Web Filtering

TitanHQ Integrates its Web Filtering Platform into Kaseya’s IT Complete Suite

Managed Service Providers (MSPs) can now offer their clients an additional layer of protection against web-based cyberattacks: TitanHQ’s 100% cloud-based web filtering solution, WebTitan, has been incorporated into the Kaseya IT Complete suite.

The Kaseya technology alliance partner (TAP) program brings together some of the world’s leading providers of IT solutions for MSPs, including Bitdefender, Cisco, and Dell. The Kaseya IT Complete platform gives MSPs easy access to a wide range of managed service-ready software covering cybersecurity, cloud management, endpoint management, network management, identity and access management, and disaster recovery. The platform is designed to help MSPs increase revenue by adding profitable new services, automate the delivery of those services, and add value by exceeding SLAs. The ease with which the solutions can be delivered saves MSPs valuable time and frees up staff to work on strategic projects.

MSPs already had access to a wide range of cybersecurity solutions through the platform, but one notable gap was an easy-to-deploy web filtering solution. The addition of WebTitan allows MSPs to add another layer of security and better protect their clients from web-based threats, including malware and ransomware downloads. Because the solution is DNS-based, it requires no software downloads, hardware purchases, or site visits and can be deployed and configured in a matter of minutes.

The integration of WebTitan into the Kaseya IT Complete platform was completed in time for the Kaseya Connect conference, which is taking place this week in Las Vegas, Nevada, and is attended by some of the top MSPs from around the world.
“Kaseya is a partner we have admired for a long time and I’m delighted to announce this integration,” said Ronan Kavanagh, CEO of TitanHQ. “With over 10 million endpoints under their management it...

Magnitude Exploit Kit Changes Payload and EITest Operations Disrupted

There have been significant developments relating to exploit kits in the past few days. The threat actors behind the Magnitude exploit kit have changed their malicious payload, and the EITest malware distribution network that directed traffic to exploit kits has finally been sinkholed.

Magnitude Exploit Kit Switches to GandCrab Ransomware Delivery

Exploit kit activity is at a fraction of the level seen in 2015 and 2016, and according to research from Recorded Future the development of new exploit kits fell by 62% in 2017. Activity has not fallen to zero, however: exploit kits are still widely used to deliver malware and ransomware, which underscores the continued need for controls that block these attacks, such as web filtering, and for keeping on top of patching. Exploit kits have traditionally leveraged vulnerabilities in Java and Adobe Flash, but more recently Microsoft vulnerabilities have been favored as the number of Java vulnerabilities has fallen and Adobe Flash has been phased out.

One exploit kit that is still used in extensive, if highly geographically targeted, attacks is Magnitude. For the past seven months, Magnitude has been delivering the Magniber ransomware payload almost exclusively in South Korea. In the past few days, however, it has also started distributing GandCrab ransomware, which is not restricted geographically and will infect English-language Windows devices. Early variants of GandCrab were cracked and free recovery of files was possible, but there is no known decryptor for the version currently being distributed via Magnitude.

Magnitude has also changed how it delivers the payload. Where it previously relied on Adobe Flash and Microsoft exploits to drop the ransomware, it is now using a fileless technique to load it, which makes the infection much harder to detect.
According to Malwarebytes, “The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.” Once run, the payload is injected into explorer.exe, files are encrypted, and...
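The quoted description gives a defender something concrete to look for: a scriptlet whose script block is declared as JScript.Encode or VBScript.Encode, or whose body carries the Script Encoder markers. The following triage routine is an added example written for this page; it is not code from the article, from Malwarebytes, or from the Magnitude kit. The sample scriptlet is constructed, and its encoded body is a placeholder between the real encoder markers rather than any actual payload.

```python
"""Added example (not code from the original article or from Malwarebytes):
triage a Windows scriptlet for the encoded-script technique described above.

The sample scriptlet is constructed for this example. Its encoded body is a
placeholder between the real Script Encoder markers, not a real payload.
"""
import re

ENCODED_MAGIC = "#@~^"     # opens a Script Encoder (JScript.Encode/VBScript.Encode) blob
ENCODED_TRAILER = "^#~@"   # closes it
ENCODED_LANGUAGES = {"jscript.encode", "vbscript.encode"}

# Regex rather than an XML parser: malicious scriptlets are often not well-formed.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
LANG_RE = re.compile(r"""language\s*=\s*["']?([\w.]+)""", re.IGNORECASE)

# Constructed sample: the classid and progid are placeholders.
SAMPLE_SCRIPTLET = """<?XML version="1.0"?>
<scriptlet>
<registration progid="Example.Scriptlet" classid="{00000000-0000-0000-0000-000000000001}"></registration>
<script language="JScript.Encode"><![CDATA[
#@~^ZAAAAA==placeholder-encoded-body-NOT-a-real-payload==^#~@
]]></script>
</scriptlet>
"""


def triage_scriptlet(text):
    """Return one finding per <script> block in a scriptlet.

    A block is flagged as suspicious when its language attribute names one of
    the Script Encoder dialects or its body carries the encoder's markers.
    """
    findings = []
    for m in SCRIPT_RE.finditer(text):
        attrs, body = m.group(1), m.group(2)
        lang = LANG_RE.search(attrs)
        language = lang.group(1).lower() if lang else None
        start = body.find(ENCODED_MAGIC)
        end = body.find(ENCODED_TRAILER, start + len(ENCODED_MAGIC)) if start != -1 else -1
        blob = body[start:end + len(ENCODED_TRAILER)] if start != -1 and end != -1 else ""
        findings.append({
            "language": language,
            "encoded_language": language in ENCODED_LANGUAGES,
            "encoded_marker": start != -1,
            "encoded_blob_length": len(blob),
            "suspicious": language in ENCODED_LANGUAGES or start != -1,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_scriptlet(SAMPLE_SCRIPTLET):
        print(finding)
```

The encoding is obfuscation, not encryption: it is fully reversible and public decoders exist, so a flagged block can be decoded and inspected rather than just blocked. Legitimate software almost never ships encoded script in a scriptlet, which is why the language attribute alone is a strong signal.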

New Traffic Distribution System Helps Threat Actors Conduct Web-Based Malware Attacks

Web-based malware attacks via exploit kits were commonplace in 2016. In 2017 this mode of attack fell out of favor with cybercriminals, who concentrated on spam email to deliver their malicious payloads, and exploit kit activity is now at a fraction of the 2016 level, although 2017 did see increased activity from the Rig and Terror exploit kits. A recent discovery by Proofpoint could see exploit kit activity start to increase once again: a new traffic distribution system is being offered on darknet marketplaces that helps cybercriminals direct users to sites hosting exploit kits and conduct web-based malware attacks.

Traffic distribution systems (TDS) buy and sell web traffic and are used to direct web users from one website to another. When a user clicks on a link that is part of a TDS, they are redirected to another website without their knowledge, and that website could host an exploit kit and trigger a malware download.

The new TDS, known as BlackTDS, requires threat actors to direct traffic to the service. BlackTDS then filters that traffic and routes each visitor to an exploit kit based on their profile data, which maximizes the probability that the exploit kit will be able to download malware onto the device. The same profiling can be used to choose which malware a given user receives. Threat actors who sign up can inexpensively select the exploit kits and malware they want installed, with every other aspect of the distribution chain handled by the BlackTDS developers. The developers also claim their cloud-based TDS uses fresh HTTPS domains that have not been blacklisted and is difficult for security researchers and sandboxes to detect. Threat actors need only drive traffic to BlackTDS, typically via spam campaigns and malvertising, and the drive-by downloads are handled for them.
Campaigns being run using BlackTDS have been directing users to the RIG-v, Sundown, and Blackhole exploit kits which are used to download a wide range of keyloggers, ransomware, and other malware variants. The provision of this malicious service...

New Bill Proposes Mandatory WiFi Filters in Libraries in Idaho

A new bill has been introduced that proposes mandatory use of WiFi filters in libraries in Idaho to prevent library wireless networks from being used to view obscene content. Current state legislation applies only to wired networks.

In many other states, web filters in libraries are only required for libraries that wish to obtain discounts on their internet services under the E-Rate program. Many libraries choose not to apply for such discounts so that they can continue to provide full access to all forms of Internet content, relying instead on policies and procedures covering acceptable use of their computers and WiFi networks.

Policies and procedures are not seen as sufficient in Idaho, which already has one of the strictest laws in the United States covering internet filtering in libraries. In 2011, legislation was introduced that made it mandatory for library web filters to be implemented on any computers that can be used by minors; the original bill had called for mandatory filters on all library computers, but the version that passed was scaled back.

The new resolution was introduced by the Idaho House State Affairs Committee this week, along with a new bill proposed by Rep. Lance Clow (R-Twin Falls) that would require all libraries in the state to extend their Internet filtering controls to their WiFi networks. The concern is that simply connecting to a library WiFi network may allow users to access obscene content. “Families are torn apart because of the proliferation of this material,” said Clow. Pornography is “creating a public health crisis.” The resolution says the use of pornography has been “linked to a reduced desire in young men to marry, dissatisfaction in marriage, and infidelity.” The committee wholeheartedly backed the resolution and the new bill, even changing the language to make it clear that young women were also adversely affected by obscene images.
A similar resolution was introduced in Utah, on which the Idaho resolution was based. The use of WiFi filters in libraries is unlikely to cause too many problems, since many filtering solutions that have been implemented already have the...

New TitanHQ Partnership Sees Firm Join HTG Peer Groups as Gold Vendor

Today has seen the announcement of a new partnership between TitanHQ, the leading provider of email and web filtering solutions for MSPs, and the international consulting, coaching, and peer group organization HTG. The announcement was made at the Q1 HTG Peer Groups meeting at the Pointe Hilton Squaw Peak Resort, Phoenix, Arizona.

The partnership makes TitanHQ’s web filtering solution, WebTitan; its cloud-based anti-spam service, SpamTitan; and its email archiving solution, ArcTitan, immediately available to the HTG community. TitanHQ develops cybersecurity solutions specifically for managed service providers to help them protect their clients from the ever-increasing volume of email and Internet-based threats. The multiple award-winning solutions have been adopted by more than 7,500 businesses and 1,500 MSPs, helping to protect them from malware, ransomware, viruses, phishing, botnets, and other cyber threats.

HTG is a leading peer group association that was recently acquired by the global technology company ConnectWise. HTG helps businesses plan and execute strategies to drive growth and increase profits; its consultants and facilitators share wisdom, provide accountability, and build meaningful relationships with businesses to help them succeed in a highly competitive marketplace.

The new partnership sees TitanHQ join HTG Peer Groups as a Gold vendor. “We’re delighted to welcome TitanHQ on board for 2018. As soon as the initial discussion started we knew they would make a great match for our community, as web security is a key area for our members in 2018,” said HTG Peer Groups founder, Arlin Sorensen.
HTG Peer Groups Founder Arlin Sorensen (Left); TitanHQ CEO Conor Madden (Right)

“WebTitan web filter was built by MSPs for MSPs and this exciting relationship with HTG Peer Groups is a continuation of that process. It allows us to listen to the opportunities and difficulties faced by MSP senior executives while also allowing us to share how we became a successful web...

Proposed Legislation in Virginia Would Require Web Filter on Internet-Enabled Devices

Delegate Dave A. LaRock (R) and State Sen. Richard Hayden Black (R) have proposed a bill in the Virginia General Assembly that would require a web filter on internet-enabled devices sold or distributed in the state. House Bill No. 1592, also referred to as the Human Trafficking Prevention Act, is intended to reduce the availability of pornography, which its sponsors believe will in turn reduce the level of human trafficking in Virginia.

Mandatory Web Filter on Internet-Enabled Devices in Virginia

The bill calls for a web filter on all internet-enabled devices, which includes computers, laptops, tablets, and smartphones. The filtering mechanism would be required to block all obscene items, including obscene images, performances, and exhibitions, as well as child pornography and unlawful images and videos of people that have been recorded or distributed without consent.

The bill does not amount to a ban on pornography in Virginia, as purchasers would be able to legally disable the content blocking mechanism. To do so, an individual would have to prove to the vendor or distributor of the device, by means of an official photographic ID, that they are over 18 years of age. The distributor must obtain a written receipt confirming that a written warning about the dangers of unblocking the content filter has been provided. The purchaser must also pay a one-time digital access fee of $20 to have the web filter lifted, in addition to any fee charged by the distributor or seller for removing the filtering capability from the device. The $20 fee would be paid into a Virginia Prevention of Human Trafficking Victim Fund, while the seller or distributor could retain its own charges.
The Virginia Prevention of Human Trafficking Victim Fund would be used solely for supporting victims of human trafficking and to pursue criminal prosecutions in human trafficking cases. There will be stiff financial penalties and potentially jail time for any seller/distributor who fails to apply the web filter. Removal of the filter without paying the fee would similarly be...

Skygofree Malware – One of the Most Dangerous Android Malware Threats Ever Seen

According to Kaspersky Lab, Skygofree malware, a recently discovered Android threat, is one of the most powerful Android malware variants ever seen. Although it was only recently detected, it is the product of serious development: Kaspersky Lab believes it has been in development for more than three years. The result is a particularly nasty threat that all Android users should take care to avoid.

Once installed on a device, the malware has access to a considerable amount of data and supports 48 different commands. Among its capabilities is taking control of the camera to snap pictures and record video without the user’s knowledge. It has access to geolocation data, so it can track where you go and where you have been. It steals call records, revealing who you have spoken to and when, and reads your text messages. It can also record conversations and background noise, both during telephone calls and whenever the user enters a specific location, set by the attacker, based on geolocation data. Whenever the device is in range of a WiFi network controlled by the attacker, it will automatically connect, even if WiFi is turned off. The malware also has access to all information in the phone’s memory, can read your calendar to see what you have planned, and can intercept WiFi traffic.

WhatsApp is not private with Skygofree installed either: the malware abuses the Android Accessibility Service to read your messages, and Skype conversations are similarly exposed. As if that were not enough, the malware also serves as a keylogger, recording all data entered on the device. With such an extensive range of functions, this malware is clearly not the work of an amateur.
It is believed to be the product of an Italian intercept and surveillance company called Negg, which is known to work with law enforcement agencies. Kaspersky Lab researcher Alexey Firsh said, “Given the...

Loapi Malware Infections Destroy Android Phones

Loapi malware is a new Android malware variant, recently discovered by researchers at Kaspersky Lab, that is capable of causing permanent damage to Android smartphones. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi infections can be short-lived: in a Kaspersky test on an Android phone, the device was destroyed within two days.

Sabotage is not the aim of the malware. Destruction of the device is collateral damage from the intensity of its activity. Loapi performs a wide range of malicious functions simultaneously, including processor-intensive tasks that cause the device to overheat, and the overheating causes irreparable damage. In the two-day test, the constant activity caused the device to overheat and the battery to bulge, deforming the device and its cover.

The researchers said Loapi is like no other malware variant they have seen, and they have seen plenty. They called it a “jack of all trades” because of its extensive capabilities. The malware mines the cryptocurrency Monero, using the processing power of infected devices to create new coins; while Monero mining is less intensive than Bitcoin mining, it still takes its toll. The malware also enrolls infected devices in DDoS attacks, making constant requests to websites to take down online services, and bombards the user with advertising banners and videos. It silently subscribes the user to online services, handling any text message confirmation those services require. To do this it has access to SMS messages and can send text messages to any number, including premium services. Text messages are also used to communicate with its C2 server.
Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days...

New Kentucky Web Filtering Law Proposed

A new Kentucky web filtering law has been proposed that would make it mandatory for all vendors of Internet-enabled devices in the state to have pornography filters installed that prevent users from accessing adult content. Similar laws have been proposed in other U.S. states to deal with social problems attributed to pornography; the proposed Kentucky law is virtually a carbon copy of bills being considered in Alabama, North Dakota, and South Carolina.

The bill was introduced by Rep. Dan Johnson (R-Mt. Washington). The aim is not to make it impossible to access pornography in Kentucky, only to make it harder. Kentuckians who want to use their Internet-enabled devices to access obscene material would be required to pay a fee of $20 to have the web filtering controls removed. The fee could be paid on purchase of the device or at a later date, and lifting the filter would require proof of age and a signed consent form. This opt-in approach to adult content is seen by its proponents as the best way to prevent many of the problems that arise from the use of pornography and to make it much more difficult for minors to view adult web content. As with other similar proposals, the fees would be directed, in part, to crime victim compensation funds, to law enforcement, and to state funds.

If the law is passed, supplying PCs and mobile phones without filtering software would be a Class A misdemeanour, and selling an Internet-enabled device to a minor without software to block pornography would be a Class C felony. Under the laws proposed in Alabama, the Class A misdemeanour would attract a fine of up to $6,000 and a jail term of up to a year, while the Class C felony would be punishable with a $30,000 fine and up to 10 years in jail.
Laws proposed in Alabama, South Carolina and North Dakota also require a mechanism to be introduced that would allow webpages and websites that have not been blocked by the filter to be easily reported. A call center or website would need to...

A Quarter of Ransomware Attacks in 2017 Targeted Businesses

Kaspersky Lab has named ransomware one of the key threats of 2017, and one that continues to plague businesses the world over. Ransomware attacks in 2017 are down year on year, but ransomware attacks on businesses are up.

Ransomware attacks in 2016 were bad, but this year there have been three major attacks that went global: WannaCry in May, NotPetya in June, and most recently Bad Rabbit in October. Many of the attacks in 2017 have been far more sophisticated than those of 2015 and 2016, and attackers are using a wider variety of tactics to install the malicious code. At the start of 2016, ransomware was primarily installed using exploit kits, before attackers switched to spam email as the main delivery method. Spam email remains one of the most common delivery mechanisms, but each of the three attacks above used exploits for unpatched vulnerabilities. Those exploits had been developed and used by the NSA and were leaked online by the Shadow Brokers hacking group. While not as severe as WannaCry, NotPetya, and Bad Rabbit, the AES-NI and Uiwix ransomware variants also used those exploits. Threat actors are also using remote desktop protocol to gain access to systems and install ransomware, and the use of exploit kits is once again on the rise.

There has also been a noticeable change in targets since 2015, when ransomware first became a favored tool of cybercriminals. Consumers were the main targets then, but cybercriminals soon realized there was more to be made from attacking businesses. In 2016, 22.6% of ransomware attacks were on business users; the Kaspersky Lab report shows that figure rose to 26.2% of all attacks in 2017. Of the businesses that experienced a ransomware attack in 2017, 65% said they lost access to a significant amount of data, and in some cases all of their data.
Some businesses have prepared for the worst and have developed ransomware response plans and now have multiple copies of backups, with at least one copy on an unnetworked device. In the event of an attack, data can be recovered. Others have not been so...

LockCrypt Ransomware Distributed Using Brute Force RDP Attacks

A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via brute force attacks on remote desktop protocol (RDP). LockCrypt is a relatively new variant, first seen in June 2017, but over the past few months the number of attacks has increased significantly, with October seeing the highest number so far this year.

Once a system is infected, users are unable to access their files. LockCrypt uses RSA-2048 and AES-256 cryptography, which makes it virtually impossible to recover files without paying the ransom if a viable backup does not exist. To make recovery more difficult, it also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.

The ransom demanded in this campaign is considerable, typically between 0.5 and 1 Bitcoin per encrypted server, or between $3,963 and $7,925 per compromised server at current rates. Since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed it can be reused to access other servers and deploy LockCrypt on each of them. One of the Bitcoin addresses used by the attackers shows that one company paid a ransom of $19,000 to recover files on three of its servers.

Once access to a server is gained, the ransomware is deployed, but the attackers also interact manually with compromised servers. AlienVault security researcher Chris Doman reported that in one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted; instead they are conducted opportunistically against business servers that expose RDP to the Internet. The businesses most likely to end up with ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password,...
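The entry vector in this campaign, a run of failed RDP logons from one source followed by a success and then reuse of the guessed credential on other servers, leaves a clear trail in the Windows Security log. The following detector is an added example written for this page, not code from the article or from AlienVault. The events are constructed; their field names follow Windows events 4624 and 4625, but presenting them as one JSON object per line is an assumption about how a SIEM or log forwarder might export them.

```python
"""Added example (not code from the original article or from AlienVault):
flag RDP password guessing in Windows Security log events, the entry vector
described above, and report whether the guessing succeeded and where the
guessed credential was then used.

The sample events below are constructed for this example. Field names follow
Windows events 4624/4625; exporting them as one JSON object per line is an
assumption about how a SIEM or forwarder might present them.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# Logon type 10 is RemoteInteractive (RDP). When Network Level Authentication
# is enabled, failed RDP attempts are recorded as logon type 3 (Network)
# instead, so both types are counted by default.
RDP_LOGON_TYPES = frozenset({3, 10})

# Constructed sample: 203.0.113.5 guesses six passwords on SRV-FILE01 in under
# a minute, logs on as administrator, then reuses the credential on SRV-DB02.
# 198.51.100.7 is a legitimate user who mistypes a password once.
SAMPLE_EVENTS = """
{"ts": "2017-10-02T03:14:05", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:14:09", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.5", "user": "admin"}
{"ts": "2017-10-02T03:14:14", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:14:20", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.5", "user": "backup"}
{"ts": "2017-10-02T03:14:27", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:14:33", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:15:02", "host": "SRV-FILE01", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:18:40", "host": "SRV-DB02", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.5", "user": "administrator"}
{"ts": "2017-10-02T03:20:00", "host": "SRV-FILE01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"}
{"ts": "2017-10-02T03:21:00", "host": "SRV-FILE01", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"}
{"ts": "2017-10-02T03:22:00", "host": "SRV-FILE01", "event_id": 4624, "logon_type": 2, "src_ip": "-", "user": "jsmith"}
"""


def parse_events(text):
    """Parse one JSON event per line; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          logon_types=RDP_LOGON_TYPES):
    """Alert on any source IP with `threshold` or more failed logons inside `window`.

    Each alert records whether the same source later logged on successfully
    (the guessing worked), which accounts it obtained, and which hosts it then
    reached with them.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] not in logon_types:
            continue
        if e["event_id"] == FAILED_LOGON:
            failures[e["src_ip"]].append(e)
        elif e["event_id"] == SUCCESSFUL_LOGON:
            successes[e["src_ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        # Sliding window over the (already sorted) failure timestamps: the
        # largest number of failures whose span fits inside `window`.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        later = [s for s in successes.get(ip, []) if s["ts"] >= fails[0]["ts"]]
        alerts.append({
            "src_ip": ip,
            "failures_in_window": peak,
            "usernames_tried": sorted({f["user"] for f in fails}),
            "success_after_failures": bool(later),
            "compromised_accounts": sorted({s["user"] for s in later}),
            "hosts_accessed": sorted({s["host"] for s in later}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The `hosts_accessed` field is what turns a brute-force alert into an incident scope: a success on a second server from the same source, with no guessing against it, is the credential reuse the article describes. Counting only logon type 10 would miss the two NLA-style type 3 failures in the sample and drop this source below the threshold, which is why the default includes both types.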

Magniber Ransomware Spread by Magnitude Exploit Kit

The Magnitude exploit kit is being used to deliver a new malware variant, Magniber ransomware. While the Magnitude EK has been used in attacks throughout the Asia Pacific region, the latest attacks are taking place solely in South Korea.

Ransomware and malware attacks in Europe and the Americas are primarily conducted via spam email, and exploit kits have fallen out of favor with cybercriminals there over the past year. That is not the case in the Asia Pacific region, where exploit kit attacks are still common. An exploit kit is a website toolkit that scans visitors’ browsers for exploitable vulnerabilities. When a vulnerability is identified, it is exploited to download malware onto the user’s system. The download occurs silently, and in the case of a ransomware attack the user is only likely to discover the attack once their files have been encrypted.

Magniber takes its name from the Magnitude EK and from Cerber ransomware, the variant it has replaced. At present, Magniber is solely targeting users in South Korea: if the operating system language is not Korean, the ransomware will not execute. While it is not unusual for ransomware campaigns to involve some targeting, it is rare for attacks to be confined to a single country.

Until recently, the Magnitude exploit kit was being used to download Cerber ransomware. FireEye reports that those attacks were concentrated in the Asia Pacific region: 53% occurred in South Korea, followed by the USA (12%), Hong Kong (10%), Taiwan (10%), Japan (9%), and Malaysia (5%), with small numbers of attacks in Singapore and the Philippines. At the end of September, Magnitude EK activity fell to zero, but on October 15 the payload was updated and attacks resumed, solely in South Korea.

To avoid analysis, Magniber checks whether it is running in a virtual environment. It also checks the system language.
If the system language is Korean, data is encrypted with AES-128 and encrypted files are given the .ihsdj extension. After encryption, the ransomware deletes itself. If the system language is not Korean, the ransomware exits. At...

Digital Rights Groups Call for Proposed EU Internet Copyright Filter to be Dropped

The EU’s proposed Internet copyright filter has not proven popular with digital rights groups. The provision, detailed in Article 13 of the Digital Single Market proposals, would require online content to be policed to prevent the publication of copyrighted material.

At present, if an individual shares content online that is protected by copyright, the copyright holder can submit a request to have the material taken down. That process can take some time, during which the material can be viewed and potentially downloaded. The proposed filter would strengthen protections for copyright holders: online service providers such as Facebook, Twitter, WordPress, YouTube, and Dropbox would be required to scan all uploaded content to check that it is not protected by copyright, and to remove it immediately if it is. The filter would go some way toward protecting the rights of copyright holders and would make it harder for music, movies, TV shows, and other video content to be uploaded and viewed by the public. Unsurprisingly, the proposal has attracted considerable support from the entertainment industry.

However, there has been considerable opposition from digital rights groups such as the Electronic Frontier Foundation, Human Rights Watch, Reporters Without Borders, Open Rights Group, European Digital Rights, and the Civil Liberties Union for Europe. In total, 56 organizations have signed an open letter to EU policymakers calling for Article 13 to be dropped.
Those organizations believe that while there are benefits to Article 13, the Internet copyright filter would be impossible to implement without also violating the freedom of expression detailed in Article 11 of the Charter of Fundamental Rights, as well as imposing excessive restrictions on citizens’ fundamental rights. If passed, Internet companies would be forced to take down content to avoid possible legal liability, and that would undoubtedly see them erring on the side of...

Commission Upholds Decision to Fire Employee for Viewing Pornography at Work

A Social Community Partnership employee who was fired for viewing pornography at work took legal action against her employer for unfair dismissal. Ireland’s Workplace Relations Commission (WRC) has upheld the Partnership’s decision to fire the employee, confirming that the sanction was appropriate.

In May 2016, the employee was discovered to have viewed pornography on her work computer and was promptly fired for gross misconduct. While the employee denied viewing pornography at work, a review of the access logs for her computer revealed that pornographic websites had been accessed on seven occasions between September and November 2015. The material accessed included depictions of rape and the abduction of girls. Viewing pornography at work is unacceptable in any office, but the nature of the material made this an egregious violation of the Partnership’s acceptable Internet usage policy, especially since the Social Community Partnership works to support children and families.

Lack of Individual Logins Makes it Difficult to Attribute Inappropriate Internet Access to Individual Employees

The case was not clear cut, because the computers in the reception area where she worked did not require each employee to log in with their own credentials. The employee denied that she had viewed pornography, said that two other workers used the same computers, and pointed out that other employees could have used the computers when she was not at her desk. To establish that the employee was the person responsible for violating the acceptable Internet use policy, the Partnership had to compare the Internet logs against the work schedule. Multiple employees were found to have been working on four of the seven occasions, but the employee was the only person scheduled to work in the reception area on the other three occasions when pornography was accessed. The employee suggested the sites could have been pop-ups, but her employer rejected that claim.
To determine whether access was due to a malware infection, an external computer expert was called in to conduct a scan of the computer. The scan confirmed no malware was present that could have redirected the browser to...
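The attribution method the Partnership used, matching each flagged access on a shared workstation against who was rostered on at that moment, is easy to mechanize and is worth doing systematically, because the outcome turns on how many occasions have exactly one candidate. The following routine is an added example written for this page, not code or data from the case above; the proxy log lines, the roster, and the employee names are all constructed, and the log and roster formats are assumptions.

```python
"""Added example (not code or data from the case described above): attribute
flagged web-proxy hits on a shared workstation to the staff rostered on at the
time, the way the employer in the case compared Internet logs to the schedule.

The proxy log, the roster and every name below are constructed for this
example; the log and roster formats are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, workstation, host visited, filter category.
PROXY_LOG = """
2015-09-14T10:42:11 RECEPTION-PC adult-site.test adult
2015-09-14T10:42:13 RECEPTION-PC cdn.adult-site.test adult
2015-09-14T11:05:00 RECEPTION-PC intranet.partnership.test business
2015-09-21T14:10:30 RECEPTION-PC adult-site.test adult
2015-10-05T11:30:00 RECEPTION-PC adult-site.test adult
2015-10-05T11:31:00 RECEPTION-PC mail.example.test webmail
2015-10-12T15:55:42 RECEPTION-PC adult-site.test adult
2015-10-19T10:05:10 RECEPTION-PC adult-site.test adult
2015-11-02T16:20:00 RECEPTION-PC adult-site.test adult
2015-11-09T12:40:15 RECEPTION-PC adult-site.test adult
"""

# Constructed roster: (employee, workstation they cover, shift start, shift end).
ROSTER = [
    ("alice", "RECEPTION-PC", "2015-09-14T09:00:00", "2015-09-14T17:00:00"),
    ("bob",   "RECEPTION-PC", "2015-09-14T09:00:00", "2015-09-14T13:00:00"),
    ("alice", "RECEPTION-PC", "2015-09-21T09:00:00", "2015-09-21T17:00:00"),
    ("alice", "RECEPTION-PC", "2015-10-05T09:00:00", "2015-10-05T17:00:00"),
    ("carol", "RECEPTION-PC", "2015-10-05T09:00:00", "2015-10-05T13:00:00"),
    ("alice", "RECEPTION-PC", "2015-10-12T13:00:00", "2015-10-12T17:00:00"),
    ("alice", "RECEPTION-PC", "2015-10-19T09:00:00", "2015-10-19T17:00:00"),
    ("bob",   "RECEPTION-PC", "2015-10-19T09:00:00", "2015-10-19T13:00:00"),
    ("alice", "RECEPTION-PC", "2015-11-02T09:00:00", "2015-11-02T17:00:00"),
    ("alice", "RECEPTION-PC", "2015-11-09T09:00:00", "2015-11-09T17:00:00"),
    ("carol", "RECEPTION-PC", "2015-11-09T09:00:00", "2015-11-09T17:00:00"),
]

FLAGGED_CATEGORIES = {"adult"}
SESSION_GAP = timedelta(minutes=30)   # hits closer than this count as one occasion


def parse_log(text):
    hits = []
    for line in text.splitlines():
        if line.strip():
            ts, host, url, category = line.split()
            hits.append({"ts": datetime.fromisoformat(ts), "host": host,
                         "url": url, "category": category})
    return hits


def group_occasions(hits, flagged=FLAGGED_CATEGORIES, gap=SESSION_GAP):
    """Collapse flagged hits on one workstation that fall within `gap` of each
    other into a single occasion, so a page plus its CDN assets is one event."""
    occasions = []
    flagged_hits = sorted((h for h in hits if h["category"] in flagged),
                          key=lambda h: (h["host"], h["ts"]))
    for h in flagged_hits:
        last = occasions[-1] if occasions else None
        if last and last["host"] == h["host"] and h["ts"] - last["end"] <= gap:
            last["end"] = h["ts"]
            last["urls"].append(h["url"])
        else:
            occasions.append({"host": h["host"], "start": h["ts"],
                              "end": h["ts"], "urls": [h["url"]]})
    return occasions


def on_shift(roster, host, when):
    """Employees rostered on `host` at the instant `when`."""
    return sorted(emp for emp, ws, start, end in roster
                  if ws == host
                  and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end))


def attribute(occasions, roster):
    """Attach the rostered staff to each occasion; `sole` is set only when
    exactly one person could have been at the keyboard."""
    out = []
    for occ in occasions:
        staff = on_shift(roster, occ["host"], occ["start"])
        out.append({**occ, "on_shift": staff,
                    "sole": staff[0] if len(staff) == 1 else None})
    return out


def summarize(attributed):
    """Per employee: occasions where they were the only candidate vs. shared."""
    summary = defaultdict(lambda: {"sole": 0, "shared": 0})
    for occ in attributed:
        for emp in occ["on_shift"]:
            summary[emp]["sole" if occ["sole"] == emp else "shared"] += 1
    return dict(summary)


if __name__ == "__main__":
    report = attribute(group_occasions(parse_log(PROXY_LOG)), ROSTER)
    for occ in report:
        print(occ["start"], occ["on_shift"], "sole:", occ["sole"])
    print(summarize(report))
```

With the constructed data the summary mirrors the case: seven occasions, four with more than one person on shift and three where only one employee could have been at the workstation. The shared occasions prove nothing on their own; the finding rests on the sole-candidate ones, which is why grouping hits into occasions (rather than counting every CDN request) matters for an honest count. Without per-user logins this is the best the logs can do, and the malware check that follows is the other half of the argument.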

PornHub Malvertising Campaign Infects Millions with Malware

A massive Pornhub malvertising campaign has been detected that potentially resulted in millions of malware infections in the United States, Canada, the UK, Australia, and beyond.

Malvertising is the term given to malicious adverts that dupe website visitors into visiting sites where malware is downloaded, or sites used to phish for login credentials. These malverts are often served on legitimate websites, which lends them credibility. The sites that users are directed to can deliver any type of malware: keyloggers, ransomware, spyware, or adware.

The Pornhub campaign was used to spread click fraud malware. The group behind it, KovCoreG, used the Kovter Trojan, which persists on the machine and survives a reboot. Pornhub is one of the most popular adult websites, attracting millions of visitors, and serves advertising through a third-party ad network called Traffic Junky. The attackers managed to sneak their malicious adverts past the anti-malvertising controls the ad network has in place. The adverts detected the browser in use and redirected users to a webpage tailored to that browser; the campaign worked against users of Chrome, Internet Explorer/Edge, and Firefox. The pages were expertly crafted to match the colors, fonts, logos, and branding of Google, Firefox, and Microsoft, and claimed that a critical security update was required to secure the user’s browser. Infection required the user to click to download the “update” and then run it; the campaign relied on that step rather than on a browser exploit.

The campaign was detected by Proofpoint, which notified the ad network and Pornhub. Both acted quickly to remediate the threat, although not before many users had been infected.

A Web Filtering Solution Can Block Malvertising Attacks

Implementing a web filtering solution in the workplace is not just about preventing employees from wasting time on Facebook.
A web filter is an important part of any layered cybersecurity defense strategy. The latest Pornhub malvertising campaign is a good example of how controlling the websites your employees can access can...

Cost of Cybercrime Increased 23% in 12 Months

The cost of cybercrime is 23% higher than last year, according to a new study conducted by the Ponemon Institute on behalf of Accenture. The average annual cost of cybercrime is now $11.7 million per organization, having increased from $9.5 million last year. The Ponemon Institute conducted the 2017 Cost of Cybercrime study on 2,182 security and IT professionals at 254 organizations. Respondents were asked about the number of security breaches they experienced in the past 12 months, the severity of those incidents, and the cost of mitigation. The average number of security breaches experienced by each organization was 130 per year, which is more than twice the number of incidents that were being experienced 5 years ago and 27.4% more than this time last year. The costs of cybercrime were split into four areas: disruption to business processes, data loss, loss of revenue, and damage to equipment. Respondents were asked to rate each based on its cost. While the losses from disruption to the business were not insignificant, they were the least costly. The biggest cost was information loss. The costliest security incidents to resolve were malware attacks, which cost an average of $2.4 million to resolve, although the attacks were considerably more expensive to resolve in the United States, where the average losses were $3.82 million per incident. In second place were web-based attacks, costing an average of $2 million globally and $3.4 million in the United States. However, in terms of the amount of disruption caused, insider incidents topped the list, taking an average of 50 days to mitigate. Ransomware attacks took an average of 23 days to resolve. The cost of cybercrime report indicates organizations in the financial services sector have the highest annual costs, spending an average of $18.28 million per organization. In second place was the energy sector, with an average annual cost of $17.20 million.
Organizations in the United States had the biggest annual security breach resolution costs, spending an average of $21 million each per year. Bottom of the list was Australia with average annual costs of $5 million. Organizations in the United Kingdom were spending an...

Malvertising Phishing Attacks Soar, Underscoring Need for a Web Filter

Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks. Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third-party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware. These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ. However, the study shows there was a massive increase in malvertising phishing attacks as cybercriminals changed their tactics. Phishing-related ads increased by 131% in Q2 2017, but between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%. The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered to all participants, it is a warning sign that all may not be as it seems. That said, many people still fall for the scams. The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought.
Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails. When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in...

The High Cost of a Ransomware Attack

Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover. The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers and servers and encrypting network shares. The ransom payment is then multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its files. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites. These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue-generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were unable to work, causing a loss in billings of an estimated $700,000. In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided.
When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial. Once an attack has been resolved, networks need to be analyzed to...

Equifax Data Breach: 143 Million Consumers Affected

A massive Equifax data breach was announced yesterday, which ranks as one of the largest data breaches of 2017. Approximately 143 million consumers have been impacted and had their sensitive data exposed and potentially stolen. A data breach at any company can cause considerable fallout, although this incident is particularly bad news for a credit reporting agency. Equifax aggregates and stores vast quantities of highly sensitive consumer data that are used by financial firms to make decisions about the creditworthiness of consumers. The data breach is sure to damage trust in the company. Ironically, Equifax offers credit monitoring and identity theft protection services to companies that experience data breaches to help them protect breach victims. Naturally, all Americans affected by the Equifax data breach will be offered those services free of charge. In fact, Equifax has gone further by agreeing to offer those services free of charge to all U.S. consumers for a period of one year, even if they were not directly affected by the breach. Chairman and Chief Executive Officer, Richard F. Smith, said “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do. I apologize to consumers and our business customers for the concern and frustration this causes.” The Equifax data breach may not be the largest data breach of 2017, but the nature of the data exposed makes it one of the most serious. Highly sensitive data were exposed, including personal information, Social Security numbers, birthdates, and driver’s license numbers, and 209,000 consumers had their credit card numbers exposed. These are the exact types of information used by cybercriminals to commit identity theft and fraud. Dispute documents were also stored on the compromised system. Those documents contained a range of personal information on 182,000 consumers.
The bulk of the data related to U.S. citizens, although some consumers in Canada and the United Kingdom have also been affected by the Equifax data breach. The hacker(s) responsible for the attack had access to Equifax’s systems for a considerable period of time before the breach was...

Jimmy Nukebot: A New Iteration of the NeutrinoPOS Banking Trojan

Earlier this year, the NeutrinoPOS banking Trojan source code was leaked, leading to several new variants of malware being created, the latest being Jimmy Nukebot. In contrast to its predecessor, which was used to steal bank card information, the latest version has lost that functionality. However, Jimmy Nukebot can perform a wide range of malicious functions, serving as a downloader for a wide range of malicious payloads. The malware also acts as a backdoor, which allows the actors behind the new malware to monitor activity on an infected device. Security researchers at Kaspersky Lab have analysed Jimmy Nukebot infections and have seen the malware download a wide range of modules, including Monero cryptocurrency mining malware, web-injects similar to those used in NeutrinoPOS, and various other modules that modify the functions of the malware. The malware can take screenshots of an infected device and exfiltrate data, and could download any malicious payload onto an infected device. Publication of the source code of malware results in an increase in its popularity. With the malware used in more attacks, the probability of it being detected is much higher. In order to evade detection, considerable modification to the malware is required. This could well be the reason why so many changes have been made to the latest iteration. The authors of Jimmy Nukebot took the original source code of the NeutrinoPOS banking Trojan and totally restructured the malware. The way the new malware has been constructed also makes static analysis much more complicated. The new features of the malware make it a formidable threat. Jimmy Nukebot is able to learn about the system on which it is installed and use that information for exploitation, tailoring the payload it delivers based on its environment rather than performing a pre-set malicious activity immediately upon infection.
Since the malware passively collects information and responds accordingly, it is unlikely to trigger AV alerts and may remain undetected. Organizations that have the malware installed are therefore unlikely to be aware that their systems have been compromised. Protecting against threats such as this requires...

300 Google Play Store Malware Infected Apps Discovered

Downloading apps from non-official sources potentially places users at risk, but Google Play Store malware infected apps do exist. Google has controls in place to prevent malicious apps from being uploaded to its app store, but those controls are not always 100% effective. Choosing to download apps only from official stores is no guarantee that the apps will be free from malware. Security researchers recently discovered around 300 apps offered through the Google Play store that appear to be legitimate programs, yet are infected with malware that adds infected devices to a large botnet. The botnet was being used to launch distributed denial of service (DDoS) attacks on websites. The botnet, dubbed WireX, comprises tens of thousands of Android devices that are being used in highly damaging cyberattacks. Devices started to be infected in early July, with a steady rise in additions over the following weeks. Even though the number of compromised devices grew steadily in July, the botnet was only discovered in early August, when the WireX botnet started to be used in small-scale DDoS attacks. Since then, larger attacks have taken place, mostly targeting the hospitality sector. Those attacks have clogged websites with junk traffic, preventing legitimate users from accessing the sites. Some of the WireX DDoS attacks involved as many as 160,000 unique IPs. Since a single device could conceivably attack websites from multiple IP addresses, the size of the botnet has been estimated to be around 70,000 devices. The growth of the botnet was soon attributed to malicious apps, with researchers discovering around 300 Google Play Store malware infected apps. Google has now disabled those apps and is in the process of removing them from devices. The apps included video players, battery boosters, file managers and ringtones. The apps were not simply malware, as users would undoubtedly attempt to delete the apps if they failed to perform their advertised functions.
The apps all worked and users who downloaded the apps were unaware that their devices were being used for malicious purposes. The malware used a ‘headless browser’ which was able to perform the functions of a standard...

Neptune Exploit Kit Turns Computers into Cryptocurrency Miners

The Neptune exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign. Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded. Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched. Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is the use of malvertisements. Many high-traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click-throughs. While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit. Exploit kits are typically used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see the computer’s processing power used to mine the Monero cryptocurrency, hogging the infected computer’s resources and slowing down the performance of the machine.
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports...

India’s Central Board of Secondary Education Recommends School Web Filtering Technology

India’s Central Board of Secondary Education is urging all CBSE-affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online. The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school. School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse, and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices. CBSE-affiliated schools have been advised to develop guidelines for safe Internet use, make this information available to students, and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so. Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempts to access prohibited material, to allow schools to take action.
Schools have also been advised to sensitize parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material. While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict...

Internet Filtering Laws in the United States

Internet filtering laws in the United States are mostly introduced at the state level, although federal legislation has been introduced for schools and libraries – the Children’s Internet Protection Act (CIPA). Typically, Internet filtering laws in the United States are concerned with protecting minors. Laws apply to schools and libraries, although some states also require publicly funded institutions to apply controls that block minors from accessing pornography and other obscene or harmful material. However, legislation is now being considered to force vendors or suppliers of Internet-enabled devices to implement Internet filtering technology by default. The aim is not to prevent adults from accessing pornographic material on their personal devices, only to ensure that there are some controls in place. That means all vendors/suppliers of Internet-enabled devices will be required to implement a web filtering control, with the new device owners required to opt in if they wish to view pornography. Opting in must be done in writing and requires proof of age. Consumers will also be required to pay a fee to have the Internet filtering software removed. In South Carolina, legislation has been proposed that would require consumers to pay $20 to have the pornography block removed. The legislation was filed with the South Carolina General Assembly in December 2016. Similar legislation was also proposed in Utah in 2016.

Federal Internet Filtering Laws in the United States

At the federal level, all schools and libraries are required to comply with CIPA and implement web filters to prevent minors from accessing obscene material, pornographic images, images of child abuse, and other potentially harmful material if they wish to apply for discounts under the E-rate program or accept Library Services and Technology Act grants.
If organizations choose not to apply for those grants or receive E-rate discounts, Internet filtering laws in the United States do not apply, at least at the federal level.

State-Level Legislation on Internet Controls

Internet filtering laws in the United States are applied at the state level and usually concern K12 schools and public libraries....

Cybersecurity Best Practices for Law Firms

Law firm hacking incidents are up, and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data. Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks, data that in the wrong hands could be used for blackmail. Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that. Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption. For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks. One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000. Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons.
One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data causing huge losses....

Fake Software Updates Used to Install Invisible Man Malware

A new mobile malware threat has been discovered – Invisible Man malware – that is being installed via fake software updates. Invisible Man malware is a keylogger that has been designed to obtain banking credentials. While the malware is not new – it has been around for four years – it is frequently updated, with a new variant discovered that takes advantage of the accessibility services on Android devices. As the name suggests, Invisible Man malware runs silently on infected devices, unbeknown to the user. The malware is an overlay that sits atop legitimate banking apps and intercepts inputs as they are entered on the device. It also allows the attackers behind the malware to intercept text messages, in particular those used for two-factor authentication and codes sent by banks to authorize transactions. Once installed on a device it has administrator rights to all Android accessibility services, is installed as the default SMS app, and has rights to send and receive SMS messages, make calls, and access contacts on the phone. It can also take screenshots and prevents itself from being uninstalled, according to Kaspersky Lab. Invisible Man malware has been developed for attacks in Australia, France, Germany, Poland, Singapore, Turkey and the UK, working as a keylogger over 63 banking apps. All data collected is immediately transferred to its C2 server. Kaspersky Lab reports that Invisible Man malware is primarily being installed on devices using fake software updates, specifically fake Flash Player updates on malicious websites via a downloaded apk file.

Beware of Fake Software Updates

The latest attacks highlight an important point. If you receive a warning on screen telling you that your software is out of date, don’t click and download the update. In this case, the user is asked to confirm installation and is required to grant the app administrator rights to accessibility services.
Fake software updates are one of the most common methods used to distribute malware, bloatware, adware, ransomware and other nasties. Given the frequency of software updates now being released to address recently found vulnerabilities, your software may...

Cybercriminals Generate Ransomware Profits of $25 Million in 2 Years

A new study has shown that cybercriminals have generated ransomware profits in excess of $25 million over the past two years, clearly demonstrating why crypto-ransomware attacks have soared. There is big money to be made in this form of cyber extortion. The bad news is that with so many organizations paying to recover their files, the ransomware attacks will continue and will likely increase. Ransomware attacks are profitable because users are still failing to back up their data. Google’s figures suggest that even though the threat of data deletion or encryption is high, only 37% of computer users back up their data. That means if ransomware encrypts files, the only option to recover data is to pay the ransom demand. Figures from the FBI estimated ransomware payments to have exceeded $1 billion in 2016; however, it is difficult to accurately calculate ransomware profits since the authors go to great lengths to hide their activities. Ransomware profits are difficult to track, and companies are reluctant to announce attacks and whether payment has been made. There have been two notable exceptions. The South Korean hosting company Nayana was attacked and had 153 Linux servers and 3,400 customer websites encrypted; the firm paid 1.2 billion Won – approximately $1 million – for the keys to unlock the encryption. More recently, a Canadian company has reportedly paid a ransom of $425,000 to recover its files, although the identity of the firm is still unknown. Now, a study conducted by Google, with assistance from Chainalysis, the University of California at San Diego, and New York University’s Tandon School of Engineering, has shed some light on actual ransomware profits. The study involved an analysis of blockchains and Bitcoin wallets known to have been used to collect ransomware payments. The researchers also used reports from victims and monitored network traffic generated by victims of ransomware attacks to help track where payments were sent.
The study looked at the top 34 ransomware strains and determined more than $25 million has been collected in the past two years. 95% of payments were cashed out using the Bitcoin trading platform BTC-e. Google has...

Adobe Flash Plug-In Death Date Confirmed as December 31, 2020

It has been a long time coming, and we are not quite there yet, but Adobe Flash is about to die. The long, slow, drawn-out death of Adobe Flash will continue for another three years yet, with Adobe finally confirming that it will be pulling the plug by December 31, 2020. By then, all updates for Adobe Flash will stop and we will all enter a Flash-free age. Until then, Adobe is committed to working with partners to ensure Flash remains as secure as possible, and updates will continue until that time. However, Adobe is already trying to encourage businesses to start switching to other standards such as HTML5. The decision to finally put Flash out of its misery was made because other platforms and technology have “matured enough and are capable enough to provide viable alternatives to the Flash player,” according to Adobe. In 2005, Flash was on 98% of all computers, and even three years ago it was being used by 80% of desktop users on a daily basis. Today, helped in no small part by the serious security flaws in the platform and the switch from PCs to mobile devices, usage has fallen to just 14%. Google is not supporting Flash anymore and has not done so for Android since 2012. Apple has never supported the plug-in on its mobile devices, and Firefox, Chrome, Edge and Safari no longer run Flash content automatically. Even Internet Explorer will disable Flash by default in 2019, ahead of its official death date the following year. Of course, just stopping updates does not mean that Flash will cease to exist. But given the rate at which vulnerabilities in Flash are now being discovered, anyone still using Flash by 2020 will be wide open to attack as soon as the updates stop. However, by then there will be far fewer websites using Flash and fewer devices with the Flash plug-in installed. The Internet will most likely be a safer place without Flash, but what will happen to all the hackers who are currently developing exploits for Flash vulnerabilities?
They will not simply retire along with it. Instead they will put their efforts into something else. What that is, of course, remains to be seen. Three years may seem like an awfully long time, but there are still many...

More than 500,000 Systems Infected with Stantinko Malware

Stantinko malware may only have recently been detected, but it is far from a new malware variant. It has been in use for the past five years, yet has only recently been identified. During the past five years, Stantinko malware has spread to more than 500,000 devices and has been operating silently, adding infected systems to a large botnet, with the majority of infected machines in Russia and Ukraine. The botnet has primarily been used to run a large-scale adware operation. The malware installs the browser extensions Teddy Protection and The Safe Surfing, which appear to users to be legitimate apps that block malicious URLs. These apps are legitimate if downloaded via the Chrome Web Store, but they are not if they are installed by Stantinko. The Stantinko versions contain different code that is used for click fraud and ad injection. ESET reports that additional plugins known to be installed by Stantinko malware include Brute-Force and Search Parser, which are used for Joomla/WordPress brute force attacks and to anonymously search for Joomla/WordPress sites. Remote Administrator is a fully functional back door, and Facebook Bot can generate fake likes, create new accounts, or add friends on Facebook, virtually undetected. While click fraud is the primary goal of the attackers, Stantinko malware can perform a wide range of functions, since it includes a loader that enables threat actors to send any code to an infected device via their C2 server and run it. ESET researchers say the malware uses Windows services to perform backdoor activities and brute force attacks on WordPress and Joomla websites. Once access is gained, the attackers sell on the login credentials to other cybercriminal groups, according to ESET. That’s not all. ESET says Stantinko malware could be used to perform any task on an infected host. The malware and botnet have remained undetected for so long due to their ability to adapt to avoid being detected by anti-malware solutions.
The malware also uses code encryption to avoid detection. Users would be unlikely to realize that anything untoward was happening on their machine. The tasks performed by the malware involve low CPU activity...

Privacy Concerns Raised Over New UK Porn Filtering Controls

UK porn filtering controls are expected to be introduced next year to make it harder for minors to access – accidentally or deliberately – pornographic material over the Internet. The government has proposed a new requirement that will make it mandatory for all sites hosting adult or pornographic content to conduct age verification checks before adult content is displayed. From April next year, a yet to be decided regulator – most likely the British Board of Film Classification – will be able to block websites hosting pornography if they do not conduct checks to ensure visitors are over the age of 18. Blocks are likely to be applied at the ISP level, and the sites could be barred from taking credit card payments from the UK if they do not comply. The change to UK porn filtering controls would mean minors would be prevented from accessing pornographic material. Digital minister Matt Hancock explained the move would mean the “UK will have the most robust internet child protection measures of any country in the world.” While many adult websites ask the user if they are over 18 before content is displayed to prevent accidental access, further controls would be required to verify age. One of the easiest ways to do that is by requiring the visitor to submit their credit card details. In the UK, it is not possible for individuals under the age of 18 to be issued with a credit card. The new UK porn filtering controls have been welcomed by some groups – the National Society for the Prevention of Cruelty to Children (NSPCC) for example – but the move has raised many concerns. Age verification checks are likely to result in the operators of the websites maintaining a database of site users, even individuals who do not pay for access. The database is likely to include not only details supplied in the verification checks, but also profiling and viewing histories. It is possible that large volumes of highly sensitive data could be collected on millions of users.
Any website that collects sensitive consumer data is a target for hackers. The databases that could be built by adult content providers would be an even bigger target. Not only could information be used for...

TIGTA Tells IRS to Implement an Enterprise Email Archiving Solution

An enterprise email archiving solution allows emails to be retrieved on demand and ensures messages remain usable. Emails must be produced in the event of an audit and during legal discovery, and federal law requires organizations to produce them in other circumstances too, such as when a request is made under the Freedom of Information Act. An email archive is searchable, so emails can be quickly located and accessed when needed. Since recovering emails from backups is a long and complicated process, many companies now use an enterprise email archiving solution such as ArcTitan. ArcTitan makes archiving a quick and easy process and frees up valuable storage space on mail servers. Recovering emails is also rapid and straightforward because the archive is searchable: even large numbers of emails from multiple accounts can be recovered in minutes, multiple searches of the archive can run at the same time (in contrast to Office 365, which restricts searches to two at a time), and the archive can be searched at a rate of up to 30 million emails a second. Recovering multiple emails from backups, by contrast, can take several days.

Even though federal law requires emails to be produced on demand, many companies have yet to switch to an email archive, and the IRS is not setting a good example. The Treasury Inspector General for Tax Administration (TIGTA) recently audited the Internal Revenue Service and found that IRS policies on email storage do not allow it to consistently ensure records are retained, and that in several cases the IRS has been unable to produce emails on request. The audit was requested by the Chairman of the Senate Committee on Finance and the Chairman of the House Committee on Ways and Means after the IRS reported that it was unable to produce some documents in response to Freedom of Information requests. 
After searching for the documents, the IRS discovered documents had been accidentally deleted. The auditors determined that emails are not automatically archived for all employees and some employees had been instructed to...

NotPetya Ransomware Believed to be Camouflaged Disk-Wiper

The NotPetya ransomware attacks on Tuesday this week initially looked like another WannaCry-style attack: they spread using similar leaked NSA exploits, ransoms were demanded, and, as with WannaCry, infections rapidly spread around the globe. However, closer inspection of NotPetya has revealed that all may not be as it first appeared.

The purpose of ransomware is to lock files with strong encryption so they cannot be accessed, and then issue a ransom demand. If the ransom is paid, the keys needed to decrypt the files are supplied: the organization gets its files back and the attackers get a big payday. There have been many cases in which ransomware encrypted files yet the attackers were unable to supply working keys. Those attacks have tended to be the work of amateurs, or show that the authors were sloppy and never checked that decryption was possible. If attackers do not make good on their promise to supply valid keys, word soon spreads on social media and security websites that paying will not get files back, and the campaign is unlikely to be profitable.

Developing a new ransomware variant is not quick or easy. It makes no sense for a threat actor to go to the trouble of developing ransomware and devising a sophisticated multi-vector campaign to spread it, but then neglect the elements that make it possible to collect ransom payments. That is, unless the aim of the campaign is not to make money. In the NotPetya attacks, the actors behind the campaign appear to have made some serious errors if making money was their aim. For a start, the ransom demand was only $300 per infected machine, well below the current average demanded by ransomware gangs. And the errors were numerous. Petya ransomware, which NotPetya closely resembles, provides each victim with an installation ID. 
That ID is unique to the victim. It is used to determine who has paid the ransom. In the latest attacks, the IDs consisted entirely of random characters. As Kaspersky Lab explained, that means it is...
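To make the installation-ID point concrete, here is a simplified model, added as an example and not code from the article, from Kaspersky Lab or from either malware family. In a recoverable design the per-victim file key is derived from an operator secret and a nonce, and that nonce is what the victim is shown as the ID, so the operator can rebuild the key from the ID alone; an ID made of random characters, as observed in NotPetya, carries no such information. The model uses an HMAC-based derivation in place of the public-key wrapping a real scheme would use (the Python standard library has no RSA), and the operator secret and all keys are generated at runtime (constructed).

```python
"""Why a random 'installation ID' means the operator cannot decrypt.
Simplified model added as an illustration; it is not Petya's or NotPetya's
real key scheme, which the article does not describe. Uses an HMAC key
derivation as a stand-in for public-key wrapping of a per-victim key."""
import hashlib
import hmac
import secrets


def petya_style_enrol(operator_secret: bytes):
    """Victim side of a recoverable design: the file key is derived from the
    operator's secret plus a fresh nonce, and the nonce (hex) is displayed
    as the installation ID. Returns (installation_id, file_key)."""
    nonce = secrets.token_bytes(16)
    file_key = hmac.new(operator_secret, nonce, hashlib.sha256).digest()
    return nonce.hex(), file_key


def notpetya_style_enrol():
    """Victim side as observed in NotPetya: the displayed ID is random and
    has no relation to the key that encrypted the files."""
    file_key = secrets.token_bytes(32)
    return secrets.token_hex(16), file_key


def operator_recover(operator_secret: bytes, installation_id: str) -> bytes:
    """Operator side: rebuild the file key from nothing but the ID the
    victim pasted into the payment message."""
    nonce = bytes.fromhex(installation_id)
    return hmac.new(operator_secret, nonce, hashlib.sha256).digest()


def operator_can_decrypt(operator_secret: bytes, installation_id: str,
                         real_file_key: bytes) -> bool:
    """True only if the key rebuilt from the ID is the key actually used."""
    rebuilt = operator_recover(operator_secret, installation_id)
    return hmac.compare_digest(rebuilt, real_file_key)


if __name__ == "__main__":
    op_secret = secrets.token_bytes(32)            # constructed operator secret
    vid, key = petya_style_enrol(op_secret)
    print("recoverable design:", operator_can_decrypt(op_secret, vid, key))  # True
    vid, key = notpetya_style_enrol()
    print("random ID:", operator_can_decrypt(op_secret, vid, key))           # False
```

The second case is the situation the article describes: the victim can send the ID and the bitcoin, but nothing in the ID lets the operator reconstruct the key, so no payment can ever produce a working decryptor.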

Study Reveals Misplaced Confidence in Cyber Response Plans

Confidence in cyber response plans does not appear to be lacking, according to a new study conducted by Deloitte. That does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their response plans may not be effective. The only way to determine whether a response plan will work as intended is to test it regularly; if plans are not tested, organizations cannot say with any certainty that they will be effective. As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce resolution costs considerably, but for that to happen a response plan must have been developed before the breach, and that plan must work.

The Deloitte study found that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their response policies. Yet 82% of respondents had not tested their response plans in the past year, nor documented them with business stakeholders in that time. A lot can change in a year: new software is implemented, configurations change, and so do personnel. Only regular testing ensures that plans work and that staff know their roles when an attack occurs. Cyberattack simulations are a useful way to see how a response plan holds up in practice; plans that look great on paper often fail when put into action. Running simulations every six months helps ensure that a fast and effective response is possible, yet the survey showed that only 46% of respondents conduct simulations twice a year or more often. A data breach can have dire consequences for a company. 
The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data...

Domain Shadowing Crackdown Sees 40,000 Malicious Subdomains Taken Down

Hackers have been phishing for domain registrar credentials and using those logins to create malicious subdomains under legitimate domains, a process called domain shadowing, then using those subdomains as gates that redirect users to sites loaded with the RIG exploit kit. RIG probes for vulnerabilities in web browsers and plugins and exploits the flaws it finds to download malware, usually silently and without the user's knowledge. All that is required for infection is an out-of-date browser or plugin and a visit to a website hosting the kit. RIG has primarily been used to deliver banking Trojans and Cerber ransomware. While its use is nowhere near the level Angler reached before its demise, RIG is now the leading exploit kit in use by cybercriminals, and activity has increased sharply in recent months.

Cybercriminals have been driving traffic to the malicious subdomains with malvertising campaigns: malicious adverts sneaked onto third-party ad networks and syndicated across a wide range of high-traffic websites, which redirect visitors to the subdomains. Other techniques include malicious Chrome popups and iframes inserted into compromised WordPress, Drupal and Joomla! websites. Tens of thousands of subdomains have been created under legitimate domains whose registrar accounts were compromised, with the credentials understood to have been obtained by phishing and malware. The subdomains were mostly created on domains hosted by GoDaddy. The registrar has been working with RSA Security and independent security researchers to identify the compromised accounts and take down the subdomains; in total, around 40,000 subdomains were taken down in May. 
While this takedown is certainly good news, it is unclear how much effect it will have on RIG operations, as little is known about the RIG infrastructure or the total number of domains that have had malicious subdomains added. However, RSA Security says the takedowns have resulted in “a significant loss of capabilities to RIG operations”. RSA and GoDaddy are working to...
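Domain shadowing leaves a trace the domain owner can look for: records in the zone that nobody on the team created. The following script, added here as an example rather than code from GoDaddy, RSA or the article, diffs a zone export against a known-good inventory and flags records that are new, that point outside the organisation's own address space, or that carry a short TTL. The baseline, trusted ranges and zone export are constructed; the subdomain names, TTLs and the heuristics are assumptions for illustration, not observed characteristics of RIG gates.

```python
"""Spot domain-shadowing additions by diffing a DNS zone export against a
known-good record inventory. Added example; all data below is constructed."""
import ipaddress
import re

# Known-good inventory for the zone (constructed): name -> (type, target).
BASELINE = {
    "example.com.":      ("A", "203.0.113.10"),
    "www.example.com.":  ("A", "203.0.113.10"),
    "mail.example.com.": ("A", "203.0.113.20"),
}
# Address space the organisation actually hosts on (constructed).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed zone export after a registrar-account compromise: two
# throwaway subdomains with short TTLs pointing at hosting the owner
# does not control (names and addresses are assumptions).
ZONE_EXPORT = """\
example.com.          3600 IN A 203.0.113.10
www.example.com.      3600 IN A 203.0.113.10
mail.example.com.     3600 IN A 203.0.113.20
x7qk2m.example.com.    300 IN A 198.51.100.77
gh19pz.example.com.    300 IN A 198.51.100.78
"""

# name  ttl  IN  type  target   (only the record types this check understands)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(AAAA|A|CNAME)\s+(\S+)\s*$")


def parse_zone(text):
    """Yield (name, ttl, rtype, target) for A/AAAA/CNAME lines; skip the rest."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            name, ttl, rtype, target = m.groups()
            yield name, int(ttl), rtype, target


def _outside_trusted(rtype, target, nets):
    """True if an address record points outside every trusted network."""
    if rtype not in ("A", "AAAA"):
        return False  # CNAME targets would need a separate hostname allow-list
    addr = ipaddress.ip_address(target)
    return not any(addr in net for net in nets)


def find_shadow_records(zone_text, baseline, trusted_nets, low_ttl=600):
    """Return suspicious records, each with the reasons it was flagged."""
    findings = []
    for name, ttl, rtype, target in parse_zone(zone_text):
        reasons = []
        if baseline.get(name) != (rtype, target):
            reasons.append("not in baseline")
        if _outside_trusted(rtype, target, trusted_nets):
            reasons.append("target outside trusted networks")
        if ttl <= low_ttl:
            reasons.append(f"low ttl ({ttl})")
        if reasons:
            findings.append({"name": name, "type": rtype,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_shadow_records(ZONE_EXPORT, BASELINE, TRUSTED_NETS):
        print(hit["name"], hit["type"], hit["target"], "->", "; ".join(hit["reasons"]))
```

Run it against a scheduled export of each zone you own; a record that trips all three heuristics at once is worth treating as a likely registrar-account compromise, which means rotating the registrar credentials and enabling whatever second factor the registrar offers, not just deleting the record.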

Terror Exploit Kit Now Conducting Targeted Attacks

The Terror exploit kit is a relative newcomer to the EK scene, yet it is evolving rapidly. Since the demise of Angler, exploit kit activity has waned, but the threat from newer kits such as Terror is growing. Exploit kits probe for vulnerabilities in browsers and plugins: when a visitor lands on a website hosting an exploit kit, the kit searches for exploitable vulnerabilities and, when it finds one, silently downloads malware or ransomware. Exploit kits can be hosted on compromised websites or on sites run by the attackers, and cybercriminals use a variety of techniques to get traffic to them. Links can be sent via spam email, instant messaging services and social media. Malicious advertisements (malvertising) can be placed on third-party ad networks and are then served in the sidebars of any number of legitimate, high-traffic websites. Web redirects are also used to divert traffic to the malicious sites. If a visitor with out-of-date plugins or an older browser version arrives at such a site, and the kit has an exploit for a vulnerability in that browser or plugin, a malicious payload can be silently downloaded onto the user's device.

In recent months, spam email has become the main attack vector used by cybercriminals; however, exploit kit activity appears to be increasing, with Terror fast evolving into a significant threat. Terror previously used a 'carpet-bombing' approach, firing a wide range of exploits at the end user's system in the hope that one would succeed, which is not particularly sophisticated. Terror has now been updated so that attacks are tailored to the user's browser environment, and only exploits with a high probability of success are delivered. 
The Terror exploit kit can now determine which exploits to drop based on the victim’s browser version, the plugins that have been installed, or patch level, according to the researchers who discovered the update. Protecting against exploit kits requires browsers and plugins to be kept 100% up to date and vulnerability free, which...

New WannaCry Ransomware Variants Identified

The version of WannaCry ransomware used in Friday's attacks has been blocked, although new WannaCry ransomware variants have been detected.

U.S. Escapes WannaCry Relatively Unscathed

The total number of computers infected with WannaCry ransomware is now believed to be around 300,000, although the United States escaped relatively unscathed, according to the U.S. Department of Homeland Security (DHS). While it is still unclear exactly how many U.S. organizations have been affected, fewer than 10 have reported a WannaCry attack to DHS. The attacks have now stopped, although organizations whose files were encrypted must recover them from a backup, accept the data loss, or pay the attackers for the decryption keys. The attackers have so far made around $81,000 from the campaign, according to @actual_ransom. At $300 per infected device, that amounts to a few hundred payments; given the number of devices locked by the ransomware, the vast majority of victims are not paying the attackers to unlock their files.

WannaCry's encryption was stopped when a UK security researcher (MalwareTech) discovered a kill switch while investigating the worm code. In an apparent effort to avoid running in a sandbox or virtual environment, the malware checked whether a nonsense, unregistered domain could be reached. If the connection succeeded, the ransomware exited; if it failed, the ransomware proceeded to encrypt files. By registering that domain, MalwareTech stopped further encryptions. 
WannaCry Victims Appear to Have Been Contacted by the Attackers

In an apparent effort to increase the profits from the campaign, the attackers have generated pop-up messages on affected computers saying, “I have already sent decryption keys to many customers who had sent me the correct amounts of bitcoin, and I guarantee the decryptions for such honest customers.” While this message could indicate the attacker has access to infected computers, it is possible that the message was pre-programmed to appear. Paying ransom demands only...

Researchers Discover Pre-Installed Keylogger on HP Laptops

Browsing the Internet can result in malware and spyware downloads, and malicious software can arrive via spam email, but a fresh-out-of-the-box laptop should be totally malware free. Not always. A pre-installed keylogger on HP laptops has recently been identified by Swiss security firm modzero.

Potentially unwanted programs can be found on many new devices. Some serve a purpose but pose a security threat. For instance, in 2014 Lenovo laptops were shipped with Superfish, adware whose self-signed root certificate made the devices vulnerable to man-in-the-middle attacks. The pre-installed keylogger on HP laptops does not appear to be used for any malicious purpose, although there is considerable potential for abuse. The software records every keystroke after a user logs in and writes it to a log file on the local drive; in some situations the keystrokes are also passed to a debugging API on the laptop.

The keylogger was found in an audio driver package, Conexant HD Audio Driver Package version 1.0.0.46 and earlier. The offending file is MicTray64.exe, located in C:\Windows\System32. A scheduled task runs it each time a user logs in, and it hooks all keystrokes on the device in order to detect special keys such as the microphone mute hotkey. The program was developed by Conexant, the audio chip manufacturer, and has shipped on HP laptops since December 2015. While the software itself is not malicious in intent, the way it logs keystrokes makes the recorded keystrokes easy to access. The log file is written to the public folder (C:\Users\Public\MicTray.log) and can therefore be read by any user of the device. The file is overwritten at each login, but everything typed during the current session, passwords included, can be read by anyone with access to the device. 
Additionally, if the registry key holding the log file path is missing or corrupted, the keystrokes are instead passed to the Windows OutputDebugString API, where any local process listening for debug output can capture them. Malware installed on the device could copy the log file, and with it all keystrokes from the session. It would also be...

Study Reveals Cybersecurity Awareness in America is Poor

Pew Research has recently published the results of a study that set out to test cybersecurity awareness in America and find out more about the risks individuals unwittingly take online. The study surveyed 1,055 adult Americans, each of whom was asked 13 cybersecurity questions of varying difficulty. Questions included what HTTPS means, what two-factor authentication is, what private browsing does, and how much protection a VPN offers on an insecure Wi-Fi network.

The study showed that cybersecurity awareness in America is poor and that consumers are potentially taking major risks online. A security-aware individual should be able to answer all 13 questions correctly, yet only 1% of participants managed it. Only two of the 13 questions, on passwords and public Wi-Fi, were answered correctly by a substantial majority of participants. The median score was 5 correct answers out of 13, the mean was 5.5, and only 20% of participants answered more than 8 questions correctly. Three quarters of participants could pick the most secure password from a list, and 73% knew that public Wi-Fi networks carry a major risk and should not be used for sensitive activities such as online banking, even when the network requires a password. Awareness was much worse in every other area tested. Just over half of respondents could correctly identify what a phishing attack involves, a particularly worrying result given how widespread phishing is. Ransomware has been heavily reported in the press and attacks on businesses have soared, yet fewer than half of participants could correctly identify what ransomware is, and only 46% knew that email is not encrypted by default. 
Worryingly, only 33% of participants were aware that HTTPS meant traffic was encrypted, suggesting many are entering credit card information into unencrypted websites. Only one in ten participants were able to correctly identify multi-factor authentication, with 71% thinking CAPTCHA was a form of multi-factor authentication rather than...

Schoolzilla AWS Misconfiguration Exposes 1.3 Million K-12 School Records

Security researcher Chris Vickery has discovered a Schoolzilla AWS misconfiguration that left the records of 1.3 million students unprotected. Schoolzilla is a student data warehouse platform used by K-12 schools to track and analyze student data. While data on the platform itself were protected from unauthorized access, a backup of that data was not. Vickery had been scanning for unprotected Amazon Web Services installations when he noticed a number of unsecured buckets associated with the Tableau data visualization platform. Further investigation revealed an unprotected 'sz tableau' bucket named sz-backups, which held backups of the Schoolzilla database. The Amazon S3 bucket had been accidentally configured to allow public access, leaving 1.3 million student records exposed. The records contained sensitive information such as students' names and addresses, along with test scores, grades, birthdates and some Social Security numbers. Vickery notified Schoolzilla and the company moved quickly to secure the backups. Schoolzilla has since implemented additional technical safeguards to protect student data, and all affected schools have been contacted and notified of the exposure; it is unclear exactly how many schools were affected. The Schoolzilla AWS misconfiguration shows just how easy it is for sensitive data to be exposed online. This time a security researcher discovered the exposed data, but cybercriminals run the same scans for unprotected storage. In this case, Schoolzilla was able to confirm that nobody other than Vickery had accessed the file. Other companies may not be so fortunate. Schools and other educational institutions are increasingly using AWS and other cloud storage platforms to house student data. 
Data can be securely stored in the cloud; however, human error can all too easily result in sensitive data being exposed. The incident highlights just how important it is for organizations to conduct security scans and perform penetration tests to ensure that...
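The two places an S3 bucket is usually opened to the world are its ACL (a READ grant to the AllUsers or AuthenticatedUsers group) and its bucket policy (an Allow statement with a wildcard principal). The checker below is an added example, not Schoolzilla's configuration or code from the article; the ACL and policy it evaluates are constructed in the shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, and the bucket name in the resource ARN is made up.

```python
"""Evaluate an S3 bucket ACL and bucket policy for public exposure.
Added example; inputs below are constructed, not a real account's settings."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(acl):
    """Return [(group, permission)] for grants to AllUsers or AuthenticatedUsers.
    AuthenticatedUsers means any AWS account in the world, not just the
    bucket owner's, so it is treated as public too."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (in string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """Return [(sid, actions, conditional)] for Allow statements with a
    wildcard principal. Statements carrying a Condition (aws:Referer, a
    source-IP range) are still reported, flagged conditional=True, because
    such conditions are often trivially satisfied by an attacker."""
    if policy is None:                 # get-bucket-policy errors when none is set
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        found.append((st.get("Sid", f"statement[{i}]"), actions, "Condition" in st))
    return found


def bucket_is_public(acl, policy):
    """True if the ACL or an unconditional policy statement opens the bucket."""
    if public_acl_grants(acl):
        return True
    return any(not conditional for _, _, conditional in public_policy_statements(policy))


# Constructed: a backup bucket with READ granted to everyone (anyone can list
# it) and an anonymous GetObject policy (anyone can fetch the backups).
EXPOSED_BACKUP_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
EXPOSED_BACKUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-backups/*",
    }],
})
# Constructed: the same bucket after the fix (owner-only ACL, no policy).
FIXED_ACL = {"Owner": EXPOSED_BACKUP_ACL["Owner"], "Grants": EXPOSED_BACKUP_ACL["Grants"][:1]}
FIXED_POLICY = None

if __name__ == "__main__":
    print("exposed:", bucket_is_public(EXPOSED_BACKUP_ACL, EXPOSED_BACKUP_POLICY))  # True
    print("fixed:", bucket_is_public(FIXED_ACL, FIXED_POLICY))                       # False
```

Run the two functions over every bucket in the account, not only the ones that hold production data: in this incident the platform was locked down and it was the backup copy that was left open.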

Support for the Human Trafficking and Child Exploitation Prevention Act Grows

The Human Trafficking and Child Exploitation Prevention Act is a bill that would make it harder to access pornography on Internet-enabled devices by requiring manufacturers and retailers of those devices to ship them with a pornography filter enabled by default. Support for the bill is growing, with 12 states having already backed it (Alabama, Florida, Georgia, Indiana, Louisiana, New Jersey, North Dakota, Oklahoma, South Carolina, Texas, West Virginia, and Wyoming) and many others considering similar legislation. While many states have previously opposed legislation restricting access to pornography, support has grown as the way pornography is portrayed has changed: rather than a moral issue to be tackled, it is increasingly presented as a public health crisis. Proponents of the bill claim that viewing pornography harms mental and sexual health and damages relationships, and that the availability of pornography is contributing to the growth of human trafficking for the sex trade. The legislation would require all manufacturers and retailers of Internet-enabled devices to implement a web filtering solution on those devices that blocks pornography, prostitution hubs, child pornography, obscenity, and revenge pornography by default. It would not make it illegal for individuals over the age of 18 to view pornography and other obscene content, but to do so they would have to provide the retailer or manufacturer with proof of age. Similar laws already require retail stores to check proof of age before allowing minors to view pornographic magazines. Filtering at the device level is, its supporters argue, the most workable way to restrict access: 
it would not be feasible to require websites to conduct age checks, as there would be no jurisdiction over website owners based outside the United States. Pornography filtering legislation is viewed as the least...

McAfee Releases Threat Report Detailing 2016 Malware Trends

McAfee has issued a new threat report detailing 2016 malware trends. The decline in new malware samples in the final quarter of 2016 does not mean 2017 will see a continued fall; McAfee Labs expects the opposite. 2016 followed the same pattern as 2015: large volumes of new malware in the first quarter, followed by a steady decline over the next three quarters. Far from continuing into 2017, the first-quarter figures, which will not be available until the summer, are likely to show the same pattern, with a massive increase in malware numbers in the first three months of 2017. The total number of malware samples catalogued has also risen steadily year on year, from around 400 million at the end of 2015 to more than 600 million at the end of 2016; if that trend continues, the total is likely to reach around 800 million by the end of this year. McAfee predicts that there will be around 17 million malware samples by the end of this year.

McAfee reports that ransomware increased steadily over the course of 2016, starting the year at around 6 million known samples and finishing it with over 9 million. The final quarter of 2016 nevertheless saw a sharp drop in new ransomware, due to a decline in generic ransomware detections and a fall in the use of Locky. Relatively few new Mac OS malware samples were detected over the past two years, although Q3 2016 saw new Mac OS malware rise from around 10,000 to 50,000, followed by a massive jump to around 320,000 new samples in the final quarter of 2016. By the end of 2016 the total count of Mac OS malware had risen to more than 450,000, from around 50,000 at the end of Q4 2015. The increase mostly involved bundled adware. 
The switch from exploit kits to email as the main attack vector is evident from the figures for new macro malware, with a sharp rise in Q2, 2016 and a continued rise in Q3. In Q1, there were around 60,000 detections, in Q3 that figure had risen to more than 200,000. The public sector was most affected by security breaches...

95% of Companies Have Employees Bypassing Security Controls

A recent insider threat intelligence report from Dtex has revealed that the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies prohibiting access to certain websites during working hours, or technical controls such as web filtering solutions. During its risk assessments, Dtex found that 95% of companies had employees using virtual private networks (VPNs) to access the Internet anonymously, with many installing the Tor browser or researching ways to bypass security controls online. In some cases, employees went as far as installing vulnerability testing tools to bypass security controls.

Why Are Employees Bypassing Security Controls?

Employees bypassing security controls is a major problem, but why is it happening? The report indicates that 60% of attacks involve insiders, and that 22% of those attacks are malicious in nature. The greatest risk of data theft comes in an employee's first week and in the final week before they leave: 56% of organizations said they had discovered potential data theft during those two weeks, and these are the times when employees are most likely to bypass security controls for malicious reasons. In many cases, though, VPNs and anonymizers are used simply to visit websites without being tracked. Many companies prohibit accessing pornography in the workplace, and similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to deny their organization any visibility into their online activity. The report indicates that 59% of organizations had discovered employees accessing pornographic websites at work. 
There are many reasons why companies prohibit the accessing of pornography at work. It is a drain of productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity....

Free Bart Ransomware Decryptor Released

Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom. Bart ransomware was first detected in June 2016 and stood out from the many other variants because it could encrypt files without an Internet connection. Most ransomware relies on a connection to its command and control (C&C) server to obtain a per-victim public-private key pair; Bart does not. Only decryption requires a connection, to transfer the ransom payment and receive the decryption key. That made Bart a significant threat to corporate users: for most ransomware, blocking C&C traffic at the firewall can prevent files from being encrypted, but because Bart needed no C&C contact to encrypt, that defense offered no protection.

Bart was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. It shared a significant portion of its code with Locky, was distributed in the same manner, used a ransom note very similar to Locky's and, like Locky, encrypted a wide range of file types. Early versions were fairly unsophisticated, but later versions corrected their flaws. The first versions blocked access to files by placing them in password-protected zip archives. AVG 'cracked' that method, although only by brute-forcing the password, which required a copy of an encrypted file together with its unencrypted original. Later versions dropped the zip archives, rendering AVG's technique ineffective; their encryption was much stronger and had no known flaws. 
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand. Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal...

Cybersecurity Warning for Healthcare Providers Issued by FBI

The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place so that only authorized individuals can access stored data. When an FTP server runs in anonymous mode, however, access can be gained with a generic username such as 'ftp' or 'anonymous' and any password, or in some cases no password at all, and lists of such usernames are easily found on the Internet. Cycling through a short list of usernames takes seconds, or minutes at most, so stored data can be accessed without any hacking skills: data on an anonymous FTP server can be read by anyone.

The FBI warning cites research conducted by the University of Michigan in 2015 that shows the scale of the problem: more than one million FTP servers around the world allow anonymous access, and any data stored on them is freely available to the public. Should those servers hold sensitive data such as protected health information, it could easily be stolen and used for malicious purposes. Firewalls and other perimeter defenses protect networks and EHRs from cyberattacks, yet an FTP server can be a gaping hole in an organization's defenses. Many healthcare providers use FTP servers to share data easily with business associates and other healthcare entities; if authentication controls are not used, they are a data breach waiting to happen. The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises them to check whether their servers are running in anonymous mode. 
Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability, although all healthcare organizations should perform the check. The warning also explains that the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP...
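The check the FBI recommends is a single anonymous login attempt against each FTP server you operate. The script below is an added example rather than code from the FBI warning or the University of Michigan study: `check_anonymous_ftp()` is the generic check, using only the standard library, and `FakeFtpServer` is a constructed stand-in that speaks just enough FTP on 127.0.0.1 for the example to run offline in both the misconfigured and the fixed state. Point the checker only at hosts you are authorised to test.

```python
"""Test whether FTP servers accept anonymous logins. Added example; the fake
server is a constructed stand-in so the check can be demonstrated offline."""
import ftplib
import socket
import threading


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Attempt an anonymous login and report the outcome.
    ftplib.FTP.login() defaults to user 'anonymous', password 'anonymous@',
    which is exactly the credential pair an anonymous-mode server accepts."""
    result = {"host": host, "port": port, "anonymous": False, "detail": ""}
    ftp = ftplib.FTP(timeout=timeout)
    try:
        result["banner"] = ftp.connect(host, port)   # server greeting (220 ...)
        result["detail"] = ftp.login()               # raises error_perm on 5xx
        result["anonymous"] = True
    except ftplib.error_perm as exc:                 # e.g. '530 Login incorrect.'
        result["detail"] = str(exc)
    except (OSError, ftplib.Error) as exc:           # refused, timeout, bad reply
        result["detail"] = f"error: {exc}"
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return result


class FakeFtpServer:
    """Constructed stand-in for an FTP server that is, or is not, in
    anonymous mode. Serves one connection on a random loopback port."""

    def __init__(self, anonymous_enabled=True):
        self.anonymous_enabled = anonymous_enabled
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve_one, daemon=True).start()

    def _serve_one(self):
        conn, _ = self._sock.accept()
        self._sock.close()
        conn.sendall(b"220 constructed-ftp ready\r\n")
        reader = conn.makefile("r", encoding="latin-1")
        for line in reader:
            cmd = line.strip().upper()
            if cmd.startswith("USER"):
                conn.sendall(b"331 Please specify the password.\r\n")
            elif cmd.startswith("PASS"):
                # Anonymous mode: any password is accepted for the anonymous user.
                if self.anonymous_enabled:
                    conn.sendall(b"230 Login successful.\r\n")
                else:
                    conn.sendall(b"530 Login incorrect.\r\n")
            elif cmd.startswith("QUIT"):
                conn.sendall(b"221 Goodbye.\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented.\r\n")
        reader.close()
        conn.close()


if __name__ == "__main__":
    for enabled in (True, False):
        srv = FakeFtpServer(anonymous_enabled=enabled)
        print(check_anonymous_ftp("127.0.0.1", srv.port, timeout=3))
```

A `230` reply to the anonymous login is the finding; on vsftpd the fix is `anonymous_enable=NO` in vsftpd.conf, and on any server the data should then be moved behind per-user credentials or, better, off plain FTP altogether, since FTP also sends those credentials in clear text.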

Educational Institutions Warned About Moodle Security Flaws

Educational institutions have been warned about Moodle security flaws that could allow cybercriminals to attack web servers, gain administrative privileges and run malicious code. Many educational institutions use the Moodle platform for their e-learning websites, which give students access to interactive online courses. Almost 80,000 websites use the open source platform, many of them operated by schools, colleges and universities. On Monday this week, security researcher Netanel Rubin disclosed a vulnerability, tracked as CVE-2017-2641, that could be exploited to run malicious PHP code on an unpatched Moodle server. He pointed out on his blog that the problem is not a single critical flaw but a number of smaller vulnerabilities that become exploitable when chained together. An attacker could exploit the flaws to create hidden administrative accounts; however, doing so requires an account on the platform. The type of account does not matter, provided it is not a guest account, and since more than 100 million individuals log on to Moodle sites to access courses, obtaining a user account would not pose much of a problem. The flaws could be used to install backdoors giving persistent access to the data stored on a Moodle server, and there is data aplenty: highly sensitive information about students, including personal information, grades and test data. According to Rubin, the flaws affect all versions of the platform tested, including “3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions.” Rubin pointed out that such a large system (Moodle contains more than 2 million lines of PHP code) will almost inevitably have numerous vulnerabilities. 
In this case, the code has been written by multiple authors which has led to logical flaws being introduced. The problem comes from having too much code, too many developers and a lack of documentation. That is a problem for any system of this size, not just...

Cyberattacks on Educational Institutions Have Soared in 2017

2017 has already seen numerous cyberattacks on educational institutions. The year has started particularly badly for the education sector and there is no sign of the cyberattacks abating any time soon. But why is the education sector being so heavily targeted by hackers, cybercriminals, and scammers? It is easy to see why cyberattacks on financial institutions occur: there are substantial funds to be plundered. Cyberattacks on healthcare organizations are also common. Those organizations hold vast quantities of data; data that can be sold for big bucks on the black market and used for all manner of fraud: medical fraud, identity theft, tax fraud, and insurance fraud, for example. However, the education sector is similarly being targeted. K12 schools, colleges, and universities have all been attacked and those attacks have soared in 2017. The list of educational institutions that have reported cyberattacks in 2017 is long. Barely a day goes by without another educational institution being added to the list. Many of the cyberattacks on educational institutions are random, but it is becoming increasingly clear that the education sector is being targeted. There are many reasons why the attacks have soared in recent months. Educational institutions hold vast quantities of valuable data, they have considerable computer resources that can be used by cybercriminals, and in contrast to other industry sectors, educational institutions are not as heavily regulated when it comes to cybersecurity protections. Defenses are relatively poor and educational organizations tend to have relatively few IT staff compared to the corporate sector. In short, the potential profits from cyberattacks on educational institutions are high and attacks are relatively easy to perform. For cybercriminals that is an excellent combination.

What Data are Cybercriminals Attempting to Steal?

K12 school systems have been targeted by criminals in order to gain access to student data.
Social Security numbers of minors are extremely valuable. Dates of birth and Social Security numbers can be used for identity theft and fraud and in the case of minors, fraud is less likely to be identified quickly. Minors...

FBI Chief Issues Ransomware Advice for Healthcare Providers

At a recent cybersecurity conference, FBI Director James B. Comey gave valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused. Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, they are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands. However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable. Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed. In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud. One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond.
Not only should policies be developed that can be implemented immediately following a ransomware attack, but business continuity plans must also be tested before a disaster occurs. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable...

New Fileless Malware Hides Communications in DNS Queries

A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method, together with the lack of files written to the hard drive, makes this new malware threat almost impossible to spot. The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document. Opening the Word document displays a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so calls a VBA function that defines the PowerShell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect. Fileless malware is nothing new; in fact, it is becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via DNS – which is usually used to look up the Internet Protocol addresses associated with domain names. The malware sends and receives information using DNS TXT queries and responses. DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS to unapproved servers, the malware will still be able to communicate with the attackers’ C2 infrastructure. While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests.
The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the...

Opposition to Pornography Filtering in Libraries Places ALA on NCOSE Naughty List

Opposition to pornography filtering in libraries has seen the American Library Association placed on the National Center on Sexual Exploitation (NCOSE) naughty list. Each year, NCOSE publishes a list of the top twelve companies and organizations that it believes are either profiting from pornography or facilitating access to it. The aim of the list, referred to as the Dirty Dozen, is to name and shame the companies and organizations that are failing to do enough to tackle the growing problem of online pornography. Pornography is only the tip of the iceberg. Hidden underneath is a world of sexual exploitation, prostitution, and sex trafficking. NCOSE sees companies and organizations that fail to take action as being part of the problem, inadvertently – or in some cases deliberately – contributing to the considerable harm that is caused by pornography. This year’s list includes technology and telecoms companies (Amazon, Comcast, Roku), the American Library Association (ALA), and EBSCO (a provider of library resources to schools, colleges, higher education establishments and libraries). Four websites make the list (YouTube, Twitter, Snapchat, and Backpage.com), along with Cosmopolitan Magazine, HBO, and Amnesty International. The ALA is almost a permanent fixture on the NCOSE Dirty Dozen list, having been present for the past five years. It is the ALA’s opposition to the use of pornography filtering in libraries that sees it included year after year. NCOSE says “the ALA zealously encourages public libraries not to install internet filters on public access computers.” By taking such a stance, the ALA is providing patrons – including children – with the means to access sexually explicit and obscene material. The ALA told CBN News that “Librarians encourage parents and children to talk with one another. Families have a right to set their own boundaries and values.
They do not have the right to impose them on others.” NCOSE doesn’t hold back, saying the ALA stance on pornography filtering in libraries “has turned the once safe community setting of the public library into a XXX space that fosters child sexual abuse, sexual assault, exhibitionism, stalking,...

Beware of the Latest Google Chrome Scam!

A security researcher has discovered a new Google Chrome scam that infects victims’ computers with malware. In contrast to many malware-downloading scams, the new Google Chrome scam is highly convincing and is certain to result in many malware infections. Hackers have installed malicious JavaScript on a number of compromised WordPress websites. The JavaScript modifies the text on a compromised webpage when it is visited using the Google Chrome browser. The text on the website appears as if Google Chrome cannot read the font, with the characters on the site replaced with random fonts and symbols. A popup appears on screen informing the visitor that the “HoeflerText” font wasn’t found by Google Chrome. The visitor is told that the webpage they are trying to view cannot be displayed correctly as a result. Visitors are prompted to update their Chrome browser to include the new font by downloading a “Chrome Font Pack.” The Google Chrome scam is convincing. The popup uses the Chrome logo and looks official, with colors and branding that Google would use on its popup windows. The shading used for the “Update” button on the popup window is also accurately reproduced. Furthermore, HoeflerText is a real font. If the user opens a new tab in their browser and Googles the font, they will discover the font is real, making the Google Chrome scam seem entirely plausible. Clicking the update button triggers a download of the update file – ChromeFontv7.5.1.exe – which is an executable containing the malware. While attempting to run the executable would normally result in an anti-virus warning being displayed, relatively few anti-virus products are detecting the ChromeFontv7.5.1.exe file as malicious. VirusTotal shows that just 9 out of 59 AV products identify the file as malicious. The Google Chrome scam was uncovered by NeoSmart Technologies researcher Mahmoud Al-Qudsi.
He reports that while the Google Chrome scam is highly convincing, there are two signs that the update is not real. First, regardless of the version of Chrome used, the popup says the user has Chrome version 53. The second sign of the scam is the popup says the update file is called...

ISP Advises Businesses to Make WiFi Passwords Less Secure

The hacking of Wi-Fi networks can be highly lucrative for cybercriminals. If Wi-Fi passwords are obtained by hackers, malware can be installed and every user who connects to that network faces a higher risk of having their device compromised and sensitive information stolen. Strong passwords should be set on Wi-Fi networks to make it harder for cybercriminals to guess them. However, an ISP in the United States recently encouraged its customers to make their Wi-Fi passwords less secure, suggesting they change them to show support for their Super Bowl team. Charter Spectrum – the second largest ISP in the United States – sent the following tweet to its customers on January 23, 2017: “Change your WiFi password and show guests where your loyalty lies! #ThatsMyTeam”. With the Super Bowl fast approaching, the idea was for businesses to show their support for either the New England Patriots or the Atlanta Falcons. By changing their Wi-Fi passwords to GO_ATLANTA or GO_NEWENGLAND they would be telling their customers that they fully supported their local team. It is clear what the intention of the ISP was, although suggesting an easy password for a Wi-Fi network and then tweeting it to customers and followers of the #ThatsMyTeam hashtag was a monumentally bad idea. It is possible that the ISP was trying to suggest that businesses change the name of their Wi-Fi network temporarily. That would not pose any cybersecurity risk, although that is not what the tweet said. The ISP was widely criticized for the tweet on social media sites and the tweet has since been deleted. Making a Wi-Fi password less secure makes it easier for hackers to conduct man-in-the-middle attacks. In these attacks an attacker intercepts and alters communications between two parties – in this case a person who connects to the Wi-Fi network and the website with which they wish to communicate, such as their bank or an online store. Email conversations can also be hijacked and communications intercepted.
Hackers can eavesdrop on conversations and gather information that can be used in future spear phishing campaigns or highly sensitive login credentials to work networks or secure...

Calls for Ransomware Protection for Universities to Be Augmented

Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented.

Ransomware: A Major Threat to Universities the World Over

Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor. Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid. Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet-facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain. Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access. In a similar vein, university networks tend to be more open than those in the business world, for example. Businesses tend to severely restrict access to networks, so if an attack occurs, the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.

Ransomware Protection for Universities Clearly Lacking

The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels.
Many of those universities have been forced to pay the ransom demands to restore access to files. Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles...

Poor Cybersecurity Practices to Avoid

Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist. This month we have seen two reports issued that have highlighted one of the biggest flaws in cybersecurity defenses in US enterprises: poor password hygiene. The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices. Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords. Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Numbers three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds. Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members. The results of this survey were supported by later research conducted by TeleSign, who found a very blasé attitude to online security among U.S. citizens.
Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents’ online accounts are guarded by duplicate passwords and...

Internet Filtering Laws in the UK to Give ISPs Internet Blocking Powers

Internet filtering laws in the UK could soon be updated to allow Internet Service Providers (ISPs) to legally block explicit website content. Former UK Prime Minister David Cameron announced in 2013 that his – and his party’s – aim was to implement greater controls over the Internet and to start blocking pornography by default. In the summer of 2013, pornography filters were put in place by most Internet Service Providers in the UK. Major ISPs in the UK now require customers to opt in if they want to use their computers to view online pornography; unless requested, pornography filters are applied. However, last year, as part of a new EU ruling covering mobile phone roaming charges, the porn filter in the UK was determined to be illegal. The EU ruled that companies are not permitted to block access to legal website content, only website content that is illegal in member states. The UK opted out of the law after it was passed last year, allowing ISPs to continue to block Internet porn without violating the EU’s ‘Net Neutrality’ laws. However, even though the UK opted out, ISPs were only ever requested to implement porn filters. Internet filtering laws in the UK have never been introduced. The Digital Economy Bill – which has already been passed by the House of Commons – has had a number of amendments added this week, one of which covers the use of Internet filters. If the Bill is written into law, this will be the first legislation in the UK covering the use of Internet filters. The new clause is as follows: “A provider of an internet access service to an end-user may prevent or restrict access on the service to information, content, applications or services, for child protection or other purposes, if the action is in accordance with the terms on which the end-user uses the service.” The UK’s House of Lords will now subject the Bill, and the proposed amendments, to close scrutiny next week, examining the Bill line by line.
While it is possible that some of the controversial elements of the Bill will be dropped, it is now looking likely that Internet filtering laws in the UK will be introduced. The Bill also requires ISPs in the UK to block...

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm. However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but do little else. All book borrowing stopped since it was not possible for library staff to log borrowing on the checkout system. Patrons were also prevented from gaining access to the Internet. Even the email system was locked and taken out of action. What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware. Ransomware is malicious software that has been developed with one sole purpose: to encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption, preventing the files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt the files in exchange for payment. Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system’s computers – across 16 locations – were attacked and encrypted. Some ransomware variants also act as information stealers.
Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen. The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only...

10 Tips for Preventing Malware Infections

If you use a computer, you are at risk of having your device infected with malware; however, listed below are some useful tips for preventing malware infections. Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections. Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your – or your organization’s – data are being stolen. However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.

10 Tips for Preventing Malware Infections

Back up your data

OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection – or the removal of malware. The only way to recover from some infections is to wipe your system and restore it from a previously known safe point. You must therefore have a safe point that you can use. Nightly backups should be performed; you then stand to lose 24 hours of data at most.

Keep your malware definitions up to date

Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions 100% up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions or forget to set software to update automatically on all devices.

Never click on links or open email attachments from unknown senders

Cybercriminals target employees as it is far easier to gain access to a corporate network if an employee bypasses their organization’s defenses and installs malware.
All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start...

Spora Ransomware: A Particularly Dangerous New Ransomware Threat

There is now a new and particularly dangerous ransomware threat to deal with. Spora ransomware could well be the new Locky. Locky and Samas ransomware have proved to be major headaches for IT departments. Both forms of ransomware have a host of innovative features designed to avoid detection, increase infections, and inflict maximum damage, leaving businesses with little alternative but to pay the ransom demand. However, there is now a new ransomware threat to deal with, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only appear to be targeting Russian users, but that is likely to change. While a Russian version has been used in attacks so far, an English language version has now been developed. Spora ransomware attacks will soon be a global problem. A considerable amount of time and effort has gone into producing this particularly dangerous new ransomware variant, and a decryptor is unlikely to be developed due to the way that the ransomware encrypts data. In contrast to many new ransomware threats that rely on a Command and Control server to receive instructions, Spora ransomware is capable of encrypting files even if the user is offline. Shutting down Internet access will not prevent an infection. It is also not possible to block access to the C&C server to stop infection. Ransomware variants have previously been developed that can encrypt without C&C communication, although those do not use unique decryption keys, so one key will unlock all infections. Spora ransomware, on the other hand, requires every victim to use a unique key to unlock the encryption. A hard-coded RSA public key is used to generate a unique AES key for every user. That process occurs locally. The AES key is then used to encrypt the private key from a public/private RSA key pair generated for each victim, without C&C communications. The RSA key also encrypts the unique AES keys for each user.
Without the key supplied by the attackers, it will not be possible to unlock the encryption. This complex encryption process is only part of what makes Spora ransomware unique. In contrast to many other ransomware variants, the attackers...

How to Prevent Ransomware Attacks

Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly. Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without Internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices. Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Law offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack. The loss of files can prove extremely expensive, far exceeding the cost of any ransom payment. Many companies are therefore left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000, while 20% paid more than $40,000. Even when the ransom is paid there is no guarantee that a viable key will be supplied to unlock the encryption. Files may therefore be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever.
Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor...

Facebook Messenger Locky Ransomware Attacks Reported

In the past few days, Facebook Messenger Locky ransomware attacks have been discovered, exploit activity has increased, and malicious spam email volume has increased. Organizations now need to defend against a wide range of attack vectors.

2016 – The Year of Ransomware

2016 has seen an explosion in the use of ransomware by cybercriminals and there is no sign of that changing in the near future. More than 200 ransomware families have now been identified, one of the most dangerous being Locky. Locky ransomware was first discovered in February this year, but it has fast become one of the most prolific ransomware variants and has infected thousands of computers. No organization is immune to attack, although the gang behind the infections has been extensively targeting healthcare organizations. A number of U.S. healthcare providers have been forced to pay a ransom demand to recover their data. Rather than cybercriminals having to break through company defenses to gain access to data, then exfiltrate files, and sell those data on the black market – a process that can take weeks before payment is received – ransomware is a quick and easy revenue generator. Payments are made within a few days of infection as many companies cannot continue to function without access to their data. It is not even necessary for cybercriminals to develop their own ransomware. The malicious file-encrypting software can be ‘hired’ from the authors. By using ransomware-as-a-service, anyone with an Internet connection could run a ransomware campaign. Little skill is needed and attacks result in fast payment. It is therefore no surprise that the file-encrypting software has become so popular. Infection can occur via malicious adverts, exploit kits, or via spam email. All of those infection vectors allow the attackers to bypass traditional cybersecurity defenses such as firewalls. Some headway has been made by security researchers and decryptors have been developed for some ransomware variants.
Wildfire, Chimera, Shade, TeslaCrypt, and CoinVault have all been cracked. However, Locky has so far resisted security researchers’ efforts to crack it. The authors of the crypto-ransomware are...

Forget Hardware-Based Web Filtering Appliances for Schools and Look to the Cloud

Hardware-based web filtering appliances for schools have some advantages, but many K12 schools are saying goodbye to the appliances and are choosing a much more convenient and practical solution. In the United States, K12 schools are required to implement a web filtering solution to control access to the Internet in order to receive E-Rate discounts on Internet access. Even schools that do not participate in the E-Rate program need to filter the Internet. Parents are pressuring schools into ensuring the Internet can be accessed safely in schools and want to receive assurances that their children can use the Internet without inadvertently – or deliberately – viewing inappropriate material such as pornography. Twenty-four states have also introduced legislation covering children and Internet access in schools.

Hardware-Based Web Filtering Appliances for Schools

A hardware-based web filtering appliance for schools may appear to tick all the boxes. Hardware devices sit in front of an Internet gateway and filter Internet traffic. They prevent users from accessing websites that are deemed to be dangerous or inappropriate. While hardware-based web filtering appliances for schools can seem like an easy option, many schools are finding that is far from the case. Hardware-based web filtering appliances for schools are fine if there are just a handful of computers accessing the Internet in each classroom, but hardware solutions lack scalability. When the number of devices is increased, more appliances must be purchased. Hardware-based web filtering appliances also place limitations on web traffic. When the number of devices simultaneously requiring access to the Internet increases, a bottleneck can occur. It doesn’t matter how much the Internet pipe to a school is increased with an ISP: if a 1GB web filtering appliance is used, for example, that will be the limiting factor, not a 5GB connection. There is likely to be latency, which can be considerable.
One solution is to use multiple hardware devices. This will increase the capacity, although more devices mean an increased maintenance burden on IT departments. Multiple devices mean schools have to find the space to house the...

Ransomware Protection Tips

There are a number of reasons why ransomware attacks have been increasing and why crypto-ransomware has now become one of the biggest and most worrying threats. However, the main reason is that ransomware is extremely profitable. How profitable? According to a recent security report from McAfee Labs, one single ransomware author managed to pull in an incredible $121 million in ransomware payments in the first six months of 2016. Take off the expenses incurred and the author cleared $94 million in profit. That was just one author. There are many. There are now more than 200 different ransomware families and many more variants of each. Fortunately, developing new ransomware is a complicated business that requires considerable programming skill. Unfortunately, there are many individuals who rent ransomware to conduct campaigns and take a cut of the profits. The explosion in the use of ransomware in the past two years is a cause for concern for all Internet users, especially for business owners. Unfortunately, the ransomware crisis is unlikely to be resolved any time soon. As long as it is profitable, the attacks will continue. Vincent Weafer, VP of Intel Security’s McAfee Labs, expects the revenues from ransomware infections in 2016 to be of the order of several hundred million dollars, and most likely considerably more. McAfee recorded 1.3 million new ransomware samples in the first half of 2016. The risk of infection with ransomware has increased as authors employ increasingly sophisticated methods of evading detection. Ransomware is also spreading faster and encrypting even more data to ensure victims have no alternative but to pay up. But how is it possible to prevent ransomware attacks? Unfortunately, there is no silver bullet. Prevention requires several different strategies to be adopted. To prevent ransomware attacks, check out the ransomware protection tips below.
Ransomware Protection Tips

We have listed some ransomware protection tips below that will help you to avoid ransomware infections, and how to avoid paying a ransom should the unthinkable happen. The first rule of ransomware avoidance is backing up your data. The No More Ransom Project...

Study Reveals Extent of the Threat from Malware

The threat from malware is now greater than ever before in the history of the Internet. New malware is being developed at alarming rates, and traditional antivirus software developers are struggling to maintain pace and prevent new forms of malware from being installed on endpoints. Not only are malware developers creating ever stealthier information stealers, Trojans, and ransomware, the methods used to install the malicious software are becoming much more sophisticated. Keeping endpoints and networks free from infection is becoming far more complicated, while the cost of dealing with malware infections is increasing. Figures from the Ponemon Institute suggest the average cost of a data breach has now reached $4 million. 2015 saw some of the largest data breaches ever discovered and the situation is getting worse. The 78.8-million record attack on Anthem Inc. may have been one of the worst ever data breaches in terms of the number of individuals affected and the amount of data obtained by the attackers, but 2016 has seen even larger data breaches uncovered. The attack on LinkedIn, which was discovered in May this year, affected 117 million users. The data breach at MySpace resulted in 460 million passwords being obtained by hackers, 111 million of those records also included a username. However, even those massive data breaches were dwarfed by the discovery of the data breach at Yahoo Inc., this month. Hackers were found to have obtained the information of around 500 million individuals. Not all of those data breaches involved the use of malware, but a large percentage of smaller breaches have occurred as a result of malware infections and the threat from ransomware has grown significantly over the past few months. 
Threat from Malware Greater than Ever Before

This month, a study conducted by Proofpoint has cast more light on the seriousness of the threat from malware and the extent to which organizations are being attacked. The Proofpoint 2016 Security Report shows that throughout 2015, an average of 274 new forms of previously unknown malware were discovered every minute. 971 forms of unknown malware hit...

Standards for the Use of Internet Filters in Schools Introduced in Rhode Island

The American Civil Liberties Union (ACLU) of Rhode Island has praised the General Assembly for introducing more transparent standards for the use of Internet filters in schools in the state. Since the passing of the Children’s Internet Protection Act (CIPA), K-12 schools and libraries that apply for E-Rate discounts have been required to implement a web filter to restrict access to inappropriate or harmful website content. The web filter must be configured to block obscene images, child pornography, and other content that could be considered harmful to minors.

Overzealous Use of School Internet Filters in Rhode Island

While schools in Rhode Island have complied with CIPA, many have gone further and have used Internet content filtering software to block far more website content than CIPA requires. Blocking potentially harmful website content protects children from harm; however, schools must take care not to overblock website content. There is a clear difference between pornographic content, which contains images of naked individuals, and artwork which depicts nudes, for example. The former has the potential to cause harm to minors; the latter has educational value and should not be blocked. If there are no standards for the use of Internet filters in schools, it is all too easy for valuable educational material to be inadvertently blocked. Three years ago UCLA published a report on how overblocking of website content can harm public education. The report details some of the difficulties staff and students have had accessing valuable website content after web filtering solutions have been implemented in educational establishments in Rhode Island. Internet filters allow website content to be blocked based on categories. Schools may, for instance, choose to block content relating to alcohol.
However, the report says some students had tried searching for polyvinyl alcohol – information on which was required for their studies, yet the content was not accessible because the Internet filtering category “alcohol” had been blocked. Students who want to access LGBT information or individuals wishing to find out about sexually transmitted diseases should be able to access that...

McDonalds and Starbucks Block Porn on WiFi Networks

McDonalds and Starbucks have recently announced that they have taken steps to block porn on WiFi networks that can be accessed by their customers. McDonalds restaurants in the United States already have a web filtering solution in place that prevents customers from accessing pornographic material via their in-restaurant WiFi networks. Access to mature content – such as online streaming of TV shows like Game of Thrones – will still be possible. Starbucks has also recently followed the lead of McDonalds and will soon implement a web filtering solution to block pornography. McDonalds is the largest fast-food chain in the United States, operating more than 14,000 restaurants. Starbucks is the largest coffee shop chain in the United States, with more than 12,200 outlets in the U.S. Due to the size of the chains, and their popularity with children and families, both organizations have faced pressure from Internet safety organizations to start implementing controls to limit the website content that can be accessed via their WiFi networks.

McDonalds Chooses to Block Porn on WiFi Networks in its Restaurants

McDonalds started to block porn on WiFi networks available to customers earlier this year. According to a statement issued by the fast-food chain, the corporation was previously unaware that there was a problem with customers accessing pornography inside its restaurants or that consumers wanted restrictions to be placed on its WiFi networks.
After the not-for-profit Internet safety organization Enough is Enough reached out to the CEO of McDonalds last year and suggested WiFi network porn filtering should be implemented, the fast-food chain reacted “promptly and positively.” McDonalds recently issued a statement saying “We had not heard from our customers that this was an issue, but we saw an opportunity that is consistent with our goal of providing an enjoyable experience for families.” McDonalds started exploring web filtering solutions to block pornography on WiFi networks in its restaurants and, after researching the available options, implemented a WiFi network porn filtering solution in Q1 2016. Last week, McDonalds announced that a...

New Locky Ransomware Variants Spell Trouble for Businesses

New Locky ransomware variants are frequently developed to keep security researchers on their toes. The ransomware is highly sophisticated, and further development allows the gang behind the crypto-ransomware to keep raking in millions of dollars in ransoms. According to security researchers at Avira, a new Locky variant has now been discovered with new capabilities that spell trouble for businesses, even those with highly advanced security systems in place. Now, even rapid detection of Locky will not prevent files from being encrypted. Even if Locky cannot contact its command and control server, it will still execute and encrypt files. Previous Locky ransomware variants would only encrypt files after C&C server contact was established. This means that if Locky is detected on a computer, shutting down the network or blocking communications will not prevent files from being encrypted. This was one of the few options open to organizations to limit the damage caused if ransomware is discovered.

New Locky Ransomware Variants Encrypt Without C&C Server Contact

Many of the latest ransomware strains use public key cryptography to lock users’ files. They will not encrypt files if systems are taken offline because they require contact with a C&C server to obtain the public-private key pairs that are used to lock files. These are only generated if a connection to the C&C is made. The private key that is used to unlock files is stored on the attacker’s server and never on the local machine that is infected. Without a connection, unique keys for each user cannot be generated. This means that even if millions of computers are locked, one key will unlock them all. By generating a unique key for each infection, a ransom must be paid for each device that is encrypted. Without this, a business would only need to pay one ransom payment to unlock all infected devices. Fortunately, that is the case with the latest Locky strain when no C&C contact can be made.
If no C&C contact is made, all infected devices will be locked with the same key. That means only one ransom payment may need to be paid. However, if C&C contact is established, the AES encryption key will be encrypted using...

Watch Out for Fake Firefox Updates

If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users may be fooled into taking action to keep their computers secure and inadvertently install fake Firefox updates.

Fake Firefox Updates Used to Install the Kovter Trojan

Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update. The cybercriminal gang behind Kovter frequently tweaks the malware and comes up with new ways of infecting end users. Kovter is a particular worry as it can be particularly difficult to detect. Being fileless, there are no actual files to detect. The malware resides only in memory, and it ensures it is reloaded into memory each time a computer is rebooted by means of a Windows registry component. Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by Check Point also has ransomware capabilities. When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign is using a legitimate certificate to fool antivirus engines. The certificate was issued by Comodo, although it has since been revoked. Anti-virus engines are also now being updated to detect the malware and block its download.

Preventing Drive-by Malware Downloads

There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle.
Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically. Browsers should never be updated outside the normal update process. To...

House Approves Bill to Block Pornography on Computers used by Federal Agencies

A new law has been approved by the House of Representatives that will require government agencies to block pornography on computers used by federal employees. The accessing of pornography in the workplace is a serious issue. While the employees who access the adult material at work may feel like they are doing no harm, the accessing of adult websites carries an unnecessary risk of malware being downloaded onto computers and government networks. The recent massive data breaches experienced by government agencies have highlighted the need for improved protections to be implemented.

Eliminating Pornography from Agencies Act Passed by House

Rep. Gary Palmer (R-Alabama) sponsored the bill – the Eliminating Pornography from Agencies Act (H.R. 901) – which is part of a new government reform package. Palmer saw a need to introduce new laws to block pornography on computers after it became clear that the problem was widespread in federal agencies. Federal workers were suspected of accessing pornography at work, and internal investigations revealed that a number of workers had been accessing sexually explicit material; in some cases, for many hours each day. One notable instance involved a worker who was suspected of accessing pornography on a federal computer. When EPA Office of the Inspector General (OIG) investigators visited the employee, he was actually viewing pornography at the time. He admitted to accessing the material for two to six hours a day. The Securities and Exchange Commission (SEC) OIG also conducted investigations. A 2010 report indicated 33 employees had been discovered to be accessing pornography at work. Last year, media reports suggested there was a porn crisis in the federal government, saying the problem was serious and widespread. Aside from the huge drain on productivity, if an agency fails to block pornography on computers there is a considerable risk of employees infecting their computers with malware or causing a data breach.
The reform bill was passed 241-181. The new law will require agencies to block pornography on computers for all workers, although access will still be permitted for certain individuals who require access to the...

Mobile Ransomware Attacks Skyrocket, Says Kaspersky

Mobile ransomware may not be nearly as prevalent as its PC counterpart, but attacks on mobile devices are on the rise according to a new report issued by anti-virus firm Kaspersky Lab. Kaspersky Lab assessed thwarted ransomware attacks on mobile users over a period of two years and saw that the number of attacks doubled, signifying a worrying new trend. Between 2014 and 2015, 2.04% of malware attacks on mobile users involved ransomware. Between 2015 and 2016, the percentage of ransomware attacks rose to 4.63%. During that period, 136,532 attacks took place. Kaspersky Lab noted that the ransomware used to infect mobile devices differs considerably from the strains used to infect PC users. While Locky, CryptXXX, and RAA are now the main threats affecting PCs, the main mobile ransomware strains currently being used are Fusob, Small, Svpeng, and Pletor. Mobile ransomware tends not to use encryption to lock files; instead, malicious software is developed that blocks users from accessing their device. Oftentimes, this is achieved with a simple HTML overlay. Encryption is more effective on PCs because many users fail to back up their data, or when they do they leave their backup devices connected. Many strains of PC ransomware are able to delete backup files or encrypt them, leaving end users with no alternative but to pay the ransom or lose their data forever. Many mobile users automatically back up their data in the cloud. If data is ever lost or encrypted, files can easily be recovered. However, overlays prevent the user from being able to access their files from the device. With mobile devices, victims cannot simply take out a hard drive, plug it into another machine, and manually remove malicious files. If an infection takes place, users either have to pay the ransom or replace their device. Provided the ransom is lower than the cost of a replacement, many users will end up paying. Without the need for encryption, the development of mobile ransomware is considerably cheaper.
The ransoms that can be demanded may be lower than for PC infections, but campaigns can be highly profitable for cybercriminals. Criminal gangs are also using an affiliate model to spread infections. There is usually no...

Beware of Bart Ransomware: The Latest Ransomware Variant Doing the Rounds

A new threat has recently been discovered by security researchers at PhishMe: Bart ransomware. The new ransomware variant is not as sophisticated as Locky and Samsa, but it is still highly effective and poses a risk to businesses. Should end users be fooled into opening spam emails, file recovery will only be possible via backups if the ransom demand is not paid.

Bart Ransomware Locks Files in Password-Protected ZIP Files

Bart ransomware bears a number of similarities to other ransomware variants that have been discovered in recent months. If installed on a device, media files, photos, documents, spreadsheets, databases, and a host of other files are located and encrypted. Bart ransomware also encrypts .n64 ROM files, which was previously unique to Locky ransomware. Bart is also delivered using the same Dridex botnet that was used to deliver Locky. Bart ransomware also uses a payment interface that looks very similar to Locky’s. However, there are notable differences from Locky and other ransomware variants. Bart demands a particularly high payment from its victims. Rather than a demand of 0.5 Bitcoin, Bart asks for 3 Bitcoin per infected machine – approximately $1988 per device. There are also notable differences in the method used to encrypt files. Bart doesn’t use public key cryptography. Files are added to zip files which are then password protected. In order to unzip the files, a password must be supplied. These passwords are only supplied to the victim if the sizeable ransom is paid. Bart also does not use the typical command and control center infrastructure. Most new ransomware variants communicate with the attackers’ command and control center before files are encrypted, but that does not appear to happen with Bart.

New Ransomware Variant Delivered via Spam Emails

The campaign uses spam emails to deliver malicious JavaScript files, which are disguised as image files. End users may be fooled into opening the attachments in the belief they are simply images.
However, if the attachments are opened, JavaScript is executed and Rocketloader is downloaded. Rocketloader installs Bart ransomware and is also capable of downloading a variety of other malware. The...

GoToMyPC Password Reuse Attacks Prompt Password Reset

There have been a number of high-profile data breaches reported in recent weeks, and now Citrix has announced its users have been impacted after receiving multiple reports of GoToMyPC password reuse attacks. An investigation into the attacks revealed that the account compromises were not the result of a Citrix data breach, but that the attacks had been made possible due to poor security practices of some of its users.

Passwords Reset After Spate of GoToMyPC Password Reuse Attacks

After discovering the GoToMyPC password reuse attacks, Citrix performed a password reset on all users’ accounts to reduce the risk of account compromises. When users next log in to the remote desktop access service they will be required to set up a new password before being allowed to access the service. While Citrix has taken steps to protect its own users, simply changing passwords on GoToMyPC will not protect users who share passwords across multiple applications and web services. It is therefore important for users to log in to all online accounts that have the same password set and to create new, unique passwords for each. Following the cyberattacks on LinkedIn, MySpace, and Tumblr, login credentials were openly sold on darknet marketplaces. Many individuals purchased the data and have been searching online platforms to find users that have accounts elsewhere. The same passwords are then tried to see if access can be gained. Shortly after these data dumps, numerous Twitter accounts were hacked, including those belonging to a number of high profile celebrities – Katy Perry, Mark Zuckerberg, Tenacious D, and Lana Del Rey, for example. While the hacking of a Twitter account may only be an inconvenience for many victims, far more serious hacks have occurred. TeamViewer remote desktop connection software was targeted by attackers who had obtained data from the LinkedIn breach.
Users’ accounts were accessed and the software leveraged to obtain access to users’ PayPal accounts and bank accounts, primarily using passwords saved in browsers. The victims had their bank and PayPal accounts emptied. Some individuals also reported that TeamViewer had been used to install ransomware on their...
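Password reuse attacks of the kind described above leave a distinctive trace in a service's authentication logs: one source tries many different accounts, each only once or twice, using passwords leaked from another site, and the occasional success inside that burst is a likely account takeover. The following is an added example, not code from the original post or from Citrix, of a simple detector for that pattern. The log format and the sample lines are constructed for the example, and the time window and distinct-account threshold are assumptions to be tuned for a real service.

```python
"""
Credential-stuffing detection over authentication logs.

Brute force against one account looks like many failures for one user.
Credential stuffing looks different: one source tries MANY usernames,
each a few times at most, and some of them succeed.  We flag a source IP
that touches at least N distinct accounts inside a sliding window and
report the accounts that logged in successfully from it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).  The one-line
# "timestamp ip=... user=... result=..." format is assumed for this example.
SAMPLE_LOG = """\
2016-06-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-06-20T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2016-06-20T10:00:02Z ip=203.0.113.7 user=carol result=OK
2016-06-20T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2016-06-20T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2016-06-20T10:00:05Z ip=203.0.113.7 user=frank result=OK
2016-06-20T10:00:06Z ip=203.0.113.7 user=grace result=FAIL
2016-06-20T10:01:00Z ip=198.51.100.9 user=alice result=FAIL
2016-06-20T10:01:05Z ip=198.51.100.9 user=alice result=FAIL
2016-06-20T10:01:09Z ip=198.51.100.9 user=alice result=OK
2016-06-20T10:02:00Z ip=192.0.2.44 user=heidi result=OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, success)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"] == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5):
    """
    Return {ip: {"distinct_users": n, "compromised": [users]}} for every
    source IP that attempted at least `min_distinct_users` different
    accounts inside some `window`-long span.  Accounts that logged in
    successfully from such an IP are reported as likely takeovers.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_distinct_users:
                compromised = sorted({u for _, u, ok in span if ok})
                prev = findings.get(ip)
                # Keep the widest span seen for this IP.
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {"distinct_users": len(users),
                                    "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} accounts tried, successful logins "
              f"for {f['compromised']} -> force a password reset on those accounts")
```

The successful logins inside a flagged burst are the actionable output: those are the accounts to reset and notify first, which is what the site-wide reset described above achieves more bluntly. The second source in the sample, which hammers a single account, is deliberately not flagged by this rule; it belongs to a conventional per-account lockout check.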

JavaScript Based Ransomware Used to Deliver Pony

Security researchers have uncovered an entirely JavaScript-based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses. JavaScript-based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.

RAA Ransomware Delivered via Spam Email

The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically, leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions of its own; instead it uses the CryptoJS library to lock files with AES encryption. First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.
Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made. JavaScript...
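Both the Bart campaign and the RAA campaign described above depend on a JavaScript attachment that the recipient takes for an image or a document. The following added example, not code from the original post or from either research team, shows the kind of attachment check a mail gateway can apply before delivery: it flags parts with a script extension, double extensions such as photo.jpg.js, and parts declared as images whose bytes are not an image. The message is constructed inline with Python's standard email library; the extension lists are assumptions for the example and a production policy would be broader.

```python
"""
Mail-gateway check for script attachments disguised as images or documents.
Uses only the standard library; the sample message is constructed below.
"""
import email
import email.policy
from email.message import EmailMessage

# Extensions Windows will run as a script on double-click.  Assumed list
# for this example; a real gateway policy is longer and maintained.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta"}
# Extensions users tend to trust when they see them in a filename.
DECOY_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "doc", "docx", "pdf", "xls", "txt"}


def looks_like_image(payload):
    """Cheap magic-number check for the image types a gateway sees most."""
    return payload.startswith((b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n",
                               b"GIF87a", b"GIF89a"))


def classify_attachment(filename, content_type, payload):
    """Return the reasons an attachment should be blocked (empty list = allow)."""
    reasons = []
    parts = (filename or "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"executable script extension .{ext}")
        # photo.jpg.js: a decoy extension sits in front of the real one
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension masquerading as .{parts[-2]}")
    if content_type.startswith("image/") and not looks_like_image(payload):
        reasons.append(f"declared {content_type} but content is not an image")
    return reasons


def scan_message(raw_bytes):
    """Map each attachment filename to its list of block reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        verdicts[fname] = classify_attachment(fname, part.get_content_type(), payload)
    return verdicts


def build_sample_message():
    """Constructed message: one real JPEG and two scripts posing as files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Photos from the trip"
    msg.set_content("See attached.")
    # JPEG magic number followed by padding: a benign image attachment.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="beach.jpg")
    # Script bytes declared as an image and named like an image.
    msg.add_attachment(b"var s = 1;",
                       maintype="image", subtype="jpeg", filename="photo.jpg.js")
    # Script bytes named like a Word document.
    msg.add_attachment(b"var s = 2;",
                       maintype="application", subtype="msword", filename="invoice.doc.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(name, "->", "allow" if not reasons else "BLOCK: " + "; ".join(reasons))
```

The three checks are independent on purpose: a renamed script fails the extension check even when its declared MIME type is honest, and a part that claims to be an image fails the magic-number check even if the sender chose an innocuous single extension. Blocking script extensions outright at the gateway, as the example does, is the simplest control against both campaigns.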

Cost of a Data Breach Calculated by The Ponemon Institute

Each year, the Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises. Last year, the Cost of a Data Breach study placed the average cost at $3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.

Average Cost of a Data Breach in the United States is $7.01 Million

However, those figures are taken from the global data collected for the study. The costs incurred by U.S. businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million. Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare, financial, and life science sectors can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident increased. In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach

One of the findings of the research is that the higher the churn rate is following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1% had to pay average breach costs of $5.4...

New Lenovo Bloatware Vulnerability Discovered

The security threat from bloatware was made abundantly clear last year with the discovery of a Lenovo bloatware vulnerability affecting the Superfish adware program that came pre-installed on Lenovo laptops. Bloatware is a term used to describe software applications and programs that are largely unnecessary, yet are pre-installed on new computers and laptops. The software programs can slow down computers and take up a lot of memory, yet offer the user little in the way of benefits. They are primarily used to update application features rather than to enhance security. Unfortunately, these pre-installed programs have been discovered – on numerous occasions – to contain security vulnerabilities that can be exploited by malicious actors and used for man-in-the-middle attacks. They can even let attackers run arbitrary code, allow privilege escalation, or perform malicious software updates. Now a new Lenovo bloatware vulnerability has been uncovered. This time it concerns the company’s software updater, which has been found to contain a vulnerability that could potentially be exploited to conduct man-in-the-middle attacks.

New Bloatware Vulnerability Found in Lenovo Accelerator Application Updater: Uninstall Recommended

The Lenovo Accelerator Application has been pre-installed on a wide range of desktop computers and notebooks shipped with Windows 10. In total, well over 100 different models of Lenovo notebooks and desktops have the Lenovo Accelerator Application installed. Lenovo says the application is used to speed up the launching of Lenovo applications and communicates with the company’s servers to determine whether application updates exist. The UpdateAgent pings Lenovo’s servers every 10 minutes to check whether updates have been released. However, the application has recently been discovered to contain a security vulnerability that could be exploited by attackers.
DuoLabs investigated a number of companies to check for security vulnerabilities in pre-installed software applications and found that Lenovo’s UpdateAgent was particularly vulnerable to attacks. DuoLabs reported that the updater had “no native security,” and that...

WordPress Plugin Vulnerability Currently Being Exploited

A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme. The plugin was one of the first to be able to distinguish whether a device was a standard mobile or a smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.

WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways

The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site. Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability. After searching for reports of a known vulnerability and finding none, the researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability. The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code. Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27. Since the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability.
Any site owner that has the plugin installed should immediately update to version 3.6. However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed,...

FBI Warns of Increase in Extortion Email Schemes

The Federal Bureau of Investigation (FBI) has issued a new security alert warning of a wave of extortion email schemes. The alert was issued after its Internet Crime Complaint Center (IC3) started receiving multiple reports from individuals who had been threatened with the exposure of their sensitive data. Cybercriminals are quick to respond to large-scale data breaches and use the fear surrounding the attacks to scam individuals into paying ransoms, clicking on links to malicious websites, or opening infected email attachments. In recent weeks, the Internet has been awash with news reports of major data breaches that have hit networking sites and a number of popular Internet platforms. Major data breaches affected LinkedIn, MySpace, and Tumblr, and while the stolen data are old, hundreds of millions of individuals have been affected. These cyberattacks occurred in 2012 and 2013, although the data stolen in the attacks have only just been listed for sale online. These major data breaches had gone undiscovered until recently.

Extortion Email Schemes Threaten Exposure of Sensitive Data

Due to the volume of logins that were exposed in these attacks and the popularity of the sites, many individuals may be concerned that their login credentials may have been obtained by hackers. Cybercriminals are taking advantage of this fear and are sending out huge volumes of spam emails advising individuals that their sensitive data have been obtained. In the emails, individuals are told that their name, address, telephone number, credit card details, and other highly sensitive data are being held and that they will be distributed to friends and family if a ransom is not paid. The attackers warn their victims that access to social media accounts has been gained and that the attackers have details of all of the victim’s social media contacts.
The scammers are also threatening to email and mail out details of credit card transactions and internet activity to friends, family, and employers, suggesting that the payment to prevent this from happening will be much lower than the cost of a divorce, and low in comparison to the effect it will have on relationships with friends and on...

Tumblr Data Breach: 65 Million Passwords Stolen

On May 12, the microblogging website Tumblr notified users of a data breach that occurred in 2013. The company had kept quiet about the number of site users that were affected, although it has since emerged that 65 million account credentials were stolen in the Tumblr data breach. Stolen email addresses and passwords were recently offered for sale on a Darknet marketplace called TheRealDeal.

Tumblr Data Breach Ranks as One of the 5 Biggest Data Breaches of All Time

The massive Tumblr data breach may not be the largest ever discovered, but it certainly ranks as one of the biggest, behind the breach of 360 million MySpace account details, the theft of 164 million LinkedIn account credentials, and the 152 million-record Adobe breach. All of these huge data breaches occurred in 2013 with the exception of the LinkedIn breach, which happened a year earlier. These breaches have something else in common. They were all discovered recently, and the stolen data from all four data breaches have been listed for sale on illegal Darknet marketplaces by the same individual: a Russian hacker with the account “peace_of_mind” – more commonly known as “Peace”. It is not clear whether this individual is responsible for all four of these data breaches, but he/she appears to have now obtained all of the data. The person responsible for the theft appears to have been sitting on the data for some time: according to Tumblr, the login credentials do not appear to have been used. Fortunately, the passwords were hashed. Unfortunately, it would appear that the SHA1 hashing algorithm was used, which is not as secure as the latest algorithms. This means that hackers could potentially crack the passwords. The passwords were also salted, which offers more protection for individuals affected by the Tumblr data breach. However, as a precaution, site users who joined the website in 2013 or earlier should log in and change their passwords.

Do You Reuse Passwords on Multiple Sites?
Even if victims of the Tumblr data breach have changed their password on the site before 2013, they may still be at risk of having their online accounts compromised if their password has been used for...
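To make the point about salted SHA1 versus current algorithms concrete, here is an added example (not Tumblr's code): a salted-SHA-1 record of the kind described above beside a PBKDF2-HMAC-SHA256 record, and a login path that accepts either and migrates legacy records to the slow KDF the next time the user signs in. The record formats and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not Tumblr's code. Record layout "scheme$salt$digest" and the
# iteration count are assumptions for illustration.
PBKDF2_ITERATIONS = 600_000  # each guess costs 600k HMAC calls instead of one SHA-1 call


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """Salted SHA-1: the salt defeats precomputed tables, but one guess still costs
    a single fast hash call, so a leaked record can be attacked at hardware speed."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated KDF. The iteration count is stored in the record so it can be
    raised later without breaking existing users."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the record under whichever scheme it was stored with and compare
    in constant time, so timing does not leak how many leading bytes matched."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, _digest = fields
        candidate = legacy_sha1_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "pbkdf2_sha256":
        iterations, salt_hex, _dk = fields
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown hash scheme: {scheme!r}")
    return hmac.compare_digest(candidate.encode(), stored.encode())


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Authenticate and, on success, replace a legacy SHA-1 record with a PBKDF2 one.
    Login is the only moment the plaintext is available to the server, so it is the
    only chance to migrate a legacy hash without forcing a password reset."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, pbkdf2_hash(password)
    return True, stored


if __name__ == "__main__":
    # Constructed legacy record, then a simulated successful login that migrates it.
    old = legacy_sha1_hash("correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff"))
    ok, new = login_and_upgrade("correct horse battery", old)
    print(old)
    print(ok, new)
```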

Threat from Phishing Websites Greater than Ever Before

A new phishing activity report published by the Anti-Phishing Working Group (APWG) shows that the threat from phishing websites is greater than at any other time in the history of the Internet. The latest phishing activity report shows that in the past six months, the number of phishing websites has increased by a staggering 250%. Most of the new websites were detected in March 2016.

The Rising Threat from Phishing Websites Should Not Be Ignored

APWG was founded in 2003 in response to the rise in cybercrime and the use of phishing to attack consumers. The purpose of the organization is to unify the global response to cybercriminal activity, monitor the latest threats, and share data to better protect businesses and consumers. In 2004, APWG started tracking phishing and reporting on the growing threat from phishing websites. During the past 12 years, the number of phishing websites being created by cybercriminals has grown steadily; however, the past six months have seen a massive rise in new websites that trick users into revealing sensitive data. APWG reports that there is an increase in new malicious websites around the holiday season. In the run-up to the holiday period, when online shopping increases and Internet traffic spikes, there are more opportunities to relieve online shoppers of their credit card details, login credentials, and other sensitive data. In late 2015, cybercriminals increased their efforts and there was the usual spike in the number of new phishing websites. However, after the holiday period ended, APWG expected activity to reduce. That didn’t happen. New sites were still being created at elevated levels. In the first quarter of 2016, APWG detected 289,371 new phishing websites. However, almost half of the new websites – 123,555 of them – were detected in March 2016. Aside from a slight dip in February, the number of new websites created has increased each month.
March saw almost twice the number of new sites as were created in December. The figures for Q1 and for March were the highest ever seen.

Retail and Financial Sectors Most Frequently Targeted by Phishers

Phishers tend to favor well-known brands. The phishing activity...

Teslacrypt Ransomware Master Key Released

Surprisingly, after ESET sent a request for the TeslaCrypt ransomware master key to the criminal gang behind the attacks, they responded by making the decryption key public and even issued an apology. The surprise move signals the end of the ransomware that was used primarily to target gamers.

TeslaCrypt Ransomware Master Key Released

So does the release of the TeslaCrypt ransomware master key mean that the attacks will now stop? The answer to that is a little complicated. Attacks using TeslaCrypt will slow and stop soon, and even if some individuals have their computer files locked by the ransomware they will not need to pay a ransom. Once the TeslaCrypt ransomware master key was made public, security companies started work on decryption tools to unlock infections. ESET has added the key to its TeslaCrypt decryption tool, and Kaspersky Lab similarly used the master key to update the decryption tool it had been using to unlock earlier versions of the ransomware. That does not mean that the criminal gang behind the campaign will stop its malicious activity. It just means that the gang will stop using TeslaCrypt. There are many other types of ransomware that can be used for attacks. In fact, it would appear that TeslaCrypt has now simply been replaced with a new form of ransomware called CryptXXX. According to ESET, many of the distributors of TeslaCrypt have already switched to CryptXXX. Under normal circumstances, contacting a criminal gang and asking for the TeslaCrypt ransomware master key would not have worked. Attackers running profitable ransomware campaigns are unlikely to respond to a polite request asking to unlock an infection without paying a ransom, let alone supply a master key that can be used to unlock all infections. The reason for the release is that TeslaCrypt was already being phased out.
ESET researcher Igor Kabina noticed that TeslaCrypt infections were slowing, which signaled that either the gang behind the ransomware was phasing it out in favor of a new malware, or that a new and updated version of TeslaCrypt would soon be released. Kabina decided to contact the attackers through the channels set up to allow victims to contact the gang and...

Impact of Security Breaches on Brand Image Assessed

A new study has recently been published showing the impact of security breaches on brand image, and how the behavior of consumers changes when companies experience data breaches that expose private data. Cyberattacks are now taking place with such frequency that data breaches are now to be expected. It is no longer a case of whether a security breach will occur, it is now just a case of when it will happen. Even with the best protections in place to protect sensitive data, breaches will still occur. Many consumers are aware that the current threat levels are greater than ever and that cyberattacks will occur. However, how do consumers react to breaches of their personal information? Do they forgive and forget or are they taking their business elsewhere?

What is the Impact of Security Breaches on Brand Image?

The FireEye study set out to examine the impact of security breaches on brand image. 2,000 interviews were conducted with consumers in the United States to find out whether security incidents changed behavior and whether data breaches altered perceptions of companies and trust in brands. The results of the survey clearly show that the failure to invest in robust cybersecurity defenses can have a major impact on revenue. 76% of surveyed consumers claimed they would take their business elsewhere if they believed a company’s data handling practices were poor or that the company was negligent with regard to data security. 75% of respondents said they would likely stop making purchases from a company if they felt that a security incident resulted from a failure of the company to prioritize cybersecurity. Loss of business is not the only problem companies will face following a data breach. If a breach of personal information occurs and data are used by criminals for identity theft or fraud, 59% of consumers would take legal action to recover losses.
Even when companies take action to mitigate the risk of losses being suffered by consumers – such as providing identity theft protection services – brand image remains tarnished. Reputation damage after a data breach is suffered regardless of the actions taken by companies to mitigate risk. It can also take...

International Trends in Cybersecurity: 73% of Companies Experienced Security Breach in Past 12 Months

The not-for-profit technology industry association CompTIA recently released its 2016 International Trends in Cybersecurity report after analyzing the current state of cybersecurity and assessing behaviors and techniques currently being used by organizations around the world to tackle the growing risk of cyberattacks. To compile the report, CompTIA surveyed 1,509 IT security professionals from 12 countries around the world, including Australia, Canada, India, Brazil, Malaysia, Japan, South Africa, the UAE, and the UK. The International Trends in Cybersecurity report shows that information security is still a major concern for IT and business executives, which is perhaps no surprise given the number of cybersecurity threats they now have to deal with. The report showed that over the course of the past 12 months, 73% of organizations had experienced at least one security incident and 60% of those security incidents were classed as serious. The highest number of security incidents occurred in India, where 94% of companies experienced a security breach in the past 12 months, closely followed by Malaysia on 89%, and Brazil and Mexico with 87% of companies suffering at least one breach. Japan and the UAE fared the best, with just 39% and 40% of companies self-reporting a security breach. Security incidents involving mobile devices are becoming much more prevalent as the use of the devices increases. 76% of companies across all 12 countries experienced a mobile-related data breach in the past 12 months. In Thailand, 95% of companies had experienced a mobile-related security breach. In the UK, 64% of companies experienced a mobile-related incident. Companies in Japan and the UAE fared the best, with 60% of companies experiencing a breach of mobile data. Human error continues to be a major cause of security breaches and the situation is getting worse.
Companies are tackling the issue with training to improve awareness of cybersecurity issues and ensure security best practices are adopted. Nearly 80% of managers responsible for data security expect cybersecurity to become even more important over the next two years. The increasing reliance on mobile technology and cloud...

How to Reduce Risk of Malware Infections from Websites

To reduce the risk of malware infections from websites, you can avoid certain types of sites that are commonly used by cybercriminals to infect visitors: sites containing pornography, torrent sites, and online marketplaces selling illegal medication, for example. However, while these sites are often compromised with malware or contain malicious code, they are far from the most common sites used by cybercriminals to infect visitors. The unfortunate reality is that browsing the Internet and only visiting what are perceived to be “safe sites” does not mean that you will not be exposed to malware, malicious code, and exploit kits. Hackers are increasingly compromising seemingly legitimate websites to redirect visitors to sites containing exploit kits that download malware and ransomware. Two CBS-affiliated news websites were recently discovered to be hosting malicious adverts that redirect visitors to sites containing the Angler Exploit Kit. MSN has been found to host malvertising in the past, as has Yahoo. A study conducted by anti-virus company Symantec revealed that three quarters of websites contain security vulnerabilities that could potentially be exploited to infect visitors with malware.

High Profile Websites Compromised and Used to Deliver Ransomware to Visitors

This week, two new websites were found to have been compromised and were used to infect visitors with malware. The celebrity gossip website PerezHilton.com may cause problems for celebrities, but this week it was also causing problems for its visitors. The site attracts millions of visitors, yet few would suspect that visiting the site placed them at risk of having their computer files locked with powerful file-encrypting ransomware. However, that is exactly what has been happening. Hackers compromised an iframe on the site and inserted malicious code which redirected visitors to a website containing the Angler Exploit Kit.
Angler probes visitors’ browsers for security vulnerabilities and exploits them, silently downloading a payload of malware. In this case, the Angler Exploit Kit was used to push Bedep malware, which in turn silently downloaded CryptXXX ransomware onto the victims’...
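A site owner's counterpart to the compromised-iframe technique described above is a page-integrity check that flags frames pointing off-site, ranking hidden ones highest. The following is an added example, not code from the article or from TitanHQ; the site name, the placeholder hosts and the sample HTML are all constructed.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Added example, not from the article. SITE_HOST and every hostname in the
# sample page are constructed placeholders.
SITE_HOST = "news.example"  # assumption: the site whose pages are being audited


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """Heuristics for a frame the visitor is not meant to see: collapsed to a pixel,
    display/visibility tricks, or positioned off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or "left:-" in style
        or "top:-" in style
        or attrs.get("width", "") in ("0", "1")
        or attrs.get("height", "") in ("0", "1")
    )


class IframeAuditor(HTMLParser):
    """Collects every iframe whose src leaves the site; hidden ones are rated high."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src has no hostname and therefore stays on the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return
        hidden = _is_hidden(a)
        self.findings.append({
            "line": self.getpos()[0],
            "src": src,
            "host": host,
            "severity": "high" if hidden else "info",
            "reason": "hidden off-site iframe" if hidden else "visible off-site iframe",
        })


def audit_html(html: str, site_host: str = SITE_HOST) -> List[Dict]:
    """Return off-site iframe findings, highest severity first, then by line."""
    auditor = IframeAuditor(site_host.lower())
    auditor.feed(html)
    auditor.close()
    return sorted(auditor.findings, key=lambda f: (f["severity"] != "high", f["line"]))


# Constructed sample page: a legitimate visible video embed, an on-site widget, and
# an injected 1x1 off-screen frame pointing at a placeholder redirector host.
SAMPLE_PAGE = """<html><body>
<h1>Celebrity news</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<p>story text</p>
<iframe src="http://redirector.invalid/land.php" width="1" height="1" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f"line {f['line']}: [{f['severity']}] {f['reason']} -> {f['src']}")
```

In practice the check runs against a fresh fetch of each page (or the deployed template files) and alerts on any new high-severity finding, since a legitimate redesign rarely adds an invisible off-site frame.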

Adobe and Microsoft Issue Updates to Address Actively Exploited Security Vulnerabilities

This week, Patch Tuesday saw updates issued to address actively exploited security vulnerabilities in Internet Explorer, along with a swathe of fixes for a number of other critical Microsoft security vulnerabilities. In total, Microsoft issued fixes for 51 vulnerabilities this week spread across 16 security bulletins, half of which were rated as important, the other eight being rated as critical. The updates tackle vulnerabilities in Microsoft Edge and Internet Explorer, Windows, the Microsoft .NET Framework, and MS Office; however, it is the browser fixes that are the most important. These include actively exploited security vulnerabilities that can be used to compromise computers if users visit websites containing exploit kits. Security update MS16-051 tackles the CVE-2016-0189 zero-day vulnerability in Internet Explorer, which, if exploited, would allow an attacker to gain the same level of privileges as the current user. The flaw could be used to take control of the entire system. The exploit could be used to install new programs on the device, create new accounts, or modify or delete data. The vulnerability lies in how JScript and VBScript handle objects in the computer’s memory. The IE security vulnerability was brought to the attention of Microsoft by researchers at Symantec, who had discovered an active exploit that was being used alongside spear-phishing attacks in South Korea. Users were being directed to a website containing an exploit kit that had been updated with the IE security vulnerability. The MS16-052 security update tackles a vulnerability in Microsoft Edge that similarly involves how objects in memory are handled. These two updates should be prioritized by sysadmins, although all of the updates should be installed as soon as possible. Even the important updates could potentially be exploited and used to gain control of unpatched computers.
Bulletin MS16-054 is also a priority update to patch critical vulnerabilities in Adobe Flash. Since Flash is embedded in both Edge and IE, Microsoft has started issuing updates to address Adobe Flash vulnerabilities. While these security flaws are not believed to...

WebTitan Cloud – Game Changing Web Security Service for MSPs

Finding a web security service for MSPs can be a time consuming process. There are a number of solutions that allow MSPs to keep their clients protected from malware and reduce the risk from internal and external threats, yet many are far from ideal for use by MSPs. The ideal web security service for MSPs must have a relatively low cost of ownership. Clients may be more than willing to implement a web security service to deal with the growing range of web-borne threats, but the cost of implementation is a key factor. Many solutions offer all the necessary benefits for the client, but are not practical for use by MSPs. The time taken to install web security solutions and to configure them for each client can reduce profitability. The best web security service for MSPs needs to be easy to install and maintain, and have a low management overhead. Low cost solutions that are quick to install and easy to maintain allow MSPs to easily incorporate them into existing packages to create a more comprehensive Internet security service. This can increase the value provided to clients, boost client revenue, and help MSPs to win more business and differentiate their company in the marketplace. The ideal web security service for MSPs is available as a white label. This allows the service to be easily incorporated into existing packages. White labeling allows MSPs to strengthen their own brand image rather than promoting someone else’s. Many providers of a web security service for MSPs fall down on customer support. If any issues are experienced, it is essential that an MSP can provide rapid solutions. Industry-leading technical support is essential.

WebTitan Cloud – A Web Security Service for MSPs That Ticks All the Right Boxes

WebTitan Cloud is an enterprise-class web filtering solution for MSPs that can be used to enforce clients’ acceptable use policies and control the content that can be accessed via their wired and wireless networks.
Our DNS-based web filtering solution allows organizations to prevent phishing, stop malware downloads, protect against ransomware and botnet infections, and block spyware and adware. Controls prevent the bypassing of the content filter by...

Angler Exploit Kit Strikes Again: News Websites Used to Infect Visitors With Malware

Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.

Why AUPs May Not Be Sufficient to Keep Networks Secure

Many companies advise employees of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet for the sharing of copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites. Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings for example, and in some cases, instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs. If an employee breaches the AUPs and accesses pornography for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR. However, if an employee breaches AUPs and visits a website that has been compromised with malware or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused. To better protect networks, AUPs should be enforced with a software solution. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments are spared having to deal with malware infections. Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.
Legitimate Websites Compromised with Angler Exploit Kit

Last week, news emerged that a toy manufacturer’s website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and...

Do You Block File Sharing Websites to Stop Your Employees Infecting Your Network?

There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but this is an unnecessary legal risk. However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-to-peer file sharing networks, the downloading of pirated software resulted in spyware and tracking cookies being downloaded to users’ computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time. A survey conducted on IT managers and CIOs at the time indicated that malware was installed 15% of the time with the software. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software. Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site containing the Magnitude exploit kit, which was used to download Cerber ransomware onto users’ devices. A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal checks files against the databases of 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware. Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.
Time to Block File Sharing Websites?

Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to...

Cybercriminals Using Empty DDoS Threats to Extort Money from Businesses

One cybercriminal gang has resorted to a mafia-style protection racket to obtain money, although it would appear that businesses are being sent empty DDoS threats. While many companies have sent money to the criminal gang, which claims to be the Armada Collective, there is no evidence to suggest that the gang is following through on its threat of conducting a large-scale Distributed Denial of Service attack.

Empty DDoS Threats Still Proving Lucrative for Attackers

The gang has been sending emails to businesses threatening them with a powerful DDoS attack if they do not send protection money to the gang. The demands appear to range from 10 to 50 Bitcoin, and over 100 organizations have given in to the attackers’ demands according to DDoS mitigation vendor CloudFlare. So far the gang has gathered around $100,000 in payments, yet no DDoS attacks have been conducted. Armada Collective is the name of a hacking group already known to conduct massive DDoS attacks. The emails claim that the gang is able to deliver a DDoS attack in excess of 1 Tbps. The group also claims to be able to bypass security controls set up to protect against DDoS attacks. In case recipients of the email are in any doubt as to who the attackers are and what they are capable of, they are advised to conduct a search on Google. Armada Collective has been known to conduct DDoS attacks up to 500 Gbps.

Are the Latest Emails from a Copycat Group?

According to CloudFlare, it may not be a case of the hackers not having the capability to pull off a large scale DDoS attack on companies that do not pay; rather, the attackers may not be able to tell who has paid and who has not. The emails are reusing Bitcoin addresses, so there is no way of confirming which companies have paid. Emails are also being sent containing the same text and payment demands, regardless of the size of the organization.
However, empty DDoS threats or not, many companies are unprepared to take the risk and have paid between $4,500 and $23,000 to stop the attacks. CloudFlare suspects that the extortionists are not who they claim to be. The Armada Collective has not been conducting attacks for some time. CloudFlare...

How to Address the Risk of Insider Data Breaches

Organizations are investing in technology to ensure the perimeter defenses are not breached; however, it is also important to address the risk of insider data breaches. According to a recent report from Forrester, internal incidents were responsible for more than half of data breaches suffered by firms. Cybercriminals have stepped up their efforts and are attacking organizations with increased vigor, but the report suggests more than half of data breaches are caused by employee errors, oversights, and negligence. Employees are under increasing pressure to get more work completed in less time. This can easily lead to errors being made or shortcuts being taken. Employees may be security minded most of the time, but it is all too easy for sloppy data security practices to creep in. Even with the most robust perimeter security defenses in place, simple mistakes can lead to disaster.

Email Borne Attacks Are Still A Major Risk

During the past 12 months the volume of spam email has fallen considerably. This is partly due to law enforcement taking down major botnets and the increasing use of efficient spam filters. Even with the reduced volume, the threat from spam email is considerable. The Forrester report indicates spam email volume has dropped from almost 89% of all emails in 2014 to 68% of emails in 2015. However, over 91% of all spam emails contain a malicious link and 2.34% contain malicious email attachments. Cybersecurity awareness training has helped to mitigate the risk of insider breaches to some degree, but they are still occurring. Most employees now know not to open email attachments from people they do not know, but what about from people they do know? There has been an increase in business email compromise attacks in recent months. These attacks involve the sending of spam and phishing emails from within an organization. These emails are more likely to result in malicious email attachments being opened and links being clicked than emails from strangers.
All emails should be treated as suspicious and should be carefully checked, not only those from outside an organization. Employees are aware never to run an executable file that has been sent via email...

Manufacturing Company Cyberattacks on the Rise

The healthcare industry has had a hard time in recent months; however, it is far from the only industry being targeted by hackers. Manufacturing company cyberattacks are on the increase and the industry is now second only to healthcare according to a new report from IBM X-Force Research. The manufacturing industry has replaced the financial sector as hackers attempt to gain access to intellectual property. Intellectual property can be sold for big bucks on the black market.

$400 Billion Worth of Intellectual Property Is Stolen from U.S. Companies Every Year

According to figures from the Federal Bureau of Investigation, each year over $400 billion worth of intellectual property is stolen from the United States and sold overseas. Many of the attacks are conducted by nation-state backed hacking groups, although a number of players have now got in on the act due to the value of data and the relative ease of breaking through manufacturing company cybersecurity defenses. According to IBM’s 2016 Cyber Security Intelligence Index, manufacturers in the automotive sector were most frequently targeted. Chemical companies were the second most likely to be attacked. 30% of manufacturing company cyberattacks took place on automotive manufacturers. Not only are the potential rewards for successful manufacturing company cyberattacks high, attacks are relatively easy to pull off. A successful attack on a company in the financial sector may be rewarding, but the defenses put in place to keep hackers at bay are usually far more robust than in less well regulated industries such as manufacturing. The manufacturing industry has been relatively slow to improve cybersecurity defenses. Organizations in the healthcare industry are required to comply with the Health Insurance Portability and Accountability Act, or HIPAA for short. HIPAA sets a number of minimum standards which must be met by all healthcare organizations.
Administrative, technical, and physical safeguards must be implemented to keep patient data protected. The legislation has forced healthcare companies to improve their cybersecurity defenses. Similarly, legislation has been introduced that requires organizations in...

Vulnerabilities in QuickTime for Windows Will No Longer be Fixed

Two new vulnerabilities in QuickTime for Windows have recently been discovered, but a patch to address the flaws will not be issued by Apple. Apple has taken the decision to deprecate QuickTime for Windows and has advised all Windows users to uninstall the software to prevent vulnerabilities from being exploited. Apple intends to keep supporting the OSX version. The latest vulnerabilities in QuickTime for Windows (named ZDI-16-241 and ZDI-16-242) are both heap corruption remote code execution vulnerabilities, both of which allow an attacker to write data outside of an allocated heap buffer. The vulnerabilities could be exploited remotely, although user interaction is required. In order for an attacker to exploit these vulnerabilities the target would be required to open a malicious file or visit a malicious website. One of the vulnerabilities affects the moov atom (ZDI-16-241) while the other (ZDI-16-242) involves a flaw with atom processing. Both could allow data to be written outside of an allocated heap buffer by providing an invalid index. This would allow code to be executed in the context of Windows QuickTime player.

Latest Vulnerabilities in QuickTime for Windows Require Uninstallation of the Software

The discovery of the new vulnerabilities in QuickTime for Windows spells the end of the software for Windows users. Apple, Trend Micro, and US-CERT have all advised Windows users to uninstall QuickTime ASAP in order to stay protected. These two new vulnerabilities are unlikely to be the last to be discovered. Leaving the software installed will place users at risk of attack. Exploits for the new vulnerabilities are not believed to have been developed yet, and no active attacks are understood to have been conducted, but it is only a matter of time before the vulnerabilities are added to exploit kits. Whenever a software developer takes the decision to stop supporting software it means users must find alternatives.
IT departments should ensure that all Windows machines have QuickTime uninstalled as soon as possible. Apple has decided to stop support for QuickTime for Windows as most media programs no longer use QuickTime to play common formats, while HTML...
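The flaw class described above, a heap write driven by an index or count taken from the file, comes down to trusting the file's own size and count fields. As an added example (not Apple's code, and not a reconstruction of the ZDI-16-241/242 flaws themselves), here is a QuickTime/MP4 atom walker that checks every atom size and table entry count against the enclosing atom before using it; the atom names are real format names, the simplified table layout and the sample bytes are constructed.

```python
import struct
from typing import Dict, List, Optional

# Added example, not Apple's code. Container and table atom names are real
# QuickTime/MP4 names; treating stco/stss as "version/flags, entry_count,
# 32-bit entries" is a simplification, and every sample file is constructed.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}
TABLE_ATOMS = {b"stco", b"stss"}
MAX_DEPTH = 16  # nesting bound so a recursive container chain cannot exhaust the stack


class AtomError(ValueError):
    """Raised for any size, count or nesting the file cannot actually back."""


def parse_atoms(buf: bytes, start: int = 0, end: Optional[int] = None, depth: int = 0) -> List[Dict]:
    """Walk the atoms in buf[start:end], recursing into containers and decoding tables."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise AtomError("atom nesting too deep")
    nodes, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise AtomError(f"truncated atom header at offset {pos}")
        size, atype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                      # 64-bit extended size follows the type
            if end - pos < 16:
                raise AtomError(f"truncated extended size at offset {pos}")
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                    # atom extends to the end of its parent
            size = end - pos
        # The size field came from the file: it is untrusted until checked against the parent.
        if size < header or size > end - pos:
            raise AtomError(f"atom {atype!r} at offset {pos} claims {size} bytes, parent has {end - pos}")
        body_start, body_end = pos + header, pos + size
        node = {"type": atype.decode("latin-1"), "offset": pos, "size": size}
        if atype in CONTAINER_ATOMS:
            node["children"] = parse_atoms(buf, body_start, body_end, depth + 1)
        elif atype in TABLE_ATOMS:
            node["entries"] = parse_table(buf, body_start, body_end)
        nodes.append(node)
        pos += size
    return nodes


def parse_table(buf: bytes, start: int, end: int) -> List[int]:
    """Decode a table atom without trusting its entry_count field."""
    if end - start < 8:
        raise AtomError(f"table atom at offset {start} too short for version/flags and count")
    _version_flags, count = struct.unpack_from(">II", buf, start)
    # Compare the count to the room available instead of computing count * 4:
    # that multiplication is exactly what wraps around in a 32-bit native parser.
    if count > (end - start - 8) // 4:
        raise AtomError(f"entry_count {count} exceeds the {end - start - 8} bytes in the atom body")
    return list(struct.unpack_from(f">{count}I", buf, start + 8))


def find_atom(nodes: List[Dict], atype: str) -> Optional[Dict]:
    """Depth-first search for the first atom of the given type."""
    for node in nodes:
        if node["type"] == atype:
            return node
        found = find_atom(node.get("children", []), atype)
        if found is not None:
            return found
    return None


def build_atom(atype: bytes, payload: bytes) -> bytes:
    """Serialise one atom: 32-bit big-endian size (header included), type, payload."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def sample_file(stco_count: Optional[int] = None) -> bytes:
    """Constructed minimal file: ftyp, then moov/trak/mdia/minf/stbl/stco with two chunk
    offsets. Passing stco_count forges the entry_count field the way a malformed file
    would, while only two real entries follow it."""
    offsets = [4096, 8192]
    count = len(offsets) if stco_count is None else stco_count
    stco = build_atom(b"stco", struct.pack(">II", 0, count) + struct.pack(">2I", *offsets))
    stbl = build_atom(b"stbl", stco)
    moov = build_atom(b"moov", build_atom(b"trak", build_atom(b"mdia", build_atom(b"minf", stbl))))
    return build_atom(b"ftyp", b"qt  " + struct.pack(">I", 0)) + moov


if __name__ == "__main__":
    print(find_atom(parse_atoms(sample_file()), "stco"))
    try:
        parse_atoms(sample_file(stco_count=0xFFFFFFFF))
    except AtomError as exc:
        print("rejected:", exc)
```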

Study Reveals Corporate Network Cybersecurity Defenses Contain Many Vulnerabilities

A recent investigation by cyber security company F-Secure has revealed that corporate network cybersecurity defenses are anything but secure. The company recently assessed the cybersecurity protections in place at a large number of companies and discovered thousands of security vulnerabilities that could all too easily be exploited by hackers.

Holes in Corporate Network Cybersecurity Defenses Could be Easily Plugged

The company discovered almost 85,000 vulnerabilities in corporate network cybersecurity defenses. 7% of the 100 most common flaws were severe according to National Vulnerability Database standards, and half of those vulnerabilities could be exploited remotely by hackers. In the majority of cases, patches were available to address the vulnerabilities, yet they had not been installed. Numerous system misconfigurations were also discovered which could potentially be exploited by attackers. Simple administrative changes could address many of the vulnerabilities discovered by the researchers.

The top ten vulnerabilities discovered by F-Secure had a severity rating of low to moderate. While these vulnerabilities may not allow hackers to gain access to corporate networks, they indicate that the organizations in question do not have strong cybersecurity defenses. If these vulnerabilities were to be discovered by hackers, it could result in the company being probed and tested, and in some cases closer inspection would reveal exploitable weaknesses.

Previous research conducted by the United States Computer Emergency Readiness Team (US-CERT) suggests that in 85% of cases, targeted cyberattacks can be prevented by applying patches. However, F-Secure’s research indicates that patch management practices are substandard in many organizations. Even when patches are applied, all too often they are not applied to all systems and vulnerabilities are allowed to remain. If patches are not applied to all systems and vulnerabilities are allowed to persist, it is only a matter of time before corporate network cybersecurity defenses are breached.

Internet Threats Now Reaching Critical Levels

An Internet security threat report issued by Symantec earlier this month shows...

Dramatic Rise In Business Email Scams Prompts FBI Warning

The dramatic rise in business email scams in the past 12 months has prompted the Federal Bureau of Investigation (FBI) to issue a new warning. Companies of all sizes are being targeted with business email compromise scams which relieve companies of tens of thousands, if not hundreds of thousands or millions, of dollars. The FBI warns that scammers are now going to extraordinary lengths to fool company employees into transferring large sums of company funds into the hackers’ accounts.

These attacks are far from the random email spam campaigns typically associated with email scammers. Companies are extensively researched, individual targets are identified, and carefully crafted emails are sent. A variety of social engineering techniques are employed to convince an individual in the company to make a sizeable bank transfer to the attacker’s account.

There are two main variants of these business email scams. The first involves gaining access to the email account of the CEO or a senior executive in the company. This is usually achieved with a spear phishing campaign. This phase of the attack involves researching the company and identifying a target. That target is then sent a spear phishing email in order to obtain their email login credentials. Once access to an email account has been gained, emails are checked to determine the style of writing used by that individual: how they sign their emails, the terminology they use, and the level of familiarity they have with the second target, an individual who manages money or makes bank transfers for the company. An email is then sent from the executive’s email account requesting that a transfer be made. Account details are supplied, along with a reason for urgency and an explanation of why the request is being made. Since the emails come from a known source within the company, and the terminology and style of the email match those typically received by the accounts department, the transfer is often made without being queried.

Another variation on the same theme does not require access to an email account. Instead, a domain name is purchased that is virtually identical to that used by the target company, often with...

Samas Ransomware Used In Targeted Attacks on U.S. Businesses

2015 may have been the year of the healthcare data breach, but 2016 is fast becoming the year of ransomware, with new strains such as Samas ransomware appearing at an alarming rate. Recently the Federal Bureau of Investigation reached out to U.S. businesses, seeking help to deal with the latest Samas ransomware threat.

Samas Ransomware Being Used to Encrypt Networks

Samas ransomware – also known as Samsa, Samsam, and MSIL – is different from many strains of ransomware that were used by cybercriminals last year. The new ransomware strain is being used to attack businesses rather than consumers. Last year, criminals were sending out ransomware randomly via spam email. Ransom demands of 0.5-1 Bitcoin were the norm, with consumers often willing to pay to recover their files, accounts, photographs, and other important data. However, businesses hold far more valuable data. If criminals are able to infect enterprise computers and encrypt important business files, higher ransom demands can be sent, and in many cases those demands have been paid.

In order to obtain large ransoms, cybercriminals need to infect networks rather than single computers. If an end user downloads ransomware onto their computer, and that ransomware has the capability to spread laterally and infect other systems, enterprises are more likely to pay to unlock the encryption. Even when viable backups exist, the complexity of some of the ransomware now being used makes paying the ransom an easier and lower cost option. Since some ransomware is capable of deleting backup files, the restoration of data may simply not be an option. Samas ransomware has been reported to delete Volume Shadow Copy Service (VSS) data.

Access to Systems is Gained by Cybercriminals Weeks Before Samas Ransomware is Deployed

The mode of action of Samas ransomware is different from other families of malicious file-encrypting software such as Locky, CryptoWall, and Cryptolocker. Attackers are exploiting a vulnerability in the JBoss enterprise application platform to compromise an external web server. This is achieved by using a security program called JexBoss. Once access to a server has been gained, attackers mask...

Bitcoin Ransomware Kits Are Being Sold for As Little as $100 on the Darknet

The FBI issued warnings last year over the rise in popularity of Bitcoin ransomware, and a few days ago the law enforcement agency reached out to companies requesting assistance to help it tackle the threat from the latest ransomware variants, just days before the malicious software was used on MedStar Health System. Over the last few weeks a number of healthcare institutions have reported being attacked with ransomware, and there is no telling how many companies have had corporate and customer data encrypted by attackers. Many do not like to advertise the fact that they have been attacked.

While attacks on individuals only result in relatively small ransoms being paid, the same cannot be said for companies. Ransom demands of tens of thousands of dollars are issued, and many companies feel they have little alternative but to pay the ransom demand in order to recover their data. Unfortunately for enterprises, the threat from Bitcoin ransomware is unlikely to go away any time soon. More cybercriminals are getting in on the act, and attacks will continue as long as they prove to be profitable. The bad news is that Bitcoin ransomware is very effective. Worse still, attacks require little technical skill and cost very little to pull off.

Bitcoin Ransomware Kits Mean Little Skill is Required to Pull Off a Successful Attack

According to a report in the Italian newspaper La Stampa, the cost of conducting a ransomware attack can be shockingly low, and it requires little in the way of skill. One reporter at the newspaper set out to discover just how easy it is to buy ransomware and conduct an attack. After visiting underground forums on the darknet, the researcher found a board where ransomware-as-a-service was being offered. One poster on a Russian forum was not only offering ransomware for sale, but made it exceptionally easy for would-be cybercriminals to conduct campaigns. The purchaser would be supplied with the ransomware and distribution tools to send out the malicious file-encrypting software via email and advertising networks, and this Bitcoin ransomware service could be bought for as little as $100. According to the article, the purchaser would be allowed to keep 85% of the...

Many MSPs are Missing a Secret Ingredient to Boost Profits!

There are a number of ways for managed service providers to increase cash flow and boost profits. Efficiency can be improved, staff productivity can be increased, better margins can be achieved, and new in-house products could be developed. Unfortunately, all of these are easier said than done. The main ways to increase profits by a significant amount are to attract new customers and to increase the amount each existing client is spending. If only there were a secret ingredient that MSPs are missing that could help them win more business and get each client to spend more! The good news is that for many MSPs, there is such a product. Any MSP that has yet to include a web filtering service in its product portfolio could be missing out on substantial profits.

Web Filtering – An Easy Way for MSPs to Increase Profits

Filtering the Internet is now essential for many enterprises. In certain industries it is mandatory for companies to filter the Internet. They need to ensure sensitive data are protected and risk is effectively managed. Networks must be protected from attacks by hackers, and with an increasing number of web-borne threats, Internet usage policies alone are not sufficient to keep organizations protected. Those policies need to be enforced, and a web filter is the natural choice.

In some industries, education for example, it is mandatory for the Internet to be filtered. Minors must be prevented from accessing obscene website content or other material that could be harmful. Even when it is not mandatory to filter the Internet, it is often desirable. Hotels, restaurants, transport networks, airports, cafes, and coffee shops are choosing to implement controls to ensure all users enjoy a safe browsing experience.

In business, productivity losses from Internet abuse can be considerable. If every employee wasted an hour each day on personal Internet use, the losses to a medium-sized company would be substantial. Some studies suggest even more time is wasted by employees each day on non-work related Internet activities. Failure to filter the Internet can prove costly in many ways. For example, the accessing of adult content in the workplace can lead to the...

Olympic Vision Keylogger Used to Access Business Email Accounts

Web-borne attacks on enterprises are increasing, although it is important not to forget to protect against email attacks, as shown by a recent campaign using the Olympic Vision keylogger.

Olympic Vision Keylogger Used in Recent Business Email Compromise Attacks

The attackers behind the latest campaign are using the Olympic Vision keylogger to gain access to business email accounts. Trend Micro discovered the latest campaign and was able to trace the attacks and link them to two Nigerian cybercriminals. Trend Micro determined that the current campaign has been conducted in 18 different countries, including the United States.

Business email accounts contain a wealth of data which, in the wrong hands, could result in considerable damage being caused to an enterprise. However, it is not only the data stored in the email accounts that hackers want to obtain. The cybercriminal gang behind the latest attacks has a different purpose. Attacks are being conducted to gain access to business email accounts and use them to send emails to accounts department employees instructing them to make bank transfers to the attackers’ accounts.

Large transfers are often made following a business email compromise (BEC) attack. If hackers can gain access to the email account of a senior executive, they can use that account to send messages to members of staff in the accounts or billing departments requesting that transfers be made to their bank accounts. BEC is a highly effective attack strategy. If an email is sent from a CEO to the accounts department requesting that an urgent transfer be made, many employees would not think twice before making the transfer as instructed. This social engineering technique takes advantage of the fact that many employees would not question a direct request from a CEO or senior account executive. A transfer is made and the attacker receives the funds, withdraws the money, and closes the account. This often occurs before any red flags are raised, even when the transfer is for tens or hundreds of thousands of dollars.

Sophisticated Attacks Being Conducted Using Unsophisticated Malware

The Olympic Vision keylogger is not sophisticated malware. Once installed on a device...

Increase in Web-Based Exploits Makes Web Filtering A Necessity

Cybercriminals are moving away from email attacks and are concentrating on web-based exploits to deliver malware. Email remains a major source of malware, but web-based attacks are now much more prevalent.

Web-Based Exploits Increasingly Used to Deliver Malware

A recent report from Palo Alto Networks showed that out of just over 68,000 malware samples collected, 25% were delivered via email, whereas 68% were delivered during web browsing. Those figures were for known malware. When it comes to undetected samples, the figure for web browsing rose to 90%, compared to just 2% delivered via email. Undetected malware samples are those which are not detected by traditional anti-malware and anti-virus solutions.

It is easy to see why web-based exploits are being favored by cybercriminals. It takes much longer for web-based exploits to be detected by anti-virus software than email-based attacks. Palo Alto reports that it takes four times as long to detect web-based exploits as it does email-based attacks. Attackers are also able to tweak web-based malware in real time, whereas email-based malware needs to be sent out and changes can only be made for each new campaign.

In the case of email-based malware attacks, the malicious software is relatively easy for AV companies to detect. They are able to give each malware sample a signature, which makes it much easier to block attacks. In the case of web-based malware this is a much harder task. The malware can be tweaked in real time, making it harder for AV companies to capture it and create a signature. A web server on which malware is hosted can be configured to re-code the malware automatically and generate many thousands of unique malware samples. Capturing and adding a signature for each sample takes too long.

There are many methods that can be employed to reduce the risk of malware infections from web browsing, although one of the easiest preventative steps to take is to use a web filtering solution such as WebTitan. WebTitan allows organizations to carefully control the websites that can be accessed by end users. Palo Alto reported that HTTP proxies were frequently used in malware delivery. The blocking of HTTP proxies and web anonymizers...

Application Security Visibility a Problem for 69% of Companies

A recent study conducted by the Ponemon Institute on behalf of IBM investigated web application security visibility. The report revealed that for the majority of organizations there is none. When it comes to application security, many companies are in the dark and either do not test the apps they use, or do not address the vulnerabilities they discover when they do.

640 application development and security professionals were asked questions about application security and the steps being taken to secure apps. The study also aimed to answer the question of how much organizations know about the security of the applications they are using on a day-to-day basis. The results of the survey are worrying. More than a third of companies (35%) perform no application security testing. Consequently, they are unaware whether the apps they use have security vulnerabilities. Worse still, 69% of respondents said they were not aware of all of the apps and databases in use in their organization.

Application Security Visibility Needs to be Improved

The study also revealed that more than two thirds (67%) of organizations do not have overall visibility into the state of application security in their respective companies. Of the organizations that do perform application security testing, more than half do not take steps to address the security vulnerabilities they discover. 34% of respondents said urgent security vulnerabilities are not being fixed, and 43% said web application security was not a priority in their organization.

When asked why thorough testing of applications does not take place, 56% of respondents said it was due to time constraints and organizational pressure to release applications quickly. 55% said that their organization’s developers are too busy to work on application security issues, and 70% said they believed their organization invested too little in securing web applications and that insufficient resources were allocated to the task. Developers do not feel that it is their job to ensure applications are secure, and believe that this task should be carried out by the information security professionals employed by their organizations. Another issue is web...

Has Your Enterprise Implemented Social Media Usage Policies?

Enterprise social media usage policies have only been introduced by 54% of organizations, according to a recent social media research study conducted by Osterman Research. Social media use in the workplace has grown significantly in recent years, both personal use of social media sites and use of the platforms for business purposes. However, just over half of enterprises have implemented policies that limit or restrict use of the websites.

Enterprises face a choice: allow the use of the sites and accept that a considerable amount of each employee’s day will be devoted to personal social media use, or put controls in place to limit use. These can be restrictions on the times at which the sites can be accessed, the amount of time each employee is “allowed” to take as Facetime, or the actions that can be performed on social media sites.

There are good reasons for not introducing social media usage policies. Some employers believe social media use can improve collaboration between employees and departments. Some employers believe social media use can help improve corporate culture and even lead to faster decision making. However, some studies suggest that employers lose more than an hour each day per employee to social media networks. If that figure is multiplied by the 500 or more employees in an organization, it represents a considerable productivity loss.

Many employers do not mind a little time on social media sites each day, provided that usage is kept within reasonable limits. An employee cannot be expected to work productively for a full 8 hours a day, so allowing some social media time can help employees recharge before they get back to working at full speed. If an employee takes 5 minutes every hour to check their Facebook feed, it could actually help to increase the work that they perform each day.

Social Media Usage Policies Can Help Employers Manage Security Risk

Use of social media platforms is not only about time not spent working. There is a security risk associated with the use of social media networks. That security risk is considerable, and the risk is growing. The Osterman Research study revealed the risk of malware delivery...

Enterprise Patch Management is Still Causing Confusion

Effective enterprise patch management policies can greatly improve security posture and prevent cyberattacks; however, many enterprise IT staff are confused about patch management. A new survey conducted by Tripwire suggests that InfoSec staff often confuse patch management with vulnerability mitigation. The complexity of enterprise patch management also leaves many security professionals unsure about when patches should be applied and what the impact of applying patches will be.

The Complexity of Enterprise Patch Management Causes Problems for Many IT Security Professionals

The Tripwire survey was conducted on 480 IT security professionals and asked questions about enterprise patch management policies at their organizations. The results show that IT staff are struggling to ensure that all systems are maintained in a fully patched state. 67% of respondents said that at least some of the time, they are unsure about which patches need to be applied to certain systems.

The complexity of enterprise patch management is a problem. For instance, a patch may be issued to address Adobe Flash vulnerabilities, but it comes bundled with Google Chrome updates. It addresses Flash vulnerabilities in Chrome, where Adobe Flash is embedded, but does not address standalone installations or Flash vulnerabilities in other browsers. 86% of respondents said that issues such as this mean they find it difficult to understand the impact of a patch.

It is all too easy for security vulnerabilities to remain after a patch has been applied. Patches are released that address multiple security vulnerabilities, but they do not address those vulnerabilities across all systems. The application of a patch will not necessarily remediate a security vulnerability entirely. According to Tripwire, “The relationship between patches and vulnerabilities is far more complex than most people think.”

There is also considerable confusion between patches and software upgrades. When it comes to addressing security vulnerabilities, a patch may address some, an upgrade may address others, and there is often some overlap. Because of this, organizations struggle to ensure that all software is properly patched and fully up to...

Proposed FCC Rules for Broadband Providers Raise Concerns

Five ISP trade groups have put pen to paper questioning the need for the recently proposed FCC rules for broadband providers, saying they are against regulations specifically aimed at ISPs. They believe that consumer information should be protected based on the sensitivity of the data collected, rather than by introducing new regulations specifically for the businesses that collect, store, or use those data.

Extensive Set of FCC Rules for ISPs Proposed

An extensive set of rules for ISPs has been proposed following the reclassification of broadband as a regulated, common carrier service. The FCC wants to give broadband customers greater choice and control over how their personal data are used. If the proposed FCC rules for broadband providers are passed, they would severely limit how ISPs could use consumer data without first obtaining permission from their customers.

FCC Chairman Tom Wheeler has proposed that consumers should opt in to the use of their personal data by their ISPs. Currently, ISPs are not required to obtain permission from their customers before they use or share their personal data. The proposed FCC rules for broadband providers would change this, and require consumers to opt in before ISPs would be permitted to use or share their data for certain purposes. Under the proposed regulations, data could still be used by ISPs on an opt-out basis to help them deliver the broadband service that consumers signed up for, for billing purposes, to market improvements to their services, or for other internal reasons. However, the new rules would require an opt-in from customers for data use for all other purposes.

Proposed FCC Rules for Broadband Providers Would Require Data Breach Notifications to be Sent to Customers

The proposed FCC rules for broadband providers would also require ISPs to notify consumers about breaches of their personal data. Wheeler has proposed that broadband providers notify consumers of a breach of personal data within 10 days of the discovery of the breach, far faster than is required by the laws in the 40 states that have introduced legislation covering breaches of personal information. Telecoms companies are extensively regulated and...