Author’s Note: In cyber security, ‘prevention’ is the first line of defence, followed closely by ‘detection’ when your defences are penetrated. I propose to re-target this newsletter to explore how you can protect yourself, and your organization, when the inevitable breach does occur. Using the cyber security news in the week, I will try to highlight where the vulnerability was & what was done in response to the incident. And, if possible, how you can prevent it.
I think this would be a more profitable use of your time, rather than just reading the week’s threat intelligence. Please do let me know your thoughts & if you would like to see some other kind of content here.
Multi-factor authentication is a basic hygiene practice that goes a long way in making you secure. (If you have not enabled it for your important accounts, please go and do it right now. I will wait!).
SMS based 2FA is the most common form of MFA. It is also the most easily broken authentication method: it is prone to SIM swap or SIM jacking attacks, which are quite easy to execute. However, it is quite sufficient for non-critical accounts and is definitely more secure than password-only authentication.
If you are a good target for spear phishing, or if a compromise of your credentials has a very high impact, you are better off with an authenticator app based MFA, like Google Authenticator, than an SMS based one. Unless you lose your physical device or allow remote access, you would be secure.
A dedicated hardware key offers still greater security, at the cost of a minor sacrifice in convenience. In this method, you need the physical key to access your account, and there is a tight binding between the device you use for access, your credentials & the key. So, even if you lose the key, since nothing is stored on the key itself, it will be useless for accessing your account. However, if you do lose the key, you would need to remove it as a form of authentication from your accounts, replace it and re-establish the authentication again. The peace of mind is worth the minor compromise in convenience, if the impact of wrongful access is great enough.
And, if you need even more security (and if you are on the Google eco-system), and if you do not want to even entertain the possibility of your account being compromised, you could also enroll in the Google Advanced Protection Program. It is basically impenetrable but not very broadly usable outside of Google; Apple users, for example, cannot use this. You can learn about the ins and outs of multi-factor authentication in this excellent PC World article.
Read on for more information on learning from this week's incidents and for the human interest cyber security news stories of the week. And, if you need the threat intelligence on high priority vulnerabilities, they are there too!
The latest ransomware attack victim turns out to be the global mailing and shipping service Pitney Bowes. As confirmed by the firm itself, their systems suffered a ransomware attack which caused disruption to their services. Learning: The average cost of a ransomware attack on a small company is pegged to be around $200,000 per incident. The irony is, even though ransomware attacks are common, they are not particularly sophisticated or insidious. They are easily preventable, even by small, non-technical businesses.
The best defence against this type of attack is having regular, well tested back-ups. Both aspects of backups, regularity and testing, are important for this defence to be effective. Additionally, your frequency of backup has to meet your organization’s standards for RPO (Recovery Point Objective).
The other aspect to keep in mind is that since most ransomware is introduced into the organization via email, either as an attachment or as a link, it might pay excellent dividends to invest in the security education of your employees. Combined with a good back-up process, this will help you prevent or recover from 90% of ransomware attacks.
You are aware of all the epigrams:
- “If you're not paying for the product, you are the product.”
- “Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.”
- “Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.”
What all these bon mots fail at is telling you how to erase your digital footprints on the broad internet. It is not always possible to browse the net using incognito mode - after all, it is convenient to get recommendations for that playlist that is tuned just to your tastes!
You should be able to balance your need for convenience with how much of your information is collected, and how much of it is stored for how long. Learning: So, how do you ensure that your digital history is not stored on the internet? First, follow safe browsing practices:
- Examine a URL before clicking
- Do not install random software from unproven sources
- Install & use a good anti-virus
- Unfriend or disassociate from anyone you do not actually know
- Look critically at the permissions you have given and fix them
For most organisations in India (92%), cybersecurity is an executive-level priority. However, higher workloads and fatigue leave leaders little time to actually look into cyber security threats, according to Cisco’s 2019 Asia Pacific CISO Benchmark Study.
Indie Japanese idol Ena Matsuoka ‘gave away’ her location to her obsessed fan Hibiki Sato!
Apparently, he was able to stalk her from her photos on social media. The 26-year-old fan used the angle of the light and shadows to approximate her GPS location! He also zoomed in on the singer’s eyes and identified a train station from the reflection in her iris. He then used Google Maps to find the train station.
In an ironic twist of fate, BriansClub, a black market site that sells stolen credit cards, was hacked, rescuing the data of more than 26 million credit and debit cards. KrebsOnSecurity reports that the data stolen from the site in August was shared with financial institutions, who were able to identify, monitor, and reissue the cards that were compromised.
Kaspersky has set up ‘honeypots’ in various geographies to find out the nature & pattern of threats on smart devices. These are small footprint devices which have some processing capabilities.
They set up around 50 honeypots around the world. They found that there were 20,000 infected sessions every 15 minutes.
Their conclusion? Read the title of this snippet!
Email service provider Click2Mail suffered a massive data breach that leaked sensitive personal information of their customers, and the attackers used the stolen email addresses to send spam emails.
Attackers seem to have stolen Click2Mail customer personal information, including name, organization name, account mailing address, email address, and phone number. Since Click2Mail does not store any credit card data, there is no financial data involvement with this breach.
If you use Sudo User ID -1 or 4294967295, you can execute as root.
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.
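To see why the two numbers quoted above matter, here is an added, simplified model of the sudo Runas policy check (not sudo's own code): a policy of "(ALL, !root)" means "run as anyone except root", but a literal comparison never matches uid -1 or 4294967295 against root, while a hardened check canonicalizes the uid and rejects the "no change" sentinel that would leave the process as root. The passwd table and the helper names are constructed for the example.

```python
UID_MAX = 4294967295   # 2**32 - 1: the unsigned form of uid -1 on 32-bit uid_t

# Constructed subset of /etc/passwd for the example (name -> uid)
NAMES = {"root": 0, "alice": 1000, "www-data": 33}

def parse_runas(spec):
    """Parse a sudoers Runas spec such as '(ALL, !root)' into (allowed, excluded)."""
    inner = spec.strip().strip("()")
    allowed, excluded = set(), set()
    for tok in (t.strip() for t in inner.split(",")):
        if tok.startswith("!"):
            excluded.add(tok[1:])
        elif tok:
            allowed.add(tok)
    return allowed, excluded

def vulnerable_check(spec, target):
    """Pre-fix logic: compare the requested target literally against the lists.
    '#-1' and '#4294967295' are not in passwd, so they never match '!root',
    yet setresuid(-1) leaves the uid unchanged, i.e. root."""
    allowed, excluded = parse_runas(spec)
    name = target
    if target.startswith("#"):
        name = next((n for n, u in NAMES.items() if str(u) == target[1:]), target)
    return name not in excluded and ("ALL" in allowed or name in allowed)

def hardened_check(spec, target):
    """Canonicalize numeric uids before the policy comparison and reject the
    values that would act as a 'no change' sentinel for the set*uid calls."""
    allowed, excluded = parse_runas(spec)
    if target.startswith("#"):
        try:
            uid = int(target[1:])
        except ValueError:
            return False
        if uid < 0 or uid >= UID_MAX:      # covers both -1 and 4294967295
            return False
        # Resolve uid 0 to 'root' so the '!root' exclusion actually applies
        name = next((n for n, u in NAMES.items() if u == uid), f"#{uid}")
    else:
        name = target
    return name not in excluded and ("ALL" in allowed or name in allowed)

if __name__ == "__main__":
    policy = "(ALL, !root)"
    for t in ("alice", "root", "#0", "#-1", "#4294967295"):
        print(f"{t:>12}: vulnerable={vulnerable_check(policy, t)} "
              f"hardened={hardened_check(policy, t)}")
```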
On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support, or software and security updates.
Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.
There's a potentially serious software flaw that could be used to crash or compromise millions of routers, smart-home devices, smart TVs, PCs running Linux and even Android smartphones.
The issue lies with the Linux driver software for Realtek Wi-Fi chips. A coding error makes it possible for someone within Wi-Fi range to disable or possibly even hijack the device. The attacker won't need to know your Wi-Fi network password or the network name.
Targeting your Personal Assets
This week again saw its share of attacks that target your personal information. Two reports stood out:
Bad actors have now started hiding malware in audio files! (Last week, it was GIFs in WhatsApp.) This malware hijacks your hardware for crypto mining.
While there is very little defence against the first – it is a case of a previously legitimate source gone rogue – the latter can be handled with a bit of education.
Do not click any random links from any source!
The 'Site Isolation' security feature in Chrome was enabled for desktops last year. Google has now introduced it for Android smartphone users surfing the Internet over the Chrome web browser.
In brief, Site Isolation is a security feature that adds an additional boundary between websites by ensuring that pages from different sites end up in different sand-boxed processes in the browser.
The Internet Systems Consortium (ISC) has released security advisories, CVE-2019-6475 and CVE-2019-6476, that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.
Multiple vulnerabilities have surfaced affecting Pulse Secure Virtual Private Network (VPN). An attacker could exploit these vulnerabilities to take control of an affected system. These vulnerabilities have been targeted by advanced persistent threat (APT) actors.