November 13, 2017 by The GLS Team
Just a few days ago, iOS 11.1 fell victim to numerous hacks. The responsible party? Security researchers at Pwn2Own, a hacking competition in which groups of industry experts are given the opportunity to try to infiltrate different devices. The event gives competitors the opportunity to show off their skills in order to win prizes, and gives vendors valuable insight into vulnerabilities in their devices.
In the case of 11.1, a group called Keen Labs exploited a handful of WiFi vulnerabilities in iOS to install a “rogue application.” One of those vulnerabilities—it hasn’t been revealed which one—was used the next day, by a different competitor, to hack 11.1 again. Apparently Apple has some glitches to work on. But iOS 11.1 was nowhere close to the only victim at Pwn2Own: 11 successful attacks were leveled against multiple devices. In fact, only the Google Pixel emerged un-hacked.
So what does Pwn2Own tell us about the security of our mobile devices? Zuk Avraham, the founder of mobile security company Zimperium Inc., says that the takeaway is this: “phones are totally insecure.” According to Avraham, just because a phone is brand new or recently updated does not mean that it is protected against attack. As Keen Labs demonstrated at Pwn2Own, even the newest update of Apple’s iOS has several vulnerabilities that leave it open to being hacked. And even once those vulnerabilities are patched, who’s to say that more aren’t lurking just out of sight? After all, even before Keen Labs’ WiFi exploit, Apple had already patched a different WiFi flaw, the one exploited by the KRACK attack.
The answer? First of all, we need to start recognizing that mobile security, and the security of our phones’ operating systems, is an important facet of cyber safety. PCs are not the only victims; and while our phones may seem like a less likely or a less important target, that’s simply not the case. Hackers can get the same kinds of personal data by hacking our cell phones as they can by hacking our computers or laptops. Keen Labs’ infiltration of 11.1 may have been done as part of a competition, but it still could have done real damage. As Forbes explains, the exploit Keen ran installed actual malware on an iPhone 7, which it then could have used to gather information from the device. Given that our devices hold untold amounts of data and information about us—including banking apps that carry our credit card information and account details—this is no small matter. And, as the success of competitors at Pwn2Own 2017 demonstrates, our devices may have vulnerabilities that make them not only worthwhile to target, but also easy to target.
Once we’ve realized that, the next step is to work toward better security for our devices. Forbes suggests that keeping our devices updated is key: “[Users] should update to the latest operating system, even if it won't protect them from the weaknesses exposed at Pwn2Own. Apple patched a slew of weaknesses with iOS 11.1…” Even if updates aren’t 100% secure, they’re almost always more secure than earlier versions. Users can also take many of the same precautions with their phones that they would with their computers. Be wary when connecting to WiFi networks—as Keen Labs demonstrated, hackers can use those networks to gain access to devices—so watch which ones you choose to join. Additionally, protecting against phishing scams—especially voice and SMS phishing—is just as important on your mobile device as on your computer. Don’t open emails or texts that look suspicious. Don’t answer a phone call from a number you don’t recognize, and if you do, never give away personal information—even if the caller impersonates a legitimate party. A helpful tip to remember is that an actual representative from your wireless provider, your insurance company, or your bank would never solicit personal data over the phone.
The biggest threat of all isn’t a WiFi vulnerability or a brilliant hacker—it’s ignorance. Our phones may never be 100% secure, but being aware of the security risks they pose and how to deal with those risks is half the battle. To learn more about how to protect your phone and your data against hackers, ask for a demo of one of our Best Practices Modules on mobile security. Follow our blog to stay up-to-date with the latest hacks and strategies for preventing them. And don’t hesitate to touch base with one of our Solutions Architects about a training plan that will keep you and your employees secure against mobile security threats.
November 08, 2017 by The GLS Team
We’re all familiar with the usual phishing schtick: a suspect email containing an embedded link just begging to be clicked. In May of this year, the Google Docs hackers put a new twist on the scam by infiltrating Google and sending document requests to users from recognized contacts. And now, the document scam has struck again.
KeyBoy, a Chinese hacker group that has previously targeted only eastern countries, has now gone to work on American servers, hacking computers using fake Microsoft Word documents. The scam works this way: the user receives an email containing a Word document called “Q4 Work Plan.” Once opened, the document claims to require updating; running that instruction in turn runs a fake DLL payload, which installs a dropper on the hacked server. Once the system has been infected, the “spy malware” goes to work taking screenshots, browsing and downloading files, and generally collecting information about the server. Ultimately, it can use this information to steal from, and even shut down, the target system. And because the virus’ path into the system is so well-disguised, it’s difficult for even the most seasoned IT experts to recognize the infection. That means the virus can stay covertly lodged in the server until it decides to make its big move.
But far worse than what KeyBoy actually achieves is the potential motive behind the campaign. Security researchers are now calling the virus an act of “economic espionage,” enacted on American corporations by data-seeking Chinese hackers. KeyBoy first came into the spotlight a few years ago, when it targeted systems in Taiwan and Hong Kong. But those would only have been acts of “domestic surveillance,” not espionage against a foreign country.
Of course, KeyBoy’s tie to the Chinese government has not been confirmed. But the possibility brings to light an important issue. As the twenty-first century progresses and our daily activities—both the mundane and the big-picture—happen more and more within the cybersphere, warfare itself takes on a new shape. Cyber espionage is not the exception, some odd one-off in which a hostile country targets our systems in order to target our citizens. It must be the new norm. Nuclear warfare has devastated, and always will devastate, countries. But gathering information from servers across our country, not to mention infiltrating and infecting them to the extent of actually being able to shut them down one by one, also has the terrifying potential to bring us to our knees.
While this might not be a turn we expected cyber security awareness to take, the reality of our current situation is that protecting our systems and building up our knowledge of cyber threats could easily have implications not just for personal or corporate security, but for homeland security. KeyBoy isn’t messing around. So why are we? What do the stakes have to be before we finally realize that clicking on a Word document that we weren’t expecting, that perhaps even comes from an unknown sender, is a recipe for disaster?
As organizations prioritize their programs and efforts, cyber security training must start taking center stage. It’s not just another box to check on the way to compliance. Putting users through anti-phishing training, teaching them what warning signs to look for and what best practices to follow when dealing with potentially infected emails, could prevent not just a mild IT inconvenience, but a massive security breach with implications for our nation’s security. “Think before you click” has never been more crucial. Don’t leave yourself open to any risks, big or small: you never know what a system breach could mean or what a hacker could be using it to achieve. Cover your bases and strengthen your organization by instituting regular anti-phishing training and refresher courses, and by making discussions about cyber security a core facet of your workplace culture. GLS provides customized training plans that emphasize anti-phishing, as well as informative and engaging communication materials like posters and newsletters. Together, we can help forge a culture of awareness and robust cyber security practices that will be able to stand up against any attack. And the first step is incredibly simple.
Contact us today.
November 06, 2017 by The GLS Team
Susan, a bank employee, sits down at her computer and logs into her bank’s system. She’s going about her work, moving from screen to screen, perhaps checking customers’ account information. Susan is accessing information that perhaps only she is supposed to have access to. As far as she knows, her server is secure. So is her clients’ data.
Little does Susan know, someone is looking over her shoulder—so to speak. Because of a little malware dropper that has embedded itself in her server, screenshots of the system, of private screens, of her customers’ most sensitive financial information, are being transmitted to a hacker. He will then use that information to remotely rob her bank. Susan has no idea.
This is “Silence,” a new malware targeting financial institutions across the globe. The virus gains access to bank servers by way of sophisticated spear-phishing emails: once bank employees click the link embedded in the email and enter their banking site, the “Trojan” malware enters with them. From there, it probes the server for information which it then transmits back to the hackers. And that’s not all—it can use its access to the bank’s server to send more spear-phishing emails, thus spreading the malware to as many employees as possible. Silence has already targeted 10 institutions, primarily in Russia, and continues to expand. American banks haven’t been targeted yet, but it’s only a matter of time until Silence—or perhaps a copycat—turns its attention to the United States.
Financial security threats are continually evolving. The biggest issue facing banks used to be physical security and robbery prevention, but now that so much data is dealt with online, the focus is shifting away from brick and mortar and toward web infrastructure. Where secure tills and safes used to be the highest priority, system and email security now occupy the top spot. And the stakes are getting higher and higher: even the best bank robber only has access to some amount of the physical cash on the premises of any given bank. A virus like Silence, on the other hand, can infiltrate the system of an entire institution, eventually gaining access to the financial data of perhaps thousands of customers. One link clicked by one user in one phishing email can have catastrophic consequences.
Which raises the question: what can financial institutions do to prevent these sorts of occurrences? Well, first things first: Trojan malware hacks like this one start with a phishing email. Specifically, a spear phish: this type of social engineering scam claims to be from a trusted party, like a coworker or a friend. Spear phishing tends to be incredibly effective, because it pretends to come from a verified source. This makes it harder to spot as phishing, and thus increases the likelihood that an individual—a bank employee, for instance—will not only open the email, but also use less discrimination when clicking embedded links.
Because spear phishing is so sophisticated, education in how to spot it is even more critical. Almost anyone knows a phony email from a Nigerian prince when they see it; realizing that an email apparently from your supervisor is actually coming from a malware virus is a different story. There is an entire subset of security awareness that specifically covers spear-phishing scams and best practices for recognizing and dealing with them. Of course, no one thinks they need this sort of training until they become a victim—but by then it’s too late. Prevention is key: especially in high-profile organizations that are likely to be the targets of more sophisticated scams, users need to be educated and tested in every aspect not just of social engineering avoidance, but of overall system security.
Which brings us to the second piece of this scam: once the virus enters the system initially, it camps out on the server and goes to work downloading more payloads and transmitting data to the hackers. While the situation appears to be more complicated than the virus merely taking advantage of weak or compromised systems, overall system security does play into it. As Business Standard recommends, “[Eliminating] security holes altogether, including those involving improper system configurations or errors in proprietary applications,” would keep organizations safer against these sorts of breaches. So would using threat detection services to spot the breaches before they get advanced enough to cause massive damage. Additionally, “strict email processing rules” would help cut off threats like Silence right from the start, by identifying and halting phishing emails before they can wreak havoc.
All these measures are reasonable and doable, especially with the help of security experts like the ones at GLS. We understand the current threat landscape. We also have the expertise necessary to create tailored and scalable training solutions to help keep your organization secure, at both the individual and organizational level. If these scams concern you—and they should—ask for a consultation. Strong security starts with education, and our team is committed to offering the most comprehensive and effective security training in the market. Contact us today.
November 02, 2017 by The GLS Team
Following on the heels of ransomware attacks Petya and WannaCry earlier this year, a new malware has thrown its hat in the ring: Bad Rabbit. Disguised as an Adobe Flash installer, Bad Rabbit tricks users into clicking and then goes to work, downloading itself onto servers and taking users’ information hostage.
But unlike most ransomware schemes, Bad Rabbit does not automatically download itself as soon as it is encountered on a site—it’s completely dependent on the user actually clicking. Yet the malware is still spreading with ease. As a general rule, internet users are click-happy—rarely do we actually stop and think critically about what we’re clicking before we do it.
To be fair, the situation is not as simple as it may seem: Adobe installers are fairly common fare on media sites like the ones Bad Rabbit targets. The virus is so effective partly because it appears to be legitimate. But in this day and age, any link or popup on any website ought to make us stop and think twice. Is this an overly defensive posture to take? The numbers would seem to say no: ransomware threats in particular have seen a dramatic rise this year. According to Barkly Endpoint Protection, there were 4.3x as many new ransomware variants in the first quarter of 2017 as there were in the first quarter of 2016. What this means is that ransomware threats are essentially lurking around every corner of the web, which should make us even more wary of clicking any link, no matter how legitimate it might appear. Any positive outcome that could come from clicking a link anywhere online is far outweighed by the potential risks.
Bad Rabbit uniquely serves to illustrate the necessity of cyber education. According to Infosecurity Magazine, “It’s crucial that organizations understand the bigger role employees play in securing company’s [sic] systems and data and start training them to recognize when something online looks suspicious.” Scams like Bad Rabbit are preventable, but only if users have received the security education necessary to spot them. What Infosecurity is getting at is the maintenance of a strong Human Firewall™ made up of individuals who understand the risks of ransomware and other phishing scams and have been armed against them. What’s more, this cyber education must understand and teach that phishing doesn’t just look like easy-to-spot scam emails with phony addresses and bad grammar. Phishing can also take the form of seemingly legitimate embedded links that trick users into clicking them. All of us—from low-level employees to CEOs to ordinary users on home PCs—need to be able to spot each and every scam.
GLS can help. We offer focused courses that zero in on specific threats to prepare users for every possible scam. Our goal is to create a Human Firewall™ of users who know the dangers, who know to Think Before You Click, and who are therefore properly prepared to stand up to the threats currently facing the cyber world. And when that happens, Bad Rabbit won’t stand a chance.
October 30, 2017 by The GLS Team
What would happen if a virus got ahold of so many Internet of Things (IoT) devices that it had the power to potentially launch an attack against the entire web? Well, this appears to be just the question the world is facing, as the massive virus “Reaper” takes hold.
The numbers are shocking: since it was first spotted by researchers three weeks ago, Reaper has infected over a million devices. CheckPoint has revealed that a staggering 60% of the global networks it monitors have been compromised. If those numbers continue to grow, we could be looking at a massive breach.
And let’s face it, that growth seems more than likely, because of the way in which Reaper works to infect devices. It’s called a botnet for a reason: it detects weaknesses in IoT devices—particularly WiFi routers and webcams—and injects malware into them, which can then spread to other internet-connected devices. Essentially, Reaper is a web hack growing exponentially—day by day, device by device.
But perhaps the scariest part is the question we still can’t answer: what does the hacker plan on actually doing with the infected devices, and when will he do it? Once part of the botnet, the gadgets essentially belong to the hacker, giving him the power to harness their collective bandwidth as he pleases. The running theory, according to Wired and others, is that he will use the devices to overload servers with traffic and launch a Distributed Denial of Service (DDoS) attack. When the botnet Mirai did something similar in 2016, it pulled several providers off the web entirely, including The New York Times, Reddit, and Spotify. Reaper is proving to be much larger and more powerful than Mirai, which raises the question: when the hacker finally decides to release his droids into the cybersphere, what might happen?
The possibilities are frightening. Massive portions of the internet crashing is, in reality, one of the best case scenarios. With control over a million devices across countless servers, a deranged hacker could do a lot worse with Reaper than to create merely inconvenient web outages. Suddenly, device security is brought into much sharper focus: we’re not just looking at breached personal information or even the occasional stolen identity. We’re looking at a rapidly growing army of “zombie slave devices” capable of, well, almost anything. Talk about an AI nightmare.
Given this situation, what can we do about it? Thankfully, there are a few practical measures we can take to help stop the spread of the botnet, if not to restore already hacked devices. Security experts recommend resetting all IoT devices—especially routers and webcams—to factory settings, including resetting their passwords. Additionally, consumers need to make sure that they’re applying security patches as soon as those patches are released. These measures will leave individual devices less susceptible to getting hacked.
But, in the long run, it will take more. At the risk of beating a dead horse, security awareness—from simple avoidance of social engineering scams and credit card data breaches to learning how to protect physical devices that could, quite literally, be turned against us—is a continual and holistic process. A few knowledgeable individuals resetting default passwords on their routers will never be effective against a botnet if the other 6.9 billion people on the planet are not taking similar measures. Additionally, if the big players—the organizations that create the routers and patch the weaknesses in the first place—are not willing to take on the responsibility that comes with their position in the industry, we really won’t stand a chance. Reaper has found an easy target in a weak Human Firewall™.
But that doesn’t mean there’s no cause for hope. As each breach occurs, I think we open our eyes a little bit more to reality. Maybe a massive botnet taking our devices hostage is what it takes for us to actually wake up and see the writing on the wall. And while the efforts of a few individuals or a few companies won’t be enough to prevent the attacks altogether, they are a step in the right direction. Educating employees in network security and other cyber best practices may feel like too little, too late, but this could not be farther from the truth. We are rebuilding a razed Human Firewall™ brick by brick, showing peers and competitors alike how it’s done. And eventually, finding a worthy opponent, Reaper will take his scythe and go home. But there’s only one way to get to that point...
Contact us to get started building your solution!