PC PORTAL

Experienced. Trusted. Solutions.

ransomware

By

Cyber News Rundown: Medicare Data Breach

Reading Time: ~2 min.

Data Breach Affects Centers for Medicare & Medicaid Services

The Centers for Medicare & Medicaid Services (CMS) announced last week they had discovered malicious activity within their direct enrollment pathway, which connects patients and healthcare brokers. At least 75,000 individuals were affected. The pathway has since been disabled to prevent further exposure. Until the pathway is fixed, hopefully within a week, CMS is contacting affected patients and offering them credit protection services.

Ransomware Disables City’s Computer Systems

City officials in West Haven, Connecticut finally gave in to ransom demands following a cyberattack against their systems. The attack began early Tuesday morning and disabled 23 individual servers before a decision was made to pay a ransom in hopes for the return of their data. While it is still unclear if the systems were fully restored, the town was lucky to receive a relatively small ransom request ($2,000 given the significant amount of data stolen.

User Data Exposed on Adult Sites

A string of eight adult sites, all owned by the same individual, fell victim to hackers who took advantage of poor security to expose records for up to 1.2 million individuals. While not as large as similar adult-related breaches, it still presents questions as to why proper security measures aren’t put in place on these sites proactively. The owner of the sites has since taken them down and replaced them with messages warning users to update their passwords and take extra security precautions.

McAfee Tech Support Scam on the Rise

A new browser-based tech support scam has been spotted recently that warns users their McAfee subscription has run out and needs to be renewed. Rather than redirect victims through an affiliate link to the real McAfee site, though, this latest scam directly prompts the user to input payment card information and other personal data into a small pop-up window. To top it off, once payment info is entered, an additional pop-up appears that suggests contacting support to help install your new software and eventually falsely claiming payment wasn’t successful and users must re-purchase the software.

Iowa City Shuts Down After Ransomware Attack

The city of Muscatine, Iowa is working to determine how several of their main computer systems, both within city hall and its library, were infiltrated by ransomware that’s knocked them offline. Officials have announced that no information was stolen and the city does not maintain any payment records, so citizens shouldn’t be worried. The city’s emergency services were also unaffected and continue to operate as normal.

The post Cyber News Rundown: Medicare Data Breach appeared first on Webroot Blog.

By

Cyber News Rundown: Voter Records for Sale

Reading Time: ~2 min.

2018 Voter Records for Sale

As the United States midterm elections draw closer, concern surrounding voter information is on the rise, and for good reason. Records for nearly 35 million registered voters from 19 different states were found for sale on a hacker forum, with prices ranging from $500 to $12,500, depending on the state. Unfortunately, a crowdfunding campaign has begun on the forums to purchase each database and post them publicly, with 2 states already being published.

County Water Utility Struck by Ransomware

Just a week after Hurricane Florence hit land in North Carolina, a coastline county’s water utilities fell victim to a ransomware attack. Effectively shutting down all services during a time when they are working on emergency operations left the local water authority with limited capabilities until they began the lengthy process of restoring everything from backup files. By choosing to ignore the ransom and restore manually, the utility service has taken on a more time and resource consuming task, as they continue operating without any of their online systems.

PS4 Exploit Causes System Crash

A new exploit has been discovered that allows attackers to send a malicious message to other PlayStations that will effectively render the console unusable. The message itself doesn’t even need to be opened to cause considerable damage, resulting in most users performing a factory reset to return everything to normal. While some users have been successful in deleting the message from the mobile app before it causes any harm, others still had to rebuild the system’s database.

iPhone Passcode Bypass Still Active

Days after Apple released a patch for iOS 12.0 that shutdown a passcode bypass method, the same researcher was able to find yet another way to access the phone illicitly. By using a combination of Siri and the VoiceOver feature, anyone with physical access to the device could obtain pictures, and other data with ease. To make matters worse, the latest bypass also gives attackers the ability to send files to other devices and view them in full resolution, rather than minimized like the previous bypass allowed.

Massive Phishing Campaign Targets Iceland

Over the weekend, thousands of emails were sent out to the relatively small population of Iceland, most of which claimed to be from the local police and threatened judicial action if they did not comply. The email then linked victims to a nearly perfect replica of the official Icelandic Police website and requested their social security number. The attack itself was focused on gaining bank details and further compromising already infected computers for more information.

The post Cyber News Rundown: Voter Records for Sale appeared first on Webroot Blog.

By

Unsecure RDP Connections are a Widespread Security Failure

Reading Time: ~3 min.

While ransomware, last year’s dominant threat, has taken a backseat to cryptomining attacks in 2018, it has by no means disappeared. Instead, ransomware has become a more targeted business model for cybercriminals, with unsecured remote desktop protocol (RDP) connections becoming the favorite port of entry for ransomware campaigns.

RDP connections first gained popularity as attack vectors back in 2016, and early success has translated into further adoption by cybercriminals. The SamSam ransomware group has made millions of dollars by exploiting the RDP attack vector, earning the group headlines when they shut down government sectors of Atlanta and Colorado, along with the medical testing giant LabCorp this year.

Think of unsecure RDP like the thermal exhaust port on the Death Star—an unfortunate security gap that can quickly lead to catastrophe if properly exploited. Organizations are inadequately setting up remote desktop solutions, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RPD connections using engines like Shodan. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web.

Once a criminal has desktop access to a corporate computer or server, it’s essentially game over from a security standpoint. An attacker with access can then easily disable endpoint protection or leverage exploits to verify their malicious payloads will execute. There are a variety of payload options available to the criminal for extracting profit from the victim as well.

Common RDP-enabled threats

Ransomware is the most obvious choice, since it’s business model is proven and allows the perpetrator to “case the joint” by browsing all data on system or shared drives to determine how valuable it is and, by extension, how large of a ransom can be requested.

Cryptominers are another payload option, emerging more recently, criminals use via the RDP attack vector. When criminals breach a system, they can see all hardware installed and, if substantial CPU and GPU hardware are available, they can use it mine cryptocurrencies such as Monero on the hardware. This often leads to instant profitability that doesn’t require any payment action from the victim, and can therefore go by undetected indefinitely.

Source: https://knowyourmeme.com/photos/1379666-cheeto-lock

Solving the RDP Problem

The underlying problem that opens up RDP to exploitation is poor education. If more IT professionals were aware of this attack vector (and the severity of damage it could lead to), the proper precautions could be followed to secure the gap. Beyond the tips mentioned in my tweet above, one of the best solutions we recommend is simply restricting RDP to a whitelisted IP range.

However, the reality is that too many IT departments are leaving default ports open, maintaining lax password policies, or not training their employees on how to avoid phishing attacks that could compromise their system’s credentials. Security awareness education should be paramount as employees are often the weakest link, but can also be a powerful defense in preventing your organization from compromise.

You can learn more about the benefits of security awareness training in IT security here.

The post Unsecure RDP Connections are a Widespread Security Failure appeared first on Webroot Blog.

By

Security newsround: September 2018

We round up interesting research and reporting about security developments from around the web. This month: the devastation from NotPetya, a sound idea for authentication, help with NIST and cutting-edge security analysis.

The shipping news

If the truly wise learn from the experiences of others, then there are lessons galore from Maersk’s ransomware infection. You know, the one that cost the world’s largest shipping company $300 million. Thanks to an eye-watering account in Wired, you can vicariously experience the eye of a storm during a crippling ransomware outbreak.

The story details Maersk’s troubles during the NotPetya outbreak in 2017, aka “the most devastating cyberattack in history”. Weighing in at more than 6,000 words, it’s a meaty read. The excellent in-the-trenches reporting from Andy Greenberg offers plenty of ‘what-if’ scenarios that security and risk professionals can use for developing response plans.

Listen to this: a wearable solution to 2FA trouble?

Build a better mousetrap and the world will beat a path to your door. In this case, the trap in question is authentication. Researchers at the University of Alabama have developed a wearable device that uses two-factor authentication to foil attackers that are remote or in close proximity. It requires minimal effort on the part of users, who don’t even need to install browser plugins. CSO reports that “the browser would play back a short random code encoded into human speech when a user attempts to login”.

The University’s own summary describes it as “a complete re-design of the sound-based TFA systems to thwart both remote and proximity attacks”, while still being easy to use. Sophos notes that usability has been a sticking point when it comes to 2FA adoption. It cited one 2016 study showing that 28 per cent of users don’t use 2FA, and 60 per cent of those that do only do it because someone makes them.” The original research paper is here.

Plotting a secure path through the NIST

This year, the National Institute of Standards and Technology updated its 2014 framework for improving the security of critical infrastructure. (Here’s the framework as a free PDF.) Now, Mukul Kumar and Anupam Sahai of Cavirin Systems have written a guide to help security professionals turn the framework theory into security reality for their needs. They outline five high-level steps for following the NIST advice, with detailed explanations for each step.

Researchers look to security’s future at Usenix 2018

The 27th Usenix security symposium took place in August, and it often hosts interesting sessions giving a glimpse of where security might be heading. This year was no exception, with the largest event in the conference’s history. Researchers from around the world presented at the three-day event. As part of their commitment to open access to research, the organisers publish links to all 100 papers at Usenix’s publications page.

There’s no shortage of tantalising titles to choose from. Among our favourites are: You can run, but can you hide? (analysing privacy protection in fitness trackers), The Battle for New York: (a case study of enterprise-level digital threat modelling), and O Single Sign-Off, Where Art Thou? (which analyses single sign-on account hijacking).

Possibly the best is Harvard professor James Mickens’ 50-minute keynote called “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

Things we liked

Europol warns that GDPR fears could lead breached companies to do deals with cybercriminals to avoid regulatory fines. MORE

The world is changing. Time to change how security professionals and CISOs approach their roles, argues Joseph DiBiase. MORE

Is two-factor authentication the security panacea some claim it is? Stuart Schechter argues caution before making the leap: “All security measures have trade-offs”, he warns. MORE

Patch, and patch often. This piece asks why does it take so long to install security updates? MORE

As the UK data protection regulator imposes a £500,000 fine on Equifax, the Register describes the company’s security failings as “the gift that keeps on giving”. MORE

 

The post Security newsround: September 2018 appeared first on BH Consulting.

By

Here’s the missing ingredient in a solid security and business continuity plan

Security incidents can cast an unforgiving light on many organisations’ readiness. They highlight the need for security programmes that go further than just fixing things when they break.

Response has been security’s classic default reaction to an incident. Something is broken, so we need to fix it. But this misses a critical ingredient: resilience. If an important system fails, organisations need to know they can continue by using alternative systems, be they technical or manual.

Resilience, not just recovery

“Security incidents invariably lead to downtime. So it makes sense to focus on resilience in security programmes, not just detection and recovery. This way, a business can continue to survive and function even if key services are disrupted or temporarily unavailable,” says Brian Honan, CEO of BH Consulting.

Last year’s ransomware outbreaks were a classic case in point. FedEx’s TNT subsidiary shipped a $300 million loss following the NotPetya infection. It took weeks to restore IT operations fully, and deliveries and sales declined during this time. The NHS in the UK cancelled 22,000 hospital appointments as it struggled to cope in the wake of WannaCry.

Steps to resilience

Brian recommends that organisations should become more resilient by integrating incident response and business continuity. He suggests the following four steps:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Once you start talking the language of risk, you’re talking the language of business, not IT. That’s why Brian recommends getting agreement from business owners as to how the organisation manages the risks that it discovers. Suppose the assessment stage uncovers a vulnerable system. The organisation has three choices: replace the system outright, upgrade the current version, or accept the risk that the business will be unavailable for whatever time it takes to recover from downtime.

Decision time for the business

Each option comes at a price, but it’s up to the business to determine the cost it’s willing to bear. “The security professional’s role is to give the business well informed data and analysis so that they can make the appropriate decision for the business. The CSO is chief security officer, not the chief scapegoat officer,” says Brian.

There’s still vigorous debate over the meaning of resilience in the context of information security. Kelly Shortridge of Security Scorecard recently wrote a lengthy and thoughtful post that’s well worth reading. Drawing on a range of examples from far beyond security, she says security has too often focused on robustness. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. Quoting the ecological economics scholar Peter Timmerman, she adds: “resilience is the building of ‘buffering capacity’ into a system, to improve its ability to continually cope going forward.”

Another word for resilience is flexibility. That’s arguably an incomplete definition too, but the term hints at an ability to bounce back from an interruption to something approaching normal service.

The post Here’s the missing ingredient in a solid security and business continuity plan appeared first on BH Consulting.