SurfWatch Labs

Typosquatting: Easy Attack Vector That Produces Results

Every week here at SurfWatch Labs our team of threat analysts write about new vulnerabilities, malware developments and cyber-attacks. One attack vector that is not mentioned very frequently but can be a significant threat for organizations and consumers alike is a technique called typosquatting.

Typosquatting is an attempt to trick users into thinking they have landed on their desired website, but in reality the user has landed on a website with a similar looking domain name that is controlled by cybercriminals. It’s an old technique, and security-conscious organizations often try to secure those domain variations that arise from typos.

However, a study last year described how companies remain vulnerable to typosquatting and found that most organizations do very little to protect their customers from the threat.

Key findings from the study:

Few trademark owners protect themselves against typosquatting by defensively registering typosquatting domains for their own domains.
The study found that 95% of the most popular 500 websites researched were targeted with typosquatting.
Hackers are increasingly targeting longer domains.
Some companies secure potential typosquatting domains but then choose not to renew them, leaving them vulnerable.

TypoSquatting Attack Example

A great example of a typosquatting attack was used against the popular online first-person shooter game Counter-Strike: Global Offensive. The hackers set up a convincing spoof, tricking gamers into believing they were on a legitimate site for the game. The fake site was listed as csgoloungcs.com, while the legitimate site is csgolounge.com.

Not only were visitors of the fake site tricked into sharing their login credentials, a Trojan downloader was pushed on them, leading to malware infections.

Another example found malicious actors taking advantage of the .om top level domain. Earlier this year, Netflix users who mistyped the address as netflix.om were redirected to a fake Flash update page.

Typosquatting is one example of the many opportunistic type of threats facing organizations. It doesn’t require sophisticated techniques, and it’s an easy way to leverage popular brands in order to entrap customers who aren’t aware of such scams.

Typosquatting scams can lead to a variety of consequences for users — from account takeover to identity theft — and those consequences can easily spill over to the organizations being impersonated in the form of disgruntled customers, bad press, or having to deny a breach when stolen credentials are put up for sale on the Dark Web.

All that trouble can be largely avoided by being vigilant about identifying common typographical mistakes related your organization’s domains and purchasing them to keep them out of malicious actors’ hands.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computers system, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens used to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues. Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Because Venmo allows users to charge friends through shared bill pay, that friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s phone could steal money from another user’s account by replying to a notification text message with a provided 6-digit code. A feature in Siri that allows users to reply to text messages from locked devices along with the iOS text message preview feature make this attack possible.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen, ” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events prove that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly. There are clear best practices that can be utilized by both businesses and customers to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.

Hacking the Presidency: Will Data Breaches Help Decide the 2016 Presidential Election?

The 2016 presidential election hasn’t been without controversy. Both candidates have blemishes on their records that have left many Americans with a bitter pill to swallow when voting comes in November, and cybersecurity has been put front and center in a way never before seen in a U.S. election. Email hacks, data breaches, cybersecurity ineptitude — they’re not just conversation topics among infosec wonks; but major campaign talking points.

Cybercrime has already infiltrated many facets of our everyday lives. Account information, payment card information, trade secrets, and more are regularly obtained and sold like merchandise on underground markets. Cyber-espionage also remains a huge threat as organizations and governments attempt to secure their precious secrets. With such a divided nation over who will become our next president, could the recent data breach of Democratic National Committee (DNC) data be a sign of what’s to come in this election?

More importantly, could this be the first presidential campaign ultimately swung by leaked information obtained in a data breach?

The information released by WikiLeaks from the DNC email breach caused an uproar from American citizens as the emails released showed a clear bias for Hillary Clinton over Bernie Sanders — a claim made by the Sanders campaign months before the DNC data breach. While none of the DNC information shows correspondence from Hillary Clinton directly, the DNC breach– along with other related cybersecurity issues — has had a big impact in Clinton’s polling numbers. However, the latest polls show Clinton above Trump by a favorable margin.

Clinton isn’t out of hot water yet. WikiLeaks founder Julian Assange told PBS’s Judy WoodRuff in a recent interview there would be more information released that will negatively affect Clinton’s campaign:

It’s a wide range of material. It covers a number of important issues. There’s a variety of natural batches and some thematic constellations that we’re working on.

It’s interesting material. We have done enough work now that we are comfortable with the material’s authenticity. And so now it’s a matter of completing the format, layout to make it easy and accessible and so that journalists can easily extract material from it, extract stories from it, and also the general public.

DNC Fallout from Breach

DNC chairwoman Debbie Wasserman Schultz announced her resignation as national party chair following the leak of the stolen DNC emails. Since the Democratic National Convention has wrapped up, more high-profile DNC officials have announced their resignation as well.

Chief Executive Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda have all resigned just days after a new chair took over for Schultz. Luis Miranda was one of the key figures whose email account was breached and leaked by WikiLeaks.

The rest of the DNC members whose accounts were hacked have not resigned, including National Finance Director Jordon Kaplan, Finance Chief of Staff Scott Comer, Finance Director of Data & Strategic Initiatives Daniel Parrish, Finance Director Allen Zachary, Senior Advisor Andrew Wright, and Northern California Finance Director Robert Stowe.

Donald Trump in the Mix

During the DNC breach investigation, evidence was discovered linking Russia to the cyber-attack. Based off of this information, Trump called for Russia to conduct cyber-espionage against Hillary Clinton:

“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said referencing Clinton’s email scandal. “I think you will probably be rewarded mightily by our press.”

Trump later said he was kidding about his comment.

Not every politician found his remarks funny. Democratic Senators Chris Coons of Delaware and Sheldon Whitehouse of Rhode Island recently petitioned Senator and former Presidential candidate Ted Cruz to conduct an investigation into Trump’s support of involvement from Russia in U.S. elections. The Senators wrote the letter to Cruz because he chairs the Senate Judiciary Subcommittee on Oversight, which potentially could have jurisdiction in the matter. Cruz has not responded to the letter and his involvement in the matter is not likely.

Still, the damage has been done to Trump as the Clinton campaign is alleging him of having ties with Russian President Vladimir Putin, which makes his “joke” no laughing matter.

The data breach of the DNC, the controversy surrounding Clinton’s emails, accusations that Russia is trying to directly influence the election — this is the first time a presidential election cycle has been so heavily dominated by cybersecurity events.

The effects, at least for the candidates, have been relatively mild so far, but with WikiLeaks promising more leaks painting Hillary Clinton in a bad light, there is the potential that a close election in November could ultimately be decided based on cybersecurity.

No matter the outcome, cybersecurity has gained a national stage and everyone should take notice. Understanding cyber threats and the potential consequences of those threats is vital, whether you’re an employee, an executive, or a presidential candidate.

OurMine Hacking Group Trending, What Are They After?

As we mentioned in a previous post, hacktivism activity has been down in 2016 — with the exception of Anonymous. However, there is a new hacktivist group that has been showing up in SurfWatch Labs’ data — OurMine.

Over the last two months, OurMine has been the top trending hacktivist group.

OurMine made multiple headlines over the past month after successfully hacking the LinkedIn and Pinterest accounts of billionaire Facebook CEO Mark Zuckerberg. The hack provided some embarrassment for Zuckerberg, as it was discovered that the password he used for both accounts was “dadada.”

The group’s latest target was the CEO of Pokemon GO, John Hanke. OurMine hacked into Hanke’s Twitter account, saying that the hack was “for Brazil.”

Here are the top trending targets associated with the OurMine hacking team over the last two months.

What is OurMine After?

What separates OurMine from other hacktivists is their claim for hacking. In each of the group’s attacks, they claim they are a security firm that is testing their target’s security, and have even gone as far to say they were going to offer security services to their victims. The hacking group even has a website advertising their services.

OurMine has shown an aptitude for hacking. In several of their hacks — like Mark Zuckerberg’s social media — they were able to take advantage of a weak password to compromise the account. In other attacks — such as the attack against Google’s CEO Sundar Pichai’s Quora account — they have been able to exploit website platform vulnerabilities.

The group isn’t only after high profile businessman. OurMine has also targeted Minecraft player accounts, defaced websites like TechCrunch, and completely disabled the servers of HSBC bank.

It appears that all of these attacks are used as a method to promote their services. OurMine has yet to cause significant damage with any of their attacks other than a minor nuisance. Is this group’s supposed white hat hacking attempts really an effort to promote their security services and point out security weaknesses for companies? Only time will tell.

Cyber Skills Shortage Continues To Be An Issue

It has been long documented that cybersecurity organizations are struggling to hire qualified personnel. A recent study on the cybersecurity professional gap has reaffirmed this dilemma.

Intel Security and the Center for Strategic and International Studies (CSIS) released a global report that outlined the cybersecurity talent shortage crisis. The report, Hacking the Skills Shortage, outlined how the talent shortage crisis has impacted both companies and nations. Eighty-two percent of respondents said there is a clear shortage in cybersecurity, while 71 percent of respondents said this talent shortage has been a primary contributor to the amount of cyber-attacks — because organizations who lack qualified personnel are more desirable hacking targets.

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at CSIS. “This is a global problem. A majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization.”

As we noted in June, more companies need talent, so companies are going to continue to be easier targets.

The lack of qualified candidates makes using the resources your organization does have that much more important. That’s one of the many reasons SurfWatch Labs stresses the importance of threat intelligence.

The Hacking and Skill Shortage report also mentioned diversity as being a huge challenge in the cybersecurity skills gap. The report referenced a 2014 Taulbee Survey and an ISC report to address the women and minority diversity challenge:

“In North America, a dearth of women and minorities in the cybersecurity industry mirrors trends in academia, according to a survey of academic institutions that provide degrees in computer science and engineering or information security. In this study, only 2.6% of doctoral graduates of these programs in 2014 were non-Asian minorities, a decrease from 3% in 2013. Women comprise only 17 to 18% of doctoral graduates in computer science, engineering, and information security. This mirrors industry trends, as an (ISC) study of 306,000 professionals in cybersecurity revealed only 11% were women. Anecdotal evidence from our interviews suggests that while relevant technical programs are slowly adding more women, black and Hispanic students remain in short supply.”

If women and minorities are so poorly represented in the cybersecurity workforce, organizations need to recognize this issue and put a plan in action. This is the same with threat intelligence; it’s not enough to do the bare minimum and meet security requirements, you have to recognize where your organization is vulnerable and address those threats head on with practical tools and intelligence.

Cyber-Insurance, Threat Intelligence and the Wendy’s Breach: Interview with Larry Bowman

Data breaches and other cyber threats have plagued business over the past decade often resulting in a long and expensive recovery process. Luckily for businesses, cyber-insurance can help alleviate some of the financial burden of these cyber-attacks.

“If you were to Google top ten losses due to data breaches in 2015 you would start off with a low of about $46 million for the Home Depot, move into the hundreds of millions with Anthem and Target, and as you get closer to Epsilon you get into the hundred to a billion mark,” said Larry Bowman, Director at Kane Russell Coleman and Logan PC. “The Veteran’s Administration hack was valued at about $500 million. These totals are for notification costs, response, cleaning up the computer system, implementing changes to increase encryption and security protection in the system. But, this does not take into account the loss of business and revenue.”

We had a chance to speak with Bowman about cyber-insurance: what is it, what it covers, and how threat intelligence fits into the equation. Bowman also provides some insight on the current Wendy’s point-of-sale data breach. Our conversation follows.

To kick things off, can you explain what cyber-insurance is and what exactly it covers?

To explain cyber-insurance, it’s helpful to first start with a brief explanation of traditional insurance and then explain the difference between it and cyber-insurance. Traditionally, insurance is for tangible property – such as if you own a home, business, or rent space. You insure property against the risk of loss, and that property is typically tangible property. So, you’ll see language in first-party property insurance – which is insurance industry lingo for like your homeowner’s policy – that is set up to protect you from that. The core insuring agreement – in exchange for premium money – insures the risk of loss which is usually defined in terms as direct physical loss to tangible property.

Secondly, there is a form of insurance called liability insurance. The industry acronym for it is CGL – commercial general liability insurance. And once again, if you act negligently – you being the insured – and you cause damage to some third party’s tangible property, your liability insurance will indemnify you for your legal obligation, which will then indemnify the people you hurt for the damage that you caused to their property.

Along comes hacking and cybercrime and data breaches. The people who are victimized by these third-party attacks make claims to their property insurance coverage. In most instances, whether it is a claim submitted under a traditional property or liability insurance policy , the courts look at these policies’ language and say there is no coverage because there is no loss to direct tangible property. This doesn’t exist in the virtual world of data and data breaches. There have been some cases where damage has been done to a computer system that looks like it is physical damage. Stuxnet is a great example of how a computer program can damage tangible property. In those cases, traditional policies may cover an insured’s losses. The bottom line is though, with the outlying cases aside, most cases say for there to be property or liability insurance coverage you have to have physical damage to tangible property, and that doesn’t exist when the insured has lost electronic data.

The losses from companies who suffer a data breach and the lack of insurance from the traditional market created a market for cyber-insurance. What has happened over the last few years has been the development of specialty insurance products designed to insure against the losses companies face when their computer systems or data is breached or hacked. These policies operate like traditional property or liability policies. But, there is no longer a requirement to have direct physical loss to tangible property. Cyber-insurance policies cover things like the cost of notifications to people affected by a data breach, the cost of hiring security professionals and lawyers to deal with the situation, and the cost of government compliance. It may or may not cover lost revenues or profits. Of course, the scope of coverage is specific to the policy itself.

What are some of the problems with the cyber-insurance industry?

There are a couple problems the insurance industry currently faces. First, the industry only has about a decade of experience in covering cyber losses – which isn’t a lot of time in the historical knowledge-base of the insurance industry – that makes pricing policies difficult. However, that is a problem in the process of being solved because the quantifiers are coming up with increasingly better models and formulas to allow an insurance company to set up a policy and price it accordingly. The insurance companies like certainty; they like probability. As time goes by and as data improves, this will be easier and easier to do – within reason.

The second problem is the lack of a consensus standard of care for data protection; although there are numerous proposed standards and guidelines for data protection – such as NIST’s cybersecurity framework. What I am talking about here is that it is nice to know what the rules are. The SEC, FDIC, and FTC have all pronounced in the last couple of years that they think cybersecurity is a board of directors-level issue that requires hands-on knowledge and attention and an effective remedy at the board of high management level. When you fill in the blanks, there are conflicting messages about what a board should do to enable reasonable cyber protections.

At SurfWatch Labs, we believe that robust security features such as firewalls and antivirus software are paramount to a well-rounded cybersecurity strategy. Perhaps just as important, we believe cyber threat intelligence – knowing what threats are out there and knowing how to proceed with security – is just as important. Some of the problems you mentioned with cyber-insurance is a lack of understanding around reasonable cyber protections. Do you believe cyber threat intelligence is a logical step in solving that issue?

As part of the initial application for cyber-insurance a lot of insurance companies will require the company applying for insurance to fill out a detailed form describing what its current cybersecurity policies are. I don’t know if those forms require cyber threat intelligence, but that would be a source of beneficial information. And it may be something that insurance companies should require from insurance applicants.

Are companies utilizing cyber-insurance to protect their assets in case of a data breach?

If you were to Google the amounts spent on cyber-insurance it started out small, but it really started to get off the ground with these well-publicized data breaches. In a few years, this is going to be a multi-billion dollar market. As a matter of fact, I believe it is already up to the billion-dollar mark already, and it is expected to get to about $5 billion by 2020. As the consensus standard gets better defined, using due diligence to protect your company’s assets and customer’s assets is certainly going to be a part of liability cyber-insurance coverage.

I would love to get your take on the current events tied to the Wendy’s data breach. It seems like the number of restaurants affected by point-of-sale malware increases every week.

The loss to Wendy’s is similar to the Target loss. The bad guys have gotten control of point-of-sale information, which means they have people’s credit card information. So what is the exposure to Wendy’s? Wendy’s gets sued by multiple customers who are saying they failed to implement reasonable measures and allowed our payment card information to be obtained by these hackers.

Now, their insurance policy will define what out-of-pocket costs are covered. That’s part of the fun right now is defining what those costs are. Some of those costs are driven by state and federal laws – like notification. If you are a retail company in possession of thousands of credit cards and those cards are obtained by a third-party, you have to notify all of those people about the event.

It’s not just notification costs; it’s everything that is done to investigate the data breach. They might have to pay experts, lawyers, and pay for forensic measures to make sure a breach doesn’t happen again. There may be costs with complying with regulatory action or government investigations. Those are just some of the out-of-pocket costs from the breach. Who knows, maybe people won’t trust Wendy’s anymore with their credit card information and consumers may simply avoid the restaurant.

DDoS Attacks Trending Over the Last 30 Days

DDoS attacks are growing in size and sophistication, says a new report from Arbor Networks, and those attacks have continued to impact a variety of organizations over the past few weeks.

According to Arbor networks, a current average-sized DDoS attack is capable of taking down almost any organization’s server at about 1 Gbps. The average attack size in the first half of 2016 was 986 Mbps, which was a 30% increase over 2015. It is project that the average size of a DDoS attack will reach 1.15 Gbps by the end of 2016.

Some highlights from the report include:

An average of 124,000 DDoS events per week over the last 18 months.
A 73% increase in peak attack size over 2015, to 579 Gbps.
274 attacks over 100 Gbps monitored in the first half of 2016 compared to 223 throughout all of 2015.
46 attacks over 200 Gbps monitored in the first half of 2016 compared to 16 throughout all of 2015.
The U.S., France and Great Britain are the top targets for attacks over 10 Gbps.

Lastly, reflection amplification attacks have continued to grow in popularity. The majority of larger DDoS attack utilize this technique by using attack vectors such as DNS servers. Because of this, DNS was the most used protocol in 2016, taking over from NTP and SSDP in 2015, according to the report. The highest recorded reflection amplification attack size during the first half of 2016 was 480 Gbps.

DDoS attacks have been conducted for monetary gain, notoriety, retaliation, and even for personal pleasure.

Trending DDoS Attacks

Over the last couple weeks, many organizations have been targeted with DDoS attacks. The most talked about DDoS attack over the last 30 days is tied to the controversial and very popular Pokemon GO. A group called PoodleCorp claimed credit for the attack, with a motivation very similar to another infamous hacking group called Lizard Squad — they did it for the LULZ.

Not all the recent DDoS attacks were done for the LULZ, as many appear to be out of retaliation for past events. Here is a breakdown of some of the top trending DDoS attacks over the past 30 days.

Pokemon GO Server
On Saturday, July 16 a DDoS attack took down all Pokemon GO servers, which left many players unable to hunt for their Pokemon. The group behind the attack is a newer hacktivist group known as PoodleCorp. The servers were down for several hours before reestablishing a connection for players.

On July 18, the Pokemon servers were hit with another DDoS attack, this time from the group known as OurMine. The group said that “no one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!”

On July 20, PoodleCorp announced plans for an upcoming attack against the Pokemon servers that is scheduled for August 1.

MIT
Security researchers have discovered more than 35 DDoS attacks targeting the Massachusetts Institute of Technology (MIT) so far in 2016. The attack vectors used in these campaigns involved devices vulnerable to reflection and amplification attacks and spoofed IP addresses. It appears the bulk of attacks were carried out using booter or stresser services. Stresser services are a concern for organizations and the proliferation of DDoS attacks, as the cost to utilize these services are often extremely low.

Philippines Government Websites
The Filipino government announced this week that 68 separate websites tied to the Philippines government were hit with DDoS attacks. The attacks started July 12 and carried over to the next few days.

It is believed that China is responsible for the attacks as they correspond with a ruling made by the Permanent Court of Arbitration at the Hague in the Netherlands that favored unanimously for the Philippines over China. The ruling was over newly created islands located in the West Philippine Sea that China claimed even though those islands were in Philippines’ maritime territories.

Some of the government websites affected by the DDoS attacks were also defaced, signed with the words “Chinese Government.” There is no actual evidence at this time that China was behind the attacks, but it appears this is likely the case due to the extremely tense international relationship between the two countries.

Steemit
The social network Steemit announced on July 14 that an unknown attacker was able to hack into user accounts and steal the crypto-currency known as Steem Power and Steem Dollars. More than 260 users were affected by the attack, and about $85,000 of the crypto-currency was obtained.

In response to the attacks, Steemit fixed the issue and restored all stolen funds to the users. As soon as the company made this announcement, it was targeted with a DDoS attack. The attack did little to affect the social network, as the company used the attack as an opportunity to take down its servers for maintenance and other upgrades.

WikiLeaks
WikiLeaks servers suffered a DDoS attack last Monday that lasted through Wednesday. The DDoS attack appears to be in response to WikiLeaks’ announcement of an upcoming data dump belonging to Turkey’s biggest political party — AKP (Justice and Development Party).

The cache of data contained 300,000 emails and 500,000 documents that belonged to the party. The announcement came three days after the failed military coup in Turkey which saw the deaths of 208 people.

The DDoS attack prevented WikiLeaks from posting the information. As of July 20, WikiLeaks servers were back online and the data was released.

U.S. Congress Websites
The U.S. Congress website along with two adjacent websites — the U.S. Library of Congress and the U.S. Copyright Office — were the victims of a DDoS attack that lasted for three days. The attack started with the Library of Congress website on the evening of July 17 and slowly enveloped the other websites over the next couple of days.

As of Wednesday the websites are up and running normally. It is not known who is behind the attack or what the motivation for the attack was.

Brazil
A Rio court in Brazil was the target of a DDoS attack perpetrated by Anonymous. The attack took place on Tuesday and only lasted a few hours. Anonymous attacked the Rio court for its decision to block the controversial Whatsapp throughout Brazil. The decision told ISPs to block the app, and Brazil’s five major ISP operators — Claro, Nextel, Oi, TIM, and Vivo — all complied with the order.

The tensions between WhatsApp and Brazil go back to February 2015 when Whatsapp was unable to help Brazilian law enforcement by decrypting messages sent over the social network. Brazilian courts have fined and temporarily banned Whatsapp, arrested a Vice President for Facebook Latin America for being linked with the social network, and now a permanent ban is put in place. However, due to the Anonymous DDoS attack the Brazil court lifted the ban on Whatsapp.

Startup Companies Claiming To Be “Non-Hackable”: Interview With Angel Investor Michael Barbera

While cyber-attacks continue to grow and evolve some companies are claiming to be “non-hackable” – and they’re often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.

“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”

We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.

Our edited conversation follows.

As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?

So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.

Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”

I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.

Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.

[Laughs] Well of course he did.

What is your overall view on how cybersecurity is evolving when you learn about these new companies?

It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.

Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers will probably won’t look at a smaller target like a mom-and-pop store. It might not be beneficial to them.

Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.

Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?

If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.

What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.

What Sensitive Information is on Your Organization’s Old Drives?

I heard a story yesterday about a friend’s nephew that lost his SD card from his smartphone. The SD card contained data on his games, pictures, and pretty much everything else he used his phone for. He searched everywhere for this SD card until it finally dawned on him where it was.

Turns out, the SD card was in his old smartphone that he traded to a cellular store for a newer phone. Honest mistake, right?

It was an honest mistake, but it is also a symptom of a bigger issue.

Data recycling can lead to big problems, problems that most people are unaware of. For many people that are looking to get rid of electronics, they probably go through a few basic steps to get rid of data such as a factory reset or manually erasing any data they see. However, this won’t get rid of all the data contained on the device.

In a study conducted by Blancco Technology Group, it was found that 78% of hard drives examined in the study still contained residual data that could be recovered. The study focused on 200 used hard disk drives sold on eBay and Craigslist.

What is this data? Well, let’s start with photos (with locations indicators), personal information, Social Security numbers and other financial information.

Perhaps more alarming, about 11% of studied devices contained company information such as emails, sales projections, product inventories and CRM records.

Unfortunately for organizations, this is another way neglectful actions on the part of human beings can cause a data breach or other malicious activity. People make mistakes all the time, and these unintentional mistakes can have severe consequences.

Erasing Computers, Tablets and Phones

Going through all your devices and making sure they are clear of any data can be a chore (especially if technology is not your thing). There is good news: the Internet is full of information that can help you solve this problem.

Obviously, there are different devices that hold your data and the steps taken to get rid of that data will be different. Below are some helpful links that can guide you through erasing all the data from a device:

USA Today: 3 simple ways to delete your data for good: This article from USA Today talks about steps you can take on Windows computers to delete data from the hard drive. The latest version of Windows covered in the article is Windows 8. It does offer information for Windows 7 OS and below.
BT: Selling your computer? How to wipe your PC with Windows 10: This article from BT shows you how to erase data from a hard drive with a Windows 10 OS. It will also show you how to reinstall Windows 10 for when and if you decide to sell the device or give it to a friend or relative.
ZDNet: Securely wiping an Android smartphone or tablet: Android devices are the most popular on the market, so this article covers the data erasure issue for many people with an Android OS smartphone or tablet.
Apple: What to do before selling or giving away your iPhone, iPad, or iPad touch: This is a page from Apple support detailing what a user must do in order to erase their data.
Apple: What to do before selling or giving away your Mac: This is the data erasure process for Mac computers.

As the Blancco Technology Group noted, many organizations struggle when it comes to securing the data on old drives.

“One of the more troublesome challenges is related to wiping the data from them when employees leave the company, the drives hit their end of life or the data itself needs to be removed to comply with IT policies and security regulations,” the report read.

Ensure your organization has a clear policy in place so that — unlike my friend’s nephew — you’re not scrambling later and trying to figure out the source of sensitive information being compromised.

BEC Scams Continue to Plague Businesses

In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.

The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.

“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”

The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.

“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.

In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.

Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.

Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.

“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.

“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”

The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.

Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.