January 17, 2018 by nwilliams
In the fall of 2016, a new kind of attack was launched against web-connected devices. A powerful piece of malware called Mirai hacked into and then harnessed the connectivity of thousands of gadgets, creating a botnet capable of launching a Distributed Denial of Service (DDoS) attack against web platforms, shutting down web access in huge portions of the US and Europe for several hours. Just about a year later, a copy-cat named Reaper took what Mirai had done and multiplied it, gathering a botnet army of somewhere around a million devices. That’s a lot of gadgets, ready and waiting to do the unknown--but certainly nefarious--bidding of a hacker. A DDoS attack might, in fact, be the least of our worries--another botnet powerful enough to shut down the web could potentially wreak much more serious havoc on our society.
What makes an attack of this type tricky in a new and unique way is the type of devices it uses to get around and gather horsepower. Unlike viruses that infect PCs or mobile devices—which our security measures are at least somewhat equipped to handle at this point--botnet viruses target any Internet of Things (IoT) devices they can get ahold of. For Mirai, it was Linux devices like routers and IP cameras whose default passwords never got reset. Reaper took things a step further by actively hacking into “a range of consumer and commercial products.” More than anything else, this hack demonstrated the variety of devices that are potentially susceptible to attack. Both of these attacks focused primarily on home and office routers and cameras, but they serve as a startling reminder of all the devices we rarely think of as “hackable” that are, in fact, easy targets. It’s been projected that, by the end of 2018, somewhere in the ballpark of 8 billion devices will be part of the IoT, and very few of these devices are as well-protected as PCs. This leaves a lot of potential targets for the next botnet attack, including any “smart” gadget: app-controlled thermostats, smart locks, even the ubiquitous Amazon Echo. Basically, all the things we use on a daily basis without even thinking.
These devices pose a significant danger at home and at the workplace, and not just because they could be harnessed into a DDoS or similar attack. Consider what information a hacker would be able to access if they breached an IoT device connected to the same network as your PC. Botnets and DDoS attacks aren’t the only risk that IoT devices pose to us—on a smaller but equally destructive scale, hackers can access other data on a network by hacking a poorly protected gadget. This is perhaps even more of a risk at the workplace, where computers are likely to house even more sensitive information than a personal PC. Reaper targeted a million organizations—imagine the kind of information it could have gotten ahold of if its goal had been to access private data through the devices it hacked.
Given that fact, how can we stay secure? How can we ensure that the devices we use--all of them--are safe against outside attack? First of all, be aware of software bugs, and any patches that the manufacturer might offer for them. While few “smart” devices are likely to come with the same caliber of software updates and protections as computers, there are more security implementations available than you might think. Take advantage of them, the same way you would for your PC (and if you’re not updating your PC, that’s an even worse problem).
Something else to keep in mind is this: how many of your “smart” devices are worth the risk? Given that even the best-secured gadget isn’t likely to come close to being as secure as, say, your PC, how many of them do you really want--or need? I would recommend taking an inventory of all devices you own that connect to your network. Some, you can’t do without--like your router. And most routers can be updated regularly. But what about the others? While it might be convenient to turn on your heat from your phone, or for a smart-pod to be able to play your favorite music on-command, is it worth the possibility of a hack? Convenience only comes at a cost. And that cost might just be loss of important data or an internet blackout.
At the end of the day, all progress comes with its own cost/benefit analysis. In many ways, the IoT is making our lives easier and more streamlined. But it’s also making them infinitely riskier and more complicated. Our ancestors’ predictions of artificial intelligence and a world run by robots are not so far off. The IoT is real. It surrounds us. We can limit its hold over our lives, but without retreating to the woods to live as hermits, we’ll never be able to avoid it completely. So, we really only have one option: be smart, and be vigilant. We need to utilize every tool at our disposal, including updates and system checks. We need to educate ourselves about how to keep our systems secure. And we need to stay on top of current threats. As the IoT continues to grow and the risks increase, there’s no greater danger to us than lack of awareness.
Don’t let the threats get ahead of you. Follow the GLS blog here.
January 08, 2018 by nwilliams
A few weeks ago, I received a strange pop-up notification on my iPhone. “Update Your Payment Information,” it requested. And it wouldn’t go away. Eventually, I followed the notification into Settings, where the error message persisted. It appeared that Apple needed new credit card information for an expired card...and it wanted me to hand it over. Covering all my bases, I called my tech-guru dad to ask his advice. Was this legit? As it turns out, one of the credit cards for our shared iTunes account had, in fact, expired, prompting the pop-up. But any request for financial data, no matter how trusted a source it comes from, should be taken with a grain of salt. After all—if cyber events this year have taught us anything, it’s that nothing is so innocent or so seemingly legitimate that it cannot be a phishing scam. Welcome to 2017, folks.
So the Apple notification was legit. But it could easily have been a massive scam to get me to give up my financial information to a bot disguised as a trusted provider. Such are the murky waters we’ve been navigating of late, as new information security disasters have popped up around every turn. Think I’m being overdramatic? I wish I was. But the good news is that, as we enter this new year, we have the perfect opportunity to notice our mistakes and learn from them. What went wrong last year, and how can we ensure that 2018 proceeds differently?
As you’re likely already aware, phishing was a massive problem in 2017. While phishing scams have always lurked behind spam emails and sketchy pop-up ads, recent years have seen them become more and more ubiquitous and mainstream. And they’re finding ever-advancing ways of exploiting trusted companies in order to reach their targets. In May, hackers used real Google Docs invitations-to-edit in order to get victims to grant permission to their account details. Rather than spoofing the Google brand, they actually worked from within, sending out actual invitations but then taking those who clicked to scammy third-party applications. From there, the scammers used the permissions they stole under false pretenses to spam everyone in that user’s contact list, spreading their mayhem and compromising the data of over a million Google users. Something similar happened with Netflix just a few months later: hackers took over the site’s branding, sent emails telling users that they needed to update payment information, then took users to a fake site where they could pilfer any credentials that those users were unlucky enough to give up. And while the Netflix scammers didn’t work from inside the system the way the Google Docs hackers did, the sophistication of the emails they deployed is a testament to the grand heights phishing technology is heading toward. Perhaps now you understand my pause when that notification popped up on my phone.
What really sets these hacks apart—and defines the landscape of phishing threats last year in general—is their realism and sophistication. By now, most computer users who are even remotely savvy can recognize ye olde run-of-the-mill phishing email, with its poor grammar, off-looking branding and sketchy “from” email addresses. But these hacks possessed few if any of those tells. The Netflix phish perfectly mastered the look and feel of a real email from the site it was spoofing, which can only have drastically boosted its success. And the one from Google Docs? Thanks to its cunning maneuvering from inside, that one had no real technical tip-off at all.
If this sophistication defined phishing in 2017, how much more complicated will things get in the coming year? Well, phishing scams will undoubtedly continue to look better and strike us as more legitimate, as hackers continue to experiment and discover what works and what doesn’t. My suspicion is also that we’ll see a rise in phishing attacks that manipulate actual sites in order to do their work. We already watched as this happened with Google, as well as with the trojan malware that manipulated bank email systems in order to distribute itself, and I suspect that that method will become the norm. Hackers no longer have to resort to fake emails—why would they, when they can hack the system and send legitimate ones? This creates additional difficulties for prevention, as these emails bear an unprecedented mark of legitimacy—they actually come from who they claim to come from. Security experts also suspect that attacks on mobile devices will increase this year. Because we spend so much time on our phones, carrying out a wide variety of sometimes private activities, this seems like a realistic prediction. What’s more, we tend to be even more rushed and careless when messing around on our phones, which doesn’t bode well for click rates. But whatever 2018 brings, one thing is clear: hacks in general, with phishes leading the parade, will continue to get bigger and better...that is, until we step up to take them on.
Every time a breach occurs, security experts decry the woeful state of threat prevention, but that gnashing of teeth rarely takes any sort of actual hold. I’ve asked myself more than once what it will take for organizations to realize what’s at stake, and that protecting it is—are you ready?—worth it. In fact, it’s not only worth it, it’s even relatively simple. When it comes to phishing, there is one major variable at play—us. Humans. The individuals who may or may not become accidentally responsible for the theft of not only their data but the data of millions of others. And how do you prevent humans from making dumb, dangerous mistakes? As it turns out, we figured this out a long time ago: you teach them. You figure out the best way to reach and appeal to and truly affect your audience, and then you teach them. In-depth security awareness training is the piece of the puzzle still missing from even the most high-tech security programs. And it’s far and away the most crucial. If I can venture an outlandish supposition, it might just be what could save us in 2018.
As scams continue to get more frequent and more sophisticated, the only user populace that will be able to stand up to and combat them is an educated one. When phishing emails were few and far between and looked like they were written by a monkey, your average computer user might have been able to spot and avoid them. But now? They are too many and too good for us to slide by on a wing and a prayer. What we need now is in-depth phishing awareness training programs that not only teach users what to look for in a phishing email, but actually simulate real phishing emails in order to test their knowledge in the real world. These kinds of tools are gaining momentum across the marketplace, but in order to make a real dent in phishing rates, we have to actually utilize them. And beyond that, we need to work hard at cultivating a culture where phishing—and the training that will mitigate it—is taken seriously.
Even if phishing scams make great advances in 2018, even if every single one masterfully spoofs a legitimate, trusted website in order to hack every device we hold dear, they will never, ever be airtight. There will always be ways of attenuating risk and protecting ourselves and our information from hackers. But we need to equip ourselves with the tools and information necessary to do that. Sure—advances in hacking engineering could define 2018. Or, we could take matters into our own hands, and turn 2018 into the year that breach rates go down, that fewer phishing emails get clicked on, that fewer organizations and individuals suffer devastating losses at the hand of an infected link. It’s time to put 2017 behind us and make a new start.
December 01, 2017 by nwilliams
Holidays have gotten a lot more convenient than they used to be. Gone are the days when we had to rush the mall on Black Friday, loading our down-jacketed arms with bags and boxes, rushing to snag the last WalkMan from the shelf at RadioShack. Now, we can do our shopping from the comfort of our desk chairs, our beds, the line for Eggnog lattes at the coffee shop. Holiday shopping is a lot easier than it used to be—but it’s also a lot less safe. We might feel secure, sitting all alone in our PJs shopping for vintage records online, but we could actually be moments away from falling victim to the latest phish.
As you might already be aware, phishing has earned its place as one of the most popular scams of 2017. From the Google Docs phish to the recent banking trojans infiltrating systems via spam emails, phishing emails have been both frequent and effective. Not only do they keep popping up, we keep clicking on them—creating a vicious cycle in which hackers continue to move through phishing attacks because we continue to fall for them. Unfortunately, this cycle only gets worse around the holidays. According to data from Kaspersky Labs, phishing attacks increase during the holiday season, as web traffic spikes and more transactions take place online. The hustle and bustle of the holiday season makes a phishing email promising a killer deal—only a convenient click away—all the more enticing. It’s no wonder that more infected links get clicked this time of year than any other.
But the fact that the trend is understandable doesn’t make it any less dangerous. Clicking on infected links or pop-ups can put your personal data and financial information at risk, and perhaps even jeopardize your identity. And because scammers have become increasingly skilled at covering their tracks, you may not even realize you’ve been compromised until it’s too late. Rather than having a restful and stress-free holiday, you could be looking at a nightmarish scramble to track down unusual expenses, cancel credit cards, and perhaps even re-establish your stolen identity. And all because of something as seemingly inconsequential as clicking a link in an email.
But this can all be avoided with a little bit of phishing awareness. Being on the lookout for these kinds of scams and knowing how to deal with them significantly lowers your risk of being phished. Here’s what you need to know:
- Think before you click. If you receive an email offering a deal or asking you to follow a link to shop, STOP. Even if it appears to be coming from a legitimate vendor, take a minute to stop and take a closer look.
- Know the warning signs of a scam email. Is the sender’s email address a little bit off (think waalmart.com or targett-deals.net)? Does the email contain spelling or grammar mistakes, or odd syntax? And remember: just because an email contains the logos and colors of a particular brand does NOT mean that it is legitimate.
- When in doubt, go straight to a vendor’s known URL to check on the legitimacy of a deal. If SweaterDeals promises 75% off all sweaters, and asks you to click through to see the merchandise, delete the email, go to your web browser, and type in sweaterdeals.com yourself to confirm the deal.
- Remember that if a deal seems too good to be true, it probably is: if an email promises you a flatscreen TV 90% off if you click a link, then the resulting malware might just be what you get for being so gullible.
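The “sender’s address a little bit off” warning sign above can be checked mechanically as well as by eye. The Python below is an added example written for this page, not code from the GLS post: it flags sender addresses whose registrable domain is a near miss of a known brand, including the waalmart.com and targett-deals.net patterns from the list. The brand list, the digit-swap table and the sample senders are constructed for the example.

```python
# Added example, not from the GLS post: flag sender addresses whose domain
# is a near miss of a known brand (waalmart.com, targett-deals.net), the
# warning sign the checklist above describes. Brand list and senders below
# are constructed for this example, not real mail data.
import re
from typing import Iterable, Optional

# Constructed brand list; a real filter would load this from configuration.
KNOWN_BRANDS = {"walmart", "target", "amazon", "bestbuy", "netflix"}

# Digit-for-letter swaps often used in typo-squatted names (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'deals.waalmart.com' -> 'waalmart'. Assumes a single-label public
    suffix (.com, .net); suffixes like .co.uk would need a suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(sender: str, brands: Iterable[str] = KNOWN_BRANDS,
                    max_distance: int = 2) -> Optional[str]:
    """Return the brand a sender's domain imitates, or None if the domain is
    either the brand's own or nothing like any known brand.

    The whole label and each hyphen/underscore-separated token are compared,
    so 'targett-deals.net' is caught through its 'targett' token; digits are
    normalised first so 'netf1ix.com' is caught too."""
    domain = sender.rsplit("@", 1)[-1]
    label = registrable_label(domain)
    if label in brands:
        return None  # the genuine domain, e.g. walmart.com
    tokens = {label, *re.split(r"[-_]", label)}
    best_brand, best_d = None, max_distance + 1
    for brand in sorted(brands):
        for tok in tokens:
            if len(tok) < 4:
                continue  # very short tokens match too many brands by chance
            d = levenshtein(tok.translate(HOMOGLYPHS), brand)
            if d < best_d:
                best_brand, best_d = brand, d
    return best_brand


def triage(senders: Iterable[str]) -> dict:
    """Map each sender to the brand it imitates (None when it looks clean)."""
    return {s: lookalike_brand(s) for s in senders}


if __name__ == "__main__":
    # Constructed sample senders, two of them taken from the checklist above.
    samples = ["promo@waalmart.com", "offers@targett-deals.net",
               "alerts@netf1ix.com", "deals@walmart.com", "hello@example.org"]
    for sender, brand in triage(samples).items():
        verdict = f"looks like {brand}" if brand else "no brand match"
        print(f"{sender:28s} {verdict}")
```

A hit from this check is a reason to stop and type the vendor’s real URL yourself, as the list advises; a clean result is not proof the mail is safe, since a genuine domain can still be abused, as the Google Docs case shows.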
Above all else, remember the golden rule of web safety: better safe than sorry. Nothing is worth loss of financial data or identity. Nothing. If an email seems at all off, delete it. There are enough legitimately good deals on the internet--we don’t need to mess with the sketchy ones.
Lastly, keep in mind that safe security practices don’t begin and end with holiday shopping, nor do web scams begin and end with phishing emails. Unfortunately, there are thousands of hackers out there using various sophisticated methods to steal money, data, and identities on a daily basis. Almost anything on the web can be manipulated to hurt you. The surest way to avoid getting scammed or cheated is to stay informed: keep track of the latest hacks (follow the GLS blog to get our take on new scams as they unfold), and stay educated about how to secure yourself and your systems against new breaches.
November 13, 2017 by The GLS Team
Just a few days ago, iOS 11.1 fell victim to numerous hacks. The responsible party? Security researchers at Pwn2Own, a hacking competition in which groups of industry experts are given the opportunity to try and infiltrate different devices. The event gives competitors the opportunity to show off their skills in order to win prizes, and allows vendors valuable insight into vulnerabilities in their devices.
In the case of 11.1, a group called Keen Labs exploited a handful of WiFi vulnerabilities in iOS to install a “rogue application.” One of the vulnerabilities—it hasn’t been revealed which one—was used the next day, by a different competitor, to hack 11.1 again. Apparently Apple has some glitches to work on. But iOS 11.1 was nowhere close to the only victim at Pwn2Own: 11 successful attacks were leveled against multiple devices. In fact, only the Google Pixel emerged un-hacked.
And what does Pwn2Own serve to tell us about the security of our mobile devices? Zuk Avraham, the founder of mobile security company Zimperium Inc., says that the takeaway is this: “phones are totally insecure.” According to Avraham, just because a phone is brand new or recently updated does not mean that it is protected against attack. As Keen Labs demonstrated at Pwn2Own, even the newest update of Apple’s iOS possesses several vulnerabilities that leave it open to being hacked. And even once those vulnerabilities are patched, who’s to say that more aren’t lurking just out of sight? After all: even before Keen Labs’ WiFi exploit, Apple had already patched for a different WiFi flaw exploited by KRACK.
The answer? First of all, we need to start recognizing that mobile security, and the security of our phones’ operating systems, is an important facet of cyber safety. PCs are not the only victims; and while our phones may seem like a less likely or a less important target, that’s simply not the case. Hackers can get the same kinds of personal data by hacking our cell phones as they can by hacking our computers or laptops. Keen Labs’ infiltration of 11.1 may have been done as part of a competition, but it still could have done real damage. As Forbes explains, the exploit Keen ran installed actual malware on an iPhone 7, which it then could have used to gather information from the device. Given the fact that our devices hold untold amounts of data and information about us—including banking apps that carry our credit card information and account details—this is no small matter. And, as the success of competitors at Pwn2Own 2017 demonstrates, our devices may possess vulnerabilities that make them not only worthwhile to target, but also easy to target.
Once we’ve realized that, the next step is to work toward better security for our devices. Forbes suggests that keeping our devices updated is key: “[Users] should update to the latest operating system, even if it won't protect them from the weaknesses exposed at Pwn2Own. Apple patched a slew of weaknesses with iOS 11.1…” Even if updates aren’t 100% secure, they’re almost always more secure than earlier versions. Users can also take many of the same precautions with their phones that they would with their computer. Be wary when connecting to WiFi networks—as Keen Labs demonstrated, hackers can use those networks to gain access to devices...so watch which ones you choose to join. Additionally, protecting against phishing scams—especially voice and SMS phishing—is just as important on your mobile device as on your computer. Don’t open emails or texts that look suspicious. Don’t answer a phone call from a number you don’t recognize, and if you do, never give away personal information—even if the caller impersonates a legitimate party. A helpful tip to remember is that an actual representative from your wireless provider, your insurance company, or your bank would never solicit personal data over the phone.
The biggest threat of all isn’t a WiFi vulnerability or a brilliant hacker—it’s ignorance. Our phones may never be 100% secure, but being aware of the security risks they pose and how to deal with those risks is half the battle. To learn more about how to protect your phone and your data against hackers, ask for a demo of one of our Best Practices Modules on mobile security. Follow our blog to stay up-to-date with the latest hacks and strategies for preventing them. And don’t hesitate to touch base with one of our Solutions Architects about a training plan that will keep you and your employees secure against mobile security threats.
November 08, 2017 by The GLS Team
We’re all familiar with the usual phishing schtick: a suspect email containing an embedded link just begging to be clicked. In May of this year, the Google Docs hackers put a new twist on the scam by infiltrating Google and sending document requests to users from recognized contacts. And now, the document scam has struck again.
KeyBoy, a Chinese hacker group that has previously targeted only eastern countries, has now gone to work on American servers, hacking computers using fake Microsoft Word documents. The scam works this way: the user receives an email containing a Word document called “Q4 Work Plan.” Once opened, the document claims to require updating—running that instruction in turn runs a fake DLL payload, which installs a dropper on the hacked server. Once the system has been infected, the “spy malware” goes to work taking screenshots, browsing and downloading files, and generally collecting information about the server. Ultimately, it can use this information to steal from, and even shut down, the target system. And because the virus’ path into the system is so well-disguised, it’s difficult for even the most seasoned IT experts to recognize the infection. Which means that the virus can be covertly lodged in the server until it decides to make its big move.
But far worse than what KeyBoy actually achieves is the potential motive behind the campaign. Security researchers are now calling the virus an act of “economic espionage,” enacted on American corporations by data-seeking Chinese hackers. KeyBoy first came into the spotlight a few years ago, when it targeted systems in Taiwan and Hong Kong. But those would only have been acts of “domestic surveillance,” not espionage against a foreign country.
Of course, KeyBoy’s tie to the Chinese government has not been confirmed. But the possibility brings to light an important issue. As the twenty-first century progresses and our daily activities—both the mundane and the big-picture—happen more and more within the cybersphere, warfare itself takes on a new shape. Cyber espionage is not the exception, some odd one-off in which a hostile country targets our systems in order to target our citizens. It must be the new norm. Nuclear warfare has, and always will, devastate countries. But gathering information from servers across our country, not to mention infiltrating and infecting them to the extent of actually being able to shut them down one by one, also has the terrifying potential to bring us to our knees.
While this might not be a turn we expected cyber security awareness to take, the reality of our current situation is that protecting our systems and building up our knowledge of cyber threats could easily have implications not just for personal or corporate security, but for homeland security. KeyBoy isn’t messing around. So why are we? What do the stakes have to be before we finally realize that clicking on a Word document that we weren’t expecting, that perhaps even comes from an unknown sender, is a recipe for disaster?
As organizations prioritize their programs and efforts, cyber security training must start taking center field. It’s not just another box to check on the way to compliance. Putting users through anti-phishing training, teaching them what warning signs to look for and what best practices to follow when dealing with potentially infected emails, could prevent not just a mild IT inconvenience, but a massive security breach with implications for our nation’s security. “Think before you click” has never been more crucial. Don’t leave yourself open to any risks, big or small: you never know what a system breach could mean or what a hacker could be using it to achieve. Cover your bases and strengthen your organization by instituting regular anti-phishing training and refresher courses, and by making discussions about cyber security a core facet of your workplace culture. GLS provides customized training plans that emphasize anti-phishing, as well as informative and engaging communication materials like posters and newsletters. Together, we can help forge a culture of awareness and robust cyber security practices that will be able to stand up against any attack. And the first step is incredibly simple.
Contact us today.