Cyber News Rundown: TFlower Ransomware Exploiting RDP
TFlower Ransomware Exploiting RDP
Ransomware attacks seem to be earning larger payouts by focusing on big businesses and governments, and a new variant dubbed TFlower might be no exception. TFlower has been proliferating by hacking into compromised networks through various remote desktop services. Attackers can reportedly execute the malware and begin encrypting most file types and removing all local backups. It is still unclear how much the demanded ransom is, but researchers have found that TFlower doesn’t append the encrypted files’ extensions.
Ransomware is evolving. Click here to learn more on the threat.
Lion Airline Data Leak
More than 30 million customer records belonging to two Lion Air-owned companies Malindo Air and Thai Lion Air were found in a publicly accessible database and later on several underground forums earlier this month. Among the available data are names, birthdates, and passport information, all of which could easily be used to commit identity fraud. While the data was available for nearly a month, it is still unclear how many individuals may have obtained copies of the data.
White Hat Hackers Expose Webcam Security Flaws
Over 15,000 unique webcams from several different manufacturers have been found to be using default security settings while connected to the internet. Many of the compromised devices have been identified in the U.S., Europe, and Southeast Asia. This recent discovery should prompt manufacturers to implement additional security settings and require users to set their own passwords.
Medical Patient Images and Data Unprotected
In a recent research study of 2,300 healthcare systems, nearly 25 percent were publicly accessible on the internet, containing a total of 24.3 million patient healthcare records from at least 52 countries. Over 400 million medical images were available for access or download through a system that allows medical workers to share patient documents. These systems date back to the 1980s and need to be brought up to current security standards, as the current system has virtually none.
Ecuadorian Data Analytics Breach
An Ecuadorian data analysis firm, Novaestrat, is under investigation after it was discovered that the company left personally identifiable information for nearly every Ecuadorian citizen exposed in an unsecured database. Records for 2.5 million car owners and nearly 7.5 million financial and banking transactions were included in the records. Immediately upon the revelation of the breach, Ecuadorian government officials arrested the CEO for possessing the data illicitly.
Keeping Your Vehicle Secure Against Smart Car Hacks
An unfortunate reality of all smart devices is that, the smarter they get, and the more integrated into our lives they become, the more devastating a security breach can be. Smart cars are no exception. On the contrary, they come with their own specific set of vulnerabilities. Following high-profile incidents like the infamous Jeep hack, it’s more important than ever that smart car owners familiarize themselves with their inherent vulnerabilities. It may even save lives.
Want smart device shopping tips? Make sure your security isn’t sacrificed for convenience.
Smart Car Vulnerabilities
At a recent hacking competition, two competitors were able to exploit a flaw in the Tesla Model 3 browser system and compromise the car’s firmware. While the reported “Tesla hack” made waves in the industry, it actually isn’t even one of the most common vulnerabilities smart car owners should look out for. These, easier to exploit, vulnerabilities may be more relevant to the average owner.
Car alarms, particularly aftermarket car alarms, are one of the largest culprits in smart car security breaches. A recent study found that at least three million vehicles are currently at risk due to insecure smart alarms. By exploiting insecure direct object reference (IDORS) issues within the alarm’s software, hackers can track the vehicle’s GPS location, disable the alarm, unlock doors, and in some cases even kill the engine while it is being used.
Key fobs are often used by hackers to gain physical access to a vehicle. By using a relay attack, criminals are able to capture a key fob’s specific signal with an RFID receiver and use it to unlock the car. This high-tech version of a duplicate key comes with a decidedly low-tech solution: Covering your key fob in aluminum foil will prevent the signal from being skimmed.
On-Board diagnostic ports are legally required for all vehicles manufactured after 1996 in the United States. Traditionally used by mechanics, the on-board diagnostics-II (OBD-II) port allows direct communication with your vehicle’s computer. Because the OBD-II port bypasses all security measures to provide direct access to the vehicle’s computer for maintenance, it provides particularly tempting backdoor access for hackers.
Protecting Your Smart Car from a Cybersecurity Breach
Precautions should always be taken after buying a new smart device, and a smart car is no exception. Here are the best ways to protect your family from a smart car hack.
Update your car’s firmware and keep it that way. Do not skip an update because you don’t think it’s important or it will take too much time. Car manufacturers are constantly testing and updating vehicle software systems to keep their customers safe—and their brand name out of the news. Signing up for vehicle manufacturer recalls and software patches will help you stay on top of these updates.
Disable unused smart services. Any and all of your car’s connectivity ports that you do not use should be turned off, if not altogether disabled. This means that if you don’t use your car’s Bluetooth connectivity, deactivate it. Removing these access points will make your car less exposed to hacks.
Don’t be a beta tester. We all want the newest and hottest technologies, but that doesn’t keep us at our most secure. Make sure that you’re purchasing a vehicle with technology that has been field tested for a few years, allowing time for any vulnerabilities to be exposed. Cutting-edge technologies are good. But bleeding edge? Not so much.
Ask questions when buying your vehicle and don’t be afraid to get technical. Ask the dealer or manufacturer which systems can be operated remotely, which features are networked together, and how those gateways are secured. If you’re not comfortable with the answers, take your money elsewhere.
Advocate for your security. As smart cars become so smart that they begin to drive themselves, consumers must demand that manufacturers provide better security for autonomous and semi-autonomous vehicles.
Only use a trusted mechanic and be mindful of who you grant access to your car. OBD-II ports are vulnerable but necessary, so skipping the valet may save you a costly automotive headache down the line.
Keep the Conversation Going
As our cars get smarter, their vulnerabilities will change. Check back here to keep yourself updated on the newest trends in smart car technologies, and stay ahead of any potential threats.
Smishing Explained: What It Is and How to Prevent It
Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late?
It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received
As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:
SMS + Phishing = Smishing
For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.
As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.
Smishing vs Vishing vs Phishing
If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.
- Smishing, as described above, uses text messages to extract the sought after information. Different smishing techniques are discussed below.
- Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
- Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.
Examples of Smishing Techniques
Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:
- Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
- Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
- Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
- Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative.
How to Prevent Smishing
For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.
Here are a few other best practices for frustrating these attacks:
- Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) Check for spelling errors and grammar mistakes, 2) Visit the sender’s website itself rather than providing information in the message, and 3) Verify the sender’s telephone address to make sure it matches that of the company it purports to belong to.
- Never provide financial or payment information on anything other than the trusted website itself.
- Don’t click on links from unknown senders or those you do not trust
- Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
- Always type web addresses in a browser rather than clicking on the link.
- Install a mobile-compatible antivirus on your smart devices.
Thoughtful Design in the Age of Cybersecurity AI
AI and machine learning offer tremendous promise for humanity in terms of helping us make sense of Big Data. But, while the processing power of these tools is integral for understanding trends and predicting threats, it’s not sufficient on its own.
Thoughtful design of threat intelligence—design that accounts for the ultimate needs of its consumers—is essential too. There are three areas where thoughtful design of AI for cybersecurity increases overall utility for its end users.
Designing where your data comes from
To set the process of machine learning in motion, data scientists rely on robust data sets they can use to train models that deduce patterns. If your data is siloed, it relies on a single community of endpoints or is made up only of data gathered from sensors like honeypots and crawlers. There are bound to be gaps in the resultant threat intelligence.
A diverse set of real-world endpoints is essential to achieve actionable threat intelligence. For one thing, machine learning models can be prone to picking up biases if exposed to either too much of a particular threat or too narrow of a user base. That may make the model adept at discovering one type of threat, but not so great at noticing others. Well-rounded, globally-sourced data provides the most accurate picture of threat trends.
Another significant reason real-world endpoints are essential is that some malware excels at evading traditional crawling mechanisms. This is especially common for phishing sites targeting specific geos or user environments, as well as for malware executables. Phishing sites can hide their malicious content from crawlers, and malware can appear benign or sit on a user’s endpoint for extended periods of time without taking an action.
Designing how to illustrate data’s context
Historical trends help to gauge future measurements, so designing threat intelligence that accounts for context is essential. Take a major website like www.google.com for example. Historical threat intelligence signals it’s been benign for years, leading to the conclusion that its owners have put solid security practices in place and are committed to not letting it become a vector for bad actors. On the other hand, if we look at a domain that was only very recently registered or has a long history of presenting a threat, there’s a greater chance it will behave negatively in the future.
Illustrating this type of information in a useful way can take the form of a reputation score. Since predictions about a data object’s future actions—whether it be a URL, file, or mobile app—are based on probability, reputation scores can help determine the probability that an object may become a future threat, helping organizations determine the level of risk they are comfortable with and set their policies accordingly.
For more information on why context is critical to actionable threat intelligence, click here.
Designing how you classify and apply the data
Finally, how a threat intelligence provider classifies data and the options they offer partners and users in terms of how to apply it can greatly increase its utility. Protecting networks, homes, and devices from internet threats is one thing, and certainly desirable for any threat intelligence feed, but that’s far from all it can do.
Technology vendors designing a parental control product, for instance, need threat intelligence capable of classifying content based on its appropriateness for children. And any parent knows malware isn’t the only thing children should be shielded from. Categories like adult content, gambling sites, or hubs for pirating legitimate media may also be worthy of avoiding. This flexibility extends to the workplace, too, where peer-to-peer streaming and social media sites can affect worker productivity and slow network speeds, not to mention introduce regulatory compliance concerns. Being able to classify internet object with such scalpel-like precision makes thoughtfully designed threat intelligence that is much more useful for the partners leveraging it.
Finally, the speed at which new threat intelligence findings are applied to all endpoints on a device is critical. It’s well-known that static threat lists can’t keep up with the pace of today’s malware, but updating those lists on a daily basis isn’t cutting it anymore either. The time from initial detection to global protection must be a matter of minutes.
This brings us back to where we started: the need for a robust, geographically diverse data set from which to draw our threat intelligence. For more information on how the Webroot Platform draws its data to protect customers and vendor partners around the globe, visit our threat intelligence page.
Cyber News Rundown: Arizona School Ransomware Attack
Ransomware Closes Arizona School District
As many students began returning for the fall semester, classes were cancelled in the Flagstaff Unified School District in Arizona after a ransomware attack disabled some of the district’s computer systems. Officials haven’t yet released any additional information on the ransom demanded or if any sensitive employee or student documents was compromised. The attack is another in a chain of ransomware campaigns affecting dozens of school districts around the country in recent months.
Want more on the latest threats to your online security and privacy?
Follow us on Facebook and Twitter to stay up to date.
BEC Scam Targets Toyota Corporation
A subsidiary company of Toyota fell victim to a business email compromise (BEC) that could cost more than $37 million. Using social engineering to convince the victim to send the wire transfer has become a common practice around the world and earned scammers an estimated $1.3 billion in 2018 alone. Officials are still working to determine the proper course of action to recover the stolen funds, though it is unlikely they will be able to track down their present location.
International BEC Sting Nets 281 Arrests
With the cooperation of many law enforcement agencies around the world, at least 281 individuals were taken into custody for their roles in various BEC scams. Along with the arrests, officials seized $3.7 million in cash that had been stolen by redirecting wire transfers while posing as a high-level executive. While the majority of arrests came from Europe and Africa, nearly a quarter occurred in the U.S.
LokiBot Campaign Affects U.S. Manufacturer
A poorly written email phishing campaign was recently discovered with a rather malicious payload called LokiBot. In the scam, once a victim would open the attachment (with assurances in the email that it simply needs to be reviewed), an archive would unzip and allow the payload to begin hunting for credentials and any other sensitive information stored on the system. After reviewing the LokiBot sample, the IP address from which the campaign originated from has been tied to several other, similar campaigns from recent months.
Oklahoma State Trooper Pension Fund Stolen
Malicious hackers recently stole more than $4.2 million from the Oklahoma State Trooper’s pension fund, which was to be used to assist roughly 1,500 retired law enforcement agents in the state. While most of the benefits programs should remain unaffected, officials are confident that they will be able to recover the funds, which would also be covered by insurance company if unable to be recovered.
Employee Spotlight: Chat with Alia AlaaEldin Adly
According to a report from hired.com, the demand for security engineers is up 132%. Additionally, the need for engineers who specialize in data analytics and machine learning has increased by 38% and 27%, respectively. Given recent trends in cybersecurity, it’s no wonder, and demand at Webroot is no exception. To be successful, our software engineers have to stay ahead of AI and machine learning trends so they can explore, work, grow, and effectively evolve tech in the cybersecurity industry.
We talked to Alia AlaaElDin Adly, a software engineer based in Linz, Austria. In her role, Alia is constantly looking for new technology, testing platforms, and developing the new solutions to stay ahead of modern threats.
What is your favorite part of working as a software engineer?
I enjoy exploring new technology and frameworks, specially figuring out problems by hand. Software engineers don’t always receive all the requirements up front, so we need to develop strategies and work on tasks without having all the pieces necessary to execute. For example, take the testing framework SpecFlow. We had to do a lot of research, have numerous brainstorming sessions, and rework the project outline to create a viable structure that would fit the needs of our APIs. It’s a fun challenge.
What does a week as a software engineer look like?
It really depends on the task at hand. Some tasks take a day or two, and others can take quite a bit longer. In planning, most tasks are designed to be completed in a maximum of two days, but, when you meet an unexpected obstacle and need to find a workaround, the task needs more time. Also, you have to factor in how much research or prototyping a task may require. One thing I can say about working at Webroot is that I am learning a lot. It’s like a rollercoaster ride: ups and downs, lefts and rights, spirals, and just when you think you’re done, even more spirals!
What have you learned / what skills have you built in this role?
When I started, I had pretty bad documentation habits. You hear a lot about the importance of documentation in school, but some lessons don’t really sink in until you have to face them in a real-world setting. I would say I still need to work on it, but my documentation has really improved! I am also getting better at having a proper project structure, and I’m really enjoying all the new tools and technologies I get to learn, like the Specflow framework and Xamarin forms.
What is your greatest accomplishment in your career at Webroot so far?
I work on the Unity API team based in Linz, Austria. The Webroot® Unity API is a platform that enables admins to dig deeper into the services and information Webroot offers. It’s a really useful tool for a lot of our customers, and I helped build out a automation testing framework to create smoke and regression tests for the API. Also, I managed and organized the end-of-year spotlight video that showcased what our team had accomplished.
What brought you to Webroot after your last job?
I was already in Austria completing my masters when I applied for the job. During the interview process, I liked how Webroot felt like a family. Everyone was so friendly and welcoming the day I started. Instead of making me feel like a nervous newcomer, they brought me in and helped me feel involved and important right away. And it has stayed that way.
Best career advice you’ve received?
To always be flexible and not limit yourself. You have to be curious not only about the world around you, but what you can do in it. If you keep your options open, you’re more likely to discover new strengths, and new (and exciting!) challenges to overcome.
What is your favorite thing to do in Linz?
I enjoy walking around in the city center and along the Danube River. I also like to go cycling, climbing, and running. During spring and summer, I usually bike to work and I like going to the lake to play beach racket. Of course, I love traveling and visiting new cities and countries! I feel very lucky that Webroot’s Linz office is in such a good location, which makes quick day trips and weekend travel really easy.
Cyber News Rundown: Deepfake Voice Fraud
Deepfake BEC Scam
A new variant of the well-known BEC scam has implemented a feature that has yet to be used in an email scam: voice fraud. Using an extremely accurate deepfake voice of a company’s CEO, scammers were able to successfully convince another company to wire $250,000 with the promise of a quick return. Unfortunately, that transfer was quickly spread out through a number of countries, leaving investigators with very little clue as to the identity of the scammers.
Yves Rocher Data Leak
The customer databases belonging to French retailer Yves Rocher were found to be publicly available by researchers who discovered the records of over 2.5 million customers. In addition to the personal data, the details for over 6 million transactions, and internal Yves Rocher information were grouped with the exposed database. The internal data could be a major opportunity for any competitors to obtain some crucial footings in the marketplace.
German Mastercard Breach
Officials recently learned of a data breach that was affecting nearly 90,000 German Mastercard holders that are part of their members loyalty program. Nearly half of the exposed email addresses have already been compromised in previous data breaches, according to Have I Been Pwned, though the affected customers should still update their credentials. Fortunately, this breach only affected the loyalty program members rather than the entirety of Mastercard’s world-wide client base.
Ransomware Wave Hits US
Continuing on from a summer full of ransomware attacks on US cities comes a streak of 13 new attacks that range from the East Coast to the West Coast. Sadly, several of the victims have already paid out some portion of the demanded ransoms, with some insurance companies even attempting to negotiate with the attackers for a lower payout. With this streak, the total number of ransomware attacks in the US in 2019 is up to 149, 20% of which involved educational institutions.
UK Travel Agency Breach
A UK-based travel agency has recently fallen victim to a data breach that could affect over 200,000 of their customers. The main leak included audio files for the affected customers confirming travel and payment plans, as the travel firm completes their deals over the phone. The audio files appear to have bene publicly available for a span of nearly 3 years, but quickly secured the sensitive information once they were informed of its current status.
Cyber News Rundown: Social Media Bots Attack
Cybercriminals use Botnets to Launch Attacks on Social Media
According to a new report, more than half of all login attempts on social media sites are fraudulent, and at least 1 in 4 new account creation attempts are also fraudulent. With the sheer number of potential victims these types of sites provide attackers, these strategies are proving to be more and more lucrative. Even more worrisome: at least 10% of all digital handshakes from online purchases to new accounts being created are being made by malicious actors.
Cybercriminals target end users. Learn why businesses need security awareness training.
xHelper Trojan Infects Thousands of Android Devices
A new Trojan has infected over 30,000 devices in a very short time. By disguising itself as a JAR archive, the dropper is able to move quickly through a system, rather than being installed within a bundle as a standard APK. At least two variants of the Trojan have been spotted, one running extremely silently on infected devices while the other does less to hide itself, creating an actual xHelper icon and pushing an increasing number of notifications to the device.
Malicious PDF Scanner App
Researchers recently notified Google of a Trojanized CamScanner app that has been downloaded over 100 million times. The app itself is used to download and launch a malicious payload, after making contact with the attacker’s servers. Fortunately, Google is quick to act when they receive these types of reports, and has already removed the app from the Play Store. This app follows in a long line of high-install malicious apps to hit the Google™ Play Store in the last couple months.
Cable Companies Delay Robocall-Detection Implementation
Following the FCC decision to push out a technology that would allow all telecom companies to implement detections for the excessive number of robo-calls their customers receive every year. Unfortunately, the FCC never made an official deadline, so the lobby groups for the cable companies have been pushing for further delays. Hopefully, more telecom companies will get behind this technology and start helping their customers avoid this kind of harassment.
Hosting Provider Data Breach
A data breach was recently revealed by Hostinger, a hosting provider, which could affect their entire 14-million-strong customer base. Within the last week, the company identified unauthorized access to one of their servers, which contained sensitive customer information. Fortunately, Hostinger resolved the vulnerability quickly and pushed out a mandatory password reset to all affected users.
Cyber News Rundown: Android Adware
Android Apps Riddled with Adware
Another 85 photo and gaming apps have been removed from the Google Play store after they were discovered to have been distributing adware to the roughly 8 million users who had downloaded the fake apps. The adware itself is rather tricky: by sitting dormant on devices for at least 30 minutes to avoid detection, they are then able to display a steady stream of full-screen ads that make users wait through each in its entirety before allowing continued use of the app.
Learn more about mobile security for shopping, banking and browsing.
Texas Hit by Multiple Ransomware Attacks
Several Texas municipalities have fallen victim to a single ransomware campaign affecting at least 22 locations and asking a cumulative ransom of $2.5 million. The state of Texas has been under fire for the past few months, suffering a seemingly endless string of ransomware attacks on local governments. Fortunately, many of the targeted districts have been swift to remediate issues and are already on the path to full system recovery, managing to avoid paying heavy ransoms.
Steam Zero-Days Released After Valve Bans Submitter
A researcher recently found several zero-day vulnerabilities within the Steam API that could allow for local privilege escalation (LPE), which could then allow malware to use the client as a launching point. Unfortunately, Valve decided the bug was outside of its scope of responsibility, locked the report, and refused to investigate it any further, also banning the submitter from the bug bounty program. Eventually, after much negative media coverage, Valve pushed out a patch that was quickly subverted by another workaround. It is unusual for a company with so many active users to blatantly ignore one of Microsoft’s most commonly patched vulnerabilities.
Adult Site Database Exposed
Yet another adult site has fallen victim to poor information security practices after a database containing personally identifiable information belonging to nearly 1 million users was misconfigured and left publicly available. The leak was discovered by researchers who were able to verify a breach and swiftly report it to the site, which took only four days to secure the data. Site users were notified of the breach and are being advised to change login credentials, especially those using work devices or contact details.
Magecart Found in Poker Tracker
The infamous Magecart card-skimming script was recently found loaded into Poker Tracker’s main site, which allows online poker players to make statistics-based betting decisions. It was later revealed that the site was fully injected via an outdated version of Drupal that has since been updated. The attack left the attackers with a copy of every payment made through the site or the app.
Cybersecurity in Schools: What Families Need to Know
Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure.
Learn how VPNs help safeguard your data and can enable private and anonymous web browsing.
Unsecured School WiFi
Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.
Weak Cybersecurity Practices
A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigation Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessed through a simple change to a numeric ID in a URL. While exploring the scope of the vulnerability, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.
Targeted Cybersecurity Attacks
Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone. The threat has become a large enough issue that the FBI has released a public service announcement warning that the education sector was one of those most frequently targeted by social engineering schemes and phishing attacks.
Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attacker who targets a school so that they won’t have to take a test may not be as costly as one that targets student data, it still can grind a school system to a halt.
How to Protect Your Student’s Cybersecurity
How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about their strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.
Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect and disconnect to their VPN at will.
Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car, they should also know how to stay safe online, whether at home, school, or a friend’s house.
The key to truly protecting your children from potential cybersecurity threats is education, both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.
Get to Know Manager of Software Development, Fred Yip
With job growth projected to surge 24% over the next seven years, software engineering is one of the most demanded professional fields in the U.S. Exceptionally competitive pay and the chance to pursue careers across many industries are just a few benefits of being a software engineer.
We explore how software engineers working in cybersecurity face unique challenges and opportunities in our sit down with Fred Yip, Manager of Software Development in Webroot’s San Diego office.
Besides this sunny San Diego weather, what gets you out of bed and into the office?
I’m surrounded everyday by smart people who want to do their best to solve customer problems. There is a lot to do, but the work is very engaging and rewarding. My favorite part of the job is working closely with my team to deliver products to our customers. We work in a startup-like environment. Everyone wears many hats: as software developer, as tester, DevOps engineer, and customer support.
There are many industries that demand your talent, what drew you to cybersecurity?
Cyberattacks are a rising trend. I used to work for an enterprise serving Fortune 500 companies. Knowing that cyberattacks affect everybody, I saw an opportunity to bring my skillset to Webroot. We extend our product to small and mid-sized businesses as well as consumers, which gives me the satisfaction of building a top-notch technology for anyone who needs it, whether it be a doctor’s office, coffee shop, or someone walking down the street.
What does a week of life at Webroot look like for you?
A typical week for a manager is not much different than that of a team member. We do software development, testing, and deployment of product features as a team. I help design and implement the cloud infrastructure that supports our software components as microservices. In addition, I look out for the well-being of each team member in terms of technical, personal, and career development.
What skills and traits do you look when hiring software engineers?
As an engineer, you have to be a team player, not self-focused. I look for a lot of integrity and honesty about what they are doing and what they know and don’t know. An eager attitude toward learning is important because it allows them to solve problems and contribute to the team. When they bring their best character and performance, they help to build a strong team. As long as someone has some relevant experience, they can always learn the technical skills. And an ability to learn new things quickly is another thing I always look for in a potential team member.
Are there any outside activities that you and your team are involved in?
We attended a coding challenge at UC San Diego earlier this year, where we host students for a friendly competition. It was very high energy and there was a lot of participation. It was a fun challenge beyond just writing code. You could actually see the code working against others and the top winner was recognized after we gave out prizes. I always tell candidates to participate in the event, it’s a way to motivate them to join our team!
Cyber News Rundown: Hookup App Exposes Users
Hookup App Leaks User Locations
Geo-locating and other sensitive data has been leaked from the hookup app 3fun, exposing the information for more than 1.5 million users. While some dating apps using trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of their client’s activities.
Ransomware Attacks on DSLR Cameras
Malware authors continue to find new victims, as a ransomware variant has been found to be remotely attacking Canon DSLR cameras and demanding a ransom to regain access to the device. Researchers have found multiple vulnerabilities that could allow attackers to perform any number of critical functions on the cameras, including displaying a ransom note and remotely taking pictures with the camera. Fortunately, Canon has already begun issuing patches for some of its affected devices, though it’s taking longer to fully secure others.
Take back your privacy. Learn more about the benefits of a VPN.
Google Drive Exploit Allows Phishing Campaign to Flourish
A new phishing campaign has been discovered that uses a legitimate Google Drive account to launch a phishing campaign that impersonates the CEO asking the victim to open the Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention and the email itself appears to be a hastily compiled template.
British Airways Data Leak
British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.
Android Trojan Adds New Functionality
Following in the footsteps of Anubis, an Android banking Trojan for which source code was recently revealed, Cerberus has quickly filled the void without actually borrowing much of that code. One major change is that Cerberus implemented a new method of checking if the device is physically moving or not, in hopes of avoiding detection by both the victim and any researchers who may be analyzing it. Additionally, this variant uses phishing overlays from several popular sites to further collect any login credentials or payment card data.