What We Learned at Gartner Information Security & Risk Management Summit 2018 in Maryland

The Gartner Information Security & Risk Management Summit at National Harbor, Maryland ran from June 3rd to 7th. Gartner’s event is a great opportunity for cybersecurity professionals to network with each other and attend panels on topics ranging from CISO responsibilities to cloud security, from intrusion detection to risk assessment, from endpoint protection to compliance. Fortunate attendees got to glean knowledge from industry stars like IBM Security’s Bob Kalka, Cisco’s Gil Zimmermann, Microsoft’s Michael McLoughlin, Herjavec Group’s Robert Herjavec, and Gartner’s own Augusto Barros, Earl Perkins, and Roberta Witty.
If you couldn’t attend this year, here’s your opportunity to enjoy what I believe to be the highlights of the event.

Talking to Business Executives is a Key Corporate Cybersecurity Skill

We know how enterprises can maintain and improve their security stance. But money makes the world go ‘round, and if you want good cybersecurity practices to be implemented, you have to convince the non-technical executives.

Security is often a hassle for the non-tech C-suite. You must treat them like customers that you have something to sell to. When you sell security effectively, customers feel satisfied that you’re solving their problems.

Gartner’s Leigh McMullen said:

“Today, the battle ground for the digital industrial revolution is the customer experience. It’s not about cost; it’s not about efficiency; it’s not even about product. It’s about experience.

We as security people want things to be controlled. We want them stable, but people’s expectations are being set by forces outside our control, which means we need to change how we engage if we want to be successful. We have to give up control to gain influence.

Security should not wreck the customer experience, but it often does. Customers, and that is everyone in your enterprise, want the effort they put in to match the value they expect to get. If you deliver the wrong experience, they’ll just tune you out.”

As much as possible, you should translate how you speak about technological realities and solutions into business-speak. Less cybersecurity jargon, more Fortune Magazine.

Gartner’s Paul Proctor said:

“When we talk about technology risk and security, primarily in technology terms, stakeholders treat us like wizards who cast spells and protect the organization. Making risk and security more transparent and business-aligned is an absolute requirement to get you out of the wizarding world.”

If you’re going to cast “wingardium leviosa,” just explain that it’s a levitation spell.

Executives often get blamed after a significant cyber-attack. You need to sell them defensibility.

Gartner’s Leigh McMullen said:

“We have treated security like a dark art for so long that when an organization gets hacked, people don’t understand. So, the primary question is, ‘Who screwed up?’ You can’t guarantee the organization won’t get hacked, so stop selling your executives protection, and start selling something they truly need, defensibility.”

The risk assessment process must include any applicable non-technical executives in order to be conducted properly.

Gartner’s Paul Proctor said:

“Offering executives decision-making in the context of operational outcomes makes these engagements more than interesting to them. It directly impacts the decisions they make. You are now helping them do their job.”

Your customers naturally fear risk. That fear has had a negative effect on security innovation – an absolute must as cyber threats evolve.

Proctor said:

“Organizations are slowing down because they fear this issue. If you can improve their comfort and understanding of risk and security, you can help your company move faster. That is truly a business value of security.”

Better Security Through Proper DevOps

Cloud researcher Mark Nunnikhoven discussed the importance of good DevOps. The phrase is often misapplied. Essentially, DevOps is all about striking an effective balance between development and operations. It’s that simple.

Properly implemented DevOps features increasingly efficient delivery pipelines, due to constant feedback loops. DevOps can create “a culture of collaboration that reduces risk by decreasing the size of changes to production environments,” featuring people, process, and products.

In order to reduce risk when implementing DevOps improvements, make lots of smaller changes rather than making fewer larger changes. If you try to deploy a very large quantity of new code all at once, it can be more challenging to fix new bugs and vulnerabilities.

Good cybersecurity starts at the development stage rather than as a late auditing step; leaving security to the audit stage results in outdated, perimeter-only approaches to security hardening.

If proper DevOps security means that the development process takes more time, then so be it. All stages of development must be designed with security in mind. The earlier a bug is found, the easier it is to fix.

“Soft skills” such as social ease and being able to communicate effectively are key to getting development and operations to work together successfully. Few security professionals can excel with “hard skills” alone.

Is the New Rwandan Cybercrime Law a Step Forward for Cybersecurity in Africa?

As in many countries around the world, cybercrime is a problem in Rwanda. Malware is a frequent means of conducting cybercrime. According to Comodo intelligence, between January 1st and June 4th of this year, Rwandan networks were hit by 4,006 different strains of malware. Here’s a summary of the most common types of malware that Comodo detected in Rwanda during that period:

• LoadMoney: This threat is classified as a Potentially Unwanted Program. It modifies system files, creates Windows tasks and may show advertisements on your computer and in your browser.
LoadMoney is adware bundled with custom installers and dropped on your computer during the installation process. It is capable of installing extensions to inject advertisements and of changing the default browser home page, search settings and proxy settings.

Adware can often socially engineer people into downloading more malware, and browser hijackers can intercept private user web activity.

• Macoute: A worm which often behaves as scareware by telling the user that their machine has been infected. It also targets Windows, and it may attempt to escalate privileges and modify the Windows Registry. Macoute is also known to disable firewalls and antivirus software, download Trojan Windows updates, and prompt users to download trojans which are supposedly necessary to watch videos or view webpages. The user’s Windows client may display a scareware message such as, “Warning: Your computer is infected. Detected spyware infection! Click this message to install the last update of security software.”

• GlobalUpdate: Another Windows-targeting bundler. GlobalUpdate malware is known to modify the “HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\globalUpdate” registry key and the “C:\Program Files (x86)\globalUpdate” path, hence its name.
GlobalUpdate is an adware program that displays advertisements in the user’s browser. The program may arrive on the compromised computer as a browser plugin, installed without user consent because it is bundled with third-party applications.
It is an ad-supported extension capable of changing the browser start page and search settings and of changing security settings for Internet Explorer, Firefox and Chrome; it is distributed through various monetization platforms during installation.
This malware is known to distribute Multiplug adware and CrossRider browser hijackers.

• Coinminer: This trojan uses the infected computer’s resources to mine digital currency in the background and passes the mined currency and other required data to a server controlled by a malicious hacker. Initially this malware targeted Bitcoin generation; the latest trend is to mine Monero and other cryptocurrencies. It is distributed as binaries and also works across OS platforms such as Windows, Mac, Android and iOS. Recently, this malware has been spreading through JavaScript to mine the Monero cryptocurrency.
This activity can use a lot of processing power without the user’s permission and make your PC run slower than usual.

• YTDDownloader: This unwanted application lets you download YouTube videos to your hard drive so you can watch them offline. It can affect the quality of your computing experience.

Following are its potentially unwanted behaviors:

Adds files that run at start-up
Modifies boot configuration data
Injects into other processes on your system
Changes browser settings
Changes browser shortcuts
Installs browser extensions
Disables User Account Control (UAC)

If you want to watch a video on YouTube, watch it on YouTube!

• Copali: This malware is categorized as a worm. It automatically spreads to other systems using common worm propagation techniques such as copying itself to removable drives or network folders, or via email. This malware family generally creates a new folder on the root drive of an infected PC and copies itself there as csrss.exe. It also creates desktop.ini in the same folder. It can download the additional threat Zbot and kill the antivirus process.
It will attempt to hide the “Show hidden files and folders” option in Windows Explorer in order to evade detection.

• Mindspark: Mindspark is a marketing company that focuses on interactive advertising. Its software targets mostly well-known browsers like Internet Explorer, Google Chrome, Mozilla Firefox, and Safari. This threat changes browser settings, which may result in home page hijacking and browser redirect problems. This adware is bundled with custom installers and dropped on your computer during the installation process.
It modifies system files, creates new folders, creates Windows tasks and shows advertisements on your computer and in your browser.

• Necurs: The Necurs botnet is a distributor of many pieces of malware, most notably Locky, Dridex, RockLoader and Globeimposter.
Necurs is a group of compromised computers which send spam emails with malicious attachments to a large number of recipients; usually the messages are made to look like a request to check invoice details or to confirm a purchase. The attachments contain packed scripts which install Locky ransomware when run.
Necurs nests itself inside a Windows installer folder and shows a lot of rootkit-like behavior.
While Necurs is running, it is not possible to kill the Necurs process (hidden as syshost), to start monitoring tools that make use of drivers (such as memory dumping tools or Sysinternals Process Monitor), or to view the access rights to the executable.

Necurs sends a heartbeat via HTTP to its C&C server every six minutes on average; communication with peers is done via UDP.

Watch out for this one!
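The six-minute HTTP heartbeat described above is the kind of regularity a defender can hunt for in web proxy logs. The following Python script is an added example, not code from the original post or from Comodo; it parses a small constructed proxy log (the line format, hosts and timestamps are assumptions) and flags client/destination pairs whose request spacing is unusually regular, which is what a fixed-interval beacon looks like in the data:

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real traffic): "<utc timestamp> <client> <destination> <method> <path>".
# 10.0.0.5 polls one destination every ~6 minutes; 10.0.0.7 browses at irregular times.
SAMPLE_LOG = """\
2018-06-04T08:00:00Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:06:02Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:11:58Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:18:01Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:23:59Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:30:00Z 10.0.0.5 203.0.113.10 GET /ping
2018-06-04T08:00:10Z 10.0.0.7 198.51.100.20 GET /news
2018-06-04T08:00:45Z 10.0.0.7 198.51.100.20 GET /news/today
2018-06-04T08:15:30Z 10.0.0.7 198.51.100.20 GET /img/a.png
2018-06-04T09:40:00Z 10.0.0.7 198.51.100.20 GET /news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, destination) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return {(client, destination): mean_interval_seconds} for pairs whose
    inter-request gaps are nearly constant (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        # Need at least three requests to have two gaps to compare.
        if len(stamps) < max(min_hits, 3):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg          # 0 means perfectly periodic
        if cv <= max_cv:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"regular beacon: {client} -> {dest} every ~{interval}s")
```

The coefficient-of-variation threshold and the minimum hit count are tuning knobs. Legitimate software updaters and monitoring agents also poll on a fixed schedule, so a hit is a lead to investigate (destination reputation, the process that made the requests, the size of the responses), not a verdict on its own.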

Rwanda has been cracking down on cybercrime for a while now. At least eight million cyber attackers tried to target Rwandan banks in 2017. Rwandan Central Bank Governor John Rwangombwa discussed one particular financial cyber-attack, involving Rwf 900 million, that they were able to thwart.

“The money was transferred to one of the banks, but we were able to recover the funds in time, with the help of police… Criminals are constantly developing new techniques for cybercrime; we need to keep a constant review on activities carried out in banks.”

Rwanda’s first national cybersecurity policy took effect in 2015. By 2017, Rwanda became the second African country to establish a $3 million cybersecurity system designed to protect public and private institutions from online crime.

Now Rwanda has a new cybercrime law. On May 31st, Rwanda’s Chamber of Deputies passed the bill, which is designed to help both the government and the private sector. The law introduces new penalties for cyber-attacks under the country’s Penal Code and integrates with the laws established under the Rwandan Ministry of Information Communication Technology.

Agnes Mukazibera, president of the Rwandan parliament standing committee on education, technology, culture and youth said, “We’re currently witnessing an unprecedented global cyber-attack. Attacks that are threatening our economy and our national security.”

Because the new law focuses on criminal penalties for conducting cybercrime, whatever benefit it has to Rwanda’s cybersecurity is dependent on how effective the country’s new $3 million cybersecurity system is. Laws are only as good as their enforcement, and law enforcement can’t catch a cybercrime that they’re unable to detect.

But Rwanda’s cybersecurity infrastructure and professionals have demonstrated a great deal of effectiveness. In 2016, the National Bank of Rwanda says that they were able to stop a rough average of 1,000 cyber-attacks per day which targeted companies, institutions, and private individuals.

I’m rather optimistic about the cybersecurity advances which are being made in this African nation of about 11.2 million people.

AV-TEST award Comodo Internet Security Premium ‘Top Product’ for the second time this year

Comodo Internet Security Premium was again placed among the best security anti-malware solutions in AV-TEST report of April 2018. Comodo is the only free-for-life product to gain the ‘Top Product’ award.

Comodo Internet Security Premium received the highest possible score for protection – 6 out of 6 possible.

  • Protection against 0-day malware attacks, inclusive of web and e-mail threats (Real-World Testing) – 100%
  • Detection of widespread and prevalent malware discovered in the last 4 weeks (the AV-TEST reference set) – 99.8%

 

The results prove you can feel totally protected with CIS Premium, absolutely free of charge. And that’s not all.

CIS also has impressively quick performance, scoring 5.5 of 6 in the April tests. And Comodo followed that up by scoring a maximum 6 out of 6 for usability, which checks whether the software creates false positives or distracts the user with warning messages.

Comodo Internet Security delivers complete protection for home users by seamlessly blending a diverse range of cutting-edge technologies into a single, cohesive package. CIS features include a powerful antivirus software, built-in firewall, automatic sandboxing, host intrusion prevention, website filtering and protection for online banking and shopping sessions. The software allows the average user to install-and-forget, but also has the interfaces required for power-users to dive-in and create granular rules and configurations.

All this, and it’s completely free for life too. If you haven’t yet tried Comodo Internet Security, then why not head over to our download page and find out what all the fuss is about.

You can find more details about the AV-test results here: https://www.av-test.org/en/antivirus/home-windows/

From Russia with Subpoena: New Variant of Sigma Ransomware to Scare Users

Would you be scared, or at least anxious, if you found a subpoena to a US district court in your mailbox? Most people definitely would. That’s exactly what the malicious attackers counted on when they conducted this massive attack from Russia-based IPs with a sophisticated and cunning ransomware payload.

Social engineering: faked authority causes real fear

3582 users became the targets of this malicious email disguised as a “United States District Court” subpoena.

As you can see, the email uses a whole set of social engineering tricks to convince users to open the malicious attachment. Mainly, the perpetrators play on fear, authority and curiosity to manipulate the victims. Inducing this emotionally aroused state in the recipients’ minds is meant to suppress their ability for critical thinking and make them act rashly.

Also, the sender’s email address is at “uscourtgove.com”, which is of course faked but adds credibility to the email. A password on the attachment strengthens the impression of legitimacy. The subject of the email is “megaloman” and the attached document is named “scan.megaloman.doc”; this match also adds a small touch of credibility. And threatening the victim with responsibility if she “fails to do for is bounden to you” (and the only way to find out what that means is to open the attached file) is the icing on the cake.

This manipulative cocktail is a potent tool to help the perpetrators get what they want, so the risk that many people fall prey to this scam is very high.

Now let’s see what happens if a user opens the file in the attachment.

The malware: first hides, then hits

Of course, it has nothing in common with a subpoena. In reality, as Comodo Threat Research Labs analysts discovered, it’s a new variant of the cunning and sophisticated Sigma ransomware, which encrypts files on the infected machine and extorts a ransom to decrypt them.

How Sigma ransomware functions:

What is special in this new variant of Sigma is that it asks the user to enter a password. Um… a password for malware? Although it may sound weird, it has a clear purpose: further hiding the malware from detection.

But even if the user enters the password, the file won’t run immediately. If macros are turned off on the victim’s machine, it convincingly asks to turn them on. Notice how this request fits into the attackers’ whole strategy: if it’s a message from the court, it can certainly be a protected document, right?

But in reality the file includes a malicious VBScript that must be run to begin installing the malware on the victim’s computer. It downloads the next part of the malware from the attackers’ server, saves it to the %TEMP% folder, disguises it as an svchost.exe process and executes it. This svchost.exe acts as a dropper to download one more part of the malware. Then, via a rather long chain of actions – again, for stronger obfuscation – it assembles the malicious payload and runs it.

The malware looks really impressive with its variety of tricks to hide and avoid detection. Before running, it checks the environment for virtual machines or sandboxes. If it discovers one, the malware kills itself. It disguises its malicious process and registry entries as legitimate ones like “svchost.exe” and “chrome”. And that’s not all.

Unlike some of its close ransomware relatives, Sigma does not act immediately but lurks and conducts covert reconnaissance first. It creates a list of valuable files, counts them and sends this value to its C&C server along with other information about the victim’s machine. If no files are found, Sigma just deletes itself. It also doesn’t infect a computer if it finds that the machine is located in the Russian Federation or Ukraine.

The malware’s connection to its command-and-control server is also complicated. As the server is Tor-based, Sigma takes a sequence of steps:

1. Downloads the Tor software using this link: https://archive.torproject.org/tor-package-archive/torbrowser/7.0/tor-win32-0.3.0.7.zip
2. Saves it to %APPDATA% as System.zip
3. Unzips it to %APPDATA%\Microsoft\YOUR_SYSTEM_ID
4. Deletes System.zip
5. Renames Tor\tor.exe as svchost.exe
6. Executes it
7. Waits for a while and sends its request
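Both the dropper saved to %TEMP% and the renamed Tor binary under %APPDATA%\Microsoft\YOUR_SYSTEM_ID run under the name svchost.exe, while the genuine svchost.exe lives in %SystemRoot%\System32 and is started by services.exe. That makes image-path masquerading a simple, high-value detection for the chain above. The following Python script is an added example, not code from the original post or from Comodo Threat Research Labs; the expected directories and parent process are assumptions based on a stock Windows install, and the process-creation records are constructed to mirror the steps described:

```python
import ntpath

# Where each well-known binary legitimately lives. Assumption: default
# Windows and Chrome install locations; adjust for your own environment.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}

# Assumption: on a stock system the service host is spawned by services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

# Constructed process-creation records (not a real capture). Field names are
# an assumption modelled loosely on a Sysmon-style event.
SAMPLE_EVENTS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    # Stage-2 dropper saved to %TEMP% under a system-binary name, launched by the VBScript host
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Windows\System32\wscript.exe"},
    # tor.exe renamed to svchost.exe under %APPDATA%\Microsoft\<id>\Tor
    {"pid": 4388, "image": r"C:\Users\alice\AppData\Roaming\Microsoft\A1B2C3\Tor\svchost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"pid": 2200, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def is_masquerade(image_path):
    """True when a well-known binary name runs from a directory it should not."""
    directory, name = ntpath.split(image_path)
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return False                      # not a name we track
    return directory.lower() not in expected


def reasons_for(event):
    """List the masquerading signals present in one process-creation record."""
    reasons = []
    name = ntpath.basename(event["image"]).lower()
    if is_masquerade(event["image"]):
        reasons.append("unexpected-directory")
    parent_name = ntpath.basename(event["parent"]).lower()
    if name in EXPECTED_PARENT and parent_name != EXPECTED_PARENT[name]:
        reasons.append("unexpected-parent")
    return reasons


def triage(events):
    """Return [(pid, reasons)] for every record that trips at least one signal, in input order."""
    findings = []
    for event in events:
        reasons = reasons_for(event)
        if reasons:
            findings.append((event["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(reasons)}")
```

The directory check alone catches both Sigma stages in the sample; the parent check is a second, independent signal that also fires when a system-binary name is launched from a script host rather than the service control manager. Either one is cheap to express as a rule in an EDR or SIEM that records image and parent paths.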

Only after that does Sigma begin to encrypt files on the victim’s machine. Then a ransom note takes over the infected machine’s screen.

And … finita la commedia. If the victim didn’t previously arrange to make backups, their data is lost. There is no way to restore it.

Protection: how to fight back

“Facing malware this sophisticated on both sides, social engineering tricks and technical design, is a hard challenge even for security-aware users,” says Fatih Orhan, the Head of Comodo Threat Research Labs. “To protect against such cunning attacks you need to have something more reliable than just people’s awareness. In this case, a real solution must give a 100% guarantee that your assets won’t be harmed even if someone takes the crooks’ bait and runs the malware.

That’s exactly what exclusive Comodo auto-containment technology gives our customers: any arriving unknown file is automatically put into the secure environment, where it can be run with no possibility of harming a host, system or network. And it will stay in this environment until Comodo analysts have examined it. That’s why none of Comodo’s customers has suffered from this sneaky attack.”

Live secure with Comodo!

Below are the heatmap and IPs used in the attack

The attack was conducted from 32 Russia-based (Saint Petersburg) IPs from the email address Kristopher.Franko@uscourtsgov.com, whose domain was most likely created specifically for the attack. It started on May 10, 2018, at 02:20 UTC and ended at 14:35 UTC.

heatmap

 

Country Sender IP
Russia 46.161.42.44
Russia 46.161.42.45
Russia 46.161.42.46
Russia 46.161.42.47
Russia 46.161.42.48
Russia 46.161.42.49
Russia 46.161.42.50
Russia 46.161.42.51
Russia 46.161.42.52
Russia 46.161.42.53
Russia 46.161.42.54
Russia 46.161.42.55
Russia 46.161.42.56
Russia 46.161.42.57
Russia 46.161.42.58
Russia 46.161.42.59
Russia 46.161.42.60
Russia 46.161.42.61
Russia 46.161.42.62
Russia 46.161.42.63
Russia 46.161.42.64
Russia 46.161.42.65
Russia 46.161.42.66
Russia 46.161.42.67
Russia 46.161.42.68
Russia 46.161.42.69
Russia 46.161.42.70
Russia 46.161.42.71
Russia 46.161.42.72
Russia 46.161.42.73
Russia 46.161.42.74
Russia 46.161.42.75
Total: 32
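The sender IPs in the table and the sender domains named in the post are indicators a mail administrator can match against MTA logs. The following Python script is an added example, not code from the original post or from Comodo; it builds the indicator set from the table (46.161.42.44 through 46.161.42.75), the two spoofed domains the post mentions and the “megaloman” subject, and runs them over a few constructed log lines whose format is an assumption:

```python
import ipaddress
import re

# Sender IPs listed in the post's table: 46.161.42.44 through 46.161.42.75 (32 addresses).
ATTACK_IPS = {str(ipaddress.IPv4Address(f"46.161.42.{last}")) for last in range(44, 76)}

# Sender domains named in the post (both spellings appear; neither is the real federal courts domain).
SPOOFED_DOMAINS = {"uscourtsgov.com", "uscourtgove.com"}

# Subject line the post reports for the campaign.
CAMPAIGN_SUBJECT = "megaloman"

# Constructed MTA log lines (not a real capture). Assumed format:
# <utc timestamp> client=<ip> from=<address> subject="<subject>"
SAMPLE_MAIL_LOG = """\
2018-05-10T02:20:11Z client=46.161.42.44 from=Kristopher.Franko@uscourtsgov.com subject="megaloman"
2018-05-10T02:21:03Z client=198.51.100.9 from=billing@example.org subject="Invoice 1043"
2018-05-10T02:25:40Z client=46.161.42.75 from=Kristopher.Franko@uscourtsgov.com subject="megaloman"
2018-05-10T03:10:00Z client=203.0.113.77 from=clerk@uscourtgove.com subject="Subpoena"
"""

LINE_RE = re.compile(r'client=(\S+) from=(\S+) subject="([^"]*)"')


def match_indicators(log_text):
    """Return one dict per log line that hits at least one indicator, listing which ones."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # malformed line: skip rather than guess
        ip, sender, subject = m.groups()
        reasons = []
        if ip in ATTACK_IPS:
            reasons.append("sender-ip")
        domain = sender.rpartition("@")[2].lower()
        if domain in SPOOFED_DOMAINS:
            reasons.append("spoofed-domain")
        if subject.strip().lower() == CAMPAIGN_SUBJECT:
            reasons.append("subject")
        if reasons:
            hits.append({"ip": ip, "sender": sender, "subject": subject, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_MAIL_LOG):
        print(f"{hit['ip']} {hit['sender']!r}: {', '.join(hit['reasons'])}")
```

Matching on several weak indicators at once is more useful than any one alone: the IP block will be recycled by other campaigns, and the subject is trivial to change, but a line that trips all three is almost certainly this campaign and worth pulling from the quarantine for analysis.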

Comodo Dome Shield 1.16 | Best Defense from Web-borne Threats

Announcing Comodo Dome Shield 1.16

It’s been around a year since we first launched Comodo Dome Shield, the FREE of charge DNS-based security service. Dome Shield provides a first line of defense against web-borne threats by blocking access to known malicious websites, providing web domain filtering and advanced reporting and analytics.

Since then, Comodo Dome Shield has become the #1 choice of DNS-based Content Filtering Solution of IT Staff all around the World, securing more than 30 Billion DNS requests every day.

Our users include MSPs, schools, K-12s and enterprises of all sizes from all around the World.

Comodo Dome Shield provides the easiest way to block malicious and risky web access such as Phishing, C&C Servers and Malicious URLs, as well as providing the ability to create a company web browsing policy – on and off-premise.

Using Dome Shield, our users can create location- and endpoint-based security and content filtering rules with ease. One of the biggest pain points of our customers is that solutions which let them create internal-IP and network-specific content filtering rules are expensive and hard to deploy and manage.

Here at Comodo Cybersecurity, we care a lot about what our customers need. For this reason, we have been working very hard for the past couple of months to solve this problem. We have released Comodo Dome Shield 1.16, which lets our customers create internal-IP and network-specific content filtering rules with ease and completely for FREE!

What’s New with Comodo Dome Shield 1.16:

Local DNS Resolver (Sites & Virtual Appliances): Introducing Local DNS Resolver Virtual Appliances! This is a VA that encrypts your DNS traffic end-to-end until it reaches our Secure DNS infrastructure. On top of keeping prying eyes off your DNS traffic, it gives you the ability to create internal-IP-based rules and monitor the web traffic of every single PC and network element. You simply install Local Resolver Virtual Appliances in Active-Active mode on VMware, VirtualBox or Hyper-V systems and set them as your Primary and Secondary DNS servers. Local Resolvers forward internal DNS queries to your existing internal DNS servers/internal domains and forward external DNS queries to our Secure DNS infrastructure over a secure DNSCrypt tunnel.

Internal IP Based Rules and Reports: By using Local Resolvers, you can create rules for your internal IP/Subnets! Making Dome Shield’s rule management more granular, you can even observe every single PC via Reporting over the cloud.

Internal Domain Bypass: Previously, using Dome Shield with Active Directory managed domains or networks with local servers was hard. Now you can simply add them to your internal domain bypass list and Local DNS Resolver can forward such DNS traffic to your internal DNS servers which can resolve your internal domains, making Shield adapt to your network seamlessly.

Site Management: You can manage your DNS Egress points separately by installing different Local DNS Resolvers to your different sites. It makes it possible to manage different Sites of your customers per their DNS traffic and rules from a single-pane-of-glass.

Block All Domains: This was another major request from our customers, where sysadmins wanted to allow only a couple of domains and block everything else. Now you can do this with a single click.

False Positive Management: Dome Shield 1.16 offers a new tool called “Domain Classification Requests” on the Policy screen. Without having to leave the portal, you can simply learn the categories of domains, propose new categories and then automatically blacklist and whitelist them if you wish. All the reports and B/W lists get updated according to your requests and we re-analyze all proposals in 48 hours which you can observe from the same menu.

New DNS Nodes: We have added new POPs to France and Germany. Moreover, we have updated all our existing nodes in USA and Europe for providing lower latency and higher uptime.

How Local DNS Resolver VAs fit into your existing network:

What’s Coming Next?
Roaming Agent for Mac: A new agent will be provided for Mac computers, with the same capabilities as the existing Windows Roaming Agent. This will give our users the ability to secure and apply content filtering rules to roaming Mac computers.

Active Directory Integration: Creating and managing user/group/department based domain filtering and security rules of Dome Shield will be possible. Moreover, it will give our users the ability to generate user/group/department based Reports.

Don’t Have a Dome Shield License?

We provide Comodo Dome Shield to Individual Users, MSPs and Enterprises of All Sizes completely for FREE! All you have to do is go to this link and get your license! https://cdome.comodo.com/dns-internet-security.php

Ticketfly Data Breach Means Music Fans Need to Go Elsewhere for Tickets

Summer has yet to officially start, but to me it feels like it’s begun already. My hometown of Toronto has been experiencing sweltering temperatures for the past couple of weeks. My boyfriend is an avid music fan and he has already taken me to an outdoor Slayer concert. (This is their last tour and apparently it’s a big deal to metal fans.) Within the next few months, we’ll be seeing Brujeria, Marilyn Manson, and Rob Zombie (Jay’s preference), and Steely Dan (my preference.) I know we’re not alone, and possibly millions of people are planning to see live music this summer. The first step to attending a concert is to buy tickets for it, and these days people usually do that online. Well, you can’t use Ticketfly’s website at the moment.

Comodo’s own Shaw Unib Shaida has a video which explains the Ticketfly data breach in a nutshell.

Yep, ticket seller Ticketfly is the victim of a data breach. Will this be the Summer of the Data Breach?

Ticketfly’s website was vandalized by an attacker who goes by “IshAkDz.” They wrote:

“Your security down, I’m not sorry. Next time I will publish database.”

There are indications that the cyber attacker possesses a database with over 4,000 spreadsheets containing names, email addresses, phone numbers, and street addresses of customers who have purchased tickets from Ticketfly. “IshAkDz” told a media outlet that they contacted Ticketfly several times and have yet to receive a response. They are demanding one bitcoin, currently worth $7,544 USD, to undo the effects of their attack.

A Ticketfly spokesperson said:

“Following a series of recent issues with Ticketfly properties, we’ve determined that Ticketfly.com has been the target of a cyber incident. Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We realize the gravity of this decision, but the security of client and customer data is our top priority. We are working tirelessly to get our clients back up and running.”

Ticketfly parent company Eventbrite’s website hasn’t been affected. Ticketfly’s website has been down since about 6am Eastern Standard Time on May 31st. We don’t know yet when it will be back online.

Ticketfly founder Andrew Dreskin is one of the people who have been working tirelessly since Wednesday trying to restore the website. They suspect that their WordPress blog may have been the initial attack vector. “IshAkDz” is believed to have downloaded the WordPress site’s contents and posted it on the hijacked main Ticketfly website.

All websites, web applications, and CMSes have security vulnerabilities, but some CMS-based websites are a lot more secure than others. A lot of it depends on how the web server and the CMS are configured. Popular CMSes such as WordPress, Joomla, and Drupal are built on MySQL or PostgreSQL database backends and generate dynamic webpages with PHP, so a large part of hardening a CMS website is securing the database it runs on. SQL injection is a common way to penetrate these sorts of websites. It usually involves entering code into a web form field: instead of the string the form expects, such as my name (“Kim Crawley”), the attacker enters text that the application passes into its database query, which may allow the attacker to escalate privileges and acquire administrative access to the website. SQL injection can also be used to do other malicious things to websites, but an attacker will usually SQL inject in order to escalate privileges. There are many ways to security harden WordPress-based websites; WordPress has a handy guide you can start with. Websites and web applications should also be penetration tested periodically.
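The paragraph above describes SQL injection in general terms; the mechanism and its fix are easiest to see side by side. The following Python script is an added example, not code from the original post or from Ticketfly or WordPress; it uses an in-memory SQLite table as a stand-in for a CMS users table (the names, passwords and roles are constructed) and shows a login check built by string formatting next to the same check written as a parameterized query. The fix is the same in PHP, where mysqli and PDO prepared statements keep user input out of the SQL text:

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cret-admin", "administrator"),
        ("Kim Crawley", "hunter2", "subscriber"),
    ])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting, so form input becomes part of the SQL.
    A name such as "admin' --" closes the quoted string and comments out the
    password check, returning the administrator row without knowing the password."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: the driver binds the values separately from the SQL
    text, so quote characters in the input are just data and never change the query."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "admin' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))   # admin row returned
    print("safe:      ", login_safe(db, probe, "wrong"))         # no rows
```

Note that the safe version does not escape or filter anything; it removes the problem structurally by never letting input touch the SQL text. Storing passwords in plaintext, as this toy table does, is a separate defect kept here only to keep the query simple; a real application compares a password hash.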

I’m just speculating about what may have happened to Ticketfly’s website and what Ticketfly may have been able to do that would have prevented the breach from happening in the first place. More details may be available in the next few days.

Ticketfly’s website deals in ecommerce, so there is financial transaction data which goes through their web servers. Ecommerce sites are especially important to security harden because financial data is very sensitive! It doesn’t appear that “IshAkDz” has acquired any financial or credit card data, so hopefully Ticketfly segmented the ecommerce component of their website from the parts which were attacked.

Hopefully Ticketfly’s web operations will be restored soon, because in showbiz they say, “the show must go on!”

Happy Donut Day!

It’s June 1st, so have a happy Donut Day! Your IT staff works hard all year. Perhaps you should consider bringing in a box of a dozen delicious donuts into the office. Some people prefer Boston Cream. Chocoholics are satisfied with chocolate, chocolate dipped. Others love pretty rainbow sprinkles. Or maybe just a simple glazed donut is more of your style.


Enjoy your greasy, sugary treats. But donut forget to analyze your network for possible cyber-attack vulnerabilities! It’s vital to scan your systems for malware on a regular basis. But some administrators donut look for unknown files which aren’t on antivirus blacklists. If you donut look for them, the consequences could be terrible – data breaches, ransomware, network downtime, and backdoors for future cyber-attacks. Your business can try a free forensic analysis Malware Scan from Comodo Cybersecurity. Donut forget it! If you donut watch for attack vectors, your business may deal with cyber-attacks you donut want. Sometimes they actually affect the donut industry!

Popular Canadian donut chain Tim Hortons learned a difficult lesson the hard way this past February. Over a thousand locations across Canada found their computer systems crippled, and the impact on their business was direct and painful. Malware entered the donut chain’s point-of-sale network. It made point-of-sale inoperable in many locations, so the affected restaurants couldn’t handle transactions during the downtime. That resulted in a lot of lost revenue and a lot of upset customers who just wanted a Double Double (a Tim Hortons coffee with two creams and two sugars) and a maple dipped donut.

The point-of-sale systems the malware disabled still ran a version of Windows XP, an operating system that Microsoft hasn’t supported with security patches since April 8th, 2014. Microsoft would urge any and all businesses to run a more recent, currently supported version of Windows. It’s very risky to put an operating system that’s no longer updated on any network. There is plenty of malware that cyber-attackers can buy on the Dark Web that’s specifically designed to exploit Windows XP vulnerabilities in commercially deployed systems.

The impact of the POS (point-of-sale) virus was palpable. An anonymous source said:

“The cash registers just plain don’t work. Many of the stores had to close totally. Some had to close their drive-thrus and have customers go into the stores to one or two working registers.”

Franchisees are often small business owners and they can’t afford to have to be closed for that long. I live in Toronto, and I often see Tim Hortons franchises with long lineups in the drive-thru and inside of the restaurant. Canadians want their donuts and Tim Hortons is a favorite brand for millions of people.

The corporation is responsible for the computer systems that franchises use in Tim Hortons restaurants. Some franchisees threatened to sue Tim Hortons’ parent company, Restaurant Brands International (RBI). Ouch! Litigation is expensive and can harm a company’s reputation. The Great White North Franchise Association represented a number of disgruntled franchisees. A letter they sent to RBI said that the virus caused “partial and complete store closures, franchisees paying employees not to work and lost sales and product spoilages.” The franchisees asked RBI for compensation for their losses and for explanations of why the cyber-attack happened, how future cyber-attacks could be prevented, and whether or not sales data was compromised.

RBI said that no credit card data was breached, but the over 1,000 restaurants certainly lost a lot of money and had to deal with immense reputational damage. A lack of coffee and sweet treats likely left donut holes in consumer confidence. Tim Hortons calls donut holes “Tim Bits,” by the way. You can buy a box with twenty or more of them. They come in almost as many varieties as Tim Hortons’ donuts, as if they were actually cut out of them. But I don’t think that’s actually how Tim Hortons makes them. I’d hate to burst your French cruller! I mean, bubble. French crullers have a light and airy texture because of all of the bubbles in them.

Donut let a similar cyber-attack cripple your business! Donut Day is the perfect day to discover malicious and unknown security threats that are lurking in your network. The scan is custom designed for your business’ Windows systems and can be performed in as little as 15 minutes. You may only have to finish your morning coffee and donut to see results. You can try a free forensic analysis Malware Scan from Comodo Cybersecurity today. Cyber attackers donut like to attack your business’ network when you’ve hardened against potential exploits. But you can’t handle your vulnerabilities if you donut know what they are! Mmmm…. donuts.

Tension Between Donald Trump and North Korea Coincides with Malware Spikes


Talks of Korean reunification have made me feel very optimistic. The Korean War has had a devastating effect on Koreans on both sides of the heavily guarded border. Families have been separated for decades. The war started before I was born! Since 1953, relations between North Korea and South Korea have been considered a de facto stalemate. But despite the decades-long stalemate, the war might not truly be over until Korea is one country. That possibility makes me happy.

The United States has had a major effect on the Korean War since before the war even began in 1950. When Korea split into North Korea and South Korea, it was South Korea which embraced American influence and troops.

The Trump Administration has been involved in the attempt to reunify Korea. On April 20th, 2018, US President Donald Trump tweeted: “North Korea has agreed to suspend all nuclear tests and close up a major test site. This is very good news for North Korea and the World – big progress! Look forward to our Summit.” So Trump and North Korean Leader Kim Jong Un planned to meet in Singapore in June to discuss some of the necessary steps to establishing peace. But now things don’t seem to be going too well.

North Korea wasn’t too happy about the military drills American and South Korean soldiers conducted together. North Korea reacted by saying that they may consider pulling out of the summit that’s been planned for June. They also said that they were unwilling to dismantle their nuclear arsenal as early as the United States would like.

“If the Trump Administration is genuinely committed to improving NK-US relations and come out to the NK-US summit, they will receive a deserving response. But if they try to push us into the corner and force only unilateral nuclear abandonment, we will no longer be interested in that kind of talks and will have to reconsider whether we will accept the upcoming NK-US summit,” said Kim Kye-gwan, North Korean First Vice Minister of the Ministry of Foreign Affairs.

Harry Kazianis, a Korean affairs expert from the Center for the National Interest, offered his perspective. “The North Korean pattern is to do provocations whether it is tests of missiles or nukes, ask for negotiations then string us along for months and years. But this time, they are not even getting to that point, they are already causing problems before we have the negotiation.”

This sort of tension seems to be having a palpable effect on cyber-attacks. Comodo Cybersecurity research has discovered a huge spike in malware detections in North Korea. Between May 1st and May 3rd, while the American and North Korean governments were exchanging harsh words, Comodo detected about eight times as many malware attacks in North Korea as the typical level since the beginning of 2018. A lot of the new malware was malicious Windows activation software, and Ultrasurf, a Chinese internet censorship circumvention tool. Internet censorship in North Korea is even more heavy-handed than in China.

Ultrasurf was originally developed in 2002, by Chinese dissidents in Silicon Valley. The tool allows users in China to bypass what has been colloquially referred to as the “Great Firewall of China.” Ultrasurf is designed to work in Windows as an EXE executable. It can be used without any installation or changes to the Windows Registry. To remove all traces of Ultrasurf from a PC, a user only has to delete the u.exe file. Cybersecurity product vendors have mixed opinions as to whether or not Ultrasurf is malware. It behaves like some malware in how it redirects internet communications through encryption. That’s a useful cybersecurity function in applications such as VPNs, but some malware also uses stream ciphers in order to evade detection.

Because a lot of the malware readings Comodo received in North Korea were related to Windows activations and Ultrasurf, it appears that ordinary North Koreans are feeling more confident in the wake of Korean reunification talks. They may be less afraid of the North Korean government in their attempt to acquire open internet communications with the rest of the world, even if that requires deploying what some consider to be malware.

By May 5th, the spike in Comodo’s detections had disappeared. Then, by May 9th, US Secretary of State Mike Pompeo had travelled to North Korea and returned with three American prisoners.

In related news, there appear to be people in either North Korea or South Korea who are targeting North Korean dissidents with Android spyware Trojans. Sun Team is the cyber-attack group behind this phenomenon. KakaoTalk, a popular chat app in South Korea, and social networks including Facebook are being used to find North Korean defectors. They are being socially engineered into downloading Android Trojans with names like “Blood Assistant,” “Pray for North Korea,” “Food Ingredients Info,” “AppLock Free,” and “Fast AppLock.” The latter two are fake security apps. These malware campaigns have been detected as early as October 2016, and even with the possibility of Korean reunification, Sun Team seems to be continuing its attacks.

There are both North Korean and South Korean indications in Sun Team’s activities. Dropbox accounts used as command and control servers by Sun Team have used names of South Korean celebrities and television shows. But they’ve also been found to use words that are exclusive to the North Korean dialect of the Korean language.

Unlike a lot of Android malware, the malware that Sun Team has been deploying seems to simply behave as spyware, reading SMS messages and contact information from the targeted Android devices and sending that sensitive data back to their command and control servers. So, Sun Team is engaging in espionage.

Matters in North Korea and South Korea may continue to get messy, even as South Korean President Moon Jae-In and North Korean Leader Kim Jong Un seem to want to make peace. Comodo will definitely be on the lookout for future malware that targets the two Koreas.