Dec 30, 2015 | Cybersecurity News, Internet Security News
The Superfish scandal discovered to affect purchasers of new Lenovo laptops last year showed that ad injection software poses considerable risks to users. Ad injection software risk cannot be easily managed. Even brand new laptops can come installed with software designed to deliver ads to users. Unfortunately, programs such as Superfish can also be used by hackers to conduct man-in-the-middle attacks.
Hackers can potentially exploit security vulnerabilities in ad injection software. In the case of Superfish, the software was pre-installed on Lenovo laptops. In order to serve ads, the software used a self-signed root certificate that generated certificates for secure HTTPS connections. The software substituted existing HTTPS certificates with its own in order to serve ads to users while they browsed the Internet. Unfortunately, if the password for ad injection software is discovered, as was the case with Superfish, HTTPS connections would no longer be secure. Hackers would be able to eavesdrop and steal user data.
Man-in-the-middle (MiTM) techniques are increasing being used to serve adverts while users browse the Internet, but the ad injection software risk of hackers taking advantage is considerable. The software is capable of network layer manipulation, injection by proxy, and can alter DNS settings. These techniques are used to serve adverts, but this is outside the control of the browser and the user. Since these programs can be manipulated and exploited by hackers they also pose a considerable security risk, and one that the user is unable to easily address.
Microsoft takes action to reduce ad injection software risk
The ad injection software risk is considerable, so much so that Microsoft is taking action to tackle the problem. By doing this, Microsoft will hand back choice to the user. The company has updated its criteria for determining what software qualifies as Adware, and has recently announced it will be taking action to reduce risk to users and prevent unwanted behavior by Adware.
Rather than the manufacturer of the equipment or developer of the Adware program dictating the browsing experience for users, Microsoft will be handing back control to the user. Microsoft’s policies now demand that “programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.”
Not only will Superfish-style programs be banned by Microsoft, by March 31, 2016 any programs that are detected will be detected and removed.
Dec 29, 2015 | Cybersecurity News, Internet Security News, Web Filtering
With Internet use increasing in schools the UK government has taken the decision to make school web filters mandatory. The government has previously recommended that schools implement web filtering solutions, although many schools have not taken action to curb and monitor Internet use in classrooms. Consequently, children are still able to access adult and other potentially damaging content.
The government is now going to get tougher on schools and will introduce legislation to force primary and secondary schools to filter online content. From September 2016, primary and secondary school children must also be educated about online safety.
How School Web Filters Make the Internet Safer for Kids
The main aim of mandatory school web filters is to prevent them from accessing online pornography at school and other potentially damaging content. The move will make it harder for religious extremists to radicalize children and it is hoped that the implementation of school web filters will help to reduce instances of cyber-bullying.
Some evidence has emerged that shows UK school children who have tried to leave the country, or have travelled to Syria, have been able to access information about Daesh/IS from school computers. Ministers believe that action must be taken to prevent such material from being viewed at school, but to also identify individuals who are attempting to access such material. Greater efforts can then be made to tackle the issue before it is too late. Children must also be educated more about how to stay safe when using social media websites such as Facebook, Twitter, Snapchat, and Instagram.
Proposals were published last week on the introduction of new measures to curb Internet usage in schools, which will include school web filters but also monitoring systems to identify individuals who are attempting to access illegal, dangerous, or inappropriate content. There is also concern that individuals will try to access the same material at home. To tackle that issue, the Department of Education has drafted new guidance for parents to help them keep their children safe at home.
School web filters will prevent all adult content from being accessed from any computer connected to a school network. Websites known to promote IS could also be blocked, along with other potentially harmful content. Children must be allowed Internet access at school as it is now an essential part of their education, but they must only be permitted to use the Internet responsibly. Greater efforts must be made to prevent children from being exploited, radicalized, groomed or recruited by extremists.
The new proposals are to be discussed over the next two months and a consultation will take place, after which the proposals will go to the vote. If adopted, enforcing school web filters will come under the remit of Ofsted.
Sky Implements Automatic Web Filtering to Block Online Pornography
School web filters are only one measure that is required to keep children safe. Protecting minors at home is another matter. Guidance can be given to parents, but that does not mean that all parents will read that information and take action to prevent inappropriate Internet usage at home. Sky Broadband is now planning to do its bit. From 2016, all new customers will be automatically prevented from accessing online pornography at home. New customers will be required to opt in rather than opt out if they want to view pornography. Any content with a rating of 13 years or above will also be automatically blocked until 9pm. At present, new customers are prompted to pick which elements of the Internet will be blocked by Sky web filters when they first access the internet.
Sky will also be backdating this new measure. A statement issued by Sky Broadband indicated this will be applied to all customers who have “joined since November 2013 and have not turned on Sky Broadband Shield”. According to Ofcom, only 30-40 percent of Sky customers have activated its web filter. Other broadband providers are being urged to follow suit. Currently only 6% of BT Broadband customers have implemented parental controls.
Dec 24, 2015 | Cybersecurity News, Internet Security News
EU fines for privacy violations are likely to be issued to companies that fail to implement security measures to prevent their customers’ data from being stolen by cybercriminals. EU fines for privacy violations can be substantial, although the watchdogs that are able to issue them are limited. That is all about to change. The European Union has taken decisive action and will be penalizing companies that do too little to protect their customers.
EU fines for privacy violations apply to any company doing business in EU countries
Last week, negotiators met up in Strasbourg, France, and signed a new deal that will change data protection laws in the EU. It has taken some time for this update to take place, having first been discussed four years ago. There has been much debate about the level to which companies should be held responsible for data breaches, although finally all sides have come to an agreement that better protects consumers, make businesses more responsible, and will not interfere with efforts to bring cybercriminals to justice.
The changes to the law will ensure that more companies are held accountable for their lack of security controls. With the threat of cyberattacks increasing, and a number of major attacks suffered by companies over the past few years, an overhaul of data protection laws in Europe was long overdue.
Current legislation is somewhat patchy, offering limited protection for consumers. Companies in some industries can be fined up to 1 million Euros for privacy violations and the exposure of customer data, while others are allowed to escape without penalties.
The new EU fines for privacy violations will not have a fixed limit. Fines for businesses who are hacked or otherwise expose customer data will be as high as 4% of a company’s global annual sales. The aim of the new law change is to give companies a considerable incentive to invest in cybersecurity protections to keep their customers’ data secure, and improve consumer trust.
The law changes will also require companies doing business in any of the European Union’s 28 member states to disclose data breaches that have exposed consumer data. While privacy groups have welcomed the changes, business groups have not been quite so complimentary.
New EU fines for privacy violations to come into effect in 2018
According to EU Justice Commissioner Vera Jourova, “These new pan-European rules are good for citizens and good for businesses.” She also pointed out in a statement issued after the announcement of the conclusion of the negotiations that consumers and businesses stand to “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”
It will take a further two years for the new laws to come into effect, with the new EU fines for privacy violations expected to start being issued in 2018.
Dec 23, 2015 | Cybersecurity News, Network Security
According to security researchers, the recently discovered Juniper Networks security flaw could have been created by the NSA to spy on Juniper Network customers. Others claim it is the work of a foreign government, although the NSA is still implicated.
Juniper Networks security flaw is a backdoor allowing customers’ information to be decrypted
Juniper Networks has discovered an external third party has inserted code into its software that could be used as a backdoor, potentially allowing hackers to decrypt secure communications and spy on customers’ data.
The networking equipment manufacturer’s corporate virtual private network (VPN) software was discovered to contain rogue code that allowed a security flaw to be exploited for the past three years. The Juniper Networks security flaw could have allowed the internal secure communications of customers to be viewed by hackers. The Juniper Networks security flaw would have allowed all VPN traffic to be monitored.
Juniper Networks security flaw now patched?
According to a statement released by Juniper Networks SVP and chief information officer, Bob Worrall, “Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections.”
If a customer had communications intercepted they would likely to see a log file entry saying “system” had logged in and had a password authenticated. However, it has been proposed that an individual with the skill to insert the code and exploit the flaw would likely also be able to remove traces of a successful login attempt. Consequently, it is not possible to tell with any degree of certainty whether the Juniper Networks security flaw has actually been exploited.
That said, it would be odd for an individual or group of hackers to go to the trouble and expense of creating a sophisticated backdoor that allows secure communications to be monitored, and then not use it in the three years that it has existed.
A patch has now been released to tackle the issue and all customers have been advised to upgrade the software immediately. Whether the patch actually fixes the security flaw is debatable. Some suggest it does not tackle the vulnerability at all, and certainly does not entirely fix the problem.
Government agencies investigate: NSA implicated
The code insertion is being investigated by the FBI, Department of Homeland Security, and the White House National Security Council has also taken an interest.
Junipers’ clients include the U.S. Defense Department, FBI, Justice Department, and the U.S. Government. The sophisticated nature of the hack, together with the types of customers Juniper has, has led many to believe the code insertion is the work of foreign government-backed hackers.
However, not all security experts agree. Some believe that far from Russia, North Korea, or China being behind the hack, it could actually have come from within. Ralf-Philipp Weinmann, CEO of German security research company Comsecuris, has suggested that this could well be the work of the NSA.
He claims the Juniper Networks security flaw was a re-purposed decryption backdoor that had been inserted by the NSA more than a decade ago, albeit indirectly. The Dual_EC encryption algorithm that the NSA had lobbied to be included in encryption standards after discovering a flaw that could be exploited made the hack to be possible.
While the NSA could have inserted the code, even if it didn’t it could certainly have exploited it and used it to eavesdrop.
While the U.S. government, FBI, and others investigate and attention is focused on who may have been able to gain access to highly confidential U.S. data, it should be noted that the U.S. is not the only country that has many high profile customers using Juniper Networks ScreenOS firewalls. The firewalls are popular in Arab countries and the security flaw could have been used by the United States, Israel, UK, and others to eavesdrop on secret communications of Arab states.
Dec 18, 2015 | Cybersecurity News, Internet Security News, Network Security
A recently published 2015 security study has shown cyberattacks are pervasive and are likely to be suffered by virtually all organizations. However, IT security professionals have been taking proactive steps to reduce end user security risk and have also implemented better cybersecurity solutions to keep networks secure. Consequently, they feel much better able to deal with 2016 security threats.
New 2015 security study indicates 80% of organizations have suffered a security incident this year
Optimism appears to be high and many organizations believe they will be able to prevent security incidents from being suffered in 2016, which is great news. Unfortunately, that does not appear to have been the case this year. According to the Spiceworks study, 80% of respondents suffered a security incident in 2015.
Even though 8 out of ten organizations admitted to being attacked this year, they do feel they will be better able to deal with whatever 2016 has in store. Seven out of ten respondents said they would be better equipped to deal with cybersecurity attacks in 2016.
The reason for the optimism is an increased investment in both cybersecurity solutions and the provision of further training to members of staff. A more security conscious workforce means it will be much easier to prevent security breaches caused by malware infections, phishing attacks, and ransomware.
The study indicated that 51% of companies were attacked by malware this year, while 38% suffered phishing attacks. Ransomware is a cause for concern and threats have been reported extensively in the media, yet only 20% of companies actually suffered a ransomware infection.
Theft of corporate data only suffered by 5% of companies
There have been numerous reports of data breaches being suffered in 2015, and hackers have been able to steal corporate data and tens of millions of consumer records, yet the survey indicates only 5% of respondents actually suffered data theft this year. 12% of companies reported instances of password theft during 2015. That said, it is still a major cause of concern. 37% of respondents said they were still worried about the theft of data and passwords.
End user security risk main cause for concern among IT security professionals?
The study revealed what is keeping IT security professionals awake at night, and for the vast majority it is the threat posed by end users. IT security professionals can invest heavily in security defenses to keep hackers at bay, yet all the effort can be undone by the actions of a single employee. 48% of respondents were concerned about end users installing software on their work devices or the use of unauthorized technology. 80% claimed the biggest data security challenge was reducing end user security risk.
IT security pros also rated devices by the level of risk they posed to network security.
Riskiest network connected devices:
- Laptops: 81%
- Desktops: 73%
- Smartphones: 70%
- Tablets: 63%
- IoT Devices: 50%
Measures have been taken to reduce end user security risk
IT security professionals are well aware that it can be a nightmare preventing end users from doing stupid things that result in their devices and corporate networks being compromised. Fortunately, they have realized there is a very simple and effective proactive step that can be taken to reduce end user security risk. That is to provide staff with security training.
The IT department can implement a wide range of sophisticated defenses to prevent security incidents, but if end users install malware on the network, respond to a phishing campaign, or give their login credentials out to a scammer, it will all be for nothing.
Respondents realized there is no use complaining about the risk that end users pose. Action must be taken to reduce end user security risk. By providing training on current threats and network security risks, the staff can be empowered to take action to keep their network secure.
Training employees to be more security conscious and instructing them how to identify scams and avoid malware is a highly effective strategy for reducing network security risk. The study revealed that 73% of IT security professionals have enforced end user data security policies and regular end user security training is now being provided by 72% of IT security pros.
Dec 17, 2015 | Cybersecurity Advice, Internet Security News, Network Security, Web Filtering
In the United States, healthcare phishing emails are being sent in increasing volume by cybercriminals looking for an easy entry point into insurance and healthcare providers’ networks. Healthcare employees are now being targeted with spear phishing emails as they are seen to be the weakest link in the security chain, resulting in HIPAA compliance breaches.
It is after all, much easier to gain entry to a healthcare network or EHR system if malware is installed by nurses, physicians, or administrative staff than it is to find and exploit server and browser security vulnerabilities. It is even easier if a member of staff can be convinced to divulge their email account or network login credentials. Hackers and cybercriminals are devising more sophisticated healthcare phishing emails for this purpose.
Clever healthcare phishing emails could fall any number of staff members
Even well trained IT security professionals have been fooled into responding to phishing scams, so what chance do busy physicians, nurses, and members of the billing department have of identifying healthcare phishing emails?
According to the Department of Health and Human Services’ Office for Civil Rights (OCR), employers will be held responsible if their staff fall for a phishing email, unless they have taken proactive steps to reduce the risk of that occurring.
This week, OCR announced it arrived at a settlement with University of Washington Medicine for a 90,000-record data breach that occurred as a result of staff falling for healthcare phishing emails. The settlement involved UWM paying OCR $750,000.
Small to medium-sized healthcare organizations could also be fined for members of staff accidentally installing malware. UWM may be able to cover such a substantial fine, but the average 1-10 physician practice would be unlikely to have that sort of spare cash available. Such a penalty could prove to be catastrophic.
Why was such a heavy fine issued?
The issue OCR had with UWM was not the fact that a data breach was suffered, but that insufficient efforts had been made to prevent the breach from occurring. U.S. healthcare legislation requires all healthcare organizations to conduct a comprehensive, organization-wide risk assessment to identify potential security vulnerabilities. In this case, University of Washington Medicine had not done this. A risk assessment was conducted, but it did not cover all subsidiaries of the organization, in particular, the medical center whose employee was fooled by the phishing email.
Healthcare phishing emails are such a major data security risk that efforts must be made to reduce the risk to an acceptable level. Had a risk assessment been conducted, the phishing risk would have been identified, and action could have been taken to prevent the breach.
OCR would not expect organizations to always be able to prevent employees from responding to healthcare phishing emails. OCR does expect healthcare organizations to make an effort to reduce risk, such as advising staff members about the threat from healthcare phishing emails, in addition to providing basic data security training at the very least.
Addressing the data security risk from healthcare phishing emails
Since the risk of cyberattack via phishing emails is considerable, healthcare organizations of all sizes must take proactive steps to mitigate the risk of employees falling for the email scams. Staff members must be informed of the very real danger from phishing, and the extent to which cybercriminals are using the attack vector to compromise healthcare networks.
They must be told to be vigilant, as well as being instructed what to look for. Training on phishing email identification must be provided, and in order to satisfy auditors, a signature must be obtained from each member of stall to confirm that training has been received.
Staff members should also have their ability to identify healthcare phishing emails put to the test. They should be sent dummy phishing emails with email attachments and fake phishing links to see if they respond appropriately. If they respond incorrectly after training has been provided, further help with phishing email identification must be given. These processes should also be documented in case auditors come knocking.
Due to the considerable risk of a healthcare phishing attack, and the ease at which networks can be compromised, additional protections must also be employed. Small to medium-sized healthcare organizations that can ill afford a regulatory fine should make sure automated anti-phishing solutions are put in place.
These protections do not need to be expensive. There are cost effective solutions that can be employed that will reduce risk to a minimal and acceptable level. If training is provided and anti-phishing controls have been employed, OCR and other regulatory bodies would be less likely to fine an organization if a phishing-related data breach is suffered.
Deven McGraw, OCR Deputy Director for Health Information Privacy, recently pointed out that it is not possible to totally eliminate risk, but it is possible to reduce risk to an acceptable level. That is what OCR wants to see.
Automated solutions to reduce risk from healthcare phishing emails
To reduce the risk of members of staff responding to phishing campaigns, a powerful email spam solution must be implemented. Anti-spam solutions such as SpamTitan are cost-effective, easy to configure and maintain, and will block 99.98% of all spam emails. If phishing emails are not delivered, staff members cannot respond to them.
An anti-spam solution will not stop members of staff visiting malicious websites when surfing the Internet. Links to these malicious websites are often located in website adverts, on legitimate sites that have been hijacked by hackers, or contained in social media posts. To protect networks from these attack vectors, a web filtering solution should be employed.
WebTitan blocks users from visiting sites known to host malware. The anti-phishing solution can also be used to restrict Internet access to work-related websites. This will greatly reduce the risk from drive-by malware downloads and phishing websites.
Access rights can be configured on an organization-wide level to block malware-hosting sites. Group level privileges can be set to prevent social media networks from being accessed, for example. This control allows certain groups to have access to social media networks for work purposes, while reducing risk that comes from personal use. Individual access rights can also be set if required.
Summary
Provide training to the staff, block email spam and phishing emails from being delivered, and implement a web filter to manage web-borne risks, and not only will it be possible to keep networks and email accounts secure, heavy regulatory fines are likely to be avoided.
