Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it is hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Lenovo Support Page Hacked

In possible retaliation for the Superfish MITM software installed on Lenovo consumer machines, hackers appearing to represent Lizard Squad have hijacked Lenovo’s support page through a DNS hijack. Currently, if you head to http://support.lenovo.com/us/en/product_security/superfish, a completely different site appears, rotating through images hosted on Imgur and playing a song hosted on YouTube. Metadata in the code reads “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey”, two names that have been linked to Lizard Squad in the past. Because this is a DNS hijack, the hostname was pointed at a server the attackers control; that does not by itself mean Lenovo’s own web servers were compromised, but anyone who visited the hostname during the hijack was talking to the attackers’ infrastructure. Note also the zero-sized iframes near the end of the source below, pointing at neko.li and cf0.pw: the visible slideshow is not the only thing the page loads. We have pulled the source code for reference. We will update as we find out more information.

[UPDATE] Lenovo has restored the page to the proper website. There is no official word from their team on what happened or how many people were affected by this DNS hijack.

[Screenshot captured 2-25-2015, 2:39 PM: the hijacked support page]

<html>
<head>
<title>@LizardCircle</title>
<link href='//fonts.googleapis.com/css?family=Roboto' rel='stylesheet' type='text/css'>
<meta name="description" content="The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey">
<style>body{background-color:black;color:white;font-family:'Roboto',sans-serif;}a{color:cyan;}#slides{display:none;}.container{width:100%;height:100%;}.slidesjs-navigation{display:none;}iframe{display:none}</style>
</head>
<body>
<center>
<a href="https://twitter.com/LizardCircle">
<div class="container">
<div id="slides">
<img src="http://i.imgur.com/UPVwGSb.png"/>
<img src="http://i.imgur.com/pRvR6jj.png"/>
<img src="http://i.imgur.com/zTydDfv.png"/>
<img src="http://i.imgur.com/InvkIDg.png"/>
<img src="http://i.imgur.com/yr19vvc.png"/>
<img src="http://i.imgur.com/7wKXhr8.png"/>
<img src="http://i.imgur.com/SMy9P4g.png"/>
<img src="http://i.imgur.com/tBSSz1M.png"/>
<img src="http://i.imgur.com/IWpV3nR.png"/>
<img src="http://i.imgur.com/QzhXFor.png"/>
<img src="http://i.imgur.com/ny9IAhQ.png"/>
<img src="http://i.imgur.com/lsUMIiw.png"/>
<img src="http://i.imgur.com/dnQGUS1.png"/>
<img src="http://i.imgur.com/IQbF2nB.png"/>
<img src="http://i.imgur.com/dGrve6S.png"/>
<img src="http://i.imgur.com/PhEKut7.png"/>
</div>
</div>
</a>
</center>
<iframe width="0" height="0" src="https://www.youtube.com/embed/ZLa__49Ltv4?autoplay=1&loop=1" frameborder="0"></iframe>
<iframe src="https://neko.li/haha/everybody/laughing/at/you" width="0" height="0"></iframe>
<iframe src="http://dev.neko.li/haha/everybody/laughing/at/you" width="0" height="0"></iframe>
<iframe src="http://cf0.pw/haha/everybody/laughing/at/you" width="0" height="0"></iframe>
<script src="http://code.jquery.com/jquery-1.9.1.min.js"></script>
<script src="http://www.slidesjs.com/js/jquery.slides.min.js"></script>
<script>
$(function() {
  $('#slides').slidesjs({
    width: 940,
    height: 528,
    navigation: false,
    pagination: false,
    effect: {
      slide: {
        speed: 200
      },
      fade: {
        speed: 300,
        crossfade: true
      }
    },
    play: {
      active: true,
      auto: true,
      interval: 2000,
      swap: false,
      pauseOnHover: false,
      restartDelay: 2000
    }
  });
});
</script>
</body>
</html>

Google is taking steps to eliminate deceptive download ads.

Reading that Google was adding More Protection from Unwanted Software to their search results was a pleasant surprise. These deceptive ads for third-party downloads that include additional Potentially Unwanted Applications (PUAs) along with the software that you were intending to download have been a plague for some time now. Not only do these ads lead to PUAs being installed, we are also constantly asked why we blocked what people thought were legitimate downloads.

Naturally I wanted to check this out for myself. Imagine my disappointment when I did a search for “download flash player” and the first result was an ad for a third-party download:

[Screenshot: Google search for “download flash player”, with a third-party download ad as the first result]

I did some more searches and found that depending on what you search for, you may or may not get ads for third-party downloads. A search for “download vlc player” yielded no ads:

[Screenshot: Google search for “download vlc player”, with no ads shown]

While certainly not perfect, this is a major step forward in helping prevent PUAs, and based on the changes that Google has made to its AdWords policy, I only expect this to get better over time. As you can see in the screenshots posted here, the official downloads are now clearly marked, and even with the third-party ad for Adobe Flash Player, the link to the official download stands out in a way that should help prevent users from clicking on the third-party ads.

It will be interesting to see if other search engines follow suit. Until they do, it is up to all of us to spread the word about the changes Google is making and let others know how easy it now is to identify the official download links for software (as long as you’re using Google as your search engine).

Five Questions The Financial Industry Should Be Asking About Security

As the mobile market continues to skyrocket and gain new users, financial institutions are finding it increasingly difficult to protect their customers against online fraud. Add in the seemingly never-ending wave of company breaches and data loss, coupled with an increasing number of users relying on mobile for their banking needs, and you have a recipe for potential disaster. As a result, customers are pressuring banks to add security features and functionality, but at the moment the US is behind the rest of the world in rolling out such features. Fortunately, there are ways for banks to mitigate these risks and fight back against these threats to their customers. Here are five questions the financial industry needs to be asking about security.

  • Q: What would the cost be for a single fraud breach within my banking channel?

Why you should be asking it: From breaches at JP Morgan and Sony to the recent Anthem data loss, we know data is under attack, and financial data is not a new target. When a financial institution suffers a single fraud breach, the costs extend beyond the data to customer trust, future business, and insurance.

  • Q: What is the most vulnerable point in our banking network?

Why you should be asking it: Breaches big and small can start from one small dent in the armor, and once cybercriminals discover an exploitable weakness it will not be long before the full security layer is compromised. In the complete path from endpoint to data storage, where and when will that most vulnerable point appear?

  • Q: How do mobile threats attack our customers directly?

Why you should be asking it: Mobile is the hot new target for cybercriminals, who are quickly learning new ways to mask threats and make them more difficult to detect. Malicious mobile apps are rapidly on the rise and established PC threats like ransomware are trickling down to mobile devices.

  • Q: How can banks fight these threats and protect their customers?

Why you should be asking it: Educating customers on the importance of security is crucial, but that’s only part of the battle. Mobile security is a must today, but not all solutions are created equal. Manually downloading mobile antivirus requires some customer intervention, and many users don’t even consider this crucial security step on their personal devices. Fortunately, there’s a ‘best-of-both-worlds’ solution.

  • Q: How many people will be using their mobile devices for banking in 2017?

Why you should be asking it: The mobile market continues to skyrocket and shows no signs of slowing down. With an ever-increasing number of users connecting and downloading apps, the risk of being exposed to mobile malware also increases.

David Duncan will be speaking at the ISMG Los Angeles Fraud Summit on February 24, 2015 at the Hilton Los Angeles/Universal City.  For more information, please click here: http://www.ismgcorp.com/fraud-summit/los-angeles-11

Significant Gaps Between Compromise and Discovery

Over the past five years, the number of records compromised in US business breaches has exploded, growing from less than 20 million in 2010 to over 92 million in 2013. With major breaches at Target and the Home Depot, and many smaller breaches in the last year, the increase in records lost does not appear to be on the decline.

Some form of security technology was in place at most of these breached organizations, so it is becoming clear that the issue is not a lack of technology but a reliance on outdated security practices. Active, persistent attempts at breaching organizations are inevitable in this day and age, but breaking down the attacks and being able to intelligently detect the signs of a breach in real time will help to minimize the destruction or exfiltration of data. There are steps to help defend against the unknown, and with the right security approach, the significant gap between compromise and discovery can be decreased.

Improve Your Vision To Defend Against Unknowns

Maintain visibility into the GLOBAL threat landscape.

Through a global network of analytical servers, endpoints, security partners and other data collection tools, and by collating different types of threat data (IP data, URL and web data, mobile app data and malicious file data), it becomes possible to understand the current, active threat landscape. Without a global network of collectors and without multiple data points, that understanding is necessarily incomplete.

Ensure a real-time view of Internet objects to keep up with the new threats and the changing nature of known threats. 

Through machine learning and automated analysis of data captured by endpoints, honeypots, security partners and other collection vectors, it is possible to identify zero-day and zero-hour threats in real time. With the proper deployment mechanisms these threats can be detected and blocked within minutes or seconds, protecting organizations from even the most aggressive threats.

Use intelligence to look for signs of successful attacks (no security is perfect).

Using contextual analytics to build relationships between threat data types, an organization can dig deeper into known attacks to understand both the origin and the intent of a malicious actor. A single data point such as an IP address is no longer a standalone threat element: it is now possible to analyze the relationships that IP address has not only with other IP addresses but with mobile applications, malware and URLs. This analysis makes it possible to identify a threat more quickly and reliably, and paints a better picture of the nature and intent of an attack.
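As an added illustration, not Webroot’s code or a description of its platform, the following Python builds a small relationship graph over constructed indicators and shows how an IP address with no verdict of its own picks up suspicion from what it is connected to, and how the chain of relationships behind that suspicion can be shown to an analyst. All sightings, hashes, hostnames, app names and the decay-based scoring are assumptions made for this example.

```python
# Added example (not from the original post or from Webroot): a small relationship
# graph over threat indicators. An IP with no direct verdict inherits suspicion from
# the URL, file and app it is linked to. Sightings, verdicts and the decay scoring
# below are constructed for illustration and are not real threat data.
from collections import defaultdict, deque

# Constructed sightings: (indicator, relation, indicator). Indicators are type-prefixed.
SIGHTINGS = [
    ("ip:198.51.100.7", "hosts", "url:http://cdn.example.test/update.php"),
    ("url:http://cdn.example.test/update.php", "served", "file:5d41402abc4b"),
    ("file:5d41402abc4b", "contacted", "ip:203.0.113.9"),
    ("app:com.example.flashlight", "contacted", "ip:203.0.113.9"),
    ("app:com.example.flashlight", "contacted", "ip:198.51.100.7"),
    ("ip:192.0.2.44", "hosts", "url:http://docs.example.test/manual"),
]

# Constructed direct verdicts (say, from detonating the file); everything else is unknown.
DIRECT_VERDICTS = {"file:5d41402abc4b": 1.0}


def build_graph(sightings):
    """Undirected adjacency: a relationship can be pivoted on from either end."""
    graph = defaultdict(set)
    for left, _relation, right in sightings:
        graph[left].add(right)
        graph[right].add(left)
    return graph


def propagate(graph, verdicts, decay=0.6, max_hops=3):
    """Score every indicator within max_hops of a bad seed as seed_score * decay**hops,
    keeping the highest score when several seeds reach it. Unconnected nodes get none."""
    scores = dict(verdicts)
    for seed, seed_score in verdicts.items():
        hops = {seed: 0}
        queue = deque([seed])
        while queue:
            node = queue.popleft()
            if hops[node] >= max_hops:
                continue
            for neighbour in graph[node]:
                if neighbour in hops:
                    continue
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
                candidate = seed_score * decay ** hops[neighbour]
                scores[neighbour] = max(scores.get(neighbour, 0.0), candidate)
    return scores


def suspicious(scores, threshold=0.3):
    """Indicators worth blocking or investigating, sorted for stable output."""
    return sorted(ind for ind, score in scores.items() if score >= threshold)


def pivot_path(graph, start, target):
    """Shortest chain of relationships from start to target (the analyst's pivot), or None."""
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbour in graph[node]:
            if neighbour not in previous:
                previous[neighbour] = node
                queue.append(neighbour)
    return None


if __name__ == "__main__":
    graph = build_graph(SIGHTINGS)
    scores = propagate(graph, DIRECT_VERDICTS)
    for ind in suspicious(scores):
        print(f"{scores[ind]:.2f}  {ind}")
    print(" -> ".join(pivot_path(graph, "file:5d41402abc4b", "ip:198.51.100.7")))
```

With these inputs the IP 198.51.100.7 is never seen doing anything malicious itself, yet it ends up flagged because it hosts the URL that served the detonated file; 192.0.2.44, which only hosts documentation, is not reached at all. The decay and threshold values are arbitrary knobs for the example; a real pipeline would weight relation types differently and discount shared infrastructure such as CDNs.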

With the number of successful breaches increasing, it’s time for companies to improve their security vision to protect against the unknowns. As no security system on its own is perfect, it’s time to push for a layered approach with contextual analysis, automation and predictive machine learning as the new standard. This tactic, along with better breach awareness, will only help to decrease that gap, increase reaction time, and stop a breach from having a lasting impact on data and corporate reputation.


Competition at an All-Time High in Lucrative Hacking & Cybercrime-as-a-service Markets

While black market websites have long since offered a wide array of services aimed at the aspiring cybercriminal, recent attention has been given to a new breed of websites that offer hacking services to a much broader market, anyone really – for hire of course. Sites such as hackerslist.com, hackerforhire.org, neighborhoodhacker.com and even the review site, hackerforhirereview.com, serve as anonymous meeting grounds for people seeking hacking services and for hackers to provide those services. While the legality of these sites is still in question, many listings populate these sites and many hacking services have been rendered.

So what services are available on these sites? How much does it cost? And can you get in trouble?
Let’s find out!

First, the services offered on these more mainstream sites are only a small subset of the service offerings available on the larger underground market. You won’t find access to hundreds or thousands of infected PCs, or malicious botnet hosting services either. Nor will you find malware writers or liquidation services for stolen passwords and credit card info. These offerings remain available only on sites looking to attract new cybercriminals, which is quite a bit different from the focus of the hacking-for-hire websites.

The offerings you will find on hacking for hire sites are largely tied to spying and breaking into accounts as well as removing defamatory content and investigating cyber-bullying. Some sites have stronger policies about which services can be rendered and the term ‘Ethical Hacker’ is used broadly to give assurance to visitors seeking services that doing so is justified, and even ethical. But quite the opposite can be true. Who is to say that once a password is cracked, that the hacker stops there? Or that once an account is broken into that the hacker won’t collect additional information? What if the hacking service is a scam or what if the hacker is actually law enforcement? There are clearly many very considerable risks in using such services.

But back to what services are actually available and their prices? Pulled directly from neighborhoodhacker.com, here is a list of their service offerings:

• Password Cracking & Recovery
• Online account hacking
• Social Media & Cyber Stalking Investigations
• Social Media Hacking
• Online Fraud Investigation
• Mobile Security
• Identity Theft Consulting
• Encryption
• Cyber Bully or Stalker Investigations

The prices for these services range considerably based on a few factors but generally cost between $100 and $3000 depending on the complexity of the hacking job, a price well within reach for most.

Ultimately, what these sites represent is a growing demand for hacking services. Their emergence continues a trend that has been, and remains, strong in the black market for services: year over year, the barrier to entry into cybercrime gets lower.
No matter what you’re looking to do, there is someone ready to help, and not for an unreasonable fee.

Stay tuned for my next blog which will take a much closer look at what services are offered on the black market for cybercrime.

Did Blackhat just break the hacker movie stereotype?

[Image: Blackhat] (Yes, he’s Thor in other movies, but that doesn’t mean he can’t hack in Blackhat)

Blackhat is out today in theaters, and we were lucky enough to have an advanced screening of the film alongside our very own threat security team.

As seen in our previous post on Hollywood and hacking, the majority of the time it feels like producers in Tinsel Town don’t have a full grasp on how hacking works or how to accurately present it to the viewers, and instead come up with ridiculous uses of the computer that make little to no sense to the tech-savvy.

Blackhat felt like the opposite of that.  And that is the biggest surprise for us.  In all honesty, we headed into the movie, expecting it to have major misrepresentations and to tear it apart.  But as we sat around discussing the flick, we concluded that the team behind the movie really did their research.  Dare we say that Blackhat might be one of the best Hollywood representations of hacking and cybercrime, especially focusing on the darker side of criminal activities?

Yes, we do dare.

To say the movie is truly authentic would be a stretch, but the fact is that Michael Mann avoids the major stereotypes that have become all too commonplace in other films. He also does a good job traversing the social-political game of relations between US Government agencies as well as US-China relations. As a result, the story carries itself through very well to the end.

The movie actually presented many of the different methods criminals use to breach security, including social engineering, direct breach, cyber espionage, and computer hacking itself. While hacking was a central topic throughout, ‘Blackhat’ was about more than just hacking and focused on cyber-terrorism, a broader yet more relevant topic that has been in the news quite a bit lately. Each of these methods of breach is an everyday threat to organizations big and small. If anything, the movie stands as a representation of the complexity of today’s security environment, showing how no single security control will keep a network safe on its own.

While there was a bit too much Hollywood sexiness and bravado when it comes to just how talented the characters were, this inclusion surely added to the entertainment value.  We wish we could go from evaluating code to globetrotting, chasing down the bad guys, but sadly that is not how it works these days.

Overall, Blackhat was a well told story, and from a security team’s perspective, it maintains a solid grasp on reality in most of its hacking scenes.  The entertainment value was there, alongside fairly accurate representations of security infiltration, leading us to walk out pleasantly surprised.  And we think you might be as well.

http://youtu.be/Qn2g9qGbH_k

Hacking in Hollywood

It’s generally understood that Hollywood will always put its own spin on actions in order to help tell a story. That’s part of the movie and TV magic, or artistic license, that directors take when they are producing these pieces of entertainment. But sometimes the artistic license itself is more entertaining for how far off the representation is.

With “BlackHat” coming to theaters tomorrow, we decided to look back at some of the most ridiculous forms of ‘hacking’ displayed on the big (and small) screen.  Here are our 7 favorite misrepresentations of hacking from Hollywood.

Hackers:

http://youtu.be/8wXBe2jTdx4

This 1995 classic really took hacking to mainstream, introducing the idea of gangs of hackers to the world.  While it is true there are groups out there dedicated to hacking, that is where the similarities end.  As you can see in the clip, the hackers and the target are in a long, drawn out command-based attack against each other, all supported by 3D navigation of operating system code.

Jurassic Park:

http://youtu.be/dFUlAQZB9Ng
2nd Clip: https://www.youtube.com/watch?v=RfiQYRn7fBg

Jurassic Park has two ‘great’ examples of Hollywood hacking. The first is the overly simplistic “hacker crap” stemming from simple commands. The second: just because the girl knows “Unix”, she’s now able to control everything by clicking through a 3D file browser? (That browser, fsn, was real SGI IRIX software, but navigating it is not hacking.) Control is about commands, and hacking doesn’t happen by clicking around a GUI.

Goldeneye:

http://youtu.be/mIq9jFdEfZo

“BORIS IS INVINCIBLE”. Need we say any more about this? Boris, the self-described geek of Goldeneye, shows simplistic forms of hacking while breaking into US Government computers as well as those around him. In around 10 words, Boris is able to access everything he needs in any situation from any target.

Independence Day:

[Screenshot: Independence Day, the “VIRUS UPLOADED” scene]

We don’t have an individual clip of this one, but chances are we have all seen this movie and the scene (pictured above) where Jeff Goldblum’s character uploads a virus using human technology (like a USB drive) to an alien spaceship, and then proceeds to use a regular PC to complete the process. Lots of scrolling windows and a big, red “VIRUS UPLOADED” for the viewer’s pleasure.

Live Free or Die Hard:

http://youtu.be/F2zFmezNwaU

From the very start of this film, we are shown that hackers, and the viruses they produce, can control C4 and other physical devices. While remotely triggering hardware is possible given the right command interface and transmitters, the depiction of hackers as deadly mercenaries is beyond crazy. Beyond that, we again see the GUI-driven hacker/virus delivery programs that have become commonplace in these depictions.


Swordfish:

[Screenshot: Swordfish hacking scene]

Probably the biggest offender in GUI-supported hacking, alongside some amazing keyboard work. While the clip won’t be linked here, the displays of hacking are amazing: what seems to be random pressing of keys in random order, with no real commands, alongside encrypted files being decrypted, again, on command. Supercomputers would struggle with the work, but our star can do it all in 60 seconds.

NCIS:

http://youtu.be/u8qgehH3kEQ

The crown goes to NCIS, hands down. While the other examples are laughable at most, still linking back to a little (sometimes very little) reality, this clip shows one of the most ridiculous forms of “counter hacking” ever seen on screen. With two NCIS agents on one keyboard, almost an homage to “Hackers”, they attempt to fend off a hack of a mainframe by typing faster. That’s all they do. And it’s hysterical.

Why 2015 will be the year of cloud attacks

Several major breaches occurred this year when hackers infiltrated Home Depot, Michaels, iCloud, JP Morgan, and the list goes on. And while consumers and companies were hit hard in 2014, our 2015 security predictions show that this will be the year of the cloud attack.

According to a recent IDC report, almost 90 percent of Internet spending (including mobile apps, big data and social media) will be on cloud-based technologies over the next six years.

While many companies are making the leap to the cloud, securing the cloud remains an ongoing challenge for IT departments. Smart cyber criminals know where the holes reside and view this space as a big target.

In 2015, a major cloud provider will be breached, compromising many of their customers’ data and in turn leaving hundreds of thousands of individuals vulnerable to follow-on threats. Following the breach, I predict the following will occur:

  1. U.S. Congress will step up efforts to legislate better security protection in public clouds.
  2. Consumer and shareholder outrage will lead to the sacking of several CEOs and CISOs and force the creation of internal cybersecurity task forces.
  3. Enterprises will recognize the benefits of cloud-based malware protection as well as cloud-based cyber attacks.
  4. Enterprises, government agencies and security vendors will begin to develop more effective collaboration and cooperation to combat the wave of cyber crime and cyber warfare.

With our 2015 security predictions in mind, what other theories do you have for this year’s security landscape?  Share your ideas in the comment box below.

Breach Therapy: 10 Companies Who Can’t Wait For 2014 To Be Over

Whether it be iPhones with bigger screens, major video game releases to make next-gen systems finally worth it, or wearables that are actually appealing to consumers, it’s safe to say any technological ‘advancement’ of this year was overshadowed by the seemingly endless wave of breaches that plagued companies and consumers alike.

Massive Data Breaches

With the New Year only a couple weeks and change away, let’s look back at 2014, aka the ‘Year of the Breach’, and revisit 10 companies who want nothing more than to forget their breach nightmares and start fresh in 2015:

Michaels

Going back almost a full year to January, we have what was one of the first post-Target breaches to come to light. According to numerous sources (and as reported by the ever-informed Brian Krebs), all signs were pointing to a potential Michaels breach. That same day (January 14), the US Secret Service said it was investigating further.

Fast-forward to April and we get the confirmation, with Michaels Stores Inc. announcing that 3 million customer credit and debit cards were stolen in Michaels and Aaron Brothers stores as a result of two eight-month-long security breaches.

Goodwill

On July 21st, news of another breach started coming in. This time, the victim was Goodwill Industries. Or more specifically, the systems of a third-party vendor that processes payments for some Goodwill members (20 to be exact, which represents ~10% of all stores).

This breach, which was determined to have been caused by a piece of malware called RawPOS, resulted in the exposure of 868,000 customer credit cards. Goodwill released details of the breach in September on its site.

The Home Depot

Speaking of September, that was a rough month for The Home Depot, which began when the company said it was “investigating some unusual activity with regards to its customer data.”

That ‘unusual activity’ ended up being a massive breach that involved pretty much every Home Depot location in the country.

Sure enough, six days after the initial reports started filing in, the company admitted that its payment systems were in fact breached, and that the attack was going on for months.  What was not yet known was the scope of the attacks.

That announcement came 10 days later, with The Home Depot saying that the malware had been contained, 56 million impacted debit and credit cards later. The disclosure made the incident the largest retail card breach ever recorded.

Japan Airlines

On October 1st, with The Home Depot breach still fresh on peoples’ minds, Japan Airlines said that it was the latest breach victim and that 750,000 frequent flyer club members’ information may have been stolen after hackers breached JAL’s Customer Information Management System and installed malware on computers that had access to the system.

The potentially stolen data included everything from customer names to membership numbers and home addresses.

JP Morgan

And then, just one day later, JP Morgan confirmed an absolutely giant breach that affected 76 million households and 7 million small businesses. Affected were customers who used the Chase.com and JPMorganOnline websites and the Chase and JP Morgan mobile apps.

Stolen information included names, email addresses, phone numbers, and home addresses, but more potentially-devastating information such as account numbers, passwords, and Social Security numbers were not believed to be impacted.

Fox Business also came out with a report saying that the nation’s largest bank was bracing for a mass-scale spear-phishing campaign right after the breach was exposed, and that the stolen info was the ‘first wave’ that would help the cybercriminals steal the aforementioned ‘good stuff’, which they could do with legitimate-looking emails targeting those customers whose data they had already nabbed.

While no such campaign has yet happened, it has not yet been determined for sure who was responsible for the breach and the investigation is still ongoing.

You can find more detailed descriptions of The Home Depot, Japan Airlines, and JP Morgan breaches in a previous blog I wrote.

Kmart

Later in October, Sears Holdings Corporation announced that it had discovered a breach at its Kmart stores that was due to malware on their POS (point-of-sale) machines. At that time, Sears also announced that the malware had been removed and that there was an ongoing investigation.

The investigation went on to reveal that the attack started in early September, which means that the breach was going on for a full month. Despite that, Kmart said that no personal customer information was stolen as a result of the breach.

Staples

Just over a week after the Kmart breach, Brian Krebs reported that he had information from multiple banks that were seeing a pattern of credit card fraud linking back to a series of Staples stores in the Northeastern part of the country. At that time, Staples said it was investigating the issue.

According to a Bloomberg update from last month, Staples said it believed the malware that caused the fraud had been identified and eliminated, but that the investigation was still in its early stages and that it could not yet estimate the scope of the breach or how much data was stolen.

Last month, it was also reported that a link was found connecting the Staples and Michaels breaches.

USPS

On November 10th, numerous reports came out saying that the United States Postal Service was breached back in September, and that Chinese hackers were responsible.

This breach impacted both employees and customers, compromising data of 800,000 workers and 2.9 million customers.

Bebe

Earlier this month, security researcher Brian Krebs got word from banks about fraudulent charges on credit cards that were recently used at Bebe women’s clothing stores across the nation.

Sure enough, just a day later, Bebe Stores Inc. confirmed the breach, saying that the hackers got hold of customer information that may include customer names, account numbers, card expiration dates, and verification codes.

Sony

[Image: Sony breach (Source: IB Times UK)]

The latest, and perhaps most devastating (for the company affected, at least) of all 2014 breaches, the attack on Sony continues to make headlines daily as new details emerge and new information is leaked.

This breach has all the ingredients for a Hollywood flick (a mysterious enemy, global threats, massive exposure, a potential inside job, etc), which is ironic, considering that The Interview, a Hollywood comedy about two accidental ‘agents’ assigned to assassinate North Korea’s leader Kim Jong-un, may be what started the breach to begin with.

So far, the attack has crippled Sony’s corporate network, exposed personal employee information such as executives’ salaries, social security numbers and medical records, and leaked email conversations that have landed some top execs in hot water. And new details are continuing to emerge.

This list highlights just 10 of the most prominent companies that experienced a breach this year. As you can see, no industry is safe and no two breaches are exactly the same. The one constant? All 10 of these companies will have ‘Don’t get breached!’ as one of their New Year’s Resolutions.

Social Engineering improvements keep Rogues/FakeAV a viable scam

Rogues have been a fixture of the threat landscape for a while now. They’ve been rampant for the past few years and there likely isn’t any end in sight to this scam. These aren’t complex pieces of malware by any means and typically don’t fool the experienced user, but that’s because they’re aimed at the inexperienced user. We’re going to take a look at some of the improvements seen recently in the latest round of FakeAVs that lead to their success. While the images shown carry different names (A-Secure, Zorton, and AVbytes), they are identical in execution and appearance and are likely from the same author(s). Webroot users are protected from all variants of these we have encountered.

This is what the GUI looks like, and it’s pretty standard: well polished, with every button fully functional. Those “scanned files” don’t actually exist, but the directories do, so this simple indexing can lend some legitimacy in the eyes of unsuspecting users.

This is probably the biggest improvement to the veil of legitimacy. These brands of FakeAV now come with an Action Center window that is almost identical to the real one. Right where Windows would normally list your legitimate security software’s status, they list theirs in exactly the same fashion. This is just a fake Action Center: the malware prevents you from opening the real one and simply redirects you to this window. I can see this tactic fooling even the average user at times. These rogues wouldn’t be complete without a payment “website”, and these have probably the best-developed ones so far. Here are the payment page and the home page.

Not only do these pages contain fake awards from legitimate testing companies, but they also have phony reviews and even a simulated news feed with product updates, blogs and press releases. This really is the icing on the scam cake: depending on the limited interaction you’ve had with the rogue, it could be enough to convince you that this program will actually help you and may be worth the money. Now, skeptics will notice that there are some flaws, like “VMworld 2011 Europe” – how would a 2015 product make it to that expo? And the image used at the top of the home page shows Windows XP security when the product is for Windows 7. These are all minor mistakes and could easily have been fixed. I suspect that we’re only going to see more innovation in the future and eventually might find rogues that blur the lines between legitimate and fraudulent so well that they’ll be almost indistinguishable.

Vaporizer chargers can contain malware

Vaporizers (AKA E-cigarettes) have been gaining some serious traction and widespread use over the past few years. The sudden surge of popularity isn’t too surprising considering the fact that the health implications of nicotine consumption are vastly more favorable with vaporizers when compared to traditional cigarettes.

Most vaporizers charge through a proprietary connection to USB that looks something like this:

Should be harmless, right?

In a recent reddit post, the poster reported that an executive at a large corporation had a data security breach on his system from malware, the source of which could not initially be determined. The machine was patched up to date, had updated anti-virus protection, and web logs were evaluated. “Finally after all traditional means of infection were covered; IT started looking into other possibilities…” The made-in-China USB charger had malware on it that, when plugged into a computer’s USB port, would phone home and infect the system.

Now, for those of you scratching your head going – hang on a minute… Windows hasn’t auto-executed anything from USB in YEARS. USB drivers are loaded from the library on the PC, I would know when it was plugged in, and I would have to click and run a file in that folder – this whole story sounds fishy… Let me introduce you to BadUSB. Essentially, the charger’s USB controller chip is reprogrammed to present itself as a keyboard plus a mass storage device. Once plugged in, it sends keystrokes to open a command prompt and then executes files from the storage. It’s not as if this vector of attack is brand new either – at least conceptually. According to @th3j35t3r (the Jester), a well-known cyberwarrior, in an article titled ‘What would I do if I was Chinese PLA’, USB charger attacks such as this are “theoretical but entirely possible, if not probable”.

My personal suggestion to those concerned is to only charge USB devices through a wall adapter (they charge faster anyway). If you REALLY need to charge through USB, then I suggest getting one of these, dubbed “USB Condoms”, which make sure that only power is drawn and no data is exchanged.

What kind of defenses exist for this type of attack? Basically not much. Malware scanners cannot access the firmware running on USB devices, and USB firewalls that block certain devices do not exist yet. Behavioral detection is unlikely, since the device’s behavior is just going to appear as though a user has simply plugged in a new device. It’s very unsettling, and the threat is there, however unlikely we think it is. While I doubt this is widespread or even remotely common, I did take apart my charger to make sure that there were no data pins and that it was only drawing power through USB.
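The passage above describes the BadUSB trick as a charger that enumerates as a keyboard plus a mass storage device. The following is an added example, not code from the original post or from Webroot, of the kind of after-the-fact inventory check a defender can run over a listing of attached USB devices: it parses a simplified, constructed lsusb-style listing (the line format here is an assumption for the example, not lsusb’s exact output), and flags any device that presents both a keyboard interface and a storage interface, or a keyboard whose vendor:product id is not on the host’s known list. The vendor and product ids in the sample are constructed placeholders. This does not inspect firmware, so it is a detection aid rather than the “USB firewall” the text says does not yet exist.

```python
import re

# USB interface class/protocol codes from the USB specification
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01

# Constructed line formats for this example (simplified, lsusb-inspired; not lsusb's real output)
DEVICE_RE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}):([0-9a-f]{4}) (.+)$")
IFACE_RE = re.compile(
    r"^\s+Interface \d+: class ([0-9a-f]{2}) subclass ([0-9a-f]{2}) protocol ([0-9a-f]{2})$"
)


def parse_inventory(text):
    """Parse the constructed listing into device dicts with (class, subclass, protocol) tuples."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append({"vid": m.group(1), "pid": m.group(2),
                            "name": m.group(3).strip(), "ifaces": []})
            continue
        m = IFACE_RE.match(line)
        if m and devices:
            devices[-1]["ifaces"].append(tuple(int(x, 16) for x in m.groups()))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return devices


def presents_keyboard(dev):
    # A HID interface using the keyboard boot protocol can inject keystrokes
    return any(c == USB_CLASS_HID and p == HID_PROTOCOL_KEYBOARD for c, _s, p in dev["ifaces"])


def presents_storage(dev):
    return any(c == USB_CLASS_MASS_STORAGE for c, _s, _p in dev["ifaces"])


def audit(devices, known_keyboards):
    """Return (device name, reason) for every device worth a closer look:
    a keyboard+storage combination (the BadUSB shape described in the post),
    or a keyboard whose vendor:product id the host has never seen before."""
    findings = []
    for dev in devices:
        ident = f"{dev['vid']}:{dev['pid']}"
        if presents_keyboard(dev) and presents_storage(dev):
            findings.append((dev["name"], "keyboard and storage in one device"))
        elif presents_keyboard(dev) and ident not in known_keyboards:
            findings.append((dev["name"], f"unexpected keyboard {ident}"))
    return findings


# Constructed sample inventory: a known keyboard, a thumb drive, and a "charger"
# that also claims to be a keyboard. Vendor/product ids are placeholders.
SAMPLE = """\
Bus 001 Device 002: ID aaaa:0001 Example Keyboard Co. Desktop Keyboard
  Interface 0: class 03 subclass 01 protocol 01
Bus 001 Device 003: ID bbbb:0002 Example Flash Inc. 16GB Thumb Drive
  Interface 0: class 08 subclass 06 protocol 50
Bus 001 Device 004: ID cccc:0003 Generic Vaporizer Charger
  Interface 0: class 03 subclass 01 protocol 01
  Interface 1: class 08 subclass 06 protocol 50
"""
KNOWN_KEYBOARDS = {"aaaa:0001"}  # ids the host administrator has approved (constructed)

if __name__ == "__main__":
    for name, reason in audit(parse_inventory(SAMPLE), KNOWN_KEYBOARDS):
        print(f"FLAG {name}: {reason}")
```

The second rule (an unknown keyboard) is the more general one: a BadUSB device need not carry storage at all if its payload fits in keystrokes, so any newly appearing keyboard on a host that should only ever have one is worth a question.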

Safe Online Shopping, Happy Online Shopping – 5 Security Tips for the Holiday Season

The holiday season is almost upon us, which means the holiday shopping season is also almost upon us.

And as always, it’s bound to be a crazy time of scrambling for the biggest and best deals, both in stores and online.

But while your wallet is destined to take a hit as you stack up on gifts for your family and friends, you want to make sure cybercrooks don’t make your list of people who will be receiving presents this year.

Sadly, with 2014 being labeled by some as ‘The Year of the Hack’, it may be easier for them than ever before to do just that. Fortunately, armed with some general security know-how, you can make their hacking jobs significantly harder while making your online shopping experience slightly less stressful.

Here are 5 online shopping tips to stay secure this holiday season:

Be Breachophobic

This one applies to traditional holiday shopping as well…

With the influx of massive data breaches across a wide variety of industries, no company seems to be safe. And popular retailers have been hit particularly hard (looking at you, Target, Michaels, Home Depot, Staples, KMart, etc).

Unfortunately, these breaches don’t show any signs of slowing down. Perhaps even more unfortunately, as a result of this, consumers are experiencing ‘breach fatigue’ and not changing their buying behavior even in the midst of all these attacks (according to a recent report from Ponemon).

But in this case, fear is actually a good thing. It keeps you on your security toes. Don’t have the ‘yeah, a lot of people are impacted, but it won’t happen to me’ attitude when it comes to breaches.

If you learn of a breach at a company whose store you recently bought something in, or at a bank that you use, take a proactive approach. Call your credit card company and have a new card issued ASAP. Call your bank and find out what steps you need to take to protect yourself. These are not the most fun activities, but they could save you from a potential financial/data loss nightmare.

Likewise, if you’re planning to go shopping at a particular retailer and you find out they’ve recently experienced a data breach, look to do your shopping elsewhere. Ok, maybe you won’t be able to take advantage of that exclusive Black Friday deal, but most of the competing big-name stores will likely have something similar. Plus, what good is that brand-new big-screen TV you got for a ‘steal’ if attackers got access to your credit card number?

Beware of enticing ‘Amazing Deal’ links in your email inbox

If a deal looks too good to be true, it probably is.

Phishing emails are still a popular tool for cybercriminals. The difference these days, however, is that they look more legitimate than they did in the past. Obvious red flags like blatant grammatical errors or strange sender email addresses are less common, and the bad guys are finding more creative ways to get you onto their fake, information-stealing pages.

An example of a UPS Phishing email (Source: PC Mag)

And the fact that the holiday season has many legitimate great deals actually benefits cybercriminals, giving them a perfect opportunity to blend in with a phishing email that would normally seem out of place.

So don’t just immediately click a link in that ‘great deal’ email that popped up in your inbox. Verify that the sender is legitimate, check for grammatical errors and inconsistencies, and even compare it with another email you’ve gotten from that company in the past that you know was legitimate. If there’s something odd or out-of-place, don’t pull the purchase trigger and potentially open yourself up for identity theft or money loss.
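Two of the checks just described, whether the sender’s address really belongs to the company and whether a link actually goes where its text says, can be done mechanically. The following is an added example, not code from the original post, that runs those checks over two constructed messages using only the Python standard library. The brand “shopmart.example” and every address and URL in the samples are made up for this example (`.example` is a reserved name), and the “registrable domain” helper is a deliberately crude last-two-labels approximation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude approximation of the registered domain: the last two labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


# Something that looks like a domain inside the clickable text of a link
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def link_findings(html):
    """Flag links whose visible text names one domain but whose href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(f"link text shows {shown.group(0)} but points to {host}")
    return findings


def phishing_indicators(raw_message, claimed_domain):
    """Return a list of human-readable warnings for a single-part HTML email."""
    msg = message_from_string(raw_message)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.split("@")[-1]) if "@" in from_addr else ""
    if from_dom != claimed_domain:
        findings.append(f"sender domain {from_dom!r} does not match {claimed_domain!r}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable(reply_addr.split("@")[-1]) != from_dom:
        findings.append(f"replies go to {reply_addr}, not to the sender's domain")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    findings.extend(link_findings(body))
    return findings


# Constructed samples: a genuine-looking deal email and a phishing lookalike.
CLEAN = """\
From: "Shopmart Deals" <deals@shopmart.example>
To: shopper@example.org
Subject: Holiday deals this week
Content-Type: text/html; charset=utf-8

<html><body><p>See this week's deals: <a href="https://www.shopmart.example/deals">www.shopmart.example/deals</a></p></body></html>
"""

SUSPECT = """\
From: "Shopmart Deals" <deals@shopmart-deals.example>
Reply-To: <claims@mail-drop.example>
To: shopper@example.org
Subject: AMAZING DEAL - 90% off, today only!
Content-Type: text/html; charset=utf-8

<html><body><p>Claim it here: <a href="http://secure-login.giftpromo.example/claim">www.shopmart.example/deals</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, phishing_indicators(raw, "shopmart.example") or ["no indicators"])
```

A mismatch between the shown and actual link target is the single strongest signal here; the sender check is weaker on its own because many legitimate retailers do send from a separate marketing domain, which is exactly why the text recommends comparing against an email you already know was genuine.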

Know your surroundings

Just because you can connect to WiFi almost anywhere doesn’t mean you should connect to WiFi any time it’s available.

If you’re doing any of your holiday shopping online, it’s really in your best interest to do it over a secure network.

As appealing as it may seem to knock out some of your holiday shopping as you’re sitting sipping your mocha at that coffee shop, know that public WiFi hotspots are just that – public. That means anybody can connect to them, including an attacker looking to catch a hapless holiday shopper unawares.

There’s a much lower chance someone will break into your network at home, unless of course your home network isn’t password protected. Which brings up another good tip – password-protect your WiFi network at home. And make sure to actually use a strong password! No ‘password’ for your password.

Mobile Devices are vulnerable, too

PC, Mac, Android, iOS…it doesn’t matter. No device/operating system is malware or hacker-proof. Let me rephrase: that means mobile devices aren’t in the clear! No, not even the iPhone is safe; remember the recent WireLurker malware?

So if you’re thinking, “I’ll just do all my online holiday shopping on my tablet to avoid the chances of getting hacked”, don’t do that. It’s a flawed mindset.

Mobile is a hot target for hackers at the moment. Remember that today’s mobile devices aren’t the bricks of yesteryear that you used to make calls and play Snake. Nope, today’s smartphones (and especially tablets) are bona fide computing machines, and protecting them in the same way you’d protect your computer isn’t an idea that should be ignored.

But aside from installing mobile security (which you should definitely do), there are other actions you can take to mitigate mobile risks, a major one being not jailbreaking/rooting your devices and/or using third-party app stores. Easier to do and access on Android devices, these third-party app stores are often riddled with malicious apps that can steal your information and dollars.

Safeguard all your devices

Even if you’re intelligent in your browsing and downloading habits, having computer ‘street smarts’ isn’t enough anymore. New threats are emerging seemingly by the hour, vulnerabilities like Heartbleed and Shellshock are coming to light, and if you fall victim to encrypting ransomware (which seems to be ever-evolving) with no sort of protection, you’re paying hundreds of dollars to get your files back or paying even more for a new computer.

But let’s bring it back to the holiday shopping topic. Take the phishing email scenario, for example. Even if you take the aforementioned steps to verify the validity of the email, you’re not completely out of the ‘cyber’ woods. Like I said, hackers are becoming increasingly clever, and those phishing emails are often very difficult (if not flat-out impossible) to distinguish from the real thing. You need an intelligent security solution to have your back in case you get tricked despite your best efforts.

The holiday shopping season is less than a week away so be sure that you’re ready and that your devices are secure. Follow these basic online shopping security tips and go out there and buy those presents…carefully, yet confidently! And by ‘go out there’, I mean on the internet. That way, you can avoid this:

(Source: CNN Money)

Happy holiday shopping!