The Week In Breach

 

Social Graphic_3.png (1200×627)

This week, medical data is on the menu for hackers.

Dark Web Data Trends 

  • Total Compromises: 2,368
  • Top PIIs compromised: Domains (2,366)
    • Hashed/Cleartext Passwords (36,617)
  • Top Company Size: 11-50
  • Top Industry: High-Tech & IT

United States – NorthBay Healthcare Corporation

https://news.softpedia.com/news/social-security-numbers-pii-stolen-in-northbay-healthcare-data-breach-523548.shtml
Exploit: Supply chain vulnerability.
NorthBay Healthcare Corporation: A healthcare organization based in Portland, Oregon.
Risk to Small Business:1.666 = Severe: An organization that is unable to secure the data of those applying for a job could scare away potential applicants as well as customers.
Individual Risk: 2.285 = Severe: Those affected by this breach are at an increased risk of identity theft.
Customers Impacted: Those who applied to the organization between 2012 and May 2018.
How it Could Affect You: A supply chain breach can damage customer trust in an organization, and while NorthBay Healthcare is offering identity monitoring services for those affected, it will not undo what has already happened.
ID Agent to the Rescue: Spotlight ID™ by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach like this one.
Learn more: https://www.idagent.com/identity-monitoring-programs

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

United States – Girl Scouts of America

https://cyware.com/news/girls-scouts-got-hacked-and-the-personal-data-of-2800-members-compromised-8f63f56a
Exploit: Compromised email account.
Girl Scouts of America: The preeminent leadership development organization for young girls in the United States.
Risk to Small Business:1.667 = Severe: A breach that exposes medical history can foster distrust between a customer and an organization.
Individual Risk: 2 = Severe: Those affected by this breach are at an increased risk for identity theft and fraud.
Customers Impacted: 2,800 members.
How it Could Affect Your Business: This breach could damage the reputation of any business or organization, and in this case could push away current members of the organization and scare away new potential members.
ID Agent to the Rescue: Spotlight ID by ID Agent offers comprehensive identity monitoring that can help minimize the fallout from a breach of this type.

Risk Levels:
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.


In Other News:

Facebook’s Folly
Private messages between Facebook users are for sale, and there’s no shortage. 81,000 users’ private messages were accessed by a hacker who is now attempting to sell them, some for as low as 10 cents per account. Facebook has been ravaged by hacks over the last year, and the social media juggernaut appears to still be having trouble keeping their customers’ data safe.
https://www.bbc.com/news/technology-46065796

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!


 

Hackers are Bundling Up This Fall.
Well, it’s nearing the end of the year. You know what that means: it’s time for the ‘best of 2018’ collections to start coming out. One category is Best Movies of 2018… personally, I think The Incredibles 2 is at the top of that list. Another category is Best of Ransomware. Yes, there is a ‘best of the year’ collection for cybercriminals. To the surprise of no one, the ransomware collection is being sold on the Dark Web, but there are many surprising elements to the bundle.

First off, the fact that the year’s most dangerous ransomware variants are being sold as a package deal at a reduced price should show the… professionalism… of the Dark Web marketplaces, as strange as it is to use that word to describe cybercriminals. This crime-as-a-service model is nothing new, but this bundle is undoubtedly a step above the norm. There are 23 ransomware variants included in the bundle, including SamSam. Yes, the notorious SamSam ransomware is included in the bundle. If you don’t know what SamSam is, it is a variant of ransomware that is infamous because of the high-profile targets it has been used against and because until now, it was under lock and key deployed only by a highly specialized group.

This bundle is not for inexperienced hackers, however, which would be worse than the current situation. An unskilled hacker would find difficulty putting most of the bundle to use. The bundle will be removed from the marketplace after sold 25 times, according to the seller, although it is unclear why this is the case. Don’t let one of the hackers who buys this bundle use it against your business!

https://www.zdnet.com/article/giant-ransomware-bundle-threatens-to-make-malware-attacks-easier-for-crooks/

 

Want some help?

 

Get a Free Dark Web Scan of your Business Domain

Get a Free Tool Kit- Phish Prone Test, Domain Spoof Test, Weak Password Tool and more!


Advertisements

Six Common Computer Viruses and What They Do to Your Computer

Here is a great article from InCyberDefense that explains computer viruses.

By Marissa Bergen 
Contributor, InCyberDefense

Viruses can attack your computer at any time, so knowing how to protect yourself is helpful in preventing attacks. Part of that protection is familiarizing yourself with the different types of viruses to which your computer is vulnerable. Once you understand how viruses work, you will be better prepared to deal with them in the unfortunate event that a virus infects your computer.

Six Common Computer Viruses and What They Do to Your Computer

To avoid an infection, here are six common computer viruses you should look for:

1. Polymorphic virus: When this type of virus infects your computer, it creates copies of itself. Each copy is slightly different than the others, making it difficult for antivirus programs to detect them.

2. Resident virus: A non-resident virus needs to be executed before it begins its infection, but a resident virus can activate as soon as the operating system loads. It functions by hiding in your computer’s memory, which makes it exceptionally difficult to eradicate.

3. Boot sector virus: A boot sector is the section of a computer’s hard drive or external storage medium that contains the information required to boot (start) your computer. A boot sector virus infects that part of the sector known as the master boot record and replaces legitimate information with its own infected version. This virus activates in your computer before it loads and may make your computer unbootable, so you can’t start your computer.

4. Multipartite virus: This virus is exceptional because it has the ability to attack two components of the computer at the same time. It infects both the boot sector and system or program files simultaneously. Because of this ability, a multipartite virus infects the same operating system over and over until the system and all of its components are completely eradicated.

5. Overwriting virus: An overwriting virus destroys files by infecting them and overwriting the data they contain. It can only be removed by deleting the infected files. In these cases, files are permanently lost and clean versions of them will have to be reinstalled on your computer.

6. Browser hijacker virus: Once this virus is in your computer, it modifies the settings of your web browser, including the default search engine and the homepage. Once the takeover occurs, the virus sends users to malicious websites.

This virus can also install spyware and ransomware to an operating system, compromising sensitive data. The virus spreads through malicious email attachments, free downloads and visits to infected websites.

Education Is the First Step in Preventing Virus Infections

Unfortunately, there is not much you can do to get rid of these six common viruses once they enter your computer. But educating yourself about viruses and how to avoid them can save you from a lot of headaches and heartaches later.

 

Need help on training your staff? Want some free tools for cyber awareness? Click Here!

The Week in Breach – Post Labor Day 2018 Edition

Breaches are flying high this week thanks to Air Canada!  China’s hospitality industry targeted and the data shows up on the Dark Web. And, in an effort to cut out Google’s cut, the creators of the game Fortnite create massive security challenges for unwitting gamers.

Highlights from The Week in Breach:

  • Fortnite on Android.
  • Hackers Take Flight!
  • Russian Breach.

In Other News:

Trust
Several companies that specialize in developing software designed to spy on one’s spouse or other unsuspecting “targets” have been compromised over the past few years. This category of software, which is essentially spyware installed on the target’s phone, collects a good bit of highly personal and sensitive data. This time, the company who makes the app, TheTruthSpy, was breached, allowing the target’s texts, location information, social media chats and other sensitive data to be extracted and posted on TOR/Dark Web forums for all to see.
https://motherboard.vice.com/en_us/article/mb4y5x/thetruthspy-spyware-domestic-abusers-hacked-data-breach

Fortnope
It seems like every kid on the planet is playing the popular video game, Fortnite, these days. Epic, who is the maker of the hit title, is planning on launching the Android version of the game soon, but not on the Google Play Store… this is an unprecedented move by a well-respected and popular game title, and likely has to do with Epic not wanting to give Google a cut of their money printing machine. This controversial move by the game developer has been made even more so due to Google researchers finding that the app is vulnerable to ‘man in the disk’ attacks. Man in the disk is an attack vector that takes advantage of Android’s less-secure external storage space. The vulnerability has since been patched, but make sure to have your kids update their app.  Scratch that… tell your kids to put the game down and go outside and play! Seriously people!
https://www.bleepingcomputer.com/news/security/fortnite-android-app-vulnerable-to-man-in-the-disk-attacks/

Podcasts:
Know Tech Talks – Hosted by Barb Paluszkiewicz
IT Provider Network – The Podcast for Growing IT Service
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Small Business, Big Marketing – Australia’s #1 Marketing Show!


Canada – Air Canada
Exploit: Unclear.
Risk to Small Business: High: The number of customers affected is a low percentage of the airline’s customer base, but to most other businesses, a breach of this scale would be much worse. Either way, the breach is extremely damaging to the company due to loss of customer trust.
Individual Risk: Extreme: The nature of the data leaked is highly sensitive and useful for identity theft.
Air Canada: Canada’s largest full-service airline.
Date Occurred/Discovered: August 22, 2018 – August 24, 2018
Date Disclosed: August 29, 2018
Data Compromised:

  • Names
  • Email addresses
  • Phone numbers
  • Passport numbers
  • Passport expiry date
  • Passport country of issuance
  • NEXUS numbers
  • Gender
  • Dates of birth
  • Nationality
  • Country of Residence

Customers Impacted: 20,000
https://techcrunch.com/2018/08/29/air-canada-confirms-mobile-app-data-breach/

China – Huazhu Hotels Group
Exploit: Unclear.
Risk to Small Business: High: The loss of customer trust alone would greatly cost the company, in addition to the other costs associated with a breach.
Individual Risk: Extreme: The information is already for sale on the Dark Web.
Huazhu Hotels Group: One of China’s largest hotel chains.
Date Occurred/Discovered: Earlier this month
Date Disclosed: August 28, 2018
Data Compromised:

  • ID card number
  • Mobile phone number
  • Email address
  • Login password
  • Customer name
  • Home address
  • Date of birth
  • Check in time
  • Departure time
  • Hotel ID number
  • Room number

Customers Impacted: 130 million
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/

RUSSIA – ABBYY
Exploit: Exposed database.
Risk to Small Business: Extreme: Sensitive internal documents were exposed that could have major effects on their business.
Individual Risk: Low: Only corporate documents were exposed.
ABBYY: Moscow-based optical character recognition software provider.
Date Occurred/Discovered: August 19, 2018
Date Disclosed: August 27, 2018
Data Compromised:

  • Contracts
  • Non- disclosure agreements
  • Memos
  • Other confidential documents

Customers Impacted: 200,000 sensitive documents.
https://cyware.com/news/abbyy-inadvertently-exposes-over-200000-sensitive-documents-via-unsecured-mongodb-database-be026aa2



Scam, Scam, Go Away.
Australia is well-known to be a dangerous place, with many poisonous plants and animals that inhabit its borders. Another danger in the outback is cybercriminals! According to the Australian Competition and Consumer Commission, Australian small businesses have been scammed out of $2.3 million so far in 2018.

The scam that most frequently targeted businesses is the false-billing scam, while employment and investment scams funneled the most amount of money away from Australian businesses.

Stay safe out there and make sure to have a healthy dose of suspicion when dealing with unexpected emails, especially those that deal with money!
https://www.arnnet.com.au/article/645826/aussie-small-businesses-scammed-2-3m-far-2018/?utm_campaign=daily-pm-edition-2018-08-28&utm_source=daily-pm-edition&utm_medium=newsletter&eid=-4152


The Week in Breach: 06/25/18 – 6/29/18

Hacks this week showed no mercy or regard to international boundaries. From North America to Australia, businesses of all sizes, across all industries were targeted. Malware injection and insecure databases were some of the most damaging compromises highlighted this week. At least 230 million individuals and 110 million businesses exposed on the dark web… YIKES.

Highlights from The Week in Breach:

  • Ransomware be gone!
  • Comcast’s leaky API
  • Another Intel CPU vulnerability?
  • Massive breach exposes how many kids you have and where you live.

In other news…
A popular Australian medical appointment booking app called HealthEngine is receiving negative attention from privacy advocates and cyber security professionals alike this week. It has come to light that they have been sharing patients’ personal information with a third-party law firm. The information sharing occurred daily as part of a referral partnership.
https://cyware.com/news/popular-medical-appointment-booking-app-healthengine-reportedly-patient-data-with-law-firm-3aba7747

Researchers at Cisco Talos have developed a tool that decrypts files affected by the ransomware Thanatos. This news is only made better by the fact that they are releasing it at no cost. The less ransomware out there, the better.
https://www.zdnet.com/article/thanatos-ransomware-free-decryption-tool-released-for-destructive-file-locking-malware/

Comcast’s website has been leaking account information, including whether a home security setup is in place. Anyone on the customer’s network could trick one of the company’s APIs into returning customer information. Comcast was quick to shut down the API after the vulnerability was revealed to them.
https://www.zdnet.com/article/comcast-fixes-another-xfinity-website-data-leak/

At Black Hat USA this year, it was revealed that Intel CPUs have a side-channel vulnerability that could be used to leak encryption keys for signing a message. Researchers at the Systems and Network Security Group at Vrije Universitet Amsterdam constructed an attack that can reliably extract an encryption key using Intel’s Hyper-Threading technology. To exploit the flaw, a hacker would need to already have malware on the system or use compromised credentials to log in.
https://www.zdnet.com/article/tlbleed-is-latest-intel-cpu-flaw-to-surface-but-dont-expect-it-to-be-fixed/

Podcasts:

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Exactis
Exploit: Elasticsearch insecure database exploit.
Risk to Small Business: High: Demonstrable gross negligence while aggregating and normalizing PII. This increasingly common exploit (insecure/ publicly accessible database). This compromise will cross state and international boundaries.
Risk to Exploited Individuals: High: The data breached could be used to execute extremely effective spear phishing campaigns.
Exactis: A marketing and data aggregation firm based in Florida.
Date Occurred/Discovered: June, 2018
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Interests
  • Habbits
  • Number of children, their ages and gender
  • Whether the individual smokes
  • Religion
  • Pets

Etc… over 400 variables per person
How it was compromised: Negligence
Customers Impacted: 230 million Americans and 110 million businesses

https://www.wired.com/story/exactis-database-leak-340-million-records/
https://info.idagent.com/blog/big-data-big-breach

People Dedicated to Quality (PDQ)
Exploit: Hackers gained entry by exploiting an outside technology vendor’s remote connection tool. Demonstrates supply chain-based vulnerabilities.
Risk to Small Business: High: Remote session / access tools are frequently targeted. Outsourcing and the cost-effectiveness of remote support makes this a very effective attack vector for hackers. This should be top of mind especially if an organization holds PII or any customer data of value.
Individual Risk: Low: Victims of this breach are highly vulnerable to financial fraud and identity theft.
PDQ: People Dedicated to Quality, or PDQ for short, is a chicken focused food stop founded in Florida.
Date Occurred/Discovered: May 19, 2017 – April 20, 2018
Date Disclosed: June 22, 2018
Data Compromised: 

  • Credit card information
  • Expiration dates
  • CVV
  • Names

How it was compromised: PDQ believes that a hacker gained access to their customer’s credit card information using an outside technology vendor’s remote connection tool.
Customers Impacted: Unknown, but all 70 PDQ locations were compromised.
https://www.eatpdq.com/promos/news/2018/06/22/guestinfo

FastBooking
Exploit: Web Application Exploit, Remote Access, Malware injection.
Risk to Small Business: High: There seems to be several layers to this exploit. Remote access was achieved to download the data scraping malware. This breach is far-reaching globally impacting businesses and individuals globally. The forensics, mandatory credit monitoring, brand damage will be costly and will linger to years.
Risk to Exploited Individuals: High: Personal data and credit card information was compromised during the breach, leaving individuals vulnerable to identity theft.
FastBooking: Based in France, the company sells hotel booking software globally.
Date Occurred/Discovered: Occurred on June 14, 2018, discovered on June 19, 2018.
Date Disclosed: June 26, 2018
Data Compromised: 

  • Full name
  • Nationality
  • Home address
  • Email address
  • Booking information

In some cases:

  • Credit card details
  • Name on card
  • Card number
  • Expiration date

How it was compromised: Malware installed on their server which granted remote access.
Customers Impacted: 4,000 hotels in 100 countries.
Prince Hotels is the first to inform customers, with 123,963 of their customers affected. Of these, 58,003 are instances of personal information compromised. 66,960 involved credit card information.

https://www.bleepingcomputer.com/news/security/hundreds-of-hotels-affected-by-data-breach-at-hotel-booking-software-provider/

https://www.japantimes.co.jp/news/2018/06/26/business/corporate-business/prince-hotels-hack-results-loss-124000-customers-credit-card-numbers-data/#.WzOvIdVKjIW

Best Sleep Centre
Exploit: Ransomware
Risk to Small Business: High: Significant impact to business operations if data not properly encrypted and backed up.
Risk to Exploited Individuals: Moderate: Data was encrypted by the ransomware. At this point, there is no public evidence that it was also exfiltrated.
Best Sleep Centre: Winnipeg based mattress store
Date Occurred/Discovered: June 2018
Date Disclosed: June 26, 2018
Data Compromised: The company’s server was encrypted.
How it was compromised: Ransomware. The owner decided to pay the ransom, but negotiated it down to $2,000 CAD.
Customers Impacted: Unknown at this time, but the business is impacted.

https://globalnews.ca/news/4298279/hacker-hits-local-mattress-store-with-ransomware/

Ticketmaster
Exploit: JavaScript chatbot with data scraper injected in to supply chain systems.
Risk to Small Business: High: Highlights how supply chain vulnerabilities can lead to massive data loss and exposure. Companies dealing with customer data / PII should have elevated security controls in place to prevent supply chain vulnerabilities.
Risk to Exploited Individuals: High: This breach leaves Ticketmaster customers vulnerable to identity theft.
Ticketmaster: A ticket purchasing website that is used globally for many types entertainment.
Date Occurred/Discovered: Discovered on June 23, 2018. Could have occurred as early as September 2017.
Date Disclosed: June 27, 2018
Data Compromised: 

  • Names
  • Address
  • Email address
  • Telephone number
  • Payment details
  • Ticketmaster login details

How it was compromised: Malware hosted on a customer support product hosted by a third-party supplier which sent data to a remote location.
Customers Impacted: Ticketmaster has been telling the media that about 400,000 customers have been affected, but in their alert to customers they claim that ‘less than 5% of their customer base have been affected. 5 percent of their customer base comes out to 11.5 million, so we will have to see if their investigation into the breach will reveal more affected customers.

https://www.govinfosecurity.com/ticketmaster-breach-traces-to-embedded-chatbot-software-a-11144
https://security.ticketmaster.co.uk/

Facebook (yes again)
Exploit: Unsecured JavaScript file/ supply chain
Risk to Small Business: High: A supply chain vendor that leaks data will tarnish the reputation of business.
Risk to Exploited Individuals: Moderate: The data the quiz app is leaking could be used in spear phishing attacks.
Facebook: A social media site that has over 2 billion monthly active users.
Date Occurred/Discovered: End of 2016-present
Date Disclosed: June 28, 2018
Data Compromised: 

  • Facebook ID
  • First name
  • Last name
  • Language
  • Gender
  • Date of birth
  • Profile picture
  • Cover photo
  • Currency
  • Devices used
  • When your information was last updated
  • Posts
  • Statuses
  • Photos
  • Friends on Facebook

How it was compromised: Any third party can view.
https://techcrunch.com/2018/06/28/facepalm-2/

Prime Telecommunications’ Technology Thwarts Cryptojacking

Cryptojack

 

Prime Telecommunications, Inc., a leading managed technology services provider, is helping small to mid-sized businesses (SMBs) to prevent cryptojacking attacks from damaging their organizations. Cryptojacking attacks, are derived from the widely popular cryptocurrencies, such as Bitcoin and Ethereum, and occurs when a corporate server is hijacked in order to facilitate cryptocurrency transactions by leveraging the inherent power of high-performance servers. As cryptocurrencies rely on an enormous amount of server power in order to facilitate transactions, many of the corporate servers that power small to mid-sized businesses have become an obvious target of cryptojacking attacks, as they are simply the most efficient vehicle for cryptojackers to exploit. Prime Telecommunications is currently protecting SMBs from this threat.

“Businesses that are under attack are often unaware of this threat because these attacks are specifically designed to be minimally intrusive and hard to trace,” stated Vic Levinson, President at Prime Telecommunications. “Typically, cyber criminals set up their malware to run quietly in the background during daytime hours, only to extract maximum power during off-hours. It’s one of the telltale signs, yet this is rarely monitored by organizations that aren’t working with a reputable managed technology services provider. The result is that most businesses are flying blind and unaware that their security has been compromised, which doesn’t seem very dangerous on the surface. However, this leaves many cryptocurrency hackers with access to very sensitive points within an organization that can be taken advantage of later.”

Most attacks take place when businesses are most vulnerable; after-hours and during migration to cloud-based solutions. Durring off-hours, cryptocurrency mining software can be installed quickly and without detection, creating a pivot-point where hackers can later install even more malware. Another vulnerable moment is when businesses are migrating their network to the cloud. The vulnerability here is because of the complexity and level of detailed attention required to successfully navigate these kinds of infrastructure transitions. Where most business owners simply add technology piece-by-piece, this fails to address the gaps in the network that arise gloming one solution onto another. Networks can quickly become messy and this is how organizations get exposed to hackers. In the case, of cryptojacking, it’s no different.

“Business owners can protect themselves by taking the following actions, commented Mr. Levinson. “As a first step, they need to diagnose their network and segment the utilization of their data. By doing this, business owners or CTOs can see which devices, servers, and endpoints are performing optimally and which are underperforming. Underperforming servers can provide a hint that the organization may have been cryptojacked. Another action they can take is to make sure that they aren’t vulnerable to exploit kits, which are tools hackers use to infiltrate networks via common business software. Lastly, businesses can direct their attention to systems that expose the network, like VPNs (Virtual Private Networks) or other cloud-based technology. While there are many more steps to take, these are very effective first steps to protect any organization from cryptojacking.”

 

ABOUT PRIME TELECOMMUNICATIONS, INC.

For more information on Prime Telecommunications, call (847)329 8600 or visit http://www.primetelecommunications.com.

The Week in Breach June 23 to June 29 2018

 

The Week in Breach

 

It’s no surprise that this week has been busy for cyber-attacks on the web, targeting big events such as the World Cup but also continuing to pursue small-and medium-sized businesses across the globe.

– Google is still leaking!
– Another Dark Web marketplace down in a big win for French authorities.
– Do androids dream of electric… rats? A new malware for Android!
– Going phishing at the World Cup.

In other news… Google has announced that Chromecast and Google Home devices, that are easily scripted to reveal precise location data to the public, will be patched in the coming weeks. Disclosed by a researcher at Tripwire, the simple script running on a website can collect location by revealing a list of internet connections available to the device. Researchers go on to describe how easy it would be to remote into an exposed individual’s device and network.
https://krebsonsecurity.com/2018/06/google-to-fix-location-data-leak-in-google-home-chromecast/

The Dark Web marketplace known as ‘Black Hand’ was shut down by French authorities this week. The marketplace was used to sell drugs, weapons, stolen personal information and banking data, as well as fake documents. The site had over 3,000 users from France and was highly active for selling illicit materials.
https://www.hackread.com/authorities-shut-down-dark-web-marketplace-black-hand/

Researchers have come across a new malware family that takes form as an Android remote administration tool (or RAT). The malware uses the messaging app Telegram both to spread and to operate the RAT. When an attacker gains access to a device, he or she operates it by using Telegram’s bot functionality and can intercept text messages, send text messages, make calls, record audio or screen, and locate the device.
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

With the World Cup in full swing this week, bad actors are taking advantage of the attention on the event and spinning up malicious email campaigns. The idea is that people are less vigilant about clicking emails from unknown sources when related to an event that only occurs every couple of years. Sites selling fake tickets, offering fictitious giveaways and luring unsuspecting induvial to click on malicious links related to the World Cup are popping up all over the place.
 https://www.darkreading.com/attacks-breaches/wallchart-phishing-campaign-exploits-world-cup-watchers/d/d-id/1332080

A network worm called ‘Olympic Destroyer’ that debuted at the 2018 winter Olympics is still doing damage across Europe. Since the Olympics, the group has taken an interest in financial and biochemical organizations and oftentimes uses spear phishing as a way to gain illegal access to systems. The group has so far remained anonymous, using a complex combination of false flags and other deceptive behavior to avoid being revealed.
https://www.darkreading.com/vulnerabilities—threats/olympic-destroyer-reappears-in-attacks-on-europe-russia/d/d-id/1332094


What we’re listening to this week!

Know Tech Talks – Hosted by Barb Paluszkiewicz
The Continuum Podcast
Security Now – Hosted by Steve Gibson, Leo Laporte
Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)
Small Business, Big Marketing – Australia’s #1 Marketing Show!

Indian Government

Exploit: Leaky websites, lack of basic website/ internet security controls.

Risk to Small Business: High: Demonstrates that poor cyber hygiene and complete disregard for basic website/ internet security can be highly damaging.

Risk to Exploited Individuals: High: Sensitive personally identifiable information that can be used for identity theft.

Indian Government: The Republic of India’s government.

Date Occurred/Discovered The government has experienced a wide variety of breaches over a long span of time, but with their websites being audited in May of 2018, their continuing lack of security with such highly sensitive information proves to be a continuing problem.
Date Disclosed June 20, 2018
Data Compromised · Names and phone numbers of those who bought various medicines from state-run pharmacies

Recently but not this week:

· Aadhaar number

· Data collected in ‘Smart Pulse Survey’

· Geolocation of people based on caste/religion

· Geolocation of ambulances, why they were summoned, and the hospital destination

How it was compromised Leaky websites and dashboards allowing anyone to look up HIGHLY sensitive medical and personal information.
Customers Impacted Anyone who has purchased medicine from the state-run pharmacies.
Attribution/Vulnerability Poorly configured database.

http://www.newindianexpress.com/specials/2018/jun/19/in-wake-of-data-leaks-andhra-pradesh-orders-audit-of-all-government-websites-1830571.html

https://www.huffingtonpost.in/2018/06/19/caught-leaking-information-on-people-buying-viagra-from-government-stores-ap-orders-security-audit_a_23463256/

Med Associates

Exploit: Supply Chain/Trusted Vendor Compromise
Compromised Workstation, most likely compromised credentials and a lack of multi-factor authentication.

Risk to Small Business: High: At least 42 physician practices had their customer’s PII compromised. Lack of situational awareness within the supply chain will create significant challenges for the vendors that replied on the claims processing vendor.

Risk to Exploited Individuals: High: This breach has disclosed a massive amount of HIGHLY sensitive personal and health information leaving customers impacted significant risk of identity theft and fraud.

Med Associates: A New York-based claims processing company.

Date Occurred/Discovered March 2018
Date Disclosed June 2018
Data Compromised · Patient names

· Dates of Birth

· Addresses

· Dates of service

· Diagnosis codes

· Procedure codes

· Insurance information, such as insurance ID numbers

How it was compromised Not disclosed, but it was specified that the attack did not involve ransomware or phishing.
Customers Impacted 270,000
Attribution/Vulnerability Still under investigation, but the third party gained remote access to the workstation without phishing or ransomware.

https://www.govinfosecurity.com/hacking-incident-at-billing-vendor-affects-270000-patients-a-11116


Chicago Public Schools

Exploit: Negligence

Risk to Small Business: High: If a breach of this magnitude happened to a small business, it is unlikely it would recover. This kind of negligence causing a breach tarnishes a name to a great degree, but people do not have a choice but to continue using Chicago public schools because it is a government-run program.

Risk to Exploited Individuals: High: Unfortunately, a minor’s personally identifiable information is highly sought after and valuable as its often not monitored.

Chicago Public Schools: School district in the Illinois city of Chicago

Date Occurred/Discovered June 16, 2018
Date Disclosed June 16, 2018
Data Compromised · Children’s names.

· Home phone numbers.

· Cell phone numbers.

· Email addresses.

· School ID numbers

How it was compromised When sending out an email about applications to selective enrollment schools, an employee attached a spreadsheet containing the sensitive data which was then sent out to families in the district. The person who made the critical mistake is going to lose their job according to the superintendent.
Customers Impacted 3,700 students and families
Attribution/Vulnerability Negligence

https://chicago.suntimes.com/news/cps-data-breach-exposes-private-student-data/

An important takeaway from this week is how easy it is to unsuspectingly leak personal information. A study conducted by Positive Technologies found some alarming statistics when researching the vulnerabilities of something that is often overlooked; web applications.

The study uncovered that almost half (48%) of the web applications tested were vulnerable to unauthorized access from a third party, with 17% of the tested applications being so unsecured that full control could be acquired. Every single web app that the study looked had vulnerabilities with just over half of them (52%) being high risk. A little under half (44%) of web apps examined that processed personal data leaked that personal data and 70% of all applications were at risk of leaking critical information to the business. The study found an average of two critical vulnerabilities per web application, and where the researchers had access to the source code of the web app they uncovered high-severity vulnerabilities 100% of the time. The industries used in this study of web applications include: finance, IT, e-commerce, telecom, government, mass media, and manufacturing.

Make sure to consider what web applications you are using in both your professional and personal life, otherwise, your information could end up on the Dark Web.

https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Web-application-vulnerabilities-2018-eng.pdf

https://www.darkreading.com/attacks-breaches/most-websites-and-web-apps-no-match-for-attack-barrage/d/d-id/1332092

 

Surprise! What’s The Country Where All The CEO Fraud Gangs Are?

KnowBe4’s Stu Sjouwerman wrote a really great blog about Business Email Compromise. Once upon a time, about 5 years ago, if you got a letter from a Nigerian prince or some sad story about not being able to transfer funds, that was obviously a scam. You knew, I knew, anybody but the most gullible knew it. Those were referred to as Nigerian 419 scams- 419 is the section of the Nigerian criminal code where this practice is codified as illegal.

Image result for nigerian prince

But times have changed and so have the gangs…

What if your CFO got an email from your COO or your CEO? What if your AP clerk got an email from your CFO- or your Comptroller?

A new study by Agari concludes that, despite all the attention nation-state espionage services have been getting for their phishing attacks, the big threat still comes from criminal gangs.

Here is your quick Executive Summary:

  • 97% of people who answer a Business Email Compromise (aka CEO Fraud) email become victims
  • The average BEC incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
  • 24% of all observed email scam attempts between 2011 and 2018 were BEC even though BEC only started in earnest in 2016

And What’s That Country?

Many of those criminal gangs continue to operate from Nigeria, of the ten gangs engaged in the email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 scam has upgraded big time.

While business email scams are relative newcomers to the world of online crime, becoming popular only as recently as 2016, they’re now the most common kind of attack, accounting for 24% of phishing emails.

Patrick Peterson, Agari’s Executive Chairman said: “The sad irony is that these foreign adversaries are using our own legitimate infrastructure against us in attacks that are far more damaging and much harder to detect than any intrusion or malware.”

BEC, in which the scammer poses as an executive of the business being phished, has the greatest potential for a large, immediate payout. All organizations should make it their policy never to use email to direct fund transfers, and they should train their employees to be aware of this social engineering tactic.

Other scams have similar potential to bankrupt their targets. Real estate brokers, for example, have been targeted with malicious attachments that enable criminals to conduct man-in-the-middle account takeover scams that hit escrow accounts.

Scammers Use A Multi-Step Process

An interesting finding of Agari’s study is the multi-step process many of the scammers use: a probe email is followed by one or more follow-ups that deliver the scammer’s punch.

In the case of business email compromise, a common and effective probe might ask, “Are you at your desk to make a payment?” We have seen that these organized crime groups are starting to automate and script the process of sending these initial probes to their targets.

Interactive training can help a business arm its employees against social engineering. KnowBe4 actually allows you to monitor what an employee who falls for a simulated CEO fraud attack writes back, and automatically step them through immediate remedial training.

Want a free tool to see how vulnerable you are to spoofing? Cut and paste this link to your browser- https://info.knowbe4.com/domain-spoof-test-partner?partnerid=0010c00001wis6gAAA

Which Users Will Cause The Most Damage To Your Network And Are An Active Liability?


by Stu Sjouwerman

The statistic that four percent of employees will click on almost anything, with “Free Coffee” and “Package Delivery” taking some of the top spots among phishbait subject lines, may not sound like much.

However, keep in mind the most successful marketing campaigns only achieve around two percent. With double the response of most marketing initiatives, it’s no wonder that the phishing attacks keep coming.

That statistic comes from Verizon’s 2018 Data Breach Investigations Report. The report showed that the number of phishing emails continues to grow. The victims include government agencies that house some of our most sensitive records. The report also reveals that one quarter of all malware detected was ransomware, and it indicated that 68 percent of breaches go undetected for months.

The answer to fending off phishing campaigns may lie in the same employees who choose to click. Using a type of crowd-sourced security that turns employees into human sensors, could be the answer. One example of this approach is the US Department of Defense Cyber Security/Information Assurance program, where contractors share intelligence with each other and the DOD.

With the right training, employees can learn to recognize phishing attempts and alert others of the impending threat. This type of information gives the IT team an advantage leading to a faster response.

Here are a few steps that can empower your employees to be human sensors using a Phish Alert Button:

– An aware victim can be a good sensor. Encourage employees to ask how reading a suspicious email makes them feel. Rushed, pressured, exploited? Then be wary. Train your employees to recognize how the email makes them feel.

– Build an intelligence network. If you make it easy to report potential threat emails, you’ll build a steady stream of alerts.

– But don’t overuse the “Abuse Box.” Phishing needs to be reported. Flooding an underprepared IT department with messages that need to be checked, may be counterproductive. Make sure the IT department is ready to handle the volume. So build user awareness as you build capacity.

The number of phishing emails can be expected to grow. But with a change in the way your organization perceives and responds to social engineering, users can become your best defense and not your weakest leak. As always, consider interactive, new-school security awareness training. It’s effective and extremely affordable.

GCN has the story, written by Lex Robinson who works at Cofense.

Free Phish Alert Button
When new spear phishing campaigns hit your organization, it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from potential targets and victims into allies and partners in the fight against cybercrime is to roll out KnowBe4’s free Phish Alert Button to your employees’ desktops. Once installed, the Phish Alert Button allows your users on the front lines to sound the alarm when suspicious and potentially dangerous phishing emails slip past the other layers of protection your organization relies on to keep the bad guys at bay.

Don’t like to click on redirected links? Cut & Paste this link in your browser:

https://info.knowbe4.com/free-phish-alert-partner?partnerid=0010c00001wis6gAAA

Our friend, Kevin Lancaster from ID Agent, continues in his weekly posting of the week in breaches and phishing attacks. This is important- not just for enterprises, but also for small and medium sized businesses. Attacks are coming in from all directions- here are some highlights from his post:

Protection from Hacks

Two-factor Authentication Hackable?
Our friends at KnowBe4 show 2 Factor may not be enough in some cases.

Student of The Month in California!
Phish Teacher, Change Grades, Get Felony!  You can’t make this stuff up!

Good on ya Mate, Good on ya!
Crikey! Australians appear to have better password hygiene than the rest of us?


What we’re listening to this week:   

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


Highlights from The Week in Breach

  • Retail Point of Sale Systems (POS) can’t catch a break! can’t get their s*** together.
  • Healthcare insider threat strikes again.
  • Your legal case may have been closed… or deleted.
  • Your personality is revealing and, it may have been revealed.

Chili’s Restaurants
Retail

Small Business Risk: High (Malware/ Forensics, Brand Reputation/ Loyalty)
Exploit: Malware-based Point of Sale Exploit
Risk to Individuals: Moderate (Replacement of Credit/ Debit Cards with limited liability)

What you need to know:  Small business retailers should take the time to educate themselves on POS exploits and how they typically occur. Since most systems do not reside within the traditional network environment, processing systems are most commonly exploited via compromised trusted 3rdparty vendors, common credential stuffing and exploit kits delivered via email.

Chili’s Restaurants

Date Occurred/Discovered March-April 2018 / Discovered 5/11/18
Date Disclosed 5/14/18
Data Compromised Preliminary investigation indicates that malware was used to gather payment card information, including credit and debit card numbers, as well as names of cardholders who made in-restaurant purchases.
How it was Compromised Malware
Customers Impacted Chili’s has not disclosed the restaurants impacted and/or the number of customers impacted.
Attribution/Vulnerability Undisclosed at this time.

http://time.com/money/5276047/chilis-data-breach-2018/

Note: Breaches have huge repercussions, often resulting in customers losing trust in the brands. According to a study from KPMG, 19% percent of consumers said they would stop shopping at a breached retailer, and 33% would take a long-term break.

https://www.sfgate.com/technology/businessinsider/article/Chili-s-restaurants-were-hit-by-a-data-breach-12911248.php

Nuance Communications
Healthcare

Small Business Risk: High (PII Exposure, Brand Damage, Compliance Violation & Fines)
Exploit: Former Employee/ Insider Knowledge Exploit.  System and security control failure
Risk to Individuals: Moderate (Compromised Data Contained and not posted for exploit)

What you need to know:  Coming on the heels of a costly malware outbreak in 2017, it seems that Nuance had the limited ability to detect on-network anomalous behavior. With such a large percentage of its target market comprised of organizations that operate in regulated industries including Healthcare, Nuance should have invested in aggressive insider threat/insider mishap detection.

Organizations operating in regulated markets should take a more aggressive approach to both inside threat detection and threats originating within the supply chain as was demonstrated in this case.

Nuance Communications (speech recognition software)

Date Occurred/Discovered 11/20/17 – 12/9/17
Date Disclosed 5/14/18
Data Compromised Exposed data included names, birth dates, medical record and patient numbers, as well as service details such as patient conditions, assessments, treatments, care plans and dates of service. The incident did not include information such as social security number, driver’s license number or financial account numbers.
How it was Compromised An unauthorized third party, possibly a former Nuance employee, accessed one of its medical transcription platforms, exposing 45,000 individuals’ records.
Customers Impacted Personal information of thousands of individuals from several contracted clients, including the San Francisco Department of Public Health. The Justice Department said that it does not appear that any of the information taken was used or sold for any purpose. All the data has been recovered from the former employee.
Attribution/Vulnerability  Unknown/undisclosed at this time.

Note: News of the data breach follows the company having been hit by the NotPetya malware outbreak in June 2017. Earlier this year, Nuance reported that the outbreak cost it $92 million. “For fiscal year 2017, we estimate that we lost approximately $68 million in revenues, primarily in our healthcare segment, due to the service disruption and the reserves we established for customer refund credits related to the malware incident,” Nuance reported in a Feb. 9 form 10-Q filing to the SEC. “Additionally, we incurred incremental costs of approximately $24 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses.”

The incident is a reminder that Insider breaches remain one of the most difficult kinds of improper access attacks to defend against. There are a variety of tools and methods to monitor which resources an employee accesses, but preventing insiders from stealing data or intellectual property remains challenging.

https://www.bankinfosecurity.com/nuance-communications-breach-affected-45000-patients-a-11002

Mason Law Office
Legal

Small Business Risk: High (Compliance Violation & Fines, Brand/ Reputation Damage)
Exploit: Apparent Credential- based, account take-over exploit
Risk to Individuals: High: Sensitive PII and Legal Information loss and/ or deletion  

What you need to know:  It’s not 100% clear that this was an insider threat-based exploit. Regardless, Mason Law Office suffered an all-too-common account-based takeover compromise.  Legal firms leveraging 3rd party case management systems should take the time to review their security controls and procedure.  They should also conduct a full audit to determine who has access to what data within these 3rd party systems and make the required corrections.

Mason Law Office – Sacramento, CA (mycase.com)

Date Occurred/Discovered Discovered 5/5/18
Date Disclosed 5/14/18
Data Compromised Client data was potentially accessed, client case information was deleted, and other administrative changes were made to the system. Generally, any information uploaded to mycase.com was potentially accessed, and information has been deleted. Information potentially accessed includes client names, social security numbers, driver’s license numbers, phone numbers, email addresses, as well as legally privileged/protected information, including legal documents, case notes, disclosures, financial statements, evidence, photos, invoices, transcripts, trust balances, and attorney-client communications.
How it was Compromised The firm discovered evidence of unauthorized access to mycase.com by an unknown individual or group of individuals. It is unclear how this access was made.
Customers Impacted Clients of Mason Law Firm using mycase.com.
Attribution/Vulnerability Unknown/undisclosed at this time.

https://www.databreaches.net/mason-law-office-notifies-clients-of-hack-involving-mycase-com/

myPersonality app
Information Technology / Lifestyle

Small Business Risk: High (Forensic, Data Loss via GitHub Post, Brand / Reputation Damage, Fines and Damages)

Exploit: Application security misconfiguration resulting in credential-based exploit

Risk to Individuals: High (PII, Psychological Characteristics & Profile,)

What you need to know: The developers of the personality app failed committed several major blunders in this case.

  1. Poor website/application security allowed for easy and unmonitored access to their website and underlying datasets.
  2. They failed to notice that their data set had been sitting out in the open for 4 years.
  3. The data stored within the platform was easily unkeyed and de-anonymized.

myPersonality app

Date Occurred/Discovered Exact dates unknown – 2014 – 2018
Date Disclosed 5/14/18
Data Compromised The data was highly sensitive, revealing personal details of Facebook users, such as the results of psychological tests. The credentials gave access to the “Big Five” personality scores of 3.1 million users. These scores are used in psychology to assess people’s characteristics, such as conscientiousness, agreeableness and neuroticism. The credentials also allowed access to 22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.
How it was Compromised Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years. Each user in the data set was given a unique ID, which tied together data such as their age, gender, location, status updates, results on the personality quiz and more. With that much information, de-anonymizing the data can be done very easily.
Customers Impacted 3 million users of the app
Attribution/Vulnerability Publicly available credentials allowed access to the data. For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute. The publicly available username and password were sitting on the code-sharing website GitHub. They had been passed from a university lecturer to some students for a course project on creating a tool for processing Facebook data. Uploading code to GitHub is very common in computer science as it allows others to reuse parts of your work, but the students included the working login credentials too.

 

https://www.databreaches.net/mypersonality-app-data-leak-exposed-intimate-details-of-3m-users/

https://www.newscientist.com/article/2168713-huge-new-facebook-data-leak-exposed-intimate-details-of-3m-users/

 

The Pillars of Cyber Security Explained

Network Security

The cyber threat landscape changes on a daily basis.  There is no one size fits all solution and there are no magic bullets. It has been said that the price of liberty is eternal vigilance. The same holds true for cyber security. There are four pillars of security- end point protection, perimeter protection, monitoring and end user vigilance.

They say that those who don’t learn from history are doomed to repeat it, and matters of cyber security are no exception. Threats will often follow trends, and so by reviewing what has happened in the past, we may be able to glean some insight into what will be important in the future.

If the first half of 2018 was any indication, there are a few things that will be of most concern to IT professionals and end users. My friend and colleague, Tommy Vaughn from Central Technology Solutions, provided a lot of the inspiration for this post!

Ensure All Endpoints Have Appropriate Security Measures

It’s staggering to consider how many end points any given business could have, each providing a route in for threat actors. Between company-provided devices, personal mobile devices, and Internet of Things devices, there are plenty of opportunities for a company to be attacked.

As a result, as 2018 progresses, businesses must be aware of what threats exist, as well as better prepared to protect themselves against them. This includes strategies that ensure your organization’s digital protections are properly maintained while remaining cognizant of physical security best practices. Pairing encryption and access control, as well as mobile device management, can create a much safer environment for your data.

Cover your 6’s

Your network needs to have not just the firewall appliance – but a comprehensive suite of tools that can help you recognize suspicious behavior. It is more than just a static device. It has to be paired with analytical tools as a service that can give you insight into your network. Additionally, an external firewall or web filtering service can protect you from unseen threats on a multitude of levels. It is not just hardware and software anymore. You need to have the resources available to alert you to threats, cut down the noise from repeated alerts and investigate areas that you should not be in yourself – e.g. the Dark Web.

Get Back to Basics With Security and End User Education – Cyberawareness Training

While it may sometimes be tempting to focus on the massive attacks and breaches that too-often dominate the headlines, no business can afford to devote their full attention to those vulnerabilities and overlook the more common threats. This is primarily because once they do, they become exponentially more vulnerable to these attacks through their lack of awareness and preparation.

Part of being prepared for the threats of the coming weeks and months is to make sure that your employees are also up to speed where security is concerned. Educating them on best practices before enforcing these practices can help to shore up any vulnerabilities you may have and maintain your network security. This includes restricting employee access to certain websites, requiring passwords of appropriate strength, and encouraging your employees to be mindful of exactly what they’re clicking on. A comprehensive program of cyberwareness training- delivered to the employees over the course of a year in small incremental sessions is key. Use controlled mistakes as teachable moments to correct dangerous behavior. Once trained, your employees become your “human firewall”. As they say with shampoo, “rinse and repeat”. Often.

Continuing to Improve Security Measures

Finally, it is important to remember that implementing security features isn’t a one-time activity. Threats will grow and improve in order to overcome existing security measures, and so if they are going to remain effective, these security measures must be improved as well.

While regulatory requirements can provide an idea of what security a network should feature, they shouldn’t be seen as the endpoint. Instead, those requirements should be the bare minimum that you implement, along with additional measures to supplement them.

We are here to help. If you would like to explore the options of a completely managed firewall, DNS filtering, or cyber awareness training- we can assist. First- get a baseline of where your organization is at. We have a suite of FREE tools that can help show you your susceptibility to phishing, spoofing and whether your organization’s credentials are for sale on the Dark Web.  We can also do an onsite security assessment to analyze your network’s vulnerabilities.

For your free tools, please visit:  http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools or give us a call at 847 329 8600.

We are your managed technology solutions professionals and we are here to listen!