In this blog post:
- 3 cybersecurity trends to look for in 2017
- One billion more Yahoo accounts hacked in a second incident dating back to 2013
- Emerging threats: Netgear routers easily hacked, a spiteful ransomware strain, a scam targeting Amazon shoppers, and more
- Cybersecurity shorts: Breach at Quest Diagnostics, EMV card deadline pushed back, a cyberheist at the Russian Central Bank, and more
- Software updates
It was certainly a busy year in the cybersecurity sector and we don't anticipate it will slow down in 2017. Read on to learn about those resources and about all the cybersecurity happenings this month including:
- The danger of connected kids' toys
- How to protect deceased loved ones from identity theft
- How nearly a million Germans got kicked offline
- And much more
3 cybersecurity trends to look for in 2017
Cybercriminals certainly didn't slow down in 2016. The past year brought us dubious new cybersecurity records:
- Two Yahoo breaches exposed the records of 500 million and 1 billion, respectively
- 700,000 taxpayers had their personal information compromised when a feature on the IRS's website was hacked
- 10,000 Department of Homeland Security and 20,000 FBI employees discovered that hackers obtained their names, phone numbers, and email addresses after the Department of Justice's database was breached
According to the Identity Theft Resource Center, there were 957 reported data breaches in 2016—177 more than in 2015.
And looking ahead, 2017 promises to be another banner year for hackers. Here are three threats that we expect to see more of in the coming year.
- Ransomware
Since 2015, ransomware has been growing exponentially. According to McAfee, total ransomware samples in the first quarter of 2015 were just under 3 million. In 2016, that number jumped to over 7 million samples. Trend Micro predicts a 25% growth in new ransomware samples next year.
Ransomware, the malware that locks your computer and demands a bitcoin ransom to decrypt your files, will continue to widen its reach in 2017. In 2016, we saw ransomware attacks hit hospitals and schools, and we believe we'll continue to see large institutions like these infected.
The ransomware creators are adept at making new strains. Earlier this month, a new sample was discovered that gives the infected two options: pay up or infect two of your friends. (You can read more about that below.) But be aware that new ransomware is headed your way. Remember the 10-second EMAIL Rule (Examine Message and Inspect Link) and think twice before you click.
- CEO Fraud
Over the last two years, U.S. companies have lost $3 billion to the Business Email Compromise (BEC)/CEO Fraud scam. In this scheme, scammers impersonate a CEO and email another employee asking them to perform a wire transfer that actually moves the money to the crook's account.
BEC is an easy and effective way for scammers to make money. The average compensation from this scam is $140,000. It's less work than creating ransomware and gives a greater reward, which is why we expect to see an even greater presence of this attack next year.
To protect your company from falling victim to CEO Fraud, you need to practice two-factor authentication for wire transfers. That means anytime a wire request comes in, the recipient must confirm the transfer with the sender in two ways—such as phone and email or face to face and email.
- Internet of Things (IoT)
The last three months have demonstrated the vulnerabilities in connecting all of our devices to the Internet. You may remember the massive DDoS attack that took down much of the Internet for one day in October. Hackers pushed an enormous amount of traffic to Internet company Dyn's servers. The increase in traffic caused the servers to crash—taking many popular sites offline.
How were the hackers able to push so much traffic at once? By taking over vulnerable devices connected to the Internet, such as cameras and video recorders. These Internet of Things (IoT) devices were hit with the Mirai malware, which allowed the attackers to control the devices and send traffic to the selected servers. IoT devices that were still using default usernames and passwords were infected.
Since the Dyn attack, we've seen almost one million routers in Germany pushed offline and 80 different types of Sony cameras affected by the same malware. With such an uptick in the last few months, it's safe to assume that attacking vulnerable IoT devices will continue in 2017.
While IoT devices may seem convenient, we encourage you to do your research before purchasing them. As for items you already own, be sure to make them as secure as possible. Change the default username and password to something unique and make sure you are running the most up-to-date firmware on every device.
Each year brings us new cybersecurity threats to defend against—but also new ways to fight back. We must all stay vigilant with our cybersecurity plans and adapt when it's indicated. We're looking forward to this new year of cybersecurity vigilance and will continue to keep you updated on the latest news.
We wish you all a very happy 2017!
One billion more Yahoo accounts hacked in a second incident dating back to 2013
Yahoo announced this month a breach affecting more than one billion user accounts. This is separate from the hack announced earlier this year, which affected 500 million. The second incident occurred in August of 2013 when an unauthorized third party accessed and stole data such as names, phone numbers, email addresses, encrypted passwords, and unencrypted security questions. The hackers were also able to forge authentication cookies, which allowed them to log in without passwords and stay logged in for a long period of time. The cookies also contain a lot of personal information about the user.
If you have a Yahoo account, you should assume your account was affected. Change your password immediately and sign up for two-factor authentication. If any other account uses a similar login, be sure to change that as well. Also be wary of all emails you receive. It's likely that phishers will take advantage of this hack.
Emerging threats
Netgear router owners: If you own an R8000, R7000, or R6400 router, unplug it immediately. A flaw in these routers (and possibly others) was discovered that makes them incredibly easy to hack. The attack occurs when a user visits a maliciously coded website that exploits the vulnerability and gives the hacker complete control of the router without needing the username or password. The researcher who discovered this flaw allegedly notified Netgear some time ago, but nothing was done. The researcher then went public with the story. Netgear has now released a beta version of the patch which you can download here.
New ransomware strain encourages you to infect others. The MalwareHunterTeam discovered the new malware, Popcorn Time, which gives you the option of paying a bitcoin ransom or sharing a link to infect two others to get your encrypted files back. MalwareHunterTeam says the code they discovered does not appear to be finished and it's not currently spreading fast. Still, think before you click.
Identity theft of deceased individuals is spiking, according to LexisNexis Risk Solutions. The fraudsters take advantage of the fact that people's identities can still be found on public documents even after death. They create "zombie identities" and commit various fraudulent acts. You can protect your deceased loved ones best by reporting their death to the IRS, Social Security Administration, credit reporting agencies, banks, and insurance companies.
Electronic Privacy Information Center (EPIC) files a complaint to ban certain kids' IoT-connected toys from the marketplace. In its complaint to the FTC, EPIC expressed concerns that certain vulnerabilities in these toys allow them to spy on children. For example, the popular My Friend Cayla and I-Que Robot send data from the conversations with the child to a technology company called Nuance rather than remaining private. Most of these toys also come with a set of terms that allows the toys to share data with various third parties.
New phishing scheme targets Amazon shoppers. The email tells the recipient that their order cannot be shipped until they click to confirm their account. The link brings them to a fake page which asks for their address and payment card information. Be sure to look closely before clicking on any link in an email.
Cybersecurity shorts
Breach at Quest Diagnostics exposes information of over 30,000 people. The medical laboratory operator says an unauthorized third party gained access to an Internet application on its network which exposed customer information of about 34,000. Quest Diagnostics says the stolen information includes names, date of birth, and lab results. Social Security numbers, payment information, and insurance information were not compromised. Affected customers are being notified via mail.
Phishers stole personal information of 750,000 people after targeting Los Angeles County employees in a cyberattack. The phishers sent emails to nearly 1,000 county employees and had a 10% success rate—108 recipients provided the usernames and passwords to their accounts. The accounts gave phishers access to personal and health data of patients who received services from county departments.
Your credit card number could be guessed in seconds, according to security experts at the University of Nebraska. The team created a system that would send payment requests to multiple websites at the same time. The system was able to guess and push different card combinations (card number, expiration date, security code) until a card was verified. The system worked on over 30 popular sites—only eight of which have upped their security to stop the fraud.
Over 900,000 Germans found themselves with no Internet access after a malware strain, Mirai, infected their routers. Mirai exploited the routers via a security hole found in a new feature that allowed firmware to be updated remotely. Once a router was infected, this feature was turned off. Last month, the same malware was responsible for a large IoT attack that took many devices offline.
Russian banks hit with cyberheist totaling $31 million. Russia's central bank and various commercial banks saw millions stolen by hackers this month. The hackers originally tried to steal twice that amount by faking clients' credentials when logging into accounts.
Sony IP camera owners: Update firmware now! Security researchers at SEC Consult discovered vulnerabilities in 80 models of Sony IP cameras that allowed attacks such as manipulating images and using the device in a botnet or to spy on you. To see if your camera is affected and to update the firmware to close this hole, visit this link.
New payment safeguards could help decrease payment card fraud by 2020. Payment Strategy Forum has introduced two plans: "Confirmation of Payee" and "Request to Pay." The first would send users making a purchase or payment online a message confirming the name of the person they are paying. "Request to Pay" sends messages to users whenever a regular payment is charged to their account. Both messages will have to be approved before the charges go through.
EMV card deadline for gas pumps pushed to 2020. Gas stations were originally supposed to upgrade their payment systems to accept the new chip cards by 2017. However, Visa has pushed back this deadline due to the complicated infrastructure and technology needed for gas pump payment card readers. Experts have noted that there has been a recent increase in payment card skimming at gas stations.
Commission on Enhancing National Cybersecurity recommends that President-elect Trump hire and train 100,000 cybersecurity specialists by 2020. The council, created by President Obama, released a report this month advising the incoming Trump administration. In addition to increasing the number of professionals, the commission recommends creating international norms for hacking and creating a national cybersecurity strategy, among other items.
IBM's Watson will now fight cybercrime. The supercomputer has partnered with 40 different organizations to help prevent cyberattacks. The program will assist cybersecurity professionals in analyzing the thousands of cyber events they see each day.
Software updates
Adobe: Seventeen flaws were discovered in Adobe Flash this month, causing Adobe to push a patch to close the issues. One of the flaws is considered "zero-day" and is already being exploited by hackers. Flash users should be running version 18.104.22.168, and while the program should prompt you to update, you can check your version here. Be sure to update your browsers if they run Flash, as well.
Google: This month, Google released a security update containing 50 patches—11 were considered critical. One of the updates fixes a vulnerability named DirtyCOW, which allowed users to write over read-only files. The patch for this issue, however, will only work on Google devices. Other Android devices, such as Samsung, cannot use the patch. You can learn more about the updates here.
Firefox: Firefox users should update their browsers immediately. A security vulnerability that allows hackers to inject malware into your browser was discovered this month. Firefox should alert you to update immediately but you can check your browser's status here.
Microsoft: A patch bundle closing over 40 vulnerabilities in Microsoft products was released this month. At least half of the fixes are considered critical and could allow an unauthorized user to take control of your device. The majority of vulnerabilities were found in Internet Explorer and Edge. Microsoft should prompt you to update automatically.