Mar 11, 2016 | Internet Privacy
Five ISP trade groups have put pen to paper questioning the need for the recently proposed FCC rules for broadband providers, saying they are against regulations specifically aimed at ISPs. They believe that consumer information should be protected based on the sensitivity of the data collected, rather than introducing new regulations specifically for the businesses that collect, store, or use those data.
Extensive Set of FCC Rules for ISPs Proposed
An extensive set of rules for ISPs have been proposed following the reclassification of broadband as a regulated, common carrier service. The FCC wants to give broadband customers greater choice and control over how their personal data are used. If the proposed FCC rules for broadband providers are passed they would severely limit how ISPs could use consumer data without first obtaining permission from their customers.
FCC Chairman Tom Wheeler has proposed that consumers should opt-in to the use of their personal data by their ISPs. Currently, ISPs are not required to obtain permission from their customers before they use or share their personal data. The proposed FCC rules for broadband providers would change this, and require consumers to opt-in before ISPs would be permitted to use or share their data for certain purposes.
Under the proposed regulations, data could still be used by ISPs to help them deliver a broadband service that consumers signed up for, for billing purposes, to market improvements to their services, or for other internal reasons on an opt-out basis. However, the new rules would require an opt-in from customers for data use for all other purposes.
Proposed FCC Rules for Broadband Providers Would Require Data Breach Notifications to be Sent to Customers
The proposed FCC rules for broadband providers would also require ISPs to notify consumers about breaches of their personal data. Wheeler has proposed that broadband providers notify consumers of a breach of personal data within 10 days of the discovery of a breach, far faster than is required by laws in the 40 states that have introduced legislation covering breaches of personal information.
Telecoms companies are extensively regulated and their ability to use data collected on consumers is limited. They are not permitted to repurpose or sell data collected from phone activity for example. However, the same rules do not currently apply to broadband providers, even though the data collected from Internet searches and online activity can reveal a great deal about individuals.
The new rules would improve consumer privacy, although trade groups such as USTelecom and CTIA have questioned the need for stricter regulations. They argue that consumers are able to protect their privacy by using VPNs or encryption if they are concerned about their privacy and the sharing of their data. The FCC has said that consumers should not have to rely on those services in order to protect their privacy.
However, privacy groups are calling for change, as under current regulations, American consumers do not have any privacy when they go online. An extensive amount of data is being collected on them via their online activity by their ISP. Those data are being used by ISPs in marketing strategies and as part of advertising partnerships and broadband providers are extensively tracking and profiling users. They argue that consumers need to have a greater say in how their data are being used.
The new proposed FCC rules for broadband providers will be debated during the next meeting on March 31. If approved the rules would be open for a period of public comment.
Mar 10, 2016 | Cybersecurity Advice, Network Security, Web Filtering
Ransomware is not new; however, cybercriminals have been using the malicious software with increased frequency in recent months as a sure fire way of generating income. It is now essential to protect networks from ransomware due to the increased risk of attack.
What Is Ransomware?
Ransomware can be considered to be rogue security software. It uses the same encryption that companies are advised to use to protect their data from cyberattackers. It encrypts files to prevent them from being used or accessed. Encrypted files can only be unlocked with a security key. Attackers lock data and demand a ransom to provide the security key. Without the key, the files will remain locked forever. It is therefore important for organizations to take steps to protect networks from ransomware. The threat of attack is increasing and failure to take proactive steps to reduce risk could prove costly.
Why are Ransomware Infections Increasing?
Malware can be used to record keystrokes and gain login credentials to access bank accounts, or to create botnets that can be sold as a service. Corporate secrets can be sold to the highest bidder, or Social Security numbers, names, and dates of birth stolen and sold on to identity thieves. However, attacks of this nature take time and effort. Ransomware on the other hand gives criminals the opportunity to make a quick buck. Several hundred of them in fact.
If a cybercriminal can infect a single machine with ransomware and lock that device, a ransom of between $300 to $500 can be demanded. The ransom must be paid using the virtually anonymous Bitcoin currency. Bitcoin can be bought, sold, traded, and spent without having to disclose any identifying information. Cybercriminals are able to demand ransoms with reasonable certainty that they will not be caught.
Ransomware-as-a-service is being offered on underground networks, meaning cybercriminals do not need to be skilled hackers or programmers. For a payment of between 5% to 20% of the profits and a nominal download fee, criminals are able to use the malware to generate a significant income.
Ransomware is lucrative. One of the most sophisticated strains of ransomware, CryptoWall, has been estimated to have netted its developers around $325 million in profit. Considerably more in fact, since the CyberThreat Alliance figures were calculated in 2015.
It is not difficult to see the attraction of ransomware. Because of the effectiveness of ransomware campaigns, we are only likely to see even more infections in 2016. In fact, this year there have been a number of ransomware infections reported by companies who have failed to protect networks from ransomware infections, leaving them little alternative but to pay to have their data unlocked. The victims include schools, healthcare providers, and even law enforcement departments. All organizations need to protect networks from ransomware or they may be left with little choice but to pay a ransom to unlock their files.
Who Is Being Targeted with Ransomware?
In the majority of cases, individuals and businesses are not actually targeted. Ransomware is sent out randomly via spam email. Oftentimes, millions of emails are sent in a single campaign. It is a numbers game and a percentage of emails will be opened, a smaller number of machines will be infected, and organizations that have failed to protect networks from ransomware are likely to have to pay the ransom.
However, businesses are also being targeted by attackers as the money that can be demanded to unlock devices – and networks – is much higher. A business may decide to pay several thousand dollars to recover critical data. Hackers and cybercriminals know this and are targeting organizations with spear phishing emails designed to get users to visit malicious websites that download ransomware. Spam emails are also sent with the malware disguised as invoices or even image files.
How Much Are Cybercriminals Asking to Unlock Encrypted Devices?
While single users receive $500 demands, the same cannot be said of businesses. Attackers can demand whatever fee they want. In February, Hollywood Presbyterian Hospital felt that paying a $17,000 ransom was the most logical solution considering the cost of data loss, downtime, and the restoration of its systems. The effort required and the cost of rectifying an infection could exceed the ransom cost by several orders of magnitude.
Horry County school district in South Carolina paid a ransom of $8,500 to decrypt 25 servers. The FBI investigated and told the school it had no alternative but to pay the ransom if it wanted to recover its data. In 2015, the Tewkbury, Mass., Police Department was also forced to pay up after it suffered a CryptoLocker attack. While data could be restored from a backup, the most recent file was corrupted and the only viable backup was more than 18 months old. In late February, 2016., Melrose Police Department, Mass., also paid a ransom to unlock files.
Is There an Alternative to Paying A Ransomware Ransom?
Depending on the type of ransomware used by cybercriminals in their attack, it may be possible to unlock data without paying a ransom. In some cases, data may not actually be locked at all. Users may just be fooled into thinking that it is.
Scareware is used to fool users into thinking they have been attacked with ransomware, when in actual fact they have not. Paying the ransom will remove the scareware from the device, but since no files have been encrypted, it is possible to remove the malware without paying the ransom. Many security tools can be used. In fact, that is how the attackers often make their money. By selling victims a security tool to remove their own infection.
Kovtar ransomware is a little different. This malware locks a computer and displays a message that cannot be removed. A lock screen is used which is displayed on boot, which prevents the user from using their device. It resides in the registry, but can be removed without paying a ransom. It has been commonly used as a police scam, claiming the user had visited websites displaying child pornography, even though in all likelihood they did not. It displays an FBI or police department warning, and demands that a payment be made to avoid any further action.
However, ransomware that actually encrypts files is a different beast entirely. Encryption cannot be unlocked without a security key, although it may be possible to restore files from a backup or with a system restore. Provided of course that those files have not also been encrypted. Some ransomware encrypts the files needed to restore data from a backup, or the backup files themselves.
When files have been encrypted, even the FBI has advised individuals to pay the ransom. In 2015, Joseph Bonavolonta, FBI cybercrime chief in Boston, was quoted as saying, “To be honest, we often advise people just to pay the ransom.”
The FBI says that most ransomware attackers are true to their word and supply the keys. That is not necessarily the case though. The keys may not be supplied and the individual could receive a further demand. Some ransomware that has been tweaked has been broken, making it impossible to decrypt locked files. Paying the ransom in such cases would not allow data to be recovered. There is no guarantee that payment of a ransom will result in a working key being provided. It is therefore essential to implement a number of measures to protect networks from ransomware infections.
How to Protect Networks from Ransomware?
There are a number of strategies that can be adopted to protect networks from ransomware infections and to reduce the damage caused if security defenses are breached.
Perform Regular Backups
Performing daily and weekly backups is essential. This measure will not protect networks from ransomware, but it will reduce the damage cause if an infection occurs. Backups of data should ensure files can be recovered. However, backups cannot always be restored. Just as the Tewkbury Police Department. It is essential that backups are not stored on portable devices that are left connected to computers. Ransomware can encrypt portable drives and can scan and lock files on networks, not just on individual devices.
Use a Spam Filter
Ransomware is often spread via spam email. One of the best ways to protect networks from ransomware is to prevent spam email from being delivered. Using a robust spam filtering solution will ensure the majority of malicious emails are caught and quarantined to prevent them from being opened by end users.
SpamTitan blocks 99.9% of spam emails, greatly reducing the likelihood of employees infecting their computers and corporate networks with ransomware.
Train Staff How to Identify Malicious Emails
Staff training is essential and a great way of helping to protect networks from ransomware. Emails are occasionally delivered to inboxes even with a robust spam filter in place. Employees must therefore be made aware of the risk and taught best security practices to avoid compromising their network or infecting their devices. Employees should be told never to open an email attachment that has been sent from someone they do not know. They should always check the email address of the sender carefully. Unfortunately, ransomware is not only spread via spam emails and web-borne attacks are more difficult to identify.
Use WebTitan to Block Malicious Websites
Cybercriminals use malicious advertising – terms malvertising – to lure individuals onto malicious websites where drive-by ransomware downloads take place. These adverts are often placed on legitimate websites via third party advertising networks. Malicious links are also posted on social media networks. Phishing emails also contain links to malicious sites that download ransomware.
One of the best ways that businesses can reduce the risk of a web-borne attack and protect networks from ransomware infections is by limiting the websites that can be accessed via their Wi-Fi and hard-wired networks. Blocking websites known to contain malware, preventing the downloading of file types commonly associated with ransomware, and blocking third party adverts from being displayed can all greatly reduce risk. To do this, a web filter is required.
WebTitan Cloud for Wi-Fi and WebTitan Gateway can be used by businesses, schools, and operators of Wi-Fi networks to reduce the risk of a ransomware attack. WebTitan blocks users from engaging in risky online behaviors and visiting malicious websites. Regardless of the level of training provided to users of computer networks, it is not possible to eliminate risk entirely. Using a web filtering solution to protect networks from ransomware, along with staff training and a spam email filter can greatly improve security posture.
The cost of these protections for businesses, educational institutions, and healthcare organizations is likely to be far lower than the cost of paying a ransom.
Mar 5, 2016 | Cybersecurity News
As if IT security professionals didn’t have enough to worry about, Skycure has uncovered a new accessibility clickjacking proof of concept malware that could be used to spy on corporate and personal emails, as well as steal corporate data stored on mobile devices.
The malware could be used to spy on all activity on an infected device, from recording emails composed via Gmail to details entered into website forms, mobile banking apps, corporate CRM systems, or messaging apps. In contrast to many mobile malware, this form does not require rooting the device and does not need many app permissions. The footprint left by the malware is incredibility difficult to identify and the user is unlikely to be aware that their device has been compromised.
Clickjacking, also known as a UI redress attack, is the act of fooling a user into clicking on a hyperlink that is hidden in an interface underneath seemingly legitimate content. A user could be playing a mobile game and clicking on parts of the screen, yet unbeknown to them, would also be giving authorizations to a malicious mobile application. That could include any number of permissions, or could be used to authorize a download of malware onto the device.
A typical example of clickjacking is where an attacker uses a fake X button which the user clicks to close an advert. If the X also closes a dialog box or an advert, the user is unlikely to be aware that anything untoward has occurred. Yet that X could also trigger a download or give a malicious app permission to access the microphone or all text entered on the device.
Android 4.4 and Below Susceptible to Accessibility Clickjacking
Accessibility clickjacking takes advantage of accessibility APIs, which were introduced in Android 1.6. The purpose of accessibility APIs is to make Android easier to use for people with disabilities, such as the visually impaired. The benefit is the APIs can perform a number of actions so the user doesn’t have to, but that is also the problem. These APIs have access to system-wide tools, and can interact with numerous interfaces. While these APIs are certainly beneficial, they are a potential security risk that can be exploited.
The accessibility clickjacking PoC malware identified by Skycure takes advantage of accessibility APIs, and by doing so can record virtually all activities performed on the device and perform actions without users’ consent.
The example provided involves a game that takes advantage of the accessibility feature, and gets the user to click on certain parts of the screen to progress to the next level. When a click is performed it gives a permission via the underlying software. In the example it gives an application permission to record all keystrokes entered via the Gmail app.
The researchers have warned that not only can this technique be used for keylogging, but a hacker could also use the technique to change admin settings, disable functions, encrypt the device, or delete files. All Android devices except 5.x and above are susceptible to accessibility clickjacking. That is 65% of all Android phones currently in circulation.
Mar 4, 2016 | Cybersecurity News
Researchers at Kaspersky Lab say the recently discovered Android Triada Trojan is one of the most sophisticated Android malware variants yet to be discovered and that it rivals Windows-based malware for complexity. 6 out of 10 Android devices are estimated to be vulnerable to attack by the Triada Trojan. As if that is not bad enough, the malware runs silently and embeds itself in the Android system making it virtually impossible to detect. Nikita Buchka, a junior malware analyst at Kaspersky Lab, said “Once Triada is on a device, it penetrates almost all the running processes, and continues to exist in the memory only.” All of the processes remain hidden, both from the user and application.
It has been discovered in the wild and has primarily been use to infect devices in Russia and Ukraine, suggesting that’s where its authors are based; although it has also been found in India and various other APAC countries. The malware is believed to infect devices via app downloads, in particular those downloaded from untrusted sources rather than the Google Play store. That said, in some cases infected apps have been found in Google Play app store.
Kaspersky Lab researchers say the malware has been developed by “very professional” cybercriminals and suggest the developers are extremely experienced hackers with a deep understanding of the Android platform.
Triada Trojan Capable of Monitoring All Phone Activity
The Triada Trojan is capable of gaining access to all apps running on an infected device and can change the code of the app and monitor all activities on the phone. The malware can intercept SMS messages and reroute them, which is how the researchers believe the malware will make its developers money. They say the malware is likely being used to reroute in-app purchases and direct the funds to the attackers’ accounts.
Not only is the Triada Trojan almost impossible to detect with the majority of Android anti-virus and anti-malware programs, even if it is detected, removing the Triada Trojan from an infected device is exceptionally difficult. Standard removal techniques will not succeed in ridding the device of all elements of the Triada Trojan. To disinfect an infected phone, the user has to jailbreak the Android system and manually remove all of the components.
The new malware can only infect Android 4.4.4 Kitkat and below; however even though two new Android versions have since been released, the majority of Android devices run on Kitkat or earlier versions. 30% of devices run on version 4 or below, and those devices are particularly vulnerable to attack.
Kaspersky Lab researchers have previously warned that Trojans that gain superuser privileges and are being used to display advertising or install apps would eventually be used for far more malicious activities such as rooting malware. 11 different Android malware families are known to gain root access, and three of them work together – Ztorg, Gorpo and Leech. Those malware have collectively been identified as Triada.
The malware uses Zygote to launch application processes, which until the discovery of Triada, was only known to be possible as a proof of concept, and had not been exploited in the wild.
The researchers say that the new “Triada of Ztrog, Gorpo and Leech marks a new stage in the evolution of Android-based threats.”
Mar 3, 2016 | Cybersecurity News, Internet Security News, Network Security
A new report released by the Ponemon Institute suggests data breaches caused by mobile devices are not as rare as previously thought. Last year, Verizon released a data breach report suggesting that while mobile malware is increasing, it is not yet a major threat for attacks on organizations. Attacks are conducted, but they tend to target individuals.
Are Corporate Data Breaches Caused by Mobile Devices?
Verizon determined that only 1% of data breaches use mobile devices as an attack vector. The Ponemon report suggests the figure is far higher, with 67% of respondents claiming the use of mobile devices by employees was certain or likely to have resulted in a beach of sensitive corporate data.
The Ponemon study, which was commissioned by security firm Lookout, set out to cast some light on enterprise mobile security risk. 588 IT security professionals employed by Global 2000 companies in the United States were asked about the threat from mobile devices.
The report suggests there is a disconnect between IT departments and employees when it comes to the data that can be accessed using mobile devices. Many IT departments have implemented controls to limit data access via BYOD or corporate devices. However, employees still appear to be able to access corporate data none the less
The study found significant discrepancies between the data IT departments said could be accessed, and the responses provided by employees. For instance, when both groups were asked about whether confidential or classified documents could be accessed, 33% of employees said access was possible compared to just 8% of IT security professionals. 19% of IT security professionals said mobile devices could not be used to access customer data, yet 43% of employees said the data were accessible via their mobiles.
IT departments must therefore implement better controls to ensure mobile devices cannot be used to access sensitive data, or employees must be trained on the potential risks from using their mobile devices. Policies would also need to be developed to dictate what mobile devices can and cannot be used for.
The Average Infected Mobile Device Costs Organizations $9,485
The report also looked into the cost of data breaches caused by mobile devices. The average infected device was estimated to cost an organization an average of $9,485.
According to the report, mobile malware infections are a real concern. For any given company, many of the devices in use are already be infected with malware. The study suggested that “Of the 53,844 mobile devices in the average Global 2000 enterprise, 1,700 of those devices are infected by malware at any given time.”
When asked about the protections put in place to manage data access by employees, many companies had already implemented a number of safeguards to keep corporate data secure.
47% of organizations used whitelists and blacklists, 40% used mobile device management, while 45% used identity management. However, more than 4 out of 10 respondents said that none of those security measures were used by their organizations.
With the threat from mobile malware high, organizations need to devote more time and resources to mobile device security. Fortunately, this appears to be the case. The Ponemon report indicates that mobile security budgets are increasing and will represent 37% of the IT security budget next year. A considerable improvement on the current 16%.
