STE WILLIAMS

Small-Time Cybercriminals Landing Steady Low Blows

High-end crime groups are acquiring the sorts of sophisticated capabilities only nation-states once had, while low-tier criminals maintain a steady stream of malicious activity, from cryptomining to PoS malware.

Sophisticated cybercrime groups and nation-state-backed adversaries are not the only threats to enterprise security. A steady level of malicious activity by relatively low-level criminals is affecting businesses all around the world as well and should not be ignored, a new report warns.

Secureworks’ Counter Threat Unit recently analyzed one year’s worth of incident response data and threat activity across 4,400 companies. The analysis showed that organizations are under siege by both high- and low-level criminals.

At the high end, sophisticated financially motivated cybercrime gangs have recently begun using tactics that were once associated only with nation-state-backed actors to plunder organizations around the world. Though relatively small in number, these organized crime gangs are responsible for the bulk of the cybercrime-related damage that businesses are experiencing, Secureworks found.

Highly organized groups of criminal actors in Central and West Africa, for instance, are targeting organizations with sophisticated business email compromise and business email spoofing campaigns that over the years have resulted in billions of dollars in losses. Examples include Nigerian threat groups Gold Galleon, which targets shipping companies, and Gold Milton, which targets real-estate companies and law firms in Australia.

Other high-end criminal gangs, like the FIN7 group, are making millions by combining advanced social engineering and network-intrusion techniques with point-of-sale malware to steal payment card data. In August, the US Department of Justice indicted several members of FIN7 on charges related to the theft of 15 million payment cards from some 3,600 institutions.

Small groups of highly professional operators from Eastern Europe and elsewhere are targeting online retailers, cryptocurrency exchanges, banks, and ATMs in campaigns that are netting them millions of dollars. One example is an attack on an Indian bank’s ATM infrastructure this August, which resulted in nearly $15 million in losses over a period of just three days. North Korea’s infamous Lazarus Group is believed to be behind that attack. Other campaigns have involved so-called “cashout” and ATM “jackpotting” operations in which threat actors have stolen millions of dollars via coordinated withdrawals from dozens of ATMs across multiple countries.

“These kinds of criminal actors are more difficult to track because their communications are private and they do not advertise their intentions in forums where they might be observed by security researchers or law enforcement,” says Mike McLellan, senior security researcher at Secureworks CTU.

While sophisticated cybercriminals may make use of tools obtained from dark web forums or sell their capabilities on it, they are not openly doing business there — making them very hard to spot, he notes. As these groups increasingly acquire nation-state actor-like capabilities, attribution is going to become much harder, he says.

Low-level Criminality

At the same time, low- and mid-tier cybercriminals are maintaining a steady level of malicious activity related to cryptocurrency mining, ransomware, spam, and banking and POS malware.

In 2017, one in three organizations encountered cryptocurrency mining software on their networks. It continues to remain a threat this year as well, contrary to common perception, McLellan says. “There is no evidence that cryptocurrency mining activity has decreased, despite the reduction in the market value of popular currencies such as Bitcoin and Monero.”

Similarly, Secureworks’ study found no letting up in ransomware activity. Between July 2017 and the end of June 2018, researchers from the company tracked 257 new ransomware families. The most prevalent of them was GandCrab, a ransomware tool distributed via Russian-language forums and exploit kits such as RIG and Grandsoft. In a majority of instances, ransomware targeting continues to be indiscriminate and many of the tools that have emerged over the last year are unsophisticated, Secureworks said in its report.

The easy availability of malware tools and services, and demand for personally identifiable information (PII) and other sensitive data continue to drive a lot of the malicious activity.

Secureworks regularly found comprehensive dossiers containing individual PII, payment card data and other information being offered for sale on underground forums at prices ranging from $10 to $25.

“Observed ‘for sale’ prices appear to have remained reasonably consistent, although there are a number of variables that come into play, such as the reputation of the seller and the nature of the PII,” McLellan says.

Also lowering the bar for cybercriminals are underground marketplaces selling direct access to compromised systems and to anonymized servers for carrying out malicious activity. Numerous forums, for instance, offer access to Virtual Private Servers and dedicated hosting services for between $10 and $300.

Others are selling access to compromised Remote Desktop Protocol servers for prices ranging from as little as 50 cents to $400. Some advertised prices have ranged between $1,000 and $20,000 for broader access to an organization’s network.

“Criminals might charge more where the organization is of a certain size, or in an industry vertical where they consider that the data it processes might have good inherent value,” McLellan says. “The price will also depend on the type of access offered and whether the actor selling the access has pre-installed additional tools.”

The trends highlight the need for enterprises to essentially make themselves a harder target. “Fundamentally, criminal actors want to make as much money as they can with the least possible effort and risk.” By implementing best practices like patching, multi-factor authentication on Internet-facing applications, least privilege for users, and layered detective controls, organizations can encourage criminals to look elsewhere, McLellan says.


Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/small-time-cybercriminals-landing-steady-low-blows-/d/d-id/1333273?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Support wouldn’t change his password, so he mailed them a bomb

On 8 March, Cryptopay co-founder Wesley Rashid began to open a padded package addressed to two of his employees.

Something about it struck him the wrong way, though, so he didn’t open it all the way. That was a fortunate decision. The package held a bomb that could have injured or even killed him.

London’s Metropolitan Police announced on Friday that the sender, a 43-year-old Swedish man named Jermu Michael Salonen, has been sentenced to six and a half years in prison for sending the potentially lethal homemade bomb.

It turns out that the package had been delivered months earlier, around November 2017, to an office unmanned by Cryptopay employees. The UK crypto-wallet business had at one point employed an accounting firm that did have an office in that location, but fortunately nobody at the accounting company opened it on behalf of its client. The letter bomb just sat there, unopened, for five months.

Forensic specialists managed to retrieve some DNA samples from the package, but no matches were found in the UK. Investigators turned next to Interpol, and that’s when they hit a match, turning up Sorenson’s DNA sample in Sweden.

Police said he was known to Swedish authorities. In addition to being found guilty of attempted murder by Stockholm District Court, Salonen was also convicted of mailing threatening letters to Swedish lawmakers and government officials.

Finally, he was also found guilty of 20 counts of threats in relation to letters filled with a mysterious white powder that was sent to Swedish lawmakers. According to the Associated Press, Prime Minister Stefan Lofven received some of that powder in August 2017, along with a handwritten letter that said: “you will soon be dead.”

When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb – or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package – the only thing the company could think of was that it had declined his request for a password change.

In August 2017, Salonen, a customer of Cryptopay, emailed their customer services team to ask for a new password. They refused, given that it was against the company’s privacy policy.

A fair point, as it’s never a good idea to send a new password in an email. A password-reset link is safer all round, although it’s not clear if Cryptopay offered this option to Salonen.

Commander Clarke Jarrett, head of the Met Police Counter Terrorism Command:

Salonen seemingly made and sent a device that had the capability to seriously harm and even kill over something as inconsequential as a change of password.

Fortunately the bomb did not detonate. It was due to sheer luck that the recipient ripped open the package in the middle rather than using the envelope flap, which would have activated the device.

Sheer luck, sheer four-leaf clover, sheer good sense to stop when things seem a bit off.

Next time you have to deal with a customer service rep, or your help desk staffers, or anybody who deals with opening your organization’s mail, be gentle. It’s shocking to think that any of them could one day risk their life at the hands of a mentally unstable, disgruntled customer, all over the most trivial of help-desk requests.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/s24_T5dtszk/

HTTP/3: Come for the speed, stay for the security

Google’s campaign to nudge the web towards faster performance took a big step last month. Key personnel at the Internet Engineering Task Force (IETF) suggested basing the next version of a core protocol on technology that originated with the search giant.

The IETF is responsible for signing off many of the key standards underpinning the internet and the web. One of them is the hypertext transport protocol (HTTP), which is how browsers fetch web pages.

In 2013, Google introduced a new experimental protocol called Quick UDP Internet Connections (QUIC), which would make HTTP requests faster and more secure.

Google proposed the idea of running HTTP requests using QUIC in 2016. The IETF evolved the protocol, producing what amounts to its own version (sometimes called iQUIC, in contrast to Google’s gQUIC).

The IETF has been working on running HTTP over QUIC for a while. On 18 October, Mark Nottingham, chair of the HTTP and QUIC working groups, suggested that it was time to call that specification HTTP/3. This would, effectively, make it the next major version of HTTP, and it represents a significant change.

A QUIC-ker internet

QUIC seeks to make network connections faster by reducing the number of round trips that one computer has to make when downloading information from another over HTTP.

Round trips happen in HTTP requests because the client (typically the browser) has to establish a connection with the server. Think of it like asking a new work colleague for something. First, you have to introduce yourself, explaining who you are and what you do. Then you have to wait for them to greet you back and acknowledge you before you make your request. Later, after getting to know them, you could just pop your head round the door and say “hey, Derek, can I borrow that file?” And Derek would just hand it over because he knows you and trusts you. QUIC works the same way.

The protocol has some other tricks up its sleeve. One of them, drawing on earlier work in HTTP/2, uses multiple connections at once. It also estimates the bandwidth that connections will use in either direction in advance, to try and minimize congestion by spacing packet transmissions accordingly, and uses error correction to minimize retransmitting lost data.

QUIC also uses version 1.3 of the encryption and certification standard TLS, which became an official “proposed standard” of the IETF in August 2018.

Unlike with HTTP/2, though, TLS 1.3 isn’t optional. If you want the extra speed of HTTP/3, you’ll have to sign up for the extra privacy and security of TLS 1.3 too.

One big step that Google took when designing QUIC was to abandon the core network mechanism for transporting traffic, known as the Transmission Control Protocol (TCP). This has been a staple for internet communications since the mid-1970s and has underpinned the web since its beginning. Instead, QUIC switched to the alternative User Datagram Protocol (UDP), which was designed for low-latency communications. Effectively, UDP just concentrates on sending packets, avoiding the extra functions that TCP offers such as re-sending lost packets and reassembling packets in the correct sequence. This makes it faster.
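To make concrete what QUIC has to rebuild for itself once it leaves TCP behind, here is a small Python model of reliable, in-order delivery over a transport that drops and reorders packets. It is an added example, not code from the IETF drafts or from Google's QUIC implementation: the sender numbers every chunk and keeps it until acknowledged, the receiver buffers gaps and releases data only in order, and anything still unacknowledged when the next round starts is sent again. The round-based retransmission, the lossless ACK path and the `lossy_channel` stand-in for UDP are simplifications of my own, not QUIC's actual loss-recovery rules.

```python
import random


class ReliableSender:
    """Numbers every chunk and keeps it until the receiver acknowledges it.

    Anything still unacknowledged when the next round starts is sent again,
    which is the retransmission duty TCP performs and UDP leaves to QUIC.
    """

    def __init__(self, chunks):
        self.unacked = dict(enumerate(chunks))   # packet number -> payload
        self.retransmissions = 0
        self.first_round = True

    def packets_to_send(self):
        if not self.first_round:
            # everything still here was lost (or its ACK was lost) last round
            self.retransmissions += len(self.unacked)
        self.first_round = False
        return sorted(self.unacked.items())

    def on_ack(self, acked_numbers):
        for pn in acked_numbers:
            self.unacked.pop(pn, None)

    def done(self):
        return not self.unacked


class ReorderingReceiver:
    """Delivers payloads strictly in packet-number order, buffering gaps.

    Duplicates (retransmits of packets that did arrive) are discarded.
    """

    def __init__(self):
        self.expected = 0
        self.buffer = {}
        self.delivered = []
        self.seen = set()

    def on_packet(self, pn, payload):
        self.seen.add(pn)
        if pn >= self.expected and pn not in self.buffer:
            self.buffer[pn] = payload
        # release the longest contiguous run starting at the expected number
        while self.expected in self.buffer:
            self.delivered.append(self.buffer.pop(self.expected))
            self.expected += 1

    def ack_frame(self):
        return set(self.seen)


def lossy_channel(packets, loss_rate, rng):
    """Constructed stand-in for UDP: drops a fraction of packets and reorders the rest."""
    survivors = [p for p in packets if rng.random() >= loss_rate]
    rng.shuffle(survivors)
    return survivors


def transfer(chunks, loss_rate=0.3, seed=1, max_rounds=50):
    """Push chunks through the lossy channel until all are acknowledged.

    Returns (delivered chunks, rounds used, retransmitted packets).
    The ACK path is modelled as lossless for brevity.
    """
    rng = random.Random(seed)
    sender, receiver = ReliableSender(chunks), ReorderingReceiver()
    rounds = 0
    while not sender.done() and rounds < max_rounds:
        rounds += 1
        for pn, payload in lossy_channel(sender.packets_to_send(), loss_rate, rng):
            receiver.on_packet(pn, payload)
        sender.on_ack(receiver.ack_frame())
    return receiver.delivered, rounds, sender.retransmissions


if __name__ == "__main__":
    segments = [f"segment-{i}" for i in range(8)]       # constructed payloads
    delivered, rounds, rtx = transfer(segments, loss_rate=0.4)
    print(f"in order: {delivered == segments}, rounds: {rounds}, retransmissions: {rtx}")
```

With `loss_rate=0` every chunk arrives in the first round, shuffled, and the receiver's buffer alone restores the order; with `loss_rate=1.0` nothing ever arrives and the sender keeps resending until `max_rounds`, which is why a real protocol pairs retransmission with a congestion controller rather than retrying blindly.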

The wish to move to UDP is the reason that Google didn’t continue with SPDY, an earlier protocol that it also proposed. This was a TCP-based protocol, also designed to make HTTP transmissions faster. This forms the basis for HTTP/2, ratified in 2015, but Google pulled support for it the same year after deprecating it.

Google estimates that traditional TCP-based HTTP requests take about 100ms because the client has to establish a connection with the server before it asks for anything. This gets worse when using TCP and TLS for extra security, taking up to 300ms. On a QUIC connection, it will initially take the same time as a TCP connection. When the client has spoken to the server before, it will take 0ms, because there will be no round trip. The server already knows who the client is, so there’s no need for an introduction.

The IETF draft for HTTP over QUIC was published on 24 October. Ratifying it will take time. If and when it happens, the whole world won’t suddenly move over to HTTP/3. However, those websites that do will be able to serve requests to compliant browsers more quickly and securely.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZCweiTeLlzI/

Targeted ransomware attacks – SophosLabs 2019 Threat Report

Cybercriminals have returned to old-school manual hacking tactics to boost the efficiency of targeted extortion, according to research conducted for the SophosLabs 2019 Threat Report.

Ransomware attacks are nothing new, but well-known examples like CryptoLocker or WannaCry have tended to be opportunistic and indiscriminate. To penetrate their targets they rely on simple automation, such as booby-trapped attachments sent to a large number of prospective victims via email.

However, the most eye-catching innovation seen by Sophos during 2018 looks more like the opposite of automation – manual control.

Deploying an attack by hand takes time and doesn’t scale well, but it is hard to detect – because it doesn’t necessarily follow a predictable pattern – and hard to stop – because an attacker can adapt as they go.

SophosLabs sums up the advantages of the hands-on approach:

With targeted attacks, the behaviour is inherently unpredictable, and the attackers can respond reactively to defence measures that, at first, thwart them from accomplishing their goal.

The perfect case study in how successful this modus operandi can be is the SamSam ransomware, whose evolution Sophos has been tracking since 2015.

Earlier this year, Sophos researchers discovered that a group or individual has used SamSam to successfully extort $6 million (£4.6 million) out of victims in the two and a half years to June 2018.

After operating on a smaller scale for the first year, in December 2016 the group or individual seems to have realised that its package of efficient ransomware, targeting and manual attack had legs.

Careful targeting

SamSam succeeds over more widely deployed ransomware because of the size of the ransoms the attackers ask for, which dwarf the more opportunistic demands of established ransomware.

SamSam extorts up to $50,000 per attack, a couple of orders of magnitude more expensive than the far more common GandCrab ransomware, which only demands a ransom of $400.

Message: the sum is extraordinary because the level of compromise is too, and that’s down to the manual nature of the attack.

Most likely, the victim was chosen because they expose the Windows Remote Desktop Protocol (RDP) to the internet, and was breached by the brute-forcing of a weak password.

Having prised the door open, the attackers run a tool such as Mimikatz designed to sniff the credentials for domain controllers when admins log in.

The attackers can then use system administration tools to map out the victim’s network, disable poorly protected security software and distribute the SamSam encryption malware to as many target systems as they can reach. Cleverly, when the ransomware is finally executed, it happens at night, when few security staff are around to react to the fast-moving tidal wave of encryption.
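Because the foothold described above is a brute-forced RDP password, the trail of failed logons is the earliest point at which a defender can see the intrusion. The Python below is an added example (not Sophos code) that runs a sliding-window check over constructed Windows Security log lines: five or more RDP failures (event 4625, logon type 10) from one source address within five minutes raises an alert, and a later successful RDP logon (event 4624) from that same address while failures are still in the window is escalated. The key=value line format, the user names and the addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified key=value form a log forwarder might emit
# for Windows Security events. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses come from the RFC 5737
# documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2018-11-12T02:14:03Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:04Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:06Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:07Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:09Z EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:11Z EventID=4625 LogonType=10 TargetUserName=backup_svc IpAddress=203.0.113.45 Status=0xC000006D
2018-11-12T02:14:15Z EventID=4624 LogonType=10 TargetUserName=backup_svc IpAddress=203.0.113.45
2018-11-12T02:30:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0xC000006A
2018-11-12T02:31:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7 Status=0xC000006A
2018-11-12T09:00:12Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10 Status=0xC000006A
2018-11-12T09:00:40Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)


def parse_line(line):
    """Return the fields the detector needs, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of RDP logon failures per source address.

    Emits one alert per address when failures inside `window` reach
    `threshold`, and a second, higher-severity alert if that address then
    logs on successfully while failures are still inside the window.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of RDP failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:
            continue                         # only RemoteInteractive logons
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                      # expire failures outside the window
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"kind": "rdp_bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
        elif ev["event_id"] == 4624 and ev["ip"] in flagged and q:
            alerts.append({"kind": "bruteforce_then_success", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the 02:14 burst from 203.0.113.45 trips the threshold on its fifth failure and the 4624 four seconds later is escalated; the two failures from 198.51.100.7 and the single typo-then-success from 192.0.2.10 stay silent. The threshold and window are tuning knobs, and the failure lines from logon type 3 (network) are deliberately skipped so that SMB noise does not pollute an RDP-specific rule.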

SamSam’s personal treatment extends as far as the decryption too: each victim gets their own dark web site where the SamSam authors offer a perverse form of technical support.

[Image: SamSam hidden service]

SamSam isn’t the only ransomware used in this targeted manner. Attacks by the elusive BitPaymer malware have been accompanied by ransom demands as high as $500,000, while Dharma appears to be used by multiple groups targeting small businesses.

The continued success of targeted ransomware, and the recent emergence of copycats like Ryuk, suggest the trend for targeted attacks is set to continue through 2019.

Naked Security has already produced extensive advice on defending against SamSam and its ilk, with the first and most important job being to lock down Windows RDP.

SamSam is the devil waiting to take the hindmost, so simple precautions can keep network security teams nearer the front of the chase.

You can read more about targeted ransomware, and how SamSam differs from similar attacks such as BitPaymer, Ryuk and Dharma, along with much more insight from the team inside SophosLabs in the SophosLabs 2019 Threat Report.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Euh05jdmrdQ/

Oz telcos’ club asks: Why the hell do Australia Post, rando councils, or Taxi Services Commission want comms metadata?

When Australia implemented its telecommunications data retention regime, privacy wonks worried about the potential for scope creep. The same warnings have been made about the government’s proposed encryption-busting legislation.


The Communications Alliance yesterday made public a list of 80 bodies (PDF) that have asked its members to hand over subscriber metadata, and warned that scope-creep could happen with Australia’s “Access and Assistance” draft legislation – which calls for anyone using or selling communications services in the country to be subject to police orders for access to private data.

When the regime came into effect in 2015, only 20 law enforcement and security agencies were given the right to ask telcos to hand over stored comms data without a warrant.

However, the government amended the legislation to provide other organisations access if they could produce a court order.

The Communications Alliance polled its members about the requests they received in response to a request from the Parliamentary Joint Committee into Intelligence and Security (PJCIS). That committee is holding hearings into the government’s proposed crypto-busting legislation, and the request for information arose during a hearing last month.

Communications Alliance CEO John Stanton said his group was warning that the Access and Assistance bill could have the same sort of unexpected consequences as occurred with the data retention legislation.

“One of the things that makes us really nervous about the encryption bill is not just the fact that it’s full of outrageous provisions, but there are potential unintended consequences,” he told The Register.

When he told the PJCIS hearing there were many more organisations requesting access than the 20 listed in the legislation, he was asked to back it up, so the alliance asked its members to identify who had made requests.

The result was a long list (PDF) of bodies. While the Australian Federal Police or Australian Tax Office are unexceptional, the presence of Australia Post’s Corporate Security Group, various local councils, the Department of Agriculture, the Fair Work Building and Construction Commission, and the Taxi Services Commission in the list could raise eyebrows.

In the document, the alliance added that it wasn’t able to identify all the requests that resulted in disclosures.

Stanton said the huge number of requests arose not because of Section 313, which limited the warrantless supply of data to 20 agencies, but Section 280, which allowed other bodies to request data under various kinds of court orders.

That section, he said, “places carriers in a difficult position. When a council in Tasmania says ‘we want data under Section 280, and we have the right’, what does the carrier do?”

Stanton added that judging the legitimacy of a request isn’t in the scope of most telcos and service providers.

“So you have a barrage of requests coming in from all manner of entities, which may or may not be legitimate requests.”

Stanton said it could be argued the industry should have understood the implications of legislation back in 2014 and 2015. “Certainly, we didn’t anticipate it, and maybe that’s a failing on our part.

“I’ve hesitated calling it a ‘back door’… but it’s certainly a way in.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/comms_alliance_metadata_scope_creep/

Want to hack an ATM for free cash? It’s as easy as Windows XP

ATMs are vulnerable to an array of basic attack techniques that would allow hackers to lift thousands in cash.

This according to researchers with Positive Technologies, who studied more than two dozen different models of ATMs and found (PDF) nearly all would be vulnerable to network or local access attacks that would allow raiders to pillage the cash dispensers.

The study pitted Positive researchers against 26 machines from various manufacturers and service providers. Among the more noteworthy results:

  • 15 were found to be running Windows XP.
  • 22 were vulnerable to a “network spoofing” attack where an attacker connects locally to the machine’s LAN port and conducts fraudulent transactions. Such an attack takes around 15 minutes to complete.
  • 18 were vulnerable to ‘black box’ attacks where an attacker physically connects a device to the machine and tricks it into spitting out cash. Positive notes these attacks can be carried out in about ten minutes with aftermarket compute boards (such as a Raspberry Pi).
  • 20 could be forced to exit out of kiosk mode via a USB or PS/2 connection. From there, an attacker could access the underlying OS of the machine and execute additional commands.
  • 24 had no data encryption in place on the hard drive, allowing an attacker who had access to the drive (see above) to pull any stored data and configuration info from the machine.

In general, the research found that, for the most part, the protections used by ATMs to prevent theft and tampering were more or less security theater, and anyone who really wanted to get into a machine could often do so in under an hour.

“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the researchers said.

“Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.”


One of the top recommendations the report makes to banks is to harden up the physical security of the machines themselves. By physically securing the cabinets to lock away access to the inputs and compute hardware of the machines, many of the techniques used in the study could be thwarted.

Additionally, the researchers recommend banks keep on top of logging and monitoring security events on their networks.

While many of these physical attacks are largely theoretical – banks take a dim view of customers hanging out at ATMs for longer than a few minutes – the report does highlight the shameful lack of security for ATMs, particularly on the software side.

At this year’s DEF CON hacking conference one researcher explained how he’d approached banks about flaws in their ATMs, only to be told such things weren’t possible. It was only when he told them he was going public with the research that the flaws were fixed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/atm_security_lousy/

Just because you’re paranoid doesn’t mean hackers aren’t going to nuke your employer into the ground tomorrow

The number one thing worrying infosec bods right now is… yup, you guessed it, a giant targeted attack that KOs their employers’ systems.

This fear was seconded – though not closely – by the threat posed by the people with whom they make small talk at the water cooler: their org’s very own blabby, policy-swerving, “oh-I’ll-just-email-it-to-my-Yahoo!-address-update-it-on-my-phone-over-public-Wi-Fi.. oh-never-mind-I’ll-use-this-USB-stick-I-found-on-the-floor” staffers. (Oh snap, they’ve just clicked on the malware-laden “fake PDF invoice” email – even though they’re not in accounts. Great.)

So reckon the people behind the Black Hat cybersecurity knees-up, who polled 130 European infosec folk to find out what keeps them awake at night.

The survey’s finding – that a targeted, sophisticated attack aimed directly at their particular organisation is the thing turning bright-eyed young cyber-defenders into grey-haired worriers – will surprise few, though worries corporate networks are not locked down tightly enough to user-proof them have risen markedly since last year.

Just over half (52 per cent) of respondents were worried about the cyber-attack-of-doom scenario, while a quarter stressed over “accidental data leaks by end users who fail to follow security policy”. The latter was up from 17 per cent last year.

Intriguingly, not many infosec bods think the EU’s General Data Protection Regulation will do much to improve online privacy. 42 per cent reckoned it would help “somewhat”, as opposed to the quarter who thought it would “substantially improve” privacy. Nearly a third (30 per cent) thought it would either help a little or wouldn’t make much of a difference. Black Hat opined this shows “growing scepticism among European security professionals with regard to the ability to protect user privacy”.

More than two-thirds (70 per cent) of infoseccers surveyed said they’d devoted some corporate resources to GDPR compliance, suggesting that the harsh legal penalties for non-compliance have focused minds across the sector. Despite that, just a third thought their employers’ compliance was good.

Another question, asked for the first time this year, was whether infosec bods are worried about mission-critical cloud services being compromised. Just 16 per cent thought that was one of their top three worries, suggesting that – for now – public cloud vendors’ security posturing is enough to reassure the masses.

Just 2 per cent gave a monkey’s about “cryptocurrency mining and its potential impact on my enterprise network”, which, while probably a sensible position to take, doesn’t fully reflect what might be going on in hidden corners of the enterprise network.

And if all that leaves you feeling generally OK about infosec, two-thirds of respondents believed that a “major attack on critical infrastructure spanning multiple European countries” will take place in the next couple of years.

Stay paranoid, yo. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/11/14/black_hat_survey_state_hackers_top_infosec_fear/

To Click or Not to Click: The Answer Is Easy

Mega hacks like the Facebook breach provide endless ammo for spearphishers. These six tips can help you stay safer.

Huge breaches have become so common that it’s tempting for users to write them off as no big deal. Take Facebook’s recent announcement that hackers made off with personal info of 30 million users of the platform. How bad can it be for someone to have access to the kind of basic information we all share with hundreds or thousands of our friends, anyway? It’s not bank account info or Social Security numbers, right?

Well, it is a big deal — not because of what might happen on Facebook but because of how the thieves can use the information to launch spearphishing attacks. Even if you quickly changed your password to protect your privacy on Facebook, a fleeting snapshot of your Facebook activity — your name and employer, your LinkedIn URL, your religion, the people you follow, and your most recent searches — will give a good spearphisher more than enough information to craft a nearly irresistible bogus email: “Hi, Kowsik. I see that you love that new Spanish restaurant downtown. I just found a foodie site that’s offering a coupon for a free meal!”

Or if you are a fan of the New York Times, you might receive an emailed security alert that appears to be from the newspaper warning you to change your password. If you clicked on a link in that email, you’d land at a legit-looking landing page where you might very well hand over your username and password — which, chances are, are the same credentials you use for your bank, your doctor, and to get on your employer’s network.

For a bad guy, it’s a simple, diabolically effective combination. For starters, research shows that spearphishing works. Twelve percent of all users will open a phishing email, and 4% will always click a link in a phishing email, according to Verizon’s 2018 Data Breach Investigations Report. Corporate employees using their corporate email are a bit more circumspect, but still vulnerable. In the last 30 days, employees at our customers’ businesses clicked on 1.2% of the URLs included in phishing emails. That’s a high success rate, especially because accessing a corporate network makes targets of all of your fellow employees.

Breaches of major social networks will fuel the growth of the spearphishing scourge. After all, it makes for some easy pickings. Some types of cyberattacks, such as watering hole attacks, require victims to happen upon a malware-carrying website. But everyone uses email. And criminals are just like the rest of us — they don’t want to work any harder than they have to. If they have information on what is top of mind for millions of people, why would they bother with more tiresome approaches?

It’s no wonder that spearphishing is on the rise around the world. In Singapore, for example, the number of spearphishing attacks made via e-mail impersonation scams rose 20% from 2015 to 2016 (the latest data available), according to the Singapore Computer Emergency Response Team. In September, the FBI issued a warning about a rise in spearphishing attacks in which supposed human resources representatives tap directly into victims’ bank accounts. Just a few weeks ago, Vanderbilt University News warned students and faculty to be on the alert for increased spearphishing activity.

Take These Steps
So, if spearphishing is a fact of life in the age of social networks, what can you do to protect yourself? Quite honestly, the only foolproof defense is to not use email. Short of that, here are some best practices:

1. Have a healthy skepticism for emails offering awards and gift vouchers. Better yet, ignore them — and certainly don’t click on any links.

2. Beware of any email referencing something you posted on Facebook or another social network, especially if you know that network has been breached. That should make your antenna go up in a big way. Be afraid — very afraid.

3. Never click on embedded links in emails, even if the message appears to come from your bank, cable company, or another trusted vendor. You can always reach those sites yourself, by typing the address or using a bookmark you saved earlier, to take care of whatever pressing business is at hand.

4. Don't use social login. Yes, it is extremely convenient to sign in to sites or apps with your Facebook or Google credentials (the "Log in with Facebook" buttons, built on OAuth). But take the time to create a separate username and password instead. Most people don't realize that the app receives an access token that lets it act on your Facebook account, within whatever permissions you granted it. In other words, a hacker wouldn't need to breach Facebook's defenses to see your information there; breaching that app developer would do.

5. Insist on good anti-phishing hygiene from the companies you do business with. If that bank or cable company sends you an email with an embedded link, lodge a complaint. Tell them to direct you to log on to the site directly instead. If more vendors were pressured to adopt this policy, the link-clicking economy would fall apart.

6. Create a dedicated throwaway email account for joining social networks. Since you're never likely to check that account again, chances are you'll never see any spearphishing attacks that arrive there. And don't feel too guilty. After all, the social network's business model is probably based on monetizing your personal information.
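Points 3 and 5 above describe a check that is easy to automate before anyone clicks: for each link in a message, does the link's real host sit inside the sender's domain, does the visible text match where the link actually goes, and does the URL use tricks such as a user-info "@" to hide the real host? The following Python is an added example for this article, not code from Dark Reading or from Menlo Security. The HTML message and the bank.example / verify-account.test domains are constructed for illustration, and the two-label "registrable domain" helper is a deliberate simplification of the public suffix list.

```python
"""Audit the links in an HTML email body before anyone clicks them.

Added example for this article, not code from Dark Reading or Menlo Security.
The message and domains below are constructed for illustration; the
two-label "registrable domain" rule is a simplification of the public suffix
list (assumption).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Return the last two labels of a hostname (IP literals are returned as-is).

    Simplification: real tooling should consult the public suffix list so that
    e.g. 'bank.co.uk' is not reduced to 'co.uk'.
    """
    host = host.lower().strip(".")
    if re.fullmatch(r"[0-9.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_links(html_body, sender_domain):
    """Return [(href, [reason, ...]), ...] for links that deserve suspicion.

    A link is flagged when it is not HTTPS, when its visible text names a
    different domain than its real host, when its host lies outside the
    sender's domain, or when the URL hides the real host behind a '@'.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    expected = registrable_domain(sender_domain)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme.lower() != "https":
            reasons.append(f"non-https scheme '{parsed.scheme or 'none'}'")
        # Visible text that looks like a domain but points somewhere else.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            reasons.append(f"display text '{text}' does not match host '{host}'")
        if registrable_domain(host) != expected:
            reasons.append(f"host '{host}' is outside sender domain '{sender_domain}'")
        if "@" in parsed.netloc:
            reasons.append("userinfo '@' in URL: the real host is what follows the '@'")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a "security alert" with one honest link and two bad ones.
SAMPLE_HTML = """
<p>We noticed unusual activity on your account.
Please <a href="https://bank.example/security">review your account</a>.</p>
<p>Or reset your password at
<a href="http://bank.example.verify-account.test/reset">https://bank.example/reset</a>.</p>
<p><a href="https://bank.example@198.51.100.7/login">Log in now</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_HTML, "bank.example"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it lists the two deceptive links with the reasons each was flagged, while the genuine link on the sender's own domain passes. The "outside sender domain" rule is intentionally strict: it will also flag legitimate third-party tracking or marketing hosts, which is exactly the behaviour point 5 asks vendors to stop relying on.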


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Before Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper …

Article source: https://www.darkreading.com/vulnerabilities---threats/to-click-or-not-to-click-the-answer-is-easy/a/d-id/1333232?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Can Businesses Stand Up to Cybercrime? Only 61% Say Yes

While 96% of US organizations say business resilience should be core to company strategy, only 61% say it actually is.

New data points to a gap between how businesses value resilience and how they implement it, Tanium researchers report.

As part of The Resilience Gap study, Tanium polled 1,000 US business decision makers to learn more about their ability to defend against cybercrime. Nearly all (96%) believe making technology resilient to business disruptions should be core to their broader strategy. However, only 61% report that resiliency is actually in place.

Several barriers to business resilience remain, researchers found, spanning internal organizational structure, access to technology, and talent. More than one-third (36%) say growing complexity is to blame, and 20% blame siloed business divisions. One-third say the problem is that hackers are becoming more sophisticated than internal IT teams, and 17% say their company lacks the skills to accurately detect breaches in real time.

Companies need to assign responsibility for business resilience, the researchers report; one reason it remains out of reach is growing internal confusion over where that responsibility lies. But who should handle it? Some respondents say the CIO or head of IT should take charge, 33% say all employees should be responsible, and 10% say the CEO.

Poor business resilience comes with financial consequences. Thirty-two percent say they could not — or don’t know if they could — calculate the impact of a breach when considering lost revenue and productivity. Eleven percent report they don’t know if they could calculate response cost; 10% don’t know if they could calculate the impact of lost or exposed data.

Read more details here.


Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/risk/can-businesses-stand-up-to-cybercrime-only-61--say-yes/d/d-id/1333264?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft update breaks Calendar and Mail on Windows 10 phones

Still reeling from last week’s Windows 10 Pro debacle, Microsoft dropped a fresh pile of “Oops!” onto Windows 10 Mobile users.

On Wednesday, users started reporting that an app update had broken Mail and Calendar:

Mail and Calendar no longer starts. After a short flash screen the app crashed back to the main screen. Tried restart and soft reset.

App got updated today 07-11-2018. This morning before the update it worked fine.

The problems showed up immediately after Microsoft released update 16006.11001.20083.0.

As of the following Tuesday afternoon, the initial post had tallied 431 “I have the same question” and 306 replies: a combination of “me-too’s” and “Is it time to jump ship and climb on board with Android/iOS/Google?”

By Saturday, however, many users were sighing with relief as they got Outlook Mail and Calendar back on their mobile devices, in spite of Windows 10 Mobile being a nearly dead platform. That is, Microsoft is no longer developing new features for it, though it still supports it with bug fixes and security updates.

As one Redditor noted, they weren’t even sure a fix would be forthcoming, given that their phone’s build – they said they were on a Nokia Lumia 1520 – is no longer officially supported.

The fact that there was a fix at all is surprising, but the quick turnaround time was even more surprising… I'll be making the transition back to team Android eventually but this fix allows me more time to come up w/ the scratch to actually get a phone I want as opposed to buying something cheap to fill the gap…..Once again, to whatever nameless dev/coder(s) in Redmond who fixed this, thanks a billion!

Microsoft confirmed the issue with Windows Latest, apologizing and saying that its engineers were on it.

From a post from an employee on Feedback Hub:

We understand that many users on Windows Phone are experiencing crashes with Outlook Mail and Calendar on the latest update 16006.11001.20083.0 on phones running on Windows build RS1. We apologize for the issue and our engineers are quickly working on a fix for this. Please stay tuned.

Although we won’t be seeing any major software updates for Windows Phones, Microsoft is still going to issue monthly, cumulative updates for the platform, and Windows Phone will be supported until late 2019.

Well done, o ye nameless dev/coder of Redmond: consider thy haste to have been well-received. Go forth, Microsoft, and try hard not to fall on your face for at least a few more days: the wails from exasperated users with skewered production schedules were making the internet froth!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/DHcZsgYKUmk/