Manage Cybersecurity Risk with Data Protection Policies

In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti suggests that a third of companies have not yet developed data protection policies. Where data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.

Data protection policies are inadequate or non-existent in many cases

Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms were not managing cybersecurity risk effectively, leaving them vulnerable.

Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. When policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.

To manage cybersecurity risk, start at the top

The board must become involved in cybersecurity decisions and should take a greater interest in keeping their organizations secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels and a culture of security awareness developed. Best practices must be defined and all users monitored to make sure that those practices are being followed.

The study indicates that board level involvement in cybersecurity issues is becoming more common, yet only 28% of survey respondents indicated there was a current high level of board engagement in such issues. What is even more worrying is there has actually been a fall of 2% in high-level engagement year on year. 15% of respondents said board engagement in cybersecurity matters was low, while a third said engagement was at a medium level, better than in previous years.

You must identify the most critical assets to effectively manage cybersecurity risk

In order to protect assets, they must first be identified. This may sound obvious, but according to the study many companies are unsure what their critical assets are. A number of companies had failed to identify the data that cybercriminals would be most likely to try to obtain, so appropriate protections were not being put in place to keep the most sensitive data secure.

Confidence in repelling cyberattacks is low

The majority of organizations are not particularly confident that a targeted attack could be repelled, even though cybersecurity protections had been put in place. Companies were believed to be better at protecting their assets and keeping sensitive data secure than in recent years, although considerable efforts still need to be made.

According to the researchers, a lack of confidence is actually good news, as it should spur companies to keep on developing their security protections.

Memory Based Malware: No User Download Required

Think you have to open an infected email attachment or download a file to your computer to acquire a malware infection? Not with the latest memory-based malware. Drive-by attacks are taking place that need no user interaction at all. These file-less infections use malware that resides only in the computer's RAM, and RAM is not scanned by most anti-virus programs.

The good news is attacks of this nature are rare. The bad news is the malware is being increasingly used by cybercriminals.

Fortunately, malware that resides in the memory doesn’t survive a reboot. Unfortunately, by the time your computer is rebooted, you may have already lost your sensitive data. How often do you reboot? At the end of your working day? That could potentially give a hacker a full 8 hours to record your keystrokes or download files to your computer. A lot of damage can be done in 8 hours.

There is another problem. Hackers are now creating memory-based malware that actually survives a reboot. The malware has been configured to hook into an API so that, when the computer is restarted, it is reloaded back into RAM.

Memory-based malware exploits security vulnerabilities in outdated software

If a user is convinced to visit a malicious website, or responds to a spam email containing a link to one of those sites as part of a phishing campaign, their computer can be infected almost immediately. The user is usually directed to a web page hosting an exploit kit, the Angler exploit kit for example. Code on the page probes the user's browser for security vulnerabilities, whether in Adobe Flash, Adobe Reader, Java, Silverlight or any number of other plug-ins the user has installed.

However, instead of the vulnerability being used to download a file to the hard drive, code is injected directly into memory. This does not trigger an anti-virus program because no files are written to the computer. This allows the hacker to perform a drive-by cyberattack, stealing information quickly and silently. That information could include login names, passwords, bank account information, or anything entered via the keyboard.

These types of cyberattacks are not new. They have been possible for a long time, but cybercriminals have not favored memory based malware. Unfortunately, memory based malware is being used in exploit kits that are widely available online.

Sometimes a fast and stealthy attack is preferable to a long-term malware infection. If the aim is to avoid detection at all costs, then this is one of the easiest ways to gather intel or data without setting off any alarms. High-profile targets such as governments could be targeted, and they would be none the wiser as next to no trace of an attack is left by memory based malware.

Is an attack inevitable? Can nothing be done to prevent the installation of memory based malware?

The solution is not anti-virus software, but to prevent users from visiting a website that contains the exploit kit. It may not be possible to prevent a drive-by attack once a malicious site has been visited, but it is possible to avoid visiting that site in the first place. Hackers must still direct a user to the malicious site in order for an attack to be possible. There must also be security vulnerabilities in the browser that can be exploited.

To protect your computer from memory-based malware, you must ensure that your web browser and software are kept up to date with the latest security patches. As for avoiding malicious websites that host the exploit kit, a web filtering solution should be used. A web filter can block users from visiting malicious sites and stop web ads from being displayed; website adverts are often used as a method of getting users to visit a malicious website.

Phishing and spam emails containing links to malicious sites can be prevented from being delivered using a powerful spam filtering solution. SpamTitan Technologies offers both solutions. SpamTitan Anti-Spam software protects users by blocking spam emails from being delivered, while WebTitan software can be configured to prevent users from visiting malicious websites.

The threat landscape may be constantly changing, and new exploits used to compromise computers and steal data, but fortunately the risk can be effectively managed.

New Mac Internet Scam Warning Issued

Using a Mac is safer than using a computer running Windows. That’s not to say it is not possible to inadvertently install a virus or malware on a Mac. It is just that hackers tend to focus more on PCs. From a hacker’s perspective, it is better to try to infect as many devices as possible and more people own PCs than Apple devices.

According to research conducted by IDC, sales of Macs have increased by just over 16% this year. However, while accurate figures are difficult to find, approximately 90% of computers use Windows software. This makes the operating system much more likely to be attacked. If you were a hacker would you concentrate on the 90%?

That does not mean that Mac users are immune to attack: BlackHole RAT, OS X Pinhead, Mac Flashback, and Mac Defender all targeted Mac users.

Mac users do face risks and must be cautious when using the Internet. They may not face such high risks, but they can just as easily fall for scams. Phishing websites will work just as well on Mac users as they will on everyone else. That's because phishing techniques are employed to fool the user of the device. It doesn't matter what device is being used to access the Internet.

New phishing scam alerts iTunes users to account limitations

Mac users have recently been targeted by a campaign claiming iTunes accounts have been compromised. Most recently a phishing scam has been launched advising iTunes account holders that their accounts have been limited for security reasons.

They are informed of this by email and are provided with a link. If the link is clicked they are directed to a scam site and must enter information to lift the account limitation. A number of data fields must be completed and a credit card number entered.

This is an easy scam to identify as, even when accounts have been compromised, a service provider would not typically ask for a credit card number for identity verification.

If in doubt, just access your Apple account directly and check to see if there is a problem with your account. Never use the link supplied in an email.

Mac Internet scam reported offering urgent tech support

A Mac internet scam warning was recently issued after the discovery of a new tech support scam. A woman visited a webpage which flashed a warning that her Mac had been infected with malware. She was required to call a phone number to speak with tech support. On calling the number she was told she was speaking to an Apple employee, and she was required to pay for tech support to remove the infection. When asked for payment she tried to pay by AMEX, but was told American Express could not be used. This alerted her to the scam. Apple doesn't have a problem taking AMEX as payment.

If you are warned of a virus infection, you can always visit an Apple store. They will be able to confirm if your Mac has really been infected.

Mac Internet scam warning! Your Mac is Infected with Malware!

Phishing scams targeting Mac users are far more common than malware infections targeting their devices, but malware is always a risk no matter what device is used. However, this year Apple has been targeted. A Mac Internet scam warning was issued earlier this year, again relating to Mac malware infections.

The scam is common with PC users, especially those using illegal file sharing websites, streaming services, and porn sites. However, a number of legitimate websites have been hijacked and are displaying pop-up windows announcing a virus infection has been detected.

The warnings come as a shock to Mac users and many will be convinced to click on the links. They direct the user to malicious websites offering fast and effective disinfection using Anti-Virus/Anti-Malware solutions. A click of a link will download a program called MacDefender that will conduct a full system scan.

The MacDefender Anti-Virus program is nothing of the sort. Instead of removing malware from the Mac, it is a form of malware. The fake Anti-Virus software appears to conduct a scan of the system and identifies apps that have been infected. Popup windows are launched to porn sites and other websites as a scare tactic.

In order to remove the infections, the user is required to purchase a license for the software. To do that a credit card is required. Once the license has been purchased the program stops launching browser windows. It also advises the user that the malware has been removed.

Unfortunately for the victim, they have just given their credit card details to the scammers. Card purchases can be made and the criminals can run up thousands of dollars of debt.

No matter what device you use to access the Internet or email, you are always at risk of falling for a phishing scam or inadvertently installing malware. Fortunately, the risk can be easily managed. WebTitan is available for Windows and OS X, and offers protection from malware, malicious websites and phishing campaigns.

To find out how WebTitan can protect you and your company’s employees, call the sales support team today.

Does an SSL Certificate Mean a Website is Safe to Use?

If you want your employees to browse the Internet safely, you should try to restrict their access to only those websites that have a valid SSL certificate. It is now common knowledge that SSL certification means a website is secure and can be trusted; but is that true?

Does an SSL certificate mean a website is safe to use? The answer is a definite no. HTTPS or an SSL certificate alone is not a guarantee that the website is secure and can be trusted.

Many people believe that an SSL certificate means a website is safe to use. Just because a website has a certificate, or its address starts with HTTPS, does not guarantee that it is 100% secure and free from malicious code. It just means that the website is probably safe. In the vast majority of cases the sites will be. Just not always.

Unfortunately, phishers and other cyber criminals have discovered how to exploit trust in SSL certificates. Some phishing websites have valid SSL certificates in place. This means even when you think your employees have been restricted to safe websites, they are still not protected from phishing sites. Relying on a block on sites that do not use SSL certification is a mistake, and potentially a very costly one.

It is a good idea to restrict access to unsecure websites, but further protections will be required if you want to be sure that your employees and your network are properly protected.


What is an SSL Certificate?

In short, an SSL Certificate is a file that permanently binds a key to a company’s website. When an SSL certificate is installed on a company’s web server, connections with that website will be secure. Information will be sent via port 443 using the https protocol.

SSL certificates are used by websites to secure sessions with web browsers. You will be able to tell which websites have an SSL certificate in place because they will have a padlock next to the web address. This means that the connection with that website is encrypted. The information you enter when connected to the website can be used with confidence, and most importantly, it gives an indication that the site is not malicious.

The SSL Certificate lets a website visitor know that the site is trustworthy and informs those who look that the site belongs to a specific organization. It is important never to enter credit card details or bank information if a website does not have a valid SSL certificate. That would be an unacceptable risk to take.

Facebook, Twitter, and Google use SSL certification. When you visit those sites you will see a padlock next to the URL. If you click on the padlock, you will see the owner of the site and will know that ownership has been verified.

Some phishing websites have obtained SSL Certificates – How is this possible?

Unfortunately, phishing websites with SSL certificates are becoming more common. Many certificate authorities do not have a particularly strict vetting process. There have recently been a number of banking websites set up that use the certificates even though the sites are not genuine.

One recent scam involved the Halifax Bank in the UK. A phishing website was set up using a variation of the real website, which is halifax-online.co.uk. The phishing site in question was halifaxonline-uk (do not visit this website). This is a very similar name that would likely fool many account holders. Similar scams have been operated using variants of PayPal, and even Symantec has issued 30-day certificates to phishing websites.

The certificates are valid for long enough to allow a phishing campaign to be conducted. The phisher can then repeat the process with a different website, hosted with a different provider with a different SSL certificate.

Unfortunately, these certificates are one of the main ways of checking whether a website can be trusted. With a domain name that looks close enough to the real thing and an SSL Certificate and a padlock, many visitors will be fooled into thinking the website is genuine. When they enter in their login information, the data will be recorded by the site owner and can be used to login to the real website.

Some certificate authorities are better than others and can be trusted more, but unless they can all be trusted it makes a mockery of the SSL certificate. Unfortunately, all the SSL certificate does is confirm that the certificate owner owns the website, not that the particular website can be trusted.
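As an added illustration (not code from the post or from WebTitan), the Python below reproduces the two checks a browser performs before showing the padlock, validity period and name match, and then applies the extra lookalike check a filter needs on top of them. The certificates are constructed in the dictionary shape returned by Python's ssl getpeercert(); the lookalike name uses the reserved .example domain and the allow-list is a placeholder.

```python
import ssl

# Constructed allow-list: the genuine registered domains a filter policy knows about.
# halifax-online.co.uk is the real domain named in the post; paypal.com stands in for the
# PayPal variants it mentions.
KNOWN_GOOD_DOMAINS = ("halifax-online.co.uk", "paypal.com")

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
# Neither is a real certificate.
GENUINE_CERT = {
    "subject": ((("organizationName", "Example Bank plc"),),
                (("commonName", "halifax-online.co.uk"),)),
    "issuer": ((("organizationName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "halifax-online.co.uk"),
                       ("DNS", "*.halifax-online.co.uk")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
LOOKALIKE_CERT = {  # a short-lived, domain-validated certificate for a lookalike name
    "subject": ((("commonName", "halifaxonline-uk.example"),),),
    "issuer": ((("organizationName", "Example Budget CA"),),),
    "subjectAltName": (("DNS", "halifaxonline-uk.example"),),
    "notBefore": "Oct 20 00:00:00 2015 GMT",
    "notAfter": "Nov 19 00:00:00 2015 GMT",   # 30 days, like the certificates the post describes
}

# Fixed clocks for the demo, as seconds since the epoch.
NOW = ssl.cert_time_to_seconds("Nov  1 12:00:00 2015 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Dec  1 00:00:00 2015 GMT")


def _name_matches(pattern, hostname):
    """RFC 6125 style: exact match, or a '*' covering exactly one leading label."""
    p, h = pattern.lower(), hostname.lower()
    if p == h:
        return True
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return False


def cert_is_valid_for(cert, hostname, now):
    """The two checks behind the padlock: validity window and hostname match."""
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return False, "certificate outside its validity period"
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, hostname) for n in dns_names):
        return False, "hostname does not match any subjectAltName entry"
    return True, "certificate valid for this hostname"


def _under(hostname, domain):
    h = hostname.lower()
    return h == domain or h.endswith("." + domain)


def lookalike_of(hostname):
    """Return the genuine domain that `hostname` appears to imitate, or None.
    Heuristic: the brand's first label (hyphens removed) appears inside a label of a
    hostname that is not itself under the genuine domain."""
    if any(_under(hostname, good) for good in KNOWN_GOOD_DOMAINS):
        return None
    labels = [label.replace("-", "") for label in hostname.lower().split(".")]
    for good in KNOWN_GOOD_DOMAINS:
        brand = good.split(".")[0].replace("-", "")
        if any(brand in label for label in labels):
            return good
    return None


def filter_decision(cert, hostname, now):
    """Padlock checks first; a certificate that passes them still says nothing about
    whether the name is the one the user thinks it is, so the lookalike check follows."""
    ok, reason = cert_is_valid_for(cert, hostname, now)
    if not ok:
        return "block", reason
    imitated = lookalike_of(hostname)
    if imitated:
        return "block", f"valid certificate, but the name imitates {imitated}"
    return "allow", reason


if __name__ == "__main__":
    for cert, host in ((GENUINE_CERT, "halifax-online.co.uk"),
                       (GENUINE_CERT, "secure.halifax-online.co.uk"),
                       (LOOKALIKE_CERT, "halifaxonline-uk.example"),
                       (GENUINE_CERT, "halifaxonline-uk.example")):
        print(host, "->", filter_decision(cert, host, NOW))
```

The lookalike certificate passes every check the padlock represents; only the allow-list comparison tells the two names apart.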


Blocking access to websites without a valid SSL Certificate

A website with a valid SSL certificate means the website can be trusted more than a site without one. All employers should implement controls restricting access to websites that do not have a valid SSL Certificate, or at least configure settings to alert the user that they are about to connect to a website with an invalid certificate or without one entirely.

It is a simple process to block access to websites that do not have a valid SSL certificate. You can do this through your browser settings, or you can modify the hosts file, for instance. The former option would be fine for individuals or small businesses with just a few computers. It is not practical to do this if you have 1,000 computers, run BYOD, or if your end users have multiple browsers installed.

Make your life easier by implementing a cost effective web filtering solution

By far the easiest solution to protect yourself and your network is to use a web filtering tool. There are many to choose from, but WebTitan from SpamTitan Technologies is one of the best and a highly cost effective solution for SMEs.

Since some disreputable sites have SSL certificates in place, it can be virtually impossible for end users to tell if they are safe or at risk. WebTitan offers the additional protection your business needs to ensure access to malicious websites is blocked, phishing scams are avoided and malware is not downloaded. Without a powerful web filter in place, blocking access to malicious websites will be an uphill battle, and it will only be a matter of time before your network is compromised.


Critical Security Vulnerabilities in Browser Plugins

Critical security vulnerabilities in browser plugins have been widely reported in recent months. As soon as one has been found and patched, more are discovered. Zero-day Adobe Flash vulnerabilities (Shockwave Flash) have been some of the most publicized, due to the sheer volume discovered in 2015.

Earlier this year a number of companies pulled the plug on the Flash plugin, deeming it not to be worth the security risk. While it was once the most commonly used way of displaying videos and animations on webpages, the critical vulnerabilities that have been discovered have made it simply too risky to use. There have been many calls for Flash to be retired.

Google Chrome and Firefox stopped supporting Adobe Flash and many companies are moving over to HTML5, which offers the ability to display the same multimedia items without requiring a browser plugin to be used. One of the main problems with a plugin from a security perspective is that it will only be secure if the latest version is installed. Even then, as we have seen with the sheer number of security vulnerabilities found in Adobe Flash, the latest version may not be very secure at all.

If a user has not updated the plugin to the latest version, and an older version is still in use, criminals will be able to take advantage. A visit to a website containing malware could result in the vulnerabilities being exploited. Exploit kits can be used by hackers to probe for security vulnerabilities in browsers to find out which software can be exploited. Other Adobe plugins can be exploited too, such as Adobe Reader.

Numerous critical security vulnerabilities in browser plugins discovered

It is not only Adobe plugins that are a problem of course; other companies' plugins also contain vulnerabilities that can be exploited. Even HTML5, which is seen by many as a more secure way of showing multimedia items on websites than Flash, is far from immune and also contains security vulnerabilities, and no plugin is even required with HTML5.

In mid-October, Oracle released a security update for its Java software to deal with over twenty new security vulnerabilities that had been discovered. Oracle announced that an update was necessary on all computers as “all but one of those flaws may be remotely exploitable without authentication”. That means that a hacker could potentially exploit the vulnerabilities on any computer with an older version of Java installed, without the need to use a password.

Once critical security vulnerabilities in browser plugins have been announced and details of the flaws released online, the information is out there and available to hackers, assuming hackers have not already discovered the vulnerabilities themselves.

A website link may not be as genuine as it appears (hovering your mouse arrow over it will not reveal a potentially malicious link!)

There are easy ways to check to see if a web link is legitimate or if the text has been changed so that it appears genuine. If you hover your mouse arrow over the link, the correct URL will be displayed. If end users get into the habit of checking every link before clicking, it will become second nature. Many phishing websites and other nasty web pages can thus be avoided.

Unfortunately, it is not always that simple. There are ways to make a URL appear genuine, even when the mouse arrow is used to check the link.

Some Japanese characters look very similar to a forward slash, while certain Cyrillic characters are visually identical to Latin letters. This makes links appear genuine and can be virtually impossible to spot. If one of these characters is present in a link and is displayed as a standard letter, the webpage could be a fake yet be indistinguishable from the genuine page.

An apparently genuine link could well be a link to a webpage containing malware. Many malicious websites can probe for critical security vulnerabilities in browser plugins.

These worrying issues were recently discussed at the SC Congress in New York, with Salesforce.com’s product security director Angelo Prado and senior product security engineer Xiaoran Wang demonstrating these and other worrying security flaws. They pointed out a particularly scary feature in HTML5 that allows a link to automatically download a file to a computer without the user being taken to the webpage used to host the file.

Protection is required and vigilance is key to avoid becoming a victim

The latest discoveries may make it exceptionally difficult to tell if a link is genuine. Even changing from the security-flaw-ridden Flash to HTML5 will not necessarily make the Internet a safer place. Fortunately, it is possible to take steps to ensure that end users are better protected and stopped from visiting malicious websites. That said, it is essential that critical security vulnerabilities in browser plugins are addressed.

IT professionals should also install a web filtering solution such as WebTitan. Links can be blocked and users stopped in their tracks before they reach a malicious website. This type of protection is vital for businesses, schools, colleges and charities.

A visit to a malicious website can result in keyloggers being installed that record passwords and login credentials and send them to a hacker's command and control server. Devices can become part of botnets and be used to send out huge volumes of spam emails, or computers could be hijacked and used for Bitcoin mining. Worse still, an infected computer, tablet, or smartphone could be used to launch an attack on a corporate network.

It is also essential to be more security conscious. It may be difficult, or even impossible, to identify all online threats (and those delivered via email or social media networks), but many are obvious if you know what to look for. Staff training on security threats and online/email best practices must be provided if networks are to be kept secure.

It really does pay to take the advice offered by the FBI: Stop. Think. Connect. If in doubt, do not connect. This should now be a common practice that is second nature. The current volume of data breaches being reported suggests that for many employees it is not.

Customers Warned of TalkTalk Hacking Scams as Data are Sold on Dark Net Websites

British mobile phone and broadband provider TalkTalk discovered it had been hacked late last month; however further information has emerged that suggests TalkTalk hacking scams are increasing in number. Over a million customers’ data are apparently being offered for sale on the dark net, with criminals already using the data to defraud victims.

Over four million customers were believed to have been affected by the hacking scandal at first, although not all of the company’s customers are now understood to have been affected.

A criminal investigation was launched a few days after the hack was discovered. Initial reports suggested an Islamic terrorist group from Russia was behind the attack, having publicly claimed responsibility. This claim appears to be false.

The Metropolitan Police Cyber Crime Unit acted fast and just a few days after the attack was announced, a 15-year old teenage boy was arrested in Northern Ireland on suspicion of being behind the attack. A few days later, a second arrest was made, this time a 16-year old boy from West London. A 20-year old was arrested in Staffordshire in connection with the hack, and now a fourth individual has been arrested: A 16-year old boy from Norwich has been detained.

1.2 million email addresses obtained by the hackers

The official figures released by TalkTalk are much lower than the initial estimates, but the hack still ranks as one of the biggest UK hacking scandals to be reported in recent years.

A statement released by the company revealed that approximately 1.2 million email addresses had been obtained in the attack, customer names and phone numbers were also stolen, and 21,000 bank account numbers and sort codes were accessed, presumed stolen. A later press release indicated that 156,959 individuals had been affected, and the earlier figure was “bits of data,” including email addresses, names, and phone numbers.

Credit card numbers were compromised, but since the stored numbers were incomplete there does not appear to be a risk of them being used fraudulently. However, that is not to say that the data will be useless. Phishers may well devise campaigns to obtain the remaining digits from unwary TalkTalk customers.

It is not clear how the attack was performed as reports have not been confirmed, but it would appear that the attack was made using a blind SQL injection which exploited a vulnerability in a video on a page of the TalkTalk website. The specific vulnerability was not disclosed, although Adobe Flash has been found to contain vulnerabilities that could be exploited by SQL injection. These vulnerabilities were addressed in a recent patch issued by Adobe. SQL injection is the insertion of code that allows access to be gained to a company database. It is a very common technique used by hackers to gain access to corporate databases.

What is clear is that the security staff were distracted dealing with a DDoS (Distributed Denial of Service) attack conducted by one of the team of hackers. A DDoS attack bombards a company's website with huge volumes of traffic, overwhelming it. This is made possible by using systems that have been compromised with a Trojan or recruited into a botnet.

It would appear that while TalkTalk was dealing with the DDoS attack, the criminals were able to gain access to the company’s data by exploiting the website security vulnerability. A report in the Daily Mail indicates one of the team of hackers behind the attack made a mistake and accidentally disconnected from a service that was being used to hide his real IP address.

Some sources have reported that a ransom demand was issued in which £80,000 was demanded in Bitcoin. If the ransom was not paid, the criminals behind the attack would release the data or sell it on dark net websites to criminals. That appears to have already happened, with at least one individual appearing to have clocked up over 500 sales via the dark net marketplace AlphaBay.

Another online criminal was reportedly negotiating a deal to sell details of 500,000 accounts on the dark net, and claimed to have over a million records in his possession.

Businessinsider.com.au claims to have been in contact with individuals who say they were part of the attack, with figures of 1.3 million records mentioned. When asked why they carried out the attack, one person claimed it was for "sh*ts and giggles", another for "lolz", and "purely to like, own the ISP." One of the persons behind the attack said it wasn't for the money. The claim that a ransom was demanded was also denied.

While the total number of records exposed is not clear, and none of the reports from conversations with those claiming to have had a part in it have been confirmed, what is clear is that the security in place at TalkTalk was poor in some cases. One of the boys claims that one account had a password with just three digits. One quote obtained by Business Insider, from an individual operating under the name “Vamp”, claimed that the security in place was “terrible, that’s being honest with you, horrible.”

Reports in the press suggest that the vulnerability was shared, and between 20 and 25 people had access – although 5 individuals were reportedly behind the attack, including two in the UK and two in the U.S.

Beware of TalkTalk hacking scams

TalkTalk hacking scams have already been reported, with some customers having complained about being bombarded with phone calls following the security breach, as criminals attempt to use the contact information obtained to defraud victims. One victim was called after apparently having his internet connection slowed down, and was directed to a website, presumably containing malicious code.

TalkTalk hacking scams could be launched via email since 1.2 million email addresses were compromised in the attack. Phishing campaigns are often used by criminals to get users to reveal sensitive information, visit malicious websites or install malware on computers. The type of information obtained by the hackers, and subsequently sold to online criminals, could easily be used to launch highly convincing campaigns.

All of the company’s customers are advised to be exceptionally cautious, and not to reveal any personal information over the telephone, Internet or via email. TalkTalk hacking scams could be in operation for many months to come so it is vital that all customers remain vigilant and be on their guard.

Being hacked can have serious implications for a brand

A data breach such as this can have a major effect on an organization. Customers will lose trust in the brand, and it is difficult to regain trust once it has been lost. Many of the company’s 4 million customers are expected to change mobile phone/broadband provider as a result.

This is a highly competitive market and there will be no shortage of competitors looking to snap up new customers as a result of the security breach. Following the news of the hack, the company’s share price fell by 10%.

It will not be known for many weeks or months how much of an effect this, and other TalkTalk hacking scams, will have on the company’s brand image, but what is certain is it will certainly have a major financial impact. Many customers are also likely to lose out as scammers seek to take advantage.