WebTitan https://www.webtitan.com Tue, 16 Jan 2018 15:18:54 +0000 en-US hourly 1 ACLU Criticizes Excessive Internet Filtering Controls in Schools https://www.webtitan.com/blog/internet-filtering-controls-in-schools/ Sun, 31 Dec 2017 14:44:54 +0000 https://www.webtitan.com/?p=3046 The Children’s Internet Protection Act (CIPA) requires Internet filtering controls in schools to be applied to block obscene images, child pornography, or other images that could be harmful to minors. Compliance with the Children’s Internet Protection Act is not mandatory, but a lack of Internet filtering controls in schools means that it is not possible […]

The post ACLU Criticizes Excessive Internet Filtering Controls in Schools appeared first on WebTitan.

]]>
The Children’s Internet Protection Act (CIPA) requires Internet filtering controls in schools to be applied to block obscene images, child pornography, or other images that could be harmful to minors.

Compliance with the Children’s Internet Protection Act is not mandatory, but a lack of Internet filtering controls in schools means that it is not possible to receive discounts under the e-rate program – an initiative that makes telecommunications and Internet services more affordable for schools. The discounts are considerable. Schools can reduce their telecommunications costs by up to 90%.

Consequently, many schools choose to comply with CIPA and apply Internet filtering controls to block inappropriate website content. However, Internet filtering controls in schools are often overly restrictive, and are not only used to block obscene content, but other material with important educational value.

A recent report by the American Civil Liberties Union (ACLU) of Rhode Island, has revealed that many schools are choosing to use their Internet filters to block a broad range of website content – Far more than is necessary to comply with CIPA.

The latest report is a follow-on study from a 2013 investigation into Internet filtering controls in schools in Rhode Island. Four years ago, the ACLU study found that teachers were being hampered by Internet filters and prevented from using the Internet to educate students. Students were also blocked from accessing information relevant to their studies.

Since that initial report was released, the Rhode Island Department of Education (RIDE) released guidance for schools on Internet filtering, following the passage of a new state law that required Internet filtering controls in schools to foster academic freedom.

For the latest report, ACLU requested copies of Internet filtering policies from school districts to determine whether state laws were being followed and if Internet filtering controls in schools had improved following the model policy issued by RIDE.

33 school districts responded to the request, but only five of the schools had an Internet filtering policy in place, and out of those five, three were not in compliance with the new state law.

Critics of Internet filtering controls in schools often point out that in an effort to block obscene and sexual content, topics such as sex education are accidentally blocked. However, the report suggests that the blocking of such content by Rhode Island schools was not always accidental.

It is important for children to be able to have their questions answered on sex. Schools are often the only places where children can access such educational content. UCLU found that it was common for sex education content to be blocked by filters in Rhode Island schools.

Other topics that were commonly blocked were material related to drugs, tobacco, alcohol, terrorism, and religion. ACLU pointed out that the Internet filtering controls prevented students from researching topics such as the medicinal use of marijuana, fetal alcohol syndrome, abortion, or the opioid epidemic in the United States.

Some schools had even more restrictive filers in place that prevented students and staff from accessing topics such as hobbies, dictionaries, news and political websites, humor and information about alternative sexual lifestyles.

The Internet filtering law in Rhode Island requires schools to have an Internet filtering policy that explains why a particular category of website content is blocked to ensure transparency, and to list who is responsible for making the decision about blocking that category.

A mechanism must also be put in place that allows staff and students to request the lifting of a block (whitelisting a website for example) to allow educational content to be accessed. Yet the report showed that in many cases, staff and students had to wait for excessively long periods before their request was honored.

The law requires a list to be maintained of all requests and for those lists to be assessed annually to determine whether filtering controls need to be altered. RIDE’s model Internet filtering policy must also be adopted to ensure academic freedom.

ACLU said, “Without adoption and implementation of strong policies across the board, we will continue to see an array of issues involving the over-filtering of our schools’ Internet systems, which will continue to negatively impact students from accessing information and teachers from making use of helpful educational tools.”

Using a clunky system that blocks valuable content will be damaging to children’s education. Internet content filtering in schools is important, but it is also important for a technological control to be implemented that is not overly restrictive.

With WebTitan, it is possible to block obscene content and to comply with CIPA, without restricting access to important educational content. Category filters are accurate, and thanks to highly granular controls, adjusting filtering settings is a quick and straightforward process. With WebTitan, schools can quickly fine tune their filters and process staff and student requests to unblock content and comply with both CIPA and state laws.

If you are looking for an alternative solution that allows you to carefully control the content that can be accessed over the Internet by staff and students, that allows different controls to be applied for different users and user groups and is easy to use, contact the TitanHQ team today and find out about the difference WebTitan can make.

The post ACLU Criticizes Excessive Internet Filtering Controls in Schools appeared first on WebTitan.

]]>
Are Password Managers Safe? https://www.webtitan.com/blog/password-managers-safe/ Wed, 20 Dec 2017 09:14:24 +0000 https://www.webtitan.com/?p=3042 Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts? First of all, it is worth considering that most […]

The post Are Password Managers Safe? appeared first on WebTitan.

]]>
Passwords should be complex and difficult to guess, but that makes them difficult to remember, so what about using password managers to get around that problem? Are password managers safe and secure? Are they better than attempting to remember passwords for every one of your accounts?

First of all, it is worth considering that most people have a great deal of passwords to remember – email accounts (work and personal), social media accounts, bank accounts, retail sites, and just about every other online service. If you rarely venture online and do not make online purchases, that means you will need to learn a handful of passwords (and change them regularly!).

Most people will have many passwords. Far too many to remember. That means people tend to choose easy to remember – and easy to guess – passwords and tend to reuse passwords on multiple sites.

These poor security practices are a recipe for disaster. In the case of password reuse, if one password is guessed, multiple accounts can be compromised. So, are password managers safe? If that is the alternative, then most definitely.

With a password manager you can generate a strong and impossible to remember password for every online account. That makes each of those accounts more secure. Emmanuel Schalit, CEO of Dashline, a popular password manager, said, “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.”

That does mean that if the server used by the password manager company is hacked, you do stand to lose all of your passwords. Bear in mind that no server can ever be 100% secure. There have been hacks of password manager servers and vulnerabilities have been discovered (see below). Password managers are not risk-free. Fortunately, password managers encrypt passwords, so even if a server is compromised, it would be unlikely that all of your passwords would be revealed.

That said, you will need to set a master password to access your password manager. Since you are essentially replacing all of your unique passwords with a single password, if the master password is guessed, then your account can be accessed and with it, all of your passwords. To keep password managers safe and secure, it is important to use a strong and complex password for your account – preferably a passphrase of upwards of 12 characters and you should change that password every three months.

If you use a cloud-based password manager, it is possible that when that service goes down, you will not be able to access your own account. Fortunately, downtime is rare, and it would still be possible to reset your passwords. You could also consider keeping a local copy of your passwords and encrypting that file. In a worst-case scenario, such as the password manager company going bust, you would always have a copy. Some services will also allow you to sync your encrypted backups with the service to ensure local copies are kept up to date.

Flaws Discovered in Password Managers

Tavis Ormandy, a renowned researcher from the Google Project Zero team, recently discovered a flaw in Keeper Password Manager that could potentially be exploited to gain access to a user’s entire vault of stored passwords. The Keeper Password Manager flaw could not be exploited remotely without any user interaction. However, if the user was lured onto a specially crafted website while logged into their password manager, the attacker could inject malicious code to execute privileged code in the browser extension and gain access to the account. Fortunately, when Keeper was alerted to the flaw, it was rapidly addressed before the flaw could be exploited.

Last year Ormandy also discovered a flaw in LastPass, one of the most popular password managers. Similarly, that flaw could be exploited by luring the user to a specially crafted webpage via a phishing email. Similarly, that flaw was rapidly addressed. The LastPass server was also hacked the year before, with the attackers gaining access to some users’ information. LastPass reports that while it was hacked, users’ passwords were not revealed.

These flaws do go to show that while password managers are safe, vulnerabilities may exist, and even a password manager can potentially be hacked.

Are Password Managers Safe to Use?

So, are password managers safe? They can be, but as with any other software, vulnerabilities may exist that can leave your passwords exposed. It is therefore essential to ensure that password manager extensions/software are kept up to date, as is the case with all other software and operating systems.

Security is only as good as the weakest link, so while your password manager is safe, you will need to use a complex master password to prevent unauthorized individuals from accessing your password manager account. If that password is weak and easily guessable, it will be vulnerable to a brute force attack.

In addition to a complex master password, you should take some additional precautions. It would be wise not to use your password manager to save the password to your bank account. You should use two-factor authentication so if a new device attempts to connect to any of your online accounts, you will receive an alert on your trusted device or via email.

As an additional protection, businesses that allow the use of password managers should consider implementing a web filtering solution that prevents users from visiting known malicious websites where vulnerabilities could be exploited. By restricting access to certain categories of website, or whitelists of allowable sites, the risk of web-based attacks can be reduced to a low and acceptable level.

Password managers should also be used with other security solutions that provide visibility into who is accessing resources. Identity and access management solutions will help IT managers determine when accounts have been breached, and will raise flags when anomalous activity is detected.

The post Are Password Managers Safe? appeared first on WebTitan.

]]>
HTTPS Phishing Websites Soar as Cybercriminals Embrace SSL https://www.webtitan.com/blog/https-phishing-websites-soar/ Fri, 08 Dec 2017 18:06:08 +0000 https://www.webtitan.com/?p=3014 HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs. If a website starts with HTTPS it means that a SSL certificate is held by the site owner, that the connection between […]

The post HTTPS Phishing Websites Soar as Cybercriminals Embrace SSL appeared first on WebTitan.

]]>
HTTPS phishing websites have increased significantly this year, to the point that more HTTPS phishing websites are now being registered than legitimate websites with SSL certificates, according to a new analysis by PhishLabs.

If a website starts with HTTPS it means that a SSL certificate is held by the site owner, that the connection between your browser and the website is encrypted, and you are protected from man-in-the-middle attacks. It was not long ago that a green padlock next to the URL, along with a web address starting with HTTPS, meant you could be reasonably confident that that the website you were visiting was genuine. That is no longer the case, yet many people still believe that to be true.

According to PhisLabs, a recent survey showed that 80% of respondents felt the green padlock and HTTPS indicated the site was legitimate and/or secure. The truth is that all it means is traffic between the browser and the website is encrypted. That will prevent information being intercepted, but if you are on a phishing website, it doesn’t matter whether it is HTTP or HTTPS. The end result will be the same.

Over the past couple of years there has been a major push to move websites from HTTP to HTTPS, and most businesses have now made the switch. This was in part due to Google and Firefox issuing warnings about websites that lacked SSL certificates, alerting visitors that entering sensitive information on the sites carried a risk. Since October, Google has been labelling websites as Not Secure in the URL via the Chrome browser.

Such warnings are sufficient to see web visitors leave in their droves and visit other sites where they are better protected. It is no surprise that businesses have sat up and taken notice and made the switch. According to Let’s Encrypt, 65% of websites are now on HTTPS, compared to just 45% in 2016.

However, it is not only legitimate businesses that are switching to secure websites. Phishers are taking advantage of the benefits that come from HTTPS websites. Namely trust.

Consumer trust in HTTPS means cybercriminals who register HTTPS sites can easily add legitimacy to their malicious websites. It is therefore no surprise that HTTPS phishing websites are increasing. As more legitimate websites switch to HTTPS, more phishing websites are registered with SSL certificates. If that were not the case, the fact that a website started with HTTP would be a clear indicator that it may be malicious and cybercriminals would be at a distinct disadvantage.

What is a surprise is the extent to which HTTPS is being abused by scammers. The PhishLabs report shows that in the third quarter of 2017, almost a quarter of phishing websites were hosted on HTTPS pages. Twice the number seen in the previous quarter. An analysis of phishing sites spoofing Apple and PayPal showed that three quarters are hosted on HTTPS pages. Figures from 2016 show that less than 3% of phishing sites were using HTTPS. In 2015 it was just 1%.

While checks are frequently performed on websites before a SSL certificate is issued, certification companies do not check all websites, which allows the scammers to obtain SSL certificates. Many websites are registered before any content is uploaded, so even a check of the site would not provide any clues that the site will be used for malicious purposes. Once the certificate is obtained, malicious content is uploaded.

The PhishLabs report also shows there is an approximate 50/50 spread between websites registered by scammers and legitimate websites that have been compromised and loaded with phishing webpages. Just because a site is secure, it does not mean all plugins are kept up to date and neither that the latest version of the CMS is in use. Vulnerabilities exist on many websites and hackers are quick to take advantage.

The rise in HTTPS phishing websites is bad news for consumers and businesses alike. Consumers should be wary that HTTPS is no guarantee that website is legitimate. Businesses that have restricted Internet access to only allow HTTPS websites to be visited may have a false sense of security that they are protected from phishing and other malicious sites, when that is far from being the case.

For the best protection, businesses should consider implementing a web filter that scans the content of webpages to identify malicious sites, and that the solution is capable of decrypting secure sites to perform scans of the content.

For more information on how a web filter can help to protect your organization from phishing and malware downloads, give the TitanHQ sales team a call today.

The post HTTPS Phishing Websites Soar as Cybercriminals Embrace SSL appeared first on WebTitan.

]]>
Terdot Trojan Steals Banking Credentials and Hijacks Social Media Accounts https://www.webtitan.com/blog/terdot-trojan/ Fri, 17 Nov 2017 16:40:13 +0000 https://www.webtitan.com/?p=3002 The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code. The Terdot Trojan is not new, having first […]

The post Terdot Trojan Steals Banking Credentials and Hijacks Social Media Accounts appeared first on WebTitan.

]]>
The Terdot Trojan is a new incarnation of Zeus, a highly successful banking Trojan that first appeared in 2009. While Zeus has been retired, its source code has been available since 2011, allowing hackers to develop a swathe of new banking Trojans based on its sophisticated code.

The Terdot Trojan is not new, having first appeared in the middle of last year, although a new variant of the credential-stealing malware has been developed and is being actively used in widespread attacks, mostly in Canada, the United States, Australia, Germany, and the UK.

The new variant includes several new features. Not only will the Terdot Trojan steal banking credentials, it will also spy on social media activity, and includes the functionality to modify tweets, Facebook posts, and posts on other social media platforms to spread to the victim’s contacts. The Terdot Trojan can also modify emails, targeting Yahoo Mail and Gmail domains, and the Trojan can also inject code into websites to help itself spread.

Further, once installed on a device, Terdot can download other files. As new capabilities are developed, the modular Trojan can be automatically updated.

The latest variant of this nasty malware was identified by security researchers at Bitdefender. Bitdefender researchers note that in addition to modifying social media posts, the Trojan can create posts on most social media platforms, and suspect that the stolen social media credentials are likely sold on to other malicious actors, spelling further misery for victims.

Aside from social media infections, the Trojan is distributed via phishing emails. One such spam email campaign includes buttons that appear to be PDF files, although a click will launch JavaScript which starts the infection process. However, Bitdefender researchers note that the primary infection vector appears to be the Sundown exploit kit – exploiting vulnerabilities in web browsers.

Unfortunately, detecting the Terdot Trojan is difficult. The malware is downloaded using a complex chain of droppers, code injections and downloaders, to reduce the risk of detection. The malware is also downloaded in chunks and assembled on the infected device. Once installed, it can remain undetected and is not currently picked up by many AV solutions.

“Terdot goes above and beyond the capabilities of a Banker Trojan. Its focus on harvesting credentials for other services such as social networks and e-mail services could turn it into an extremely powerful cyber-espionage tool that is extremely difficult to spot and clean,” warns Bitdefender.

Protecting against threats such as banking Trojans requires powerful anti-malware tools to detect and block downloads, although businesses should consider additional protections to block the main attack vectors: Exploit kits and spam email.

Spam filtering software should be used to block phishing emails containing JavaScript and Visual Basic downloaders. A web filter is also strongly advisable to block access to webpages known to host malware and exploit kits. Even with powerful anti-virus, web filters, and spam filters, employees should be trained to be more security aware. Regular training and cybersecurity updates can help to eradicate risky behavior that can lead to costly malware infections.

The post Terdot Trojan Steals Banking Credentials and Hijacks Social Media Accounts appeared first on WebTitan.

]]>
Combosquatting: Study Reveals Extent of Use of Trademarks in Web Attacks https://www.webtitan.com/blog/combosquatting/ Thu, 02 Nov 2017 09:53:09 +0000 https://www.webtitan.com/?p=2984 Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials. Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example. Combosquatting is so named […]

The post Combosquatting: Study Reveals Extent of Use of Trademarks in Web Attacks appeared first on WebTitan.

]]>
Combosquatting is a popular technique used by hackers, spammers, and scammers to fool users into downloading malware or revealing their credentials.

Combosquatting should not be confused with typosquatting. The latter involves the purchasing of domains with transposed letters or common spelling mistakes to catch out careless typists – Fcaebook.com for example.

Combosquatting is so named because it involves the purchasing of a domain that combines a trademarked name with another word – yahoofiles.com, disneyworldamusement.info, facebook-security.com or google-privacy.com for example.

The technique is not new, but the extent that it is being used by hackers was not well understood. Now researchers at Georgia Tech, Stony Brook University and London’s South Bank University have conducted a study that has revealed the extent to which hackers, spammers, and scammers are using this technique.

The research, which was supported by the U.S. Department of Defense, National Science Foundation and the U.S. Department of Commerce, was presented at the 2017 ACM Conference on Computer and Communications Security (CCS) on October 31, 2017.

For the study, the researchers analyzed more than 468 billion DNS records, collected over 6 years, and identifed combosquatting domains. The researchers noted the number of domains being used for combosquatting has increased year over year.

The extent to which the attack method is being used is staggering. For just 268 trademarks, they identified 2.7 million combosquatting domains, which they point out makes combosquatting more than 100 times as common as typosquatting. While many of these malicious domains have been taken down, almost 60% of the domains were active for more than 1,000 days.

The team found these domains were used for a wide variety of nefarious activities, including affiliate abuse, phishing, social engineering, advanced persistent threats, malware and ransomware downloads.

End users are now being taught to carefully check domain names for typos and transposed letters to detect typosquatting, but this technique fools users into thinking they are on a website that is owned by the brand included in the domain.

First author of the study, Georgia Tech researcher Panagiotis Kintis, said, “These attacks can even fool security people who may be looking at network traffic for malicious activity. When they see a familiar trademark, they may feel a false sense of comfort with it.”

In order to prevent these types of trademark use attacks, many companies register hundreds of domains that contain their trademark. The researchers found that many of the domains being used by hackers had previously been owned by the holders of the trademark. When the domains were not renewed, they were snapped up by hackers. Many of the malicious domains that had been previously purchased by hackers, had been re-bought by other scammers when they came up for renewal.

Users are being lured onto the domains using a variety of techniques, including the placing of adverts with the combosquatting domains on ad-networks, ensuring those adverts are displayed on a wide variety of legitimate websites – a technique called malvertising. The links are also distributed in spam and phishing emails. These malicious URLS are also frequently displayed in search engine listings, and remain there until complaints are filed to have the domains removed.

Due to the prevalence of this attack technique, organizations should include it in their cyber awareness training programs to alert users to the attack method and ensure they exercise caution.

The researchers also suggest an organization should be responsible for taking these domains down and ensuring they cannot be re-bought when they are not renewed.

The post Combosquatting: Study Reveals Extent of Use of Trademarks in Web Attacks appeared first on WebTitan.

]]>
TitanHQ Provides Insights into Great Innovations in Enterprise WiFi Security at WiFi Now Europe 2017 https://www.webtitan.com/blog/enterprise-wifi-security-wifi-now-europe-2017/ Fri, 27 Oct 2017 13:12:53 +0000 https://www.webtitan.com/?p=2977 TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure. This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now […]

The post TitanHQ Provides Insights into Great Innovations in Enterprise WiFi Security at WiFi Now Europe 2017 appeared first on WebTitan.

]]>
TitanHQ Sales Director Conor Madden will be talking enterprise Wi-Fi security at this year’s Wi-Fi Now Europe 2017, explaining some of the key innovations in Wi-Fi security to keep enterprise Wi-Fi networks secure.

This will be the fourth time in two years that Conor has provided his insights into Wi-Fi security developments at Wi-Fi Now conferences. Conor will be giving his presentation – Four Great Innovations in Enterprise Wi-Fi – Part One – on the first day of the conference between 12:00 and 12:30.

Conor will explain how DNS-based Wi-Fi security adds an essential layer of security to keep enterprise Wi-Fi networks secure, and will offer insights into how enterprises can easily create customized Wi-Fi services. In addition to Conor’s headline speech, the TitanHQ team will be in attendance and will be demonstrating WebTitan Cloud for Wi-Fi at Stand 23 over the three days of the event. The team will also demonstrate some of the big-ticket deployments from the past 18 months. The team will also explain some of the new refinements and updates that have made WebTitan even more useful and user friendly, including the new API capability that is proving so popular with product managers and engineers.

Wi-Fi Now Europe 2017 – The Premier Conference for the Wi-Fi Industry

The Wi-Fi Now Europe 2017 event brings together leaders, entrepreneurs, innovators, and experts from all areas of the Wi-Fi industry. This year there will be more than 50 speakers including analysts, thought leaders, technology leaders, carriers and service providers. More than 40 companies from all areas of the Wi-Fi industry will be demonstrating their products and services to attendees.

The conferences are a highlight in the calendar for anyone involved in the Wi-Fi industry and provide attendees with an incredible networking opportunity and the chance to learn about the latest advances in Wi-Fi, exciting new products and new services on offer.

The Wi-Fi Now Europe 2017 Conference will be taking place between October 31st and November 2nd at the NH Den Haag Hotel atop The Hague’s World Trade Center Building.

Gold passes give attendees complete access to all events at the 3-day conference, with day passes also available. Advance registration is required for all attendees.

TitanHQ On the Road

It has been a busy few weeks for TitanHQ. The team has been traveling across Europe and the United States, showcasing its web filtering, spam filtering and email archiving solutions.

The Wi-Fi Now Europe 2017 comes hot on the heels of the DattoCon17 conference in London, where the team met with more than 400 MSPs and the ASCII Summit in Washington D.C., where TitanHQ explained how Managed Service Providers can grow their business and easily increase monthly recurring revenues.  Earlier this month, TitanHQ attended the Kaseya Connect Europe IT Management Event and explained about the new integration of WebTitan with Kaseya.

The road trip continues into November in the United States, with TitanHQ attending both the upcoming HTG Meeting in Orlando, FL (Oct 30-Nov 3) and the IT Nation, ConnectWise Conference at the Hyatt Regency, Orlando, between November 8-10, 2017.

The post TitanHQ Provides Insights into Great Innovations in Enterprise WiFi Security at WiFi Now Europe 2017 appeared first on WebTitan.

]]>
Look Beyond HIPAA Compliance to Prevent Healthcare Data Breaches https://www.webtitan.com/blog/hipaa-compliance-prevent-healthcare-data-breaches/ Fri, 27 Oct 2017 08:15:01 +0000 https://www.webtitan.com/?p=2970 Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and […]

The post Look Beyond HIPAA Compliance to Prevent Healthcare Data Breaches appeared first on WebTitan.

]]>
Last month saw a significant rise in healthcare data breaches, clearly demonstrating that healthcare providers, health plans, and business associates are struggling to prevent healthcare data breaches.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule was introduced to ensure that healthcare organizations implement a range of safeguards to ensure the confidentiality, integrity, and availability of healthcare data. It has now been more than decade since the Security Rule was introduced, and data breaches still occurring with alarming frequency. In fact, more data breaches are occurring than ever before.

September Data Breaches in Numbers

The Protenus Breach Barometer Report for September, which tracks all reported healthcare data breaches, showed there were 46 breaches of protected health information (PHI) in September, with those breaches resulting in the exposure of 499,144 individuals’ PHI. Hacking and IT incidents were cited as the cause of 50% of those breaches, with insiders causing 32.6% of incidents. Loss and theft of devices was behind almost 11% of the month’s breaches. Previous monthly reports in 2017 have shown that insiders are often the biggest cause of healthcare data breaches.

HIPAA Compliance Will Not Prevent Healthcare Data Breaches

HIPAA compliance can go some way toward making healthcare organizations more resilient to cyberattacks, malware and ransomware infections, but simply complying with the HIPAA Security Rule does not necessarily mean organizations will be impervious to attack.

HIPAA compliance is about raising the bar for cybersecurity and ensuring a minimum standard is maintained. While many healthcare organizations see HIPAA compliance as a goal to achieve a good security posture, the reality is that it is only a baseline. To prevent data breaches, healthcare organizations must go above and beyond the requirements of HIPAA.

Detect Insider Breaches Promptly

Preventing insider data breaches can be difficult for healthcare organizations. Healthcare employees must be given access to patient records in order to provide medical care, and there will always be the occasional bad apple that snoops on the records of patients who they are not treating, and individuals who steal data to sell to identity thieves.

HIPAA Requires healthcare organizations to maintain access logs and check those logs regularly for any sign of unauthorized access. The term ‘regularly’ is open to interpretation. A check every six months or once a year could be viewed as regular and compliant with HIPAA regulations. However, during those 6 or 12 months, the records of thousands of patients could be accessed. Healthcare organizations should go above and beyond HIPAA requirements and should ideally implement a system that constantly monitors for unauthorized access or at least conduct access log reviews every quarter as a minimum. This will not prevent healthcare data breaches, but it will reduce their severity.

Close the Door to Hackers

50% of breaches in September were due to hacking and IT incidents. Hackers are opportunistic, and while targeted attacks on large healthcare organizations do occur, most of the time hackers take advantage of long-standing vulnerabilities that have not been addressed. In order to correct those vulnerabilities, they must first be identified, hence the need for regular risk analyses as required by the HIPAA Security Rule. An organization-wide risk analysis should take place at least every year to remain HIPAA compliant, but more frequently to ensure vulnerabilities have not crept in.

Additionally, a check should be performed at least every month to make sure all software is up to date and all patches have been applied. There have been numerous examples recently of cloud storage instances being left unprotected and accessible by the public. There are free tools that can be used to check for exposed AWS buckets for example. Scans should be regularly conducted. Cybercriminals will be doing the same.

Prevent Impermissible Disclosures of PHI

One of the leading causes of PHI disclosures occurs when laptop computers, zip drives, and other portable devices are lost or stolen. While employees can be trained to take care of their devices, thieves will seize any opportunity if devices are left unprotected. HIPAA does not demand the use of encryption, and alternative measures can be used to secure devices, but HIPAA covered entities and their business associates should use encryption on portable devices to ensure that in the event of loss or theft, data cannot be accessed. If an encrypted device is stolen or lost, it is not a HIPAA breach. Using encryption on portable devices is a good way to prevent healthcare data breaches.

Small portable storage devices such as pen drives are convenient, but they should never be used for transporting PHI – They are far too easy to lose or misplace. Use HIPAA-compliant cloud storage services such as Dropbox or Google Drive as they are more secure.

Block Malware and Ransomware Attacks

Malware and ransomware attacks are reportable breaches under HIPAA, and can result in major data breaches. Email is the primary vector for delivering malware, so it is essential for an effective spam filtering solution to be implemented. HIPAA requires training to be provided to employees regularly, but a once-a-year training session is no longer sufficient. Training sessions should take place at least every 6 months, with regular security alerts on the latest phishing threats communicated to employees as and when necessary. Ideally, training should be an ongoing process, involving phishing simulation exercises.

Malware and ransomware can also be downloaded in drive-by attacks when browsing the Internet. A web filtering solution should be used to prevent healthcare employees from visiting malicious sites, to block phishing websites, and prevent drive-by malware downloads. A web filter is not a requirement of HIPAA, but it is an important extra layer of security that can prevent healthcare data breaches.

The post Look Beyond HIPAA Compliance to Prevent Healthcare Data Breaches appeared first on WebTitan.

]]>
Health Tips Used as Lure in Smoke Loader Malware Malvertising Campaign https://www.webtitan.com/blog/smoke-loader-malware/ Thu, 26 Oct 2017 08:05:30 +0000 https://www.webtitan.com/?p=2968 Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit. Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits […]

The post Health Tips Used as Lure in Smoke Loader Malware Malvertising Campaign appeared first on WebTitan.

]]>
Cybercriminals are delivering Smoke Loader malware via a new malvertising campaign that uses health tips and advice to lure end users to a malicious website hosting the Terror Exploit Kit.

Malvertising is the name given to malicious adverts that appear genuine, but redirect users to phishing sites and websites that have been loaded with toolkits – exploit kits – that probe for unpatched vulnerabilities in browsers, plugins, and operating systems.

Spam email is the primary vector used to spread malware, although the threat from exploit kits should not be ignored. Exploit kits were used extensively in 2016 to deliver malware and ransomware, and while EK activity has fallen considerably toward the end of 2016 and has remained fairly low in 2017, attacks are still occurring. The Magnitude Exploit it is still extensively used to spread malware in the Asia Pacific region, and recently there has been an increase in attacks elsewhere using the Rig and Terror exploit kits.

The Smoke Loader malware malvertising campaign has now been running for almost two months. ZScaler first identified the malvertising campaign on September 1, 2017, and it has remained active throughout October.

Fake advertisements are frequently used to lure users to the malicious sites, although the latest campaign is using weight loss promises and help to quit smoking to attract clicks. Obfuscated JavaScript is incorporated into adverts to redirect users to malicious websites hosting the Terror exploit kit.

Exploit kits can be loaded with several exploits for known vulnerabilities, although the Terror EK is currently attempting to exploit two key vulnerabilities: A scripting engine memory corruption vulnerability (CVE-2016-0189) that affects Internet Explorer 9 and 11, and a Windows OLE automation array RCE vulnerability (CVE-2014-6332) affecting unpatched versions of Windows 7 and 8. ZScaler also reports that three Flash exploits are also attempted.

Patches have been released to address these vulnerabilities, but if those patches have not been applied systems will be vulnerable to attack. Since these attacks occur without any user interaction – other than visiting a site hosting the Terror EK – infection is all but guaranteed if users respond to the malicious adverts.

Smoke Loader malware is a backdoor that if installed, will give cybercriminals full access to an infected machine, allowing them to steal data, launch further cyberattacks on the network, and install other malware and ransomware. Smoke Loader malware is not new – it has been around since at least 2011 – but it has recently been upgraded with several anti-analysis mechanisms to prevent detection. Smoke Loader malware has also been associated with the installation of the TrickBot banking Trojan and Globelmposter ransomware.

To protect against attacks, organizations should ensure their systems and browsers are updated to the latest versions and patches are applied promptly. Since there is usually a lag between the release of a new patch and installation, organizations should consider the use of a web filter to block malicious adverts and restrict web access to prevent employees from visiting malicious websites.

For advice on blocking malvertisements, restricting Internet access for employees, and implementing a web filter, contact the TitanHQ team today.

The post Health Tips Used as Lure in Smoke Loader Malware Malvertising Campaign appeared first on WebTitan.

]]>
IoT Reaper Botnet Growing at Alarming Rate https://www.webtitan.com/blog/iot-reaper-botnet/ Wed, 25 Oct 2017 20:56:20 +0000 https://www.webtitan.com/?p=2965 Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices. The IoT Reaper botnet reportedly includes almost 2 […]

The post IoT Reaper Botnet Growing at Alarming Rate appeared first on WebTitan.

]]>
Last year, the Mirai botnet was used in massive DDoS attacks; however, the IoT Reaper botnet could redefine massive. The Mirai botnet, which mostly consisted of IoT devices, was capable of delivering DDoS attacks in excess of 1 terabit per second using just 100,000 malware infected devices.

The IoT Reaper botnet reportedly includes almost 2 million IoT devices, and infections with Reaper malware are growing at an alarming rate. An estimated 10,000 new IoT devices are infected and added to the botnet every day.

Researchers at Qihoo 360, who discovered the new botnet, report that the malware also includes in excess of 100 DNS open resolvers, making DNS amplification – DNS Reflection Denial of Service (DrDoS) – attacks possible.

Check Point has also been tracking a new botnet that includes an estimated 1 million devices, with 60% of the devices the firm tracks infected with the botnet malware. Check Point has called the botnet IoTroop, although it is probable that it is the same botnet as Qihoo 360 has been tracking. Check Point says it is “forming to create a cyber-storm that could take down the Internet.”

While the IoT Reaper botnet has existed for some time, it was not identified until September this year. Previously, the malware used to enslaves IoT devices was installed by taking advantage of default and weak passwords. However, that has now changed, and infections have been growing at an alarming rate as a result.

IoT Reaper is using nine different exploits for known vulnerabilities that have yet to be patched, with routers, cameras, and NVRs being targeted from more than 10 different manufacturers including router manufacturers Netgear, D-Link, Linksys, and surveillance camera manufacturers AvTech, Vacron, and GoAhead.

Unfortunately, while PC users are used to applying patches to keep their computers secure, the same cannot be said for routers and surveillance cameras, which often remain unpatched and vulnerable to infection.

At present the intentions of the actors behind the botnet are not known, but it is highly likely that the botnet will be used to perform DDoS attacks, as has been the case with other IoT botnets. Even though the number of enslaved devices is substantial, researchers believe the botnet is still in the early stages of development and we are currently enjoying the quiet before the storm.

If a botnet involving 100,000 devices can deliver a 1 terabit per second attack, the scale of the DDoS attacks with IoT Reaper could be in the order of tens of terabits per second. Fortunately, for the time being at least, the botnet is not being used for any attacks. The bad news is those attacks could well start soon, and since the malware allows new modules to be added, it could soon be weaponized and used for another purpose.

The post IoT Reaper Botnet Growing at Alarming Rate appeared first on WebTitan.

]]>
WPA2 WiFi Vulnerability Allows Decryption of WiFi Traffic and Injection of Malicious Code https://www.webtitan.com/blog/wpa2-wifi-vulnerability/ Wed, 18 Oct 2017 16:35:15 +0000 https://www.webtitan.com/?p=2958 A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly […]

The post WPA2 WiFi Vulnerability Allows Decryption of WiFi Traffic and Injection of Malicious Code appeared first on WebTitan.

]]>
A critical WiFi security flaw has been discovered by security researchers in Belgium. The WPA2 WiFi vulnerability can be exploited using the KRACK (Key Reinstallation attack) method, which allows malicious actors to intercept and decrypt traffic between a user and the WiFi network in a man-in-the-middle attack. The scale of the problem is immense. Nearly every WiFi router is likely to be vulnerable.

Exploiting the WPA2 WiFi vulnerability would also allow a malicious actor to inject code or install malware or ransomware. In theory, this attack method would even allow an attacker to insert malicious code or malware into a benign website. In addition to intercepting communications, access could be gained to the device and any connected storage drives. An attacker could gain full control of a device that connects to a vulnerable WiFi network.

There are two conditions required to pull off KRACK– The WiFi network must be using WPA2-PSK (or WPA-Enterprise) and the attacker must be within range of the WiFi signal.

The first condition is problematic, since most WiFi networks use the WPA2 protocol and most large businesses use WPA-Enterprise. Further, since this is a flaw in the WiFI protocol, it doesn’t matter what device is being used or the security on that device. The second offers some protection for businesses for their internal WiFi networks since an attack would need to be pulled off by an insider or someone in, or very close to, the facility. That said, if an employee was to use their work laptop to connect to a public WiFi hotspot, such as in a coffee shop, their communications could be intercepted and their device infected.

In the case of the latter, the attack could occur before the user has stirred sugar into his or her coffee, and before a connection to the Internet has been opened. That’s because this attack occurs when a device connects to the hotspot and undergoes a four-way handshake. The purpose of the handshake is to confirm both the client and the access point have the correct credentials. With KRACK, a vulnerable client is tricked into using a key that is already in use.

The researchers explained that “our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key.” The researchers also pointed out, “Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can be bypassed in a worrying number of situations.”

The disclosure of this WPA2 WiFi vulnerability has had many vendors franticly developing patches to block attacks. The security researcher who discovered the WPA2 WiFi vulnerability – Mathy Vanhoef – notified vendors and software developers months previously, allowing them to start work on their patches. Even with advance notice, relatively few companies have so far patched their software and products. So far, companies that have confirmed patches have been applied include Microsoft, Linux, Apple, and Cisco/Aruba. However, to date, Google has yet to patch its Android platform, and neither has Pixel/Nexus. Google is reportedly still working on a patch and will release it shortly.

There is also concern over IoT devices, which Vanhoef says may never receive a patch for the WPA2 WiFi vulnerability, leaving them highly vulnerable to attack. Smartphones similarly may not be patched promptly. Since these devices regularly connect to public WiFi hotspots, they are likely to be the most vulnerable to KRACK attacks.

While the WPA2 WiFi vulnerability is serious, there is perhaps no need to panic. At least, that is the advice of the WiFi Alliance – which co-developed WPA2. “There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections.” The WiFi Alliance also explained, “Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member.”

The UK’s National Cyber Security Center pointed out that even with the WPA2 WiFi vulnerability, WPA2 is still more secure than WPA or WEP, also explaining that there is no need to change WiFi passwords or enterprise credentials to protect against this vulnerability. However, businesses and consumers should ensure they apply patches promptly, and businesses should consider developing policies that require all remote workers to connect to WiFi networks using a VPN.

The post WPA2 WiFi Vulnerability Allows Decryption of WiFi Traffic and Injection of Malicious Code appeared first on WebTitan.

]]>