
Posts from March, 2016


The Latest Big Cyber-Threat: Are Your Servers “DROWN-proof”?

Wednesday, March 30th, 2016


If you think there’s a new cyber-threat to worry about every week, you’re probably right. The latest vulnerability to send shockwaves through the enterprise security community has been given a rather ominous acronym: DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption.

Publicized just a few weeks ago by an international team of security researchers, DROWN exploits an obsolete encryption protocol to decrypt supposedly secure TLS connections to as many as one-third of the HTTPS servers around the world—from those of popular public websites (including Yahoo, CNBC.com, AutoTrader, and more) to private servers hosting email, instant messaging, and other essential online services.

Yesterday’s Security, Today’s Danger

The basis of DROWN is Secure Sockets Layer version 2 (SSLv2), an early Internet encryption protocol. As public Internet usage exploded in the mid-’90s, SSLv2 was an early attempt to protect passwords, credit card numbers, and other sensitive data transmitted over the web. But SSLv2 quickly revealed multiple security weaknesses—and proved quite “hackable”—and was superseded within a few years, first by SSLv3 and then by today’s cryptographic standard, Transport Layer Security (TLS).

Two decades later, obsolete SSLv2 is considered “ancient history” and is no longer supported by any current browser or client software (the apps your computer uses to access the web and send/receive email). Yet it remains enabled on many servers for backwards compatibility—even though no modern client will ever ask to “communicate” via the obsolete protocol. In other words, the legacy support adds no benefit, only risk.

Left ignored and mostly forgotten, SSLv2 became the perfect vehicle for a “cross-protocol” DROWN attack.

A Hacker’s Dream: Quick and Cheap

Without getting too far into the technical details: the attacker first records TLS connections to the target server, then abuses the server’s SSLv2 support—which shares the same RSA private key—as an “oracle” that leaks information about those recorded sessions. The DROWN researchers showed that a recorded TLS session could be decrypted this way in under 8 hours. The process involves about 40,000 “probe” connections to the SSLv2 server combined with roughly 2^50 offline computations. With cheap Cloud-based computing services such as Amazon EC2, a skilled attacker could do it for as little as $440.

The good news is that as of now, there are no reported cases of actual DROWN attacks “in the wild”—but the prime role of cyber-security is to uncover new threats before the crooks stumble upon them. In the meantime, the best defense against DROWN is to disable SSLv2 on web servers as well as on all SMTP, IMAP, and POP email servers. Note that the attack works against any server that shares the same RSA private key (or certificate): disabling SSLv2 on your web server alone doesn’t help if your mail server still accepts SSLv2 with the same key. The DROWN research team has published specific details and a checker on their website, drownattack.com.
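As an added example (not code from the DROWN researchers or from this blog), here is a small Python probe that sends an SSLv2 CLIENT-HELLO to a host and port and reports whether the server answers with an SSLv2 SERVER-HELLO, which is the precondition for DROWN. The record and message layout follow the SSL 2.0 draft specification; the SERVER-HELLO built by build_server_hello is a constructed sample for offline testing (its certificate field is a dummy blob), and the host, port and timeout are whatever you pass in.

```python
"""Probe a TLS endpoint for SSLv2 support, the precondition for DROWN.
Added example; not the DROWN team's scanner."""
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each).  The two 40-bit export kinds are
# the ones the general DROWN attack relies on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_CIPHERS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def sslv2_record(body):
    """Wrap a handshake body in a 2-byte SSLv2 record header (no padding)."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO offering every cipher kind, as a scanner would send."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS.keys())
    body = (b"\x01" + b"\x00\x02"                         # MSG-CLIENT-HELLO, version 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # no session id
            + ciphers + challenge)
    return sslv2_record(body)


def classify_response(data):
    """Classify the first bytes the server sent back.
    Returns ('sslv2', [cipher names]) when the server answered with an SSLv2
    SERVER-HELLO, ('tls_alert', []) when it refused with a TLS alert,
    ('closed', []) when it hung up, or ('unknown', [])."""
    if not data:
        return "closed", []
    if data[0] == 0x15:                      # TLS alert record: SSLv2 refused
        return "tls_alert", []
    body = data[2:]
    if data[0] & 0x80 and len(body) >= 11 and body[0] == 0x04:
        # MSG-SERVER-HELLO: type(1) session-id-hit(1) cert-type(1) version(2)
        # cert-len(2) cipher-specs-len(2) conn-id-len(2), then cert, specs, conn-id
        cert_len, cipher_len = struct.unpack(">HH", body[5:9])
        specs = body[11 + cert_len: 11 + cert_len + cipher_len]
        kinds = [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]
        return "sslv2", [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds]
    return "unknown", []


def build_server_hello(ciphers, cert=b"\x30\x00"):
    """Constructed SSLv2 SERVER-HELLO for offline testing (cert is a dummy blob)."""
    specs = b"".join(ciphers)
    conn_id = b"\x00" * 16
    body = (b"\x04\x00\x01\x00\x02"          # hit=0, cert-type=X.509, version 2.0
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return sslv2_record(body)


def offers_export_cipher(cipher_names):
    """True if the server offered a 40-bit export kind (cheapest DROWN case)."""
    export = {SSLV2_CIPHERS[c] for c in EXPORT_CIPHERS}
    return any(name in export for name in cipher_names)


def probe(host, port=443, timeout=5.0):
    """Open a TCP connection, send the CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict, ciphers = probe(host, port)
    print(verdict, ciphers)
    if verdict == "sslv2":
        print("SSLv2 accepted: DROWN exposure; export ciphers offered:",
              offers_export_cipher(ciphers))
```

Run it against each port that terminates TLS (443, 465, 993, 995, and any port offering STARTTLS after the upgrade) and against every host that uses the same certificate or key; a "tls_alert" or "closed" verdict on the web server means nothing if the mail server on the same key still answers "sslv2".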

Longtime readers of our blog know that defending your company from cyber-attacks is now simply part of the cost of doing business. To learn more about the DROWN vulnerability and protection from other emerging threats, contact us today.

Are Macs “Ransomware-Proof”? Not Anymore

Wednesday, March 23rd, 2016


Since Apple famously introduced the Macintosh over three decades ago, Mac users have been confident that their computers are virtually immune to ransomware and other malware threats which plague their Windows counterparts. But those days are over.

On March 4, researchers at security firm Palo Alto Networks detected what they believe is the first “fully functional” ransomware attack aimed exclusively at Apple’s OS X operating platform.

Dubbed KeRanger, the ransomware code was discreetly piggy-backed onto a routine update (version 2.90) of Transmission, a popular BitTorrent client (a free Mac utility enabling rapid download/sharing of large files). After lurking on an infected Mac for three days, KeRanger encrypts the user’s files (those under the home directories and any mounted volumes) before demanding a payment of one Bitcoin (currently the equivalent of about $400) to restore access to the scrambled files.

Hack a Mac? Just Fool the Gatekeeper

Macs are generally less susceptible to viruses and malware thanks to Gatekeeper, a built-in OS X defense feature that, by default, blocks downloaded apps unless they come from the Mac App Store or are signed with a valid Apple Developer ID certificate. It’s important to understand what that signature means: it ties the app to a developer account registered with Apple, nothing more. Apple is not declaring the app legitimate or harmless, and any app signed with a valid (not yet revoked) certificate sails through. In the case of KeRanger, the infected installer was signed with a Developer ID (Z7276PX673) that had been issued to a software developer in Turkey, enabling it to bypass Gatekeeper and infect the Mac. (How the Turkish company’s Apple certificate apparently fell into the wrong hands is still under investigation.)

After identifying the misused Developer ID on the morning of March 4, Palo Alto Networks immediately notified Apple, who quickly revoked the certificate and updated its built-in XProtect malware signatures. The Transmission homepage has also replaced the tainted version of the app with a “clean” update, and a subsequent release removes KeRanger from already-infected machines. It was determined that KeRanger was only “in the wild” (at-large and uncontained) within a relatively small window between 11 a.m. March 4 and 7 p.m. March 5.
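Because a valid Developer ID only says “some registered developer signed this,” the check that actually catches a case like KeRanger is pinning the signing team to the one you expect for that app. As an added example (not code from Apple, Transmission or Palo Alto Networks), the Python below verifies a bundle’s signature with codesign and then parses the codesign -dvv output to compare the TeamIdentifier against an expected value. The SAMPLE_OUTPUT is constructed in the shape of codesign output; its bundle identifier and team ID (ABCDE12345) are hypothetical.

```python
"""Verify a macOS app bundle's Developer ID signature and pin the signing
team, rather than accepting any valid Developer ID as Gatekeeper does.
Added example; not Apple's, Transmission's or Palo Alto Networks' code."""
import subprocess


def parse_codesign(output):
    """Parse `codesign -dvv` output (codesign writes it to stderr) into a
    dict; the repeated Authority= lines (the certificate chain) become a list."""
    info = {"Authority": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key.strip() == "Authority":
            info["Authority"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info


def assess(info, expected_team):
    """Return (ok, reason): require a Developer ID chain rooted at Apple and a
    TeamIdentifier equal to the team you expect for this particular app."""
    chain = info.get("Authority", [])
    if not any(a.startswith("Developer ID Application:") for a in chain):
        return False, "not signed with a Developer ID Application certificate"
    if "Apple Root CA" not in chain:
        return False, "certificate chain is not rooted at Apple Root CA"
    team = info.get("TeamIdentifier", "not set")
    if team != expected_team:
        return False, f"TeamIdentifier {team} does not match expected {expected_team}"
    return True, f"signed by expected team {team}"


def verify_app(path, expected_team):
    """macOS only: check the signature is intact, then assess who signed it."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return False, "signature invalid or missing: " + verify.stderr.strip()
    display = subprocess.run(["codesign", "-dvv", path],
                             capture_output=True, text=True)
    return assess(parse_codesign(display.stderr), expected_team)


# Constructed sample in the shape of codesign -dvv output; the bundle
# identifier and team ID are hypothetical, not Transmission's real values.
SAMPLE_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

if __name__ == "__main__":
    print(assess(parse_codesign(SAMPLE_OUTPUT), "ABCDE12345"))
    print(assess(parse_codesign(SAMPLE_OUTPUT), "ZZZZZ99999"))
```

A revoked certificate will fail the codesign --verify step, but revocation only arrives after someone notices the abuse; the team-ID comparison is what would have flagged a Transmission build signed by an unfamiliar team on the day it appeared.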

It Could Have Been Worse

In their haste to begin extorting victims as soon as possible, KeRanger’s developers left unfinished an additional section of code intended to encrypt Time Machine backups as well—Time Machine being the OS X feature that keeps versioned copies of users’ files on an external drive, so that encrypted files can simply be restored. If they’d spent a little more time refining their “launch version” of ransomware, even the backups would have been hopelessly encrypted, leaving no way out short of that $400 payoff.

If you’re a Mac user who doesn’t use the Transmission app, you dodged a bullet. But the KeRanger incident is a serious blow to OS X’s reputation as the “hack-proof” operating system. As we’ve discussed, ransomware schemes are the fastest-growing form of cybercrime today, and it was only a matter of time before Macs became a target.

For more information on ransomware and more of the latest emerging cyberthreats, contact us today.

IoT Devices: Security Holes?

Tuesday, March 15th, 2016


Hackers can take advantage of a newer technology prevalent throughout your business to break into your network and compromise security: Internet of Things devices. Your business may have never considered that the handy new Smart Thermostats throughout the building or the Smart TV in the conference room could actually be used by a hacker to piggy-back onto other devices on your network.

Fortunately, a managed service provider can stay on top of your IT security, installing the latest updates on every computer and all network hardware, and minimizing the risk of experiencing productivity-draining malware and hacks.

Your business could be vulnerable to a major security breach by leaving IoT devices unpatched and running old code.

The Elephant in the Room

In December of 2015, the security experts at Trend Micro identified approximately 6.1 million devices in use, including IoT devices, running software with an unpatched remote code execution hole. The catch is that the hole was identified and fixed all the way back in 2012, meaning these devices are still putting their owners at risk. Code vulnerabilities aren’t limited to device firmware, either: the hole Trend Micro found was in a shared code library (libupnp, used for UPnP networking) bundled inside apps, so every app that shipped an old copy of the library inherited the bug.

A study by HP showed that upwards of 70 percent of all IoT devices are in some way vulnerable to an attack—and according to ZDNet, IoT devices are problematic for business security overall because they lack much of the security sophistication found on devices like laptops. For example, the home IoT market is facing major privacy and security concerns over Baby Monitor hacking. Your company may be concerned about home IoT devices as well if you have employees that work from home.

Plug, Play, and Forget

Hackers aim to exploit the common “set it and forget it” mentality toward IoT devices. Not only are IoT devices prone to security breaches, they are also often neglected as points of concern. When the manufacturer issues an update to patch security problems, your staff may not include IoT devices alongside regular updating practices.

There is plenty that an MSP can do right now to protect your business from IoT security holes. In addition to keeping each device’s firmware up to date, it is also necessary to keep all installed apps updated, since (as the libupnp case shows) the bug may live in a library an app carries with it. Many IoT devices lack a clear interface for applying patches, making the process cumbersome. Security apps work well on devices that support them, but IoT products that can’t run any security software need to be protected from the outside, by controlling what they can talk to.

Another way an IT consultant may suggest to keep IoT devices from impacting the rest of your business’s security is to put smart devices on a second, isolated network that cannot initiate connections to your main network (while still reaching the Internet for updates). A separate WiFi network or VLAN makes the process relatively inexpensive and straightforward; the important part is the firewall rule between the two networks.
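As an added example of that isolation (not configuration from this post or from any vendor), here is an nftables forward policy for a small router or firewall. It assumes the trusted LAN is bridged on br-lan, the IoT SSID or VLAN on br-iot, and the uplink is wan0; those interface names are assumptions. Trusted machines may still initiate connections to the IoT network (to cast to the conference-room TV, for example), but nothing on the IoT side can open a connection toward the LAN.

```nft
# Assumed interfaces: br-lan = trusted LAN, br-iot = isolated IoT network, wan0 = uplink
table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies to connections the trusted side opened are allowed back in
        ct state established,related accept

        # trusted LAN may initiate to IoT devices (management, casting), never the reverse
        iifname "br-lan" oifname "br-iot" accept

        # IoT devices may reach the Internet for updates and vendor cloud services
        iifname "br-iot" oifname "wan0" accept

        # anything an IoT device tries to open toward the LAN is logged and dropped
        iifname "br-iot" oifname "br-lan" log prefix "iot-to-lan " drop
    }
}
```

The established,related rule must come before the final drop, otherwise the TV could never answer a laptop that connected to it; and the log line on the drop rule is worth keeping, because an IoT device that suddenly starts probing the LAN is exactly the compromise this segmentation is meant to contain.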

Keep your business running productively by taking preemptive action against IoT security faults with a local MSP. You’ll be glad you did.

iPhone “Backdoor”? It Already Exists! Why Your Company Needs It

Tuesday, March 8th, 2016

February’s big story in the tech world was the conflict between Apple and the FBI over the creation of a “backdoor” to retrieve encrypted data on iPhones. The government is looking for any clue as to what—or, more specifically, who—motivated Syed Farook, along with his wife, to gun down his San Bernardino co-workers at an office party. Meanwhile, Apple CEO Tim Cook, along with other high-profile tech leaders, warns that the existence of such an “anti-encryption key” could become a slippery slope—ultimately threatening individual privacy as well as the security of all encrypted data, personal or business.

Apple steadfastly refuses to comply with the FBI’s court order, and the battle is likely to reach the Supreme Court. And if the Court’s pivotal ninth seat remains unfilled due to political gridlock, the whole issue could remain undecided for quite a while.

Finding the Facts

In the midst of this landmark security vs. privacy brouhaha, one key fact of the case is being underreported: The iPhone 5c the FBI wants to unlock was Farook’s business phone, issued to him by the San Bernardino County Health Department. He destroyed his personal phone—which he most likely used to actually discuss the terror plot—before the couple’s fatal shootout with police.

How could this highly-vocal Apple-FBI standoff have been averted in the first place? By using a “backdoor” that already exists for company-owned devices—completely legal, and, for businesses, absolutely necessary: mobile device management (MDM) software.

MDM allows users to enjoy the same mobile productivity—apps, email, documents, file-sharing—that they’d expect from an onsite network, while enabling IT administrators to ensure every device remains compliant with company security standards (configuration settings, updated security patches, and limiting unauthorized use of the device).

More importantly in this case, an enrolled device can be told by its MDM server to clear its passcode, so an administrator can regain access to a company-issued device without anyone having to break the encryption. Ironically, San Bernardino County had already contracted with an MDM vendor, but simply hadn’t gotten around to enrolling the mobile equipment in Farook’s department, due mainly to the lack of a formal MDM implementation policy.

Your MDM Solution? Choose Wisely

As mobile computing and BYOD become increasingly common in the modern workplace, MDM is essential for every company. You’ll find products from a slew of vendors, large and small, at competitive prices, but here are some key points to look for:

  • Ease-of-use (look for free trials of MDM products)
  • Full compatibility with both iOS and Android platforms
  • Functionality across multiple devices and wireless carriers
  • Seamless integration of all company-used apps (email, data, SaaS)
  • Pricing structure (per device or flat rate)

Choosing the right MDM solution—and effectively implementing it across your organization—is another IT challenge facing your company today. We can help.

The Death (and Second Life) of a Replaced Business Smartphone

Wednesday, March 2nd, 2016


When it’s time to upgrade employee smartphones, your business needs to worry about backing up data, clearing the memory, and figuring out the best way to get rid of the old devices. According to Business Insider, the average smartphone upgrade cycle reached 22 months in 2012. This time frame could continue to increase as carriers drop subsidized plans.

With such a brief window of use, it’s likely your business will end up with a stockpile of functional but unused devices.

Those old phones may still have some life in them—and you may want to consider repurposing them instead of dumping them in an electronics recycling bin.

Backing It Up and Clearing Your Data

Regardless of what’s going to happen to the smartphone, your first task is wiping the data off of it. This usually means backing up all the information on the device and performing a factory reset to erase any confidential information. Android phones can back up data a few ways: via Google’s Cloud, backup applications, or connecting to a computer and manually copying data. iPhones, on the other hand, can rely on the iCloud backup process. One caveat for Android: on an older phone whose storage was never encrypted, a factory reset may simply mark the flash memory as free rather than overwrite it, and some data can be recovered afterwards. Turn on device encryption before the reset if it isn’t already on; iPhones are encrypted by default, and “Erase All Content and Settings” discards the encryption key, which makes the old data unreadable.

Once you’re backed up, sign the device out of its Apple ID or Google account first (otherwise Activation Lock on iPhones, or Factory Reset Protection on newer Android phones, will lock the next user out), remove any SIM and microSD cards the phone supports, and then run a factory reset to clear any and all data. CNET recommends connecting the wiped phone to a dummy account and wiping the device a second time to further protect your information.

Repurposing Old Smartphones

Your business can extract some extra value by giving old devices a second life. Keeping an older device or two around the office in a shared area as a social media access point is a great way to provide content for your company’s social media accounts. If your company is doing something newsworthy that your audience would be interested in, snap a photo of it on the phone and post it to Facebook and Twitter. Employees can also use the device to respond to questions posed on those social media accounts.

Smartphones can break fairly easily. A new device can easily run $400 to $700, while replacement plans on devices can get pretty expensive. Be your own device replacement insurance policy, and consider keeping a few of the two-year-old phones around to replace lost or damaged devices to hold employees over until the smartphone can be properly replaced. While using a two-year-old phone lacks the “new and shiny” feeling, it’s more manageable than a shattered screen. The software and hardware on the slightly older device may not be cutting-edge, but it’s probably far from obsolete.

Alternatively, there’s a second-hand market for smartphones to replace broken devices and avoid paying a premium on new devices.

With a little effort, a smaller business can resell the unused devices on sites like eBay to recoup some of the value to put towards replacements. If your business doesn’t want to repurpose the phone internally, Mashable recommends donating the device to the troops, domestic violence victims, or another charity like the One Fund for Boston Marathon tragedy victims.

Questions? Get in touch with your local MSP.