ransomware in recent years. The cost of resolving malware infections is considerable, and data theft and loss can have catastrophic consequences for SMBs. Heavy fines can be issued by regulators for data breaches, and reputation damage from customer data theft can be considerable.
Employees need to be provided with Internet access to work efficiently; however, Internet access is often abused. Employees are wasting a considerable amount of time each day on personal Internet use. Social media networks are accessed, gambling sites used at work, and gaming sites used by many employees during working hours. By limiting access to these websites organizations can greatly increase the productivity of the workforce. Filtering the Internet to prevent employees and customers from accessing inappropriate website content can also prevent HR issues from developing and can reduce legal risk.
Our web filtering solution can also be used to manage bandwidth. Most organizations face bandwidth issues at some point, yet with careful configuration of our web filter, bandwidth can be effectively managed. Bandwidth-heavy Internet services can be limited to ensure that fast Internet access can be enjoyed by all.
WebTitan Cloud – An Easy Way for MSPs to Increase Profits
WebTitan Gateway is a powerful web filtering product that can keep networks protected from web-borne threats and can be used to control the content that can be accessed by employees and customers. While WebTitan Gateway can be offered by MSPs to their clients, TitanHQ has developed a new product that has been tailored to the specific needs of managed service providers.
WebTitan Cloud is a 100% cloud-based web filtering solution that requires no software installations and no hardware purchases. Our web filtering service can be applied in a matter of minutes without the need for on-the-ground IT support teams. Being DNS-based, all that is required is a small change to DNS settings. Point the DNS to our servers and website content can be filtered in as little as 2 minutes.
Configuring new clients’ web filtering settings is a quick and easy process. It takes approximately 20 minutes to add a new client and upload their Internet policy settings. Furthermore, configuring client accounts is a straightforward admin task requiring no technical skill. If clients want to manage their own settings, they can be provided with their own login and administrative roles can be easily delegated. With WebTitan Cloud, filtering the Internet could not be any simpler.
A Web Filtering Service that’s a Perfect Fit for MSPs
There are many companies now offering a web filtering service that can be used by MSPs, but few offer a product or service that has been created with MSPs in mind. With many solutions the cost of implementation is high, margins for MSPs are low, implementation is impractical, and management causes major headaches. On top of that, the lack of white label options means clients could easily end up going direct and cutting an MSP out of the equation. WebTitan Cloud is different.
WebTitan Cloud is offered as a white label, allowing MSPs to easily incorporate a web filtering service into their existing product offerings. MSPs are able to add their own logos, configure block screens, and change color schemes to match their own corporate branding. A range of APIs are also included to make integration with back-office systems as easy as possible. We even offer multiple hosting options. WebTitan Cloud can be run on our servers, in a private cloud, or even within an MSP’s infrastructure.
With WebTitan Cloud, MSPs can start providing a much more comprehensive Internet service to clients and easily boost their profits. For further information on WebTitan Cloud, how our service can be incorporated into your existing portfolios, and for details of pricing, contact our sales team today.
The risk of phishing attacks has increased considerably over the past 12 months, according to a new data breach report from Verizon. Ransomware attacks are also on the rise. The two are often used together to devastating effect as part of a three-pronged attack on organizations.
Firstly, cybercriminals target individual employees with a well-crafted phishing campaign. The target is encouraged to click a link contained in a phishing email which directs the soon-to-be victim to a malicious website. Malware is then silently downloaded to the victim’s device.
The malware logs keystrokes to capture login credentials, which allow the attacker to access email accounts and other systems. The attacker then moves laterally to compromise other networked devices. Stolen credentials are used to launch further attacks, such as fraudulent bank transfers or the installation of ransomware on the network.
The Risk of Phishing Attacks is Growing
Verizon reports that due to the effectiveness of phishing and the speed at which attackers are able to gain access to networks, the popularity of the technique has grown substantially. In years gone by, phishing was a technique often used in nation-state sponsored attacks on organizations. Now there is a high risk of phishing attacks from any number of different players. Even low skilled hackers are now using phishing to gain access to networks, steal data, and install malware. Out of the nine different incident patterns identified by the researchers, phishing is now being used in seven.
Phishing campaigns are also surprisingly effective. Even though many companies now provide anti-phishing training, attempts to educate the workforce to minimize the risk of phishing attacks are not always effective. The 2016 Verizon data breach report suggests that when phishing emails are delivered to inboxes, 30% of end users open them. In 2015 the figure was just 23%. Rather than employees getting better at identifying phishing emails they appear to be getting worse. Even worse news for employers is that 13% of individuals who open phishing emails also open the attached files or visit the links contained in the emails.
Ransomware Attacks Increased 16% in a Year
Ransomware has been around for the best part of a decade although criminals have favored other methods of attacking organizations. However, over the past couple of years that has changed and the last 12 months has seen a significant increase in ransomware attacks on businesses. According to the data breach report, attacks have increased by 16% in the past year. As long as companies pay attackers’ ransom demands attacks are likely to continue to increase.
How Can Web Filtering Software Prevent Ransomware Infections and Reduce the Risk of Phishing Attacks
Defending a network from attack requires a wide range of cybersecurity defenses to be put in place. One of the most important defenses is the use of web filtering software. A web filter sits between end users and the Internet and controls the actions that can be taken by end users as well as the web content they are allowed to access.
A web filter can be used to block phishing websites and malicious sites where drive-by malware downloads take place. Web filtering software can also be configured to block the downloading of files typically associated with malware.
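Blocking "files typically associated with malware" is only effective if the filter looks at what the bytes are rather than what the file is called. As an added example that is not part of the original article and not TitanHQ's code, the following download check classifies a response body by its magic bytes, opens ZIP-based containers (plain archives and Office documents are both ZIPs) to look for scripts, executables and VBA macro streams, and only then falls back to the extension. The policy, the signature table and the sample downloads are constructed for the example.

```python
import io
import zipfile

# Magic-byte signatures checked against the first bytes of the download body.
SIGNATURES = (
    (b"MZ", "pe"),                                  # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                         # also .docx/.xlsx/.jar and macro-enabled variants
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls, may carry VBA
    (b"Rar!\x1a\x07", "rar"),
)
# Policy (assumed for this example): native executables never pass, and archives that wrap
# scripts, executables or macro-enabled documents are blocked whatever the outer name is.
BLOCK_TYPES = {"pe", "elf"}
SCRIPT_OR_EXE = (".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".vbe",
                 ".ps1", ".hta", ".jar", ".bat", ".cmd")


def sniff(data):
    """Classify a body by its leading bytes; 'unknown' when no signature matches."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_entries(data):
    """Entry names inside a ZIP body; an unreadable archive is reported as a marker entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, zipfile.LargeZipFile, EOFError, OSError):
        return ["<corrupt-archive>"]


def verdict(filename, content_type, data):
    """Decide whether a download may pass. Returns (decision, reason)."""
    kind = sniff(data)
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCK_TYPES:
        return "block", f"{kind} executable served as {filename!r} ({content_type})"
    if kind == "zip":
        names = zip_entries(data)
        if "<corrupt-archive>" in names:
            return "block", "unreadable archive"
        if any(n.endswith("vbaProject.bin") for n in names):
            return "block", "Office document with VBA macros"
        bad = [n for n in names if n.lower().endswith(SCRIPT_OR_EXE)]
        if bad:
            return "block", "archive contains " + ", ".join(bad)
    if ext in SCRIPT_OR_EXE:
        return "block", f"script/executable extension {ext}"
    return "allow", kind


def make_zip(entries):
    """Constructed sample input: build an in-memory ZIP from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed downloads: an executable renamed to look like a PDF, and a ZIP hiding a script
    print(verdict("invoice.pdf", "application/pdf", b"MZ\x90\x00" + b"\x00" * 60))
    print(verdict("photos.zip", "application/zip", make_zip({"holiday.jpg.js": b"alert(1)"})))
```

The ordering is deliberate: body type first, container contents second, extension last, so that `invoice.pdf` carrying a PE header and `photos.zip` wrapping a `.js` dropper are both stopped even though neither name looks dangerous.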
Training employees how to avoid phishing emails can be an effective measure to reduce the risk of phishing attacks, but it will not prevent 100% of attacks, 100% of the time. When training is provided and web filtering software is used, organizations can effectively manage phishing risk and prevent malware and ransomware infections. As phishing attacks and ransomware infections are on the increase, now is the ideal time to start using web filtering software.
The recent rise in ransomware infections has been attributed to the proliferation of ransomware-as-a-service, with many malicious actors now getting in on the act and sending out spam email campaigns to unsuspecting users.
Ransomware-as-a-Service Proliferation is a Major Cause for Concern
The problem with ransomware-as-a-service is how easy it is for attackers with relatively little technical skill to pull off successful ransomware attacks. All that is needed is the ability to send spam emails and a small investment of capital to rent the ransomware. The malicious software is now being openly sold as a service on underground forums and offered to spammers under a standard affiliate model.
The malware author charges a nominal fee to rent out the ransomware, but takes a large payment on the back end. Providers of ransomware-as-a-service typically take a cut of 5%-25% of each ransom. Spammers get to keep the rest. Renters of the malicious software cannot access the source code, but they can set their own parameters such as the payment amount and timescale for paying up.
SMBs Increasingly Targeted by Attackers
While individuals were heavily targeted in the past and sent ransom demands of around $400 to $500 to unlock their family photographs and other important files, attackers are now extensively targeting businesses. Often the same model is used, with a fee charged by the attackers per infected machine.
When an organization has multiple devices infected with ransomware the cost of remediation is considerable. One only needs to look to Hollywood Presbyterian Medical Center to see how expensive these attacks can be. The medical center was forced to pay a ransom of $17,000 to unlock computers infected with ransomware, in addition to the many man-hours spent resolving the infection once the encryption keys had been supplied, not to mention the reputational damage and the cost of clearing the backlog caused by its computers being shut down for over a week.
Warning Issued About the Insider Ransomware Threat
As if the threat from ransomware was not enough, researchers believe the situation is about to get a whole lot worse. Ransomware-as-a-service could be used by a malicious insider to infect their own organization. With insider knowledge of the locations and types of data critical to the running of the business, an insider would be in the best position to infect computers.
Insiders may also be aware of the value of the data and the cost to the business of losing data access. Ransoms could then be set accordingly. With payments of tens of thousands of dollars possible, this may be enough to convince some employees to conduct insider attacks. Since finding hackers offering ransomware-as-a-service is not difficult, and network access has already been gained, insiders may be tempted to pull off attacks.
To counter the risk of insider ransomware attacks businesses should develop policies that make it crystal clear to employees that anyone conducting such an attack will be prosecuted to the full extent of the law. Software solutions should be put in place to continuously monitor for unauthorized programs installed on networked devices, and network privileges should be restricted as far as is possible. Employees’ network activities should be monitored, and suspicious activity should be flagged and investigated. It is not possible to eliminate the risk of insider attacks, but it is possible to reduce the risk to a minimal level.
IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices, and this has been clearly illustrated this week following the discovery of new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.
Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions
Many users are frustrated by the speed of their PC and download tools that will help to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse. The software may perform various nefarious activities.
It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.
The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.
By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.
So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs”.
Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.
By allowing the malware to run, researchers discovered it installed System Healer – another Tuto4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.
The Shadow IT Risk Should Not Be Underestimated
The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that goes to such lengths to detect the environment in which it is run and avoid detection is a serious concern.
Organizations should take steps to reduce shadow IT risk and prevent the installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solutions should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations, and action taken against individuals who break the rules.
Anti-phishing strategies can be employed to protect networks from attack; however, a new report from Verizon shows that phishing is proving more successful than ever. Anti-phishing strategies are being employed, but they are not sufficient to prevent attacks from taking place. End users are still opening phishing emails and divulging their login credentials to attackers.
Anti-Phishing Strategies Are Being Implemented But Employees are Still Falling for Phishing Scams
According to the new report a greater percentage of employees are now falling for phishing scams. Last year’s Verizon Data Breach Report showed that 23% of phishing emails were being opened. This year the number has risen to 30%.
Opening a phishing email does not result in a network being compromised or the attacker gaining access to email accounts. For that to happen, an end user must open an infected email attachment or click on a link to a malicious website.
How often are employees taking this extra step? According to the Verizon data breach report, 12% of end users open the phishing email and double click on an attached file.
A similar percentage (13%) of end users click on the malicious links contained in the emails. These links either direct the user to a website containing an exploit kit or to a site where login credentials or other sensitive data are entered and revealed to attackers.
Anti-phishing methods are being taught to company employees, but attacks are still succeeding with alarming frequency. Phishing is proving to be a highly effective method of cyberattack.
The report also indicates that when attacks are successful attackers have plenty of time to exfiltrate data. Organizations are also finding it much harder to detect breaches when they occur. Attacks are taking minutes from the sending of a phishing email to network access being gained, yet it can take months for breaches to be detected.
Training Alone is Insufficient to Protect Against All Phishing Attacks
Anti-phishing strategies adopted by many organizations are not robust enough to prevent successful attacks. Anti-phishing strategies that rely too heavily on training staff members how to identify phishing emails are likely to fail.
It only takes one employee to respond to a phishing email for a network to be compromised and it is a big ask to expect every employee to identify every phishing email, 100% of the time.
Providing staff members with anti-phishing training can help to reduce risk, although software solutions should also be employed. A robust spam filtering solution should be implemented to ensure the majority of phishing emails are blocked and never delivered to end users’ inboxes. No anti-spam solution is effective 100% of the time, although blocking 99.9% of phishing emails is possible with solutions such as SpamTitan.
Attackers are using ever more sophisticated methods to fool end users into clicking on malicious links. A great deal of time and effort goes into spoofing domains and producing carbon-copy spoof websites. Preventing these websites from being visited is one of the best defenses against phishing attacks, and web filtering solutions can be a highly effective way of reducing the risk of a phishing attack being successful.
A web filter can be configured to block phishing websites and other potentially harmful websites. Even if links are clicked, the user is prevented from compromising their device and network.
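Spoofed domains are the part of this that a filter can catch before a user ever sees the carbon-copy page. As an added example that is not part of the original article and not TitanHQ's code, the following classifier takes a hostname from a clicked link and checks it against a list of protected brand domains: it decodes punycode labels back to Unicode, folds accents and look-alike characters into a "skeleton", flags a brand name planted as a subdomain of someone else's domain, and flags registrable domains within one edit (including a transposition) of a brand. The brand list is constructed, and the two-label rule for the registrable domain is a simplifying assumption; production code would use the Public Suffix List.

```python
import unicodedata

# Constructed list of brand domains the filter protects. Hypothetical names.
PROTECTED = {"example-bank.com", "example-mail.com"}

# Single-character look-alikes folded to the letter they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l", "ı": "i"})
# Multi-character look-alikes, applied after the single-character fold.
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def to_unicode(host):
    """Turn punycode labels (xn--...) back into Unicode so look-alike letters are visible."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already Unicode, or not valid IDNA: compare as given


def skeleton(host):
    """Fold accents and confusables so 'exámple' and 'exarnple' both become 'example'."""
    s = unicodedata.normalize("NFKD", to_unicode(host))
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.translate(CONFUSABLES)
    for pair, letter in PAIRS:
        s = s.replace(pair, letter)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions (bnak -> bank = 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host):
    """Assumption: registrable domain = last two labels. Production code uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(host):
    """Return (verdict, brand). Verdicts: legit, brand-in-subdomain, homoglyph, typosquat, unknown."""
    h = to_unicode(host)
    reg = registrable(h)
    if reg in PROTECTED:
        return "legit", reg
    for brand in PROTECTED:
        # Brand name placed in front of someone else's registrable domain.
        if ("." + h).find("." + brand + ".") >= 0:
            return "brand-in-subdomain", brand
    sk = skeleton(reg)
    for brand in PROTECTED:
        bsk = skeleton(brand)
        if sk == bsk:
            return "homoglyph", brand
        if osa_distance(sk, bsk) <= 1:
            return "typosquat", brand
    return "unknown", None


if __name__ == "__main__":
    for host in ("www.example-bank.com", "example-bank.com.secure-login.example",
                 "exarnple-bank.com", "example-bnak.com", "unrelated.example"):
        print(host, classify(host))
```

A hit here is a reason to block or at least to warn; legitimate domains that happen to sit within one edit of a brand exist, so the verdict should feed a review queue rather than silently drop traffic for an entire organisation.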
K-12 schools in the United States have been put on alert after it was discovered that backdoors have been installed on a number of servers running Follett’s Destiny Library Management System. More than 60,000 schools in the United States use Destiny to track school library assets, a number of which now face a high risk of cyberattack.
A security vulnerability in the JBoss platform has recently been used to launch attacks on a number of organizations in the United States. The vulnerability has allowed malicious actors to gain access to servers and install ransomware. The main targets thus far have been hospitals, including Baltimore’s Union Memorial which was infected as a result of a ransomware attack on its parent organization MedStar. The attackers gained access to servers at MedStar and used SamSam ransomware to lock critical files with powerful encryption. The discovery of the ransomware resulted in the forced shutdown of MedStar’s EHR and email causing widespread disruption to healthcare operations.
Over 2000 Backdoors Discovered to Have Been Installed on Servers Running JBoss
Since the attack took place, Cisco’s Talos security team has been scanning the Internet to locate servers that are exposed to the JBoss security vulnerability. Earlier this week Talos researchers reported that 3.2 million servers around the world are vulnerable to attack. However, there is more bad news. Attackers have already exploited the vulnerability and installed backdoors on thousands of servers by dropping webshells on unpatched JBoss instances; in some cases multiple backdoors from a number of different actors were found on the same host. In total, 2,100 backdoors were discovered across approximately 1,600 IP addresses.
Hospitals have been targeted because they hold a considerable volume of valuable data that is critical to day-to-day operations. If attackers are able to lock those files there is a high probability that the hospital will be forced to pay a ransom to obtain the decryption key. Hollywood Presbyterian Medical Center had to pay a ransom of $17,000 to unlock files that had been encrypted in a ransomware attack. Schools are also being targeted.
Poor patch management policies are to blame for many servers being compromised. The JBoss security vulnerability is not new. A patch was issued to correct the vulnerability several years ago. If the patch had been applied, many servers would not have been compromised. However, some organizations, including many schools, are not able to update JBoss as they use applications which require older versions of JBoss.
Destiny Library Management System Vulnerabilities Addressed With A New Patch
A number of schools running Destiny Library Management System were discovered to have been compromised by attackers using the JexBoss exploit to install backdoors, which could be used to install ransomware. Follett discovered the problem and has now issued a patch to address the security vulnerability and secure servers running its Destiny Library Management System. The patch plugs security vulnerabilities in versions 9.0 to 13.5, and scans servers to identify backdoors that have been installed. If non-Destiny files are discovered they are removed from the system.
Any school using the Destiny Library Management System must install the patch as a matter of urgency. If the Destiny Library Management System remains unpatched, malicious actors may take advantage and use the backdoors to install ransomware or steal sensitive data.
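Follett's patch, as described above, scans servers for files that are not part of Destiny and removes them. The same approach works for any JBoss deployment: take a hashed manifest of a known-good deployment, then diff the live tree against it, and independently flag any JSP that executes commands. The following hunt script is an added example, not Follett's or Talos's code; the deployment layout, the webshell name `cmd.jsp` and the sample page contents are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import re
import tempfile

# Code that a legitimate library-management JSP has no reason to contain, but that nearly
# every JSP webshell does: command execution, usually fed from a request parameter.
EXEC_PATTERNS = (
    ("Runtime.exec", re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I)),
    ("ProcessBuilder", re.compile(r"new\s+ProcessBuilder", re.I)),
    ("param-to-exec", re.compile(
        r"request\.getParameter\([^)]*\)[^;]{0,80}(exec|ProcessBuilder|FileOutputStream)", re.I | re.S)),
    ("reflective-invoke", re.compile(r"Class\.forName\([^)]*\)\.getMethod\(", re.I)),
)


def _walk(root):
    """Yield (relative path with forward slashes, file bytes) for every file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                yield os.path.relpath(path, root).replace(os.sep, "/"), fh.read()


def build_manifest(root):
    """SHA-256 of every file under a known-good deployment: the baseline to diff against."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in _walk(root)}


def hunt(root, manifest):
    """Return findings as (relative path, reason): files absent from the manifest, files modified
    since it was taken, and JSPs carrying command-execution code (whether in the manifest or not)."""
    findings = []
    for rel, data in _walk(root):
        digest = hashlib.sha256(data).hexdigest()
        if rel not in manifest:
            reason = "not in deployment manifest"
        elif manifest[rel] != digest:
            reason = "modified since manifest"
        else:
            reason = None
        if rel.lower().endswith((".jsp", ".jspx")):
            text = data.decode("latin-1")  # never fails; we only need ASCII code fragments
            hits = [label for label, pattern in EXEC_PATTERNS if pattern.search(text)]
            if hits:
                reason = (reason + "; " if reason else "") + "command execution: " + ", ".join(hits)
        if reason:
            findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Constructed deployment: baseline a webapp, then drop a shell and tamper with a page."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "deploy", "library.war")
        os.makedirs(app)
        with open(os.path.join(app, "index.jsp"), "w") as fh:
            fh.write('<html><%= request.getParameter("q") %></html>')
        manifest = build_manifest(root)
        # Attacker drops a minimal JSP shell and appends an exec call to an existing page.
        with open(os.path.join(app, "cmd.jsp"), "w") as fh:
            fh.write('<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
        with open(os.path.join(app, "index.jsp"), "a") as fh:
            fh.write('<% new ProcessBuilder(request.getParameter("x")).start(); %>')
        return hunt(root, manifest)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "->", reason)
```

The manifest diff catches anything dropped or altered, including shells with innocuous names; the pattern check catches shells that were already present when the baseline was taken, which is the case to worry about on a server that was exposed for years before anyone looked.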
A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable than credit card numbers, for instance.
Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.
The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.
78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom across the sectors surveyed. Only government agencies ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.
Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.
The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant
Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.
HIPAA requires all covered entities – healthcare providers, health plans, and healthcare clearinghouses – and their business associates to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.
One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.
The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.
HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.
Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.
This week has seen the release of new U.S. data breach statistics by the Identity Theft Resource Center (ITRC). The new report reveals the extent to which organizations have been attacked over the past decade, breaking down data breaches by industry sector.
ITRC has been collecting and collating information on U.S. data breaches since 2005. Since records of security breaches first started to be kept, ITRC figures show a 397% increase in data exposure incidents. This year has seen the total number of data breach incidents surpass 6,000, with 851 million individual records now having been exposed since 2005.
U.S. Data Breach Statistics by Industry Sector
The financial sector may have been extensively targeted by cybercriminals seeking access to financial information, but between 2005 and March 2016 the industry only accounts for 7.9% of data breaches. The heavily regulated industry has implemented a range of sophisticated cybersecurity protections to prevent breaches of confidential information which has helped to keep data secure. The business and healthcare sectors were not so well protected and account for the majority of data breaches over the past decade.
Over the course of the past decade financial sector ranked lowest for breaches of Social Security numbers. The largest data security incident exposed 13.5 million records. That data breach occurred when data was on the move.
At the other end of the scale is the business sector, which includes the hospitality industry, retail, transport, trade, and other professional entities. This sector had the highest number of data breaches accounting for 35.6% of all data breaches reported in the United States. Those breaches exposed 399.4 million records.
ITRC’s U.S. data breach statistics show that the business sector was the most frequently targeted by hackers over the course of the past decade, accounting for 809 hacking incidents. Hackers were able to steal 360.1 million records and the industry accounted for 13.6% of breaches that exposed credit and debit card numbers. The huge data breaches suffered by Home Depot and Target involved the exposure of a large percentage of credit and debit card numbers.
Healthcare Sector Data Breaches Behind the Massive Rise in Tax Fraud
The business sector was closely followed by the healthcare industry, which has been extensively targeted in recent years. ITRC reports that the industry accounted for 16.6% of data breaches that exposed Social Security numbers. Since 2005, over 176.5 million healthcare records have been exposed, and over 131 million records have been exposed through hacking since 2007. That includes the 78.8 million records exposed in the Anthem Inc. data breach discovered early last year.
While hacking has exposed the most records, employee negligence and error were responsible for 371 data breaches in the healthcare industry. Healthcare data breaches are believed to be behind the massive increase in tax fraud experienced this year; tax fraud surged by 400 percent in 2016.
Government and military data breaches make up 14.4% of U.S. data breaches over the past decade, with the education sector experiencing a similar number, accounting for 14.1% of breaches. Over 57.4 million Social Security numbers were exposed in government/military data breaches, along with more than 389,000 credit and debit card numbers.
The education sector experienced the lowest proportion of insider data breaches of all industry sectors (0.7%), although 2.4 million records were exposed via email and the Internet.
Cybersecurity Protections Need to Be Improved
The latest U.S. data breach statistics show that all industry sectors are at risk of cyberattack, and all must improve cybersecurity protections to keep data secure. According to Adam Levin, chairman and founder of IDT911, “Companies need to create a culture of privacy and security from the mailroom to the boardroom. That means making the necessary investment in hardware, software and training. Raising employee cyber hygiene awareness is as essential as the air we breathe.”
The risk of Microsoft wireless mouse hijacking has been addressed this week. An optional fix was released as part of the latest KB3152550 Windows update. The update is for Windows 7, 8.1, and 10, although Microsoft has not addressed the flaw in Windows Server.
Earlier this year security researchers from Bastille Networks disclosed a set of vulnerabilities in wireless mice and keyboards that could potentially be exploited by attackers to remotely execute commands on computers. The vulnerabilities affected products from a number of wireless mouse and keyboard vendors.
The vulnerability class – termed MouseJack – arises from flaws in the proprietary radio protocols the devices use to communicate with their USB dongles. Attackers can spoof mice and keyboards, although they need to be within radio range of the target dongle, which Bastille put at up to 100 meters.
Attackers could therefore operate with an inexpensive radio transmitter from outside the company premises, injecting HID packets that the victim's USB dongle accepts as if they had come from the paired device. Bastille's key finding was that many dongles accept keyboard HID packets transmitted to the RF address of a paired wireless mouse, even though a mouse would never legitimately send keystrokes.
The Microsoft update improves security by having the dongle filter out QWERTY keystroke packets received on a wireless mouse's address.
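To make the mitigation concrete, here is an added illustrative model of the dongle-side check, written for this page; it is not Bastille's research code or Microsoft's firmware. It assumes a constructed over-the-air frame of a 5-byte device address followed by a standard USB HID boot-protocol report, a hypothetical pairing table, and constructed sample addresses and traffic; the real proprietary radio framing is not reproduced. It shows why a keyboard report arriving on a mouse's address is the thing to drop, and what the injected frames would have typed had they been forwarded to the host.

```python
"""Dongle-side filter for MouseJack-style keystroke injection (illustrative model).

Constructed frame format (an assumption for this example, not the real radio protocol):
    5-byte RF address || USB HID boot-protocol report
The boot-protocol report layouts are the standard USB ones:
    mouse:    buttons, dx, dy[, wheel]              (3 or 4 bytes)
    keyboard: modifiers, reserved(0), 6 key usages  (8 bytes)
"""
from typing import Dict, List, Tuple

ADDR_LEN = 5
MOUSE_REPORT_LENS = (3, 4)
KEYBOARD_REPORT_LEN = 8

# Hypothetical pairing table held by the dongle: RF address -> class of the paired device.
# The addresses are constructed sample values, not real device identifiers.
MOUSE_ADDR = bytes.fromhex("a1b2c3d4e5")
KEYBOARD_ADDR = bytes.fromhex("0f1e2d3c4b")
PAIRED_DEVICES: Dict[bytes, str] = {MOUSE_ADDR: "mouse", KEYBOARD_ADDR: "keyboard"}

# Subset of the USB HID keyboard usage table, used only to log what an injection would type.
_USAGE_TO_CHAR = {0x04 + i: chr(ord("a") + i) for i in range(26)}           # 0x04='a' .. 0x1d='z'
_USAGE_TO_CHAR.update({0x1E + i: str((i + 1) % 10) for i in range(10)})      # 0x1e='1' .. 0x27='0'
_USAGE_TO_CHAR.update({0x28: "\n", 0x2C: " "})                               # Enter, Space

def classify_report(report: bytes) -> str:
    """Classify a HID report by its boot-protocol shape: 'mouse', 'keyboard' or 'unknown'."""
    if len(report) == KEYBOARD_REPORT_LEN and report[1] == 0:
        return "keyboard"
    if len(report) in MOUSE_REPORT_LENS:
        return "mouse"
    return "unknown"

def decode_keys(report: bytes) -> str:
    """Render the key usages of a boot keyboard report as text (unknown usages become '?')."""
    if classify_report(report) != "keyboard":
        return ""
    shift = bool(report[0] & 0x22)  # left/right Shift modifier bits
    chars = []
    for usage in report[2:8]:
        if usage == 0:
            continue
        ch = _USAGE_TO_CHAR.get(usage, "?")
        chars.append(ch.upper() if shift else ch)
    return "".join(chars)

def filter_frame(pairing: Dict[bytes, str], frame: bytes) -> Tuple[str, str]:
    """Decide whether the dongle should forward a received frame to the host.

    The MouseJack mitigation is the class check: a keyboard report addressed to a
    paired mouse is dropped instead of being forwarded as keystrokes.
    """
    addr, report = frame[:ADDR_LEN], frame[ADDR_LEN:]
    device = pairing.get(addr)
    if device is None:
        return "drop", "frame from unpaired address"
    kind = classify_report(report)
    if kind != device:
        detail = f" (would have typed {decode_keys(report)!r})" if kind == "keyboard" else ""
        return "drop", f"{kind} report on {device} address{detail}"
    return "accept", f"{kind} report from paired {device}"

def run_filter(pairing: Dict[bytes, str], frames: List[bytes]) -> List[Tuple[str, str]]:
    """Apply the filter to a capture and return one (verdict, reason) per frame."""
    return [filter_frame(pairing, f) for f in frames]

def kbd(*usages: int, modifiers: int = 0) -> bytes:
    """Build an 8-byte boot keyboard report from up to six key usages."""
    keys = (list(usages) + [0] * 6)[:6]
    return bytes([modifiers, 0] + keys)

# Constructed capture: a legitimate mouse movement, two injected keystroke frames aimed
# at the mouse's address, a real keyboard frame, and a frame from an unknown address.
SAMPLE_FRAMES: List[bytes] = [
    MOUSE_ADDR + bytes([0x00, 0x05, 0xFB]),          # buttons=0, dx=+5, dy=-5
    MOUSE_ADDR + kbd(0x0B, 0x0C),                    # 'h','i' injected on the mouse address
    MOUSE_ADDR + kbd(0x28),                          # Enter injected on the mouse address
    KEYBOARD_ADDR + kbd(0x04, modifiers=0x02),       # Shift+'a' from the real keyboard
    bytes.fromhex("ffffffffff") + bytes([0, 1, 1]),  # mouse report from an unpaired address
]

if __name__ == "__main__":
    for frame, (verdict, reason) in zip(SAMPLE_FRAMES, run_filter(PAIRED_DEVICES, SAMPLE_FRAMES)):
        print(f"{verdict:6s} {frame.hex()}  {reason}")
```

The check is deliberately per-address rather than per-report: a dongle that is told which class of device lives at each address has no reason to forward anything else from it, which is why the fix belongs in the dongle and why unpatched mice from other vendors remain exposed until their firmware applies the same rule.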
The risk of Microsoft wireless mouse hijacking is relatively low, although it should not be ignored. All organizations that use wireless Microsoft mice should install the patch. If devices have been set to update automatically the patch should already have been installed.
Unfortunately, there is still a risk of Microsoft wireless mouse hijacking for users of the Sculpt Ergonomic Mouse, which was not fixed in the latest update. Non-Microsoft wireless mice may also still be at risk. Users of other wireless mice should consult the websites of the manufacturers to determine whether patches have been released.
This month Dell SecureWorks released its annual underground hacker markets report. For the past three years, intelligence analysts at Dell SecureWorks have been tracking underground hacking forums and gathering intel. The annual reports provide an interesting insight into the world of cybercrime, and reveal just how little hackers are charging to conduct attacks.
Underground Hacker Markets Report Reveals Wide Range of Corporate Data Being Openly Sold on the Black Market
The underground hacker markets report shows that hackers are selling all types of stolen data, including passports, Social Security cards, driver’s license numbers, bank account details, airline points accounts, and credit card numbers. The latter can be purchased for just $7, while physical Social Security cards are being sold for up to $250.
Hacking services are also being offered cheaply, with the hacking of websites costing around $350, DDoS attacks being sold from $5 per hour to $555 per week, and doxing for under $20. Hacking tutorials are even being offered with multiple sessions available for under $40.
Cybercriminals wishing to launch their own attacks are being offered a wide range of malware at low prices. Remote Access Trojans (RATs) are being sold for as little as $5 to $10 each. Crypters, used to obfuscate malware so that it evades antivirus detection, sell for $80-$440, and the Angler exploit kit is available for between $100 and $135. The sellers also offer total confidentiality and customer support.
The analysts also discovered whole business dossiers being sold via underground forums. The dossiers include email accounts, bank account numbers, and a range of logins and passwords. Those dossiers are being sold openly for as little as $547. With the type of information contained in the dossiers, criminals could drain bank accounts and even apply for credit in company names.
BEC Scams Have Increased 270% In the Past 3 Years
In the past few years business email compromise scams have increased substantially. According to a recent warning issued by the FBI, between October 2013 and August 2015 BEC attacks increased by 270%.
BEC scams are proving to be extremely lucrative for cybercriminals. Figures from the FBI suggest that $1.2 billion has been lost to BEC scams since October 2013. Mattel recently discovered by accident that criminals had succeeded in pulling off a BEC scam involving a $3 million transfer to hackers in China.
The scam took place at a time when the company was undergoing a corporate change, and it would have been successful had the transfer been made on virtually any other weekend in the year. The fact that the transfer was made on a bank holiday gave Mattel time to stop the transfer going through.
Attacks on this scale may not be pulled off regularly, but they are far from unusual. One of the biggest BEC scam losses was recently reported by The Scoular Co. The Omaha-based company lost $17.2 million to BEC scammers.
Cybercriminals no longer need to personally gain access to corporate email accounts to pull off these scams. For a very small investment they can buy access to CEO and executive email accounts.
The Dell underground hacker market report indicates cybercriminals can purchase a U.S. corporate email account for around $500, while Gmail, Hotmail and Yahoo accounts can be compromised for around $129.
Symantec’s 2016 Internet Security Threat Report has revealed the lengths to which cybercriminals are now going to install malware and gain access to sensitive data. The past 12 months have seen a substantial increase in attacks, and organizations are now having to deal with more threats than ever before.
Internet Security Threat Report Shows Major Increases in Ransomware, Malware, Web-borne Threats and Email Scams
The new Internet Security Threat Report shows that new malware is being released at a staggering rate. In 2015, Symantec discovered over 430 million unique samples of malware, representing an increase of 36% year on year. As Symantec points out, “Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.”
New zero-day vulnerabilities are now being discovered at a rate of roughly one per week, more than double the rate seen in 2014 and 2013. In 2015, 54 new zero-day vulnerabilities were discovered, compared with just 24 in 2014 and 23 in 2013.
The 2016 Internet Security Threat Report puts the total number of lost or stolen records at half a billion, although Symantec reports that organizations are increasingly choosing to withhold details of the extent of data breaches. The breach may be reported, but there has been an 85% increase in organizations not disclosing the number of records exposed.
Ransomware Attacks Increased 35% in 2015
Ransomware is proving more popular than ever with cybercriminal gangs. In 2015, ransomware attacks increased by 35%. The upward trend in 2015 has continued into 2016. Spear phishing attacks have also increased. While these attacks are often conducted on large organizations, Symantec reports that spear phishing attacks on smaller companies – those with fewer than 250 employees – have been steadily increasing over the past five years. In 2015, spear phishing attacks increased by a staggering 55%.
Cybercriminals may now favor phishing attacks and zero-day exploits over spam email scams, but spam still poses a major risk to corporate data security. There has also been a rise in software scams, in which scammers get consumers to purchase unnecessary software by falsely reporting a security problem with their computer. Symantec blocked 100 million fake technical support scams last year.
75% of Websites Found to Contain Exploitable Security Vulnerabilities
One of the most worrying statistics from this year’s Internet Security Threat Report is that over 75% of websites contain unpatched security vulnerabilities which could potentially be exploited by hackers. Even popular websites have been found to contain unpatched vulnerabilities. If attackers can compromise those websites and plant exploit kits on them, they can infect millions of website visitors. Simply being careful which sites are visited, and only using well known sites, is no guarantee against infection.
With the dramatic increase in threats, organizations need to step up their efforts and improve cybersecurity protections. Failure to do so is likely to see many more of these attacks succeed.
Companies may be happy to use vendors for a wide range of services that they do not have the resources or skills to perform in-house, but the vendor data security risk could be considerable, according to a new report issued by security firm Bomgar.
Furthermore, the number of third party vendors used by an average firm has grown substantially in recent years. Bomgar determined that on average 89 separate vendors access a company’s network every week. With so many third party companies being given access to corporate networks, data breach risk is high, especially considering the lack of security controls in place at many companies.
Numerous companies have reported suffering a data breach as a direct result of granting vendors access to their networks. The survey conducted by Bomgar asked 608 IT decision makers from the United States, UK, Germany, and France about vendor access to their networks and IT security. 69% of respondents said their organization had either definitely or probably experienced a vendor-related data breach.
The situation is likely to get much worse. When asked whether reliance on third party vendors would increase over the course of the next two years, three quarters of respondents said that it would. It is not only the vendors employed by organizations that are the problem. In many cases, vendors have vendors and subcontract certain tasks to other companies. 72% of respondents said this was the case, increasing vendor security risk further.
Poor Vendor Data Security Could Lead to a Data Breach
The survey also revealed that only 35% of companies could say with any degree of certainty exactly how many vendors were able to access their networks. Just 34% of companies could tell how many logins had been issued to their vendors. This suggests the majority of companies are exercising poor network access control.
Many organizations are leaving their networks wide open to a vendor-related data breach, and the potential for damage is considerable. Rather than limiting vendors to the minimum access necessary for a task to be performed, 44% of companies said they take an all-or-nothing approach to vendor network access, and in practice that means full access is granted.
The survey results show that many companies may be underestimating vendor data security risk. 92% of respondents said they trusted their vendors completely or at least most of the time. That said, when asked if they trust vendors too much just over two thirds said yes.
While the Bomgar study appears to show overwhelming trust in vendors, a separate study conducted by the Ponemon Institute revealed that in the United States trust in vendors is much lower, at least when it comes to reporting security breaches.
The Ponemon survey was conducted on 598 individuals across a range of organizations. Respondents were familiar with vendor data security risk management at their respective organizations.
37% of respondents said they believed their primary vendors would not notify them if a breach of confidential or sensitive data occurred. For subcontractors used by third-party vendors, trust was even lower. 73% said they did not think they would be informed of a breach if it occurred.
Organizations may implement robust security defenses to prevent direct network attacks, but if they fail to ensure their vendors are exercising appropriate data security controls and do not keep tabs on who has access to their network, data breaches are likely to occur.
Law firm data security has come under the spotlight in the past couple of weeks following the publication of a number of news reports on hacking incidents at law firms, and most recently, the huge 11.5 million-document 2.6 terabyte data leak at Panamanian law firm Mossack Fonseca. The latest data leak exposed the offshore banking activities of some of the world’s wealthiest individuals, including 70 current and former world leaders.
Why are Cybercriminals Targeting Law Firms?
Cybercriminals are targeting law firms in an attempt to gain access to data on mergers and acquisitions, email accounts are being hacked to obtain details of bank transfers to reroute funds to hackers’ accounts, and attacks are being conducted to gain access to client data on patents and new products. Corporate data is also being stolen and sold on the darknet.
The banks are putting increasing pressure on law firms to do more to protect their networks from attack, while law enforcement authorities are attempting to get law firms to disclose data breaches when they occur. With law firms now under greater scrutiny, clients are likely to demand assurances that modern – not modest – cybersecurity defenses are put in place to protect their confidential data. However, many reports suggest law firm data security is substandard and incapable of preventing cyberattacks.
Cyberattacks on small law firms that have invested relatively little in cybersecurity defenses are perhaps to be expected; however, the computer networks of some of the biggest law firms in the United States have been compromised. Those include high profile firms such as Cravath Swaine & Moore and Weil Gotshal & Manges.
A report in Crain’s Chicago Business indicated that 48 of the most prestigious law firms in the United States had been targeted by a Russian hacker operating out of Ukraine, who was seeking to trade on stolen M&A data. A number of UK law firms have also been attacked by hackers who gained access to email accounts and hijacked bank transfers, netting over $97 million in the past 18 months.
Law Firm Data Security is Substandard and Lags Behind Other Industries
Many law firms do not disclose data breaches so the true extent to which cyberattacks are occurring is difficult to estimate but, based on recent reports, data breaches are far more prevalent than previously thought. The reports suggest that law firm data security measures need to be improved in light of increased efforts by cybercriminals to break through law firms’ defenses.
A report from Citigroup last month suggested digital security measures employed by law firms were less robust than in many other industries, even though law firms are big targets for cybercriminals and government-backed hackers.
The report indicated that law firms face a high risk of cyberattacks because of the volume of highly valuable data they hold: data that could be used for insider trading or sold for large sums on the black market. M&A data and patent applications were said to be the most highly prized information.
Hackers are exploiting a wide range of security flaws in order to gain access to sensitive data; however, one of the main methods used is phishing. Social engineering techniques are used to get individuals in law firms to reveal login credentials to email accounts, to visit malicious websites that download malware, or open infected email attachments that directly install a host of malware on law firms’ networks.
Many of the attacks are conducted by sending out indiscriminate spam emails, although individuals within law firms are also being targeted with spear phishing emails. Individual employees are researched and targeted with carefully crafted emails to maximize the chance of a response.
The emails are written in native English and include investment and legal terminology. FireEye reported they can even contain detailed information about the inner workings of public companies.
How Can Law Firm Data Security be Improved?
There are a number of measures that can be employed to reduce the risk of cyberattacks:
- All staff should receive training to help with the identification of phishing emails and other email scams. This will reduce the risk of individuals accidentally compromising their networks.
- Patch management policies must be introduced. Patches and software updates need to be implemented promptly.
- Spam filtering technology should be implemented to reduce the likelihood of phishing emails and malware being delivered to inboxes.
- The implementation of a web filtering solution can reduce the risk of malware downloads, drive-by attacks, and can block phishing websites from being visited.
- Anti-virus and anti-malware solutions must be kept up to date and regular scans conducted on networked devices and servers.
- Outdated software and unsupported operating systems should be retired and replaced with modern, more secure software.
- Law firms can monitor darknet sites using security solutions to identify when data is being listed for sale.
Unless law firm data security is improved, successful attacks will continue and client and corporate data will be exposed.
In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (AKA Samas/Samsam/Samsa). More recently, Reuters obtained a confidential FBI advisory in which the bureau asked U.S. businesses and the software security community for help to deal with the growing enterprise ransomware threat from MSIL.
The new ransomware is particularly nasty because it is capable of spreading across networks, not just infecting individual computers. The February FBI alert provided details of the new ransomware and how it attacked systems by exploiting a vulnerability in outdated versions of the JBoss application server; any enterprise running an unpatched version of the software platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.
Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.
Recent high profile attacks on healthcare organizations and law enforcement agencies have resulted in ransoms being paid to attackers in order to recover encrypted data. Often there is no alternative but to pay the ransom in order to recover data. However, paying ransoms simply encourages more attacks.
The Enterprise Ransomware Threat is Now at A Critical Level
Ransomware is not new, but the methods being used by cybercriminals to infect systems are more complex, as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.
The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.
Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware, and blocking spam email is no longer sufficient. MSIL attacks are conducted by exploiting vulnerabilities in enterprise software systems, end users are being fooled into installing ransomware through social engineering, drive-by downloads are taking place, and the file-encrypting software is also being sent via spam email.
How to Protect Against Enterprise Ransomware Attacks
The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.
Some of the best protections include:
- Ensuring all software is kept up to date and patches are installed promptly
- Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
- Backing up all systems frequently to ensure data can be restored in the event of an attack
- Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
- Disabling macros on all computers
- Using web filtering solutions to prevent drive-by downloads and block malicious websites
- Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered
Employers are enjoying the benefits of mobile devices, but IT security professionals are concerned about the security risk that comes from the use of smartphones and tablets. The more devices that are allowed to connect to company networks, the higher the risk, but are mobile device data breaches actually occurring?
There is widespread concern that the devices pose a major security risk, but little data on the extent to which mobile data breaches occur. A new survey sheds some light on just how frequently mobile devices are implicated in data breaches.
Six data security firms* sponsored a survey conducted by Crowd Research Partners which set out to shed some light on the matter. 882 IT security professionals from a wide range of industries were asked a number of questions relating to mobile security and data breaches experienced at their organizations.
More than a Fifth of Companies Have Suffered Mobile Device Data Breaches
The results show that 21% of companies have experienced a mobile device data breach at some point in the past, affecting either devices supplied by the company or devices used by employees under BYOD policies. A further 37% of respondents could not say whether a mobile device data breach had occurred, indicating that many are at risk of data theft or loss but would be unable to determine whether a breach had in fact taken place.
Malicious Wi-Fi networks continue to be a problem. 24% of respondents said that BYOD or corporate-supplied devices have connected to malicious Wi-Fi networks at some point in the past. Many companies cannot say whether this has actually happened. Almost half of respondents (48%) could not say with any degree of certainty whether their employees had connected to malicious Wi-Fi networks.
Cybercriminals are developing malware at an alarming rate and mobile devices are now being targeted by many cybercriminal gangs. While the majority of threats affect Android phones, iPhone users are also being targeted, and several new iOS malware families have been discovered in the past year.
Mobile malware is a major problem for businesses. 39% of respondents said users of their networks had, at some point, downloaded malware onto their devices, and 35% of respondents did not know whether this had happened. This suggests more than a third of companies are not monitoring the mobile devices that are allowed to connect to corporate networks.
Respondents were asked what measures they were using to protect the mobile devices they allowed to connect to their networks. Only 63% of respondents said they used password protection to keep the devices secure. 49% said they had implemented solutions that enable them to remotely wipe devices that are lost, stolen, or reach the end of their life. 43% use encryption for sensitive data and only 38% said they have policies covering data removal at employee separation or device disposal.
34% said their organization wipes data from mobile devices every time an employee leaves. 13% said this occurred more than half of the time, and 16% said it happened less than half of the time. Most alarmingly, 23% did not know whether devices were wiped and 14% said they never wipe data from employees’ devices when they leave the company.
43% reported using mobile device management (MDM), 28% used endpoint security tools such as anti-malware programs, and 27% used network access controls.
Many IT security professionals are worried about the risk posed by mobile devices and are concerned about mobile device data breaches. The survey results show there is good reason for them to be concerned. Many companies are failing to implement policies and procedures to effectively manage mobile device security risks.
*The online survey was sponsored by Bitglass, Blancco Technology Group, Check Point Technologies, Skycure, SnoopWall and Tenable Network Security. The survey was conducted on members of the LinkedIn Information Security Community.
Today is World Backup Day – a day when awareness of the need to back up data is raised around the world. It is a day when companies that are not backing up their critical data are encouraged to do so, and companies that do are encouraged to take a close look at their data backup policies and procedures to make sure that they are up to scratch.
World Backup Day 2016 is More Important Than Ever
World Backup Day may be an opportunity for companies to sell you a host of products and services associated with disaster recovery – a number of software companies offering backup services sponsor the day – but this year the day is more important than ever. This week, a large not-for-profit health system in the United States discovered just how important it is to have a fully functional backup of all critical data.
MedStar Health, a network of 10 hospitals and more than 250 outpatient facilities in the Washington D.C. area, was hit with a ransomware infection that compromised 18 computers. It could have been far worse had rapid action not been taken to shut down its network to prevent the lateral spread of the ransomware infection.
Fortunately, systems are now being restored and it appears that the reported ransom demand of $18,500 will not need to be paid. Many companies would not be in a position to decide whether or not to pay the ransom. If a viable copy of data has not been stored securely on an isolated drive, the ransom would have to be paid. Losing critical data would simply not be an option.
MedStar Health is not the only healthcare organization to have suffered a ransomware attack in recent weeks. In the United States, Methodist Hospital in Kentucky, and Chino Valley Medical Center, Desert Valley Hospital, and Hollywood Presbyterian Medical Center in California have all been attacked, as was Canada’s Ottawa Hospital. All of those attacks have occurred in the past two months.
It is not just the healthcare industry that is under attack; many companies simply prefer not to announce that they have had their systems infiltrated and data encrypted by attackers. Ransoms are quietly paid in order to obtain the keys needed to decrypt the data.
30% of Users Have Never Backed Up Their Data
Even though the loss of data could prove catastrophic for companies, many organizations are not backing up data as frequently as they should. Some do not test the backups they perform to make sure that in the event of an emergency, data can actually be recovered.
Almost a year ago to the day, the Tewksbury Police Department in Massachusetts was given no alternative but to pay a ransom to have its files unlocked. A backup of data had been recently performed, but that file was corrupted. The only non-corrupted backup file the Police Department had was more than 18 months old.
The figures on the World Backup Day website indicate 30% of users have never backed up their data, even though the loss of files would cause considerable anguish. Figures from Backblaze suggest that since 2013 (from when the World Backup Day figures were taken) things have improved and the figure now stands at 25%.
Companies Need to Review Backup Policies
For companies, a single backup of data is not sufficient protection. Multiple backup copies reduce risk: if one backup file is corrupted, it will not spell disaster. At least one copy must be stored off-site and kept offline, because backup files can be encrypted by ransomware just like any other files if the drive on which they are stored remains connected to the network.
There are many other ways that data can be accidentally deleted or lost. There may not be an option to simply pay a ransom to recover valuable data. Without a viable backup data could be lost forever. WBD figures suggest that 29% of data incidents are the result of accidents.
Performing frequent backups is a complex task given the huge volumes of data now being stored by organizations. Today is a good day to reassess policies, procedures and software, to test backups, and to make sure that when (not if) disaster strikes, valuable data will not be lost.
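As an added example, written for this page and not the tooling or policy of any organization mentioned above, the following Python script shows the two checks that would have caught the corrupted backup in the Tewksbury case: verifying each backup against a digest manifest as it is written, and running a restore drill afterwards so that the copy chosen for recovery is the newest one that actually restores. The directory layout, date labels and sample files are constructed for the demonstration.

```python
"""Backup write-verify plus restore drill (added illustrative example, not any vendor's tool).
Each backup carries a manifest of SHA-256 digests taken from the source; the copy is
verified right after writing, and a later restore drill re-verifies a fresh restore.
Recovery then picks the newest copy that still restores cleanly."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MANIFEST = "manifest.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(tree: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under tree (the manifest itself excluded)."""
    return {p.relative_to(tree).as_posix(): sha256_file(p)
            for p in sorted(tree.rglob("*")) if p.is_file() and p.name != MANIFEST}

def verify_tree(tree: Path, manifest: Dict[str, str]) -> List[str]:
    """Return problems (missing files, digest mismatches); an empty list means verified."""
    problems = []
    for rel, expected in manifest.items():
        p = tree / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"digest mismatch: {rel}")
    return problems

def create_backup(source: Path, backup_root: Path, label: str) -> Path:
    """Hash the source, copy it to backup_root/label, and verify the copy before trusting it."""
    manifest = build_manifest(source)
    dest = backup_root / label
    shutil.copytree(source, dest)
    problems = verify_tree(dest, manifest)
    if problems:
        raise RuntimeError(f"backup {label} failed write verification: {problems}")
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest

def restore_drill(backup_dir: Path) -> Tuple[bool, List[str]]:
    """Restore into a scratch directory and verify: proves the data can actually be recovered."""
    manifest_path = backup_dir / MANIFEST
    if not manifest_path.is_file():
        return False, ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    scratch = Path(tempfile.mkdtemp(prefix="restore_drill_"))
    try:
        target = scratch / "restored"
        shutil.copytree(backup_dir, target, ignore=shutil.ignore_patterns(MANIFEST))
        problems = verify_tree(target, manifest)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return not problems, problems

def newest_verified_backup(backup_root: Path) -> Optional[Path]:
    """Newest backup (labels sort chronologically) that passes a restore drill, or None."""
    for label in sorted(os.listdir(backup_root), reverse=True):
        if restore_drill(backup_root / label)[0]:
            return backup_root / label
    return None

def demo() -> Dict[str, object]:
    """Three daily backups of constructed sample data; the newest copy is silently corrupted."""
    work = Path(tempfile.mkdtemp(prefix="wbd_"))
    try:
        src, root = work / "data", work / "backups"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,10\n")        # constructed sample data
        (src / "notes" / "readme.txt").write_text("constructed sample\n")
        create_backup(src, root, "2016-03-28")
        (src / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")  # data changes between runs
        create_backup(src, root, "2016-03-29")
        create_backup(src, root, "2016-03-30")
        damaged = root / "2016-03-30" / "ledger.csv"                 # simulate a bad sector / bit flip
        data = bytearray(damaged.read_bytes())
        data[0] ^= 0xFF
        damaged.write_bytes(bytes(data))
        drills = {label: restore_drill(root / label)[0] for label in sorted(os.listdir(root))}
        chosen = newest_verified_backup(root)
        return {"drills": drills, "chosen": chosen.name if chosen else None}
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

Running the demo reports the newest copy as failing its drill and selects the previous day's backup, which is the decision the text argues for: keep several copies and know, before the incident, which of them restore. In a real deployment the drill would restore from the off-site or offline copy, and the manifest would be stored separately from the backup media so that an attacker who can encrypt the backup cannot also rewrite the record of what it should contain.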
AceDeceiver iPhone malware can attack any iPhone, not just those that have been jailbroken. The new iOS malware has recently been identified by Palo Alto Networks, and a warning has been issued that the new method of attack is likely to be copied and used to deliver other malware.
Malware Exploits Apple DRM Vulnerability
Many iPhone users jailbreak their phones to allow them to install unofficial apps, yet doing so can leave phones open to malware infections. One of the best malware protections for iPhones is not to tamper with them: most iPhone malware is only capable of attacking jailbroken phones. However, AceDeceiver is different.
The new malware exploits a vulnerability in Apple’s Digital Rights Management (DRM) mechanism allowing it to bypass iPhone security protections. AceDeceiver iPhone malware is capable of fooling FairPlay into thinking it is a legitimate app that has been purchased by the user.
Users that have installed a software tool called Aisi Helper to manage their iPhones are most at risk of infecting their phones. While Aisi Helper can be used to manage iPhones and perform tasks such as cleaning devices and performing backups, it can also be used to jailbreak phones to allow users to install pirated software. To date more than 15 million iPhone owners have installed Aisi Helper and face a high risk of an AceDeceiver malware attack.
The software tool has been around since 2013 and is mainly used as a method of distributing pirated apps. While the software has been known to be used for piracy, this is the first reported case of it being used to spread malware. Palo Alto Networks reports that some 6.6 million individuals are using the software tool on a regular basis, many of whom live in China. This is where most of the AceDeceiver iPhone malware attacks have taken place to date.
The software tool can be used to install AceDeceiver onto iPhones without users’ knowledge. The malware connects the user to an app store that is controlled by the attackers. Users must enter their Apple ID and password, and the login credentials are then sent to the attackers’ server. While Palo Alto Networks has discovered that IDs and passwords are being stolen, it has not been able to determine why the attackers are collecting the data.
AceDeceiver Malware Attacks Non-Jailbroken iPhones
Protecting against AceDeceiver iPhone malware would appear to be simple: don’t install Aisi Helper. However, that is only one delivery method for AceDeceiver iPhone malware. In the past 7 months three different AceDeceiver malware variants have been uploaded to the official Apple App Store. The three wallpaper apps initially got past Apple’s code reviews, allowing them to be made available on the App Store, and they also passed subsequent code reviews.
Once Apple was made aware of the malicious apps, the company removed them from the App Store. However, that is not sufficient to prevent users’ devices from being infected. According to Palo Alto’s Claud Xiao, an attack is still possible even though the apps have been removed from the App Store. Apparently, all that is required is for the malicious apps to gain authorization from Apple once; they do not need to be available for download in order to be used for man-in-the-middle attacks. The vulnerability has not been patched yet, but Palo Alto has warned that even patching the problem will still leave users of older iPhones open to attack.
AceDeceiver iPhone Malware Attack Method Likely to be Copied
Xiao warned that this new method of malware delivery is particularly worrying because “it doesn’t require an enterprise certificate. Hence, this kind of malware is not under MDM solutions’ control, and its execution doesn’t need the user’s confirmation of trusting anymore.” Palo Alto believes the attack technique is likely to be copied and used to spread new malware to iPhone users.
A new USB-based malware has recently been discovered that poses a serious security risk to enterprises. While USB-based malware is not new, the discovery of Win32/PSW.Stealer.NAI – also known as USB Thief – has caused particular concern.
New USB-Based Malware Leaves No Trace of Infection or Data Theft
The malware is only transmitted via USB drives and leaves no trace of an attack on a compromised computer. Consequently, it is incredibly difficult to detect. The malware is capable of stealing and transmitting data, yet users will be unaware that their data is being stolen.
The new USB-based malware was recently discovered by security firm ESET. The discovery stands out because the USB-based malware is quite different to other malware commonly used by cybercriminals to steal data.
For a start, the malware has been designed not to be copied and can only be spread via USB devices. The malware derives its key from the USB drive’s device ID and is bound to the specific portable drive on which it has been installed. If the malware is copied to another drive it will not run, because it uses file names that are specific to each copy of the malware. This means the malware cannot spread and infect systems other than those it is being used to attack.
The malware also uses multi-staged encryption that is also bound to the USB drive, which ESET says makes it exceptionally difficult to detect and analyze.
Malware Capable of Attacking Air-Gapped Computers
Many organizations make sure sensitive data is not exposed by not connecting computers to the Internet. However, while air-gaps are an effective protection against most malware attacks, they do not protect against USB-based malware. USB Thief can be used to steal data from air-gapped computers and once the infected USB drive has been disconnected there will be no trace left that any data have been stolen.
It has been hypothesized that the malware has been created to be used in targeted attacks on specific companies in order to steal proprietary enterprise data. ESET has warned that while the USB-based malware is being used only as a data stealer, attackers could tweak the malware to deploy any other malicious payload. This means that the malware could be used to sabotage systems.
ESET reports that the USB-based malware has been used to target companies in Africa and Latin America and warned that detection rates are particularly low. No information has been released to indicate which industries are being targeted with the malware at this point in time.
USB-based malware has previously been used in state-sponsored attacks on organizations. Stuxnet was also used to attack air-gapped systems, predominantly in the Middle East. However, Stuxnet inflicted collateral damage as it was capable of self-replicating. It was therefore rapidly picked up and analyzed, and action was rapidly taken to block infections.
In this case, the USB-based malware cannot be copied, so it is unlikely to spread outside of a targeted system and is likely to remain incredibly difficult to detect. USB Thief appears to have been extensively tested. Since there is a possibility that it can be identified by G Data and Kaspersky Lab anti-virus solutions, USB Thief performs a quick check to see if those anti-virus solutions are installed. If they are, the malware will not run.
Preventing USB-Based Malware Attacks
Disabling autorun for USB drives will have no effect on USB Thief. The USB-based malware does not rely on being automatically run when plugged into a computer. Instead it is inserted into the files of portable applications often stored on USB drives, such as Firefox, TrueCrypt, and NotePad++. When these applications are run, USB Thief will run in the background.
It is possible to take precautions to prevent an attack by disabling USB ports. Even though there is a high risk of infection from an unknown USB drive, many individuals that find USB drives plug them straight into their computers. Staff should therefore be instructed never to plug in a USB drive from an unknown source.
System administrators that do not block malicious Word macros in Office 2016 could be making it far too easy for hackers to compromise their networks. Malicious Word macros are nothing new, but in recent months they have increasingly been used to deliver ransomware and other nasty malware.
Macros Used in 98% of Office-related Enterprise Malware Attacks
It is common knowledge that executable files are used to deliver malware. Many companies implement a web filter to prevent the downloading of executable files by end users, and spam filters are often configured to prevent attached .exe files from being delivered.
Screensaver files (.SCR) are also commonly used to deliver malware and these too are often blocked by security solutions. Blocking other file types commonly used by attackers, such as batch files (.bat) and compressed files (.zip) can also help to reduce the risk of a malware infection. For the majority of enterprise end users, these files can be blocked without affecting workflows.
However, it is not practical to prevent Word documents and other Office files from being emailed or shared. These file types are used by most workers on a day-to-day basis. They are also being extensively used to deliver malware. According to figures released by Microsoft, Office document macros are used in 98% of Office-related attacks on enterprises.
Fail to Block Malicious Word Macros in Office 2016 at your Peril!
There have been a number of recent cases of ransomware being installed after enabling Word macros. Hackers can add malicious scripts to Word macros and install malware without rousing too much suspicion. Word documents are often trusted not to be malicious by many end users.
After a rise in the use of macros to deliver computer viruses, Microsoft made a change to automatically disable macros in Word by default. Opening a Word document therefore required users to manually enable macros before they could be run.
The use of macro viruses went into rapid decline after this security measure was introduced because macros ceased to be a particularly effective method of malware delivery. That was about a decade ago.
However, recently there has been a surge in the use of embedded VBA scripts to deliver malware. Even when system administrators block malicious Word macros in Office 2016 it does not prevent infection. End users are enabling macros in order to open Word documents after being convinced to do so by attackers.
Enterprise end users are sent spam emails containing infected Word documents and are fooled into enabling macros in order to view the documents. When end users open the infected files they are presented with a warning message saying the content of the document cannot be viewed without first enabling macros. The end user does just that, and the malicious VBA script is run. That script then opens a connection to the hackers’ C&C server and malware is downloaded to the user’s device.
IT departments can conduct training and tell end users never to enable macros, but sooner or later one individual will ignore that advice and inadvertently install malware. Many businesses use macros in their Office files, so blocking them from running is simply not an option. So how can businesses block malicious Word macros in Office 2016 without having to stop using macros in documents altogether? Fortunately, Microsoft has come up with a cunning solution.
Microsoft Makes It Easier to Block Malicious Word Macros
Microsoft has responded to the wave of malicious macro attacks by developing a better solution than the one introduced more than a decade ago. A new setting has been added to make it possible to block malicious Word macros in Office 2016 while still being able to use genuine macros. The good news for system administrators is the settings cannot be bypassed by end users who think they know better than their IT department.
System administrators can now apply a group setting that will block macros in Office files that have been obtained from the Internet zone. Microsoft’s definition of the Internet zone includes documents attached to emails that have been sent from outside an organization, as well as documents obtained from cloud storage providers such as Google Drive and Dropbox and from file sharing websites.
Opening and attempting to run macros from these sources will result in a warning being presented to the user saying their system administrator has blocked macros for security reasons. They will not be given the option of bypassing those settings and running the macros. The new setting can be found in the Microsoft Trust Center in the security settings of Word.
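What “obtained from the Internet zone” means in practice, as an added example (not code from the page or from Microsoft): Windows records a downloaded file’s origin zone in a Zone.Identifier alternate data stream (the “Mark of the Web”), and the Office 2016 policy acts on that mark. The script parses a constructed Zone.Identifier stream, decides whether the policy would block a given Word file, and, on Windows only, reads the policy from the registry; the registry path and value name are the ones Microsoft documents for this Group Policy setting, the function names are mine, and treating Restricted Sites like the Internet zone is an assumption.

```python
"""
Added example: how Office 2016's "block macros from the Internet" policy
decides which files it applies to.  Windows tags files that arrive from the
Internet zone with a Zone.Identifier alternate data stream (the "Mark of the
Web"); the policy blocks VBA in Office files that carry that mark.
The sample streams below are constructed, not captured from a real host.
"""
from __future__ import annotations

import os
from typing import Optional

# URLZONE values recorded in the ZoneId field of a Zone.Identifier stream.
ZONE_LOCAL_MACHINE = 0
ZONE_LOCAL_INTRANET = 1
ZONE_TRUSTED_SITES = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED_SITES = 4

# Word file types that can carry VBA macros.
WORD_MACRO_EXTENSIONS = {".doc", ".dot", ".docm", ".dotm"}

# Group Policy value Microsoft documents for the Word setting (HKCU hive).
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\Word\Security"
POLICY_VALUE = "blockcontentexecutionfrominternet"


def parse_zone_identifier(stream_text: str) -> dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into a key/value dict."""
    values: dict[str, str] = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(stream_text: Optional[str]) -> Optional[int]:
    """ZoneId from the stream, or None when the file carries no (valid) mark."""
    if stream_text is None:
        return None
    try:
        return int(parse_zone_identifier(stream_text)["ZoneId"])
    except (KeyError, ValueError):
        return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the real Zone.Identifier stream of a file (Windows NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, or not an NTFS volume / Windows host


def macros_blocked_by_policy(filename: str, stream_text: Optional[str],
                             policy_enabled: bool) -> bool:
    """
    True when the policy would refuse to run macros: the policy is on, the file
    type can carry VBA, and the mark says Internet (Restricted Sites is assumed
    here to be treated at least as strictly as Internet).
    """
    if not policy_enabled:
        return False
    if os.path.splitext(filename)[1].lower() not in WORD_MACRO_EXTENSIONS:
        return False
    return zone_id(stream_text) in (ZONE_INTERNET, ZONE_RESTRICTED_SITES)


def word_policy_enabled() -> Optional[bool]:
    """Read the policy from the registry on Windows; None elsewhere or if unset."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
        return value == 1
    except OSError:
        return None


# Constructed sample: what a browser or mail client writes for a download.
SAMPLE_INTERNET_MARK = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachments/invoice.docm\r\n"
)
SAMPLE_INTRANET_MARK = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for name, mark in [("invoice.docm", SAMPLE_INTERNET_MARK),
                       ("report.docm", SAMPLE_INTRANET_MARK),
                       ("local.docm", None)]:
        print(name, "blocked" if macros_blocked_by_policy(name, mark, True) else "allowed")
```

Run on a Windows host, `word_policy_enabled()` reports whether the Group Policy setting is present for the current user, and `read_zone_identifier(path)` returns the real stream for a saved attachment.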
Palo Alto Networks has discovered a new spam email campaign that is being used to spread fileless malware via malicious Microsoft Word macros sent as email attachments.
What is Fileless Malware?
Fileless malware, or memory-resident malware, is most commonly associated with drive-by malware attacks via malicious websites. The malware resides in the RAM and is never installed on the hard drive of an infected machine, which means it is difficult to detect because anti-virus software does not check the memory.
Memory-resident malware has not been favored by attackers until recently, as infections do not survive a reboot. However, some fileless malware such as Poweliks uses the registry to ensure persistence. Memory-resident malware is often used to spy on computer activity and record keystrokes.
PowerSniff Fileless Malware Rated as High Threat
The spam email campaign discovered by Palo Alto uses Microsoft Word macros to install the malware. When infected Word documents are opened, malicious macros execute PowerShell scripts and fileless malware is injected into memory. In the latest case, the malware bears some resemblance to Ursnif malware. Palo Alto calls the latest variant PowerSniff.
To date, over 1500 spam emails have been observed by Palo Alto. The emails are not sent out as mass spam campaigns but appear to be targeted and include data highly specific to the target. The emails contain the user’s first name, for instance, along with an address or telephone number to make the target believe the email is genuine.
The subject lines and file names used in the emails differ from individual to individual. All of the emails contain an infected Word file along with some pressing reason for the individual to open the document. This can include invoices that urgently need to be paid, details of payments that have not gone through, gift vouchers that need to be claimed, or reservations that must be confirmed.
The attacks are primarily being conducted on targets in the United States and Europe. The targets are mostly in the professional, hospitality, manufacturing, wholesale, energy, and high tech industry sectors.
The malware is capable of checking if it is in a sandbox or virtualized environment, and performs reconnaissance on the victim host. According to Palo Alto researchers, the malware is sniffing out machines that are used for financial transactions, searching for strings such as POS, SALE, SHOP, and STORE. The malware actively avoids machines that are used in the healthcare and education sectors, searching for strings such as nurse, health, hospital, school, student, teacher, and schoolboard and marking these as being of no interest.
Palo Alto has rated the malware a high threat, with activity widespread in the past week. To protect against this type of attack, and others using malicious Word macros, it is essential that macros are automatically disabled in Microsoft Word. Users should deny any request to run macros if they accidentally open an email attachment.
Security firms are reporting that some of the United States ransomware attacks conducted over the past few months have demonstrated a level of sophistication that suggest they are the work of hacking groups previously backed by the Chinese government.
Ransomware attacks have previously been associated with low level cybercriminals who use spam email to send millions of messages out to random targets in the hope that some individuals will install the malicious file-locking software. In many cases, ransomware-as-a-service is being offered to cybercriminals via darknet marketplaces. Cybercriminals therefore do not need to have an extensive knowledge of hacking, and do not need to be highly skilled at conducting intrusions. However, due to the fact that ransomware can be incredibly lucrative, attacks are now being conducted by a wide range of individuals, including skilled hackers.
United States Ransomware Attacks Appear to Have Been Conducted by Former Chinese Government-Backed Hacking Groups
In some cases, the tactics used in the attacks bear the hallmarks of hacking groups known to have previously been involved in state-sponsored attacks on U.S. companies. The ransomware may not have been developed by foreign-government-backed hackers, but the methods and software used to gain entry to company networks and move around certainly appear to be.
Security firms Dell SecureWorks, InGuardians, G-C Partners, and Attack Research have all been called upon to investigate United States ransomware attacks recently. The Dell team has investigated three highly sophisticated attacks, and the other companies have similarly been called upon to investigate security breaches involving ransomware.
All of the companies have come to the conclusion that these attacks were not the work of run-of-the-mill cybercriminals, and believe a well-known Chinese hacking group was behind the attacks. In one case, an attack on a U.S. company resulted in over 100 computers being locked with the file-encrypting software. Another attack involved 30 computers being locked. Similar large-scale ransomware attacks have also been investigated by the security firms. These attacks, like many conducted on large U.S. companies, have not previously been reported.
APT Tactics Used in Ransomware Attacks
Some of the attacks took advantage of security vulnerabilities in application servers; others used login credentials that were obtained in past Advanced Persistent Threat (APT) attacks on U.S. companies. Rather than APT methods being used for espionage, the same methods appear to be used to gain access to networks in order to install ransomware.
None of the security firms are able to say with 100% certainty that the attacks were conducted by Chinese hacking groups, although it does appear to be the most logical answer. One theory put forward is that with China now pulling out of cyber-espionage after last year’s agreement with the U.S. government, many Chinese hackers who were previously funded by the government are now out of work or are looking for additional income. Since the potential payoff from ransomware attacks is so high, they are now performing attacks on their own.
In some cases, where U.S companies have been compromised by government-sponsored attacks, it has been hypothesized that the hackers are cashing in as they pull out.
Even if Chinese hacking groups are not involved, it is clear that there is considerable money to be made by performing these attacks. Cybercriminal gangs who have previously targeted credit card numbers may now be switching to ransomware due to big potential payoffs.
Since most companies do not declare that they have suffered an attack and paid a ransom, it is difficult to tell exactly how bad the current situation is. But until ransomware ceases to be profitable, United States ransomware attacks are likely to continue.
Websites are being registered on Oman’s top-level domain by typosquatters looking to capitalize on mistakes made by Mac users and push Genieo adware. The .om domain is intended to catch out Mac users who type quickly and miss out the c when typing .com website addresses.
Typosquatting is the registration of domain names with transposed or missing letters in an attempt to cash in on traffic intended for other websites. Goole.com is a good example: the site has been registered and uses an Ask Jeeves search bar to provide search engine functions to bad typists. The website has been reported to attract 1000 visitors a day, the vast majority of whom have mistyped google.com.
However, in the case of the .om domain the typosquatters have sinister motives. The sites are being used to deliver malware and adware, with the typosquatters appearing to be targeting devices running OS X.
The sites detect the operating system on the device and redirect Windows users to websites where they are bombarded with popup adverts. Mac users are targeted with a fake Adobe Flash update. Downloading the update will install Genieo adware. Genieo adware installs itself as a browser extension on Firefox, Opera, and Chrome and is used to serve ads.
The spate of domain registrations was noticed by security researchers at Endgame, who discovered that over 330 domains had been registered with Oman’s Telecom Regulatory Authority in the past few weeks.
As is common with malicious typosquatters, they have chosen the names of well-known websites that receive large volumes of traffic. Endgame reports that .om sites have been registered for Gmail, Macys, Citibank, and Dell in the past few weeks, along with a host of other well-known brands. The sites appear to have been registered by a number of different typosquatting groups, not just one individual. However, a large percentage were found to have been registered by individuals in New Jersey.
A number of different hosting companies have been used, although the site installations are all very similar. Endgame discovered that many of the sites contain vulnerabilities that could allow other parties to hijack the sites. At the present time, it would appear that the typosquatters are only intent on pushing Genieo adware and promoting ad networks, although that may not remain the case. With the high number of security vulnerabilities that exist on the sites, they could all too easily be hijacked by other individuals and used to deliver malware and ransomware to unsuspecting visitors.
Two new studies indicate the mobile malware threat is increasing at an unprecedented rate. Any enterprise that allows smartphones to connect to its network, such as those operating a BYOD policy, faces an increased risk of a cyberattack via those devices.
G DATA Report Warns of Rapidly Increasing Mobile Malware Threat
According to the recent G DATA survey, the mobile malware threat has increased substantially over the course of the past 12 months and shows no sign of abating. The number of new malware variants discovered in 2015 is 50% higher than in 2014. In 2015, 2.3 million malware samples targeting Android devices were collected, with a new variant being identified, on average, every 11 seconds. In the final quarter of the year, an alarming 758,133 new malware samples were collected, which represents an increase of 32% from the third quarter.
The main risk is older devices operating outdated versions of Android, although G DATA reports that hackers are developing exploits for security vulnerabilities far faster than in past years. Unless Android operating systems are kept totally up to date, vulnerabilities will exist that can be exploited. Unfortunately, phone manufacturers often delay rolling out operating system updates leaving all devices prone to attack.
Mobile Malware Infections Increasing According to Nokia Threat Intelligence Lab
Earlier this month, a report issued by the Nokia Threat Intelligence Lab suggested that 60% of malware operating in the mobile space targets Android smartphones. While iOS malware was a rarity, that has now changed. Nokia reports that for the first time ever, iOS malware has made the top 20 malware list, which now includes the iOS XcodeGhost and FlexiSpy malware. These two account for 6% of global smartphone infections.
Mobile ransomware is also increasing. In 2015, several new mobile ransomware variants were identified. Ransomware is used to lock devices with file-encrypting software. Users are only able to recover their files if a ransom is paid to the attackers. With an increasing number of individuals using their smartphones to store irreplaceable data, and many users not backing up those files, individuals are often given no choice but to pay attackers for a security key to unlock their data.
Nokia reports that the malware now being identified has increased in sophistication and has been written by hackers that know the Android system inside out. Malware is getting harder to detect, and once identified it can be extremely difficult to remove. Nokia reports that many malware variants are highly persistent and can even survive a factory reset.
How to Mitigate Mobile Malware Risk
With the mobile malware threat increasing, organizations must implement new security measures to keep devices secure and protect their networks. Anti-virus and anti-malware solutions should be installed on all devices allowed to connect to business networks to reduce the risk of a malware infection.
Many mobile devices are used for work purposes such as accessing business email accounts. Android malware infections could all too easily result in business data being compromised, while keyloggers could give attackers access to business networks.
Enterprises may not yet be greatly concerned about the rising mobile malware threat, but they should be. With the growing sophistication of today’s mobile malware, a business network compromise is a very real threat.
Enterprises that permit the use of mobile devices for work purposes should limit the actions that can be performed on Wi-Fi networks by implementing a web filtering solution. They should ensure that all BYOD policies stipulate a minimum Android version that can be used, and all devices should be kept up to date with app updates installed promptly. Enterprises should also monitor for jailbroken or rooted devices, and prevent them from being used for work purposes or from connecting to business Wi-Fi networks.
A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S. critical infrastructure community.
Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads to a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers, who will not release the decryption keys until the ransom is paid. Without those keys data will remain locked forever. Businesses are often given no alternative but to give in to the attackers’ demands.
Rampant Ransomware Prompts ICIT to Issue Warning
The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.
According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable, far more than the ransom demand in many cases.
Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They are able to cover their tracks effectively and they take payment in Bitcoin or use other online payment methods that give them a degree of anonymity. Often attacks are conducted across international borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.
Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.
Ransomware Mitigation Policies are Essential
Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.
The report suggests four key areas that can help with ransomware mitigation.
- Forming a dedicated information security team
- Conducting staff training
- Implementing layered defenses
- Developing policies and procedures to mitigate risk
An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.
Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain; in many cases it is easier to get an employee to install ransomware than to attempt a hack. According to the report, this is one of the most important ransomware mitigation steps to take.
Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.
With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must know to whom they can report suspicious emails and network activity, and those individuals must know how to act on and deal with threats.
It was only a matter of time before fully functional Mac ransomware was developed. Researchers at Palo Alto Networks have discovered that time has now come, after its Unit 42 team found KeRanger, the first fully functional Mac ransomware to be discovered in the wild. The ransomware was spread via the Transmission file-sharing app.
Fortunately, action has been taken to contain the malicious software before it could be fully exploited; however, this signals a turning point for Apple users. Their devices are no longer safe from ransomware attacks.
Mac Ransomware is No Longer Theoretical
While a Mac ransomware called FileCoder was discovered by Kaspersky Lab in 2014, the malicious software was incomplete and could not be used to infect Apple devices. The discovery of KeRanger shows that Apple users are no longer immune to attack.
Apple has added the signature for the malicious software to its XProtect OS X anti-malware definitions. However, any Apple customer that downloaded the BitTorrent client Transmission (v2.9) over the weekend (between 11:00 PST on March 4 and 19:00 PST on March 5, 2016) could well have downloaded KeRanger, along with any customer who downloaded the file sharing app prior to March 4.
The Mac ransomware bypassed Gatekeeper controls by using a genuine security certificate. The certificate was issued to Polisan Boya Sanayi ve Ticaret A.Ş., of Istanbul and is believed to have been stolen.
The ransomware was included in the Transmission installation files as “General.rtf.” The rich text file looks innocuous enough, but General.rtf is not a document file as the extension suggests; instead, it is a Mach-O executable file. The file is copied to ~/Library/kernel_service and is run before the user sees an interface.
Once the ransomware has been activated, it searches the system on which it is installed and will encrypt around 300 different file types, including images, documents, multimedia files, emails, databases, certificates, archives, and source code. The Mac ransomware uses AES encryption to lock any files it finds and is capable of encrypting files saved on connected networks and external drives.
In many cases, ransomware infections cannot be removed and the user is forced to pay a ransom to obtain a security key. However, locked files can potentially be restored from backups. Unfortunately for users infected with KeRanger, the Time Machine system files are also encrypted preventing backup files from being restored.
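A defender-side check for the two indicators described above, as an added example rather than Palo Alto’s or Apple’s code: it tells a genuine RTF from a Mach-O executable by its leading bytes, and looks for the ~/Library/kernel_service file the ransomware is copied to. The location of General.rtf inside a Transmission install is passed in by the caller rather than assumed, the function names are mine, and the sample files are constructed in a temporary directory so the check runs on any OS.

```python
"""
Added example: spot a file that claims to be RTF but is really a Mach-O
executable (KeRanger's General.rtf), and look for the ~/Library/kernel_service
file the ransomware is copied to.  The infected layout scanned by
build_sample_and_scan() is constructed, not a real Transmission install.
"""
from __future__ import annotations

import struct
import tempfile
from pathlib import Path

# Mach-O magic numbers (thin 32/64-bit and fat binaries) in both byte orders,
# as seen when the first four bytes are read big-endian.  0xCAFEBABE is also
# the Java class-file magic, but for a file named *.rtf it is a mismatch
# either way.
MACHO_MAGICS = {
    0xFEEDFACE, 0xCEFAEDFE,  # MH_MAGIC / MH_CIGAM (32-bit)
    0xFEEDFACF, 0xCFFAEDFE,  # MH_MAGIC_64 / MH_CIGAM_64
    0xCAFEBABE, 0xBEBAFECA,  # FAT_MAGIC / FAT_CIGAM
}


def classify_header(data: bytes) -> str:
    """Return 'rtf', 'mach-o' or 'unknown' from the first bytes of a file."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def masquerading_executable(path: Path) -> bool:
    """True if a .rtf-named file actually starts with a Mach-O header."""
    if path.suffix.lower() != ".rtf" or not path.is_file():
        return False
    with path.open("rb") as fh:
        return classify_header(fh.read(8)) == "mach-o"


def find_keranger_indicators(home: Path, rtf_candidates: list[Path]) -> list[str]:
    """
    Collect the indicators the text describes: the dropped kernel_service file
    under ~/Library, and any General.rtf that is really an executable.
    """
    findings: list[str] = []
    dropped = home / "Library" / "kernel_service"
    if dropped.exists():
        findings.append(f"dropped file present: {dropped}")
    for candidate in rtf_candidates:
        if candidate.name == "General.rtf" and masquerading_executable(candidate):
            findings.append(f"Mach-O executable disguised as RTF: {candidate}")
    return findings


def build_sample_and_scan() -> list[str]:
    """Create a constructed infected layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        (home / "Library").mkdir(parents=True)
        # Constructed stand-in for the dropped binary (MH_CIGAM_64 header).
        (home / "Library" / "kernel_service").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
        resources = Path(tmp) / "Transmission.app" / "Resources"  # assumed location
        resources.mkdir(parents=True)
        fake_rtf = resources / "General.rtf"
        fake_rtf.write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # executable, not RTF
        real_rtf = resources / "Readme.rtf"
        real_rtf.write_bytes(b"{\\rtf1\\ansi Hello}")  # genuine RTF, ignored
        return find_keranger_indicators(home, [fake_rtf, real_rtf])


if __name__ == "__main__":
    for finding in build_sample_and_scan():
        print(finding)
```

On a real Mac, call `find_keranger_indicators(Path.home(), [...])` with the path of General.rtf inside the Transmission bundle; a clean system returns an empty list.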
The Threat Has Been Neutralized Although Action Must Be Taken by Transmission Users
The new Mac ransomware has been neutralized by the revoking of the digital certificate that enabled the software to install on OS X, while the developers of the Transmission app have removed the infected version from the transmissionbt.com website.
According to Claud Xiao of Palo Alto Networks, if KeRanger has been installed, users will still be at risk of having their files encrypted. The latest version of Transmission will remove the ransomware if it has been installed on users’ Macs.
Any customer who has installed version 2.9 should download the updated version of the file sharing software as soon as possible to prevent their device from being locked by the file-encrypting malware.
Users only have a limited timeframe for doing this. The Mac ransomware stays hidden and quiet for 3 days following infection. After that it connects to its C&C server and starts encrypting files on the infected device and connected drives. A ransom of 1 Bitcoin (around $400) is then demanded by the attackers. Only if the ransom is paid will the security key be sent to unlock the encryption. Failure to pay will see files locked forever. Transmission users must ensure they have installed version 2.92 and need to reboot their device after installation.
Protecting Devices from Attack Using WebTitan Web Filtering Solutions
WebTitan Cloud can help enterprises keep their devices free from malware and ransomware by blocking the downloading of file types known to be used by hackers to install malicious software. It is also possible to prevent KeRanger installations by blocking access to file sharing websites. By limiting the actions that can be taken by users and the sites that can be visited, the risk of networks being compromised or infected with malware can be greatly reduced.
WebTitan Cloud and WebTitan Gateway web filtering solutions can reduce reliance on staff training to teach end users how to identify malware, phishing emails, and malicious websites. Blocking risky online behavior can significantly reduce the risk of malware and ransomware infections.
Phishing scams have increased significantly in the past few weeks as cybercriminals step up their campaigns during tax season, with many using a technique referred to as business email compromise to fool victims into sending employee W-2 form data to the attackers.
Beware of Business Email Compromise Campaigns During Tax Season
Some organizations have thwarted attacks, but many have fallen for the phishing scams and have emailed highly sensitive employee data to the criminals behind the campaigns. Business email compromise is used in spear phishing campaigns: Highly targeted and highly convincing attacks on small numbers of employees within an organization.
Most phishing campaigns are random. Emails are sent out by the million in the hope that some individuals will fall for the scams. The email campaigns are not particularly convincing and rely on greed or naiveté in many cases to attract a click or the disclosure of sensitive data.
Business email compromise campaigns, on the other hand, are much more convincing. They tend to involve very carefully constructed emails with good grammar and none of the spelling mistakes common in most spam, and they are handwritten and sent to a very select number of individuals within an organization, or to just one person. They are often personal, referring to the target by their first name. They also use business email addresses for the attack. An email sent from within the company, or seemingly from within the company, is much more likely to be trusted.
Corporate images are often used, email signatures copied, and the email address of the sender is spoofed. Victims are researched, as are the companies. The key to the success of these campaigns is their realism. The aim is to get an employee to take a specific action without thinking that the request is anything other than genuine. If the scam is successful, the victim may never know that they have been duped.
The email requests, at first glance at least, appear to be genuine. They are sent from a senior executive or the CEO of the company. When they are sent from an authority figure from within the company the request is less likely to be questioned.
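The hallmarks listed above (a senior executive's display name, a spoofed or lookalike sender domain, replies diverted elsewhere, and urgent wording about payments or payroll data) can be checked mechanically before a message reaches the accounts team. The following is an added example, not code from the original post or from any mail-filtering product: a scoring function that parses a raw message with Python's standard `email` library and returns the reasons it looks like a BEC attempt. The company domain, the executive list and the two sample messages are constructed for the example.

```python
"""Score an inbound message for the BEC hallmarks described above.

Added example (not from the original post or any vendor). The internal
domain, executive names and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                      # assumed company domain
EXECUTIVES = {"pat example": "ceo", "sam example": "cfo"}  # constructed display names
URGENT_PATTERNS = re.compile(
    r"\b(urgent|immediately|today|wire transfer|w-?2|confidential)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (example-corp.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    return domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2


def score_message(raw):
    """Return a list of reasons the message resembles a BEC attempt (empty = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else domain

    reasons = []
    if name.strip().lower() in EXECUTIVES and domain != INTERNAL_DOMAIN:
        reasons.append("executive display name on an external sender")
    if lookalike(domain):
        reasons.append("lookalike sender domain: " + domain)
    if reply_domain != domain:
        reasons.append("Reply-To diverts replies to " + reply_domain)

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    words = {m.lower() for m in URGENT_PATTERNS.findall(msg.get("Subject", "") + " " + body)}
    # Urgent payment/W-2 wording only counts when the sender is not verifiably internal.
    if words and (reasons or domain != INTERNAL_DOMAIN):
        reasons.append("urgent financial/W-2 wording: " + ", ".join(sorted(words)))
    return reasons


# Constructed sample messages.
BEC_SAMPLE = """From: Pat Example <pat.example@example-corp.co>
Reply-To: pat.ceo@mail-relay.example
To: accounts@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Hi, I need you to process a confidential wire transfer today. Send the W2 data as well.
"""

BENIGN_SAMPLE = """From: Alice Smith <alice.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch menu
Content-Type: text/plain; charset=utf-8

The canteen menu for next week is attached.
"""

if __name__ == "__main__":
    for label, raw in (("bec", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(raw))
```

In production the sender-domain check would be backed by SPF/DKIM/DMARC results rather than the From header alone, and a hit should route the message for out-of-band verification rather than silently dropping it.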
In the past few weeks a number of companies have received business email compromise phishing emails and have sent attackers a list of employee W-2 form data, including Social Security numbers, dates of birth, names, and details of employee earnings for the year. These data can be used by the criminals to file false tax returns in the names of company employees.
W-2 Phishing Scams Target Californian Companies
Magnolia Health Corporation recently announced one of its employees had fallen for a business email compromise scam and had sent a full list of employees to the attacker. The mistake was discovered, although not for a week. The attack took place on February 3, 2016.
Also on February 3, Californian company BrightView received a phishing email requesting employee data and sent the information, as requested, to the email scammers. BrightView discovered the mistake the following day.
Polycom, a content collaboration and communication technology company also based in California, was attacked in the same manner on February 5, and also fell for the business email compromise scam. California-based Snapchat was similarly fooled by the business email compromise scam and emailed the data of 700 employees to the attackers. Mercy Housing Inc. and Central Concrete Supply Co. also suffered similar attacks recently.
The attacks have not been limited to California. Alaskan telecommunications company GCI also fell victim to a similar attack, which resulted in the data of 2,500 employees being sent to a scammer.
BEC scams are convincing and employees need to be particularly vigilant especially at this time of year. To reduce the risk of a BEC attack being successful, it is important that staff receive training on how to identify a business email compromise scam. Policies should also be introduced to make it harder for employees to fall for the scams, such as requiring all data requests to be verified by two employees, one of whom should be within the Information Security team.
Until tax season draws to a close we are likely to see even more companies fall for these scams.
The Marcher Trojan was first discovered in the wild around three years ago; however, malware does not remain the same for very long, so it is no surprise to see yet another Marcher Trojan variant appear. This time the method of attack differs substantially from previous incarnations of this money-stealing malware.
Marcher Trojan Delivered Using Fake Adobe Flash Update
This time, attackers are targeting users of online pornography and are attempting to trick them into installing the Marcher Trojan on their Android phones by disguising the malware as an Adobe Flash installer package. Adobe Flash may be on its last legs, but a considerable number of porn websites host Flash videos. Users of pornographic websites therefore need Adobe Flash in order to view adult videos.
The attackers are targeting users of pornographic websites by sending links to new porn sites via SMS messages and spam email. Clicking the links contained in those messages will direct the user to a malicious website where they are asked to download an update to Adobe Flash.
Adobe Flash updates are frequently released due to the high number of zero-day vulnerabilities discovered in the software. Users are therefore likely to think there is nothing untoward about the update. The attackers have named it AdobeFlashPlayer.apk to make the download appear genuine.
After downloading the update, the user is required to change settings on the phone to allow apps from unknown sources to be installed. They are then asked to give the fake Adobe Flash update administrator privileges. Once installed, the owner of the device will be unaware that they have just compromised their Android phone.
The malware will then start communicating with the attackers’ C&C server and will send a list of the apps installed on the device to the attackers. That information is then used to display the appropriate fake login screens for apps installed on the device. Those login screens record bank and credit card details and send them to the attackers.
Another method of attack used by the malware is to send a MMS message to the user asking them to download the X-Video porn app from the Google Play store. The X-Video app is not malicious and can be installed for free; however, after installing the app the user receives a fake prompt asking them to update their Google Play credit card information.
The Marcher Trojan can also prevent users from visiting the real Google Play store without first entering their payment card details into the fake Google Play payment screen.
Fortunately, the malware is easy to remove. The app can be deactivated and then uninstalled. But the user would need to know they have been infected in order to do that.
Blocking Adult Content to Protect WiFi Network Users
Any business that allows employees to access a WiFi network can improve network security by blocking access to adult websites. Preventing WiFi network users from accessing adult sites and other websites commonly used to deliver malware can greatly improve security posture.
The Marcher Trojan is being used to steal money from Android users, although the malware has been used to deliver at least 50 different payloads. Other Trojan downloaders deliver ransomware and other nasty malware. Once on a network the malicious software can cause a considerable amount of damage.
WebTitan can be used to prevent the downloading of files commonly used by hackers to hide malware such as SCR, EXE, and ZIP files. It can also be used to block access to risky websites and those known to contain malware.
For business WiFi networks, a web filter is now becoming less of an option and more of a necessity to prevent malware and ransomware downloads and keep users’ devices and networks malware free.
According to a recent report issued by Pwnie Labs, wireless device security vulnerabilities are not being addressed by enterprises even though many wireless devices can be used as backdoors into corporate networks.
If wireless printers and access points are not secured, hackers can easily use them to gain access to internal networks. Many organizations invest heavily in security defenses but forget to change the default configurations on their wireless printers. Pwnie Labs researchers ascertained that more than half of wireless devices (56%) used by enterprises are HP printers. When default settings are not changed, the devices can be used as a backdoor into corporate networks. HP printers were found to be the most common open wireless networks, while 35% of wireless access points either did not use encryption or had security defenses that were found to be particularly weak.
Plugging wireless device security vulnerabilities is not always straightforward. Organizations need to change the default password on the devices, yet many do not do so because it causes connectivity problems. However, if wireless device security vulnerabilities are not addressed they could allow hackers to bypass an organization’s security defenses and gain access to internal networks.
Wireless Device Security Vulnerabilities Are Being Exploited by Hackers
A recent survey conducted on 400 IT security professionals showed that 55% of respondents had already witnessed a cyberattack via wireless devices. 86% said that they were concerned about wireless device security vulnerabilities.
Pwnie Labs found that many wireless printers are left with default settings active, although some do not even have a username and password set allowing anyone to connect. If the wireless printer is hardwired to an Ethernet network, gaining access to the printer via Wi-Fi could allow a hacker to also gain access to the network to which the printer is connected.
The devices are designed to make connection as easy as possible, and this feature can all too easily be exploited by attackers. If an attacker sets up a malicious access point and uses the same SSID as that used by the manufacturer to configure the printer, the printer could automatically connect to that network.
To prevent this, remove open wireless networks from the preferred network list on the printer. Alternatively, ensure that the printer does not automatically connect to open wireless networks.
If a wireless printer is used as a network printer via an Ethernet connection, it is essential to disable Wi-Fi functionality to prevent the device from being used as a wireless bridge to the wired network. If there is no need for a wireless printer to be hardwired to a network, ensure that it isn’t and use strong encryption to connect wirelessly to the device.
Printers are not the only devices that can be used in this fashion. All devices with wireless functionality must be subjected to a full risk assessment. If wireless networks are not used by an organization, devices with wireless capability must have the function disabled. If wireless networks are in use, all devices must be carefully configured to reduce the risk of attack.
Last year saw a massive increase in the number of recorded enterprise malware attacks, with hackers also targeting public sector organizations and government agencies with increased frequency. According to the new Dell Security Annual Threat Report, malware attacks virtually doubled in 2015, and reached a staggering 8.19 billion worldwide infections.
The new report makes for worrying reading. The current threat level is greater than ever before and the volume of enterprise malware attacks now taking place has reached unprecedented levels. Organizations that fail to implement robust controls to protect their systems from malware downloads are likely to be attacked.
Dell Reports a 73% Increase in Malware Infections in 2015
To compile the report, Dell gathered data from its Dell SonicWALL Global Response Intelligence Defense network. In 2014, Dell SonicWALL received approximately 37 million unique malware samples. In 2015, that figure increased to 64 million: An increase of 73%. Dell noted increases in malware, ransomware, viruses, Trojans, worms, and botnets in 2015.
Not only is the volume of malware increasing, the vectors used to infect devices and networks are now much broader. Cybercriminals are also getting much better at concealing infections and covering their tracks. When malware is eventually discovered on systems, it has usually been present and active for some time.
Hackers are now using anti-forensic techniques to evade detection, along with steganography and URL pattern changes, and are modifying their landing page entrapment techniques. Command and control communications are also being encrypted, making it harder to identify communications from infected devices and systems. Oftentimes, it is communications between malware and C&C servers that allow anti-malware and intrusion prevention systems to identify malware infections.
Spam email is still being used to deliver malicious software although drive-by attacks have increased. IoT devices are also being used to install malware due to the relatively poor security of the devices.
Enterprises now have a much broader attack surface to defend, yet security budgets are often stretched making it difficult for IT security teams to install adequate defenses to repel attacks using such a diverse range of attack vectors. It may not be possible to implement robust defenses to repel all attacks, although by concentrating on the most commonly exploited weaknesses the majority of enterprise malware attacks can easily be prevented.
How to Defend Against Enterprise Malware Attacks
The majority of successful enterprise malware attacks could have been prevented had basic security measures been implemented and had industry security best practices been adopted. Hackers may be using ever more sophisticated methods to infiltrate systems and steal data, but in the majority of cases they do not use zero-day vulnerabilities to attack: Well-known security weaknesses are exploited.
All too often enterprise malware attacks are discovered to have occurred as a result of unpatched or outdated software. Oftentimes, patches and software updates have been available for months prior to attacks taking place. One of the best defenses against cyberattacks is to adopt good patch management practices and ensure that software updates are applied within days of release.
Email spam is still used to deliver a wide range of malware and malicious software, yet spam email is easy to block with a robust spam filtering solution such as SpamTitan. Along with staff training on phishing email identification and basic security best practices, malware infections via email can be easily prevented.
It is also strongly advisable to implement an enterprise web filtering solution. Allowing employees full access to the Internet can leave a business susceptible to drive-by malware downloads. A web filtering solution such as WebTitan Gateway – or WebTitan Cloud for Wi-Fi networks – can prevent malicious file downloads, malvertising, and limit the risk of drive-by enterprise malware attacks.
Using a firewall capable of inspecting every packet and validating all entitlements for access is also advisable. Since hackers are also using SSL/TLS encryption to mask C&C communications, it is a wise precaution to use a firewall that incorporates SSL-DPI inspection functionality.
Locky ransomware is a new threat believed to emanate from the hacking team behind Dridex malware. The new threat is being delivered via spam email and is disguised as a Microsoft Word invoice. If macros are enabled, or if the macro contained in the infected Word file is run, a script will download Locky ransomware: a 32-bit executable file containing a dropper. That dropped malware runs from the %TEMP% folder and disguises itself as svchost.exe.
Locky ransomware will search for files stored on the infected device, rename them and add the extension .locky. The renamed files cannot be identified by the user: they are given a unique file ID along with a unique ID for each user. Files are locked using RSA-2048 and AES-128 ciphers, and all communication between Locky and its command and control server is encrypted.
Once files have been encrypted, a text file will be saved to the desktop detailing the actions that must be taken by the victim in order to restore their files. A bitmap containing the instructions is also set as the user’s wallpaper.
Links are supplied which the user must access via the Tor network and further instructions unique to that user are detailed on a unique webpage for each user. Users are instructed how to buy Bitcoin and how to send the ransom of 0.5 to 1.0 Bitcoin (around $200-$400) to the attackers. Upon paying the ransom the victim will receive a security key which will enable them to unlock their files. Locky ransomware encrypts data stored on local drives, removable media, and ramdisks, although it is also capable of encrypting data on network resources.
Locky ransomware can only be installed if a malicious macro contained in the Word file is run. Opening the infected Word document will not result in the device or network being infected until macros have been enabled. If this happens, the Word document macro will save a file to the device (Troj/Ransom-CGX) which will act as a downloader and will install the ransomware payload.
Once downloaded the payload will start to encrypt a wide range of files. Those files include documents, multimedia files, images, office files, and source code. Shadow copies (VSS files) on the device will also be removed. Even the wallet.dat file is encrypted, leaving Bitcoin users no alternative but to pay the ransom. The ransomware will encrypt files on any connected or mounted drive, and will lock files regardless of the operating system used.
Any user logged in with administrator privileges when Locky ransomware strikes will see a considerable amount of damage caused, leaving them no alternative but to pay the ransom to unlock files. Bear in mind that the above ransom amounts have been seen for individual users. There is no telling what ransom will be demanded if a business user is infected.
How to Protect Against Locky Ransomware Attacks
There are a number of ways that businesses can protect their networks from a Locky ransomware attack. The first is to prevent the malicious Word document from being delivered.
- A robust anti-spam filter can filter out malicious emails and quarantine them, preventing phishing and malicious spam emails from being delivered to end users’ inboxes.
- Staff training is essential in case malicious emails find their way into end users’ inboxes. Employees must be warned of the risks of ransomware and other malware, told how the malicious software is delivered, and how to identify potentially malicious emails. End users must be told never to open a file attachment sent from someone they do not know.
- All devices with Word installed should have macros disabled. If users are required to use macros, they should enable them to work on files and disable the macro function when the task has been completed. If macros are set to run automatically, opening an infected Word document will allow malicious code to run automatically.
- Portable drives should not remain connected when they are not in use.
- Users should never log in as an administrator unless it is strictly necessary. Always log in without administrator rights unless they are necessary for a particular task to be performed and log out afterwards.
- Regularly back up important files (daily) and store backups off site.
- Not all malware is delivered via spam email. Hackers are increasingly using FTP sites, file sharing websites, and compromised websites to deliver malware. Blocking these sites using a web filtering solution such as WebTitan is strongly advisable. WebTitan can also block files commonly used to deliver malware (BAT, SCR, and EXE files).
- Patches should be installed promptly and browsers and plugins updated as soon as patches and updates are released. Security vulnerabilities can be exploited via malicious websites and malware and ransomware downloaded without any user action.
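Two of the controls above (filtering the malicious attachment at the gateway and keeping macros disabled) both rest on being able to tell whether a Word attachment carries a macro at all. The following is an added example, not code from the original post or from any spam-filtering product: an Office Open XML document is a zip archive, and a macro-enabled one stores its VBA in word/vbaProject.bin and declares the vbaProject content type in [Content_Types].xml, so a gateway can inspect the archive without opening the document in Word. The two sample documents are constructed in memory as minimal archives; real files carry many more parts, and legacy binary .doc files (OLE2 containers) need a separate check.

```python
"""Gateway-style check: does an OOXML Word attachment carry a VBA macro project?

Added example (not from the original post or any vendor product).
The sample documents are constructed in memory.
"""
import io
import zipfile

VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def macro_findings(data):
    """Return a list of findings for an attachment (empty list = no macro seen)."""
    blob = io.BytesIO(data)
    if not zipfile.is_zipfile(blob):
        # Legacy .doc/.xls are OLE2 containers, not zips; route to a different check.
        return ["not an OOXML zip container; inspect as legacy OLE"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in VBA_PARTS:
            if part in names:
                findings.append("VBA project present: " + part)
        try:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if MACRO_CONTENT_TYPE in ctypes:
            findings.append("vbaProject content type declared in [Content_Types].xml")
    return findings


def build_docx(with_macro):
    """Constructed minimal Word archive, with or without a VBA project."""
    main_type = ("application/vnd.openxmlformats-officedocument.wordprocessingml.document."
                 + ("macroEnabled.main+xml" if with_macro else "main+xml"))
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                             % MACRO_CONTENT_TYPE)
            # OLE2 header stub standing in for a real VBA project stream.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("plain document:", macro_findings(build_docx(False)))
    print("macro document:", macro_findings(build_docx(True)))
```

A gateway would quarantine any attachment with findings rather than trying to judge the macro's intent; the decision to allow macro-enabled documents at all belongs to policy, which is why the list above recommends leaving macros disabled by default.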
The failure to use a school web filter could result in children gaining access to hardcore pornography in the classroom. If a school web filter is used, it is essential to ensure that it is configured correctly. Two Canadian parents have just discovered that porn is still accessible via classroom computers after conducting a simple test at their daughters’ school.
In this case, the Internet could only be accessed at the elementary school in Markham, Ontario, using a valid account and Internet access is supervised, so the chance of children viewing adult content is limited. That said, if children want to view porn they would not be prevented from doing so. The software solution that had been put in place did not block pornography and other adult content from being displayed.
After gaining permission to use her daughter’s Internet login, Eva Himanen conducted a simple search on Google to see whether it was possible for images of an adult nature to be viewed in the classroom. She did this by typing the search terms “porn” and “naked sex” into Google.
Rather than images and search listings being blocked, the search brought up numerous thumbnail images of exactly the material one would expect such a search to produce. There were also listings of a wide range of porn websites that had not been blocked. A school web filter was allegedly in place, but images were still displayed.
Access to the Internet is controlled by logins and parents and children are required to sign an acceptable use form each year. However, while students may agree not to search for adult website content, that does not prevent them from viewing inappropriate material.
If a child was able to access pornographic images without being spotted by a teacher, it is likely that the Internet use would be discovered. Logs of all websites visited are maintained by the school and are regularly checked. Any websites of an adult nature that are accessed would be tied to an individual child’s login and action would be taken against that individual. However, the damage would have already been done. If one student were to perform such a search and break the rules, other children may also be affected.
The Importance of Implementing a Robust but Flexible School Web Filter
Blocking access to certain sections of the Internet is straightforward with WebTitan. WebTitan’s school web filter is quick and easy to implement and can offer protection in a matter of minutes. It is possible to block websites by category as well as by keyword term, and blacklists can be uploaded easily.
One of the problems that can occur with a school web filter is the overblocking of website content. It is possible that blocking a particular category of website, or a specific keyword term such as “sex”, would result in some website content being blocked incorrectly. This could potentially prevent individuals from accessing sexual education material, some of which may be required under the curriculum.
A web filter may therefore require a certain degree of fine tuning. False positives will always occur with any web filter, although careful implementation and choice of keyword terms and website categories will keep this to a minimum, while ensuring that harmful content is blocked. Using a flexible, and easy to use school web filter such as WebTitan will make this as straightforward as possible.
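The overblocking problem described above has a concrete shape: a keyword rule on “sex” must catch a search for adult material without catching the sexual-health education page the curriculum requires, and without catching unrelated hosts that merely contain the letters. The following is an added example, not WebTitan code or any vendor’s: a small URL policy engine that applies category blocking, whole-word keyword blocking and a staff-reviewed allowlist that takes precedence over both. The category lookup, the domains and the allowlist entries are constructed for the example; a real filter draws categories from a vendor feed.

```python
"""Tiny URL policy engine: category rules, keyword rules and an allowlist.

Added example (not WebTitan's code or any vendor's). Domains, categories
and allowlist entries are constructed.
"""
import re
from urllib.parse import urlparse

CATEGORY_DB = {  # constructed stand-in for a vendor category feed
    "adult-site.example": "adult",
    "example-news.example": "news",
    "sexeducation-ngo.example": "health",
}
BLOCKED_CATEGORIES = {"adult", "malware"}
BLOCKED_KEYWORDS = ("porn", "sex", "naked")
ALLOWLIST = {"sexeducation-ngo.example"}  # curriculum material, reviewed by staff


def _tokens(text):
    """Split host, path and query into whole words so 'essex' does not match 'sex'."""
    return set(t for t in re.split(r"[^a-z0-9]+", text.lower()) if t)


def decide(url):
    """Return ("allow" | "block", reason) for a URL, allowlist first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()

    if host in ALLOWLIST or any(host.endswith("." + d) for d in ALLOWLIST):
        return "allow", "allowlisted domain"

    category = CATEGORY_DB.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", "category: " + category

    words = _tokens(host + " " + parsed.path + " " + parsed.query)
    for kw in BLOCKED_KEYWORDS:
        if kw in words:
            return "block", "keyword: " + kw
    return "allow", "no rule matched"


if __name__ == "__main__":
    for u in ("http://adult-site.example/videos",
              "https://search-engine.example/search?q=naked+sex",
              "https://sexeducation-ngo.example/teens/sex-and-relationships",
              "https://essex-council.example/",
              "http://example-news.example/"):
        print(u, "->", decide(u))
```

The ordering is the design choice that matters: the allowlist is consulted before any blocking rule, which is what turns a blunt keyword into a usable one, and every allowlist entry should be a reviewed decision rather than an end-user override.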
WebTitan’s web filtering solutions for schools have a high degree of granularity, allowing potentially harmful content to be easily filtered while ensuring that valuable educational material is still displayed. It is still important to have acceptable use policies in place, but should a student attempt to break the rules, they would still be prevented from viewing adult content, and their actions would be logged to allow action to be taken.
For further information on the full range of features of WebTitan’s school web filtering solutions, contact the sales team today for advice.
The healthcare ransomware threat is not new, but the threat of attack is growing. Last week, a healthcare provider in the United States found out just how damaging a ransomware attack can be. Hollywood Presbyterian Hospital experienced a ransomware attack on February 5, resulting in part of its computer network being taken out of action for more than a week.
The healthcare provider’s electronic health record system (EHR) was locked by ransomware and a demand of $17,000 was made by the attackers to supply the security keys. This is not the first time that a healthcare provider has had to deal with a ransomware infection, but attacks on healthcare organizations have been relatively rare.
What makes this attack stand out is the fact that the ransom was actually paid. CEO Allen Stefanek said “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.”
The Healthcare Ransomware Threat is Very Real
Many businesses in the country have been attacked and have been forced to pay sizable ransoms in order to get a security key to decrypt their locked data. If data is encrypted by attackers, and no backup exists, there is little choice but to pay the ransom and hope that the attackers make good on their promise to supply the security keys.
There is no guarantee that the attackers will deliver, of course. They could just demand even more money. There have also been cases where the attackers have “tweaked” their ransomware but accidentally broke it in the process, so that even if a ransom was paid, it would not be possible to unlock the data.
Paying a ransom does not therefore guarantee that the security keys will be supplied. In this case, the attackers did make good on their promise and supplied the keys allowing business to return to normal.
The public announcement about the ransomware attack, and the disclosure of the payment of the $17,000 ransom, could potentially lead to even more attacks taking place. That is a big payment for a hacker, yet orchestrating a ransomware campaign is relatively easy, and does not require a major financial outlay. The return on investment will be significant if a healthcare provider is forced to pay a ransom. Since the ransom was paid, this may prompt many more hackers to attack healthcare providers.
Ransomware Attack Raises a Number of Questions
This attack does raise a number of questions. What many security professionals will be asking is why the hospital paid at all. In the United States, healthcare providers are required to make backups and store those data off-site. In an emergency such as this, a healthcare provider must be able to restore patient data. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA). It doesn’t matter what the emergency is: if computers or networks are taken out of action, the protected health information of patients cannot be lost.
The reality however, is that restoring computer systems after a ransomware attack may not be quite as straightforward. It would depend on the extent of the ransomware attack, the number of systems that were compromised, the difficulty of restoring data, and how much data would actually be lost.
Backups should be performed daily, so it is possible that 24 hours of data may have been lost, but unlikely any more. Even if data loss had occurred, it is probable that the data were stored elsewhere and could be recovered. The payment of the ransom suggests that there may have actually been an issue with the backups, or that the cost of recovering data from the backups would have been more than the cost of paying the ransom.
Dealing with the Healthcare Ransomware Threat
Regardless of the reasons why data restoration was not possible, or paying the ransom seemed preferable, other healthcare providers should be concerned. Further attacks are likely to take place, so it is essential that backups are performed regularly, and critically, those backups are tested. A backup of data that cannot be restored is not a backup. It is a false hope.
Furthermore, healthcare providers must ensure employees are trained to spot malware and ransomware, and software solutions should be implemented to prevent spam emails from being delivered to inboxes. Staff should be prepared, but it is best not to put their malware identification skills to the test.
Not all ransomware is delivered via spam email. Additional protections must also be put in place to prevent drive-by attacks and malvertising should be blocked. A web filtering solution, such as WebTitan, should also be installed to reduce the risk of ransomware downloads and to enforce safe use of the Internet.
There is no silver bullet that can totally negate the healthcare ransomware threat. It is impossible to make any system 100% secure, but by implementing a range of protections the risk of a ransomware infection can be reduced to an acceptable level. A disaster recovery plan must also exist that will allow data to be restored in the event that an attack does prove to be successful.
In recent months, concern has been growing over the lack of medical equipment cybersecurity protections in place at hospitals and medical centers. Healthcare providers are being targeted by cybercriminals for the confidential data they store on patients. Medical devices, and their associated computer hardware, could potentially be targeted by cybercriminals. Medical device security is often overlooked by health IT professionals, and the manufacturers of the devices often fail to make their equipment secure.
Healthcare providers store Social Security numbers, health insurance data, financial information, and the personal information of patients. These data have a high value on the black market as they can be used by criminals to commit identity theft and many kinds of fraud.
Cyberattacks on hospitals and health insurers are increasing, and while cybersecurity protections as a whole are improving, the industry still lags behind other industry sectors when it comes to implementing robust cybersecurity protections. Numerous security vulnerabilities are often allowed to exist, making it relatively easy for hackers to take advantage.
Medical equipment cybersecurity is particularly lax. The devices may not provide easy access to the types of data sought by identity thieves in some cases, but they are networked. If access is gained, attacks on other parts of a healthcare network could take place.
If hackers are able to gain access to a medical device a considerable amount of harm could be caused. A malicious hacker could alter or delete data, crash the device, or steal data stored on the device or the computer connected to it. If settings can be altered patients could be seriously harmed. Doses of medication could be altered or medical diagnoses or test results changed, with disastrous consequences for the patient.
Expensive equipment could be sabotaged or the devices could be locked with ransomware. The ransomware infection of Hollywood Presbyterian Medical Center this month shows that the threat of malware is very real. In fact, attacks on hospitals can be very lucrative for hackers. The hospital recently paid $17,000 for the decryption keys to unlock its EHR system after a ransomware infection took it out of action.
How Bad Are Medical Equipment Cybersecurity Protections?
So how bad are medical equipment cybersecurity protections? Sergey Lozhkin of Kaspersky Lab decided to find out, and announced the results of his attempts to hack medical devices at the 2016 Security Analyst Summit (SAS 2016) in Tenerife.
Lozhkin set out to hack a hospital and succeeded in doing just that by exploiting a lack of medical device cybersecurity protections at a hospital. The hack started with a search using the Shodan search engine. Lozhkin discovered a number of hospital devices and contacted the owner. Along with his friend, he decided to conduct a penetration test to see just how easy it was to gain access to the devices. The senior managers of the hospital were aware of the test and secured real data to prevent any unauthorized disclosure or data loss as a result of the test.
The first attempt at hacking the medical devices failed. The hospital’s systems administrator had done a good job of securing systems from external attack. However, the second attempt at hacking was successful. Lozhkin decided that instead of attacking from home, he would travel to the hospital and try to attack from within. However, physical access to the hospital was not necessary. He was able to hack the hospital from his car, since he could park outside and gain access to the hospital’s local Wi-Fi network.
Once he had obtained the network key he was able to gain access to a tomographic scanner. By exploiting a vulnerability in an application he gained access to the file system of the device and was able to view (fake) patient data; the real data had been secured prior to the test. The hack was possible because the hospital’s systems administrator had made a fundamental mistake: a medical device had been connected to the hospital’s public WiFi network, the same network a visitor in the car park could join.
Forget Medical Equipment Cybersecurity Protections at your Peril
If medical equipment cybersecurity protections are insufficient, it may be hacktivists or data thieves that gain access to data rather than pen testers. Hospitals must ensure that medical equipment cybersecurity protections are put in place, but security must also be tested to ensure cybersecurity defenses actually prevent access to medical devices and the sensitive data they contain.
Better medical equipment cybersecurity protections must also be incorporated into the design of medical devices by the manufacturers to make sure medical equipment is harder to hack.
According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.
However, that was not the case and over the course of the past 4 years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.
The California data breach report includes a summary of data breaches reported to the Attorney General’s office between 2012 and 2015. From 2012, the California Attorney General’s office had to be notified of any breach of personally identifiable information that affected more than 500 state residents.
Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.
In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.
2015 was a Bad Year for Data Breaches in California
The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.
The California data breach report was compiled to show just how bad the current situation is. According to State Attorney General Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.
Harris points out in the introduction to the 2016 California data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” She goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”
California Data Breach Report Summary
The main findings of the 2016 California data breach report are listed below:
- The biggest data security threats are malware and hacking
- Malware and hacking exposed 54 percent of records and accounted for the most data breaches (365)
- Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
- Malware and hacking caused 90% of retail data breaches
- Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches.
- Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
- Errors and employee/employer negligence accounted for 17% of data breaches
- Medical records were exposed or stolen in 19% of reported breaches
- Payment card information was stolen in 39% of data breaches
- Small businesses reported 15% of data breaches
According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third being involved in 16% of data breaches.
Data Breach Prevention – Improve Protection Against Malware
The prevention of cyberattacks requires multi-layered security systems, yet in the majority of cases data breaches were found to be the result of a failure to update software and apply patches. The security vulnerabilities that were exploited by hackers or used to install malware had already been discovered and patched. In the majority of cases, patches had existed for over a year but had not been installed.
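The finding above is easy to state and surprisingly hard to see on a real network, because most patch reports only say "update available" and not "this fix has been sitting unapplied for 14 months". The following script, added here as an illustration and not taken from the California report, cross-references a software inventory against a list of advisories and reports the age of every missing fix, flagging anything older than a year. The hosts, package names, versions and advisory dates are constructed for the example; in practice the inventory would come from your asset database and the advisories from your vendors’ feeds.

```python
from datetime import date

# Constructed sample data for this example only: the hosts, package names,
# versions and advisory dates are hypothetical, not taken from the report.
ADVISORIES = [
    {"package": "httpd", "fixed_in": "2.4.12", "published": date(2014, 10, 20)},
    {"package": "openssl", "fixed_in": "1.0.2", "published": date(2015, 1, 22)},
    {"package": "php", "fixed_in": "5.6.10", "published": date(2015, 6, 11)},
]

INVENTORY = [
    {"host": "web-01", "package": "httpd", "version": "2.4.7"},
    {"host": "web-01", "package": "openssl", "version": "1.0.2"},
    {"host": "db-02", "package": "php", "version": "5.6.9"},
    {"host": "app-03", "package": "httpd", "version": "2.4.16"},
]


def parse_version(version):
    """Dotted version string -> tuple of ints, so 2.4.7 < 2.4.12 compares correctly."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(inventory, advisories, as_of, overdue_after_days=365):
    """One finding per (host, package) still below a fixed version.

    patch_age_days is how long the fix has been available as of `as_of`;
    findings older than overdue_after_days are the "patch existed for over
    a year but was not installed" cases the report describes.
    """
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings = []
    for item in inventory:
        for adv in by_package.get(item["package"], []):
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                age = (as_of - adv["published"]).days
                findings.append({
                    "host": item["host"],
                    "package": item["package"],
                    "installed": item["version"],
                    "fixed_in": adv["fixed_in"],
                    "patch_age_days": age,
                    "overdue": age > overdue_after_days,
                })
    return findings


def overdue_hosts(findings):
    """Hosts carrying at least one fix that has been available past the threshold."""
    return sorted({f["host"] for f in findings if f["overdue"]})


def example_findings():
    """Run the check against the constructed data as of 1 February 2016."""
    return missing_patches(INVENTORY, ADVISORIES, as_of=date(2016, 2, 1))


if __name__ == "__main__":
    results = example_findings()
    for f in results:
        flag = "OVERDUE" if f["overdue"] else "pending"
        print(f"{f['host']:8} {f['package']:8} {f['installed']} -> {f['fixed_in']} "
              f"fix available for {f['patch_age_days']} days [{flag}]")
    print("Hosts with year-old unapplied fixes:", overdue_hosts(results))
```

The useful number is the age, not the count: a host with five fixes that shipped last week is a scheduling problem, while a host with one fix that shipped 469 days ago is exactly the exposure the report attributes most breaches to.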
Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.
If staff are also trained to identify malware and potentially harmful emails and attachments, a great deal of malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited and used to download malware without any user interaction required.
These infections are referred to as drive-by attacks, and they can occur if a user can be directed to a malicious website or a site that has been compromised by cybercriminals.
Third party advertising networks can contain adverts with malicious links that direct visitors to sites where drive-by attacks can take place. Those adverts can appear on legitimate websites. Even some of the biggest sites on the Internet have been discovered to display malvertising. These threats must be dealt with to prevent data breaches from occurring.
Protecting against malware delivery via the Internet requires a different solution: a web filter.
Protect End Users from Web-Borne Malware Threats with WebTitan
WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.
By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.
For further information on the benefits of WebTitan’s web filtering solutions contact the Sales team today:
US Sales +1 585 973 5080
UK/EU Sales +44 (0)247 699 3641
IRL +353 91 54 55 00
The cost of a data breach can be considerable, as has been clearly demonstrated by the hacking of TalkTalk. The hacking of the UK-based Internet service provider resulted in 157,000 customer accounts being compromised, with 15,656 bank account numbers and sort codes stolen by the hackers.
The group of hackers responsible for the security breach spoke to the media soon after and talked of the poor security at TalkTalk, and how easy it was to gain access to sensitive customer data. One of the hackers even said that in one instance, a three-digit password had been used to secure an account.
The hacking incident triggered a media storm which tarnished the ISP’s image and resulted in many customers changing ISP to one that was perceived to offer better security. As to how many customers have changed their mind about signing up with TalkTalk, that is unlikely to ever be known.
Soon after the discovery of the extent of the data breach, TalkTalk chief executive Dido Harding told the BBC that the company still expected its end of year results to “be in line with market expectations,” and that the data breach would likely result in one-off costs of between £30-£35 million.
However, the ISP seriously underestimated the fallout from the hacking incident, with the current costs now double the initial estimate at £60 million: Enough to make a noticeable dent in the company’s profits. That cost was broken down as one-off costs of around £45 million and a trading impact of £15 million.
The Cost of a Data Breach is Easy to Underestimate
The cost of a data breach is difficult to accurately calculate. It is possible to arrive at a reasonable estimate of the cost of breach resolution measures. The cost of implementing new security controls to prevent future cyberattacks is fairly easy to predict, as is the cost of mailing breach notification letters to customers. What it is much harder to estimate is the loss of business as a result of a breach of customer data.
TalkTalk took the decision to offer customers a free upgrade of services and told those affected financially by the breach that they would be free to leave without penalty. Since customers who had not suffered losses could not leave without paying an exit fee, many had to wait until their contract expired before switching provider. According to the latest figures, the company lost 101,000 customers as a result of the data breach.
The decision to offer a free upgrade of services proved to be a wise move, not only to prevent customers who had been affected by the data breach from leaving, but to convince other customers to stay. The free upgrade has reportedly been taken up by around 500,000 customers. Even with that upgrade, the company understandably experienced a higher churn rate, with many not choosing to renew their contracts when they came to an end.
The total impact on revenue was estimated to be around 3%, although the company appears to now be recovering with the churn rate having improved in the past two months. According to Harding, “Trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”
Kaspersky Lab has recently discovered the extent to which a remote access Trojan is being used by cybercriminals, highlighting the security risk from Java Runtime Environment.
Kaspersky Lab found that the Adwind remote access Trojan (RAT), first discovered in 2012, is being used extensively by cybercriminals to conduct attacks on businesses. The RAT is frequently tweaked to avoid detection, with numerous variants currently in use in the wild. The RAT has many names in addition to Adwind; Alien Spy, JSocket, jRat, and Sockrat are just a few of the names of the Adwind malware variants.
The Java-based RAT is now being rented out to criminal gangs to allow them to conduct their opportunistic attacks on companies and individuals, sometimes for as little as $25. Kaspersky Lab estimates that the number of criminals now using the malware has risen to around 1,800. The malware is estimated to be raking in around $200,000 a year for the authors. To date, it is estimated that the RAT has been used to attack as many as 440,000 users.
The frequency of attacks is also increasing. In the past 6 months, around 68,000 new infections have been discovered.
Have You Effectively Managed the Security Risk from Java Runtime Environment?
The latest variant is known as JSocket. The malware is believed to have first appeared in the summer of 2015 and is still being extensively used. The RAT is most commonly spread by phishing campaigns with users fooled into running the Java file, installing the Trojan. While the RAT is primarily distributed by large-scale email spam campaigns, some evidence has been uncovered to suggest it is being used as part of targeted attacks on individuals and organizations.
This is a cross-platform malware that can be used on Windows, Linux, Android, and Mac OS systems. It serves as a backdoor allowing cybercriminals to gain access to the system on which it is installed, effectively allowing them to take control of devices, gather data, log keystrokes, and exfiltrate data. It is also capable of moving laterally. It is written entirely in Java and can be used to attack any system that supports the Java Runtime Environment.
The security risk from Java Runtime Environment is considerable. Kaspersky Lab recommends that all organizations review their use of JRE and disable it whenever possible.
Unfortunately, many businesses use Java-based applications, and disabling or uninstalling JRE is likely to cause problems. However, it is essential to manage the security risk from Java Runtime Environment to prevent infections from Adwind and its variants.
If there is no need for JRE to be installed on computers, it should be removed. It represents an unnecessary risk that could result in a business network being compromised.
If it is not possible to disable JRE, it is still possible to protect computers from Adwind/JSocket. Since this malware is commonly sent out as a Java archive (JAR) file, the code can be prevented from running when a user double-clicks it by changing the program associated with JAR files. Note that this only blocks the double-click path: the Trojan can still run if a user or another program invokes java -jar directly, so the association change is a mitigation, not a substitute for removing JRE where it is not needed or for blocking JAR attachments at the mail gateway.
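Because Adwind arrives as a JAR attachment, the mail gateway is the earliest place to stop it, and a filter that keys on the filename extension or the declared Content-Type is trivially bypassed by renaming the file or mislabelling the MIME type. The script below is an added example, not Kaspersky Lab’s code or any product’s, showing a content-based check: it parses a raw message and flags any attachment whose bytes are a ZIP archive carrying a JAR manifest or .class entries, whatever the part claims to be. The message and the JAR-shaped archive inside it are constructed in the script (the class entry is a placeholder, not real bytecode); the addresses are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"


def looks_like_jar(data):
    """True if the bytes are a ZIP archive that carries a JAR manifest or class files.

    The filename and declared MIME type are ignored on purpose: a renamed or
    mislabelled attachment is still a JAR the moment the user runs it.
    """
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def jar_attachments(raw_message):
    """Parse a raw RFC 5322 message; return filenames of attachments that are really JARs."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if looks_like_jar(payload):
            hits.append(part.get_filename() or "(unnamed)")
    return hits


def build_fake_jar():
    """Minimal JAR-shaped archive for the example; 'Loader.class' is a placeholder, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        archive.writestr("Loader.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def sample_message():
    """Constructed phishing-style message: a JAR with a double extension and a
    misleading application/pdf type, plus a harmless PDF. Addresses are assumptions."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(build_fake_jar(), maintype="application", subtype="pdf",
                       filename="Invoice_0216.pdf.jar")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("JAR attachments found:", jar_attachments(sample_message()))
```

The same check extends naturally to JARs nested inside a ZIP attachment by recursing into archive members that themselves start with the ZIP magic; the point is that the decision is made on what the bytes are, not on what the sender says they are.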
Have you managed the security risk from Java Runtime Environment? Is JRE unnecessarily installed on computers used to access your network?
Many security professionals would like to know what motivates cyberattacks. How much do hackers earn? What actually motivates hackers to attack a particular organization? How long do hackers keep trying before giving up and moving on, and how profitable is cybercrime for the average hacker?
A recent survey commissioned by Palo Alto Networks provides some answers to these questions and offers some insight into the minds of hackers. The results of the survey suggest that cybercrime is not as profitable as many people think. In fact, “the big payday” is actually something of a myth, certainly for the majority of hackers.
There is a common misconception that cyber attackers are tirelessly working to breach the defenses of organizations and are raking in millions from successful attacks; however, the survey results indicate otherwise.
The Ponemon Institute asked 304 threat experts their opinions on the motivation behind cyberattacks, the money that can be made, the time invested by hackers, and how attackers choose their targets.
The respondents, based in Germany, the United States, and the United Kingdom, were all involved in the threat community to varying degrees. 79% of respondents claimed to be involved in the threat community, with 21% of respondents saying they were “very involved.”
What is the motivation behind cyberattacks?
The study cast some light on what is the motivation behind cyberattacks, as well as offering some important insights into the minds of hackers. There is a threat from hacktivists and saboteurs but, in the majority of cases, attackers are not intent on causing harm to organizations. The majority of cybercriminals are in it for the money. The motivation behind 67% of cybercrime is money.
However, in the majority of cases, it would appear that there is not actually that much money to be made. If hackers were to find employment as security professionals and use their skills to protect networks from hackers, they would likely earn a salary four times as high, and they would get sick pay, holiday pay, and medical/dental insurance.
How much do hackers earn?
Anyone interested in how much hackers earn may be surprised to find out it is not actually that much. The study determined that a technically proficient hacker would be able to conduct just over 8 cyberattacks per year, and an average of 41% of those attacks would not result in the attacker receiving any compensation.
The profits from cybercrime were found to be fairly constant regardless of where the criminals were based. In the United States a single cyberattack netted the perpetrator an average of $15,638. In the United Kingdom attackers earned an average of $12,324, and in Germany it was $14,983.
So how much do hackers earn? Take away the cost of the toolkits they purchase – an average of $1,367 – and the Ponemon Institute calculated the average earnings for a cyber attacker to be in the region of $28,744 per year. That figure was based on 705 hours spent “on the job” – around 13.5 hours per week. While it is clear that some hackers earn considerably more, the average hacker would be better off getting a real job. IT security practitioners earn 38.8% more per hour.
How can the survey data be used to prevent cyberattacks?
The survey probed respondents to find out how determined hackers were at breaching the defenses of companies. Surprisingly, it would appear that even if the potential prize is big, hackers tend not to spend a great deal of their time on attacks before moving on to easier targets.
72% of hackers are opportunistic and 69% of hackers would quit an attack if a company’s defenses were discovered to be strong. Ponemon determined that an attack on a typical IT security infrastructure took around 70 hours to plan and execute, whereas a company with an excellent infrastructure would take around 147 hours.
However, if a company can resist an attack for 40 hours (less than two days) 60% of attackers would move on to an easier target. Cybercriminals will not waste their time attacking organizations that make it particularly difficult to obtain data. There are plenty of much easier targets to attack.
Install complex, multi-layered defenses and use honeypots to waste hackers’ time. Make it unprofitable for attackers and in the majority of cases attackers will give up and move on to easier targets.
Employee security training is an essential part of an organization’s defense against cyberattacks, yet many CISOs and CSOs are not conducting regular training. In fact, according to a survey conducted last year on behalf of ClubCISO, one in five CISOs (21%) said they had never given security training to their staff.
This could indicate overreliance on technological security measures to prevent cyberattacks, such as firewalls, anti-virus and anti-malware software, anti-spam filters, and web filters. Organizations may have confidence in their policies and procedures. CISOs may even believe that their organization is unlikely to be attacked. Regardless of the reason, a lack of training leaves a gaping hole in security defenses.
Employee Security Training Is A Cost-Effective Way of Improving Security Posture
IT departments are well aware that employees are a weak link in the security chain and can all too easily undo all the good work done to keep data and networks secure. All it takes is for one employee to open a Word document and enable malicious macros, visit a compromised website, or inadvertently download malware for a network to be compromised.
If you want to improve your security posture, one of the easiest and most cost-effective ways to protect your network is training employees how to identify security risks. CISOs, CSOs, and IT staff may be well aware that opening an email attachment from someone they don’t know is risky. Not all employees will be so security-minded and may not appreciate the risk they are taking by opening an email attachment or visiting a link sent to them via email. Failing to train employees on these security basics is like leaving your front door unlocked when you go on vacation. A little training can go a very long way.
Employee Security Training Should Not Be A One-Time Event
Many organizations realize that training is important, yet still only conduct security training sessions once a year. Security training may only be given to new recruits when they join a company. The ClubCISO survey revealed that one in five employers only provided training to new employees, and 37% carried out training just once a year. Only 21% said they conducted regular security training sessions.
Furthermore, when training was provided, more than half of organizations had no idea about how effective their training had been. Training was given in a checkbox fashion in order to meet industry security regulations. Once provided, documents could be signed by employees to confirm that training had been provided, which would be sufficient if ever the organization was audited by industry regulators. However, it may not be sufficient to prevent a successful cyberattack. Employee security training is not a one-time event. It should be provided in regular training sessions, knowledge should be tested, and a security culture should be developed.
Getting Staff Cybersecurity Training Right
It is all too easy to purchase a new security product and hope that it is 100% effective and will prevent a cyberattack from being successful, but no system is infallible. Cybersecurity defenses must be multi-layered, and end users must be part of any defense strategy. After all, cybercriminals will target end users as they offer an easy entry point into a corporate network.
Employee security training is not something that is enjoyed by the staff, and many employees would prefer not to have to undergo training. Many employees don’t concentrate and forget their training almost immediately. Conducting a training session is therefore not sufficient by itself. Online security training is similarly unlikely to be particularly effective if the staff is not then tested on their new knowledge of security.
It is therefore important to make employee security training a regular exercise and to follow up training with testing to ensure that it is taken more seriously. Consider rewarding employees for taking part in training exercises. Make sure employees are given support, and if a test is failed, such as a phishing exercise, ensure that employees who need further training are given extra help.
Employee security training is not just something that is beneficial to employers. Employees also benefit. They can use training to keep their own online activities secure outside of the office, or can use training to protect their children when they go online. Explain the relevance and inform employees that the skills they learn can help to keep them safe outside work.
Get the Board to Back Security Training Efforts
All too often there is a lack of awareness of level of risk faced by organizations at the board level. Employee security training may be considered to be an unnecessary use of time and resources. Without board buy-in, CISOs are likely to face an uphill battle.
Employee security training will require support from the board, and for that to happen it may be necessary for CISOs to explain the relevance and importance of employee security training. If you feel that your board does not appreciate the benefits, send the board members a dummy phishing email. If they click the link or open a bogus attachment, it may help them to understand the high risk of employees doing the same. Without buy-in from the board it will be difficult to develop a worthwhile and effective training program.
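A dummy phishing exercise is only persuasive if the click figures are trustworthy, which means each link must identify exactly one recipient and must not be forgeable or guessable (otherwise a forwarded or enumerated link pollutes the numbers, and an annoyed recipient can "click" on a colleague’s behalf). The following example, added here and not part of the ClubCISO survey or any product, signs each tracking link with an HMAC over the campaign and recipient and only records a click when the signature verifies. The base URL, addresses and signing key are assumptions; the key would be loaded from secret storage on a real simulation server.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the key lives only on the simulation server. This constant is a
# stand-in for a value loaded from secret storage, never something mailed out.
SIGNING_KEY = b"example-only-replace-with-32-random-bytes"


def make_token(campaign, recipient, key=SIGNING_KEY):
    """HMAC-SHA256 over campaign and recipient, URL-safe base64 without padding.

    Binding both fields means a link cannot be edited to point at someone
    else, and cannot be produced at all without the server-side key.
    """
    message = f"{campaign}\n{recipient}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def tracking_url(base_url, campaign, recipient, key=SIGNING_KEY):
    """The per-recipient link that goes into the dummy phishing email."""
    query = urlencode({"c": campaign, "r": recipient,
                       "t": make_token(campaign, recipient, key)})
    return f"{base_url}?{query}"


def record_click(url, click_log, key=SIGNING_KEY):
    """Validate a clicked link. Appends (campaign, recipient) to click_log and
    returns True only when the token is genuine; anything else is ignored."""
    params = parse_qs(urlparse(url).query)
    try:
        campaign, recipient, token = params["c"][0], params["r"][0], params["t"][0]
    except (KeyError, IndexError):
        return False
    expected = make_token(campaign, recipient, key)
    if not hmac.compare_digest(token, expected):   # constant-time comparison
        return False
    click_log.append((campaign, recipient))
    return True


def click_rate(click_log, campaign, recipients):
    """Share of a campaign's recipients who clicked at least once."""
    clicked = {r for c, r in click_log if c == campaign}
    return len(clicked & set(recipients)) / len(recipients)


if __name__ == "__main__":
    base = "https://training.example.com/landing"   # assumed landing page
    board = ["chair@example.com", "cfo@example.com", "ciso@example.com"]
    links = {r: tracking_url(base, "board-2016Q1", r) for r in board}
    for r, link in links.items():
        print(r, "->", link)

    log = []
    record_click(links["cfo@example.com"], log)                         # genuine click
    record_click(links["cfo@example.com"].replace("cfo", "chair"), log)  # tampered, rejected
    print("Clicks recorded:", log)
    print("Board click rate:", click_rate(log, "board-2016Q1", board))
```

Keeping the campaign name inside the signed material also stops a token issued for one exercise from being replayed into the next one, so each quarter’s figures stand on their own.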
With the current threat from malware, ransomware, phishing, and hacking, it is essential to take action to defend all attack surfaces. Since employees are often the weakest link in the security chain, they are a great place to start to improve overall security posture.
A survey recently conducted by the Cloud Security Alliance (CSA) has shed light on the biggest fears of security professionals, with WiFi hotspot security ranking as one of the major concerns. Unsecured WiFi hotspots and rogue WiFi access points ranked as the two of the biggest threats to mobile computing in 2016.
Over 210 security experts took part in the CSA survey, with respondents from all around the world sharing their opinions on the top threats to mobile computing in 2016. It will come as no surprise that WiFi hotspot security is keeping many IT professionals awake at night. The security threats from public WiFi hotspots have long been known to security pros. Unfortunately, more employees are now using their work devices to connect to unsecured public WiFi hotspots.
Unsecured WiFi hotspots are often a hive of criminal activity, with hackers and other cybercriminals quick to take advantage and spy on Internet users. Login names and passwords are stolen, man-in-the-middle attacks take place, and installing malware on mobile devices couldn’t be any easier.
Employees are increasingly using public WiFi in coffee shops and restaurants to check work emails on mobile phones, many professionals work on trains on their commute to work, and hotel WiFi is used by executives on business trips.
If malware can be installed on these workers’ mobile devices, those infections can all too easily be transferred to business networks. Unfortunately, while employers can implement acceptable use policies and train staff to be more security aware, preventing employees from using their devices on public WiFi networks is a difficult task. That task is made all the more difficult for organizations with a BYOD policy that permits the use of personal smartphones and laptops.
81% of Security Pros Concerned about WiFi Hotspot Security
Eight out of ten IT security professionals ranked WiFi hotspot security as one of their biggest concerns, with the risk of data theft and network compromise only likely to get worse as portable device use grows. One of the biggest problems is rogue WiFi hotspots set up by cybercriminals. Hackers know all too well that a great many Internet users will connect to WiFi automatically, without even checking the legitimacy of a free WiFi network.
To protect users’ devices and keep corporate networks secure, security training must be provided to staff. It is imperative that employees are trained on basic security measures and are made aware of the considerable risk of using unsecured WiFi networks. As security awareness improves, secure WiFi networks will be sought.
Consequently, any business offering a secure WiFi network for customers is likely to win more business. Hotel chains offering secure WiFi are likely to attract more business customers if they provide a secure WiFi network with safeguards to prevent malware infections, man-in-the-middle attacks, and make Internet browsing more secure.
Improving WiFi Hotspot Security with WebTitan Cloud for WiFi
At WebTitan, we are well aware of the risks to device and network security from the use of unsecured WiFi hotspots, and the opportunities that exist for businesses and service providers that can offer safer WiFi access. This is why we developed WebTitan Cloud for WiFi.
WebTitan Cloud for WiFi offers service providers and businesses a low cost method of securing WiFi networks, allowing a safe browsing environment to be created for clients, guests, and customers.
WebTitan Cloud for WiFi allows providers of WiFi hotspots to restrict the sites that can be visited, reducing the risk of malware infections and the nefarious activity often associated with unsecured WiFi.
Many WiFi providers are deterred from implementing a web filtering solution due to the complexity of the task, especially when multiple routers are used across a number of different locations. However, our 100% cloud-based solution makes securing multiple WiFi hotspots a quick, easy, and painless process.
WebTitan Cloud for WiFi Benefits
- 100% cloud-based web filtering solution requiring no software installation
- Secure WiFi hotspots even with dynamic or changing IPs
- Straightforward management with an easy to follow cloud-based administration control panel
- Central control of a limitless number of routers in any number of locations
- A full suite of reporting functions to gather valuable customer intel
- Secure WiFi access for any device that joins the network
- No impact on broadband speed
Find out how you can benefit from improving your WiFi hotspot security by calling the WebTitan team today
The cost of bot fraud in 2016 is likely to rise to a staggering $7.2 billion, according to a new report by the Association of National Advertisers (ANA).
2015 Bot Baseline study places the cost of bot fraud at over $7 billion
The study, conducted in conjunction with WhiteOps, shows that despite efforts to reduce the impact of bot fraud, criminal gangs are still managing to game the online advertising industry. Advertisers are being tricked into thinking that real visitors are viewing their adverts and are paying for those visits, when in actual fact a substantial percentage come from bots.
For some companies the losses were shocking. The highest losses were reported to have cost one company $42 million over the course of the year. However, even smaller companies did not escape unscathed. The cost of bot fraud for the least affected advertiser was $250,000.
ANA studied 1,300 advertising campaigns conducted by 49 major companies over a period of two months, from August 1, 2015 to September 30, 2015. The results of the study were then extrapolated to estimate the cost of bot fraud for 2016.
The study examined more than 10 billion ad impressions to determine the percentage that were real visitors. To distinguish bot visits from the human visits, ANA/WhiteOps added detection tags to the advertising campaigns under study.
The same study was conducted in 2014, and this year’s results show that virtually nothing has changed, with the bot fraud rate falling by just 0.2%. The level of bot fraud has remained constant, although the cost to companies has increased.
In 2014, online advertisers were estimated to have lost around $5 billion to bot fraud. The projected rise for 2016 reflects the expected increase in advertising spend over the next 12 months rather than a higher fraud rate.
Last year, the brands studied suffered average losses of $10 million each to bot fraud. For one in four of the companies, 9% of impressions went to non-human traffic.
Methods of bot detection have improved, but they are clearly not having much of an effect on the cost of bot fraud for advertisers. As detection methods improve, bot operators have improved their ability to obfuscate their bot visits.
Unfortunately, it is becoming harder to distinguish bot traffic from real traffic: more bots operate from residential IP addresses, so IP reputation alone is no longer a reliable signal, and the bots are becoming better at mimicking real browsing habits.
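The point about residential addresses is easiest to see in code. The following is an added example, not the ANA/WhiteOps methodology: it scores a constructed impression log on several independent behavioural signals (whether the JavaScript measurement tag executed, whether the browser reports automation, how long the visitor dwelt, per-address volume) alongside a plain datacenter-IP check. The record fields, thresholds, prefix list and sample records are all assumptions for illustration.

```python
# Added example (not from the ANA/WhiteOps study): score ad impressions for
# non-human traffic. The record fields, thresholds and sample data below are
# constructed assumptions for illustration, not the report's methodology.
import ipaddress
from collections import Counter

# Constructed impression records. 'tag_fired' records whether the JavaScript
# measurement tag executed in the client; 'webdriver' is what the tag read from
# navigator.webdriver (None when the tag never ran); 'dwell_ms' is the time
# between the impression and the next navigation (None when unknown).
IMPRESSIONS = [
    {"id": 1, "ip": "192.0.2.10",   "tag_fired": True,  "webdriver": False, "dwell_ms": 8200},
    {"id": 2, "ip": "192.0.2.11",   "tag_fired": True,  "webdriver": False, "dwell_ms": 15400},
    {"id": 3, "ip": "192.0.2.12",   "tag_fired": True,  "webdriver": False, "dwell_ms": 3100},
    # Datacenter bot fetching the ad over plain HTTP: the tag never executes.
    {"id": 4, "ip": "203.0.113.5",  "tag_fired": False, "webdriver": None,  "dwell_ms": None},
    # Headless browser behind a residential proxy: the tag runs, so only the
    # automation flag and near-zero dwell time give it away.
    {"id": 5, "ip": "198.51.100.7", "tag_fired": True,  "webdriver": True,  "dwell_ms": 40},
    {"id": 6, "ip": "198.51.100.7", "tag_fired": True,  "webdriver": True,  "dwell_ms": 55},
]

# Constructed datacenter prefix list; a real deployment uses a maintained feed.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def in_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def score_impressions(records, per_ip_limit=20):
    """Return {impression_id: [reasons]}; each reason is one independent signal."""
    per_ip = Counter(r["ip"] for r in records)
    results = {}
    for r in records:
        reasons = []
        if not r["tag_fired"]:
            reasons.append("measurement tag never executed")
        if r["webdriver"]:
            reasons.append("navigator.webdriver set (browser automation)")
        if r["dwell_ms"] is not None and r["dwell_ms"] < 100:
            reasons.append("dwell time under 100 ms")
        if per_ip[r["ip"]] > per_ip_limit:
            reasons.append(f"{per_ip[r['ip']]} impressions from one address")
        if in_datacenter(r["ip"]):
            reasons.append("datacenter source address")
        results[r["id"]] = reasons
    return results


def behavioural_fraud_rate(records, min_signals=2):
    """Share of impressions with at least min_signals independent bot signals."""
    scores = score_impressions(records)
    flagged = sum(1 for reasons in scores.values() if len(reasons) >= min_signals)
    return flagged / len(records)


def ip_only_fraud_rate(records):
    """Share flagged by IP reputation alone, for comparison."""
    return sum(1 for r in records if in_datacenter(r["ip"])) / len(records)
```

On the constructed data the IP-only check flags one impression in six, while the behavioural scoring flags three in six, the difference being the two bots coming through a residential address. Requiring at least two independent signals keeps a single noisy measurement (a slow network, a privacy extension that blocks the tag) from flagging a real visitor.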
A new study has revealed that British consumers are becoming increasingly worried about how companies are using the data they provide online. Data privacy concerns in Britain are now at a level where more people worry about their data and how it is being used than about losing their main source of income.
The results of the TRUSTe/National Cyber Security Alliance GB Consumer Privacy Index were released in time for European Data Protection Day on January 28, an international day that aims to improve consumer awareness of data privacy issues and encourages businesses to do more to ensure that the data they store are properly protected.
Now in its tenth year, Data Protection Day (Data Privacy Day in the United States) is recognized by the 47 member states of the Council of Europe. A number of privacy initiatives are launched on January 28, and efforts are made to improve awareness of the types of data that are being collected on consumers, how they are being used, and the risks that come from providing those data to companies.
This year, there is a major focus on increasing awareness of how companies are sharing the data that are provided to them by consumers.
Study reveals major data privacy concerns in Britain
The online survey, conducted by Ipsos, took a representative sample of 1,000 individuals in the UK and probed attitudes to data privacy and the measures currently being adopted by consumers to protect online privacy. Respondents were asked about online browsing habits from a privacy perspective, and trust issues they had with websites and web applications.
955 respondents said they were concerned about their privacy online and 364 respondents said they had stopped using an app or website in the past 12 months due to privacy concerns. For many of the respondents, online privacy was such a concern that they worried more about the use and exposure of their data than losing their primary source of income. British online privacy concerns ranked 10 percentage points higher than the fear of loss of the main source of income.
The concern can be explained, in part, by the lack of transparency about how companies use consumer data and with whom they share it. One in four respondents said they did not know how companies were using and sharing their data.
Privacy fears were shown to be affecting how consumers view businesses and appear to influence the use of online services. Of the individuals who were concerned about their online privacy, 76% limited their online activities as a result.
The lack of transparency about how data is used can have a serious impact on business. 89% of respondents said they avoid companies that they do not believe will do enough to protect their privacy. The message to businesses is: Fail to explain what is done with data and consumers will take their business elsewhere.
How are British privacy concerns affecting online activity?
The survey examined privacy concerns in Britain and how those concerns affected online activity in the past 12 months.
- 46% claimed to have withheld personal information from online companies
- 23% stopped an online transaction due to privacy concerns
- 53% did not click on an advert as they were worried about their privacy
- 31% avoided downloading an app or product due to a perceived privacy risk
More than half of respondents (54%) do not trust businesses to be able to store and protect their personal information online and 51% said they do not feel they are in control of their online data.
One of the ways that companies can improve trust is by allowing consumers to remove their data on request. 43% said that they would trust a company more if they were made aware how they could remove personal information if they so required.
Interestingly, while data privacy concerns in Britain are high, the majority of respondents did little to protect their privacy. For instance, 58% of respondents were aware they could delete cookies from their computers, yet only 49% did so. 44% knew that location tracking on smartphones can be turned off, yet only 28% had disabled it. 31% knew that privacy policies could be read, yet only 12% actually read them.
With data privacy concerns in Britain so high, businesses that fail to do enough to secure data and protect consumer privacy are likely to lose out to companies that do. Furthermore, once online trust is lost, it can be difficult to regain.
Anti-virus company Symantec has uncovered a new global web server infection in which hidden scripts injected into servers redirect website visitors to potentially malicious websites. So far, over 3,500 hidden scripts have been identified on compromised servers. A script is triggered when a visitor lands on the compromised site, and that visitor is then redirected to a potentially malicious website.
This is a mass injection on a truly global scale. Hidden scripts on servers in over 75 countries have been discovered, although almost half of the compromised websites are located in the United States. 47% of infections were discovered in the U.S., 12% were discovered on servers in India, with the UK, Italy, and Japan accounting for 6% each. France, Canada, and the Russian Federation each had 5% of infections, with 4% discovered in Australia and Brazil.
The majority of compromised websites were used by businesses, and .edu, .gov, and other government websites had also been compromised.
Hidden scripts on servers pose a significant threat to website visitors
At the present time the scripts have not been found to direct users to websites where drive-by malware downloads occur, nor have visitors been redirected to websites infected with malware. However, there is considerable potential for the criminals to alter the scripts to send visitors to websites capable of delivering malware. A network of compromised servers may be being assembled for a future global attack.
The scripts are currently understood to be used to collect data on users, which Symantec lists as including host IP address, Flash version, referrer, search term queries, page title, monitor resolution, user language, and page URL. The hidden scripts could potentially be used for a wide range of malicious purposes.
All of the infections so far detected have affected a specific website content management system, although that CMS has not been disclosed. All website administrators are advised to check their websites and search for any injected code.
Should injected code be found, it is not just a case of changing the administrator password and removing the script from the site. Backdoors may also have been installed, and a full web server sanitization, ideally a rebuild from a known-good copy, is likely to be required to remove the infection completely.
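The advice to "search for any injected code" is more useful with a concrete starting point. The following is an added example, not part of Symantec’s report or of any CMS project: it walks a web root and reports the tell-tale shapes of script injection (eval of a decoded payload, hidden iframes, document.write of script tags, long escaped blobs, and script tags loading from a host outside an allowlist). The patterns, the allowlisted host and the three sample files are assumptions for illustration; a clean run proves nothing on its own, and findings should be compared against a known-good copy of the site.

```python
# Added example, not part of Symantec's report or any CMS project: scan a web
# root for the kind of injected script the post describes. The patterns, the
# allowlisted script host and the sample files are assumptions for illustration.
import re
import tempfile
from pathlib import Path

# Each entry: (label, compiled pattern). Tuned for recall over precision; review hits by hand.
SUSPICIOUS = [
    ("eval of a decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|unescape|atob)\s*\(", re.I)),
    ("hidden iframe",
     re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width=[\"']?0\b|height=[\"']?0\b)", re.I)),
    ("document.write of a script tag",
     re.compile(r"document\.write\s*\(\s*(unescape\s*\(|['\"]\s*<script)", re.I)),
    ("long escaped or char-code blob",
     re.compile(r"(\\x[0-9a-f]{2}){20,}|(\d{2,3}\s*,\s*){20,}", re.I)),
]
# <script src="..."> pointing at a host outside the allowlist.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def scan_text(text, allowed_hosts):
    """Return a list of human-readable findings for one file's contents."""
    findings = [label for label, rx in SUSPICIOUS if rx.search(text)]
    for m in EXTERNAL_SCRIPT.finditer(text):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            findings.append(f"external script from {host}")
    return findings


def scan_tree(root, allowed_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Walk the web root and return {relative_path: [findings]} for files with hits."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = scan_text(path.read_text(errors="replace"), allowed_hosts)
            if found:
                report[path.relative_to(root).as_posix()] = found
    return report


def demo():
    """Write three constructed files (one clean, two injected) and scan them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(
            '<html><head><script src="https://cdn.example.com/app.js"></script></head>'
            "<body><p>Welcome</p></body></html>")
        (root / "footer.php").write_text(
            '<?php echo "ok"; ?>\n'
            '<script src="//stats.example.net/t.js"></script>\n'
            '<iframe src="http://198.51.100.9/a.html" style="display:none" width="0" height="0"></iframe>\n')
        (root / "config.php").write_text('<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n')
        return scan_tree(root, allowed_hosts={"cdn.example.com"})
```

Run `scan_tree("/var/www/html", {"cdn.example.com"})` against a real web root (the path and host are placeholders) and treat every hit as a lead rather than a verdict: a legitimate analytics tag will show up as an external script, while a well-obfuscated injection may escape all four patterns. Reconciling the file list against a clean deployment is the check that closes the gap.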
MSPs must not forget to address the following common data security threats if they are to keep their clients protected from cyberattacks.
Failure to prevent malware and ransomware installation can be an expensive business. Multi-million-dollar liability lawsuits may follow if insufficient security measures have been implemented to prevent a cyberattack.
Unfortunately, all too often too little is done to keep networks protected from these common data security threats.
Common data security threats MSPs must address!
Listed below are five common data security threats that must be addressed by MSPs, yet they are all too often overlooked.
Anti-phishing protection is essential
Employees have long been known to be a major security risk. There will always be at least one employee in an organization who is a little green when it comes to protecting themselves and their work computer from hackers.
Any organization that fails to adequately protect against the risk of employee errors compromising the network will suffer a network security incident sooner rather than later. One of the biggest mistakes made is employees responding to phishing emails.
Employees must be made aware of the high risk of phishing. Hackers are now targeting individual employees with highly sophisticated campaigns: targets are researched via Facebook and other social media networks, sender names and email addresses are spoofed, and clever pretexts are devised to get end users to download malware or visit malicious websites. Regular training on basics such as phishing avoidance and scam email identification is therefore essential.
Take control of mobile devices used to connect to the network
Phishing is far from the only employee security risk. Employees are now bringing their own devices to work, and these devices pose a major security risk if not effectively managed. If a single employee manages to get their own personal device infected with malware, the infection could all too easily spread to a corporate network.
It is therefore essential not only to limit the individuals who are able to use personal devices for work purposes, but to ensure that any device used for work purposes is routinely monitored.
If employees are permitted to use personal devices for work, or remove laptop computers from company premises, it is essential that sensitive data stored on those devices is encrypted. Mobile devices are frequently lost or stolen and represent a considerable data security risk.
Prepare for a wave of malware attacks on Macs
For years, Macs were widely regarded as immune to malware and viruses; however, last year new malware started to appear that specifically targeted Apple devices. While anti-malware protection for Macs was something that could previously be ignored, that is no longer the case.
The volume of malware targeting Macs is expected to continue to increase this year as Apple’s market share grows. It is now important for all organizations to start preparing for a new wave of Mac attacks.
Implement a robust web filtering solution
Cybercriminals are increasingly using legitimate websites to serve malware to visitors. Recently, the MSN home page was discovered to be hosting malvertising, showing that even some of the biggest internet sites may not be entirely safe. It is therefore essential to implement a web filtering solution that can block malvertising, as well as malicious websites known to deliver drive-by malware payloads.
To keep users and networks protected, it is essential to enforce safe search and to block pharming URLs, malware and phishing sites, tunneling software, and malicious adverts. To avoid a negative impact on the business, use a web filtering solution such as WebTitan, which offers a high degree of granularity. This allows different users and groups to be assigned different privileges, maximizing protection while minimizing the impact on the business.
Develop patch management policies and plug security holes promptly
New security vulnerabilities are being discovered on an almost daily basis, and once one is identified, exploits are rapidly shared via darknet communities. If a vulnerability is allowed to remain, it is only a matter of time before it is used in an attack. It is therefore essential that software is kept up to date and patches are installed as soon as they are released.
However, due to the sheer volume of devices, applications, operating systems, and plugins now in use, keeping on top of all of the upgrades and patches can be overwhelming. Patches must be found, tested, and installed, and all procedures must be documented for compliance purposes. Given the security risk posed by out-of-date software, if the task of managing patches is becoming unmanageable, it may be time to consider an automated patch management solution.
If you want to keep your accounts secure, it is probably best not to use the word password as your password. However, you could do worse according to a list of the worst passwords of 2015 that has recently been published. 123456 is a much worse choice.
The list of the worst passwords of 2015 would be comical were it not for the fact that so many people actually use these words, phrases, and numerical sequences to (barely) secure their accounts. Send the list around your organization and you may even hear a few gasps as users open the document to discover that their cunning password has been revealed to the masses.
The worst passwords of 2015 list contains some absolute howlers, but also some that users may think are actually quite clever. Sadly though, passw0rd is not that difficult for a hacker to guess. 1qaz2wsx is better, but not by much; it also makes this year’s top 25 list.
Unsurprisingly with a new Star Wars film having just been released there are a few new entries along that theme. Solo makes it on the list, as does Princess, and StarWars. Minus the capital letters of course. Leia is not on there, but that does not mean it is a good choice either.
People are very bad at choosing passwords
The list of the worst passwords of 2015 serves as a reminder that we are very bad at choosing passwords. We would all like a password that is easy to remember and can be reused across all of our accounts. So would the hackers.
Even if a password does not make it into the top 25 list of the worst passwords of 2015 and only reaches position 499, it would not keep an account secure for long if a hacker attempted to crack it. Password dictionaries are compiled, updated, and used by hackers to gain access to accounts, and it does not take long to run through a list of the top 1,000 password choices and try them all. If a word is in the Oxford or Merriam-Webster dictionary, it will be on a hacker’s list as well.
The best approach when choosing a password is to accept that a good one will not be easy to remember. The longer and more complex the password, the harder it will be for a hacker to crack: use special characters, numbers, and both capital and lower case letters. Since some end users will ignore this advice, it is essential to enforce a minimum length and the use of capitals, numbers, and special characters, and to reject any password that appears on a common-password list.
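Enforcing these rules is where the value lies, since a pure character-class rule still accepts passw0rd and 1qaz2wsx. The following is an added example, not SplashData’s code: an acceptance check that undoes common leet substitutions and trailing digits before consulting a denylist, detects keyboard walks, and then applies the length and character-class rules. The denylist is a constructed, partial sample that includes the choices named in this post; a real deployment loads a full breached-password corpus. The 11-character minimum follows the advice given elsewhere on this page.

```python
# Added example, not SplashData's code: a password acceptance check of the kind the
# paragraph above calls for. The denylist is a constructed, partial sample that
# includes the choices named on this page; a real deployment loads a full
# breached-password corpus. The 11-character minimum follows the page's own advice.
import string

DENYLIST = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "football",
    "1234", "1234567", "baseball", "welcome", "abc123", "111111", "1qaz2wsx",
    "dragon", "master", "monkey", "letmein", "login", "princess", "solo",
    "passw0rd", "starwars",
}
# Common "leet" substitutions, undone before the denylist lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Rows and columns of a US keyboard; 1qaz2wsx is two columns side by side.
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
TRAILING = string.digits + string.punctuation


def candidate_forms(pw):
    """Variants of pw that a cracking dictionary would also try."""
    lower = pw.lower()
    return {lower, lower.rstrip(TRAILING), lower.translate(LEET).rstrip(TRAILING)}


def is_keyboard_walk(pw, min_run=4):
    """True if any min_run consecutive characters walk along a keyboard row or column."""
    s = pw.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        if any(chunk in run or chunk in run[::-1] for run in KEYBOARD_RUNS):
            return True
    return False


def check_password(pw, min_len=11):
    """Return the list of reasons pw is rejected; an empty list means it passes."""
    reasons = []
    if candidate_forms(pw) & DENYLIST:
        reasons.append("matches a common password (after undoing leet/suffix tricks)")
    if is_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        reasons.append("missing a character class (lower, upper, digit, special)")
    return reasons
```

With this check, Passw0rd! and StarWars2015! are rejected even though both satisfy a four-class composition rule, because the normalised forms land on the denylist; the rejection reasons are returned rather than printed so the same function can drive a web form, a directory password filter, or a batch audit of an existing credential dump.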
According to SplashData, the company that compiled the list of the worst passwords of 2015, keeping accounts secure requires a different hard-to-guess password for every account, together with a password manager so that they do not need to be remembered. The company suggests the use of its own, of course.
However, the most popular password manager, LastPass, was recently shown not to be as secure as people may think. Attackers could all too easily spoof its login prompt and obtain even the most difficult-to-guess master password.
A complex, difficult-to-guess password for each site along with a password manager to help remember it is a good option, and it will help to keep accounts secure and will save sys admins from having to keep resetting user passwords.
However, the real problem is the password itself. That is what needs to change. Any password-based security system is vulnerable, and even two-factor authentication is not infallible.
The best choice for keeping accounts secure is to use biometric factors to verify identity, but sadly, at present the technology is too expensive for many companies to implement. The good news is the technology is becoming cheaper and before the decade is out an alternative to passwords could well be affordable enough for many businesses to implement. We will then finally be well on our way to consigning passwords to the history books.
SplashData’s list of the worst passwords of 2015
Listed below is SplashData’s list of the worst passwords of 2015, together with the list for 2014 for comparison. You can see that, even with the increase in reported hacking incidents, many people are still choosing insecure passwords.
LastPass, the most popular password manager, is susceptible to phishing attacks. A LastPass phishing vulnerability was recently uncovered that could spell disaster for some LastPass users.
Could your password manager be spoofed?
One cybersecurity problem faced by business users and consumers alike is how to keep track of an ever-increasing number of passwords. Reusing a password across websites is a big security no-no, and for maximum security passwords must be complex and changed frequently.
A secure password needs to contain a mix of capital and lower case letters, non-sequential numbers, and special characters, and ideally should be at least 11 characters long. It must not include any personal information or dictionary words. In short, each password must be next to impossible to remember. Just in case you do manage to memorize it, it is essential to change it often: at least every three months, but preferably every month.
The solution for many people, consumers and business users alike, is to use a password manager. This has the advantage of remembering your passwords for you, although it has the disadvantage of exposing every one of your passwords should the unthinkable happen and the password manager be hacked.
Fortunately, when it comes to the latter, the chances are very slim. Password managers are robust and secure, right? Well that would depend on which password manager you use. If you use LastPass for instance, the most popular password manager, those passwords may not be quite as secure as many people think.
At last weekend’s ShmooCon conference, Praesidio CTO Sean Cassidy demonstrated a LastPass phishing vulnerability and showed just how easy it is to spoof the LastPass password manager and obtain login credentials. The bad news is that the technique is so effective the user would be highly unlikely to notice that his or her password had been compromised.
LastPass phishing vulnerability can be exploited with very little skill
The LastPass phishing vulnerability is easy to exploit and has left many security professionals wondering whether this technique is already being used by cybercriminals to gain access to passwords. LastPass has announced that it has patched the problem and has increased security to make it harder for user details to be phished.
Cassidy discovered the LastPass phishing vulnerability some time ago. When logged out, or when a session expires, a browser notification or viewport is displayed requesting the user log back in. However, what happens if that browser window is spoofed? If the user can be redirected to a malicious website where a spoofed version of that browser window is displayed, they could be fooled into entering their login name and password, revealing it to the phisher.
If the spoofed viewport was convincing, the user would enter their credentials and be none the wiser that they had been phished. Cassidy set out to prove this by creating an exact copy of the LastPass login screen and hosting it on a domain he had bought, chrome-extension.pw. The login screen was not just realistic; it was identical to the real login prompt in every way, because Cassidy copied it from the source code of the real page.
LastPass phishing vulnerability used to capture login credentials
If the user is first logged out via a known cross-site request forgery (CSRF) flaw, a spoofed viewport can be displayed. Instead of being taken to the real site, the user is directed to a page that merely looks like the LastPass one. When the login details are entered, they are forwarded to the LastPass API and verified, so the user sees nothing unusual while the attacker now holds the master password. Even if 2FA is enabled, a similar prompt can be used to capture the second authentication factor.
According to Cassidy, a security measure designed to alert the user if their account has been accessed from an unusual IP address would not be triggered if 2FA had been enabled on the account.
LastPass has now made a change so that the email alert is sent to the user regardless of whether they have 2FA set up. Should they be phished, they will at least be aware of it. LastPass has also blocked websites from logging users out, and further security measures are planned that will notify users through a channel that bypasses the viewport.
However, since Cassidy has released the tool that demonstrates the LastPass phishing vulnerability and how it can be exploited, other attackers could take advantage and create their own versions. LastPass has issued a statement confirming that, with the email verification corrected and a patch issued to resolve other security vulnerabilities, the issue is resolved. The phishing attempt would now only succeed if the user’s email account had also been compromised.
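The weakness in the alert logic is worth seeing side by side with the fix, because it is a generic authentication mistake: treating a second factor as a reason to skip a new-location check, when the attacker has just phished that second factor too. The following is an added example and not LastPass code (the service’s implementation is not public): a small model of the login flow in which the account fields, the stand-in hashing and OTP checks, the exact verification semantics after the fix, and the sample data are all assumptions.

```python
# Added example, not LastPass code: a model of the new-IP alert logic described
# above, with the reported weak behaviour beside the corrected one. Account
# fields, the stand-in hashing and OTP checks, and the sample data are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: bytes
    totp_secret: Optional[str] = None        # 2FA is enabled when this is set
    known_ips: set = field(default_factory=set)


def hash_password(pw: str) -> bytes:
    # Stand-in for a real salted, iterated KDF; kept minimal for the example.
    return hashlib.sha256(pw.encode()).digest()


def verify_otp(secret: str, otp: Optional[str]) -> bool:
    # Stand-in for TOTP: in this example the 'secret' is simply the expected code.
    return otp is not None and hmac.compare_digest(secret, otp)


def login(account, password, otp, source_ip, patched=True):
    """Return (session_issued, alert_emailed, email_verification_required).

    The phisher replays a master password (and OTP) captured by the spoofed
    viewport from an address the real user has never used, so the unknown-IP
    alert is the victim's only chance of noticing.
    """
    if not hmac.compare_digest(hash_password(password), account.password_hash):
        return (False, False, False)
    if account.totp_secret is not None and not verify_otp(account.totp_secret, otp):
        return (False, False, False)
    if source_ip in account.known_ips:
        return (True, False, False)
    if patched:
        # Corrected behaviour: every unknown IP is alerted and must be confirmed
        # by e-mail before a session is issued, whether or not 2FA is enabled.
        return (False, True, True)
    # Reported weak behaviour: the unknown-IP alert was only sent to accounts
    # without 2FA, so a phished password plus phished OTP logged in silently.
    if account.totp_secret is None:
        return (True, True, False)
    return (True, False, False)


def demo():
    """A 2FA user phished by the spoofed viewport, replayed before and after the fix."""
    acct = Account("user@example.com", hash_password("correct horse battery staple"),
                   totp_secret="492817", known_ips={"192.0.2.10"})
    attacker_ip = "203.0.113.45"
    weak = login(acct, "correct horse battery staple", "492817", attacker_ip, patched=False)
    fixed = login(acct, "correct horse battery staple", "492817", attacker_ip, patched=True)
    return weak, fixed
```

In the weak branch the 2FA user is the worse off of the two: the attacker gets a session and no email goes out. In the patched branch the same replay yields no session, an alert, and a verification step that only someone holding the victim’s mailbox can complete, which is exactly the residual condition the statement above describes.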
A Microsoft Silverlight security vulnerability is something of a rarity. The application framework may be similar to Adobe Flash, but it does not contain nearly as many security vulnerabilities; in fact, it is exceptionally rare for a bug to be discovered. In this case, Kaspersky Lab identified the security flaw, which could potentially allow remote code execution.
Microsoft has now addressed the security flaw (CVE-2016-0034) in its latest MS16-006 patch which was released on Tuesday. Kaspersky Lab has now published an analysis of the security flaw.
It is essential for the patch to be installed. While the vulnerability is not believed to have already been exploited, it is possible for the patch to be reverse engineered. According to Brian Bartholomew of Kaspersky Lab, “it’s not that difficult to produce a weaponized version of it.”
Rare Microsoft Silverlight security vulnerability investigated by Kaspersky Lab researchers
Kaspersky Lab researchers may not have been the first people to discover the Microsoft Silverlight security vulnerability. They decided to investigate a potential Silverlight vulnerability that had allegedly been discovered by Russian hacker Vitaliy Toropov. He claimed to have written an exploit for it, which he was trying to sell to Hacking Team. At the time, Hacking Team was more interested in Adobe Flash zero-day exploits and ignored the Silverlight offer.
Kaspersky Lab decided to investigate due to the potential damage that could be caused by a Silverlight bug. The vulnerability could potentially be used to attack both Windows and OS X devices running Microsoft Silverlight 5 or Microsoft Silverlight 5 Developer Runtime. Users could be targeted with a phishing email and convinced to visit a website where a drive-by download would occur and load a malicious Silverlight application, regardless of the browser they were using.
Kaspersky Lab did discover a security vulnerability, although whether it is the same one that Toropov had developed an exploit for is not known. Either way, it is one less security issue to worry about now that it has been patched by Microsoft.
The first Microsoft security update of the year may have included only 9 security bulletins, but six of them have been marked as critical. The bulletins address seven bugs that permit remote code execution and one that allows elevation of privileges. A spoofing vulnerability affecting Microsoft Exchange Server has also been discovered and patched.
The updates include patches for 25 separate vulnerabilities. These critical Windows security flaws should be addressed as soon as possible to keep systems protected. While not all of these security flaws have been published, it is possible for a patch to be reverse engineered to allow a hacker to take advantage of the vulnerabilities in unpatched machines.
Critical Windows security flaws patched in latest Microsoft security update
Of the critical Windows security flaws identified and addressed, one of the most serious is covered by security bulletin MS16-005. This is one of the remote code execution vulnerabilities, but it is the one most likely to be exploited by hackers, as the vulnerability has been publicly disclosed. It affects Windows kernel-mode drivers and makes it possible for an attacker to bypass Address Space Layout Randomization (ASLR). All that would be required is to get the user to visit a malicious website.
MS16-001 is critical for users of Internet Explorer. This security flaw affects versions 8, 9 and 10 of the web browser. This will be the last security update for Internet Explorer 8 and 10, with Microsoft having now stopped providing security support. Internet Explorer 9 security updates will continue to be provided for Windows Vista and Windows Server 2008 SP2, but users of IE 8 and 10 should now upgrade to IE 11 to ensure continued support.
One of the flaws it addresses is a memory corruption vulnerability in the VBScript engine that could be exploited by getting an individual to visit a malware-compromised website. This would allow an attacker to gain the same privileges as the current user. If that user had administrative privileges, the attacker would be able to take control of the computer and install programs, or delete or modify data. The same VBScript vulnerability is addressed in MS16-003.
While not marked as critical, any organization using Outlook Web Access (OWA) should ensure that MS16-010 is applied. This patch addresses four separate vulnerabilities in Exchange Server that could potentially be exploited in a business email compromise (BEC).
While only marked as important, Exchange administrators are likely to disagree. An attacker could exploit this vulnerability to make a phishing email appear as if it had been sent from within the organization. This would make the phishing email difficult for employees to identify and would likely result in a large number of employees compromising their computers.
Microsoft has also patched a bug in Silverlight (MS16-006), which was identified by Kaspersky Lab. The bug is particularly risky for anyone operating Microsoft Silverlight across multiple platforms. The patch plugs a runtime remote code execution vulnerability.
Security researchers at IBM’s X-Force have identified a worrying new Rovnix malware strain that is being used in a spate of cyberattacks on Japanese banks.
Rovnix malware is nothing new. It has been around for a couple of years, but it now ranks as one of the top ten malware families used in attacks on financial institutions. It may not be used nearly as often as Dyre, Neverquest, Dridex, Zeus or Gozi, the top five currently used by cybercriminals, but it is particularly nasty and highly persistent. Worse still, the new strain is only detected by 7% of anti-virus engines.
New Rovnix Malware Strain Is Particularly Worrying for Japan’s Banks
The latest wave of attacks on Japanese banks signals a major departure from the usual attacks conducted by cybercriminal gangs in Europe. Previously, they concentrated on attacking European banks and left Japan well alone. That is no longer the case; in fact, IBM’s X-Force has described the latest wave of attacks as “an onslaught.” The criminal gang behind the latest Rovnix campaign has targeted 14 Japanese banks since the start of December last year.
The language barrier has prevented cybercriminal gangs from targeting Japan’s banks in the past, but they have now got around the problem and have developed their campaign in Japanese, with each lure tailored to the bank under attack.
As with campaigns conducted in Europe, the primary means of malware delivery is spam email. A spam message contains a zip file purporting to hold an innocuous waybill for a parcel delivery from a courier company. Opening the attachment and “viewing” the waybill actually launches a downloader that loads Rovnix malware onto the device.
Highly Sophisticated Rovnix Malware Defeats Two-Factor Authentication
More worrying, some users are also prompted to download an app to their mobile phone. Doing so compromises their SMS messages: when the bank sends an authorization code to the mobile device, the cybercriminals intercept that code and use it to authorize a fraudulent transfer, defeating the two-factor authentication used by the bank.
Rovnix malware tends to be used to target one country at a time, but that need not always be the case, as it can be quickly adapted to attack any country’s banks. The malware is highly sophisticated and can be tailored to attack different institutions and evade detection. Even before it is installed, it scans the device to determine which security products are present and then uses a range of mechanisms to evade them.
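A mail gateway can catch the delivery stage described above without knowing anything about Rovnix itself, because the lure relies on a zip whose "waybill" is really a script or executable. The following is an added example and not IBM X-Force code: it parses a message, looks inside zip attachments, and flags members with executable or script extensions, document extensions masking an executable, or a PE header behind a harmless-looking name. The message, file names and extension lists are constructed for illustration.

```python
# Added example, not IBM X-Force code: a mail-gateway check for the delivery
# pattern described above, a zip attachment whose "waybill" is really a downloader.
# The message, file names and extension lists are constructed for illustration.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
             ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def member_findings(name, head):
    """Findings for one file given its name and first bytes."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    findings = []
    if exts and exts[-1] in EXEC_EXTS:
        findings.append(f"{name}: executable or script type {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
        findings.append(f"{name}: document extension masking an executable")
    if head.startswith(PE_MAGIC) and (not exts or exts[-1] not in EXEC_EXTS):
        findings.append(f"{name}: PE header behind a non-executable name")
    return findings


def scan_message(raw):
    """Return a list of findings for every attachment, looking inside zip archives."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ZIP_MAGIC):
            findings += member_findings(fname, payload[:2])
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    try:
                        head = zf.open(info).read(2)
                    except RuntimeError:  # encrypted member: cannot inspect, so flag it
                        findings.append(f"{info.filename}: encrypted zip member")
                        continue
                    findings += member_findings(info.filename, head)
        except zipfile.BadZipFile:
            findings.append(f"{fname}: corrupt zip archive")
    return findings


def build_sample():
    """Constructed courier-themed lure carrying a zip whose 'waybill' is a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("waybill_20160107.pdf.js", "// downloader stub (constructed)\n")
        zf.writestr("invoice.pdf", b"MZ\x90\x00 not really a PDF")
        zf.writestr("readme.txt", "Your parcel could not be delivered.\n")
    msg = EmailMessage()
    msg["From"] = "delivery@courier.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Delivery notice 20160107"
    msg.set_content("Please see the attached waybill.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="waybill.zip")
    return msg.as_bytes()
```

Password-protected archives, a common way of keeping the gateway from seeing inside, are reported as encrypted members rather than silently passed, and a zip is recognised by its magic bytes rather than its file name so that renaming the attachment does not bypass the check.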
Microsoft has announced it will be pulling the plug on old versions of Internet Explorer and will be withdrawing software security support on IE 8, 9, and 10 from Tuesday January 12, 2016. An Internet Explorer security risk warning has been issued as older versions of the web browser will be more vulnerable to cyberattack from tomorrow.
Microsoft will only be issuing security updates and providing technical support for Internet Explorer 11 and Microsoft Edge from January 13, 2016. All users running Windows 7 or 8.1 have been urged to upgrade to Internet Explorer 11, with Windows 10 users asked to make the switch to Microsoft Edge by Wednesday, January 13.
The news shouldn’t come as a major surprise, as Microsoft first announced the discontinuation of support for older versions of IE 18 months previously; that said, many IT departments and individual users have not yet upgraded. Duo Security has calculated that 36% of IE users are running versions 9 or 10.
The problem for many enterprises is web applications have been developed to work on Internet Explorer 9 or 10, and consequently an upgrade may require changes to be made to those applications to ensure they work optimally on Edge or IE11.
The good news is that only one version change will be required. Microsoft has confirmed that although earlier versions of the browser are being retired, it has promised to continue offering support for IE11 for the lifespan of Windows 7, 8, and 10. The same applies to the Microsoft Edge browser.
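Before planning the upgrade, an IT department needs its own version of the Duo figure: how much of its web traffic still comes from IE 8, 9 or 10. The following is an added example, not from Duo Security or Microsoft, that derives the installed IE version from request User-Agent strings and reports the unsupported share over a set of constructed web server log lines. The User-Agent conventions it relies on are IE’s real ones (an MSIE token up to IE 10, a Trident/7.0 plus rv:11.0 form for IE 11, and a Trident engine token that survives even when compatibility mode rewrites the MSIE token to a lower version); the log lines themselves are made up for illustration.

```python
# Added example, not from Duo Security or Microsoft: work out which Internet
# Explorer version each request came from and report the share still on the
# versions losing support. The log lines are constructed; the User-Agent
# conventions are IE's real ones: an "MSIE x.y" token up to IE 10, a
# "Trident/7.0 ... rv:11.0" form for IE 11, and a Trident engine token that
# survives even when compatibility mode rewrites the MSIE token to a lower version.
import re
from collections import Counter

MSIE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT = re.compile(r"Trident/(\d+)\.\d+")
RV = re.compile(r"\brv:(\d+)\.\d+")
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}
# Versions losing support per the post (IE 9 stays supported only on Vista/2008 SP2).
UNSUPPORTED = {8, 9, 10}

# Constructed combined-log-format lines; the User-Agent is the last quoted field.
LOG_LINES = [
    '192.0.2.1 - - [11/Jan/2016:09:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '192.0.2.2 - - [11/Jan/2016:09:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '192.0.2.3 - - [11/Jan/2016:09:01:20 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    # IE 11 running in compatibility mode: the MSIE token says 7, Trident says 11.
    '192.0.2.4 - - [11/Jan/2016:09:01:31 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"',
    '192.0.2.5 - - [11/Jan/2016:09:01:40 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586"',
    '192.0.2.6 - - [11/Jan/2016:09:01:44 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"',
    '192.0.2.7 - - [11/Jan/2016:09:02:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"',
]


def ie_version(ua):
    """Return the installed IE major version, or None for any other browser."""
    if "Edge/" in ua:          # Edge is not IE, even though it mentions Chrome/Safari
        return None
    t = TRIDENT.search(ua)
    if t and int(t.group(1)) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[int(t.group(1))]   # trust the engine over the MSIE token
    m = MSIE.search(ua)
    if m:
        return int(m.group(1))                  # IE 7 and earlier carry no Trident token
    r = RV.search(ua)
    if r and "Trident" in ua:
        return int(r.group(1))                  # IE 11 form with an unknown Trident number
    return None                                 # Firefox also uses rv:, but without Trident


def user_agent(log_line):
    """Pull the User-Agent out of a combined-log-format line (the last quoted field)."""
    return log_line.rsplit('"', 2)[1]


def unsupported_share(lines):
    """Return (share of IE requests from unsupported versions, Counter of IE versions)."""
    versions = Counter()
    for line in lines:
        v = ie_version(user_agent(line))
        if v is not None:
            versions[v] += 1
    total = sum(versions.values())
    if total == 0:
        return 0.0, versions
    bad = sum(n for v, n in versions.items() if v in UNSUPPORTED)
    return bad / total, versions
```

The compatibility-mode line is the one that matters for the web-application concern above: a site that forces IE 11 into an older document mode will log an MSIE 7.0 token, and counting that as an unsupported browser would overstate the upgrade backlog, which is why the Trident token is checked first.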
Internet Explorer Security Risk Will Increase Following Next IE11 Update
The Internet Explorer security risk will not increase substantially overnight. It is highly improbable that hackers have exploits lined up that can be used on older versions. However, when software is discontinued, it is the issuing of the next patch on the supported version that is the critical date.
In the case of Internet Explorer, cybercriminals will be able to assess what is updated in the next release. When IE11 is patched, it will be highly probable that many of the vulnerabilities that are addressed will also affect previous IE versions.
Hackers could develop exploits for those unpatched vulnerabilities to attack individuals running older browser versions. The Internet Explorer security risk will increase substantially.
It is much easier for cybercriminals to exploit vulnerabilities in browsers than unpatched software installed on devices. All that is required is to direct the user to an infected website containing the appropriate exploit kit for the user’s device to be infected.
Companies in highly regulated industries such as financial services and healthcare should ensure their browsers are updated before support ends. Running machines on outdated, unsupported software is likely to violate industry regulations and could result in significant financial penalties.
If there is one thing sysadmins can count on happening almost daily, it is users forgetting their passwords. As passwords have to become more complex to resist guessing, users struggle to remember them.
This is no surprise. Research has shown that passwords of 6 characters, especially those containing only lowercase letters, are no obstacle to cybercriminals: they can be cracked all too easily. Unfortunately, even though many users know that passwords should contain special characters, upper- and lower-case letters, and at least one number, far too many still choose simple, easy-to-remember passwords. There is a trade-off between security and convenience, and all too often end users opt for the latter.
Ideally, for maximum security, passwords should not contain dictionary words and should consist of at least 11 randomly generated characters drawn from upper- and lower-case letters, numbers and special characters. Companies are now learning that while complex passwords are inconvenient, that inconvenience is a small price to pay compared with the cost of dealing with a data breach.
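As an added illustration in Python (not from the surveys cited here) of what the comparison between a 6-character lowercase password and 11 random characters means in bits, and of how to generate and check passwords against such a policy. The guess rate and the tiny banned-word list are assumptions made for the demonstration, not figures from the page.

```python
import math
import secrets
import string

# Character classes the policy in the text calls for
CLASSES = {
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "digit": string.digits,              # 10
    "special": string.punctuation,       # 32
}
ALPHABET = "".join(CLASSES.values())     # 94 printable symbols

# Assumed offline guess rate for a fast hash on a single GPU rig; not a figure from the page
ASSUMED_GUESSES_PER_SECOND = 1e9

# Tiny stand-in for a real dictionary, constructed for the example
BANNED_WORDS = ("password", "welcome", "letmein", "qwerty")


def entropy_bits(length, alphabet_size):
    """Entropy of a password chosen uniformly from alphabet_size ** length candidates."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Expected time to hit a uniformly random password: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second


def policy_violations(password, min_length=11, banned_words=BANNED_WORDS):
    """List the policy rules a password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    lowered = password.lower()
    if any(word in lowered for word in banned_words):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length=11):
    """Random password from the full alphabet with every class represented (rejection sampling)."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for label, length, size in (("6 lowercase letters", 6, 26), ("11 random printable", 11, 94)):
        bits = entropy_bits(length, size)
        print(f"{label}: {bits:.1f} bits, ~{seconds_to_crack(bits):.3g} s at 1e9 guesses/s")
    print("generated:", generate_password())
```

The 6-character lowercase case comes to about 28 bits, which a single GPU exhausts in well under a second at the assumed rate; 11 characters from the 94-symbol alphabet is about 72 bits, millions of years at the same rate. Note that the entropy figures only hold for passwords actually chosen at random, which is why the generator uses `secrets` rather than `random`.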
Secure password controls are now being introduced by the majority of companies
A survey conducted last year by Ping Identity suggests that the majority of companies have now implemented enhanced controls to ensure end users choose secure passwords. 82% of respondents rated their company's password controls as good or excellent, and said their IT departments force regular password changes so that a stolen or cracked password has a limited useful life. 76% indicated they are required to change their passwords every 1-3 months.
While this is good news, the same survey revealed that password sharing and reuse are still common. Half of enterprise employees use the same passwords for work and personal accounts, 37% of respondents said they had shared passwords with family members, and almost half admitted reusing passwords across work accounts.
A recent survey conducted by SecureAuth, a provider of multi-factor authentication systems, confirmed that passwords are now too complex for many end users to remember. 308 IT security professionals took part, and 85% said their helpdesk is frequently contacted by users who have forgotten their passwords; 37% said employees call the helpdesk about forgotten passwords all the time.
A majority of IT security professionals believe that passwords alone are no longer secure enough to protect networks. 66% said they are now using multi-factor authentication controls.
Many would like to move away from passwords entirely, but at present the technology required for other, more secure user authentication methods is prohibitively expensive. A retina or fingerprint scan may be ideal, but few companies are willing to pay for the hardware.
That said, over the next decade things are likely to change, or so it is hoped. In the survey, 91% of cybersecurity professionals believed the password will cease to exist within ten years, replaced by more secure authentication methods as the cost of the technology falls. For the time being, however, helpdesk staff will continue to spend a considerable amount of time resetting passwords.
What is arguably the world's most secure smartphone may not be quite as secure as users have been led to believe. An exploitable bug has been discovered that allows Silent Circle's Blackphone 1 to be hijacked.
On its release, Silent Circle's Blackphone was billed as the first smartphone designed with privacy at the core of its design. The phone looks like any other smartphone and functions like an Android device, but it runs Silent OS, a custom Android build that, to all intents and purposes, closes every possible backdoor. At least, that was the plan. It turns out that not all backdoors were closed.
Backdoor Exists in World’s Most Secure Smartphone
Researchers at SentinelOne have discovered one such backdoor, which allows the ultra-secure smartphone to be hijacked. While the user believes their calls and text messages are perfectly secure, an attacker could be listening in to calls and monitoring the numbers dialed or received. The flaw would also allow an attacker to read text messages sent or received, change caller ID settings, mute the modem speaker, kill the modem, silently check numbers, place calls from the phone, or force conference calls with other parties.
A person attempting to call the user of a hijacked Blackphone could have that phone call directed to the attacker without the Blackphone user being aware that the call is taking place.
The Blackphone vulnerability is not in Silent OS itself but in the device's built-in modem. The modem exposes an open socket through which radio commands can be issued. The port may have been left open by the phone's developers for debugging, but it was not secured before release. Perhaps a simple oversight, but one which potentially leaves the phone wide open to attack.
The vulnerability could potentially be exploited via a malicious app, or it is conceivable that the owner of the phone could be targeted with a phishing campaign and convinced to run malicious code.
Researchers do not believe that the vulnerability has been exploited in the wild, and a software update has now been issued to address the vulnerability. All users must update to 1.1.13 RC3 or above to secure their device. Now that the vulnerability has been disclosed the update is critical.
A bug in a smartphone is to be expected, but one in what is supposedly among the world's most secure smartphones is something of a worry. Furthermore, this is not the only Blackphone bug discovered. Last year a vulnerability was uncovered in its secure messaging application. The memory corruption flaw could be exploited remotely to gain the privileges of the messaging application, enabling an attacker to decrypt the Blackphone's encrypted messages, read contact information, run code, or write to external storage.
2014 was a bad year for IT security professionals, and thanks to some large scale cyberattacks, 2015 was not much better. However, what does 2016 have in store? What will be the biggest 2016 security threats? Some predictions for the coming year are listed below:
2016 Security Threats: What does the coming year have in store?
What is abundantly clear is that 2016 security threats will increase in number. The cyberattack surface is growing with more devices and device types to attack than ever before. Cybersecurity budgets may have been increased for 2016, but funding has not been increased by nearly enough for many IT departments. Tackling the biggest 2016 security threats will be a big ask, and vulnerabilities will remain that can be exploited.
Phishing will continue to be an effective attack option
Enterprise cybersecurity defenses are becoming more sophisticated, passwords are becoming more secure, and two-factor authentication is becoming the norm. It is certainly now harder for cybercriminals to successfully attack many companies. Unfortunately end users are still a major weak point that cybercriminals will continue to exploit. Many major cyberattacks in 2015 had their roots in phishing attacks and the attacks are expected to continue in 2016.
Unless staff members receive training on how to identify phishing emails and spot malicious websites, they are likely to fall for phishing scams. Major data breaches are likely to be discovered in 2016 that have been made possible due to phishing schemes.
IoT device hacks a growing cause for concern
If you thought the hacking of IoT devices was something to be dealt with next year or later, you may end up regretting not securing your devices sooner. It may not be time to worry about your refrigerator being hacked, but as 2015 demonstrated quite clearly, IoT hacks are not a future problem. They are a clear and present danger. Miller and Valasek's successful remote takeover of a Jeep Cherokee proved that. Medical devices are also high on the list of potential targets, and could be used as an easy entry point into healthcare networks. Hacks of IoT devices are likely to start in earnest in 2016.
Difficult-to-Detect attacks will increase
Traditional malware will continue to pose a major threat to consumers and businesses, but difficult-to-detect attacks are on the increase. Memory-resident and other fileless malware attacks will become more prevalent in 2016. As security software gets better at identifying malicious files on disk, cybercriminals will increasingly take advantage of vulnerabilities in BIOS, firmware, and drivers. These attacks are difficult to detect, but fortunately also difficult to execute. Until memory scanning is deployed by the majority of organizations, they are likely to proliferate.
Apple Devices to be targeted
As Apple’s market share increases, attacking Apple devices will become more profitable. With Apple now having a 13.5 percent share of global smartphone sales and 7.5 percent of the desktop market, the devices are likely to be attacked with increasing regularity.
While the devices were previously considered to be secure, new iOS and OS X malware has been discovered. That malware doesn’t just pose a risk for users of jail-broken devices. In 2015, XcodeGhost found its way into the Apple App Store, and this is unlikely to be the last malware to target the Apple devices. Further Masque attacks can also be expected in 2016. Apple device owners may have a rude awakening in 2016 if they remain complacent about security.
Card-Not-Present (CNP) Fraud to Increase
Thanks to the introduction of new payment technologies, it is becoming harder for criminals to conduct point-of-sale attacks, but the data stored by retailers is still not well protected. Cyberattacks on retailers will concentrate on obtaining data for digital fraud, and an increase in card-not-present (CNP) fraud can be expected. In the EU, CNP fraud rose by 21% last year and faster growth is expected in 2016.
Healthcare industry will continue to be targeted
At the end of 2014, many security experts predicted that 2015 would be a rough year for the healthcare industry, but few could have imagined how rough it would get and how quickly cyberattacks would occur. It didn’t take long. Within two months, two healthcare hacking incidents were reported that made previous data breaches look tiny by comparison. The attack on Premera BlueCross exposed a whopping 11 million healthcare records, but even that was tiny compared to the 78.8 million records exposed in the hack of Anthem Inc. Over 113 million healthcare records were exposed or stolen in 2015.
In 2016, the healthcare industry is likely to continue to be targeted by hackers. The data they store is of high value and security defenses are still relatively poor.
Gamers have been put on high alert following news that TeslaCrypt ransomware attacks are on the increase. The file-encrypting malware was first identified in March of this year, but this month the number of attempted attacks has skyrocketed.
TeslaCrypt ransomware does not specifically attack computer game players, but it is gamers that are most likely to have to pay the ransom if their computers are infected. TeslaCrypt ransomware is likely to encrypt game files, maps, saved games, mods, and even game software, leaving gamers with little choice but to pay the ransom or lose everything.
About a month after TeslaCrypt ransomware was discovered, security researchers had developed a tool that could decrypt affected files. However, during the past few months the authors of the malware have been busy tweaking TeslaCrypt, and the decryption tool developed in April is no longer guaranteed to work.
Businesses now being targeted with TeslaCrypt Ransomware
Not only has TeslaCrypt ransomware evolved, it has been sold on the black market to cybercriminals. The authors appear to have been selling their ransomware-as-a-service, and while they have had relatively few takers, that has now changed.
Known infections have remained relatively low throughout the course of the year, but December has seen a major increase. The number of attempted attacks in November remained fairly constant at approximately 200 per day. By mid-December that figure increased to around 1,800 per day.
The ransomware is also no longer just being used to target gamers, in fact, better rewards can be gained from attacking businesses. This fact has not been lost on the cybercriminals behind the latest wave of TeslaCrypt ransomware attacks.
The ransomware is known to encrypt 185 file types, and while many of those are specific to games, the malware is particularly damaging for businesses. Encrypted files are given a .vvv extension. Removing the malware does not recover the data: without a working decryption tool or a backup, the only way to get the files back is to pay the ransom.
Ransom notes are dropped on the user's desktop directing them to websites where payment is demanded to decrypt their files. Any business that has failed to back up its data may have little alternative but to pay.
Due to the increase in reported attacks in December, all businesses are advised to exercise extreme caution. Backups should be performed daily, and end users told to be particularly vigilant. The attack vector for the latest wave is mostly spam email: accounts department staff are being targeted and fooled into opening attachments disguised as invoices and receipts in PDF or DOC format, with subject lines typically referring to an order, invoice, or bank transfer.
The best way to prevent an attack is to ensure that spam emails are not delivered to end users in the first place, and to make sure end users know never to open an attachment sent by an unknown sender.
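One detection a SOC can run over file-rename telemetry, as an added Python example that is not a vendor tool and not from the article: a single host appending the same new extension to many files within a short window is the signature of the behaviour described above. The log format and the sample events are constructed for the example; the .vvv extension is the one the article names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed file-audit lines (not real telemetry); the format assumed here is:
# <ISO timestamp> <host> <user> RENAME <old path> -> <new path>
SAMPLE_EVENTS = """\
2015-12-14T10:02:01 WS-ACCT-07 jsmith RENAME C:\\Users\\jsmith\\Documents\\Q4-forecast.xlsx -> C:\\Users\\jsmith\\Documents\\Q4-forecast.xlsx.vvv
2015-12-14T10:02:01 WS-ACCT-07 jsmith RENAME C:\\Users\\jsmith\\Documents\\invoice-2231.pdf -> C:\\Users\\jsmith\\Documents\\invoice-2231.pdf.vvv
2015-12-14T10:02:02 WS-ACCT-07 jsmith RENAME C:\\Users\\jsmith\\Documents\\board-minutes.docx -> C:\\Users\\jsmith\\Documents\\board-minutes.docx.vvv
2015-12-14T10:02:02 WS-ACCT-07 jsmith RENAME C:\\Users\\jsmith\\Pictures\\team.jpg -> C:\\Users\\jsmith\\Pictures\\team.jpg.vvv
2015-12-14T10:02:03 WS-ACCT-07 jsmith RENAME C:\\Users\\jsmith\\Desktop\\payroll.csv -> C:\\Users\\jsmith\\Desktop\\payroll.csv.vvv
2015-12-14T10:02:03 WS-ACCT-07 jsmith RENAME C:\\Shares\\finance\\ledger.xlsx -> C:\\Shares\\finance\\ledger.xlsx.vvv
2015-12-14T10:30:15 WS-DEV-02 alee RENAME C:\\src\\notes.txt -> C:\\src\\notes.md
2015-12-14T10:31:40 WS-DEV-02 alee RENAME C:\\src\\config.yaml -> C:\\src\\config.yaml.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) RENAME (.+?) -> (.+)$")


def appended_extension(old_path, new_path):
    """Return the suffix appended to an otherwise unchanged name (e.g. 'vvv'), else None.
    Families that replace the extension instead of appending one need a second rule."""
    prefix = old_path + "."
    if new_path.startswith(prefix) and "." not in new_path[len(prefix):]:
        return new_path[len(prefix):].lower()
    return None


def parse_events(text):
    """Yield (timestamp, host, user, old_path, new_path) for every well-formed line."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, host, user, old_path, new_path = match.groups()
            yield datetime.fromisoformat(ts), host, user, old_path, new_path


def detect_ransomware_bursts(text, window_seconds=60, threshold=5):
    """Flag (host, extension) pairs where at least `threshold` files gained the same new
    extension inside a sliding window. Returns {(host, ext): peak count in window}."""
    windows = defaultdict(deque)   # (host, ext) -> timestamps inside the current window
    alerts = {}
    for ts, host, _user, old_path, new_path in sorted(parse_events(text)):
        ext = appended_extension(old_path, new_path)
        if ext is None:
            continue
        key = (host, ext)
        recent = windows[key]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(recent))
    return alerts


if __name__ == "__main__":
    for (host, ext), count in detect_ransomware_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files renamed to .{ext} within 60 s")
```

The threshold and window are tuning knobs: the accountant's six renames in three seconds trip the rule, while the developer's one-off `.bak` rename does not. In practice the same logic is fed from Windows file-audit events or an EDR's file telemetry, and the alert should trigger host isolation rather than just a ticket, since encryption of a file share proceeds at the speed of the infected machine's disk.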
The rise in popularity of Macs, MacBooks, and iPhones has seen even more consumers make the switch from Windows desktops and Android phones. As the number of Apple users grows, so too will the threat from malware. While previously thought of as totally secure, Apple devices have now been attacked and those attacks are likely to continue. Some security experts are now predicting an OS X and iOS malware boom in 2016 as hackers and cybercriminals attempt to tap into Apple's user base.
Hackers have previously concentrated on Windows due to the sheer number of users using the operating system. It is more profitable to attack a system that virtually everyone uses rather than a system used by relatively few individuals.
Apple devices are more secure than their Windows-based counterparts, although in recent months a number of chinks have been found in Apple's armor. Hackers are expected to take advantage with increasing frequency over the course of the next 12 months.
One of the ways cybercriminals have started to attack Apple users is via malicious apps sneaked into the Apple App Store. The Masque attack in 2014 replaced legitimate apps with malicious versions, and other methods have since been developed to get malicious programs onto users' devices.
First iOS Malware Discovered in the Wild in 2015
iOS malware may be less common than malware designed to attack Windows, but we have already seen a major increase in malicious programs designed to attack Apple devices. OS X malware has increased nine-fold over the course of the past year according to Symantec, and in October the first iOS malware – YiSpecter – that was capable of attacking non-jailbroken devices was discovered. This iOS malware implements malicious functionalities in iOS and is capable of downloading, installing, and launching malicious apps, displaying adverts, and uploading user data to remote servers. The iOS malware attack mostly affected users in Taiwan and China, but attacks such as this are expected to take place worldwide in 2016.
A fix for this iOS malware was rapidly issued by Apple, and the latest versions of the operating system are immune to YiSpecter. However, this is likely just the first of a number of new iOS malware families that can be expected over the next few months.
Apple Pay is also expected to be targeted in 2016. The payment system was unveiled in 2014 amid claims that it was immune from attack and could not be used to commit fraud, yet only a few months later it was discovered that Apple Pay was being used for fraud: stolen credit card numbers were being loaded into Apple Pay accounts and used to make purchases from iPhones.
Apple users are still less likely to be targeted by hackers than Windows users, but the devices are far from immune from attack. As more users make the switch to Apple and its market share increases, hackers are likely to respond and start targeting Apple software with increasing regularity and iOS malware will increase.
Further information has emerged on the Juniper Networks backdoor discovered last week, which suggests the NSA had a hand in the installation of a backdoor in the company’s source code.
Last week, a Juniper Networks backdoor was discovered after the company identified unauthorized code which could potentially allow hackers to gain access to secure communications and data that its customers had protected with its firewalls.
The malicious code would allow an attacker to decrypt communications protected by the company's NetScreen firewalls. It is not known at this stage how the code was inserted, whether by an insider or remotely. What is known is that whoever installed the Juniper Networks backdoor took advantage of an inherent weakness in the random number generator the firewalls used, and was further helped by a coding error believed to have been made by a company employee.
Juniper Networks Backdoor Installed Using NSA-Introduced Weakness
One security researcher, Ralf-Philipp Weinmann of the German firm Comsecuris, has argued that the weakness in the Dual_EC_DRBG random number generator was put there by the NSA, which championed its use. It is not known whether the NSA or one of its partners changed Juniper's source code, but it would appear that the NSA had, perhaps inadvertently, introduced a weakness that ultimately allowed the system to be compromised.
The weakness was first uncovered in 2007 by two Microsoft researchers, Dan Shumow and Niels Ferguson. Dual_EC_DRBG had just been standardized by NIST as one of four approved deterministic random bit generators, and together these were believed to be secure enough to protect government data.
However, Shumow and Ferguson demonstrated that the elliptic curve-based Dual_EC design could allow whoever chose its constants to predict the random numbers it produces, which would make any encryption keyed from those numbers susceptible to attack.
The generator is built on two fixed elliptic curve points, P and Q. If Q was not chosen at random but was derived from P by a secret scalar, whoever holds that scalar can recover the generator's internal state from its output, and hence predict every subsequent output and any key derived from it. Shumow and Ferguson showed this would be possible with just 32 bytes of output if the secret relationship between the points was known.
According to documents leaked by Edward Snowden, the flaw in Dual_EC is believed to be an intentional backdoor introduced by the NSA. Juniper, however, believed this was not a problem, because its firewalls only used Dual_EC to seed a second random number generator. That second generator was supposed to produce the numbers actually used for encryption, so even someone holding the secret key could not predict them.
However, a coding error meant that the raw Dual_EC output was used directly rather than the output of the second generator. Someone then broke into Juniper's source code and replaced the Q constant with one of their own, for which they knew the secret relationship to P; consequently, the encryption could be cracked.
The Juniper Networks backdoor has now apparently been plugged with the company recently issuing a patch to fix the problem. However, it would appear that the Juniper Networks backdoor had existed for at least three years.
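The trapdoor described above, reduced to a runnable toy in Python. This is an added example, not Juniper's code or the researchers' proof-of-concept: it uses the secp256k1 curve in place of NIST P-256 (neither the construction nor the attack depends on the curve), takes the curve's base point as Q and sets P = e·Q for a randomly chosen trapdoor scalar e (the standard fixes P and chooses Q; the relation is equivalent up to inverting e modulo the group order), and drops only 8 bits of each output block instead of the standard's 16 so the brute-force step stays small. Given one full output block and the following block to confirm the guess, the attacker recovers the internal state and predicts every later output.

```python
"""Toy Dual_EC_DRBG trapdoor demonstration (added example; not Juniper's code).

Generator as in SP 800-90A without additional input: s <- x(s*P), output x(s*Q)
with its top bits discarded. Attack: lift the output back to the point s*Q,
multiply by the trapdoor e (P = e*Q) to get s*P, whose x-coordinate is the
next state.
"""
import secrets

# secp256k1 domain parameters (public standard constants), standing in for P-256
MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
CURVE_B = 7                          # y^2 = x^3 + 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TRUNC_BITS = 8                       # the real standard discards 16 bits per block
OUT_MASK = (1 << (256 - TRUNC_BITS)) - 1


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % MOD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, MOD) % MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, MOD) % MOD
    x3 = (lam * lam - x1 - x2) % MOD
    return x3, (lam * (x1 - x3) - y1) % MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """A curve point with x-coordinate x, or None if x^3 + 7 is not a square.
    MOD = 3 (mod 4), so a single exponentiation yields the square root."""
    rhs = (pow(x, 3, MOD) + CURVE_B) % MOD
    y = pow(rhs, (MOD + 1) // 4, MOD)
    return (x, y) if y * y % MOD == rhs else None


class DualEC:
    """One call to next_block() produces one truncated output block."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def next_block(self):
        self.s = ec_mul(self.s, self.P)[0]      # s_i = x(s_{i-1} * P)
        r = ec_mul(self.s, self.Q)[0]           # r_i = x(s_i * Q)
        return r & OUT_MASK                     # drop the top TRUNC_BITS bits


def recover_generator(block1, block2, e, P, Q):
    """Shumow/Ferguson attack with trapdoor e (P = e*Q): from one full block plus the
    next block to confirm the guess, return a generator in sync with the victim."""
    for high in range(1 << TRUNC_BITS):                      # guess the discarded bits
        R = lift_x((high << (256 - TRUNC_BITS)) | block1)    # candidate for +/- s_1*Q
        if R is None:
            continue
        s2 = ec_mul(e, R)[0]                 # e*(s_1*Q) = s_1*P, whose x-coordinate is s_2
        if ec_mul(s2, Q)[0] & OUT_MASK == block2:            # confirm against block 2
            return DualEC(s2, P, Q)          # its next call reproduces the victim's block 3
    return None


def demo(seed=None, e=None):
    """Victim emits two blocks; the attacker predicts the next three. True on success."""
    seed = secrets.randbelow(MOD) if seed is None else seed
    e = 2 + secrets.randbelow(MOD - 2) if e is None else e
    Q = G
    P = ec_mul(e, Q)                         # the "non-random" relation between the constants
    victim = DualEC(seed, P, Q)
    block1, block2 = victim.next_block(), victim.next_block()
    clone = recover_generator(block1, block2, e, P, Q)
    if clone is None:
        return False
    return [victim.next_block() for _ in range(3)] == [clone.next_block() for _ in range(3)]


if __name__ == "__main__":
    print("state recovered, future output predicted:", demo())
```

Anyone who knows e owns every key the generator produces from then on; anyone who does not gains nothing from the same output. With the standard's 16-bit truncation the loop runs 65,536 candidates instead of 256, which is why one 30-byte P-256 block plus a couple of bytes of the next (the researchers' 32-byte figure) is enough to pin the state down. Swapping Juniper's Q for another, as the unauthorized change did, amounts to replacing the holder of e.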
Over the past few years, the number of anti-phishing solutions for enterprises has grown considerably. This is no surprise considering the volume of phishing emails now being used to target businesses. Phishing has become the leading strategy used by hackers and cybercriminals to gain access to corporate networks.
Phishing is not confined to email. Social media websites are also commonly used to spread phishing links, and hackers are compromising websites with increasing frequency and are installing malicious code. Malicious adverts are also used by cybercriminals to drive traffic to bogus websites where drive by malware attacks take place and criminals phish for sensitive information.
Fail to use any anti-phishing solutions and your employees will need to become experts at identifying phishing emails and malicious websites. Unfortunately, a recent study has shown that end users are not particularly good at identifying phishing emails. In fact, should a phishing email arrive in an employee’s inbox, it could be 50/50 as to whether that employee will respond.
Need for Robust Anti-Phishing Solutions for Enterprises Highlighted by Recent Phishing Report
A recent study of 400 companies conducted by PhishMe has produced some alarming figures. The company provides staff training to enterprises to help employees identify and avoid phishing emails. Training exercises were conducted that simulated phishing attacks. Over 4,000 fake phishing emails were sent to employees during the study. The company used numerous phishing templates that closely mirrored the phishing emails being sent by cybercriminals.
Some phishing emails asked recipients to update their computer software; others carried links to fake news stories or special offers, or mimicked internal office communications. The last category was found to have the highest overall response rates.
While many employees can identify a phishing email, when emails were sent with the subject “Unauthorized Access,” the average response rate across all industry sectors was 34%. When simulated phishing emails were sent with the subject “File from Scanner,” the average response rate was 36%.
However, some response rates were even higher. When the firm analyzed the results from failed package delivery phishing simulations, 49% of employees in the education industry were found to have responded to the emails. Agriculture and biotech/pharmaceutical company employees did not fare much better. 41% of employees responded to the campaigns. In the telecoms and media sectors, the response rate was 37%.
The study showed just how likely it is for untrained employees to fall for phishing emails. If a similar campaign was launched by a cybercriminal, as many as 4 or more employees out of 10 may fall for the scam and install malware or disclose sensitive information.
What Anti-Phishing Solutions for Enterprises Should be Used?
The study highlighted the importance of conducting staff training to teach employees how to identify phishing emails, but training alone is insufficient. Employees must have their knowledge put to the test. Phishing simulation emails should be sent to employees and the more frequently knowledge is tested – and feedback provided – the better employees become at identifying phishing campaigns.
Anti-phishing solutions for enterprises should also be implemented to reduce the volume of phishing emails that reach employees’ inboxes. It pays not to place too much reliance on end users to always be able to identify phishing emails.
Implementing a robust spam filtering solution is therefore essential. Spam filtering solutions reduce the volume of phishing emails that are delivered to employee inboxes. If as many as 49% of employees have been shown to respond to phishing emails, a spam filtering solution is essential. SpamTitan blocks 99.9% of all email spam, which gives your organization more than a fighting chance of resisting phishing attacks.
Training staff how to identify a phishing email can reduce the likelihood of individuals responding to a scam; however, identifying malicious websites can be much harder, especially when websites are hosting exploit kits. It may be impossible to tell whether a site is probing the browser or plug-ins for security vulnerabilities.
To prevent drive-by malware attacks a software solution is required. A web filtering solution such as WebTitan will provide protection from malicious websites, hijacked sites, and malvertising. Blocking access to websites known to host malware, and filtering the internet to prevent risky sites from being visited, will help you to reduce the risk of phishing attacks to the minimal level.
A recent Spiceworks survey conducted on 200 IT security professionals revealed that 51% of organizations had suffered a malware incident and 38% suffered a phishing attack in 2015. Fail to take any action to combat the risk from malware and phishing attacks and it is only a matter of time before your organization is attacked.
Hackers are concentrating on developing mobile malware that targets Android devices, but Apple malware infections are increasing. Furthermore, security researchers are predicting Apple malware infections will grow steadily over the course of the next 12 months.
Apple malware infections are on the increase
Over the past 12 months the number of Apple malware infections has doubled, and the problem is only likely to get worse for users of Apple devices, according to security researchers.
Last year, researchers at Symantec discovered between 10,000 and 70,000 new Apple malware infections every month. This year there was a 7-fold increase in malicious software infections affecting Apple OS X computers up to the end of September, with Symantec already having identified 400,363 infected Macs.
The researchers did point out that only 10 new types of Apple-infecting malware have been discovered so far this year, with the bulk of the OS X malware infections involving “grayware”. These are not purposely designed malicious software programs, rather apps that are capable of serving malicious adverts or tracking user behavior.
New malicious software targeting iOS is increasing, but only 7 new types of malware have been discovered by Symantec so far this year, compared with the 9,839 new mobile malware variants discovered targeting Android devices.
There is a growing malware problem, but Apple remains the safest mobile platform
Users of Apple devices have had it easy for many years. Hackers have developed malware capable of infecting Apple devices, but there are far bigger gains to be had from developing malware that targets Windows and Android devices. The majority of iOS malware can also only infect devices that have been jailbroken, so most users remain relatively safe.
Apple’s share of the mobile device market is relatively small, and while the number of units expected to be shipped in the next 5 years is expected to grow, so too will the number of Android devices. IDC has predicted there will be a 2.2% drop in Apple’s market share over the course of the next 5 years, although with 237 million to 274.5 million Apple devices expected to be shipped, there will be plenty of devices for hackers to attack. In fact, in 2015, Apple device ownership is expected to grow by 23% according to IDC.
No need to panic just yet, but there is cause for concern
It is not yet time to panic, but there is growing concern over the number of Apple malware infections that are now being discovered. The majority of new mobile device malware now being discovered targets Android devices, and Apple remains the safest choice. What is clear is iOS and OS X are no longer as safe as they were once believed to be, and users of Apple devices should not become complacent.
Infections are possible and any user of a jailbroken Apple device who fails to take precautions against malicious software could well live to regret that decision.
According to research conducted by Internet security firm Kaspersky Lab, corporate malware attacks have increased by 3% year-on-year. In 2015, 58% of companies were attacked with malware on at least one occasion, and the motivations for conducting corporate malware attacks are numerous. Not all attackers are demanding a ransom.
Reasons for corporate malware attacks
In many cases, corporate malware attacks are conducted for financial reasons – but not always. There has been an increase in hacktivism and attacks on business competitors. According to research conducted by Kaspersky/B2B International, 28% of suspects in cyberattacks were believed to be attempting to simply disrupt a company’s operations.
Corporate malware attacks by competitors are believed to be increasing and in many cases the attackers are known. This is certainly the case for DDoS attacks. 48% of companies claimed to know the source of DDoS attacks they had suffered and 12% believed that the source was a specific competitor. 11% of attacks were conducted by political activists, while government backed groups accounted for 5% of attacks.
The mode of attack on corporate targets differs from attacks on consumers according to Kaspersky Lab.
There has been an increase in the exploitation of legitimate software, with office programs used to attack companies three times as often as consumer targets. Internet-based attacks were also commonly directed at business users: 29% of businesses reported exposure to Internet threats, while 41% were attacked via portable storage devices. Attacks on mobile devices have also increased as criminals have realized the ease with which the devices can be compromised and the wealth of data stored on them.
Cryptolocker infections double in 2015
Cryptolocker ransomware infections have increased substantially in recent months, with twice as many infections recorded in 2015 as in 2014. According to Kaspersky, over 50,000 corporate devices were locked by Cryptolocker in 2015. Corporate victims have been given little alternative but to pay ransoms to get their data unlocked. Unfortunately, even when a ransom was paid, decryption keys were not always provided or did not work.
DDoS attacks being commissioned by business competitors
Attacks conducted for financial gain are still the most common, especially in the telecoms and manufacturing industries. Survey respondents from both industries said ransoms were demanded in 27% of DDoS attacks. Overall, 17% of attacks involved disrupting services until a ransom was paid. In 18% of cases, DDoS attacks were used to distract IT security staff while the attackers went to work on other systems, as was the case with the recent attack on Internet and mobile phone service provider TalkTalk. Companies also appear to be increasingly attempting to gain a competitive edge by paying hackers to disrupt the operations of their competitors.
2015: The year of the PoS attack!
2015 has also been a year of attacks on Point of Sale terminals. Retailers have been targeted by hackers trying to gain access to PoS data, oftentimes by installing malware capable of recording data from transactions. Kaspersky Lab managed to block more than 11,500 PoS hacks in 2015. 70% of hacks of PoS terminals involved malicious software that had only been developed this year. These attacks are likely to increase over the course of the next 12 months.
Cryptowall malware has been a major threat since it was first released on the unsuspecting world in September 2014. It did not take long for the malware to evolve, with a second version seen within a matter of weeks. A third incarnation was released at the start of the year. Now the game plan has changed again, with the fourth version of Cryptowall malware identified in the wild. The developers of the ransomware are keen to keep IT security experts and security software developers on their toes. They also want to continue to rake in millions of dollars in ransoms, and the new version looks set to keep the money coming in.
Cryptowall Malware is Now Harder to Spot, Easier to Obtain, and is a Whole Lot Nastier
As if it were not hard enough to prevent a Cryptowall malware infection, the developers of the ransomware have made it nastier and easier to spread. It is now capable of being installed by drive-by download.
The malware has also been packaged up with the Pony Trojan. Pony is nothing new, although that doesn’t make it any less dangerous. Pony is a password stealer that has been redeveloped and updated over the years. It has been predominantly spread via email spam in the past, and has most commonly been seen as an attached executable, or sent in compressed form in a .cab, .rar, or .zip file.
More recently, however, it has been sent disguised as a document, sometimes as a Word document but most commonly as a PDF file. The file is not a document, of course. It is an executable with the extension masked. When it is double-clicked, Pony is set loose.
Recently, the Pony Trojan has also been sent via a link in spam email. Clicking the link does not take the user to a website as expected; instead it attempts to download the malware. The file is disguised as a different type of file even though it is an executable: a .SCR (screensaver) file with an Adobe Reader icon is a favourite, as it looks fairly innocuous. Regardless of how it is installed, its actions are the same. It steals usernames, passwords, FTP and SSH credentials, and the contents of Bitcoin, Litecoin, Primecoin, and Feathercoin wallets.
Once credentials have been stolen, the user will be directed to a malicious website where they will be subjected to the Angler Exploit Kit – the most widely used exploit kit and attack tool. Angler takes advantage of security vulnerabilities in users’ browser plugins via drive-by attacks. Those attacks will unleash the final payload: The latest version of Cryptowall malware.
Cryptowall Malware Leaves Victims Little Choice but to Pay the Ransom
The latest incarnation of the ransomware locks files with strong encryption and also encrypts the filenames. With the latest version your files will be encrypted, and you won’t even know which files they are. It uses different obfuscation methods to make it harder to detect and has much improved command and control communication.
Victims are not so much told they have to pay a ransom, but are instead politely urged to pay for security software to protect against Cryptowall malware. The attackers say please more than once when suggesting payment be made to unlock files.
Unfortunately, you will have to pay the $700 security software charge to unlock your files if you have not performed a recent backup of your data. Otherwise your files will be lost forever.
To protect against the malware, make sure backups are regularly performed and ensure that all browsers, plugins and security software are kept bang up to date.
Criminals are using a new tactic to con money out of small to medium-sized businesses and startups, and are now using insider phishing scams to convince account department executives to make fraudulent bank transfers. The insider phishing scams are highly convincing, and a number of company executives have already fallen for the scams. Thousands of pounds have already been transferred into the bank accounts of criminals. By the time the fraudulent bank transfers are discovered, the money is long gone and cannot be recovered.
Insider phishing scams are targeting specific individuals in the accounts department
A number of similar insider phishing scams have been seen in recent months. Workers are sent an email purporting to come from their boss asking them to transfer money from their personal account to help cover an essential bill. These scams tend to work on small businesses that are likely to experience cashflow difficulties.
Employees fall for the scams and make the transfers because they are fearful of their employer and want to appear keen and willing to help. The latest insider phishing scams appear to be much more targeted. Criminals already know the names of the individuals working in the accounts department and target the person most likely to respond.
These people are sent an email from their boss, are referred to by name, and the email address used to send the message appears, at first glance at least, to be genuine.
A brief message is sent asking for a transfer of several thousand pounds to be made, and the bank account number and sort code are provided in the email. The victim is informed that their boss will send further information to allow the payment to be entered into the company accounts. The victim is also asked to send an email back confirming when the transfer has been made.
The scam is clever. By asking for a confirmation, the victim will most likely reply to the same email and not follow up for a couple of days or so. By that time the transfer will have cleared, the money taken out of the criminal’s account, and it will not be possible to recall the funds.
Fake domain names being registered to conduct insider phishing scams
If an email was sent from an email address with a non-company domain it would be unlikely to result in a bank transfer being made. Even a busy accounts department executive would check who sent the email before making a transfer of £20,000. To get around this problem, criminals are registering a very similar domain name to that used by the target company.
Typically, the domain name used will be virtually identical to the company’s own, with one minor change: one character is replaced with another. The most effective substitutions are a lower-case L for an i or a 1, or vice versa, because the difference is unlikely to be noticed. Instead of “Littlewoods”, the domain “Litt1ewoods” or “Littiewoods” would be used.
The success of these insider phishing scams relies on the email being as genuine as possible. The email must also be sent to the right account executive. If the request appears unusual – being sent to a person who would not typically make a bank transfer for example – it would appear suspicious and would likely be questioned.
After the domain name has been registered, the format of the company’s email addresses must be discovered, followed by the names of the chief executive and the company’s financial controller. Only then does the criminal behind the campaign send the scam email.
The victims are therefore researched beforehand. The correct individual is identified and they – and they alone – are sent the transfer request. It has been hypothesized that the reason these insider phishing scams are being conducted on tech companies is they are more likely to be easy to research.
There have been numerous reports of these insider phishing scams being conducted in recent weeks. Some individuals have fallen for the scams and have made large transfers to the criminal’s account as requested.
How to protect against insider phishing scams
It is essential that all staff members are warned about these insider phishing scams and told to be vigilant. Protecting against these attacks must start at the top. Email requests to make transfers may be convenient, but employers must set up policies that require accounts executives to verify the request, by telephone, before they are made.
A few years ago, spam emails were very easy to spot. They were sent out in bulk, contained numerous typos and grammatical errors, and on the whole were very easy to identify as fake. That is no longer the case. Scammers now take time to develop highly convincing campaigns to fool specific individuals into revealing personal information or making large bank transfers. The effort put into these campaigns pays off: the criminals are much more likely to get the victim to take the required action.
In addition to instilling a security-aware culture in an organization, one of the best protections is a robust spam filtering solution. An email sent from a domain closely matching the company’s own domain name can be caught by a spam filter configured to flag lookalike domains and directed to the email quarantine folder. Training is good, but preventing insider phishing emails from being delivered is a much more reliable way of stopping employees from falling for these scams.
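The lookalike-domain check a mail filter or an accounts team could apply is shown below as an added example; it is not code from the original article. It normalises the characters criminals swap (l, i, 1, and the rn/m and vv/w pairs) into a single "skeleton" so that Litt1ewoods and Littiewoods compare equal to Littlewoods, and uses an edit distance of one to catch an extra or missing character. The confusables table and the sample addresses are assumptions constructed for the example, and it goes slightly beyond the article by also flagging domains that merely contain the brand label.

```python
"""Added example (not from the original article): classify an email sender's
domain as internal, lookalike or external, to catch character-swap domains
such as "Litt1ewoods" standing in for "Littlewoods"."""

# Single characters that render alike in many fonts, and the character they
# are normalised to. This short table is an assumption for the example; a
# production filter would use a full confusables list (e.g. Unicode TR39).
SINGLE = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"}
# Two-character sequences that imitate a single letter.
DIGRAPHS = {"rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Canonical spelling of a DNS label so that look-alikes compare equal."""
    label = label.lower()
    for pair, single in DIGRAPHS.items():
        label = label.replace(pair, single)
    return "".join(SINGLE.get(ch, ch) for ch in label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character insertions or
    deletions such as "Litt1lewoods" (an extra letter as well as a swap)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, company_domain: str, max_distance: int = 1) -> str:
    """Return "internal", "lookalike" or "external" for a From: address.

    company_domain is assumed to be of the form brand.tld, so the brand
    label is everything before the first dot. Subdomains of the company
    domain are internal; any other domain with a label that matches the
    brand after normalisation, contains it, or is within max_distance
    edits of it is a lookalike."""
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    company_domain = company_domain.lower()
    if domain == company_domain or domain.endswith("." + company_domain):
        return "internal"
    brand = skeleton(company_domain.split(".")[0])
    for label in domain.split("."):
        s = skeleton(label)
        if brand in s or edit_distance(s, brand) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample addresses; none of these domains is claimed to exist.
    for addr in ("w.stephan@littlewoods.com", "ceo@litt1ewoods.com",
                 "ceo@litt1lewoods.com", "accounts@gmail.com"):
        print(addr, "->", classify_sender(addr, "littlewoods.com"))
```

Because both sides are normalised before comparison, the check is symmetric and does not depend on which character the criminal chose to swap. For very short brand labels the containment test is too aggressive and should be dropped, and a domain that resolves as a lookalike is best quarantined for review rather than silently discarded, since a genuine partner with a similar name is possible.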
Mississippi attorney general Jim Hood has issued a warning to state residents to be extra vigilant after receiving a convincing Google account phishing email.
The latest Google account phishing scam attempts to fool users into revealing their passwords by warning them that they need to review the terms and conditions of their account. The email claims Google requires this because of changes to government regulations, and that users must check the new T&Cs in order to maintain compliance.
A link to do this was supplied in the email. Clicking the link directed users to a page that appeared to be from Google but was part of the scam. Users were presented with what looked like a standard Google login page; when they entered their credentials, the details were recorded and sent to the attacker.
While this scam appeared convincing, there was a tell-tale sign that the request was not genuine. The request to enter account details contained a spelling error in the word “account.” This is not an error that Google would make.
Google Account Phishing Email Scams
Google account phishing email scams are being conducted with increasing frequency. Two other Google account scams were spotted in the summer and are still being used by criminals to gain access to users’ email accounts.
Gmail Phishing Scam
This scam is not new. It was first discovered by Symantec early last year but it is still active. A new batch of spam emails was sent to Gmail account holders over the summer, which fooled many people into revealing their Gmail passwords.
Gmail offers anti-spam protection, although hackers were able to bypass the controls. The emails appeared to have been sent by Gmail administrators. The messages contained a link to a Google Drive document. Clicking the URL directed users to the document, but they needed to enter their login credentials to view it. Users entered their information and were able to view the document; however, what they would not have realized is they had also just compromised their accounts.
In this case, the link in the email directed users to a folder on Google Drive with a preview page that looked like a standard Google login prompt. When users entered their details, the login credentials were recorded by a PHP script and sent to the hackers’ command and control server, located in the United Arab Emirates. The attack was so effective because the phishing page was hosted on Google’s own servers and was therefore served over Google’s genuine SSL connection: the legitimate Google domain and padlock were enough to get past anti-spam controls and to exploit users’ trust in Google.
Spear phishing attack targeting Gmail account holders
The Gmail password recovery feature is being exploited by hackers using social engineering techniques to get users to hand over access to their Gmail accounts. This Google account phishing scam also exploits users’ trust in Google.
Provided an attacker knows the mobile phone number of a victim as well as their email address, they are able to attempt this scam.
It starts with the attacker using the password recovery feature on Gmail to reset the victim’s password. The attacker enters the victim’s email address and opts to have the verification code sent by SMS to the user’s phone.
The user receives a verification code on their mobile phone, closely followed by a text from the attacker, who claims to be from the Google account management team and asks for the code. Since the attacker already has the email address, he or she can then use the code to complete the password reset. The attacker will then be able to access the user’s Gmail account, and the legitimate user will be locked out.
It is almost every day that a Facebook video phishing scam is discovered, and yesterday was no exception. Scammers are increasingly looking to take advantage of Facebook’s drive to compete with YouTube as the go to place for watching video content.
Latest Facebook video phishing scam offers Facebook video application for free
The social media website is now actively encouraging users to upload videos to the site; videos now play automatically in news feeds when the mouse pointer is hovered over a post, and scammers are taking advantage by offering users an easy way to upload and view videos via mobile devices. The Facebook video phishing scam is likely to catch out many users of the site.
Video posts are now common on the social media platform due to the ease at which users can take videos using their mobile phones. Those users naturally want an effortless way of sharing their video content with friends and family. What better way of doing this than with a Facebook video app? Simply download the app and you can share your self-generated video content with a tap of the screen!
Unfortunately for the user, the app being offered is fake. It will make sharing information effortless, but not the information that the user will want to be shared. Any Facebook user that falls for the scam will instantly share their login credentials and friends list with a cybercriminal.
Facebook video phishing scam displayed via a popup browser window
The new Facebook video phishing scam is being advertised via a popup window that appears virtually identical to the genuine Facebook website. The Facebook search bar appears as normal, along with the icons at the top of the page that every user will be very familiar with. A casual glance at the URL is likely to arouse little suspicion as the site address starts with “Facebook”.
Closer inspection will show that this is not a genuine Facebook page. The popup window has been seen on two variants of the real domain name: Facebooksk.info & Facebookstls.com. This is a sure sign that this is a Facebook video phishing scam and that the free Facebook video app being offered is not genuine.
These popups appear when the user clicks on an advert offering a free Facebook video application that users can download to their device. The adverts can also pop up on the screen while browsing websites that have been infected with adware.
The fake Facebook video app has so far only been seen in Spanish; although English-speaking users should also be wary. An English language version is sure to be released soon.
Before being allowed to download the free Facebook video application, users must first confirm they are over 18 years old. Age verification is required before the user will be permitted to download the app. In order to do this, the user will have to enter their username and password. The login box has been created to closely mimic one used by the genuine Facebook site.
When the user enters their information and clicks on the login box, a PHP script will run that sends the data to the hacker behind the Facebook video phishing scam.
Once login credentials have been provided, the hacker can log in to the victim’s account and access the user’s friend list. Phishing links are then sent out to all of the user’s friends. The contents of the account, including all of the security settings, can also be accessed.
This Facebook video phishing scam is one of many now doing the rounds on the social media platform. All site users must exercise caution before logging in or divulging any sensitive information via the social media platform. Not all Facebook scams are this obviously fake and easily identified. Scammers are devising ever more sophisticated ways to get users to compromise their own accounts.
Users of the Intuit Quickbooks accounting software package are being targeted by scammers. Emails have been sent to users of the software warning them that they need to update their web browsers for ‘the best online experience’. They are issued with this news via an email with the heading ‘Intuit Security Warning’.
Spam email campaigns often urge users to make urgent changes to address security flaws and contain stern warnings to get users to act quickly. Often a threat is included, or a very short timescale is given for action to be taken. While this email is sent with the subject ‘Intuit Security Warning’, it looks fairly innocuous. There is no threat, it is well written, and it has appropriate branding. The email appears to be sent from a credible address at support.intuit.com and is addressed to a “newsletters” email group. At first sight, this Intuit security warning does not look like a phishing email.
The reason given for a web browser update is Intuit is performing an update on November 5, 2015. There is no warning that failure to update browsers will have any ill effects other than the service provided would not be optimal. This is what makes this email scam particularly dangerous. The Intuit security warning email would be unlikely to set alarm bells ringing with users of the software.
Intuit Security Warning email contains link to trojan downloader
If users hover their mouse over the link in the email, the true web address is revealed. It is not the Intuit website, although the link text looks credible. Clicking the link launches a browser window displaying a browser update page that looks exactly as it should. The user is told that their browser is out of date and should be updated.
A message window will then be launched offering a zip file download, which is also appropriately named based on the default web browser used on the device: FirefoxUpdate.zip for example.
However, the zip file contains a Trojan downloader which, when run, installs malware on the user’s device. Even downloading the file is unlikely to set any alarm bells ringing. The scam has been developed to appear perfectly normal, and users are highly unlikely to realize they have been fooled into downloading malware.
Consumers and businesses are likely to receive the Intuit security warning email, which should be deleted. The email itself is not malicious and will not infect a device; that requires manual action on the part of the user. However, the email is very convincing and does not follow the format of “typical” phishing emails. As a result, it is probable that many users will do as the Intuit security warning email recommends, and inadvertently infect their devices with malware.
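Hovering over a link is a manual version of a check that can be automated at the mail gateway. The following added example (not code from the original article or from Intuit) parses an HTML message body, compares each link's real destination with the domain the email claims to come from, and additionally reports links whose visible text is itself a URL on a different host. The sample HTML is constructed for the example and the domain example-cdn.test is a placeholder in the reserved .test TLD, not a real attacker domain.

```python
"""Added example (not from the original article): report links in an HTML
email whose real destination differs from the domain the message claims to
come from, the check a user performs by hovering over the link."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumes a single-label public suffix;
    co.uk-style suffixes would need the public suffix list."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_links(html: str, claimed_domain: str):
    """For a message whose From: domain is claimed_domain, report every link
    that leads outside that domain. text_is_url_mismatch is set when the
    visible link text is itself a URL whose host differs from the real one,
    the most blatant form of the trick."""
    findings = []
    for href, text in extract_links(html):
        actual = urlparse(href).hostname or ""
        if registrable(actual) == registrable(claimed_domain):
            continue
        shown = None
        if "://" in text or text.lower().startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
        findings.append({
            "text": text,
            "actual_host": actual,
            "text_is_url_mismatch": shown is not None
            and registrable(shown) != registrable(actual),
        })
    return findings


# Constructed sample modelled on the Intuit lure; not the real email.
SAMPLE_HTML = """<p>Intuit will perform an update on November 5, 2015. For the
best online experience please <a href="http://example-cdn.test/update/browser">update
your browser</a>. Questions? See <a href="http://example-cdn.test/help">
https://support.intuit.com/help</a>.</p>"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML, "support.intuit.com"):
        print(finding)
```

A gateway would run this against the HTML part of each message and treat any finding as grounds for quarantine; the first link in the sample is exactly the Intuit case, innocuous text pointing at a download site outside intuit.com, and the second shows the cruder variant where the displayed URL and the real one disagree.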
How to keep end users’ devices and networks malware free
Hackers may be developing ever more complex methods of deceiving users and infecting computers, but oftentimes it is the simplest methods that prove to be the most effective. Even security conscious individuals may inadvertently fall for email scams such as this. For that reason, it is important for IT security professionals not to place too much reliance on staff training. There will always be users who fall for phishing campaigns and email scams, and inadvertently install malware on their computers or the network.
There are two highly effective methods that can be used alongside staff training to protect against email scams and phishing campaigns: anti-spam software and a web filtering solution. Anti-spam software can prevent emails such as this from being delivered to users’ inboxes, while web filtering software restricts the sites that users can visit. With both in place, IT security professionals can be far more confident that, even if end users are targeted by hackers or other cybercriminals, the network will remain protected from malware.
The biggest online shopping day of the year may be Cyber Monday, but for the Bitcoin community it is Bitcoin Black Friday.
Bitcoin has grown in popularity with the online community as a secure alternative method of paying for goods and services online. On Bitcoin Black Friday, transactions using the currency increase substantially. Last year, on November 28th, more Bitcoin transactions took place than on any single day in the history of the currency. This year promises to be even bigger.
Bitcoin Black Friday is a day when bitcoin buyers are given amazing discounts on their online purchases, and are able to pick up amazing deals on jewelry, holidays, gifts, electronic gadgets, domain registrations, and much more. The only condition being all purchases must be made using Bitcoin. Last year over 600 online retailers took part and offered special offers to kick start the holiday shopping season. In 2015, the number of participating merchants is expected to be double that figure.
Since the currency can be used to make payments that are hard to trace, it has proven popular with online criminals. Bitcoin Black Friday is the day when theft of Bitcoin increases substantially. It is also a day when users of the currency are fooled into revealing their personal information to criminals.
Bitcoin Black Friday Phishing Website Launched
Criminals have targeted Black Friday purchasers by launching a new website offering bargains galore. The site offers numerous discounts for purchasers, with many apparently genuine deals.
The website bitcoinblackfriday.info is a rip-off of a genuine offer site, piggybacking on the name of the genuine .com version of the site.
The rip-off site looks similar in style to the genuine article but, instead of providing visitors with real offers, it links to phishing websites that will relieve users of their personal information and Bitcoin. These mock websites were set up to closely mimic real sites, albeit with slight differences. Unless visitors had used the real site before and were familiar with the layout, they would likely be convinced that they were visiting a genuine online retailer. Most of the phishing websites linked to from the .info site were set up in the past few days. This is a clear sign that the sites are not genuine, but few people would check the age of a domain before making a purchase.
It is not clear whether the owner of the .info website was aware that the site was being used to host links to phishing websites or if the domain had specifically been set up with phishing in mind.
The links contained on the .info version of the website look convincing. For instance, adverts were placed on the website that link to variants of popular store names, such as “buy-trezor.com” instead of the genuine “buytrezor.com”. Many purchasers are therefore likely to be fooled.
Since many deals were not available until Black Friday, the site requested users to leave their email addresses in order to be sent information about the best deals as soon as they were released on the big day. Any person who did will not only receive Black Friday offers, but their email addresses are likely to be used to send further email scams.
Bitcoin users should be wary. It is not only credit cards that online criminals seek. Bitcoin and personal information are just as valuable to online thieves. On Bitcoin Black Friday, when special deals are offered for a very limited time, users should be extra careful. The golden rule is to always take time to verify the genuineness of a website before parting with any money or divulging any personal information.
The discovery of a new IRS e-Services scam has prompted the Internal Revenue Service to kick off its Security Awareness Tax Tips with a phishing warning.
New IRS e-Services Scam Reported
IRS tax scams are nothing new. In fact the IRS regularly issues warnings about new phone and email scams. Criminals frequently devise new scams to get U.S. consumers to reveal personal information. However, the latest IRS e-Services scam targets tax practitioners and attempts to get users to reveal their IRS e-Services login credentials.
As is the case with most phishing campaigns, a highly realistic email is sent requesting action to be taken to address a matter that requires a user’s urgent attention. Many IRS phishing scams warn of immediate suspension of an account; although the latest IRS e-Services scam says this has already happened. In order to lift the suspension on the account, the user must click on the link contained in the email and update their Electronic Filing Identification Numbers (EFINs).
The email warns “Our account surveillance have detected some suspicious activities over your account and to maintain the security we have temporarily disabled some functions on your account.”
Users are provided with a link which they must click on in order to reactivate all functions on their account. After clicking the link, users are asked to verify their identity by entering in their username and password.
The link contained in the email may appear genuine, but it will direct the user to a phishing website that will capture the username and password as they are entered.
Gaining access to IRS e-Services is potentially very lucrative for criminals. The service allows tax professionals to conduct a number of services online on behalf of their clients. Access to one of these accounts can potentially allow the scammers to gain access to a wealth of data that can be used to commit identity theft and tax fraud. Should access to the account be gained, criminals would be able to obtain details of past tax returns and other client account details.
The email appears to have been sent from a genuine IRS email address. The new IRS e-Services scam shows that sender email addresses cannot be trusted as a way of checking the genuineness of emails.
Tax professionals have been warned not to click on the link contained in the phishing email and to delete it. The IRS has reminded users that it does not initiate contact with individuals via email, social media channels, or text message, and will never ask users to reveal their passwords.
The IRS will soon be launching its new “Taxes. Security. Together” initiative ahead of the 2016 tax season. The campaign is aimed at improving awareness of phishing scams and other methods used by criminals to get unsuspecting users to reveal their tax information.
Hackers could potentially use the exploit to install apps on the device without any user interaction. The apps could be given permissions to access all communications made through the device. The new critical Android vulnerability was demonstrated at the recent Tokyo PacSec conference. Full details of the exploit have been shared with Google and a patch is currently being developed to plug the security hole.
This is just one more critical Android vulnerability to be discovered, and it will not be the last. Fortunately, this time the security hole was found by a security expert rather than a hacker.
Fake ID critical android vulnerability still exists on many Smartphones
Last year, researchers at Bluebox Security discovered another critical vulnerability, which affects all Android smartphones running versions 2.1 (Eclair) through 4.4 (KitKat). This critical Android vulnerability affects millions of devices.
The vulnerability, named Fake ID, potentially allows hackers to develop apps that can exploit a flaw in the way the devices deal with security certificates. The vulnerability can be used to gain privileges granted to other applications – even those with high levels of privileges such as Google Wallet.
Fortunately, to exploit this critical Android vulnerability, hackers would need to convince the user to download a malicious app to their device, which would be difficult if the user only used Google Play Store to obtain new apps.
However, Stagefright, a critical Android vulnerability discovered this summer, is potentially much more serious. The bug enables a hacker to remotely execute code on an Android phone and escalate privileges. Stagefright allows a hacker to attack an Android device via a video sent by MMS; the flaw lies in libstagefright, the media library that processes the video.
Android phones running Google Hangouts would potentially be vulnerable and could be exploited without the user’s knowledge as the app processes video automatically before the message is viewed by the user.
Due to how patches are rolled out, Smartphones could still be vulnerable to both Fake ID and StageFright, even though patches have now been released.
When a new critical security vulnerability is discovered, a patch is rapidly developed to plug the security hole. Even when a patch is issued, it can take some time before it is rolled out and installed on each device. The speed depends on the device manufacturer and the carrier. Patches are rolled out quickly in some cases, Google Nexus and LG for example, but more slowly for other brands such as Samsung and HTC.
Often updates to the operating system are packaged together with manufacturer updates and are not rolled out immediately. Sometimes they are not rolled out at all, leaving some phones particularly vulnerable to attack.
A recent study conducted by the University of Cambridge showed that 87% of Smartphones contain at least one critical Android vulnerability, and many contain more than one.
Reducing Security Risk from Android Devices
BYOD has grown in popularity in recent years, and many employers are now allowing employees to bring their own mobile devices to work. While not all allow the use of personal laptops, employees are commonly allowed to use their Smartphones at work, and even use them to connect to their employer’s network.
Any employer operating BYOD should carefully consider which devices are allowed to connect to the corporate network. Some smartphones are safer than others and carry a much lower network security risk. Allow devices that can be easily compromised to connect, and they could be used as a platform to launch an attack on the network.
SMB ransomware infections can be time-consuming, expensive, or catastrophic. Which category an infection falls into will, to a large extent, depend on how you have prepared. If you run an SMB, ransomware protection is essential.
Ransomware protection is no longer an option, it is a necessity
It may not simply be a case of paying a ransom to recover your data. Data may be permanently lost. There is no guarantee that a decryption key will work, or will even be provided, if a ransom is paid.
Unfortunately, ransomware is here to stay. Criminals have found it to be one of the best methods of obtaining untraceable money from victims. Ransoms are paid in Bitcoin – or via other anonymous payment systems – and infecting computers is exceptionally easy in many cases.
Ransomware will continue to be used as long as it proves profitable for cybercriminals. The profits from Cryptowall infections alone are estimated to be in the region of $325 million (£215 million) and the ransomware was only developed and released in September 2013. With such high profits, ransomware is here to stay – so businesses need to get prepared.
Importance of ransomware protection highlighted by Power Worm variant
Infected with ransomware? It’s not the end of the world: you could just pay the ransom. Unfortunately, that does not necessarily mean you will get your data back. Take the latest Power Worm variant, for example.
Not all hackers diligently prepare their malware. Sometimes mistakes are made, and the latest variant of Power Worm is a good example. The developers of the ransomware attempted to make decryption a more straightforward process, but made a critical error. The Power Worm variant they created encrypts files, but deletes the keys needed to decrypt them.
Even if a ransom is paid, the data will not be unlocked. An infection means data is permanently and irrevocably encrypted. This has not stopped the users of the ransomware from demanding a payment of 2 Bitcoin to decrypt the data; it just prevents them from making good on their promise.
There is never any guarantee that a decryption key will be provided even if a ransom is paid but, with this infection, recovery is simply not possible. This latest ransomware highlights the importance of implementing ransomware protection strategies to deal with infections when they occur. If you don’t, it could spell total disaster.
Ransomware protection strategies
Unfortunately, while ransomware is spread via spam email and social media networks, exploit kits are now being used to infect computers by taking advantage of security vulnerabilities. Fortunately, there are a number of ways you can protect against a malware infection.
Regularly back up your data on a separate device
A ransomware infection need not spell disaster, even if the criminal behind the infection does not unlock your data. If you have a backup, an infection is a pain, but you can recover your data.
Install a robust spam filter
Ransomware is often spread via infected email attachments. Configure your spam filter to block executable files, and you can prevent malicious email attachments from being delivered to users’ inboxes.
Show hidden file extensions
Windows often hides known file extensions. Criminals take advantage of this. If they name an executable file report.pdf.exe, when Windows hides the extension, it will appear as report.pdf. Users may inadvertently open an executable file believing it to be harmless. Make sure file extensions are shown to reduce the chance of accidental infections.
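The two preceding tips, blocking executable attachments at the spam filter and catching the report.pdf.exe trick, can be expressed as one attachment-name policy. The following is an added example written for this page; it is not SpamTitan’s code, and the extension sets are a constructed starting point rather than a complete policy:

```python
"""Attachment-name policy check for a mail filter.

Added example; this is not SpamTitan's own code. It blocks attachments that
Windows would execute on a double-click, quarantines archives that commonly
carry them, and catches the double-extension trick described above
(report.pdf.exe shown as report.pdf when extensions are hidden).
The extension sets below are a constructed starting point, not a complete policy.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Types Windows runs directly when a user double-clicks them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "jar"}
# Archives are not executable themselves but are the usual wrapper for the above.
ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Document and image types that a double extension imitates.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    action: str    # "block", "quarantine" or "allow"
    reason: str


def extensions(filename: str) -> List[str]:
    """All extension parts, lower-cased and trimmed: 'Report.PDF.exe' -> ['pdf', 'exe']."""
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    return parts[1:] if len(parts) > 1 else []


def check_attachment(filename: str) -> Verdict:
    exts = extensions(filename)
    if not exts:
        # Without an extension the mail gateway cannot tell what the file is.
        return Verdict(filename, "quarantine", "no extension; file type unknown")
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            # The user would see report.pdf on a default Windows install.
            return Verdict(filename, "block",
                           f"double extension: looks like .{exts[-2]} but is .{last}")
        return Verdict(filename, "block", f"executable attachment (.{last})")
    if last in ARCHIVE_EXTS:
        return Verdict(filename, "quarantine",
                       f"archive (.{last}); inspect contents before delivery")
    return Verdict(filename, "allow", "not an executable or archive")


def filter_attachments(filenames: Iterable[str]) -> List[Verdict]:
    """Apply the policy to every attachment name on a message."""
    return [check_attachment(name) for name in filenames]


if __name__ == "__main__":
    # Constructed sample message with one of each case.
    for v in filter_attachments(["report.pdf.exe", "Invoice.SCR", "photos.zip",
                                 "quarterly.pdf", "README"]):
        print(f"{v.action:10} {v.filename:16} {v.reason}")
```

Archives are quarantined rather than blocked outright because legitimate senders do use them; the point is that nothing inside a .zip or .rar reaches the inbox until its contents have been checked against the same executable list.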
Make sure Remote Desktop Protocol (RDP) is disabled
You may use RDP to provide support to end users on your network, but hackers can exploit RDP to gain access to devices and install malware without any user interaction. If you do not use RDP, or can get away without using it, make sure that it is disabled on all internet-enabled devices.
Make sure browsers are kept up to date and patches installed
Exploit kits probe browsers for security vulnerabilities that can be exploited. It is therefore essential that the latest versions of web browsers are always installed, and that patches and updates are applied as soon as they are made available.
Install web filtering software
Ransomware is often installed using drive-by attacks. Malicious websites are not always easy to identify, but the sites can be blocked if web filtering software is employed. Stop end users from visiting malicious websites and you will greatly reduce the risk of ransomware being installed.
If you want to keep your computers and networks protected from malware, it is important to train your staff how to identify a malicious website. You should also install a powerful web filtering solution to ensure your employees’ malicious website identification skills are never put to the test.
Cybercriminals are developing ingenious ways of compromising networks
Scammers and cybercriminals used to mainly send out emails with infected attachments. Double clicking on the attachment would result in the computer, and possibly the network, being infected with malware. Oftentimes, this action would go undetected by anti-virus software programs. A full system scan would need to be conducted before the malicious software was identified.
Computer users are now much wiser and know never to open file attachments that have been sent to them by unknown individuals, and certainly never to double click on an executable file. Hackers and other cybercriminals have therefore needed to get smarter, and are now developing ever more sophisticated ways of obtaining user credentials and getting people to install malware manually. One of the ways they are doing this is by developing malicious websites.
End users are contacted via email and are sent links to websites along with a valid reason for visiting the site. Links to malicious websites are also frequently sent out in social media posts or are placed in third party website adverts. Some sites are hijacked and visitors are redirected to fake sites automatically.
What is a malicious website?
Malicious websites host malware or are used to phish for sensitive information. In the case of the latter, users are tricked into revealing sensitive data such as login credentials for online banking websites.
Malware may require some user interaction before it is installed. Visitors may be tricked into downloading a security program, for instance, by being informed their computer is already infected with malware. They may be offered a free screensaver, or asked to download a fake PDF invoice.
Increasingly, malicious websites are used to host exploit kits. Exploit kits probe visitors’ browsers to identify security vulnerabilities that can be exploited without any user interaction required. If a vulnerability is detected, malware can be installed automatically on the computer or network. This method of cyberattack is called a drive-by download. Drive-by downloads can involve malware being installed onto the computer’s hard drive, a network drive, or even loaded into the computer’s memory.
Learning how to identify a malicious website is important if you want to prevent your computer from being infected, and it is essential for system administrators and other IT professionals to conduct staff training to help end users avoid these dangerous sites.
How to identify a malicious website
There are some easy ways to tell if a website is attempting to install malware:
- The website asks you to download software, save a file, or run a program
- Visiting the website automatically launches a download window
- You are asked to download an invoice or receipt, such as a PDF file, .zip or .rar, or an executable file or .scr screensaver file
A malicious website may also tell you:
- Your computer is already infected with malware
- Your plug-ins or browser are out of date
- You have won a competition or free prize draw. You may also be offered free money or vouchers that require you to enter your credit card or banking information
If you are asked to download any files or update your software, conduct a check of the site via Google and try to determine whether the site is genuine. If in doubt, do not download any files.
If you are told your browser is out of date, visit the official browser website and check your version number. Only ever download updates from official websites.
If you have accidentally visited a drive-by download site, by the time you have connected it may be too late to prevent malware from being downloaded. To protect against drive-by downloads you must ensure that your browser, add-ons, and plugins are 100% up to date. You should also use a software solution to block access to drive-by download sites.
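The warning signs listed above can be checked mechanically when a page is analysed in a sandbox or by a URL-inspection tool. The following is an added example written for this page, not code from the article or from any vendor product; the two sample pages are constructed, and the scoring weights are an assumption chosen so that a single download link on its own does not trip the check:

```python
"""Heuristic check for the malicious-website indicators listed above.

Added example; not part of the original article or of any vendor product.
Given a page's HTML it reports which warning signs are present: a download
that starts on its own (meta refresh, script navigation, hidden frame), a
link to a program or archive, and the scare messages criminals use
(infected computer, out-of-date plug-in, prize that needs card details).
Sample pages below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple

RISKY_EXTS = {"exe", "scr", "zip", "rar", "msi", "js", "vbs", "bat"}

SCARE_PATTERNS = {
    "claims computer is infected":
        r"your (computer|pc|device) (is|has been) infected|virus(es)? (detected|found)",
    "fake update prompt":
        r"(browser|plug-?ins?|flash|java)[^.]{0,40}\bout of date\b|update (your|required)",
    "prize lure asking for payment details":
        r"(you (have|'ve) won|free (prize|money|vouchers?))[^.]{0,80}(credit card|bank)",
}
# Automatic downloads outweigh a plain link, which legitimate sites also use.
WEIGHTS = {"automatic download on page load": 3, "script starts a download": 3,
           "hidden frame loading a file": 3, "link to program or archive": 1}
SCARE_WEIGHT = 2
SUSPICIOUS_AT = 3   # assumed threshold: scare text plus a link, or any automatic download


def risky_url(url: str) -> bool:
    """True if the URL's last path segment ends in an executable or archive extension."""
    path = url.split("?", 1)[0].split("#", 1)[0].lower()
    name = path.rsplit("/", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1] in RISKY_EXTS


class IndicatorParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []
        self.text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # valueless attributes such as <a download> appear as keys
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content") or "", re.I)
            if m and risky_url(m.group(1)):
                self.findings.append(("automatic download on page load", m.group(1)))
        elif tag == "a":
            href = a.get("href") or ""
            if "download" in a or risky_url(href):
                self.findings.append(("link to program or archive", href))
        elif tag == "iframe" and risky_url(a.get("src") or ""):
            self.findings.append(("hidden frame loading a file", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # location.href = "x.exe" or window.open("x.scr") inside an inline script
            for m in re.finditer(r"(?:location(?:\.href)?|window\.open)\s*[=(]\s*['\"]([^'\"]+)", data):
                if risky_url(m.group(1)):
                    self.findings.append(("script starts a download", m.group(1)))
        else:
            self.text.append(data)


def assess_page(html: str) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs found in the page."""
    p = IndicatorParser()
    p.feed(html)
    p.close()
    findings = list(p.findings)
    text = re.sub(r"\s+", " ", " ".join(p.text)).lower()
    for label, pattern in SCARE_PATTERNS.items():
        m = re.search(pattern, text)
        if m:
            findings.append((label, m.group(0)[:60]))
    return findings


def score_page(html: str) -> int:
    return sum(WEIGHTS.get(label, SCARE_WEIGHT) for label, _ in assess_page(html))


def is_suspicious(html: str) -> bool:
    return score_page(html) >= SUSPICIOUS_AT


# Constructed sample pages for the example.
MALICIOUS_SAMPLE = """<html><head><meta http-equiv="refresh" content="0; url=setup.exe"></head>
<body><h1>WARNING! Your computer is infected with 3 viruses</h1>
<p><a href="/files/cleaner.exe" download>Download the free security tool now</a></p>
<script>setTimeout(function () { window.location.href = "/update/flash_update.scr"; }, 500);</script>
</body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Quarterly results</h1>
<p><a href="/reports/q3.pdf">Download the report (PDF)</a></p></body></html>"""
```

Run `assess_page(MALICIOUS_SAMPLE)` to see the four indicators it reports; the benign page scores zero because a PDF link with no scare text is exactly what a legitimate site does. Text-matching like this is a first-pass triage aid for a filtering engine, not a substitute for reputation data and malware scanning of the download itself.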
How to block end users from visiting a malicious website
Even legitimate websites can be hacked and used to host malicious code. They may use advertising networks that are used by cybercriminals to direct visitors to malware-hosting websites. The best defense is to block these adverts and malicious websites.
Blocking access to these websites is a simple process. All it requires is a powerful web filtering solution to be installed. WebTitan web filtering solutions for the enterprise will help you keep your network secure by preventing users from visiting sites known to host malware.
WebTitan uses two powerful anti-malware and anti-phishing engines – Kaspersky Lab and ClamAV – to detect malware-hosting websites. When malicious sites are detected, they will be blocked. WebTitan can also be configured to block access to questionable or illegal content.
If employees are trained how to identify a malicious website, and web filtering software is installed, your networks will be much better protected from malware infections.
Have you been considering implementing a honeypot for malware? Attracting malware may seem counterintuitive but there are great benefits to be had from setting up a honeypot. You will attract malware regardless, so why not make sure it gets installed somewhere safe?
Practical advice about implementing a honeypot for malware
A honeypot for malware can be highly beneficial for an organization; however, it is important to set it up correctly and to commit enough resources for maintenance and upkeep. A honeypot for malware will be of little use if it can easily be identified as a fake system, and even worse if it can be used as a platform to attack your real system.
Listed below are some tips and pointers to get started:
How much interaction are you looking for?
When setting up a honeypot for malware, you need to decide on the level of interaction you want. How much leeway will you give an attacker? How much activity are you willing to allow? Generally speaking, the more interaction you want to allow, the more time you will need to spend setting up your malware honeypot and maintaining it.
You must also bear in mind that the more interaction you allow, the higher the risk of the attacker breaking out of the honeypot and launching an attack on your real systems. High-interaction malware honeypots actually run real operating systems. If you are happy with low-level interaction, you can use emulation and it will require less maintenance and involve less risk.
Off-the-shelf malware honeypot systems are perhaps the easiest place to start, although there are open-source options available that can be tweaked to suit your needs. Just because you use a commercial honeypot, it doesn’t mean you need to spend big. There are many free options to try out.
Honeypots for malware and more…
A package is usually the logical place to start before progressing to open-source options or expensive, comprehensive honeypot systems. You can gauge how beneficial running a honeypot for malware is. If it proves to be useful, you can commit more time and resources to developing a fully customized honeypot for your organization. You can also start with a honeypot for malware and, if you are happy with the results, also set up a honeypot for SCADA/ICS and your web services.
We suggest the following to get started:
A great choice for simulating multiple hosts and services on a single machine using virtualization. This low-interaction honeypot allows a convincing network to be set up involving numerous operating systems such as Windows, Linux, and Unix at the TCP/IP stack level. Capable of identifying remote hosts passively.
A SSH server honeypot with medium interaction. Excellent logging capabilities allowing a rerun of an attack to be viewed. Kippo allows complete file systems to be created.
A good honeypot for malware. Windows-based.
A honeypot for malware spread via USB drives.
A honeypot with low interaction that emulates web vulnerabilities that can be exploited using SQL injection.
A honeyclient (client-side honeypot) that emulates a web browser. A useful tool for exploring and interacting with a malicious website to determine what malicious code and objects it contains.
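The value of a medium-interaction SSH honeypot such as Kippo lies in its logs, so a defender needs a quick way to summarise them. The following is an added example written for this page, not Kippo’s own code: the log lines are Kippo-style but constructed here, and the brute-force threshold (five attempts within a minute) is an assumption to tune for your environment.

```python
"""Summarise SSH honeypot login attempts (added example, not Kippo's own code).

The log lines are Kippo-style and constructed for this example; adjust
LINE_RE to the exact format your honeypot writes. The summary answers the
questions a defender wants from a medium-interaction SSH honeypot: who is
knocking, which credentials they try, whether anyone got in, and which
sources are brute-forcing (BURST or more attempts inside WINDOW).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* "
    r"\[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

BURST = 5                      # assumed: this many attempts ...
WINDOW = timedelta(minutes=1)  # ... inside this interval counts as brute force


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    pw: str
    result: str


def parse_lines(lines: Iterable[str]) -> List[Attempt]:
    attempts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:   # other events (connection lost, commands typed) are ignored here
            attempts.append(Attempt(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                    m["ip"], m["user"], m["pw"], m["result"]))
    return attempts


def analyse(lines: Iterable[str], burst: int = BURST, window: timedelta = WINDOW) -> Dict:
    attempts = parse_lines(lines)
    stamps = defaultdict(list)
    for a in attempts:
        stamps[a.ip].append(a.ts)
    brute = []
    for ip, ts in stamps.items():
        ts.sort()
        # sliding window: any `burst` consecutive attempts that fit inside `window`
        if any(ts[i + burst - 1] - ts[i] <= window for i in range(len(ts) - burst + 1)):
            brute.append(ip)
    return {
        "attempts": len(attempts),
        "per_ip": Counter(a.ip for a in attempts),
        "top_credentials": Counter((a.user, a.pw) for a in attempts).most_common(3),
        "successes": [a for a in attempts if a.result == "succeeded"],
        "brute_force_sources": sorted(brute),
    }


# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
2015-11-02 09:14:01+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/123456] failed
2015-11-02 09:14:03+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/password] failed
2015-11-02 09:14:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/admin] failed
2015-11-02 09:14:07+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [admin/admin] failed
2015-11-02 09:14:09+0000 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.7] login attempt [root/toor] failed
2015-11-02 09:14:11+0000 [HoneyPotTransport,1,203.0.113.7] connection lost
2015-11-02 10:02:44+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.9] login attempt [root/123456] succeeded
2015-11-02 10:30:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.55] login attempt [pi/raspberry] failed
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The "successes" list is the one to watch on a honeypot configured to accept a weak password: each entry marks a session whose commands should be reviewed in the honeypot’s replay log, and the credentials in "top_credentials" are the ones worth checking against your real systems.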
Powerful honeypot packages
There are three excellent comprehensive honeypot packages listed below. It may be better to pay for these packages than to commit the time and resources to developing your own custom honeypot system.
A Windows-based honeypot system with excellent functionality and flexibility. It is expensive, but it is the choice of professionals.
MHN, or Modern Honeypot Network to give it its full name, is open source allowing for easy configuration and customization, with an extensive range of tools. Operates using a Mongo database.
A virtual appliance (OVA) based on Xubuntu Linux. A good range of analysis tools is provided, along with a choice of 10 pre-installed honeypot software packages.
Your honeypot may be detected!
It may only be a matter of time before your honeypot is detected, and when that happens the information is likely to be shared with other hackers. Fortunately, there are many different packages to choose from and custom honeypots can be created. Hackers cannot therefore look for a single signature to identify a system as a honeypot.
There are common tell-tale signs that a system is a honeypot. We recommend taking action to address the following issues if you want to make sure your honeypot is not detected as a fake system.
- There is no system activity – one sure sign of a fake system is that nobody is using it!
- The system is far too easy to compromise – “password” set as the password, for example
- Odd ports are left open and out-of-the-ordinary services are being run
- Hardly any software has been installed
- Default configurations of software and operating systems have been installed
- The file structure is too regular, and file names are obviously fake – file names such as “user password list” and “staff social security numbers” are unrealistic
Also worth considering is whether to include a deception port. A deception port is an open port that will allow an attacker to detect a honeypot. What is the point? This will show any would-be attacker that they are dealing with an organization that has devoted a lot of time and effort to cybersecurity. That, in itself, may be enough to convince attackers to look elsewhere and pursue much easier targets.
Do you think a honeypot is worth the effort?
A chronic lack of cybersecurity funding is a common problem. Network administrators and IT managers alike must learn to deal with a small budget and do more with the money they have available. Unfortunately, budgets are unlikely to be increased substantially, even when faced with new threats and a greater risk of suffering cyberattacks. You will be expected to do your job with the money that has been allocated. At best you may get a slight funding increase for next year. In the meantime, you will just need to do your best. Your best must also be good enough.
Get organized and stop wasting time on repetitive tasks
You will get request after request via your support line, and many support tickets will be submitted requiring you to do the same thing over and over again. You can spend time dealing with the same problems, commit an extraordinary amount of time to fixing the same email, network, hardware, and software issues, but that is time and money that could be spent on other more important tasks. What you must do is tackle these problems and determine the root cause. Sort these out, and the support tickets will stop. It will take longer initially, but will save you a considerable amount of time in the long run.
Deal with a lack of cybersecurity funding by saving money and achieving more in less time
You may be thinking that is easier said than done. There may not be money to spend on new hardware or software, and you cannot pay for solutions if the money is not available. There is a solution though: free up time and resources by tackling the root cause of malware issues, virus infections, phishing scams, and many system malfunctions, rather than repeatedly treating their symptoms.
You can prevent a great deal of support tickets and save a lot of time by implementing two software solutions that have been designed to stop network administrators, IT helpdesk staff, and IT managers wasting time. A lack of cybersecurity funding need not mean you have to leave your network open to hacker attack, or leave your end users (and your network) exposed.
SpamTitan and WebTitan are two cybersecurity solutions that are cost-effective, easy to implement, and easy to manage. They will also help to keep your end users and network protected. A lack of cybersecurity funding need not spell disaster.
Coping with a lack of cybersecurity funding: SpamTitan and WebTitan anti-spam and web filtering solutions
SpamTitan offers IT professionals an easy option for dealing with email spam and the problems it causes. Cut down on the common reasons for end users submitting support tickets and calling IT support helplines, and save time and money. Your resources can then be diverted to dealing with more critical IT issues.
SpamTitan will clean inbound and outbound emails and will prevent issues created by:
- Spam and bulk emails
- Malware and viruses
- Dangerous email attachments
- Spam websites and spam hosts
- Phishing emails and malicious links
- Outbound spam
- IP address blocking and blacklisting
- Rate threshold violations
- IT related business reputation damage
WebTitan web filtering solutions keep users protected and cut back on wasted time from:
- Drive-by attacks
- Malicious websites
- Social media usage issues
- Accessing of inappropriate content
- Loss of bandwidth
- Malicious adverts
- Inappropriate Internet use
- Rogue app threats
For further information on how WebTitan and SpamTitan can save your company – and the IT department – time and money, visit: www.spamtitan.com and www.webtitan.com
Porn websites are often considered to be rife with malware, although the major websites spend big to keep their sites malware free. That said, a recent porn malvertising campaign hit one of the largest adult websites placing millions of site visitors at risk of infecting their devices.
Viewing Internet Porn Can Give you a Nasty Infection
Cybercriminals have targeted a number of adult websites over the past few weeks, including one of the Internet’s largest porn sites. The cyberattack was quickly dealt with once discovered, but not before many of the site’s half a billion monthly web visitors had been shown malicious adverts.
SSL Malvertising Campaign Hits Top Porn Site
The malvertising campaign that targeted the top porn site was not new. It has previously affected some other notable websites that attract huge volumes of monthly traffic. MSN.com was affected, as was Yahoo. The cybercriminals behind the campaigns then started to target porn websites and other adult web portals.
The malvertising campaign was delivered via the ad-serving network TrafficHaus. The adverts offered a sex messenger dating app: download it, and you would supposedly be presented with a wide range of suitable partners looking for temporary love in your area. No download was actually required to get infected. Provided a security vulnerability existed, the malware would be downloaded automatically.
The campaign cleverly included a number of checks to ensure the adverts were only served to genuine web visitors with a browser version that was vulnerable to the exploit kit being used. The adverts were only displayed to Internet Explorer users, and only if certain security products were absent. These checks allowed the hackers behind the campaign to ensure that real people were targeted and honeypots were avoided.
Visitors who were displayed the adverts were subjected to the Angler exploit kit, the most commonly used exploit kit for delivering malware.
Second Porn Malvertising Campaign Hits Same Major Porn Site
This was not the only porn malvertising campaign that affected the top porn site. Some of the site’s visitors were recently hit with a ransomware attack known as browlock. Visitors had their web browsers locked with a page that they were unable to remove, warning them that they had been caught viewing illegal pornography. The page in this case showed a warning from Interpol. This porn malvertising scam was similar to the FBI browserlock campaigns previously seen.
The porn malvertising campaign warned victims that their browser had been locked, their files had been encrypted, and they were being recorded using their device’s audio and video capabilities. Users were given a time limit in which to pay to have the lock lifted and avoid arrest.
Porn malvertising campaigns can be highly effective, and victims are left with little alternative but to pay ransoms. It is possible to protect against infections and drive-by malware downloads. If security vulnerabilities do not exist, they cannot be exploited, and if adverts are not displayed, users cannot be infected. For the latter, a web filtering solution is the best option.
Apple device security is particularly robust, yet the company’s operating systems are far from impregnable as a recent Apple malware attack has shown. Apple device users have recently been targeted by hackers believed to be operating out of China. The Apple malware attack has so far resulted in the credentials of approximately 225,000 iPhone users being obtained by the hackers.
KeyRaider Responsible for Apple Malware Attack
The malware in question has been named KeyRaider. Fortunately, only device owners who have jailbroken their iPhones are at risk of infection. Jailbreaking an iPhone will allow banned apps to be installed on the device, but the process also introduces a vulnerability that can be exploited by hackers. KeyRaider attacks devices that have been jailbroken using Cydia, the most popular jailbreaking tool for Apple devices.
Device GUIDs, as well as Apple account usernames and passwords, have been stolen by KeyRaider. The malware can steal user credentials, Apple purchasing information, private keys, and Apple push notification certificates.
Once a device is infected, user credentials are uploaded to a command and control server, and those data are made accessible to other individuals. The information can be used to purchase apps for Apple devices without the buyer being charged; instead, the charges for the purchases are applied to infected users’ accounts.
To date it has been estimated that as many as 20,000 individuals have downloaded software that allows them to obtain Apple apps for free at the expense of other Apple device users. In some cases, users’ devices have been locked and attackers have demanded ransoms to be paid to unlock the infected iPhones and iPads.
The Apple malware attack was discovered by Palo Alto Networks and China’s WeipTech, although services have now been developed that are capable of detecting devices that have been infected with the malware.
iOS App Store applications being infected with malware
Palo Alto Networks has also recently issued a warning over iOS App Store applications that have been infected with malware. To date, 39 different apps have been discovered to have been infected, placing users of non-jailbroken Apple devices at risk of compromising their iPhones and iPads. Hackers were able to copy and alter Xcode development tools used by iOS app developers, and have been able to infect genuine applications by injecting malicious code.
It is not just relatively obscure apps that have been infected. WeChat is used by hundreds of millions of Apple device owners, and the app was one of those infected with malicious code. That said, the developers of the app, Tencent, have investigated the issue and reported that the malware has not been able to steal user credentials.
The malware infections are understood to be used to steal iCloud login credentials and Chinese security researchers have discovered close to 350 different mobile apps that have been injected with malicious code. Those apps include some of the most popular Apple apps being downloaded in China, such as Didi Kuaidi.
Some of the Chinese App Store apps discovered to have been compromised
The recent Apple malware attacks have come as a surprise to many security researchers and users who considered Apple devices to be perfectly safe. While Apple is without any shadow of a doubt the safest mobile platform, owners of the devices should not consider iOS to be 100% safe.
According to reports from FireEye, IT security professionals do not only need to be concerned about malware attacks on computers, servers, and Android devices: Cisco router malware has now been discovered.
Cisco router malware discovered on 79 devices to date
Cisco router malware is highly sophisticated and particularly worrying. The malware can survive a restart and will be reloaded each time. Cisco router malware is also highly versatile and can be tweaked to suit an attacker’s needs. It has been found to support up to 100 different modules.
The malware was first discovered in Ukraine, although the infections have now spread to 19 different countries around the world, including the US, UK, Germany, China, Canada, India and the Philippines. At this stage it is not clear who created the malware, or what its main purpose is.
It is also not clear whether the malware has been installed via exploited vulnerabilities. It is possible that routers have been hijacked as a result of default logins not being changed, or weak passwords being set.
It is known that the Cisco router malware is sophisticated and it appears to have been professionally developed. This has led security researchers to believe that foreign governments have had a hand in its development. Should that be the case, it is likely that the main purpose of the malware is spying. While it has been known for some time that router malware is possible in theory, this is the first time that malware has been discovered affecting routers in the wild.
SYNful Knock came as a big surprise to many security professionals
The malicious software is called SYNful Knock and it serves as a fully functional backdoor allowing remote access to networks. The attacks are also silent in many cases, and hackers are able to use the malware without risk of detection.
To date, the United States has been targeted by the cybercriminals behind the malware infections, with 25 of the 79 infections discovered in the U.S. That said, the infection was discovered to have affected an ISP which was hosting 25 infected routers. Lebanon has also been targeted and 12 infections discovered in the country, while 8 of the 79 infections have been found in Russia.
The infections were discovered using ZMap. Four full scans of the public IPv4 address space were carried out, probing for signs of the malware by sending TCP SYN packets. At this stage it would appear that only Cisco routers have been affected by SYNful Knock, but there is concern that other manufacturers’ routers may also be infected with malware. Researchers are now investigating to find out if router malware is a more widespread problem.
Nasty malware infections have been spread via the world’s largest dating website, which has been serving malicious web adverts to its visitors. Individuals trying to attract a new partner via Match.com’s UK site may have found out that it is much easier to attract malware.
Malicious web adverts used for drive-by malware downloads
Users of the dating website were not required to download any malware manually. Their browsers were probed for security vulnerabilities that could be exploited without any user interaction required. Provided they were enticed to click on one of the malicious website adverts served via Match.com, they would be directed to a site that contained an exploit kit. That exploit kit would then download malicious software onto their devices, delivering a payload of ransomware without their knowledge. Files would subsequently be locked by Cryptowall ransomware until such time that the victim paid a ransom.
Match.com is hugely popular and attracts over 5 million visitors every month in the UK alone. The potential for infection with malware was considerable, although it is not known how many individuals have been infected as a result of clicking on the malicious web adverts.
Malicious web adverts can be placed on popular sites for just a few cents
Malicious web adverts are displayed via ad networks that popular websites use as an additional revenue source. Code is placed on a website and adverts will be displayed.
Participants in the ad programs are able to select the websites where they want their adverts displayed. The cost of displaying each advert is set by the popularity of the website. For just a few cents, the criminals behind the malvertising campaign were able to target Match.com’s users, reportedly at a cost of just 36 cents. Malvertisers were keen to take advantage of the huge traffic that the site attracts.
Most websites serve adverts of some description. They are an essential revenue stream that site owners can ill afford to ignore. While ad networks do vet the companies that sign up, some rogue advertisers invariably get past the controls and manage to get their malicious web adverts displayed. Once discovered, the accounts are blocked by the ad networks, although not before the malicious website adverts have been displayed to millions of individuals.
Once Match.com discovered that its site was being used to display malicious website adverts, to protect its site visitors the company temporarily suspended all advertising until the problem was addressed. Unlike the Ashley Madison hack, no user data was exposed as a result of the security breach.
How to protect against malicious web adverts
Malvertising campaigns are increasingly common, but attacks can be easily prevented. Drive-by downloads are possible, but users will need to be directed to a website hosting an exploit kit, and they must have a browser that can be exploited.
Protecting against malicious web adverts requires all browsers and browser plugins to be kept up to date. As soon as a new version of a browser or plugin is available for download it must be installed.
When zero-day vulnerabilities are discovered security professionals get to work developing patches to plug the security holes. There is a lag however, and during that time users will be at risk.
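Checking an inventory against the "latest version" advice above (and the earlier tip on keeping browsers patched) sounds trivial but is a common source of false assurance, because version strings compared as text sort 9.0 after 11.0. The following is an added example written for this page, not from the article or any vendor tool; the product names, installed versions and minimum patched versions are constructed sample data, not real advisories:

```python
"""Patch-level check for browsers and plug-ins.

Added example, not taken from the article or from any vendor tool. Version
strings have to be compared numerically, component by component: as plain
strings "9.0" sorts after "11.0", so a string comparison would report an
old browser as current. Product names, versions and minimum patched
versions below are constructed sample data, not real advisories.
"""
import re
from typing import Dict, List, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'11.0.9600.18036' -> (11, 0, 9600, 18036); trailing non-numeric text is ignored."""
    parts: List[int] = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True if installed < minimum, treating missing components as zero (11.0 == 11.0.0)."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


# Constructed baseline: the oldest version that carries the current fixes.
MINIMUM_PATCHED: Dict[str, str] = {
    "web-browser": "11.0.9600",
    "flash-plugin": "19.0.0",
    "pdf-reader": "15.9",
}

# Constructed inventory rows: (host, product, installed version).
INVENTORY = [
    ("ws-01", "web-browser", "11.0.9600"),
    ("ws-02", "web-browser", "9.0.8112"),
    ("ws-02", "flash-plugin", "18.0.0.209"),
    ("ws-03", "pdf-reader", "15.10.1"),
    ("ws-04", "media-plugin", "2.1"),
]


def outdated_software(inventory, minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Rows needing attention: below the baseline, or with no baseline to check against."""
    report = []
    for host, product, version in inventory:
        if product not in minimums:
            # An unknown plug-in is a gap in the baseline, not a pass.
            report.append((host, product, version, "no baseline; review manually"))
        elif is_outdated(version, minimums[product]):
            report.append((host, product, version, f"below minimum {minimums[product]}"))
    return report


if __name__ == "__main__":
    for row in outdated_software(INVENTORY, MINIMUM_PATCHED):
        print(*row)
```

Note the ws-03 row: 15.10.1 is newer than the 15.9 baseline and is correctly left off the report, whereas a string comparison would have flagged it and, worse, passed the 9.0 browser on ws-02.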
For the individual the risk may be relatively low, but for an employer with tens or hundreds of end users, that risk will be considerable. One of the best methods to ensure corporate networks and devices are protected is to employ a web filtering solution such as WebTitan.
WebTitan can be configured to block third party adverts from being displayed on websites. If adverts are not displayed, they cannot be clicked and end users’ devices and corporate networks will be protected from drive-by malware downloads.
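The two web-filter controls this page relies on, blocking known malware-hosting domains (described in the section on blocking malicious websites) and blocking third-party adverts (described here), come down to one decision per request. The following is an added example written for this page and is not WebTitan’s code; the public-suffix table is deliberately cut down, and the blocklist, ad-network list and URLs are constructed:

```python
"""Web-filter decision for a page request and the resources it loads.

Added example; this is not WebTitan's code. It combines the two controls the
article describes: refuse any request to a domain on a malware/phishing
blocklist (subdomains of a listed domain included), and refuse third-party
advert requests, meaning resources whose registrable domain differs from
the page's own and that belong to a known advertising network. The suffix
table, blocklist, ad-network list and sample URLs are constructed.
"""
from typing import Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Cut-down public-suffix table; a real filter uses the full Public Suffix List.
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "uk", "co.uk", "org.uk", "example"}
MALWARE_BLOCKLIST: Set[str] = {"malware-host.example", "phish.example"}   # constructed
AD_NETWORKS: Set[str] = {"ads.example", "trackers.example"}               # constructed


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, without a trailing dot or port."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """'cdn.ads.example' -> 'ads.example'; 'www.shop.co.uk' -> 'shop.co.uk'."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host


def on_list(host: str, domains: Iterable[str]) -> bool:
    """True if host is a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(page_url: str, request_url: str) -> Tuple[str, str]:
    """('block'|'allow', reason) for one resource request made while viewing page_url."""
    page_host, req_host = hostname(page_url), hostname(request_url)
    if not req_host:
        return ("block", "request has no hostname")
    if on_list(req_host, MALWARE_BLOCKLIST):
        return ("block", "domain on malware/phishing blocklist")
    # Third party: the resource's registrable domain is not the page's own.
    third_party = registrable_domain(req_host) != registrable_domain(page_host)
    if third_party and on_list(req_host, AD_NETWORKS):
        return ("block", "third-party advert")
    return ("allow", "first-party or unlisted domain")


def filter_requests(page_url: str, request_urls: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Decision for every resource a page tries to load."""
    return [(u,) + decide(page_url, u) for u in request_urls]


if __name__ == "__main__":
    # Constructed page load: own script, ad-network banner, exploit-kit redirect target.
    for url, action, reason in filter_requests("https://www.dating.example/", [
        "https://static.dating.example/app.js",
        "https://cdn.ads.example/banner.js",
        "http://evil.malware-host.example/landing",
    ]):
        print(f"{action:5} {url:45} {reason}")
```

Matching on the registrable domain rather than the full hostname is what makes the rule robust: advertisers rotate subdomains constantly, and a blocklist entry for ads.example must catch cdn.ads.example without listing every variant.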
Did you think the Ashley Madison data breach was mildly humorous? Did you think that it serves the people right for cheating on their husband, wife or life partner? If you did, you certainly didn’t have an account with the online cheating website. Those who did simultaneously broke out in a cold sweat when they realized the website had been hacked and the perpetrator was threatening to make the data public.
Ashley Madison data breach exposed millions of confidential records
The Impact Team was the hacking group behind the Ashley Madison data breach. The group announced on the Tor network that it had hacked the company’s database. The hackers claimed they would release details of the website’s patrons – people looking to have extra-marital affairs – if the company did not shut down its website. Avid Life Media Ltd., the company behind Ashley Madison, did not agree to close its business. The hackers then made good on their promise and started publishing data. A large data dump caused many of the website’s subscribers to panic.
The methods used by the attackers to gain access to the website have not been disclosed, although they were able to obtain the records of more than 30 million individuals in the attack. Unfortunately for the people who have had their privacy violated, there is little that can be done apart from taking precautions with their financial accounts. Their data cannot be un-exposed; it is out there and can be used by whoever finds it. That means phishers, cybercriminals, identity thieves, and anyone who has taken objection to their extra-marital activities may try to expose them.
A data breach can seriously damage a company’s reputation
This was a high profile breach due to the nature of the website and the total confidentiality that is expected and demanded by the company’s clients. A data breach such as this has the potential to cause considerable damage to a brand whose marketing strategy and service depend on privacy. However, brand reputation damage follows any security breach. Target, Anthem Inc., eBay and OPM have all had their reputations damaged to varying degrees as a result of security breaches and data theft.
Many IT professionals believe that it is not a case of whether a security breach will be suffered, but when it will happen. A great many security professionals believe that most companies have already suffered a security breach. They just do not know it yet.
Lessons learned from the Ashley Madison data breach
Consumers can learn lessons from the Ashley Madison data breach. They should be aware that disclosing any information increases the risk of someone else accessing that information.
The lessons for consumers are:
- If you want to do anything in secret, the Internet is probably not the best place to do it
- When disclosing information of a sensitive nature, ask yourself what the consequences would be if someone found out or exposed that information
- Would you be able to recover from a breach of that information?
- Is the service or product more or less important than it being kept a secret?
- No matter how secure a website, service, or application claims to be, there is always a risk of a security breach being suffered
- There is never a 100% guarantee of privacy online – all networks and systems are vulnerable to attack
Businesses must conduct a risk analysis
Businesses must also consider the risks to data security. Many security threats exist, and they must all be effectively managed. In order to determine what risks exist, an organization must conduct a thorough risk analysis. It is only possible to address and manage risk if a company knows what security vulnerabilities exist. Unfortunately, many hackers already know about the data security risks that are present, as well as how they can be exploited.
Once a risk is identified, unless state or federal legislation demands that the risk is addressed, a company must decide what measures to employ, and whether they are actually worthwhile.
To do that a company must calculate the annualized rate of occurrence (ARO) of a security breach via a given vulnerability, which means how often that vulnerability is likely to be exploited in any given year. Then the company must determine the repercussions of that vulnerability being exploited: how much a single security breach would cost to resolve. That figure is the single loss expectancy (SLE). Once these two figures are known, the annual loss expectancy (ALE) is obtained by multiplying them together (ALE = ARO × SLE). A decision can then be taken about how the risk can be managed.
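The ARO/SLE/ALE calculation above, carried one step further to the decision the text describes (is a countermeasure worth its cost?), as an added example that is not part of the original article. The risk, the controls, their annual costs and the ARO/SLE figures assumed after each control is applied are all constructed illustrative numbers.

```python
"""Risk quantification with ARO, SLE and ALE, and a cost-benefit ranking of controls.

Added example (not from the original article). The vulnerability, rates and
costs below are constructed illustrative figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float          # annualized rate of occurrence (incidents per year)
    sle: float          # single loss expectancy (cost to resolve one incident)

    def ale(self) -> float:
        """Annual loss expectancy = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the countermeasure costs per year
    aro_after: float    # assumed ARO once the control is in place
    sle_after: float    # assumed SLE once the control is in place


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit of applying `control` to `risk`.

    Positive means the control reduces expected loss by more than it costs;
    negative means it is not worthwhile on these figures alone (legislation
    may still require it, as the text notes).
    """
    ale_before = risk.ale()
    ale_after = control.aro_after * control.sle_after
    return (ale_before - ale_after) - control.annual_cost


def rank_controls(risk: Risk, controls) -> list:
    """Return (control name, net annual benefit) pairs, best first."""
    scored = [(c.name, control_value(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: credential phishing expected twice a year, 50,000 per incident.
PHISHING = Risk(name="credential phishing", aro=2.0, sle=50_000.0)

CONTROLS = [
    Control("email filtering", annual_cost=8_000.0, aro_after=0.5, sle_after=50_000.0),
    Control("security awareness training", annual_cost=12_000.0, aro_after=1.0, sle_after=50_000.0),
    Control("full SIEM deployment", annual_cost=120_000.0, aro_after=0.25, sle_after=40_000.0),
]

if __name__ == "__main__":
    print(f"ALE before controls: {PHISHING.ale():,.0f}")
    for name, benefit in rank_controls(PHISHING, CONTROLS):
        print(f"{name:30s} net annual benefit {benefit:>10,.0f}")
```

On these constructed figures the ALE is 100,000 per year; email filtering (net benefit 67,000) ranks first and the SIEM ranks last because its annual cost exceeds the loss it prevents.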
Sean Doherty, Head of Research & Development at TitanHQ recently pointed out that “the notion of having ‘perfect security’ is ludicrous”. What must be done is to make it as hard as possible for systems to be infiltrated and data stolen. It is essential to implement good security measures which will be sufficient to repel attacks from all but the most skilled, motivated, and determined individuals. There is no such thing as zero risk, but it is possible to manage risk and get it down to a minimal level.
The role of a systems administrator is certainly challenging, mainly because it is constantly changing. This is the way it always has been since the role of a systems administrator was first defined. Now if you were to write down the role of a systems administrator, it would virtually be out of date before the ink had dried.
The role of a systems administrator evolves quickly. That is the very nature of the job. For many sys admins, that is what makes the job so interesting and enjoyable.
Anyone contemplating entering the profession should not be afraid of hard work. They also need to know that they will need a lot of training, and even more experience, in order to excel in the position.
The role of a systems administrator over the next five years
Over the course of the next five years there is expected to be 12% growth for systems and network administrators according to the US Bureau of Labor Statistics. The last report issued by the BLS indicated a much higher growth rate, but it has now been adjusted and matches the average of all industries tracked by the BLS.
In years gone by you may have been able to get away with just having an MCSA qualification to become a good systems administrator. Today, that is not nearly enough. Not only will you need to know your way around Microsoft products, you will also need to become an expert in every system used by your employer.
To excel in the role of a systems administrator you must be technically gifted, and you will need to be something of a jack of all trades. New technology is frequently introduced and part of the role of a systems administrator is to get to grips with that technology quickly. After all, you will be required to configure it, troubleshoot it, and repair it as necessary. The role of the systems administrator has grown enormously since IT has become so pervasive in business.
Fortunately, it is much easier to access training and information resources than ever before. Vendor websites provide a wealth of information, Udemy and other online learning resources can easily be accessed, and social media networks and online forums allow a sys admin to tap into the knowledge of colleagues and other sys admins when help is required.
How important is certification?
You will need an MCSA certificate to get your first job, but in order to retain your position, or even to progress and get a better paid job, further qualifications may be required. But not necessarily. They look great on a CV and can impress potential employers, but experience really does count. If you know your stuff and have experience it does make sense to get certified, but never underestimate the value of experience over a piece of paper. Certification is not everything.
If you want to take on the role of a systems administrator be sure to learn these technologies!
A system administrator should be familiar with emerging technologies, but there are some tech trends that are an absolute must to become familiar with. These include:
- Cloud services
- Voice Over IP (VoIP)
- Technologies that can automate tasks performed by a sys admin
Automation of daily sys admin tasks
Automation of sys admin tasks will not mean you will be ultimately made redundant. It means you can use your time more efficiently. You will need to be familiar with the tools that allow you to automate a lot of tasks. They are essential for managing large, complex networks.
Without any automation of daily tasks, the role of a system administrator would be an absolute nightmare. Imagine trying to keep track of system messages for a network with 1000 connected devices if you did not have a centralized logging system!
While automation is vital, it is not without its problems. Automation can make the management of a computer network easier, but on a day to day basis your job is likely to be much more complicated, especially when it comes to troubleshooting problems.
Let’s say you have a red X showing on your management dashboard. What does that red X mean? Well, it could mean any number of things. For instance:
There could be a problem with the device hosting the dashboard, or it could be caused by a routing error. It could be a cable issue, or a problem with the device itself. It may be an error with the discovery protocol, or maybe the network dashboard is faulty. Automation may save time, but it doesn’t necessarily mean it is always quicker and easier to resolve problems. It also requires a sys admin to undergo further training on the automation system itself and the equipment used to host it.
In order to be able to automate tasks you will need to learn a scripting language such as Python or Windows PowerShell. One thing is for sure. If you are planning on becoming a sys admin you will need to learn at least one scripting language before you get your first job. As for the others, they can be learned on the job.
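The kind of scripted task the preceding paragraphs have in mind, as an added example in Python that is not part of the original article: a central syslog server collects messages from every device, and a short script condenses them into the few lines a sys admin actually needs to act on. The log lines are constructed samples in the common syslog text format, the keyword classification and the alert threshold are illustrative assumptions, and the host names are invented.

```python
"""Summarise syslog messages from many hosts into an at-a-glance report.

Added example, not from the original article. The log lines are constructed
samples in the text format syslog daemons commonly emit; the alert keywords
and thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of what a central syslog server might receive.
SAMPLE_LOG = """\
Mar 10 08:01:12 fw-edge-01 kernel: [firewall] DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 08:01:13 fw-edge-01 kernel: [firewall] DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 08:01:15 srv-db-02 sshd[2041]: Failed password for root from 198.51.100.7 port 51512 ssh2
Mar 10 08:01:16 srv-db-02 sshd[2041]: Failed password for root from 198.51.100.7 port 51513 ssh2
Mar 10 08:01:17 srv-db-02 sshd[2041]: Failed password for root from 198.51.100.7 port 51514 ssh2
Mar 10 08:02:00 ws-034 CRON[881]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:02:41 srv-web-01 nginx: 192.0.2.55 - - "GET / HTTP/1.1" 200 612
Mar 10 08:03:02 ws-034 smartd[512]: Device: /dev/sda, FAILED SMART self-check. BACK UP DATA NOW!
"""

# "<month day time> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Simple keyword classification; a real deployment would also use the
# syslog facility/severity rather than message text alone.
ALERT_PATTERNS = {
    "auth_failure": re.compile(r"Failed password"),
    "disk_failure": re.compile(r"FAILED SMART"),
    "firewall_drop": re.compile(r"\bDROP\b"),
}


def parse_line(line: str):
    """Return a dict with ts/host/proc/msg, or None for lines that do not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text: str, auth_fail_threshold: int = 3):
    """Count alert categories per host and flag hosts that need attention.

    Returns (per_host_counts, flagged): per_host_counts maps host -> Counter
    of alert categories (hosts with no alerts are absent); flagged is a sorted
    list of (host, reason) tuples.
    """
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real tool would count these too
        for category, pattern in ALERT_PATTERNS.items():
            if pattern.search(rec["msg"]):
                per_host[rec["host"]][category] += 1
    flagged = []
    for host, counts in per_host.items():
        if counts["auth_failure"] >= auth_fail_threshold:
            flagged.append((host, "repeated authentication failures"))
        if counts["disk_failure"]:
            flagged.append((host, "disk reporting imminent failure"))
    return dict(per_host), sorted(flagged)


if __name__ == "__main__":
    per_host, flagged = summarise(SAMPLE_LOG)
    for host, reason in flagged:
        print(f"{host}: {reason}")
```

Run against the sample, the script reduces eight messages from four hosts to two lines: the database server is seeing repeated failed root logins and a workstation's disk is about to fail. Scaling this to a thousand devices changes nothing in the script, which is the point the text makes about automation.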
Use of SaaS and the Cloud is Increasing
You must be familiar with cloud archiving and backups as these have proven to be invaluable in improving efficiency. Many man-hours have been cut by using the cloud for routine data operations. However, that said, there is now a need for sys admins to become familiar with APIs – Application Programming Interfaces.
With many companies now using outsourced cloud services, the sys admin’s role has become much more valuable. Without a sys admin, businesses would have no alternative but to believe what cloud service salespersons say. An experienced sys admin will be able to assess the services being offered and determine whether they have the required functionality to adequately serve the needs of the business.
The Two V’s – VoIP and Virtualization
Many companies are taking advantage of the huge cost savings possible by switching from traditional telephone services to VoIP. Unfortunately, while business leaders love the cost savings, users do not like the potential downtime. In fact, they can be pretty intolerant. They expect 99.999% uptime like they get with traditional telephony. It is therefore essential that sys admins understand network load dynamics and are able to successfully implement and maintain VoIP services.
Businesses nowadays use many virtual networks, which add new levels of abstraction. They also require advanced knowledge of switching and routing. It is therefore essential that a good working knowledge of virtualization is acquired.
The role of a system administrator requires these skills…
A study conducted by the Association for Information Systems (AIS) and Association for Computing Machinery (ACM), detailed in the IS 2010 Curriculum Guidelines, suggests an individual in the role of a systems administrator must have the following skills and attributes in order to succeed in the position:
- Creative, analytical, and critical thinking skills
- Excellent communication and negotiation skills
- Collaboration and leadership skills
- Good mathematical knowledge
Do you think you have what it takes? If you do, make sure you are aware of all the critical technologies. Work on your mathematical and communication skills, and make sure you expand your social network. Many companies are looking for experience, which can make it hard to get your first position. Hang in there. If you can prove your knowledge and demonstrate your skills, you should be able to get your first position. And we wish you the very best of luck with that.
Many people are using Microsoft Exchange for archiving email and some people do not archive email at all. Both are big mistakes. To find out why, it is important to know what true email archiving actually is.
What is email archiving?
Email archiving means more than just clearing your inbox. An email archive is a technical term used to describe a permanent and unalterable record of email data.
An email archive is essential for businesses; where a business is located and the industry in which it operates determine just how important that archive is.
An email archive is required in case of litigation, and government audits will require emails to be retrieved from an archive.
It is important to make a distinction between an email archive and an email backup because the two terms are frequently confused. Both are important, but they are used in different situations.
An email backup is a store of emails that can be recovered in case of emergency. If email data is lost, corrupted, or accidentally deleted, a copy can be recovered from a backup. Email backups will restore email accounts to the state they were in when the backup was made. Backups therefore need to be performed daily, but also weekly and monthly. Each time a backup is made, it will usually overwrite a previous copy. Email backups are not permanent.
An email archive is different. It is a permanent store of email data. An archive is searchable, and individual emails can be retrieved as necessary.
Why is it important to have an email archive?
One of the main benefits of an email archive is to reduce the storage space required for individual mailboxes. Smaller mailboxes are faster to search and retrieve information. The mailbox should only contain a working copy of email from the last few days or weeks. The remaining emails should be moved to an archive where they can be retrieved as and when necessary.
Email archiving is a legal requirement in many countries around the world. It is necessary to maintain an email archive to comply with specific industry regulations, as well as country and state laws. An archive is also required for eDiscovery. If legal action is taken against a business, it must be possible for emails, and documents sent via email, to be retrieved. These must be provided during litigation.
eDiscovery can prove extremely expensive if an email archiving solution is not used. If documents or emails are requested they can be obtained from an archive. If they need to be obtained from individual computers, the time required to locate the emails would be considerable. You may even need to search every computer in your organization. If you run a small business and have 20 computers and email accounts, this would take quite a while. If you run a business with 10,000 computers and email accounts, you could be in real trouble if you don’t have an email archive.
eDiscovery requirements mean an email archive must be searchable, and therefore the organization of the archive is critical. How so? Well, that is best illustrated with an example. An executive criminal case involving Nortel Networks resulted in 23 million pages of electronic email records being delivered by the prosecution. That is a lot of data. Unfortunately, the data was in a bit of a mess because it had not been well organized. So much of a mess that Ontario Superior Court Justice Cary Boswell ordered the prosecution to re-present it to the defense in a comprehensible format. It was described as an “unsearchable morass.”
Organizing 23 million pages of email takes a considerable amount of time. It is therefore important to get the structure of the archive correct from the outset.
Can I use Microsoft Exchange for archiving email?
Is it possible to use Microsoft Exchange for archiving email? Since the 2007 version was issued, Microsoft has included the option to use Exchange for archiving email in its journaling and personal archive functions.
However, there is a problem with using Exchange for archiving email. The journaling function does not work as a true email archive. Using Exchange for archiving email can cause many problems.
Reasons why Exchange for archiving email can cause problems for businesses
- MS Exchange does not allow email in its archive to be effectively indexed and searched
- Individual email account holders can create personal PSTs and store email on their computers
- Individual PSTs may not meet the requirements of eDiscovery
- There are no data retention configuration settings in journaling
The journaling function doesn’t really satisfy the requirements of businesses, but what about the Personal Archive? Can that be used? Unfortunately, while it does offer some enhanced email archiving functionality, using the Personal Archive of Exchange for archiving email will also cause problems.
Let us take a look at the functionality of the personal email archive in the 2010 release. Exchange 2010 is better for email archiving than the 2007 release, but there are still some major issues.
In Exchange 2010, it is possible to create a mailbox archive for each email account. The purpose of the archive is to free up space in the mailbox; it is a workaround for restrictive mailbox quotas. The archive is intended to be used as a medium-term store for additional emails that the user does not want to delete, but does not need in the mailbox for day to day operations. These are not really email archives, but secondary mailboxes. They lack the functionality of a true email archive.
Exchange users have two options for their personal archive, regardless of whether it is located in the production database or in the cloud. The archive can be configured to move messages automatically after a set period of time (based on retention tags) or the task can be performed manually as and when required.
There are two main drawbacks to using an Exchange personal archive. For many organizations the main disadvantage is the cost: It is necessary to purchase an enterprise client access license or CAL, or to purchase Office 2010 Professional Plus if Outlook is required.
Even Microsoft points out that it may not be wise to use personal archives in Exchange for archiving email, stating they “may not meet your archiving needs.” Does that seem an odd statement to make? That is because it is not a true email archive. It is a personal one.
Users are able to choose what information is loaded into the personal archive. They can also delete emails from the archive. That is no good for regulatory compliance and eDiscovery. There is a workaround, though. It is possible to meet certain eDiscovery and regulatory compliance requirements when using Exchange for archiving email. Users can be given Discovery Management roles, and can perform indexing and multiple mailbox searches. Unfortunately, the Control Panel in Exchange 2010 is difficult to use, especially for eDiscovery purposes.
Some of these issues have been addressed in Exchange 2013, but there are still eDiscovery issues. Users have far too much control over their personal archives and mailboxes. They have the ability to create their own policies and apply personal settings to their mailboxes and archives. They can potentially bypass corporate email storage policies. Unfortunately, unless Litigation Hold or In-Place Hold is applied to each and every mailbox, the administrator is incapable of overriding settings that have been applied by each user.
Is it possible to use Microsoft Exchange for archiving email if SharePoint 2013 is used?
The issue of eDiscovery has been tackled by Microsoft. It is possible to use SharePoint 2013 to perform searches of all mailboxes, but there are even problems with this added eDiscovery feature.
For a start, it is necessary to buy SharePoint 2013 and that has a cost implication. It is also necessary to use cloud storage and keep the data on an Exchange server, otherwise the In-Place Discovery tools of Exchange will not work.
There is another issue. That is the storage space you will require. Every email that has ever been sent or received through MS Exchange will need to be stored. Over time your email “archive” will become immense. Over 90% of the emails stored in that archive will never need to be accessed. It will involve paying an unnecessary cost and searching through all those emails will take a long time. Recovering emails will be particularly slow.
A true archive will remove a significant proportion of the 90% of emails that you will never need to access, and search and recovery time can be greatly reduced.
You cannot consider the archiving function of MS Exchange to be a true email archive that will meet all compliance and eDiscovery needs.
The ArcTitan approach to email archiving
ArcTitan is a true email archiving solution that has been custom designed to meet compliance and eDiscovery requirements, as well as meeting data storage needs.
Key Features of ArcTitan Email Archiving
Network Security Checklist for SMBs
Our network security checklist for SMBs acknowledges the fact that many small-to-medium sized businesses do not have the resources to dedicate to their network security. However, network security is essential. Without protection against hackers and malware, an SMB’s survival could be under threat.
Consequently, our network security checklist for SMBs contains common sense approaches to network security that can be implemented for little or no cost. Indeed, it is in an SMB’s best interest to adopt these best practices before even considering a “comprehensive security solution” software package – which would be ineffective without first taking the steps below.
Start by conducting a risk assessment
The first item on our network security checklist for SMBs is to assess your risk levels and the consequences of an attack on your network. In order to do this, you will need to know:
- What information is stored
- How is it stored
- Who has access to the information
- How is the information protected
- What would be the consequences of a successful cyber-attack on your business
Develop an acceptable usage policy
Most hackers use the weakest link in your network security to launch attacks – your employees. Consequently it is essential that you develop an acceptable usage policy to advise your employees how they should use systems and resources while at work. Some factors you may want to consider when compiling an acceptable usage policy include social media use and the use of private devices (including USBs) in the workplace.
The policy should be accompanied by appropriate employee training. This will help you to assess whether your employees understand acceptable usage and can identify security risks. The U.S. Chamber of Commerce has an excellent online “Test Your Internet Security IQ” quiz that can be printed off and distributed among your employees. The results are likely to surprise you.
Change your passwords regularly – all of them!
Most business owners will be aware of the necessity to change user passwords regularly, but how often is regularly? Once a year? Once a quarter? In order to develop solid network security, you should be changing passwords at least once a month – and not just those of your user accounts.
Servers, routers and switches all have passwords (or should have). When was the last time you changed your Wi-Fi password? Also remember that many devices have default passwords. You should change them immediately after installation and then change them regularly thereafter.
Identify your vulnerabilities
There are plenty of free online tools that offer network security checks, but you have to be careful to use a reputable one to ensure you are not infecting your system with hidden malware. Metasploit is one of the best resources for network security testing we have identified. For identifying vulnerabilities on individual operating systems and devices, we recommend choosing from the list provided by StaySafeOnline.
Protect your network against malware
Having just mentioned malware, this seems a good time to include the subject in our network security checklist for SMBs.
You can protect your network against malware by using some existing tools in your system – for example in browser settings. You should strengthen your protection by adjusting the content filters, pop-up blockers, cookie and certificate settings. This not only needs to be done on all your company’s hardware, but on personal mobile devices if they connect to the company’s Wi-Fi.
One wise investment is an email filter. Spammers often use emails as a means to con employees into exposing network vulnerabilities, but if the emails do not arrive in employee inboxes, the risk is eliminated. An email filter is not necessarily an expensive investment, and it can be deployed in various ways to filter out the potentially catastrophic consequences of an employee clicking on a link which allows a hacker to install malware on your network.
Avoid data loss and data lock with backups
According to research conducted by Kroll Ontrack, 40 percent of data loss is attributable to human error – either due to inadvertently deleting a file or folder, or by spilling a drink on a piece of IT hardware. Regular backups ensure that the data can be recovered with minimal disruption.
Regular backups also prevent your company being held to ransom if ransomware is installed on your network. Ransomware encrypts all your data with a key that only the person demanding the ransom has access to. The threat of your company being held to ransom can be eliminated if you are able to restore data from a recent backup.
There is a variety of backup options available for SMBs – file or volume syncing, cloud backup, traditional backup software, and replication. The most appropriate option will depend on the volume of data your company produces.
Control software installations
Controlling the installation of software on the server or on any device is especially important because software is increasingly open-source and could introduce new vulnerabilities. For example, it may be convenient to install remote access software on your server, but this provides potential attackers with another gateway to penetrate your network. Software installations should be decisions you make with the same considerations as with other business decisions – weighing up the benefits against the risks.
Similarly, the use of personal devices or software-as-a-service (SaaS) applications can also introduce risks to the network’s security. The use of personal devices and SaaS applications should have the same controls as would be applied to on-site company resources to avoid data loss, the installation of malware on the network and attacks from hackers.
Don’t ignore software updates
The final box to tick on our network security checklist for SMBs is not to ignore software updates. Software updates are released for a purpose – usually to patch vulnerabilities that have been discovered since the software’s installation.
From a security perspective, it is essential to apply software updates as soon as they are released. This applies to operating system software (Windows, Mac OS, Linux), security software such as antivirus software and standard programs. Some network security solutions have automatic software updates, and you should choose these whenever such an option is available.
This article explores the benefits of teaching hacking techniques. Why on earth would I want to do that you may ask? Isn’t that the same as telling someone how to rob a bank? Well, it is, but teaching hacking techniques does have a lot of benefits. For a start, it is essential if you want to be able to defend a network from an attack by a skilled black hat. You must be able to think like a hacker in order to protect a network from one, but you need a real hacker to tell you if your network has been properly secured.
Teaching hacking techniques is like training a new army of hackers!
Let’s take a look at the three “types of hacker”. First there is the black hat hacker (boo, hiss). This rather nasty individual is intent on causing havoc with their malicious ways. They want to destroy, disrupt, and rob.
According to Robert Moore (2005), a black hat hacker is someone who “violates computer security for little reason beyond maliciousness or for personal gain.”
Then there is the white hat hacker. A white hat hacker uses his or her skills for good (hooray!) They are computer security experts who want to protect computer systems from attack.
Then there is the gray hat hacker. This individual is somewhere between the black and white. They are often called ethical hackers, and these are the individuals that perform penetration testing (pentesting). These individuals behave exactly like a black hat would, minus the maliciousness. Their goal is to find vulnerabilities and exploit them to show whether it can be done. They must gain access and be able to cause havoc. To do that they must be as good as a black hat hacker.
There is not much difference between an ethical hacker and a black hat hacker. In fact, on black hat forums you will not only find articles aimed at improving the skills of black hat hackers, but also articles aimed at gray hats and white hats. For example, two articles below have recently been posted on a black hat hacking website:
- “Harnessing GP²Us – Building Better Browser Based Botnets”
- “Hybrid Defense: How to Protect Yourself From Polymorphic 0-days”
The benefits of teaching hacking techniques
You can’t become a hacker from reading a few articles on the internet. Sure you can learn a thing or two, but before you can call yourself a hacker you must be able to demonstrate that you can actually put your knowledge into practice. The best hackers, of all colors, are those who have spent countless hours poking around inside computer systems and studying networks and network devices first hand.
In fact, if you want to be an ethical hacker you must have the skills of a black hat hacker. You will need to be taught, you will need to study, and you will need to practice. Teaching hacking techniques will actually help to build up an army of hackers that can use their skills for good.
If you want to get into pentesting you will need to work hard. Typically, you will need to have passed A+ certification, Network+, Security+, and obtained CCNA, CISSP or TICSA certification. You will need to have worked in tech support and information security. You will need hands on experience. Then, and only then, will you be able to become a Certified Ethical Hacker (CEH).
Of course, it is important that you then only ever use your skills for good, even though you would be capable of using those skills for nefarious financial gain or to cause malicious harm.
The danger of teaching hacking techniques
Teaching hacking techniques has potential to create a whole army of hackers that could cause considerable harm, yet without people who have the same abilities as black hat hackers, how would it be possible to properly conduct penetration testing?
According to a recent Bloomberg article, gray hats “break into computer networks and digital devices to find holes before the bad guys do”. They are heroes. Take Barnaby Jack for example. He showed how it is possible to hack ATM machines and get them to churn out cash. His insights resulted in banks enhancing their security measures to make sure that criminals could not take advantage of the same security flaws.
Sure it is important to learn defensive strategies to protect systems from attack, but if you really want to beat bad guys at their game, teaching the hacking techniques used by the bad guys is essential. It is vital that gray hats are taught hacking from an offensive perspective as well as a defensive one!
DNS, network security and the feared DDoS attack!
The purpose of the DNS – or the Domain Name System to give it its full title – is to map the domain names that are easy for humans to use and remember onto the IP addresses that network servers actually require. DNS is what allows you to use “Google.com” instead of having to type in or remember “http://22.214.171.124/”. You can consider DNS to be the main directory service of the Internet or the Internet’s phone book.
The Domain Name System (DNS) in Action
When you use a web browser to visit a website, the first thing that must happen is the web browser must contact your current DNS server. It must find out the IP address of the website you are trying to access by using its name. You may run your own DNS server or it can be run by your Internet Service Provider. If you use a router, your router may forward DNS requests to your ISP. A DNS request is not made every time you visit a website. Once a request has been made, your computer will cache the response and will remember the IP address for a limited period of time.
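The caching behaviour just described, as an added example in Python that is not part of the original article: a stub resolver keeps each answer only for the TTL the DNS server attached to it, and asks the configured DNS server again once that time has passed. The upstream lookup is a constructed stand-in (a dictionary of invented records and TTLs) so the code runs offline, and a controllable clock replaces real time so the expiry can be shown without sleeping.

```python
"""A TTL-respecting DNS answer cache, as a stub resolver keeps one.

Added example, not code from the original article. `fake_upstream` is a
constructed stand-in for a query to the configured DNS server; the records
and TTLs in UPSTREAM are invented.
"""
import time
from dataclasses import dataclass

# Constructed "upstream" answers: fully qualified name -> (address, ttl_seconds).
UPSTREAM = {
    "example.com.": ("192.0.2.10", 300),
    "short.example.com.": ("192.0.2.11", 5),
}


@dataclass
class CachedAnswer:
    address: str
    expires_at: float  # clock value after which this entry must not be used


class StubResolver:
    def __init__(self, upstream_lookup, clock=time.monotonic):
        self._upstream = upstream_lookup
        self._clock = clock
        self._cache = {}
        self.upstream_queries = 0  # counts real lookups, to show the cache working

    def resolve(self, name: str) -> str:
        """Return the address for `name`, querying upstream only when no
        cached answer exists or the cached answer's TTL has run out."""
        name = name.lower()
        if not name.endswith("."):
            name += "."  # normalise to a fully qualified name
        now = self._clock()
        entry = self._cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.address  # served from cache, no network traffic
        address, ttl = self._upstream(name)
        self.upstream_queries += 1
        self._cache[name] = CachedAnswer(address, now + ttl)
        return address

    def flush(self) -> None:
        """Drop every cached answer (what a manual cache flush does)."""
        self._cache.clear()


def fake_upstream(name: str):
    """Stand-in for a query to the configured DNS server (constructed)."""
    try:
        return UPSTREAM[name]
    except KeyError:
        raise LookupError(f"NXDOMAIN: {name}") from None


class FakeClock:
    """Controllable clock so TTL expiry can be demonstrated without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


def demo() -> int:
    """Resolve a 5-second-TTL name three times; returns how many reached upstream."""
    clock = FakeClock()
    r = StubResolver(fake_upstream, clock=clock)
    r.resolve("Short.Example.com")   # first lookup: goes upstream
    r.resolve("short.example.com.")  # within TTL: served from cache
    clock.advance(6)                 # the 5 s TTL has now passed
    r.resolve("short.example.com")   # stale: goes upstream again
    return r.upstream_queries


if __name__ == "__main__":
    print("upstream queries made:", demo())
```

Of the three lookups in `demo()` only two reach the DNS server; the middle one is answered from the cache. This is also why a poisoned or malicious answer, once cached, keeps being returned until its TTL expires or the cache is flushed, which is the situation the next paragraphs describe.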
DNS is very useful, but it is also problematic as it can be attacked. A DNS DDoS attack can cause a great deal of damage.
Because DNS servers serve as a phone book, they must be available to anyone with Internet access. This means that hackers can access DNS servers. They can also attack them.
Viruses and malware can change your default DNS server and replace it with a malicious one that directs a visitor to another site. For example, a copy of a site such as Twitter or a bank website could be hosted at a different IP address. A visitor would believe that they are on the legitimate site because that is what the browser address bar tells them. This may throw up a certificate error message, so it is important to pay attention to any invalid certificate warnings: they are an indication that the site is not legitimate.
What are DNS DDoS attacks?
Distributed Denial of Service (DDoS) attacks are part of a hacker’s arsenal and are used often. DDoS attacks can cause a lot of damage, sometimes so severe that hardware may need to be replaced.
A DDoS attack on DNS will start with the hacker attempting to locate a DNS resolver. Once the target’s resolver has been located, the hacker can launch a Distributed Denial of Service attack. That attack can be directed at the resolver itself, or at other systems. In a DDoS attack, the target receives millions of replies from numerous IP addresses around the world; some of those will be real, some will be spoofed.
Oftentimes, the purpose of a DDoS attack is to bring down a website and stop anyone from visiting it. In a DDoS attack, traffic is sent from multiple sources and overwhelms the site. A plain denial-of-service attack is relatively easy to block, as the IP addresses being used can be throttled. A distributed DoS attack is different, because the traffic comes from all over the world. In many cases, IP addresses are spoofed, as an attacker would not want his or her real IP addresses to be revealed.
DDoS attacks are conducted using a botnet, a network of zombie PCs that have been infected by a hacker. Those machines are used to send traffic to the target; the botnet controls them, and the botnet is controlled by the attacker.
Hackers can conduct their DDoS attacks not with the aim of killing a site or web service, but to hide other activity. A DDoS attack requires an IT department’s immediate attention and resources. Staff must prevent software and hardware damage and try to keep the website available. While they fight the DDoS attack, other hackers in the group get to work on other parts of the network. This is why it is vital after suffering a DDoS attack to conduct a full system security check and audit the network. You must determine whether hackers have gained access to your network while you were fighting fires.
The Spamhaus DDoS Attack
A DDoS attack, especially one which sends enormous volumes of traffic, is usually short-lived. However, during the time that the attack takes place it can cause permanent damage. Sometimes extremely large attacks are conducted that can bring down even the best defended systems. Take Spamhaus for example. Unsurprisingly, this anti-spam service is something of a target, what with it being a 34-hour anti-spam operation. It serves billions of DNS requests and has robust defenses, but it is not immune to attack.
In March 2013, Spamhaus suffered an enormous DNS DDoS attack. After one DNS request was received from a spoofed IP address, a reply packet was sent, then more servers started participating in the attack, then more, then more. According to the Spamhaus report on the attack, 30,000 DNS resolvers took part.
It is possible to block specific IP addresses to counter an attack, but when an attack involves so many different IP addresses it is impossible to block them all. Because the range of IP addresses used was so large, it was not possible to throttle packets from the specific IP addresses being used in the attack.
Is It Possible to Prevent a DNS Attack?
To prevent DNS attacks, you must be able to identify malicious DNS traffic. Traffic on port 53, for example, is often just zone transfers syncing slave servers with masters, but the same port can be used by attackers. It is therefore essential to block port 53 zone transfers from any unauthorized slave name server.
If you want to prevent a DNS attack, it is important that you do not run an open resolver that will respond to requests from any Internet address.
- Stop your DNS server from being an open resolver. Restrict in-house recursive servers so that they only answer your own company’s IP subnets. It is essential to keep your resolver private.
- Use DNS response rate limiting when you configure your authoritative DNS servers. Set response rates and limit the number of responses sent to a source address in a given time period. It may be possible to shut down an attack before its full force is felt by your server.
- Throttle DNS traffic by packet type.
- Monitor IP addresses to see which are using the most bandwidth. Your ISP can help you with this.
- Add variability to outgoing requests. This will make it harder for an attacker to get a forged response accepted.
- Overprovision your server: make sure you have sufficient bandwidth to absorb an attack. Since some attacks can exceed 100 Gbps this may not be possible in all cases, but not all attackers have that kind of capacity.
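The response rate limiting and packet-type throttling items above, as an added example that is not from this article or from any DNS server’s own code: a simplified limiter run over constructed query log lines. The log format, window length, budget, slip ratio and per-type weights are assumptions made for the example.

```python
"""Simplified DNS response rate limiting (RRL) over constructed query log lines.

Added example, not taken from the article or from any DNS server's code. It
models what RRL does on an authoritative server: count identical responses sent
to the same client network inside a short window and, once over budget, drop
the response or send it truncated instead of answering in full, so that a
reflection flood aimed at a spoofed victim address is no longer amplified.
The log format, window, limits and weights below are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0        # sliding window length
RESPONSES_PER_WINDOW = 5    # budget per (client network, response identity)
SLIP = 2                    # every SLIP-th suppressed response is sent truncated
QTYPE_WEIGHT = {"ANY": 5, "TXT": 2}   # large answers use more of the budget

# Constructed sample log: "<epoch_seconds> <client_ip> <qname> <qtype>".
# 203.0.113.0/24 plays the spoofed victim network of a reflection flood;
# 198.51.100.20 is an ordinary client asking for a small record.
SAMPLE_LOG = """\
1000.0 203.0.113.7 example.test ANY
1000.1 203.0.113.7 example.test ANY
1000.2 203.0.113.9 example.test ANY
1000.3 203.0.113.9 example.test ANY
1000.3 198.51.100.20 www.example.test A
1000.4 198.51.100.20 www.example.test A
1001.5 203.0.113.7 example.test ANY
"""


class ResponseRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=RESPONSES_PER_WINDOW, slip=SLIP):
        self.window = window
        self.limit = limit
        self.slip = slip
        self._events = defaultdict(deque)    # key -> deque of (timestamp, weight)
        self._suppressed = defaultdict(int)  # key -> number of suppressed responses

    @staticmethod
    def _key(client_ip, qname, qtype):
        # Key on the client /24 (IPv4) or /56 (IPv6) plus the response identity,
        # so a flood of lookalike sources inside one victim network shares a budget.
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), qname.lower(), qtype.upper())

    def decide(self, ts, client_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        key = self._key(client_ip, qname, qtype)
        events = self._events[key]
        while events and ts - events[0][0] >= self.window:   # expire old events
            events.popleft()
        used = sum(weight for _, weight in events)
        weight = QTYPE_WEIGHT.get(qtype.upper(), 1)
        if used + weight <= self.limit:
            events.append((ts, weight))
            return "answer"
        # Over budget. A truncated (TC=1) reply is tiny, so it adds nothing to the
        # flood, yet a real client can retry over TCP, which a spoofed source cannot.
        self._suppressed[key] += 1
        if self.slip and self._suppressed[key] % self.slip == 0:
            return "truncate"
        return "drop"


def apply_rrl(log_text, limiter=None):
    """Run the limiter over log lines; return (decision counts, per-line decisions)."""
    limiter = limiter or ResponseRateLimiter()
    decisions = []
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname, qtype = line.split()
        decision = limiter.decide(float(ts), client_ip, qname, qtype)
        decisions.append(decision)
        counts[decision] += 1
    return counts, decisions


if __name__ == "__main__":
    totals, per_line = apply_rrl(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), per_line):
        print(f"{decision:8s} {line}")
    print(totals)
```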
All companies must make efforts to minimize cybersecurity risk, but for small to medium sized businesses it is critical. The very survival of the business may well depend on it.
Small to medium-sized businesses must minimize cybersecurity risk
The same types of data are stored by SMBs as multi-national corporations; it is just the volume of data that differs. Just because a smaller volume of data is stored, it doesn’t mean that SMBs are not targeted by cybercriminals. In fact, many hackers choose to attack SMBs because the security defenses employed are not nearly so robust.
Large corporations can invest millions in cybersecurity defenses. SMBs do not have nearly so much cash to devote to protecting their networks from attack. They also do not have very much capital to cover the cost of a data breach when it occurs. A large corporation can easily absorb the cost of a data breach. Take Anthem Inc., for example. The health insurance company suffered the largest healthcare data breach ever reported. The breach had started many months previously but was discovered in February of this year.
78.8 million records were obtained by the hackers responsible for the attack. The cost of dealing with that data breach has been estimated to be somewhere in the region of $100 million to $1 billion. No small business could survive such a breach. Of course, Anthem was covered by an insurance policy which should cover the first $100 million. The company also made $17.02 billion profit in 2014. Even if the cost of resolution is $1 billion, it will barely be felt.
In 2010, a study conducted by the Gartner Group indicated that major data breaches resulted in the immediate collapse of 43% of small to medium-sized businesses. Some managed to soldier on for up to 2 years before folding. Only 49% of companies lasted for more than 2 years.
Cyberattacks on SMBs are increasing
There are a number of reasons why SMBs are now being targeted. It is not only a lack of effort made to minimize cybersecurity risk.
- SMBs can’t afford to investigate attacks and find out the identities of the attackers
- They don’t have the budgets to prosecute hackers if they do find them
- Cybersecurity defenses lack the sophistication necessary to thwart many attacks
- Staff training does not tend to be so extensive
- SMBs can’t afford to employ the very best IT security professionals
- SMBs often work as suppliers to large corporations and their networks can serve as a launch pad for an attack on those corporations
The cybersecurity attack on Target is a good example of the latter. An HVAC vendor was attacked with the purpose of gaining access to Target’s network.
It is not all bad news
Most SMBs have the fundamentals right. They have good cybersecurity defenses in place. They just need a little improvement. Fortunately, it does not take much more effort or resources to raise the standard and significantly improve defenses against cyberattacks.
Adopting some simple “best practices” is all that is required to reduce the probability of a cyberattack being successful in many cases. It is possible to minimize cybersecurity risk to the point that the majority of online criminals will give up and search for easier targets.
Best practices to adopt to minimize cybersecurity risk
Listed below are some easy to implement best practices that can help minimize cybersecurity risk and keep networks and sensitive data protected from malicious insiders and outsiders.
Separation of duties
You would not give a cashier a copy of the safe key, or give a purchaser the ability to sign off orders and write checks for suppliers. If you give one individual access to everything, you are exposing your company to an unnecessary amount of risk. That individual may be 100% trustworthy, but if that person is targeted by a spear phishing campaign, and they have access to all computer systems, should that attack prove successful everything could be lost.
Administrative privileges should be limited. Split passwords so that an IT support worker enters half of a password, with the remaining half entered by his or her manager.
The rule of least privilege
Access to systems and data should be restricted to the minimum necessary to allow a job to be performed. Rather than give full control to one person, separate duties between staff members and you will minimize network and cybersecurity risk.
Do not allow multiple staff members to have access to systems that they don’t really need access to. If you operate two shifts, restrict access to data systems to two members of staff, one for each shift. One or two supervisors can also be given access on the same basis.
Due Diligence and Due Care
A minimum level of protection should be maintained at all times, and the level of due care must meet industry regulations. A program of maintenance must exist to ensure that due care is supported. This is referred to as due diligence. You must ensure that a system exists to monitor for any abuse of privileges or data access rights, and the opportunity for individuals to commit fraud or steal data must be kept to a minimum level.
Implement physical controls to protect equipment used to store data
All equipment used to store sensitive data must be kept under lock and key. Data backups must be secured, and since they are stored offsite, they should be encrypted.
Perform background checks on all members of staff
Any organization that fails to conduct a background check on a new member of staff before providing access to sensitive data could be classed as negligent. You can’t tell just by looking and asking whether a new recruit has a criminal record.
Cross-train staff so they are capable of performing a number of different duties. This will allow you to provide cover in the event of absence from work. If you then rotate duties, it is easier to identify employee theft and insider attacks, because employees can audit each other’s work.
Maintain access logs
If you do not monitor data access attempts, you will not be able to tell if a member of staff is trying to steal data. Make sure a data trail is left to allow you to determine when employees are accessing data. Make sure the logs are checked frequently and always follow up on any discrepancies discovered.
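The two-shift access model and the split-approval idea from the separation-of-duties section above, turned into a log review routine: an added example that is not from the article. The log format, shift table, supervisor list and hourly threshold are assumptions made for the example.

```python
"""Access-log review for the shift-based, least-privilege access model above.

Added example, not the article's own code. It reads constructed log lines of
the form "<YYYY-MM-DD> <HH:MM> <user> <action> <record_id>" and flags the
discrepancies the article says should be followed up: access outside a user's
shift, accounts with no assigned duties, exports with no supervisor approval,
and volumes well above a normal hourly workload. The shift table, supervisor
list, threshold and log format are all assumptions.
"""
from collections import Counter
from datetime import datetime

# Two shifts with one operator each, plus a supervisor on the day shift.
SHIFTS = {            # user -> (start_hour, end_hour), end exclusive, 24h clock
    "alice": (6, 14),
    "bob": (14, 22),
    "carol": (6, 14),
}
SUPERVISORS = {"carol"}     # may APPROVE an EXPORT performed by someone else
MAX_RECORDS_PER_HOUR = 20   # assumed ceiling for a normal hour of work

# Constructed log: normal day-shift work, one approved export, one off-shift
# unapproved export, an unknown account, and a burst of reads by the supervisor.
SAMPLE_LOG = "\n".join([
    "2015-06-29 07:05 alice READ 1001",
    "2015-06-29 07:30 alice EXPORT 1001",
    "2015-06-29 07:31 carol APPROVE 1001",
    "2015-06-29 15:10 bob READ 2001",
    "2015-06-29 23:40 bob EXPORT 2002",
    "2015-06-29 09:00 dave READ 3001",
] + [f"2015-06-29 10:{m:02d} carol READ {4000 + m}" for m in range(25)]) + "\n"


def parse(line):
    """Parse one log line into (datetime, user, action, record_id)."""
    date, time, user, action, record = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), user, action, record


def in_shift(user, when):
    start, end = SHIFTS[user]
    return start <= when.hour < end


def review(log_text):
    """Return a list of (finding_kind, user, detail) tuples for follow-up."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    findings = []
    per_hour = Counter()
    # Dual control: an EXPORT counts as approved only if a supervisor logged an
    # APPROVE for the same record (a stricter check would also bound the delay).
    approved = {record for _, user, action, record in events
                if action == "APPROVE" and user in SUPERVISORS}
    for when, user, action, record in events:
        stamp = f"{when:%Y-%m-%d %H:%M} {action} {record}"
        if user not in SHIFTS:
            findings.append(("unknown_user", user, stamp))
            continue
        if not in_shift(user, when):
            findings.append(("off_shift", user, stamp))
        if action == "EXPORT" and record not in approved:
            findings.append(("no_approval", user, stamp))
        per_hour[(user, f"{when:%Y-%m-%d %H}")] += 1
    for (user, hour), count in sorted(per_hour.items()):
        if count > MAX_RECORDS_PER_HOUR:
            findings.append(("volume", user, f"{count} records in hour {hour}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:13s} {user:6s} {detail}")
```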
If you follow these best practices, you should be able to minimize cybersecurity risk effectively. You may not be able to prevent all cyberattacks, but if one does occur, you will at least be able to identify it rapidly and minimize the damage caused.
Last week, a zero-day vulnerability in Adobe Flash Player was patched. Users of the multimedia player can now run the software safely, without facing a risk of having their devices compromised by a new Adobe Flash exploit, provided the patch has been installed.
Adobe Flash exploit being used to drop ransomware on unpatched devices
Any computer with Flash set to run automatically is at risk if the latest version of the software – Version 126.96.36.199 – has not been installed. Since the latest version of the software was released on June 23, the Adobe Flash exploit has been found in the wild. Hackers are using the Magnitude exploit kit to drop Cryptowall ransomware on unpatched computers. It took only four days since the release of the Adobe patch for an exploit to be packed into Magnitude.
The latest version of Flash Player has been released to deal with the vulnerability known as CVE-2015-3133. This vulnerability allows hackers to remotely execute code to take advantage of a bug in the software. The Adobe Flash exploit is being used to automatically drop ransomware on unpatched devices.
The vulnerability is also being exploited by at least one hacking group. APT3, a hacking group based in China, has already devised a phishing email campaign to take advantage of the Flash vulnerability. The vulnerability has been known since the start of June, and hackers were quick to exploit it. It took Adobe three weeks to develop the patch, during which time all users of the software – which is most people using the Windows operating system – have been at risk of attack.
When computers are infected, APT3 is moving infections laterally to compromise multiple hosts. Furthermore, backdoors are being installed so that even when the malware is identified and removed, access to networks is still possible.
APT3 is well known for exploiting zero-day vulnerabilities and is using the current phishing campaign to target companies in specific industry sectors. Their current targets are in the aerospace, construction, defense, engineering, and the telecommunications industries.
There is a serious risk of malware infection from phishing emails, malicious website adverts, and malicious links on social media websites. Those links send traffic to websites containing the Magnitude exploit kit. If anyone visits a website hosting the exploit kit, ransomware and other malware can be installed automatically if the latest version of Adobe Flash Player has not been installed.
Attackers are targeting users of Windows 7 (and below) via Internet Explorer and users of Firefox on computers running on Windows XP.
Fortunately, installation of the latest version of the software will prevent the Adobe Flash exploit from being used to drop Cryptowall malware. The current version of the malware, Cryptowall 3.0, requires infected users to pay a ransom of $300 to decrypt their files. System administrators have spent the past week ensuring all devices are updated with the latest version of the software.
Are you at risk from the Adobe Flash exploit? Have you managed to install v188.8.131.52 on all your networked computers?
Regardless of the size of your company, or what type of TCP/IP setup you have, a hardware firewall is essential. It is one of the most fundamental network security elements. It provides basic protection and is capable of preventing many attacks on your network from being successful. It is therefore essential that you have the best firewall security zone segmentation setup.
What is the best firewall security zone segmentation setup?
Today, networks typically extend outside of the firewall perimeter, but that said, they do tend to have a well-defined structure. Your network should therefore have:
- An internal network zone
- An untrusted external network
- One or more intermediate security zones
Each of your intermediate security zones – commonly Layer 3 network subnets with multiple workstations and/or servers – should contain systems that can be protected in a similar fashion: groups of servers that have similar requirements. They can be protected by a firewall at the application level or, more typically, at the port and IP level.
Perimeter firewall security zone segmentation
Unfortunately, the perimeter network topology that is best for you may differ considerably from the one that you used for your previous company. Your current network will naturally be different and have its own requirements and different functions. Your perimeter security zone segmentation will have to therefore be set up to match the unique needs of your business. That said, there are a number of best practices to follow when devising your network perimeter.
To help explain a typical network perimeter, we have illustrated it in the diagram below. Your network may differ, but the illustration shows a typical setup used by many enterprises. You may use two firewalls, or only have one DMZ (demilitarized zone). The red arrows show the traffic direction permitted by the firewall.
Security zone segmentation: Setting up your DMZ (Demilitarized Zones)
Your equipment and sections of your network that will be most susceptible to attack will be the parts that face the public and are connected to the internet. These will include your web servers, email servers, and DNS for example. If an attack on your network is attempted, this is where it is most likely to occur. It is therefore important to be able to minimize the potential for damage if one of those attacks is successful and one or more of your servers is compromised.
To do this, it is important to set up a DMZ, or demilitarized zone. A DMZ is basically an isolated Layer 3 subnet. In our example we have included two, as this setup offers the best protection for our internal zone. In your case one may be appropriate, or three or four, depending on the size of your network, number of servers, etc.
You will need at least one public-facing server that is accessible via the Internet. Traffic flow must be restricted for security, so it should only be possible for traffic to go from the Internet to your DMZ1. It is also essential that you only have the necessary TCP/UDP ports open; all others must be closed. Your DMZ1 should host your DNS, proxy server, email server, and web server.
For the best protection, you should never have your databases located on the same hardware as your web server. Databases are likely to need to be accessed via your web server, but they should be set up in a different DMZ. In this example, we have set up DMZ2, where we have placed the application servers and database servers. You can see from the red traffic arrows that these servers can be accessed directly from the internal zone, and also from DMZ1. They can therefore be accessed from the Internet, but only indirectly via DMZ1.
It is also important to have your web application server and a front end web server located in different DMZs.
Using the above setup, if one server is compromised, say one of your application servers in DMZ2 via DMZ1, the attacker will not be able to access your internal zone.
You should configure your firewall to allow traffic between your two DMZs, but only on specific ports. Traffic between your internal zone and your DMZ2 is possible, but it should be limited; it may be necessary for performing data backups or for accessing an internal management server, for example.
Your internal security zone
Located in the internal security zone will be your end user workstations, your file servers, and other critical internal servers. You will also have internal databases located in the internal zone, Active Directory servers, and many business applications.
It is essential that there is no direct access from the Internet to your internal security zone. Any user requiring Internet access must not be permitted to access the Internet directly. Internet access must only be possible via a proxy server, which should be located in DMZ1.
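The Internet / DMZ1 / DMZ2 / internal layout described above, written down as policy as code so that a proposed firewall change can be checked against it and the hop-by-hop exposure of a compromised host can be computed. This is an added example, not the article’s own code; the port numbers, the proxy listener and the rule format are assumptions for a typical deployment.

```python
"""Security zone segmentation policy as code.

Added example, not the article's own code, modelling the Internet / DMZ1 /
DMZ2 / internal layout described above. Ports, the proxy listener and the
rule format are assumptions for a typical deployment, not values from the article.
"""
from collections import deque

INTERNET, DMZ1, DMZ2, INTERNAL = "internet", "dmz1", "dmz2", "internal"

# Permitted flows between zones: (src_zone, dst_zone) -> {(proto, dport), ...}.
# Anything not listed is denied, so there is no Internet -> internal entry,
# no Internet -> DMZ2 entry, and no DMZ -> internal entry.
POLICY = {
    # Only the public-facing DMZ1 services are reachable from the Internet.
    (INTERNET, DMZ1): {("udp", 53), ("tcp", 53), ("tcp", 25), ("tcp", 80), ("tcp", 443)},
    # Front-end web tier in DMZ1 talks to the application/database tier in DMZ2.
    (DMZ1, DMZ2): {("tcp", 8443), ("tcp", 5432)},   # assumed app and PostgreSQL ports
    # Internal users reach the Internet only through the DMZ1 proxy.
    (INTERNAL, DMZ1): {("tcp", 3128)},               # assumed proxy listener
    # Internal -> DMZ2 is limited to management and backup traffic.
    (INTERNAL, DMZ2): {("tcp", 22), ("tcp", 5432)},  # assumed SSH management, DB backup
}


def is_permitted(src, dst, proto, dport):
    """True if the policy allows traffic from src zone to dst zone on proto/dport."""
    return (proto.lower(), int(dport)) in POLICY.get((src, dst), set())


def reachable_zones(start):
    """Zones reachable from `start` by chaining permitted flows, on any port.

    This is the hop-by-hop exposure of a compromised host: a foothold gained
    from the Internet can pivot DMZ1 -> DMZ2 but has no path into INTERNAL.
    """
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for (src, dst), ports in POLICY.items():
            if src == zone and ports and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def lint_rules(rules):
    """Check proposed firewall rules against POLICY.

    Each rule is a dict with src, dst, proto, dport ("any" or an int) and action.
    Returns [(rule_index, problem)] for allow rules that open a forbidden flow.
    """
    problems = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        flow = f"{rule['src']}->{rule['dst']}"
        if rule["dport"] == "any":
            problems.append((i, f"{flow} opened on all ports; policy is port-scoped"))
        elif not is_permitted(rule["src"], rule["dst"], rule["proto"], rule["dport"]):
            problems.append((i, f"{flow} {rule['proto']}/{rule['dport']} is not in the policy"))
    return problems


# Constructed ruleset a firewall change request might contain.
CANDIDATE_RULES = [
    {"src": INTERNET, "dst": DMZ1, "proto": "tcp", "dport": 443, "action": "allow"},
    {"src": INTERNET, "dst": DMZ2, "proto": "tcp", "dport": 5432, "action": "allow"},    # bypasses DMZ1
    {"src": INTERNET, "dst": INTERNAL, "proto": "tcp", "dport": 3389, "action": "allow"},  # never
    {"src": DMZ1, "dst": DMZ2, "proto": "tcp", "dport": "any", "action": "allow"},        # too broad
    {"src": INTERNAL, "dst": DMZ1, "proto": "tcp", "dport": 3128, "action": "allow"},
    {"src": INTERNET, "dst": INTERNAL, "proto": "tcp", "dport": 22, "action": "deny"},
]

if __name__ == "__main__":
    print("reachable from the Internet:", sorted(reachable_zones(INTERNET)))
    for index, problem in lint_rules(CANDIDATE_RULES):
        print(f"rule {index}: {problem}")
```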
It is essential to have security zone segmentation, although the setup you choose must reflect your business requirements. Our example of a typical security zone segmentation setup is ideal for the enterprise environment. Use this and it should ensure you have solid network security.
Even IT security professionals are guilty of developing bad habits and making some of the common security assumptions that place data at risk. There is now a legion of cybercriminals ready to take advantage of security vulnerabilities that have been allowed to develop. If you don’t correct bad security habits, there are criminals ready to take advantage.
Protecting company assets from cyberattacks used to be a fairly straightforward process. Many attackers were opportunistic and amateurish. They would hunt for companies or individuals with little to no security, and would take advantage. Spam emails would be sent out in the millions in the hope that some individuals would respond. Those emails were not even run through a spell check. They were easy to identify.
Today, the situation is very different. Sure, there are still many amateurs out there, but today’s cybercriminal is a different beast entirely. The men, women, and even children who are conducting attacks are organized, highly motivated, and they possess a wide range of skills. They are professional and their job is to make money online. They do that by taking it off of other people.
The attack surface is now broader than ever before and the threat landscape is constantly changing. Keeping data safe is no longer easy.
How is it possible to defend data with a constantly changing threat landscape?
It is difficult to keep networks and data secure, but it is far from impossible. It is essential not to make some of the common security assumptions that leave data unprotected, and to take a step by step approach and ensure that all Internet connected devices are secured.
Virtually everyone now has at least one Internet-connected device. Many people have several. With Internet-connected devices being so common and an essential part of daily life, one would think that we have all become quite good at ensuring those devices are secure. Unfortunately, that is far from being the case.
Furthermore, there are now so many data security threats that it is virtually impossible to keep track of them all. We now need to watch out for viruses, malware, spyware, rootkits, and ransomware. Then there are denial-of-service attacks to prevent. Cyberterrorists want to delete and corrupt data and take businesses down. Scammers are using social engineering techniques to obtain login credentials. Even your ex may be uploading and sharing compromising photographs of you online. The digital threats now faced by everyone are considerable. For sys admins it is even worse. So how is it possible to protect against all of these threats?
The best place to start is by determining what needs to be protected. There are many threats, but what is it that attackers all want? The answer to that is data. They may want to steal it, share it, corrupt it or delete it, but regardless of their intention, the worry is data. To protect data, you must know what data you have and where they are stored.
To protect your assets, you must first define your assets!
The first step to take if you want to protect data is to determine what data cybercriminals would like to obtain. This may seem obvious. Criminals want your bank account password and login name and your credit card numbers. However, that is not all they are after. One of the most common security assumptions is thieves are only after financial information. In fact, more money can be obtained from other data.
Assets you must protect
Cybercriminals want more than just your banking information. They would love to steal…
- Social Security numbers
- Government ID numbers
- Passport details
- Medical records
- Insurance IDs and provider names
- Financial records
- Credit card numbers
- Health insurance payment histories
- Online passwords
- Email addresses and passwords
- Personal data such as dates of birth, genders, ages, addresses, & telephone numbers
- Employment histories and employer names
- Information that allows security questions to be guessed
- Education histories
- Business plans
- Legal documents
- Trade secrets
Many common security assumptions lead to data theft and financial loss
Once you have identified all the data that need to be protected, you must determine where those data are located. Where is information stored, and who has been given access? You must also forget a lot of the common security assumptions that many people are guilty of making. Common security assumptions invariably leave data exposed. What are these common security assumptions? One of the biggest is that the people that are trusted to secure data are putting all of the necessary safeguards in place to make sure information is secured. That is not necessarily the case.
If you want to keep your data secure, you need to develop some good habits and stop all the bad ones.
Bad security habits to eradicate
- Not being aware what data you have
- Not being aware where data are saved
- Being unaware of your bad habits
- Leaving data security to others
- Storing data in multiple locations when it is not necessary
- Sharing passwords with friends, family members, or work colleagues
- Reusing passwords across multiple online accounts
- Using passwords that are easy to guess
- Believing most of the stuff you read on the internet or receive in an email
- Trusting an email because it has been sent from someone you trust
- Writing your login credentials down so you can remember them
- Installing apps and software without checking authenticity
- Giving out too much information about yourself online
- Oversharing personal information on social media websites
Good security habits to develop
- Using secure passwords containing letters, numbers, upper and lower case characters and special characters
- Changing passwords at least every three months
- Using a different password for each online service
- Keeping your password totally private and not even sharing it with your partner
- Keeping abreast of the latest data security news
- Setting software to update automatically
- Checking for security patches and software updates on a daily or weekly basis
- Not storing your passwords in your browser database
- Locking your devices (phone, tablet, desktop, laptop) with a security mechanism
- Encrypting your communications
- Not always answering truthfully when asked about your personal information online
- Using a web filtering solution to block malicious websites
- Stopping and thinking before taking any action online
- Assuming that all email attachments are malware until you determine otherwise
- Using powerful anti-spam, anti-malware, and anti-virus software on all devices
- Ensuring devices do not automatically connect to open Wi-Fi networks
- Not installing any software on work computers unless authorized to do so by your IT department
Develop good habits, stop making common security assumptions, and eradicate your bad habits and you will be much less likely to become a victim of a cyberattack!
Unfortunately, common business network security myths have led many small to medium sized business owners to believe they are well protected against hackers, malicious insiders, and online criminals. They perceive their network to be secure, but that confidence may be misplaced.
Sure, they know they are not impervious to attack but, on balance, confidence in their ability to prevent a cyberattack is high. Even if an attack is suffered, they think they will be able to identify it quickly enough in order to protect their data. However, the reality is that confidence is often based on some widespread business network security myths. The reality is many businesses are wide open to attack.
Common business network security myths that need busting
Some of the commonest business network security myths are listed below. Make sure that all of your IT staff are aware of the following misconceptions. Expel these business network security myths and you will be able to gain a much better understanding of how well your business, and its data, are actually protected:
It is easy to avoid phishing campaigns
That may have been true a few years ago. It used to be easy to spot a phishing or scam email. However, the situation has now changed. Phishing schemes have become much more sophisticated and it can be very difficult to identify scam emails, certainly for the majority of employees. Many of the major security breaches suffered over the past few years have started with a member of staff responding to a phishing campaign. The massive data breach at Target is a good example. Hackers gained access to Target via an HVAC company used by the retailer. Malware was installed on that company’s network, and the attack on Target was launched from there.
I trust my employees not to expose data or infect my network
Your employees may not knowingly compromise your network or reveal sensitive company information but, due to the high phishing risk, they may do so inadvertently. Even after training employees to be more security aware, they can still accidentally fall for a scam and install malware on your network.
That is not the only problem. Your loyal and trusted employees may not turn out to be quite so loyal when they leave for another job. The Wall Street Journal recently conducted a data security survey, and half of employees admitted to taking confidential company data with them when they left their employment.
My business is too small to be targeted by cybercriminals
Cybercriminals want to gain access to as much data as possible. They want to infect as many computers with malware as possible and build bigger botnets. They also want to sabotage companies that they feel are doing harm, or acting irresponsibly. That means larger corporations are targeted. They have more data, they have more computers, and they tend to cause the most offense – by damaging the environment or making obscene profits, for example. They are also more of a challenge, and many hackers see that as reason enough to try to break through their defenses.
However, don’t think that as a smaller business you are a smaller target. Your defenses will probably be inferior to a multi-national corporation, and criminals like the path of least resistance. Your data is likely to be just as valuable as data held by a larger corporation. You just store a smaller volume of it. Small businesses are being targeted and there is actually a high risk of attack. As was the case with the Target data breach, a small company was targeted first and was used to attack the retailer.
If a cyberattack is suffered, you may not be able to cope with the aftermath. Data suggest that two thirds of small companies end up going out of business within 6 months of suffering a cyberattack.
I have not been hacked, so my security protections are sufficient
How sure are you that you have not been hacked? Many companies do not discover their systems have been compromised for months or even years after an attack has taken place. Take the eBay data breach for example. The massive online marketplace was first attacked in February and it took 3 months for the company, with all of its IT security resources, to determine that data had been stolen.
Network security protections are expensive
If you want the best protection for your company, you do not have to necessarily spend a small fortune, or a large one for that matter. There are many cost-effective protections you can put in place to protect your network from attack. In fact, it is probably not necessary for you to implement advanced threat analytics, but you should use email and web security solutions to protect against phishing attacks.
Weigh up the cost of implementing these software solutions against the cost of suffering a data breach. According to the Ponemon Institute, the average cost per record exposed in a cyberattack is $246. Multiply that by the total number of customer records you have and that will give you an idea of the likely cost of resolution. Unfortunately, small businesses tend to pay much higher costs per exposed record because they lack the economies of scale of larger firms. Ponemon has also calculated that the chance of suffering a data breach over a two-year period is 22%.
Dispel these common business network security myths and you will be taking five steps toward a more secure network, and will actually be much better protected than you currently believe you are.
The Internet of Things, or IoT, offers a lot of potential, but unfortunately these Internet-connected devices also introduce a considerable amount of risk. The term Internet of Things covers any device that connects to the Internet, which includes a wide range of equipment covered by your BYOD policies, as well as a substantial number of devices that probably are not.
IoT includes devices such as traffic lights, GPS units used for cycling or walking, weather monitoring equipment, cars, some new refrigerators and washing machines, and activity trackers: an incredibly wide range of devices. So many electronic devices with Internet connectivity have been developed today that the mind boggles.
What’s your Point?
Any device that connects to the Internet and remains connected to the Internet for a long period of time is likely to attract the attention of hackers. They will use various tools to probe those devices. Their aim is to identify potential vulnerabilities that can be exploited. Once those vulnerabilities are located, they will be subjected to attacks, whether by brute force or by a skilled hand. Hackers will attempt to shut devices down (just because they can) or take them over with malicious intent. This will happen. This is not conjecture.
Will an electronic, Internet-connected billboard be hacked? Sure! Someone somewhere will have a humorous message they would like to display. Will someone hack a medical device such as a drug pump and change the dose of morphine that is administered to a patient? Certainly. It has already happened on at least two reported occasions. Both times were by the patients themselves. (it was very easy BTW, they got the instructions from the Internet and upped their own morphine doses!).
If it is possible to hack a device, someone will. It is just a matter of time.
Why not just make sure that all products are secure?
In an ideal world, no Internet-connected device would come to market unless it was first made secure. However, this is not an ideal world. In fact, judging by the apparent ease with which hackers can compromise desktops, Smartphones, tablets, and servers, IoT devices shouldn’t pose too many problems. To make matters worse, the developers of these devices often don’t have any idea about the security of their devices. Their aim is to get a useful Internet-connected device on the market, not to prevent it from being hacked.
Many manufacturers have the budgets to develop appropriate security. The problem is that they do not develop it. Don’t get me wrong, this is not always about them cutting corners. Oftentimes they just have no idea about how hackers will be able to take advantage of their devices or why they would choose to do so.
Unfortunately, devices are coming to market faster than it is possible to perform full security testing. Many of those devices are connected to Smartphones, tablets and laptops, from where they can be accessed and controlled. If it is possible to gain access to the equipment remotely, would it be possible to use the IoT device to gain access to the device that is used to control or monitor it? It is a distinct possibility!
How about the apps that are downloaded to control those devices? Could they be hacked? Could malicious apps for controlling a Samsung washing machine find their way into the Google Play Store? How about an app for a device that is part of the critical infrastructure?
The Danger of IoT and BYOD
Many organizations have wholeheartedly implemented a BYOD policy and are now allowing the Smartphones, tablets, and laptops of employees to be used at work. There are numerous advantages to doing this of course. The technology can be leveraged to give the employer benefits that would otherwise be unaffordable to introduce. Employees want to use their own devices at work and are often much more productive as a result. The problem, however, is that the security risk these devices introduce, or have the potential to introduce, is considerable. Any Internet-enabled device that is allowed to connect to a corporate network could potentially be used by a hacker to launch an attack.
To tackle the security threat, a good BYOD strategy must be employed to control use of the devices. Employees must be told what they can and can’t do. Unfortunately, it doesn’t matter what you tell your employees. Some will go against company policies because it’s their device and they believe they can do what they want with it.
It is essential to perform training on security. Employees who are allowed to bring their own devices to work must have it spelled out, very clearly, what the risks are and why controls are put in place. They must be made to understand that the risk from the devices is very real, and policies exist for a very good reason. If they are unwilling to abide by the rules, they should not be permitted to use their devices at work.
A good BYOD strategy?
However, even by adopting a good BYOD strategy, you will allow the traditional security perimeter to be extended to include employees’ homes. Regardless of the controls that are used and the level of training provided, the risk that is introduced could be considerable. Employers should therefore think very carefully about the devices they allow to connect to their network. A good BYOD strategy may in fact be to prevent any BYOD devices from connecting to the network at all!
The financial sector is reeling from one of the most sophisticated cyberattacks ever seen. The APT-style Carbanak malware attack differs from other APT attacks, as the attackers are not after data. They want cold hard cash and they are getting it. Carbanak has been used to steal funds to the tune of around $500 million. Or up to $1 billion, depending on who you speak to!
The malware, discovered by Kaspersky Lab, uses sophisticated methods for obfuscation so it is hard to identify once it is installed. There isn’t much good news about Carbanak, but one chink in the armor is the method used to get malware installed. That is far from sophisticated. In fact, it is rather simple. Cybercriminals are getting bank employees to install it for them.
Banks that have suffered Carbanak attacks have been lax with security. They have not instructed their employees how to identify bank phishing scams, and they have not been performing scans for malware. It may be hard to detect, but it is important to actually scan a network for malware periodically! Consequently, banks have not detected breaches until a long time after they have occurred.
One of the most sophisticated bank phishing scams is easy to avoid
Carbanak malware is delivered via email. The phishing emails have been sent to large numbers of bank employees, and many have clicked on the malicious links included in the emails. By doing so they inadvertently loaded the malware onto the banks’ administrative computers. Once installed, Carbanak happily collects information and sends it to the criminals’ command and control servers.
The malware logs keystrokes and searches for security vulnerabilities in the network. The data collected is used to make bank transfers to the criminals’ accounts, although the data that is obtained could be used for a number of different crimes. Some security experts estimate that the criminals behind the campaign have managed to steal over $1 billion so far. The bad news, and there is a lot of it, is that they are still continuing to obtain funds. As bank phishing scams go, this is one of the costliest.
Bank phishing scams account for a fifth of all phishing campaigns
There is a considerable amount of disagreement within the security community about the level of sophistication of Carbanak. But that is really beside the point. The malware is installed on computers and remains there undetected for a long time. It is used to obtain huge amounts of money. It doesn’t really matter how sophisticated the malware is.
What is more important is the lack of sophistication of the initial attack. Bank phishing scams are not that difficult to prevent, and this is no different. Bank employees just need to know how to identify phishing emails. Bank phishing scams account for a fifth of all phishing campaigns so to prevent them it is vital that employees receive training to help them identify the scam emails.
It is also essential that, after training has been provided, it is followed up with phishing email exercises to test employees’ knowledge. Can they actually identify a phishing email, or were they not paying attention during training? Don’t leave that to chance, as it could prove costly!
Bank phishing emails are very convincing
The criminals behind bank phishing scams have spent a long time crafting very credible emails. The emails need to be realistic, as bank employees would not open an attachment in order to find out about a $1,000,000 inheritance they have received from an unknown Saudi relative (some do!). Cybercriminals are now developing very convincing emails, and are even running them through a spelling and grammar check these days.
Bank phishing emails provide a legitimate reason for taking a particular action. Typically, the reason is to:
- Verify account details to prevent fraud
- Upgrade security software to keep systems secure
- Perform essential system maintenance
- Take action to protect customers from fraud
- Perform identity verification to allow a refund to be processed
- Verify identity to allow packages to be delivered by couriers
The aim of most bank phishing scams is to get users to click on a link to a website that will download malware onto their computer, or to get them to open an email attachment (zip file) that contains malware, or to install malware in the belief they are opening a PDF or word file.
The Three Main Types of Bank Phishing Scams
Bank phishing scams can be highly varied, but generally fall into one of three main categories:
Opportunistic attacks
Opportunistic attacks are the most common types of phishing attacks and they tend to be the easiest to identify. Millions of spam emails are sent containing malicious links or attachments in the hope that some individuals will install the malware they contain or link to. This type of phishing campaign is often used to deliver ransomware. Criminals often use links to websites containing common exploit kits to download malware onto machines.
Zero-day attacks
A zero-day attack is one that exploits a known security vulnerability that has not yet been patched. Researchers are discovering new security vulnerabilities on a daily basis, but it takes time for software developers to issue patches to protect users. It takes more skill to conduct this sort of campaign as the hacker must develop a way of exploiting a vulnerability. However, the same shotgun approach is used to deliver the malware that exploits the vulnerability. The favored delivery method is mass spam email.
APT (Advanced Persistent Threat)
The third type of phishing attack is the one that was used for Carbanak. This type of phishing campaign also exploits zero-day vulnerabilities, but in contrast to ransomware that acts fast and makes the presence of the malware infection abundantly clear, APT attacks remain hidden for a long period of time. They are stealthy and their aim is to steal data. That said, in the case of Carbanak the attack was used to steal money.
These attacks tend to be targeted. Banks, financial institutions, healthcare organizations, and government departments are all targeted using this type of phishing campaign. Malware is not sent using mass spam emails; instead, the targets are typically researched and spear phishing emails are sent.
How to defend against these targeted bank phishing scams
Carbanak has been used for bank phishing scams for close to two years now so it is nothing new. What is peculiar about the campaign is it uses tactics that are more commonly seen in state-sponsored attacks for spying on governments and those used by cyberterrorists. The attack on Sony, for instance, started with a phishing email of this ilk.
Unfortunately, while the first two types of phishing emails are relatively easy to block with anti-spam solutions and phishing email filters, it is much harder to block APT spear phishing emails. They tend not to contain links to known malware sites, and are often sent from email accounts that have already been compromised. They also contain links to legitimate websites that have been infected with malware. They can be hard to identify and block.
There are steps that can be taken to reduce the risk of an attack being successful. It is essential to provide staff members with training to help them identify phishing emails. Employees must be aware of the common signs to look for and must be told to be extremely cautious with emails. Email attachments are a potential danger, but do employees know the danger of clicking links? Make sure they do!
Training exercises have been shown to be highly beneficial. The more times employees are tested on their phishing email identification skills, the better they become at identifying email scams.
It is also essential to ensure that patches are installed as soon as they are released. Zero-day attacks will take place until the security vulnerabilities are addressed. This applies to the likes of Adobe Flash, Microsoft products, and any software application.
Patches are issued frequently, so it can be almost overwhelming to keep on top of them all, but that is what is needed.
Perform regular training – and conduct refresher courses – and make sure regular security audits of the entire network infrastructure take place. It all takes time, effort, and involves a considerable cost. That said, the cost will be considerably lower than the cost of dealing with a Carbanak malware attack.
Use these measures to increase system security
Measures to increase system security not only reduce the possibility of your system being hacked but, should a hacker gain access despite your best efforts, limit the amount of damage he or she can do.
In-depth measures to increase system security – like the measures we will be discussing in this article – prevent hackers who have penetrated your firewall from running amok throughout your network and compromising device after device.
The border device is the first line of defense
The first of the measures to increase system security you should implement concerns your border device. This will either be a router or a firewall, and you can use access lists to block unwanted inbound traffic.
Depending on your network design, find out if your network should be getting routing updates from Interior Gateway Routing Protocols such as OSPF, RIP and EIGRP.
You should also review routing updates on the MPLS and BGP protocols, bearing in mind that if you do not need these protocols you should disable them, as routing updates can consume a load of bandwidth.
Block all requests that might originate from a private network. These would naturally include 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8, but don’t forget about:
One of the best measures to increase system security is a DMZ. DMZs add an additional layer of security to a local area network (LAN) and can be used to create a “border within a border”. You can install a firewall between devices that exchange data with the outside world (web servers, mail servers etc.) and protect the rest of your network behind a DMZ to prevent attacks from hackers, malware, viruses and Trojans.
The advantage of firewalls is that most traffic to the rest of your network is blocked by default. They are relatively easy to install and, although inconvenient for administrators that like to ping to check connectivity, are great for security. On the other hand, servers, routers, and switches tend to require a significant amount of configuration to toughen up your defenses.
One thing you can do to reduce the amount of work required is take advantage of any automated measures to increase system security provided by the manufacturer. These can restrict access from private and public IP addresses, shut down interfaces that are not required and disable unneeded services.
Special consideration should be paid to authentication servers and IPS/IDS devices. Depending on your organization’s preferences for service availability and security, these can either be set to “fail-open” – in which case all traffic is permitted if the device fails – or “fail-close” where, if the device fails, all connectivity is broken.
A special word about router security
Although routers come with built-in IPS/IDS modules and firewall software, the access control list (ACL) is one of the most powerful tools at your disposal to enhance your network security. ACLs allow you to configure individual interfaces according to your specific traffic and data needs. Here are just a few of the measures to increase system security you can take using ACLs:
Switch and port security
Some switches and servers offer private VLANs that limit traffic between devices even more. Whenever possible they should be used to create different networks for management and data traffic. However, make sure your switch ports are configured with STP extensions to support BPDU guard. This allows authorized users to attach home routers and switches to the network.
Effective port security protects against eavesdropping and similar attacks. If your organization requires a high security environment, it is possible to configure a port to only accept MAC address connections. The issue with this level of security is that it restricts BYOD policies and makes hardware upgrades and office moves significantly more complicated.
In-depth measures provide higher security levels
The above measures to increase system security go deep into the heart of your system to deliver defense in depth. It is important to go beyond border security to ensure the integrity of your network and many of these measures can be changed as necessary as technology and organizational requirements evolve.
Attacked by phishers? This is what you need to know
The last thing most website administrators want to hear is that they have to deal with a website phishing attack. No website is immune from phishing attacks and sometimes, no matter what measures you put in place to prevent such a scenario, your website can be compromised – with the subsequent loss of reputation and probable decline in search engine positioning.
The knee-jerk reaction of some administrators is to deal with a website phishing attack by immediately removing the compromising files and resetting passwords. However, by taking a little extra time to gather all the information about the uploaded content, administrators can ensure they find all the website’s vulnerabilities and completely clear the website of any further phishing content that may be dormant in their system.
This guide on how to deal with a website phishing attack discusses how to gather the information you need to clear your site of phishing content, what to do with the compromised files once you have found them and how best to prevent the risk of further phishing attacks in the future. We recommend that, if necessary, you engage professional help to accelerate the cleaning process in order that your website can be restored as quickly as possible, removed from any website blacklist and recover its position in the search engines.
Before you do anything else, back up your system.
Location, Location, Location
The first step of how to deal with a website phishing attack is finding the location of the phishing content. Often you will have been provided with a report about specific files by your hosting provider, but sometimes the information provided for you is limited. Security experts we have spoken to recommend Sucuri Sitecheck (https://sitecheck.sucuri.net/) to identify the location of the phishing content.
It is important not to make any changes to directories or delete files until you have completed a full investigation of your system. This is because making changes and deleting files as you go reduces the chances of you finding the source of the attack. Without finding the source, you may not discover where your vulnerabilities are and you will leave your system open to further phishing attacks in the future.
During your investigation, it is important to keep notes as you go along. Record the full path to any phishing sites you find in addition to any malicious files, code injections, and scripts with unsafe code. Also keep track of their timestamps and any related log entries. We will explain more about this below. At the end of your investigation you will be able to refer to your notes in order to determine the best course of action to take to remove the malicious items and help prevent repeat attacks in the future.
An example of how to deal with a website phishing attack
For our example of how to deal with a website phishing attack, we are going to assume that we have received a report of a WordPress phishing link (http://www.example.com/Apple/securelogin.html) running on a cPanel Linux/Unix Apache web server. Links such as these are commonly used by hackers for phishing attacks; however, there are many different variations as the complexity of phishing evolves.
Most security professionals asked to deal with a website phishing attack will be able to complete the following procedures within 15-20 minutes on a standard sized web site. If you are attempting these procedures without professional help, or you have a larger-than-average website to clean, allow some extra time to complete your investigations and address the issues that you find.
Start by reviewing the timestamps of the affected files
To review the timestamps of the affected files, you should use the “stat” command on the infected file you already know about.
As you are looking for anomalies, one of the first things you will notice is that the “Modify” and “Change” dates are two days apart. This is because the “Modify” date refers to the content of the file, while the “Change” date refers to the metadata. The “Modify” date is usually the most significant, but take a note of both in case you need to use the “Change” date later in your investigation.
Now compare your timestamps with your logs
Now that you have the time when the content of the file was changed, you can compare it to your logs. The Apache access log is the most common place you will find the information you are looking for (alternatively you may find an upload recorded in the FTP logs or the cPanel logs).
As you are looking for POST requests, it is best to filter the Apache access log by POST, date, and hour, like so:
It is important to keep in mind that the timestamps will not match up exactly with the log records. The Apache access log records the time the file was accessed at the start of the transaction, while the file system timestamp records when the last transaction was written to the file.
Using the ARIN database and GeoIP to establish phishing content
The likely outcome of filtering the logs in POST, date, and hour order is that several hundred entries like the one below will appear:
There are several indicators of unauthorized activity in this entry. There should not be a PHP file in this directory. There is no referrer link provided for the HTTP/1.0 protocol and, although the request is identified as Googlebot, once the IP address is checked against the ARIN database (http://whois.arin.net/) or the GeoIP Tool (http://www.geoiptool.com/) you will find that it does not belong to Google.
Common hacker tactics can throw you off the trail
Now that you have identified a trail to follow, it should be easy to find the source of the phishing attack – or so you might think. However, when you try to examine the “xXx.php” file through the stat facility, you may get an answer like this:
This indicates that the file has been moved or deleted by the attacker to throw you off the trail. If the file still exists in your system, it should become apparent later on.
If this happens to you, go back to the Apache access log to review the “Change” time you noted earlier. This should give you a link to a different file which has a different IP and user agent. For example:
This file does not appear to be scripted like the previous entry. However, the attacker is POSTing to a file in the theme, which is unusual. If you review the contents of the file to see what was being attempted during the phishing attack, you will get obfuscated PHP code like the one that appears in the image below:
This PHP code does not necessarily mean that the content is malicious; there are valid reasons for obfuscating code and it could genuinely be part of the theme. You can use UnPHP.net to decode it. While that service does not always decode it completely, it will usually give you enough information to determine whether the code is malicious or unsafe.
As we know the file was used by the attacker (because the stat facility was unable to locate the original PHP file), add whatever you discover to your list and keep following the trail using the timestamps and log entries.
Don’t stop until there is nowhere else to look
You should always follow this same process on the “js.php” file. You are likely to find that the process leads to other files to trace, points to a vulnerability in your application or theme, or you could find more files that point back on themselves. You should also filter the logs a little differently to view all the POSTs from any unauthorized IPs that are identified:
By using the above command, you are likely to find something similar to the following:
These results indicate either that a password has been compromised or that there is a vulnerability in WordPress. You could review the logs further to find out which it is or, to save time, apply updates if they are available and reset all administrator passwords.
Continue your investigation with recently modified files and directories
Once you have exhausted the list of known malicious files you have discovered, you need to be a little bit creative to find any remaining items. For this part of the investigation you need to start in the document root directory. Examine the directory structure and the most recently modified files using the following command:
# ls -lrt
You should find directories with the name of a third-party company or directories that do not follow your directory-naming conventions. You should extend your investigation to look for any files with timestamps out of sync with surrounding files. As previously, you will need to examine the content and relevant log entries for any suspicious items you find.
To establish the existence of any phishing content, it is recommended to examine each directory 2 to 3 levels deep from the document root directory. Within each directory examine the directory structure and any contents of the files that appear out of place. If they appear to be malicious, compare them to the Apache access logs and note everything you find.
Finally, you should go back to the root directory and run some targeted searches. Start by searching for any files that have a “Modified” date within the last seven days – assuming you have chosen to deal with a website phishing attack immediately upon being informed by your hosting provider. If you have already found malicious content older than a week, you may have to go back further in time; but you can narrow the list down using the grep command and filter out files you are already aware of.
It is sometimes useful to investigate files with recent “Change” dates. Most commonly the results will not differ too much from the “mtime” enquiry, but there could be some key findings.
Another enquiry you should conduct is for Symlinks. Symlinks are often used in an attempt to break out of a user’s account. Most websites do not use Symlinks at all and they are almost always safe to remove. You can enquire about the presence of Symlinks by using the following command:
The final enquiry you should make is:
This is a command often used to detect code obfuscation, which is common in malicious code. It will naturally unearth many items that are valid elements of your site, and you will need to cross-check each file against its code and the log file access records to ensure they are not only valid elements, but safe and protected code.
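The investigation steps above, gathered into one runnable script as an added example (not from the original guide): it builds a constructed sample document root and Apache access log in a temporary directory, then applies the same checks in order: file timestamps, POSTs filtered by date and hour, POST entries with no referrer over HTTP/1.0 (with a Googlebot claim flagged for an ARIN/GeoIP check), recently modified files, symlinks, and files containing obfuscation calls. Every path, IP address and log line is constructed for the demo, and base64_decode and eval( are the assumed obfuscation markers.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a constructed
# sample (fake document root + fake Apache access log) and runs the
# investigation steps from the guide against it. Every path, IP address
# and log line here is made up for the demo.
set -u

# Create the constructed sample under a temp directory and print its path.
setup_sample() {
    base=$(mktemp -d)
    site="$base/site"
    mkdir -p "$site/Apple" "$site/wp-content/themes/demo" "$site/wp-content/uploads"
    printf '<html>fake Apple login page</html>\n' > "$site/Apple/securelogin.html"
    printf '<?php echo "legitimate theme file"; ?>\n' > "$site/wp-content/themes/demo/index.php"
    # Constructed stub with the obfuscation pattern the final grep step targets.
    printf '<?php eval(base64_decode("ZWNobyAx")); ?>\n' > "$site/wp-content/themes/demo/js.php"
    # Symlink pointing outside the account, of the kind the guide says to look for.
    ln -s ../../../../etc/passwd "$site/wp-content/uploads/link"
    # Make the legitimate theme file old so only the planted files are "recent".
    touch -t 201501010000 "$site/wp-content/themes/demo/index.php"
    # Constructed access log in Apache combined format (documentation IP ranges).
    cat > "$base/access.log" <<'EOF'
203.0.113.5 - - [12/Oct/2015:14:02:11 +0000] "POST /wp-content/themes/demo/js.php HTTP/1.0" 200 512 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [12/Oct/2015:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:15:05:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2015:14:02:11 +0000] "POST /xXx.php HTTP/1.0" 200 100 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
EOF
    echo "$base"
}

# Step 1: stat-style Modify/Change timestamps (GNU stat first, BSD stat as fallback).
file_times() {
    stat -c 'modify=%y change=%z' "$1" 2>/dev/null || stat -f 'modify=%Sm change=%Sc' "$1"
}

# Step 2: POST requests in the log for one date and hour, e.g. 12/Oct/2015 14.
posts_in_hour() {
    grep -F '"POST ' "$1" | grep -F "[$2:$3:"
}

# Step 3: POST entries carrying the indicators from the guide: no referrer
# and HTTP/1.0. Prints "ip path note"; a Googlebot claim is flagged so the
# source address can be checked against ARIN/GeoIP.
flag_suspicious_posts() {
    awk '$6 == "\"POST" && $8 == "HTTP/1.0\"" && $11 == "\"-\"" {
        note = (index($0, "Googlebot") ? "claims-Googlebot,verify-ip" : "verify-ip")
        print $1, $7, note
    }' "$1"
}

# Step 4: regular files modified within the last N days under the docroot.
recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# Step 5: symlinks anywhere under the docroot.
find_symlinks() {
    find "$1" -type l | sort
}

# Step 6: files containing the usual obfuscation calls (assumed markers).
find_obfuscated() {
    grep -rlE 'base64_decode|eval\(' "$1" | sort
}

# Run the whole walkthrough: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    base=$(setup_sample)
    echo "== timestamps"; file_times "$base/site/Apple/securelogin.html"
    echo "== POSTs on 12/Oct/2015, hour 14"; posts_in_hour "$base/access.log" 12/Oct/2015 14
    echo "== suspicious POSTs"; flag_suspicious_posts "$base/access.log"
    echo "== modified in last 7 days"; recent_files "$base/site" 7
    echo "== symlinks"; find_symlinks "$base/site"
    echo "== obfuscated"; find_obfuscated "$base/site"
    rm -rf "$base"
fi
```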
Remove the malicious files and reset compromised passwords
Once you have completed the investigation, you can start removing the phishing content. Delete any malicious files that have been uploaded and clean any code injected files. Malicious code injections can be cleared using a file editor, and usually you will find the added code on the first or last line of a file.
If you have identified any patterns with the malicious requests in the logs, you can block future unauthorized access with .htaccess rules. For example, if all of the requests were from the same subnet or location you could block them temporarily until you have fully secured your site.
You can now update any applications on your site and repair any insecure scripts you found during the investigation. When updating your software be sure to check for things like Timthumb and TinyMCE as they are frequently overlooked. If you’re running a CMS like WordPress then updating the following is usually enough to repair any issues you find:
- the WordPress core,
- all plugins,
- and themes.
If you have a custom-built website, it is likely you will have found an insecure upload form during the investigation. You will need to add validation to the script to prevent the form’s misuse in the future. The simplest method of achieving this is to password-protect the form so only you can use it.
De-Listing from a blacklist
Now your website is clean, safe and phishing-content free. However, potential visitors to your website are still seeing a safety warning due to your site being blacklisted. Fortunately, getting de-listed from blacklists is straightforward.
Potential visitors to your website will most likely be warned away by Google’s Safe Browsing. You can use https://www.google.com/safebrowsing/report_error/ to request a de-listing. Google will crawl your website again and check for any issues. If none are found, you should be removed from the blacklist shortly.
Minimizing your website’s vulnerability
The most common mistakes causing phishing attacks and security issues are the same across the board – unapplied updates, weak passwords, test accounts, and insecure custom scripts. We mentioned at the top of this article that, despite the measures you put in place, you might again have to deal with a phishing attack. However, the less vulnerable your website is, the less likely it is to be attacked – phishers will simply consider your website too difficult to manipulate and move somewhere else.
Neglected development sites also need to be made secure. If hackers gain access to your development site via a vulnerability, they will also have access to your regular site. If you use a development site – or have used one in the past – do not neglect its security. Ideally all development sites and test accounts should be removed once their purpose has been fulfilled.
In order to minimize your website’s vulnerability and reduce the risk of having to deal with a website phishing attack, take advantage of these helpful hints:
There are many benefits of honeypots, and all organizations should take the time to set them up. Honeypots are designed to catch a hacker’s eye so that their efforts will be drawn to attacking your honeypot rather than a system where they could cause some serious harm.
There are many benefits of honeypots!
A honeypot is a system that is set up with the singular purpose of being attacked. It is a system designed to be exploited, hacked, infected with malware, and generally abused by a malicious third party. Why should I do that, you may ask? Well, there are many benefits.
You may wonder why you should spend time, effort, and money setting up a system that will attract hackers, why you should deliberately create a system with weakened defenses that will be exploited, and why you should attract interest from malicious third parties at all.
There are three very good reasons why you should. First, you will be wasting a hacker’s time, and time spent attacking a system that is safe is time not spent hacking a system that will damage your organization if the hacker succeeds.
Secondly, by setting up a honeypot you will be able to see who is attacking you and the methods that are being used. This will give you a very good idea of the types and robustness of the defenses you need to install to protect your real systems and data from attack.
Thirdly, while an attacker is busy with a honeypot you have time to spot them and block their source before they reach your real systems, and a hacker who gets nowhere may simply give up and move on.
Security researchers are well aware of the benefits of honeypots. They have been vital in the study of hackers’ behavior. They can be used to determine how systems are attacked and are also a very useful part of a system’s defenses. It is not a question of whether you should set up a honeypot, but rather why you have not already done so.
There are many different types of honeypot that can be implemented. You can set up a dummy system with an entire network topology if you wish. You can have many different hosts, you can include a wide range of services, and even different operating systems. In short, an entire network can be set up to be attacked.
There are many options, but we have listed two popular honeypots below: Honeyd and Kippo.
The Honeyd honeypot
This is a small daemon that can be used to create a network containing many virtual hosts. Each of those hosts can be set up and configured differently. You can run a range of arbitrary services on each, and configure them to appear as if they are running different operating systems. For network simulation purposes, you can create tens of thousands of different hosts on your LAN using Honeyd if you so wish. You can use Honeyd to hide your real system, identify threats, assess risk, and improve your security posture.
- Simulate multiple virtual hosts simultaneously
- Identify cyberattacks and passively fingerprint the attacking hosts’ operating systems
- Simulate numerous TCP/IP stacks
- Simulate network topologies
- Set up real FTP and HTTP servers, and even UNIX applications under virtual IP addresses
The lowdown on Honeyd
We invited a guest sysadmin (Arona Ndiaye) to provide input on the Honeyd honeypot from the perspective of a Linux administrator. She mainly uses Linux and *nix systems, and tried out Honeyd to get an idea of how it works and what it can do. She installed it on Kali Linux, which was a simple process: a single line added to her sources.list file, followed by apt-get update && apt-get install honeyd.
A few tweaks were needed so the firewall let the honeypot’s traffic through, along with some simple text editing in a configuration file. That was all that was needed. If any problems are encountered, or more detailed information is required, it is all available on the Honeyd website. Most people find the easiest way to get started is to play with the system and try to attack it, which is what she did.
She was particularly impressed with the information that can be gathered on attacks and scans. The methods of attack were recorded in intricate detail, and Honeyd’s emulated TCP/IP stacks were convincing enough to fool Nmap’s OS detection. The overall verdict was “seriously impressive.”
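To make the configuration file mentioned above concrete, here is an added sample honeyd.conf. It is not from the article or from Honeyd’s own distribution: the addresses are documentation ranges that you would replace with unused addresses on your LAN, the MAC addresses are made up, the scripts/web.sh path and the Kippo listener on port 2222 are assumptions, and the personality strings must match entries in the nmap.prints file Honeyd ships with.

```conf
# honeyd.conf (added sample, not the article's own configuration)

# Default template: any address Honeyd claims that is not bound below
# silently drops traffic, so scans of the unused range show nothing.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A fake Windows file/web server. Unlisted TCP ports answer with RST,
# which is what a real host with a closed port does.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 3284460
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:00:24:ab:8c:12"
bind 192.0.2.101 windows

# A fake Linux host whose SSH port is proxied to a real Kippo listener
# running on the honeypot box, so Honeyd supplies the network identity
# and Kippo supplies the interactive shell.
create linux
set linux personality "Linux 2.4.18 - 2.4.20"
set linux default tcp action reset
add linux tcp port 22 proxy 127.0.0.1:2222
add linux tcp port 80 "sh scripts/web.sh"
set linux ethernet "00:00:24:ab:8c:13"
bind 192.0.2.102 linux
```

Honeyd only answers for addresses that something on the LAN resolves to it, so the usual sequence is to start the ARP responder for the range first (arpd, packaged as farpd on Debian-based systems) and then honeyd itself, for example `arpd 192.0.2.0/24` followed by `honeyd -d -f honeyd.conf -i eth0 192.0.2.0/24`. The firewall tweak the guest sysadmin mentions is needed because the host’s own packet filter must allow traffic to the claimed addresses through to the daemon.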
The Kippo honeypot
We also put Kippo, another popular honeypot, to the test. Kippo emulates an SSH server: it accepts brute force login attempts and, once one succeeds, drops the attacker into a fake shell. The honeypot can be configured with a root password that is particularly easy to guess, such as a simple string of numbers like 123456.
The honeypot presents an entire fake file system, and for added believability you can generate one from a real system. The aim is to convince the hacker that he or she is attacking a real machine. Once the attacker has logged in, everything they subsequently do is recorded. All actions are logged, so it is possible to see exactly what happens when a system is attacked.
What is particularly good about Kippo is how detailed the fake system can be. You can waste a lot of a hacker’s time and get an accurate picture of exactly what they are trying to achieve, the files they upload and download, what malware and exploits they install, and where they put them. Kippo keeps the files that are downloaded and records each session in a log that can be replayed with its playlog utility, and you can then analyze the captured malware in an isolated virtual machine when you have the time.
Set up combo-honeypots to create a highly elaborate network
Both Kippo and Honeyd are open source, so it is possible to tweak both honeypots to suit your own needs and requirements. You can even combine the two to build up extremely elaborate networks – specifying specific file contents and creating fake systems that appear perfectly real. How much time you spend doing this, and the level of detail you want to add, is up to you. If you really want to find out exactly how the systems are attacked to better prepare your real system, these are exceptionally good tools to use.
Adding a honeypot can help to improve your security, but simply setting one up will not. Unfortunately, you will need to invest some time in setting up a realistic network and it will need to be updated and maintained. It must be treated like any other machine or system you use in order for it to be effective. You must also make sure that it is isolated or insulated. Creating a fake system that is easy to attack shouldn’t give a hacker an easy entry point into your real system!
Summary: Main Benefits of Honeypots
- Observe hackers in action and learn about their behavior
- Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
- Create profiles of hackers that are trying to gain access to your systems
- Improve your security posture
- Waste hackers’ time and resources
Have you taken advantage of the benefits of honeypots? What have you been able to learn about attackers?
If you watch Scorpion on CBS, you will be familiar with Walter. Walter knows how to think like a hacker. He is one.
In fact, Walter was malicious as a child. He hacked the government and got up to all sorts of mischief. You may view him as something of a villain, but you would be wrong. Walter may have been on the wrong side of the fence as a child, but now he works for the government and his hacking prowess is used for good. There is nothing evil or wrong about the ability to hack; only how those skills are used determines whether you are in the right or in the wrong.
You should learn how to think like a hacker!
Walter is good at his new job because he is a hacker. He therefore knows exactly how to think like a hacker. While penetration testers and reformed black hat hackers make good white hat hackers, it is possible for a hacking mindset to be developed by anyone. A sysadmin can learn how to think like a hacker!
If you want to determine how secure your network really is, you need to learn how to think like a hacker. You need to take a look at your network as if you were an outsider. Look at it as a whole. Look at the attack surface. Gain an external perspective and see it how a would-be attacker would see it.
A hacker intending on attacking your organization would start with a little research. That person would check the public face of your network, pick up information here and there, get a good picture of your network as a whole, and then use that information when attacking your company.
Take a look at your network with a fresh pair of eyes
If you wanted a new job and had secured an interview, before you attended you would conduct a little research on the company. You would need to find out some basic information. You would likely be asked about the company in the interview.
You would need to take a look at the company website, you would run a few searches through Google, you would take a look at the company’s Twitter and Facebook accounts. You would gather web-based information.
If you really wanted the job you would also gather some information from people as well. You would email anyone you knew who worked at the company and you would ask them about what it is like to work there. You would ask others their opinion of the company.
This is how a hacker would start investigating your company. With that in mind, it would therefore be important to:
- Perform a whois search
- Check to find out what is being said about your company on social media sites
- Check what employees of the company are saying and sharing online
- Check what data your company voluntarily gives away. Do you advertise any aspect of your network structure, how many servers you run, or which software and versions you use? It is much easier to find an exploit if you know exactly what software a company runs!
- Search for your company on Google, Bing, Yahoo, and DuckDuckGo. See what information is revealed, and not just on pages 1-10!
- Use Google hacking tools and see what documents, PDFs, and spreadsheets are available publicly. You may be surprised at what has been indexed!
- Check out the social media profiles of your company employees – Is one member of staff a particular security risk? Do they list every aspect of their life on Facebook? Would they be a likely target of a spear phishing attack? Would a hacker have all the information they need to guess that individual’s password? Over-sharers are often the targets of phishing campaigns. So much can be learned about them online!
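One item on that list can be checked mechanically: what your own web server volunteers about itself in every response. The following is an added example (not from the article) that scans a raw HTTP response for version-bearing headers, CMS generator tags, plugin version strings and developer comments, which are exactly the details an attacker matches against exploit databases. The response is constructed to look like a typical WordPress-on-Apache reply; the hostnames and versions in it are made up.

```python
"""Report what a web server discloses about its software. Added example;
the sample response is constructed, not captured from any real site."""
import re

# Constructed HTTP response modelled on a WordPress site on a LAMP stack.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.14\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    "<meta name=\"generator\" content=\"WordPress 4.2.2\">\n"
    "<!-- TODO remove before launch: staging DB is db-staging.corp.example -->\n"
    "<link rel='stylesheet' href='/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.1.2'>\n"
    "</head><body>Welcome</body></html>"
)

# Headers that, when they carry a version number, tell an attacker which
# exploit to reach for. Compared case-insensitively.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator")

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")
META_GENERATOR_RE = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
WP_PLUGIN_RE = re.compile(
    r"/wp-content/plugins/([^/'\"\s]+)/[^'\"\s]*\?ver=(\d+(?:\.\d+)*)")


def split_response(raw):
    """Split a raw HTTP/1.x response into ({lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_disclosures(raw):
    """Return [(source, name, value)] for everything the response gives away.
    A bare 'Server: Apache' is not reported; 'Apache/2.4.7' is."""
    headers, body = split_response(raw)
    found = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            found.append(("header", name, value))
    for m in META_GENERATOR_RE.finditer(body):
        found.append(("meta", "generator", m.group(1)))
    for m in WP_PLUGIN_RE.finditer(body):
        found.append(("plugin", m.group(1), m.group(2)))
    for m in HTML_COMMENT_RE.finditer(body):
        # Comments often leak internal hostnames, credentials or to-do notes.
        found.append(("comment", "html", " ".join(m.group(1).split())))
    return found


if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print(finding)
```

Run it against a response you fetch from your own site (curl -i saves one in exactly this form). Each finding has a cheap fix: `ServerTokens Prod` and `ServerSignature Off` for Apache, `expose_php = Off` in php.ini, removing WordPress’s generator tag with `remove_action('wp_head', 'wp_generator')`, and stripping developer comments from templates before they go live. Plugin version strings in asset URLs cannot always be removed, which is one more reason to keep plugins patched.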
Hackers love phishing – it’s so easy to be handed access to data!
If you could find an easy way to hack a company, would you choose it? Of course you would! You wouldn’t want to do any more work than you have to, and neither would a hacker. If you wanted to guess a password, you wouldn’t start with “hj&*HUI23YEW(.” You would try “QWERTY,” “password,” “bigguy,” or “123456” first.
Hackers will similarly start with the easiest route first, and that means trying to take advantage of some people’s naivety when it comes to IT security. Phishing is one of the easiest ways to gain access to login credentials. It is also one of the easiest security vulnerabilities to address. How would your employees deal with a phishing attack?
That is something best not left to chance!
- Send out a regular newsletter to explain common social engineering and phishing techniques that are used by hackers
- Show employees how to identify a phishing email
- Conduct regular phishing email tests. Research shows that the more practice staff members have at identifying phishing emails, the better they become at spotting a scam. When a real phishing email is received, they are more likely to identify it correctly before any damage is done.
- If new IT security policies are introduced, make sure they are explained to employees in person. This will help to make sure that they are read, understood, and their importance is made clear.
What happens when an attack does occur and a system is compromised?
You will no doubt spend an extraordinary amount of time putting defenses in place to repel an attack, but what happens if an attack is successful? Have you put defenses in place that will limit the damage caused or will an attacker manage to go from one device to another once the security perimeter is breached?
Switch and router manufacturers publish hardening guides and lockdown scripts for their equipment. Disable unneeded interfaces and services, segment the network, and restrict which addresses can reach management interfaces and cross between segments, so that one compromised device cannot be used to reach everything else. Have you done this? A hacker would check!
Learn how to think like a hacker and you will be able to make your network more secure
There is a very good reason why organizations spend big bucks on white hat hackers and get them to attempt to break through defenses and find the weak points in systems. If you learn how to think like a hacker you will be helping your organization enormously.
Start thinking like a hacker and view every node and end user as a potential entry point into your network, and it will make it easier for you to design network defenses and keep your equipment and data well secured.