Apr 28, 2017 | Cybersecurity News, Internet Privacy
Security researcher Chris Vickery has discovered a Schoolzilla AWS misconfiguration that resulted in the records of 1.3 million students being accidentally left unprotected.
Schoolzilla is a student warehouse platform used by K12 schools to track and analyze student data. While data on the platform were protected and access by unauthorized individuals was not possible, that was not the case for a backup file on the platform.
Vickery had been conducting scans to identify unprotected Amazon Web Services installations when he noticed a number of unsecured buckets on the Tableau data visualization platform. Further investigation revealed an unprotected ‘sz tableau’ bucket named sz-backups, which was a data repository for backups of the Schoolzilla database.
The Amazon S3 bucket had been accidentally configured to allow public access, leaving 1.3 million student records exposed. The records contained sensitive information such as the names and addresses of students, along with test scores, grades, birthdates and some Social Security numbers.
Vickery notified Schoolzilla of the error and the company worked quickly to secure the backups. Schoolzilla has now implemented a number of additional technical safeguards to ensure all student data is protected and all affected schools have been contacted and notified of the data exposure. It is unclear exactly how many schools were affected.
The Schoolzilla AWS misconfiguration shows just how easy it is for sensitive data to be exposed online. This time it was a security researcher that discovered the exposed data, but cybercriminals are also performing scans for unprotected data. In this case, Schoolzilla was able to confirm that no unauthorized individuals had accessed the file except Vickery. Other companies may not be so fortunate.
Schools and other educational institutions are increasingly using AWS and other cloud storage platforms to house student data. Data can be securely stored in the cloud; however, human error can all too easily result in sensitive data being exposed.
The incident highlights just how important it is for organizations to conduct security scans and perform penetration tests to ensure that vulnerabilities and errors are rapidly discovered and corrected.
Apr 27, 2017 | Web Filtering
The Human Trafficking and Child Exploitation Prevention Act is a bill that will make it harder for individuals to access pornography on Internet-enabled devices by making manufacturers and retailers of those devices implement a pornography filtering solution by default.
Support for the bill is growing, with 12 states having already backed the bill – Alabama, Florida, Georgia, Indiana, Louisiana, New Jersey, North Dakota, Oklahoma, South Carolina, Texas, West Virginia, and Wyoming – and many others are considering implementing similar legislation.
While many states have been opposed to introducing legislation that prevents pornography from being accessed, support for the bill has been growing due to the change in how pornography is being portrayed. Rather than being viewed as a moral issue that must be tackled, pornography is now being viewed as a public health crisis. Proponents of the Human Trafficking and Child Exploitation Prevention Act claim viewing pornography is bad for mental health, sexual health, as well as causing damage to relationships. It has been claimed that the availability of pornography is also contributing to the growth of human trafficking for the sex trade.
The legislation requires all manufacturers and retailers who make or sell Internet-enabled devices to be required by law to implement a web filtering solution on those devices to block pornography, prostitution hubs, child pornography, obscenity, and revenge pornography on those devices by default.
The law will not make it illegal for individuals over the age of 18 to view Internet pornography and other obscene content, but in order to do so they will be required to provide the retailer – or manufacturer – with proof of age. Similar laws are already in place requiring retail stores to prevent minors from being able to view pornographic magazines unless they first provide proof of age.
The legislation is the most workable solution to restrict access to pornography. It would not be feasible to require websites to conduct age checks, as there would be no jurisdiction over website owners based outside the United States. Pornography filtering legislation is viewed as the least restrictive method of controlling who can access pornography.
The Human Trafficking and Child Exploitation Prevention Act will not prohibit individuals from viewing pornography if they wish to do so. However, exercising their right to access obscene content will come at a cost. In addition to providing proof of age, consumers will be required to pay a one off fee of $20 to have the pornography filter lifted. The money collected will go to the state in which the individual resides, and those funds will be directed to a number of groups that are tackling the problem of human trafficking and sexual violence.
Individuals may have to pay further costs to access pornography as retailers and manufacturers will be permitted to charge individuals a fee on top of the $20 state fee for unlocking the pornography filter.
It is possible that the filtering solution used by manufacturers and retailers may not get the balance right 100% of the time. There are likely to be many cases of over-blocking or under-blocking of obscene content. Therefore, the Human Trafficking and Child Exploitation Prevention Act requires a mechanism to be put in place that allows individuals to submit requests to have websites and webpages added to the filter if they contain obscene content and have not been blocked. Similarly, if websites containing acceptable content are incorrectly blocked by the filter, it must be possible for individuals to request that the block be lifted. A call center or website must be made available for this purpose.
Manufacturers/retailers will be required to process requests in a reasonable timeframe. If they fail to do so they will be liable for fines.
Apr 21, 2017 | Cybersecurity News, Internet Security News
McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not suggest that 2017 will see a continued fall in new malware, but the opposite, according to McAfee Labs.
2016 malware trends follow a similar pattern to 2015. The first quarter saw large volumes of new malware discovered, followed by a steady decline over the next three quarters. The same trend was identified in 2015. Far from that decline continuing into 2017, the first quarter figures – which will not be made available until the summer – are likely to follow a similar trend and involve a massive in malware numbers in the first three months of 2017.
Further, there has been a steady increase in the number of new malware samples detected year on year, from around 400 million per quarter in 2015 to more than 600 million per quarter in 2016. If that trend continues into 2017, this year is likely to see around 800,000 new malware samples detected each quarter on average. McAfee predicts that there will be around 17 million malware samples by the end of this year.
McAfee reports that ransomware has increased steadily over the course of 2016, starting the year with around 6 million samples and finishing the year with over 9 million detected samples. However, the final quarter of 2016 saw a sharp drop in ransomware due to a decline in generic ransomware detections and a fall in the use of Locky.
There have been relatively few new Mac OS malware samples detected over the past two years, although Q3, 2016 saw new Mac OS malware increase from around 10,000 to 50,000, with a massive rise to around 320,000 new samples in the final quarter of 2016.
By the end of 2016, the total number of Mac OS malware rose to more than 450,000, from around 50,000 at the end of Q4, 2015. The increase mostly involved bundled adware.
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections, in Q3 that figure had risen to more than 200,000.
The public sector was most affected by security breaches in 2016, followed by healthcare, online services, finance, and software development. The biggest causes of security incidents, for which the causes are known, were account hijacking, followed by DDoS attacks, targeted attacks, SQL injection and malware. The main methods used for conducting network attacks last year were SSL (33%), DoS (15%), Worms (13%), brute force attacks (13%), and browser-based attacks (15%).
There has been a downward trend in new suspect URLS detected from Q1 2015 to Q2, 2016, although that trend has reversed in the last two quarters of 2016 with new malicious URL detections starting to rise steadily. New phishing URLS ebb and flow, although there was a general upward trend in 2016. McAfee’s figures shows spam email volume has remained fairly constant for the past two years, with the bulk of spam messages delivered using the Necurs botnet in Q3 and Q4, 2016.
Apr 18, 2017 | Cybersecurity Advice, Cybersecurity News, Internet Privacy, Internet Security News, Web Filtering
A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.
Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the TOR browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.
Why Are Employees Bypassing Security Controls?
Employees bypassing security controls is a major problem, but why is it happening?
The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.
In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.
The report indicates 59% or organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain of productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain of productivity.
While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”
Lack of Control and Visibility
Many companies are unaware that they have employees bypassing security controls because they lack visibility into what is happening on end points. Shadow IT can be installed without the organization’s knowledge, including VPN’s and hacking tools, but what can be done to stop employees bypassing security controls?
Security software can be installed to allow organizations to closely monitor the types of activities that are taking place on work computers. This can allow action to be taken to reduce insider threats. Organizations should also block the use of VPN’s and anonymizers to ensure they have more visibility into employee’s online activities.
One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.
A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under organization’s acceptable use policies.
Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.
One solution, possible with WebTitan, is to ease restrictions on Internet access by using time controls. To prevent falls in productivity, web filters can be applied during working hours, yet relaxed at other times such as lunch breaks. By allowing some personal Internet use, there is less incentive for employees to attempt to bypass security controls.
WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.
Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.
Apr 6, 2017 | Cybersecurity Advice, Cybersecurity News
Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom.
Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process requires an Internet connection to transfer the ransom payment and receive the decryption key.
Bart ransomware posed a significant threat to corporate users. Command and control center communications could potentially be blocked by firewalls preventing encryption of files. However, without any C&C contact, corporate users were at risk.
Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky.
As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files.
The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws.
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.
Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal investigation. The Bart ransomware decryptor was developed by Bitdefender after collaborating with both the Romanian police and Europol.
From April 4, 2017, the Bart ransomware decryptor has been made available for free download from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to tell if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.
Bart ransomware may be believed to have links to Locky, although there is no indication that keys have been obtained that will allow a Locky ransomware decryptor to be developed. The best form of defense against attacks is blocking spam emails to prevent infection and ensuring backups of all sensitive data have been made.
