• Netizen Cybersecurity Bulletin 28 November 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Enterprise Facing Higher Cryptojacking & Mobile Malware Threats
    • Insecure Printers
    • Hackers Target Music Lovers
    • Malvertising Campaign Hits Over 300 Million
    • Phish Tale of the Week
    • How can Netizen help?

    Enterprise Facing Higher Cryptojacking & Mobile Malware Threats

    Fortinet released its Q3 “Quarterly Threat Landscape Report”, and in it they detailed an uptick in malware, exploits, and threats. From July to September, unique malware threats increased by 43% and the number of malware families grew by almost 32%.

    Cryptojacking, malware that surreptitiously mines cryptocurrency on infected computers, is a serious growing threat. The cryptojacking malware itself doesn’t necessarily harm your computer, but what it often does is bring down your antimalware software and create holes in your firewall, which makes your system vulnerable to more serious threats.

    Mobile malware is another rising threat that many people do not think of as a risk. But our phones are computers just like the PCs we do our daily work on, and they can be exploited. Android leads the pack in infections because it is more popular worldwide and more open than iOS, allowing users to install applications from outside the Google Play Store. Some of the apps coming from third-party Android app stores are actually trojans that can steal your information and use your phone as a zombie in a botnet.

    RECOMMENDATIONS:

    Ensure that your systems are up to date on any patches and that your firewall and antivirus are current. Make sure that, if you own an Android phone, you do not install any apps from outside of the Google Play Store.

    Insecure Printers

    While the issue has become more pronounced over the years, the vulnerabilities of printers are still very underestimated and often not taken into account. The problem with printers is that many IT professionals see them as low risk, if not as trusted and reliable devices. Often people do not think of printers as what they are—endpoints. If a printer is connected to the network and can be accessed, it has the potential of being a vulnerability. A common issue with printers is that they are not adequately and routinely patched.

    As time and technology progress, printers are becoming more multi-faceted and more internet-aware, creating new opportunities for cloud services and other advanced services such as remote management by third-party service providers. Printer vulnerabilities are plentiful and include, but are not limited to:

    • Device misconfiguration
    • Print job manipulation
    • Unauthorized access to print data
    • Man-in-the-middle attacks in the cloud

    RECOMMENDATIONS:

    Printers are widely vulnerable because patching and updating them is not always a simple task, and it is one that leading printer companies are still trying to perfect. Despite challenges such as firmware upgrades, we recommend:

    • Establish data encryption rules
    • Replace outdated printers with newer, more secure models
    • Enforce routine and regular patches as you would for any server or PC
    • Take advantage of any built-in management features to properly secure remote access

    Hackers Target Music Lovers

    Spotify users, beware: a phishing campaign is targeting you in the hopes of collecting your user credentials.

    Bogus but well-crafted emails have been spotted, aimed at Spotify customers. The emails attempt to dupe users into clicking on a phishing link that redirects them to a deceptive website. Once at the site, users are prompted to enter their username and password, which are then reported to the adversaries who crafted the scheme.

    This wouldn’t matter too much if users didn’t reuse their passwords on other online accounts. Readers of this blog have been warned before never to reuse a password, but as we are gaining new readers each month, it makes sense to repeat this tip.

    Also, when attackers have passwords in plaintext, as they were captured in the above example, they are often able to discern key information about the user from the password. While many people use common word and number combinations like ‘password123’, many others use their pet’s name. Seeing a password like Tigger90 might lead an attacker to guess that the victim has a cat and was born in 1990. Social engineering is a powerful skill and one that can be leveraged to hack other accounts, even if the password wasn’t reused.

    RECOMMENDATIONS:

    • Check the suspected email, and ensure the return address headers and other pertinent information are spelled correctly and accurately point to the correct domain. In the above example, the correct domain is ‘spotify.com’, and not something like ‘spotify.comz.ga’.
    • Check that any links in the email aren’t misdirecting you. Hover over any URL and check the preview (usually shown at the bottom of the browser window) to ensure the target is the correct domain, as above.
    • If you aren’t certain, open a new window and go to the site by typing the URL or using your bookmarks. After you log in, check for new messages.
    • Make an effort to use a password manager. Password managers store your login credentials securely and allow complex and long passwords to be used, which prevents any hacker from building a profile of you should the passwords be revealed.
    • Whether you use Spotify or not, this method of attack can be aimed at any online service: social media, banking, or email. These tips can protect all of your accounts from this kind of attack.
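    The domain check in the first two tips above can be automated. The following Python is an added example, not code from the bulletin or from Netizen; the expected domain, the helper names and the sample links are assumptions constructed for illustration. It treats a host as legitimate only when it is the expected domain or a subdomain of it, and flags hosts that merely contain the brand name (such as the ‘spotify.comz.ga’ case above) as lookalikes.

```python
# Added example (not from the Netizen bulletin): verify that the host behind a
# link or a sender address really belongs to the expected domain.
# Expected domain, function names and sample inputs are constructed assumptions.
from urllib.parse import urlsplit


def host_of(link_or_address: str) -> str:
    """Return the lowercase host of a URL, or the domain part of an e-mail address."""
    s = link_or_address.strip()
    if "@" in s and "://" not in s:
        # e-mail address: everything after the last '@' is the sender domain
        return s.rsplit("@", 1)[1].lower().rstrip(".")
    if "://" not in s:
        s = "http://" + s  # bare host such as "spotify.com/login"
    # urlsplit().hostname discards userinfo and the port, so a tricked-out link
    # like "https://spotify.com@evil.example/" correctly yields "evil.example".
    host = urlsplit(s).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is the expected domain or a subdomain of it (whole labels)."""
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def classify(link_or_address: str, expected_domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other' for a link or sender address."""
    host = host_of(link_or_address)
    expected = expected_domain.lower().rstrip(".")
    if belongs_to(host, expected):
        return "legitimate"
    # Non-ASCII hosts (homograph tricks) and hosts that contain the brand name
    # without being the brand's domain are the typical phishing lookalikes.
    brand = expected.split(".")[0]
    if not host.isascii() or brand in host:
        return "lookalike"
    return "other"


def check_link(link_or_address: str, expected_domain: str) -> dict:
    """Convenience wrapper returning the parsed host and the verdict together."""
    host = host_of(link_or_address)
    return {"host": host, "ok": belongs_to(host, expected_domain),
            "verdict": classify(link_or_address, expected_domain)}


if __name__ == "__main__":
    # Constructed sample links and sender addresses, modelled on the bulletin's example
    samples = [
        "https://www.spotify.com/account",
        "https://spotify.comz.ga/login",
        "https://spotify.com.evil.example/login",
        "https://spotify.com@evil.example/",
        "noreply@spotify.com",
    ]
    for s in samples:
        print(f"{s:45} -> {check_link(s, 'spotify.com')}")
```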

    Malvertising Campaign Hits Over 300 Million

    A recent malvertising campaign targeted iOS devices and hijacked over 300 million browser sessions in as little as 48 hours.

    Researchers found that the campaign started around November 12 and that the malicious actor behind it is still active. The goal of a malvertising campaign is to inject malicious code into legitimate online ads and webpages, so that unsuspecting users who click the ads are redirected to a malicious page. In the case of this recent campaign, users were redirected to adult content and gift card scams.

    The malicious pages that users are redirected to attempt to phish further visitor data. The attackers are hoping to commit affiliate marketing fraud or steal personal identification data such as email, physical address, revenue information, purchase history, and more.

    RECOMMENDATIONS:

    • Be vigilant when browsing webpages: if an offer sounds too good to be true, it is most likely malicious in nature.
    • Use a browser extension that blocks advertisements on all websites, and whitelist or disable it only for known or regularly visited websites.

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here. This week we have received several emails from users whose Dropbox and email accounts have been compromised, prompting the recipient to click on a file download titled “Business-plan.pdf”. This email was sent to everyone in the compromised accounts’ contact lists, and the file links to the official Dropbox website, giving the phish a more valid appearance.

    The best way to protect yourself from even relatively sophisticated phishing emails such as this one, especially when the email comes from a contact you haven’t heard from in a long time, is to contact the person and ask for clarification on what the file is and why it is being sent to you. If their reply is vague and simply urges you to view the file, you should be very suspicious and report it to your IT department.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin 21 November 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Do Your Holiday Tech Gifts Include Privacy? Mozilla Has The Details.
    • Malware Spreads Through ISO Files
    • New Bluetooth Car Hack
    • Cryptojacking Hits Make-A-Wish Foundation Website
    • Phish Tale of the Week
    • How can Netizen help?

    Do Your Holiday Tech Gifts Include Privacy? Mozilla Has The Details

    The Mozilla Foundation introduced its *Privacy Not Included buyers’ guide to tech products last year, and has released the 2018 edition in time for the holidays. Best known for the Firefox browser, the nonprofit organization has expanded the campaign to help consumers buy safe, securely connected toys and mobile devices.

    Working together with a global consumer advocacy group, Consumers International, and the not-for-profit Internet Society, the guide provides reviews of 70 products – from connected teddy bears and smart speakers to game consoles and smart home gadgets – and ranks them on a “creepy” rating scale.

    The 2017 inaugural shoppers’ guide revealed a strong consumer interest in the privacy and security of connected toys and home products, including from the manufacturers of these devices. The interactive guide allows consumers to review the 70 pre-screened products and read the details of each product’s characteristics. Consumers can then rate the products on a Creep-O-Meter scale, which runs from not creepy to super creepy, and then indicate their likelihood of buying the product. While this seems counterintuitive, consider that Amazon’s Alexa is voted one of the creepiest products, yet has sold over 40 million units.

    Mozilla set their bar for bare minimum standards quite low, and will reject toys and devices that fall short in these areas:

    • Communications are not encrypted – encryption prevents eavesdropping
    • No security updates – there must be a mechanism for the manufacturer to patch vulnerabilities
    • Allows weak passwords – products whose password is ‘password’ or is printed on the box
    • Poor vendor contact information – vendors who wouldn’t respond to privacy inquiries
    • Privacy details indecipherable – details so full of jargon that the average person couldn’t be certain what they meant, or how much of their data is being collected and sold

    Mozilla’s goal is to help foster consumer awareness, making people think about their own security when buying or using the latest connected devices. While it is unlikely that a WiFi lightbulb can lead to a consumer’s home being breached, educating people on the importance of cybersecurity can lead to greater attention being paid to the other devices in their homes and offices, like routers and laptops.

    Find their list of gift-giving devices here: https://foundation.mozilla.org/en/privacynotincluded/

    RECOMMENDATIONS:

    • Always change the default login credentials: not only the password but also the username whenever possible. Consider that a hacker already has half of the username+password combination if you keep the default ADMIN. Make the password difficult to guess.
    • Always segment your IoT devices onto a Wi-Fi network separate from your primary (home) network. Often this is as easy as using the GUEST Wi-Fi on your router. If your router lacks the ability to have two or more segments, it’s probably time to upgrade.
    • Businesses should ensure that the use of IoT devices complies with the corporate Acceptable Use Policy (AUP).
    • Make a calendar reminder to check your devices for firmware updates. Not all IoT devices update their firmware automatically, so make certain to install the patches to help stay ahead of vulnerabilities.
    • Evaluate whether you really need those devices in your home or office. For example: do you really need a web-enabled toaster?

    Malware Spreads Through ISO Files

    It is no secret that threat actors spend much of their time concocting potent phishing emails to steal user credentials, among other highly sensitive personal information. Phishing emails are also infamous for carrying malware that users may inadvertently download; many times these attachments have familiar file extensions such as .exe, .doc, .pdf, or .zip, but there has been a sharp rise in malware-laden ISO (.iso) files. An ISO file is a disk image of an optical disc: it contains everything a physical disc would, including the optical disc file system.

    So the question arises: why use ISO files if they are less familiar to a wider audience? As it turns out, many email gateway scanners do not scan ISO file attachments properly. ISO files tend to be large (although they don’t have to be), making them more difficult to scan efficiently and correctly. Furthermore, ISO files are much easier to open these days; where previously a user would need third-party software to open the attachment, modern operating systems such as Windows 8 and 10 have a native ISO mounting tool. This ease of access increases the chances of a user opening the file and infecting their system.

    RECOMMENDATIONS:

    Users should follow the phishing prevention recommendations at the end of this bulletin, but these basics should always be followed: be wary of unsolicited emails, do not click any links or open attachments unless you are completely confident in their validity or they have been verified, and always protect yourself with reliable antivirus software.

    New Bluetooth Car Hack

    There is a new attack centered around the infotainment systems that are ubiquitous in cars today. It is called CarsBlues, and it has grave implications for the privacy of anyone who has rented, leased or shared a car and connected their phone via Bluetooth.

    Researchers at Privacy4Cars have stated that this vulnerability potentially affects tens of millions of vehicles worldwide. The most troubling aspect is that this attack can be carried out within a few minutes using inexpensive and easily obtainable hardware and doesn’t require a high degree of technical knowledge.

    RECOMMENDATIONS:

    If you ever use a car temporarily or sell yours, and it has one of these infotainment systems, make sure you erase any and all personal information from it to maximize your privacy.

    Cryptojacking Hits Make-A-Wish Foundation Website

    The Make-A-Wish Foundation’s international website was recently found to be stealing CPU cycles from visitors to mine cryptocurrency. Researchers discovered that the website had been compromised through an unpatched vulnerability in Drupal, the content management system on which the website is hosted. Embedded in the site was a script that used the computing power of site visitors to mine cryptocurrency right into the cybercriminals’ pockets.

    The CoinIMP miner is a JavaScript script that, when embedded into a website, mines a cryptocurrency called Monero using the CPU power of the visitor’s computer, tablet or phone. Attackers were able to leverage the unpatched Drupal instance to exploit a remote code execution bug and inject the JavaScript file into the website. It’s been estimated that more than 115,000 sites have still not patched this vulnerability, even though the patch has been available since March.

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here. This week we have not received anything interesting, but it is still important to heed the following recommendations.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 14 November 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Planning Holiday Travel? Check Your Rewards Account
    • WooCommerce WordPress Plugin Vulnerability
    • 2018 To Be 2nd In Breaches
    • Multiple Critical Cisco Vulnerabilities
    • Phish Tale of the Week
    • How can Netizen help?

    Planning Holiday Travel? Check Your Rewards Account

    Summer is in our rear-view mirror, but the year-end holiday season is fast approaching. Make sure you remain cyber-aware as you plan sightseeing or visits to relatives.

    Last month, Radisson Rewards, part of the Radisson Hotel Group, announced a data security incident that affected some of its Rewards members. There was no reported financial data exposed, but there were leaks of customer names, email addresses, phone numbers, their employer’s name, and frequent flyer numbers the member may have had on file.

    As far as data breaches go, this one was fairly minor. However, the data exposed could be used in phishing campaigns designed to target users with specific information.

    Consider: had your data been leaked in the Radisson exposure noted above, you could receive an email with a subject line including your employer’s name, perhaps mentioning a discount on travel because of a corporate deal. A text message could be sent to your mobile phone, indicating it is from your HR office and asking you to call to confirm your data.

    These are just two examples of how some innocuous data from a travel rewards site could be weaponized against you. Everyone needs to be on guard at all times, and question suspicious requests for personal or credit card information.

    WooCommerce WordPress Plugin Vulnerability

    The popular WooCommerce WordPress plugin that makes up around 35% of e-stores online has been found to contain a new vulnerability that could compromise your online store.

    The vulnerability allows a malicious or compromised privileged user to gain full control over any unpatched website. Because of the way WordPress handles user privileges, a WooCommerce file deletion vulnerability can allow an account with the “Shop Manager” role to reset the administrator’s account password and take control of the website.

    The vulnerability has been acknowledged and fixed in WooCommerce versions 3.4.6 and above, and it is highly advised to update both WordPress and the WooCommerce plugin as soon as possible.

    2018 To Be 2nd In Breaches

    2018 has not been kind to the data of organizations across the world. Between Jan 1st and Sept 30th, there were 3,767 breaches that exposed 3.6 billion records. The good news is that the reported number of data breaches is down 8% and the amount of actual records exposed is down 49% compared to the same time frame last year.

    Seven of the largest breaches this year exposed over 100 million records each, and the ten most significant breaches accounted for more than 80% of all records compromised. The most notable companies that suffered data breaches this year were Facebook, Under Armour, Ticketfly, and Hudson’s Bay Company.

    That there were fewer overall breaches and records compromised this year does not necessarily mean the problem is improving. One thing that has not happened so far this year is an event comparable to WannaCry or Petya/NotPetya, each of which was catastrophic. It’s also likely that attackers have focused on crypto-mining as a source of revenue more this year compared to 2017.

    Insiders were behind the largest proportion of data breaches so far this year, accounting for almost 36% of the breaches. At least 30 of 51 breaches involving intellectual property came from within organizations.

    That insiders were responsible for the most significant amount of compromised data does not mean outsider threats can be forgotten about. Outside hackers still accounted for the largest number of security incidents in most organizations.

    All this information should remind you of the importance of training staff to recognize insider threats, and of the minimal practices that lower the chances of an outside actor gaining unauthorized access to your data.

    Multiple Critical Cisco Vulnerabilities

    More critical Cisco vulnerabilities have been discovered, each affecting different products. The threats posed by these weaknesses range from remote attack to the execution of arbitrary commands or bypassing user authentication. While most of the vulnerabilities did have a medium severity rating, three, in particular, were of a critical nature. The following is an overview of the items affected:

    Cisco Unity Express (CUE)

    An arbitrary code execution flaw in the CUE can allow attackers remote access with root level privileges due to insecure deserialization of user-supplied content by the affected software. The vulnerability (CVE-2018-15381) affects releases prior to the 9.0.6 patch.

    Cisco Stealthwatch Management Console (SMC) Authentication Bypass

    This particular vulnerability is the result of an insecure system configuration. An attacker would be able to send a modified HTTP request to an application. A successful exploit would grant unauthenticated access, giving elevated privileges within the SMC. Vulnerability CVE-2018-15394 affects the SMC release 6.10.2 and earlier; the fix lies in patch 6.10.3.

    Awaiting Patches for Cisco Small Business Switches

    The vulnerabilities within the current patch level of these switches exist under certain circumstances in which the affected software enables a privileged user account without notifying system administrators of the change. An attacker would be able to log in and execute commands with full admin rights, and do so quietly. While there is currently no patch for this vulnerability, there is a workaround offered by Cisco: add at least one user account with access privilege set to level 15 in the device configuration. By adding this user account, the default privileged account will be disabled.

    While these vulnerabilities are relevant only to Cisco systems and devices, they are an important reminder to ensure that all devices on your network are routinely patched and upgraded, as an unpatched system can lead to serious openings that could have been prevented by an otherwise simple and quick fix.

    Phish Tale of the Week


    Netizen captures many phishes each month, which we feature here.  This week we have received an unsolicited email asking us to download and view a pdf.

    RECOMMENDATIONS:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 7 November 2018

    In This Issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • How Secure Is Your Mobile Device?
    • Apache Struts Vulnerability
    • Self-Encrypting SSD Flaws
    • Phish Tale of the Week
    • How can Netizen help?

    How Secure is your Mobile Device?

    Smartphones are ubiquitous, in everyone’s hands wherever we go.  Whether in the Boardroom, the coffee shop or at entertainment events, we rely on our phones to process and store reams of personal digital data.  We check our bank balances, send personal or corporate emails, carry entire photo albums around, and diaries of our lives.  CNBC has estimated that there will be more than 6 billion smartphone users in the world by 2020.

    It’s easy to forget that your mobile phone is essentially a pocket-sized computer and that, just as with any device that can connect to the Internet, mobile phones are at risk of a cyber attack.
    Fortunately, mobile malware is still relatively uncommon.  However, the risk to those devices keeps growing.  As adversaries always look to cash in wherever sources of data (i.e., money) reside, they are turning their attention to mobile devices. Securing your mobile phone should be a top priority, both for personal and business use.

    Mobile Malware

    • Mobile spyware: Spyware on a mobile device is not unlike that on a desktop. It can infiltrate seemingly benign programs and secretly monitor your activity, record your location, and steal sensitive passwords. Frequently, users grant an app permission to access this information when the app is installed.  The classic example: does that flashlight app really need access to your contact list?
    • Mobile banking Trojans: Mobile banking malware masquerades as a legitimate banking app to lure users into installing it, only to steal their credentials.
    • SMS malware: This form of malware will send costly text messages, often without the user noticing until they receive a huge bill at the end of the month.

    How Your Mobile Phone Can Get Infected

    The easiest way to infect your device is by downloading a malicious app. Hackers also exploit known vulnerabilities in an operating system, which is why you must keep your device up-to-date with the latest software patches.

    Another way you might expose yourself to an attack is by connecting to a public WiFi hotspot. As public WiFi is usually unencrypted, attackers can intercept the data stream between the user and the access point.

    Which is vulnerable, Android vs. iOS?

    Short answer: Both!

    Google’s Android holds dominance in the smartphone market but has a reported 19 million malware programs developed especially for that platform. A big reason for this is that the many hardware vendors have varying methods of delivering Android updates, leaving many devices unpatched and vulnerable.

    Nevertheless, iOS is not entirely failsafe. The XcodeGhost attack that occurred in China in 2015 compromised more than 39 apps, including older versions of the popular WeChat app.

    Earlier this week a friend showed me their Apple iPhone and demonstrated how, by going to vote411.com, they were being redirected to a site that presented a false-positive virus alert.

    While both Android and iOS platforms take a “walled garden” approach – requiring users to obtain apps from app stores controlled by Google and Apple, respectively – many users choose to jailbreak or root their devices, or to enable unknown sources, allowing them to download apps from any website.  While this makes apps available that are not in the app store, the risk of installing infected software outweighs any benefit of that greater selection.

    Tips for Securing Your Mobile Phone
    Of course, the most effective way to protect your phone from malware is to take preventative steps to reduce the likelihood of contracting an infection in the first place.

    • Be wary of public WiFi hotspots.  Use a VPN whenever you are uncertain how secure the hotspot may be.
    • Do not jailbreak or root your device. Don’t defeat the built-in security provided by the smartphone vendors.
    • Update your operating system. Check for updates and ensure you have installed them.
    • Review your access permissions. Often when consumers download new apps they don’t take the time to read the Terms & Conditions or consider what data they are allowing the app to access.

    Keep cybersecurity in mind whenever you reach for your smartphone; your entire digital life will appreciate it!

    Apache Struts Vulnerability

    The Apache Software Foundation has released an advisory that the latest version of the Commons FileUpload Library is vulnerable to a two-year-old remote code execution flaw and that users must update their projects manually.

    The bug found in the Commons FileUpload library is a known vulnerability (CVE-2016-1000031) that allows remote code execution when the library is used with the open-source Struts framework, which is designed for developing web applications in the Java programming language.

    The vulnerability lets an attacker abuse a Java object in the library that can copy or write files on a server. This can allow an attacker to take control of an affected system that uses the built-in file upload mechanism of Struts 2.

    It is highly recommended that any installation of Apache Struts at version 2.3.36 or earlier be updated immediately to the fixed Commons FileUpload library, version 1.3.3.

    This vulnerability is similar to another critical remote code execution vulnerability in the Apache Struts framework that led to the massive 2017 Equifax breach, which compromised the data of over 140 million Americans.

    Self-Encrypting SSD Flaws

    Multiple critical vulnerabilities have been discovered in some popular self-encrypting Solid State Drives (SSDs) that may allow an attacker to bypass the disk encryption and access protected data without even knowing the password for the disk. Successfully exploited models include:

    Crucial: MX100, MX200, MX300
    Samsung: 840 EVO, 850 EVO, T3 Portable, T5 Portable

    The vulnerability is due to improper implementations of Advanced Technology Attachment (ATA) security and Trusted Computing Group (TCG) Opal, two specifications for hardware-based encryption on SSDs. Because there is no cryptographic link between the SSD password and the data encryption key (DEK), an attacker could unlock these drives with any password by modifying the password validation routine in the drive’s Random Access Memory (RAM) through a JTAG debugging interface.

    Recommendations
    BitLocker may not be the answer to encrypting your drive either. Windows’ native BitLocker defers to the drive’s hardware-based encryption instead of using its own software-based algorithms. Not all is lost, as you can force BitLocker to use software-based encryption in the following manner:

    • Open the Local Group Policy Editor by entering “gpedit.msc” in the Run dialog.
    • Head on to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.”
    • Double-click the “Configure use of hardware-based encryption for fixed data drives” option in the right panel.
    • Select the “Disabled” option there and click “OK” to save the new setting.
    • Finally, suspend BitLocker protection and re-enable it so that the change takes effect.

    Open-source alternatives exist too, such as VeraCrypt, which can encrypt your hard drive just fine. VeraCrypt is derived from TrueCrypt and handles the encryption process in software on its own, without relying on the SSD.

    Since the discovery of the vulnerabilities, Crucial has released firmware patches for the affected drives, while Samsung has done the same for their T3 and T5 portable drives. For the EVO drives, it is recommended to install encryption software that is compatible with your system.

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here.  This week we received an unsolicited email alerting us to a fax that was never sent nor requested. The unprofessional look, such as the formatting and the long “From” and “To” fields, is a giveaway as well.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
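    The link-verification advice above (is the URL really the company’s, and is it HTTPS?) can be turned into a small check. The following is an added example written for this bulletin, not Netizen’s code; every domain name in it is constructed, and `bank.example` stands in for whatever company the email claims to be from.

```python
"""Link check for the recommendation above: is this URL really a link to the
company it claims to be for, and does it use HTTPS? Added example, not part of
the bulletin; all domain names below are constructed."""
import ipaddress
from typing import List
from urllib.parse import urlsplit


def link_warnings(url: str, expected_domain: str) -> List[str]:
    """Return the red flags found in url for a link that claims to lead to
    expected_domain (empty list: none found)."""
    warnings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")      # hostname is already lower-case
    expected = expected_domain.lower().rstrip(".")

    if scheme != "https":
        warnings.append(f"not HTTPS (scheme is {scheme or 'missing'})")
    if parts.username is not None or parts.password is not None:
        # In 'https://bank.example@evil.example/' the browser goes to evil.example
        warnings.append(f"user-info before '@' hides the real host {host!r}")
    if not host:
        warnings.append("no hostname")
        return warnings
    # Accept the domain itself or a subdomain of it (login.bank.example),
    # not a name that merely starts with it (bank.example.evil.example).
    if not (host == expected or host.endswith("." + expected)):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) label; check for lookalike characters")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a company name")
    except ValueError:
        pass
    return warnings


def looks_genuine(url: str, expected_domain: str) -> bool:
    """Convenience wrapper: True only when no red flag was found."""
    return not link_warnings(url, expected_domain)


if __name__ == "__main__":
    # Constructed links for a fictitious bank whose real domain is bank.example.
    for link in ["https://login.bank.example/reset",
                 "http://bank.example/reset",
                 "https://bank.example.evil.example/reset",
                 "https://bank.example@evil.example/reset",
                 "https://203.0.113.7/reset"]:
        print(link, "->", link_warnings(link, "bank.example") or "no red flags")
```

    The subdomain rule is the important one: a genuine link may live under the company’s domain, but a host that only begins with the company’s name belongs to whoever registered the part after it.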

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 31 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Protecting Yourself from Ransomware
    • Password Security
    • Tackling the Phishing Epidemic
    • Phish Tale of the Week
    • How can Netizen Help?

    Protecting Yourself from Ransomware

    Ransomware cost the world more than $5 billion in 2017 and is predicted to cost more than $8 billion in 2018. Previously ransomware was more indiscriminate, and many average people suffered from the effects. However, after 2014, malicious actors began to employ ransomware in a more targeted way, increasingly focusing on businesses and governments.

    Just this past spring, the city of Atlanta, Erie County Medical Center in Buffalo, NY and the Colorado DOT were hit by ransomware and the total cost, which includes rebuilding IT infrastructure, was nearly $30 million. This underscores the importance of good security policies and practices to prevent these attacks from happening in the first place.

    There are three key and basic approaches that will help you prevent this from happening.
    • Cyber Hygiene & User Training
      • Cyber hygiene starts with enforcing proper password policies, which include regular password changes, ample minimum length and special characters.
      • Public-facing servers must be password-protected.
      • Phishing training is a must to ensure employees don’t click on suspicious links in emails or download files.
    • Best Practices
      • Keeping all machines used within your organization current with patches and updates is critical.
      • Use appropriately configured firewalls with unnecessary ports blocked.
      • Ensure that the IT professionals who set up your systems are also trained in security best practices, or have very close communication with your security team.
    • Testing Disaster Recovery Plans
      • Simply implementing Disaster Recovery plans is not enough. They must be tested in training scenarios.
      • Using cloud infrastructure for backups helps add layers of recoverability.
    Nothing is 100% foolproof, but by employing these three approaches, you make your organization much less likely to suffer from a ransomware attack.

    Password Security

    A weak password is something all cybercriminals love. When you try to secure your account with a password that is easily broken via a brute-force attack, it is only a matter of time until a criminal finds out and exploits it.
    A good password policy, in personal life and in organizations, will help keep you or your organization from being the low-hanging fruit. The following guidelines will go a long way toward keeping your account(s) from being hacked due to a weak password:
    • Never use personal information, such as names, addresses, phone numbers or birthdays.
    • Do not use a single real word. Also, intersperse special characters within your password.
    • Make your password long: a minimum of 10 characters, and 16 or more is recommended.
    • Never use the same password on more than one site. If one site becomes compromised and that password is revealed, it will be tested on other sites.
    • Use a password manager like 1Password, KeePass or LastPass. They can generate a completely random password of any length for you and remember it for each site you use it on.
    • If a password manager isn’t an option for you, then to help with memorability, put 4 or more random common words of 4+ characters together, like “correcthorsebatt$erystaple”.
    • Never write your password down on a sticky note which you then keep on or around your workspace.
    • For your most important assets, use two-factor authentication. If possible, use an authenticator app or a physical USB token.
    Employing these practices will help you remain far more secure on the internet than the average user.
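    The guidelines above can be enforced and the passphrase advice automated. What follows is an added example written for this bulletin, not Netizen’s own tooling: the word list is a tiny constructed sample (a real one has thousands of entries), and the length thresholds are the 10 and 16 characters stated above.

```python
"""Passphrase generation and a password-policy check that follows the
guidelines above. Added example, not the bulletin's own code; WORDS is a
small constructed list and the policy thresholds are the ones stated above."""
import math
import secrets
import string
from typing import List, Sequence

# Constructed sample wordlist. A real deployment loads a large list (thousands
# of words, all 4+ characters) so that each word contributes real entropy.
WORDS = ["correct", "horse", "battery", "staple", "orange", "window",
         "river", "planet", "copper", "silent", "maple", "garden"]
SYMBOLS = "!$%&*@#?"


def generate_passphrase(n_words: int = 4, wordlist: Sequence[str] = WORDS,
                        insert_symbol: bool = True) -> str:
    """Join n_words chosen uniformly at random (secrets is a CSPRNG; the
    random module is predictable) and, like the example above, intersperse
    one special character at a random position."""
    if n_words < 4:
        raise ValueError("use at least 4 words")
    phrase = "".join(secrets.choice(wordlist) for _ in range(n_words))
    if insert_symbol:
        pos = secrets.randbelow(len(phrase) + 1)
        phrase = phrase[:pos] + secrets.choice(SYMBOLS) + phrase[pos:]
    return phrase


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of an n-word passphrase drawn from a list of wordlist_size
    words, assuming the attacker knows the list: n * log2(size)."""
    return n_words * math.log2(wordlist_size)


def check_password(pw: str, personal: Sequence[str] = (),
                   wordlist: Sequence[str] = WORDS) -> List[str]:
    """Return the guideline violations found in pw (empty list: none found).
    personal holds strings that must not appear, e.g. a name or birth year."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than the 10-character minimum")
    elif len(pw) < 16:
        problems.append("shorter than the recommended 16 characters")
    lowered = pw.lower()
    # 'battery1!' is still a single dictionary word with decoration
    if lowered.strip(string.punctuation + string.digits) in wordlist:
        problems.append("a single dictionary word")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, check_password(candidate))
    print("bits from this tiny list:", round(passphrase_entropy_bits(4, len(WORDS)), 1))
    print("bits from a 7776-word list:", round(passphrase_entropy_bits(4, 7776), 1))
```

    The entropy function is there to make one point the guideline leaves implicit: four words from a 12-word list give only about 14 bits, while four words from a 7776-word list give about 52, so the size of the list matters as much as the number of words.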

    Tackling the Phishing Epidemic

    In 2017, phishing was behind 93% of all data breaches.

    What makes phishing so effective is that it goes after the weakest link in any given company’s security: the human being. Even when employees receive training concerning phishing, cyber criminals are using increasingly advanced tools that make phishing emails look more convincing as time passes.

    Many people are becoming complacent about phishing due to the number of consistent warnings, which makes the situation more dangerous. The criminals behind phishing attacks are steadily getting more convincing with their methods, so it is important to remember to be suspicious of emails you aren’t expecting that are asking you to click on a link or download something.

    Cybercriminals are making their phishing attacks more focused, targeting organizations that hold large amounts of consumer data and stealing those organizations’ credentials to further their nefarious activities.

    Despite all this, there are several things you can do to mitigate the risk as best as possible:

    • Use multi-factor authentication, which blunts the power a criminal has if they do manage to get a username and password.
    • Train the staff. Make sure they are informed how to recognize phishing, and run phishing drills to test your people’s awareness.
    • Use a reputable email scanner.

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here.  This week we haven’t found anything new or unique to share.  Remember these tips to stay safe:

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 24 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Will This Halloween Be Cyber Scary?
    • Healthcare.gov breach Compromises 75K Users’ Data
    • Test your SSL Security
    • Web Applications Vulnerable Due to Security Flaw in Popular Plugin
    • Phish Tale of the Week
    • How can Netizen Help?

    Will this Halloween Be Cyber Scary?

    As we wind down the month of October, it’s time for a Halloween story.  And in that spirit, what is a Halloween story without some chills and frights?

    Your company’s data is at risk!  In what ways?  A threat analysis conducted by F5 Labs reports that the leading application breaches concentrate on payment card theft, by the following methods:

    • website injection: 70%
    • website hacking: 26%
    • database hacking: 4%

    These attacks use polymorphic code; if you think polymorphic is something a mad scientist would use, you’re not far off. Polymorphic code mutates itself, making it harder for antivirus software to detect.

    Even scarier, the number of web application breaches is rising fast, like a mist on a moonless night.  Notably, applications and identities are the primary targets in over 85% of breaches.

    In Q1 of 2018, attacks break down as follows:

    • login credentials stolen via compromised email accounts: 34.29%
    • access control misconfigurations: 22.9%
    • credential stuffing (using automated tools to brute-force username/PW combinations): 8.6%
    • brute forcing passwords: 5.71%
    • social engineering thefts: 2.76%

    Like any horror movie, simply running away will not keep you or your data safe.

    Recommendations:

    • Your network appliances need to be configured correctly with security as the top priority.
    • Embrace a top-down security culture to ensure all employees and management stay vigilant against things that go bump in the digital night.
    • Just as the victims in scary movies should never open closet doors, no one should use a public WiFi without a VPN in place to ensure data integrity.

    Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have frightening consequences.

    Read the full report from F5 here: https://www.f5.com/content/dam/f5/f5-labs/articles/20180725_app_protect_report/F5_Labs_2018_Application_Protection_Report.pdf

    Healthcare.gov breach Compromises 75k Users’ Data

    The Center for Medicare and Medicaid Services (CMS) has reported that a sign-up system for Healthcare.gov has been breached, leading to the compromise of 75,000 users’ personal data.

    On Oct. 13, CMS staff detected suspicious activity in the Federally Facilitated Exchanges (FFE) – the FFE’s Direct Enrollment pathway – a system used by healthcare insurance agents and brokers to help consumers apply for coverage available on Healthcare.gov.

    When the breach was confirmed on Oct. 16, officials deactivated agent and broker accounts associated with the anomalous activity and disabled the pathway. “We are working to address the issue, implement additional security measures, and restore the Direct Enrollment pathway for agents and brokers within the next 7 days,” CMS said in a release.

    The tool used to breach the system is available only via the disabled pathway. All other FFE enrollment channels, including Healthcare.gov and the Marketplace Call Center, are running. It’s worth noting the compromised system is available only to agents and brokers, not the general public.

    CMS said open enrollment will not be negatively affected by the incident, and it’s planning to notify all those potentially affected “as quickly as possible.”

    Test Your SSL Security

    A free command-line tool known as testssl.sh can test Secure Sockets Layer (SSL) security. SSL/TLS is widely used to encrypt and secure online communication (e.g., a banking website should be TLS/SSL encrypted). The tool checks a server’s service on any port for supported TLS/SSL ciphers and protocols, recent cryptographic flaws, and more.
    Features of testssl.sh include:

    • The output of the results is clear and concise.
    • Easy installation of the tool supports Linux, Darwin, FreeBSD, and MSYS2/Cygwin out of the box; no extra configuration is required.
    • Testssl is flexible: you can test any SSL/TLS-enabled or STARTTLS service, much more than just web servers on port 443.
    • Features are reliable as they are tested thoroughly.
    • Results are confidential as it is only you who sees them.
    • Testssl is completely free—i.e., Open Source.

    We recommend considering this tool for use in securing the servers in your environment as it is efficient and very cost-effective.

    Web Applications Vulnerable Due to Security Flaw in Popular Plugin

    A popular plugin called jQuery File Upload has been found vulnerable to an eight-year-old flaw that puts over 7,500 software applications at risk of compromise and remote code execution.

    jQuery File Upload is an open-source package for software developers that allows for easy file uploading, including multiple file selection, drag-and-drop support, and progress bars. It’s compatible with popular web languages such as PHP, Python, Java, and Node.js.

    Security researchers found that the code allows uploaded files to be placed in web-accessible directories, where they can be executed to run malicious code on the targeted web server. No validation was performed on the uploaded files, and no form of authentication was needed to upload them.

    This vulnerability gives attackers an avenue of attack: access to the system to install malware, exfiltrate data, or reach other parts of the network, depending on where the server is hosted. Not only can attackers deface the website, but they can use the server as a command-and-control server for a botnet as well.

    The vulnerability has been fixed in the commercial version, which now allows only image-file uploads such as GIF, JPEG, and PNG. However, web applications that rely on the open-source code will have to apply their own fix for the vulnerability.
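    For teams that have to write that fix themselves, the checks an upload handler needs are the opposite of the behaviour described above: decide the file type from its content rather than the client’s filename, accept only the image types named (GIF, JPEG, PNG), let the server choose the stored name, and keep the file outside any web-served directory. The following is an added example written for this bulletin; it is not jQuery File Upload’s code, the 5 MB limit is an assumption, and the sample payloads are constructed.

```python
"""Server-side handling an upload endpoint needs, in contrast to the behaviour
described above: the file type is decided from the content (magic bytes), not
from the client's filename; only GIF, JPEG and PNG are accepted; the stored name
is chosen by the server; and the file lands outside the web root, non-executable.
Added example, not jQuery File Upload's own code; the sample bytes are constructed."""
import os
import re
import secrets
import tempfile
from typing import Optional

ALLOWED = {"gif", "jpg", "png"}
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
]
MAX_BYTES = 5 * 1024 * 1024       # assumed limit for this example


def detect_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'gif' or 'jpg' from the leading bytes, else None."""
    for signature, ext in MAGIC:
        if data.startswith(signature):
            return ext
    return None


def safe_upload_name(data: bytes, client_filename: str) -> str:
    """Validate the upload and return a server-chosen filename.
    client_filename is used only to reject a declared type that disagrees
    with the content; it never reaches the filesystem."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = detect_image_type(data)
    if ext not in ALLOWED:
        raise ValueError("content is not an allowed image type")
    declared = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if declared == "jpeg":
        declared = "jpg"
    if declared != ext:
        raise ValueError(f"declared type {declared!r} does not match content {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(data: bytes, client_filename: str, upload_dir: str) -> str:
    """Write the validated file into upload_dir (a directory the web server
    does not serve) with O_EXCL so nothing is overwritten, and mode 0600 so
    the file is never executable."""
    path = os.path.join(upload_dir, safe_upload_name(data, client_filename))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


# Constructed sample payloads: a minimal PNG header and a script disguised as an image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_SAMPLE = b"<?php echo 'not an image'; ?>"


def round_trip() -> bool:
    """Store PNG_SAMPLE in a temporary directory and confirm the stored name is
    server-generated and the content is intact."""
    with tempfile.TemporaryDirectory() as d:
        path = store_upload(PNG_SAMPLE, "photo.png", d)
        name = os.path.basename(path)
        with open(path, "rb") as f:
            same = f.read() == PNG_SAMPLE
        return same and re.fullmatch(r"[0-9a-f]{32}\.png", name) is not None
```

    A script uploaded as `shell.png` is rejected because its bytes are not an image, and a genuine PNG uploaded as `shell.php` is rejected because the declared type disagrees with the content; in neither case does the client’s name decide where or as what the file is stored.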

    Phish Tale of the Week

    Netizen captures many phishes each month, which we feature here.  This week we haven’t found anything new or unique to share.  Remember these tips to stay safe:

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action or that is addressing you in a threatening manner should be questionable. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 17 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Goodbye TLS 1.0/1.1
    • Cyber Threats: How Prepared Is Your Organization?
    • Flaw Allows Hackers to Connect to Server Without Password
    • Phish Tale of the Week!
    • How can Netizen Help?

    Goodbye TLS 1.0/1.1

    TLS, or Transport Layer Security, is the most widely deployed security protocol for protecting online privacy and data integrity. TLS is used by web browsers and applications that need to exchange data over a network, including VPN connections, file transfers, and voice over IP. As a familiar example, HTTPS is HTTP using the TLS protocol to encrypt communications, like those of a banking website.

    While there are currently four available versions of TLS (1.0, 1.1, 1.2 and 1.3), versions 1.0 and 1.1 have serious, well-known flaws that leave them open to attacks.  It is for this reason that support for those versions is set to be removed from all major browsers in 2020.

    Recommendations

    While these outdated versions are not used much anymore, they may still be enabled. It would be wise to check that they are disabled; many vulnerabilities arise from misconfigurations in which a vulnerable feature is never used yet is still turned on, creating an opening for attackers.

    We recommend ensuring that you use TLS 1.2 (the most current version) as TLS 1.3 is still in the development stage. Many times, these controls can be found in the settings of your browser.
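    On the server and application side the same recommendation is a one-line setting, and the “check and see if they are disabled” advice can be scripted. The following is an added example written for this bulletin, not Netizen’s code: it shows a Python service and client configured to refuse TLS 1.0/1.1, a function that reports whether a context still permits them, and a probe that asks a server of your own which versions it will negotiate. The certificate path and the probe target are assumptions, and the probe needs network access.

```python
"""TLS settings for a Python service and client that refuse TLS 1.0/1.1, a
check that reports whether a context still permits them, and a probe that
asks a server which versions it negotiates. Added example, not from the
bulletin; host/port/cert paths are assumptions, and the probe needs network."""
import socket
import ssl
from typing import Dict, Optional

PROBE_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context that will not complete a TLS 1.0/1.1 (or SSLv3) handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                      # e.g. "/etc/ssl/private/server.pem" (assumed path)
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client context: certificate and hostname verification on, TLS >= 1.2 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permits_legacy_tls(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.1 or older; this is the
    'turned on but never used' misconfiguration the recommendation warns about."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def legacy_context_example() -> Optional[ssl.SSLContext]:
    """A context that still allows TLS 1.0, for comparison. Returns None when
    the local OpenSSL was built without TLS 1.0 and refuses the setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        return None
    return ctx


def probe_versions(host: str, port: int = 443,
                   timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake attempt per version against host:port. True: negotiated;
    False: refused; None: this version is unsupported by the local OpenSSL.
    Certificate checks are off because only the protocol outcome matters here;
    never reuse such a context for real traffic."""
    results: Dict[str, Optional[bool]] = {}
    for name, version in PROBE_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version      # pin both ends to exactly one version
            ctx.maximum_version = version
        except ValueError:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


if __name__ == "__main__":
    print("hardened server permits legacy TLS:", permits_legacy_tls(hardened_server_context()))
    # Replace with a host you administer; "server.example" is a placeholder.
    print(probe_versions("server.example"))
```

    One caveat on the probe: on systems whose OpenSSL security level already refuses TLS 1.0/1.1 on the client side, those two rows come back False whatever the server does, so treat a False there as “could not test” and confirm with a dedicated scanner such as testssl.sh, featured in the 24 October issue.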

    Cyber Threats: How Prepared Is Your Organization

    The number of cybersecurity threats continues to rise across the globe. Whether those threats are reported in local media, in trade journals or in the Netizen Cybersecurity Bulletin, organizations need to be on guard to protect their businesses.

    This past summer, ISACA conducted a poll of 4,800 business and technology professionals. The ISACA/CMMI Institute Cybersecurity Culture Report produced astonishing results.

    Ideally, cybersecurity awareness is integrated into the workplace culture so that perception and behavior are a part of every employee’s daily operation, from the executive level on down.  An effective cybersecurity culture can help employees understand their roles and responsibilities in keeping their organizations safe and customer data secure. However, the ISACA study found just 34% of respondents say they understand their role in their organizations’ cyberculture.

    Worse still, the study found just 5% of employees think their organization’s cybersecurity culture is as advanced as it needs to be to protect their business from internal and external threats.

    The report uncovered other findings that concern the researchers:

    A remarkable 42% of organizations do not have an outlined cybersecurity culture management plan or policy. A cybersecurity policy, signed off by senior management, sets the tone for the rest of the company to follow and represents the first step toward a cybersecurity culture.

    Naturally, aligning the entire workforce with the organization’s cybersecurity policies often requires capital investment. However, 57% of the organizations surveyed reported a significant gap between their current and desired cybersecurity culture, yet those same organizations are spending only 19 percent of their annual cybersecurity budget on training and tools.

    The full report may be downloaded here: http://www.isaca.org/cybersecurity-culture-study

    Flaw Allows Hackers to Connect to Server without Password

    A four-year-old vulnerability has been discovered in a Secure Shell (SSH) implementation library known as LibSSH, which is widely used on Linux servers. This vulnerability allows anyone to fully bypass authentication and gain administrative access to a vulnerable server without needing a password.

    The security vulnerability, identified as CVE-2018-10933, is an authentication bypass introduced in LibSSH version 0.6, which was released in 2014. This means that the vulnerability has been exposed to hackers for around four years.

    The latest research shows that approximately 6,500 servers are affected; however, OpenSSH has stated that its package is not vulnerable due to the way it implements the library.

    The issue has been addressed with the release of updated versions 0.8.4 and 0.7.6, and the details of the vulnerability were released at the same time.

    It is highly recommended that if you use LibSSH, whether on a website or on servers, you update LibSSH as soon as possible.
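    As an added example (not from the bulletin or the libssh project), the Python script below reads an SSH server's identification banner and compares the advertised libssh version against the fixed releases named above. The banner format "SSH-2.0-libssh_X.Y.Z" and the treatment of the 0.6 branch as unfixed are assumptions, and the sample banners are constructed.

```python
import re
import socket

# Fixed releases named in the bulletin, keyed by release branch.  The bug was
# introduced in 0.6 and no fixed 0.6.x release is named, so that branch is
# treated as unfixed (assumption).
FIRST_AFFECTED = (0, 6, 0)
FIXED_IN_BRANCH = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}

# Assumed banner shape, e.g. "SSH-2.0-libssh_0.8.1"; a dash separator is
# accepted too in case a build formats the version differently.
BANNER_RE = re.compile(r"SSH-2\.0-libssh[_-](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_libssh_version(banner: str):
    """Return (major, minor, patch) from a libssh banner, or None if not libssh."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version) -> str:
    """Map a libssh version tuple to its CVE-2018-10933 status."""
    if version is None:
        return "not libssh"
    if version < FIRST_AFFECTED:
        return "not affected (predates the bug)"
    branch = version[:2]
    if branch == (0, 6):
        return "vulnerable (unfixed branch)"
    fixed = FIXED_IN_BRANCH.get(branch)
    if fixed is None:
        # 0.9 and later were released after the fix.
        return "fixed"
    # Note the edge case: 0.8.1 is newer than 0.7.6 yet still vulnerable,
    # because each branch received its own fix.
    return "fixed" if version >= fixed else "vulnerable"


def check_banner(banner: str) -> str:
    return classify(parse_libssh_version(banner))


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line; no authentication is attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 256:
            chunk = sock.recv(64)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


# Constructed sample banners (not taken from real hosts).
SAMPLE_BANNERS = [
    "SSH-2.0-libssh_0.8.1",
    "SSH-2.0-libssh_0.8.4",
    "SSH-2.0-libssh_0.7.5",
    "SSH-2.0-libssh_0.6.3",
    "SSH-2.0-libssh_0.5.5",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:28} -> {check_banner(banner)}")
```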

    Phish Tale of the Week

    This week’s phishing email claims it originates from CHASE bank online and asks the user to review a “secure message”. The email is poorly formatted, and it can be seen that the document links to some unknown site.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.
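    As an added example (not from the bulletin), a Python check for the link problems described above: it extracts every link from an email's HTML and flags links that are not HTTPS, point at a raw IP address, or whose visible text names a different site than the real destination. The sample message is constructed, and its IP address comes from a documentation range.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the message described above; the IP address
# is from the 198.51.100.0/24 documentation range, not a real host.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, you have a new secure message waiting.</p>
<p><a href="http://198.51.100.23/chase/login.php">https://secure.chase.com/message</a></p>
<p><a href="https://www.chase.com/">Visit chase.com</a></p>
"""

# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _hostname(text: str):
    """Host part of a URL or bare domain, lower-cased, or None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def audit_links(html: str):
    """Return [(href, [reasons])] for links that show common phishing tells."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not HTTPS")
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a domain name")
        except ValueError:
            pass                                  # a normal host name
        if URL_LIKE_RE.match(text):
            shown = _hostname(text)
            if shown and shown != host:
                reasons.append(f"visible text names {shown} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```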

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • NETIZEN RECEIVES FEDERAL RECOGNITION FOR VETERAN HIRING

    Allentown, PA: Netizen Corporation, an ISO 27001:2013 certified provider of cyber security solutions for defense, government and commercial markets, has received a HIRE Vets Platinum Medallion award from the U.S. Department of Labor for the hiring, retention and training of military veterans all over the country. Over 50% of Netizen’s employees nationwide are veterans and Netizen provides training, college scholarships, and paid internships to help veterans obtain careers in high-demand technical fields.

    The HIRE Vets Medallion program was established under the Honoring Investments in Recruiting and Employing American Military Veterans, or HIRE Vets, Act signed into law on May 5, 2017 to recognize employers who hire, retain and support military veterans. The Platinum Medallion is the highest level of award a company can receive for this program and the citation states that “[Netizen] has demonstrated a model of patriotism worthy of praise as well as a recognition of the value veterans bring to the workplace.”

    “Netizen has always been, and will continue to be, a very veteran-friendly company as this recognition from the federal government demonstrates. We have always been keenly aware of the benefits and skills that military veterans bring to an organization and started offering scholarships, training, and preferential hiring programs to help them enter career fields such as cyber security. We continue to work with colleges, service organizations, and other groups to grow our award-winning veteran support programs all over the country,” said Michael Hawkins, Netizen’s CEO and a U.S. Army veteran.

    Netizen is not a “general information technology (IT) services company” but rather a highly specialized cyber security and compliance solutions provider that works in partnership with IT departments, information system owners/developers, and IT Managed Service Providers (MSPs) to ensure appropriate levels of security and compliance controls are implemented and maintained.

    About Netizen Corporation: Named the Lehigh Valley’s “Emerging Business of the Year” and “Veteran Owned Business of the Year” and a recipient of multiple Department of Defense (DoD) awards for superior performance, Netizen is an Allentown, PA based Veteran-Owned company (SDVOSB) specializing in cyber security and compliance solutions for defense, commercial and government markets. Their new commercial-focused subsidiary, CyberSecure Solutions, is also trusted to engineer, implement, audit and maintain cyber security solutions for businesses worldwide. Learn more at NetizenCorp.com and goCyberSecure.com.

    POINT OF CONTACT:

    Rocco Zegalia
    VP of Sales and Marketing
    1-800-450-1773 ext. 717
    rzegalia@netizencorp.com

     

    #####

  • Netizen Cybersecurity Bulletin: 10 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • Facebook Breach Affects 90MM users
    • MikroTik / WinBox Vulnerability
    • 3 Things to Look for When Choosing a Cybersecurity Company
    • How can Netizen Help?

    Phish Tale of the Week

    This week’s phishing email claims it originates from the Payroll Admin and asks the user to update their information in order to receive the new payroll increase. This is one of the more obvious examples of a phishing attempt: it has poor formatting, grammar, and spelling, and it does not even display a proper ticket number.

    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    Facebook Breach Affects 90MM

    90 million Facebook accounts were logged out last week. So what happened?

    Anyone who uses Facebook is familiar with the persistence of the login — you can close the browser/app, turn off your device and come back next week and your login is still active.

    Another feature lets the Facebook login work on different sites and applications, using a feature known as Single Sign-On (also known as OAuth). You log in to Facebook and then other sites recognize you. Many are also concerned that this lets Facebook track your activity online, but that’s a discussion for another day.

    Facebook lets users show different posts to different groups of users – groups like Family, Coworkers, School Friends, and Global (the whole world). Additionally, users are able to see their profile and ‘Wall’ page the way any one of their friends or user groups sees it. This is a useful and powerful feature, especially for users who want to restrict certain posts to certain users.

    In 2017 Facebook updated their product to permit users to upload Birthday Videos to their friends.  This feature became instantly popular.

    Researchers at Facebook noticed a sharp increase in the use of ‘View As’ and looked into it. They discovered this function was being exploited through a bug in the Birthday Video feature, which passed the OAuth sign-on token to the attacker, enabling that attacker to effectively become any user they wanted.

    Facebook responded by logging out some 90 million people, basically anyone who had been ‘Viewed As’ by any other user in the last year. That act was drastic, but overall harmless, and it ensured that any compromised account was logged out. OAuth has been incredibly useful, but when a service with a 2 billion user base has a bug, it potentially affects a lot of people. Facebook disabled the View As feature and it is still unavailable as of this writing.

    Recommendations

    • Check where you’re logged in on Facebook: Facebook tracks the devices on which you are currently logged in. On a desktop, click the down arrow (found in the top right-hand corner) and click Settings, or go to this link: https://www.facebook.com/settings?tab=security. Check WHERE YOU’RE LOGGED IN and see if you recognize the devices and locations. You can click the three dots on the right side of the list and select ‘Log Out’ to simply log out the connection, or ‘Not You’ to report a suspected login to Facebook.

    • It is also a good time to select APPS AND WEBSITES (from the left-hand menu or go to https://www.facebook.com/settings?tab=applications ) and review what apps have access to your data. Many users don’t realize how many apps and websites are able to interact with their data.

    These checks should be performed periodically for all social media accounts.

    MikroTik / WinBox Vulnerability

    A vulnerability in MikroTik routers that was once rated medium is now rated as critical. Coupled with a new hacking technique used against MikroTik routers, the vulnerability allows an attacker to remotely execute code on affected devices and obtain root access. Furthermore, remote attackers would be able to bypass authentication and read arbitrary files by modifying a request to change one byte related to a session ID.

    The vulnerability impacts WinBox as well. WinBox is a management component that lets administrators set up their routers through a Windows GUI application or a web-based interface. The new exploit could allow unauthorized attackers to compromise MikroTik’s RouterOS system, deploy malware payloads, or bypass router firewall protections.

    Additional vulnerabilities include:

    • CVE-2018-1156—A stack buffer overflow flaw that could allow an authenticated remote code execution, allowing attackers to gain full system access and access to any internal system that uses the router.
    • CVE-2018-1157—A file upload memory exhaustion flaw that allows an authenticated remote attacker to crash the HTTP server.
    • CVE-2018-1159—A www memory corruption flaw that could crash the HTTP server by rapidly authenticating and disconnecting.
    • CVE-2018-1158—A recursive parsing stack exhaustion issue that could crash the HTTP server via recursive parsing of JSON.

    Recommendations:

    The aforementioned vulnerabilities impact MikroTik RouterOS firmware versions 6.42.7 and 6.40.9. These issues have in fact been patched; however, it is estimated that nearly 70% of these routers are still vulnerable to attack. It is a good rule of thumb with any router to regularly patch and update the firmware. Also, while it may sound obvious, if your router still has a default password (admin, password, etc.), change it!

    3 Things to Look for When Choosing a Cybersecurity Company

    As cyber threats and security mandates continue to grow at a rapid pace, security teams are struggling to keep up. How does a company keep the team’s morale and motivation high? How does one ensure that the strategy to protect your company’s assets is sound and continues to move in the right direction?

    Teaming with a third-party security company can provide the skills, knowledge, and support needed to keep defensive measures strong. This is critical at a time when there are so few Cybersecurity professionals available – estimates run up to 3.5 million unfilled positions in the industry by 2021. Choosing the right security company can make certain your defense strategy stays on track rather than derailing due to a lack of resources.

    Three questions to consider when evaluating potential security companies:

    1. Are they a proven security company?
    When it comes down to Cybersecurity, the best partner is often one that has done their “time in the trenches.” When you work with a company that is a proven practitioner of security – one that has been down the path and understands what companies are up against – you get a different, and arguably better, perspective and guidance than from someone who has only read a book on security.

    2. Do they offer end-to-end solutions?
    Cybersecurity is a journey, not a destination; and every single company’s journey is different. What this means is that regardless of where a company is on the path to Cybersecurity, you need different solutions, product offerings, and services. There is no such thing as a one-size-fits-all solution.

    All too often, companies rely on Cybersecurity software vendors for broad-stroke support. They may provide security consulting services, but their knowledge and capabilities are limited to their own technology. One needs to look for a security vendor that can meet your company’s needs wherever you are on your Cybersecurity journey.

    3. Do they offer tailored security options?
    With a multitude of factors driving Cybersecurity decisions, including budget, risk tolerance, compliance requirements, technology stacks, and resource constraints, you need a Cybersecurity company that understands these various aspects and delivers the support that best fits your company.

    You may want to adhere to specific standards or certifications when performing business objectives, such as ISO 27001. You will need a Cybersecurity company that can provide the needed security assessments and roadmaps with these standards in mind.

    Working with a Cybersecurity vendor that only has a single delivery model, or single technology, greatly limits what they are able to provide. Working with multiple Cybersecurity vendors adds unnecessary complexity and higher costs for your business. That’s why seeking out a single firm that offers a range of services and solutions designed to meet your every challenge is the proven course. This approach offers more cost control, lower overhead, and most of all lower complexity.

    When selecting the right Cybersecurity partner for your organization, remember that Cybersecurity is a long-term challenge, and teaming with a long-term partner can help you along your journey.

    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


    Netizen is an ISO 27001:2013 (Information Security Management) certified company.

  • Netizen Cybersecurity Bulletin: 3 October 2018 Edition

    In this issue:

    In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

    • Phish Tale of the Week!
    • GhostDNS Hacks Over 100,000 Routers
    • Browser Notification Spam
    • Cybersecurity Buzzwords to Know
    • How can Netizen Help?

    FEMA Tests Emergency Alert System Oct 3 starting at 2:18 ET

    Phish Tale of the Week

    This week’s phishing email claims it originates from “Microcorporation” and asks the user (T4NG) to reconfirm a password. This is one of the more obvious examples of a phishing attempt: poor formatting, grammar, and spelling, a fake link, and it does not even address a person by their actual name.


    Recommendations:

    A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

    • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    • Verify that the sender is actually from the company sending the message.
    • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email—this is a huge red flag.
    • Do not give out personal or company information.
    • Review both signature and salutation.
    • Do not click on attachments.
    • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
    • Be wary of poor spelling, grammar, and formatting. As can be seen with this email, there are multiple spelling, grammar, and formatting errors, leading us to believe that the message is illegitimate. If an email is visually unprofessional, the sender is likely not who they say they are.

    Many phishing emails convey a sense of urgency or even aggressiveness as a form of intimidation. Any email requesting immediate action or addressing you in a threatening manner should be treated as suspect. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to know about, but it could just be a ploy to plant malware on your system or steal your credentials.

    GhostDNS Hacks Over 100,000 Routers

    A widespread malware campaign known as GhostDNS has hijacked over 100,000 home routers. The infection modifies the routers’ DNS settings to send users to malicious web pages, namely fake banking sites, in order to steal users’ login credentials. The GhostDNS system consists mainly of four modules:

    DNSChanger module: This is the main module. It runs scripts (automated series of instructions) to exploit routers, written in Shell, JavaScript (Js), and Python (Py); each language is a submodule of DNSChanger.

    Web Admin module: Not much information has been found regarding this module. However, it appears to be an administrative panel for the attackers, protected by a login page.

    RogueDNS module: The RogueDNS is responsible for resolving targeted domain names to attacker-controlled web servers. The targeted domains mainly included banking websites and cloud hosting services.

    Phishing Web module: Once a targeted domain is resolved through RogueDNS, the Phishing Web module serves a fake version of whatever website the user tries to visit, where the attacker can then steal credentials.

    The GhostDNS campaign is organized and operates at a large scale, making use of different attack vectors coupled with automated processes, which makes the malware particularly dangerous.

    Recommendations:

    To help protect your network from GhostDNS, due diligence provides the best defense:

    • Ensure your router’s firmware is the most current version.
    • Set a strong, complex password for the router.
    • If at all feasible, disable remote administration of the router.
    • Change the default local IP address.
    • Hardcode a trusted DNS server in the router or at the operating-system level.

    Browser Notification SPAM

    Browser notifications enable websites to pop-up alerts, such as for breaking-news bulletins from a news site. Like so many features online, something good has been exploited. BleepingComputer.com reported this issue last week.

    Sites are now tricking users into accepting browser notifications in order to promote unwanted extensions, fake software, adware bundles, adult sites, and scam sites.

    [Image: scam1]

    For example, in the image above the site tricks the user into thinking they must subscribe to notifications in order to view a video.

    Once the user signs up for notifications, the site will either redirect to another site or display the video. In addition, the visitor will now receive spam browser notifications delivered directly to their desktop. These spam notifications are essentially advertisements for unwanted extensions, fake downloads, adult sites, and giveaway scams.

    If you are receiving browser notification spam, you can check for and remove subscriptions in your browser’s settings. Once the subscriptions are removed, the spam will stop appearing on the desktop.

    Chrome Users
    To remove them in Chrome, go into Settings and search for Notifications, click on Content Settings, and then click on Notifications. Chrome will display a list of sites that you are subscribed to or have blocked. Most users are surprised at how many sites are in their subscription list. To remove a notification, simply click on the three vertical dots next to a site and select Remove.

    Firefox Users
    Firefox users can go into Options, search for Notifications, and then click on Settings next to Notifications to access the list of subscribed sites and remove them.

    Edge Users
    You can disable browser notifications on a site-by-site basis by clicking on the menu icon (three horizontal dots) in the upper right-hand corner and going to Settings > View advanced settings. Under the Notifications subheading, click Manage and a panel will appear where you can edit the various sites that you’ve agreed to receive notifications from.

    https://www.bleepingcomputer.com/news/security/sites-trick-users-into-subscribing-to-browser-notification-spam/

    Cybersecurity Buzzwords to Know

    The cybersecurity industry is filled with words like trojan horse, zombie, and worm: words that sound like science fiction but are an everyday reality on the internet.

    As more of our daily life is moving towards the digital world, these terms begin to take on new meanings and introduce us to the different cybersecurity threats we face.

    While the majority of us would rather leave these threats to more IT-focused individuals, it’s important that we all have an understanding of cybersecurity, starting with the key terms, so that we can protect not only ourselves but others.

    Cybersecurity Terms:

    Backup: Ensuring that all important data is stored in a secure, offline location so that it is not lost if a computer fails or is hacked. It’s good practice to routinely copy files to a USB flash drive or cloud storage.

    Blackhat hacker: An individual who maliciously causes damage to a computer system, steals data, or conducts illegal cyber activities.

    Botnet: A group of computers, typically anywhere in the world, that have been infected by malicious software. This allows the group to be remotely controlled by a hacker, allowing them to perform malicious attacks such as denial of service.

    Brute Force Attack: A hacking technique that is used to break into a computer system. The technique involves attempting to “guess” a password over several thousand attempts.

    Phishing or spear phishing: A technique used by hackers to obtain sensitive information, such as passwords, bank accounts, or credit cards. Often an unexpected email is received disguised as being from a legitimate source. In many cases, the hacker will attempt to trick you into either replying with the information they seek, like bank details, or tempt you to click a malicious link or run an attachment. Spear phishing is a variant of this technique in which the hacker targets a specific business or person instead of taking a blanket approach.

    Trojan horse: A piece of malware that often allows a hacker to gain remote access to a computer. The system will be infected by a virus that sets up an entry point for the perpetrator to download files or watch the user’s keystrokes.

    Worm: A piece of malware that can replicate itself to spread the infection to other connected computers. It will actively hunt out weak systems in the network to exploit and spread.

    Whitehat hacker: A person who uses their hacking skills for an ethical purpose, as opposed to a blackhat hacker, who typically has malicious intent. Businesses will often hire these individuals to test their cybersecurity capabilities.

    Zombie: A computer system that has been infected by malware and is now part of a hacker’s botnet.

    How can Netizen help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management) certified company.
