Companies would be remiss to downplay the profound implications of last month’s headline-grabbing WannaCry ransomware attack.
WannaCry was a mere harbinger; the tip of the iceberg. WannaCry happened a few weeks after the Shadow Brokers hacking collective stole dozens of the National Security Agency’s ace-in-the-hole hacking tools.
Shadow Brokers futilely tried to sell these cyber weapons piecemeal, but after getting no takers, publicly released them. Someone then quickly snapped up two of the free spy tools—code named EternalBlue and DoublePulsar—and whipped up WannaCry, which spread, in a matter of days, into government, utility and company networks in 150 countries.
The initial version of WannaCry proved easy enough to thwart. No one in law enforcement and information security was surprised when more robust self-spreading variants almost immediately followed. Within a week of WannaCry’s release, researchers at Cyphort Labs flushed out a variant with the self-spreading feature and ransomware instructions stripped out.
RATs hard to eradicate
Instead, someone crafted this particular variant to take root in the targeted network, stay put and stand by to function as a Remote Access Tool, or RAT. RATs are terrific at screen and keyboard monitoring, audio and video surveillance, file downloads, file transfers and more.
Meanwhile, cyber forensics firm Stroz Friedberg examined Shadow Brokers’ disclosures and tallied some 69 NSA cyber weapons. To be more precise, these are so-called “exploits” conjured up by the NSA that take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.
ThirdCertainty asked Mounir Hahad, senior director of Cyphort Labs, and Ed Stroz, co-president of Stroz Friedberg, an Aon company, to outline the wider context. The text has been edited for clarity and length.
ThirdCertainty: How should company decision-makers think about the dozens of exploits released by Shadow Brokers?
Mounir Hahad: Most of the exploits leaked are for very old operating systems and applications dating back to 2001, and most do not impact most companies. For those exploits that potentially apply, it is key that companies establish crisis cells to follow the development of these disclosures and be on the lookout for any patch or any attack reported in the media or social networks. To be more proactive, companies should be demanding from their security vendors what measures are being taken to guard against any future attack using any of these exploits.
Ed Stroz: The WannaCry campaign should serve as a stark reminder to organizations that having a sound and timely patch management process in place is critical. Companies should ensure they have an up-to-date asset inventory of their IT infrastructure components and threat surface, identify whether any highlighted systems are still in use and, if so, for what purpose. In addition, we recommend carrying out regular IT inventory, security assessments and penetration testing exercises to help ensure vulnerabilities against their infrastructure are addressed promptly.
3C: Is it possible to triage these exploits, perhaps categorize them by severity level?
Stroz: The severity of an exploit is often less about the nature of the vulnerability than it is about how an organization would be affected by it. Because severity is therefore subjective to a given environment it is somewhat premature to assign a generic severity score.
Hahad: The type of environment exploited, and the age of the vulnerability are factors that matter. For instance, a Windows desktop exploit presents a higher risk than an FTP server exploit for most companies just because the FTP server may be used infrequently. Also, a more recent exploit presents a higher risk than a 15-year-old exploit because of the potential attack surface that still exists.
3C: Can you characterize what’s going on in the cyber underground with these weapons available to one and all?
Hahad: It is clear some well-organized cyber criminals have pored over this data and quickly took advantage of the most readily available tools. The focus will now shift to the more obscure exploits. We will now see a resurgence of activity from well-funded cyber criminals and many more nation-states, which did not have access to such a treasure trove of exploits. The less sophisticated cyber criminals will probably revert back to previous email-based techniques and just wait for the next Shadow Brokers dump, which may have fresh exploits to use.
Stroz: Cyber threat actors are aware of what’s happening, and will take advantage of the time latency that exists between a patch release date and the organization’s installation date. In general, cyber threat actors are often quick to repurpose leaked exploits and tools for their own use, as it is cost effective to do so. A notable example is the Hacking Team leak in 2015 where (Adobe Flash exploits) were quickly repurposed by various espionage threat actors.
3C: How do you expect this to play out over the remainder of 2017?
Stroz: Cyber criminals could very well change tactics and take aim at connected devices and hold them ransom, something our firm predicted at the start of the year. Companies should not be sitting idle. If a company has not been applying patches and updates in a timely manner, they may be vulnerable to many other legacy exploits and not just those recently in the press.
Hahad: The security community has not finished studying these exploits, and I suspect that as detailed analysis emerges, so will the discovery of existing compromised systems that were previously operating under the radar.
Fake news is the new computer virus.
Bob Sullivan, journalist and one of the founding members of msnbc.com
That’s the conclusion I came to when reading a remarkable new report from computer security firm Trend Micro. If you doubt the massive efforts of underground “hackers” to influence you—and the massive cash they can make doing so—flip through the pages of this report. A few years ago, it could have been written about the spam, computer virus or click fraud economies. Today, “news” has been weaponized, both for political gain and profit.
While Americans bicker over who might have gained the most from hacking in our last presidential campaign, they are missing the larger point: Massive infrastructure has been put in place from China to Russia to India to make money off polarization. The truth is for sale in a way that most people couldn’t have imagined just a few years ago. As the report crucially notes: There’s no such thing as “moderate” fake news. Whichever side you’re on, if you play in extremism, you probably are helping make these truth hackers rich.
Here are some highlights from the report.
“(Russian) forums offer services for each stage of the campaign—from writing press releases, promoting them in news outlets, to sustaining their momentum with positive or negative comments, some of which can even be supplied by the customer in a template. Advertisements for such services are frequently found in both public and private sections of forums, as well as on banner ads on the forums themselves.”
Misusing the internet
Many services have a crowd-source model, meaning users can either buy credits for clicks, or “earn” them through participating in others’ campaigns.
“(One service) allows contributors to promote internet sites and pages, flaunting a 500,000-strong registered user base that can provide traffic (and statistics) from real visitors to supported platforms. It uses a coin system, which is also available in the underground.”
A price list claims the service can make a video appear on YouTube’s home page for about $600, or get 10,000 site visitors for less than $20.
Such services aren’t limited to Russia, of course. According to the report, a Middle Eastern firm offers “auto-likes on Facebook (for) a monthly subscription of $25; 2,200 auto-likes from Arabic/Middle East-based users fetch $150 per month … (another service) has a customizable auto-comment function, with templates of comments customers can choose from. Prices vary, from $45 per month for eight comments per day, to $250 for 1,000 comments in a month.”
In China, the report says, “For … less than $2,600 spent on services in the Chinese underground, a social media profile can easily fetch more than 300,000 followers in a month.”
Appealing to extremists
It goes on to claim that fake news campaigns have incited riots and caused journalists to be attacked. Here’s an example of the latter:
“If an attacker aims to silence a journalist from speaking out or publishing a story that can be detrimental to an attacker’s agenda or reputation, he can also be singled out and discredited by mounting campaigns against him.
“An attacker can mount a four-week fake news campaign to defame the journalist using services available in gray or underground marketplaces. Fake news unfavorable to the journalist can be bought once a week, which can be promoted by purchasing 50,000 retweets or likes and 100,000 visits. These cost around $2,700 per week. Another option for the attacker is to buy four related videos and turn them into trending videos on YouTube, each of which can sell for around $2,500 per video.
“The attacker can also buy comments; to create an illusion of believability, the purchase can start with 500 comments, 400 of which can be positive, 80 neutral, and 20 negative. Spending $1,000 for this kind of service will translate to 4,000 comments.
“After establishing an imagined credibility, an attacker can launch his smear campaign against his target.
“Poisoning a Twitter account with 200,000 bot followers will cost $240. Ordering a total of 12,000 comments with most bearing negative sentiment and references/links to fake stories against the journalist will cost around $3,000. Dislikes and negative comments on a journalist’s article, and promoting them with 10,000 retweets or likes and 25,000 visits, can cost $20,400 in the underground.
“The result? For around $55,000, a user who reads, watches and further searches the campaign’s fake content can be swayed into having a fragmented and negative impression of the journalist. A more daunting consequence would be how the story, exposé or points the journalist wanted to divulge or raise will be drowned out by a sea of noise fabricated by the campaign.”
The key for all these attacks, the report notes, is appealing to the more extreme nature of our political discourse today.
“In the realm of political opinion manipulation, this tends to be in the form of highly partisan content. Political fake news tends to align with the extremes of the political spectrum; ‘moderate’ fake news does not really exist.”
Recognizing false content
The report offers tips for news consumers to avoid being unwitting partners in a fake news campaign. The target of fake news is the general public, the report notes, so “ultimately, the burden of differentiating the truth from untruth falls on the audience.”
Here are some signs users can look out for if the news they’re reading is fake:
By Bob Sullivan, ThirdCertainty
Have you ever been on a website and noticed the site owner or another user has written out their email address in some variation of the following?
Name (at) domain dot com
If you wondered if the person was just averse to using symbols, you may be interested to know it’s actually a decent method for reducing unwanted spam emails and protecting yourself from possible phishing scams and even identity theft.
We talked to digital security expert Adam Levin, co-founder of Credit.com and chairman and founder of CyberScout (formerly IDT911), to learn more about how it works.
Good Cyber Hygiene
“One way spammers harvest email addresses is by sending out bots that are instructed to look for and scrape letter strings that contain the @ symbol,” Levin said.
For that reason, it’s a good idea to practice what Levin refers to as “good cyber hygiene” when entering your email address on public sites. Writing out your email address lets you do that. (Check out our tips for keeping your email safe and secure.)
Phishers can be dangerous, especially if you wade through a tremendous amount of email each day. They create emails that closely resemble legitimate companies and entities that can be difficult to spot as phony, especially when you’re in a hurry to get through your emails.
Using “at” and “dot” makes it more difficult for spambot programs to detect and grab your email address, Levin said. That can be helpful for small business owners whose information is listed on their website, social media accounts or other digital locations.
“For hackers and fraudsters, email addresses are essential tools used to phish their target,” he said. “Because the ultimate guardian of the consumer is the consumer, this is another way to be proactive about protecting your identity and personal data.”
Over the years, some spammers have made an effort to scrape even strings containing “at” and “dot” in hopes of gaining access to email addresses, though sifting through this data to find actual addresses requires manual review and is time-consuming.
If you’re concerned about spammers getting your email information or phone number through this method, you can create an image of this data that bots can’t read. With this method, the only way for spammers to “harvest” your information is manually, which means you’re pretty safe.
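The following is an added illustration, not code from Credit.com or from Adam Levin, of the two points above: a bot that keys on the “@” symbol does not see an address written as “name (at) domain dot com”, while a more patient scraper that also understands the “at”/“dot” spellings still can. The page text and the regular expressions are constructed for this example; the “at”/“dot” variants the second pattern recognises are an assumption about what such a scraper would look for.

```python
import re

# Constructed sample of a public "contact" page, mixing a bare address
# with two obfuscated ones and a line that is not an address at all.
SAMPLE_PAGE_TEXT = """
Contact the editor at editor@example.com for corrections.
Sales: sales (at) example dot com
Support: support [at] example [dot] org
Phone: 555-0100
"""

# What a naive harvesting bot relies on: a literal "@" flanked by
# address characters (the behaviour Levin describes).
PLAIN_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumption: a more thorough scraper would also accept "(at)"/"[at]" and
# "dot"/"(dot)"/"[dot]" spellings. Only single-label domains (example dot com)
# are reconstructed here; "sub dot example dot com" would not be.
OBFUSCATED_EMAIL_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*[\[(]\s*at\s*[\])]\s*"
    r"([A-Za-z0-9-]+)\s*[\[(]?\s*dot\s*[\])]?\s*([A-Za-z]{2,})",
    re.IGNORECASE,
)


def obfuscate_email(address: str) -> str:
    """Rewrite user@host.tld as 'user (at) host dot tld' for publication."""
    local, _, domain = address.partition("@")
    return f"{local} (at) {domain.replace('.', ' dot ')}"


def find_plain_addresses(text: str) -> list:
    """Addresses a bot keyed on '@' would pick up from the text."""
    return PLAIN_EMAIL_RE.findall(text)


def find_obfuscated_addresses(text: str) -> list:
    """Addresses recoverable by a scraper that also understands 'at'/'dot'."""
    return [f"{user}@{dom}.{tld}" for user, dom, tld in OBFUSCATED_EMAIL_RE.findall(text)]


def scrapable_by_naive_bot(text: str) -> bool:
    """Self-check before publishing: does the text still expose a bare address?"""
    return bool(find_plain_addresses(text))


if __name__ == "__main__":
    print("bare addresses:      ", find_plain_addresses(SAMPLE_PAGE_TEXT))
    print("obfuscated addresses:", find_obfuscated_addresses(SAMPLE_PAGE_TEXT))
    print("safe to publish:     ", obfuscate_email("editor@example.com"))
```

Running the self-check on text you are about to post is the practical use: if `scrapable_by_naive_bot` returns `True`, a bare address is still present. The second pattern is only there to make the caveat concrete; as the text notes, an image of the address is the option that defeats both kinds of scraper.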
The bottom line when it comes to keeping your information safe is staying vigilant. Check your financial and digital accounts regularly. Check your credit reports for free once a year with each of the major credit bureaus. Ensure the reports are accurate and that you recognize all the accounts. If you suspect there are mistakes, reach out to the bureaus (Experian, Equifax and TransUnion).
Finally, to monitor your credit more closely, you can use a free tool like Credit.com’s Credit Report Summary for a breakdown, updated monthly, of the information in your credit report, along with free credit scores. If you see your score drop for no reason, something could be up.
Hackers tried to use leaked data within nine minutes of it being posted, according to a new Federal Trade Commission study.
Most attempted charges on compromised credit cards were for less than $10.
By the time you hear about a data breach, it's way too late to put measures in place to lock thieves out from using that data.
"If you post it, they will use it," concluded a Federal Trade Commission presentation on a new agency study. And quickly. When leaked consumer data like credit card numbers or email login details are made public, it's a matter of minutes (and at best, hours) before thieves make an unauthorized access attempt, it found.
"There's a real mystery of what happens to consumer data when it becomes public," said study co-author Dan Salsburg, chief counsel and acting chief of the FTC's Office of Technology Research and Investigation.
To see what happens to leaked data, researchers crafted a batch of 100 consumer profiles, each including a made-up name, an address from a national database, a phone number and email set up for the purpose of the study, and one payment mechanism also set up for the study — either an online payment account, a bitcoin wallet or a credit card. Each customer profile also included a password, although they didn't specify what the password was for.
"Our goal was to make this customer database look as realistic as possible," Salsburg said — as if it could have been stolen from a small business.
Researchers posted the faux database two times on a site they know thieves to frequent. Within 90 minutes of the first posting, thieves had started to try to access the email and payment accounts listed. On the second posting a week later — which a Twitter bot picked up — it took just nine minutes for thieves to start trying to use that data to make purchases and access accounts.
These three study insights on how thieves tried to use the leaked data could help consumers better protect themselves:
1) Monitor your accounts
Thieves were most interested in the credit card numbers, with FTC researchers spotting frequent charge attempts even weeks after the data had been leaked. That's likely because card numbers were the only data that could immediately be converted into money, Salsburg said.
Setting up alerts for suspicious transactions — big purchases, those made abroad, etc. — can help, but don't stop there. Regularly reviewing your account for new charges might help you catch an early warning sign: small test charges.
The vast majority of the attempted charges in the FTC study were for less than $10, as thieves attempt to verify the account is usable before selling that data or trying for a bigger purchase, Salsburg said. (See chart above.)
(That's likely also why a few thieves tried the cards at charity sites, he said — because nonprofits may allow small-figure donations and offer quick feedback on whether a card was accepted. "Our identity thieves are unlikely to be big philanthropists," he said.)
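An added example, not part of the FTC study or this article, of the “small test charges” warning sign described above turned into detection logic: it scans a list of card transactions for a burst of sub-$10 charges on one card within a short window, then reports the first large charge that follows. The transactions are constructed; the 30-minute window and the three-charge threshold are assumptions chosen for the illustration, and only the “less than $10” figure comes from the study.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of card activity: (ISO timestamp, card id, merchant, amount in USD).
# card-1 shows the pattern from the study (tiny charges, then a big one);
# card-2 is a normal customer with small but widely spaced coffee purchases.
SAMPLE_TRANSACTIONS = [
    ("2017-05-01T09:00:00", "card-1", "grocery",      54.20),
    ("2017-05-01T09:07:00", "card-1", "charity-site",  1.00),
    ("2017-05-01T09:09:00", "card-1", "charity-site",  2.00),
    ("2017-05-01T09:12:00", "card-1", "online-shop",   4.99),
    ("2017-05-02T18:30:00", "card-2", "coffee",        3.50),
    ("2017-05-03T08:15:00", "card-2", "coffee",        3.50),
    ("2017-05-02T10:00:00", "card-1", "electronics", 899.00),
]

TEST_CHARGE_LIMIT = 10.00            # "less than $10" (from the FTC study)
BURST_WINDOW = timedelta(minutes=30)  # assumption: how tightly test charges cluster
MIN_BURST = 3                         # assumption: small charges needed to raise a flag


def find_test_charge_bursts(transactions, limit=TEST_CHARGE_LIMIT,
                            window=BURST_WINDOW, min_burst=MIN_BURST):
    """Return {card_id: [timestamps]} for cards with >= min_burst sub-limit
    charges inside any `window`-long span."""
    small = defaultdict(list)
    for ts, card, _merchant, amount in transactions:
        if amount < limit:
            small[card].append(datetime.fromisoformat(ts))

    flagged = {}
    for card, times in small.items():
        times.sort()
        # Slide a window over the sorted small charges; report the first run
        # that is long enough.
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_burst:
                flagged[card] = times[i:j + 1]
                break
    return flagged


def large_charge_after_burst(transactions, bursts, limit=TEST_CHARGE_LIMIT):
    """For each flagged card, the first charge >= limit after its burst
    (the 'trying for a bigger purchase' step)."""
    result = {}
    for card, burst_times in bursts.items():
        burst_end = burst_times[-1]
        later = [(ts, amount) for ts, c, _m, amount in transactions
                 if c == card and amount >= limit
                 and datetime.fromisoformat(ts) > burst_end]
        if later:
            result[card] = min(later)  # earliest ISO timestamp sorts first
    return result


if __name__ == "__main__":
    bursts = find_test_charge_bursts(SAMPLE_TRANSACTIONS)
    for card, times in bursts.items():
        print(f"{card}: {len(times)} test-sized charges between {times[0]} and {times[-1]}")
    for card, (ts, amount) in large_charge_after_burst(SAMPLE_TRANSACTIONS, bursts).items():
        print(f"{card}: first large charge after burst {amount:.2f} at {ts}")
```

The useful property of this check is that it fires on the test charges themselves, a day before the $899 purchase, which is the point of the advice to review accounts for new charges rather than waiting for a large-purchase alert.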
2) Enable two-factor authentication
Thieves in the FTC study were unsuccessful in their attempts to hack customers' emails.
"Every account was protected by a wrong password or two-factor authentication," Salsburg said.
Using two-factor authentication on not just your emails, but other bank accounts, social media accounts and others where available, can be a smart move, said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.
When that technology is in place, logging in requires not just a password, but a secondary point of ID – usually in the form of a texted code. In other words, unless the hacker also has access to your phone, he or she is out of luck.
3) Put precautions in place ASAP
The quick turnaround from the time researchers posted the data to the time thieves started to try to use it shows that it's better to be proactive rather than reactive about protecting your accounts and identity.
"The information is already out there by the time you find out about it," Stephens said. "Unless you've been proactive, it may be difficult to remediate the situation."
Smart steps include creating a unique and complex password for each account, he said. That keeps thieves from using one compromised password to crack your email, bank account or other retail logins.
Once you hear about a breach, best steps to limit the damage may include changing passwords, signing up for free credit monitoring or even placing an alert or freeze on your credit file. (See infographic below.)
"The nature of the data that has been leaked is going to determine what you can best do to protect yourself," Stephens said.
When it comes to general computer safety, remember these words: install, update, power down, back up and destroy. Whether you’re on a Mac or PC, these tips will keep your system slim, trim and speedy—and block miscreants from your machine.
While the writing has been on the wall for a long time, on Friday, May 12, a new strain of ransomware called WannaCrypt, also known as WannaCry, raged like an out-of-control wildfire across Europe and Asia, ultimately impacting computers in 150 countries.
For many affected by this hack, a few hundred dollars in ransom money is a pittance when compared to the cost of hiring someone to attempt the recovery of your files after they’ve been encrypted. These ransomware attacks would cease to be profitable were there easy workarounds. But at this time, it is highly likely that if you happen to get got by one of these attacks, you should assume your files could be gone for good.
That’s why it’s critical you learn how to protect yourself.
If you’re like most people, you spend about 40 minutes a day on personal hygiene. While that’s a considerable amount of time, you probably don’t consider it to be an issue. It is not the same thing when it comes to cybersecurity. Were it as simple as downloading and installing software updates, the time spent on cyber grooming would be minimal (though the patches do seem to come fast and furious these days).
The issue really is that cyber hygiene is something one should practice 24/7/365. Come to think of it, it requires about the same amount of commitment and mindfulness as it takes to make sure your hair is OK and there’s no spinach in your teeth.
Here are some things to consider including in your daily cybersecurity routine.
When you are trying to find something online or use an app, an update notice can be like a mosquito that’s overly interested in you, but the last thing you should ever do is swat that notice away. It is often the only thing standing between you and the bad guys out there who are looking for a way to exploit weaknesses in the security features of the devices you use on a daily basis.
Both Macs and PCs now offer a way to protect the content stored on your hard drive, and it’s so easy there’s no reason not to use it. It’s called FileVault on Apple and BitLocker on PCs. It is easy to set up, and renders everything on your machine unreadable by a hacker who gains access to it.
For less than $60, you can purchase an external hard drive large enough to store an immense amount of data. That’s where you want to keep your most sensitive personal information. The reason is simple: It is air-gapped (not connected to the internet) most, if not all, of the time. There is no need to be online to back up your hard drive to an external drive. Extra points if you encrypt your data.
If you’re not using long and strong passwords, or still using the same password across multiple platforms and websites, you need to read this. For those who get over that rather low bar, it’s time to improve your game. It used to be that people made cheat sheets with their passwords and stored them in their desks (bad) or on an encrypted thumb drive (way better). That’s no longer necessary. Password managers take away the risk associated with having your passwords written down where they can be found and used. You need only remember one. As far as services go, there are many, and all are better than older methods of managing passwords. Research them online and make sure to read their reviews.
There are more spoof sites out there than you may realize, and they are there to do harm, not good. Always look at the URL to be sure you are on the site you intended to visit and not a clone—the clone often will have a very similar address, so look closely. For an additional layer of security, you might want to consider downloading HTTPS Everywhere, a plug-in that works on Chrome and Firefox and enables HTTPS encryption automatically on sites that support it.
The No. 1 way people get got is thoughtless clicking. Whether it is a fake or corrupted website designed to plant malware on your device or a phishing email that looks like it came from a trusted institution or a friend but is in reality from a cyber fiend, you must have a pause in place and it has to be automatic—when it comes to clicking on anything that comes your way from “out there,” even—or especially if—it looks like a friend or family member sent it.
If you see a story about a data breach or a security compromise on a device you use, consider that an action item for your day. Just take a second to find out if you are affected, and then take whatever precaution you can. The 40 minutes the average person spends on personal grooming is a good rule of thumb. Think of your cyber hygiene like a glance in the mirror.
Increasingly, two-factor authentication is available on the accounts we use daily, and it is essential that you set it up. It means that if a person hijacks one of your accounts, there isn’t much damage they can do without also having possession of your mobile phone or access to your email account. It’s an easy measure anyone can take to improve their personal cybersecurity.
In my book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, I go into greater detail about the various ways your information can be got and what you can do to protect it. The main lesson: Practice what I call “The Three Ms,” which are as follows:
Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and consider freezing your credit. (Here’s how to decide if you need a credit freeze.)
Monitor your accounts. Check your credit report religiously, keep track of your credit score, read Explanation of Benefits statements from your health insurer and review major accounts daily, if possible. (You can check two of your credit scores for free on Credit.com.) If you prefer a more laid-back approach, sign up for free transaction alerts from your bank, credit union and credit card companies or purchase a sophisticated credit and identity monitoring program.
Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve compromises. These are oftentimes available for free or at a minimal cost through insurance companies, financial institutions and HR departments.
A massive, fast-moving cyber attack has hit as many as 74 countries. The ransomware attack first appeared Friday morning in the United Kingdom and has impacted computer systems at a wide range of organizations including hospitals, telecom, universities and businesses.
According to news reports, the malicious software is a variant of ransomware known as WannaCry, which can encrypt older Windows® operating systems that have not been patched with the latest security updates. It’s delivered via email with an encrypted .zip file attachment, which, if opened, immediately infects and locks the targeted computer.
While the full scope and impact of this incident is still unfolding, CyberScout has seen hundreds of ransomware cases and offers these tips to protect your firm and clients:
Organizations that use Google for email, as well as thousands of personal Gmail customers, are reporting a scam that starts with an email from a known contact, which says that the person has shared a Google Doc. Recipients are asked to click the link to open, which redirects them to a legitimate Google sign-in page, where they’re prompted to select one of their Google accounts, and then to authorize a legitimate-looking app called “Google Docs” to manage emails. Once the app has permission to manage email, it secretly sends emails to all contacts, with the same phishing link. Personal and business email accounts are commonly used as the recovery email on a number of digital accounts, which means that hackers could get control of Apple, Amazon, Facebook, Twitter or personal Google accounts. Anything linked to a compromised Gmail account is potentially at risk. “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts,” Google said in a statement.
By Byron Acohido
Sniff out—and smack down—tax fraud. Put the kibosh on tax-related identity theft with these quick and easy tips.
Keeping Your Tax Information Safe Online
Keeping Your Tax Information Safe At Home
Keeping Your Tax Information Safe When You Use a Tax Preparer or Accountant