Internet Security News

Our Internet security news features the latest press releases from the world´s largest online security companies with details of the latest threats to be aware of and, unfortunately, Internet security news relating to significant data breaches. While some organizations will be grateful for the advanced warning of an online threat – and details of how to protect themselves against it – for some the warnings will come too late.

Consequently it is recommended to be protected against all manner of online threats with an email filter and web filter from TitanHQ. Our Internet security solutions prevent users from accessing unsafe sites via phishing emails and malvertising, and from visiting websites that are vulnerable to exploit kits and malware. As many organizations already using TitanHQ solutions would agree, it is better to be safe than sorry.

Android Smartphone Malware Beating 2FA

New Android Smartphone malware has been identified that gets around the security systems used by banks and other financial institutions to keep customers protected. The malware is managing to intercept messages that are sent to customers’ Smartphones used as part of the bank’s two-factor authentication system. However, an update to the Android Smartphone malware means it is now capable of intercepting passcodes on more robust 2FA systems.

Two-factor authentication is not infallible

Two-factor authentication offers enhanced security for bank customers. Rather than relying on a username and a password, and additional factor is used to verify identity. A one-time passcode is sent to a user’s Smartphone and that passcode is then used to authorize a transaction. If the passcode is not entered the transaction cannot be made. The codes are sent to the Smartphone via SMS in most cases, although some banks use an automated voice call to deliver the passcode.

This means that even if a user’s login credentials are obtained by a criminal they cannot be used to authorize a bank transfer unless the attacker has also managed to obtain the Smartphone of the account holder (or other device registered with the bank and used for two-factor authentication.)

While two-factor authentication makes it harder for fraudulent transactions to be made, the system is not infallible. In fact, the account holder’s device does not even need to be stolen in order for a criminal to empty a bank account. If malware can be loaded onto the device that can intercept the SMS text this will allow an attacker in possession of the login credentials to make fraudulent transfers.

Automated voice call passcode delivery intercepted by Android Smartphone malware

SMS messages can be intercepted easily if malware is installed on a device. Because of this, some banks are moving away from SMS passcodes and are now favoring the delivery of codes via an automated voice message. However, the latest android Smartphone malware is capable of obtaining these passcodes as well.

Android.Bankosy malware has been adapted to beat this system of passcode delivery. The malware will simply forward the voice call to the attacker, unbeknown to the victim. This is possible because Android.Bankosy is capable of enabling silent mode on the phone so the user is not aware that a call is being received. If the attacker has the login credentials, a transaction can be initiated. The voice call is redirected to the attacker, and that code is then used to complete the transaction.

Cybersecurity Predictions for 2016

Over the past four weeks we have seen numerous cybersecurity predictions for 2016 issued by security firms. Security experts are trying to determine which part of the now incredibly broad threat landscape will be most favored by cybercriminals in 2016.

Some companies have made very specific cybersecurity predictions for 2016. They have come out with very bold claims, even predicting the presidential elections will be disrupted by a major cyberattack. Others believe 2015 will be broadly similar to 2015, with just an increase in ransomware attacks and even more massive data breaches suffered.

What all of the cybersecurity predictions for 2016 have in common is that the next 12 months are expected to be tough for security professionals.

The number and types of devices now connecting to corporate networks is broader than ever before. People are now far more likely to own and use three or more Internet-connected devices and use them on a regular basis. Alternative payment methods are being used more frequently. There is now more than ever to attack and too many devices and systems to keep secure. Unsurprisingly, no one appears to be claiming that 2016 will be easier than last year for cybersecurity professionals.

Cybersecurity predictions for 2016

The attack surface is now incredibly broad, but where are cybercriminals most likely to strike? This is what we think. Here are cybersecurity predictions for 2016.

IoT – expect attacks on the Internet of Things

Let’s start with a bold prediction. The IoT is likely to come under attack this year. I say bold, but that is only in terms of the timescale. IoT devices will be attacked, shut down, altered, remotely controlled, and used as a launchpad for attacks on other devices. If a device is constantly connected to the Internet, it will only be a matter of time before an attack takes place.

One problem with adding IoT technology is the manufacturers of the devices are not security experts. A washing machine that can be controlled via Wi-Fi or a Smartphone app, and can be switched on remotely while you are at work, has been designed first and foremost to wash clothes. It has then had IoT functionality bolted on. It has not been designed with security at the core of the design.

Surely a washing machine is not going to be used to attack a corporation you may say. Well, a Smart heating and air conditioning system was used to attack Target and gain access to the credit card numbers of its customers. Hackers are certainly looking at IoT devices and are probing for weaknesses. Security needs to be first rate, but unfortunately in many cases it is not.

Crypto-ransomware evolution will continue – Increase in ransomware attacks to be expected

Over the past 12 months crypto-ransomware attacks have increased significantly. Cybercriminals are now developing new malware capable of locking computers with powerful encryption.

The encryption cannot be cracked. The devices can only be unlocked using a security key. That key is held by the attackers. A ransom is demanded by cybercriminals and it must be paid before the key is released. Ransoms are demanded in Bitcoin because the currency is next to impossible to trace.

Developing crypto-ransomware is a lucrative business and that is unlikely to change any time soon. At present, ransomware is sent via mass spam email and the victims are not really targeted. The aim is to infect as many devices as possible. More infections equal more ransoms.

What we are likely to see over the course of the next 12 months is an increase in the ransom amount demanded and a more targeted approach adopted. Businesses are likely to be targeted and crypto-ransomware used to hold companies ransom. Companies are likely to be able to pay more than individuals.

We also expect ransomware to make the jump over to OS X, and to a lesser extent iOS. Cybercriminals would love to start charging Mac prices!

Apple owners to come under attack

That neatly leads us on to Apple. Users of Macs and iPhones have had it too good for too long. Hackers have not been too bothered about Mac users in the past, as there are greater rewards to be had from writing malware to target the masses. Consequently, the majority of malware targets Windows-based devices. Apple’s market share has been too small to warrant the development of Apple-specific malware. That is now changing.

Apple’s market share is increasing. As more people make the switch to Apple, it will be more lucrative for criminals to develop malware to target OS X devices. Over the course of the last year we have seen new malware created specifically for Apple devices. The volume is still small in comparison to malware that infects Windows-based devices, but we can expect Apple to come under attack in 2016.

Increase in memory resident malware

Hackers are getting better at obfuscation. They are developing ever more complex ways of hiding malware to evade detection. One of the main problems faced by malware authors comes from the fact that if a file is downloaded to a computer it can be found.

However, if malicious code is injected into the memory of a computer and no files downloaded, it is very difficult to detect. Memory-resident malware is more difficult for hackers to create, but many are now developing new fileless malware in order to evade detection for longer.

Until now memory-resident malware has been short-lived. It only survives until the device is rebooted. However, we are now seeing new forms that are simply reloaded into the memory when the computer is rebooted. We can expect to see even more memory-resident malware attacks in 2016 as the use of fileless malware grows.

Major healthcare industry attacks will take place

In 2015, cybercriminals targeted the healthcare industry with increased vigor. Massive data breaches were suffered, the likes of which the industry had never before seen. Anthem was attacked last year and 78.8 million healthcare records were stolen. An attack on Premera BlueCross exposed 11 million records, and Excellus suffered a 10-million record data breach. These massive cyberattacks used to be a rarity. In fact, up until 2014 the largest U.S. healthcare data breach affected just 4.9 million individuals.

The healthcare industry has been slow to implement new technology and many security weaknesses remain. They are now being exploited with increasing regularity. Since the value of data stored by health insurers and healthcare providers is so high, and the volumes of Social Security numbers, health data, and personal information so large, successful attacks can be extremely profitable. Where there is profit, and poor security there will be cyberattacks. These massive breaches will therefore continue in 2016.

Attacks on employees to increase in 2016

Employees are the weakest link in the security chain and hackers and cybercriminals are well aware of this. They target employees to gain access to corporate networks, with phishing one of the easiest ways to gain access to corporate data. These attacks have proved to be highly successful and have resulted in huge volumes of data being obtained by criminals. Some of the largest data breaches of the last two years have started with phishing campaigns. The attacks on Sony, Target, and Anthem for example.

Employers are getting better at blocking phishing emails and employees are now being trained to identify them, but these attacks will continue and will become more targeted and sophisticated.

As more employees work from home, we expect them to be targeted there instead of work. Their home computers and personal devices will be used to gain access to corporate networks. They tend to have more security weaknesses. Those weaknesses are likely to be exploited with increasing frequency.

Do you agree with our cybersecurity predictions for 2016? What do you think the biggest threat will be over the next 12 months?

Time Warner Cable Security Breach Impacts 320,000 Customers

Hackers have potentially gained access to the data of hundreds of thousands of Time Warner Cable customers. The Time Warner Cable security breach was discovered by the FBI, which tipped off TWC last week. Affected individuals are now in the process of being notified.

320,000 customers potentially affected by Time Warner Cable security breach

The Time Warner Cable security breach was announced on Wednesday last week. Scant information was initially provided to the media about the security breach and how customer data came to be stolen by cybercriminals.

According to a statement released by the company, there has been no indication that the company’s computer systems were compromised in a cyberattack, and customers have only been advised to change their passwords as a precaution. The company advised customers via email as well as direct mail that their email addresses and passwords may have been compromised.

Over the next few days, further information about the Time Warner Cable security breach was released. At first a statement said residential customers were affected across all markets. It later came to light that the data were stolen not from TWC, but from a third party who had access to customer information.

Investigations into the TWC data breach are continuing, but at this present moment it would appear that the Time Warner Cable security breach only affects Roadrunner email accounts (rr.com).

Customers have been directed to resources where they are provided with further information about how to identify a phishing attack. There is a possibility that affected individuals will be contacted via email by the data thieves in an attempt to obtain further information that can be used to commit identity theft or fraud.

However, what will be particularly worrying for the victims is not the possibility that they may be subjected to future phishing campaigns but what confidential information they have in their email accounts. Email accounts may contain highly sensitive information about an individual which, in the wrong hands, could be used to cause considerable harm.

The information in an email account could allow a cybercriminal to build up a highly detailed knowledge of an individual. That information could then be used to conduct a phishing campaign or cyberattack on that individual’s contacts.

Last year, Ping Identity conducted a survey on 1,000 enterprise employees in the United States and discovered that almost two thirds of respondents shared passwords between work and personal accounts. Data in personal email accounts could also potentially be used to conduct phishing campaigns on employees with a view to gaining access to their employer’s computer network.

As a precaution against fraudulent use of any information, all affected customers should change their email password promptly. It would also be a wise move for any individual who has a roadrunner email account to also change their password, even if a breach notice letter or email is not received.

TWC is America’s second largest cable company and serves 16 million customers across 29 states.

BBC DDoS Cyberattack Caused by New World Hacking

On December 31, 2015, the British Broadcasting Company (BBC) suffered a cyberattack which resulted in all of its websites being taken offline for a number of hours. A hacking group operating under the name “New World Hacking” has now claimed responsibility for the BBC DDoS Cyberattack.

BBC DDoS cyberattack conducted to test hacking group’s capabilities

The BBC was chosen not because of some vendetta against the broadcaster, but as a test of the power of the hacking groups servers ahead of planned attacks on ISIS. The hackers behind the BBC DDoS cyberattack did not actually intend on taking down the BBC websites, but it turned out that the servers being used for the attack proved to be “quite strong,” according to one member of the group who came forward.

‘Quite strong’ is something of an understatement. The BBC DDoS cyberattack was the largest ever recorded, with traffic up to 660 Gbps, which corresponds to many tens of thousands of connections. The hackers took down the BBC website using the Bangstresser tool, and used two nodes of attack and “a few extra dedicated servers.” Before the BBC DDoS cyberattack, the largest ever recorded was a 334 Gbps attack on an Asian network operator last year.

Attacks of this size are rare. Few manage more than 100 Gbps and when attacks of this magnitude occur they tend to be fairly short-lived, although while they are being conducted they can cause a substantial amount of damage. Many of the connections will be blocked by network filters, which are capable of identifying spoofed IP addresses, although by no means all. Attacks of this scale are likely to cause a serious amount of damage to enterprise networks.

In this case, the hacktivists were only testing capabilities and the motivation for the attack appears to have been made clear; however not all hackers conduct DDoS attacks to disrupt web services or take down servers. All too often a DDoS attack is conducted as a smokescreen to distract IT staff while the real mission is completed. One part of a network is attacked, while other members of the group attempt to gain access to other parts of the network and install backdoors for subsequent attacks or steal data. This was demonstrated recently by the attack on UK Broadband and mobile phone service provider TalkTalk.

Who are New World Hacking?

New World Hacking is an American group of 12 hackers – 8 men and 4 women – that was formed in 2012. The group has conducted numerous campaigns against terrorist organizations in the past, as well as on other groups and individuals that the hackers deem to be unpleasant or whose views or actions are contrary to the group’s beliefs.

New World Hacking has previously conducted large-scale DDoS attacks and has taken down websites run by members of the Ku Klux Klan, as well as websites depicting child pornography. Other targets include Donald Trump. That attack occurred at the same time as the BBC DDoS cyberattack and resulted in the presidential candidate’s website being taken offline for five hours. The group targeted Trump because of his recent “racist rhetoric.”

The group was also active after the recent Paris terrorist attacks and attempted to identify social media accounts used by ISIS.

The main target of New World Hacking is ISIS. The group is now planning to use its servers for attacks on ISIS websites, and those of ISIS supporters. The group claims to have a list of targets that it plans to attack in the very near future.

A member of the group going by the name of Ownz told the BBC “We realize sometimes what we do is not always the right choice, but without cyber hackers… who is there to fight off online terrorists?” The group aims to unmask ISIS, stop its spread, and end the propaganda.

FaceBook Flash Video Retired: Social Media Network Switches to HTML5

It has been a long time coming, but Facebook has finally taken the decision to stop using Flash for video. The social media site is now using HTML5 for all videos served on the site. Facebook Flash video is no more, but Adobe Flash has not been totally abandoned yet, as it will still be used for Facebook games. Hackers can take some comfort from the fact that Farmville players will still be highly susceptible to attack.

Facebook Flash Video Retired to Improve User Experience

The move away from Facebook Flash video didn’t really require any explaining, although a statement released by Facebook said the move was required “to continue to innovate quickly and at scale, given Facebook’s large size and complex needs.” The move to HTML5 not only makes the social media site more secure, HTML5 improves the user experience. Videos play faster, there are fewer bugs, and HTML allows faster development. The social media network also plans to improve the user experience for the visually impaired using HTML5.

The move appears to have been welcomed by Facebook users. Since changing over to HTML5, users have added more videos, registered more likes, and are spending more time viewing videos.

The End of Adobe Flash is Nigh

Unfortunately, it is not quite so easy for the Internet to be totally rid of Flash. The video platform has been used for so long it is still a major part of the web. However, its 10-year reign is now coming to an end. Google Chrome stopped supporting Flash last year and Amazon also banned the use of Flash for video last year. YouTube made the switch from Adobe Flash to HTML5 and with without Facebook’s 8 billion video views a day no longer being served through Flash, the majority of web videos will now be viewed without Adobe’s platform.

Even Adobe appears to be trying to distance itself from its toxic product, having abandoned the name Flash in recent weeks. The company is attempting to deal with the huge number of zero day vulnerabilities as soon as they are discovered, and is patching them quickly, but it is fighting a losing battle. HTML5 provides everything that Flash offers in terms of functionality, minus the myriad of security holes.

Security Risk from Adobe Flash too High

Flash is well known for being a hackers dream as the software platform contains more holes than a sieve. Early last month a new patch was released to address 78 CVE-classified security vulnerabilities, 75 of which were totally separate. This, it has to be said, is an insane amount of security vulnerabilities to discover and address in a single patch. Adobe was quick to point out that it has not received reports of those vulnerabilities being used in the wild, but this has done little to address security fears about Flash.

The risk of drive-by malware attacks is simply too high with Flash. All it takes is for one malicious Flash based advert to be sneaked onto a site, and any visitor with a Flash browser plugin enabled could be automatically infected.

Even with the 78 vulnerabilities now addressed, Adobe Flash is far from secure. In fact, even the early December mega patch was not enough. Adobe was forced to issue yet another update on December 28 to address a number of new critical security vulnerabilities that had been uncovered. The total number of Flash security vulnerabilities addressed in 2015 is now estimated to be 316.

With YouTube ditching Flash and Facebook Flash video no more, the demise of Adobe Flash has surely been hastened.

Ad Injection Software Risk Addressed by Microsoft

The Superfish scandal discovered to affect purchasers of new Lenovo laptops last year showed that ad injection software poses considerable risks to users. Ad injection software risk cannot be easily managed. Even brand new laptops can come installed with software designed to deliver ads to users.  Unfortunately, programs such as Superfish can also be used by hackers to conduct man-in-the-middle attacks.

Hackers can potentially exploit security vulnerabilities in ad injection software. In the case of Superfish, the software was pre-installed on Lenovo laptops. In order to serve ads, the software used a self-signed root certificate that generated certificates for secure HTTPS connections. The software substituted existing HTTPS certificates with its own in order to serve ads to users while they browsed the Internet. Unfortunately, if the password for ad injection software is discovered, as was the case with Superfish, HTTPS connections would no longer be secure. Hackers would be able to eavesdrop and steal user data.

Man-in-the-middle (MiTM) techniques are increasing being used to serve adverts while users browse the Internet, but the ad injection software risk of hackers taking advantage is considerable. The software is capable of network layer manipulation, injection by proxy, and can alter DNS settings. These techniques are used to serve adverts, but this is outside the control of the browser and the user.  Since these programs can be manipulated and exploited by hackers they also pose a considerable security risk, and one that the user is unable to easily address.

Microsoft takes action to reduce ad injection software risk

The ad injection software risk is considerable, so much so that Microsoft is taking action to tackle the problem. By doing this, Microsoft will hand back choice to the user. The company has updated its criteria for determining what software qualifies as Adware, and has recently announced it will be taking action to reduce risk to users and prevent unwanted behavior by Adware.

Rather than the manufacturer of the equipment or developer of the Adware program dictating the browsing experience for users, Microsoft will be handing back control to the user. Microsoft’s policies now demand that “programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.”

Not only will Superfish-style programs be banned by Microsoft, by March 31, 2016 any programs that are detected will be detected and removed.

School Web Filters to Become Mandatory Under New Proposals

With Internet use increasing in schools the UK government has taken the decision to make school web filters mandatory. The government has previously recommended that schools implement web filtering solutions, although many schools have not taken action to curb and monitor Internet use in classrooms. Consequently, children are still able to access adult and other potentially damaging content.

The government is now going to get tougher on schools and will introduce legislation to force primary and secondary schools to filter online content. From September 2016, primary and secondary school children must also be educated about online safety.

How School Web Filters Make the Internet Safer for Kids

The main aim of mandatory school web filters is to prevent them from accessing online pornography at school and other potentially damaging content. The move will make it harder for religious extremists to radicalize children and it is hoped that the implementation of school web filters will help to reduce instances of cyber-bullying.

Some evidence has emerged that shows UK school children who have tried to leave the country, or have travelled to Syria, have been able to access information about Daesh/IS from school computers. Ministers believe that action must be taken to prevent such material from being viewed at school, but to also identify individuals who are attempting to access such material. Greater efforts can then be made to tackle the issue before it is too late. Children must also be educated more about how to stay safe when using social media websites such as Facebook, Twitter, Snapchat, and Instagram.

Proposals were published last week on the introduction of new measures to curb Internet usage in schools, which will include school web filters but also monitoring systems to identify individuals who are attempting to access illegal, dangerous, or inappropriate content. There is also concern that individuals will try to access the same material at home. To tackle that issue, the Department of Education has drafted new guidance for parents to help them keep their children safe at home.

School web filters will prevent all adult content from being accessed from any computer connected to a school network. Websites known to promote IS could also be blocked, along with other potentially harmful content. Children must be allowed Internet access at school as it is now an essential part of their education, but they must only be permitted to use the Internet responsibly. Greater efforts must be made to prevent children from being exploited, radicalized, groomed or recruited by extremists.

The new proposals are to be discussed over the next two months and a consultation will take place, after which the proposals will go to the vote. If adopted, enforcing school web filters will come under the remit of Ofsted.

Sky Implements Automatic Web Filtering to Block Online Pornography

School web filters are only one measure that is required to keep children safe. Protecting minors at home is another matter. Guidance can be given to parents, but that does not mean that all parents will read that information and take action to prevent inappropriate Internet usage at home. Sky Broadband is now planning to do its bit. From 2016, all new customers will be automatically prevented from accessing online pornography at home. New customers will be required to opt in rather than opt out if they want to view pornography. Any content with a rating of 13 years or above will also be automatically blocked until 9pm. At present, new customers are prompted to pick which elements of the Internet will be blocked by Sky web filters when they first access the internet.

Sky will also be backdating this new measure. A statement issued by Sky Broadband indicated this will be applied to all customers who have “joined since November 2013 and have not turned on Sky Broadband Shield”. According to Ofcom, only 30-40 percent of Sky customers have activated its web filter. Other broadband providers are being urged to follow suit. Currently only 6% of BT Broadband customers have implemented parental controls.

New EU Fines for Privacy Violations Up to 4 PC of Annual Sales

EU fines for privacy violations are likely to be issued to companies that fail to implement security measures to prevent their customers’ data from being stolen by cybercriminals. EU fines for privacy violations can be substantial, although the watchdogs that are able to issue them are limited. That is all about to change. The European Union has taken decisive action and will be penalizing companies that do too little to protect their customers.

EU fines for privacy violations apply to any company doing business in EU countries

Last week, negotiators met up in Strasbourg, France, and signed a new deal that will change data protection laws in the EU. It has taken some time for this update to take place, having first been discussed four years ago. There has been much debate about the level to which companies should be held responsible for data breaches, although finally all sides have come to an agreement that better protects consumers, make businesses more responsible, and will not interfere with efforts to bring cybercriminals to justice.

The changes to the law will ensure that more companies are held accountable for their lack of security controls. With the threat of cyberattacks increasing, and a number of major attacks suffered by companies over the past few years, an overhaul of data protection laws in Europe was long overdue.

Current legislation is somewhat patchy, offering limited protection for consumers. Companies in some industries can be fined up to 1 million Euros for privacy violations and the exposure of customer data, while others are allowed to escape without penalties.

The new EU fines for privacy violations will not have a fixed limit. Fines for businesses who are hacked or otherwise expose customer data will be as high as 4% of a company’s global annual sales. The aim of the new law change is to give companies a considerable incentive to invest in cybersecurity protections to keep their customers’ data secure, and improve consumer trust.

The law changes will also require companies doing business in any of the European Union’s 28 member states to disclose data breaches that have exposed consumer data. While privacy groups have welcomed the changes, business groups have not been quite so complimentary.

New EU fines for privacy violations to come into effect in 2018

According to EU Justice Commissioner Vera Jourova, “These new pan-European rules are good for citizens and good for businesses.” She also pointed out in a statement issued after the announcement of the conclusion of the negotiations that consumers and businesses stand to “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”

It will take a further two years for the new laws to come into effect, with the new EU fines for privacy violations expected to start being issued in 2018.

End User Security Risk Being Addressed According to 2015 Security Study

A recently published 2015 security study has shown cyberattacks are pervasive and are likely to be suffered by virtually all organizations. However, IT security professionals have been taking proactive steps to reduce end user security risk and have also implemented better cybersecurity solutions to keep networks secure. Consequently, they feel much better able to deal with 2016 security threats.

New 2015 security study indicates 80% of organizations have suffered a security incident this year

Optimism appears to be high and many organizations believe they will be able to prevent security incidents from being suffered in 2016, which is great news. Unfortunately, that does not appear to have been the case this year. According to the Spiceworks study, 80% of respondents suffered a security incident in 2015.

Even though 8 out of ten organizations admitted to being attacked this year, they do feel they will be better able to deal with whatever 2016 has in store. Seven out of ten respondents said they would be better equipped to deal with cybersecurity attacks in 2016.

The reason for the optimism is an increased investment in both cybersecurity solutions and the provision of further training to members of staff. A more security conscious workforce means it will be much easier to prevent security breaches caused by malware infections, phishing attacks, and ransomware.

The study indicated that 51% of companies were attacked by malware this year, while 38% suffered phishing attacks. Ransomware is a cause for concern and threats have been reported extensively in the media, yet only 20% of companies actually suffered a ransomware infection.

Theft of corporate data only suffered by 5% of companies

There have been numerous reports of data breaches being suffered in 2015, and hackers have been able to steal corporate data and tens of millions of consumer records, yet the survey indicates only 5% of respondents actually suffered data theft this year. 12% of companies reported instances of password theft during 2015. That said, it is still a major cause of concern. 37% of respondents said they were still worried about the theft of data and passwords.

End user security risk main cause for concern among IT security professionals?

The study revealed what is keeping IT security professionals awake at night, and for the vast majority it is the threat posed by end users. IT security professionals can invest heavily in security defenses to keep hackers at bay, yet all the effort can be undone by the actions of a single employee. 48% of respondents were concerned about end users installing software on their work devices or the use of unauthorized technology.  80% claimed the biggest data security challenge was reducing end user security risk.

IT security pros also rated devices by the level of risk they posed to network security.

Riskiest network connected devices:

  • Laptops: 81%
  • Desktops: 73%
  • Smartphones: 70%
  • Tablets: 63%
  • IoT Devices: 50%

Measures have been taken to reduce end user security risk

IT security professionals are well aware that it can be a nightmare preventing end users from doing stupid things that result in their devices and corporate networks being compromised. Fortunately, they have realized there is a very simple and effective proactive step that can be taken to reduce end user security risk. That is to provide staff with security training.

The IT department can implement a wide range of sophisticated defenses to prevent security incidents, but if end users install malware on the network, respond to a phishing campaign, or give their login credentials out to a scammer, it will all be for nothing.

Respondents realized there is no use complaining about the risk that end users pose. Action must be taken to reduce end user security risk. By providing training on current threats and network security risks, the staff can be empowered to take action to keep their network secure.

Training employees to be more security conscious and instructing them how to identify scams and avoid malware is a highly effective strategy for reducing network security risk. The study revealed that 73% of IT security professionals have enforced end user data security policies and regular end user security training is now being provided by 72% of IT security pros.

Healthcare Phishing Emails Can Result in Business Crippling Fines

In the United States, healthcare phishing emails are being sent in increasing volume by cybercriminals looking for an easy entry point into insurance and healthcare providers’ networks. Healthcare employees are now being targeted with spear phishing emails as they are seen to be the weakest link in the security chain, resulting in HIPAA compliance breaches.

It is after all, much easier to gain entry to a healthcare network or EHR system if malware is installed by nurses, physicians, or administrative staff than it is to find and exploit server and browser security vulnerabilities. It is even easier if a member of staff can be convinced to divulge their email account or network login credentials. Hackers and cybercriminals are devising more sophisticated healthcare phishing emails for this purpose.

Clever healthcare phishing emails could fall any number of staff members

Even well trained IT security professionals have been fooled into responding to phishing scams, so what chance do busy physicians, nurses, and members of the billing department have of identifying healthcare phishing emails?

According to the Department of Health and Human Services’ Office for Civil Rights (OCR), employers will be held responsible if their staff fall for a phishing email, unless they have taken proactive steps to reduce the risk of that occurring.

This week, OCR announced it arrived at a settlement with University of Washington Medicine for a 90,000-record data breach that occurred as a result of staff falling for healthcare phishing emails. The settlement involved UWM paying OCR $750,000.

Small to medium-sized healthcare organizations could also be fined for members of staff accidentally installing malware. UWM may be able to cover such a substantial fine, but the average 1-10 physician practice would be unlikely to have that sort of spare cash available. Such a penalty could prove to be catastrophic.

Why was such a heavy fine issued?

The issue OCR had with UWM was not the fact that a data breach was suffered, but that insufficient efforts had been made to prevent the breach from occurring. U.S. healthcare legislation requires all healthcare organizations to conduct a comprehensive, organization-wide risk assessment to identify potential security vulnerabilities. In this case, University of Washington Medicine had not done this. A risk assessment was conducted, but it did not cover all subsidiaries of the organization, in particular, the medical center whose employee was fooled by the phishing email.

Healthcare phishing emails are such a major data security risk that efforts must be made to reduce the risk to an acceptable level. Had a risk assessment been conducted, the phishing risk would have been identified, and action could have been taken to prevent the breach.

OCR would not expect organizations to always be able to prevent employees from responding to healthcare phishing emails. OCR does expect healthcare organizations to make an effort to reduce risk, such as advising staff members about the threat from healthcare phishing emails, in addition to providing basic data security training at the very least.

Addressing the data security risk from healthcare phishing emails

Since the risk of cyberattack via phishing emails is considerable, healthcare organizations of all sizes must take proactive steps to mitigate the risk of employees falling for the email scams. Staff members must be informed of the very real danger from phishing, and the extent to which cybercriminals are using the attack vector to compromise healthcare networks.

They must be told to be vigilant, as well as being instructed what to look for. Training on phishing email identification must be provided, and in order to satisfy auditors, a signature must be obtained from each member of stall to confirm that training has been received.

Staff members should also have their ability to identify healthcare phishing emails put to the test. They should be sent dummy phishing emails with email attachments and fake phishing links to see if they respond appropriately. If they respond incorrectly after training has been provided, further help with phishing email identification must be given. These processes should also be documented in case auditors come knocking.

Due to the considerable risk of a healthcare phishing attack, and the ease at which networks can be compromised, additional protections must also be employed.  Small to medium-sized healthcare organizations that can ill afford a regulatory fine should make sure automated anti-phishing solutions are put in place.

These protections do not need to be expensive. There are cost effective solutions that can be employed that will reduce risk to a minimal and acceptable level. If training is provided and anti-phishing controls have been employed, OCR and other regulatory bodies would be less likely to fine an organization if a phishing-related data breach is suffered.

Deven McGraw, OCR Deputy Director for Health Information Privacy, recently pointed out that it is not possible to totally eliminate risk, but it is possible to reduce risk to an acceptable level. That is what OCR wants to see.

Automated solutions to reduce risk from healthcare phishing emails

To reduce the risk of members of staff responding to phishing campaigns, a powerful email spam solution must be implemented. Anti-spam solutions such as SpamTitan are cost-effective, easy to configure and maintain, and will block 99.98% of all spam emails. If phishing emails are not delivered, staff members cannot respond to them.

An anti-spam solution will not stop members of staff visiting malicious websites when surfing the Internet. Links to these malicious websites are often located in website adverts, on legitimate sites that have been hijacked by hackers, or contained in social media posts. To protect networks from these attack vectors, a web filtering solution should be employed.

WebTitan blocks users from visiting sites known to host malware. The anti-phishing solution can also be used to restrict Internet access to work-related websites. This will greatly reduce the risk from drive-by malware downloads and phishing websites.

Access rights can be configured on an organization-wide level to block malware-hosting sites. Group level privileges can be set to prevent social media networks from being accessed, for example. This control allows certain groups to have access to social media networks for work purposes, while reducing risk that comes from personal use. Individual access rights can also be set if required.

Summary

Provide training to the staff, block email spam and phishing emails from being delivered, and implement a web filter to manage web-borne risks, and not only will it be possible to keep networks and email accounts secure, heavy regulatory fines are likely to be avoided.

Data Breach Predictions: 25% of World Population Will Have Data Exposed by 2020

The latest data breach predictions by IDC analysts do not make for pleasant reading. If the data breach predictions turn out to be true, 1.5 billion individuals will be affected by data breaches in the next 5 years.

Companies being targeted by cybercriminals looking to steal consumer data

U.S. companies are being increasingly targeted by foreign cybercriminals. European businesses are similarly suffering more cyberattacks. In fact, companies all over the world are being attacked by criminals looking to gain access to consumer data. It is now no longer a case of whether a data breach will be suffered. It is now just a case of when a data breach will occur.

Companies must therefore be prepared. They must implement a host of security defenses to prevent cyberattacks from occurring, and need to make it harder for hackers and other cybercriminals to gain access to sensitive data. Failure to take action and implement multi-layered cybersecurity defenses will see a data breach suffered sooner rather than later. A breach response plan must also be devised to limit the damage caused when an attack is successful.

Data breach predictions for the next 5 years

The number of data breaches being suffered by companies all around the world has grown considerably in recent years, and the situation is unlikely to change. Based on the current levels of attacks, and the volume of data now being stolen by cybercriminals, IDC analysts made some bleak data breach predictions this month.

They expect that by the year 2020, a quarter of the world’s population will have had data exposed as a result of cyberattacks. That’s 1.5 billion individuals!

IDC also predicts that consumers will increasingly take action when their data are exposed. In fact, we are already seeing consumers boycott brands that have suffered major cyberattacks. Many consumers who previously shopped at Target for instance, have switched retailers following the massive data breach suffered in 2013.

In the UK, many consumers are switching broadband and mobile phone provider after TalkTalk was hacked by a group of teenagers this year. In the United States, there has been considerable fallout as a result of the massive data breaches suffered by Anthem Inc., and Premera Blue Cross. Customers have switched their health insurance to companies that they believe will take better care of their health data.

Data Breach predictions for healthcare organizations

Many cybercriminals have switched from targeting retailers for credit card data to healthcare providers and insurers for Social Security numbers and health information. The value of health data is much higher than credit card information. Once a credit card has been stolen, consumers rapidly shut down their accounts. Credit card companies are on the lookout for suspicious activity and block cards quickly. Healthcare data and Social Security numbers on the other hand can be used for months or even years before identity theft and fraud are discovered. Cybercriminals can use healthcare data and SSNs to defraud individuals and obtain tens of thousands of dollars before fraud is even detected.

The value of healthcare data, combined with the relatively poor defenses put in place by many healthcare organizations, has seen cybercriminal activity increase. The volume of healthcare data breaches has grown considerably over the past few years. Those data breaches are unlikely to stop in the foreseeable future. IDC’s healthcare data breach predictions for next year are bleak. Its analysts expect one in three Americans to have their healthcare data stolen in 2016.

113 million healthcare patients had their data exposed in 2015

The company’s data breach predictions are unlikely to be far off the mark. According to figures from the United States Department of Health and Human Services’ Office for Civil Rights, the agency charged with policing healthcare organizations, over 154 million healthcare patients and health insurance subscribers have had their healthcare data exposed since data breach reports were made public in 2009.

Almost 113 million of those healthcare records were exposed this year. That’s 73% of the total number of breach victims created in the last 7 years! If anything, IDC’s healthcare data breach predictions are overly conservative!

Twitter Cyberattack Prompts Warning of Government-Backed Hacking Campaign

A Twitter cyberattack has prompted the social media network to issue warnings to some users of the social media site. It would appear that attackers have attempted to gain access to the accounts of a limited number of individuals, but those attacks do not appear to have resulted in a breach of user data.

Twitter cyberattack prompts warnings to be sent to site users

The warnings appear to have only been sent to certain United States based users of the website. The emails warn users that foreign government-backed hackers are targeting the site and are attempting to steal user data. According to the warnings, user account data is not believed to have been obtained and, if it has, only a small amount of personal data would have been revealed.

Twitter has offered some suggestions to any users that have been targeted to allow them to take action to reduce risk. They have been told they can switch to the Tor network to access their accounts, or it was suggested they tweet under a pseudonym.

It would appear that the attackers responsible for the Twitter cyberattack are attempting to get the phone numbers, email addresses, and IP addresses. It is conceivable that the individuals were targeted to allow the hackers to send out tweets from the users’ accounts.

The warning alerted users to a “small group of attackers” who are targeting the site. If another Twitter cyberattack is attempted, the social media site will send out a warning email to advise the affected party or parties of the attempted attack.

Latest Twitter cyberattack appears not to be random

The Twitter cyberattack appears to have targeted specific users of the website. The individuals and companies that the attackers have targeted are security experts or activists. Coldhak, a not-for-profit company dedicated to improving privacy, security, and freedom of speech, was one of the organizations that the hackers attacked.

Twitter is currently conducting a full investigation into the attempted hacking of Twitter accounts. The warning indicates that the social media microblogging platform is being ultra-cautious and is alerting users as a proactive step to prevent a breach of customer data, as well as reducing the potential damage caused by an attack.

Both Facebook and Google have recently sent out warnings to users of their services alerting them to suspicious account activity. Those warnings alerted users to activity by foreign government-backed hacking groups. It would appear that Twitter is taking a leaf out of their books.

This is not the first Twitter cyberattack of course. In February 2013, Twitter reset the passwords of 250,000 users after hackers compromised accounts and gained user names, passwords, and other sensitive data. In 2010, the social media site was attacked and Japanese users of the site were directed to porn websites when attempting to access their Twitter accounts.

Retail Industry Cybersecurity Risk is Seriously Underestimated

According to the latest cybersecurity report from Osterman Research, retail industry cybersecurity risk is being seriously underestimated. There is false confidence in cybersecurity protections, and the risk of consumer and business data being exposed is considerable.

Assessing retail industry cybersecurity risk

The retail industry cybersecurity risk assessment was conducted on 125 large retailers during the month of November. The report indicates that even though security vulnerabilities have been identified, the retail industry is not taking the necessary steps to deal with those risks.

Many security holes remain unplugged. In particular, risks associated with temporary workers are not being dealt with. Retailers bring in temporary workers at busy times such as in the run up to Christmas. However, they are introducing a considerable amount of risk when the do so because they are not monitoring the activity of those workers effectively. Many actually believe they are – which is even more worrying.

Temporary workers are often provided with login credentials which are shared instead of giving each temporary worker a separate login. This eases the administrative burden on the IT department. Why create hundreds of new logins that will only be required for a short period of time? Simply give those workers low level privileges and any risk that is introduced will be minimal. Unfortunately, that may not necessarily be the case.

The study showed that 61% of temporary retail floor workers were using shared logins. It is not known whether this is a short cut taken and the risk is known, or whether retailers are unaware of the dangers that the activity involves. Even temporary workers must be given access to some data assets, yet it is impossible for some retailers to identify assets that each of those workers are accessing.

Furthermore, it is not only temporary workers that are being allowed to share login credentials. 21% of permanent workers are also sharing their login credentials.

Retail industry cybersecurity risk is being seriously underestimated

The research indicates that 62% of retailers believe they know everything their permanent workers are doing, and 50% claimed to know what data their temporary workers are accessing. Worryingly, when asked if their IT departments can identify specific systems that individual permanent employees have accessed, 92% said they could. This is clearly not the case in reality.

The study indicated that 70% of retailers gave access to corporate systems to permanent members of retail floor staff. 7% said that permanent workers had accessed systems they were not supposed to and 3% said temporary workers had done the same.

Those figures may actually be much higher as 14% of respondents didn’t know if their permanent workers had inappropriately accessed data. 26% couldn’t tell if their temporary workers were accessing data they shouldn’t. Given the potential gains to be made from gaining access to retail networks, criminals may even be tempted to take a holiday job simply to access to retail systems.

Security awareness training is also not being provided frequently enough. 60% of respondents only conducted training once or twice a year. If workers are not being kept abreast of the retail industry cybersecurity risk, they will not be able to take action to reduce that risk.

Even with the major data breaches and cyberattacks that have recently been suffered by major U.S. retailers, security vulnerabilities persist. Unfortunately, it would appear that retail IT professionals actually appear to believe they are doing a good job. If the measure of how well retail industry cybersecurity risk is being managed is whether or not a retailer has suffered a major data breach, then the industry is in pretty good shape. Unfortunately for the retail industry, if risk is not effectively managed, data breaches are likely to be suffered sooner rather than later.

Cryptowall 4.0 Ransomware Now in Angler Exploit Kit

Just over a month ago, researchers at Heimdal identified Cryptowall 4.0 ransomware; the latest incarnation of the nasty malware first discovered in September 2014. Since then, the malware has been further developed, with the third version discovered in January 2015.

Now, Cryptowall 4.0 ransomware is threatening consumers and businesses alike. The latest version of the malware is even sneakier and more difficult to detect, and its file encryption goes much further. To make matters worse, Cryptowall 4.0 ransomware has been packed into the Angler exploit kit, making it easier for the vicious malware to be downloaded to devices.

The Angler exploit kit takes advantage of vulnerabilities in browsers, making drive-by downloads possible. Any organization that has not installed the latest browser and plugin updates is at risk of having its files encrypted.

Cryptowall 4.0 ransomware – The malware keeps on evolving to evade detection

Last month, the Cyber Threat Alliance released new figures on the cost of Cryptowall infections. The criminals behind the malware have so far managed to extort $325 million from victims around the world. The latest version of the ransomware will see that extortion will continue. The bad news is, the latest version is likely to result in a much higher rate of infection. The money being ‘requested’ has also increased. Victims are no longer being asked for $300 to unlock their files. They are being urged to pay out $700 to unlock their files and keep their systems protected.

Victims are given less choice with the latest version of the malware. Not only will their files be encrypted, in order to make it harder for victims to restore encrypted files from backups, the latest version also encrypts filenames. The aim is to confuse victims even more. It is, after all, hard to restore files if you don’t know which files need to be restored.

Angler exploit kit used to infect computers with Cryptowall 4.0 ransomware

The Angler exploit kit is particularly nasty. First of all, it is not only Cryptowall 4.0 ransomware that will be installed. Visitors to malicious websites will have a host of malware installed on their computers. The network security threat is therefore considerable.

First of all, victims have to deal with Pony. Pony is installed and gallops around gathering information. It will steal login credentials and transmit the data back to the hacker’s command and control center. Attackers are looking for more than just a $700 ransom. What they are really after is access to content management systems and web servers.

A redirect will result in Angler being dropped, which will identify security vulnerabilities that can be exploited. Angler can incorporate new zero-day vulnerabilities and has been designed to be particularly difficult to detect. Angler will then install Cryptowall 4.0 ransomware.

Greater need to install a powerful web filter to prevent infection

Unfortunately, the use of the Angler exploit kit means end users do not need to download and install Cryptowall 4.0 ransomware manually – or open a malicious email attachment. Drive-by downloads will install the malware automatically if the user visits a website infected with malicious code.

Organizations can spread the news of the latest incarnation of Cryptowall to the workforce, and issue instructions to end users to instruct them to take greater care. However, since casual Internet surfing could result in computers being infected, greater protection is required.

Some end users will take risks and will ignore instructions. It is therefore a wise move to install software solutions to minimize the risk of infection by drive-by downloads. The cost of doing so will be much lower than the cost of dealing with multiple Cryptowall 4.0 ransomware infections.

WebTitan web filtering solutions are an ideal choice. They offer system administrators a host of powerful controls to prevent end users from visiting malicious websites and unwittingly infecting computers and networks. The software offers highly granular controls, allowing individuals or groups to have Internet access controlled. Protection against malware can be vastly improved without impacting critical business processes. WebTitan allows sys admins to block web adverts from being displayed, limit access to social media networks and certain website types, as well as sites known to contain malware and malicious code.

The inclusion of Cryptowall in the Angler exploit kit makes the installation of a web filtering solution less of an option and more of a necessity.

Essential security controls to reduce the risk of a Cryptowall 4.0 infection:

Conduct regular backups of your data – If you are infected, you must be able to restore all your files or you will have to pay the ransom.

Never store usernames and passwords on a computer – These can be read and transmitted to hackers.

Do not open unfamiliar email attachments – Even if an attachment looks safe, unless you are 100% sure of its authenticity, do not download or open it.

Install a spam filtering solution – make sure all email spam is quarantined and not opened.

Keep anti-virus solutions up to date – Virus definitions must be 100% up to date. Ensure that an AV solution is used that will detect Cryptowall 4.0 ransomware.

Install patches as soon as they are released – Your system must be kept up to date. It will be scanned for vulnerabilities that can be exploited.

Cost of Phishing Attacks Highlighted by Target Data Breach Settlement

The true cost of phishing attacks is difficult to calculate accurately, but the recent Target data breach settlement gives an indication of just how costly phishing attacks can be. The U.S. retailer has recently agreed to pay $39.4 million to resolve class-action claims made by banks and credit unions to recover the costs incurred as a result of the 2013 target data breach.

The claims were made to try to recover some of the cost of re-issuing credit and debit cards to the 40 million or so customers that had their data stolen by hackers. The banks were also required to issue refunds to customers whose credit or debit cards had been fraudulently used after the 2013 Target data breach.

The Target hack was financially motivated. The perpetrators of the crime sold data or fraudulently used credit card information and the personal details of customers. Approximately 110 million customers of Target may have suffered financial losses or had their identities stolen as a result of the 2013 Target data breach.

The settlement will see Mastercard retailers paid $19.11 million, while $20.25 million will be paid to credit unions and banks. This is not the only Target data breach settlement reached this year. The retailer agreed to pay Visa card issuers $67 million in the summer, bringing the total card issuer settlement to $106.4 million; more than the $100 million paid Visa and Mastercard issuers by Heartland Payment Systems Inc. Heartland suffered a massive data breach in 2008 that exposed 100-million+ credit card numbers. The company had to pay out around $140 million in total to resolve the breach.

The True Cost of Phishing Attacks

The settlement could have been considerably higher. Target’s figures suggest that approximately 40 million credit card numbers were stolen by hackers in 2013. The settlement is therefore lower than $1 per credit card number exposed.

In addition to paying $10 million to customers, Target also had to cover the cost of implementing a swathe of additional security measures after the cyberattack to prevent similar attacks from being suffered. One of the most expensive measures was the introduction of microchip-enabled card readers in its nationwide stores.

Then there was the damage to the company’s reputation. Many consumers have stopped using Target and have switched to other retailers. The total cost of the 2013 data breach may not be known for some months or years.

The 2013 Target data breach started with employees responding to phishing emails. Those employees did not even work for Target, at least not directly. The individuals who fell for the phishing scam worked for a contractor: an HVAC company used by the retailer.

Small to Medium Sized Businesses Face a High Risk of Phishing Attacks

Heating, ventilation, and air conditioning subcontractor, Fazio Mechanical Services, was the company hackers used to gain access to Target’s network. Login credentials were stolen from the company that allowed the attackers an easy route into Target’s network.

Organizations often give limited network access to subcontractors to allow them to remotely access IT systems, either to perform maintenance, firmware or software upgrades, monitor performance, or check energy consumption and tweak systems.

If hackers can break through the defenses of the smaller companies, they can steal login credentials that will allow them to gain a foothold that can be used to attack the systems that subcontractors remote into. That is where the big prize is: a database containing hundreds of thousands – or even millions – of confidential records.

Don’t Cover the Cost of Phishing Attacks: Pay for Anti-Phishing Solutions!

Regardless of the size of your organization, it is essential to put protections in place to make it as hard as possible for hackers to penetrate defenses. Phishing is one of the commonest techniques used to steal login credentials, so it is therefore essential that controls are put in place to limit phishing risk.

Anti-phishing measures include anti-spam solutions that block phishing emails from being delivered to inboxes. If malicious attachments are identified and quarantined, less reliance is placed on staff to spot phishing campaigns. Not all attacks come via email. Malicious websites may be visited by employees and malware can be downloaded. Implementing a web filtering solution will help employers to manage phishing risk and prevent these websites from being visited by the staff. Malicious adverts can also be prevented from being displayed to employees. They are increasingly being used by hackers to direct people to phishing sites.

The cost of phishing attacks is considerable, but those attacks can often be blocked. It is much more cost-effective to implement anti-phishing solutions than to cover the cost of phishing attacks when they do occur; and occur they will.

Point of Sale Malware Threatens U.S. Retailers

Point of sale malware is not new. Cybercriminals have been using point of sale malware to steal credit card numbers from consumers for many years. Unfortunately for retailers, the threat of POS malware is growing. Highly sophisticated malware is being developed and used to obtain a wealth of information from retailers about their customers. That information is being used to commit identity theft and fraud. POS malware is also being used to obtain corporate data.

Point of Sale Malware – The biggest data security threat for retailers

Retailers are at risk of having point of malware installed throughout the year, but in the run up to Christmas the threat is greatest. It is the busiest time of year for shopping and hackers and other cybercriminals step up efforts to get their malware installed. Hackers are hoping for another big payoff before the year is out, and they are likely to get it.

Over the Thanksgiving weekend, some of the most sophisticated malware ever seen was discovered. In some cases, the point of sale malware had been blocked. Many retailers were not so lucky. Unfortunately, identifying malware once it has been installed can be incredibly difficult, especially with the latest ModPOS malware. It is already responsible for providing millions of credit card numbers to hackers, and has caused millions of dollars of damage. The full extent of the infection is not yet known due to the stealthy nature of this new malware.

ModPOS – The most worrying point of sale malware to be seen to date

The new malware has been named ModPOS – short for Modular Point of Sale malware – and it is particularly dangerous, stealthy, and fiendishly difficult to identify once installed. Security experts have been surprised at the level of sophistication. An incredible amount of skill was required to produce malware as complex as ModPOS. It shows the level that criminals will go in order to obtain data and avoid detection.

The malware has been developed to make it exceptionally difficult to identify, and it has clearly been designed with persistence in mind. Once installed, it can perform a wide range of functions; not only serving as a keylogger and card reader, but also a tool for network reconnaissance. It is not just large U.S. retailers that will be affected. This point of sale malware may be used to infect multiple targets. If protections are not put in place to prevent infection, the potential for damage is considerable.

Security analysts first saw elements of this POS malware three years ago, but it has been subsequently developed further. It is difficult to even estimate the extent of infection due to the nature of the malware. The level of obfuscation is impressive.

It has taken some of the world’s leading cybersecurity analysts a considerable amount of time to identify this point of sale malware, and even longer to reverse engineer it. It is, to put it simply, the most complex and sophisticated point of sale malware ever discovered. iSight Partners’ senior director Steve Ward has been reported as saying it is “POS malware on steroids.” ModPOS is the result of an extraordinary amount of time, money, and development. Every aspect of the malware has been painstakingly developed to avoid detection. Every kernel driver is effectively a rootkit.

Investment by criminals in this malware is unprecedented but, then again, the rewards for that investment are likely to be as well. If a major retailer is infected, and many will be, every one of their customers’ data could potentially be obtained. The potential gains for investors in the development of this malware are likely to be off the chart.

Highly functional malware that reads cards, steals corporate data, and much more

The malware can act as a keylogger, recording all data entered by employees. It will serve as a card scraper and will read the credit and debit card details of every customer who pays via point of sale systems. The malware will simply read the card details from the memory. Even EMV terminals may not offer protection.

Data are exfiltrated to hackers’ command and control centers, but it is not even clear what data are being transmitted. The malware encrypts each transmission twice, with 128 bit and 256-bit encryption. As if that wasn’t enough, the data of each customer require a different security key to decrypt them.

The shell code used is virtually a full program in itself. According to one iSight security expert, the shell code contained approximately 600 different functions. And that is just one piece. There are many more than one in this malware. All of the different modules operate in kernel mode, making them exceptionally difficult to identify. Furthermore, the malware is not being sold via darknet marketplaces. It is being kept secret and used by the criminal gang that paid for its development. The gang behind ModPOS has effectively paid for a license to print money.

The methods being used to distribute this point of sale malware are not known, and there is no fix for the threat actor. At the present time, there is a high risk of infection, and no single defense mechanism that can be employed to prevent an attack. So far, approximately 80 major retailers have been warned to be on high alert.

Reducing the risk of point of sale malware infections

Since the threat actor is not known, retailers and other organizations should be ultra-cautious and supplement their defenses to prevent attacks from being successful. Additional measures to enhance security include:

Conversion to EMV terminals – If data is not encrypted it can be read by the malware. The memory must also be encrypted, not only stored data.

Protect all systems, not just POS – The malware contains many modules, and its full capabilities are not fully known. It is not just credit card details that are at risk. All corporate data must be protected.

Implement email filtering solutions – The malware may be delivered via spam and bulk email. Infected attachments and phishing links may be used. It is essential that robust anti-spam solutions are implemented to prevent infection.

Web filtering is essential – The executable file responsible for installing the malware must not be downloaded to any device. Blocking known malware websites and potentially malicious website adverts will help to reduce the risk of ModPOS attacks.

Instruct staff to be highly vigilant – Regardless of the software systems used to improve security defenses, employees will always be a weak link. Staff should be trained and warned to be ultra-cautious, and instructed how to spot potentially malicious emails, websites, and phishing campaigns.

Kaspersky Lab Makes Web Security Predictions for 2016

Kaspersky Lab has made a number of web security predictions for 2016, alerting IT security professionals to what the company’s security experts believe next year has in store. The company has listed some of the biggest security threats that are expected over the coming year.

Kaspersky Lab is one of the leading anti-virus and anti-malware software developers, and is a supplier of one of the two AV engines at the heart of WebTitan Web filtering solutions.

The Kaspersky web security predictions for 2016 include opinions gained from over 40 of the company’s leading experts around the globe. The web security predictions for 2016 can be used by IT professionals as a guide to where the next cyberattack could come from.

The Biggest Cyberattacks of 2014 and 2015

Last year saw numerous high profile attacks on some of the world’s best known brands. Around this time last year, Sony was hacked and its confidential data was posted online, causing much embarrassment and considerable financial loss. Some of the biggest names in retail in the U.S. were attacked in 2014 including Target and Home Depot.

The start of this year saw attention switch to health insurers. In February, Anthem Inc. was attacked. The records of 78.8 million insurance subscribers were stolen. News of a cyberattack at Premera BlueCross closely followed. 11 million subscriber records were compromised in that attack. Later in the year, Excellus BlueCross BlueShield discovered hackers had potentially stolen the records of approximately 10 million subscribers. Healthcare providers were also hit. UCLA Health System suffered a data breach that exposed the records of 4.5 million patients.

The U.S. Government was also targeted this year. The Office of Personnel Management was hacked and, while the perpetrators have not been identified, the attackers are believed to be government-backed hackers based in China. Over 22 million records were potentially stolen in that cyberattack. The IRS was also hacked and 300,000 individuals were affected.

37 million highly confidential records were obtained from internet dating website Ashley Maddison, and Hacking Team – a somewhat controversial provider of spyware – was also hacked. 40 GB of its data was dumped online for all to see.

Many of these attacks were highly sophisticated, but were made possible after employees fell for spear phishing emails.

Web Security Predictions for 2016

Hackers have been developing ever more sophisticated methods of breaking through security defenses to gain access to confidential data, to sabotage systems, or to hold companies and individuals to ransom by taking control of their data. Phishing and social engineering techniques are often used. While these are likely to continue, Kaspersky Lab experts believe hackers are likely to concentrate on stealthier techniques over the coming 12 months. The company’s experts believe there will be a growth in silent attacks that are difficult for security professionals to detect. The main web security predictions for 2016 are listed below:

APT Attacks to come to an end

Advanced Persistent Threats have proved popular with hackers, yet Kaspersky believe these attacks will soon come to an end. Instead, hackers are expected to conduct more drive-by attacks using stealthy memory-based malware. Memory based malware is not downloaded but resides in the memory where it cannot be easily detected. While the injection of malicious code into the RAM of a computer could only previously be used for short term infections, new techniques have been developed that are capable of surviving a reboot. These are likely to grow in popularity over the coming year.

Off-the-shelf malware use to increase

Rather than criminals paying hackers to develop new exploits, there is expected to be an increase in off-the-shelf malware attacks. Instead of developing new malware from scratch, existing malware will be used and tweaked to avoid detection. There is no need to reinvent the wheel when malware exists that can be used or rented out cheaply. The malware will just be made stealthier and more difficult to detect.

Alternative payment systems will be targeted

Financial cyberattacks will continue, and banks and financial institutions will be targeted. Expect a rise in attacks on alternative finance providers and payment systems such as AndroidPay, SamsungPay and ApplePay.

No end to extortion and mafia-style tactics

Not all hackers are motivated by money. Kaspersky has predicted a rise in the number of hacktivist attacks, which aim to shame the rich and famous. Attacks will continue to be conducted on companies that have caused offense. The attack on Ashley Madison and the 2014 hacking of Sony being good examples. Some hackers will use the threat of publishing data to extort money from victims, others will just be keen to sabotage companies. The use of ransomware is also expected to increase, with companies large and small targeted with increasing regularity.

Amazon Data Breach Risk: Precautions Taken to Protect Customers

Under normal circumstances the Amazon data breach risk is kept to a minimal level. The global online retailer is estimated to have generated $38.42 billion in gross profits between September 2014 and September 2015, and such deep pockets mean the company can invest heavily in cybersecurity protections.

With a company as large as Amazon, excellent data breach risk management strategies are essential. The company is a huge target for cybercriminals and a successful cyberattack has potential to make a dent in its profits. If customer data are obtained by criminals, those customers may choose to buy from an alternative retailer in the future.

Amazon data breach risk discovered in time to prevent a successful hack?

This week, a security scare has forced the company to reset some users’ passwords. It is not clear whether a data breach has actually been suffered, but the retailer certainly believes the risk to be credible as Amazon passwords were not requested to be changed. The company forced a reset.

Amazon.com announced that this was “a precautionary measure” to prevent a cyberattack from occurring. The company believes passwords were “improperly stored” or had been transmitted to the company using a method that could “potentially expose [the password] to a third party.”

The company has sent emails to all affected account holders advising them that they will need to specify a new password when then next login. No announcement was made about the number of users affected.

This is not the first time that Amazon has had a major security scare. In 2010, hackers managed to break through its security defenses and compromised a number of user’s passwords. In that instance, users were warned that their accounts had been compromised.

The Amazon data breach scare could affect more than just your Amazon account

It is not clear whether passwords were actually obtained by a third party. Because of the doubt surrounding the reason for the forced change, any individual that receives an email telling them their password has been reset should also change their passwords on all other online accounts if the accounts can be accessed using the same password.

Many consumers share passwords across multiple platforms, but password sharing is inadvisable. Many online accounts use an email address as the login name. If a password is shared across platforms, one data breach could result in all user accounts being compromised.

Amazon data breach risk management: Two-factor authentication now added

One of the easiest ways to improve protection is to introduce two-factor authentication. Many companies only insist on one factor to authenticate users: A password. Two-factor authentication involves an additional element to verify that the person attempting access is the genuine account holder.

Many global companies have now introduced two-factor authentication; although some have only done this recently. In some cases, the additional security measure was deemed necessary after a data breach was suffered. Twitter being one of the best examples. Google uses two factor authentication for its accounts, as does Facebook. This month, Amazon data breach risk management policies were changed to include two-factor authentication on user accounts. It is not clear why it took the company so long to introduce this enhanced security measure. All users should add it, especially in light of this recent security scare.

Dell Root Certificate Security Flaws Discovered

You would think that a brand new computer would be secure, aside from requiring a few updates to software after being taken out of the box, but a Dell root certificate security flaw means even brand new Dell laptop computer could be compromised within seconds of being connected to the Internet. Understandably, corporate customers and consumers alike are in uproar over the eDellRoot certificate security flaw that was recently discovered.

The security flaw was revealed by Dell as part of the company’s remote assistance support service. In order for Dell to “streamline” support for users, the company installed a self-signed root certificate on at least two models of Dell laptop computers – the Inspiron 5000 series and the company’s XPS 15 laptop.

Unfortunately, the root certificate is installed in the Windows root store along with the certificate’s private key. Any individual with a modicum of technical skill could obtain the key and use it to sign fake SSL/TLS certificates. In fact, the key is publicly available on the internet so it is easy to obtain. This means that anyone using one of the aforementioned Dell laptops could visit a HTTPS-enabled website in the belief that the connection is secure, when in fact it may not be.

It would be possible for hackers to view data shared between the secure website and the Dell laptop. If the laptop is used to access a banking website via an open Wi-Fi network or the Internet is accessed via a hacked router, someone could listen in on that connection. Users could compromise their personal bank account information, passwords, or login credentials used to access their employer’s network.

Any company that has purchased either of the above Dell laptops could potentially be placing their entire network at risk. If a BYOD is in operation, personal Dell laptops are a huge risk to data security.

Not only could hackers eavesdrop on secure internet connections, it is possible that the Dell root certificate security flaw could be used to install malware on devices undetected. Since the certificate can be faked, it is possible that system drivers or software could be installed which fool the operating system into thinking they have come from a trusted developer. Even if a warning is issued, users may think it is safe to install a program because it appears to have been created by Dell.

Dell desktops, servers, and other laptops may contain the Dell root certificate security flaw

The extent of the problem is currently unclear, but the Dell root certificate security flaw may not be confined to two specific laptop models. All laptops, servers, and desktops sold by Dell could potentially be affected. The eDellRoot certificate is installed by Dell Foundation Services (DFS) and the application is not confined to the Inspiron 5000 and XPS 15 laptops. According to one source, the security flaw has also been found on the Dell Venue Pro. Dell says the root certificate was only installed on hardware since August 2015.

A few days after the discovery of the Dell root certificate flaw, another one was discovered by Duo Security. This certificate was only present on a small number of systems around the world, although that Dell root certificate was discovered on a SCADA (supervisory control and data acquisition) system.

It doesn’t end there. A third has been discovered. The DSDTestProvider certificate is installed by an application called Dell System Detect or DSD. This is not shipped with Dell hardware. Instead it is downloaded onto computers and laptops by users. If they visit the Dell support website they are asked to install the detection tool.

Dell Root Certificate Security Fix Released

Users are able to remove the eDellRoot certificate using a tool that has hastily been released by Dell. However, at the time of writing, there is no tool to remove the DSDTestProvider certificate. Any user of a Dell computer, server, or laptop should therefore keep up to date with eDellRoot and DSDTestProvider news and should check the Dell support website frequently for further information.

Extreme caution should be exercised when accessing apparently secure websites, and users should not access secure sites from open Wi-Fi networks until the Dell root certificate security flaw has been fixed.

According to ARS, security expert Kenn White was able to use the publicly available security key to create a secure HTTPS test site using the certificate. When he visited the site it flagged no warnings that the certificate could not be trusted when he used Internet Explorer, Microsoft Edge, and Google Chrome browsers. The only browser that recognized the certificate as being suspect was Firefox.

Watch Out for Fake Black Friday Deals

Are you prepared for the official start of Christmas shopping season? Will you be starting your Xmas shopping on Black Friday? If you can’t resist a bargain, and can’t wait until Cyber Monday, take care! There are many fake Black Friday deals being advertised and you may end up becoming a victim of an online scam.

Fake Black Friday deals aplenty

Black Friday follows Thanksgiving Day in the United States, and it officially marks the first day of the Christmas shopping season. It is also a day when online criminals try to take advantage of Christmas shoppers. There will be plenty of genuine bargains, as Black Friday discounts are offered by most major retailers. Unfortunately for shoppers, there are plenty of fake Black Friday deals being advertised online. Picking out the real deals from the fake ones is not quite as easy as it used to be. Scammers are getting good at creating highly realistic offers and fake websites. Furthermore, scammers are getting sneaky and have launched fake Android Apps, and are now sending texts containing phishing links and fake phone lines.

Fake Amazon app will steal your passwords, make calls, and send texts

One of the scams already being sent offers a golden opportunity: The chance to beat the online crowds and grab a bargain before everyone else. Download this app and you will get to the front of the virtual queue and get all the Amazon Black Friday deals, days early.

Instead of launching an Amazon app when you start it, after downloading the fake Amazon app it will launch an app called com.android.engine. If you grant permission, as many people who download the app will, you give the app permission to view virtually everything on your phone, make calls, send texts, and see the data you enter via your phone. Deleting the app will make no difference. To avoid this scam and others like it, only download apps from Google Play store; never from third party sites.

Beware of texts warning of suspicious account activity

Scammers may love email to deliver phishing links and malware-ridden attachments via email, but some are now resorting to text messages. Texts are sent warning of a security breach, account hack, or other need to call a support line. The number provided will be answered by a scammer who will attempt to relieve you of your credit card information or bank account details, or will attempt to gather information that can be used in a future phishing attack.

Fake stores offering fake Black Friday deals

Social media websites advertise amazing discounts and many fake Black Friday deals. Spam emails are sent in the millions with fantastic “too good to be true” offers. Many of these are fake Black Friday deals designed to get you to part with your credit card number. When browsing the Internet, you may have pop-up adverts appear with links to these websites or they may appear in Ad blocks on legitimate websites.

Some of these adverts will direct you to online stores that you may never have heard of; yet the discounts do tempt many visitors to make a purchase. Any goods ordered will not be received and credit cards will be charged repeatedly.

Before making any purchase, take a few minutes to verify the company’s identity, address, and location. Don’t be afraid to give the store a call. It is better to be safe than sorry.

Your order can’t be delivered

Next week you may receive an email telling you your order cannot be delivered. Your purchases are unlikely to be specified in the email, only a link to the delivery company’s website. You will be asked to make alternative arrangements to collect your order or provide an alternative date when you will be home.

The links direct users to phishing websites aimed at getting visitors to divulge sensitive information. Delivery receipts and invoices are also sent via email. These contain malware, and opening the files will see your computer compromised. Be especially wary of PDF files, JPEGs, ZIP, and EXE files. Many file attachments have the suffixes masked to fool users into opening them. They contain malware such as keyloggers, or will allow hackers to take control of your device.

Only make purchases from stores offering a secure HTTPS connection

To avoid phishing and other malicious websites, use your common sense. If a deal sounds too good to be true it probably is. Before you make a purchase, check the website has a padlock next to the URL and the web address starts with HTTPS.

This is not a guarantee that the website is genuine, as security certificates can be faked. But it will give you a better idea if the website can be trusted. Also never make any purchase while connected to the Internet via an open Wi-Fi network. You never know who might be eavesdropping on your session.

If you want to protect against fake Black Friday deals, or keep your work network secure and free from malware, consider installing a web filtering solution. It will take the guesswork out of online purchases, and will block phishing websites, popups, and malicious adverts. Coupled with an anti-spam solution to catch malicious emails, you will be better protected from online scammers and cyberattacks.