cybX Security Digest, 18th Feb 2016
Welcome to today's edition of the cybX Security Digest. Live at 1230 today is the “Risks and opportunities of Digitisation” webinar being delivered by the cybX Director, Richard Preece. You can check that out here at around 1230 if you haven’t already registered.
The top news story today, reported by several sources, is that a US hospital has paid $17,000 to retrieve files that had been encrypted by ransomware. We are now at the stage where this issue is prevalent enough that enough people are aware of the threat - I won’t bang this drum too hard, there are enough people doing that already. However, do mitigate this risk: there is nothing you can do to wholly prevent it, but you can prevent the damage from shutting your business down. Regular backups of endpoints and secure systems that are incremental and can be rolled back are key to this, as is user education and awareness training so that the most common vector, phishing, is prevented - but please don’t train your staff to fail! Phishing attacks, and more specifically spear phishing attacks, are now targeted and well crafted, and often do not make the traditional mistakes of the past. They look professional, they develop a trust relationship between the endpoint and the perpetrator, and their whole purpose is to convince you that they are legitimate.
Tripwire’s blog post yesterday was about “The trend towards targeted attacks”. We all know that as defenders we are in a constant arms race. As the article states, the majority of malware out there takes a broad scattergun approach, but it largely doesn’t do the kind of damage that a targeted attack does. The reason targeted attacks are so destructive to a company is the amount of research that goes into them: knowing who your CFO is, how your internal policies work, and what operating systems, architecture and technology you have means a tailored piece of malware can really hurt and even remain hidden. If we look at the most common attack vector right now, phishing, as I’ve already alluded to today, it is becoming increasingly targeted, tailored and role specific. The article goes deeper into specifics and examples, such as watering hole attacks - definitely one worth checking out.
Ever wondered about the ‘Darkweb’ or ‘Darknet’? Well, the Information Security Magazine has you covered: they have written an article, “DarkWeb Experiment shows how hackers use stolen credentials”. The broad overview is that hackers are getting smarter (apparently a running theme today), with many of them now using IP anonymising services or TOR drop off nodes in order to mask their originating IP address. Having an email freely compromised and then attached accounts subsequently compromised is no real surprise; however, it should be a bit of a wake-up call for those of you who put almost your entire online life into a single email address. There are ways to mitigate this: use more than one service and make sure you enable two-factor authentication - most services have this facility these days.
This is an interesting one. VTech was compromised last year, potentially opening up the details of thousands of children and their parents. WeLiveSecurity has noted that the service ‘Learning Lodge’ has come back online, with a small caveat… snuck into their updated terms and conditions:
“YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE.”
VTech are effectively absolving themselves of any responsibility regarding future breaches by getting the end user to accept that data they submit may not be secure. There are a number of legal questions to be raised surrounding such a statement, particularly in the EU, where there is a legal obligation to secure personally identifiable information that will be coming into stricter force when GDPR enforcement goes live in 2018.
Ending with Tripwire, we have a blog on “How to steer kids away from malicious hacking”, highlighting the number of arrests of teenagers in recent months following attacks on high profile targets. A fair point is made, though, that younger, less experienced hackers are more likely to be caught than the seasoned veterans, so what we see in the media may well be skewed. There is still quite a bit of good advice for those of you with tech savvy teenagers to make sure they don’t cross the fine line in the sand. I think, as with most things involving kids, it’s about allowing enough freedom without restricting them to the point that they will rebel, and giving them alternatives: occupying them in ways that interest them and that are practical, approachable and, importantly, achievable for them, allowing them to feel accomplished. For those interested, there are a number of ‘hacking’ games that double up as teaching tools, such as “Uplink” and “TIS-100”, as well as Minecraft, whose Redstone is not far from a logic-based language in itself.
That’s it for today, thank you for reading and I will catch back up with you all next week!
The thoughts and opinions expressed in this article are those of the author and do not necessarily reflect those of cybX or its parent company.
David Dowson is an IT Technician working on the cybX project. cybX is a simulated virtual environment in which we can train, test, validate and exercise your technical and managerial teams in a safe and secure manner.