True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Iran Launches Evil New Malware That Wipes Windows Workstations


Zak Doffman posted: "Iran’s state-sponsored hackers have deployed a new strain of malicious malware, warns IBM, which has been aimed at the “industrial and energy sectors” in the Middle East.

No specific companies have been identified, but there’s no surprise in the nature of the attack. For Iran, its ongoing hybrid conflict with the U.S. and its allies has made these sectors a target. IBM has attributed the latest “destructive attacks” to Iran’s hyperactive APT34 “and at least one other group, [also] likely based out of Iran.”

APT34 has hit the headlines a few times this year, including with a phishing attack using LinkedIn. But it’s the identity of that “one other group” that’s arguably more interesting. The sectoral targets and use of wiper malware points towards Iran’s APT33, arguably the best known of its threat actors. This is the group behind the Microsoft Outlook exploit in July, prompting a U.S. government warning, and which deployed its own VPN to veil“aggressive attacks” on U.S. and Middle East targets in the oil and gas sector.

APT33 was also behind the infamous 2012 Shamoon attack on Saudi Aramco, an attack which erased the data on most of the company’s computers. Full story at Forbes



Online Holiday Shopping Tips


It’s that time of year again: online holiday shopping! With half of all holiday shopping now done online, shoppers are exposed to the numerous scams the bad guys use to get rich. Here are 10 tips from KnowBe4 to help you stay safe this holiday season.

  1. Never click on links in emails. If you want to shop at a site, enter that site address in your browser. There are thousands of fake sites that look almost identical to the real thing. Don’t fall for evil-twin shopping sites.
  2. Don’t open attachments with special offers. It’s a classic scam. The offer should be in the email and you should be able to see it right away.
  3. Watch for malicious ads and popups. Do not click on ads that sound too good to be true, and ignore popups that might propose the “best deal ever”.
  4. Beware of e-skimmers. This is a new one. Do you know that bad guys sometimes skim your credit card at gas stations or ATMs? Well, there is a new flavor of that: the shopping website you order from might be infected with an “e-skimmer” that steals your card data when you check out. You can prevent that by using PayPal or Amazon.
  5. Use a credit card to buy stuff online if possible. NEVER use a debit card to make online purchases but use that debit card to take out cash only.
  6. Do not shop over a public Wi-Fi. You simply do not know if it’s secure and who is listening. Only shop using a secure, trusted network. If you have no other way to shop, use a VPN which encrypts your traffic.
  7. Be very careful when you see a free offer during the holidays. There is an explosion of all kinds of survey fraud and gift card scams.
  8. Do not re-use any of your passwords. Instead, use a password manager to create hard-to-break passwords. Re-using any password is literally an invitation to get hacked.
  9. Keep a close eye on your credit card and bank accounts. During this season, unexpected and strange charges might appear which could very well be the first sign your card or even your whole identity has been stolen. If you think you might have been scammed, stay calm and call your credit card company, nix that card and get a new one.
  10. Be especially suspicious of gift card scams. They can be a perfect holiday gift, but gift card scams are skyrocketing. Only buy gift cards from trusted sources.



Chrome 79 released with tab freezing, back-forward caching, and loads of security features


Google has released today Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users.

This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism.

Let's go over each of these new features in greater depth, one by one.


Password Checkup is an online service through which Google takes all your Chrome-synced passwords and checks to see if any have leaked via breaches at other online services.

Until today, Password Checkup was only available as a separate Chrome extension or a section in the Google web dashboard.

Starting with Chrome 79, released today, the Password Checkup utility has been integrated into Chrome itself. To use it, Chrome users must be logged in to their Google account inside Chrome.

Once enabled, the feature will let users know for what websites they're using passwords that have been previously leaked online, and prompt the user to change them.

In a blog post published today, and shared with ZDNet, Google explained how this process works, in greater detail:

  • Whenever Google discovers a username and password exposed by another company's data breach, we store a strongly hashed and encrypted copy of the data on our servers with a secret key known only to Google.
  • When you sign in to a website, Chrome will send a strongly hashed copy of your username and password to Google encrypted with a secret key only known to Chrome. No one, including Google, is able to derive your username or password from this encrypted copy.
  • In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users' usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records, down to 250 records while still ensuring your username remains anonymous. 
  • Only you discover if your username and password have been compromised. If they have been compromised, we strongly encourage you to change your password.
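As an added toy model (not Google's or Chrome's code) of the bucketing and blinding just described: a 3-byte SHA-256 prefix of the username selects a bucket, and a commutative-exponentiation (Diffie-Hellman style) blinding, the simplest form of private set intersection, lets the client learn only whether its own hashed credential is in that bucket. The tiny group, the names BreachServer and check_credential, and the sample breach list are all assumptions for illustration.

```python
"""Toy model of a blinded, bucketed credential-leak check (illustration only)."""
import hashlib
import math
import secrets
from collections import defaultdict

# Constructed toy group: arithmetic modulo the Mersenne prime 2**127 - 1.
# Far too small for real use; chosen so the example runs instantly.
P = 2**127 - 1


def random_exponent() -> int:
    """Pick a secret exponent that is invertible mod P-1 (needed to unblind)."""
    while True:
        e = secrets.randbelow(P - 1)
        if e > 1 and math.gcd(e, P - 1) == 1:
            return e


def username_prefix(username: str) -> bytes:
    """3-byte SHA-256 prefix of the username. This is all the server learns
    about the username; it only narrows the search to one bucket."""
    return hashlib.sha256(username.encode()).digest()[:3]


def credential_element(username: str, password: str) -> int:
    """Map a (username, password) pair to a nonzero group element in [1, P-1].
    A plain SHA-256 stands in for the 'strong hash' the text mentions."""
    digest = hashlib.sha256(f"{username}\0{password}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


class BreachServer:
    """Holds breached credentials only as group elements raised to a
    server-secret exponent b, bucketed by username prefix."""

    def __init__(self, breached_pairs):
        self.b = random_exponent()
        self.buckets = defaultdict(list)
        for username, password in breached_pairs:
            h = credential_element(username, password)
            self.buckets[username_prefix(username)].append(pow(h, self.b, P))

    def query(self, prefix: bytes, blinded: int):
        """Return the client's blinded value raised to b, plus the whole bucket.
        The server never sees the client's username or password."""
        return pow(blinded, self.b, P), list(self.buckets.get(prefix, []))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind with a, query, unblind with a^-1, test membership."""
    a = random_exponent()
    h = credential_element(username, password)
    double_blinded, bucket = server.query(username_prefix(username), pow(h, a, P))
    # ((h^a)^b)^(a^-1) == h^b mod P, directly comparable to the stored values.
    h_b = pow(double_blinded, pow(a, -1, P - 1), P)
    return h_b in bucket


# Constructed sample breach corpus.
SAMPLE_BREACH = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "hunter2")]

if __name__ == "__main__":
    srv = BreachServer(SAMPLE_BREACH)
    for user, pw in [("alice", "hunter2"), ("alice", "Tr0ub4dor&3"), ("dave", "hunter2")]:
        verdict = "LEAKED" if check_credential(srv, user, pw) else "not found"
        print(f"{user}/{pw}: {verdict}")
```

Note that the server's reply to a query reveals nothing about other users' credentials beyond the opaque h^b values, and the client's blinded value reveals nothing about its own.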


For years, Chrome has featured a security setting known as the Safe Browsing API. Through this tool, Chrome downloads a list of known bad sites once every 30 minutes.

When a user visits a site, Chrome checks the URL against this list of known bad sites, which is stored locally inside all users' browsers.

However, Google says that in recent months, threat actors have been changing sites and domains at a faster pace, taking advantage of this 30-minute delay.

Starting today, with the release of Chrome 79, Google says Chrome will get a new option in the "Sync and Google services" section that will allow users to enable the scanning of bad sites in real-time. Option 1 in the image below denotes that Safe Browsing is enabled. Option 2 gives Chrome permission to send URLs to Safe Browsing servers. Turning both options on enables real-time Safe Browsing.

Enabling this feature also means that you're OK with sending your web browsing history to Google. The company says that users have nothing to fear, as all URLs will be anonymized. The company explains how this will work:

"When you visit a website, Chrome checks it against a list stored on your computer of thousands of popular websites that are known to be safe. If the website is not on the safe-list, Chrome checks the URL anonymously with Google (after dropping any username or password embedded in the URL) to find out if you're visiting a dangerous site. Our analysis has shown that this results in a 30% increase in protections by warning users on malicious sites that are brand new."

In our test Chrome 79 install, this feature was enabled by default, a setting that some users or system administrators might want to turn off.

For Chrome enterprise installations, Google has prepared a group policy that will let administrators turn it on or off across an organization, depending on each company's security policies.


Another cool security feature added in Chrome 79 is the general availability of Predictive Phishing.

Launched in 2017, Predictive Phishing warns users when they might be entering passwords on suspected phishing sites.

Initially, the feature only supported detecting phishing sites when entering Google account credentials, and only when users were using the Sync feature inside Chrome.

With Chrome 79, Predictive Phishing warnings will be available for all usernames and passwords stored inside Chrome's password database, whether or not the user is using the Sync feature.


Cyber Has Emerged as a Risk That is Not Specifically Covered by Other Insurance Policies


Insurance is a fundamental aspect of business risk management used to spread or mitigate financial risk by transferring it to a third party. Since business is now urged to take a risk management approach to cyber security, it is natural and inevitable that cyber insurance should be considered as part of the mix. Cyber insurance is set to grow, in size as an industry, and in importance as a service.

But there are issues -- not least because there is comparatively little actuarial history on which the industry can base its premiums. While there is a century of auto insurance and many centuries of shipping insurance, there is little more than two decades of cyber insurance history. As a result, both insurers and insureds are still unsure about what it is, what it should or can cover, and how much it should cost.

To the insurers, cyber insurance is primarily a gap filler. Cyber has emerged as a new risk that is not specifically covered by other policies, and cyber insurance is designed to fill that gap. But immediately there's a problem, because aspects of existing policies may cover aspects of cyber risk. The principle of 'silent cyber' can apply -- that is, if cyber is not specifically excluded from the policy, it is de facto included. Is separate cyber insurance even necessary?

Mondelez and NotPetya (the Act of War exclusion)

Mondelez appears to have believed it was not -- it already had an 'all-risks' property cover with Zurich American Insurance that included "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction..." Following damage from NotPetya, it filed a claim for $100 million. Zurich American Insurance eventually declined the claim, and cited the 'war exclusion' clause of the policy, sending ripples of concern through business. If NotPetya can be defined under this exclusion, what cyber-attack cannot?

But it's not that simple. War exclusion is a standard and accepted clause in all property insurance. NotPetya was declared to be an act of Russian aggression. It was first directed at Ukraine, and there is effectively a war between Russia and Ukraine. So, both Mondelez and Zurich have a case -- one that is now to be decided by the courts.

We do not know the reasoning behind Zurich's position. However, if it simply pays the claim, it will weaken the need for separate cyber insurance, and weaken the nascent cyber insurance market. The suggestion is that if Mondelez had separate specific cyber insurance, Zurich would likely have paid the claim.

In defense of this view, Robert Wice, a focus group leader for U.S. cyber and technology at Beazley (an insurance firm that operates in Europe, the U.S., Canada, Latin America and Asia, and manages six Lloyds syndicates) comments, "There is a lack of clarity around silent cyber on property insurance. In pure cyber policies, war is still an exclusion, but cyber terrorism is more likely to be covered. I don't know of any pure cyber policy that refused to pay out for WannaCry or NotPetya -- so the proof is in the pudding."

There is a distinct possibility that the Mondelez/Zurich issue is being used as a test case to provide clarity. If Zurich is forced to pay out, this will weaken the argument for separate cyber insurance. Conversely, if the war exclusion clause in its current form holds, then the argument for a separate cyber policy that will include cover for 'cyber terrorism' (although still not actual war) gains strength.

Regulatory penalties

Corporate insurance should be treated as catastrophe mitigation. Attempts to cover every single dropped or broken piece of equipment will simply increase premiums and introduce additional management costs. The best function of insurance is to protect the organization from the financial effects of situation-changing events.

In cyber, such events are usually triggered by a major breach and the associated costs. Over the last year, however, a new financial threat has emerged: regulatory fines. In the U.S., Facebook has been fined $5 billion by the FTC. In Europe, Marriott has been fined $124 million and British Airways has been fined $230 million by the UK’s Information Commissioner’s Office (ICO).

It isn’t clear whether regulatory penalties can be insured. It’s a question of ‘moral hazard’: should an organization be legally allowed to transfer the risk of illegal activity to a third party? For now, the majority opinion seems to be ‘no’. But it is far from settled. Under English law, what this principle “is really looking at,” explains Greig Anderson, a partner specializing in dispute resolution with professional services firm Herbert Smith Freehills, “is criminal or quasi-criminal conduct. Under English law, the issue is whether an insurer can rely on a defense of illegality and refuse cover in response to an insured's claim for indemnity for a fine. This defense prevents the courts enforcing a claim when it is founded on 'immoral or illegal' conduct. On the one hand, there is some suggestion in case law that this debars recovery of all fines which are of a penal character for breach of laws enacted for the protection of the public interest. On the other hand, the courts must consider whether upholding the defense would be a proportionate response to the illegality, bearing in mind the seriousness of the conduct and whether it was intentional.”

But there’s a mismatch between this and the EU General Data Protection Regulation (GDPR). “Under GDPR, unlike some other statutes, the kinds of conduct that might underlie a breach of GDPR can be entirely innocent. It might be, for example, that a company buys Grade A security as opposed to Grade A+ security,” Anderson added.

This might have been a realistic strategic business decision – but if the GDPR regulator believes that the company should have bought the Grade A+ product, it can still levy a potentially very heavy fine if a breach of personal data occurs. “The courts may have some discomfort in suggesting that a fine in those circumstances is the kind of criminal or quasi-criminal conduct that should not be covered by insurance -- and they have considerable latitude in relation to how they approach this. I don't think there is an easy answer.”

Incident Response

While war exclusion and regulatory penalty cover are subjects yet to be decided, cyber insurance is building its presence in incident response. 

When an organization considers cyber insurance, “One of the first things they want to know,” commented Wice, “is, when something bad happens, how much say do I have in controlling and understanding what happens?” He suggested it was a collaborative approach between the insured and insurer, but made it clear that the insurer will expect to ‘quarterback’ the process.

There is value in this. Each victim company has only its own experience to draw on – the insurer has far more. “Ultimately there is a tried and true practice of responding to a breach,” he continued, “where the insured will certainly benefit from literally thousands of other breaches that our team has already handled. You get this expertise in a box.”

What this means is that the insurer will want to hear from the insured “as soon as there is a problem, a suspected breach of security, because we have a panel of experts on the legal side, on the crisis management side, credit monitoring if that is involved, and we have relationships with forensics firms that have very favorable experiences with us in terms of managing through the process, working with the insurer and the insured to adequately respond to a breach.”

To a very large extent, the insurer expects to run the show with its own preferred team of experts. This will work well with simple breach response – but what if that response requires an early decision on whether to pay an extortion demand? The answer here, said Wice, “is that some insureds will want to pay, depending on the circumstances, and some will not.”

Again, the insurer will effectively quarterback the decision. It may not insist on its own advice, but will be able to exert hidden and unhidden pressure in terms of future premiums and coverage to ensure adherence to that advice.

This is where the future of cyber insurance gets a bit murky. Breach costs and extortion demands are increasing rapidly, and the industry simply does not have the actuarial history (and given the speed with which cyber changes, possibly never could have) to be able to pitch the premiums at the right level to cover costs and still make a profit. 

Under such circumstances, one must wonder whether the insurance industry will start imposing security conditions on the insured; that is, follow our recommendations and you’ll get a reduced premium.

Insurer Influence on Corporate Security

This is a difficult area. Taken to extremes, ‘you must include these controls’ could expand to become ‘you must use these specific products’.

Opinions are divided on whether this could happen. From within the security industry, Akshay Bhargava, SVP of cybersecurity at Malwarebytes, told SecurityWeek, “Insurance providers do not need to specify security controls, rather they should rely on industry standards that have been defined to detect, prevent, and respond to cyber-attacks.” In other words, independent auditing to, say, the NIST Security Framework should be enough for the insurer.

Kris Lahiri, co-founder and DPO at Egnyte, is equally doubtful. “The insurance industry will always keep some distance from the actions of its insureds – among other things, it’s the only way it can retain the ability to point to the small print and potentially avoid liability. That’s not to say it will not publicize best practices and possibly impose minimum security requirements for Cyber coverage to remain effective, but I do not see that as leading to micro-management of a whole industry.”

It may be that the industry is too young to know how things will develop. But the potential is there. Greig Anderson told SecurityWeek, “Insurers are interested in understanding the cyber security measures employed by businesses. In fact, insurers are developing additional services where they assist businesses in improving their security measures. This both assists the business and lowers premiums because the better a business is at mitigating its cyber security risk, the less insurers need to charge because the risk for them is less.”

It is the extent and nature of that assistance that is still unknown. Andrew Barratt, managing principal at Coalfire, is optimistic. “Where cyber insurers are in place, they can and often do call the shots – but usually in a fairly ‘light-touch’ way.”

Jack Kudale, founder and CEO of Cowbell Cyber, sees the solution to getting the right premium versus cover balance coming from ‘inside out’ continuous risk assessment. “Measuring and weighing insurable threats is a far better approach than grading cybersecurity products. The best underwritten cyber policy incorporates decision based on inside-out exposure assessment, outside view, loss cost analysis, business interruption forecast and dark web scores.”

Peter Halprin, an insurance attorney and arbitrator at Pasich LLP, comments, “I am not aware of a situation where the insurers have gone in to dictate the security architecture a company should have in place. I am aware of situations where, when the policyholder is putting together its application, there is a phone call and/or meeting or series of meetings between the policyholder and its IT team and security team and the insurers -- and the insurers usually bring along a consultant to help them evaluate what systems the policyholder has in place. That is the underwriting process. That helps them determine the level of the risk and the associated premium and the exposure and limits.”

But at the same time, he also adds, “my understanding from industry experts is that MFA can drastically reduce premiums.”

Does business need cyber insurance?

Nobody needs insurance. It is just one option in risk management. Nevertheless, insurance is so deeply embedded in business risk management, that cyber insurance becomes an obvious extension. The difficulty is this is a new development with little more than a decade of serious existence.

The insurance industry is still learning what premiums should be applied, and the insured is still learning what cover is needed. It is almost certain that the insurer will seek influence in the insured’s security posture, if only to minimize its payouts and protect its profits.

The consensus opinion, however, is that for at least the foreseeable future, it will not be too heavy-handed – if only because there is high capacity within the insurance market, and competition between the different insurers.

Two aspects stand out. Cyber insurance is fundamentally a gap filler between other existing insurances. Security is well aware that gaps and different products lead to weaknesses. The danger here is that the insured might feel, incorrectly, that it is already covered by existing policies, leaving a gap in coverage. The Mondelez/Zurich situation is a case in point. It is vital, therefore, that all insurances are examined in detail and at great depth.

The precise wording and the correct policy are important. For example, cyber insurance will not normally cover the cost of broken contracts (SLAs) even if the cause is cyber ransomware. Broken contracts can be covered, but by a pre-existing separate policy.

Similarly, it is also important that the policy accurately reflects the insured’s security posture. If a firm has a preferred third-party incident response firm, that incident responder should be explicit on the policy. If a security product is changed during the life of the policy, the new product should be named on the policy. 

This requires good and continuous communication between the CISO and the risk manager (or other executive handling the firm's insurances), and between the risk manager and the insurer. Failure in this may not necessarily be problematic in the event of a claim, but fulfillment will guarantee that it is not.

The second aspect is the potential size of the cyber insurance marketplace. Kudale comments, “I anticipate that cyber insurance premiums over next decade will surpass the total cybersecurity spend globally. We will see more focus following cyber-attacks and cyber insurance will be core to mitigate financial losses in the aftermath of these global attacks.”

The extent to which a big industry will allow a smaller industry to influence its payouts remains to be seen. In the meantime, it is probably fair to say that business will benefit from cyber insurance – but that RTFM applies to policies even more than it ever applied to software.



What Is a Wangiri or "One Ring" Phone Scam?


Wangiri or "one ring" phone scams are bombarding people all over the world. Here's how the scam works and how to protect yourself.

All day, strange foreign numbers have called your phone. They’re from a country you’ve never visited. Each time the digits change slightly, making it impossible to block them. They ring for just a few seconds before hanging up. You’re tempted to call them back, but you shouldn’t—it’s a scam, and falling for it could cost you dearly.

This approach, called the Wangiri Scam, relies upon your innate curiosity. Many people would instinctively return a missed call—even from a mysterious international number. And the repetitive nature of the scam (it’s not unusual to receive dozens of missed calls in a single day) adds to the intrigue and pressure.

What happens if you cave? Your call is routed to an expensive premium rate number. You are then coerced into staying on the line for as long as possible. The longer you hold on the line, the more money they ultimately make.

To accomplish this, the scammers rely on a mix of social engineering and psychology. Some victims have reported being told they’ve won a prize—usually money—and are encouraged to wait on the line to claim it. Others merely test the victim’s patience by subjecting them to hold music without any other incentives.

Wangiri scams originated in Japan. The term itself is Japanese for “one (ring) and cut.” And as the name would imply, it’s a genuinely international scam, with victims distributed across the world. Warnings about the scam have appeared in the U.K., Canadian, Irish, and New Zealand media, among others. In the U.S., the FCC has warned consumers about it.

Adding to the Wangiri scam’s cosmopolitan credentials is the disparate number of countries these calls emerge from. According to a 2018 article on Which?, victims have reported receiving one-ring calls from developing African nations like Mauritania, Liberia, Comoros, and Chad, as well as tiny Pacific nations like the Cook Islands and Nauru (population 10,756).

That said, you shouldn’t assume every Wangiri call will come from a developing nation. At the start of the month, thousands of U.K. residents (including this writer) were bombarded by fraudulent phone calls from Swiss phone numbers.

How to Protect Yourself

Ultimately, there’s only one way to protect yourself from this scam, and it’s to refrain from returning calls from numbers you don’t recognize—particularly those from international numbers. It’s not unreasonable to assume anyone who urgently wishes to speak to you will have their digits stored on your phone’s contacts list, or will leave a voicemail or send a text message.

Another sensible assumption: If you’re deluged with mysterious missed calls, chances are other people are, too. Googling that number will typically show you whether other people are in the same situation, allowing you to confirm your suspicion that it’s a scam.

If you find yourself repeatedly barraged with Wangiri calls, you might also want to consider changing your phone number and limiting who gets it. Phone scammers frequently obtain phone numbers from data leaks and marketing databases, both easily obtained through legitimate and illegitimate means. It’s the former that’s most pertinent to this scam.

Over the past few years, hundreds of millions—and potentially billions—of people have found their details leaked to the Internet as a result of clumsy security practices. Earlier this year, unauthorized persons gained access to a database belonging to one company, People Data Labs, that contained 1.2 billion records. These included email addresses, SSNs, and yes, phone numbers.

It’s always a good idea to plug your details into Troy Hunt’s Have I Been Pwned to see if you’ve fallen victim to a data breach. Once you know the situation, you can start taking protective measures.

Another sensible idea is to contact your phone company and request they place a cap on the amount of money you can spend out of your plan. Should you accidentally butt-dial one of these Wangiri numbers, it’ll limit your losses to a more manageable amount.

And if you can, consider asking your phone network to block all outbound calls to international numbers.

Finally, if you have an iPhone, the new Silence Unknown Callers option in iOS 13 can help.

If You’ve Been Stung

What happens if the worst happens and you return the Wangiri call? In that situation, I’d strongly encourage you to call your phone provider and explain the situation. Some networks, like Vodafone in the U.K., will refund all charges made to a proven fraudulent number within thirty days.

You might also find that some networks without an explicit Wangiri refund policy will reimburse victims on a goodwill basis. Of course, this is entirely contingent on how generous your phone provider is feeling—and perhaps your ability to spin a convincing sob story.

If they’re unwilling to refund the charges, they might be amenable to letting you spread the cost of the call over several months, particularly if you’ve run up an unusually large bill.

Finally, you should report your experience to the relevant authorities, who will be able to investigate. In the U.S., that’s the FCC. In the U.K., you should contact Action Fraud.



Messaging / Smishing Attacks: You are the Best Defense


One of the most common ways cyber attackers attempt to trick or fool people is by scamming you in email attacks (often called phishing) or by tricking you with phone calls. However, as technology continues to advance, bad guys are always trying new methods, including tricking you through messaging technologies such as text messaging, iMessage/FaceTime, WhatsApp, Slack or Skype.

Here are some simple steps to protect yourself and spot / stop these common attacks.

What Are Messaging Attacks?

Messaging attacks (sometimes called Smishing, a play on the word Phishing) are when cyber attackers use SMS, texting or messaging technologies to reach out to you and try to trick you into taking an action you should not take. Perhaps they want to fool you into clicking on a malicious link or get you to call a phone number so they can get your banking information. Just like in traditional phishing email attacks, bad guys often play on your emotions to get you to act. However, what makes messaging attacks so dangerous is that they often feel far more informal or personal than email, making it more likely you may fall victim.

In addition, with messaging attacks there is less information and fewer clues for you to pick up on that something is wrong or suspicious. When you receive a message that seems odd or suspicious, start by asking yourself: does this message make sense, and why am I receiving it? Here are some of the most common clues of an attack.

  • A tremendous sense of urgency, when someone is attempting to rush you into taking an action.
  • Is this message asking for personal information, passwords or other sensitive information they should not have access to?
  • Does the message sound too good to be true? No, you did not win the lottery, especially one you never entered.
  • A message that appears to come from a co-worker or friend’s account or phone number, but the wording does not sound like them. Their account may have been compromised and taken over by an attacker, or the attacker is attempting to pretend to be them, tricking you into taking an action.
  • If you get a message that makes you have a strong reaction, wait a moment and give yourself a chance to calm yourself and think it through before you respond.

Sometimes bad guys will even combine email and messaging attacks. For example, gift card scams can work this way. A cyber attacker will send you an urgent email pretending to be a friend or co-worker, then ask for your cell phone number. Then they can send repeated text messages, pressuring you to purchase gift cards. Once purchased, the attackers have you scratch off the code on the back of the cards and message a picture of the codes back to them. Another common attack urges you to “check out” a video or picture (“you won’t believe this!”). It appeals to your sense of curiosity. If the message looks like it is from someone you know, perhaps call the person on the phone to verify before you act.

If you get a message from an official organization that alarms you, check with them directly. For example, if you get a text message from your bank saying there is a problem with your bank account or credit card, contact the bank or card company yourself: type their website address into your browser, or call the phone number printed on the back of your card, never the number in the message. Bear in mind that most government agencies, such as tax or law enforcement agencies, won’t contact you via text message.

When it comes to messaging attacks, you are your own best defense.



SIM Card Attack May Affect Over 1 Billion Mobile Phones Worldwide


By sending specially crafted SMS messages, attackers can abuse a legacy piece of SIM software, called the S@T Browser, to execute commands on a mobile device without any action by its owner, as one stage of a more sophisticated attack.

Researchers at AdaptiveMobile Security have announced the discovery of a mobile phone SIM vulnerability dubbed Simjacker. They believe it has been exploited for over two years and that vulnerable SIM cards are in use in over 30 countries, so the potential exposure is significant.

According to AdaptiveMobile, an SMS message with specific encoding is sent to the phone; the SIM card hands it to an embedded library, the S@T Browser, which processes the commands it contains. Location and device information can be exfiltrated, and commands can be executed remotely on the mobile device, including:

  • Sending outbound SMS messages
  • Placing phone calls
  • Opening a web page

These kinds of actions could play a role in larger attacks. For example:

  • CEO gift card and fraud scams could be initiated via text message
  • Outbound calls could be used to listen in on conversations
  • Malware could be installed by directing the phone’s browser to a malicious website

This is a very powerful and nasty vulnerability. According to AdaptiveMobile, carriers are working to block such messages in the network, which matters because the messages need no user interaction to take effect. But any follow-on attack that builds on a compromised handset will still rely on traditional methods (usually some form of social engineering), so users should remain vigilant against attacks arriving via mobile text messaging, mobile email, etc.



Black Friday 2019 Security Threat: U.S. Government Advises Consumers To Stay Vigilant


This year, like every year, Black Friday happens to be the day after Thanksgiving and, in effect, marks the start of the holiday shopping season. Consumers may well get more than they bargained for this November 29, as cybercriminals seek to exploit the retail feeding frenzy. Such is the concern over the potential for malicious activity that one U.S. Government agency has issued a statement advising consumers to "remain vigilant" and take precautions to avoid falling victim.

Why is Black Friday a security risk?

Black Friday is a big deal; of that, there can be no doubt. In 2018 more than 165 million people shopped over the Black Friday weekend, with $6.2 billion (£4.8 billion) in online sales on the Friday alone. This year it has been predicted that Black Friday sales will hit $7.5 billion (£5.8 billion.) This pales almost into insignificance when compared to "Singles Day," the November 11, 2019 one day sale at China's Alibaba online shopping empire. In the first 16.5 hours alone, it has been reported, some $31 billion (£24 billion) in sales were racked up.

Taking all of this into account, you don't have to be the Sherlock Holmes of cybersecurity to work out why such holiday season sales days are a prime target for cybercriminals. The vast majority of cybercrime is financially motivated, and following the money makes Black Friday a veritable magnet for criminal chancers of all varieties, which means more links and attachments delivering malware, more social engineering to separate you from your login credentials and more need for security awareness to be front and center.

The Cybersecurity and Infrastructure Security Agency (CISA) has published a "current activity" statement encouraging internet users to remain vigilant. CISA, part of the Department of Homeland Security (DHS), was established when President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. It has a brief to act as the risk advisor for the U.S. and work with partners to "defend against today’s threats," as well as collaborate to build a more resilient infrastructure in the years to come. You may recall CISA issuing a warning about a Windows BlueKeep exploit recently, for example.

Current activity statements are issued as part of the CISA National Cyber Awareness System, providing "up-to-date information about high-impact types of security activity." The latest posting relates to holiday season shopping, phishing and malware scams. "As this holiday season approaches, the Cybersecurity and Infrastructure Security Agency (CISA) encourages users to be aware of potential holiday scams and malicious cyber campaigns, particularly when browsing or shopping online," the statement read.

What should you watch out for this Black Friday weekend?

The timing of this is all-important with Black Friday less than three weeks away as I write. The CISA warns that cybercriminals may send emails containing malicious links or attachments. "Scammers and criminals are often looking for events to use as a hook for their scams," Javvad Malik, security awareness advocate at KnowBe4 said, "increasingly, we've been seeing more people targeted during the holiday season."

Because consumers often spend more on big-ticket items than usual it is easy to lose focus when an email or text message arrives purporting to be from a credit card provider or bank regarding a "suspicious transaction" or alerting them that the account has been frozen on security grounds. These, along with fake Amazon shipping invoices, for example, have a higher chance of users clicking on the links or downloading attachments than usual according to Malik. "Even during holiday times, people should remember that scammers will often use the same tactics of instilling panic or fear into their victims in order to get them to respond quickly without thinking of the implications, or what the proper process should be," Malik said.

CISA National Cyber Awareness System guidance

CISA encourages Black Friday shoppers, and everyone else as the holiday season descends upon us, to be vigilant and recommends the following National Cyber Awareness System resources:

  • Using caution with email attachments
  • Avoiding social engineering and phishing attacks
  • Shopping safely online

Retailers also at risk during Black Friday sales

Security vendor Kaspersky, meanwhile, warned that retailers, as well as consumers, will find themselves in the cybercriminal cross-hairs this Black Friday weekend. "As the attention of your business focuses on accommodating the proverbial stampede of shoppers, there’s a good chance you could be too distracted to notice attacks in progress," a Kaspersky blog posting stated. "When that happens, hackers might target your website to lead online shoppers to malicious clones to try to steal personal or payment information." Like CISA, Kaspersky recommends staying vigilant as the best defense for retailers just as it is for consumers.



Ferguson Medical Group Reports Data Loss from Ransomware Attack


Ferguson Medical Group, owned by Saint Francis Health, was infected with ransomware in September, which caused some data loss; a phishing incident and email hack complete this week’s breach roundup.

The Missouri-based Saint Francis Healthcare System’s Ferguson Medical Group was hit with a ransomware attack in September 2018, which encrypted all of the medical records for services provided by FMG prior to January 1, 2019.

The cyberattack infected the computer network used by FMG before it was acquired by Saint Francis in early 2019. All data contained on the network was rendered inaccessible by the attack, and officials were asked to pay a ransom to regain access.

Upon discovery, Saint Francis immediately took steps to secure the network and worked with federal law enforcement. The health system did not pay the ransom, but restored access to the encrypted files using available backup files.

However, officials said they were unable to restore access to all of the files encrypted by ransomware. As a result, all records for services provided by FMG between September 20, 2018 and December 31, 2018, including documentation scanned into the FMG system were permanently lost.

“Saint Francis does not believe that this incident resulted in the disclosure of any patient information to any unauthorized third parties,” officials wrote. “There is no indication that patient information has been or will be used inappropriately.”

All individuals from the impacted timeframe are being identified and located and will receive free credit monitoring services.


Choice Cancer Care Treatment Center in Texas recently began notifying patients that their data was potentially breached after an employee email hack in May.

On May 21, officials discovered suspicious activity on a company email account and launched an investigation with help from a third-party forensic investigation firm. They determined an unauthorized actor gained access to one employee email account between May 1 and May 21 before it was discovered.

According to officials, after discovering the incident they secured the account and confirmed the security of its employee email system.

Officials then “undertook a diligent programmatic and manual review of the contents of the relevant email account to determine whether personal information may have been present in the email account at the time of the incident.”

The investigation ended on September 18, four months after the initial incident. Choice Cancer Care then reviewed the records found within the compromised email account, which included some patient names and medical or health insurance information.

For some patients, the data could also include driver’s licenses, Social Security numbers, credit card information, and passport numbers. Those patients will receive credit monitoring and identity restoration services.

Choice Cancer Care is currently reviewing its policies and procedures for data security and conducting additional employee training on data privacy and security.


California’s Solara Medical Supplies discovered an email breach in June; its investigation later found a more extensive compromise of its employee email system. In total, 114,007 patients were affected.

Suspicious activity was first discovered on June 28 on one employee email account. An investigation led by a third-party team revealed that several of its Office 365 email accounts had been breached for several months, between April 2 and June 20. The accounts were immediately secured.

A manual review of the accounts determined the hacker could have potentially accessed some data that varied by patient, including names, Social Security numbers, employee identification, health insurance data, passports, state ID or driver’s licenses, Medicare or Medicaid ID, contact information, birthdates, and a trove of personally identifiable data.

Patients will receive a year of free credit monitoring and identity theft protection services. Solara has since bolstered the security measures on its email system.
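Both of the notices above describe a "programmatic and manual review" of the compromised mailboxes to decide which patients must be notified and for what data. As an added example, not code from either provider or from their forensic firms, the Python below does the programmatic half over a constructed sample mailbox: it finds Social Security numbers and Luhn-valid payment card numbers, masks them, and reports which messages carried regulated data and how many of each type, so the scope of notification can be worked out without copying the raw values into yet another place. The message format, the sample messages and the two data types covered are assumptions of this example; a real review would add the other identifiers the notices list (driver's license, passport, Medicare IDs) with patterns appropriate to the jurisdiction.

```python
import re

# Patterns for two of the data types named in these breach notices.  SSN: 3-2-4
# with the never-issued ranges excluded.  Card: 13-19 digits, optionally separated
# by spaces or dashes; the Luhn check below weeds out order numbers and phone numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> dict:
    """Return masked SSN and payment-card findings in one message body."""
    findings = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings["card"].append(mask(digits))
    return findings


def scan_mailbox(messages: list) -> dict:
    """Scope a compromised mailbox: which messages carried regulated data and
    how many of each type, without writing the raw values anywhere."""
    report = {"messages_with_pii": [], "totals": {"ssn": 0, "card": 0}}
    for msg in messages:
        found = scan_text(msg["subject"] + "\n" + msg["body"])
        if any(found.values()):
            report["messages_with_pii"].append({"id": msg["id"], **found})
            for kind, hits in found.items():
                report["totals"][kind] += len(hits)
    return report


# Constructed sample mailbox for this example (not real patient or card data).
SAMPLE_MAILBOX = [
    {"id": "msg-001", "subject": "Re: insurance pre-auth",
     "body": "Patient SSN 123-45-6789, policy 88-1209. Please confirm coverage."},
    {"id": "msg-002", "subject": "Card on file",
     "body": "Use 4111 1111 1111 1111 exp 12/21 for the co-pay; invoice 4111-1111-1111-1112."},
    {"id": "msg-003", "subject": "Lunch order",
     "body": "Call 555-123-4567 before noon. Order ref 2019-0521-0001."},
]

if __name__ == "__main__":
    for hit in scan_mailbox(SAMPLE_MAILBOX)["messages_with_pii"]:
        print(hit)
```

The Luhn filter is what keeps the card count honest: the second 16-digit string in msg-002 looks like a card but fails the checksum, and the phone number and order reference in msg-003 never reach it. Masking at the point of detection matters too; a scoping report that itself contains full card numbers is a second incident waiting to happen.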

Ransomware, phishing, and other email-related cyberattacks continue to plague the healthcare sector. Europol recently shared best practice guidance for spear-phishing attacks, which could prove useful to those healthcare providers still struggling to keep pace with these threats. The guide contains a list of useful technologies, as well as necessary policies and procedures.



110 Nursing Homes Cut Off from Health Records in Ransomware Attack

A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.


Milwaukee, Wisc. based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.

At around 1:30 a.m. CT on Nov. 17, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a whopping $14 million ransom in exchange for a digital key needed to unlock access to the files. Ryuk has made a name for itself targeting businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay.

In an interview with KrebsOnSecurity today, VCPI chief executive and owner Karen Christianson said the attack had affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

The care facilities that VCPI serves access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking (VPN) platform, and Christianson said restoring customer access to this functionality is the company’s top priority right now.

“We have employees asking when we’re going to make payroll,” Christianson said. “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

Christianson said her firm cannot afford to pay the ransom amount being demanded — roughly $14 million worth of Bitcoin — and said some clients will soon be in danger of having to shut their doors if VCPI can’t recover from the attack.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she said. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.”

The ongoing incident at VCPI is just the latest in a string of ransomware attacks against healthcare organizations, which typically operate on razor thin profit margins and have comparatively little funds to invest in maintaining and securing their IT systems.

Earlier this week, a 1,300-bed hospital in France was hit by ransomware that knocked its computer systems offline, causing “very long delays in care” and forcing staff to resort to pen and paper.

On Nov. 20, Cape Girardeau, Mo.-based Saint Francis Healthcare System began notifying patients about a ransomware attack that left physicians unable to access medical records prior to Jan. 1.

Tragically, there is evidence to suggest that patient outcomes can suffer even after the dust settles from a ransomware infestation at a healthcare provider. New research indicates hospitals and other care facilities that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among certain patients in the following months or years because of cybersecurity remediation efforts.

Researchers at Vanderbilt University‘s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

Their findings suggest that after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined. The researchers concluded that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

Companies hit by the Ryuk ransomware all too often are compromised for months or even years before the intruders get around to mapping out the target’s internal networks and compromising key resources and data backup systems. Typically, the initial infection stems from a booby-trapped email attachment that is used to download additional malware — such as Trickbot and Emotet.

In this case, there is evidence to suggest that VCPI was compromised by one (or both) of these malware strains on multiple occasions over the past year. Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security, showed KrebsOnSecurity information obtained from monitoring dark web communications which suggested the initial intrusion may have begun as far back as September 2018.

Holden said the attack was preventable up until the very end when the ransomware was deployed, and that this attack once again shows that even after the initial Trickbot or Emotet infection, companies can still prevent a ransomware attack. That is, of course, assuming they’re in the habit of regularly looking for signs of an intrusion.

“While it is clear that the initial breach occurred 14 months ago, the escalation of the compromise didn’t start until around November 15th of this year,” Holden said. “When we looked at this in retrospect, during these three days the cybercriminals slowly compromised the entire network, disabling antivirus, running customized scripts, and deploying ransomware. They didn’t even succeed at first, but they kept trying.”
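The three-day escalation Holden describes is the window defenders actually get. As an added example, not VCPI's or Hold Security's tooling and not part of this article, the Python below runs a small hunt over constructed process-creation events (the fields a Windows Security 4688 or Sysmon process-create record supplies) for the stages he names: antivirus being disabled, custom scripts being run (here, encoded PowerShell), and backups being destroyed ahead of deployment. A single hit is worth a look; two or more distinct stages on one host inside half an hour is the escalation to act on. The host names, the sample command lines and the thirty-minute window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: the fields a Windows Security 4688 or
# Sysmon Event ID 1 record gives you, reduced to what the rules need.
SAMPLE_EVENTS = [
    {"ts": "2019-11-15T01:58:11", "host": "SRV-A", "user": "svc_backup",
     "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ts": "2019-11-15T02:03:40", "host": "SRV-A", "user": "svc_backup",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2019-11-15T02:05:02", "host": "SRV-A", "user": "svc_backup",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2019-11-15T02:06:15", "host": "SRV-A", "user": "svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-11-15T09:12:00", "host": "WS-07", "user": "jdoe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"ts": "2019-11-15T09:30:00", "host": "WS-07", "user": "jdoe",
     "cmd": "net stop Spooler"},
]

# One rule family per escalation stage: antivirus disabled, custom scripts run,
# and the ground prepared for the ransomware by destroying local backups.
RULES = {
    "av_tamper": [
        re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
        re.compile(r"\b(?:sc|net)(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b", re.I),
    ],
    "encoded_script": [
        re.compile(r"powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b", re.I),
    ],
    "backup_destruction": [
        re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    ],
}


def classify(event: dict) -> list:
    """Names of every rule family whose patterns hit this command line."""
    return [name for name, pats in RULES.items()
            if any(p.search(event["cmd"]) for p in pats)]


def hunt(events: list, window: timedelta = timedelta(minutes=30)) -> dict:
    """Tag events, then correlate per host: two or more distinct stages on the
    same host inside `window` is the escalation an analyst should act on; a
    lone tagged event is still returned for lower-priority review."""
    tagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stages = classify(ev)
        if stages:
            tagged.append({**ev, "stages": stages, "when": datetime.fromisoformat(ev["ts"])})

    alerts = []
    for host in sorted({t["host"] for t in tagged}):
        hits = [t for t in tagged if t["host"] == host]
        for i, first in enumerate(hits):
            cluster = [h for h in hits[i:] if h["when"] - first["when"] <= window]
            stages = sorted({s for h in cluster for s in h["stages"]})
            if len(stages) >= 2:
                alerts.append({"host": host, "first_seen": first["ts"],
                               "stages": stages, "events": [h["cmd"] for h in cluster]})
                break  # one alert per host is enough to start the investigation
    return {"alerts": alerts, "tagged": [t["cmd"] for t in tagged]}


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS)["alerts"]:
        print(f"{alert['host']} {alert['first_seen']}: {', '.join(alert['stages'])}")
```

The point of correlating rather than alerting on each rule is the noise: an administrator does run encoded PowerShell and does stop services, as the WS-07 events show. What does not happen legitimately is real-time protection being switched off and shadow copies being deleted by the same account within minutes of a hidden-window script. Run against the constructed events, only SRV-A produces an alert.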

VCPI’s CEO said her organization plans to publicly document everything that has happened so far when (and if) this attack is brought under control, but for now the company is fully focused on rebuilding systems and restoring operations, and on keeping clients informed at every step of the way.

“We’re going to make it part of our strategy to share everything we’re going through,” Christianson said, adding that when the company initially tried several efforts to sidestep the intruders their phone systems came under concerted assault. “But we’re still under attack, and as soon as we can open, we’re going to document everything.”



Multi-Factor Authentication: More Important Now than Ever


Almost every week you hear about another site or app being breached. And many of those breaches could have been prevented by multi-factor authentication (MFA).

Many of these breaches are caused by weak or reused passwords (the 2019 Verizon Data Breach Investigations Report puts stolen or weak credentials behind 80% of hacking-related breaches). We can’t stress enough the value of a password manager like LastPass to help you, your family, or your employees manage their passwords and create strong, unique passwords. MFA then provides a second layer of defense.

So what is MFA?

Multi-factor authentication (two-factor authentication, or 2FA, is its most common form) is a feature that requires more than just your username and password to log in to an account. After you enter your username and password it also requires a second piece of information, like a one-time code or your fingerprint.

You have to provide that second piece of information, whether it’s a code, a temporary password, or the swipe of a finger, before the account can be accessed. If the correct information isn’t provided, the login is refused.

How can MFA prevent breaches?

When breaches happen at large companies, it is often the case that an attacker got hold of an employee’s credentials and used them to log in to a system. Had that company required MFA on that system, the attacker would have entered the stolen username and password and then been asked for a second form of authentication. Depending on the method, the real user may even receive a code or approval prompt on their phone that they did not ask for, which is itself a warning sign. Since the attacker does not have that second piece of information, they cannot log in, and the breach could well have been prevented.

For you as the end user, MFA matters because if your password is exposed in a breach, the added layer can still keep an attacker out of your account. For example, if someone gets the username and password for your email account, they can try to log in but will not get in without the second factor (a code texted to your phone, or one generated by an authenticator app on your phone). Where a site offers the choice, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected to an attacker’s phone.

What should you do now?

First, start by enabling MFA for your LastPass account. If you are a personal user (either with our Free, Premium or Families products) follow the instructions here. If you are an admin for a business account (Teams or Enterprise) you can make multi-factor required or optional for employees – instructions found here. We encourage our admins to enforce MFA wherever possible in the workplace, such as with single sign-on, user directory, and any other sites that allow for it.  

Also, it’s important to remember that you should turn on MFA for more than just LastPass. Web apps like your email account, Venmo, PayPal, Slack, Twitter, Facebook, and others all offer MFA.  

Using LastPass and MFA together allows you to combine two secure practices: strong, unique passwords on all of your accounts, and an additional layer of security. Together, these allow you to rest easier as the news of breaches continues to roll in because your online accounts are protected to the best of your ability.  



3 Ways to Make Your Holiday Shopping a Breeze - And Keep You Safe


Since our last holiday shopping season, we’ve seen a lot of changes with LastPass. As Black Friday, Cyber Monday, and gift-giving season approach quickly, we’re sharing best practices for using LastPass to make online shopping fast, easy, and most importantly, secure.

Cyber security is a top priority for many consumers after so many of your favorite brands have been in the news this year due to data breaches.

Here are our tips for using LastPass to keep your personal information secure, while also making it easy and quick to get your online shopping done this holiday season.

Adding New Items

You’ll be inputting lots of information as you shop for loved ones this holiday season. From your personal information to shipping and billing address to credit card numbers, that’s a lot of typing, and it should be as seamless as possible. Before you do any shopping, get everything into LastPass by adding these items using the new structure in your vault. Here’s how:

  1. Click the LastPass icon in your browser and select “Open My Vault.”
  2. Select the + icon in the bottom right and choose “Add Item.”
  3. On the menu, select the type of item you want to add (Payment Card, Address, etc)
  4. Enter your information and click “Save” so you can access it later when you need it.

Do this for all of the information you’ll need throughout the holiday shopping season. Don’t forget each of your shipping addresses — your home, work, your parents or in-laws — so you can quickly fill it in when you need it.

Creating New Accounts

When you’re buying for others, you’ll find yourself on sites where you don’t already have an account, and you need to create one. The last thing you want is to take too much time creating those new accounts, so use LastPass to quickly fill your personal information (via the items you added above) and generate strong passwords. Here’s how:

  1. Click the icon in the empty account information field (Name, email address, etc).
  2. In the drop-down menu, click the item that corresponds to your personal information, and it auto-fills for you.
  3. In the password field, click the icon to show the password generator (which has a modern look and feel). You can “Fill Password” to use the auto-generated one, or choose “More Options” to change the requirements, such as length, complexity, and characters.
  4. Click “Fill Password” where it will populate both password fields, and submit the entire form.
  5. In the top right, a card will ask if you want to add the new site to your vault. Click “Add” and you now have the new account saved and easily accessible if you need to go back and track your order or contact support.

Filling Your Credit Card & Addresses

Perhaps one of the more tedious aspects of shopping online is typing in your address and credit card – endlessly. LastPass eliminates that process and reduces it to one click, and is the tool you’ll use most often throughout the upcoming holiday season. Here’s how to fill your information for purchases:

  1. Ensure you added your payment cards and shipping/billing addresses to your vault, as noted in the “Adding New Items” section above.
  2. On the online checkout page, click the LastPass icon in the empty address field. You’ll see a drop down menu of items you added to your vault. Click the one you want and LastPass automatically fills in the form.
  3. In the credit card fields, again click the LastPass icon and select the payment card you want to use to automatically fill the credit card number, expiration date, and security code.

Just like that, you’ve made the online shopping process a series of clicks rather than a frustrating, time-consuming process of finding your credit card number and filling in your addresses. This holiday season, use the new look and feel of LastPass to make online shopping quick and easy, but without compromising your personal online security.



This New, Unusual Ransomware Strain Goes Exclusively After Servers


Danny Palmer at ZDnet alerted on the following: "An unconventional form of ransomware is being deployed in targeted attacks against enterprise servers – and it appears to have links to some of the most notorious cyber criminal groups around.

The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in the PureBasic programming language.

It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS X, meaning attackers can more easily target different platforms.

"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware.  This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services.

These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates that PureLocker is designed for criminals who know what they're doing and know how to hit a large organisation where it hurts.

It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack.

Researchers say the PureLocker campaign is still active and that it's important to ensure organisations have appropriate cyber security policies in place to protect against attacks.

"As with any malware threat, having good security infrastructure helps, but also educating employees about phishing is critical," Kajiloti said." That means stepping them through new-school security awareness training.



Traveling for the Holidays? Avoid These 5 Tech Mistakes


Wi-Fi hotspots, public charging stations, and travel planning sites seem helpful, but they could actually be a traveler's worst nightmare.

With the holiday season approaching, many people are gearing up to visit family and friends. Travel has become much easier over the years with advancements in technology helping travelers book hotels and experiences, get more information about destinations, communicate with friends, navigate unknown territory, and more. 

However, laptops, smartphones, and tablets also open travelers to greater cybersecurity risks, said Clay Miller, CTO of enterprise security company SyncDog.  

"Everyone is pressed for time and always looking for convenience. This natural gravitation toward convenience can sometimes leave security considerations far in the background of our decision making," Miller said. "Unfortunately, there is a host of nefarious players looking for any opening to exploit those who are less than security conscious. Just a simple oversight can lead to severe consequences for an individual who has been compromised."

These risks are always present, but they become even more severe during the holidays, said Tom Kellermann, head cybersecurity strategist of VMware Carbon Black. 

"Hackers are always looking for ways to take advantage of people who are distracted and unaware of their surroundings, and holiday travelers fit the profile to a T," Kellermann said. 

With more than 55 million Americans planning to travel at least 50 miles for Thanksgiving this year, according to AAA's travel forecast report, many people run the risk of having their devices compromised. 

While gifts are common during the holiday season, no one wants to receive a virus or infected device. To help travelers stay protected, here is a list of the biggest tech traveling threats. 

Top 5 traveling threat vectors 

1. Travel sites

Travel-related cyberattacks can occur even before the trip begins. While vacation planning sites can be useful, the user must ensure the site is credible. Many scammers will pose as these sites, pretending to offer luxury vacations, travel coordination, discounted trips, and timeshare sellers, according to the Federal Trade Commission Travel Scams page.

"Cybercriminals follow the money, and unfortunately, travelers are constant targets because they are actively looking to purchase their perfect trip online," said Kevin Epstein, vice president of threat operations at Proofpoint. "We recommend travelers avoid clicking on strange URLs that do not connect back to an official trusted brand, messages that have obvious spelling or grammar errors, and suspicious emails from friends or colleagues floating a deal when you never discussed it with them. 

"Whether the scammer is simply seeking your credit card or more actively luring you into physically unsafe situations, if an online deal looks too good to be true in a social media post or in an email message, it probably is," Epstein said. 

Another best practice for booking tickets or hotel rooms online is to use a credit card instead of a debit card. "Credit cards offer the best liability protection against potential fraud in case you fall victim to a cyber predator," Kellermann said. 

2. Social media and out-of-office messages

Going on a vacation is exciting, but users should avoid sharing that excitement on social media. Posting on social media about vacations is an open invitation for cybercriminals. The same goes for setting up out-of-office messages, Epstein said. 

"Would you post a sign on your front door announcing your residence was vacant? Out-of-office messages can effectively do that, when they're not set to reply to only your office," Epstein said. "If your social network or auto-responder shouts your absence to the world, you're giving thieves carte blanche to visit."

Posting details about a trip on social media can also give cybercriminals ammo for attacks. "Be careful what you post on social media before returning home. Attackers can use those details to add veracity to calls to unwitting relatives and friends, claiming you've been mugged and need bail or money wired to pay fines," Epstein said. 

3. Public charging stations

Public charging stations at airports or other public places are extremely convenient, but are also a convenient way for a device's data to be compromised, Miller said.

"Connecting a mobile device via USB to a piece of hardware in an airport, library, or coffee shop means that you are connecting your device to hardware that is outside of your control," Miller said. "It may be perfectly fine, but there is a risk of data transfer being initiated or something even more nefarious like rooting the device." 

Plugging a device directly into the wall is fine; the risk comes when the device is plugged into a separate unit, Miller said. 

An easy way to avoid these risks is to carry a personal portable charger for your smartphone.

4. Public Wi-Fi hotspots

Nearly all public places offer Wi-Fi, which can be extremely helpful for those needing to access the internet while traveling. However, many of these public Wi-Fi networks are not secure, allowing hackers to easily observe a user's activity. 

Airport Wi-Fi networks are notoriously risky to join, and "while 'free' Wi-Fi is tempting, it's an easy hotspot for hackers to view what you're browsing and steal personal information," Kellermann said. "Particularly savvy threat actors will go as far as to set up honeypot Wi-Fi networks, mimicking official airport or coffee shop network names and collecting the information of anyone unfortunate enough to fall for the ruse and connect."

"Assume that you're being observed and every bit of Wi-Fi network data is monitored; only use a VPN or your cellular connection for transactions involving sensitive information," Epstein said. 

Besides avoiding public Wi-Fi or using a VPN, users should postpone banking activities or payment transactions until they are on a private network, said John Bennett, general manager of LastPass.

5. Stolen device

The chaos of travel can make it easy for people to leave things behind or leave devices unlocked. A stolen, lost, or unlocked device is a quick way for private information to get into the wrong hands. 

"It seems simple, but simply leaving your phone unlocked and unattended can lead to someone compromising your information," Miller said. "Given enough time, they may root your device, install keyloggers or other malware, or simply copy your private information for later use. An unlocked phone is vulnerable to anyone with physical access to it, and especially vulnerable if stolen."

Users should make sure devices have the most up-to-date software and security standards before traveling, Kellermann said. 

"For an extra step of security, when you return home and are on a secure network, update all passwords to keep your accounts secure," Bennett said. 



400 Vet Locations Nipped by Ryuk Ransomware


The infection apparently made its way in through third-party systems.

National Veterinary Associates (NVA) has been hit with the Ryuk ransomware, in an attack that affects 400 clinics across the country.

The California company said that it could take a week for its facilities to be fully back up and running normally. Patient records, payment systems and practice management software were all locked up in the attack.

NVA said it discovered the ransomware outbreak on Oct. 27 and hired two outside security firms to help it recover. Affected clinics have now regained access to patient records.

NVA CMO Laura Koester confirmed the attack to independent researcher Brian Krebs, but declined to say whether the ransom was paid, or how it arrived on NVA systems. She noted that each NVA location runs its own IT operations; it’s unclear if there’s a wide-area network (WAN) or other common connection linking the affected locations (NVA has about 700 clinics in total). However, NVA head of technology Greg Hartmann said that it was a supply-chain attack.

“The virus eventually found three smaller points of entry through accounts that were unaffiliated with NVA, but unfortunately opened within our network,” Hartmann wrote in an internal memo obtained by Krebs. “Upon discovery of the incident, our technology team immediately implemented procedures to prevent the malware from spreading; however, many local systems were affected. Still, we have many hospitals whose systems are not recovered. The technology team continues to set up interim workstations at each affected hospital while they prepare to rebuild servers.”

NVA did not immediately respond to a request for comment, but Colin Bastable, CEO of security awareness training company Lucy Security, said that social engineering was the likely attack vector.

“Ninety-seven percent of successful attacks involve some form of social engineering, and over 90 percent start with a phishing email,” Bastable said via email. “When I demonstrate spoofing emails, around 10 percent of them get straight through to the prospect, after they always assure me that they have perfect defenses. This is especially so in government, which explains why ransomware is so effective in crippling state and local government. Ransomware attacks can wipe out entire systems in minutes – have a recovery plan and know what you will do when you are hit. Planning in advance is better than making it up when you have no phones, no email and no data.”

Ryuk is a ransomware strain distributed by the Russian-speaking Wizard Spider financial crime syndicate, first spotted in August 2018. Since then, it has been involved in several high-profile attacks, such as a coordinated, targeted ransomware cyberattack on 23 Texas local and state entities in August.

The Ryuk ransomware has recently added two features to enhance its effectiveness as well: The ability to target systems that are in ‘standby’ or sleep mode that it otherwise would have no ability to encrypt; and the use of Address Resolution Protocol (ARP) pinging to find drives on a company’s LAN. Both are employed after the initial network compromise of a victim organization.

“The destructive power of ransomware, especially Ryuk, continues to show how vulnerable organizations are regardless of their size,” Erich Kron, security awareness advocate at KnowBe4, said via email. “It is also a lesson in how long the impact of ransomware can be felt. According to Kaspersky, 34 percent of businesses hit with ransomware took a week or more to regain access to their data. That can be crippling to any size organization that’s not prepared for it.”



Think That Cybersecurity STILL Isn't For Your Business? THINK AGAIN.


Think that cybersecurity STILL isn't for your business? THINK AGAIN. 2019 is on track to set a record for the highest number of security incidents EVER RECORDED, with 5,183 data breaches and 7.9 billion records exposed by November in the United States alone, according to a report from Risk Based Security. 

The latest data from the vulnerability intelligence firm shows a 33.3% increase in publicly reported breaches from Q3 2018, and the volume of records exposed increased 112%.

The data includes only publicly disclosed breaches, which means the true figures are likely much higher. The past eight years have seen a steady uptick in breaches and an even faster increase in the number of records exposed. In 2012, only 2,323 breaches were reported, with 485 million records exposed. 2019 has seen 5,183 breaches, and more than 7.9 billion records leaked.

The stark difference between the numbers has two possible causes. The first could be more transparency from companies that suffer security incidents, and the second is the increase in the volume of personal data organizations now hold.

“Despite occasional dips, there has been a steady increase in the number of breaches reported over the past eight years. So the increase in 2019 is not surprising,” reads the Risk Based Security report. “However, the change does stand out from the general trend, with a 33.3% increase in the number of breaches disclosed compared to the same point in 2018. The last time there was a jump like this was in 2015, which saw a 36.8% increase in breaches reported compared to the same point in 2014.”

The most common attack vector reported by companies is unauthorized access to systems, and cybercriminals are behind such events. But data is also often made freely accessible by misconfigured databases, backups, endpoints, and services.

The two types of data most commonly leaked in breaches are users' email addresses (59.1%) and passwords (65.1%), with names (26%) and addresses (12.7%) trailing far behind. The report also names some of the most exposed industries.

Healthcare is the most affected industry, with 343 breaches in 2019, followed by retail with 307, public administration with 264, and finance and insurance with 263 breaches. The business sector accounts for 66% of the breaches, medical 14%, government 12%, and education 8%.



Cyber Monday 2019: How can retailers avoid cyberattacks?


Cyber Monday 2019 kicks off on 2 December, concluding the onslaught of discounts and sales that Black Friday began. With the majority of the event's spending occurring online, the retail sector needs to be prepared for attacks from cybercriminals seeking to access data and extort retailers. Retail Insight Network investigates how retailers are affected by cyberattacks and what they can do to protect their business this coming Cyber Monday 2019.

Cyber Monday 2019: The facts and figures

Cyber Monday 2018 in the US saw a 432% year-on-year increase in ransomware attacks, according to next-gen firewall and cybersecurity solutions company SonicWall, and Cyber Monday 2019 is set to see a further increase in these attacks.

Figures from the 2019 Cost of a Data Breach Report by IBM Security and Ponemon Institute revealed that it took, on average, 228 days for retailers to identify a breach and 83 subsequent days to contain it. The Mid-Year Update: 2019 SonicWall Cyber Threat Report revealed that SonicWall recorded 4.8 billion malware attacks involving retailers in the first half of 2019, and that there was a 45% increase in never-before-seen attack variants over 2018. SonicWall also recorded 110.9 million ransomware attacks in the first half of 2019 – a 15% year-to-date increase.

How are retailers susceptible to cyberattacks?

SonicWall CEO Bill Conner says: “When attacks like these happen to household brand names like Adidas or national institutions like the NHS, the temptation for small to medium-size businesses (SMBs) is to think that cyber attackers exclusively target large organisations. But SMBs are not immune. The reality is cyber attackers often focus their attention on SMBs since they are more likely to have low levels of sophistication in network security.”

The first half of 2019 also experienced a 76% increase in encrypted threats and a 51% increase in never-before-seen attacks via PDFs and 47% via office files.

Conner adds: “The problem for businesses and SMBs in particular is departmental siloing, an overreliance on legacy security systems and poor security training, which offers multiple points of entry for cyber criminals to gain access to sensitive information. Human error is often cited as the number one reason organisations are left exposed in this way. Human error encompasses everything from lack of vigilance to outright negligence when it comes to network security, but it is particularly a problem with email security.”

The cost of cyberattacks on retail

The IBM report also stated that, on average, a retail data breach costs the global retail sector US$1.84m, with a year-on-year (y-o-y) increase of 1%. The global average per-record costs of a retail breach amounts to $119, with a y-o-y increase of 1.7%.

Conner continues: “Between 2017 and 2018, 61% of SMBs experienced some kind of cyberattack, resulting in average net losses of around $1.2m (£1m) because of disruption to normal services.

“Consumers themselves, of course, bear the brunt of these attacks by having their personal information compromised. But retailers can face penalties from regulatory bodies and consumer representative groups bringing litigation; especially those who are not already using threat protection technologies.

“The recent $225m (£183m) fine incurred by British Airways and the $135m (£110m) incurred by Marriott are testament to this. That’s why it is imperative for retailers to ensure that their security approach is as robust as possible from the outset.”

How can retailers be protected for Cyber Monday 2019?

SonicWall VP of EMEA Terry Greer-King says: “The retail sector is under constant threat of cyberattacks due to its vast repository of customer data, which cyber criminals steal in order to sell in the Dark Web. Especially in the upcoming peak shopping season, cyber criminals are likely to amp up their attacks on retailers, hoping to capitalise on their increased activity. With many retailers relying on the last quarter of the year to boost their earnings, the potential damage increases exponentially.

“Retailers, whatever their size, should adopt both preventative and recovery measures to avoid data breaches that would lead to loss of customer trust, reparation costs, reputational damage and compliance issues that would follow them well into the new year. Adopting a layered security solution that’s able to block attackers at every step of the way is the safest option for retailers to protect their business against intrusions and attacks.”

Conner concludes: “As a first line of defence against cyberattacks, installing next-generation firewalls and enabling Deep Packet Inspection of SSL to inspect encrypted traffic is always critical. However, retailers need to be vigilant, as hackers are constantly developing new ways to attack business infrastructure and unless businesses are secured end-to-end, ransomware and other types of malware can easily find a vulnerable point of entry.

“Recently, Real-Time Deep Memory Inspection has offered a way of layering business security so retailers’ sensitive data can be protected across the board. Essentially, AI-powered technology detects and blocks malware, which does not at first exhibit obvious malicious behaviour but instead hides its weaponry via sophisticated encryption.

“It is important for retailers to begin looking at their security approaches now before the data shoplifters are in action again. After all, nothing has the potential to ruin the holiday season – for both retailers and consumers – more than compromised personal and financial data.”



Shopping Online Securely


The holiday season is nearing for many of us and soon millions of people will be looking to buy the perfect gifts. Many of us will shop online in search of great deals and to avoid noisy crowds. Unfortunately, cyber criminals will be active as well, creating fake shopping websites and using other tactics to scam people. In this newsletter, we explain how you can shop online safely and avoid becoming a victim.

Fake Online Stores

Cyber criminals create fake online stores that mimic the look of real sites or that use the names of well-known stores or brands. When you search for the best online deals, you may find yourself at one of these fake sites. By purchasing from such websites, you can end up with counterfeit or stolen items, and in some cases, your purchases might never be delivered. Take the following steps to protect yourself from fake online stores:

  • When possible, purchase from the online stores you already know, trust, and have done business with previously. Bookmark online stores you have visited before and trust.
  • Look out for prices that are significantly better than those you see at the established online stores. If the deal sounds too good to be true, it may be fake.
  • Be suspicious if the website resembles the one you’ve used in the past, but the website domain name or the name of the store is slightly different. For example, you may be used to shopping at Amazon, whose website address is, but end up shopping at a fake website that has a similar website address, where the letter o is replaced with the number 0.
  • Type the name of the online store or its web address into a search engine to see what others have said about it. Look for terms like “fraud,” “scam,” “never again,” and “fake.”
  • Use a unique password for each of your online accounts. Can’t remember all your passwords? Consider storing them all in a password manager.
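A small lookalike-domain check in the spirit of the third tip above, added here as an example and not part of the original newsletter: it reduces a URL to its host, collapses confusable characters (0 for o, rn for m, and so on) and compares the result with a trusted-store list. The trusted list and the sample URLs are constructed for the example; the verdicts are meant to prompt a closer look, not to replace one.

```python
import re
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Stores the shopper already trusts (constructed list for this example).
TRUSTED_DOMAINS = ["amazon.com", "walmart.com", "target.com", "bestbuy.com"]

# Character pairs and single characters that look alike in an address bar.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}
CONFUSABLE_CHARS = {"0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "8": "b"}


def host_of(url: str) -> str:
    """Reduce a URL or bare host name to its lower-case host without 'www.'."""
    host = url.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop the scheme
    host = host.split("/", 1)[0].split("?", 1)[0]       # drop path and query
    host = host.split("@")[-1].split(":", 1)[0]         # drop user info and port
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Collapse look-alike spellings so 'amaz0n' and 'arnazon' both read 'amazon'."""
    for pair, canon in CONFUSABLE_PAIRS.items():
        host = host.replace(pair, canon)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in host)


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_trusted_domain).

    'trusted'    the host is a trusted domain or a subdomain of one
    'confusable' identical once look-alike characters are collapsed
    'embedded'   a trusted brand name sits inside an unrelated domain
    'near-miss'  a character or two away from a trusted domain
    'unknown'    no resemblance to anything on the trusted list
    """
    host = host_of(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    for t in trusted:
        if skeleton(host) == skeleton(t):
            return "confusable", t
        if t.split(".")[0] in host:          # e.g. amazon.com.holiday-deals.example
            return "embedded", t
        if SequenceMatcher(None, skeleton(host), skeleton(t)).ratio() >= 0.9:
            return "near-miss", t
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links, as they might arrive in a holiday-deal email.
    for u in ["https://www.amazon.com/dp/B0", "http://amaz0n.com/deals", "arnazon.com",
              "https://amazon.com.holiday-deals.example/login", "amazn.com",
              "https://example.org/"]:
        print(f"{u:48} -> {classify_url(u)}")
```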

Scammers on Legitimate Websites

Keep your guard up even when shopping at trusted websites. Large online stores often offer products sold by different individuals or companies that might have fraudulent intentions. Such online destinations are like real-world markets, where some sellers are more trustworthy than others. Check each seller’s reputation before placing the order. Be wary of sellers who are new to the online store or who sell items at unusually low prices. Review the online store’s policy on purchases from such third parties. When in doubt, purchase items sold directly by the online store, not by the third-party sellers that participate in its online marketplace.

Online Payments for Purchases

Regularly review your credit card statements to identify suspicious charges. If possible, enable the option to notify you by email, text, or app every time a charge is made to your credit card. If you find any suspicious activity, call your credit card company right away and report it. Avoid using debit cards whenever possible. Debit cards take money directly from your bank account; if fraud has been committed, you’ll have a much harder time getting your money back. Another option is using well-known payment services such as PayPal for online purchases, which do not require you to disclose your credit card number to the vendor. Finally, consider using a gift card for online purchases.

Just because an online store has a well-designed, professional look does not mean it’s legitimate. If the website makes you uncomfortable, don’t use it. Instead, head to a well-known site you can trust or have safely used in the past. You may not find that incredible deal, but you are much more likely to end up with a legitimate product and avoid getting scammed.



Ransomware Attacks Targeting MSPs Increase


Reports of ransomware attacks against MSPs are beginning to increase. Everis, one of Spain’s largest MSPs, was hit by a recent ransomware attack, according to Bleeping Computer. While Everis has not yet confirmed the attack, reports put the ransom demand at $835,923.

Additionally, in a report published recently by threat intelligence firm Armor, the frequency of attacks against MSPs has increased. According to its research, hackers are targeting MSPs in the hope of using their access to deploy ransomware further, onto the MSPs’ customers.

Majority of MSPs Agree They’re Targeted by Attacks

Recently, we released our annual State of the Channel Ransomware Report featuring a wealth of statistics from our research with managed service providers around the world. In our 2019 report, we pulled data from over 1,400 Datto Partners to understand how they and their clients are impacted by ransomware on a daily basis. This information provides some insight into the trends with year-over-year data, frequency, targets, impact, and recommendations for improving the chances of recovery and continuity in the face of the growing cybersecurity threat.

According to our research, 4 in 5 MSPs agree that their business is increasingly becoming a target in ransomware attacks.



Amazon's Ring Video Doorbell Lets Attackers Steal Your Wi-Fi Password


Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon's Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of MitM-based cyberattacks against other devices connected to the same network. In case you don't own one of these, Amazon's Ring Video Doorbell is a smart wireless home security doorbell camera that lets you see, hear and speak to anyone on your property from anywhere in the world. The smart doorbell needs to be connected to your WiFi network, allowing you to remotely access the device from a smartphone app to perform all tasks wirelessly.

While setting up the device for the very first time and sharing your WiFi password with it, you need to enable configuration mode on the doorbell. Entering configuration mode turns on a built-in, unprotected wireless access point, allowing the Ring smartphone app installed on your phone to connect to the doorbell automatically. However, researchers told The Hacker News that besides using an access point with no password, the initial communication between the Ring app and the doorbell, i.e., when you share your home's WiFi password with the doorbell, is performed insecurely over plain HTTP.

Thus, a nearby attacker can simply connect to the same unprotected wireless access point while setup is in progress and steal your WiFi password using a man-in-the-middle attack. Since this attack can only be performed during the "one-time initial configuration" of the device, you might be wondering how an attacker can exploit this loophole after the device has already been configured.

Researchers suggested that by continuously sending de-authentication messages to the device, an attacker can trick the user into believing that the device is malfunctioning, forcing him to re-configure it.

"Attackers can trigger the reconfiguration of the Ring Video Doorbell Pro. One way to do this is to continuously send deauthentication packets, so that the device is dropped from the wireless network. At this point, the App loses connectivity and tells the user to reconfigure the device," the researchers told The Hacker News.


"The live view button becomes greyed out and, when clicked, the app will suggest restarting the router or pressing the setup button twice on the doorbell. Pressing the button twice will trigger the device to try to reconnect to the network – an action that will fail. The last resort is to try and reconfigure the device," Bitdefender said in a blog post.

Once the owner enters into the configuration mode to re-share WiFi credentials, the attacker sniffing the traffic would capture the password in plaintext, as shown in the screenshot. Once in possession of a user's WiFi password, an attacker can launch various network-based attacks, including:

  • interact with all devices within the household network;
  • intercept network traffic and run man-in-the-middle attacks;
  • access all local storage (a NAS, for example) and subsequently private photos, videos and other information;
  • exploit vulnerabilities in devices connected to the local network and gain full access to each device, which may lead to reading emails and private conversations;
  • gain access to security cameras and steal video recordings.
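From the defender's side, the deauthentication burst the researchers describe is something a wireless monitor can flag. The following is an added example, not Bitdefender's code or anything from the Ring firmware: it keys deauth/disassoc frames by their target (the source address is forged, so it is not trusted) and alerts when one target receives a threshold number of them inside a sliding window. The frame records and MAC addresses are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Frame:
    """Minimal view of an 802.11 frame as a capture tool might log it."""
    ts: float      # capture time in seconds
    subtype: str   # "deauth", "disassoc", "beacon", "data", ...
    src: str       # transmitter MAC (spoofable, so detection keys on dst)
    dst: str       # receiver MAC; ff:ff:ff:ff:ff:ff addresses every client


def detect_deauth_bursts(frames: Iterable[Frame], window_s: float = 5.0,
                         threshold: int = 10) -> List[Tuple[str, float]]:
    """Return one (target_mac, burst_start_ts) alert per burst in which a single
    target receives at least `threshold` deauth/disassoc frames inside any
    `window_s`-second sliding window. A lone deauth (AP restart, roaming)
    never alerts; a sustained flood that keeps a client off the network does."""
    recent = defaultdict(deque)   # target -> timestamps still inside the window
    in_burst = set()              # targets already alerted for the current burst
    alerts: List[Tuple[str, float]] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[f.dst]
        q.append(f.ts)
        while f.ts - q[0] > window_s:    # age out old timestamps
            q.popleft()
        if len(q) >= threshold:
            if f.dst not in in_burst:    # alert once per burst, not per frame
                in_burst.add(f.dst)
                alerts.append((f.dst, q[0]))
        else:
            in_burst.discard(f.dst)      # burst is over; re-arm for the next one
    return alerts


AP = "02:00:00:aa:00:01"        # constructed placeholder: home access point
DOORBELL = "02:00:00:aa:00:02"  # constructed placeholder: doorbell client MAC

# Constructed capture: one benign deauth while the AP restarts, ordinary traffic,
# then 30 deauth frames 100 ms apart carrying the AP's address as forged source.
SAMPLE_FRAMES = (
    [Frame(0.0, "deauth", AP, DOORBELL),
     Frame(1.0, "data", DOORBELL, AP),
     Frame(2.0, "beacon", AP, "ff:ff:ff:ff:ff:ff")]
    + [Frame(10.0 + i * 0.1, "deauth", AP, DOORBELL) for i in range(30)]
)


if __name__ == "__main__":
    for target, start in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth flood against {target} starting at t={start:.1f}s")
```

A client that keeps dropping off shortly after such a burst, and a user prompt to re-run setup, is the moment to be suspicious rather than to reconfigure.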

Bitdefender discovered this vulnerability in Ring Video Doorbell Pro devices in June this year and responsibly reported it to Amazon, but got no update from the company.

When requested for an update in late July, the vendor closed the vulnerability report in August and marked it as a duplicate without saying whether a third party had already reported the issue. However, after some communication with the vendor, an automatic fix for the vulnerability was partially issued on 5th September. "However, to be on the safe side Ring Video Doorbell Pro users should make sure they have the latest update installed. If so, they're safe." A similar security vulnerability, which also exposed the owner's WiFi network password to attackers, was discovered and patched in Ring Video Doorbell devices in early 2016.


