Netizen Cybersecurity Bulletin: 24 October 2018 Edition
In this issue:
In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.
- Will This Halloween Be Cyber Scary?
- Healthcare.gov breach Compromises 75K Users’ Data
- Test your SSL Security
- Web Applications Vulnerable Due to Security Flaw in Popular Plugin
- Phish Tale of the Week
- How can Netizen Help?
Will this Halloween Be Cyber Scary?
As we wind down the month of October, it’s time for a Halloween story. And in that spirit, what is a Halloween story without some chills and frights?
Your company’s data is at risk! In what ways? A threat analysis conducted by F5 Labs reports that the leading application breaches concentrate on payment card theft in the following ways:
- Website injection: 70%
- Website hacking: 26%
- Database hacking: 4%
These attacks use polymorphic code; if you think polymorphic is something a mad scientist would use, you’re not far off. Polymorphic code mutates itself, making it harder for anti-virus software to detect.
Even scarier, the number of web application breaches is rising fast, like a mist on a moonless night. Notably, applications and identities are the primary targets in over 85% of breaches.
In Q1 of 2018, attacks broke down as follows:
- Login credentials stolen via compromised email accounts: 34.29%
- Access control misconfigurations: 22.9%
- Credential stuffing (using automated tools to brute-force username/password combinations): 8.6%
- Brute-forcing passwords: 5.71%
- Social engineering thefts: 2.76%
Like any horror movie, simply running away will not keep you or your data safe.
- Your network appliances need to be configured correctly with security as the top priority.
- Embrace a top-down security culture to ensure all employees and management stay vigilant against things that go bump in the digital night.
- Just as the victims in scary movies should never open closet doors, no one should use a public WiFi without a VPN in place to ensure data integrity.
Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have frightening consequences.
Read the full report from F5 here: https://www.f5.com/content/dam/f5/f5-labs/articles/20180725_app_protect_report/F5_Labs_2018_Application_Protection_Report.pdf
Healthcare.gov breach Compromises 75k Users’ Data
The Center for Medicare and Medicaid Services (CMS) has reported that a sign-up system for Healthcare.gov has been breached, leading to the compromise of 75,000 users’ personal data.
On Oct. 13, CMS staff detected suspicious activity in the Federally Facilitated Exchanges (FFE) – the FFE’s Direct Enrollment pathway – a system used by healthcare insurance agents and brokers to help consumers apply for coverage available on Healthcare.gov.
When the breach was confirmed on Oct. 16, officials deactivated agent and broker accounts associated with the anomalous activity and disabled the pathway. “We are working to address the issue, implement additional security measures, and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said in a release.
The tool used to breach the system is available only via the disabled pathway. All other FFE enrollment channels, including Healthcare.gov and the Marketplace Call Center, are running. It’s worth noting the compromised system is available only to agents and brokers, not the general public.
CMS said open enrollment will not be negatively affected by the incident, and it’s planning to notify all those potentially affected “as quickly as possible.”
Test Your SSL Security
A free command-line tool known as testssl.sh can test Secure Sockets Layer (SSL) security. SSL is widely used to encrypt and secure online communication (e.g., a banking website should be TLS/SSL encrypted). The tool checks a server’s service on any port for the TLS/SSL ciphers and protocols it supports, for recent cryptographic flaws, and more.
Features of testssl.sh include:
- The output of the results is clear and concise.
- Easy installation: the tool supports Linux, Darwin, FreeBSD, and MSYS2/Cygwin out of the box; no extra configuration is required.
- Flexibility: you can test any SSL/TLS-enabled or STARTTLS service, much more than just web servers on port 443.
- Features are reliable as they are tested thoroughly.
- Results are confidential as it is only you who sees them.
- Testssl is completely free and open source.
We recommend considering this tool for use in securing the servers in your environment as it is efficient and very cost-effective.
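As an added illustration (not code from the bulletin or from the testssl.sh project), the following Python wrapper builds a testssl.sh command line for the kind of non-443 STARTTLS check described above and summarises the tool’s JSON findings so only the severe ones surface. It assumes the real `--protocols`, `--vulnerable`, `--starttls` and `--jsonfile` options and the one-object-per-finding layout of `--jsonfile` output; the sample findings are constructed, not a real scan.

```python
"""Added example: wrap testssl.sh and triage its JSON output.
Not part of the bulletin or the testssl.sh project."""
import json
from collections import Counter

# Severity labels testssl.sh emits, lowest to highest (WARN/DEBUG ignored).
SEVERITY_ORDER = ["OK", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def build_command(host, port=443, starttls=None, jsonfile="testssl.json"):
    """Return argv that checks protocols and known vulnerabilities.
    starttls names a STARTTLS protocol, e.g. "smtp" for a mail submission port."""
    cmd = ["testssl.sh", "--protocols", "--vulnerable", "--jsonfile", jsonfile]
    if starttls:
        cmd += ["--starttls", starttls]
    cmd.append(f"{host}:{port}")
    return cmd


def summarize(json_text, threshold="HIGH"):
    """Count findings by severity and list ids at or above the threshold."""
    findings = json.loads(json_text)
    counts = Counter(f.get("severity", "INFO") for f in findings)
    floor = SEVERITY_ORDER.index(threshold)
    flagged = sorted(
        f["id"] for f in findings
        if f.get("severity") in SEVERITY_ORDER
        and SEVERITY_ORDER.index(f["severity"]) >= floor
    )
    return dict(counts), flagged


# Constructed sample in the --jsonfile shape (assumed layout, not a real scan).
SAMPLE = json.dumps([
    {"id": "SSLv2", "ip": "example.test/203.0.113.10", "port": "443",
     "severity": "OK", "finding": "not offered"},
    {"id": "SSLv3", "ip": "example.test/203.0.113.10", "port": "443",
     "severity": "HIGH", "finding": "offered (NOT ok)"},
    {"id": "TLS1_2", "ip": "example.test/203.0.113.10", "port": "443",
     "severity": "OK", "finding": "offered"},
    {"id": "heartbleed", "ip": "example.test/203.0.113.10", "port": "443",
     "severity": "CRITICAL", "finding": "VULNERABLE (NOT ok)"},
])

if __name__ == "__main__":
    print(" ".join(build_command("mail.example.test", 587, starttls="smtp")))
    print(summarize(SAMPLE))
```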
Web Applications Vulnerable Due to Security Flaw in Popular Plugin
A popular plugin called jQuery File Upload has been found to contain an eight-year-old flaw that puts over 7,500 software applications at risk of compromise and remote code execution.
jQuery File Upload is an open-source package for software developers that allows for easy file uploading, including multiple file selection, drag-and-drop support, and progress bars. It’s compatible with popular web languages such as PHP, Python, Java, and Node.js.
Security researchers found that the code places uploaded files in web-accessible directories, where they can be executed to run malicious code on the targeted web server. No validation was performed on the uploaded files, and no form of authentication was required to upload them.
This vulnerability gives attackers an avenue into the system: once in, they can install malware, exfiltrate data, or reach other parts of the network, depending on where the server is hosted. Not only can attackers deface the website, they can also use the server as a command-and-control server for a botnet.
The vulnerability has been fixed in the commercial version, which now allows only image-file uploads such as GIF, JPEG, and PNG. Web applications that rely on the open-source code, however, will have to issue their own fix.
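The three gaps described above (no authentication, no content validation, and storage in an executable web directory) are what a server-side upload handler has to close. The Python below is an added example, not code from the bulletin or from jQuery File Upload, written in Python rather than the project’s own PHP handler; it checks the caller is authenticated, verifies GIF/JPEG/PNG content by magic bytes against the claimed extension, and writes under a random name into a directory assumed to sit outside the web root. All function names are hypothetical.

```python
"""Added example: hardened image-upload validation (not the project's code)."""
import os
import secrets
from pathlib import Path

# Leading bytes of the three formats the article says the fixed version allows.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


def sniff_image_type(data):
    """Return 'gif', 'png' or 'jpg' from the file content, or None."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def validate_upload(filename, data, user):
    """Reject anonymous uploads, oversize files, and any file whose content
    is not an allowed image matching its extension. Returns the image type."""
    if user is None:
        raise ValueError("authentication required")
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = Path(filename).suffix.lower().lstrip(".")
    ext = EXT_ALIASES.get(ext, ext)
    kind = sniff_image_type(data)
    if kind is None or ext != kind:
        # Catches script files, double extensions, and renamed content alike.
        raise ValueError("not an allowed image type")
    return kind


def store_upload(filename, data, user, upload_root):
    """Write under a server-chosen random name; upload_root is assumed to be
    outside the web root and served, if at all, without execute permission."""
    kind = validate_upload(filename, data, user)
    dest = Path(upload_root) / f"{secrets.token_hex(16)}.{kind}"
    # O_EXCL refuses to overwrite; 0o640 keeps the file non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```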
Phish Tale of the Week
Netizen captures many phishes each month, which we feature here. This week we haven’t found anything new or unique to share. Remember these tips to stay safe:
A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.
- Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
- Verify that the sender is actually from the company sending the message.
- Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
- Do not give out personal or company information.
- Review both signature and salutation.
- Do not click on attachments.
- Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
- Be wary of poor spelling, grammar, and formatting. As is often the case with phishing emails, multiple spelling, grammar, and formatting errors lead us to believe a message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.
Many phishing emails convey a sense of urgency or even aggression in order to intimidate the reader. Any email requesting immediate action or addressing you in a threatening manner should be treated with suspicion. Also, beware of messages that try to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management) certified company.