19.5.17

Ignoring software updates? You’re making one of five basic security mistakes



Cybercrime has quickly become a major problem for businesses, governments and citizens all over the globe.
While awareness of this multifaceted threat is increasing, we’re still making the same blunders when it comes to cybersecurity, as a recent study by the Pew Research Center alluded to.
Here are a few security mistakes to be aware of.
Email: This ruse is nothing new
Social engineering tactics are as old as the day is long, yet people keep falling for them. Today, phishing via email has become incredibly commonplace.
Although criminals are improving the ‘quality’ of these emails, with some targeted emails (known as spear phishing) looking incredibly authentic, most do not (telltale signs include poor spelling, random email addresses and far-fetched claims that you’ve won millions).
Keep yourself safe by carefully checking the recipient and the request, and by using some common sense – search via Google rather than using the enclosed website address. Also, be cautious of attachments, as they may be malware-infected. It’s important to check file extensions and to only open files deemed safe and from legitimate sources.
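The file-extension check described above can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original article: it walks the attachments of a message and flags names whose real extension is executable, hidden behind a decoy extension, or disguised with invisible Unicode characters. The extension lists, function names and sample message are assumptions made for illustration.

```python
import unicodedata
from email.message import EmailMessage

# Assumed, illustrative lists (not exhaustive): types Windows runs directly,
# macro-enabled Office formats, and harmless-looking types used as decoys.
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
              ".vbs", ".wsf", ".hta", ".lnk", ".ps1", ".jar", ".msi"}
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}
DECOY = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def check_filename(name):
    """Return the reasons an attachment name deserves suspicion (empty list = none)."""
    reasons = []
    # Invisible format characters (e.g. U+202E right-to-left override) can make
    # "invoice<RLO>fdp.exe" display as "invoiceexe.pdf".
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        reasons.append("hidden-format-character")
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = visible.rstrip(". ").lower().split(".")
    # Padding spaces before the last dot ("scan.jpg     .scr") are stripped too.
    exts = ["." + p.strip() for p in parts[1:]]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE:
        reasons.append("executable-extension")
        # "invoice.pdf.exe" shows as "invoice.pdf" when known extensions are hidden.
        if len(exts) >= 2 and exts[-2] in DECOY:
            reasons.append("double-extension")
    elif final in MACRO_ENABLED:
        reasons.append("macro-enabled-document")
    return reasons


def scan_message(msg):
    """Map each attachment filename in an EmailMessage to its list of reasons."""
    return {part.get_filename(): check_filename(part.get_filename() or "")
            for part in msg.iter_attachments()}


def build_sample():
    """Constructed message for the demo; every name and address is made up."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached invoice.")
    for name in ("invoice.pdf.exe", "minutes.docx", "budget.xlsm"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    for filename, reasons in scan_message(build_sample()).items():
        print(f"{filename!r}: {', '.join(reasons) or 'no flags'}")
    # Constructed name using a right-to-left override character.
    print(check_filename("invoice\u202efdp.exe"))
```

A clean result only means the name itself is not deceptive; the content of a document can still be malicious, so the advice about legitimate sources still applies.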
Social media: New hunting ground
Social media has become the go-to-market for cybercriminals eager to compromise people. It’s no surprise, as many users still fail to adequately look after their networks (for example, a 2016 survey showed that 58% of people do not know how to update their privacy settings).
As with email, and post too, always check the authenticity of the sender (do they look credible?), the message and the link (which will likely be shortened). Beware trending hashtags too, as many are now using these to catch out unsuspecting Twitter and Facebook users trying to catch up with the latest breaking news.
Attitude: It won’t happen to me
Forget technology for a second, culture is arguably the biggest issue with security right now, and this has been the case for 20 years. CEOs think they won’t be targeted and citizens think much the same (i.e. it won’t happen to me).
This complacency is misguided, as everyone is a potential target. Accordingly, this attitude can often result in poor security habits, with individuals and organizations treating, for example, password and Wi-Fi security not as seriously as they should.
This is despite the fact that good cybersecurity can be achieved relatively easily, through good password hygiene, regular software updates, anti-virus and even password managers, VPNs and secure encrypted messaging apps.
Passwords: The easy way in
Generic, guessable passwords can be easily cracked, and they can open a can of worms if you use the same password across several accounts. Brute-forcing passwords is increasingly fast and easy for criminals today, equipped with either huge computing power or the means to buy such expertise on the dark web.
Weak passwords, such as 123456; password; 12345678; and qwerty remain commonplace, with many people failing to see how this ‘low-hanging fruit’ is an entry point for cybercriminals. According to Forrester, 80% of all attacks involve a weak or stolen password.
Fortunately, some web providers are now forcing you to generate random passwords, or create complex ones. You may want to consider a password manager, as well as passphrases.
Software updates: A lack of
Whether on desktop, laptop or mobile, there’s always another software update for an app, our operating system or security solution. Interestingly, the constant pop-ups irritate us, with many people failing to understand just how important they are.
If we fail to update, we’re effectively leaving our software and devices vulnerable to attack, as cybercriminals look to exploit flaws in out-of-date software. Configuring automatic updates from trusted providers can make sure these are installed regularly.
https://www.welivesecurity.com/2017/05/19/ignoring-software-updates-youre-making-one-five-basic-security-mistakes/



18.5.17

WannaCryptor: Are governments and financial regulators to blame?


On Friday 12th May the world paused and drew breath as cybercriminals launched WannaCryptor (popularly known as WannaCry), a ransomware attack that dominated news and conversations around the globe. Companies shut down technology that they rely on to trade, to treat patients and to communicate with customers. The results for many of the affected companies and their customers were devastating.
Security experts everywhere were called into action to combat the ransomware that was unleashed as companies and organizations attempted to return to normal trading and practice. The vulnerability used as an entry point to infect machines was in Microsoft’s Windows. The National Security Agency apparently knew about it, then someone leaked the details and the cybercriminal took advantage of the situation.
We may never know what motivated the cybercriminal to unleash WannaCryptor but we do know that there was financial gain. The ransomware encrypted files, with an offer to decrypt them of $300, payable by bitcoin.
I am sure many of you, like me, have watched crime dramas where the law enforcement dudes say ‘follow the money’ as the method to find the real criminal behind a crime. Can you follow the money flow for WannaCryptor? Apparently not.
If you’ve attempted to open a bank account or applied for a credit card then you know the financial services industry has strict regulations requiring the identification of the person opening the account. The regulations extend to businesses and staff opening accounts or applying for a credit card terminal; the people responsible go through a process of being identified so they can be held responsible. The regulations are there to combat fraud and money laundering — in other words, to stop crime in the financial system.
Why does the criminal behind WannaCryptor only accept payment with bitcoin?
Bitcoin’s message on their website states that “bitcoin is open-source; its design is public, nobody owns or controls bitcoin and everyone can take part” and goes on to state: “Bitcoin allows exciting uses that could not be covered by any previous payment system.”
The concept of a virtual currency is potentially a good one: exchange rate free and accepted globally — there would seem to be benefits for businesses and consumers. How do I join the bitcoin community and reap the benefits of this virtual currency? To start with, I need a wallet to hold my virtual cash.
There are several wallet vendors, just like in the physical world, with some offering additional privacy by rotating addresses and others offering services that remove the need to validate payments.
Once I’ve selected my wallet I can generate an address, a virtual location to receive funds; the recommendation is a different address for every transaction to enhance my privacy. The messages of rotating addresses and using a new address for every transaction start to give me the confidence that I am going to be able to remain hidden, private and anonymous.
Ok, my wallet is full, how do I get the money?
My wallet, which is an account, is bursting at the seams and I want to withdraw my funds. There are two methods: register with an exchange, or in person. Registering with an exchange will require positive identification, uploading utility bills and stuff that we are used to doing at normal banks. Alternatively, you can trade directly with another person, meet them, exchange a QR code for cash and walk away.
The ‘in person’ method of cashing out means another unidentified person now holds the virtual money in his wallet and I remain completely anonymous. Needing to move the funds on may not be essential though — holding on to them as an investment or anonymously trading for services could be alternatives.
Bitcoin is often regarded as an anonymous currency because it is possible to send and receive bitcoins without giving any personal identifying information. True anonymity may be impossible, as the cashing out process could require a physical meeting, but it is probably reasonable to say it’s pseudonymous.
Financial institutions around the world have sophisticated systems to detect money laundering, such as large sums moving from account to account. If you have ever sold a property and had the funds deposited in an account, you may have had to go through the experience of explaining where the funds came from.
In the virtual currency world there seem to be no – or very limited – requirements to track the flow of money, making it an ideal solution for criminals, fraudsters and terrorists to use for storing and moving their funds. A secret currency.
As with all new innovative technology, it takes time for regulators and governments to catch up. Now would seem an opportune moment, though, for the same requirements imposed on financial organizations to be migrated to the new world of virtual currency, making “follow the money” a reality again. Taking action now by cutting off the ability to have an anonymously traded currency could stop the next major cyberattack.


16.5.17

WannaCryptor aka WannaCry: Key questions answered




WannaCryptor, aka WannaCry, is one of the biggest cybersecurity stories of 2017. In fact, you could go as far as to suggest one of the biggest in years. Since news first broke on Friday, broadcasters, journalists, bloggers, commentators, experts and security vendors, to name but a few, have reported on, discussed and analysed this global threat with a level of attention unseen before.
While this is all welcome, it can sometimes feel like information overload. Aware of this, we’ve put together this Q&A, bringing together some of the key points. There’s enough information to know all the salient points without getting too lost, but also plenty of links if you want more detail on certain areas related to the story.
What is WannaCryptor?
WannaCryptor, and its variants, is a type of malicious software known as ransomware, an increasingly popular attack method deployed by cybercriminals that involves the illegal encryption of files and devices. A ransom is demanded for the ‘safe recovery’ of said files and devices.
According to Michael Aguilar, a business security specialist at ESET, WannaCryptor, also known as WannaCry and Wcrypt, is “unlike most encrypting-type malware: this one has wormlike capabilities, allowing it to spread by itself”. He also offers some sage advice in his post on how to protect yourself. ESET clients were already protected by ESET’s network protection module.
The ransomware message that appeared on the screens of infected computers can be displayed in several languages, depending on geolocation, but the English version read: “Ooops, your files have been encrypted!” The authors of the malware added that it was futile to look for a way to access the files without their assistance (if, in fact, they can even do this). Of course, this comes at a cost – $300 in bitcoin per infected computer.
What happened?
In the UK, news outlets began reporting that multiple NHS sites had been hit with a massive cyberattack. Services were disrupted, with doctors, GPs and healthcare professionals unable to access computers or files – in effect, bringing parts of the NHS to a standstill.
However, it’s unclear how much of the disruption was due to the precautionary shutting down or isolation of systems rather than direct breaches.
NHS Digital, which is the information technology arm of the Department of Health, was quick to issue a statement.
It stated: “This attack … is affecting organizations from across a range of sectors. At this stage we do not have any evidence that patient data has been accessed.”
Soon enough it became clear that the cyberattack was, in fact, global in scale, affecting close to 150 countries (including, to name but a few, Spain, the US, India, Russia and China) and impacting all sorts of organizations and government agencies.
For example, in Spain, the telecommunications giant Telefónica was hit; in Russia, the interior ministry reported infections; and in the US, FedEx confirmed that it also had fallen victim to the ransomware attack.
Over the weekend, internal and external security specialists responded swiftly to the attack, including NHS Digital, ESET, Microsoft and the UK’s National Cyber Security Centre, all of which have gone a long way to limiting the damage and reach of WannaCryptor.
Further, ‘luck’ has also played a part in at least slowing down the malware. An individual, based in the UK, who goes by the moniker MalwareTech, accidentally activated what was later discovered to be a kill switch in the malware.
As he tweeted on May 13th: “I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.” For more detail on this, please check out his subsequent blog, titled How to Accidentally Stop a Global Cyber Attacks.
This is, by no means, the end. The story is still unfolding, with new infections still being reported across the world, though seemingly with ‘less energy’ than the initial outbreak. Still, many are calling for vigilance, as, due to the complexity of this ransomware, aftershocks are likely.
How did this happen?
It’s currently unclear what the original source is for this malware, but it’s likely that WannaCryptor was either delivered by email – hidden in an attachment – or via a backdoor (suggesting that a system had already been compromised).
In this particular instance, the malware has exploited a vulnerability in older (Windows XP, Windows 8.0, Windows Server 2003) and/or still-supported versions of Microsoft’s Windows operating system where the MS17-010 update wasn’t applied. Computers that have been infected have, for whatever reason, not updated the operating system with the latest version. The MS17-010 update has been available for supported systems since March 2017, and was made available for Windows XP/Windows 8.0/Windows Server 2003 on May 12th.
The case has highlighted many flaws within some organizations, security agencies and governments, including poor and untimely information sharing; inefficient and slow to react cybersecurity efforts and financial underinvestment, all of which have created a perfect hailstorm of opportunities for cybercriminals to exploit.
What are experts, decision makers and organizations saying?
Rob Wainwright, executive director of Europol, said in an interview with British broadcaster Robert Peston: “We’ve seen the rise of ransomware becoming the principal cyber threat, but this is something we’ve never seen before – the global reach is unprecedented.”
In an official company blog, Brad Smith, president and chief legal officer of Microsoft, described the WannaCryptor as a “wake-up call for all”. He added: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”
Mark Porter, council chair of the British Medical Association, noted: “We need to quickly establish what went wrong to prevent this happening again and questions must also be asked about whether inadequate investment in NHS information systems has left it vulnerable to such an attack.”
MalwareTech, the so-called accidental hero, concluded in his blog: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”
The UK’s health secretary, Jeremy Hunt, who has been criticized for his silence on the attack, said three days after news broke: “According to our latest intelligence, we have not seen a second wave of attacks. And the level of criminal activity is at the lower end of the range that we had anticipated and so I think that is encouraging.”
David Harley, a senior research fellow at ESET, said: “If you didn’t take advantage of the patch for supported versions of Windows (Vista, 7, 8.1 and later) at the time, now would be a good time to do so (a couple of days earlier would have been even better). If you’re running one of the unsupported Windows versions mentioned above (and yes, we appreciate that some people have to because of hardware or software compatibility issues), we strongly recommend that you either upgrade or take advantage of the new update.”



New Pirates of the Caribbean film ‘stolen by cybercriminals’

By Editor 

Cybercriminals have reportedly stolen Walt Disney’s upcoming Pirates of the Caribbean film, and are threatening to release it online if their ransom demands are not met.
CEO Bob Iger reportedly broke the news to ABC employees, adding that chunks of the new film, Pirates of the Caribbean: Dead Men Tell No Tales, will be put into the public domain unless the cybercriminals are paid using the digital currency bitcoin.
According to Iger, the extortionists have threatened to firstly release five minutes of the film, and then 20-minute segments unless the ransom is paid.
He added that Disney has refused to adhere to the demands, and is instead working with federal investigators.
Pirates of the Caribbean: Dead Men Tell No Tales, the fifth instalment in the film franchise, is set for an official release on May 25th.
The Pirates series has been a significant moneymaker for Disney, and the studio will subsequently be concerned at the potential for this incident to harm takings at the box office.
Disney itself is a lucrative target for cybercriminals due to its substantial presence in cinemas and theatres all over the world, achieved mainly through its core filmmaking studio, as well as Marvel studios and Lucasfilm, with the latter responsible for the historic Star Wars franchise.
According to The Verge, there is no evidence to suggest that hackers have actually taken the film, but previous incidents suggest that Hollywood is indeed emerging as a target for cybercriminals.
Last month saw a cybercriminal claim to have released the new series of the hit Netflix show ‘Orange is the New Black’ onto the internet, after the company refused to pay an undisclosed ransom.
The individual, using the moniker ‘thedarkoverlord’, also claimed to have stolen shows belonging to other broadcasters including Fox, National Geographic, and ABC.
In a statement, Netflix said it was “aware of the situation”, adding “a production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved”.