Network Security

Far too often, news of data breaches is accompanied by details of the failures in network security that allowed a hacker access to confidential data. Many of these failure are avoidable with adequate precautions such as a spam email filter and mechanism for controlling access to the Internet.

Almost as many breaches in network security can be attributed to poor employee training. Password sharing, unauthorized downloads and poor online security practices can result in hackers gaining easy access to a network and extracting confidential data at will.

It has been well chronicled that hackers will bypass organizations with strong network security and turn their attention to fish that are easier to catch. Make sure your organization does not get caught in the net – implement appropriate web filters and educate your employees on the importance of network security.

New WannaCry Ransomware Variants Identified

The version of WannaCry ransomware used in Friday’s attacks has been blocked, although new WannaCry ransomware variants have been detected.

U.S Escapes WannaCry Relatively Unscathed

The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS).

While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 organizations have reported a WannaCry ransomware attack to DHS.

The ransomware attacks have now stopped, although organizations that have experienced an infection that has resulted in files being encrypted must recover those files from a backup, accept data loss, or pay the attackers for the decryption keys.

The attackers have so far made around $81,000 from their ransomware campaign, according to @actual_ransom. With a ransom payment of $300 per infected device, many payments have already been made; however, given the number of devices locked by the ransomware, most victims are not paying the attackers to unlock their files.

WannaCry ransomware encryptions were stopped when a security researcher (Malware Tech) from the UK discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, a check was performed on a nonsense domain. If a connection to that domain was successful, the ransomware would exit. If connection to the unregistered domain failed, the ransomware would proceed and encrypt files. By registering that domain, Malware Tech stopped further encryptions.

WannaCry Victims Appear to Have Been Contacted by the Attackers

In an apparent effort to increase the profits from the campaign, the attackers have generated pop up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear.

Paying ransom demands only encourages attackers to conduct further attacks. Ransom payments can be used by the attackers to fund further ransomware campaigns. There is also no guarantee that the attackers will supply valid keys to unlock data, even if they say they will. The advice from the Federal Bureau of Investigation (FBI) is never to pay a ransom unless it is absolutely necessary.

New WannaCry Ransomware Variants Detected

While the version of WannaCry ransomware used in Friday’s attacks has been stopped, that is not the only version of the ransomware being used. New WannaCry ransomware variants have been identified.

A second version was identified by researcher Matt Suiche. This version also included a kill switch, but used a different domain. Suiche registered that second domain and prevented 10,000 infected machines from having files encrypted.

A third version of Wannacry ransomware was also identified by Kaspersky Lab without the kill switch, although in that case, the ransomware component had been corrupted and infected computers would not have data encrypted.

The WannaCry attacks used the ETERNALBLUE exploit published by Shadow Brokers last month, which takes advantage of a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). The threat from WannaCry may be temporarily over, although WannaCry is not the only threat that uses the ETERNALBLUE exploit and the DoublePulsar backdoor.

Researchers at Proofpoint have identified another threat that similarly uses the exploit to gain access to computers. In this case, the goal is not to encrypt files or even steal data. The attackers install Adylkuzz – a program that hogs computer resources and mines the cryptocurrency Monero.

How to Block the ETERNALBLUE Exploit

Other cybercriminals may also be using the ETERNALBLUE exploit and new WannaCry ransomware variants may be released without the kill switch. To block attacks, organizations should ensure that the MS17-010 patch is applied to plug the vulnerability. Older operating systems (Windows 8, Windows Server 2003, and Windows XP) can also be patched and protected against WannaCry ransomware attacks and other malware that use the ETERNALBLUE exploit. Any organization that has port 445 open should also ensure the port is closed, and if SMB must be used over the Internet, SMB should be used through an internal network via a VPN.

Researchers Discover Pre-Installed Keylogger on HP Laptops

Browsing the Internet can result in malware and spyware downloads, malicious software can arrive via spam email, but a fresh-out-of-the-box laptop computer should be totally malware free. But not always. A pre-installed keylogger on HP laptops has recently been identified by Swedish security firm Modzero.

Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014, Lenovo laptop computers were shipped with ‘malware’ already installed that made the devices vulnerable to man-in-the-middle attacks. The program was Superfish.

The pre-installed keylogger on HP laptops does not appear to be used for any malicious purposes, although there is considerable potential for the program to be abused. The spyware records all keystrokes on the laptops after a user logs in and stores that information in a local drive. In some situations, the keystrokes will be passed to an API on the laptop.

The keylogger was discovered in an audio driver package – Conexant HD Audio Driver Package 1.0.0.46 and earlier versions. The offending file is MicTray64.exe, located in the C:\windows\system32\ folder.

Each time a user logs in, the program is scheduled to run. The file monitors all keystrokes on the device in order to monitor for special keystrokes. The program was developed by, Conexant, the audio chip manufacturer. The program has been included on HP laptops since December 2015.

While the software itself does not exactly pose a threat, the way the program logs the keystrokes allows the recorded keystrokes to be easily accessed. The log file created by the software is stored in the public folder (C:\users\public\MicTray.log) and can therefore be accessed by anyone.

The file is overwritten each time a user logs in, but any keystrokes recorded during that session could be accessed by anyone with access to the device. Additionally, if the registry key with the filepath is missing or corrupted, the keystrokes will be passed to a local API called OutputDebugString API.

Malware installed on the device could potentially allow the log file to be copied, and along with it, all keystrokes from the session. It would also be possible for keystrokes to be obtained in real-time.

The inclusion of the keylogger on HP laptops was an error according to HP. It was used as a debugging tool and should have been removed in the final version of the product.

HP has responded to the discovery by releasing a patch to fix the issue, which is available from the HP website or via Microsoft Update. All owners of HP laptops purchased since December 2015 should download the patch to mitigate the issue.

Models found to contain the pre-installed spyware include the following 28 models of HP laptops:

  • HP EliteBook 820 G3 Notebook PC
  • HP EliteBook 828 G3 Notebook PC
  • HP EliteBook 840 G3 Notebook PC
  • HP EliteBook 848 G3 Notebook PC
  • HP EliteBook 850 G3 Notebook PC
  • HP ProBook 640 G2 Notebook PC
  • HP ProBook 650 G2 Notebook PC
  • HP ProBook 645 G2 Notebook PC
  • HP ProBook 655 G2 Notebook PC
  • HP ProBook 450 G3 Notebook PC
  • HP ProBook 430 G3 Notebook PC
  • HP ProBook 440 G3 Notebook PC
  • HP ProBook 446 G3 Notebook PC
  • HP ProBook 470 G3 Notebook PC
  • HP ProBook 455 G3 Notebook PC
  • HP EliteBook 725 G3 Notebook PC
  • HP EliteBook 745 G3 Notebook PC
  • HP EliteBook 755 G3 Notebook PC
  • HP EliteBook 1030 G1 Notebook PC
  • HP ZBook 15u G3 Mobile Workstation
  • HP Elite x2 1012 G1 Tablet
  • HP Elite x2 1012 G1 with Travel Keyboard
  • HP Elite x2 1012 G1 Advanced Keyboard
  • HP EliteBook Folio 1040 G3 Notebook PC
  • HP ZBook 17 G3 Mobile Workstation
  • HP ZBook 15 G3 Mobile Workstation
  • HP ZBook Studio G3 Mobile Workstation
  • HP EliteBook Folio G1 Notebook PC

Study Reveals Cybersecurity Awareness in America is Poor

Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals are unwittingly taking when venturing online.

The study was conducted on 1,055 adult Americans, who were each asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing means and the level of protection offered by insecure WiFi networks using a VPN. The study showed that cybersecurity awareness in America is poor and consumers are potentially taking major risks online.

While all 13 questions should have been answered correctly ‘security aware’ individuals, only 1% were able to answer all questions correctly. A substantial majority of adult Americans that took the questionnaire were only able to answer two of the questions correctly. The median was 5 correct answers out of 13, the mean 5.5, and only 20% of participants were able to answer more than 8 answers correctly.

Three quarters of participants were able to identify the most secure password in a list and 73% of respondents were aware that the use of public WiFi networks carries a major risk and should not be used for sensitive activities such as online banking, even if the WiFi network required the use of a password.

However, cybersecurity awareness was much worse for all other areas tested by the survey. Just over half of respondents were able to correctly identify what a phishing attack involved, which is a particularly worrying result considering how widespread the use of phishing is.

Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of survey participants were able to correctly identify what ransomware is and only 46% knew that email was not encrypted by default.

Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites.

Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than just a method of differentiating between a human web visitor and a bot.

The survey showed cybersecurity awareness improved with the level of education in all areas tested by the study. Younger participants (18-29) were also more likely to answer questions correctly than the older age groups.

The share of incorrect answers was relatively low, with many opting to answer the questions with ‘not sure.’ While the survey does not show that cybersecurity awareness is woefully inadequate, it does clearly indicate that when it comes to cybersecurity awareness, there is considerable room for improvement.

While it is the responsibility of every individual to ensure they are aware of the risks when venturing online and should take steps to protect their identities and bank accounts, the survey confirms what many IT security professionals know all too well. Employee cybersecurity awareness is poor and the risk of employees making mistakes that compromise the security of their organization is high.

Cybersecurity training programs clearly need to be improved to raise awareness of the main threats and drill in best practices. However, it is essential that robust defenses are implemented to ensure that business networks are protected from poor security decisions made by employees.

If you would like to find out more about the best cybersecurity solutions that you can implement to keep your business protected from your own employees and how you can reduce reliance on your staff making the right security choices, contact the TitanHQ team today.

Educational Institutions Warned About Moodle Security Flaws

Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code.

Many educational institutions use the Moodle platform for their e-learning websites. The platform allows students to access interactive online courses. There are almost 80,000 websites that use the open source platform, many of which are operated by schools, colleges and universities.

On Monday this week, Security researcher Netanel Rubin discovered a vulnerability – tracked as CVE-2017-2641 – that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem does not lie with a single critical security flaw, but a number of smaller vulnerabilities which can be exploited when combined.

An attacker could exploit the Moodle security flaws and create hidden administrative accounts; however, in order to exploit the flaws, it would be necessary for the attacker to have an account on the platform. It does not matter what type of account the attacker has, provided it is not a guest account. Since more than 100 million individuals log onto the websites to access courses, obtaining a user account would not pose too much of a problem.

The Moodle security flaws could be exploited by attackers to install backdoors in the system allowing persistent access to data stored on a Moodle server, and there is data aplenty. Highly sensitive information about students is stored on the system, including personal information, grades and test data.

According to Rubin, the Moodle security flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.”

Rubin pointed out that such a large system – Moodle contains more than 2 million lines of PHP code – will almost inevitably have numerous vulnerabilities. In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just Moodle.

Rubin was able to take advantage of the Moodle security flaws and gain administrative privileges on the server, after which it was child’s play to execute code. Rubin said it was as simple as uploading a new plugin to the server.

Last week Moodle released a patch to address a number of vulnerabilities in the system, although no information was released about what the patch addressed. All users of the system are advised to update to the latest version of the platform and apply the latest security patch as soon as possible.

Failure to update systems and apply patches promptly will leave systems vulnerable to attack, whether it is Moodle or any other platform or software. If patches are not applied it will only be a matter of time before security flaws are exploited to gain access to servers or computers and steal sensitive data.

Cyberattacks on Educational Institutions Have Soared in 2017

2017 has already seen numerous cyberattacks on educational institutions. 2017 has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers?

It is easy to see why cyberattacks on financial institutions occur. There are substantial funds to be plundered.  Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: Medical fraud, identity theft, tax fraud, and insurance fraud for example.

However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017.

The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted.

There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector.

In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.

What Data are Cybercriminals Attempting to Steal?

K12 school systems have been targeted by criminals in order to gain access to student data. Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and in the case of minors, fraud is less likely to be identified quickly. Minors details can be used for longer.

Universities and school systems also hold considerable amounts of intellectual property and research.  That information can be sold for considerable sums on the black market.

As we have seen on many occasions this year, the personal information of school employees has been targeted by scammers. Emails have been sent requesting W-2 Form data, which are used to file fraudulent tax returns in school employees’ names.

This tax season, the following colleges, universities, schools and school districts have reported that employees have fallen for a W-2 Form phishing scam and have emailed the data of their employees to cybercriminals.

  • Abernathy Independent School District
  • Ark City School District
  • Ashland University
  • Barron Area School District
  • Belton Independent School District
  • Black River Falls School District
  • Bloomington Public Schools
  • College of Southern Idaho
  • Corsicana Independent School District
  • Crotched Mountain Foundation
  • Davidson County Schools
  • Dracut Schools
  • Glastonbury Public Schools
  • Groton Public Schools
  • Independent School District
  • Lexington School District Two
  • Manatee County School District
  • Mohave Community College
  • Morton School District
  • Mount Healthy City Schools
  • Northwestern College
  • Odessa School District
  • Redmond School District
  • Tipton County Schools
  • Trenton R-9 School District
  • Tyler Independent School District
  • Virginian Wesleyan College
  • Yukon Public Schools

As with the healthcare industry, the reliance on data makes schools, colleges, and universities targets for ransomware attacks. Ransomware is used to encrypt data and a ransomware demand is issued to unlock files. In many cases ransoms are paid as no backups of the encrypted data exist.

Some notable cyberattacks on educational institutions that have been reported this year are listed below.

2017 Cyberattacks on Educational Institutions

January 2017

Northside Independent School District in San Antonio, TX, discovered its email system had been hacked. Names, addresses, and dates of birth were potentially stolen. In total, 23,000 individuals were impacted by the incident.

South Washington County Schools in Minnesota discovered that one of its students had hacked into its system and stolen more than 15,000 employee records.

Los Angeles County College was attacked with ransomware in January and was forced to pay a ransom demand of $28,000 to regain access to its files. The attack resulted in most of the college’s infrastructure, including email and voicemail, being encrypted by the ransomware.

February 2017

Horry County Schools in South Carolina was forced to pay a ransom demand of $8,500 to recover data that were encrypted with ransomware. Even though the ransom was paid, systems were taken out of action for over a week as a result of the infection.

These are just a handful of the cyberattacks on educational institutions reported this year. Given the increase in cyberattacks on educational institutions, it is essential that schools, colleges, and universities take action and implement appropriate defences to mitigate risk.

If you are in charge of cybersecurity at your educational organization and you would like to receive tailored advice on some of the best protection measures you can implement to reduce the risk of a cyberattack, contact the TitanHQ team today.

Calls for Ransomware Protection for Universities to Be Augmented

Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented

Ransomware: A Major Threat to Universities the World Over

Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor.

Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid.

Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain.

Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access.

In a similar vein, university networks tend to be more open than in the business world for example. Businesses tend to severely restrict access to networks. If an attack occurs, the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.

Ransomware Protection for Universities Clearly Lacking

The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels. Many of those universities have been forced to pay the ransom demands to restore access to files.

Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles Valley College. According to a Newsweek report in August last year, two thirds of British universities had been attacked with ransomware. Queen’s University in Belfast, Northern Ireland, was one of those attacked. A ransom had to be paid to recover data. One university in the United Kingdom – Bournemouth University – experienced 21 ransomware attacks in the space of 12 months. The list goes on and on.

Malware is also a problem. The University of Alberta discovered a malware infection on 304 computers. A keylogger had been installed which recorded details of all information entered on infected computers, including login details.

It is unsurprising given the extent to which universities are being attacked that there have been numerous calls for ransomware protection for universities to be improved. But how can ransomware protection for universities actually be improved without causing major disruption to staff and students or overly restricting data access?

How Can Ransomware Protection for Universities be Improved?

Universities, like all organizations, must develop a strategy to prevent ransomware attacks and deal with them when they occur. Protections need to be improved to prevent attacks, technology needs to be employed to detect ransomware infections quickly, and policies and procedures must be developed so rapid action can be taken when attacks occur. Rapid action can greatly reduce the harm caused.

No university wants to overly restrict Internet access, but the use of a web filter is strongly recommended. Rather than blocking access to valuable information, an advanced web filtering solution such as WebTitan can be applied to restrict access to malicious websites and to block malware downloads. WebTitan has highly granular controls which allow restrictions to be put in place to prevent ransomware infections, without overblocking website content. Furthermore, Internet access controls can be easily set for different user groups.

At the very least, universities should apply web filtering controls to prevent the accessing of websites that are known to contain malware and should not rely on their anti-virus solution to provide this service.

It is also essential for controls to be applied to the email system to block emails containing malicious links and attachments. SpamTitan blocks 99.97% of spam emails and 100% of known malware using two anti-virus engines for extra protection. SpamTitan not only blocks incoming spam, but also performs scans of outgoing mail to prevent the spread of infections between end users.

Antivirus and anti-malware solutions should also be used and updated automatically. Intrusion detection systems should also be considered to ensure that infections are rapidly identified.

Good patch management policies are also essential to ensure vulnerabilities are not allowed to persist. Applying patches and software updates promptly reduces the risk of vulnerabilities being exploited.

Even with technologies in place, staff and students should be educated about the risk of cyberattacks, phishing, malware and ransomware. Best practices should be distributed via email to all staff and students along with information about any specific cyberthreats.

Unfortunately, unless ransomware protection for universities is greatly improved, the attacks are likely to continue. Cybercriminals view higher education institutions as soft and potentially highly lucrative targets. It is up to universities to take appropriate action to prevent malware and ransomware attacks.

Poor Cybersecurity Practices to Avoid

Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist.

This month we have seen two reports issued that have highlighted one of the biggest flaws in cybersecurity defenses in US enterprises. Poor password hygiene.

The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices.

Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords.

Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Number three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds.

Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members.

The results of this survey were supported by later research conducted by Telsign, who found a very blasé attitude to online security among U.S. citizens. Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents´ online accounts are guarded by duplicate passwords and 54% of respondents use five or fewer passwords across their entire online life.

While the Pew Research and Telsign surveys did not specifically apply to businesses, these poor password practices are regrettably all too common. Passwords used for corporate accounts are recycled and used for personal accounts, and poor password choices for company email accounts and even network access are common. Although two factor authentication is not a solution to the problem of poor personal cybersecurity practices, only 38% of U.S. companies use it to protect their networks from poor corporate cybersecurity practices.

 

Poor Cybersecurity Practices That Leave Organizations Open to Cyberattacks

Unfortunately, poor cybersecurity practices persist in many organizations. IT departments concentrate on implementing sophisticated multi-layered defenses to protect their networks and data from hackers, yet are guilty of failing to address some of the most basic cybersecurity protections.

The failure to address the following poor cybersecurity practices at your organization will leave the door wide open, and hackers are likely to be quick to take advantage.

More than 4,100 data breaches of more than 500 records were reported by organizations in the United States in 2016*.  Many of those data breaches could have been avoided if organizations had eradicated their poor cybersecurity practices.

Some of the main cybersecurity mistakes made by US companies include:

  • Not conducting a comprehensive, organization-wide risk assessment at least every 12 months
  • The failure to enforce the use of strong passwords
  • Not providing employees with a password manager to help them remember complex passwords
  • The continued use of unsupported operating systems such as Windows XP
  • Failure to apply patches and updates promptly
  • Not restricting the use of administrator accounts
  • Failure to adequately monitor devices for shadow IT
  • Failure to block macros from running automatically
  • Giving employees unnecessary access to data systems and networks
  • Not providing employees with cybersecurity awareness training
  • Not instructing employees on the safe handling of personally identifiable information
  • Failure to conduct anti-phishing simulation exercises
  • Failure to notify new employees and vendors of IT security policies and procedures before data access is provided
  • Not revising and updating IT security policies and procedures at least every six months
  • Failure to change default logins on networked devices
  • Failure to encrypt data on portable storage devices
  • Allowing employees full, unfettered access to the Internet
  • Failure to implement a spam filter to block malicious email messages
  • Failure to monitor applications with access to data
  • Failure to create appropriate access controls
  • Failure to monitor the activity of employees

*2016 Data Breach Report from Risk Based Security

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.

However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but do little else. All book borrowing stopped since it is not possible to for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action.

What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.

Ransomware is malicious software that has been developed with one sole purpose: To encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption preventing files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt files in exchange for payment.

Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library systems’ computers – across 16 locations – were attacked and encrypted.

Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.

The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infections. To wipe its entire system and reinstall files from backups. That is not a quick process. It could take weeks; certainly days.

The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”

It is not clear how the infection occurred, although there are two main ways that ransomware is installed: Malicious spam email messages and by visiting malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.

Web Filters in Libraries are an Important Ransomware Defense

A spam filter can be used to filter out malicious messages. Those messages contain attachments, which if opened, infect computers or download ransomware. User interaction is required. If the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.

In the case of malicious links contained in emails – an alternative to attachments – a click will direct the user to a malicious website where ransomware is downloaded. Even if a link is clicked, access to the website can be blocked with a web filter. Web filters in libraries can also be configured to stop patrons and staff from visiting malicious sites while browsing the Internet. If a website that is known to be malicious is accessed – deliberately or accidentally – the site will not be displayed and infection will be blocked. Web filters in libraries can also block the downloading of files that are commonly used to infect computers – executable or JavaScript files for example.

The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.

How to Prevent Ransomware Attacks

Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly.

Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices.

Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Lawyers offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack.

The loss of files can prove extremely expensive, far less than the cost of any ransom payment. Many companies therefore are left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000 while 20% paid more than $40,000.

Even when the ransom is paid there is no guarantee that a viable key will be supplied to unlock the encryption. Files may therefore be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever. Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor access its patients’ data.

It is essential to learn how to prevent ransomware attacks and to implement appropriate defenses not only to stop attackers from installing ransomware, but to ensure a system is put in place that will allow data to be recovered without having to resort to paying a ransom.

Recovering from a ransomware attack can be extremely expensive. Ransom payments can be extortionate. Business can be lost while systems are taken out of action. Even applying keys that have been supplied by attackers can be long winded. Each encrypted device has its own key, and those keys must be applied very carefully. A forensic analysis is also important after a ransomware attack to search for backdoors that may have added, as well as to determine if data have been stolen. Additional protections then need to be put in place to prevent future attacks from occurring.

How to Prevent Ransomware Attacks

The first and most important step to take will not prevent ransomware attacks, but it will help you to recover from a ransomware attack promptly without having to resort to paying the ransom. Recovery will depend on you having a viable backup of your data. Total file recovery may not be possible, but it should be possible to recover the vast majority of your files.

For that to be possible, you must ensure that all files on all devices and network drives are backed up. That includes all removable drives such as flash drives. Backup files must be stored on a non-networked drive, in the cloud, or ideally on an air-gapped device – One that is unplugged as soon as the backup is performed. Multiple backups should ideally be made with one copy stored in the cloud and one on a detachable storage device. You should always store backups in multiple files. If one becomes corrupted, you will not lose all of your data.

  • Avoid the use of administrator accounts with extensive privileges as far as is possible. If an administrator account is required, use it and then change to a guest account with limited privileges. This will reduce the damage caused if the user’s machine is infected.
  • Ensure that all software is kept up to date and your organization employs good patch management practices. In particular, ensure browser and plugin updates are applied promptly. Vulnerabilities can all too easily be exploited and used to download ransomware.
  • If plugins are not required, remove them. Adobe Flash in particular, but also Java and Silverlight. If required, they should require activating individually as and when needed.
  • Ensure employees’ computers are configured to show file extensions. If full file extensions are displayed, it is easier to identify potentially malicious files with double extensions.
  • Ensure macros are disabled on all devices. At the very least, ensure macros do not run automatically.
  • Disable Remote Desktop Protocol (RDP) on all devices unless it is absolutely essential.
  • A web filter can be used to prevent end users from visiting malicious websites where ransomware can be downloaded. A web filter can also block malicious third party adverts (malversting).
  • End users should be instructed never to open files from unknown senders or to click on links contained in emails unless 100% sure that the links are genuine.
  • The use of a spam filter is strongly advisable. The spam filter should be configured to aggressively block threats. Executable file attachments should also be automatically quarantined.
Facebook Messenger Locky Ransomware Attacks Reported

Facebook Messenger Locky Ransomware Attacks Reported

In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defense against a wide range of attack vectors

2016 – The Year of Ransomware

2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky.

Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections have been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data.

Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received –  ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data.

It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular.

Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls.

Some headway has been made by security researchers and decryptors have been developed for some ransomware variants. Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it.

The authors of the crypto-ransomware are also constantly updating Locky and new variants are regularly being released. At present, there is no decryptor available for Locky infections and victims are faced with three choices if they experience an infection:

  • Accept data loss
  • Pay the ransom demand to obtain a key to unlock data
  • Recover encrypted files from backups

Unfortunately for the victims, recovering encrypted files from backups can be complicated. Locky not only locks files with powerful encryption, the files names and file extensions are also changed. This makes it hard for victims to identify specific files. Locky also deletes Windows Shadow Copies to make it harder for victims to recover their data.

Facebook Messenger Locky Ransomware Attacks Reported

The authors behind Locky have experimented with exploit kits to spread infections, although since the demise of the Angler and Neutrino exploit kits, Locky has primarily been distributed via spam email. Massive spam email campaigns are used to spread the malicious software. Those campaigns involve many millions of emails.

However, earlier this month, security researchers noticed that the cybercriminal gang behind Locky has started to use exploit kits again. The Bizarro Sundown exploit kit has been discovered to be spreading Locky. More worrying, Facebook Messenger Locky ransomware attacks have now been reported.

The Facebook Messenger Locky ransomware attacks were noticed by security researcher Bart Blaze earlier this month. Malicious messages are being sent to Facebook Messenger users which contain an .SVG image file. That image file is not what it seems. It contains the Nemucod downloader – malicious JavaScript code embedded in the image. The code is run when the image file is opened and Nemucod then downloads Locky.

The social media giant has confirmed that Facebook Messenger Locky ransomware attacks have occurred, although Facebook was quick to point out that infections are occurring via “a poorly implemented extension for Google’s Chrome browser.”

Security controls are generally very good at Facebook, but they are not infallible. Facebook Messenger Locky ransomware attacks are a major risk and users must exercise caution.

As with spam email, users should not open any attachments from individuals they do not know. Even when image files and other file types are received via messenger apps and spam email from individuals that are known to the recipient, they should be treated with suspicion.

How to Reduce the Risk of a Ransomware Infection

Businesses need to implement defenses to reduce the risk of a ransomware infection. The consequences for taking no action can be severe.

Ransomware infections can spread laterally through a network and ransomware gangs require payment for each infected machine and can even set the price per infected organization. The Locky ransomware attack on Hollywood Presbyterian Medical Center in February resulted in a ransom payment of $17,000 being made, in addition to the considerable cost associated with removing the infection and recovering from more than a week without access to key information systems.

One of the best defenses against ransomware is WebTitan. WebTitan is an innovative web filtering solution that can be configured to limit access to websites known to host exploit kits. Malicious third-party adverts (malvertising) can be blocked, along with websites that carry a high risk of being exploited by hackers to spread infections.

The best way for businesses to ensure that Facebook Messenger Locky ransomware attacks do not occur is to block Facebook Messenger entirely.  With WebTitan, blocking Facebook Messenger – without blocking the Facebook website- is a quick and easy task.

By limiting the websites that can be visited by employees and blocking Facebook Messenger and other chat platforms, organizations can greatly improve their security posture and prevent ransomware from being installed.

For further information on the full range of features of WebTitan, details of pricing, and how to register for a free no-obligation trial, contact the TitanHQ sales team today.

Forget Hardware-Based Web Filtering Appliances for Schools and Look to the Cloud

Hardware-based web filtering appliances for schools have some advantages, but many K12 schools are saying goodbye to the appliances and are choosing a much more convenient and practical solution.

In the United States, K12 schools are required to implement a web filtering solution to control access to the Internet in order to receive E-Rate discounts on Internet access. Even schools that do not participate in the E-rate program need to filter the Internet. Parents are pressuring schools into ensuring the Internet can be accessed safely in schools and want to receive assurances that their children can use the Internet without inadvertently – or deliberately – viewing inappropriate material such as pornography. Twenty four states have also introduced legislation covering children and Internet access in schools.

Hardware-Based Web Filtering Appliances for Schools

A hardware-based web filtering appliance for schools may appear to tick all the boxes. Hardware devices sit in front of an Internet gateway and filter Internet traffic. They prevent users from accessing websites that are deemed to be dangerous or inappropriate.

While hardware-based web filtering appliances for schools can seem like an easy option, many schools are finding that is far from the case. Hardware-based web filtering appliances for schools are fine if there are just a handful of computers accessing the Internet in each classroom, but hardware solutions lack scalability. When the number of devices is increased, more appliances must be purchased.

Hardware-based web filtering appliances place limitations on web traffic. When the number of devices simultaneously requiring access to the Interest increases, a bottleneck can occur. It doesn’t matter how much the Internet pipe to a school is increased with an ISP, if a 1GB web filtering appliance is used for example, that will be the limiting factor not a 5GB connection. There is likely to be latency, which can be considerable.

One solution is to use multiple hardware devices. This will increase the capacity, although more devices mean an increased maintenance burden on IT departments. Multiple devices mean schools have to find the space to house the appliances. Cooling systems may need to be augmented and more devices means higher energy bills. Hardware-based web filtering appliances for schools can prove to be very costly.

Hardware-based web filtering appliances are now being stretched further still as many schools start increasing the number of devices used by students. While one or two desktop computers used to be sufficient, many schools are now considering one-to-one computing, where each student is issued with a school laptop. However, such an increase in devices places considerable demands on hardware-based web filters and the result is considerable latency.

Then there is the problem of how to protect students when laptop computers are taken home. As we have already seen, some parents have made their schools take back the devices until adequate controls are placed on the devices to restrict Internet content. If software is installed on each laptop – in the form of a local client – the Internet can still be filtered using school hardware-based web filters. The client forwards traffic to the school’s datacenter, and traffic then passes through a web filtering appliance.

This sorts out the problem of Internet filtering, but it also puts more pressure on the datacenter. This may even require additional hardware devices to be purchased. Also, outside of normal school hours, if there are any issues with the datacenter, students will be prevented from accessing the Internet.

The latency and cost issues have spurred many K12 schools to look for an alternative to hardware-based web filtering appliances for schools. The answer has been found in the cloud.

Benefits of Cloud-Based Web Filtering Solutions for Schools

Cloud-based web filtering solutions offer a number of advantages over hardware-based web filtering appliances and solve many problems, especially as schools increase either the number of devices supplied to students or the number of devices that are allowed to connect to the network.

Cloud-based solutions require no hardware purchases and no space in the data center. This offers an initial cost saving as devices do not need to be purchased. No network deployments of client applications also means quick and easy implementation and since there is no hardware to maintain, the burden on IT departments is eased.

Any web filtering solution involves a certain degree of latency, although with cloud-based solutions this is kept to an absolute minimal level. Internet speed is not noticeably reduced and there is no latency within the datacenter itself. When students take hardware off the premises they can still be protected without data needing to be routed back to the schools’ datacenter. An roaming agent can be installed on each school-issued device that is taken off premises or even on students’ personally owned devices to ensure that filtering controls are applied.

Then there is the speed of reaction to web content that should be blocked. When changes need to be made to filtering rules, they can be applied quickly and easily from any location without the need for IT staff to access each hardware appliance. A cloud-based control panel can be accessed from anywhere with an Internet connection and changes can be rapidly made.

Cloud-based solutions are also highly scalable. There is no limit on bandwidth or the number of users. Once a solution is deployed, it doesn’t matter how big the network gets. There is no need to upgrade hardware or purchase any more devices. Additional licenses can be purchased as and when needed. Further, if there is ever a reduction in required capacity, licenses can be adjusted accordingly.

With these and many other benefits, it is no surprise that so many schools are now turning to the cloud for their Internet filtering needs. The cloud is the perfect choice for K12 schools looking to keep their students – and devices – safe and WebTitan Cloud is the ideal solution for K12 schools to filter the Internet.

WebTitan - Web Security for the Education Sector

The TitanHQ team has worked on email anti-spam solutions for schools, web filtering for education, and email archiving for schools for over 20 years. We have a deep understanding of the web security issues that all schools and colleges face when protecting students, staff members, and visitors.

WebTitan is a powerful web security solution that ensures safe Internet browsing for children. The solution provides protection from harmful and obscene web content whether students are studying in the classroom, school library, or offsite and blocks threats such as malware, ransomware, and phishing. WebTitan Web security is available for all devices, including Chromebooks, Windows, and Apple devices, and the solution is quick and easy to implement and maintain.

Benefits of WebTitan

  • Create a safe and secure web browsing environment.
  • Comply with CIPA and qualify for E-Rate discounts
  • Block malicious websites and malware downloads.
  • Block material contained in the child abuse image content URL list (CAIC List) and other third-party blacklists.
  • Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
  • Filter by keyword and keyword score.
  • Inspect encrypted websites.
  • Filter content in 200 languages.
  • Apply time-based filtering controls.
  • Filter the Internet across multiple WiFi hotspots.
  • Protect students when learning remotely.
  • Manage access points through a single web-based administration panel.
  • Delegate management of access points.
  • Schedule and run reports on demand with real time-views of Internet activity and extensive drill down reporting.
  • Integrate the solution into existing security and monitoring systems.

Test WebTitan for Yourself with a Free Trial

WebTitan is currently protecting 10 million students and 2.5 billion DNS requests a day with T-Mobile. With WebTitan, you can quickly and easily protect your students from inappropriate web content, ensure CIPA compliance and create a safe environment for children.

You can also take advantage of a Free Trial of the solution to see for yourself how easy it is to use and maintain, and how effective it is at blocking access to content you do not want to be accessed by students, on or off the network.

 

Beware of Bart Ransomware: The Latest Ransomware Variant Doing the Rounds

A new threat has recently been discovered by security researchers at Phishme: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.

Bart Ransomware Locks Files in Password-Protected ZIP Files

Bart Ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky.

Bart ransomware also uses a payment interface that looks very similar to Locky. However, there are notable differences to Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – Approximately $1988 per device.

There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid.

Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.

New Ransomware Variant Delivered via Spam Emails

The campaign uses spam emails to deliver malicious Javascript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images. However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware.

The ransomware has been developed to attack users in the west, and will not lock files if the operating system is in Russian, Ukrainian, or Belorussian.

To prevent infection, it is essential that end users do not open the infected email attachments. Since the emails may appear benign to end users, organizations should take steps to prevent the spam emails from being delivered. One way of doing this is to use SpamTitan. SpamTitan can be configured to block zip files and prevent them from being delivered to end users.

If spam emails are not delivered, end users will not be able to inadvertently infect their devices. Furthermore, the cost of deploying SpamTitan is likely to be considerably less than the cost of a single ransom payment to resolve a Bart infection.

GoToMyPC Password Reuse Attacks Prompt Password Reset

There have been a number of high-profile data breaches reported in recent weeks, now Citrix has announced its users have been impacted after receiving multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but that the attacks had been made possible due to poor security practices of some of its users.

Passwords Reset After Spate of GoToMyPC Password Reuse Attacks

After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of account compromises. When users next login to the remote desktop access service they will be required to set up a new password before being allowed to access the service.

While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to login to all online accounts that have the same password set and to create new, unique passwords for each.

Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained.

Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred.

TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach. Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their computers.

Since many individuals share passwords on personal accounts and business accounts, the latter may also be compromised and that can have highly serious implications.

The Danger of Password Sharing

All organizations face a threat of cyberattacks and sooner or later it is likely that one of those attacks will be successful. If users’ login credentials are obtained, they can be used to access accounts on other web and software platforms.

The spate of recent attacks shows how dangerous it can be to use the same passwords for multiple accounts. While it is certainly convenient to use the same password on multiple platforms, users stand to have their entire online identity hijacked as a result of a single cyberattack on one company.

To limit the damage caused, it is essential to use a unique, complex password for each online account, never to recycle passwords, and to update passwords frequently. Sys admins should ensure that password policies are set that require complex passwords to be created. Password expiration policies should also be developed and implemented. Password managers can be used to help end users keep track of all of their passwords.

JavaScript Based Ransomware Used to Deliver Pony

Security researchers have uncovered an entirely JavaScript based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses.

JavaScript based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.

RAA Ransomware Delivered via Spam Email

The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions, instead it uses the CryptoJS library to lock files with AES encryption.

First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.

Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made.

JavaScript Based Ransomware Delivers the Pony Info Stealer

This JavaScript based ransomware also includes the pony info stealer. In contrast to other malware which can download additional malicious files from the Internet, RAA ransomware has the Pony info-stealer embedded as a base64 encoded string. The string is decoded and also saved to the My Documents folder and is then run automatically.

The RAA ransomware is set to run automatically each time the computer is booted, and it will install Pony each time. Since the ransomware runs on boot it will encrypt any of the above file extensions that have been created or downloaded since the last time the ransomware was executed. At present, there is no way of decrypting the files without paying the ransom.

To protect against attacks, end users must be vigilant and not open any files attachments sent from unknown individuals. Sys admins must also ensure that all files are regularly backed up and back up devices are air-gapped.

Cost of a Data Breach Calculated by The Ponemon Institute

Each year, the Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises.

Last year, the Cost of a Data Breach study placed the average cost at 3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.

Average Cost of a Data Breach in the United States is $7.01 Million

However, those figures are taken from the global data collected for the study. The costs incurred by U.S businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million.

Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare industry, financial, and life science sector can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident also increased.

In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.

Organizations Should Try to Reduce Churn Rate After a Data Breach

One of the findings of the research is the higher the churn rate is following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1%, had to pay average breach costs of $5.4 million. The cost rose to $6.0 million with an abnormal churn rate of between 1% and 2%, while a churn rate of above 4% resulted in average costs of $12.1 million.

The industries most likely to see customers leave and find alternative companies to do business with were healthcare organizations, financial companies, service organizations, and companies operating in the technology and life sciences industries. Public sector companies, research organizations, and the media experienced the lowest churn rates.

Ponemon suggests that one of the best ways to reduce the financial impact of a data breach is to put greater effort into retaining customers and adopting strategies to preserve brand value and reputation. Consumers now understand that data breaches are a fact of life, but they expect action to be taken by organizations that have suffered a breach that exposed their personal information. Issuing breach notifications quickly, offering credit monitoring services to affected individuals, and taking steps to greatly improve security can all help to reduce fallout after a data breach occurs.

Malicious Attacks Cost the Most to Resolve

All data breaches will result in organizations incurring costs, but the cause of a data breach will dictate how high those costs will be. Malicious attacks on organizations were discovered to cost the most to resolve. In the United States, the average cost per record for a malicious or criminal attack was $236. For system glitches the cost was £213 per record, and for human error the cost was $197 per record.

The costs incurred can be reduced significantly if organizations take steps to prepare for data breaches. The Ponemon Institute determined that having an effective breach response plan can greatly reduce the cost of a data breach. When an organization can respond quickly to a breach the costs tend to be much lower.

The average time to contain a data breach was determined to be 58 days. Organizations that were able to contain a data breach in less than 30 days paid an average cost of $5.24 million per breach, compared to $8.85 million when the time to contain the breach exceeded 30 days.

It also pays to invest in technologies that allow organizations to identify breaches quickly when they do occur. The mean time to identify a breach was determined to be 191 days – more than 6 months. When the mean time to identify a breach was less than 100 days, the breach cost was $5.83 million. When the mean time to identify a data breach exceeded 100 days, the mean cost rose to $8.01 million.

The costs of breach resolution are continuing to rise. Organizations should therefore consider investing more heavily in technologies to prevent data breaches and to increase the speed at which they are detected. The results of the study clearly demonstrate that having a tested breach response plan in place is essential if costs are to be reduced.

Threat from Phishing Websites Greater than Ever Before

A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.

The Rising Threat from Phishing Websites Should Not Be Ignored

APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers.

In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months has seen a massive rise in new websites that trick users into revealing sensitive data.

APWG reports that there is an increase in new malicious websites around the holiday season. In the run up to the holiday period when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data.

In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended APWG expected activity to reduce. That didn’t happen. New sites were still being created at elevated levels.

In the first quarter of 2016, APWG detected 289,371 new phishing websites were created. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month. March saw almost twice the number of new sites than were created in December. The figures for Q1 and for March were the highest ever seen.

Retail and Financial Sectors Most Frequently Targeted by Phishers

Phishers tend to favor well-known brands. The phishing activity report indicates little has changed in this regard. Between 406 and 431 brands are targeted each month. Most of the new sites target the retail industry which accounts for 42.71% of the new phishing websites detected in the first quarter of 2016. The financial sector was second with 18.67% of new sites, followed by the payment service industry with 14,74% and the ISP industry with 12.01%. The remaining 11.87% of new sites targeted a wide range of industries. The United States is the most targeted country and hosts the most phishing websites.

While phishing websites are now favored by cybercriminals, emails continue to be used to send malicious links and malware-infected attachments to consumers and businesses. In January, 99,384 phishing email reports were sent to APWG. The number increased to over 229,000 in February and stayed at that level in March.

APWG also tracked malware infections. In the first quarter of the year, 20 million malware samples were intercepted – an average of 6.67 million malware samples a month.

The report shows how critical it is for business to take action to prevent end users from visiting malicious websites and the seriousness of the threat from phishing websites.

One of the best ways that businesses can reduce the risk of employees visiting phishing websites is to use a web filtering solution. By controlling the sites that can be accessed by employees, the risk of phishing, malware infections, and ransomware attacks can be greatly reduced.

Teslacrypt Ransomware Master Key Released

Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware that was used primarily to target gamers

TeslaCrypt Ransomware Master Key Released

So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom.

Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET have added the key to their TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware.

That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributers of TeslaCrypt have already switched to CryptXXX.

Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections.

The reason for the release is TeslaCrypt was already being phased out. ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and pay the ransom.

Kabina asked for the private decryption keys to unlock all four versions of the ransomware. He was answered within one day and was provided the key for the version he claimed to have been infected with. He then sent another message requesting the release of the latest key to unlock v4 of the ransomware, and noticed on the TeslaCrypt page that the gang had announced that the project had been closed. The universal key had been posted on an anonymous .onion page that can be accessed using the Tor browser.

There is a constant battle between security companies and ransomware developers. Oftentimes, ransomware variants contain flaws that allow antivirus companies to develop decryption tools. When these tools are released attackers work rapidly to repair the security flaw and release a new, more robust version of the ransomware. This was the case with TeslaCrypt. Flaws in the first version allowed a tool to be developed. A decryption tool was released, and version 2 of the ransomware was released. TeslaCrypt is now on the fourth version.

As with Cryptowall, TeslaCrypt has now been shut down; however, CryptXXX is still very much active and is still being updated. Furthermore, the attackers have learnt from their mistakes and have developed CryptXXX to be a much harder nut to crack.

CryptXXX is run alongside a program that monitors the system on which it is run to check if it is in a virtual environment or sandbox or otherwise being probed. If abnormal behavior is identified, the encryption routine is restarted. CryptXXX is also spread via spam email, exploit kits, and malvertising. This means that it is much easier to spread and more attacks are likely to occur. Companies and individuals therefore face a much higher risk of an attack.

The release of the TeslaCrypt ransomware master key is therefore only good news if you have been infected with TeslaCrypt. With the move to CryptXXX it is even more important to have solutions in place to prevent attacks, and a plan in place to deal with an attack when it occurs.

Impact of Security Breaches on Brand Image Assessed

A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data.

Cyberattacks are now taking place with such frequency that data breaches are now to be expected. It is no longer a case of whether a security breach will occur, it is now just a case of when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur.

Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?

What is the Impact of Security Breaches on Brand Image?

The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted on consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands.

The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security.

75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity.

Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.

Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take a considerable amount of time to regain consumers’ trust. More than half of respondents (54%) said that their impression of companies was negatively impacted after a security breach occurred.

Fast action following a data breach can help to restore confidence, but this is expected by consumers. The survey showed that 90% of consumers expect to be notified of a breach of data within 24 hours of an attack taking place, yet this is something that rarely happens. All too often consumers are made to wait weeks before they are informed of a breach of their personal information.

The study also shows that as a result of large-scale breaches consumers are now much less trusting of companies’ ability to keep data secure. They are also much more cautious about providing personal information. 72% of consumers said they now share less information with companies due to the volume of data breaches now being suffered.

The take home message from the survey is organizations must do more to protect consumer data and to prevent data breaches from occurring. If companies invest heavily in cybersecurity and can demonstrate to consumers that they take privacy and security seriously, the negative impact of security breaches on brand image is likely to be reduced.

How to Reduce Risk of Malware Infections from Websites

To reduce the risk of malware infections from websites you can avoid certain types of sites that are commonly used by cybercriminals to infect visitors. Sites containing pornography for instance, torrents sites, and online marketplaces selling illegal medication for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors.

The unfortunately reality is that browsing the Internet and only visiting what are perceived to be “safe sites” does not mean that you will not be exposed to maware, malicious code, and exploit kits. Hackers are increasingly compromising seemingly legitimate websites to redirect visitors to sites containing exploit kits that download malware and ransomware.

Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.

High Profile Websites Compromised and Used to Deliver Ransomware to Visitors

This week, two new websites were found to have been compromised and were used to infect visitors with malware.

The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting the site placed them at risk of having their computer files locked with powerful file-encrypting ransomware.

However, that is exactly what has been happening. Hackers compromised an iframe on the site and inserted malicious code which redirected visitors to a website containing the Angler Exploit Kit. Angler probes visitors’ browsers for security vulnerabilities and exploits them; silently download a payload of malware. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims’ devices.

A second malvertising campaign was also conducted that redirected visitors to a different website. The exploit kit used to infect redirected visitors was different, but the end result was the same. A malicious payload was downloaded onto their devices.

Another well-known website was also discovered to have been compromised this week. The website of the world renowned French film production company Pathé was discovered to have been compromised. Hackers had managed to embed malicious code in one of the webpages on the site. The code also redirected users to a site hosting the Angler Exploit Kit, which similarly was used to infect visitors with CryptXXX ransomware.

How to Reduce the Risk of Malware Infections from Websites

Exploit kits take advantage of security vulnerabilities in browsers. To reduce the risk of malware infections from websites it is essential that browsers are kept up to date. That includes all browser plugins. If no security vulnerabilities exist, there would be nothing for exploit kits to exploit.

However, zero-day vulnerabilities are emerging all the time and software manufacturers are not always quick to develop fixes. Adobe was alerted to a new zero-day vulnerability a few days ago, yet they only just released a fix. During that time, the vulnerability could have been exploited using exploit kits. Cybercriminal gangs are quick to incorporate new zero-day vulnerabilities into their exploit kits and do so faster than software companies can release fixes. Ensuring all updates are installed promptly is a great way to reduce the risk of malware infections from websites, but additional measures need to be taken.

If you really want to improve your – or your company’s – security posture and really reduce the risk of malware infections from websites, you should use a web filtering solution. This is particularly important for businesses to ensure that employees do not inadvertently compromise the network. It can be difficult to ensure that all devices used to connect to the network are kept 100% up to date, 100% of the time.

A web filtering solution can be configured to block malvertising, blacklists can be used to prevent compromised websites from being accessed, and malware downloads can be prevented. Along with good patch management practices, it is possible to effectively reduce the risk of malware infections from websites.

WebTitan Cloud – Game Changing Web Security Service for MSPs

Finding a web security service for MSPs can be a time consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs.

The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor.

Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs need to be easy to install and maintain, and have a low management overhead.

Low cost solutions that are quick to install and easy to maintain allow MSPs to easily incorporate into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace.

The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPS to strengthen their own brand image rather than promoting someone else’s.

Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.

WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes

WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.

Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by blocking anonymizer services. Encrypted web traffic is also inspected.

Implementation could not be any easier. There is no need for any hardware purchases or software downloads. All that is required is a change to the DNS to point to our servers and the Internet can be filtered in under 2 minutes.

Configuring each client to incorporate their AUPs is also a quick and easy process requiring no technical expertise. Highly granular controls ensure AUPs can be quickly and easily applied. There is no need to use on premise support teams. Everything can be monitored via the control panel from any Internet browser. There is no hardware or software to maintain and no patches to apply, reducing management overhead considerably. Cloud keys can be supplied to allow guests to bypass organization-wide content control settings, with time-limits applied to prevent abuse.

Reporting is effortless. A full suite of pre-defined reports can be generated automatically and scheduled for each client to allow Internet access to be carefully monitored.

We also offer fully white-labeled solutions for MSPs allowing logos, branding, and corporate color schemes to be easily incorporated. We are also more than happy to allow WebTitan Cloud to be hosted within an MSPs infrastructure.

What Your Customers Get

  • Ransomware, malware, and phishing protection. Protection from malware, ransomware and the web-based component of phishing attacks. More than 60,000 malware iterations are blocked every day.
  • A quick and easy to use DNS filter to manage and control web usage – Block malicious sites and control the web content employees and guest users can access.
  • Easy to implement; Easy to use. Customer accounts are up and running within 20 minutes
  • Improve network performance: A no latency DNS filtering solution that can be used to reduce bandwidth waste and abuse.
  • Highly granular content filtering with flexible user policies
  • Support for dynamic IP’s
  • Works with any device
  • Full reporting suite. WebTitan contains a comprehensive reporting suite providing automated graphical reports and extensive reports on demand.
  • Fully automated updating – Does not add to your patching burden and requires minimal management while ensuring maximum security.
  • Whitelists and blacklists Global whitelists and blacklists and custom categories can be configured to allow/block by full website address or by IP address

Benefits for MSPs

  • Save on customer support time, hours and cost – No more costly ransomware call outs.
  • Easy to deploy, manage and sell our awarded-winning cloud based web filtering solution
  • Simple Integration into your existing service stack through API’s and RMM integrations
  • Competitive pricing with a core focus on the SMB market.
  • Generous margins and monthly billing
  • White labelling – WebTitan can be fully rebranded with your logos and color scheme with us working seamlessly in the background.
  • Set & forget. WebTitan requires minimal IT service intervention
  • Short sales cycle – only a 14 day free trial required to test
  • World class support – The best customer service in the industry with scalable pre-sales and technical support and sales & technical training
  • Multi-tenant dashboard – MSP-client hierarchy enables you to keep clients separated and choose whether to manage client settings in bulk or on an individual basis

To find out more about why WebTitan Cloud is a game changing web security service for MSPs contact our sales team today!

MSP Testimonials

“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager

“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. It has provided us with a stable web filtering platform that has worked well for us for many years. ” Derek A. Network Manager

“WebTitan is outstanding software that helps me a lot in minimizing viruses. The thing I like most about WebTitan is that it is extremely easy to use and configure. I like its clear interface. It lets us block malicious content and spam easily. It is no doubt an amazing product helping us a lot in kicking out harmful bad stuff.” Randy Q. Software Engineer

“By reducing malware-related security incidents, you’re reducing your number one uncontrollable expense: the people on your IT operations team, like your help desk techs.” MSP, Washington, US 

 “Web filtering is one of the, if not the greatest bang for your buck services. It’s built in anti malware has protected our clients, saving us thousands of hours of repair time I am absolutely certain.” MSP, New York, US

“a key part of our security stack as we’ve scaled to over 6,000 managed endpoints, while decreasing virus and malware related tickets by 70%.” MSP, Boston, US

 “It has paid for itself many times over by reducing malware calls.” MSP, Toronto, Canada