Cybersecurity Advice

Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.

We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.

Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.

Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.

Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is through malvertisements. Many high-traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts that are displayed on member sites, with the site owners earning money from ad impressions and click-throughs.

While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.

Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Once infected, a computer’s processing power is used to mine the Monero cryptocurrency, hogging its resources and slowing down the performance of the machine.

The latest Neptune exploit kit campaign uses hiking-club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert YouTube videos to MP3 files. The imagery used in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
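The lookalike-domain trick described above (a legitimate .com imitated under a .club) is something a defender can hunt for in proxy logs. The following Python script is an added example, not FireEye's or TitanHQ's code: it parses a constructed proxy-log format, compares each requested host's registrable label against a list of protected domains, and flags hosts that reuse the label under a different TLD or that differ only by hyphens and digits. The log format, the protected list, the sample lines and the minimal public-suffix handling are all constructed assumptions.

```python
"""Flag proxy-log requests to domains that imitate a protected brand.

Added example (not TitanHQ/FireEye code). The log format, the protected
list and the sample lines are constructed for illustration.
"""
import re
from collections import namedtuple

# Constructed, minimal proxy-log format: "<timestamp> <client_ip> <host> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<status>\d{3})$")

# Domains whose brand label we want to protect (assumption: the defender
# maintains this list for its own sites and frequently visited partners).
PROTECTED = {"highspirittreks.com", "example-bank.com"}

Finding = namedtuple("Finding", "ts client host imitates reason")


def registrable_parts(host):
    """Return (label, suffix) for a host, e.g. 'www.foo.co.uk' -> ('foo', 'co.uk').
    Only a few two-level public suffixes are handled here; a real deployment
    would use the Public Suffix List (deliberate simplification)."""
    labels = host.lower().rstrip(".").split(".")
    two_level = {"co.uk", "com.au", "co.in"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_level:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return host.lower(), ""


def lookalike_reason(host):
    """Return (protected_domain, reason) if host imitates a protected domain, else None."""
    label, suffix = registrable_parts(host)
    for good in PROTECTED:
        g_label, g_suffix = registrable_parts(good)
        if label == g_label and suffix != g_suffix:
            return good, f"same label '{label}' under a different TLD ({suffix} vs {g_suffix})"
        # Hyphen/digit variants: compare with everything but letters stripped.
        if label != g_label and re.sub(r"[^a-z]", "", label) == re.sub(r"[^a-z]", "", g_label):
            return good, f"label '{label}' differs from '{g_label}' only by hyphens/digits"
    return None


def scan_log(text):
    """Parse log lines and return a list of Finding for lookalike hosts, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash
        hit = lookalike_reason(m["host"])
        if hit:
            findings.append(Finding(m["ts"], m["client"], m["host"], hit[0], hit[1]))
    return findings


# Constructed sample log: one legitimate visit, one ad network, three lookalikes.
SAMPLE_LOG = """\
2017-08-24T10:01:02Z 10.0.0.12 www.highspirittreks.com 200
2017-08-24T10:01:09Z 10.0.0.12 ads.example.net 200
2017-08-24T10:02:15Z 10.0.0.31 highspirittreks.club 302
2017-08-24T10:03:40Z 10.0.0.31 example-bank.co.uk 200
2017-08-24T10:04:01Z 10.0.0.44 examplebank.com 200
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.host} imitates {f.imitates}: {f.reason}")
```

Findings are review candidates, not verdicts: a brand's own regional .co.uk site is flagged by the same rule, so every legitimate variant belongs in the protected list before alerts are wired to blocking.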

The exploits used in the latest campaign are all old, so protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.

Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.

In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.

WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.

To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.

The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.

School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.

CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make them available to students and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so.

Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempts to access prohibited material so that schools can take action. Schools have also been advised to sensitize parents to safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material.

While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age group. Schools should set filtering controls by user group and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allow controls to be easily set for different user groups. The solution can be used to set separate filtering controls for staff and for students of differing ages with ease.

Other Internet controls that have been suggested include the rapid blocking of usernames/passwords when children leave school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and for staff to avoid posting images and videos of their students online.

School Web Filtering Technology from TitanHQ

The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge. Appliance-based web filters involve a significant initial cost, there is ongoing maintenance to consider, on-site IT support is needed in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.

TitanHQ offers a more cost-effective and easy-to-manage solution: the 100% cloud-based web filter, WebTitan. WebTitan Cloud and WebTitan Cloud for WiFi make filtering the Internet a quick and easy process. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.

Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.

These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.

WebTitan also supports remote learning. All students’ devices can be protected while connected to a school’s wired or wireless network. To extend protection beyond the school gates, a WebTitan On-The-Go (OTG) roaming agent can be installed on devices. This will ensure that the content filtering policy will apply no matter where that device connects to the Internet.

If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation Free Trial and see the benefits of WebTitan for yourself before making a decision about a purchase.

Cybersecurity Best Practices for Law Firms

Law firm hacking incidents are up and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data.

Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks. Data that in the wrong hands could be used for blackmail.

Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that.

Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption.

For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks.

One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000.

Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons. One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data, causing losses that are likely to be in the millions.

Part of the problem, especially for smaller law firms, is the high cost of cybersecurity protections. Many law firms simply do not have the budget to cover the cost. They cannot afford to hire skilled cybersecurity professionals to protect their computers and networks, scan for security vulnerabilities and patch and update software. However, the good news is that adopting standard cybersecurity best practices for law firms does not cost big bucks, but it will help firms improve their security posture.

The DLA Piper cyberattack shows that it is not only small law firms that are not following cybersecurity best practices for law firms. Microsoft issued a patch to fix the vulnerability that was exploited by both WannaCry and NotPetya more than two months before the attacks occurred. If the firm had patched promptly, the attack would have been prevented.

Protecting against all cyberattacks is not straightforward, especially with the number of connected devices now used by law firms. However, by adopting the cybersecurity best practices for law firms below, it is possible to reduce risk to an acceptable level.

Cybersecurity Best Practices for Law Firms

Adopting these cybersecurity best practices for law firms will make it harder for hackers to break through defenses and for simple errors to result in costly data breaches.

  • Conduct weekly checks of all software to ensure the latest versions are installed and check for patches and apply them promptly
  • Ensure that ALL sensitive data is backed up using the 3-2-1 approach: three copies of data, on two types of media, with one copy stored securely off site
  • Ensure all staff undergo security awareness training covering phishing, social engineering and other threats
  • Develop a password policy that requires the use of strong passwords. Enforce password changes regularly
  • Consider encryption for all sensitive data
  • Use two-factor authentication
  • Use an advanced spam filtering solution to reduce spam and block malicious messages
  • Employ a next-generation firewall
  • Ensure all computers are running supported operating systems and are set to update automatically
  • Implement a web filtering solution to block access to all sites known to host malware and exploit kits and to block links to phishing websites
  • Develop a data breach response plan – When a breach occurs, fast action can greatly reduce the damage caused
  • Engage the services of a third-party security firm to conduct risk analyses to identify vulnerabilities and perform penetration tests
  • Consider outsourcing cybersecurity to a managed service provider that will ensure systems, software and security are effectively managed and all vulnerabilities are addressed
  • Consider cybersecurity insurance – Only 23% of law firms have purchased cybersecurity insurance according to Logicforce.

Study Reveals Misplaced Confidence in Cyber Response Plans

Confidence in cyber response plans doesn’t appear to be lacking according to a new study conducted by Deloitte. However, that does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their cyber response plans may not be effective.

The only way to determine whether cyber response plans will function as planned is to conduct regular tests. If plans are not tested, organizations will not be able to determine with any degree of certainty whether their plans will be effective.

As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce breach resolution costs considerably. For that to happen, a response plan must have been developed prior to the breach being experienced and that plan must be effective.

The Deloitte study revealed that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their cyberattack response policies. Yet, the study also revealed that 82% of respondents had not tested their response plans in the past year. They had also not documented their plans with business stakeholders in the past year.

A lot can change in a year. New software solutions are implemented, configurations change as do personnel. Only regular testing will ensure that plans work and staff know their roles when an attack occurs.

Cyberattack simulations are a useful tool to determine how attack response plans will work in practice. As is often the case, plans look great on paper but often fail when put in place. Running simulations every 6 months will help to ensure that a fast and effective response to a cyberattack is possible. However, the survey showed that only 46% of respondents conduct simulations twice a year or more frequently.

A data breach can have dire consequences for a company. The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data breach is experienced, customers often choose to take their business elsewhere resulting in a considerable loss of revenue. A fast and efficient breach response can help restore faith in a brand and reduce the churn rate.

If you want to reduce the impact of a data breach and reduce costs, it is essential for cyber response plans to be developed and tested. With the volume of cyberattacks now occurring, it is highly probable that those plans will need to be implemented. By then it will be too late to determine whether they are effective. That could prove extremely costly.

95% of Companies Have Employees Bypassing Security Controls

A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.

Dtex discovered during its risk assessments of organizations that 95% of companies had employees who were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the Tor Browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.

Why Are Employees Bypassing Security Controls?

Employees bypassing security controls is a major problem, but why is it happening?

The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.

In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.

The report indicates 59% of organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain on productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain on productivity.

While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”

Lack of Control and Visibility

Many companies are unaware that they have employees bypassing security controls because they lack visibility into what is happening on endpoints. Shadow IT can be installed without the organization’s knowledge, including VPNs and hacking tools, but what can be done to stop employees bypassing security controls?

Security software can be installed to allow organizations to closely monitor the types of activities that are taking place on work computers. This can allow action to be taken to reduce insider threats. Organizations should also block the use of VPNs and anonymizers to ensure they have more visibility into employees’ online activities.

One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.

A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under an organization’s acceptable use policies.

Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.

One solution, possible with WebTitan, is to ease restrictions on Internet access by using time controls. To prevent falls in productivity, web filters can be applied during working hours, yet relaxed at other times such as lunch breaks. By allowing some personal Internet use, there is less incentive for employees to attempt to bypass security controls.

WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.

Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.
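The time-based controls and the violation reporting described above can be expressed as a small policy engine. The following Python code is an added example, not WebTitan's configuration or code: it blocks anonymizers, malware, phishing and pornography hosts at all times, blocks productivity-draining categories only during working hours (relaxed at lunch, after hours and at weekends), and replays a constructed access log through the policy to produce a per-user report of blocked requests. The category database, the schedule, the log format and the sample log are all constructed assumptions.

```python
"""Time-aware web filtering policy plus an access-log violation report.

Added example, not WebTitan's code or configuration. The categories, the
schedule, the log format and the sample log are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Categories blocked at all times: anonymizers defeat visibility, the rest
# are high-risk or prohibited under the acceptable use policy.
ALWAYS_BLOCK = {"anonymizer", "malware", "phishing", "pornography"}

# Categories blocked only during working hours (09:00-17:30 on weekdays,
# relaxed over lunch 12:30-13:30) so that some personal use remains possible.
WORK_HOURS_BLOCK = {"gambling", "gaming", "social", "streaming"}
WORK_START, WORK_END = time(9, 0), time(17, 30)
LUNCH_START, LUNCH_END = time(12, 30), time(13, 30)

# Constructed category map standing in for a filter vendor's URL database.
CATEGORY_DB = {
    "hide-my-traffic.example": "anonymizer",
    "bets.example": "gambling",
    "news.example": "news",
    "video.example": "streaming",
    "payload.example": "malware",
}


def is_working_time(when):
    """True on weekdays between WORK_START and WORK_END, excluding lunch."""
    t = when.time()
    if when.weekday() >= 5:  # Saturday or Sunday
        return False
    if LUNCH_START <= t < LUNCH_END:
        return False
    return WORK_START <= t < WORK_END


def decide(host, when):
    """Return ('allow'|'block', category) for a request to host at datetime when."""
    category = CATEGORY_DB.get(host, "uncategorized")
    if category in ALWAYS_BLOCK:
        return "block", category
    if category in WORK_HOURS_BLOCK and is_working_time(when):
        return "block", category
    return "allow", category


def violation_report(log_lines):
    """Replay lines of the form 'ISO-timestamp user host' through the policy and
    return {user: Counter(category -> blocked requests)} so that repeat offenders
    and always-block categories such as anonymizers stand out."""
    report = defaultdict(Counter)
    for line in log_lines:
        try:
            ts, user, host = line.split()
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # skip malformed lines rather than abort the report
        verdict, category = decide(host, when)
        if verdict == "block":
            report[user][category] += 1
    return dict(report)


# Constructed sample log; 2017-07-19 is a Wednesday, 2017-07-22 a Saturday.
SAMPLE_LOG = [
    "2017-07-19T10:15:00 alice bets.example",            # working hours -> blocked
    "2017-07-19T12:45:00 alice bets.example",            # lunch -> allowed
    "2017-07-19T14:05:00 bob hide-my-traffic.example",   # anonymizer -> always blocked
    "2017-07-19T18:30:00 bob video.example",             # after hours -> allowed
    "2017-07-22T11:00:00 carol video.example",           # weekend -> allowed
    "2017-07-19T11:00:00 carol payload.example",         # malware -> always blocked
    "garbage line",                                      # malformed -> skipped
]

if __name__ == "__main__":
    for user, counts in violation_report(SAMPLE_LOG).items():
        print(user, dict(counts))
```

The report separates policy violations (gambling during work hours) from security events (an anonymizer request), which is the distinction an investigator needs before deciding whether a user is merely bored or actively trying to escape visibility.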

Free Bart Ransomware Decryptor Released

Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom.

Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process requires an Internet connection to transfer the ransom payment and receive the decryption key.

Bart ransomware posed a particular threat to corporate users. With most ransomware, a firewall that blocks command and control communications can prevent files from being encrypted. Because Bart needed no C&C contact to encrypt files, that defense did not apply and corporate users remained at risk.

Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky.

As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files.

The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws.

Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.

Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal investigation. The Bart ransomware decryptor was developed by Bitdefender after collaborating with both the Romanian police and Europol.

From April 4, 2017, the Bart ransomware decryptor has been made available for free download from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to tell if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.

While Bart ransomware is believed to have links to Locky, there is no indication that keys have been obtained that would allow a Locky ransomware decryptor to be developed. The best form of defense against attacks is blocking spam emails to prevent infection and ensuring backups of all sensitive data have been made.

Cybersecurity Warning for Healthcare Providers Issued by FBI

The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.

The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.

The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.

Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.

The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check whether their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although checks should be performed by all healthcare organizations.

The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.

If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers only contain data that is publicly available.
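To act on the advice to check whether servers are running in anonymous mode, the following Python code is an added example (not FBI or vendor tooling) with two checks. The first attempts an anonymous login against an FTP server you own and are authorized to test, using only the standard library's ftplib, which sends the conventional 'anonymous' user by default; it never lists or downloads data. The second lints a vsftpd configuration for anonymous_enable and the anonymous upload settings, on the assumption that the server runs vsftpd (other FTP daemons use different directives). The configuration fragments are constructed samples.

```python
"""Audit FTP servers for anonymous access, the weakness in the FBI warning.

Added example, not FBI or vendor tooling. Assumptions: you are authorized
to test the host you pass to check_anonymous_login(), and the config you
pass to audit_vsftpd_config() belongs to vsftpd.
"""
import ftplib
import socket


def check_anonymous_login(host, port=21, timeout=5):
    """Return a dict describing whether anonymous FTP login succeeds on host.
    Nothing is listed or downloaded; the function only logs in and quits."""
    result = {"host": host, "anonymous": False, "detail": ""}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        # ftplib defaults to user 'anonymous' / password 'anonymous@'
        ftp.login()
        result["anonymous"] = True
        result["detail"] = "anonymous login accepted"
    except ftplib.error_perm as exc:  # 530 or similar: login rejected
        result["detail"] = f"login rejected: {exc}"
    except (socket.timeout, OSError) as exc:
        result["detail"] = f"no FTP service reachable: {exc}"
    finally:
        try:
            ftp.quit()
        except Exception:
            pass  # connection may never have been established
    return result


def audit_vsftpd_config(text):
    """Return a list of findings for the body of a vsftpd.conf.
    vsftpd's default for anonymous_enable is YES, so an absent key is a finding too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().upper()
    findings = []
    anon = settings.get("anonymous_enable")
    if anon is None:
        findings.append("anonymous_enable not set (vsftpd default is YES)")
    elif anon == "YES":
        findings.append("anonymous_enable=YES: anyone can log in")
        if settings.get("anon_upload_enable") == "YES":
            findings.append("anon_upload_enable=YES: anyone can upload files")
        if settings.get("anon_mkdir_write_enable") == "YES":
            findings.append("anon_mkdir_write_enable=YES: anyone can create directories")
    if settings.get("ssl_enable", "NO") != "YES":
        findings.append("ssl_enable is not YES: credentials and data travel in clear text")
    return findings


# Constructed configuration fragments for illustration.
RISKY_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    print("risky:", audit_vsftpd_config(RISKY_CONF))
    print("hardened:", audit_vsftpd_config(HARDENED_CONF))
    # Live check against a server you own, e.g. check_anonymous_login("ftp.internal.example")
```

The upload checks matter because of the warning's second point: an anonymous server that also accepts uploads can be turned into a drop for illegal content or tooling, and outbound-only monitoring will not notice.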

FBI Chief Issues Ransomware Advice for Healthcare Providers

At a recent cybersecurity conference, Director of the FBI James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.

Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.

However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.

Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.

In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.

One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.
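A backup that has never been test-restored is the corrupted backup file described above waiting to be discovered, and the 3-2-1 approach recommended in the law firm article earlier on this page only helps if each copy is actually restorable. The following Python script is an added example, not FBI guidance or any vendor's tool: it builds a small constructed data set, archives it with a SHA-256 manifest, then performs a test restore into a scratch directory and compares every file's hash, once against an intact archive and once against one truncated to simulate an interrupted copy. All paths and data are temporary and constructed.

```python
"""Verify that a backup can actually be restored, not just that it exists.

Added example (not FBI guidance or vendor code). Builds a constructed data
set, backs it up to a tar.gz with a SHA-256 manifest, test-restores it into
a scratch directory and compares hashes. In practice the archive would be
the offline or cloud copy of a 3-2-1 backup set.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and write <archive>.manifest.json mapping relative path -> sha256."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path):
    """Test-restore the archive into a scratch directory and return (ok, problems).
    Any exception during extraction, missing file or hash mismatch fails the check."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        # Use the 'data' extraction filter where available: it refuses archive
        # members that would escape restore_dir (path traversal during restore).
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **kwargs)
        except Exception as exc:  # any failure to restore is a failed verification
            return False, [f"archive unreadable: {exc}"]
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.exists(restored):
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def demo(corrupt=False):
    """Create a constructed data set, back it up, optionally truncate the archive
    (simulating an interrupted copy) and return verify_backup()'s result."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "patient-records")
        os.makedirs(os.path.join(src, "2017"))
        with open(os.path.join(src, "2017", "visit-0001.txt"), "w") as f:
            f.write("constructed sample record\n")
        with open(os.path.join(src, "index.csv"), "w") as f:
            f.write("id,file\n1,2017/visit-0001.txt\n")
        archive = os.path.join(work, "records.tar.gz")
        make_backup(src, archive)
        if corrupt:
            with open(archive, "r+b") as f:
                f.seek(0, os.SEEK_END)
                f.truncate(f.tell() // 2)  # keep only the first half of the archive
        return verify_backup(archive)


if __name__ == "__main__":
    print("intact backup:", demo())
    print("corrupted backup:", demo(corrupt=True))
```

Running the verification on a schedule, against the copy that is kept disconnected, is what turns "we have backups" into "we can restore"; the manifest also gives an independent integrity record should the archive itself be tampered with.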

At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.

Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.

Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.

Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.

New Fileless Malware Hides Communications in DNS Queries

A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.

The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.

Opening the Word document displays a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so calls a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect.

Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is its method of communication. The malware receives commands via DNS, which is normally used to look up the Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses.

DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

The attackers can send commands to the malware via DNS TXT queries, and the malware can send the attackers the output of those commands via the same channel. Even if an organization has blocked outbound DNS to unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure.

While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6 of 54 AV engines detected the threat, although ClamAV did identify the file as malicious.

Cybercriminals are constantly looking for new methods of bypassing security controls and infecting end users. However, since this threat is delivered via email, that is the point at which it is easiest to block. Infection also requires macros to be enabled; if macros are blocked, the malware will not execute. Otherwise, since the DNS communications between the malware and the attackers differ from standard DNS traffic, inspecting DNS content should enable security professionals to identify an infection.
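
To make the detection point concrete, here is an added example (not code from the original article or from Cisco Talos) that scans a resolver query log for the pattern the text describes: repeated TXT lookups whose leading label is long and random-looking, as opposed to the short SPF, DMARC and DKIM labels that legitimate TXT lookups carry. The log line format, the sample lines, the client addresses and the c2-placeholder.test domain are all constructed for this example, and the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query log. Assumed line format:
#   "<time> client <ip> query: <qname> IN <qtype>"
# Addresses, hostnames and the c2-placeholder.test domain are invented for the example.
SAMPLE_LOG = """\
10:00:01 client 10.0.0.5 query: mail.example.org IN MX
10:00:02 client 10.0.0.5 query: example.org IN TXT
10:00:03 client 10.0.0.5 query: _dmarc.example.org IN TXT
10:00:04 client 10.0.0.5 query: selector1._domainkey.example.org IN TXT
10:00:05 client 10.0.0.9 query: k7f2q9x1m4p8c3v6z0b5.c2-placeholder.test IN TXT
10:00:06 client 10.0.0.9 query: w3n8r1t6y2u9i4o7e0a5.c2-placeholder.test IN TXT
10:00:07 client 10.0.0.9 query: g5h2j7l1d4s9q6e3x8z0.c2-placeholder.test IN TXT
10:00:08 client 10.0.0.9 query: www.example.org IN A
"""

LINE_RE = re.compile(r"client (?P<ip>\S+) query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded or random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text: str):
    """Yield (client_ip, qname, qtype) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def split_name(qname: str):
    """Return (leading_label, base_domain). The base domain is assumed to be the
    last two labels; a real deployment would use the public suffix list."""
    labels = qname.split(".")
    base = ".".join(labels[-2:])
    leading = labels[0] if len(labels) > 2 else ""
    return leading, base


def flag_txt_tunnels(log_text: str, min_queries: int = 3,
                     min_label_len: int = 16, min_entropy: float = 3.0):
    """Return sorted (client_ip, base_domain) pairs whose TXT queries look like a
    data channel: several TXT lookups to one domain whose leading label is long
    and high-entropy. SPF/DMARC/DKIM lookups use short, word-like labels and pass."""
    stats = defaultdict(lambda: {"count": 0, "max_len": 0, "max_entropy": 0.0})
    for ip, qname, qtype in parse_queries(log_text):
        if qtype != "TXT":
            continue
        leading, base = split_name(qname)
        s = stats[(ip, base)]
        s["count"] += 1
        s["max_len"] = max(s["max_len"], len(leading))
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(leading))
    return sorted(key for key, s in stats.items()
                  if s["count"] >= min_queries
                  and s["max_len"] >= min_label_len
                  and s["max_entropy"] >= min_entropy)


if __name__ == "__main__":
    for ip, domain in flag_txt_tunnels(SAMPLE_LOG):
        print(f"suspicious TXT query pattern: {ip} -> {domain}")
```

Because the malware can still reach the attackers through the organization’s own approved resolver, the place to run a check like this is the resolver’s query log rather than the perimeter, and the per-client counts should be taken over a short window so a slow trickle of queries is not lost in the daily volume.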

Calls for Ransomware Protection for Universities to Be Augmented

Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented.

Ransomware: A Major Threat to Universities the World Over

Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor.

Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid.

Universities also use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals having access to Internet-facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted because they are the weak links in the security chain.

Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access.

In a similar vein, university networks tend to be more open than business networks, for example. Businesses tend to severely restrict access to networks, so if an attack occurs, the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.

Ransomware Protection for Universities Clearly Lacking

The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels. Many of those universities have been forced to pay the ransom demands to restore access to files.

Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles Valley College. According to a Newsweek report in August last year, two thirds of British universities had been attacked with ransomware. Queen’s University in Belfast, Northern Ireland, was one of those attacked. A ransom had to be paid to recover data. One university in the United Kingdom – Bournemouth University – experienced 21 ransomware attacks in the space of 12 months. The list goes on and on.

Malware is also a problem. The University of Alberta discovered a malware infection on 304 computers. A keylogger had been installed which recorded details of all information entered on infected computers, including login details.

It is unsurprising given the extent to which universities are being attacked that there have been numerous calls for ransomware protection for universities to be improved. But how can ransomware protection for universities actually be improved without causing major disruption to staff and students or overly restricting data access?

How Can Ransomware Protection for Universities be Improved?

Universities, like all organizations, must develop a strategy to prevent ransomware attacks and deal with them when they occur. Protections need to be improved to prevent attacks, technology needs to be employed to detect ransomware infections quickly, and policies and procedures must be developed so rapid action can be taken when attacks occur. Rapid action can greatly reduce the harm caused.

No university wants to overly restrict Internet access, but the use of a web filter is strongly recommended. Rather than blocking access to valuable information, an advanced web filtering solution such as WebTitan can be applied to restrict access to malicious websites and to block malware downloads. WebTitan has highly granular controls which allow restrictions to be put in place to prevent ransomware infections, without overblocking website content. Furthermore, Internet access controls can be easily set for different user groups.

At the very least, universities should apply web filtering controls to prevent the accessing of websites that are known to contain malware and should not rely on their anti-virus solution to provide this service.

It is also essential for controls to be applied to the email system to block emails containing malicious links and attachments. SpamTitan blocks 99.97% of spam emails and 100% of known malware using two anti-virus engines for extra protection. SpamTitan not only blocks incoming spam, but also performs scans of outgoing mail to prevent the spread of infections between end users.

Antivirus and anti-malware solutions should also be used and updated automatically. Intrusion detection systems should also be considered to ensure that infections are rapidly identified.

Good patch management policies are also essential to ensure vulnerabilities are not allowed to persist. Applying patches and software updates promptly reduces the risk of vulnerabilities being exploited.

Even with technologies in place, staff and students should be educated about the risk of cyberattacks, phishing, malware and ransomware. Best practices should be distributed via email to all staff and students along with information about any specific cyberthreats.

Unfortunately, unless ransomware protection for universities is greatly improved, the attacks are likely to continue. Cybercriminals view higher education institutions as soft and potentially highly lucrative targets. It is up to universities to take appropriate action to prevent malware and ransomware attacks.

Poor Cybersecurity Practices to Avoid

Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist.

This month we have seen two reports issued that have highlighted one of the biggest flaws in cybersecurity defenses at US enterprises: poor password hygiene.

The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices.

Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords.

Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Number three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds.

Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members.

The results of this survey were supported by later research conducted by TeleSign, who found a very blasé attitude to online security among U.S. citizens. Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents’ online accounts are guarded by duplicate passwords and 54% of respondents use five or fewer passwords across their entire online life.

While the Pew Research and TeleSign surveys did not specifically apply to businesses, these poor password practices are regrettably all too common in the workplace. Passwords used for corporate accounts are recycled for personal accounts, and poor password choices for company email accounts and even network access are common. Two-factor authentication is not a complete solution to the problem of poor personal password practices, yet only 38% of U.S. companies use it to protect their networks from poor corporate cybersecurity practices.
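
The cheapest defence against the passwords named above is to refuse them at the point of creation, together with the trivial variants (password1, P@ssw0rd) that users reach for once the base word is rejected. The following is an added example, not code from the article, SplashData or Pew Research. Its denylist is seeded only with the entries quoted in the text; the normalisation rules and the 12-character minimum are assumptions for the example, not a policy from the page, and a real deployment would load a full breached-password corpus instead.

```python
import re
import unicodedata

# Denylist seeded only with passwords quoted in the text. A production check loads a
# breached-password corpus with millions of entries instead of this handful.
WORST_PASSWORDS = {"123456", "password", "12345", "12345678", "password1"}

# Assumed substitutions people use to sneak a banned word past a naive check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
# Trailing digits and punctuation ("password1", "password!") are stripped before lookup.
TRAILING_JUNK = re.compile(r"[\d!?.@#$%^&*]+$")


def normalize_variants(password: str) -> set:
    """Forms of the password a denylist should be checked against: lower-cased,
    with trailing digits/punctuation removed, and with common leet substitutions undone."""
    lower = unicodedata.normalize("NFKC", password).lower()
    stripped = TRAILING_JUNK.sub("", lower)
    variants = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    return {v for v in variants if v}


def check_password(password: str, denylist=WORST_PASSWORDS, min_length: int = 12):
    """Return (accepted, reason). Denylist hits are reported before length so the user
    learns that 'password1' is rejected for being guessable, not for being short."""
    hits = normalize_variants(password) & set(denylist)
    if hits:
        return False, f"too close to a commonly used password ({sorted(hits)[0]})"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "password1", "P@ssw0rd!", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_password(candidate)}")
```

The normalisation is deliberately applied before the lookup rather than after: checking only the literal string would accept P@ssw0rd! while rejecting password, which is exactly the gap the worst-passwords list shows users exploiting.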


Poor Cybersecurity Practices That Leave Organizations Open to Cyberattacks

Unfortunately, poor cybersecurity practices persist in many organizations. IT departments concentrate on implementing sophisticated multi-layered defenses to protect their networks and data from hackers, yet are guilty of failing to address some of the most basic cybersecurity protections.

The failure to address the following poor cybersecurity practices at your organization will leave the door wide open, and hackers are likely to be quick to take advantage.

More than 4,100 data breaches of more than 500 records were reported by organizations in the United States in 2016*. Many of those data breaches could have been avoided if organizations had eradicated their poor cybersecurity practices.

Some of the main cybersecurity mistakes made by US companies include:

  • Not conducting a comprehensive, organization-wide risk assessment at least every 12 months
  • The failure to enforce the use of strong passwords
  • Not providing employees with a password manager to help them remember complex passwords
  • The continued use of unsupported operating systems such as Windows XP
  • Failure to apply patches and updates promptly
  • Not restricting the use of administrator accounts
  • Failure to adequately monitor devices for shadow IT
  • Failure to block macros from running automatically
  • Giving employees unnecessary access to data systems and networks
  • Not providing employees with cybersecurity awareness training
  • Not instructing employees on the safe handling of personally identifiable information
  • Failure to conduct anti-phishing simulation exercises
  • Failure to notify new employees and vendors of IT security policies and procedures before data access is provided
  • Not revising and updating IT security policies and procedures at least every six months
  • Failure to change default logins on networked devices
  • Failure to encrypt data on portable storage devices
  • Allowing employees full, unfettered access to the Internet
  • Failure to implement a spam filter to block malicious email messages
  • Failure to monitor applications with access to data
  • Failure to create appropriate access controls
  • Failure to monitor the activity of employees

*2016 Data Breach Report from Risk Based Security

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.

However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but could do little else. All book borrowing stopped, since it is not possible for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action.

What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.

Ransomware is malicious software that has been developed with one sole purpose: To encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption preventing files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt files in exchange for payment.

Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system’s computers – across 16 locations – were attacked and encrypted.

Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.

The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infection: wiping its entire system and reinstalling files from backups. That is not a quick process. It will certainly take days and could take weeks.

The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”

It is not clear how the infection occurred, although there are two main ways that ransomware is installed: via malicious spam email messages and by visiting malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.

Web Filters in Libraries are an Important Ransomware Defense

A spam filter can be used to filter out malicious messages. Those messages contain attachments, which if opened, infect computers or download ransomware. User interaction is required. If the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.

In the case of malicious links contained in emails – an alternative to attachments – a click will direct the user to a malicious website where ransomware is downloaded. Even if a link is clicked, access to the website can be blocked with a web filter. Web filters in libraries can also be configured to stop patrons and staff from visiting malicious sites while browsing the Internet. If a website that is known to be malicious is accessed – deliberately or accidentally – the site will not be displayed and infection will be blocked. Web filters in libraries can also block the downloading of files that are commonly used to infect computers – executable or JavaScript files for example.

The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.

10 Tips for Preventing Malware Infections

If you use a computer, you are at risk of having your device infected with malware; however, listed below are some useful tips for preventing malware infections.

Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections.

Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your – or your organization’s – data are being stolen.

However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.

10 Tips for Preventing Malware Infections

Back up your data

OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection – or of the removal of malware. The only way to recover from some infections is to wipe your system and restore it from a previously known safe point. You must therefore have a safe point that you can use. Nightly backups should be performed; you then stand to lose at most 24 hours of data.

Keep your malware definitions up to date

Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions 100% up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions or forget to set software to update automatically on all devices.

Never click on links or open email attachments from unknown senders

Cybercriminals target employees as it is far easier to gain access to a corporate network if an employee bypasses their organization’s defences and installs malware. All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start with a phishing email.

Ensure operating systems and software are patched promptly

Operating systems, firmware, and all software must be kept up to date. As soon as patches are released, cybercriminals will be reverse engineering them to uncover the vulnerabilities. Don’t delay applying patches. Good patch management policies are essential for preventing malware infections.

Watch out for shadow IT

Downloading pirated software is an excellent way to infect computers with malware. Pirated software is often bundled with malware, spyware, and all manner of nasties. Block the running of executables and keygens if practical. Only install software from trusted sources. As an additional check, before installing software, check the software provider’s MD5 hash against your copy. If it’s a match, install. If not, delete.
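
Here is an added example of the hash check this tip recommends (not code from the article). It streams the file so that large installers are not read into memory, compares in constant time, and accepts SHA-256 as well as MD5. MD5 still catches a corrupted or truncated download, but collisions against it are practical, so prefer a SHA-256 value wherever the vendor publishes one; and remember that a hash fetched from the same page as the download only proves that the two match. The installer bytes below are constructed inline.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, streamed in chunks so large installers are not held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hash: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published value.
    hmac.compare_digest compares in constant time; the case-folding copes with
    vendors that publish upper-case hex."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), published_hash.strip().lower())


def demo(algorithm: str = "sha256"):
    """Write a constructed 'installer', verify it, alter one byte, verify again.
    Returns (verdict_before_tamper, verdict_after_tamper)."""
    payload = b"constructed installer payload, not a real program\n" * 2000
    # The value a vendor would publish beside the download link (constructed here).
    published = hashlib.new(algorithm, payload).hexdigest().upper()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "setup.bin")
        with open(path, "wb") as f:
            f.write(payload)
        good = verify_download(path, published, algorithm)
        with open(path, "r+b") as f:  # a modified copy differs by as little as one byte
            f.seek(10)
            f.write(b"X")
        bad = verify_download(path, published, algorithm)
    return good, bad


if __name__ == "__main__":
    print("sha256:", demo("sha256"))  # expected (True, False)
    print("md5:   ", demo("md5"))     # expected (True, False)
```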

Take care with USB drives

Not all malware comes via the web or email. USB drives can easily introduce malware. Make sure your anti-malware solution is configured to automatically scan USB drives before granting system access and never plug in a drive from an unknown source.

Perform regular malware scans

Having anti-virus and anti-malware software will not necessarily mean your system is protected. Full system scans should still be performed. Some infections can slip under the radar. A full scan should be performed at least once a month.

Keep abreast of the latest malware trends

You may have limited time, but it is important to keep abreast of the latest attack trends, cyberattacks, data breaches, and threat reports. Check the warnings from US-CERT, and monitor websites such as DarkReading, CIO, CISO, and The Register. A little research goes a very long way.

Keep mobile devices protected

Mobiles can easily be used to introduce malware onto networks to which they connect. Mobiles are often used on unprotected Wi-Fi hotspots, and the devices are increasingly being targeted by hackers. Ensure security software is installed on mobile devices and security settings on phones are active.

Use a firewall, web, and Wi-Fi filtering

A firewall is an essential tool for preventing malware infections, although businesses should consider purchasing a next-generation firewall. Next-generation firewalls combine a traditional firewall with other network filtering functions. Web and Wi-Fi filtering solutions are also important. By filtering the Internet, it is possible to prevent drive-by malware downloads and carefully control the risks that employees take.

How to Prevent Ransomware Attacks

Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly.

Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices.

Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Lawyers’ offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack.

The loss of files can prove extremely expensive, often far exceeding the cost of any ransom payment. Many companies are therefore left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000, while 20% paid more than $40,000.

Even when the ransom is paid there is no guarantee that a viable key will be supplied to unlock the encryption. Files may therefore be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever. Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor access its patients’ data.

It is essential to learn how to prevent ransomware attacks and to implement appropriate defenses not only to stop attackers from installing ransomware, but to ensure a system is put in place that will allow data to be recovered without having to resort to paying a ransom.

Recovering from a ransomware attack can be extremely expensive. Ransom payments can be extortionate. Business can be lost while systems are out of action. Even applying keys that have been supplied by attackers can be long-winded: each encrypted device has its own key, and those keys must be applied very carefully. A forensic analysis is also important after a ransomware attack, to search for backdoors that may have been added and to determine whether data have been stolen. Additional protections then need to be put in place to prevent future attacks.

How to Prevent Ransomware Attacks

The first and most important step to take will not prevent ransomware attacks, but it will help you to recover from a ransomware attack promptly without having to resort to paying the ransom. Recovery will depend on you having a viable backup of your data. Total file recovery may not be possible, but it should be possible to recover the vast majority of your files.

For that to be possible, you must ensure that all files on all devices and network drives are backed up. That includes all removable drives such as flash drives. Backup files must be stored on a non-networked drive, in the cloud, or ideally on an air-gapped device – One that is unplugged as soon as the backup is performed. Multiple backups should ideally be made with one copy stored in the cloud and one on a detachable storage device. You should always store backups in multiple files. If one becomes corrupted, you will not lose all of your data.
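
The corrupted-backup failure mode described in the healthcare section earlier on this page and the multiple-copy advice here come down to the same check: a backup that has never been verified is not yet a backup. The following is an added example (not code from the article or from any backup product) that writes a SHA-256 manifest alongside a backup set and later verifies every file against it, reporting files that are missing or no longer match. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path: str) -> str:
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: str) -> dict:
    """Record the size and SHA-256 of every file in the backup set. Keep a copy of
    the manifest off the backup medium too, so damage to the medium cannot also
    erase the record of what it should contain."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir: str) -> dict:
    """Return {relative_path: 'missing' | 'corrupted'}. An empty dict means every
    file is present and byte-for-byte what was backed up, so a restore can proceed."""
    with open(os.path.join(backup_dir, MANIFEST_NAME), encoding="utf-8") as f:
        manifest = json.load(f)
    problems = {}
    for rel, meta in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif os.path.getsize(full) != meta["size"] or sha256_of(full) != meta["sha256"]:
            problems[rel] = "corrupted"
    return problems


def demo():
    """Build a constructed backup set, verify it, damage it, verify again.
    Returns (problems_before_damage, problems_after_damage)."""
    files = {  # constructed contents
        "records/patients.csv": b"id,name\n1,constructed-record\n",
        "config/app.ini": b"[database]\nhost=localhost\n",
    }
    with tempfile.TemporaryDirectory() as backup_dir:
        for rel, content in files.items():
            full = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        write_manifest(backup_dir)
        clean = verify_backup(backup_dir)
        # Simulate damage: overwrite the first bytes of one file, delete another.
        with open(os.path.join(backup_dir, "records/patients.csv"), "r+b") as f:
            f.write(b"\xff\xfe")
        os.remove(os.path.join(backup_dir, "config/app.ini"))
        damaged = verify_backup(backup_dir)
    return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("before damage:", before)  # expected {}
    print("after damage: ", after)
```

Run the verification against each copy (the detached drive and the cloud copy) on a schedule, not only when a restore is needed; the point of the exercise is to learn about a bad copy while the others are still good.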

  • Avoid the use of administrator accounts with extensive privileges as far as is possible. If an administrator account is required, use it and then change to a guest account with limited privileges. This will reduce the damage caused if the user’s machine is infected.
  • Ensure that all software is kept up to date and your organization employs good patch management practices. In particular, ensure browser and plugin updates are applied promptly. Vulnerabilities can all too easily be exploited and used to download ransomware.
  • If plugins are not required, remove them. Adobe Flash in particular, but also Java and Silverlight. If required, they should require activating individually as and when needed.
  • Ensure employees’ computers are configured to show file extensions. If full file extensions are displayed, it is easier to identify potentially malicious files with double extensions.
  • Ensure macros are disabled on all devices. At the very least, ensure macros do not run automatically.
  • Disable Remote Desktop Protocol (RDP) on all devices unless it is absolutely essential.
  • A web filter can be used to prevent end users from visiting malicious websites where ransomware can be downloaded. A web filter can also block malicious third-party adverts (malvertising).
  • End users should be instructed never to open files from unknown senders or to click on links contained in emails unless 100% sure that the links are genuine.
  • The use of a spam filter is strongly advisable. The spam filter should be configured to aggressively block threats. Executable file attachments should also be automatically quarantined.
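
The double-extension and executable-attachment items above can be enforced mechanically at the mail gateway. Below is an added example (not code from the article or from SpamTitan) that classifies attachment filenames: executables are quarantined, a document extension followed by an executable one is treated as a disguise, and macro-enabled Office files are flagged for review. The extension lists and the sample filenames are assumptions constructed for the example, not a complete policy.

```python
# Assumed extension lists for the example; a production filter would carry more.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".jar", ".msi"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".gif"}


def extensions_of(filename: str):
    """All dotted suffixes of a name, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe'].
    Surrounding whitespace is stripped so 'report.pdf.exe ' is not treated differently."""
    parts = filename.strip().lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename: str):
    """Return (action, reason) where action is 'quarantine', 'review' or 'allow'.
    Only the final extension decides what the operating system will execute, so a
    document extension in front of it is a disguise, not a mitigation."""
    exts = extensions_of(filename)
    if not exts:
        return "review", "no file extension"
    final = exts[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "quarantine", f"double extension {exts[-2]}{final} disguises an executable"
        return "quarantine", f"executable attachment type {final}"
    if final in MACRO_EXTENSIONS:
        return "review", f"macro-enabled document {final}"
    return "allow", ""


def triage(filenames):
    """Group a message's attachments by action; a single quarantine hit holds the message."""
    result = {"quarantine": [], "review": [], "allow": []}
    for name in filenames:
        action, _ = classify_attachment(name)
        result[action].append(name)
    return result


# Constructed sample attachments from one hypothetical message.
SAMPLE_ATTACHMENTS = ["Invoice.PDF.exe", "Q3-report.pdf", "payroll.xlsm", "update.js", "README"]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:20} -> {classify_attachment(name)}")
    print(triage(SAMPLE_ATTACHMENTS))
```

Classifying by the final extension is also why the earlier advice to show full file extensions on desktops matters: with extensions hidden, a user sees Invoice.PDF and the gateway is the only control left that notices the .exe behind it.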

Ransomware Protection Tips

There are a number of reasons why ransomware attacks have been increasing and why crypto-ransomware has now become one of the biggest and most worrying threats. However, the main reason is that ransomware is extremely profitable.

How profitable? According to a recent security report from McAfee Labs, one single ransomware author managed to pull in an incredible $121 million in ransomware payments in the first six months of 2016. Take off the expenses incurred and the author cleared $94 million in profit.

That was just one author. There are many. There are now more than 200 different ransomware families and many more variants of each. Fortunately, developing new ransomware is a complicated business that requires considerable programming skill. Unfortunately, there are many individuals who rent ransomware to conduct campaigns and take a cut of the profits.

The explosion in use of ransomware in the past two years is a cause for concern for all Internet users, especially for business owners. Unfortunately, the ransomware crisis is unlikely to be resolved any time soon. As long as it is profitable, the attacks will continue. Vincent Weafer, VP of Intel Security’s McAfee Labs, expects the revenues from ransomware infections in 2016 will be of the order of several hundreds of millions of dollars and most likely considerably more.

McAfee recorded 1.3 million new ransomware samples in the first half of 2016. The risk of infection with ransomware has increased as authors employ increasingly sophisticated methods of evading detection. Ransomware is also spreading faster and encrypting even more data to ensure victims have no alternative but to pay up.

But how is it possible to prevent ransomware attacks? Unfortunately, there is no silver bullet. Prevention requires several different strategies to be adopted. To prevent ransomware attacks, check out the ransomware protection tips below.

Ransomware Protection Tips

We have listed some ransomware protection tips below that will help you to avoid ransomware infections – and to avoid paying a ransom should the unthinkable happen.

The first rule of ransomware avoidance is backing up your data

The No More Ransom Project is a great initiative. When ransomware variants are cracked and decryptors developed, they are uploaded to the No More Ransom site, and victims can then decrypt their files for free. However, there are more than 200 ransomware families and fewer than 10 free decryptors. You don’t need to have majored in mathematics to work out that the probability of a decryptor being available is rather small. If you want to avoid paying a ransom, you must have a viable backup of your data.

The second rule of ransomware avoidance is backing up your data

Without a backup, paying the ransom may be the only way to get your data back, so you need to make sure you have a viable backup. One backup is not enough: keep a copy on an external hard drive and a second copy in the cloud. Disconnect the external drive as soon as the backup has completed, because ransomware encrypts every drive it can reach, including attached USB disks and mapped network shares. The cloud copy must keep file versions or be a true backup rather than a sync folder, since a sync client will faithfully upload the encrypted files over the good ones. Finally, a backup is only viable if it restores: test a restore periodically rather than discovering at the worst possible moment that the backup is incomplete or corrupt.
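The two backup rules above come down to one question: can the copy actually be restored, byte for byte, and has nothing touched it since? The following script is an added example (not code from the original page) of how to answer that. It records a SHA-256 manifest at backup time, re-verifies a copy against it before anyone depends on it, and flags changed files whose contents now have the near-8-bits-per-byte entropy of ciphertext, which is what a sync folder looks like after ransomware has already run. Every path, file name and file content in it is constructed for the demonstration.

```python
"""Backup viability check (added example, not from the original page).
Hashes every file at backup time, then proves a copy restores byte-for-byte
before anyone relies on it, and flags copies that a sync client has already
replaced with ransomware output. All paths and file contents are constructed."""
import hashlib
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.
    Store this next to the backup and keep a second copy elsewhere."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data,
    typically well under 6 for documents and spreadsheets."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest taken at backup time.
    Reports files that are missing, files whose hash changed and, among the
    changed ones, files that now look encrypted (high entropy)."""
    report = {"missing": [], "changed": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()[:65536]) > 7.5:
                report["suspicious"].append(rel)
    report["ok"] = not (report["missing"] or report["changed"])
    return report


def demo() -> dict:
    """Constructed scenario: an offline copy verifies; a copy on a sync folder
    that ransomware reached after the backup fails and is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        src.mkdir()
        (src / "report.txt").write_text("Quarterly figures\n" * 200)
        (src / "notes.txt").write_text("Meeting notes\n" * 50)
        manifest = build_manifest(src)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=1))

        offline = Path(tmp) / "offline_copy"      # drive disconnected after backup
        shutil.copytree(src, offline)
        synced = Path(tmp) / "synced_copy"        # still mounted when ransomware ran
        shutil.copytree(src, synced)
        (synced / "report.txt").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (synced / "notes.txt").unlink()                        # wiped by the attacker

        return {"offline": verify_backup(manifest, offline),
                "synced": verify_backup(manifest, synced)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

Run `verify_backup()` against the disconnected drive and the cloud copy on a schedule, and treat a non-empty `suspicious` list as an incident rather than a backup hiccup: it means the infection reached a location you were counting on.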

Keep software up to date

Vulnerabilities are constantly being discovered and patches issued to plug security holes. Even if no exploit existed when a vulnerability was disclosed, attackers can reverse engineer the patch to work out what it fixes, so once a patch is released it is only a matter of time before an exploit is developed. It is therefore essential to apply patches and install software updates promptly, prioritizing critical updates and anything that is already being exploited in the wild.

Remove unnecessary software and browser plugins

If you have browser plugins installed that you never use, remove them. They are an unnecessary risk. Of particular concern are Adobe Flash, Java, and Silverlight: vulnerabilities are regularly discovered in these plugins, exploit kits target them heavily, and for many businesses they are surplus to requirements. Remove them, or at least set them to click-to-play so that they only run when a user manually activates them.

Block adverts

Malvertising may not be the most common method of ransomware delivery but the risk should be mitigated nonetheless. Businesses should use an adblocker to prevent malicious adverts from being displayed. Do your employees need to see web adverts? If not, why take the risk?

Filter the Internet

Malicious websites containing exploit kits can probe for a wide range of security vulnerabilities and leverage these to silently download ransomware. WebTitan can be configured to block websites known to contain malware and block sites by category. Categories of websites known to be ‘high risk’ can be blocked, as well as sites that have no work-purpose. Blocking access to certain categories of websites can greatly reduce the risk from web-borne ransomware and malware infections.

Conduct security awareness training

Security awareness training is not just for employees. All individuals in an organization should be taught the security basics, from the CEO down. Training should cover phishing awareness and avoidance, ransomware and malware, and security best practices such as never opening emails from unknown sources, not enabling macros, and avoiding clicking links in spam and suspicious emails.

Turn off macros

Macros are used in many organizations, but not by the majority of employees. Macros should be disabled on all devices unless essential, and even then, macros should be enabled manually, per document, only when required. Office 2016 also includes a Group Policy setting that blocks macros in Office files downloaded from the Internet, which covers the most common ransomware delivery route without disabling macros in internally created documents.

Employ a robust spam filtering solution

A paid-for spam filtering solution should be installed to catch spam emails and prevent delivery. Email is one of the most commonly used ransomware delivery mechanisms. Anti-spam solutions such as SpamTitan can greatly reduce the probability of employees’ security training being put to the test.

Use anti-malware and anti-virus solutions

Employ anti-malware and anti-virus solutions that include a real-time scanning feature and set the solutions to update virus/malware definitions automatically. Full system scans should also be periodically conducted.

New Lenovo Bloatware Vulnerability Discovered

The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability in the Superfish adware that came pre-installed on Lenovo laptops: Superfish installed its own root certificate, with the same private key on every machine, which allowed HTTPS traffic to be intercepted.

Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computers and laptops. These programs can slow down computers and consume disk space and memory, yet offer the user little in the way of benefits. The updaters that ship with them exist to push the vendor’s own application updates, not to improve the security of the device.

Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates.

Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater which has been found to contain a vulnerability that could potentially be exploited allowing man-in-the-middle attacks to be conducted.

New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended

The Lenovo Accelerator Application has been pre-installed on a wide range of desktop computers and notebooks that shipped with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist.

The application’s UpdateAgent component contacts Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers. DuoLabs investigated pre-installed software from a number of PC manufacturers to check for security vulnerabilities and found that Lenovo’s UpdateAgent was particularly vulnerable to attack.

DuoLabs reported that the updater had “no native security,” and that “executables and manifests are transmitted in the clear and no code-signing checks are enforced.” Because the manifest tells the client which executable to download and the client verifies nothing about either, anyone on the network path (on the same public Wi-Fi, for instance) can intercept these communications and manipulate the responses, substituting their own executable for the genuine update.
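To make the two quoted failings concrete, the following added example (not Lenovo’s code and not Duo Labs’ proof of concept) simulates an update client twice: a “vulnerable” version that trusts a cleartext manifest and runs whatever arrives, and a “hardened” version that authenticates the manifest, requires the download to come from the vendor’s HTTPS origin, and pins the executable’s SHA-256 before handing it to the installer. The server, the wire and the man-in-the-middle are in-memory stand-ins, the executables are short byte strings, and an HMAC under a constructed vendor key stands in for the asymmetric code-signing signature a real client would verify with the vendor’s public key.

```python
"""Software-updater check (added example, not Lenovo's or Duo Labs' code).
The 'vulnerable' client behaves as the report describes: it trusts a cleartext
manifest and runs whatever executable arrives. The 'hardened' client refuses
to run anything unless the manifest authenticates and the executable's hash
matches the one the manifest pins. Server, wire and attacker are simulated in
memory; an HMAC under VENDOR_KEY stands in for the asymmetric code-signing
signature a real client would verify with the vendor's public key."""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-signing-key"   # assumption: a real client ships only a public key


class UpdateRejected(Exception):
    pass


def sign_manifest(manifest: dict) -> bytes:
    """Vendor side: canonical JSON plus an authentication tag over it."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "signature": tag}).encode()


def vulnerable_update(fetch) -> bytes:
    """Mirrors the reported flaw: cleartext transport, no signature check,
    no hash check; the returned bytes would be executed as-is."""
    manifest = json.loads(fetch("http://updates.example/manifest.json"))["manifest"]
    return fetch(manifest["url"])


def hardened_update(fetch) -> bytes:
    """Fail closed: authenticate the manifest, require the vendor's HTTPS
    origin for the download, and pin the executable's SHA-256."""
    envelope = json.loads(fetch("https://updates.example/manifest.json"))
    manifest, tag = envelope["manifest"], envelope["signature"]
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise UpdateRejected("manifest signature invalid")
    if not manifest["url"].startswith("https://updates.example/"):
        raise UpdateRejected("download URL outside the vendor's origin")
    payload = fetch(manifest["url"])
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("executable hash does not match manifest")
    return payload


GENUINE = b"MZ genuine-agent-build"      # constructed stand-ins for executables
MALICIOUS = b"MZ attacker-build"


def make_fetch(attacker=None):
    """Constructed server plus wire; attacker(url, bytes) tampers in flight."""
    signed = sign_manifest({"version": "2.1.0",
                            "url": "https://updates.example/agent.exe",
                            "sha256": hashlib.sha256(GENUINE).hexdigest()})
    server = {"http://updates.example/manifest.json": signed,
              "https://updates.example/manifest.json": signed,
              "https://updates.example/agent.exe": GENUINE,
              "https://evil.example/agent.exe": MALICIOUS}

    def fetch(url: str) -> bytes:
        data = server[url]
        return attacker(url, data) if attacker else data
    return fetch


def swap_payload(url, data):
    """MITM replaces the executable but leaves the manifest alone."""
    return MALICIOUS if url.endswith("agent.exe") else data


def swap_manifest(url, data):
    """MITM forges a manifest pointing at its own host, with a matching hash."""
    if url.endswith("manifest.json"):
        forged = {"version": "9.9.9", "url": "https://evil.example/agent.exe",
                  "sha256": hashlib.sha256(MALICIOUS).hexdigest()}
        return json.dumps({"manifest": forged, "signature": "0" * 64}).encode()
    return data


def run_scenarios() -> dict:
    """Outcome of each client under no attack and both tampering attacks."""
    results = {}
    for client in (vulnerable_update, hardened_update):
        for name, attacker in (("clean", None), ("swap_payload", swap_payload),
                               ("swap_manifest", swap_manifest)):
            try:
                got = client(make_fetch(attacker))
                outcome = "ran genuine" if got == GENUINE else "RAN ATTACKER CODE"
            except UpdateRejected as e:
                outcome = f"rejected: {e}"
            results[f"{client.__name__}/{name}"] = outcome
    return results


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:32} {v}")
```

The point of the two attacker functions is that transport security alone is not the fix: even if the attacker can rewrite bytes in flight, the hardened client rejects a swapped executable (hash mismatch) and a forged manifest (signature mismatch), so the worst outcome is a failed update rather than attacker code running as the update service.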

Lenovo has responded by issuing an advisory recommending that all owners of the affected devices uninstall the software application. This is a straightforward task that can be performed by opening Settings, selecting Apps & features on a Windows 10 computer, selecting the Lenovo Accelerator Application and uninstalling the program.

FBI Warns of Increase in Extortion Email Schemes

The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a new wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data.

Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms.

Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected.

These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have only just been listed for sale online. The full scale of these breaches had gone undiscovered until recently.

Extortion Email Schemes Threaten Exposure of Sensitive Data

Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained.

In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.

The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on social standing.

To stop the distribution of these data, victims are required to pay the attackers anywhere from 2 to 5 Bitcoin – between $250 and $1,200 according to the alert. A Bitcoin address is sent in the email which the victims must use. Because the address is not tied to any identity, the payment is difficult to trace, although Bitcoin is pseudonymous rather than truly anonymous.

After analyzing the extortion email schemes, the FBI has concluded that the attacks are the work of multiple individuals. The FBI has advised against paying the ransoms as this will only ensure that this criminal activity continues. Paying a ransom is no guarantee that further demands will not be received.

Any person receiving an email that they believe to be an extortion email scheme should contact their local FBI office and send a copy of the email with the subject “extortion E-mail scheme,” along with details of the Bitcoin address where payment has been asked to be sent.

Extortion email schemes are often sent out randomly in spam email; however, responding to an email will alert the attacker that the email account is active and is being checked. The best course of action is to ignore the email, to log into social media accounts and change all passwords, and to carefully monitor bank accounts and credit card statements. The FBI also advises individuals to ensure social media accounts are configured with the highest level of privacy settings and to be extremely careful about sharing any sensitive data online.
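Because these messages are sent in bulk with the same handful of ingredients, a mail gateway or a help desk can triage them automatically. The script below is an added example, not the FBI’s or the page’s own code: it parses one message, scores it on the indicators the alert describes (a Bitcoin address, a demand priced in BTC, a claim to hold personal data, a threat to contact friends, family or employer, social-pressure language, and a deadline) and extracts the Bitcoin address the FBI asks victims to include in their report. The two sample messages, the sender names and the Bitcoin address in them are constructed; the address has no valid checksum and the scoring threshold is an assumption to tune against your own mail flow.

```python
"""Extortion-email triage (added example, not the FBI's or the page's code).
Scores an email on the indicators the alert describes and extracts the
Bitcoin addresses the FBI asks victims to include in a report. The sample
messages, senders and the address in them are constructed."""
import email
import re
from email import policy

# Legacy (P2PKH/P2SH) address shape: leading 1 or 3, then 25-34 Base58 characters.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_AMOUNT = re.compile(r"\b(\d+(?:\.\d+)?)\s*(?:btc|bitcoins?)\b", re.I)

INDICATORS = {
    "claims_personal_data":
        r"\b(we|i)\s+(have|hold)\b.{0,60}\b(name|address|telephone|phone|credit card|password)\b",
    "threat_to_contacts":
        r"\b(send|forward|mail|release|expose|distribute|publish)\b.{0,80}\b(friends|family|employer|contacts|colleagues)\b",
    "social_pressure":
        r"\b(divorce|reputation|social standing|relationships?|embarrass)\w*",
    "deadline":
        r"\b(within|you have)\s+\d+\s+(hours|days)\b",
    "payment_demand":
        r"\b(pay|payment|send|transfer)\b.{0,40}\b(btc|bitcoins?)\b",
}
LIKELY_SCAM_SCORE = 4   # assumption: tune against your own mail flow


def analyze(raw_message: str) -> dict:
    """Parse one RFC 822 message and return indicators, score and verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    flags = re.I | re.S
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, flags)]
    addresses = sorted(set(BTC_ADDRESS.findall(text)))
    amount = BTC_AMOUNT.search(text)
    score = len(hits) + (2 if addresses else 0) + (1 if amount else 0)
    if score >= LIKELY_SCAM_SCORE:
        verdict = "likely extortion scam: do not reply or pay; report with the address"
    elif score:
        verdict = "some indicators: review manually"
    else:
        verdict = "no extortion indicators"
    return {"from": str(msg.get("From", "")), "indicators": hits,
            "btc_addresses": addresses,
            "amount_btc": float(amount.group(1)) if amount else None,
            "score": score, "verdict": verdict}


# Constructed sample messages; the Bitcoin address is made up and has no valid checksum.
EXTORTION_SAMPLE = """From: anon@mailer.example
To: victim@example.org
Subject: I know what you did

We have your name, address, telephone number and credit card details, and
full access to your social media accounts and everyone on your contact list.
Unless you pay 2 BTC within 48 hours we will send your credit card
transactions and browsing history to your friends, family and employer.
The cost of a divorce is far higher than our small fee.
Send the payment to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab and this goes away.
"""

BENIGN_SAMPLE = """From: dana@example.org
To: team@example.org
Subject: Newsletter draft

Hi team, the piece on Bitcoin is ready for review. Bitcoin closed slightly
higher today; see the attached summary. Thanks, Dana
"""


if __name__ == "__main__":
    for sample in (EXTORTION_SAMPLE, BENIGN_SAMPLE):
        print(analyze(sample))
```

The benign sample mentions Bitcoin twice and still scores zero, which is the behaviour you want: the verdict comes from the combination of a payment address, a priced demand and threat language, not from any single keyword.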

How to Reduce Risk of Malware Infections from Websites

To reduce the risk of malware infections from websites you can avoid certain types of sites that are commonly used by cybercriminals to infect visitors: sites containing pornography, torrent sites, and online marketplaces selling illegal medication, for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors.

The unfortunate reality is that browsing the Internet and only visiting what are perceived to be “safe sites” does not mean that you will not be exposed to malware, malicious code, and exploit kits. Hackers are increasingly compromising legitimate websites to redirect visitors to sites containing exploit kits that download malware and ransomware.

Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.

High Profile Websites Compromised and Used to Deliver Ransomware to Visitors

This week, two new websites were found to have been compromised and were used to infect visitors with malware.

The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting the site placed them at risk of having their computer files locked with powerful file-encrypting ransomware.

However, that is exactly what has been happening. Hackers injected a malicious iframe into the site which redirected visitors to a website containing the Angler Exploit Kit. Angler probes visitors’ browsers for security vulnerabilities and exploits them, silently downloading a payload of malware. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims’ devices.

A second malvertising campaign was also conducted that redirected visitors to a different website. The exploit kit used to infect redirected visitors was different, but the end result was the same. A malicious payload was downloaded onto their devices.

Another well-known website was also discovered to have been compromised this week: the website of the world-renowned French film production company Pathé. Hackers had managed to embed malicious code in one of the webpages on the site. The code similarly redirected users to a site hosting the Angler Exploit Kit, which was used to infect visitors with CryptXXX ransomware.
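Both compromises above used the same mechanism: a frame or script injected into an otherwise legitimate page, pulling content from a host the site owner never chose, and usually hidden from view so that nobody notices. A site owner can check for exactly that. The script below is an added example, not code from the original page or from either of the affected sites: it parses a page’s HTML and reports iframes and scripts that are hidden (1x1, display:none, or positioned off-screen) or that load from a host other than the site itself or an explicit allowlist. The sample HTML, hostnames and allowlist are constructed.

```python
"""Injected-frame audit (added example, not from the original page). Parses a
page's HTML and reports iframes and scripts that are hidden (1x1, display:none,
or positioned off-screen) or that pull content from a host other than the
site itself or an explicit allowlist: the pattern used to bounce visitors to
an exploit kit. The sample HTML, hostnames and allowlist are constructed."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse


def _px(value) -> Optional[int]:
    """Parse '1', '1px' etc.; None when absent or not numeric."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except (TypeError, ValueError):
        return None


def _is_hidden(attrs: dict) -> bool:
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = all(_px(attrs.get(k)) is not None and _px(attrs.get(k)) <= 1
               for k in ("width", "height"))
    offscreen = re.search(r"(left|top|text-indent):-\d{3,}", style) is not None
    return tiny or offscreen or "display:none" in style or "visibility:hidden" in style


class FrameAuditor(HTMLParser):
    def __init__(self, site_host: str, allowlist=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allow = {h.lower() for h in allowlist}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                                   # inline script: out of scope here
        host = (urlparse(src).hostname or self.site_host).lower()   # relative src = same host
        hidden = _is_hidden(a) if tag == "iframe" else False
        offsite = host != self.site_host and host not in self.allow
        if hidden and host != self.site_host:
            severity = "high"      # hidden frame to a third-party host: classic redirect injection
        elif hidden or offsite:
            severity = "medium"
        else:
            return                                   # same-site or allowlisted, and visible
        self.findings.append({"tag": tag, "src": src, "host": host,
                              "hidden": hidden, "severity": severity})


def audit_html(html: str, site_host: str, allowlist=()) -> list:
    auditor = FrameAuditor(site_host, allowlist)
    auditor.feed(html)
    return auditor.findings


# Constructed page: a normal embed, a first-party script, an ad loader, and
# a 1x1 off-screen iframe of the kind injected into compromised sites.
SAMPLE_HTML = """<html><head><title>Celebrity news</title>
<script src="/static/site.js"></script>
<script src="https://cdn.partner-ads.example/loader.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://redirect.example.net/gate.php" width="1" height="1"
        style="position:absolute; left:-9999px;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example-news.com", ["www.youtube.com"]):
        print(f["severity"].upper(), f["tag"], f["src"])
```

Run it against a fresh fetch of your own pages on a schedule and diff the findings against the previous run; a new “high” entry pointing at a host you do not recognise is the signal the PerezHilton and Pathé compromises would have produced.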

How to Reduce the Risk of Malware Infections from Websites

Exploit kits take advantage of security vulnerabilities in browsers. To reduce the risk of malware infections from websites it is essential that browsers are kept up to date, and that includes all browser plugins. If no security vulnerabilities existed, there would be nothing for exploit kits to exploit.

However, zero-day vulnerabilities are emerging all the time and software manufacturers are not always quick to develop fixes. Adobe was alerted to a new zero-day vulnerability a few days ago, yet they only just released a fix. During that time, the vulnerability could have been exploited using exploit kits. Cybercriminal gangs are quick to incorporate new zero-day vulnerabilities into their exploit kits and do so faster than software companies can release fixes. Ensuring all updates are installed promptly is a great way to reduce the risk of malware infections from websites, but additional measures need to be taken.

If you really want to improve your – or your company’s – security posture and really reduce the risk of malware infections from websites, you should use a web filtering solution. This is particularly important for businesses to ensure that employees do not inadvertently compromise the network. It can be difficult to ensure that all devices used to connect to the network are kept 100% up to date, 100% of the time.

A web filtering solution can be configured to block malvertising, blacklists can be used to prevent compromised websites from being accessed, and malware downloads can be prevented. Along with good patch management practices, it is possible to effectively reduce the risk of malware infections from websites.

Adobe and Microsoft Issue Updates to Address Actively Exploited Security Vulnerabilities

This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical.

The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits.

Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, a memory-corruption flaw in the way the JScript and VBScript scripting engines handle objects in memory. An attacker who exploits it gains the same level of privileges as the current user; if that user is logged in with administrative rights, the attacker can take control of the entire system, installing new programs, creating new accounts, or viewing, modifying or deleting data. The update corrects how the scripting engines handle objects in memory.

The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability.

The MS16-052 security update tackles a vulnerability in Microsoft Edge which similarly changes how objects in the memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.

Bulletin MS16-064 is also a priority update, patching critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and Internet Explorer on Windows 8 and later, Microsoft distributes Adobe Flash fixes through its own updates. While these security flaws are not believed to have been exploited in the wild, it will not be long before they are included in exploit kits.

Microsoft may have fixed its actively exploited security vulnerabilities, but despite Adobe issuing patches for Acrobat, ColdFusion, and Reader on Tuesday, Flash remains vulnerable to attack. Adobe has yet to issue a patch for an actively exploited Flash security vulnerability (CVE-2016-4117) that affects version 21.0.0.226 and all earlier versions of the platform. This vulnerability has been included in exploit kits and can be used to take control of devices. In total, Adobe fixed 92 separate vulnerabilities in its Tuesday update.

Between Microsoft and Adobe, 143 vulnerabilities have been addressed this week. With hackers quick to add the vulnerabilities to website exploit kits, it is essential that patches are installed rapidly. These actively exploited security vulnerabilities also highlight the importance of using a web filtering solution to prevent users from visiting compromised websites where the vulnerabilities can be exploited.

WebTitan Cloud – Game Changing Web Security Service for MSPs

Finding a web security service for MSPs can be a time consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs.

The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor.

Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs need to be easy to install and maintain, and have a low management overhead.

Low-cost solutions that are quick to install and easy to maintain allow MSPs to incorporate them into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace.

The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPs to strengthen their own brand image rather than promoting someone else’s.

Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.

WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes

WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.

Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by blocking anonymizer services. Encrypted web traffic is also inspected.

Implementation could not be any easier. There is no need for any hardware purchases or software downloads. All that is required is a change to the DNS to point to our servers and the Internet can be filtered in under 2 minutes.

Configuring each client to incorporate their AUPs is also a quick and easy process requiring no technical expertise. Highly granular controls ensure AUPs can be quickly and easily applied. There is no need to use on premise support teams. Everything can be monitored via the control panel from any Internet browser. There is no hardware or software to maintain and no patches to apply, reducing management overhead considerably. Cloud keys can be supplied to allow guests to bypass organization-wide content control settings, with time-limits applied to prevent abuse.

Reporting is effortless. A full suite of pre-defined reports can be generated automatically and scheduled for each client to allow Internet access to be carefully monitored.

We also offer fully white-labeled solutions for MSPs allowing logos, branding, and corporate color schemes to be easily incorporated. We are also more than happy to allow WebTitan Cloud to be hosted within an MSP’s own infrastructure.

What Your Customers Get

  • Ransomware, malware, and phishing protection. Protection from malware, ransomware and the web-based component of phishing attacks. More than 60,000 malware iterations are blocked every day.
  • A quick and easy to use DNS filter to manage and control web usage – Block malicious sites and control the web content employees and guest users can access.
  • Easy to implement; Easy to use. Customer accounts are up and running within 20 minutes
  • Improve network performance: A low-latency DNS filtering solution that can be used to reduce bandwidth waste and abuse.
  • Highly granular content filtering with flexible user policies
  • Support for dynamic IPs
  • Works with any device
  • Full reporting suite. WebTitan contains a comprehensive reporting suite providing automated graphical reports and extensive reports on demand.
  • Fully automated updating – Does not add to your patching burden and requires minimal management while ensuring maximum security.
  • Whitelists and blacklists Global whitelists and blacklists and custom categories can be configured to allow/block by full website address or by IP address

Benefits for MSPs

  • Save on customer support time, hours and cost – No more costly ransomware call outs.
  • Easy to deploy, manage and sell our award-winning cloud-based web filtering solution
  • Simple integration into your existing service stack through APIs and RMM integrations
  • Competitive pricing with a core focus on the SMB market.
  • Generous margins and monthly billing
  • White labelling – WebTitan can be fully rebranded with your logos and color scheme with us working seamlessly in the background.
  • Set & forget. WebTitan requires minimal IT service intervention
  • Short sales cycle – only a 14 day free trial required to test
  • World class support – The best customer service in the industry with scalable pre-sales and technical support and sales & technical training
  • Multi-tenant dashboard – MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis

To find out more about why WebTitan Cloud is a game changing web security service for MSPs contact our sales team today!

MSP Testimonials

“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique, in that it totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superbly easy and it can be done in just a few minutes, which saves my time and energy as well.” Kristie H. Account Manager

“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. It has provided us with a stable web filtering platform that has worked well for us for many years. ” Derek A. Network Manager

“WebTitan is outstanding software that helps me a lot in minimizing viruses. The thing I like most about WebTitan is that it is extremely easy to use and configure. I like its clear interface. It lets us block malicious content and spam easily. It is no doubt an amazing product helping us a lot in kicking out harmful bad stuff.” Randy Q. Software Engineer

“By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs.” MSP, Washington, US 

“Web filtering is one of the, if not the, greatest bang for your buck services. Its built-in anti-malware has protected our clients, saving us thousands of hours of repair time, I am absolutely certain.” MSP, New York, US

“a key part of our security stack as we’ve scaled to over 6,000 managed endpoints, while decreasing virus and malware related tickets by 70%.” MSP, Boston, US

“It has paid for itself many times over by reducing malware calls.” MSP, Toronto, Canada