By: Brian Barrett for Wired Security
April 24, 2017
The pitch has plenty of appeal: Sign up for our service, and we’ll automatically unsubscribe you from all those pesky email lists. For free! Except, not quite; as it turns out, you end up paying in privacy.
That’s just one revelation from a bombshell New York Times look at Uber, which showed how Unroll.me, the service described above, scans the email accounts of its users for information as granular as Lyft receipts to anonymize, package, and sell on the lucrative data market. Unroll.me CEO Jojo Hedaya issued something like an apology, though he mostly seemed sorry that no one bothered to read the terms of service closely enough.
But while Unroll.me has taken plenty of well-deserved flack for the unexpected disclosure, it’s hardly the only service that taps into your Gmail, or your other Google services, or for that matter your Facebook account. You’ve probably given that access away freely, without even realizing it—or the full scope of its implications—in exchange for a little added convenience, whether that’s getting Bed Bath & Beyond’s digital marketers off your back, or simply using your Google account to sign in to a range of apps and sites across the internet.
Not all of these interactions and permissions are grody, or even all that objectionable. Your Withings App wants to tap into Google Fit? Sure, makes sense. Your email client needs Gmail access? Of course! Otherwise it would be a nothing client.
Often, though, the adage holds true: If it’s free, you’re the product. Or more specifically, your browsing habits and social graph are, both of which advertisers crave.
That makes now as good a time as any to audit who’s tapping into your Google and Facebook services, and for what reason. You may have other go-to services you want to check as well, but these two are both the biggest, and the most commonly used for OAuth, an open standard that lets you use those accounts as your sign-in across the web.
Fortunately, taking stock takes no time at all. Neither does clearing out unwelcome interactions. Here’s how.
To see what apps and services you’ve given Google permissions to, just head here. That’s where you’ll find Unroll.me, for instance, along with anywhere else that has asked for your info. You might be surprised by what you find! (A personal example: At some point, I apparently agreed to let Target know my email address, approximate age, preferred language, and basic account details. Whoops?)
Not every connected entity has the same level of privileges. To see what they can tap into, just click, and the view will expand for a helpfully detailed rundown.
You can’t adjust the level of access from here, but if you want to cut something out of your Google goodies altogether, just click Remove, and then OK when a pop-up asks you if you’re absolutely sure.
Confusingly, Google also lets you parse your Connected Accounts here. These are accounts you voluntarily linked to your Google account, like say if in a fit of optimism you linked your Google Plus and your Twitter so that all your Google Plus friends could read your tweets. There’s not likely to be much in there, but check it just in case.
The Facebook case isn’t quite the same as Google. But Facebook also integrates with all kinds of third-parties, and if you’re auditing one you might as well take a look at the other. Especially given that, if anything, it’s even easier to purge. If you want to nuke any app, website, or plugin interactions with Facebook, just go to Settings, click Apps, then hit Edit under Apps, Websites and Plugins, and click Disable Platform.
For a more targeted strike, look at the top of that same Settings page and see what you’ve linked up with. Go ahead and ditch any you don’t use anymore, or don’t need Facebook to tap into. Also to be clear,
And while you’re at it, go to Apps Others Use, and click Edit, and clear out all of those categories, so that your info doesn’t get spread around just because your friends are still playing FarmVille for some reason.
There’s a whole other world of Facebook privacy settings to explore, but in terms of integrating your account with other services, this should about cover you.
Again, not all use cases are bad! It makes sense for your Fitbit to tap into your health data. And OAuth can be a genuine convenience that doesn’t necessarily mean that those companies use your data inappropriately. (WIRED, for instance, lets you log in with your Facebook account.) There are plenty of permissions you’ll want to keep in place.
Besides which, none of this stops Google and Facebook from using your info for highly targeted ads. But at least this way you’ll know who’s got their hooks into your accounts, and why. And, more importantly, you can kick them out.
Moving to Office 365 isn’t just a question of hardware and licensing costs. Experts say you should consider productivity and the costs of infrastructure support, as well.
by Ericka Chickowski
As Microsoft marches on with its cloud-first strategies, the momentum for Office 365 continues to pick up steam. According to estimates from cloud access security broker Skyhigh Networks Inc., the ratio of enterprise users active on Office 365 jumped from less than 7% to more than 22% between 2015 and 2016.
This remarkable growth is expected to continue on an upward trajectory — but, on the flip side, it’s still important to note that the majority of users remain on-premises with their productivity apps. The goal for Microsoft may be to move past that tipping point, where the majority of its users are on subscription licensing, but there’s a long way to go on the migration front for most organizations.
As Microsoft shops contemplate a migration to Office 365, they need to keep in mind that the total cost of ownership (TCO) of their productivity software is not just a function of hardware and software licensing. There are a number of cost considerations they should keep in mind to maximize savings and minimize pain.
In a recent blog entry, Michelle Ramirez, product marketing manager for the email and apps portfolio at Rackspace, explained that, “All too often, organizations view TCO through the narrow lens of hardware and software licensing costs. The common calculus usually includes a basic look at the cost of hardware and on-premises licenses, versus the predictable monthly costs of SaaS [software-as-a-service] offerings.”
Migration-related productivity disruptions
One of the big impediments to large-scale Office 365 migrations is the perceived difficulty with the process. It’s no wonder, considering that 44% of IT professionals experience the difficulty of a failed migration each year, and 43% have experienced some system downtime as a result, according to a survey by Vision Solutions. If organizations don’t plan their migrations well, this pain can translate into some very real — but often hidden — costs.
“While migrating data is easy, it typically surprises enterprise organizations that migrating people is difficult,” said AmyKelly Petruzzella, global marketing director at Binary Tree Inc. “There is a huge amount of manual effort to perform a migration to Office 365. Many of these projects have delays, downtime, and overrun their schedule and budget.”
Petruzzella warns that the financial impacts of migration problems for a 5,000-user migration can stack up quickly. Binary Tree estimates that just an hour of downtime in this scenario can average to more than $116,000 in losses. A single week delay due to unexpected problems could equal anywhere between $20,000 and $40,000 in remediation cost overruns.
Cost of supporting infrastructure improvements
It is important to remember that users have a level of performance expectation based on software served up locally from on-premises systems. If organizations want to avoid costly productivity problems during and after an Office 365 migration, they’ll need to plan accordingly, with appropriate infrastructure upgrades to support a high-performing cloud-hosted software service. This may require infrastructure and internet service provider investments that will affect a migration’s TCO.
One big pitfall is going into a migration with insufficient bandwidth, or bandwidth that is metered, said William Warren, owner of Emmanuel Technology Consulting.
“Cloud-connected apps require a high speed [and] generous amounts of bandwidth,” he said. “Also, if you want to go cloud-based, you need more than one stable connection to guard against internet outages.”
According to Skyhigh, more than 90% of enterprise organizations had migrated at least 100 users over to Office 365 by last year. Clearly, most organizations are dipping their toes in the water before moving to any kind of wide-scale adoption. For many, the long-term strategy will be to gradually cut over users to the SaaS model through a staged hybrid approach. But that could add costs to the equation, as well, from both a tech support and licensing perspective.
“Even after you move some systems, you might continue to also rely on a hybrid landscape,” Petruzzella said. “This means that your IT team must be experts in both old and new. Rarely does this level of unique expertise exist in-house.”
As a result, organizations will either need to hire talent to fill in the gaps or bring in a service provider to help them during the long-term transformation.
Meanwhile, there are also considerations on the licensing front. Years ago, Microsoft introduced the Client Access License (CAL) Bridge option to help organizations with enterprise agreements for perpetual licenses gradually transition users to Office 365. CAL Bridge gives them access to perpetual license workloads. Organizations need to keep in mind that, a little over 18 months ago, Microsoft changed the terms of CAL Bridge to a per-user subscription model. Any new growth in users can’t be done through perpetual licensing, but can be through Office 365.
Preparation is your best defense
The experts generally agree that the key to a successful and cost-effective migration to Office 365 is preparation.
“Before any kind of migration, a full hardware, software and workflow assessment must be performed,” Warren said. “Otherwise, you are just winging it, and this leads, invariably, to delays, problems and cost overruns.”
Having the right tools can make all the difference. Office 365 through Integrated Technology Group provides you with cloud-based access to all of your favorite Microsoft Office applications on a pay-as-you-go basis. For a low monthly fee, you can have Office 365 installed on up to five devices per user, giving you the latest versions of popular Microsoft tools like Outlook, Word, PowerPoint, Excel and more.
Work together • Communicate in real time using Skype for Business. Collaborate on documents with SharePoint and use OneDrive for Business to make them available wherever you are. You can also hold face-to-face meetings in HD and from your mobile devices, sharing OneNote documents and attachments with ease.
Work smarter • Manage all of your Office 365 services from a single sign-on console that shows the current health of related services. Add users, manage groups and get maintenance reminders and notices. You can also add security to all mobile devices and protect company data by remotely wiping devices and requiring additional I.D. verification.
Cyber-attacks have been around for as long as there have been networks.
The Internet was developed to provide an alternative should conventional communications networks in the United States come under attack. The first computer worm was released in 1988 and shut down 10 percent of computers connected to the Internet. The earliest attacks went unnoticed because before the mid-‘90s, the Internet was primarily used by academia and connected mainframes. It wasn’t until 1995 that a virus, specifically attacking Microsoft Word documents, was released. And it wasn’t for another seven years that Bill Gates announced he would secure Windows.
Until fairly recently, attacks were perpetrated by loosely organized hackers and consisted of worms, viruses, and spy/malware. Many of the attacks were exercises in system access, data destruction, altering email systems, or installing relatively harmless spyware programs. Today, cyber criminals have become more organized and more sophisticated, utilizing advanced network threats such as ransomware and custom malware, making defending your sensitive data a daunting task.
Additionally, if your business accepts, stores or transmits payment card data, Payment Card Industry Data Security Standard (PCI DSS) compliance validation is required by card brands such as Visa, MasterCard and Discover, making the defense of your data even more daunting. PCI DSS compliance is designed to protect businesses and their customers against payment card theft and fraud.
On May 12, WannaCrypt, also known as WannaCry, was used in a very large cyber-attack that affected over 150 countries. Victims were told they could free their machines by paying the equivalent of US $300 in Bitcoin. The ransomware threatened to delete the infected files within seven days if no payment was made. Since then, the situation has been stabilized and the feared second wave of attacks has failed to happen.
The attack was contained by Marcus Hutchins, also known as Malware Tech, who registered a domain name to track the virus, which then stopped it from spreading. Since the malware relied on making requests to domains and ransoming the system when the connection wasn’t made, registering the domain essentially stopped the ransomware from spreading further.
This sinkholing of the malware has stopped the rate of infection, though Hutchins warns that it may be only a temporary fix.
How does WannaCrypt spread?
The ransomware spreads through a vulnerability in the Server Message Block in Windows systems. The creators of WannaCrypt used the EternalBlue exploit and the DoublePulsar backdoor to create an entry in Windows systems.
Additionally, the malware was also spread through social engineering emails that tricked users to run the malware and activate the worm-spreading functionality with the SMB exploit. The malware itself was delivered in an infected Microsoft Word file that was sent in the email.
Who is affected?
Organizations that use Windows systems and have not yet patched the vulnerability are vulnerable to this attack.
Over 230,000 computers in 150 countries were crippled worldwide. Healthcare organizations in particular were affected by this ransomware, including many National Health Services hospitals in England.
What should your company do to protect your network from these security threats and maintain compliance?
- Remember that as soon as the better mousetrap is built, the mouse will find other ways to get your cheese so it’s imperative to partner with a network security company, like Integrated Technology Group (ITG), that will continuously scan your networks to check for vulnerabilities.
- Always keep in mind that as long as there is data, there will be people trying to steal it, so if you have a Windows system, update it as soon as possible and stop using older versions of Windows right away!
- If you have been attacked, experts advise that you don’t pay the ransom, since there is no guarantee that the hackers can even decrypt the encoded files after receiving the ransom payment. It’s important to know that this attack likely won’t be the last one of its kind because this strain of ransomware attacks, released last month, is expected to increase through copycats.
Integrated Technology Group offers affordable Corporate Network Security scans that will identify an organization’s infrastructure vulnerabilities, which may lead to a ransomware attack like WannaCrypt. If you would like to learn more about the several preventative security services ITG has to offer please contact a representative at email@example.com.
Steve Snelgrove (CISSP), Security Analyst at SecurityMetrics; Rich Hummel, CCNA, CCNAW, CCSI; and SonicWall, Inc.
For our customers: Yes, ESET detects and blocks the WannaCryptor.D threat and its variants. ESET’s network protection module (in ESET Endpoint Security) also blocks the exploit (known as EternalBlue) used to spread it at the network level. Attempts to exploit the leaked vulnerability had already been detected, reported on, and stopped well before this particular malware was even created. On Friday, ESET increased the protection level for this particular threat via updates to our detection engine. (For more information on ESET products that prevent a WannaCry infection, view our Customer Advisory.)
The rapidly spreading WannaCry that utilizes the leaked United States National Security Agency (NSA) exploit, EternalBlue, was released last month by a hacker collective known as Shadow Brokers.
When WannaCry touches a user’s computer, it encrypts its files, and tells the victim to pay in Bitcoin in order to retrieve those files. The ransom demanded for decryption of the files appears to be about $300. It then will use the EternalBlue exploit to access unpatched machines. (For a real-time check of the amounts that the malicious actors have received in Bitcoin funds, go here.)
Reports of WannaCry started in Spain’s telecom sector and quickly spread from that point to healthcare organizations in the U.K., plus various commercial websites, entire enterprise sites, and just about every type of network in between. People from around the world posted screenshots of the malware from computers in offices, hospitals and schools.
As far as we can tell, the attack is continuing to spread. Please follow these steps to help keep your business protected in the wake of WannaCry.
Ensure your Windows machines are up to date:
- Patches can be difficult to deploy across the entire network. However, you’ll want to install this one. It has been available since mid-April and actually stops the exploit from gaining a foothold in your environment. The patch listing for the entire set of Equation Group files can be found here.
- Use anti-malware software: This is a basic but critical component. Just because it’s a server, and it has a firewall, does not mean it does not need anti-malware: it does. Always install a reputable anti-malware program. (And one that protects against the EternalBlue exploit.)
- Back up files: For companies hit by ransomware that do have current backups, the attack is not nearly as damaging. Make sure you always back up data, and regularly check to make sure your backup systems are working properly.
ESET has been using its Threat Intelligence and appropriate YARA rules that identified the characteristics pertaining to the NSA’s leaked exploitation files. There have been many detections of these objects. Within the last few weeks, we have seen increased activity, and do not expect it to stop anytime soon.
Our security research teams around the globe are working 24/7 and continuing to track, monitor (both EternalBlue and WannaCry) and report on what we find. We are releasing our most up-to-date research on Welivesecurity.com, and sharing via our social channels.
Follow @ESET on Twitter and/or Facebook for updates on this topic.
(Media requests, please contact PR@eset.com)
MAY 12, 2017 BY BROOK CHELMO
Note: This blog was updated on Monday, May 15.
First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional counter measures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.
This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.
The first version of the worm/ransomware package had a kill switch that was accidentally used to disable the worm feature, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).
Since Friday, 12 May 2017, SonicWall’s Capture Labs has released six new signatures to block all known versions of WannaCry. It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).
SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack. All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.
As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).
Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in a similar way to how Botnet Filtering disrupts C&C communication.
As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.
View our webpage to learn more on how SonicWall protects against ransomware.
The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST
The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section. Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.
Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.
Apart from the SonicWall security protections in place (listed above), as a best practice we recommend disallowing or blocking inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming from the internet on edge-facing firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.
Apply vulnerability patches on servers and PCs as recommended in Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access via SMBv2/v3), as well as monitor for any suspicious activity on TCP 445.
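The two hardening steps above, as an added example (not SonicWall's code): a Python script that reviews constructed firewall log lines for allowed connections from outside the internal ranges to the SMB, NetBIOS and RDP ports listed, which is the monitoring the advisory asks for on TCP 445 and the quickest way to confirm the edge rules actually took effect. The key=value log format, the internal ranges (RFC 1918 only) and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Services the advisory says must not be reachable from the internet, keyed by (proto, port).
EDGE_BLOCKED = {
    ("tcp", 445): "SMB",
    ("tcp", 139): "NetBIOS session (SMB)",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 3389): "RDP",
}

# Address space treated as internal. Assumption for this example: RFC 1918 ranges only.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample lines in a simple "<timestamp> key=value ..." format (not a vendor format).
SAMPLE_LOG = """\
2017-05-12T10:01:03Z action=allow proto=tcp src=203.0.113.5 dst=192.168.1.10 dport=445
2017-05-12T10:01:04Z action=allow proto=tcp src=10.0.0.7 dst=192.168.1.20 dport=445
2017-05-12T10:01:09Z action=allow proto=udp src=198.51.100.9 dst=192.168.1.10 dport=137
2017-05-12T10:02:11Z action=deny proto=tcp src=203.0.113.77 dst=192.168.1.11 dport=3389
2017-05-12T10:02:15Z action=allow proto=tcp src=203.0.113.77 dst=192.168.1.11 dport=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one log line into a dict of its key=value fields; dport becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    fields["dport"] = int(fields["dport"])
    return fields


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range (i.e. internet-facing)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_sessions(log_text: str) -> list:
    """Return allowed connections from external sources to SMB/NetBIOS/RDP ports.

    Denied connections are ignored: those are the edge rule working as intended.
    An internal-to-internal hit on 445 is also ignored here; it is lateral-movement
    territory and belongs to a separate check.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        service = EDGE_BLOCKED.get((rec["proto"], rec["dport"]))
        if service and rec["action"] == "allow" and is_external(rec["src"]):
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "proto": rec["proto"], "dport": rec["dport"], "service": service,
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_sessions(SAMPLE_LOG):
        print(f"{f['ts']} {f['service']:22} {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
```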
- Microsoft’s Customer Guidance for WannaCrypt attacks
- Microsoft Security Bulletin MS17-010
- SonicWall Gateway Anti-Virus Information
- SonicWall Capture Advanced Threat Protection Service Information
- SonicWall Email Security
- SonicWall Content Filtering Service
Learn more: watch our webcast, Stopping WannaCry Ransomware.
by Chris Brook, April 18, 2017
In what’s becoming a familiar refrain to guests, InterContinental Hotels Group, said [in mid-April] that payment card systems at more than 1,000 of its hotels had been breached.
It’s the second breach that IHG, a multinational hotel conglomerate that counts Holiday Inn and Crowne Plaza among its chains, has disclosed this year. The company acknowledged in February that a credit card breach affected 12 of its hotels and restaurants.
In a notice published to its site [mid-April] the company said a second breach occurred at select hotels between Sept. 29 and Dec. 29 last year. IHG says there’s no evidence payment card data was accessed after that point but can’t confirm the malware was eradicated until two to three months later, in February/March 2017, when it began its investigation around the breach.
Like most forms of payment card malware these days, IHG said the variant on their system siphoned track data – customers’ card number, expiration date, and internal verification code – from the magnetic stripe of cards as they were routed through affected hotel servers.
The hotelier said the first breach also stemmed from malware found on servers used to process credit cards, but from August to December 2016. That breach affected hotels, along with bars and restaurants at hotels, such as Michael Jordan’s Steak House and Bar at InterContinental Chicago and the Copper Lounge at Intercontinental Los Angeles.
IHG didn’t state exactly how many properties were affected by the second breach, but said that customers can use a lookup tool the company has posted to its site to search for hotels in select states and cities. IHG gives a timeline for each property and says hotels listed on the tool “may have been affected.”
A cursory review of hotels in the lookup tool suggests far more than a dozen – more than a thousand – hotels, were affected by the malware.
IHG says that since the investigation is ongoing the tool may be updated periodically. Some properties, for a reason not disclosed, elected to not participate in the investigation, IHG said.
While the company operates 5,000 hotels worldwide, this most recent breach affects mostly U.S.-based chains. One hotel in Puerto Rico, a Holiday Inn Express in San Juan, is the only non-U.S. property that was hit by malware this time around, IHG claims.
The company said it began implementing a point-to-point encryption payment solution last fall – technology that can reportedly prevent malware from scouring systems for payment card data. The hotels that were hit by this particular strain of malware had not yet implemented the encryption technology, IHG claims.
The news comes as an IHG subsidiary, boutique hotel chain Kimpton, is fighting a class action court case that alleges the company failed to take adequate and reasonable measures to protect guests’ payment card data.
The chain said it was investigating a rash of unauthorized charges on cards used at its locations last summer. It eventually confirmed a breach in late August that involved cards used from Feb. 16, 2016 and July 7, 2016 at nearly all of its restaurants and hotels.
Bloomberg reported that Lee Walters, the plaintiff in the case against Kimpton, failed to plead all relevant factors. The judge overseeing the case, Judge Vince Chhabria of the U.S. District Court for the Northern District of California, dismissed California state fraud claims last week. Chhabria is allowing claims of implied contract, negligence, and California unfair business practices to continue however.
by Lily Hay Newman, Security for Wired
April 18, 2017
Phishing attacks can make even crusading technovangelists paranoid. One wrong click can put you out a ton of cash, or cause a corporate breach. And they evolve constantly. Case in point: A cunning new exploit makes malicious phishing websites appear to have the same URL as known and trusted destinations.
You know by now to check your browser while visiting a site to be sure it sports the little green padlock indicating TLS encryption. See it and you know no one can eavesdrop on any data you submit—an especially important consideration for financial and healthcare sites. But a malicious site that can impersonate a legit URL and depict that padlock leaves precious few tip-offs that you’re dealing with an imposter.
This particular vulnerability takes advantage of the fact that many domain names don’t use the Latin alphabet (think Chinese characters or Cyrillic). When English-based browsers run into those URLs, they use an encoding called Punycode to represent, in plain ASCII, each character from the standardized repertoire of character codes maintained by Unicode, the standards body for text online. This exploit takes advantage of that conversion process; phishers can appear to spell out a familiar domain name using a different URL and web server. Attackers who trick people into loading the fake page could more easily convince them to answer questions or provide personal information because the site seems trustworthy.
These kinds of URL character manipulations, called homograph attacks, started years ago, and groups like the Internet Assigned Numbers Authority work with browser developers to create defenses, including Punycode itself, that make URL spoofing more difficult. But new twists on the attack still crop up. Web developer Xudong Zheng reported this exploit to Google and Mozilla in January and demonstrated it publicly on Friday, creating a fake Apple.com website that appears legitimate and secure in unpatched browsers.
Apple Safari, Microsoft Edge, and Internet Explorer protect against this attack. A Chrome fix arrives in Version 59 this week, but Firefox developer Mozilla continues weighing whether to release a patch. The organization did not return a request for comment.
Until then, you can check the validity of sites by copying and pasting the URLs into a text editor. A spoofed URL only appears familiar; the actual address contains a label beginning "xn--" that you can see outside the browser bar. Zheng's fake Apple site, for example, uses the address https://www.xn--80ak6aa92e.com. All Zheng needed to do to get the trusted "https" status was obtain a domain-validated certificate from a certificate authority like Let's Encrypt, which issues one to anyone who can prove control of a domain, look-alike or not.
Firefox users also can protect themselves by changing their settings so the address bar only shows the Punycode addresses. Load the phrase “about:config” into your address bar, search for “network.IDN_show_punycode” in the attribute list that appears, right-click on the only result, and choose “Toggle” to change the preference value from “false” to “true.”
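The two checks above, decoding the "xn--" form and looking for a label that mimics a trusted name, can be scripted. The following is an added example written for this page, not code from the Wired article or from Zheng's demonstration. It assumes a small, constructed table of Cyrillic letters that look like Latin ones (browsers consult the much larger Unicode confusables list) and a hypothetical allow-list of trusted hostnames; Python's built-in "punycode" codec does the encoding and decoding.

```python
import unicodedata

# Constructed subset of Cyrillic letters whose usual glyphs are indistinguishable
# from Latin ones. Assumption: browsers use Unicode's full confusables.txt; this
# table only needs to cover the example discussed on this page.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Hypothetical allow-list of names the user trusts (not from the article).
TRUSTED = ("apple.com", "www.apple.com", "google.com")


def decode_label(label):
    """Return one DNS label as Unicode, decoding the 'xn--' Punycode form."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_unicode(host):
    """Hostname as the browser displays it: every label decoded, lowercased."""
    return ".".join(decode_label(l) for l in host.split(".")).lower()


def to_punycode(host):
    """Hostname as it shows up when pasted into a text editor: non-ASCII labels as xn--."""
    out = []
    for label in host.lower().split("."):
        out.append(label if label.isascii()
                   else "xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_in(label):
    """Scripts used by the letters of a label, read off the Unicode character name."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(label):
    """Replace each look-alike letter with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def classify(host, trusted=TRUSTED):
    """Classify a hostname. Returns one of:
    'ascii'          plain ASCII, nothing to decode
    'mixed-script'   a label mixes Latin with another script (browsers already flag this)
    'homograph:<t>'  decodes to a look-alike of trusted name <t> (Zheng's case)
    'lookalike'      a label made only of look-alike letters, but no trusted match
    'idn'            an ordinary internationalized name
    """
    labels = to_unicode(host).split(".")
    if all(l.isascii() for l in labels):
        return "ascii"
    if any(len(scripts_in(l)) > 1 for l in labels):
        return "mixed-script"
    sk = ".".join(skeleton(l) for l in labels)
    for t in trusted:
        if sk == t.lower():
            return "homograph:" + t
    if any(not l.isascii() and all(c in CONFUSABLES for c in l) for l in labels):
        return "lookalike"
    return "idn"


if __name__ == "__main__":
    # Zheng's demo domain, a mixed-script variant, and a genuine IDN for comparison.
    for h in ("www.apple.com", "www.xn--80ak6aa92e.com", "\u0430pple.com",
              "xn--80ak6aa92e.net", "m\u00fcnchen.de"):
        print(f"{h:26} {to_unicode(h):16} {to_punycode(to_unicode(h)):26} {classify(h)}")
```

Run it and www.xn--80ak6aa92e.com decodes to a name that prints as "www.аррӏе.com", every letter Cyrillic, and is classified as a homograph of www.apple.com; the mixed-script variant is caught by the check browsers already had, while münchen.de passes as an ordinary internationalized name. The skeleton comparison is the same idea that password managers rely on in reverse: they match the stored Punycode hostname exactly, which is why they refuse to autofill on the look-alike.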
Given phishers’ love of domains like www.app1e.com, the Punycode trick seems like a powerful attack. But Aaron Higbee, chief technology officer at the phishing research and defense company PhishMe, says his company hasn’t found any instances of it appearing in the wild. The company also has not found the tools to execute it in any of the pre-fab phishing kits it examines on the dark web.
That’s not to say the exploit isn’t out there somewhere, but Higbee says phishers may not find it reliable because browser autofill mechanisms and password managers won’t autocomplete on spoofed sites. Such tools know, even if users do not, when a URL is not familiar. “There’s going to be a technical control for every phishing technique and eventually that control will be outwitted,” says Higbee. “Phishing lives in that space.”
With the attack publicized, you may see an uptick in its use and further research into even more creative versions. So until that Chrome update comes through, keep a close eye on your URLs—and anything weird on the websites they purport to show you.
Eight best practices to prevent your data from being held hostage
Brief courtesy of our trusted security partner SonicWall
Ransomware is a term used to describe malware that denies access to data or systems unless a ransom is paid to a cybercriminal. Every organization is susceptible to ransomware attacks. Fortunately, there are many steps you can take to minimize your organization’s risk. Here are eight best practices to protect your organization against ransomware attacks.
- Training and awareness
User training and awareness is paramount, and the first step to safeguard against ransomware. User instruction should include:
- Treat any suspicious email with caution
- Look at the domain name that sent the email
- Check for spelling mistakes, review the signature and the legitimacy of the request
- Hover on links to check where they lead, and if any URL seems suspicious, type the website address directly or look it up on a search engine rather than clicking the link in the email
- Email security
You should deploy an email security solution that scans all attachments besides filtering for spyware and spam. Along with periodic user training and risk assessments, you should also conduct phishing vulnerability tests.
- Endpoint security
Whether personal or corporate devices, endpoints are particularly at risk if they are not managed by IT, or don't have the right anti-malware protection. Most anti-virus solutions are signature-based, and prove ineffective if not updated regularly. Newer ransomware variants are repacked for each campaign so that every sample has a unique hash, which makes them undetectable by signature-based techniques until a signature for that particular build is published.
Many users also turn off their virus scans so that it doesn’t slow their system down. To address these limitations, there are endpoint security solutions that use advanced machine learning and artificial intelligence to detect malware. They also have a small footprint, causing minimal performance overhead.
- Mobile endpoints
Management of endpoints is also a growing challenge as devices with multiple form factors and operating systems are introduced to the network. Mobile devices are particularly vulnerable as noted in the 2016 Dell Security Annual Threat Report with emerging ransomware threats on the Android™ platform. Choosing a solution that is able to automate patching and version upgrades in a heterogeneous device, OS and application environment, will go a long way in addressing a range of cyberthreats including ransomware.
For remote users who are outside the enterprise firewall perimeter, VPN-based access should not only establish a secure connection but also conduct a level of device interrogation to check for policy compliance on the endpoint. If an endpoint does not have the required security updates, it should not be allowed on the network, or should be granted access to only a limited set of resources.
Specifically, for Android mobile device users, the following steps are recommended:
- Do not root the device, as it exposes the system files for modifications
- Always install apps from Google Play store, as apps from unknown sites or stores can be fake and potentially malicious
- Disable installation of apps from unknown sources
- Allow Google to scan the device for threats
- Take care when opening unknown links received in SMS or emails
- Install third-party security applications that scan the device regularly for malicious content
- Monitor which apps are registered as Device Administrators
- For corporate-managed devices, create a blacklist of disallowed apps
- Network segmentation
Most ransomware will try to spread from the endpoint to the server/storage where all the data and mission critical applications reside. Segmenting the network and keeping critical applications and devices isolated on a separate network or virtual LAN can limit the spread.
- Backup and recovery
Another safeguard against having to pay ransom is a robust backup and recovery strategy. Back up data regularly, and keep at least one copy offline or otherwise out of reach of the systems being backed up, since ransomware also encrypts any network share or mounted backup drive it can write to. Depending on how quickly the compromise is detected, how far it has spread, and the level of data loss that is acceptable, recovery from a backup could be a good option. However, this calls for a smarter backup strategy that is aligned to the criticality of your data and the needs of your business around recovery point objectives (RPO) and recovery time objectives (RTO). Recover the most critical data in the least amount of time.
Finally, just having a strategy is not sufficient. Periodic testing of disaster recovery and business continuity is just as important.
- Encrypted attacks
Having the right enterprise firewall that is able to scan all traffic irrespective of file size is also critical. With the rapid increase in SSL encrypted traffic, as indicated by the Dell Security Threat Report, there is always a risk of downloading encrypted malware that is invisible to traditional firewalls. Hence it is important to ensure the firewall/IPS is able to decrypt and inspect encrypted traffic without slowing down the network significantly.
Another recommendation is to show hidden file extensions. Windows hides known extensions by default, so a file named invoice.pdf.exe is listed as "invoice.pdf" and carries whatever icon the executable embeds, such as a PDF or MP3 icon; with extensions shown, the trailing .exe is visible before the user double-clicks.
- Monitoring and management
The enterprise firewall should be able to monitor both incoming and outgoing traffic, and block communication with blacklisted IP addresses as ransomware tries to establish contact with its command and control servers.
If a ransomware infection is detected, disconnect the infected system immediately from the corporate network. As soon as a new malware variant is detected, the firewall should have an automated update and centralized management process to roll out updates and policies quickly and consistently across all nodes. In addition, it is crucial to update your software and operating systems regularly.
Dell Security solutions can enhance protection across your organization by inspecting every packet and governing every identity. As a result, this protects your data wherever it goes, and shares intelligence to safeguard against a variety of threats, including ransomware.
Learn more about SonicWall next-generation firewalls by contacting ITG, firstname.lastname@example.org or 518.694.8053.
© 2017 SonicWall Inc. ALL RIGHTS RESERVED.
SonicWall is a trademark or registered trademark of SonicWall Inc. and/or its affiliates in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The threat against our private and business information has never been as serious as it is today, but measures can be taken to avert those threats. Think of your private information in the same context as your personal belongings: if you leave your car unlocked in a large parking lot you’re taking a chance that anything left inside will be missing upon your return. But belongings, though perhaps having sentimental value, can be replaced. Information however, whether personal or business, cannot be replaced and its theft can lead to a mountain of debt and hours of time involved in rectifying the loss.
Security is second nature to ITG, which is why we are taking this opportunity to urge you to take action now to protect your personal and business information. If you follow these simple recommendations you can help protect this sensitive information. Though these recommendations are focused on the corporate environment, they are just as effective for your home computer, and you are encouraged to adopt them there too.
- Change your passwords. This includes the password to log into your computer, and any sensitive websites that you have accounts with.
- Select passwords you can commit to memory rather than writing them down.
- Lock your computer when not at your desk (press CTRL ALT DELETE on the keyboard and choose "Lock this computer", or press the Windows key and L).
- Be alert to any strange emails that you may receive. If you are unsure, feel free to contact ITG for assistance at email@example.com or by calling 518.694.8053.
- If anything seems strange on your computer at any time, alert someone.
Consider these password changes:
- A good rule of thumb is to set a policy requiring a password change every 90-180 days, and immediately whenever a compromise is suspected.
- It is recommended that password requirements meet the standards of:
- a minimum of 8 to 12 characters
- at least one each of UPPERCASE, lowercase, and number or symbol
Note that the longer the password, the more difficult it will be to crack, so treat the minimum as a floor rather than a target.
Contact us if you have any questions on network or email security, firstname.lastname@example.org or 518.694.8053. Together, we can ensure a more secure environment.