Industry Intel

Cookies, Pixels, and Other Ways Advertisers are Tracking You Online

In May of 2018, the General Data Protection Regulation (GDPR) came into effect in the EU. Seemingly overnight, websites everywhere started throwing pop-ups to inform us about their use of cookies and our privacy rights. While the presence of the pop-ups may be...

Online Gaming Risks and Kids: What to Know and How to Protect Them

Online games aren’t new. Consumers have been playing them since as early as 1960. However, the market is evolving—games that used to require the computing power of dedicated desktops can now be powered by smartphones, and online gaming participation has skyrocketed....

STEM for Kids: Why Does it Matter?

You have probably seen or heard news reports about STEM education (Science, Technology, Engineering, and Math), and how important STEM jobs are for the economy; or maybe you’ve heard reports on schools that are making strides to improve their STEM programs for...

Keeping Your Vehicle Secure Against Smart Car Hacks

An unfortunate reality of all smart devices is that, the smarter they get, and the more integrated into our lives they become, the more devastating a security breach can be. Smart cars are no exception. On the contrary, they come with their own specific set of...

Thoughtful Design in the Age of Cybersecurity AI

AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own. Thoughtful design...

Cybersecurity in Schools: What Families Need to Know

Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents...

Out from the Shadows: The Dark Web

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

HTTPS: Privacy vs. Security, and Where End Users and Security Culture Fit In

Reading Time: ~ 4 min.

Since the dawn of IT, there’s been a very consistent theme among admins: end users are the weakest link in your network, organization, security strategy, fill-in-the-blank. We’ve all heard the stories, and even experienced them first-hand. An employee falls for a phishing scam and the whole network is down. Another colleague torrents a file laced with malware. Or maybe it’s something less sinister: someone wants to charge their phone, so they unplug something from the only nearby outlet, but what they unplug is somehow critical… help desk tickets ensue. 

But when it comes to security issues caused by human error, it’s not necessarily always the end user’s fault. Cyberattacks are getting more and more sophisticated by the second, and all of them are designed to either circumvent defenses or appear totally legitimate to fool people. One of the major advances of this type that we’ve seen is with phishing sites and the use of HTTPS.

HTTPS: The Beginning

While HTTP is the foundation of all data exchange and communication on the internet, it wasn’t designed for privacy. Transmitting information on the web using HTTP is kind of like sending a postcard; anybody who handles that card can read it. HTTPS was supposed to be a way of adding privacy to protect users and sensitive information from prying eyes.

At first, you’d only see HTTPS on financial or health care websites, or maybe the cart page on a shopping site, where the extra privacy was necessary. And back then, getting a security certificate was much harder—it involved significant costs and thorough security checks. Then, a few years ago, most web browsers started requiring security certificates for every website, or else they’d throw up a scary-looking warning that the site you were trying to visit might be dangerous. That trained us to look for (and trust) HTTPS.

A False Sense of Security

These days, when we see HTTPS at the beginning of a URL or the accompanying lock icon in our browser’s address bar, we’ve been conditioned to think that means we’re safe from harm. After all, the S in HTTPS stands for “secure”, right? But the issue is that HTTPS isn’t really about security, it’s about privacy. That little lock icon just means that any information we transmit on that site is encrypted and securely delivered to its destination. It makes no guarantees that the destination itself, is safe.

If you unwittingly end up on a well-faked phishing copy of your banking website and see the lock icon, it’s natural to assume that you’re in the right place and all is well. Except when you try to log in, what you’re really doing is securely transmitting your login credentials to an attacker. In this case, HTTPS would’ve been used to trick you.

The Bad Guys and HTTPS

Malicious actors are always looking for new ways to trick end users. Because so many of us think HTTPS ensures security, attackers are using it against us. It’s no longer difficult to obtain a security certificate. Attackers can do so very cheaply, or even for free, and there’s really no background or security check involved. 

As I mentioned during my talk on HTTPS at this year’s RSA conference, almost half a million of the new phishing sites Webroot discovered each month of 2018 were using HTTPS. In fact, 93% of phishing domains in September and October alone were hosted on HTTPS sites. When you think about these numbers, it’s easy to see why end users might not be to blame when you discover that a major security breach was caused by someone being duped by a phishing scam. 

The Way Forward

As more HTTPS phishing and malware sites emerge, even the most vigilant among us could fall victim. But that doesn’t mean we shouldn’t invest in end user education. End users are on the front lines on the cybersecurity battlefield. It’s up to us to provide right tools and armor to keep users and the companies they represent safe. To be truly effective, we need to implement ongoing security awareness training programs that recur continually throughout an employee’s time with the company. If we accomplish that, the results speak for themselves; after 12 months of training, end users are 70% less likely to fall for a phishing attempt!

We also need to make sure our security strategies incorporate real-time threat intelligence to accurately classify and determine which websites are good or malicious, regardless of their HTTPS designation. In an age where phishing sites appear and disappear in a matter of hours or minutes, malicious sites use HTTPS, and at least 40% of bad URLs can be found on good domains, it’s more important than ever that we all use the most advanced real-time technologies available. 

Ultimately building a culture of cybersecurity will always be more effective than a top-down mandate.. Everyone in the organization, from the CEO to the newest intern, should be invested in adopting and furthering a security conscious culture. Part of that process is going to be shifting the general IT perceptions around human error and the issues it can cause. We shouldn’t think of our end users as the weakest link in the chain; instead we should think of them as the key to a robust security strategy.

To hear more about HTTPS, phishing, and end user education, you can listen to the podcast I did with cybersecurity executive and advisor Shira Rubinoff at RSAC 2019.

Post Coinhive, What’s Next for Cryptojacking?

Reading Time: ~ 2 min.

In late February, the notorious cryptojacking script engine called Coinhive abruptly announced the impending end to its service. The stated reason: it was no longer economically viable to run.

Coinhive became infamous quickly following its debut as an innovative javascript-based cryptomining script in 2018. While Coinhive maintained that its service was born out of good intentions—to offer website owners a means to generate revenue outside of hosting ads—it took cybercriminals no time at all to create cryptojacking attack campaigns. Cryptojacking became incredibly popular in 2018, infecting millions of sites (and cloud systems among the likes of Tesla) and netting criminals millions in cryptocurrency at the expense of their victims.

Source: Coinhive [dot] com

I honestly did not see this happening, but I do understand. It is reasonable to think that Coinhive didn’t intend for their creation to be abused by criminals. However, they have still kept 30 percent of ALL the earnings generated by their script, one that was often found running illegally on hijacked sites. Most of that profit came from illicit mining, which has earned Coinhive a lot of negative press.

Additionally, 2018 was a terrible year in terms of the US-dollar value of Monero (XMR), which means their service is significantly less profitable now, relative to what it once was. Combined with the fact that the XMR development team hard-forked the coin and changed the difficulty of the hashrate, this means Coinhive is making very little money from legitimate miners.

Coinhive created this service so legitimate domain owners could host their script and generate enough revenue to replace ads. Ads are annoying and I believe this innovation was aimed at attempting to fix that problem. But the ultimate result was a bunch of criminals breaking into other people’s domains and injecting them with Coinhive scripts that essentially stole from visitors to that domain. Without consent, millions of victims’ computers were subject to maximum hardware stress for extended periods of time, all so some criminals could make a few pennies worth of cryptocurrency per computer.

Would you continue to operate a startup business in which most of the money you earned was a cut of criminal activity—stealing from victims in the form of an increased power bill? Maybe a year ago, when the hashing difficulty was easier (you earned more XMR) and XMR was worth 10 times what it’s worth now, it might have been easier to “sleep at night” but now it probably just isn’t worth it.

Even before this news, there were plenty of other copycats—Cryptoloot, JSEcoin, Deepminer, and others—so criminals have plenty of similar services to choose from. At the time of its shutdown, Coinhive had about around 60% share of all cryptojacking campaigns, though we saw this market dominance reach as high as 80% last year. I anticipate these other services stand to take larger shares of cryptojacking revenue now that the largest player has left. We might even see a new competitor service emerge to challenge for cryptojacking dominance.

Stay tuned to the Webroot blog for future developments in cryptojacking.

Cyber News Rundown: Georgia County Pays for Ransomware Threat

Reading Time: ~ 2 min.

Georgia County Pays Six Figure Ransom to Restore IT Systems

Following a ransomware attack earlier this month, officials in Jackson County, Georgia decided to pay a $400,000 ransom in order to obtain a decryption key and return their systems to normal operations. While it’s not normally recommended to pay ransoms, but instead to keep proper backups of critical files, the county decided that it would cost significantly more to restore the systems on their own. It is still unclear how the breach unfolded or how long the hackers had access to the network.

Michigan Healthcare Group Compromised

Sensitive information on over 600,000 patients was recently exposed after the Wolverine Solutions Group (WSG) suffered a data breach. The WSG initially suffered a ransomware attack in September of last year, and has been working to decrypt many of their systems since then. Due to Michigan’s lax laws regarding the announcement of a data breach, customers who may have been affected were contacted only within the last month.

Redirect Tags Found on Fortune 100 Sites

Hundreds of third-party redirect tags have been found hidden on the websites of Fortune 100 companies. These tags could allow attackers to access user data from any of the compromised sites and also degrade the performance of sites with multiple hidden tags. Many site owners even expressed concern over possible customer data loss, but did little to clear the tags from  their sites.

Asian Gaming Companies Infiltrated by Backdoors

Several Asia-based gaming companies have discovered hidden backdoors within main executables of some games attracting tens of thousands of players. Fortunately, after identifying the malicious code two of the three companies immediately pushed updates to their software, and the command & control servers for the backdoors were taken offline soon after. The backdoors appear to have originated from a malicious Chinese hacker group that has committed these types of attacks multiple times in recent years.

Info on 1.8 Million Women Found on Unprotected Chinese Database

An unprotected database was recently found which contains extremely sensitive data for nearly 1.8 million women in China. Amongst the personally identifying information was GPS coordinates, political affiliations, and even available video of specific individuals. Unfortunately, while the owners of this one database were successfully contacted, there are still thousands of similarly unprotected databases on Chinese networks.

Cyber News Rundown: New Ransomware Service Offers Membership

Reading Time: ~ 2 min.

Ransomware as-a-Service Offers Tiered Membership Benefits

Jokeroo is the latest ransomware-as-a-service (RaaS) to begin spreading through hacker forums, though it’s differentiating itself by requiring a membership fee with various package offerings. For just $90, a buyer obtains access to a ransomware variant that they can fully customize in exchange for a 15% service fee on any ransom payments received. Higher packages are also available that offer even more options that give the user a full dashboard to monitor their campaign, though no ransomware has yet to be distributed from the service. 

Android Adware Apps are Increasingly Persistent

Several new apps on the Google Play store have been found to be responsible for constant pop-up ads on over 700,000 devices after being installed as phony camera apps. By creating a shortcut on the device and hiding the main icon, the apps are able to stay installed on the device for a considerable amount of time, as any user trying to remove the app would only delete the shortcut. Fortunately, many users have been writing poor reviews about their experiences in hopes of steering prospective users away from these fraudulent apps while they remain on the store.

Phone Scammers Disguising Themselves with DHS Numbers

People all across the U.S. have been receiving phone calls from scammers claiming to be from the Department of Homeland Security (DHS), with actual spoofed DHS phone numbers, requesting sensitive information. While phone scams aren’t new, this campaign has upped the stakes by threatening the victims with arrest if they don’t provide information or make a payment to the scammers. DHS officials have stated they will never attempt to contact individuals through outgoing phone calls.

Failed Ransomware Attack Leaves Thousands of Israeli Sites Defaced

A ransomware attack aiming to infect millions of Israeli users through a widget used in thousands of websites failed over the weekend. Though all sites began displaying pro-Palestine messages, the intended file download never took place due to a coding error that prevented execution immediately after the pop-up message. After dealing with the poisoned DNS records for the widget creator Nagich, the company was able to restore normal function within a few hours of the attack beginning.

Chicago Medical Center Exposes Patient Records

Nearly eight months after a Rush Medical Center employee emailed a file containing highly sensitive patient information to one of their billing vendors, the company began contacting affected patients and conducting an internal investigation. Rush has setup a call center to provide additional information to concerned patients and has offered all victims access to an identity monitoring service, while warning them to check their credit history for any fraudulent activity.

Cyber News Rundown: Botnet Hijacks Browsers

Reading Time: ~ 2 min.

Fake Apex Legends App Spreads Malware

As the popularity of the latest free-to-play battle royale pushes ever higher, malicious Apex Legends apps have been spotted in the Google Play store with upwards of 100,000 downloads. The fake apps typically offer free in-game currency, or free downloads for an already free game, while installing malware onto devices and directing users to enter phishing domains to further compromise themselves.  

Cryptocurrency Wallet Bug Checks User Passwords with Spellchecker

A new bug has been found within the Coinomi cryptocurrency wallet app that quietly submits each user password to Google’s spellchecker without encryption, leaving user accounts vulnerable to attacks if someone is monitoring the web traffic of the application. The bug was discovered by a researcher who noticed that a majority of his funds had gone missing from his Coinomi-stored cryptocurrencies, leading him to investigate the app more extensively. 

Bangladeshi Embassy Site Compromised

Researchers have found that the web site for the Bangladesh Embassy in Cairo has been compromised and was pushing malicious word document downloads to any user who visited the site. Once the download is confirmed, it installs to an innocuous location within ProgramData and begins attempting to contact the command & control server to pull down additional malware. It’s likely that this issue is linked to an earlier attack on the site that left a cryptominer operating for several days and is affecting users who accessed the site during that time. 

Botnet Controls Browsers Even After Being Closed

A new type of cyber attack has been found that uses normal JavaScript and HTML5 functionality to take control of a user’s browser for a number of malicious activities and can even continue operating and commandeering resources after the browser or website has closed. Through these normal capabilities, this type of attack could affect both desktop and mobile browsers and, due to its nature, can be exceedingly persistent on the system once active. 

Multi-OS Ransomware Demands High Payment

The latest ransomware variant to make its rounds, Borontok, has already been spotted encrypting Linux servers and commercial websites, leaving a .rontok extension at the end of the filename. To make matters worse, the demanded ransom payment is 20 Bitcoins, or roughly $75,000, and gives directions to an actual payment site, though it does later offer the user a chance to negotiate for a lower payment. 

The Ransomware Threat isn’t Over. It’s Evolving.

Reading Time: ~ 5 min.

This is the third of a three-part report on the state of three malware categories: miners, ransomware and information stealers.

Ransomware is any malware that holds your data ransom. These days it usually involves encrypting a victim’s data before asking for cash (typically cryptocurrency) to decrypt it. Ransomware ruled the malware world since late 2013, but finally saw a decline last year. The general drop in malware numbers, along with defensive improvements by the IT world in general (such as more widespread backup adoption), were factors, but have also led this threat to become more targeted and ruthless.

Delivery methods

When ransomware first appeared, it was typically distributed via huge email and exploit kit campaigns. Consumer and business users alike were struck without much discretion. 

Today, many ransomware criminals prefer to select their targets to maximise their payouts. There’s a cost to doing business when it comes to infecting people, and the larger the group of people you are trying to hit, the more it costs. 

Exploit kits

Simply visiting some websites can get you infected, even if you don’t try to download anything. This is usually done by exploiting weaknesses in the software used to browse the web such as your browser, Java, or Flash. Content management and development tools like WordPress and Microsoft Silverlight, respectively, are also common sources of vulnerabilities. But there’s a lot of software and web trickery involved in delivering infections this way, so the bulk of this work is packaged into an exploit kit which can be rented out to criminals to help them spread their malware. 

Renting an exploit kit can cost $1,000 a month, so this method of delivery isn’t for everyone. Only those cybercriminals who’re sufficiently motivated and funded. 

“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of 0-days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop to Shadowbrokers-esque occurrences. The mentioned leaks probably served as a powerful wake-up call internally with regards to who has access to these utilities (or, perhaps, where they’re left behind).” – Eric Klonowski, Webroot Principal Threat Research Analyst

Exploits for use in both malware and web threats are harder to come by these days and, accordingly, we are seeing a drop in the number of exploit kits and a rise in the cost of exploits in the wild. This threat isn’t going anywhere, but it is declining.

Email campaigns

Spam emails are a great way of spreading malware. They’re advantageous for criminals, as they can hit millions of victims at a time. Beating email filters, creating a convincing phishing message, crafting a dropper, and beating security in general is tough to do on a large scale, however. Running these big campaigns requires work and expertise so, much like an exploit kit, they are expensive to rent. 

Targeted attacks

The likelihood of a target paying a ransom and how much that ransom is likely to be is subject to a number of factors, including:

  • The country of the victim. The GDP of the victim’s home nation is correlated to a campaign’s success, as victims in richer countries are more likely to shell out for ransoms 
  • The importance of the data encrypted
  • The costs associated with downtime
  • The operating system in use. Windows 7 users are twice as likely to be hit by malware as those with Windows 10, according to Webroot data
  • Whether the target is a business or a private citizen. Business customers are more likely to pay, and pay big

Since the probability of success varies based on the target’s circumstances, it’s important to note that there are ways of narrowing target selection using exploit kits or email campaigns, but they are more scattershot than other, more targeted attacks.

RDP

Remote Desktop Protocol, or RDP, is a popular Microsoft system used mainly by admins to connect remotely to servers and other endpoints. When enabled by poor setups and poor password policies, cybercriminals can easily hack them. RDP breaches are nothing new, but sadly the business world (and particularly the small business sector) has been ignoring the threat for years. Recently, government agencies in the U.S. and UK have issued warnings about this completely preventable attack. Less sophisticated cybercriminals can buy RDP access to already hacked machines on the dark web. Access to machines in major airports has been spotted on dark web marketplaces for just a few dollars.

Spear phishing

If you know your target, you can tailor an email specifically to fool them. This is known as spear phishing, and it’s an extremely effective technique that’s used in a lot of headline ransomware cases.

Modular malware

Modular malware attacks a system in different stages. After running on a machine, some reconnaissance is done before the malware reinitiates its communications with its base and additional payloads are downloaded. 

Trickbot

The modular banking Trojan Trickbot has also been seen dropping ransomware like Bitpaymer onto machines. Recently it’s been used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk (ransomware) to encrypt the most valuable information they have. The actors behind this Trickbot/Ryuk campaign only pursue large, lucrative targets they know they can cripple.

Trickbot itself is often dropped by another piece of modular malware, Emotet

What are the current trends?

As we’ve noted, ransomware use may be on the decline due to heightened defences and greater awareness of the threat, but the broader, more noteworthy trend is to pursue more carefully selected targets. RDP breaches have been the largest source of ransomware calls to our support teams in the last 2 years. They are totally devastating to those hit, so ransoms are often paid.

Modular malware involves researching a target before deciding if or how to execute and, as noted in our last blog on information stealers,they have been surging as a threat for the last six months. 

Automation

When we talk about selecting targets, you might be inclined to assume that there is a human involved. But, wherever practical, the attack will be coded to free up manpower. Malware routinely will decide not to run if it is in a virtualised environment or if there are analysis tools installed on machines. Slick automation is used by Trickbot and Emotet to keep botnets running and to spread using stolen credentials. RDP breaches are easier than ever due to automated processes scouring the internet for targets to exploit. Expect more and more intelligent automation from ransomware and other malware in future.

What can I do?

  • Secure your RDP
  • Use proper password policy. This ties in with RDP ransomware threats and especially applies to admins.
  • Update everything
  • Back up everything. Is this backup physically connected to your environment (as in USB storage)? If so, it can easily be encrypted by malware and malicious actors. Make sure to air gap backups or back up to the cloud.
  • If you feel you have been the victim of a breach, it’s possible there are decryption tools available. Despite the brilliant efforts of the researchers in decryption, this is only the case in some instances.

What can Webroot do?

  • Detect and stop ransomware. Prevention is always best, and it’s what we’re best at.
  • Block malicious URLs and web traffic.
  • Rollback changes made by some ransomware.
  • Offer support. Our support is excellent and easy to reach. As well as helping to tackle any possible ransomware attack, our team will investigate the root cause and help you secure your organisation against future attacks. Specialised security hardening tools that can be deployed from your console to your machines in a few clicks.
  • For more technical details see our Ransomware Prevention Guide.

Cyber News Rundown: Phishing through Email Filter

Reading Time: ~ 2 min.

Email Phishers Find New Filter Bypass

Since email filters have gained popularity over the last decade, scammers have been forced to adapt their attacks. To bypass a normal URL filter that would check for malicious links, these scammers have found a way to alter the “document relationship” file (xml.rels) and continue to push out harmful links. By removing the malicious link from the relationship file, many filters simply skip over it and allow the link to remain clickable, a new tactic which relies on filters scanning only a portion of a file.

Unknown Devices Putting UK Firms at Risk

In a recent survey, nearly 3 million UK businesses have admitted to constantly monitoring dozens of unknown devices connecting to their corporate networks. With internal security flaws being the main driver for data breaches, new policies should be implemented to work with the increasing number of external IoT devices connecting with systems expected to maintain a certain level of privacy. Unfortunately, many companies still see IoT devices as a non-threat and continue to ignore the gaping security holes appearing within their walls.

Swedish Healthcare Database Left Unattended for Years

A server was recently discovered to contain millions of call records made to a Swedish Healthcare Guide service that has been left exposed for up to six years. The server itself was created, then forgotten in 2013, and has since missed dozens of patches, leaving it vulnerable to at least 23 unique security flaws. Within the call records are names, birth dates, and even social security numbers, though after hearing of the breach, the company made swift efforts to properly secure the sensitive data.

Stanford Students Exposed After URL Vulnerability Spotted

What started as a simple admissions document request has left the personal data of 93 students exposed, due to a simple flaw in the record’s URL. By easily swapping out parts of the numeric ID viewable in the document’s URL, anyone with a login to the site could view another student’s records. Within the admissions documents was personal information relating to a specific student, including non-university records like background/criminal checks and citizenship standings. Fortunately, Stanford was quick to make the necessary changes and contacting affected students.

Cyber News Rundown: Photography Site Breached

Reading Time: ~ 2 min.

Popular Photography Site Breached

A major photography site, 500px, recently discovered they had suffered a data breach in July of last year. Data ranging from name and email addresses, to birthdates and user locations, were comprised. While the company did confirm no customer payment data is stored on their servers, all 15+ million users are receiving a forced password reset to ensure no further accounts can be compromised.

Nigerian Scammers Target ‘Lonely’ Victims

 A recent email campaign by a criminal organization known as Scarlet Widow has been focusing on matchmaking sites for people they consider to be lonelier, elderly, or divorced. By creating fake profiles and gaining the trust of these individuals, the scammers are not only attempting to profit financially, but also causing emotional harm to already vulnerable people.  In some cases these victims have been tricked into sending thousands of dollars in response to false claims of needing financial assistance, with one victim sending over $500,000 in a single year.

VFEmail Taken Down by Hackers

The founder of VFEmail watched as nearly 20 years-worth of data was destroyed by hackers in an attack that began Monday morning. Just a few hours after servers initially went down, a Tweet from a company account announced that all of the servers and backups had been formatted by a hacker traced back to Bulgarian hosting services. The motivation for the attack is still unclear, though given the numerous security measures the hacker successfully bypassed, it appears to have been a significant effort.

Urban Electric Scooters Vulnerable to Attacks

With the introduction of electric scooters to many major cities, some are curious about the security measures keeping customers safe. One researcher was able to wirelessly hack into a scooter from up to 100 yards and use his control to brake or accelerate the scooter at will, leaving the victim in a potentially dangerous situation. Without a proper password authentication system for both the scooter and the corresponding application, anyone can take control of the scooter without needing a password.

Phishing Campaign Stuffs URL Links with Excessive Characters

The latest phishing campaign to gain popularity has brought with it a warning about accounts being blacklisted and a confirmation link containing anywhere from 400 to 1,000 characters. Fortunately for observant recipients, the link should immediately look suspicious and serve as an example of the importance of checking a URL before clicking on any links.

Cyber News Rundown: Phishing British Parliament

Reading Time: ~ 2 min.

Members of British Parliament Targeted by Phishing Attack

Dozens of MPs from the UK were recently subjected to malicious spam and unauthorized solicitations via their mobile devices. Fortunately, as this wasn’t the first phishing attempt on MPs, many were quick to delete any unusual messages and quickly warned others to do the same. Due to the ease of mounting such an attack, phishing campaigns can be extremely effective, especially when deploying social engineering tactics to increase the victim pool.

Major African Utility Company Breached

One of the largest energy providers on the African continent suffered a data breach this week, brought on by an employee downloading a game onto a corporate device. Along with introducing a fairly sophisticated banking Trojan onto the system, the employee also allowed for a database containing sensitive customer information to be made available to the attackers. Even more worrisome, the utility company was only made aware of the breach after an independent security researcher attempted to contact them about the stolen data via Twitter.

Cryptocurrency Exchange Collapses After CEO Death

A Canadian-based cryptocurrency exchange was recently faced with a major dilemma after the untimely death of their CEO and only person to have access to the offline coin storage wallet. With more than $100 million worth of cryptocurrency current tied up in the exchange, many customers quickly found themselves without access to their funds, possibly indefinitely. Having a single point of failure is a critical, and easily avoidable, issue for any digital company.

Fast Food POS Breach

A new breach has been discovered that could affect any customers who paid with a credit card at any Huddle House fast-food locations over the past two years. While the specific malware variant is still unknown, there were obvious signs of credential stealing and other information gathering tactics. Huddle House has since been working with law enforcement and credit companies to help potential victims with credit monitoring.

Google Play Removes Porn Apps

In another wave of cleaning up the Google Play store, the company recently removed 29 apps that were disguised as photo or camera apps but would instead steal user photos and display a steady stream of pornographic advertisements. The apps had all been downloaded between 100,000 and 1 million time each, and were often extremely difficult to remove, even hiding the app icon entirely. Additionally, some of the apps would display as a photo editor, encouraging users to upload any extra pictures that weren’t already stolen.

Carbonite to Acquire Webroot

Reading Time: ~ 2 min.

I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses.

Why do I think this is such good news for customers, partners and our employees?  

For customers and partners, the combined Webroot and Carbonite will create an integrated solution for their top security needs today and a platform for us to build upon in the future. When surveyed, SMBs and MSPs consistently name endpoint security and backup and data recovery services among their top priorities.

For our threat intelligence partners, the addition of new data sources will make our threat intelligence services even more powerful.

We see great opportunities ahead building on the solutions you trust—endpoint and network protection, security awareness training and threat intelligence services—and extending them to backup and data recovery and beyond.

For employees, we see a great future of growth for a team with a shared culture. Both Webroot and Carbonite have tremendously talented team members who together will bring even more innovative solutions to market. But, just as important, both companies have a culture of customer focus, where customer success is the ultimate proof of company success. 

Until the transaction closes, we must operate as separate companies. After close, which we expect to happen in the first calendar quarter of 2019, I look forward to sharing more information about our plans.

In the meantime, customers and partners can expect:  

  • The same commitment to customer care and support. You will have access to your same account reps and award-winning customer support team.
  • Future solutions that combine Webroot’s threat intelligence driven portfolio with Carbonite’s data protection solutions.
  • Extended sales channels and partner ecosystems. Carbonite partners will provide additional channels for Webroot to reach new customers and partners worldwide.

The most important point I want to underline is that our commitment to you will not change, and we are just expanding the family of people dedicated to building great solutions to protect you and your customers. 

Mike Potts
President & CEO, Webroot

The Reality of Passphrase Token Attacks

Reading Time: ~ 3 min.

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers Ben makes a very astute observation:

What happens when attackers start guessing by the word instead of by the letter? Then a four-word passphrase effectively becomes a four-character password.

What Ben is describing is called a “passphrase token attack,” and it’s real. With a good passphrase, the attack is not much of a threat though. First, a definition, then I’ll explain why.

What’s a token?

In the context of a passphrase token attack, a token is a grouping of letters, AKA a word. The passphrase made famous by the comic xkcd, “correct horse battery staple,” is 28 characters long. But, in a passphrase token attack, I wouldn’t try to guess all possible combinations of 28 letters. I would guess combinations of entire words, or tokens, each representing a group of characters.

The math behind passphrases

One might assume, as Ben did, that a four-word password is the same as a four-character password. But that’s a math error. Specifically, 95≠1,000,000. 

Here’s why: There are 95 letters, numbers, and symbols that can be used for each character in a password. However, there are over a million words in the English language. For simplicity’s sake, let’s call it an even million words. If I’m thinking of a single character, then at most you have to try 95 characters to guess it. But if I ask you to guess which word I am thinking of, then you may need to guess a million words before you have guessed the word that I am thinking of. 

So while there are 95^4 possible combinations of characters for a four-character password, there are over 1,000,000^4 combinations of words for a four-word password. 

You might be thinking “But nobody knows a million words,” and you are correct. According to some research, the average person uses no more than 10,000. So, as an attacker, I’d try combinations of only the most common words. Actually, I may be able to get by with a dictionary as small as 5,000 words. But 5,000^4 is still a whole lot more combinations than 95^4.

Here is one list of 5,000 of the most commonly used words in the English language, and another of the 10,000 most commonly used words. Choosing an uncommon word is great, but even words in the top 5,000 are still far better than a complex nine-character password.

Why and how to use a passphrase

There are two major strengths of passphrases: 

  1. Passphrases allow for longer, more secure passwords. It’s length that makes a passphrase a killer password. A password/passphrase that’s 20 lowercase characters long is stronger than a 14 character password that uses uppercase letters, lowercase letters, numbers, and symbols. 
  2. Passphrases can be easy to remember, making creating and using passwords a lot less painful. “Aardvarks eat at the diner” is easy to remember and, at 26 characters long and including uppercase and lowercase letters, is more than 9 trillion times stronger than the password “eR$48tx!53&(oPZe”, or any other complex, 16-character password, and potentially uncrackable.

Why potentially uncrackable? Because “aardvark” is not one of the 10,000 most frequently used words and, if a word is not in the attacker’s dictionary, then you win. This is why it helps to use foreign-language words. Even common foreign words require an attacker to increase the size of their dictionary, the very factor that makes passphrase token attacks impractical. Learning a word in an obscure foreign language can be fun and pretty much assures a passphrase won’t be cracked.

As we’ve seen, cracking a passphrase can be far more difficult than cracking a password, unless you make one of two common mistakes. The first is choosing a combination of words without enough characters. “I am a cat,” for example. Although it’s four words, it’s only 10 characters long and an attacker can use a conventional brute force attack, even for a passphrase. Spaces between words can be used to increase the length and complexity of passphrases.

The second most common mistake is using a common phrase as a passphrase. I can create a dictionary of the top 1,000,000 common phrases and, if you’re using one, then it only takes at most 1,000,000 guesses to crack (about the same as a complex three-character password). 

So create your own unique passphrases and you’re all set. Most experts recommend passphrases be at least 20 characters long. But if you only go from eight characters to 16 upper and lower case letters, you’ll already be 430 trillion times better off. And if you’re creating a passphrase for a site requiring a number or symbol, it’s fine to add the same number and symbol to the end of your phrase, provided the passphrase is long to begin with.

As a side note, according to math, a five word passphrase is generally stronger than a four word passphrase, but don’t get too hung up on that.

So Ben, you are 100% right about the reality of passphrase token attacks. But, with a strong passphrase, the math says it doesn’t matter. Note: If this stuff fascinates you, or you suffer from insomnia, you might enjoy “Linguistic Cracking of Passphrases using Markov Chains.” You can download the PDF or watch this riveting thriller on YouTube. Sweet dreams.

Common WordPress Vulnerabilities & How to Protect Against Them

Reading Time: ~ 3 min.

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a price. The easy-to-use interface has given even users who are not particularly cybersecurity-savvy a presence on the web, drawing cyber-criminals out of the woodwork to look for easy prey through WordPress vulnerabilities in the process.

Here are some of these common vulnerabilities, and how can you prepare your website to protect against them.

WordPress Plugins 

The WordPress Plugin Directory is a treasure trove of helpful website widgets that unlock a variety of convenient functions. The breadth of its offerings is thanks to an open submission policy, meaning anyone with the skill to develop a plugin can submit it to the directory. WordPress reviews every plugin before listing it, but clever hackers have been known to exploit flaws in approved widgets.

The problem is so prevalent that, of the known 3,010 unique WordPress vulnerabilities, 1,691 are from WordPress plugins. You can do a few things to impede your site from being exploited through a plugin. Only download plugins from reputable sources, and be sure to clean out any extraneous plugins you are no longer using. It’s also important to keep your WordPress plugins up-to-date, as outdated code is the best way for a hacker to inject malware into your site.

Phishing Attacks 

Phishing remains a favored attack form for hackers across all platforms, and WordPress is no exception. Keep your eyes out for phishing attacks in the comments section, and only click on links from trusted sources. In particular, WordPress admins need to be on alert for attackers looking to gain administrative access to the site. These phishing attacks may appear to be legitimate emails from WordPress prompting you to click a link, as was seen with a recent attack targeting admins to update their WordPress database. If you receive an email prompting you to update your WordPress version, do a quick Google search to check that the update is legitimate. Even then, it’s best to use the update link from the WordPress website itself, not an email.

Weak Administrative Practices 

An often overlooked fact about WordPress security: Your account is only as secure as your administrator’s. In the hubbub of getting a website started, it can be easy to create an account and immediately get busy populating content. But hastily creating administrator credentials are a weak link in your cybersecurity, and something an opportunistic hacker will seize upon quickly. Implementing administrative best practices is the best way to increase your WordPress security.

WordPress automatically creates an administrator with the username of “admin” whenever a new account is created. Never leave this default in place; it’s the equivalent of using “password” as your password. Instead, create a new account and grant it administrative privileges before deleting the default administrator account. You’ll also need to change the easily-located and often-targeted administrator url from the default of “wp-admin” to something more ambiguous of your own choosing.

One of the most important practices for any WordPress administrator is keeping the WordPress version up-to-date. An ignored version update can easily become a weak point for hackers to exploit. The more out-of-date your version, the more likely you are to be targeted by an attack. According to WordPress, 42.6% of users are using outdated versions. Don’t be one of them.

Additional Security Practices 

The use of reputable security plugins like WordFence or Sucuri Security can add an additional layer of protection to your site, especially against SQL injections and malware attacks. Research any security plugins before you install them, as we’ve previously seen malware masquerading as WordPress security plugins. If your security plugin doesn’t offer two-factor authentication, you’ll still need to install a secure two-factor authentication plugin to stop brute force attacks. Keeping your data safe and encrypted behind a trusted VPN is also key to WordPress security, especially for those who find themselves working on their WordPress site from public WiFi networks.

WordPress is a powerful platform, but it’s only as secure as you keep it. Keep your website and your users secure with these tips on enhancing WordPress security, and check back here often for updates on all things cybersecurity.