Cybersecurity News

Keeping up to date with cybersecurity news helps organizations protect themselves against online threats such as malware downloads and phishing campaigns. Knowing which types of threat exist, how they operate and what damage they can do lets organizations take precautions against them, train employees to recognize them, and strengthen their online defenses.

One of the most effective ways of preventing attacks is to stop users from ever receiving emails containing phishing links or visiting websites that harbor malware. An email filter and an Internet content filter achieve this, and both have mechanisms in place to protect organizations and help ensure they are not featured in our cybersecurity news section in future.

Kaspersky Lab Makes Web Security Predictions for 2016

Kaspersky Lab has made a number of web security predictions for 2016, alerting IT security professionals to what the company’s security experts believe next year has in store. The company has listed some of the biggest security threats that are expected over the coming year.

Kaspersky Lab is one of the leading anti-virus and anti-malware software developers, and is a supplier of one of the two AV engines at the heart of WebTitan Web filtering solutions.

The Kaspersky web security predictions for 2016 include opinions gained from over 40 of the company’s leading experts around the globe. The web security predictions for 2016 can be used by IT professionals as a guide to where the next cyberattack could come from.

The Biggest Cyberattacks of 2014 and 2015

Last year saw numerous high profile attacks on some of the world’s best known brands. Around this time last year, Sony was hacked and its confidential data was posted online, causing much embarrassment and considerable financial loss. Some of the biggest names in retail in the U.S. were attacked in 2014 including Target and Home Depot.

The start of this year saw attention switch to health insurers. In February, Anthem Inc. was attacked. The records of 78.8 million insurance subscribers were stolen. News of a cyberattack at Premera BlueCross closely followed. 11 million subscriber records were compromised in that attack. Later in the year, Excellus BlueCross BlueShield discovered hackers had potentially stolen the records of approximately 10 million subscribers. Healthcare providers were also hit. UCLA Health System suffered a data breach that exposed the records of 4.5 million patients.

The U.S. Government was also targeted this year. The Office of Personnel Management was hacked and, while the perpetrators have not been formally identified, the attackers are believed to be government-backed hackers based in China. The records of over 22 million individuals were potentially stolen in that cyberattack. The IRS was also hacked, with more than 300,000 taxpayers affected.

37 million highly confidential records were obtained from the internet dating website Ashley Madison, and Hacking Team, a somewhat controversial provider of spyware, was also hacked, with some 400 GB of its data dumped online for all to see.

Many of these attacks were technically sophisticated, but a number of them were only made possible because employees fell for spear phishing emails.

Web Security Predictions for 2016

Hackers have been developing ever more sophisticated methods of breaking through security defenses to gain access to confidential data, to sabotage systems, or to hold companies and individuals to ransom by taking control of their data. Phishing and social engineering techniques are often used. While these are likely to continue, Kaspersky Lab experts believe hackers are likely to concentrate on stealthier techniques over the coming 12 months. The company’s experts believe there will be a growth in silent attacks that are difficult for security professionals to detect. The main web security predictions for 2016 are listed below:

APT Attacks to come to an end

Advanced Persistent Threats have proved popular with attackers, yet Kaspersky believes that APTs in their current form will come to an end. Instead, attackers are expected to favor drive-by attacks using stealthy, memory-resident malware. Memory-based malware is not written to disk but lives in RAM, where file-based anti-virus scanners cannot easily find it. Code injected into RAM previously survived only until the next reboot, limiting it to short-term infections, but techniques that re-inject the payload at boot (for example from a loader hidden in the registry) have since been developed, and attacks that trade persistence for stealth are expected to grow over the coming year.

Off-the-shelf malware use to increase

Rather than criminals paying hackers to develop new exploits, there is expected to be an increase in off-the-shelf malware attacks. Instead of developing new malware from scratch, existing malware will be used and tweaked to avoid detection. There is no need to reinvent the wheel when malware exists that can be used or rented out cheaply. The malware will just be made stealthier and more difficult to detect.

Alternative payment systems will be targeted

Financial cyberattacks will continue, and banks and other financial institutions will remain targets, but expect a rise in attacks on alternative finance providers and payment systems such as Android Pay, Samsung Pay and Apple Pay.

No end to extortion and mafia-style tactics

Not all attackers are motivated by money. Kaspersky has predicted a rise in hacktivist attacks aimed at shaming the rich and famous, and attacks will continue on companies that have caused offense; the Ashley Madison attack and the 2014 Sony hack are good examples. Some attackers will use the threat of publishing stolen data to extort money from victims, while others will simply want to sabotage companies. Ransomware use is also expected to increase, with companies large and small targeted with growing regularity.

Amazon Data Breach Risk: Precautions Taken to Protect Customers

Under normal circumstances the Amazon data breach risk is kept to a minimal level. The global online retailer is estimated to have generated $38.42 billion in gross profits between September 2014 and September 2015, and such deep pockets mean the company can invest heavily in cybersecurity protections.

With a company as large as Amazon, excellent data breach risk management strategies are essential. The company is a huge target for cybercriminals and a successful cyberattack has potential to make a dent in its profits. If customer data are obtained by criminals, those customers may choose to buy from an alternative retailer in the future.

Amazon data breach risk discovered in time to prevent a successful hack?

This week, a security scare forced the company to reset some users’ passwords. It is not clear whether a data breach was actually suffered, but the retailer clearly believes the risk to be credible: users were not merely asked to change their Amazon passwords, the company forced a reset.

Amazon.com announced that this was “a precautionary measure” to prevent a cyberattack from occurring. The company believes passwords were “improperly stored” or had been transmitted to the company using a method that could “potentially expose [the password] to a third party.”

The company has emailed all affected account holders advising them that they will need to choose a new password when they next log in. No announcement was made about the number of users affected.

This is not the first time that Amazon has had a major security scare. In 2010, hackers managed to break through its security defenses and compromised a number of users’ passwords. In that instance, users were warned that their accounts had been compromised.

The Amazon data breach scare could affect more than just your Amazon account

It is not clear whether passwords were actually obtained by a third party. Because of the doubt surrounding the reason for the forced change, anyone who receives an email saying their password has been reset should also change the password on every other online account that uses the same one.

Many consumers reuse one password across multiple services, but password reuse is inadvisable. Many online accounts use an email address as the login name, so if the password is reused as well, a single data breach can result in all of a user’s accounts being compromised.

Amazon data breach risk management: Two-factor authentication now added

One of the easiest ways to improve protection is to introduce two-factor authentication. Many companies only insist on one factor to authenticate users: A password. Two-factor authentication involves an additional element to verify that the person attempting access is the genuine account holder.

Many global companies have now introduced two-factor authentication, although some only did so recently, and in some cases the measure was deemed necessary only after a data breach had been suffered, Twitter being one of the best-known examples. Google offers two-factor authentication for its accounts, as does Facebook. This month, Amazon’s data breach risk management policies were changed to offer two-factor authentication on user accounts. It is not clear why it took the company so long to introduce this measure, but all users should enable it, especially in light of this recent security scare.

Dell Root Certificate Security Flaws Discovered

You would think that a brand new computer would be secure, aside from needing a few software updates after being taken out of the box, but a Dell root certificate security flaw means that even a brand new Dell laptop could have its supposedly secure connections intercepted within seconds of being connected to the Internet. Understandably, corporate customers and consumers alike are in uproar over the recently discovered eDellRoot certificate security flaw.

The flaw was introduced by Dell as part of the company’s remote assistance support service. In order to “streamline” support for users, the company installed a self-signed root certificate on at least two models of Dell laptop: the Inspiron 5000 series and the XPS 15.

Unfortunately, the root certificate was installed in the Windows trusted root store together with its private key. Anyone with a modicum of technical skill could extract the key and use it to sign fraudulent SSL/TLS certificates for any domain, and in fact the key is now publicly available on the internet. This means that anyone using one of the affected Dell laptops could visit an HTTPS website in the belief that the connection is secure when in fact it is being intercepted, because the browser, and any other software that trusts the Windows store, would accept the forged certificate without warning.

It would be possible for attackers to view data exchanged between the supposedly secure website and the Dell laptop. If the laptop is used to access a banking website via an open Wi-Fi network, or if the Internet is accessed via a compromised router, an attacker in that position could read the connection. Users could expose their bank account details, passwords, or the credentials used to access their employer’s network.

Any company that has purchased either of the above Dell laptops could potentially be placing its entire network at risk. If a BYOD policy is in operation, personal Dell laptops are a serious risk to data security.

Not only could attackers eavesdrop on secure internet connections, the Dell root certificate security flaw could also be used to install malware undetected. Because the private key is known, an attacker can issue certificates that chain to the trusted root, including certificates that could be used to sign drivers or software, fooling the operating system into thinking they came from a trusted developer. Even if a warning is issued, users may think it is safe to install a program because it appears to have been published by Dell.

Dell desktops, servers, and other laptops may contain the Dell root certificate security flaw

The extent of the problem is currently unclear, but the Dell root certificate security flaw may not be confined to two specific laptop models. All laptops, servers, and desktops sold by Dell could potentially be affected. The eDellRoot certificate is installed by Dell Foundation Services (DFS), and that application is not confined to the Inspiron 5000 and XPS 15 laptops. According to one source, the certificate has also been found on the Dell Venue Pro tablet. Dell says the root certificate was only installed on hardware shipped since August 2015.

A few days after the discovery of the Dell root certificate flaw, a second eDellRoot certificate with a different fingerprint was reported by Duo Security. This one was present on only a small number of systems around the world, but one of those systems was a SCADA (supervisory control and data acquisition) system.

It doesn’t end there. A third certificate has been discovered. The DSDTestProvider certificate is installed by an application called Dell System Detect (DSD). This is not shipped with Dell hardware; instead it is downloaded by users who visit the Dell support website and are asked to install the detection tool.

Dell Root Certificate Security Fix Released

Users are able to remove the eDellRoot certificate using a tool that has hastily been released by Dell. However, at the time of writing, there is no tool to remove the DSDTestProvider certificate. Any user of a Dell computer, server, or laptop should therefore keep up to date with eDellRoot and DSDTestProvider news and should check the Dell support website frequently for further information.

Extreme caution should be exercised when accessing apparently secure websites, and users should not access secure sites from open Wi-Fi networks until the Dell root certificate security flaw has been fixed.

According to Ars Technica, security researcher Kenn White used the publicly available private key to set up an HTTPS test site with a certificate issued under eDellRoot. When the site was visited from an affected Dell laptop, Internet Explorer, Microsoft Edge and Google Chrome all accepted the certificate without warning, because they rely on the Windows certificate store. The only browser that flagged the certificate as untrusted was Firefox, which maintains its own certificate store rather than using the operating system’s.
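The practical question after the DSDTestProvider report is whether any machine in the estate still carries one of these roots. The following is an added example, not Dell’s removal tool and not code from the article: it takes DER-encoded certificates (on Windows, straight from the machine’s Trusted Root store via the standard library’s ssl.enum_certificates), extracts the commonName attributes, and reports the SHA-256 fingerprint of anything whose name matches the two certificates named in the reports. The name extraction is an assumed, deliberately small heuristic that walks the DER bytes looking for the commonName OID instead of using a full X.509 parser; it is adequate for triage but not for making trust decisions. The sample bytes are a constructed Name fragment for demonstration, not a real certificate.

```python
"""Triage a certificate store for the eDellRoot / DSDTestProvider roots.

Added example. The commonName extraction is a heuristic DER walk, not a full X.509 parser.
"""
import hashlib
import ssl
import sys

CN_OID = b"\x06\x03\x55\x04\x03"                  # OBJECT IDENTIFIER 2.5.4.3 = id-at-commonName
WATCHLIST = {"eDellRoot", "DSDTestProvider"}      # certificate names from the public reports

# Constructed Name fragment: SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String "eDellRoot" } } }.
# A real certificate embeds such a Name inside a much larger structure; this is only for the demo.
SAMPLE_NAME_DER = b"\x30\x14\x31\x12\x30\x10" + CN_OID + b"\x0c\x09eDellRoot"


def _der_length(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index of the first content byte)."""
    first = buf[i]
    if first < 0x80:                               # short form: the byte is the length
        return first, i + 1
    n = first & 0x7F                               # long form: the next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def common_names(der: bytes):
    """Every commonName value in the blob, subject and issuer alike (a self-signed root shows it twice)."""
    names = []
    i = der.find(CN_OID)
    while i != -1:
        j = i + len(CN_OID)
        if j + 1 >= len(der):                      # OID at the very end: nothing to read
            break
        tag = der[j]                               # 0x0c UTF8String, 0x13 PrintableString, 0x1e BMPString
        length, start = _der_length(der, j + 1)
        raw = der[start:start + length]
        encoding = "utf-16-be" if tag == 0x1E else "utf-8"
        names.append(raw.decode(encoding, errors="replace"))
        i = der.find(CN_OID, start + length)
    return names


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form shown by certutil/OpenSSL and in vendor advisories."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[k:k + 2] for k in range(0, len(digest), 2))


def triage(certs):
    """certs: iterable of DER bytes. Returns [(fingerprint, [matched names])] for watch-listed certs."""
    hits = []
    for der in certs:
        matched = sorted(WATCHLIST.intersection(common_names(der)))
        if matched:
            hits.append((fingerprint_sha256(der), matched))
    return hits


def windows_root_store():
    """Windows only: the stdlib can read the machine's Trusted Root store without extra tooling."""
    return [der for der, enc, _trust in ssl.enum_certificates("ROOT") if enc == "x509_asn"]


if __name__ == "__main__":
    certs = windows_root_store() if sys.platform == "win32" else [SAMPLE_NAME_DER]
    hits = triage(certs)
    for fp, names in hits:
        print(f"FOUND {names}  sha256={fp}")
    if not hits:
        print("no watch-listed certificate names found")
```

A match tells you the certificate is present; whether its private key is also on the machine is what turns presence into an active risk, and that has to be confirmed with the platform’s own tooling. Remove the certificate from the store and the application that re-installs it, otherwise the next run of the support tool puts it back.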

Keylogging Malware Infection Discovered by Kentucky Hospital

If a user in your organization accidentally installs keylogging malware onto his or her computer, every keystroke entered on that computer – including login names and passwords – could be sent directly to hackers’ command and control servers.

This nightmare scenario could involve the exposure of a limited amount of sensitive data; however, if the malware has been installed on multiple computers, and the infections have not been discovered for a number of days or weeks, a considerable amount of data could be obtained by criminals.

Keylogging malware infection discovered by OH Muhlenberg Community Hospital

A hospital in Kentucky recently discovered that multiple computers had been infected with keylogging malware, and that the infections dated back to 2012. For three years, every keystroke entered on each of those computers was recorded and transmitted to the attackers.

The computers in question were used by healthcare providers, employees, and contractors. Because the computers were infected for so long, it is not even possible to determine exactly which data were exposed and copied. Patient health information was entered on the machines, including Social Security numbers, health insurance information and other highly sensitive Protected Health Information, and providers would have entered their Drug Enforcement Administration numbers, state license numbers, National Provider Identifiers and other sensitive data.

Employees who logged into healthcare systems from the computers could have had their login credentials recorded, and credentials used for web services would similarly have been compromised.

Such an extensive, long term keylogging malware infection could place many patients at risk of suffering identity theft or fraud, and physicians could have their identities stolen. Criminals could have used the data to commit medical fraud, insurance fraud or file false tax returns. The fallout from this cyberattack could therefore be considerable, and may cost the hospital dearly.

The danger of keylogging malware

Once keylogging malware has been installed on a computer, any data entered via the keyboard can be recorded. That information is then exfiltrated to the attacker’s server until communications with the unauthorized addresses are blocked. In the hospital’s case, the malware was only discovered after a tip-off from the FBI, whose agents had noticed suspicious communications between the hospital and third-party servers. When the alert was issued and a security audit performed, a number of computers were found to be infected.

Even when cybersecurity protections are installed, it is unfortunately all too easy for these to be bypassed. All it takes is for one user to inadvertently install malware. In the majority of cases, this action will not be noticed by the person responsible. No warning is issued about a potential infection and no flags raised by anti-virus software.
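The FBI noticed the hospital’s problem from the outside, in the network traffic: a keylogger has to phone home, and it tends to do so on a fixed schedule. The following added example (not code from the article or from the hospital) shows the kind of check a network team can run over its own proxy or firewall logs: group outbound connections by source and destination and flag pairs whose inter-connection intervals are suspiciously regular. The log format and the log lines are constructed for the example, and the thresholds (at least six connections, interval coefficient of variation no more than 0.2) are assumed starting points rather than a standard.

```python
"""Beacon detection over outbound connection logs (added example; constructed log format)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines. 10.1.5.23 checks in with 203.0.113.45 every ~5 minutes (a C2 beacon);
# 10.1.5.40 browses 198.51.100.7 at irregular, human intervals.
SAMPLE_LOG = """\
2015-11-09T10:00:00 src=10.1.5.23 dst=203.0.113.45:443 bytes=1432
2015-11-09T10:00:00 src=10.1.5.40 dst=198.51.100.7:443 bytes=52110
2015-11-09T10:00:07 src=10.1.5.40 dst=198.51.100.7:443 bytes=8042
2015-11-09T10:01:40 src=10.1.5.40 dst=198.51.100.7:443 bytes=120334
2015-11-09T10:05:02 src=10.1.5.23 dst=203.0.113.45:443 bytes=1470
2015-11-09T10:07:10 src=10.1.5.40 dst=198.51.100.7:443 bytes=6011
2015-11-09T10:07:12 src=10.1.5.40 dst=198.51.100.7:443 bytes=980
2015-11-09T10:09:58 src=10.1.5.23 dst=203.0.113.45:443 bytes=1418
2015-11-09T10:15:01 src=10.1.5.23 dst=203.0.113.45:443 bytes=1455
2015-11-09T10:20:00 src=10.1.5.23 dst=203.0.113.45:443 bytes=1440
2015-11-09T10:24:59 src=10.1.5.23 dst=203.0.113.45:443 bytes=1462
2015-11-09T10:25:00 src=10.1.5.40 dst=198.51.100.7:443 bytes=44002
2015-11-09T10:26:15 src=10.1.5.40 dst=198.51.100.7:443 bytes=310
2015-11-09T10:30:03 src=10.1.5.23 dst=203.0.113.45:443 bytes=1425
2015-11-09T10:35:00 src=10.1.5.23 dst=203.0.113.45:443 bytes=1449
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+:\d+) bytes=(?P<size>\d+)$")


def parse_log(text: str):
    """Yield (timestamp, src, dst, bytes) for each well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["size"])


def find_beacons(log_text: str, min_events: int = 6, max_interval_cv: float = 0.2):
    """Flag (src, dst) pairs whose connection gaps are unusually regular.

    The coefficient of variation (stdev / mean) of the gaps is used so the check is
    independent of the beacon period: a 5-minute and a 6-hour beacon score the same.
    """
    sessions = defaultdict(list)
    for ts, src, dst, size in parse_log(log_text):
        sessions[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), events in sessions.items():
        if len(events) < min_events:               # too few points to call anything periodic
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:                          # all events in the same second: a burst, not a beacon
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        sizes = [size for _, size in events]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_interval_cv:
            findings.append({
                "src": src, "dst": dst, "events": len(events),
                "interval_s": round(mean_gap, 1), "interval_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),      # near-constant small payloads strengthen the case
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Legitimate software also beacons (update checks, NTP, monitoring agents), so the output is a triage list rather than a verdict: pair each hit with destination reputation and with whether the destination is one the organization has a business relationship with, which is the judgement the FBI agents made when they saw the hospital talking to servers it had no reason to talk to.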

How are keyloggers installed on computers?

How can a hospital that has invested in cybersecurity defenses be attacked and fail to notice for three years? If regular scans of the hospital’s computers had been conducted, the infections may have been identified sooner. However, not all keylogging malware is easy to detect. Hackers are developing ever more sophisticated malware that is capable of evading detection.

There are a number of ways the malware could have been installed without being detected by anti-virus and anti-malware software. Since multiple computers were infected, either an insider installed the keylogging malware on multiple machines, via a USB drive for instance, or multiple members of staff fell for a phishing campaign.

Phishing emails are sent out in the millions in the hope that some individuals will respond and download malware. Multiple infections suggest that an organization has been targeted using spear phishing emails. These are emails that are sent to a particular group of individuals within an organization. The subjects are researched and links to malicious websites are sent that are likely to entice the users to click. They are then directed to websites containing malicious code that installs files on their computers. Keylogging malware can also be installed via infected email attachments.

By targeting users, hackers and other cybercriminals are able to bypass robust security controls. Users are the weakest link, and it is far easier to target them than break through multi-million-dollar security defenses.

Cost-effective protection against phishing emails and malicious websites

There are two cost-effective solutions that can prevent staff members falling for phishing campaigns that install keylogging malware. The first works by ensuring phishing emails are never delivered to an organization’s employees. If the emails are blocked and are not delivered, they will not be able to respond. A powerful anti-spam solution will catch the vast majority of spam and phishing emails. In the case of SpamTitan, over 99.7% of spam emails will be captured.

Since hackers and spammers constantly change their tactics, and new malware is continually being developed, no filter can capture every spam email every time; even the most powerful anti-spam software will occasionally miss one.

To ensure staff members do not respond to a request to visit a malicious website or open a malware-infected email attachment, it is essential to provide training. Training will help end users to identify the occasional spam email that sneaks past a spam filter.

An anti-spam solution will not prevent a user from clicking on a social media link to a malicious website. Ad networks can similarly contain links to malicious sites. Clicking on one of those links could result in keylogging malware being downloaded.

The second cost-effective solution to offer protection from phishing websites is web filtering software. A web filter can be implemented that will prevent adverts from being displayed or potentially harmful websites from being visited. WebTitan offers these protections and will keep end users safe when surfing the Internet. If end users cannot visit phishing websites and other dangerous sites, they will be prevented from inadvertently installing malware.

Alongside other cybersecurity protections, and with internal policies covering internet and email usage, organizations can reduce the probability that a cyberattack will succeed. Regular malware and virus scans also limit the severity of a breach when a computer is infected, by shortening the time an infection goes unnoticed.

New Mac Internet Scam Warning Issued

Macs are attacked less often than computers running Windows. That is not to say it is impossible to inadvertently install a virus or malware on a Mac; it is just that attackers tend to focus on PCs. From an attacker’s perspective, it is better to try to infect as many devices as possible, and more people own PCs than Apple devices.

According to research conducted by IDC, sales of Macs have increased by just over 16% this year. However, while accurate figures are difficult to find, approximately 90% of computers use Windows software. This makes the operating system much more likely to be attacked. If you were a hacker would you concentrate on the 90%?

That does not mean that Mac users are immune to attack: BlackHole RAT, OS X Pinhead, Mac Flashback, and Mac Defender all targeted Mac users.

Mac users do face risks and must be cautious when using the Internet. They may not face such high risks from malware, but they can just as easily fall for scams, and phishing websites work just as well on Mac users as on everyone else. That is because phishing techniques are designed to fool the user, not the device; it does not matter what device is being used to access the Internet.

New phishing scam alerts iTunes users to account limitations

Mac users have recently been targeted by a campaign claiming that iTunes accounts have been compromised. The latest variant advises iTunes account holders that their accounts have been limited for security reasons.

They are informed of this by email and are provided with a link. If the link is clicked they are directed to a scam site and must enter information to lift the account limitation. A number of data fields must be completed and a credit card number entered.

This is an easy scam to identify as, even when accounts have been compromised, a service provider would not typically ask for a credit card number for identity verification.

If in doubt, just access your Apple account directly and check to see if there is a problem with your account. Never use the link supplied in an email.

Mac Internet scam reported offering urgent tech support

A Mac internet scam warning was recently issued after the discovery of a new tech support scam. A woman visited a webpage which flashed a warning that her Mac had been infected with malware and told her to call a phone number to speak with tech support. On calling the number she was told she was speaking to an Apple employee, and that she would need to pay for tech support to remove the infection. When asked for payment she tried to pay by AMEX, but was told American Express could not be used. This alerted her to the scam; Apple has no problem taking AMEX as payment.

If you are warned of a virus infection, you can always visit an Apple store. They will be able to confirm if your Mac has really been infected.

Mac Internet scam warning! Your Mac is Infected with Malware!

Phishing scams targeting Mac users are far more common than malware infections targeting their devices, but malware is always a risk no matter what device is used, and this year Mac users have been targeted. A Mac Internet scam warning was issued earlier this year, again relating to Mac malware infections.

The scam is common with PC users, especially those using illegal file sharing websites, streaming services, and porn sites. However, a number of legitimate websites have been hijacked and are displaying pop-up windows announcing a virus infection has been detected.

The warnings come as a shock to Mac users and many will be convinced to click on the links. They direct the user to malicious websites offering fast and effective disinfection using Anti-Virus/Anti-Malware solutions. A click of a link will download a program called MacDefender that will conduct a full system scan.

The MacDefender Anti-Virus program is nothing of the sort. Instead of removing malware from the Mac, it is a form of malware. The fake Anti-Virus software appears to conduct a scan of the system and identifies apps that have supposedly been infected, and launches popup windows to porn sites and other websites as a scare tactic.

In order to remove the infections, the user is required to purchase a license for the software. To do that a credit card is required. Once the license has been purchased the program stops launching browser windows. It also advises the user that the malware has been removed.

Unfortunately for the victim, they have just handed their credit card details to the scammers, who can make purchases with the card and run up thousands of dollars of debt.

No matter what device you use to access the Internet or email, you are always at risk of falling for a phishing scam or inadvertently installing malware. Fortunately, the risk can be easily managed. WebTitan is available for Windows and OS X, and offers protection from malware, malicious websites and phishing campaigns.

To find out how WebTitan can protect you and your company’s employees, call the sales support team today.

Critical Security Vulnerabilities in Browser Plugins

Critical security vulnerabilities in browser plugins have been widely reported in recent months. As soon as one has been found and patched, more are discovered. Zero-day Adobe Flash vulnerabilities (Shockwave Flash) have been some of the most publicized, due to the sheer volume discovered in 2015.

Earlier this year a number of companies pulled the plug on the Flash plugin, deeming it not to be worth the security risk. While it was once the most commonly used way of displaying videos and animations on webpages, the critical vulnerabilities that have been discovered have made it simply too risky to use. There have been many calls for Flash to be retired.

Google Chrome began pausing non-essential Flash content by default and Firefox temporarily blocked vulnerable Flash versions outright, and many companies are moving over to HTML5, which can display the same multimedia content without requiring a browser plugin. One of the main problems with a plugin from a security perspective is that it is only as secure as the version installed, and even then, as the sheer number of vulnerabilities found in Adobe Flash shows, the latest version may not be very secure at all.

If the plugin has not been updated and an older version is still in use, criminals can take advantage: a visit to a website hosting malicious code could result in the vulnerabilities being exploited. Exploit kits probe a visitor’s browser for vulnerable software to find out which components can be exploited. Other Adobe plugins can be exploited too, such as Adobe Reader.

Numerous critical security vulnerabilities in browser plugins discovered

It is not only Adobe plugins that are a problem, of course; other companies’ plugins also contain exploitable vulnerabilities. Even HTML5, which is seen by many as a more secure way of displaying multimedia than Flash because no plugin is required, is far from immune: browsers’ HTML5 implementations have had security vulnerabilities of their own.

In mid-October, Oracle released a security update for its Java software to deal with over twenty new security vulnerabilities. Oracle said the update was necessary on all computers as “all but one of those flaws may be remotely exploitable without authentication”. That means an attacker could potentially exploit the vulnerabilities on any computer with an older version of Java installed, without needing any credentials.

Once critical security vulnerabilities in browser plugins have been announced and details of the flaws released online, the information is available to attackers, assuming they have not already discovered the vulnerabilities themselves, so every unpatched system becomes an easy target.

A website link may not be as genuine as it appears (hovering your mouse arrow over it will not reveal a potentially malicious link!)

There are easy ways to check whether a web link is legitimate or whether the link text has been altered to appear genuine. If you hover the mouse pointer over a link, the actual target URL is displayed. If end users get into the habit of checking every link before clicking, it becomes second nature, and many phishing websites and other nasty web pages can be avoided.

Unfortunately, it is not always that simple. There are ways to make a URL appear genuine even when the mouse pointer is used to check the link.

Some Japanese full-width punctuation characters look very similar to a forward slash, and certain Cyrillic characters are rendered identically to Latin letters (homoglyphs). A link built from them appears genuine and is virtually impossible to spot by eye: if one of these characters is present in a domain name and is displayed as the familiar letter, the webpage could be a fake that is indistinguishable from the genuine page.

An apparently genuine link could well be a link to a webpage containing malware. Many malicious websites can probe for critical security vulnerabilities in browser plugins.

These worrying issues were recently discussed at the SC Congress in New York, with Salesforce.com’s product security director Angelo Prado and senior product security engineer Xiaoran Wang demonstrating these and other security flaws. They pointed out a particularly scary feature of HTML5, the download attribute, that allows a link to download a file to the computer automatically without the user being taken to the webpage hosting the file.
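A link checker can catch most of these tricks even when the eye cannot. The following added example (not from the article or from the Salesforce talk) inspects a URL for the two techniques described above: compatibility characters such as U+FF0F FULLWIDTH SOLIDUS that render like ASCII punctuation, and host names that mix scripts (Cyrillic letters among Latin ones), whether written directly or hidden inside a punycode xn-- label. It uses only the Python standard library; the sample URLs are constructed, with reserved example domains standing in for real brands.

```python
"""Spot homoglyph and look-alike tricks in a URL (added example, standard library only)."""
import unicodedata
from urllib.parse import urlsplit


def _script(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def _decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into the Unicode the user would see in the address bar."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def analyze_url(url: str) -> dict:
    findings = []

    # 1. Characters that look like ASCII punctuation or letters once rendered. NFKC folds
    #    compatibility forms to their plain equivalent (U+FF0F -> '/', U+FB01 ligature -> 'fi').
    for ch in url:
        if ord(ch) > 0x7F:
            folded = unicodedata.normalize("NFKC", ch)
            if folded != ch and folded.isascii():
                findings.append(f"U+{ord(ch):04X} {unicodedata.name(ch, '?')} renders like ASCII {folded!r}")

    # 2. Parse out the host. Python 3.7.3+ refuses a netloc that hides '/', '?', '#', '@' or ':'
    #    behind such characters (the CVE-2019-9636 fix); that rejection is itself a strong signal.
    try:
        host = urlsplit(url).hostname or ""
    except ValueError as exc:
        findings.append(f"urlsplit rejected the URL: {exc}")
        host = url.split("//", 1)[-1].split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0].lower()

    # 3. Decode punycode so a Cyrillic letter hidden in an xn-- label is examined as a letter.
    decoded_host = ".".join(_decode_label(label) for label in host.split("."))
    if decoded_host != host:
        findings.append(f"punycode host decodes to {decoded_host!r}")

    # 4. A genuine internationalized host is written in one script; a spoof mixes Latin with look-alikes.
    scripts = {_script(c) for c in decoded_host if c.isalpha()}
    if len(scripts) > 1:
        findings.append(f"mixed scripts in host {decoded_host!r}: {sorted(scripts)}")

    return {"url": url, "host": decoded_host, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: \u0430 is CYRILLIC SMALL LETTER A, \uff0f is FULLWIDTH SOLIDUS,
    # and the last one is an all-Cyrillic domain that should NOT be flagged.
    for sample in ("https://www.example.com/login",
                   "https://p\u0430ypal.example/signin",
                   "https://www.example.com\uff0flogin.evil.example/",
                   "https://\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444/"):
        result = analyze_url(sample)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", result["host"], result["findings"])
```

The mixed-script rule is deliberately conservative: it passes a domain written entirely in Cyrillic, which is legitimate, and flags only the mixture that spoofing needs. It will not catch a whole-script confusable (every letter of a Latin brand name replaced with its Cyrillic twin), which is why the punycode form is also reported, so a reviewer sees the xn-- label a browser may be hiding.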

Protection is required and vigilance is key to avoid becoming a victim

The latest discoveries may make it exceptionally difficult to tell whether a link is genuine, and even moving from flaw-ridden Flash to HTML5 will not necessarily make the Internet a safer place. Fortunately, it is possible to take steps to ensure that end users are better protected and are stopped from visiting malicious websites. That said, it remains essential that critical security vulnerabilities in browser plugins are patched promptly.

IT professionals should also install a web filtering solution such as WebTitan. Links can be blocked and users stopped in their tracks before they reach a malicious website. This type of protection is vital for businesses, schools, colleges and charities.

A visit to a malicious website can result in keyloggers being installed that can record and send passwords and login credentials to a hacker’s command and control center. Devices can become part of botnets and be used to send out huge volumes of spam emails, or computers could be hijacked and used for Bitcoin mining. Worse still, an infected computer, tablet, or Smartphone could be used to launch an attack on a corporate network.

It is also essential to be more security conscious. It may be difficult, or even impossible, to identify all online threats (and those delivered via email or social media networks), but many are obvious if you know what to look for. Staff training on security threats and online/email best practices must be provided if networks are to be kept secure.

It really does pay to take the advice of the Stop. Think. Connect. awareness campaign: if in doubt, do not connect. This should by now be a habit that is second nature. The volume of data breaches currently being reported suggests that for many employees it is not.

Customers Warned of TalkTalk Hacking Scams as Data are Sold on Dark Net Websites

British mobile phone and broadband provider TalkTalk discovered it had been hacked late last month; however, further information has emerged that suggests TalkTalk hacking scams are increasing in number. Over a million customers’ data are apparently being offered for sale on the dark net, with criminals already using the data to defraud victims.

Initially, over four million customers were believed to have been affected by the hack, although it is now understood that not all of the company’s customers were affected.

A criminal investigation was launched a few days after the hack was discovered. Initial reports suggested an Islamic terrorist group from Russia was behind the attack, having publicly claimed responsibility. This claim appears to be false.

The Metropolitan Police Cyber Crime Unit acted fast, and just a few days after the attack was announced a 15-year-old boy was arrested in Northern Ireland on suspicion of being behind the attack. A few days later, a second arrest was made, this time a 16-year-old boy from West London. A 20-year-old was arrested in Staffordshire in connection with the hack, and now a fourth individual has been arrested: a 16-year-old boy from Norwich has been detained.

1.2 million email addresses obtained by the hackers

The official figures released by TalkTalk are much lower than the initial estimates, but the hack still ranks as one of the biggest UK hacking scandals to be reported in recent years.

A statement released by the company revealed that approximately 1.2 million email addresses had been obtained in the attack, that customer names and phone numbers were also stolen, and that 21,000 bank account numbers and sort codes were accessed and presumed stolen. A later press release indicated that 156,959 individuals had been affected, and that the earlier figure referred to “bits of data,” including email addresses, names, and phone numbers.

Credit card numbers were compromised, but since the stored numbers were incomplete there does not appear to be a risk of them being used inappropriately. However, that is not to say that the data will be useless. Phishers may well devise campaigns to obtain the remaining digits from unwary TalkTalk customers.

It is not clear how the attack was performed as reports have not been confirmed, but it would appear that the attack was made using a blind SQL injection which exploited a vulnerability in a video on a page of the TalkTalk website. The specific vulnerability was not disclosed, although Adobe Flash has been found to contain vulnerabilities that could be exploited by SQL injection. These vulnerabilities were addressed in a recent patch issued by Adobe. SQL injection is the insertion of code that allows access to be gained to a company database. It is a very common technique used by hackers to gain access to corporate databases.

What is clear is that the security staff were distracted dealing with a DDoS (Distributed Denial of Service) attack that was conducted by one of the team of hackers. A DDoS attack bombards a company’s website with huge volumes of traffic, overwhelming it. This is made possible by using systems that have been compromised with a Trojan or recruited into a botnet.

It would appear that while TalkTalk was dealing with the DDoS attack, the criminals were able to gain access to the company’s data by exploiting the website security vulnerability. A report in the Daily Mail indicates one of the team of hackers behind the attack made a mistake and accidentally disconnected from a service that was being used to hide his real IP address.

Some sources have reported that a ransom demand was issued in which £80,000 was demanded in Bitcoin. If the ransom was not paid, the criminals behind the attack would release the data or sell it on dark net websites to other criminals. That appears to have already happened, with at least one individual appearing to have clocked up over 500 sales via the dark net marketplace AlphaBay.

Another online criminal was reportedly negotiating a deal to sell details of 500,000 accounts on the dark net, and claimed to have over a million records in his possession.

Businessinsider.com.au claims to have been in contact with individuals who claim they were part of the attack, with figures of 1.3 million records mentioned. When asked why they carried out the attack, one person claimed it was for “sh*ts and giggles”, another for “lolz”, and another “purely to like, own the ISP.” One of the persons behind the attack said it wasn’t for the money. The claim that a ransom was demanded was also denied.

While the total number of records exposed is not clear, and none of the reports from conversations with those claiming to have had a part in it have been confirmed, what is clear is that the security in place at TalkTalk was poor in some cases. One of the boys claims that one account had a password with just three digits. One quote obtained by Business Insider, from an individual operating under the name “Vamp”, claimed that the security in place was “terrible, that’s being honest with you, horrible.”

Reports in the press suggest that the vulnerability was shared and that between 20 and 25 people had access to it, although 5 individuals were reportedly behind the attack itself, including two in the UK and two in the U.S.

Beware of TalkTalk hacking scams

TalkTalk hacking scams have already been reported, with some customers having complained about being bombarded with phone calls following the security breach, as criminals attempt to use the contact information obtained to defraud victims. One victim was called after apparently having his internet connection slowed down, and was directed to a website, presumably containing malicious code.

TalkTalk hacking scams could be launched via email since 1.2 million email addresses were compromised in the attack. Phishing campaigns are often used by criminals to get users to reveal sensitive information, visit malicious websites or install malware on computers. The type of information obtained by the hackers, and subsequently sold to online criminals, could easily be used to launch highly convincing campaigns.

All of the company’s customers are advised to be exceptionally cautious, and not to reveal any personal information over the telephone, Internet or via email. TalkTalk hacking scams could be in operation for many months to come so it is vital that all customers remain vigilant and be on their guard.

Being hacked can have serious implications for a brand

A data breach such as this can have a major effect on an organization. Customers will lose trust in the brand, and it is difficult to regain trust once it has been lost. Many of the company’s 4 million customers are expected to change mobile phone/broadband provider as a result.

This is a highly competitive market and there will be no shortage of competitors looking to snap up new customers as a result of the security breach. Following the news of the hack, the company’s share price fell by 10%.

It will not be known for many weeks or months how much of an effect this, and other TalkTalk hacking scams, will have on the company’s brand image, but what is certain is that it will have a major financial impact. Many customers are also likely to lose out as scammers seek to take advantage.

Stockbroker Loses Job for Responding to a Phishing Email

Personal losses may not be suffered after responding to a phishing email sent to a work email address, but that does not mean an employer is the only victim. A U.S. stockbroker has just discovered that falling for a phishing campaign can result in loss of employment, as well as being barred from gaining employment as a stockbroker for a year.

Responding to a phishing email can have serious consequences

In this case, the ban was not issued for simply responding to a phishing email, but for the actions taken by the stockbroker. The phishing email response occurred last year, and resulted in $160,000 in funds being transferred from a client’s account into the bank account of a scammer.

The stockbroker, David P. Santos, received an email that had apparently been sent by his client. However, the client did not make the transfer request. The email was sent by a hacker who had managed to gain access to the client’s email account. The email requested a transfer of funds to a third party bank.

Santos obliged, but in order to do so, forged the signature of his client. He did this on 10 separate documents and made a series of transfers. According to a report issued by the Financial Industry Regulatory Authority (FINRA), in order to obtain the necessary funds, Santos liquidated holdings and conducted improper trades.

The matter has recently been back in the news as it was incorrectly tied to another security incident at the bank involving the theft of a laptop computer. According to the Pioneer Bank of Troy, Santos’s former employer, the matters are totally unrelated.

This may be an extreme example of an employee falling for a phishing scam, but the incident does highlight the need for employers to be vigilant, and to implement multi-layered security controls to protect against scam emails and phishing campaigns.

Proven phishing prevention strategies to minimize risk

If enough spam and phishing emails reach the inboxes of employees it is only a matter of time before someone responds and opens an infected attachment, visits a malware-ridden website, or exposes sensitive information to hackers. In some cases, even accountants fall for scams and make bank transfers from corporate accounts.

There are a number of measures employers can take to reduce the risk from spam and phishing emails. If no action is taken, it is just a matter of time before users fall for a scam. Once that happens, a network can be compromised or fraudulent bank transfers made.

Develop a culture of security awareness in the workplace

  • Ensure all new employees receive security awareness training as part of their induction program
  • Conduct regular refresher training to keep data privacy and security matters fresh in the mind
  • Place notices of the latest security threats on company noticeboards
  • Issue email alerts warning of current threats, new scam emails and phishing campaigns as soon as they are discovered

Purchase software solutions to reduce the risk of employees falling for phishing scams

  • Invest in a robust and effective spam filter to prevent spam and phishing emails from being delivered
  • Employ a web filtering solution to stop employees visiting known malware-infected websites

Check for intrusions and malicious software that has bypassed security controls

  • Use Anti-Virus software and ensure virus definitions are set to update automatically
  • Schedule full system scans during periods of low network activity
  • Install Anti-Malware software, keep definitions updated, and regularly schedule malware scans
  • Use an AV engine to protect end users and a separate one for servers. Two engines will maximize the chance of catching all viruses and malware

Mobile Malware Risk Increase Shown by New Kaspersky Report

A new security report issued by leading Anti-Virus firm Kaspersky Labs has highlighted the growing mobile malware risk, with Adware (intrusive mobile advertising) seeing a huge increase since last quarter.

The third quarter report shows a 3.1% increase in the number of new mobile malware programs discovered over Kaspersky Labs’s Q1 2015 figures, with a 1.1% increase since last quarter. In total, Kaspersky products detected 323,374 new mobile malware threats over the past three months. The mobile malware risk appears to be growing.

Only a small increase in mobile malware was recorded since last quarter, but the same cannot be said of mobile malware installation packages. 1,583,094 new installation packages were detected in Q3, which is one and a half times the total discovered in Q2.

There have been some significant changes in the types of mobile malware discovered, with some categories seeing a fall in prevalence. Trojan-Downloader, Backdoor, Trojan, Trojan-Spy and Trojan-SMS programs all decreased in prevalence in Q3. The most significant reduction was in Trojan-Spy and Trojan-SMS malware, which dropped by 1.6 and 1.9 percentage points respectively.

However, the biggest drop since last quarter was recorded for RiskTool, which fell by 16.6 percentage points since the last quarterly report was issued. The RiskTool category includes legitimate mobile programs which are not malicious in nature, but can be manipulated by hackers. This makes them particularly risky to have installed on mobile devices. These programs are capable of terminating processes (such as security applications), hiding processes from the user, and concealing files within the Android system.

There were marginal increases in Trojan-Dropper, Trojan-Banker and Trojan-Ransom detections. The biggest rise by a considerable margin was Adware. Mobile Adware jumped from 19% of detections in Q2 to 52.2% in Q3: an increase of 33.2 percentage points.

Huge Hike in Adware Highlights Increasing Mobile Malware Risk

Cybercriminals manage to install malware on mobile devices, but how do they actually make money from those infections? Many items of malware log keystrokes and capture passwords and logins used to access Internet banking websites, but the majority of mobile threats involve monetization via advertising. This quarter over half of all mobile malware threats came from Adware.

While the main form of monetization comes from the adverts served, that does not mean that is the only threat to users. Adverts are certainly annoying, and can contain links to malicious websites, but there could well be much worse things happening on your mobile device.

Malware is installed that can root the device and elevate privileges. Hackers can then take full control of the entire device. With superuser privileges, hackers can make changes which even the user of the device would not be able to make. Once this happens, it can be nigh on impossible to eradicate the malware and take back control of the device. It may also be virtually impossible to tell if a device has actually been attacked.

This quarter, the malicious software capable of doing this accounted for over half of the most popular malware items affecting mobile devices. The most common malicious program recorded by Kaspersky Labs, by some distance, was DangerousObject.Multi.Generic. This malware item accounted for 46.6% of attacks. The next biggest threat came from Trojan.AndroidOS.Rootnik.d which accounted for 9.9% of attacks in Q3.

How did Kaspersky Labs Produce the Report?

The latest Kaspersky report was compiled from data collected from the Kaspersky Security Network (KSN), which includes multiple anti-malware products and components. Kaspersky collected data from over 213 countries from users who had provided consent to send data from their devices to KSN. This global information exchange allows current threats to be accurately monitored. Data sharing is vital in the fight against cybercrime.

Countering the Mobile Malware Risk

Anti-Virus software such as that produced by Kaspersky Labs can be used to reduce the mobile malware risk and prevent mobile devices from being attacked. An additional control that should be considered, especially by companies allowing the use of personal devices in the workplace, is to install a web filtering solution to prevent users from accessing websites known to contain malware. This will reduce the mobile malware risk considerably.

SpamTitan web filtering software offers excellent protection and complements AV software programs. The web filter prevents users from visiting risky websites, even when phishing links are clicked. It is one of the best ways to reduce mobile malware risk levels, although to reduce mobile malware risk to a minimal level, a multi-layered risk management strategy should be adopted.

Critical Joomla Vulnerability Discovered

Operators of websites running on the popular Joomla CMS have been alerted to a remote takeover risk following the discovery of a critical Joomla vulnerability. Approximately 2.8 million websites use the Joomla Content Management System, with the CMS second only to WordPress in terms of market share.

Joomla version 3.4.5 has now been released and contains a patch to plug the security hole, which has existed for close to two years; any site still running on a previous version remains particularly vulnerable to attack. Should a hacker successfully exploit the vulnerability, they would be able to obtain administrator privileges for the website, handing full control to the hacker. It would be possible for all data and content to be stolen and for the owner of the website and all other site users to be locked out.

The vulnerability, discovered by Trustwave SpiderLabs, affects version 3.2 and above and can be exploited using a hacking technique known as SQL injection. All users of versions 3.2 to 3.4.4 are at risk since this critical Joomla vulnerability affects a core module of the CMS, not an extension. Two other security flaws were also patched by the new release.

SQL injection is a common technique used by hackers to gain access to websites. The attacks are conducted by entering SQL commands into text fields on the front end of a website. These commands are misinterpreted by the web application: instead of treating the input as plain text, it is interpreted as part of the query and executed. As such, if the right commands are entered, the website can be hijacked. Numerous cyberattacks have been successfully conducted using this very straightforward technique, including the recent hack of mobile and broadband provider TalkTalk.
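The mechanism described here (and in the TalkTalk report above) is easiest to see in code. The following is an added example, not code from this page, from Joomla or from TalkTalk: a constructed in-memory SQLite login table, a lookup written the vulnerable way (user input pasted into the SQL text, so the database parses it as SQL), and the same lookup written with parameterized placeholders, which keep the input as data no matter what it contains. The table, the account and the probe string are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample database for the demonstration; not any real site's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    """The flaw: input is spliced into the SQL string, so the SQL parser sees
    any quotes or operators the user typed as part of the query itself."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, username, password):
    """The fix: placeholders are bound by the driver after the statement is
    parsed, so the input can never change the structure of the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# A widely known probe string, used here only to show that the two functions
# behave differently on the same input.
PROBE = "' OR '1'='1"

def compare(conn):
    """Return (vulnerable_result, safe_result) for a genuine login and for
    the probe string in place of the password."""
    genuine = (login_vulnerable(conn, "alice", "correct horse"),
               login_safe(conn, "alice", "correct horse"))
    probed = (login_vulnerable(conn, "alice", PROBE),
              login_safe(conn, "alice", PROBE))
    return genuine, probed

if __name__ == "__main__":
    genuine, probed = compare(make_db())
    print("genuine credentials  vulnerable=%s safe=%s" % genuine)
    print("probe as password    vulnerable=%s safe=%s" % probed)
```

With the genuine password both functions return True. With the probe string the vulnerable query becomes `... AND password = '' OR '1'='1'`, which matches every row, so it returns True although the password is wrong; the parameterized query compares the literal string and returns False. The same parameterization defeats blind injection as well, since the attacker's input is never parsed as SQL at all, which is why patching the affected component rather than filtering inputs is the right fix.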

Critical Joomla vulnerability can be used to gain access to the administrator control panel

Once access has been gained, files can be downloaded including confidential customer information. Since Joomla is used to create e-commerce websites, customers who have previously purchased products through Joomla websites could have their confidential information stolen.

This critical vulnerability can be exploited to extract a browser cookie which can be used to provide the attacker with administrator privileges. If that cookie is loaded into the browser, the hacker can gain access to the back end of the website and can access the administrator control panel. The code required to exploit the vulnerability has already been posted online.

It is therefore imperative that all administrators of Joomla sites update their website software immediately and patch the critical Joomla vulnerability in order to secure their sites.

The importance of updating software patches as soon as they are released

Zero-day vulnerabilities are frequently discovered in popular website applications and content management systems. A failure to install patches promptly leaves websites particularly vulnerable to attack. Code used to exploit the vulnerabilities can easily be found online, and is commonly shared by hackers, white hat and black hat – via online hacking and software development communities. Once an announcement has been made, there will be many amateur and professional hackers willing to exploit the vulnerability. Should that happen, data can be deleted, access rights changed, and customer data stolen.

Google Tackles Ad Injection Malware Threat

Organizations face a growing risk of sensitive data being compromised by ad injection malware. The latest figures released by Google suggest that an organization employing 100 individuals is likely to have at least five computers infected with ad injection malware.

This form of malware causes adverts to be displayed to the user that would not normally appear when visiting websites. The malware infects their browsers and results in annoying adverts being displayed, some of which contain links to legitimate retailers. Others contain much more sinister content. With little control exerted over the individuals placing the ads, cybercriminals are able to take advantage and place adverts containing links to malicious websites.

However, that is not the only security risk. When the malware infects a browser it causes changes to how websites are displayed. A connection to a website would be secured under normal circumstances, preventing third parties eavesdropping on the session. Unfortunately, when a browser is infected, the process used to encrypt the connection is broken. Sessions are no longer encrypted, and any data entered by the user could potentially be seen by a hacker or cybercriminal monitoring their connection.

When accessing a webpage via an open Wi-Fi network, an eavesdropper could quite easily listen in on the session. Usernames and passwords could be revealed as well as other confidential information.

Lenovo laptops were pre-installed with ad injection software

Potentially a user could avoid having their browser infected with the malware, but not if they bought a Lenovo laptop. Even brand new, straight-out-of-the-box laptops had been “infected”. In this case, by Lenovo. They have been shipping brand new laptops with legitimate software installed that inserts adverts into Google searches. The software in question is called Superfish and it functions as an image search engine.

Superfish is able to show adverts by using a root certificate which replaces a trusted website’s security with its own. This is how it is able to display adverts. Unfortunately, the security used by Superfish can easily be cracked. In fact, it already has been, so any Lenovo computer with Superfish installed cannot be used to securely browse the Internet. On an open Wi-Fi network, even a secure website such as an online banking site would not be secure.

Anyone not wishing to lose their privacy could uninstall Superfish. Unfortunately, if the software is uninstalled the security hole remains. The owner of the laptop will be permanently at risk of having their privacy violated and their internet surfing monitored. A problem for any employer allowing Lenovo laptops to be used for BYOD.

Google takes action to protect Chrome users

This type of “malware” is not new of course. The problem is the number of new applications and browser extensions that allow this form of advertising. Google has recently removed approximately 200 Chrome extensions from its web store that are capable of injecting ads into otherwise secure sites. Unfortunately, Google has also discovered approximately 34,000 standalone applications that are able to inject ads when users browse the internet, and according to Google researchers there are approximately 50,000 Chrome extensions that allow ad injection.

The solution for now, for employers at least, is to ensure that they do not use open Wi-Fi networks in the workplace. This will prevent any eavesdropping even if a user’s browser has been infected. BYOD participants should be instructed on the risk of using open Wi-Fi networks and told never to use their devices to access work accounts using public Wi-Fi hotspots.

Business Size and Network Security Threat are Inversely Proportional

When it comes to cyberattacks and the resultant data breaches, not all organizations are affected to the same extent. Larger organizations store greater quantities of data and a security breach may end up costing the company over $100 million to resolve, but such breaches are not suffered very often. In fact, when you compare the cost of breach resolution to the annual turnover of a company, the cost is actually very small indeed.

Even the huge data breaches that have affected Sony and Target have not cost the companies very much in the grand scheme of things. Compared to the annual turnover of both companies, the costs incurred are very low. As low as 1% of total turnover. The security breaches will be embarrassing, but the actual losses can be easily absorbed.

Benjamin Dean from Columbia University’s School of International and Public Affairs recently pointed out in a post that the cost to large companies may not be insignificant, but it is nowhere near as high as many people would believe.

Consequently, there is little pressure on many large organizations to invest more heavily in cybersecurity defenses. This may not be true for heavily regulated industries such as finance and healthcare, where heavy fines can be issued for non-compliance with data security regulations, but for some companies the costs can be easily absorbed.

Many of these companies are covered by insurance policies that pay for the majority of the cost and the resolution costs are tax-deductible.

He points out that while there will be fallout as a result of a data breach, this may not be nearly as high as many companies are led to believe. Many Sony employees had their data exposed in the cyberattack but how many will leave their employment as a result? Sure, they will be unhappy, but will they leave in droves? Probably not.

Customers may incur losses, but Sony will not have to cover the cost. How about cases of identity theft? Can a customer determine with any degree of certainty that they have become a victim because of the data breach at Target or Anthem, or any number of other companies that have suffered cyberattacks?

In many cases, losses are not suffered by the company but by the banks. The data breaches that have affected Target and Home Depot are estimated to have cost the providers of credit and debit cards, not the retailers. The cost of replacing the stolen cards has been estimated to have cost credit unions around $60 million in September. Those costs were covered by the credit unions, not the retailers.

The same cannot be said for small to medium sized businesses

The larger the corporation, the easier it is for losses to be absorbed, but when it comes to small to medium sized businesses the losses from a data breach can be catastrophic. Will movie-goers avoid a Sony Entertainment film because of the data breach? Unlikely. Will customers change to a rival printing company because their preferred provider has breached their financial data? Much more likely.

For SMBs it is essential to invest in robust data security systems. The loss of customers will really be felt, and many SMBs do not have the budgets to cover data breach insurance premiums. The resolution costs, in many cases, simply cannot be absorbed.

Data breaches do not affect all departments equally

If you work in IT security, you will be very keen to get a budget increase to protect your company’s systems. If a breach is suffered, your department will have to perform a great deal of extra work. You are likely to be blamed for allowing the breach to happen. You may even be criticized for failing to explain the risks adequately.

It is therefore in your best interests to implement the best possible security controls to protect the business, but often getting the funding is problematic. Cybercriminals are developing ever more sophisticated methods of breaking through defenses and consequently the defenses that must be installed must also be sophisticated. That usually means they cost a lot of money. Getting a sufficient budget to cover the cost can therefore be a difficult task.

To make it easier, you will need to know how managers assess budget requests.

Risk Analysis – How managers decide on budgets

Before a potentially expensive cybersecurity measure is given the go-ahead, a cost analysis will be performed. Managers will assess each threat separately and calculate the Annualized Rate of Occurrence (ARO), the expected number of times security will be breached in any given year. Then they will calculate the cost of a single such breach: the Single Loss Expectancy (SLE). Multiplying those two figures gives the Annual Loss Expectancy (ALE). Based on that figure, a decision will be made about the best way to deal with the threat and whether it is worthwhile doing so.

There are a number of measures that can be put in place to address the risk. These will also be assessed:

Risk Mitigation

The biggest costs fall into this category. These include installing robust firewalls, anti-virus and anti-malware solutions, spam and web filters, and employee training.

Risk Transference

It may be possible to reduce the cost of dealing with a breach, and this may prove more cost effective than installing security measures to reduce the risk itself. An insurance policy may be purchased so the company doesn’t have to cover the full cost of a security breach.

Risk Avoidance

It may be possible to reduce risk by preventing certain activities from taking place. For instance, banning the use of social media websites at work to combat the threat from malware. Sometimes risk cannot be avoided. Maintaining an online presence is essential, so a company cannot remove the risk of a data breach by not operating a corporate website.

Risk Deterrents

These measures can be cheap and effective. Legal disclaimers and internal policies can be developed to tackle insider theft. They may warn of prosecution for anyone found to be inappropriately accessing corporate data. This may be sufficient to put some individuals off snooping.

Risk Acceptance

Some risks cannot be avoided and must be accepted. However, a company must be aware of the risk in order to make a decision about whether it can be accepted, as well as the cost of mitigating that risk and the potential for damage.

It is essential that security professionals are consulted before these calculations are made. Their input will be required to gain an accurate estimate of the probable costs and level of risk faced.

If you, as an IT security professional, can provide accurate figures that can be used in the cost/benefit analysis, your company will be able to determine which security measures are essential and will allocate budgets accordingly.
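A worked version of the calculation the preceding section describes, written as an added example rather than anything from this page: each treatment option is expressed by the ARO and SLE that remain once it is in place plus its own yearly cost, so mitigation, transference, avoidance and acceptance can be compared on one figure, the total annual exposure (residual ALE plus the cost of the control). The threat figures and option costs are constructed for illustration and are not from any report.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Treatment:
    name: str
    aro_after: float    # expected breaches per year once the option is in place
    sle_after: float    # cost of a single breach once the option is in place
    annual_cost: float  # licence fees, premium, training time, lost business...

def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: single-loss cost times yearly rate of occurrence."""
    return sle * aro

def total_annual_exposure(t: Treatment) -> float:
    """What the option costs per year in total: residual ALE plus its own price."""
    return ale(t.sle_after, t.aro_after) + t.annual_cost

def net_benefit(sle: float, aro: float, t: Treatment) -> float:
    """How much the option saves per year against doing nothing (can be negative)."""
    return ale(sle, aro) - total_annual_exposure(t)

def best_treatment(sle: float, aro: float, options: list[Treatment]) -> Treatment:
    """The option with the lowest total annual exposure for the untreated threat."""
    return min(options, key=total_annual_exposure)

# Constructed example: a phishing-led breach of a customer database.
SLE = 200_000.0   # assumed cost of one such breach
ARO = 0.5         # assumed: one breach every two years

OPTIONS = [
    # Acceptance: nothing changes, nothing is spent.
    Treatment("accept", aro_after=ARO, sle_after=SLE, annual_cost=0.0),
    # Mitigation: spam filter, web filter and training cut the rate, not the cost.
    Treatment("mitigate", aro_after=0.1, sle_after=SLE, annual_cost=25_000.0),
    # Transference: insurance leaves the rate alone but caps what the company pays.
    Treatment("transfer", aro_after=ARO, sle_after=50_000.0, annual_cost=30_000.0),
    # Avoidance: stop the risky activity entirely, at a large cost in lost business.
    Treatment("avoid", aro_after=0.0, sle_after=SLE, annual_cost=150_000.0),
]

if __name__ == "__main__":
    print("untreated ALE: %.0f" % ale(SLE, ARO))
    for t in OPTIONS:
        print("%-9s exposure %8.0f  net benefit %8.0f"
              % (t.name, total_annual_exposure(t), net_benefit(SLE, ARO, t)))
    print("best option:", best_treatment(SLE, ARO, OPTIONS).name)
```

On these numbers the untreated ALE is 100,000 a year; mitigation brings total exposure to 45,000 and wins, transference comes second at 55,000, and avoidance costs more than the risk it removes. The point for the security professional preparing the figures is that the ARO and SLE estimates drive the whole decision, so they should come from incident data and a realistic breach-cost estimate rather than guesswork.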

Make sure you are an asset to your company and create your own risk analysis. As an IT security professional, you are in the best position to do this. If budgets are subsequently not forthcoming, it will not be your department that is blamed when security breaches are suffered.

SpamTitan’s Cybersecurity Predictions for 2015

To put it mildly, 2014 was a bad year for many IT security professionals. The number of threats to network security increased significantly, more computer systems were breached than in previous years, and more confidential records were exposed than in the previous 12 months.

The threat landscape is constantly changing, but 2014 saw incredible volumes of new malware released and a considerable number of zero-day exploits succeed. Many IT security professionals will be glad to see the back of 2014. Unfortunately, 2015 doesn’t look like it will be any better. Many predict it will be even worse.

2014 started badly with the discovery of a number of cyberattacks. Hackers had gained access to computer systems in 2013, or even earlier in many cases, but 2014 was when the attacks were discovered and a large volume of brown substance hit the fan.

The discoveries were shocking. Incomprehensible amounts of data had been compromised and listed for sale. The country was still reeling from the cyberattack on Target, and then came the announcement of mega data breaches at Neiman Marcus and Home Depot. P.F. Chang’s had customer credit card details exposed from 33 of its restaurants, JP Morgan was affected by a major data breach, as was Michael’s. The healthcare industry was also badly hit. Community Health Systems suffered a major data breach exposing 4.5 million records and even the U.S. Postal service was targeted. 800,000 employee records were exposed in that attack.

Then there was the attack on Sony. That data breach caused an incredible amount of damage, with the hacking group responsible not apparently looking for money. The attack was carried out by a group called “Guardians of the Peace,” supposedly located in North Korea and backed by Kim Jong-Un. As a result of the breach, Sony Pictures even stopped the Christmas release of the “The Interview” movie. The film parodied the North Korean leader and even depicted his death. The leader of the Democratic People’s Republic of Korea was reportedly none too happy about the film and the content of the movie was allegedly a motive behind the attack.

Now that “The Year of the Data Breach” (as it has been dubbed) has finally come to an end, it is a time to look forward to the New Year. Unfortunately, many industry experts have predicted an increase in the number of hacking incidents over the coming 12 months. 2015 is unlikely to be any better for IT security professionals.

The reason? Despite efforts being made by many organizations to address security vulnerabilities, many still exist. We are also no longer dealing with individual hackers operating out of bedrooms in their parents’ houses. International groups of hackers are targeting organizations in the United States and are receiving funding from foreign governments. Some of the world’s most talented hackers are being funded to attack the United States, the U.K., and just about every other country in the Western world.

So with the increasing threat, how is it possible to defend against cyberattacks, block malware, and beat malicious insiders? Fortunately, a number of lessons have been learned from the data breaches suffered in 2014. Security trends have been identified, and it is possible to implement a range of security solutions to protect corporate networks from attack. Being forewarned is being forearmed! Here are SpamTitan’s cybersecurity predictions for 2015.

Cybersecurity Predictions for 2015

Expect more mega data breaches

The more data that is held by an organization, the bigger a target it becomes. The aim of many hacking groups is not to obtain money, but to use cyberattacks to cause financial havoc. Successful cyberattacks cause companies to incur incredible losses and can affect the financial markets. The data breaches have a huge effect on the economy, which is one of the aims of foreign-government-backed hacking groups. These attacks will not only continue; they are likely to get a lot worse.

Healthcare and education sectors will be major targets

Expect to see data breaches the like of which have never been seen before. The financial and retail sectors will continue to be targeted, but 2015 is likely to see healthcare and education hit particularly hard. Student and medical records are particularly valuable to cybercriminals. The data contained in medical and student records can be used to commit many kinds of fraud: medical fraud, insurance fraud, and tax fraud, for example. Identities can be stolen, allowing credit to be obtained in the victims’ names. Universities were targeted in 2014, as were healthcare institutions. Expect more of the same in 2015.

Email will continue to be used as an attack vector

Virtually everyone now has an email account. Many have a separate email address for work and for personal use. Email is one of the easiest ways of getting in contact with people, and spammers are well aware how easy it is to get an account holder to click on a link to a malicious website, or to open an email attachment that has been infected with malware.

Email is used to “phish” for sensitive information that allows criminals to gain access to credit card numbers and bank accounts. Computers and mobile phones can all too easily be compromised, and the potential rewards for criminals are high. Phishing emails and other spam and scam emails are expected to increase during 2015.

Vulnerabilities in web applications will be targeted

2014 saw a number of zero day vulnerabilities discovered in popular software applications, and we can expect more of the same in 2015. There was Heartbleed, a potentially catastrophic vulnerability. Shellshock was also particularly worrisome. It is likely that these are just the tip of a very large iceberg.

At first it was thought that these security vulnerabilities had not been found and exploited by hackers. Unfortunately, this would appear not to be the case. The hack of healthcare provider Community Health Systems exposed 4.5 million patient records. It is believed that the cyberattack was made possible because of Heartbleed.

Attacks on mobile devices are likely to increase

Ownership of Smartphones and tablets has increased considerably and so has the volume of personal data stored on those devices. Smartphones permit the user to access email accounts, bank accounts and social media networks. Many people track their movements using the devices and record exercise data. If a device can be accessed, a considerable amount of personal data can be obtained.

Unfortunately, many of the applications downloaded to the devices contain numerous security vulnerabilities. Even the platforms themselves (Android and iOS) contain many security holes. Hackers and cybercriminals are well aware that mobile devices can contain a goldmine of data and, with the increasing popularity of Bring Your Own Device (BYOD) schemes, mobiles can even be used to launch attacks on corporate networks. Expect mobile devices to be implicated in more corporate security breaches and millions of users’ data to be plundered in 2015.

The threat landscape is constantly changing and there are more malicious attacks being reported than ever before. The seriousness of those attacks has also increased. Consequently, organizations must invest more heavily in network and cybersecurity defenses. The companies that fail to increase cybersecurity spending are likely to become the next targets.

2014: The Year of the Data Breach

May is not yet over. There are still seven months to go before 2015 arrives, yet Internet security experts are already calling 2014 the year of the data breach. The situation is bad and it is expected to get worse. Before the year draws to a close, many millions of Internet and email users will discover they have had their computers infected with viruses or have become victims of Internet fraud.

The U.S. healthcare industry has been hit particularly hard this year. In February, Anthem Inc. discovered a hacker had infiltrated its computer network and stolen 78.8 million insurance records. Just days later, Premera Blue Cross, another U.S. health insurer, uncovered a similar cyberattack that exposed the records of 11 million subscribers. The month of February was just over halfway through, but more confidential healthcare records had been exposed than in the whole of 2012 and 2013 combined.

Then there was the cyberattack on Target. Up until February 1, Bloomberg BusinessWeek calculated that the retailer had spent approximately $61 million to cover data breach resolution costs. All three of these data breaches were suffered by large organizations that had invested heavily in data and network security systems. Yet despite the investment, they still suffered massive data breaches.

What makes the Target data breach stand out, though, is the fact that the company’s security system actually detected the intrusion. For some reason, Target decided to do nothing about it. To state the obvious, this was a mistake. So far over 100 separate lawsuits have been filed against the retailer, for the most part citing negligence for failing to protect customer data and not taking action quickly enough when the breach was discovered.

The attack exposed the records of over 110 million customers and the banks have already been forced to spend in excess of $200 million as a result. When the lawsuits are resolved, the final cost of the data breach doesn’t even bear thinking about. Typically, data breach victims seek damages of around $1,000 a head.

Then there was Heartbleed. For those who somehow missed it, this was one of the biggest and potentially most serious security vulnerabilities ever discovered. It would appear that the bug was identified in time to allow companies to prevent it from being exploited. However, that is difficult to ascertain with any degree of certainty. If the security vulnerability was exploited, there would be no way of telling whether data had been stolen.

The cost of plugging this security hole was considerable. Companies were forced to take rapid action to secure their networks and computers before hackers could take advantage. The same cannot be said of consumers. It would appear that little has been done to protect against the bug. Following the announcement, very few individuals have even changed their passwords or taken other steps to protect themselves. A recent survey conducted by MarketWatch indicates that little has been done because consumers are not even aware of the Heartbleed bug. Half of those surveyed had never even heard of it, let alone the actions they need to take to protect themselves from attack.

Many of the major data breaches suffered this year did not actually occur in 2014. Hackers first gained access to networks last year or even earlier. This was the case with Anthem, Premera, and also Neiman Marcus, another major data breach uncovered this year. That attack was also discovered in February 2014, which could become known as “the month of the data breach”.

For the past eight months, Neiman Marcus’s systems have been open to hackers. Such a breach should have triggered the company’s security system, and it would have done so approximately 60,000 times had that security feature not been inadvertently turned off. Suspicious server activity was unfortunately not being monitored.

These data breaches have proved very costly indeed. According to the Ponemon Institute, the cost of resolving data breaches has increased again this year making matters worse for companies attacked by hackers.

Security systems are excellent, but what about the security staff?

It is all very well installing multi-million-dollar cybersecurity defenses, but if skilled staff are not employed to interpret the data, intrusions may not be discovered until many months after networks are infiltrated by hackers. This was certainly the case at Neiman Marcus, but also at Target. Had the system been checked, Target would have been made aware that its defenses had been turned off. It took a full post-breach audit to determine this was the case. This should have been checked on a regular basis. Doing so may not have prevented the breach, but it could have reduced the damage caused.

The problem for many IT departments, CISOs and CIOs is a lack of funding. Organizations appreciate that money must be allocated to counter the cybersecurity threat, but too little is being spent. This was highlighted by the Ponemon Institute study. Respondents indicated that a doubling of the security budget is necessary to counter the threat, install better security, allow audits to take place, and to employ the staff necessary to monitor systems for signs of attack. If security budgets do not increase, data breaches certainly will.

Will Your Brand Image Survive a Data Breach?

Consumers are spending less in bricks-and-mortar stores, and more people are looking for goods and services online. On top of this, some major retailers have suffered data breaches which have tarnished their reputation. For Target, the data breaches it suffered have had a serious impact. Sales have been lost to competitors as a result.

According to a Cowen & Co. tracking survey, customer satisfaction has decreased. The survey indicates there has been a fall in satisfaction with the overall shopping experience, and ratings for customer service have also declined.

The data show that reputation and brand image do have an impact on shoppers’ behavior. They will go elsewhere if they do not trust a retailer.

Target is one of the biggest retailers in the United States. What would be the impact on a small to medium sized organization? Would it be possible to weather the storm after a massive data breach has been suffered?

Data Breaches Can Cost SMBs Dearly!

The cost of a data breach can be considerable. The Ponemon Institute has recently quantified this. In a recent survey, 850 executives were asked about reputation damage following a data breach. 44% of respondents said it would take between 10 months and 2 years to recover from damage to reputation following a data breach. For some companies the effect will be felt for much longer. If they manage to stay in business that long!

Not all breaches have the same effect on a company’s reputation. Consumers are aware that security breaches are now a fact of life, but they are likely to be unforgiving if their Social Security numbers, credit card numbers, or bank account details are obtained by criminals.

The potential financial losses for a company can be considerable. Ponemon’s study suggested that brand image damage can cost between $184 million and $330 million. Best case scenario? You are likely to lose 12% of your brand’s value.

Your Competitors are Waiting to Take Advantage

All companies are likely to suffer a data breach of some description, yet many are ill prepared to deal with a security breach when it occurs. If a breach response plan is developed prior to a security incident being suffered, this can reduce the damage caused.

It is possible to win back the trust of customers after a breach, but it can be a long and difficult process. It is not actually clear whether a company’s reputation can ever fully recover. After all, today’s marketplace is particularly unforgiving. There is simply too much competition and plenty of competitors who will be ready to take advantage.

If your reputation is damaged, it will have an impact on your bottom line. Customers will change brands and there will be class-action lawsuits filed as plaintiffs try to recover damages. Revenues are likely to fall, and regulators may also issue costly financial penalties.

Fortunately, there are a number of actions that can be taken to reduce the risk of a data breach being suffered. Should the unthinkable happen, they can also reduce the severity of the breach. Think of data security investment as an investment in your brand image. That must be protected at all times.

Twitter Security Improvements Announced: Two-Step Authentication Added

Twitter, like many other social media platforms, is a target for hackers and cybercriminals. The company has recently become the victim of a number of cybersecurity incidents that have resulted in the account names and passwords of users being obtained by criminals.

Each attack spells bad news for the company, and even worse news for users of the platform. They face an increased risk of suffering identity theft and fraud as a result of having their login credentials compromised. Twitter security measures were simply not good enough to prevent a data breach from occurring.

Twitter security bolstered with two-factor authentication

To address the situation, Twitter security has been improved with two-factor authentication. This is an important security measure to implement as it makes it harder for accounts to be hacked.

Two-factor authentication uses two means of identification to help ensure that accounts are only accessed by the correct individuals. In addition to entering a username and a password, Twitter now requires an extra element to verify the identity of the person trying to access an account.

A number of websites and online services have now added two-factor authentication to provide better protection for users of their online services. Google, for instance, added two-factor authentication in 2010.

Google’s reputation would be tarnished if it was hacked. The company proactively added the security measure to offer more protection to its account holders. Users of its services must supply a mobile phone number when opening an account. A unique code is then sent by SMS to the phone when a new device tries to access the account. Users can alternatively choose to have an email alert sent to advise them when a new device is used to access the account. This ensures that if someone tries to log in to an account on an unknown device, they will be prevented from gaining access, even if they supply the correct login name and password.

This is a vital security measure to keep accounts secure and it has been adopted by a number of websites and social media platforms, although it appears to have taken a major data breach for Twitter security to have been improved with this fundamental security protection.

Social media accounts contain a considerable amount of data about the user. Should a criminal be able to gain access to an account, they would be able to gather a considerable amount of personal information that could be used to conduct a highly effective spear phishing campaign.

Two recent high-profile cyberattacks involved compromised Twitter accounts. They affected the UK’s Guardian newspaper and the American Associated Press. Hackers gained access to the accounts and released links to fake news items. Since the messages came from a trusted source, and contained click-bait links, the fake websites received hundreds of thousands of visitors.

The links were to fake articles detailing explosions at the White House – a potential terrorist attack – and a fake story about President Obama. Unsurprisingly, when news of the hacks emerged stock prices plummeted.

Oftentimes, the hacking of a company’s social media accounts causes permanent damage to the brand image. The compromising of a social media account could even allow hackers to launch further attacks, especially if passwords are shared across multiple platforms.

Two-Factor Authentication – An Essential Security Control

If you want to improve the security of your website or online services, setting up two-factor authentication is one of the best protections to implement.

Login names are easily obtained by cybercriminals, and passwords can all too easily be guessed. Many people still use “password”, for example, or their date of birth. 1234567890 is also a surprisingly common password and one that is very easily guessed.

Enforcing secure passwords is essential. Force users to include capital letters, numbers, and special characters when creating passwords. Then add a second step that needs to be completed. Make sure the user registers an email address or a mobile phone number, and then verify these by sending an email or SMS text.

Whenever an access attempt occurs using a different device to that used during the registration process, a code should be sent via email or SMS. If that code cannot be provided by the user, the account should be blocked.

This will ensure that even if a password is obtained by a cybercriminal, access to the account will not be possible unless the person has also managed to gain access to the email account used to register, or has the victim’s mobile phone.
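The second-step flow described above (unknown device, one-time code sent out of band, verification with an expiry and an attempt limit, device remembered), as an added example that is not Twitter’s or Google’s code. The class and function names, the five-minute code lifetime, the three-attempt lockout and the 12-character password floor are assumptions made here; the `deliver_code` hook stands in for the SMS or email sender.

```python
"""Added example of the second-factor flow described in the text.
Not Twitter's or Google's implementation; all names are hypothetical."""
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code sent by SMS or email is honoured for five minutes
MAX_ATTEMPTS = 3         # assumption: wrong codes allowed before the account is blocked


def password_meets_policy(password: str) -> bool:
    """The password rule from the text: capital letter, number and special
    character required. A 12-character minimum is added here as an assumption."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


class SecondFactor:
    """Tracks trusted devices and pending one-time codes per account."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested deterministically
        self._trusted = {}     # user -> set of device ids seen at registration or verified later
        self._pending = {}     # user -> {"hash": ..., "expires": ..., "attempts": ...}
        self.blocked = set()   # users locked out after too many wrong codes

    def register_device(self, user, device_id):
        self._trusted.setdefault(user, set()).add(device_id)

    def needs_second_factor(self, user, device_id):
        """True when the login comes from a device not used at registration."""
        return device_id not in self._trusted.get(user, set())

    def issue_code(self, user):
        """Create a 6-digit code. Only its hash is kept server-side; the clear
        code is returned so the caller can hand it to the SMS/email sender."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = {
            "hash": hashlib.sha256(code.encode()).hexdigest(),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, user, code, device_id):
        """Return True and trust the device if the code is right, current and
        the account is not blocked; otherwise count the failure."""
        if user in self.blocked:
            return False
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[user]          # an expired code can never be used
            return False
        supplied = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(supplied, entry["hash"]):   # constant-time compare
            del self._pending[user]
            self.register_device(user, device_id)
            return True
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            self.blocked.add(user)           # the text's rule: block the account
            del self._pending[user]
        return False


def login(sf, user, password_ok, device_id, deliver_code):
    """Decide what a login attempt needs. deliver_code(user, code) is the
    hypothetical SMS/email hook. Returns 'denied', 'granted' or 'code_sent'."""
    if not password_ok or user in sf.blocked:
        return "denied"
    if not sf.needs_second_factor(user, device_id):
        return "granted"
    deliver_code(user, sf.issue_code(user))
    return "code_sent"
```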

Boston Bombing Video Used to Infect Computers with Malware

Terrorist attacks are occurring with increasing regularity around the world, but it is still rare for one to happen on American soil. However, on Monday an attack took place at the Boston Marathon. The tragedy claimed the lives of three people.

It is at times like this that vigilance must be increased. Criminals often use events such as this to infect computers with malware. Big news events are often used to lure victims into clicking on links to websites infected with malware or convince them to open malware-infected email attachments. The Boston bombing is no exception. Criminals have seized the opportunity already and have started sending emails about the tragedy which contain links to infected sites.

SpamTitan is alerted when spam and phishing emails are captured. The quarantine reports are collected and analyzed, and some of the recent crop of captured messages contain titles such as “Explosion at Boston Marathon” and “Boston Explosion Caught on Video.” When news breaks, people want to find out what has happened, and images and videos of the event are sought online. Videos of the Boston bombing are being searched for on Google and social media, and emails including links to videos are likely to be clicked.

Anyone clicking one of the links in the emails will be directed to YouTube where a range of videos are listed. No harm is immediately caused.

However, after 60 seconds the visitor will be notified of a file called “boston.avi____exe” and asked to download it. If the file is run, it will install malware which will connect to servers in three locations: Argentina, Taiwan and Ukraine. Data from the infected machine will then be sent to those servers. SpamTitan software will prevent the email from being delivered using a variety of methods, thus protecting the user. Individuals without this software installed are unlikely to even be aware that their computers have been compromised.
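A quarantine rule of the kind a mail filter would apply to this campaign, as an added example that is not SpamTitan’s own filtering logic: it looks through the padding in a name such as “boston.avi____exe” to the real file type, and combines that with the breaking-news subject lines quoted above. The extension lists, lure terms and sample messages are constructed for the example.

```python
"""Added example of a news-lure quarantine rule; not SpamTitan's code.
Extension lists, subject terms and sample messages are constructed."""
import re

# Extensions Windows will run or script regardless of what precedes them.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "jar"}
# What the padded name is meant to look like: a video, image or document.
INNOCUOUS_EXTENSIONS = {"avi", "mp4", "mov", "wmv", "jpg", "jpeg", "png",
                        "pdf", "doc", "docx", "txt"}
# Constructed subject fragments, modelled on the captured titles quoted in the text.
LURE_SUBJECT_TERMS = ("explosion", "boston marathon", "caught on video", "breaking news")


def extension_chain(filename):
    """Split a filename into its extension-like tokens, treating runs of dots,
    underscores and whitespace as one separator. 'boston.avi____exe' ->
    ['avi', 'exe']; 'report.pdf' -> ['pdf']; 'README' -> []. Underscores in a
    base name add harmless extra tokens; only the last token decides."""
    tokens = [t for t in re.split(r"[\s._]+", filename.strip().lower()) if t]
    return tokens[1:]


def is_executable(filename):
    """True when the final real extension is one Windows will execute."""
    chain = extension_chain(filename)
    return bool(chain) and chain[-1] in EXECUTABLE_EXTENSIONS


def is_disguised_executable(filename):
    """The double-extension trick: an executable extension preceded by an
    innocuous one, hidden behind padding so a mail reader shows '.avi'."""
    chain = extension_chain(filename)
    return (len(chain) >= 2 and chain[-1] in EXECUTABLE_EXTENSIONS
            and any(t in INNOCUOUS_EXTENSIONS for t in chain[:-1]))


def classify_message(subject, attachments):
    """Return (verdict, reasons). Executable attachments are quarantined
    outright; a news-lure subject alone is held for review."""
    reasons = []
    lure = [term for term in LURE_SUBJECT_TERMS if term in subject.lower()]
    if lure:
        reasons.append("news-lure subject: " + ", ".join(lure))
    for name in attachments:
        if is_disguised_executable(name):
            reasons.append(f"disguised executable attachment: {name}")
        elif is_executable(name):
            reasons.append(f"executable attachment: {name}")
    if any("executable" in r for r in reasons):
        return "quarantine", reasons
    if lure:
        return "review", reasons
    return "deliver", reasons


# Constructed sample traffic: two lures modelled on the quoted subjects,
# one ordinary business message, one padded screensaver executable.
SAMPLE_MESSAGES = [
    ("Boston Explosion Caught on Video", ["boston.avi____exe"]),
    ("Explosion at Boston Marathon", []),
    ("Q3 budget", ["report.pdf"]),
    ("holiday clip", ["clip.mp4 .scr"]),
]


def run_samples(messages=SAMPLE_MESSAGES):
    """Verdict for each sample message, in order."""
    return [classify_message(subject, attachments)[0] for subject, attachments in messages]
```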

Be wary about emails containing news alerts

Cybercriminals often use news events to spread malware and gain access to computers and servers. Each major news story, whether it is a terrorist attack, election result, natural disaster or celebrity wedding, will see numerous phishing and spam campaigns launched. Many of these campaigns see emails sent out randomly, often in the millions.

Any company that does not have a spam filtering solution in place is likely to see many of these emails delivered, and all it takes is for one end user to click on a link and download a file for a network to be compromised. It is not only malware that is a problem.

There have been a number of new websites registered in the past two days related to the Boston bombing. New domains have been purchased by individuals looking to capitalize on the attack. Some have been bought and are currently just parked. Some individuals have purchased the domains to prevent them from being used by scammers. Others have been activated and are seeking donations to help the families of the victims. Of course, any donations made through those websites will just go into the criminals’ pockets.

In addition to installing a spam filter to catch email spam, and employing a web filter to block links to malicious websites, be sure to adopt the following best practices and make sure that staff members do the same:

Don’t become another victim of a scam!

  • Check the email address of the person sending the email even if it appears to be from someone you know
  • Never click on a link in an email unless you are sure that link is genuine
  • Do not open attachments contained in emails from strangers
  • Be wary about opening attachments sent from friends. Their account may have been compromised or they may not realize they are sending an infected file
  • Never open executable files (those that end with .exe)
  • Never respond to an email request for money. If you want to donate, do so via a trusted, registered charity. Always visit the website via the search engines, not the link contained in the email
  • Make sure a charity is registered before making a donation
  • Be wary of any email sent to you containing information about a news event – who is sending it? How did they get your email address?
  • Do not forward or share suspicious emails or links

Predicted Increase in Everyday Hackers: Security Threat to Increase

What is a hacker?

Hackers are commonly referred to in print media and Internet reports, and are often viewed as either criminal masterminds intent on wreaking havoc and causing chaos, or bored (but highly skilled) teenagers with nothing better to do with their time.

However, a hacker is just an individual who is familiar with computer software and who is able to find and exploit security weaknesses in computer systems. Should you search the Internet for HTML Injection, you would find a great many websites that explain how to use this technique to gain access to websites. If you were to follow the instructions, you would essentially be a hacker. Just not a very good one.

Not all hackers are bad, not all lack a conscience, and many are not motivated by money. Some are highly talented individuals who want recognition for their computer skills or just want to protest about something. Hackers have been known to break in just to prove a point: that it is morally reprehensible for board members to take huge amounts of cash out of the business while jeopardizing the privacy of their customers and leaving them exposed to identity theft.

Some companies even employ hackers to test their systems. These “ethical hackers” or “white hat hackers” perform an extremely valuable job. It is far better to have an employee attempt to hack a computer network to find vulnerabilities in order to fix them, rather than have a malicious outsider break in and steal data. Facebook has hired, and continues to hire, programmers for this purpose, and even runs an annual hack-a-thon.

The rise of the everyday hacker

Veracode, the leading company in the field of application security testing, produces an annual security report that assesses the state of software security. The company’s researchers investigate security trends and make predictions about how vulnerabilities could potentially be exploited.

In this year’s State of Software Security Report the company has predicted there will be a rise in the number of “everyday hackers” over the next few years. These “have-a-go hackers” will not be highly skilled computer geniuses. They will be normal people who decide to have a go at hacking. As previously mentioned, there is a lot of information on the Internet, and many techniques do not require a great deal of computer skill to pull off.

A “SQL injection” search on Google will reveal 1.74 million search results. Not all of those websites will give step-by-step instructions on how to do it, but some do. Currently, according to the Veracode security report, 32% of web applications contain security flaws that could be exploited by SQL injection. These flaws are not hard to identify, and are actually quite easy to fix. Many companies do not even test for them.

Hacking is increasing and data breaches are occurring much more frequently

More than half of data breaches are caused by hackers breaking into systems to steal data (or stealing data once they have broken into a system for other reasons). In 2011 and 2012, Veracode calculated that 52% of data breaches came as a result of web intrusions.

Interestingly, software is now being installed to tackle these vulnerabilities and far fewer security holes typically exist. The problem is more people are now looking for vulnerabilities to exploit.

Veracode found that insecure software was the largest root cause of data loss. Its researchers discovered that 70% of software used by organizations does not even comply with enterprise data security policies.

Unless organizations take a more proactive approach and address these vulnerabilities as a priority, hackers will exploit the security holes and sabotage systems, hold companies to ransom, and steal data. To prevent data breaches, action must be taken and taken fast.

Cybersecurity Attacks have given CEOs a Rude Awakening

Unfortunately, IT security professionals have to deal with business managers. This is a problem that will never go away, but there is some good news. Managers may still be intent on slashing budgets and increasing the productivity of the workforce, but they are less keen on slashing IT department budgets. Many are now suggesting increases in operational budgets to deal with the increased risk of attack.

We are also finally seeing CEOs making the decision to implement good security measures to protect against malicious insiders and hackers. The days of having “good enough” security measures may finally be coming to an end. Attitudes on cybersecurity are changing at last, in no small part due to the cost of not doing so being hammered home. Highly publicized cyberattacks have helped in this regard. So have reports of stock prices tumbling after security breaches are suffered.

It is not only lone hackers that are attempting to break through firewalls and cybersecurity defenses. Groups of incredibly talented hackers are being recruited by nation states and are being put to work on highly sophisticated hacks on U.S. enterprises. With the backing of nation states, the threat level increases considerably. Robust defenses must be implemented to repel the attacks. Any organization that implements minimal cybersecurity defenses may as well place an advertisement in the Washington Post inviting hackers to attack.

Cybersecurity attacks have been receiving a lot more press, in no small part due to the huge volume of data that hackers have been able to obtain. Corporate secrets, company accounts, information on personnel, customer data, medical records, Social Security numbers, and much more have all been obtained. This information is subsequently sold to the highest bidder or, in some cases, simply posted online for all to see.

The potential damage caused can be catastrophic. Many small to medium sized businesses would not be able to survive such an attack, and even enterprise organizations feel the effect. The threat from these attacks has seen a much needed change in attitudes of the upper management and, while IT departments are not yet given all the money they need, the situation is certainly improving.

A recent survey conducted by ESG Research suggests that business leaders are getting much more involved with information security situational awareness and strategy: 29% of respondents said so, a major improvement year on year. Furthermore, 40% of respondents said that over the past year, executive management has become “somewhat more engaged” with these matters.

As more mega data breaches are reported in the news, and the true cost of resolving security incidents is calculated, we can expect engagement to increase further. Bigger IT security budgets should also be allocated to improve protection.

Data Security Threat Predictions for 2013

The festive period is almost upon us and, aside from having to deal with the wave of Christmas and New Year cybersecurity threats, it is a time to relax, reflect on the major security events of the year, and plan for 2013.

Lessons have been learned in 2012 and it is up to IT security professionals to ensure that the same mistakes are not made next year. 2013 is likely to see a wave of attacks, a great deal more threats, and many companies’ security defenses breached. Prepare adequately and your company is likely to avoid becoming another security breach statistic.

Online Security Threats from 2012

2012 was an exciting year, certainly as far as data mobility was concerned. Many companies have enjoyed the benefits that come from being able to access data from any location; on any device. Unfortunately, so have cybercriminals.

Widespread adoption of Bring Your Own Device (BYOD) schemes has made workforces much more productive, efficient, and happy. Unfortunately, mobile devices are being attacked with increasing regularity. Personal smartphones, laptops, and tablets may represent the future of business, but they often lack the necessary security controls to ensure corporate networks remain protected. Cloud computing has also been adopted by many organizations, but not all have made sure their cloud applications are appropriately secured.

There has been an explosion in the number of social media websites. The sites are more popular than ever before, and so are the threats that come from using them. As user numbers have increased, so have the types of malware being developed to exploit users of Facebook, Twitter, Pinterest and the myriad of other sites that have enjoyed an increase in popularity.

Up and coming platforms are being targeted as user numbers increase and established platforms such as Facebook and Twitter are honeypots for cybercriminals. Social media channels and mobile devices are likely to remain problematic for IT professionals charged with keeping their corporate networks secure. Unfortunately, IT security professionals have little control over personal devices, and it is very difficult to stop end users from using their social media accounts at work.

As cybercriminals start using new attack vectors with increasing regularity, security professionals must be alert to the new risks. Listed below are our security threat predictions for 2013: some of the trends that are likely to develop further over the course of the coming year.

Security Threat Predictions for 2013

SQL Injection attacks will continue to increase

There was a rise in the number of successful cyberattacks last year, many of which involved SQL injection – the insertion of Structured Query Language statements through unvalidated web input in order to gain access to corporate databases. Hackers were able to use this technique to hack into web servers and obtain user names and passwords from corporate databases.

Small to medium-sized companies are particularly vulnerable, as they often do not have the resources available to address all of the vulnerabilities that can be exploited by SQL injection. However, even very large companies are at risk. In 2012, Wurm Online, a hugely popular online multi-player game, was hacked using SQL injection, resulting in the site being taken offline. Yahoo Voices was also hacked using this technique, and over 450,000 user logins were obtained by hackers. This attack was carried out using “union-based SQL injection”. These attacks were made possible because basic web server mistakes had been made by the companies in question. Both attacks were avoidable.
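The "basic mistake" behind union-based injection is building the query text from user input, so that a quote character ends the intended string and the remainder is parsed as SQL. The following is an added example, not code from the article or from either of the sites it names: it puts the flawed lookup beside its parameterised replacement, using an in-memory SQLite database with constructed tables and a constructed hostile input, and shows that the bound parameter is only ever compared as data.

```python
import sqlite3

def make_db():
    """Constructed sample database (not from the article): a public 'articles'
    table and a private 'users' table share one database, as is typical on a
    web server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO articles (title) VALUES ('Welcome'), ('Security update');
        INSERT INTO users (username, password_hash) VALUES ('alice', 'hash-of-alice-pw');
    """)
    return conn

def search_articles_vulnerable(conn, term):
    """The mistake: the search term is pasted into the SQL text. A quote in the
    input closes the string literal and whatever follows is executed as SQL,
    which is what lets a UNION pull rows out of an unrelated table."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_articles_safe(conn, term):
    """The fix: the SQL text is a fixed template and the term travels as a bound
    parameter. The database engine never parses the input as SQL, so quotes,
    UNION and comment markers inside it are just characters to match."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]

# Constructed input of the union-based kind the article mentions: it closes the
# string, appends a second SELECT and comments out the rest of the template.
UNION_INPUT = "zzz' UNION SELECT username || ':' || password_hash FROM users --"

def demo():
    """Run both lookups on a normal term and on the hostile one; return the
    results so the difference can be checked rather than just printed."""
    conn = make_db()
    return {
        "normal_vulnerable": search_articles_vulnerable(conn, "Secur"),
        "normal_safe": search_articles_safe(conn, "Secur"),
        "hostile_vulnerable": search_articles_vulnerable(conn, UNION_INPUT),
        "hostile_safe": search_articles_safe(conn, UNION_INPUT),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions behave identically for ordinary searches; only the hostile input separates them. The vulnerable lookup returns a row that came from the `users` table, while the parameterised lookup returns nothing, because no article title contains that literal string. The same pattern applies to every database driver that supports placeholders, and to stored procedures that take typed arguments; escaping quotes by hand is not a substitute.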

Ransomware attacks will increase

The past 12 months have seen a rise in cyberattacks using ransomware. Users are fooled into installing malware on computers and networks which subsequently encrypts all company data. Company operations have ground to a halt, with no data accessible without a decryption key, and the criminals will only provide that key if a ransom is paid. Companies have found they have no choice but to pay the criminals to decrypt their data. In 2012, a number of hacked GoDaddy websites were discovered to be infecting users with ransomware.

Defenses against this type of malware must be improved. Install spam and web filters to prevent users from installing this malware, ensure that all data is backed up, and develop policies for recovering backed-up files. A data breach response plan should be developed to ensure business-critical data is restored promptly.

Increase in amateur cybercriminals using attack toolkits

As we saw this year, you do not need to be a hacking genius to pull off a successful cyberattack. It is possible to rent an attack toolkit with a host of premium features to make it easy to use by virtually anyone. The Black Hole exploit kit is a good example.

Investment in these kits has improved their usability, and many now include APIs, scriptable web services, reporting interfaces, and even mechanisms to protect the users of the toolkits. By improving the quality of the kits, talented programmers have increased the number of individuals able to launch attacks on corporations. There is no shortage of takers, and the investment has been well rewarded. Expect more individuals to use these kits and the volume of email malware to increase.

Less damage from security vulnerability exploits

Security vulnerabilities are being discovered with increasing regularity, and this is enabling security holes to be plugged before they can be exploited. Protection against exploits is also improving, and the next 12 months are likely to see even more advances in this area. A number of protections have already been developed and deployed to blunt attacks of this nature, such as address space layout randomization (ASLR), sandboxing, data execution prevention (DEP) and trusted boot mechanisms. It is expected to become harder for hackers to exploit security vulnerabilities, although the risk of attack will certainly not be eradicated.
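ASLR and DEP only help a program that was built to opt into them: on Linux, a binary gets a randomised base only if it is position-independent (ELF type `ET_DYN`), and a non-executable stack only if its `PT_GNU_STACK` program header omits the execute bit. The checker below is an added example, not code from the article or from any of the projects it names; it reads those two facts straight out of an ELF64 header so a defender can audit what is actually deployed. The `build_sample_elf` helper fabricates a minimal, constructed ELF image purely so the checker can be exercised without a real binary on disk, and treating a missing `PT_GNU_STACK` as "not proven non-executable" is a deliberate conservative assumption of this example.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2                # fixed-address executable: no base randomisation
ET_DYN = 3                 # position-independent executable or shared object
PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X = 0x1                 # "execute" permission bit in p_flags

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 little-endian file header, 64 bytes
PHDR_FMT = "<IIQQQQQQ"         # ELF64 program header, 56 bytes

def check_mitigations(data):
    """Report which build-time mitigations an ELF64 image carries.

    pie:               e_type is ET_DYN, so the loader may place the image at a
                       random base and ASLR covers its code and data.
    gnu_stack_present: a PT_GNU_STACK header exists at all.
    nx_stack:          that header is present and does not request PF_X, so the
                       stack is mapped non-executable (the DEP/NX protection).
    """
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, data, 0)

    gnu_stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
            break

    # Assumption of this example: when PT_GNU_STACK is absent the loader falls
    # back to a platform default instead of an explicit request, so the stack
    # is reported as not proven non-executable.
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }

def check_file(path):
    """Convenience wrapper for auditing a binary on disk."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())

def build_sample_elf(pie, nx):
    """Constructed minimal ELF64 image: a file header plus one PT_GNU_STACK
    program header and no code. It exists only to exercise the checker."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class, data, version, OS ABI, pad
    ehsize = struct.calcsize(EHDR_FMT)
    phentsize = struct.calcsize(PHDR_FMT)
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0, ehsize, 0, 0, ehsize, phentsize, 1, 0, 0, 0)
    flags = 0x6 if nx else 0x7   # PF_R|PF_W, with PF_X added for an executable stack
    phdr = struct.pack(PHDR_FMT, PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(p, check_file(p))
    else:
        print("hardened sample:", check_mitigations(build_sample_elf(pie=True, nx=True)))
        print("legacy sample:  ", check_mitigations(build_sample_elf(pie=False, nx=False)))
```

Run it with one or more paths to audit real executables, or with no arguments to see it classify the two constructed samples. Note that `ET_DYN` is also the type of shared libraries, so a reported `pie` of `True` for a `.so` simply means it is relocatable as every shared object must be; the flag is only a meaningful hardening signal for the main executable.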

New privacy and security challenges that need to be addressed

The rise in popularity of mobile devices, and the adoption of BYOD by many organizations, has seen data security risk increase substantially. Mobile devices contain numerous security flaws. The devices can be used to track victims through their GPS and near field communication (NFC) capabilities, allowing criminals to physically locate their targets. The growth in social media applications for mobile devices is likely to see even more devices compromised. Expect 2013 to see a wave of new attacks on mobile devices and security vulnerabilities in new technologies exploited.

Do you agree with our security threat predictions for 2013?