
Cyber-crime has become one of the greatest threats to businesses, government institutions, and individuals, as hackers are constantly finding new targets and advanced tools to break through cyber defenses. As technology improves, new vulnerabilities are discovered and new obstacles challenge security professionals.

The past year brought a number of devastating, high-impact cyber-attacks. 2017 was marked by claims that the US election had been hacked, by ransomware outbreaks all over the world, and of course by the Equifax breach.

Unfortunately, as challenging as it is today, cyber-security threats will likely get worse in the future, as attacks get more sophisticated. As the years pass, the global security threat outlook keeps on developing. In order to fight this threat, all business entities must understand and learn how to cope with these global cyber threats.

In 2018, these cyber threats are expected to grow at a constant rate, as more complex challenges continue to surface, and cyber criminals keep coming up with new ways of attacking secure IT systems. The following are some of the biggest internet security threats that can impact the operations of IT-powered organizations in the year 2018.

Ransomware

Over the past 12 months we saw a huge number of ransomware attacks. Ransomware is a relatively simple form of malware that gets past defenses and locks computer files with strong encryption; the attackers then demand money in exchange for the key needed to unlock the data. Quite often, especially when the encrypted data hasn’t been backed up, victims pay. That has made ransomware popular with criminal hackers, who now usually demand payment in cryptocurrencies, which are harder to trace than conventional bank transfers.

Google, Amazon, IBM and the other big cloud operators employ large security teams to protect themselves from such attacks. Smaller companies usually cannot afford that, which makes them more vulnerable: for a small local business, even a single breach can be a big payday for the attackers. To keep your computer from being held hostage, avoid clicking on unknown links, keep security software up to date, and back everything up to a drive that is disconnected when not in use, because ransomware will also encrypt any backup volume it can reach.

Attacks on Cryptocurrencies

According to the latest research, there are currently 1,324 cryptocurrencies in total, and that number is expected to grow. The rapid rise in the value of some of them has drawn thieves into large-scale criminal activity against virtual currency schemes. As more people mine cryptocurrencies on their computers, cybercriminals will mount more attacks designed to steal coins from users, using malware to drain funds from victims’ computers or to plant hidden mining tools on their machines.

Threats to IoT (Internet of Things)

As the value of real-time data collection grows, individuals and businesses are deploying more IoT devices every day. Unlike traditional computers, these devices are rarely well protected and give their owners little control, which makes them easy to hack; protecting them is therefore important and will remain so in 2018. Millions of connected devices have little or no defense against attackers who want to take control of them and use them as a foothold into a network or a path to valuable data. Attacks powered by compromised IoT devices have become a major concern for the IT security industry, which is why IoT vendors are putting more time and effort into securing their devices.

Source: This article was published on alleywatch.com by VIVENNE CARDENASS


Let’s talk seriously about industrial cybersecurity: What you don’t know can hurt you.

Industrial cyber security is all over the news, and not in a good way. Our most vital industries – including power, water, nuclear, oil and gas, chemical, food and beverage, and critical manufacturing – are under attack. The gravity of the situation became clear when the FBI and the Department of Homeland Security went public in October about existing, persistent threats. Virtually or not, bad actors are among us.

Unlike physical attacks, cyber attacks are nonstop. Cyber hackers have graduated from simple mischief and denial-of-service attacks to ransomware, theft of competitive information, interception or altering of communications, the shutdown of industrial processes, and even knowledge manipulation through the news and social networks (it’s bigger than just politics). Who knows what’s next?

Digitalization and connectivity are heightening cyber risk, though they are foundational to the Internet of Things (IoT), cloud computing, Big Data analytics, and artificial intelligence. Breaching a single connected operational technology (OT) device or system puts everything on the network at risk.

Low-security and small networks provide easy access for bad actors, whether they’re traditional hackers, black-hat hackers making money on the dark web, nation-states, or malicious insiders. Human error and negligence also are cyber risks.

To establish and sustain cybersecurity and restore the confidence of the public, greater awareness of threats and ownership of risks are imperative. In addition to mastering basic security measures, the industry needs to detect and respond to attacks with persistence and resilience. Trust is not a strategy.

Fortunately, industrial software, technology, equipment, and service providers are fast ramping up their defenses, and dozens of new cybersecurity technology and services firms are offering to help. Consultants, legislators, regulators, and standards bodies also have prominent roles, but it is the end users, ultimately, who must put the cybersecurity puzzle together.

Here, several industry and cyber professionals weigh in about industrial producers’ cybersecurity risks and responsibilities and offer their actionable recommendations.

How bad is the problem?

When companies are surveyed about their top business risk, the answer increasingly is cybersecurity, says Alan Berman, president and CEO of the not-for-profit Disaster Recovery International Foundation (DRIF). The IoT – now a $3 trillion to $6 trillion industry – is opening new doors to cyber hackers. An estimated 50 billion connected devices (handhelds, sensors, etc.) are in use already.

Speaking at the Society of Maintenance and Reliability Professionals (SMRP) 2017 Conference, Berman noted that cyber hacking has matured to become a sophisticated industry seeking to penetrate devices and systems through the weakest link in the chain, with the goal of profitability. “It is a business and we have to deal with it as a business,” he explains.

The weakest link could be a vending machine in the plant, Berman says. “Once hackers get on the network, they can get into everything,” he says. “When that happens, it could be months before the breach is discovered. What looks like a malfunction could actually be a hack.”

Until there’s awareness within the maintenance organization of the security risks associated with adding or replacing a connected device, the number of cyberattacks an organization sees will continue to rise, says Howard Penrose, president of MotorDoc.

Penrose has easily uncovered industrial cybersecurity gaps using Shodan.io, a search engine for finding internet-connected devices. In one case, “We found numerous points of access to different IoT devices using (the organization’s) default passwords, including links to the documents with those passwords,” he says. “In another case, an OEM had installed software on wind generation systems that allowed them to be turned on or off with a smartphone app.”

Most people equate cybersecurity to the network or IT, but the things that go “boom” in the night are on the industrial control system (ICS) side, says Joe Weiss, managing partner at Applied Control Solutions. “Not enough people are looking at this,” he says.

Weiss has been compiling a nonpublic ICS cyber-incident database that he says already contains more than 1,000 actual incidents, representing about $50 billion in direct costs. Each new entry serves as a learning aid or reminder; often they’re logged in his cybersecurity blog.

“People worry about the IT/OT divide, but the real divide is what comes before and after the Ethernet packet,” suggests Weiss. “Before the packet is where the Level 0,1 devices live (sensors, actuators, drives), and that’s where cybersecurity and authentication are lacking.”

As managing director of ISA99, Weiss recently helped start a new working group for Industrial Automation and Control System Security standards to address the cybersecurity of Level 0,1 devices.

Fear or fight?

Digitalization adds significant value despite the cyber risk. “Don’t fear connectivity – the benefits are too great,” says Eddie Habibi, founder and CEO of PAS Global. On the other hand, he cautions, the threat of cyber attack is imminent and proven; critical systems are vulnerable; and “every minute, day, or month that you put off securing your systems, they remain at risk.”

Malicious code can sit dormant on a network for months or years before it suddenly activates, explains Habibi. The consequences can be significant to safety, production, the company’s reputation, insurance costs, and even the cost of borrowing for organizations that are not considered secure. “It’s beyond the theft of data; it’s now hitting the bottom line,” he adds.

While OT operators face all of the cybersecurity risks common in IT environments, many of the tools used to mitigate those risks are not available for OT networks, observes Chris Grove, director of industrial security at Indegy. He notes the following crucial distinctions:

  1. OT networks are not designed from the ground up with security in mind, meaning that industrial controllers are not typically protected with authentication, encryption, authorization, or other standard security mechanisms.
  2. A successful cyber attack on an OT network could have safety, financial, and environmental implications.
  3. It is much more difficult to monitor OT networks than it is to monitor IT networks because of the lack of monitoring tools, the proprietary protocols in use, and network isolation.

With the right tools, such as those developed for OT asset discovery and for tracking of user activity and changes to operational code, operators can identify risky configurations, malware, human errors, and insider attacks.
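The two passages above make the point that industrial controllers accept commands without authentication, and that the practical answer is to watch the traffic for writes that should not be happening. The following is an added example of that passive approach, written for this page rather than taken from Indegy or any vendor product: it parses Modbus/TCP frames (the MBAP header and function code, per the public Modbus specification), ignores routine reads, and raises an alert when a write comes from a host that is not an authorized engineering workstation, targets a unit ID that should not exist, or is malformed. The captured packets, IP addresses and unit IDs are constructed for the example.

```python
import struct
from ipaddress import ip_address

# Modbus function codes that change controller state; values from the Modbus application protocol spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

def parse_mbap(frame):
    """Split a Modbus/TCP ADU into (transaction id, unit id, function code, PDU data).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2, counts the
    unit id plus the PDU), unit id (1). Inconsistent frames are reported as malformed
    rather than silently skipped; a monitor that drops odd frames is what an attacker wants.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(frame)}")
    return transaction_id, unit_id, frame[7], frame[8:]

def audit_modbus(packets, engineering_hosts, known_units):
    """Passively review captured requests and return alerts for writes that violate policy.

    packets: iterable of (src_ip, dst_ip, frame_bytes) for traffic towards the PLCs.
    engineering_hosts: the only addresses allowed to issue write requests.
    known_units: Modbus unit ids that are supposed to exist behind those PLCs.
    """
    allowed = {ip_address(h) for h in engineering_hosts}
    alerts = []
    for src, dst, frame in packets:
        try:
            tid, unit, function, data = parse_mbap(frame)
        except ValueError as exc:
            alerts.append({"kind": "malformed", "src": src, "dst": dst, "detail": str(exc)})
            continue
        if function not in WRITE_FUNCTIONS:
            continue  # reads are routine polling; a fuller monitor would baseline those as well
        # each write PDU begins with a 16-bit address (for 0x17 it is the read range's start)
        address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
        record = {"src": src, "dst": dst, "unit": unit, "tid": tid,
                  "function": WRITE_FUNCTIONS[function], "address": address}
        if ip_address(src) not in allowed:
            alerts.append({"kind": "write_from_unexpected_host", **record})
        if unit not in known_units:
            alerts.append({"kind": "write_to_unknown_unit", **record})
    return alerts

# Constructed capture: the PLC at 10.1.2.5 is written to by the engineering workstation
# 10.1.1.10, polled by the HMI 10.1.1.20, then poked from an address that should never write.
# Each hex string is a raw Modbus/TCP ADU (MBAP header + PDU).
ENGINEERING_HOSTS = ["10.1.1.10"]
KNOWN_UNITS = {1}
SAMPLE_PACKETS = [
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("000100000006010600100001")),        # write register 0x10 := 1 (normal)
    ("10.1.1.20", "10.1.2.5", bytes.fromhex("00020000000601030000000A")),        # read 10 holding registers (normal)
    ("10.1.3.77", "10.1.2.5", bytes.fromhex("00030000000601050003FF00")),        # coil 3 ON, from a host that never writes
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("00040000000909100000000102002A")),  # write to unit 9, which should not exist
    ("10.1.1.10", "10.1.2.5", bytes.fromhex("000500000020010300000001")),        # length field disagrees with frame size
]

if __name__ == "__main__":
    for alert in audit_modbus(SAMPLE_PACKETS, ENGINEERING_HOSTS, KNOWN_UNITS):
        print(alert)
```

In a real deployment the packets would come from a SPAN port or network tap rather than a list, and the allow-list would be generated from the asset inventory the later sections of the article insist on; the policy logic stays the same. Note that the monitor can only tell you a write happened, not whether the engineering workstation itself was the thing that was compromised, which is why the article pairs monitoring with change tracking.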

“Security is not a static thing,” cautions Dr. Allan Friedman, director of cybersecurity initiatives at National Telecommunications and Information Administration (NTIA) in the U.S. Commerce Department. “It needs to be adaptive, resilient, and scalable.” He continues: “For example, don’t assume that an air-gapped system (unplugged from any network infrastructure) will stay that way. Improperly trained personnel may establish new connections, or the USB drive used for a software update may carry an infection.”

Security by design and necessity

Trust is the new currency; more regulations are coming; and cybersecurity is not optional, because we are moving to digital at the speed of light. Dr. Ilya Kabanov, global director of application security and compliance for Schneider Electric, made these three points at the ASIS 2017 international security conference.

Kabanov urges OEMs to embed privacy and security in the products themselves. “It is not security vs. innovation; security requires innovation,” he explains.

Richard Witucki, the cyber security solutions architect at Schneider Electric, agrees. “Since security by obscurity is no longer a viable option, it is incumbent upon manufacturers such as Schneider Electric to embed cyber security directly into their products,” he says. “By doing this, we enable the end users to take a much more defense-in-depth approach.”

Schneider Electric’s approach includes actively training its development teams and engineers in secure development life-cycle programs, incorporating established security controls into its products, and conducting exhaustive internal and external testing. The ISA99/IEC 62443 set of standards was chosen because it addresses cybersecurity at several levels, including the products, the systems, and the development life cycle of the products and solutions.

“We all rely on products that control our critical infrastructure to perform as expected,” Witucki says. “Ironically, because these systems are so reliable (e.g., PLCs controlling a seldom-used diesel generator for 20 years), they have now become a vulnerability within the shifting threat landscape.”

Predictive maintenance (PdM) system and service providers are also tackling cybersecurity. Paul Berberian, the condition monitoring specialist at GTI Predictive Technology, has heard customer comments ranging from “It is not an issue” and “Nothing in the plant is connected to the outside world,” to concerns about internal secrets being vulnerable through an internet connection.

“Maintenance and reliability departments want to use PdM technology, but some don’t want to fight the battle internally with IT,” explains Berberian. “In my opinion, the concern for most of these companies is that hackers will be able to find a way into their plant network through the PdM data portal.”

To mitigate this risk, GTI serves its portal over HTTPS with TLS (SSL) certificates, requires encrypted usernames and passwords for access, and encrypts the data it stores.

Operational security technology partnerships are also forming. “Manufacturers and utilities want a single, accountable provider with a reputation like Siemens’ rather than a dozen suppliers,” says PAS Global’s Habibi.

The Siemens-PAS partnership looks to help companies that are struggling to establish adequate cybersecurity regimens. The PAS Cyber Integrity analytic detection engine identifies and tracks cyber assets, enabling fleetwide, real-time monitoring of control systems. Forensic and analytics technologists at the Siemens Cyber Security Operations Center apply their expertise to this information so they can dig deeper and provide a more robust response to potential threats.

“There is a 100% probability that any company will suffer from a cyber attack, and these attacks travel with lightning speed – how resilient will your response be?” asks Leo Simonovich, vice president and global head of industrial cyber security at Siemens.

What should you do right now?

First, master the basics: access controls, backup and recovery, software updates and patching, network segmentation, system hardening, and malware prevention on endpoints. Consider using a search engine like Shodan.io to quickly gauge your exposure: search for the address ranges your organization owns and see which devices and services are visible from the internet.
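Penrose’s Shodan findings earlier in the article (internet-reachable IoT devices, default passwords) and the recommendation above both come down to the same exercise: look at what is exposed in your own address space and rank it. The code below is an added example for this page, not GTI’s, Indegy’s or Shodan’s own tooling. It builds a search string scoped to your own netblocks (Shodan’s `net:` and `port:` filters; the assumption that a comma-separated port list is accepted should be checked against the filter reference), then triages results shaped like Shodan host-search matches (the `ip_str`, `port`, `transport`, `product` and `data` fields, as I recall them; verify against the API documentation). The results, the 203.0.113.0/24 netblock and the banners are constructed, and records outside your own ranges are deliberately ignored.

```python
import json
from ipaddress import ip_address, ip_network

# Standard ports of common industrial protocols (IANA assignments / vendor documentation).
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}
# Plaintext management services that have no business facing the internet.
LEGACY_ADMIN_PORTS = {21: "FTP", 23: "Telnet", 161: "SNMP"}
# Banner fragments hinting that a web console is still on factory settings (heuristic; tune to your fleet).
DEFAULT_CRED_HINTS = ("default password", "admin/admin", "password: admin")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

def build_query(own_networks, ports=None):
    """Search string that keeps the lookup inside your own address space.

    net: and port: are Shodan filters; a comma-separated port list is assumed to be
    accepted (check the filter reference for your account type).
    """
    ports = ports or sorted({**ICS_PORTS, **LEGACY_ADMIN_PORTS})
    return " ".join(f"net:{n}" for n in own_networks) + " port:" + ",".join(str(p) for p in ports)

def classify(record):
    """Return (severity, reason) pairs for one service record; an empty list means nothing of note."""
    reasons = []
    port = record["port"]
    banner = record.get("data", "").lower()
    if port in ICS_PORTS:
        reasons.append(("critical", f"{ICS_PORTS[port]} reachable from the internet"))
    if any(hint in banner for hint in DEFAULT_CRED_HINTS):
        reasons.append(("high", "banner suggests factory-default credentials"))
    if port in LEGACY_ADMIN_PORTS:
        reasons.append(("medium", f"plaintext {LEGACY_ADMIN_PORTS[port]} management exposed"))
    return reasons

def triage(results, own_networks):
    """Rank exposed services, worst first, ignoring anything outside the given netblocks."""
    nets = [ip_network(n) for n in own_networks]
    findings = []
    for rec in results:
        addr = ip_address(rec["ip_str"])
        if not any(addr in net for net in nets):
            continue  # only assess systems you are responsible for
        reasons = classify(rec)
        if not reasons:
            continue
        worst = min((sev for sev, _ in reasons), key=SEVERITY_RANK.__getitem__)
        findings.append({"ip": rec["ip_str"], "port": rec["port"], "product": rec.get("product", ""),
                         "severity": worst, "reasons": [why for _, why in reasons]})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"], f["port"]))
    return findings

# Constructed results in the shape of Shodan host-search matches; 203.0.113.0/24 (a documentation
# range) stands in for the plant's public addresses, 198.51.100.7 for somebody else's.
OWN_NETWORKS = ["203.0.113.0/24"]
SAMPLE_RESULTS = json.loads("""[
 {"ip_str": "203.0.113.10", "port": 502, "transport": "tcp", "product": "Modbus", "data": "Unit ID: 1\\nSlave ID: Acme PLC-200"},
 {"ip_str": "203.0.113.11", "port": 80, "transport": "tcp", "product": "GoAhead-Webs", "data": "HTTP/1.1 200 OK\\n<title>VFD-2000 Web Console</title> Default password: admin"},
 {"ip_str": "203.0.113.12", "port": 23, "transport": "tcp", "product": "", "data": "Welcome to BACnet gateway\\r\\nlogin: "},
 {"ip_str": "203.0.113.20", "port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK"},
 {"ip_str": "198.51.100.7", "port": 502, "transport": "tcp", "product": "Modbus", "data": "Unit ID: 1"}
]""")

if __name__ == "__main__":
    print(build_query(OWN_NETWORKS))
    for finding in triage(SAMPLE_RESULTS, OWN_NETWORKS):
        print(finding["severity"], finding["ip"], finding["port"], "; ".join(finding["reasons"]))
```

Two practical notes: a hit on port 502 or 102 is critical regardless of what the banner says, because those protocols have no authentication to fall back on; and a result that is absent from Shodan is not proof of absence, since the index lags and not every port is scanned, so treat this as a first pass before your own authorized scan of the same ranges.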

Cybersecurity should be treated like lean manufacturing and Six Sigma initiatives; it should be a continuous process reviewed and assessed on a regular basis, says Schneider Electric’s Witucki. “It is not a goal, but a journey,” he says.

He suggests selecting a cybersecurity standard appropriate to your industry and organization and then focusing attention where it is needed most with a gap analysis or risk assessment. This starts with an inventory of all computer-based assets (hardware, software, etc.). “When you consider some of this equipment may have been operating for 20 years inside an enclosure, you start to understand why this may be difficult,” adds Witucki.

GTI’s Berberian urges both industrial solution providers and end users to establish a strategy and a security protocol that suppliers must meet. “A strategy that everyone understands, other than ‘We will never use the cloud,’ is most helpful,” he says.

To secure complete operating environments, companies must begin by addressing the fundamentals: discovery, prioritization, monitoring, and protection of their assets, advises Siemens’ Simonovich. He also advocates that company leaders consider addressing OT cybersecurity as one of their core responsibilities. This requires ownership, a strategy that looks at the challenge holistically, and strategic partnerships with best-of-breed companies.

NTIA’s Friedman suggests the following when acquiring new equipment or devices:

  1. Ask questions regarding security: What are the risks, and how can they be mitigated?
  2. Employ basic security hygiene: Use strong passwords and security credentials; apply patches promptly; employ network segmentation; and “know what’s under the hood” (e.g., which operating system is used).
  3. Partner with other sectors and organizations on design principles: Your problems probably aren’t unique, and others may have developed useful security solutions.

Make sure that default passwords are changed, especially on variable-frequency drives, energy monitoring devices and other connected systems, adds MotorDoc’s Penrose. Also, never let a vendor bypass security to connect to the network. “We once found that a USB WiFi card had been installed on a secure network so a vendor could access the system remotely, eliminating the isolation of the critical system's network,” he says. He adds that if the IT staff are capable, they should be performing device vulnerability analyses.

Indegy’s Grove says that while active, passive, and hybrid ICS security monitoring approaches all have advantages, a hybrid approach is likely to provide the best value for most organizations because it “gives organizations total visibility into their OT network and environment.”

Applied Control Solutions’ Weiss reminds us that it isn’t always clear what is or isn’t a cyber event, and SCADA is not a fail-safe for identifying potential cyberattacks; by design, in some cases it may not detect critical malfunctions. Weiss suggests getting involved in the new ISA99 working group and sharing your ICS cyber incidents with him.

Finally, and perhaps of most importance, cautions Schneider Electric’s Kabanov, everyone from executives to end users must decide whether cyber protections make sense. If they don’t believe they do, they’ll work around them.

Much more needs to be done to protect the critical industrial sector. The bad actors already are planning their next move. What’s yours?

Source: This article was published on plantservices.com by Sheila Kennedy


IoT is coming, and a lot of IT execs are scared silly. Or maybe it’s more accurate to say they are resigned to their fates.

In a May study of 553 IT decision makers, 78% said they thought it was at least somewhat likely that their businesses would suffer data loss or theft enabled by IoT devices. Some 72% said the speed at which IoT is advancing makes it harder to keep up with evolving security requirements.

Such fears are rooted in reality. Last October, hackers took down the company that controls much of the Internet’s domain name system infrastructure using some 100,000 “malicious endpoints” from IoT devices. More recently, the WannaCry ransomware attack crippled some Bank of China ATM networks and washing machine networks. For naysayers, those attacks validated fears that hackers could cause mayhem by commandeering our IoT devices.

At the same time, the IoT industry continues its steady growth path. Gartner predicts that by 2020 there will be some 21 billion IoT devices in existence, up from 5 billion in 2015. About 8 billion of those devices will be industrial, not consumer devices. Both present a juicy target for hackers.

For some, it seems like IoT is a slow-motion wreck playing out in real time. “The reason that the industry hasn’t backed off is the value proposition is very powerful,” said Chris Moyer, CTO and VP of cybersecurity at DXC. “The risk proposition is also very powerful and that’s where the balancing is going on.”

Regardless of the industry’s appetite, IoT isn’t likely to scale until the industry addresses its security problem. That will take cooperation among vendors, government intervention, and standardization. In 2017, none of those things appears to be on the horizon.

What’s wrong with IoT security

The consensus is that IoT is still under-secured and presents potentially catastrophic risks as companies come to rely on IoT devices for business, operational and safety decisions. Adequate standards are not in place, and vendors are still struggling to embed the right level of intelligence and management into their products. Add the increasing collaboration among attackers, and these challenges need to be addressed along several dimensions.

Consider what we face with the security of IoT devices:

  • Unlike PCs or smartphones, IoT devices are generally short on processing power and memory. That means that they lack robust security solutions and encryption protocols that would protect them from threats.
  • Because such devices are connected to the Internet, they will encounter threats daily. And search engines for IoT devices exist that offer hackers an entrée into webcams, routers and security systems.
  • Security was never contemplated in the design or development stages for many of these Internet-connected devices.
  • It’s not just the devices themselves that lack security capability; many of the networks and protocols that connect them don’t have a robust end-to-end encryption mechanism.
  • Many IoT devices require manual intervention to be upgraded while others can’t be upgraded at all. “Some of these devices were built very rapidly with limited design thinking beyond Iteration 1 and they’re not update-able,” said Moyer.
  • IoT devices are a “weak link” that allows hackers to infiltrate an IT system. This is especially true if the devices are linked to the overall network.
  • Many IoT devices have default passwords that hackers can look up online. The Mirai distributed denial-of-service attack was possible because of this very fact.
  • The devices may have “backdoors” that provide openings for hackers.
  • The cost of security for a device may negate its financial value. “When you have a 2-cent component, when you put a dollar’s worth of security on top of it, you’ve just broken the business model,” said Beau Woods, an IoT security expert.
  • The devices also produce a huge amount of data. “It’s not just 21 billion devices you have to work with,” said Kieran McCorry, director of technology programs at DXC. “It’s all the data generated from 21 billion devices. There are huge amounts of data that are almost orders of magnitude more than the number of devices that are out there producing that data. It’s a massive data-crunching problem.”

Taking such shortcomings into account, businesses can protect themselves to a certain extent by following best practices for IoT security. But if compliance isn’t 100% (which it won’t be) then, inevitably, attacks will occur and the industry will lose faith in IoT. That’s why security standards are imperative.

Who will set the standards?

Various government agencies already regulate some IoT devices. For instance, the FAA regulates drones and the National Highway Traffic Safety Administration regulates autonomous vehicles. The Department of Homeland Security is getting involved with IoT-based smart cities initiatives. The FDA also has oversight of IoT medical devices.

At the moment though, no government agency oversees the IoT used in smart factories or consumer-focused IoT devices for smart homes. In 2015, the Federal Trade Commission issued a report on IoT that included advice on best practices. In early 2017, the FTC also issued a “challenge” to the public to create a “tool that would address security vulnerabilities caused by out-of-date software in IoT devices” and offered a $25,000 prize for the winner.

Moyer said that while the government will regulate some aspects of IoT, he believes that only the industry can create a standard. He envisions two pathways to such a standard: either buyers will push for one and refuse to purchase products that don’t support it, or one or two dominant players will set a de facto standard through their market share. “I don’t think it’s going to happen that way,” Moyer said, noting that no such player exists.

Instead of one or two standards, the industry has several right now and none appears to be edging toward dominance. Those include vendor-based standards and ones put forth by the IoT Security Foundation, the IEEE, the Trusted Computing Group, the IoT World Alliance and the Industrial Internet Consortium Security Working Group. All of those bodies are working on standards, protocols and best practices for securing IoT environments.

Ultimately what will change the market is buyers, who will begin demanding standards, Moyer said. “Standards get set for lots of reasons,” Moyer said. “Some are regulatory but a lot is because buyers say it’s important to me.”

Lacking standards, Woods sees several paths to improve IoT security. One is transparency in business models. “If you’re buying 1,000 fleet vehicles, one might be able to do over-the-air updates and the other we’d have to replace manually and it would take seven months,” Woods said. “It’s a different risk calculus.”

Another solution is to require manufacturers to assume liability for their devices. Woods said that’s currently the case for hardware devices, but it is often unclear who assumes liability for software malfunctions.

AI to the rescue?

A wildcard in this scenario is artificial intelligence. Proponents argue that machine learning can spot general usage patterns and alert the system when abnormalities occur. Bitdefender, for instance, looks at cloud server data from all endpoints and uses machine learning to identify abnormal or malicious behavior. Just as a credit card’s system might flag a $1,000 splurge in a foreign country as suspicious, a ML system might identify unusual behavior from a sensor or smart device. Because IoT devices are limited in function, it should be relatively easy to spot such abnormalities.
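The credit-card analogy above is easy to make concrete for a device that does one thing. The following is an added example written for this page, not Bitdefender’s or any vendor’s detection logic: it learns a baseline for a single temperature sensor from its first readings (median and median absolute deviation of the values, median reporting interval, the set of hosts it talks to) and then flags three kinds of departure: a reading that cannot be physically plausible, a sudden burst of reports (what a device drafted into a botnet or stuck in a loop looks like), and a new destination. The telemetry, the addresses and the planted anomalies are constructed; the robust z-score is the usual 0.6745 · |x − median| / MAD.

```python
import statistics

BASELINE_WINDOW = 20  # samples used to learn what "normal" looks like for this one device

def learn_baseline(samples):
    """Robust summary of a device's normal behaviour: typical value, spread, cadence, peers."""
    values = [value for _, value, _ in samples]
    intervals = [later - earlier for (earlier, _, _), (later, _, _) in zip(samples, samples[1:])]
    median = statistics.median(values)
    # median absolute deviation resists the outliers that a mean/stddev baseline would absorb;
    # a perfectly flat signal would give MAD 0, so fall back to a small scale instead of dividing by zero
    mad = statistics.median(abs(value - median) for value in values) or 0.1
    return {
        "median": median,
        "mad": mad,
        "interval": statistics.median(intervals),
        "destinations": {dest for _, _, dest in samples},
    }

def detect_anomalies(samples, window=BASELINE_WINDOW, z_threshold=5.0):
    """Flag readings that break the learned baseline. Returns (index, kind, detail) tuples."""
    base = learn_baseline(samples[:window])
    alerts = []
    for i in range(window, len(samples)):
        t, value, dest = samples[i]
        gap = t - samples[i - 1][0]
        # 0.6745 * |x - median| / MAD is the usual robust stand-in for a z-score
        z = 0.6745 * abs(value - base["median"]) / base["mad"]
        if z > z_threshold:
            alerts.append((i, "value_out_of_range", f"{value} at robust z={z:.0f}"))
        if gap < base["interval"] / 4:
            alerts.append((i, "report_rate_spike", f"{gap}s between reports, baseline {base['interval']}s"))
        if dest not in base["destinations"]:
            alerts.append((i, "new_destination", dest))
    return alerts

# Constructed telemetry: (seconds since start, reading in degrees C, host the reading was sent to).
# The first 20 samples are the learning window; the tail contains three planted anomalies.
BASELINE_VALUES = [20.0, 20.1, 19.9, 20.0, 20.2, 19.8, 20.0, 20.1, 19.9, 20.0,
                   20.0, 20.1, 19.9, 20.0, 20.2, 19.8, 20.0, 20.1, 19.9, 20.0]
SAMPLES = [(60 * i, v, "10.0.0.5") for i, v in enumerate(BASELINE_VALUES)]
SAMPLES += [
    (1200, 20.1, "10.0.0.5"),
    (1260, 20.0, "10.0.0.5"),
    (1320, 85.0, "10.0.0.5"),      # planted: a jump no room sensor makes in one minute
    (1380, 20.0, "10.0.0.5"),
    (1385, 20.0, "10.0.0.5"),      # planted: reports 5 s apart instead of every 60 s
    (1440, 20.1, "198.51.100.9"),  # planted: talks to a host it has never reported to
]

if __name__ == "__main__":
    for index, kind, detail in detect_anomalies(SAMPLES):
        print(index, kind, detail)
```

The point of the median/MAD choice is the one the article hints at: with a device this predictable, a crude statistic is enough, and it cannot be poisoned by a single wild reading the way a mean and standard deviation can. In production the baseline would be re-learned on a rolling window and the thresholds tuned per device class, and, as the next paragraph says, the alerts would go to a person rather than triggering an automatic shutdown.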

Since the use of machine learning for security is still new, defenders of this approach advocate using a security system that includes human intervention.

The real solution: A combination of everything

While AI may play a bigger role in IoT security than initially thought, a comprehensive IoT solution will include a bit of everything, including government regulation, standards, and AI.

The industry is capable of creating such a solution, but the catch is that it needs to do it on a very accelerated timetable. At the moment, in the race between IoT security and IoT adoption, the latter is winning.

So what can companies do now to latch on to IoT without making security compromises? Moyer had a few suggestions:

  1. Take an integration approach. This is a case where more is better. Moyer said that companies using IoT should integrate management solutions and bring the IoT platform in for primary connectivity and data movement and pull that data into an analytics environment that’s more sophisticated and lets them do a behavioral analysis, which can be automated. “By integrating those components, you can be more confident that what you’ve got from a feed in an IoT environment is more statistically valid,” he said.
  2. Pick the right IoT devices. Those are devices that have a super-strong ecosystem and a set of partners that are being open about how they’re sharing information.
  3. Use IoT Gateways and Edge Devices. To mitigate against an overall lack of security, many companies are using IoT gateways and edge devices to segregate and provide layers of protection between insecure devices and the Internet.
  4. Get involved in creating standards. On a macro level, the best thing you can do to ensure IoT security over the long run is to get involved in setting standards both in your particular industry and in tech as a whole.

This article was produced by WIRED Brand Lab for DXC Technology.


A comprehensive guide for choosing and setting up secure Wi-Fi.

Your router, that box sitting in a corner of your house giving you internet access, is in many ways more important than your laptop or mobile phone. It might not store any of your personal information directly, but sensitive data passes through it every time you access various online services and can be stolen or manipulated if the router is hacked.

A compromised router can also serve as a platform for attacking other devices on your local networks, such as your phone or laptop, or for launching denial-of-service attacks against internet websites. This can get your IP address blacklisted and can slow down your internet speed.

Because it's exposed directly to the outside world, your router is frequently targeted by automated scans, probes, and exploits, even if you don't see those attacks. And compared to your laptop or phone, your router doesn't have an antivirus program or other security software to protect it.

Unfortunately, most routers are black boxes and users have little control over their software and configurations, especially when it comes to devices supplied by internet service providers to their customers. That said, there are certain actions that users can take to considerably decrease the likelihood of their routers falling victim to automated attacks.

Many of those actions are quite basic, but others require a bit of technical knowledge and some understanding of networking concepts. For less technical users, it might simply be easier to buy a security-focused router with automatic updates such as the Eero, Google OnHub, Norton Core, Bitdefender Box, or F-Secure Sense. The downside is that those routers are expensive, some require annual subscriptions for certain services, and their level of customization is very limited. Ultimately, their users need to trust the vendors to do the right thing.

If you don’t want to get one of those, or already have a router, follow along for a detailed, step-by-step guide on how to secure it.

Choosing a router

If you prefer a cheaper router or modem that you can tweak to your needs, avoid getting one from your ISP. Those devices are typically manufactured in bulk by companies in China and elsewhere and they come with customized firmware that the ISPs might not fully control. This means that security issues can take a very long time to fix and in some cases, they never get patched.

Some ISPs force users to use gateway devices they supply because they come pre-configured for remote assistance and there have been many cases when those remote management features have been poorly implemented, leaving devices open to hacking. Furthermore, users cannot disable remote access because they're often not given full administrative control over such devices.

Whether users can be forced to use a particular modem or router by their ISP varies from country to country. In the US, regulations by the Federal Communications Commission (FCC) are supposed to prevent this, but it can still happen. There are also more subtle device lock-ins where ISPs allow users to install their own devices, but certain services like VoIP will not work without an ISP-supplied device.

If your internet provider doesn't allow you to bring your own device onto its network, at least ask if their device can be configured in bridge mode and if you can install your own router behind it. Bridge mode disables routing functionality in favor of your own device. Also, ask if your ISP's device is remotely managed and if you can opt out and disable that service.

The market for home and small office routers is very diverse so choosing the right router will depend on budget, the space that needs to be covered by its wireless signal, the type of internet connection you have, and other desired features like USB ports for attached storage, etc. However, once you get your list down to a few candidates, it's important to choose a device from a manufacturer that takes security seriously.

Research the company’s security track record: How did it handle vulnerabilities being discovered in its products in the past? How quickly did it release patches? Does it have a dedicated contact for handling security reports? Does it have a vulnerability disclosure policy or does it run a bug bounty program? Use Google to search for terms like “[vendor name] router vulnerability” or “[vendor name] router exploit” and read past reports from security researchers about how they interacted with those companies. Look at the disclosure timelines in those reports to see how fast the companies developed and released patches after being notified of a vulnerability.

It's also important to determine, if possible, how long a device will continue to receive firmware updates after you buy it. With product life cycles becoming shorter and shorter across the industry, you might end up buying a product released two years ago that will reach end-of-support in one year or in several months. And that's not something you want with a router.

Unfortunately, router vendors rarely publish this information on their websites, so obtaining it might involve calling or emailing the company’s support department in your respective country, as there are region-specific device models or hardware revisions with different support periods. You can also look at the firmware update history of the router you intend to buy or of a router from the manufacturer’s same line of products, to get an idea of what update frequency you can expect from the company.

Choose a device that can also run open-source community-maintained firmware like OpenWrt/LEDE because it's always good to have options and these third-party projects excel at providing support for older devices that manufacturers no longer update. You can check the device support lists of such firmware projects (OpenWrt, LEDE, DD-WRT, AdvancedTomato, Asuswrt-Merlin) to inform your buying decision.

Once you have a router, it's time to change a few important settings. Start by reading the manual to find out how to connect to the device and access its administration interface. This is usually done from a computer through a web browser.

Change the default admin password

Never leave your router with the default administrator password as this is one of the most common reasons for compromises. Attackers use botnets to scan the entire internet for exposed routers and try to authenticate with publicly known default credentials or with weak and easy-to-guess passwords. Choose a strong password and, if given the option, also change the username of the default administrative account.

Last year, a botnet called Mirai enslaved over 250,000 routers, IP cameras, and other Internet-of-Things devices by connecting to them over Telnet and SSH with default or weak administrative credentials. The botnet was then used to launch some of the largest DDoS attacks ever recorded. More recently, a Mirai clone infected over 100,000 DSL modems in Argentina and other countries.

Secure the administrative interface

Many routers allow users to expose the admin interface to the internet for remote administration and some older devices even have it configured this way by default. This is a very bad idea even if the admin password is changed because many of the vulnerabilities found in routers are located in their web-based management interfaces.

If you need remote administration for your router, read up on how to set up a virtual private network (VPN) server to securely connect into your local network from the internet and then perform management tasks through that connection. Your router might even have the option to act as a VPN server, but unless you understand how to configure VPNs, turning on that feature might be risky and could expose your network to additional attacks.

It's also a common misconception that if a router's administrative interface is not exposed to the internet, the device is safe. For a number of years now, attackers have been launching attacks against routers through cross-site request forgery (CSRF) techniques. Those attacks hijack users' browsers when visiting malicious or compromised websites and force them to send unauthorized requests to routers through local network connections.

In 2015, a researcher known as Kafeine detected a large-scale CSRF attack launched through malicious advertisements placed on legitimate websites. The attack code was capable of targeting over 40 different router models from various manufacturers and attempted to change their Domain Name System (DNS) settings through command injection exploits or through default administrative credentials.

By replacing the DNS servers configured on routers with rogue servers under their control, attackers can direct users to fake versions of the websites they are trying to visit. This is a powerful attack because there's no indication in the browser address bar that something is amiss unless the website uses the secure HTTPS protocol. Even then, attackers can use techniques such as TLS/SSL stripping and many users might not notice that the green padlock is missing. In 2014, DNS hijacking attacks through compromised home routers were used to phish online banking credentials from users in Poland and Brazil.

CSRF attacks usually try to locate routers over the local area network at common IP addresses like 192.168.0.1 or 192.168.1.1 that manufacturers configure by default. However, users can change the local IP address of their routers to something else, for example, 192.168.33.1 or even 192.168.33.22. There's no technical reason why the router should have the first address in an IP netblock and this simple change can stop many automated CSRF attacks in their tracks.

There are some other techniques that attackers could combine with CSRF to discover the LAN IP address of a router, even when it’s not the default one. However, some routers allow restricting access to their administrative interfaces by IP address.

If this option is available, you can configure the allowed IP address to be different than those automatically assigned by the router to your devices via the Dynamic Host Configuration Protocol (DHCP). For example, configure your DHCP address pool to be from 192.168.33.50 to 192.168.33.100, but specify 192.168.33.101 as the IP address allowed to access the router's administrative interface.

This address will never be automatically assigned to a device, but you can manually configure your computer to temporarily use it whenever you need to make changes to your router's settings. After the changes are done, set your computer to automatically obtain an IP address via DHCP again.

Also, if possible, configure the router interface to use HTTPS and always access it from a private/incognito browser window, so that no authenticated session that could be abused via CSRF remains active in the browser. Don’t allow the browser to save the username and password either.
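The addressing advice above (router off the guessable first address, DHCP pool that never hands out the admin station's address) can be checked before you type it into the router. The following is an added example, not code from the original article; the function name and the finding strings are this example's own, and the sample values are the ones the article uses.

```python
"""Check a planned LAN addressing scheme against the router-hardening advice.

Added example, not code from the original article. check_lan_plan() and its
finding strings are this example's own; the sample values (192.168.33.0/24,
DHCP pool .50-.100, admin station .101) are the article's.
"""
import ipaddress
from typing import List

# Default LAN ranges that automated CSRF payloads probe first.
DEFAULT_NETS = ("192.168.0.0/24", "192.168.1.0/24")


def check_lan_plan(subnet: str, router_ip: str, pool_start: str, pool_end: str,
                   admin_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the plan follows the advice.

    Checks performed:
      * every address lies inside the chosen subnet
      * the subnet is not one of the default ranges CSRF attacks try first
      * the router does not sit on the first usable address (a softer "note:",
        since the article allows e.g. 192.168.33.1 but prefers .22)
      * the DHCP pool is well-formed and does not contain the router address
      * the address allowed to reach the admin interface is outside the pool,
        so no client ever receives it automatically
    """
    net = ipaddress.ip_network(subnet, strict=True)
    router = ipaddress.ip_address(router_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    admin = ipaddress.ip_address(admin_ip)
    findings: List[str] = []

    for label, addr in (("router", router), ("pool start", start),
                        ("pool end", end), ("admin", admin)):
        if addr not in net:
            findings.append(f"{label} address {addr} is outside {net}")
    if findings:
        return findings  # the remaining checks assume one subnet

    for default_net in DEFAULT_NETS:
        if net == ipaddress.ip_network(default_net):
            findings.append(f"{net} is a default range that CSRF attacks probe first")

    first_usable = net.network_address + 1
    if router == first_usable:
        findings.append(f"note: router uses the first address {router}; "
                        "a less predictable one (e.g. .22) stops more scans")

    if start > end:
        findings.append("DHCP pool start is after pool end")
    elif start <= router <= end:
        findings.append(f"DHCP pool {start}-{end} contains the router address")

    if start <= admin <= end:
        findings.append(f"admin address {admin} is inside the DHCP pool; "
                        "a guest device could receive it")
    if admin == router:
        findings.append("admin address must be a client address, not the router's")
    return findings


if __name__ == "__main__":
    # The article's plan, with the router moved to .22 as it suggests.
    plan = check_lan_plan("192.168.33.0/24", "192.168.33.22",
                          "192.168.33.50", "192.168.33.100", "192.168.33.101")
    print("findings:", plan or "none")
```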

Shut down risky services

Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, any service that’s not used should be disabled to reduce the attack surface.

Over the years, security researchers have found many undocumented "backdoor" accounts in routers that were accessible over Telnet or SSH and which provided full control over those devices. Since there's no way for a regular user to determine if such accounts exist in a router or not, disabling these services is the best course of action.

Another problematic service is Universal Plug and Play (UPnP), which allows devices to discover each other on networks and share their configurations so they can automatically set up services like data sharing and media streaming.

Many UPnP vulnerabilities have been found in home routers over the years, enabling attacks that ranged from sensitive information exposure to remote code execution leading to full compromise.

A router's UPnP service should never be exposed to the internet and, unless absolutely needed, it shouldn't be enabled on the local area network either. There's no simple way to tell if a router's UPnP implementation is vulnerable and the service can be used by other network devices to automatically punch holes through the router's firewall. That's how many IP cameras, baby monitors, and network-attached storage boxes become accessible on the internet without their owners knowing.

Other services that have been plagued by vulnerabilities and should be disabled include the Simple Network Management Protocol (SNMP), the Home Network Administration Protocol (HNAP) and the Customer Premises Equipment WAN Management Protocol (CWMP), also known as TR-069.

SNMP is mostly used in corporate environments, so many home routers don't have the feature, but some do, especially those supplied by ISPs. In 2014, researchers from Rapid7 found SNMP leaks in almost half a million internet-connected devices and in April, two researchers found a weakness in the SNMP implementation of 78 cable modem models from 19 manufacturers, including Cisco, Technicolor, Motorola, D-Link, and Thomson. That flaw could have allowed attackers to extract sensitive information such as administrative credentials and Wi-Fi passwords from devices and to modify their configurations.

HNAP is a proprietary administration protocol that's only found in devices from certain vendors. In 2010, a group of researchers found vulnerabilities in the HNAP implementation of some D-Link routers and in 2014 a worm called The Moon used information leaked through HNAP to target and infect Linksys routers by exploiting an authentication bypass vulnerability.

CWMP or TR-069 is a remote management protocol used by ISPs and flawed implementations have been exploited by Mirai last year to infect or to crash DSL modems from ISPs in Ireland, the U.K., and Germany. Unfortunately, there's usually no way for users to disable TR-069, which is another reason to avoid ISP-supplied devices.

One thing's certain: Attackers are increasingly attacking routers from inside local area networks, using infected computers or mobile devices as a launchpad. Over the past year researchers have found both Windows and Android malware programs in the wild that were designed specifically to hack into routers over local area networks. This is useful for attackers because infected laptops and phones will be connected by their owners to different networks, reaching routers that wouldn’t otherwise be exposed to attacks over the internet.

Security firm McAfee also found an online banking trojan dubbed Pinkslipbot that transforms infected computers into web proxy servers accessible from the internet by using UPnP to automatically request port forwarding from routers.

The Vault7 documents published by WikiLeaks this year describe a set of tools supposedly used by the US Central Intelligence Agency to hack into routers and replace their firmware with one designed to spy on traffic. The toolset includes an exploit named Tomato that can extract a router's administrative password through UPnP from inside the local area network, as well as custom firmware dubbed CherryBlossom that reportedly works on consumer and small business routers from 10 manufacturers.

Unfortunately, when building devices, many manufacturers don't include local area network attacks in their threat model and leave various administration and debugging ports exposed on the LAN interface. So it's often up to users to determine what services are running and to close them, where possible.

Users can scan their routers from inside their local networks to identify open ports and protocols using various tools, a popular one being Nmap with its graphical user interface called Zenmap. Scanning a router from outside the LAN is more problematic because port scanning on the internet might have legal implications depending on jurisdiction. It's not recommended to do this from your own computer, but you can use a third-party online service like ShieldsUP or Pentest-Tools.com to do it on your behalf.
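A minimal version of that inside-the-LAN check, covering the services this section says to shut down (Telnet, SSH, the web admin interface, TR-069/CWMP on TCP 7547) plus an SSDP query that reveals whether UPnP answers on the LAN. This is an added example, not the article's or Nmap's code; the port-to-service table, the finding format and the router address are this example's assumptions, and SNMP (UDP 161) is outside what a TCP connect probe can see.

```python
"""LAN-side audit of a home router's exposed services.

Added example, not code from the original article. It checks a router from
inside the LAN for the services the article says to shut down: Telnet and SSH,
the web admin interface, TR-069/CWMP (TCP 7547) and UPnP (SSDP discovery on
UDP 1900). Port-to-service names and the report format are this example's own.
SNMP speaks UDP 161 and is not covered by a TCP connect probe.
"""
import socket
from typing import Dict, List, Tuple

# TCP ports worth looking at on a home router, with the article's advice.
RISKY_TCP_PORTS: Dict[int, Tuple[str, str]] = {
    22:   ("SSH",            "disable unless needed; never expose to WAN"),
    23:   ("Telnet",         "disable; cleartext, abused by Mirai"),
    80:   ("HTTP admin",     "prefer HTTPS; restrict to one admin IP"),
    443:  ("HTTPS admin",    "restrict to one admin IP"),
    7547: ("CWMP / TR-069",  "ISP remote management; ask to opt out"),
    8080: ("alt HTTP admin", "often a second copy of the admin UI"),
}

SSDP_ADDR = ("239.255.255.250", 1900)
# Standard SSDP M-SEARCH asking Internet Gateway Devices (routers) to answer.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
).encode()


def probe_tcp(host: str, ports, timeout: float = 0.5) -> List[int]:
    """Return the ports on host that accept a TCP connection (a connect scan)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def classify_open_ports(open_ports) -> List[str]:
    """Turn a list of open TCP ports into human-readable findings."""
    findings = []
    for port in sorted(open_ports):
        if port in RISKY_TCP_PORTS:
            name, advice = RISKY_TCP_PORTS[port]
            findings.append(f"tcp/{port} {name}: {advice}")
        else:
            findings.append(f"tcp/{port} unknown service: identify it, close if unused")
    return findings


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an HTTP-over-UDP SSDP reply into a lower-cased header dict.

    Returns an empty dict if the datagram is not a '200 OK' SSDP response
    (NOTIFY announcements and junk are ignored).
    """
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
    return headers


def discover_upnp(timeout: float = 2.0) -> List[Tuple[str, Dict[str, str]]]:
    """Multicast an SSDP M-SEARCH and collect replies until the timeout.

    Any router that answers has UPnP enabled on the LAN side.
    """
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(SSDP_MSEARCH, SSDP_ADDR)
        try:
            while True:
                data, (addr, _) = s.recvfrom(4096)
                headers = parse_ssdp_response(data)
                if headers:
                    found.append((addr, headers))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    ROUTER = "192.168.33.22"  # assumed LAN address of the router being audited
    for line in classify_open_ports(probe_tcp(ROUTER, RISKY_TCP_PORTS)):
        print(line)
    for addr, hdr in discover_upnp():
        print(f"UPnP answers on {addr}: {hdr.get('server', '?')} -> {hdr.get('location', '?')}")
```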

Secure your Wi-Fi network

When setting up your Wi-Fi network, choose a long, hard-to-guess passphrase, also known as a Pre-shared Key (PSK)—consider a minimum of 12 alphanumeric characters and special symbols—and always use the WPA2 (Wi-Fi Protected Access II) security protocol. WPA and WEP are not safe and should never be used.

Disable Wi-Fi Protected Setup (WPS), a feature that allows connecting devices to the network by using a PIN printed on a sticker or by pushing a physical button on the router. Some vendors' WPS implementations are vulnerable to brute-force attacks and it's not easy to determine which ones.

Some routers offer the option to set up a guest wireless network that's isolated from the rest of your LAN and you can use it to let friends and other visitors use your internet connection without sharing your main Wi-Fi password. Those guests might not have malicious intentions, but their devices might be infected with malware, so it's not a good idea to give them access to your whole network. Since their devices can also be used to attack the router, it is probably best not to let them use your internet connection at all, guest network or not, but that might not be an easy thing to explain to them.

Update your router's firmware

Very few routers have fully automatic update capabilities, but some do provide manual update checking mechanisms in their interfaces or email-based notifications for update availability. Unfortunately, these features might stop working over time as manufacturers make changes to their servers and URLs without taking old models into consideration. Therefore, it’s also good to periodically check the manufacturer's support website for updates.

Some more advanced stuff

If you disable UPnP but want a service that runs inside the LAN to be accessible from the internet—say an FTPS (FTP Secure) server running on your home computer—you will need to manually set up a port forwarding rule for it in the router's configuration. If you do this, you should strongly consider restricting which external IP addresses are allowed to connect to that service, as most routers allow defining an IP address range for port forwarding rules. Also, consider the risks of making those services available externally, especially if they don’t encrypt traffic.

If you don't use it for guests, the router's guest wireless network can be used to isolate internet-of-things devices on your LAN. Many IoT devices are managed through mobile apps via cloud-based services so they don't need to talk directly to your phone over the local network beyond initial setup.

Doing this protects your computers from the often vulnerable IoT devices and your IoT devices from your computers, in case they become infected. Of course, if you decide to use the guest wireless network for this purpose, change its password and stop sharing it with other people.

Similar network segmentation can be achieved through VLANs (virtual local area networks), but this feature is not commonly available in consumer routers unless those devices run third-party firmware like OpenWRT/LEDE, DD-WRT or AdvancedTomato. These community-built Linux-based operating systems for routers unlock advanced networking features and using them might actually improve security, because their developers tend to patch vulnerabilities quicker than router vendors.

However, flashing custom firmware on a router will typically void its warranty and, if not done properly, might leave the device in an unusable state. Don't attempt this unless you have the technical knowledge to do it and fully understand the risks involved.

Following the recommendations in this guide will significantly lower the chances of your router falling victim to automatic attacks and being enslaved in a botnet that launches the next internet-breaking DDoS attack. However, if a sophisticated hacker with advanced reverse-engineering skills decides to specifically target you, there’s very little you can do to prevent them from eventually breaking into your home router, regardless of what settings you made. But why make it easy for them, right?

Source: This article was published on motherboard.vice.com by Jacob Holcomb


News flashes and sound bites are constantly calling our attention to the latest hacks or threats to our cybersecurity that seem to be filling our social media news feeds and television reporting circuits. While there are plenty of bad actors out there hell bent on doing us harm, symbiotically living in the digital ethers and layers that make up the vast web, there are companies and organizations working in the background to protect and remediate any potential disasters.

Some of these online threats pose significant harm to our lives, our businesses and our finances. Some of them are easy to detect, while others have become increasingly challenging and more sophisticated over the years. They sometimes involve massive bot-nets of millions of devices all acting in concert with one another, and sometimes they're far more individualistic in nature, with specific high-value targets that involve social engineering and location tracking to ensure that their cryptic intentions are fulfilled.

If you've ever been the victim of a phishing scam online, or you've ever had someone hijack your profile or social engineer you or your employees to gain access to critical corporate information and infrastructure, or to steal any amount of money from you through methods such as Instagram money-flipping, then you know just how painful this process is. Oftentimes, we search for ways to exact our revenge, an effort that usually falls flat on its face due to the anonymity of the World Wide Web.

So, how do you go about protecting yourself from these online threats and cyber criminals who are determined to extract money and valuable information from you?

Clearly, there is no foolproof method to protect yourself. As technology evolves, so do our methods for combating these online threats. However, that doesn't mean that the threats stop. They also evolve. They get smarter, more efficient and more scalable as the near-limitless reach of the web gives them unfettered access to potentially billions of dollars in crimes against unassuming individuals and businesses from across the planet.

What Are The Top Online Threats In Cyberspace? 

While there are numerous threats that exist at every turn on the internet, there are 10 very significant threats that pose malicious harm to us. Understanding what these threats are that exist on the web and learning how to combat them is integral to conducting any semblance of business or personal activity these days. Falling for these is painful to say the least, but even more so when you didn't even see it coming from miles away.

One of the biggest and most challenging uphill battles here when it comes to online threats to our security is actually determining whether or not a visitor is human. Bots that crawl the web, or that are designed to somehow infiltrate systems and drop malware generally don't behave like humans. However, this isn't always something that's straightforward. How companies go about detecting automated software and threats in cyberspace has a lot to do with their potential to fall victim to these scams.

Not only is it important to institute a good set of habits when it comes to dealing with online threats like this, but it's also important to stay in-the-know. The more informed you are, the better off you and your employees will be. It's important to note that whatever you do, threats are always evolving. Locate reputable companies that you can work with to help alleviate some of the stress that failure might cause in this arena.

#1 -- Ransomware

One of the biggest ongoing concerns and threats to our digital existences has been the proliferation and exponential rise of ransomware. You know, the type of thing that locks you out of your computer with an impending countdown that signals the digital death of your entire virtual existence. As it counts down, threatening to encrypt every last shred of data, you realize the peril that digital criminals can inflict on their unassuming victims.

Your choices? According to Tod Beardsley, Director of Research at Rapid7, a firm dedicated to thwarting these types of attacks through some of their wildly-popular software platforms such as Nexpose and Metasploit, you should never pay the criminals because you don't know the outcome of whether your information will in fact be restored, or simply vanish into thin air.

Redundant backups should be a priority for you. Back up to an external drive somewhere on your network and to the cloud through DropBox or another provider. Rapid7, which often stress-tests other corporations by hacking them in an effort to expose security loopholes and ensure that networks are safe from potential attacks, knows a thing or two about this. Companies rely on their teams to ensure that they're protected, and they're often the first phone call many make when an attack like this and others do actually happen.

#2 -- Phishing schemes

A large majority of people get caught up in phishing schemes. Phishing schemes are engineered to get you to click on things and oftentimes they seem harmless. Simply click on a link and it will go to some URL. That's it. However, as harmless as they seem, phishing schemes can lead to a number of major online security breaches if you're not careful. By paying close attention to what you're clicking on, you'll be better able to mitigate these types of attacks.

Once you're ensnared in this type of scheme, it's hard to untangle yourself. There are phishing schemes for bank accounts, email accounts, big e-tailers and other service providers that have massive footprints. The goal? Gain access to the consumer's account to do the most damage. If you think you were the victim of a phishing scheme, and you entered in your username and password somewhere online and things didn't seem right, immediately change all your passwords.

Another important thing to note is that most people use the same (weak) password across a variety of services such as Gmail, Facebook and online banking as one example. Never do that. Always use different passwords and ensure that they're not simple passwords to begin with. If a cybercriminal gains access to one service, you don't want them gaining access to the others. You should also be changing up your passwords every few months or so.

#3 -- Man-in-the-middle (MITM) attacks

One of the most sophisticated threats that exist online is the man-in-the-middle attack. I've seen these threats firsthand and know just how malicious they can be. Everything seems okay all the way to the final point of entry (even when using 2-factor authentication). This malware sits on your computer and waits until you've entered in all your credentials, then it actually swaps out the server that receives the communication and even communicates back to you.

Throughout all of this, everything seems fine. Nothing seems amiss. That's why it's such a sophisticated online threat. You almost don't know that anything is happening when it actually is happening. You have to be very wary of what you download to your computer and what reputable sources they're coming from. Virus software is not going to help you in most cases here because these threats are always evolving.

Oftentimes, MITM attacks are the result of phishing schemes that installed latent software on your computer that sits dormant for some time until you begin accessing the proper network or until it's recorded the right keystrokes. It then substitutes its own intercepting server right when you submit your credentials to log in.

#4 -- Ad fraud

Online ad fraud is far more widespread than anyone could possibly imagine. This is likely one of the biggest cyber-threats that seems to go under the proverbial radar. Few people know that they've been scammed by sophisticated ad fraud systems after it's occurred. Publishers simply see views increasing and most ad platforms don't provide much detail about individual ad impressions or clicks, leaving most people in the dark.

In a recent conversation with Tamer Hassan, CTO of White Ops, a firm deeply entrenched in the fight against automated ad fraud, he explained that the company has taken this fight to a new level by developing a platform that actively measures 500 to 2000 technical metrics to determine whether the person viewing the ad is in fact a human or a robot. This software analyzes several layers at a time and it's the leading platform among the largest publishers in the world.

This impressive system developed by Hassan and his team runs silently in the background, with no impact on the speed or latency of ad serving or delivery. In fact, most publishers are now building White Ops' software into their contracts, stating that ad clicks and views found to come from bots will result in non-payment of revenues. Defeating human verification on the web is potentially one of the most lucrative types of fraud that so many cybercriminals are working to exploit and that companies are working to protect against.

#5 -- Social media schemes 

Instagram (IG) money-flipping schemes and many other social media scams have surfaced in recent years. Considering that IG is one of the most popular social media platforms in the world, it's no wonder that unscrupulous cybercriminals are targeting individuals who are in desperate situations, looking to make a few hundred or a few thousand dollars quickly. These IG money-flipping schemes have become so widespread that the company can only take down 1 money-flipping scam for every 3 that are being created.

In a recent conversation with Evan Blair, co-founder of ZeroFox, a firm specializing in social media security, he tells me that 70% of companies are using social media for business but that a large majority of those companies are uninformed about potential impersonations of customer service representatives or duplication of accounts and impersonation of profiles, until it's too late. In fact, there's little that many of the most popular platforms like IG can do to safeguard against the windfall of social engineering and phishing that is constantly occurring against companies at any given moment.

However, this isn't just a risk to digital security; cybercriminals are now using IG and other social media sites to physically track and harm well-to-do executives, celebrities and other high-profilers such as athletes and even politicians. Without a good system to thwart such attacks, most businesses and individuals are completely left lost in the dark. That's likely why so many of the world's leading companies and affluent individuals rely on ZeroFox's groundbreaking platform to thwart and mitigate such attacks.

#6 -- Bitcoin scams

Bitcoin scams have been on the rise recently, especially since the cryptocurrency leaves little in the way of traceable information and, unlike in the banking sector, the transactions are irreversible. For those particular reasons alone, cybercriminals have been flocking to the Bitcoin platform. In fact, a large part of their criminal activity is conducted in Bitcoin, for the great majority of their malware attacks that include ransomware and other hacking initiatives.

Considering that Bitcoin valuations have been fluctuating and that there is little in the way of current regulation in the marketplace, this will only continue to get worse. Be very wary of paying for things in Bitcoin and of clicking on any URLs that look deceiving. Read URLs thoroughly enough to ensure that they're not a variation of a popular domain name, something that hackers and cybercriminals tend to do often.

If you feel like you've been the victim of a Bitcoin scam, it's best to contact the FBI or your local law enforcement agency. Bitcoin does have built-in protections such as wallet backups and multi-signatures, but that doesn't mean that scams don't happen. Cybercriminals are getting more sophisticated by the day so be careful and avoid anything that looks suspicious.

#7 -- Social engineering

Social engineering isn't a new threat. In fact, criminals have been using social engineering hacks in person for ages now. However, when it comes to fraud and other crimes occurring online, this threat is certainly on the rise. With the layer of anonymity that the internet affords, it's no wonder that social engineering works so well in this medium. Most aren't that careful about who they interact with or what type of information that they give out or expose online.

It's not inherently difficult for a criminal to Google the web to find information about a person in an effort to social engineer a scam against them. They can discover their occupation on LinkedIn, their family members or children on Facebook, where they are through Instagram or what they're talking about on Twitter. They can then work to infiltrate those profiles and take over a person's entire social media presence, and use that control to take over email accounts and eventually bank accounts and so on.

It's important to be very careful about who you interact with and what information you expose to the general public. Utilize the privacy features on platforms like Facebook or Twitter and be sure not to share too much personal information on platforms like Instagram. If you do, make your profiles private so that not everyone can track your every movement.

#8 -- Targeting employees to compromise corporate networks

Another major online threat involves directly targeting employees to compromise corporate networks. Since some employees act as the gatekeepers into their corporate networks, there's no surprise that this is on the rise. For example, a large part of the wire fraud that occurs happens because cybercriminals successfully target the right employees to compromise the company's corporate network, allowing them almost unfettered access and approval to steal millions of dollars with ease.

Vulnerable employees also act as a gateway into a corporation's email servers, files and databases, where these cybercriminals can do massive amounts of damage. Employees need to be very careful on social media networks about who they interact with and about which phishing links they click on and unknowingly provide credentials to. ZeroFox's game-changing software helps to alleviate a large part of this worry for most large companies, but not everyone is proactive enough to engage its services.

Without using a company like ZeroFox, most corporations have no idea about what threats exist out there to their employees or their networks, and it really is one of the most revolutionary platforms that exists out there. Either way you cut it, employee education is a must here to ensure any potential attacks are thwarted before they even begin.

#9 -- Tracking movements for physical targeting

One massive online threat that exists, which can also put your physical safety in peril, is the tracking of movements through social media and other channels. For consumers, this is an enormous risk, especially for those individuals who openly portray a lavish lifestyle, traveling around the world. When cybercriminals know that you aren't home, it's simple for them to break into your home and steal your belongings.

You don't need to be uber-wealthy in order to be targeted. Criminals will target all types of individuals through social media channels, able to see when they're home and when they aren't. If you go on vacation, be careful of what information you're sharing and whether or not your profile is public or private. If you don't have home security systems installed and don't want to be a victim of a crime, be very wary about what you share.

Much of this remains common sense, but our physical security can also be put at risk if criminals know where we're going and learn what our routines and schedules might be. They can use that information to do all sorts of bad things to us, virtually and physically, so be very careful.

#10 -- Customer service interception

Customer service representatives are among the gatekeepers to any company. They are one of the most numerous categories of employees, interfacing with clients on a daily basis. However, as skilled as they might be at their jobs, they are often unaware of the online threats that cybercriminals pose when interacting through a number of mediums. In fact, cybercriminals are known to replicate company profiles and post throughout social media to draw the attention of unsuspecting individuals.

They do this in an effort to gain access to accounts, alter the awareness of the general public, and to funnel or filter payments and other inquiries that might otherwise alert companies to something that's amiss. This is an enormous threat to businesses, and those without a system like ZeroFox or something similar will most likely be unaware until the very last moment that a crime has actually occurred.

Not only is this bad financially speaking, but it's also bad for a company's reputation. When a customer is angry, they often don't care whether they were speaking to an imposter or the actual company's representative themselves. At that point, it's usually too late to put out the fire. If you're a business and you're serious about your company's online security through social media channels, it's important to invest in a platform to help you mitigate such attacks.

Source: This article was published on forbes.com by R.L. Adams.

Categorized in Internet Privacy

Rather than becoming ubiquitous in homes as expected, the Internet of Things (IoT) has become the butt of jokes, in part because of major security and privacy issues. UK mobile chip designer ARM -- which created the architecture used by Qualcomm, Samsung and others -- has a lot to lose if it doesn't take off. As such, it has unveiled a new security framework called Platform Security Architecture (PSA) that will help designers build security directly into device firmware.

ARM notes that "many of the biggest names in the industry" have signed on to support PSA (sorry ARM, that's a bad acronym). That includes Google Cloud Platform, Sprint, Softbank, which owns ARM, and Cisco. (A complete list is shown in the image below.)

Its main component is an open-source reference firmware, "Firmware-M", that the company will unveil for Armv8-M systems in early 2018. ARM said that PSA also gives hardware, software and cloud platform designers IoT threat models, security analyses, and hardware and firmware architecture specifications, based on a "best practice approach" for consumer devices.

Despite Intel's best efforts, ARM is far and away the most prevalent architecture used in connected homes for security devices, light bulbs, appliances and more. ARM says that over 100 billion IoT devices using its designs have shipped, and expects another 100 billion by 2021. Improving the notoriously bad security of such devices is a good start, but it also behooves manufacturers to create compelling devices, not pointless ones.

Source: This article was published on engadget.com by Steve Dent.

Categorized in Internet of Things

The warnings consumers hear from information security pros tend to focus on trust: Don't click web links or attachments from an untrusted sender. Only install applications from a trusted source or from a trusted app store. But lately, devious hackers have been targeting their attacks further up the software supply chain, sneaking malware into downloads from even trusted vendors, long before you ever click to install.

On Monday, Cisco's Talos security research division revealed that hackers sabotaged the ultra-popular, free computer-cleanup tool CCleaner for at least the last month, inserting a backdoor into updates to the application that landed in millions of personal computers. That attack betrayed basic consumer trust in CCleaner developer Avast, and software firms more broadly, by lacing a legitimate program with malware—one distributed by a security company, no less.

It's also an increasingly common kind of incident. Three times in the last three months, hackers have exploited the digital supply chain to plant tainted code that hides in software companies' own systems of installation and updates, hijacking those trusted channels to stealthily spread their malicious code.

"There's a concerning trend in these supply-chain attacks," says Craig Williams, the head of Cisco's Talos team. "Attackers are realizing that if they find these soft targets, companies without a lot of security practices, they can hijack that customer base and use it as their own malware install base...And the more we see it, the more attackers will be attracted to it."

According to Avast, the tainted version of the CCleaner app had been installed 2.27 million times from when the software was first sabotaged in August until last week, when a beta version of a Cisco network monitoring tool discovered the rogue app acting suspiciously on a customer's network. (Israeli security firm Morphisec alerted Avast to the problem even earlier, in mid-August.) Avast cryptographically signs installations and updates for CCleaner, so that no imposter can spoof its downloads without possessing an unforgeable cryptographic key. But the hackers had apparently infiltrated Avast's software development or distribution process before that signature occurred, so that the antivirus firm was essentially putting its stamp of approval on malware, and pushing it out to consumers.
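The signing point the paragraph makes is worth seeing in code: a release pipeline signs whatever bytes it is handed, so a valid signature proves the download was not altered after signing, not that the build was clean. The following is an added example, not code from the article or from Avast; it uses HMAC-SHA256 as a stand-in for a vendor's asymmetric code-signing key (an assumption made to keep it standard-library only), and the "build" bytes are constructed sample data. The last function shows the kind of control that does catch upstream tampering: comparing the shipped artefact against the same release reproduced on an independent build host.

```python
"""Added example (not from the article): why a valid signature on a download
does not prove the build was clean.  HMAC-SHA256 stands in for the vendor's
asymmetric code-signing key (assumption for a stdlib-only demo); the build
bytes are constructed sample data."""
import hashlib
import hmac

VENDOR_SIGNING_KEY = b"vendor-release-key"       # assumed secret held only by the release pipeline
CLEAN_BUILD = b"cleaner.exe: cleans temp files"  # constructed stand-in for the real binary
BACKDOOR = b"; beacon to c2"                     # constructed marker for injected code


def sign_release(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Release pipeline: sign the artefact it is given, no questions asked."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_release(artifact: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """Consumer-side check: does the signature match the bytes we downloaded?"""
    return hmac.compare_digest(sign_release(artifact, key), signature)


def tamper_after_signing() -> bool:
    """Attacker alters the download in transit: the signature no longer matches."""
    signature = sign_release(CLEAN_BUILD)
    return verify_release(CLEAN_BUILD + BACKDOOR, signature)


def tamper_before_signing() -> bool:
    """Attacker sits inside the build or distribution step: the pipeline signs
    the backdoored bytes, so the consumer-side check passes."""
    tainted = CLEAN_BUILD + BACKDOOR
    signature = sign_release(tainted)
    return verify_release(tainted, signature)


def independent_build_check(shipped: bytes, reproduced: bytes) -> bool:
    """Defender-side control the signature cannot provide: compare the hash of
    the shipped artefact with the hash of the same release reproduced on a
    separate, trusted build host (reproducible builds).  A mismatch flags
    tampering that happened upstream of signing."""
    return hmac.compare_digest(
        hashlib.sha256(shipped).hexdigest(),
        hashlib.sha256(reproduced).hexdigest(),
    )


if __name__ == "__main__":
    print("tampered after signing passes verification: ", tamper_after_signing())
    print("tampered before signing passes verification:", tamper_before_signing())
    print("reproducible-build check catches it:        ",
          not independent_build_check(CLEAN_BUILD + BACKDOOR, CLEAN_BUILD))
```

The second case is the CCleaner situation: every signature check a customer could run succeeds, because the key was applied to already-tainted bytes. Only a comparison against something the pipeline did not produce, such as an independently reproduced build or a hash published through a separate channel, can expose it.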

That attack comes two months after hackers used a similar supply-chain vulnerability to deliver a massively damaging outbreak of destructive software known as NotPetya to hundreds of targets focused in Ukraine, but also branching out to other European countries and the US. That software, which posed as ransomware but is widely believed to have in fact been a data-wiping disruption tool, commandeered the update mechanism of an obscure—but popular in Ukraine—piece of accounting software known as MeDoc. Using that update mechanism as an infection point and then spreading through corporate networks, NotPetya paralyzed operations at hundreds of companies, from Ukrainian banks and power plants, to Danish shipping conglomerate Maersk, to US pharmaceutical giant Merck.

One month later, researchers at Russian security firm Kaspersky discovered another supply chain attack they called "ShadowPad": Hackers had smuggled a backdoor capable of downloading malware into hundreds of banks, energy companies, and drug companies via corrupted software distributed by the South Korea-based firm Netsarang, which sells enterprise and network management tools. "ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be," Kaspersky analyst Igor Soumenkov wrote at the time. "Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component." (Kaspersky itself is dealing with its own software trust problem: The Department of Homeland Security has banned its use in US government agencies, and retail giant Best Buy has pulled its software from shelves, due to suspicions that it too could be abused by Kaspersky's suspected associates in the Russian government.)

Supply-chain attacks have intermittently surfaced for years. But the summer's repeated incidents point to an uptick, says Jake Williams, a researcher and consultant at security firm Rendition Infosec. "We have a reliance on open-source or widely distributed software where the distribution points are themselves vulnerable," says Williams. "That’s becoming the new low-hanging fruit."

Williams argues that the move up the supply chain may be in part due to improved security for consumers, and companies cutting off some other easy routes to infection. Firewalls are near-universal, finding hackable vulnerabilities in applications like Microsoft Office or PDF readers isn't as easy as it used to be, and companies are increasingly—though not always—installing security patches in a timely manner. "People are getting better about general security," Williams says. "But these software supply-chain attacks break all the models. They pass antivirus and basic security checks. And sometimes patching is the attack vector."

'People trust companies, and when they're compromised like this it really breaks that trust. It punishes good behavior.' —Craig Williams, Cisco Talos

In some recent cases, hackers have moved yet another link up the chain, attacking not just software companies instead of consumers, but also the development tools used by those companies' programmers. In late 2015, hackers distributed a fake version of the Apple developer tool Xcode on sites frequented by Chinese developers. Those tools injected malicious code known as XcodeGhost into 39 iOS apps, many of which passed Apple's App Store review, resulting in the largest-ever outbreak of iOS malware. And just last week, a similar—but less serious—problem hit Python developers, when the Slovakian government warned that a Python code repository known as Python Package Index, or PyPI, had been loaded with malicious code.

These kinds of supply-chain attacks are especially insidious because they violate every basic mantra of computer security for consumers, says Cisco's Craig Williams, potentially leaving those who stick to known, trusted sources of software just as vulnerable as those who click and install more promiscuously. That goes double when the proximate source of malware is a security company like Avast. "People trust companies, and when they're compromised like this it really breaks that trust," says Williams. "It punishes good behavior."

These attacks leave consumers, Williams says, with few options to protect themselves. At best, you can try to vaguely suss out the internal security practices of the companies whose software you use, or read up on different applications to determine if they're created with security practices that would prevent them from being corrupted.

But for the average internet user, that information is hardly accessible or transparent. Ultimately, the responsibility for protecting those users from the growing rash of supply-chain attacks will have to move up the supply chain, too—to the companies whose own vulnerabilities have been passed down to their trusting customers.

Source: This article was published on wired.com by Andy Greenberg.

Categorized in Internet Privacy

By Adeniyi Ogunfowoke

With almost everyone relying on the internet to perform tasks, there is barely anything like privacy. All your personal information is readily available to everyone by simply googling your name.

However, you can control the information others have access to online, thereby guaranteeing your online privacy, by taking certain steps. Jumia Travel, the leading online travel agency, shares some of the steps you should take.

Password all your devices

Protect all your devices with passwords, and that includes your computers, tablets, smartphones and any other gadgets with your personal data on them. If it is not secured by a password, your lost or stolen gadget will become a source of personal information for whoever has it, and this can lead to identity theft.

Use two-factor authentication

Two-factor authentication is becoming very popular today. With this feature activated, neither you nor anyone else gets immediate access to your accounts with a password alone. Instead, when you log in, you will need to enter a special code that the website texts to your phone. No code, no access.

Do not share too much information on your social media profile

The more information you share online, the easier it's going to be for someone to get their hands on it. One such way to get this information is via social media. So, check your social media profiles and remove information such as date of birth, phone numbers and email addresses. Anyone who wants to contact you should send a Direct Message.

Enable private browsing

If you don't want anyone with physical access to your computer to see your online activities, you should enable private browsing, a setting available in all major web browsers. Enabling it will automatically delete cookies, browsing history and temporary Internet files after you close the window.

Set up a Google alert for your name

This is one of the easiest ways to keep track of everything someone may be saying about you on the web. With a Google alert activated, you will be alerted immediately if someone illegally accesses your information.

Pay for transactions with cash

If you do not want to give out your card information online, you should use the cash on delivery option to pay for online transactions. You know some of these websites can sometimes be unreliable.

Keep your computer virus free

If your computer is infected by a virus or malware, hackers will not only have access to your information to steal your identity, but they may lock up your files and ask for a ransom to get them back. You will have to pay if the files are important to you.

Do not rely on search engines

If you don't like the idea of your search history being used to do business, you can switch search engines. This is because many of us rely heavily on Google Chrome. So, make it a rule of thumb to switch your search engine.

Adeniyi Ogunfowoke is a PR Associate at Jumia Travel

Source: This article was published on businesspost.ng by Dipo Olowookere.

Categorized in Internet Privacy

A new form of malware hit the internet Tuesday, shutting down systems across Europe and impacting companies from the U.S. to Russia. Unfortunately, the attack, which early reports indicate seems to have hit Ukrainian organizations and agencies particularly hard, is still largely a mystery for security researchers.

A form of ransomware, the malware encrypts a victim’s PC and demands that they pay $300 in exchange for the keys to unlock their computer or lose all of their data. The attack even managed to affect radiation monitoring equipment at the exclusion zone around the Chernobyl nuclear disaster site, forcing workers to rely on manual checks instead.

Cybersecurity firms originally believed the malware to be a previously known form of ransomware called Petya, but Kaspersky Lab says it's actually a different, unknown kind of ransomware, causing the cybersecurity company to dub it NotPetya.

Interestingly, the Petya/NotPetya software uses a Microsoft (MSFT) Windows vulnerability similar to the one exploited by the WannaCry 2.0 ransomware which hit the web a few weeks ago. But it looks like that exploit, which was originally used by the NSA and called EternalBlue, is just one of three attack points this ransomware takes advantage of.

If your computer is infected with malware, your best bet is to simply erase the entire system. Ransomware programs sometimes require you to pay in Bitcoin, an anonymous currency that can’t be tracked.

However, criminals have increasingly begun demanding payment in the form of iTunes or Amazon gift cards, since the average person doesn’t know how to use Bitcoin, according to McAfee’s Gary Davis.

The amount you have to pay to unlock your computer can vary, with some experts saying criminals will ask for up to $500.

To be clear, ransomware doesn’t just target Windows PCs. The malware has been known to impact systems ranging from Android phones and tablets to Linux-based computers and Macs.

Where it comes from

According to Davis, ransomware was actually popular among cybercriminals over a decade ago. But it was far easier to catch the perpetrators back then, since anonymous currency like Bitcoin didn't exist yet. Bitcoin helped change all that by making it nearly impossible to track criminals based on how victims pay them.

There are multiple types of ransomware out there, according to Chester Wisniewski, a senior security advisor with the computer security company Sophos. Each variation is tied to seven or eight criminal organizations.

Those groups build the software and then sell it on the black market, where other criminals purchase it and then begin using it for their own gains.

How they get you

Ransomware doesn’t just pop up on your computer by magic. You actually have to download it. And while you could swear up and down that you’d never be tricked into downloading malware, cybercriminals get plenty of people to do just that.

Here’s the thing: That email you opened to get ransomware on your computer in the first place was specifically written to get you to believe it was real. That’s because criminals use social engineering to craft their messages.

For example, hackers can determine your location and send emails that look like they’re from companies based in your country.

"Criminals are looking up information about where you live, so you'll click (emails)," Wisniewski explained to Yahoo Finance. "So if you're in America, you'll see something from Citi Bank, rather than Deutsche Bank, which is in Germany."

Cybercriminals can also target ransomware messages to the time of year. So if it’s the holiday shopping season, criminals might send out messages supposedly from companies like the US Postal Service, FedEx or DHL. If it’s tax time, you could receive a message that says it’s from the IRS.

Other ransomware messages might claim the FBI has targeted you for using illegal software or viewing child pornography on your computer. Then, the message will tell you to click a link to a site to pay a fine — only to lock up your computer after you click.

It’s not just email, though. An attack known as a drive-by can get you if you simply visit certain websites. That’s because criminals have the ability to inject their malware into ads or links on poorly secured sites. When you go to such a site, you’ll download the ransomware. Just like that, you’re locked out of your computer.

How to protect yourself

Ransomware attacks vulnerabilities in outdated versions of software. So, believe it or not, the best way to protect yourself is to constantly update your operating system’s software and apps like Adobe Reader. That means you should always click that little “update” notification on your desktop, phone, or tablet. Don’t put it off.

Beyond that, you should always remember to back up your files. You can either do that by backing them up to a cloud service like Amazon (AMZN) Cloud, Google (GOOG,GOOGL) Drive or Apple’s (AAPL) iCloud, or by backing up to an external drive.

That said, you’ll want to be careful with how you back up your content. That’s because, according to Kaspersky Lab’s Ryan Naraine, some ransomware can infect your backups.

[Image caption] A ransomware attack screen designed to look like an official message from the F.B.I.

Naraine warns against staying logged into your cloud service all the time, as some forms of malware can lock you out of even them. What’s more, if you’re backing up to an external hard drive, you’ll want to disconnect it from your PC when you’re finished, or the ransomware could lock that, as well.

Naraine also says you should disconnect your computer from the internet if you see your system being actively encrypted. Doing so, he explains, could prevent all of your files that have yet to be encrypted from being locked.

Above all, every expert I spoke with recommended installing some form of anti-virus software and some kind of web browser filtering. With both types of software installed, your system up to date, and a backup available, you should be well-protected.
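The backup advice above (keep a backup, keep it disconnected, and remember that ransomware can reach backups too) leaves one practical question open: how do you know a backup is still intact before you restore from it? The following is an added example, not code from the article or from any of the vendors quoted in it. It records a SHA-256 manifest at backup time and, at restore time, re-hashes every file; for anything that changed it measures byte entropy, since ransomware output looks like random data while documents do not. The files are held in an in-memory dict of constructed sample data so the script runs stand-alone; on a real system they would be paths on the disconnected backup drive, and the 7.0 bits-per-byte cut-off is an assumed threshold.

```python
"""Added example (not from the article): a backup integrity check a defender
can run before trusting a backup after a suspected ransomware event.  Files
are an in-memory dict of constructed sample data; on a real system they would
be paths on the backup drive."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, plain documents sit well below it


def make_manifest(files: dict) -> dict:
    """Record a SHA-256 digest for every file at backup time."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(files: dict, manifest: dict) -> dict:
    """Return a verdict per manifest entry: 'ok', 'missing', 'modified', or
    'likely-encrypted' (changed since backup AND high entropy).  The hash is
    checked first so legitimately high-entropy files (JPEGs, archives) that
    are unchanged are not flagged."""
    verdicts = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            verdicts[name] = "missing"
        elif hashlib.sha256(data).hexdigest() == expected:
            verdicts[name] = "ok"
        elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
            verdicts[name] = "likely-encrypted"
        else:
            verdicts[name] = "modified"
    return verdicts


def simulated_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file that ransomware
    has encrypted (constructed for the demo; not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample backup set, hashed at backup time.
ORIGINAL_FILES = {
    "report.txt": b"Quarterly report: revenue up, costs flat. " * 100,
    "notes.txt": b"Meeting notes, action items, follow-ups. " * 100,
    "budget.csv": b"month,income,expenses\n" + b"2017-06,100,80\n" * 50,
    "photo.bin": simulated_ciphertext(b"photo", 4096),  # legitimately high-entropy file (e.g. a JPEG)
}
MANIFEST = make_manifest(ORIGINAL_FILES)

# The same backup after a simulated ransomware run: one file encrypted, one
# edited by hand, one deleted, and the high-entropy photo left untouched.
AFTER_ATTACK = {
    "report.txt": simulated_ciphertext(b"report", 4200),
    "notes.txt": ORIGINAL_FILES["notes.txt"] + b"\nedited later",
    "photo.bin": ORIGINAL_FILES["photo.bin"],
}


def run_demo() -> dict:
    """Verify the post-attack backup against the manifest taken earlier."""
    return verify_backup(AFTER_ATTACK, MANIFEST)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} {verdict}")
```

Keep the manifest somewhere the backup host cannot overwrite (printed, or on a separate read-only medium); a manifest stored next to the backup can be encrypted along with it. Hash mismatch alone already tells you the backup was touched; the entropy check just separates "someone edited a document" from "this looks like ciphertext".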

Oh, and for the love of god, avoid downloading any suspicious files or visiting sketchy websites.

What to do if you’re infected

Even if you follow all of the above steps, ransomware could still infect your computer or mobile device. If that’s the case, you have only a few options.

The first and easiest choice is to wipe your computer or mobile device and reinstall your operating system. You'll lose everything, but you won't have to pay some criminal who's holding your files hostage.

Some security software makers also sell programs that can decrypt your files. That said, by purchasing one, you’re betting that it will work on the ransomware on your computer, which isn’t always the case. On top of that, ransomware makers can update their malware to beat security software makers’ offerings.

All of the experts agree that the average person should never pay the ransom — even if it means losing their files. Doing so, they say, helps perpetuate a criminal act and emboldens ransomware makers.

Even if you do pay up, the ransomware could have left some other form of malware on your computer that you might not see.

In other words: Tell the criminals to take a hike.

Source: This article was published on Yahoo Finance by Daniel Howley.

Categorized in Internet Privacy

Weeks after Netflix was held to ransom by hackers over the unreleased season five of Orange Is The New Black, cyber thieves have struck again, this time targeting film giant Disney. Speaking to ABC employees at a town-hall meeting on 15 May in New York, CEO Bob Iger announced that hackers had infiltrated the company's system, stolen an unreleased film and were holding it ransom.

While Iger did not reveal which film was at risk, Deadline reports it was the Johnny Depp-led Pirates Of The Caribbean: Dead Men Tell No Tales.

The studio has yet to confirm whether it is in fact the fifth installment of the Pirates franchise that is being held. Another possible victim could be Cars 3, which has a release date of 16 June, reports said.

Disney won't pay ransom

Disney staff members were informed that the hackers demanded "an enormous amount of money" via bitcoin, Deadline reports. If the money is not transferred, Disney risks the film being leaked ahead of its 26 May release date. However, the entertainment company is yet to confirm the ransom amount, and it is not clear when the deadline for the ransom payment is.

The hackers have allegedly threatened to publish the first five minutes of the film and continue leaking the whole movie in 20-minute clips if their ransom demands are not met. However, Iger reportedly stated that he would not bend to the blackmailers by paying them off.

"Anything that has a value will always be a potential victim of theft, either digital or physical," Mark James, ESET security specialist told IBTimes UK. "If someone has it and someone wants it then in theory there's a market for it."

"Disney has refused to pay the ransom and rightly so," James added. "Paying the ransom or indeed any ransom is generally frowned upon for many reasons. Funding other criminal activity, rewarding the bad guys or funding future attacks are all good reasons to not pay as chances are it's going to get released anyway."

Will hackers leak the movie?

This movie hack comes on the heels of a large content theft by the prolific hacker group The Dark Overlord (TDO), which included the fifth season of Netflix's Orange Is The New Black, set to be released on 9 June. The perpetrators released the first episode of the season and threatened to leak the rest if they were not paid. TDO also claimed to have content from FOX, IFC, National Geographic and ABC, and warned the networks to expect an email "demanding a modest sum of internet money".

It remains unknown if TDO is also behind the Disney hack. The group had previously threatened to leak further content soon and the modus operandi of the Disney hackers appears to be similar. The Disney hackers could follow TDO's play book and leak the movie or opt to sell it on the dark web.

Thefts like these put the film industry in a difficult position. They could pay to protect their intellectual property, and ensure fans pay to watch it in the cinema instead of for free at home. But doing so could show vulnerability and a willingness to comply, making them an easy target for hackers to strike again.

The FBI denied having advised Hollywood studios to pay ransom demands, according to The Hollywood Reporter. However, security experts begged to differ. "If your system is wiped and you didn't pay, then there's no way to recover it and you basically shut down your entire business, so the FBI will say it's easier to pay it than it is to try to fight to get it back," said Hemanshu Nigam, a former federal prosecutor of online crime in LA and one-time chief security officer for News Corp. "And if one company pays the ransom, the entire hacking community knows about it."

Disney is not the first Hollywood studio to be hacked. In 2014, Sony was attacked by a cybercriminal group suspected to be linked to North Korea. The hacker group, dubbed Lazarus, has also been associated with the recent global ransomware strikes. However, it is uncertain if the Disney hack has any connection to the WannaCry ransomware attacks.

Source: This article was published on ca.news.yahoo.com by Lara Rebello.

Categorized in Internet Privacy