Avast blog: What to do about the BootHole vulnerability

Late last month, security researchers discovered a major vulnerability in the software that controls how PCs boot their operating systems. This is one of those issues that sounds scarier than it is. Fixing it will be a major process, especially for Linux system administrators and corporate IT organizations with a mixture of different PC vintages and manufacturers. The problem has been named BootHole, and it could affect up to a billion computers.

If you are running Linux, do your homework before rebooting or upgrading so you don’t make things worse. If you are running Windows, you’re better off waiting for Microsoft to issue a fix.  In the meantime, use basic security hygiene to avoid unwanted access to your machine.

You can read more about this issue in my post on Avast’s blog here.

 

Avast blog: How to use multi-factor authentication for safer apps

Multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone are less secure than others, such as using a $25 Google Titan security key (shown here) or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (such as a reused one that has been already leaked in another breach), your account is still secure because you have this additional secret to gain access. Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes.

After the Twitter hacks of last month, I took some time to review my own security settings, and found them lacking. This just shows you that security is a journey, and you have to spend the time to make it better.

I go into more details about how to best use MFA to make your social media accounts better protected, and you can read my blog post for Avast here for the step-by-step instructions.

Avast blog: Why Emotet remains an active threat

One of the longest-running and more lethal malware strains has once again returned on the scene. Called Emotet, it started out life as a simple banking Trojan when it was created back in 2014 by a hacking group that goes by various names, including TA542, Mealybug and MUMMY SPIDER. What made Emotet interesting was its well-crafted obfuscation methods. Proofpoint posted this timeline:

Over the years, it has had some very clever lures, such as sending spam emails containing either a URL or an attachment, and purport to be sending a document in reply to existing email threads.

You can read more on Avast’s blog here.

Network Solutions blog: Tools and tips for best practices for WFH network printing

Now that more of us are working from home (WFH), one of the key technologies that can cause problems is surprisingly our networked printers. Hackers target these devices frequently, which is why many IT departments have taken steps to prevent home laptops from connecting to them. In my latest blog post for Network Solutions, I suggest several strategies to help you understand the potential threats and be able to print from home securely, including what IT managers can do to manage them better and what users can do to avoid common security issues.

How cybercrime has become boring work

To those of us who have seen one of the classic cybercrime movies, hackers are usually social misfits with an ax to grind and come with plenty of attitude. A new academic research paper takes issue with this profile, and indeed its title is somewhat intriguing: Crime is boring.  Let’s take a closer look.

The paper begins by describing how cybercrime has shifted to more cloud-based specialized and subscription services, mirroring the general direction that has happened in the legit IT world. Several years ago, cybercriminals sold their malware — now you can find just about anything for free on open-source marketplaces — again, mirroring this general trend in the legit world.

But as the tech has evolved, so has the units of work done by the typical cybercriminal. These jobs are very similar to maintaining the back-office infrastructures of an insurance company or any global business. The majority of people involved in cybercrime are doing the grunt work, such as evaluating different online services, running various scams and acting as resellers. In the past, cybercriminals could be found on dial-up BBS’ or IRC channels. Now they populate Discord, Telegram and other online chat groups.

As a result, the researchers from University of Cambridge (UK) Cybercrime Center have found that “there has been a change in the kind of work involved in the typical cybercrime economy.” Far from the exciting dramas depicted in the hacker movies, much of the work has become fairly routine and even dull, “the underground equivalent of a typical office job.” Or at least the office jobs that we once had at the beginning of the year.

The research involves interviewing admins who operate a variety of several cybercrime services, such as booters and stressers (which form the underpinnings of denial of service attacks). One person was quoted as saying “Creating a stresser is easy. Provider the power to run it in the tricky part.” They describe three malware situations in more detail: the botnet herders, the evolution of the authors of the Zeus banking trojan, and underground marketplaces hosted on the dark web. The booter services have something in common with legit web services: they need a solid customer-facing portal to track users, collect payments and manage the actual attacks. Some of these booters operate more than a dozen different websites that need to be maintained and to be configured and tested for continual operations. This often means a substantial investment in customer support, such as running a problem ticketing and tracking service or realtime text chat. Sound familiar?

The research pulls together a set of eight key features of the unknown cybercrime worker, ranging from support for broader illegal activity to diffusing risk and maintaining stability and transparency of the criminal infrastructure. I have never thought about cybercrime in this fashion, and it made for some interesting reading. The authors also mention that the often-publicized crackdowns on online criminals can “in fact unite communities, giving them a common sense of struggle and persecution” and purpose. Perhaps a different strategy of having law enforcement interventions that focus on the economics of boredom and encouraging burnout could be a viable substitute instead of the “whack-a-mole” current approach.

Network Solutions blog: How to Secure Mobile Devices from Common Vulnerabilities

The biggest cyber threat isn’t sitting on your desk: it is in your pocket or purse and, of course, we mean your smartphone. Our phones have become the prime hacking target, due to a combination of circumstances, some under our control and some not. These mobile malware efforts aren’t new. Sophos has been tracking them for more than a decade (see this timeline from 2016). There are numerous examples of attacks, including fake anti-virus, botnets, and hidden or misleading mobile apps. If you want the quick version, there is this blog post for Network Solutions. It includes several practical suggestions on how you can improve your mobile device security.

You can also download my ebook that goes into more specific details about these various approaches to mobile device security.

How to minimize your cyber risk with Sixgill

In this white paper sponsored by the security vendor Sixgill, I explain why the dark web is such a critical part of the cybercrime landscape, and how Sixgill’s product can provide cybersecurity teams with clear visibility into their company’s threats landscape along with contextual and actionable recommendations for remediation. I cover the following topics:

  • How the dark web has evolved into a sophisticated environment well suited to the needs of cybercriminals.
  • What steps these criminals take in the hopes of staying hidden from cybersecurity teams.
  • How Sixgill uses information from the underground to generate critical threat intelligence – without inadvertently tipping cybercriminals off to the fact that an investigation is underway.
  • Why Sixgill’s rich data lake, composed of the broadest collection of exclusive deep and dark web sources, enables us to detect indicators of compromise (IOCs) before conventional, telemetry-based cyberthreat intelligence solutions can do so.
  • Which factors businesses and organizations need to consider when choosing a cyber threat intelligence solution.

You can download my white paper here.

Avast blog: Your guide to safe and secure online dating

Recently, information from five different dating sites have leaked millions of their users’ private data. The sites cover users from the USA, Korea and Japan. On top of this, a variety of other niche dating apps (such as CougarD and 3Somes) had data breaches of their own that exposed hundreds of thousands of users’ profiles in May, including photos and audio recordings. This latter event occurred thanks to a misconfigured and open Amazon S3 storage bucket. Thankfully, the owner of the account quickly moved to secure it properly when they heard from security researchers. We haven’t heard much about dating site breaches since private data from some 30M Ashley Madison users were posted online in 2015.

In this time of the pandemic when more of us are doing everything we can online, dating remains a security sinkhole. This is because by its very nature, online dating means we eventually have to reveal a lot of personal information to our potential dating partners. How we do this is critical for maintaining both information security and personal safety. In this post for Avast’s blog I provide a bunch of pointers on how to do this properly and provide my own recommendations.

Avast blog: Understanding BlueLeaks

Earlier this month, a group of hackers published a massive dataset stolen from various local law enforcement agencies. The data has been labeled BlueLeaks and contains more than 269 GB of thousands of police reports that go back at least two decades from hundreds of agencies from around the US. The reports list private data including names, email addresses, phone numbers and bank accounts. The source is a group called Distributed Denial of Secrets or DDoSecrets, which like Wikileaks has been publishing various leaked datasets for many years.

The data can be easily searched as shown in the screenshot below.

What BlueLeaks shows is that third-party IT providers need to be properly vetted for their internal security methods. While having an easy-to-update website is great, it needs to be secure and all accounts should use multi-factor authentication and other tools to ensure that only authorized users have access. You can read more about the leak and its relevance here in my post for Avast’s blog.

RSA blog: Making the Next Digital Transition Will Require Extensive Security Planning

We are all in a forced march towards a more accelerated digital transition because of the global health crisis. McKinsey is one of many consulting firms proposing a 90-day guide towards moving into this brave new era. While the intentions are good, this proposal is somewhat flawed. It will take more than Zoom, Slack and a corporate subscription to a cloud-based collaboration platform to transform a business for this next normal. To make this move successful, we all have a lot more work to do in planning for this transition. In my blog post this month for RSA, I share a few ways to begin to frame your thinking about this subject.

There are many risks and security challenges associated with digital transformation in response to the on-going health crisis. I think they can be conquered, but will require significant planning to ensure that we manage the associated risks appropriately.