Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Top 11 Security resolutions for the New Year

2015 has been the worst year so far for security breaches. Although the state of online security reminds me of that scene in Office Space where Peter says that every day you see him is the worst day of his life, there are a few things you can do to protect yourself against getting your data and online identity stolen. If you’re looking for a New Year’s resolution that isn’t “I’m going to buy a gym membership and only go for a week”, try this list (it goes to 11!) on for size.

  1. Change your passwords, just in case – chances are the password database of some online service that you use has been stolen sometime in 2015. While most companies don’t store the actual password, they do store a password hash (a scrambled, one-way version of it, basically) that can sometimes be used to reverse engineer your password. That can take some time on a powerful computer, so even though the breach might have happened 6 months ago and nobody’s hacked into your account yet, that doesn’t mean you are safe. Change your passwords regularly, just like you change the batteries in your smoke detectors.
  2. Use a password manager – every security boffin will tell you not to use the same password everywhere.  The problem with that is that we all probably have at least 3 dozen online accounts.  Remembering all those passwords, especially if you change them regularly, just isn’t feasible.  That’s where password managers come in.  Just remember one master password and the password manager software stores all the rest securely for you.  It also fills in your password automatically if you use their browser extension.  Don’t use the browser auto-fill for passwords, as those are usually not stored securely.
  3. Use good passwords – don’t use a password that contains any personal information about yourself, such as your birthday, your dog’s name or your favorite flavor of Ben & Jerry’s ice cream.  Using that information makes it easier to break password hashes in the process mentioned in point 1.  Good passwords should be long and random (that’s what she said!).  If you do take the advice in point 2 and use a password manager, they typically offer a secure random password generator.  If not, you can use this website: https://strongpasswordgenerator.com/
  4. Secure your WiFi – when you plugged in that new wireless router you got for Festivus, you probably didn’t realize that you had to change the password on it. If you don’t, then anyone you let on your wifi (or who breaks in) can log in to your router and do whatever they like. While the wireless security might also be on by default, it doesn’t hurt to check and make sure it is using the strongest security setting, which is the WPA2 protocol. To log into your router you generally have to look at the info on the bottom of the device to see how to log in and what the default login and password are. Typically you’ll put the IP address of the router into your browser to get started. If the only association you have when I mention IP is a joke about a book called The Yellow River, then find the nerdy kid who lives on your street (the one wearing glasses and a Minecraft shirt) and offer them a $25 Gamestop gift card to come secure your router for you. Remember to notify the kid’s parents first so they don’t think you’re kidnapping him or her.
  5. Change your PIN to something unpredictable – analysis of debit card PINs shows that over a quarter of them are one of 20 common combinations such as 1234 or 0000.  If your PIN is one of the 20 on this list, then go change it right now to something that isn’t on the list.  Also, saying “PIN number” is redundant since PIN stands for “Personal identification number”, so stop saying that.
  6. Freeze your credit – if you get your identity stolen you’ll eventually get it sorted out.  The problem is that will take hundreds of hours of your time, and you might not have access to your bank accounts until you get it cleared up.  Have you tried living without money lately?  It’s not a lot of fun.  If you want a story scarier than the Krampus movie, read this.  You can regularly check your credit reports for new accounts that you didn’t open, but an ounce of prevention is always best.  Call up the credit agencies and freeze your credit.  That way nobody, including you, can open new lines of credit without first unfreezing using a secure procedure.  It’ll also stop you from impulse buying a new Mustang that you can’t afford.  The FTC has a handy guide here.
  7. Turn on two-factor authentication – two-factor authentication is one of the typical stupid names that techies come up with when naming technology.  It should be called something self-explanatory such as “confirm my identity”.  What it means is that when you log into an online service, they text you a passcode after you’ve logged in.  You have to type in the code they text to your phone to confirm it’s really you.  This makes sure that you not only know the password but also have access to your own phone.  Two ways of identifying you – that’s what the phrase “two-factor authentication” means in plain English.   It’s unlikely that a thief will be able to steal your password and your phone at the same time, which is why this makes things more secure.  Good banks and credit unions will have this enabled by default.  Some of your online services or banks might not have it turned on by default, which is dumb of them.  If that’s the case, go into the settings and turn it on, or call them and ask them to turn it on for you.  If your bank or credit union doesn’t offer 2FA (to make the phrase two-factor authentication even more obtuse) then it’s time to switch banking institutions.
  8. Enable a PIN on your phone – yes it’s annoying.  If it bothers you that much, get a phone with a fingerprint reader.  If you don’t, then whoever finds your phone after you leave it in the bar at 3am will have your entire life at their fingertips.  They can reset all your passwords because they have access to your email.  Then they can clean out your bank accounts and leave you with something worse than a hangover the next morning.
  9. Don’t believe anyone who contacts you – you know that guy who comes up to you at the gas station with an empty gas can and a story about a lost wallet?  He’s a con man.  Same goes for the person who calls you pretending to be Microsoft or the email pretending to be from Paypal.  If someone initiates contact with you then chances are they aren’t who they say they are.  If someone calls saying they are from your bank, from the IT department or from Microsoft and starts asking you for credit card numbers, passwords, or to remote into your computer, then hang up on them.  The only legitimate call you’ll get from your bank is when their security department calls you in the middle of your holiday shopping spree to verify that you are the one who made those rash purchases.  In those cases they’ll tell you what transactions were made with your card and ask you to confirm it was you and not a thief who stole your credit card details.
  10. Update all your software – most hackers breaking into online systems use known vulnerabilities that have already been patched.  They look for computers that haven’t been updated to the latest patches.  Run Windows Update to update your operating system and also update any other software you use regularly.  That software will generally have a menu option to check for updates under the Help or About drop-down menu.  Well-written software will check for updates automatically.  A lot of software is not well written.
  11. Don’t open email attachments – especially from people you don’t know. Even if the email looks like it is from someone you know, it could be that their email account was hacked. If they didn’t tell you previously to expect an email with an attachment, then don’t open it. If you get a suspicious email from a friend or family member, call them up and ask them if they really sent it and why they attached a Word document that it’s really, really important that you open right now. Most likely they’ll have no idea what email you are talking about. For a list of other common online and email scams, check out this page.

Wouldn’t it be nice if technology could be used to make all of the above something you don’t have to think about?  Maybe in about 20 years this will be the case.  In the meantime, it makes sense to spend a few hours protecting yourself now so that you don’t have to spend 100 hours on the phone with banks and creditors sorting out the mess when your identity gets stolen.  Stay safe in 2016!

https://www.youtube.com/watch?v=KOO5S4vxi0o

Quick Tips to Protect Your New (and old) Apple Devices

Apple has projected yet another record holiday for sales, but this should come as no surprise to fellow ‘Macheads’. I myself am a huge fan of Apple and have been for quite some time; I still have my iBook, and it still works! My desk is home to an iMac, Macbook, and many other small Apple devices. The one thing that most people believe is that there is no need to worry about security for their beloved Apple devices, which is a bit overinflated. So here are a few tips for this holiday season.

Top Ten tips for OS X security

  1. Create a standard account (non-admin) for everyday use – Log into the standard account for your everyday activities, and to store your personal information. Whenever an administrator’s password is required, type the admin username and the appropriate password. This will lead to more password requests than if you were working under an admin account. However, these requests should make you think about whether you should be entering your password.
  2. Set Gatekeeper to allow Mac App Store and identified developers – Gatekeeper resides under Preferences > Security & Privacy and its main function is to allow the user to control which apps can be run without further escalation and/or attention. If you download an application that doesn’t meet the criteria you will not be able to run it.
  3. Stay current with OS X updates – Mac OS X has a built-in software update tool, “Software Update”. It’s a good idea to run “Software Update” frequently and install updates when available.
  4. Disable automatic login – Automatic login means that anyone who can access your Mac only needs to start it up to have access to all of your files.
  5. Use the built-in Firewall – The firewall can be tuned to your needs, whether at home, work or travel.
  6. Use a password manager to help prevent phishing attacks – It’s important to create complex, unique passwords; however, for most of us, the more complicated the password, the easier it is to forget.
  7. Use Mac FileVault for full-disk encryption – FileVault encrypts your entire hard drive using a secure encryption algorithm (XTS-AES 128). You should enable this feature on your Mac because if your hard drive isn’t encrypted, anyone who manages to steal your computer can access any data on it.
  8. Use a Mac anti-virus (WSA) – Let’s face it, Mac malware is real and only getting worse.
  9. Enable iCloud Mac locator and remote wipe – If your system is ever stolen you can log into iCloud.com or use the Find My iPhone app on an iOS device to locate your device, send it a command to lock it, have it issue a sound, or remotely wipe the device.
  10. Use “Secure Empty Trash” to remove data – By default, files are simply marked for deletion and not really deleted, making file recovery simple. Using Secure Empty Trash makes things much more difficult to recover.

Tips to secure your iOS

  1. Enable Passcode Lock. This is one of the key security tips. The stronger the passcode the better. Apple has incorporated a fingerprint scanner in the newer iPhone models which allows users to use their fingerprints for authentication when unlocking their device and making purchases.
  2. Erase all data before selling, trading in, or sending off for repair.
  3. Update. By keeping your apps and operating system up-to-date, you will strengthen the security of your device. You can turn on the automatic downloads feature, which will update apps in the background without the need for you to do anything.
  4. Don’t Jailbreak. Sure, some of the Jailbreak tweaks are cool and can do some fun things, but is the lack of security really worth it?
  5. Enable Safari security settings. These settings include blocking pop-ups, disabling autofill, fraud warnings, and the ability to clear cookies/history/cache. Alternatively, you can download Webroot’s secure web browser for iOS.
  6. Disable Bluetooth/WiFi. There are several freeware tools designed to sniff for Bluetooth and WiFi signals and then gather information from open devices. It is also best to not use public WiFi; you don’t really know what the guy sitting at the other table in Starbucks is doing on his computer.
  7. Find My iPhone. This should go without saying: this feature not only helps you find a lost or stolen phone, but it also makes wiping the phone a little harder. I had an iPhone stolen and Find My iPhone found it five months later… in Canada… someone sold it on eBay.
  8. Disable Siri on the Lock screen. Siri is a great tool and asset, but she can also talk too much; this will keep her quiet until the correct person is able to unlock the device.
  9. Set up a VPN. A Virtual Private Network is a must-have and can bring extra security to anyone who uses their devices on different wireless networks. Some VPN services are free of charge, but some can cost several dollars a week, which is more than a fair price for protecting your information.
  10. Turn on two-step verification for Apple ID and iCloud – a great way to prevent issues, since an intruder would need to know both the password and the 4-digit verification code.

Webroot’s 2015 SMB Threat Report: An Analysis

Recently, Webroot published “2015 SMB Threat Report: Are organizations completely ready to stop cyberattacks?”, which included the results from a survey of 700 SMB decision makers worldwide about their IT security, their readiness for security response, and their use of MSP resources in their environment.

Many SMBs are outsourcing cybersecurity to managed services providers (MSPs) to make up for the lack of time and in-house expertise. According to the report, 81% of respondents agreed such outsourcing would improve their bandwidth for addressing other tasks. With the majority of SMBs surveyed planning to increase their cybersecurity budget in 2016, VARs across a broad variety of industries are beginning to embrace this service-centric relationship with their clients. For customers, choosing to work with an MSP means they avoid installation and maintenance headaches. They also avoid diverting resources towards laborious IT security support tasks or ad hoc break/fix reseller charges.


Although SMBs appear more aware of cybersecurity-related risks to their organizations, many are still unsure or under-informed about their own readiness to handle such risks even with heavy investments of time into protecting the environments. Incredibly, even with 56% of respondents reporting over 17 hours spent on cybersecurity, 44% are still feeling they have less time to stay up-to-date on threats.


Just 37% of IT decision makers surveyed in the US, the UK, and Australia believe their organizations are completely ready to manage IT security and protect against threats. While I am not entirely surprised, given the considerable cybersecurity challenges SMBs face, it’s still an alarmingly low number.

On the flip side, when asked how confident IT decision makers would be that someone on their staff could deal with a cyberattack, a surprising 84% responded confidently. Given the other responses to this survey, this was unexpected and indicates a discrepancy and possible misperception of IT resources, knowledge, and capability to thoroughly address a cyberattack.


Webroot’s SMB Threat Report makes it clear that the future of security is in need of some change, with IT decision makers stretched thin. In the near future, we should expect a continued movement towards “outsourced IT,” particularly on the cybersecurity front. According to the survey, 81% of respondents believe outsourcing IT solutions would increase their bandwidth to address other areas of their business. In order to reap the full array of benefits, though, IT decision makers must be proactive about identifying MSPs that offer “intelligent cybersecurity” solutions.

Our definition of intelligent? Solutions that are easy to install, can be managed remotely, and provide real-time protection against modern threats. While these are all important qualifications, we expect SMBs to place an increased premium on the “real-time” component.

Russians are not immune to Encrypting Ransomware

With CryptoWall 4.0, it has been found that Russian users are spared any encryption when the malware is deployed on their system. That’s because it checks which keyboard language is in use, and if Russian is detected it kills itself before encryption. This isn’t much of a surprise since we’ve always known these guys were Russian (at least the spam servers) and target mainly the US and Europe. But everyone is susceptible to encrypting ransomware, so here’s a look at a recent encrypting ransomware that will target Russians.

While this encrypting ransomware may look a little different, it’s pretty much the same as the rest: encrypt your files via a phishing email and hold them ransom for a bitcoin payment through the Tor browser. The encryption routine is done using GPG Tool, which is an open source encryption tool, and the “.vault” extension is appended to each encrypted file.

Once you enter the Onion link into a Tor browser you’ll be presented with the following pages:

The bitcoin currency is continuing its climb

This is the payment portal – The victim is subject to a price increase after 4 days.

This variant also introduces the “freebie” structure where it allows you 4 free file decrypts. This is so you know what the decryption routine is like and know that you’ll get your files back if you do pay the ransom.

Once you’ve paid for the ransom you have access to download the decryption tool from the portal.

MD5 Analyzed:

87c6023bf8922d84927247c15621a02e

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.
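As an added illustration of the snapshot-history advice above (example code, not Webroot’s product), a small Python versioned-backup store that keeps up to ten previous copies per file and, after an infection, restores each “.vault” file’s original from the newest copy taken before the infection. The directory layout, the numeric stamps used as timestamps, and the file contents in `demo()` are constructed.

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional

MAX_COPIES = 10              # up to ten previous copies per file, as the post describes
RANSOM_EXTENSION = ".vault"  # extension this variant appends (from the write-up above)


class SnapshotStore:
    """Keeps timestamped copies of files under history_dir/<path relative to root>/."""

    def __init__(self, root: Path, history_dir: Path, max_copies: int = MAX_COPIES):
        self.root = Path(root)
        self.history_dir = Path(history_dir)
        self.max_copies = max_copies

    def _history_for(self, path: Path) -> Path:
        rel = Path(path).resolve().relative_to(self.root.resolve())
        return self.history_dir / rel

    def versions(self, path: Path) -> List[Path]:
        """All stored copies of `path`, oldest first (file stem is the stamp)."""
        hist = self._history_for(path)
        if not hist.exists():
            return []
        return sorted(hist.glob("*.snap"), key=lambda p: int(p.stem))

    def snapshot(self, path: Path, stamp: Optional[int] = None) -> Path:
        """Copy the current contents into history, then prune to max_copies."""
        hist = self._history_for(path)
        hist.mkdir(parents=True, exist_ok=True)
        stamp = time.time_ns() if stamp is None else stamp
        dest = hist / f"{stamp}.snap"
        shutil.copy2(path, dest)
        copies = self.versions(path)
        for old in copies[: max(0, len(copies) - self.max_copies)]:
            old.unlink()
        return dest

    def restore(self, path: Path, before: Optional[int] = None) -> Path:
        """Write back the newest copy taken strictly before `before` (or the newest of all)."""
        candidates = [v for v in self.versions(path) if before is None or int(v.stem) < before]
        if not candidates:
            raise FileNotFoundError(f"no snapshot of {path} before {before}")
        shutil.copy2(candidates[-1], path)
        return candidates[-1]


def encrypted_files(root: Path, extension: str = RANSOM_EXTENSION) -> List[Path]:
    """Files carrying the ransomware's extension: these are the ones to restore."""
    return sorted(p for p in Path(root).rglob(f"*{extension}") if p.is_file())


def original_path(encrypted: Path, extension: str = RANSOM_EXTENSION) -> Path:
    """report.docx.vault -> report.docx"""
    name = encrypted.name
    if name.endswith(extension):
        name = name[: -len(extension)]
    return encrypted.with_name(name)


def recover(root: Path, history_dir: Path, infection_time: int) -> List[Path]:
    """Restore every encrypted file from its pre-infection copy and drop the .vault file."""
    store = SnapshotStore(root, history_dir)
    restored = []
    for enc in encrypted_files(root):
        orig = original_path(enc)
        store.restore(orig, before=infection_time)
        enc.unlink()
        restored.append(orig)
    return restored


def demo() -> dict:
    """Constructed end-to-end run in a temp dir: five edits, a fake infection, recovery."""
    tmp = Path(tempfile.mkdtemp())
    root, hist = tmp / "docs", tmp / "history"
    root.mkdir()
    report = root / "report.txt"
    store = SnapshotStore(root, hist, max_copies=3)  # 3 instead of 10 to show pruning
    for i in range(5):
        report.write_text(f"version {i}")
        store.snapshot(report, stamp=100 + i)  # integer stamps stand in for timestamps
    kept = [int(v.stem) for v in store.versions(report)]
    # Simulate the ransomware: the original is replaced by an encrypted .vault file.
    vault = root / ("report.txt" + RANSOM_EXTENSION)
    report.rename(vault)
    vault.write_text("ciphertext")
    restored = recover(root, hist, infection_time=105)
    return {"kept": kept, "restored": [p.name for p in restored],
            "content": report.read_text(), "vault_left": bool(encrypted_files(root))}


if __name__ == "__main__":
    print(demo())
```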


Threat Recap: Week of Dec 7th

Top 5 Week of Dec. 7

UAE Bank Hack

In the last week, a major financial institution in the United Arab Emirates was hacked, with customer information being ransomed for a sum of nearly $3 million USD. The bank’s refusal to pay the significant ransom led to the hacker releasing account information of nearly 500 customers via Twitter. Although the Twitter accounts were shut down, the hacker continued on, contacting customers and demanding they pay a ransom for their information.

Anonymous Targets UN

In response to the arrests of protesters outside the Climate Change Summit in Paris, the hacker group, Anonymous, released sensitive information for nearly 1,500 UN officials. The protest, which started off peacefully, ended with nearly 100 protesters being arrested after clashing with local police.

Malvertising on the Rise

With internet users constantly being bombarded by ads, it’s no surprise that malware authors are joining the game. Using malicious JavaScript, the ads can infect computers without the need for any user input other than navigating to the website in the first place. Upon arrival on the landing page, the browser is scanned to find any exploitable plugins and, if successful, the malware is downloaded to the computer.

Read More: http://www.wired.com/2015/12/hacker-lexicon-malvertising-the-hack-that-infects-computers-without-a-click/

DDoS Attack on UK College Network

Recently, a major academic computer network in the UK fell victim to a targeted DDoS attack that slowed it down significantly and made certain functions unavailable.  The attacks began on Monday and have continued throughout the week, causing severe disruption to many universities across the country. Jisc, the company that operates and provides the network services has claimed that they are working diligently to restore functionality as quickly as possible.

Microsoft Warns of Security Issues after IE EOL

Coming as no surprise to many, Microsoft has confirmed that its flagship browser, Internet Explorer, will be reaching the end of the road. After the launch of Windows 10 and Microsoft Edge, it was only a matter of time before the highly exploited browser had the plug pulled on it. The official end date for support on older versions will be January 12, 2016, though IE 11 will continue to receive security updates on currently supported Windows operating systems.

What are the security risks with using a router provided by your ISP?

Internet security isn’t just about your devices, but also what connects your devices to the internet.

Here at Webroot we have seen an influx of customers having problems with ads popping up on their devices while SecureAnywhere is reporting a clean scan. They report seeing multiple ads, some pornographic in nature, while connected to their home network—and only that network. Our advanced malware technicians have found that the DNS settings have been changed on the modem router and were causing these ads.

Getting a router from an ISP (Internet Service Provider) comes with several benefits and security risks. For benefits, the ISP technicians are trained on how to set up and support the modem, and they are able to log in remotely using a backdoor they have set up to assist customers. This is not a setting you, as a user, can change or turn off.

Arris cable modems are used by many major ISPs (Time Warner Cable, Comcast, Cox Communications, etc.) for this purpose. They are designed so a technician can log in and help set up the router remotely for their customers. The backdoor they use has a password generated for it every day by a publicly available algorithm (http://tylerwatt12.com/potd/) or—even worse—it’s a hardcoded password. This is not your default username/password, but a backdoor created by the manufacturer.

Once hackers/non-support technicians have access to the router through the technician’s backdoor, they can change the DNS settings to show ads on any device connected to the router. Because every name lookup from your network goes through the DNS server they chose, your traffic can be redirected and your information compromised. Router settings can also be changed to allow for telnet access later if they want to get back in for any reason.

There are several ways they can infect your router, but it is usually done remotely by scouring IP addresses and seeing if the username/password of the day set by the algorithm works. Once they have access to the router, they are free to change the DNS settings as they wish.

How can you tell if you have this kind of infection?

If there are devices on your network receiving ads while only connected to that network—not seeing ads when on other networks (such as at a coffee shop or at the office)—and your antivirus software is reporting no threats, this could indicate the router has been accessed by someone outside your ISP’s company.
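One way to turn that symptom into a repeatable check, as an added example that is not Webroot’s code: it parses the nameservers a machine was handed (resolv.conf-style text), compares them with an allowlist you maintain, and asks for a few random names that cannot exist, since a resolver that answers those with an address is the kind of ad-injecting DNS described above. The allowlist addresses and the sample resolv.conf text are constructed placeholders; if your router forwards DNS itself, add its LAN address to the allowlist, and note that some ISPs wildcard-answer non-existent names on their own resolvers, which this check will also flag.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Optional

# Constructed allowlist (an assumption): the resolvers you expect your router to
# hand out. Replace with the addresses your ISP publishes or the public resolvers
# you configured yourself, plus the router's own LAN address if it forwards DNS.
KNOWN_GOOD_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# A resolver maps a hostname to an IPv4 address string, or None for "no such name".
Resolver = Callable[[str], Optional[str]]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(nameservers: Iterable[str],
                         known_good: Iterable[str] = KNOWN_GOOD_RESOLVERS) -> List[str]:
    """Nameservers that are not on the allowlist."""
    allowed = set(known_good)
    return [ns for ns in nameservers if ns not in allowed]


def random_label(length: int = 24) -> str:
    """A random DNS label; a name this long and random will not exist by accident."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def system_resolve(name: str) -> Optional[str]:
    """Resolve through the OS resolver, i.e. whatever DNS the router handed out."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_answers(resolve: Resolver, probes: int = 3, tld: str = "com") -> List[str]:
    """Look up names that cannot exist; any address returned is a hijack indicator."""
    answers = []
    for _ in range(probes):
        addr = resolve(f"{random_label()}.{tld}")
        if addr is not None:
            answers.append(addr)
    return answers


def assess(resolv_text: str, resolve: Resolver = system_resolve,
           known_good: Iterable[str] = KNOWN_GOOD_RESOLVERS) -> Dict[str, object]:
    """Combine both checks; 'suspicious' is True if either one fires."""
    nameservers = parse_resolv_conf(resolv_text)
    unexpected = unexpected_resolvers(nameservers, known_good)
    wildcard = wildcard_answers(resolve)
    return {
        "nameservers": nameservers,
        "unexpected_resolvers": unexpected,
        "wildcard_answers": wildcard,
        "suspicious": bool(unexpected or wildcard),
    }


if __name__ == "__main__":
    # On a Linux box this reads the live configuration and uses the live resolver.
    with open("/etc/resolv.conf") as fh:
        print(assess(fh.read()))
```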

What can you do to protect yourself?

By buying your own router, there will be no backdoor for ISP technicians. The routers you buy tend to last longer and have better configurations (port forwarding, encryption, SSID). However, you will have to set it up yourself, as major ISPs will not support modems that they do not provide.

Securing cable modems is more difficult than other embedded devices as, in most cases, you cannot choose your own device/firmware, and software updates are almost entirely controlled by your ISP. Below is an incomplete list of suspicious routers. You can also contact your ISP and ask them to address this exploit and provide a firmware update OR provide a non-vulnerable modem.

  • Arris CM820A
  • Arris DG860
  • Arris DG950A
  • Arris TM501A
  • Arris TM602A
  • Arris TM602B
  • Arris TM722G
  • Arris TM802G
  • Arris TM822G
  • Arris TG862
  • Arris TG862A
  • Arris WBM760A


Threat Recap: Week of December 4th

Greek Bank Cyber Attacks

Recently, several Greek banks were hit with a cyber attack that brought their systems to a halt for several hours. The hackers, claiming to be a group called the Armada Collective, demanded a bitcoin ransom be paid by Monday evening. The banks refused to pay, however, which caused the group to extend the deadline before unleashing another attack.

ModPOS on the Rise

As we enter the holiday season, a new point-of-sale malware is targeting major national retailers. The malware, named ModPOS, appears to be more advanced than previous POS infections, using multiple different components to gather as much data as possible and encryption to hide its tracks. Fortunately for consumers, many retailers already use point-to-point encryption for payments, with many more expected to follow in the coming months.

Read More: http://www.latimes.com/business/la-fi-modpos-malware-20151125-story.html

Office of Personnel Management Hacked

In the past several months, it has become clear that Chinese hackers gained access to the U.S. Office of Personnel Management and exposed the data of over 20 million federal employees and their families. The Chinese government has stated that they captured the hackers responsible for the attacks, though these reports are still unconfirmed.

Read More: https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html

VTech Hack

With high tech toys becoming more prevalent, the risk of children becoming victims of cyber attacks increases as well. The latest breach comes from Hong Kong based toy company VTech, whose servers were attacked, leading to the exposure of nearly 5 million customers’ data. The hacker, who has remained anonymous, was able to access nearly 200GB of pictures, chat logs between parents and children, and usernames/passwords for those accounts.

Read More: http://arstechnica.com/security/2015/11/hacked-toymaker-leaked-gigabytes-worth-of-kids-headshots-and-chat-logs/

Security in the Health Industry

For quite a while now, most healthcare facilities have lacked the infrastructure for increasing their data security, simply allowing employees access to most data with a username/password. This has recently changed, and now many hospitals across the U.S. are adding two-factor authentication to their security protocols. This boost in security, along with additional training for employees, will decrease the chances of a data breach in the future.

What’s in a name?

Any time a malware variant hits the news we get numerous requests for information. It is typically quite difficult to provide any information based on names that have been given to threats. A simple way to illustrate this is by using a service such as Virustotal and seeing what name other AV companies use for the same threat. I found a recent article about a new threat that contained a link to a write-up by an AV company including MD5 hashes for the file samples used for the write-up. Below are screen shots of the Virustotal results for one of those files.

The first thing I noticed was that there are numerous names that this is detected as, and they are rather inconsistent. Many of the names used are generic, and there are quite a few heuristic detections included in the results. Another thing I noticed was that the name of the malware from the article and the write-up for this file is nowhere to be found. The AV company whose write-up I got the sample from does detect the file, just not by the name that was in the write-up.

What this shows is that, even though this malware sample was found with a specific name, it is widely detected by generic and heuristic detections. The name that it is detected as becomes rather irrelevant. Identifying new malware and taking it apart to determine how it works and what it does is certainly important, but at the end of the day, simply detecting a file as malicious and removing it is what really matters.

Threat Recap: Week of November 20th

A lot happens in the security world, some big and some small, and many stories get lost in the mix. In an effort to keep our readers informed and updated, we present the Webroot ThreatBrief, highlighting 5 major security news stories of the week.

Encrypted messaging apps used for terrorist communication

In the wake of the recent terrorist attacks in Paris, authorities are looking more at encrypted messaging apps as likely communication means for terror organizations. Apps such as Telegram offer end-to-end encryption for group chats, although the risk in using them is high. Along with the less-than-stellar encryption, the app also uploads your entire contacts list to Telegram’s servers. In response to the blowback it had been receiving, Telegram has banned nearly 80 ISIS-related channels.

Read more: http://www.nytimes.com/2015/11/17/world/europe/encrypted-messaging-apps-face-new-scrutiny-over-possible-role-in-paris-attacks.html?_r=0

Response Plans for Cyber Attacks

As the risk of cyber attacks increases for businesses, it is becoming crucial to have a response plan in place to avoid major loss of data. One of the best ways to reduce the chances of a cyber attack is to implement security training for all employees, as negligence is highly likely and the known cause of multiple past breaches. Additionally, it is good to conduct security assessments regularly to identify vulnerabilities and to gain a stronger understanding of what data is being stored and the best method for protecting it.

Read more: http://www.information-age.com/technology/security/123459644/6-critical-steps-responding-cyber-attack

DDoS attacks occurring in Britain

On Wednesday, reports came in showing a high volume of DDoS attacks occurring mainly in the UK, after the hacktivist group known as Anonymous declared war on ISIS. The DDoS attacks, which overwhelm network systems with data until they reach a failure point, are thought to have originated from ISIS hackers, though it is nearly impossible to tell for sure.

Read more: http://www.cnet.com/news/british-spy-unit-reportedly-hit-anonymous-with-ddos-attacks/

Smart TV Security Concerns

With the great leaps that technology has made over the last decade, the rise in Smart TVs with network access has brought the Internet right to your living room. Due to the increased use in both homes and businesses, consumers should be cautious when allowing a TV to access their local network, as it could be used maliciously to gain access to sensitive information. Additionally, the remote use of webcams and voice-activation features could be abused to gain entry into a business or personal space, and these should be disabled unless in authorized use.

Read more: http://www.technewsworld.com/story/81691.html

Recurrence of Dyreza for Windows 10

In the last week or so, there have been cases of the banking trojan Dyreza being found in Windows 10 environments. The latest variant is capable of killing processes used by endpoint security software and injecting into known-good processes to continue running. Unfortunately for consumers, this update seems to have arrived just in time for Black Friday/Cyber Monday, as many will be doing their online shopping for the holidays.

Read More: http://www.theinquirer.net/inquirer/news/2435483/banking-trojan-dyreza-is-targeting-windows-10-and-microsoft-edge-users

Is 2015 the Year of Mac Malware?

Lots of blogs, articles and posts have been circulating recently about the increase in Mac malware, mostly due to the publication of Bit9’s report. I think it is wise to clarify what is really happening in the world of malware for Macs. Yes, there has been an increase in malware, but what category does it fall under? What should consumers be aware of, and what should they be less concerned with?

Most recently a Mac ransomware proof of concept was announced and, as expected, the media lost their minds. I have had the opportunity to speak with the creator of the POC and was also able to look into what it does, along with what it means for future malware. The author is a threat researcher/developer named Rafael Marques from Brazil. His POC has brought massive attention to the security needs of OS X and to the lack of concern that most people feel about Macs. His motive was not to create malware for release to the public at large but to help educate people that Macs are not as safe as they think. I asked him why he decided to create this and his response was to inform people “about the myth that there is no malware for mac”. I couldn’t agree more with him; I recently wrote a blog about the history of Mac malware, along with another one on how adware is bypassing popular ad-blockers. Although the program he wrote can do what it was intended to do, it would need to bypass a few security features, which makes it a little more difficult but not impossible. A quote from Cory Doctorow best sums it up: “never underestimate the determination of a kid who is time-rich and cash-poor.”

This is where the public typically gets lost in the industry terms. The proof of concept he created is malware, but most of the encounters we come across on Macs are not this intense; these are instead PUAs (potentially unwanted applications). PUAs are still considered malware for the most part, but they are not really looked at as something to be as concerned about. 2015 has really been the year of PUAs. Every day I go through samples, the majority of which are these PUAs, and most of those are adware. These adware programs will try to hide as legitimate programs and run in the background just to get you to click on annoying pop-ups. VSearch, Genieo, IronCore, Bundlore, Wedownload… These are just a few that we come across every day.

While these programs don’t cause any real harm to the system, they do help in showing consumers that Macs are not invincible. Adware is more like a testing ground for malware authors; they create these to figure out ways around security and users. Once an author knows how to bypass all the security measures, what’s to stop them from writing a more complex threat? Of course one could argue that my intention is to get people to buy anti-virus, but I didn’t go into this career to sell a product; I chose my path to help build security and promote it to the world. I think it is very important that people begin taking Mac security seriously. The next time ransomware for the Mac comes out, it may not have a researcher like Rafael creating it to bring awareness; it may be someone wanting to make money at your expense.

CRYPTOWALL 4.0 (updated)

We know that Cryptowall 3.0 has been hugely successful for cybercriminals, netting them nearly $325 million in its debut year. With over 800 command and control URLs and over 400,000 attempted infections, it is easily the most prolific threat of 2015.

[Image: Cryptowall 3 infection]

Here it is, what we’ve all been waiting for – the newest edition of Cryptowall. This ransomware comes out with new revisions almost as much as Apple does with iPhones. The bad news is that both will set you back $700.

This is the locally saved HTML web page that it sends you to. If you don’t notice that, you’ll definitely notice that all your files have been encrypted, and a new update is that the entire name of each file has been randomized, so you no longer know which file is which. This is to create confusion about the severity of the damage and increase the chance that you’ll pay. As you can see from the first image, they congratulate you and welcome you to the CryptoWall community – how nice. The rest of the instructions are pretty standard, informing you how to install a layered Tor browser and then connect to the darknet to pay them and get your files back. Notice the additional information they have at the bottom:

[Image: additional information at the bottom of the ransom page]

These guys actually claim that CryptoWall is NOT malicious and not intended to harm your data: “Together we make the Internet a better and safer place” – who are they fooling? Either way, this is new and not seen on previous variants.

On to the payment website, and we can see they immediately want $700. It wasn’t even a year ago that the default payment was $300…

[Image: CryptoWall payment page]

There are some new features, like a free decrypt, which was first introduced by CoinVault, a threat we discovered a while back. It has obviously helped convince people that the decryption routine is fairly easy, that the ransom is genuine, and that you will get your files back.

We’re currently reversing the sample and will have a more in-depth writeup of its infiltration, payload obfuscation, injection, and file encryption next week.

MD5 analyzed: E73806E3F41F61E7C7A364625CD58F65

Additional MD5 seen:

63358929C0628C869627223E910A21BF
5C88FCF39881B9B49DBD4BD3411E1CCF
32ACFA356104A9CE2403798851512654
CE38545D82858C7A7414B4BD660364A9
5384F752E3A2B59FAD9D0F143CE0215A
CF6D69E47B81FA744052DA33917D40F3
53C82D574E054F02B3163271262E0E74
A891CED376809CF05EFE4BB02EB2CBF3

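One thing a defender can do with the hashes above is sweep file shares and endpoints for exact matches. The following is an added example (not Webroot tooling): the hash set is the list from this post, the scanner is generic, and the `demo()` walkthrough builds a constructed temporary directory with a made-up file whose digest is added to the set so the sweep has something to find.

```python
"""Sweep a directory tree for files whose MD5 matches a known-bad list.

Added example, not Webroot tooling. CRYPTOWALL4_MD5 holds the hashes the
post lists; the scanner itself is generic and takes any set of hex digests.
"""
import hashlib
import os
import tempfile

# MD5s from the post: the analyzed sample plus the additional ones seen.
CRYPTOWALL4_MD5 = {
    "E73806E3F41F61E7C7A364625CD58F65",
    "63358929C0628C869627223E910A21BF",
    "5C88FCF39881B9B49DBD4BD3411E1CCF",
    "32ACFA356104A9CE2403798851512654",
    "CE38545D82858C7A7414B4BD660364A9",
    "5384F752E3A2B59FAD9D0F143CE0215A",
    "CF6D69E47B81FA744052DA33917D40F3",
    "53C82D574E054F02B3163271262E0E74",
    "A891CED376809CF05EFE4BB02EB2CBF3",
}


def normalize(hashes):
    """Upper-case and strip a collection of hex digests so comparisons are exact."""
    return {h.strip().upper() for h in hashes if h and h.strip()}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def scan_tree(root, bad_hashes):
    """Return [(path, md5)] for every regular file under root whose MD5 is in bad_hashes.

    Unreadable files (permissions, vanished mid-walk) are skipped rather than
    aborting the whole sweep.
    """
    wanted = normalize(bad_hashes)
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo():
    """Constructed walkthrough: a temp tree with one benign file and one 'known bad' file.

    The bad file's content is made up here; its MD5 is added to the IoC set so the
    sweep has something to match. Returns the basenames that matched.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        benign = os.path.join(root, "notes.txt")
        suspect = os.path.join(root, "sub", "invoice.exe")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content\n")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed stand-in for a bad sample\n")
        # lower-case on purpose: normalize() must make the comparison case-insensitive
        iocs = CRYPTOWALL4_MD5 | {md5_of_file(suspect).lower()}
        hits = scan_tree(root, iocs)
        return sorted(os.path.basename(path) for path, _ in hits)


if __name__ == "__main__":
    print("unique IoC hashes:", len(CRYPTOWALL4_MD5))
    print("matched files in constructed tree:", demo())
```

A hash sweep only catches the exact bytes that were analyzed; a repacked or rebuilt variant has a different MD5, which is why the next paragraph puts the real weight on backups rather than on signatures.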
Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files, as we save a snapshot history of up to ten previous copies of each of your files. Please see our community post on best practices for securing your environment against encrypting ransomware.
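To show what a per-file snapshot history with ten-copy retention looks like in practice, here is an added example; it is my own illustration of the behaviour described above, not Webroot’s implementation. The store layout (`<store>/<file name>/v000001`, `v000002`, …), the change check, and the `demo()` walkthrough that clobbers a constructed file and restores it are all assumptions of this example.

```python
"""Versioned file snapshots with a ten-copy retention, plus restore.

Added example illustrating the backup behaviour the post describes (a
history of up to ten previous copies per file); not Webroot's code.
Layout: <store>/<file name>/v000001, v000002, ...
"""
import hashlib
import os
import shutil
import tempfile

MAX_VERSIONS = 10  # keep at most ten copies per file


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def list_versions(store, name):
    """Version file names for `name`, oldest first (zero-padded so sorting is chronological)."""
    folder = os.path.join(store, name)
    if not os.path.isdir(folder):
        return []
    return sorted(os.listdir(folder))


def snapshot(src, store, max_versions=MAX_VERSIONS):
    """Store a new copy of src if its content changed; prune to max_versions.

    Returns the version name written, or None when the latest copy already
    matches (an unchanged file never burns a retention slot).
    """
    name = os.path.basename(src)
    folder = os.path.join(store, name)
    os.makedirs(folder, exist_ok=True)
    versions = list_versions(store, name)
    if versions and _sha256(os.path.join(folder, versions[-1])) == _sha256(src):
        return None
    seq = int(versions[-1][1:]) + 1 if versions else 1
    vname = "v%06d" % seq
    shutil.copy2(src, os.path.join(folder, vname))
    versions.append(vname)
    for old in versions[:-max_versions]:  # drop the oldest beyond the limit
        os.remove(os.path.join(folder, old))
    return vname


def restore(store, name, dest, version=None):
    """Copy a snapshot (latest by default) to dest; returns the version used."""
    versions = list_versions(store, name)
    if not versions:
        raise FileNotFoundError("no snapshots for %s" % name)
    chosen = version or versions[-1]
    if chosen not in versions:
        raise FileNotFoundError("%s has no version %s" % (name, chosen))
    shutil.copy2(os.path.join(store, name, chosen), dest)
    return chosen


def demo():
    """Constructed walkthrough: twelve edits, then the source is clobbered and restored."""
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "store")
        src = os.path.join(tmp, "report.txt")
        for i in range(1, 13):
            with open(src, "w") as fh:
                fh.write("draft %d" % i)
            snapshot(src, store)
        unchanged = snapshot(src, store)      # same bytes again -> None
        kept = list_versions(store, "report.txt")
        with open(src, "w") as fh:            # stand-in for the file being encrypted
            fh.write("garbage")
        restored = os.path.join(tmp, "restored.txt")
        latest = restore(store, "report.txt", restored)
        with open(restored) as fh:
            latest_text = fh.read()
        oldest = restore(store, "report.txt", restored, kept[0])
        with open(restored) as fh:
            oldest_text = fh.read()
        return {
            "unchanged": unchanged,
            "kept": kept,
            "latest": (latest, latest_text),
            "oldest": (oldest, oldest_text),
        }
```

After twelve edits only versions 3 through 12 remain, and the most recent good copy comes back intact after the source is overwritten. The store must live somewhere the ransomware cannot write, which is the point of the cloud or offline storage mentioned above: a snapshot folder on the same machine or a mapped drive gets encrypted along with everything else.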

Cyber Security and the 2016 Presidential Elections

As National Cyber Security Awareness Month is coming to an end, the 2016 presidential election cycle is building momentum and increasingly becoming our nation’s primary focus. Love it or hate it, the presidential elections also create an ideal environment for thieves and cybercriminals alike. Preying on the media’s attention to buzzworthy news, hackers are busy preparing scams to exploit the attention and distraction it inevitably causes.

While the election night is still over a year away, there will certainly be a plethora of media attention given to the event. From social media’s nonstop discovery of breaking news stories to the saturation of TV with campaign ads, the election will become more front and center in our everyday lives. And in this flurry of information are many threats and scams.

While I cannot predict the specific events of the future, I can certainly look at the past to identify trends that still occur today. One such trend and tactic is to use large media events and topics as bait to lure people towards less trustworthy websites or, in the case of an election year, to fake campaign donation websites. There are many examples from the past: from the death of Osama Bin Laden to the tragic disappearance of MH370, fake websites and social media scams were quick to follow.

So how do you stay protected?

In the wake of a big news story, make sure to be on high alert and question your curiosity when reading up on the event online or through social media. Don’t just click without thinking; consider the source of the link you’re about to click and the destination of that website. Using security technology is also helpful when browsing the web. Aside from using WSA, I also recommend using Chrome with a responsible ad-blocking extension. This combination will keep you defended from online attacks in the event you stumble across a malicious website.

Another tactic that has grown considerably in the past year is the use of telephone-based scams. While these attacks often target banking customers, the presidential election cycle creates a perfect opportunity for attacks where scammers will pose as a campaign representative requesting donations. While this isn’t technically cybercrime per se, these attacks often attempt to gain enough information to lead to further compromises in the cybercrime space.

So how can I tell if the caller is a scammer?

As a rule of thumb, I would not provide any personal information (email address, phone number, etc.) to anyone who cold calls, no matter who they claim to be. That said, the election cycle creates a temporary exception where you might not be surprised to receive a call requesting campaign financial support. Phone scammers can be very convincing and have answers to many initial security concerns. The person might suggest sending you an email with more information about the cause they are campaigning for, which will then be used to further the scam along. A good way to handle such callers is to be firm that you don’t give out such information, and to request to be removed from their calling list. If you want to donate, call or visit the foundation’s website directly. You can also improve telephone-based security on a smartphone by using a phone ID app such as TrueCaller. Such a service can provide you with community-based information about an incoming call.

Ultimately, these are just two examples of threats that will use the 2016 presidential election to their advantage. As the election nears, the number of such attacks will increase and so must your security awareness. While National Cybersecurity Awareness Month has wound down, the lessons taught and learned will continue to be important in order to stay in front of the adapting threat environment.