Author: Stuart Crawford

Check Your IoT: URGENT/11 Zero-Day Vulnerabilities Impacting 2 Billion Devices

It was only a matter of time before connected devices become a target. The current vulnerability allows remote attackers to gain full control over IoT devices.  

Security professionals have known that connected devices are a risk, but the latest news around the URGENT/11 vulnerabilities may surprise even the most hardened security professional. Over 2 billion connected devices are thought to be vulnerable, including a range of printers, VOIP phones, routers, medical equipment, firewalls, elevators and industrial controls. Any connected device that is running the VxWorks operating system created by Wind River has the potential to be affected, allowing users to remotely gain control over the device.

URGENT/11 Vulnerabilities

Dubbed “URGENT/11”, these security risks include six critical vulnerabilities connected with VxWorks 6.5 or higher that includes the IPnet stack. There are a few versions of the OS that may not be affected, according to security research firm Armis, such as their VxWorks Cert Edition and VxWorks 653. Whether devices are within the network perimeter or on the edge, they can still be leveraged for remote access directly into networks. The vast range of manufacturers of the devices at risk means the level of security at the device level is likely to vary dramatically between product types. Fortunately, Wind River Systems provided critical patches during a recent July 19 release, but that may not be enough to reduce the risk for organizations utilizing these connected devices.

What is VxWorks?

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses”. As an RTOS, or real-time operating system, VxWorks has generally been considered to be a stable solution for IoT and other interconnected devices with only 13 vulnerabilities reported in over 32 years of operation for the platform. Since it is only older versions of the RTOS that are vulnerable to attack, it’s thought that newer devices should be relatively safe and many affected devices are already reaching end-of-life. These devices are generally ones where chipsets only need to manage a few basic pieces of information, such as input/output operations, where little data processing is required.

How to Protect Your Business

While officials at VxWorks and Armis note that there are no indications that the URGENT/11 vulnerabilities have been exploited, the extreme disruption that could be caused within an organization is reason enough to warrant a proactive effort to protect your organization. Here are the recommended steps from Wind River security professionals and engineers:

• Apply the recent patch immediately
• Deploy specific firewall signatures/rules that will help mitigate the danger if patches cannot be applied immediately

You can view the full URGENT/11 whitepaper with a breakdown of the vulnerabilities and suggestions for remediation online. Experts note that the level of disruption could be significant, perhaps even rivaling the EternalBlue 2017 vulnerability or the WannaCry ransomware attack. In each of these instances, it was challenging for many small businesses to determine the best steps to move forward and protect their organization.

Partnering with an IT services firm helps ensure that your business is alert to this type of critical attack vector. Staying vigilant for vulnerabilities and quickly applying patches may mean the difference between a few hours of work patching devices or servers and months of remediation as you attempt to recover from a major attack.

Capital One Data Breach Affects More Than 100 Million Customers and Small Businesses in The U.S. & 6 Million in Canada

On July 29, 2019, Capital One reported that their customers’ confidential information was compromised. This includes the Social Security and bank account numbers of more than 100 million people and small businesses in the U.S., along with 6 million in Canada.

The McLean, Virginia-based bank discovered the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. They waited until July 29 to inform customers.

How Did The Hacker Get Into Capital One’s System?

According to court documents in the Capital One case, the hacker obtained this information by finding a misconfigured firewall on Capital One’s Amazon Web Services (AWS) cloud server.

Amazon said that AWS wasn’t compromised in any way. They say that the hacker gained access through a misconfiguration on the cloud server’s application, not through a vulnerability in its infrastructure.

Capital One says that they immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.

Who Breached Capital One’s Data?

Paige A. Thompson, a former software engineer in Seattle, is accused of stealing data from Capital One credit card applications.

Thompson was a systems engineer and an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said that she left the company three years before the hack took place.

The FBI arrested Thompson on Monday, July 29 for the theft, which occurred between March 12 and July 17. Thompson made her initial appearance in U.S. District Court in Seattle and has been detained pending an August 1 hearing. Computer fraud and abuse are punishable by up to five years in prison and a $250,000 fine.

What Information Was Compromised?

Thompson stole information including credit scores and balances plus the Social Security numbers of about 140,000 customers and 80,000 linked bank account numbers of their secured credit card customers. For Capital One’s Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised.

The largest category of information obtained was that of consumers and small businesses when they applied for one of Capital One’s credit card products from 2005 through early 2019.

Capital One said, some of this information included names, addresses, phone numbers, email addresses, dates of birth and self-reported income.

Other data obtained included credit scores, limits, balances and transaction data from a total of 23 days during 2016, 2017 and 2018.

This is one of the top 10 largest data breaches ever, according to USA TODAY research.

What Is Capital One Saying About The Breach?

They will offer free credit monitoring services to those affected. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully.

They’ve set up a consumer website about the breach at www.capitalone.com/facts2019 that you should refer to if you’re worried that your information was compromised.

Capital One expects that this hack will cost them approximately $100 million to $150 million in 2019.

What Should Capital One Customers Do?

If you’re a Capital One customer, you should check your account online. You should also freeze your credit through each of the three main credit bureaus: Experian, Equifax and TransUnion.

It’s important to remain vigilant. Businesses should sign up for Dark Web Scanning to detect whether your confidential business information is there for cybercriminals to use.

Prevention is always the best remedy. Ask your IT provider to ensure your that your firewall is properly configured and to continuously remotely monitor your network for intrusions.

Major Fines for IT Data Breaches

Outdated machines, software or employee practices can lead to major security problems. These big companies faced painful fines for their IT mistakes.

As companies increase their online activity, data collection and eCommerce, the stakes will continue to rise. Companies that are lax, poorly prepared or sloppy are facing disastrous tech breaches. Equifax, Uber, TJX and Visa are just a few of the companies that have had to face hefty payouts for data breaches. The public relies on companies to act professionally and secure their information. Many companies that face a security breach or lost data will not be able to stay in business.

With a security breach, the customer’s trust is lost. Not only will the reputation harm business, but fixing the issue will cost more than preventing it. Fines and payouts will also add to that cost. And, the more consumers affected by a major problem in the company’s security, the more painful the clean up. You can’t afford to slack when it comes to IT security.

Equifax Data Breach Settlement of $700 Million

The infamous Equifax data breach of 2017 has lead to 147 million affected customers. The settlement announced by the credit reporting company included $175 million to 48 states, $300 million towards free credit monitoring services for the impacted customers and $100 million to the Consumer Financial Protection Bureau for civil penalties.

Federal Trade Commission (FTC) Chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Facebook Faces $5 Billion in Fines for Privacy Violations

The FTC smacked Facebook with a $5 billion fine for the Cambridge Analytica incident. This privacy violations fine was in response to personal data taken from over 87 million Facebook users to create more persuasive and personalized ads.

Uber Faces $148 Million in Fines for Covering Up Hacked Accounts

In 2016, Uber had over 57 million user accounts compromised–and then tried to cover it up by paying the perpetrator $100k. This lead to the largest data-breach payout at the time of $148 million because they broke data breach violation laws.

Anthem Faces $131 Million for Data Breach of Customers

When the US health insurer Anthem was hacked in 2015, over 79 million customers had their names, birthdates, social security numbers and medical IDs compromised. The company paid out $115 million in a class-action lawsuit in 2017 regarding the breach. The US Department of Health and Human Services fined them an additional $16 million for HIPAA (Health Insurance Portability and Accountability Act) violations.

TJX and Visa Pay Out $40.9 for Data Breach

When over 96 million credit and debit accounts were hacked in a widely-publicized data breach that lasted from 2003 to 2007, TJX promised pay outs. This came under the terms that 80% of card issuers agreed to the recovery offer and promised not to take further legal action. TJX agreed to fund the settlement as a resolution to those U.S. Visa holders with cards from taking further legal action. This amount was not part of the $256 million the company said it had budgeted to deal with the breach.

Texas Cancer Center Fined $4.3 Million for Unencrypted Equipment

Between 2012-2013, the University of Texas MD Anderson Cancer Center lost one unencrypted laptop when it was stolen from an employee’s house and two unencrypted USBs that contained sensitive patient data. The health information of over 33,500 individuals was compromised and the center faced a $4.3 million fine for HIPAA violations.

FMCNA Fined $3.5 Million for Five Data Breaches

In 2012, Fresenius Medical Care North America (FMCNA) was fined $3.5 million for HIPAA violations after five separate breaches in different company locations. The Office for Civil Rights noted that FMCNA could have avoided this with a thorough risk analysis to find the potential risks and vulnerabilities. Many of their breach problems included lacking security policies and failing to encrypt sensitive health data.

A good company will take proactive IT security measures with a great tech team. By outsourcing IT security through a managed IT service company, you can get the best security without hiring a team full-time. Your IT team will provide an audit of your company to help you find the places where your security, devices or practices might be a threat to your company. Ensure you are using the right equipment and your employees are trained to meet compliance standards, privacy laws, customer expectations and more so your company can succeed.

Phishing Attacks Target OAuth Credentials to Gain System Access

Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers and wreak havoc on applications and access sensitive data.

What Is OAuth?

OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers to allow authentication without sharing the initial single login credential. It’s often referred to as secure third-party user agent delegated authentication.

OAuth lets you access a resource — secure password-protected sections of a website, for example. Once the access is granted it remains in place until revoked, even if passwords or reset or 2-factor authentication changes.

It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say, ESPN.com, you can log in using your Facebook account. Facebook, Google, Microsoft and Amazon are among those that use OAuth to allow access to other platforms as well as their own.

OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.

What Is the Oauth Phishing Attack?

The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as a compromised account holder throughout any platform on which the hacked person uses OAuth.

A hacker can create a simple app that is loaded into an email message. When users click on the phishing email, they can inadvertently allow access via the OAuth protocol.

“These techniques have been observed in sophisticated attacks in the past¹ but are becoming easier to execute and are gaining in popularity,” notes a recent article.

What Can Attackers Do if a Phishing Attack Is Successful?

A successful phish attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:

• Search your mailboxes
• Read your email messages
• Download messages and any attachments
• Search for keywords in your email and extract that data
• Send messages on behalf of your account … to anyone
• Access your contacts
• Search shared drives like OneDrive and Sharepoint, read documents and download and extract files
• Create malicious Outlook rules
• Inject disruptive macros into stored Word documents
• Create and install filtering and forwarding rules

Data accessed, reviewed and stolen can have severe consequences, as could macros and rules that make it difficult or impossible to use these common office productivity apps.

What Can Be Done to Defend Against a Phishing Attack?

More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers. It’s likely that the number of OAuth phishing attacks is likely to grow.

The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.

That means training and simulations that help users look for telltale signs of a phishing attack, such as poor grammar and spelling and the use of an unusual email address. Explaining how OAuth phishing attacks work also helps to raise awareness and let users take a skeptical approach to providing those credentials if something doesn’t feel right.

Your organization should also make it easier for employees to submit any suspect email messages that they believe are a phishing attempt.

Some other recommendations are:

• Limit the number of third-party apps that can 3^rd party apps that your network accepts
• Disable any third-party apps across the organization that are unnecessary
• To identify rare or suspicious instances, search for and monitor all consented applications

To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions and monitoring are in place for your entire network.

5 Incredible Benefits of Effective Managed IT Services

Managed IT services are one of the many ways an organization can choose to handle their IT needs. With managed IT services, a third-party handles the entirety of the tasks and responsibilities regarding managing IT and keeping the company running. The difference between this and many traditional third-party services is that it’s provided for a set cost. Instead of having access to an hourly consultant rate, you’ll be paying a flat rate monthly (or annually) in exchange for total coverage.

Every arrangement is slightly different and must be outlined very clearly in the Service Level Agreement (also known as the SLA). This document will arrange not only the cost structure, but also the exact services that are included in the partnership, and the metrics that are used to define success or failure.

There are many reasons that companies elect to go with managed IT services to handle their day-to-day needs. Here are five of the most compelling reasons:

1. Provides Total Alignment Between Both Parties

In a managed services agreement, both parties are aligned for maximum efficiency and performance. Since it’s not an hourly rate, the third-party is incentivized to handle your IT in an efficient and effective manner. Otherwise, they have to spend more time and manpower resolving your issues, which brings down their effective hourly rate.

Additionally, if they don’t live up to the metrics set forth by the SLA, they may be liable for penalties or even complete termination of the contract. In this way, it’s in both companies interest to do the very best job possible.

2. Focuses on Being Proactive versus Reactive

If you’re paying by the hour, the services you’ll receive are going to be reactive. When your company notices an issue, they’ll reach out to the third-party to help fix it. Managed services provide proactive support. Since they’re working for you no matter if there’s a problem or not, much of their time is spent preventing problems in the first place. This results in much smoother daily operations and the avoidance of problems that could potentially hurt your businesses but would be unavoidable with another type of arrangement.

3. Contains Simple Cost Structure

The simple cost structure of managed IT services will be much appreciated by your accounting department and whoever is setting the budget. Instead of seeing costs vary wildly by the amount of support required in a particular month, the amount will be a flat fee. You’ll also likely save a great deal of money versus hiring a fully functional team in-house since you won’t need to pay for things like recruiting, onboarding, benefits, and continued training.

4. Makes Projects Easier to Manage

When you need to roll out a brand-new technology or simply update an existing one, it can take a great deal of time and resources. This is especially true if the third-party isn’t used to the way your business operates each day and has to fit the entire roll out into a small window of time. If you have continuous support, however, it’s a much more manageable process. They can work on the project when they have a spare moment in the day. Since they’re fully integrated into your day-to-day processes, they’ll have a much better idea of how to implement a new system from end-to-end, including training and providing post-launch support.

5. Offers Access to True Experts

Unless you’re a massive organization, it’s unlikely that you can afford to recruit, train, and maintain the very best in the IT field. With an agreement with a top-notch IT firm, you gain access to experience and perspectives that you would be unlikely to otherwise access. These talented professionals will be able to help you with all of your IT needs, from daily maintenance to improving upon your existing systems and processes.

Managed IT services are only one of the many ways that a company can choose to handle its IT needs. However, it offers many advantages over some of the other options, including handling IT in-house and going with an hourly consultant-based fee schedule. If you believe that your business could benefit from controlled costs, improved support, and access to an incredible variety of IT talent, managed IT services might be the best option for your business.

What You Need To Know About OAuth Phishing Attacks

Amnesty International has reported that OAuth Phishing attacks targeted dozens of Egyptian human rights defenders since the beginning of this year. They are warning that these human rights defenders should be vigilant and contact them if they receive any suspicious emails.

“Since January 2019 several human rights defenders and civil society organizations from Egypt started forwarding dozens of suspicious emails to Amnesty International. Through the course of our investigation, we discovered that these emails were attempts to access the email accounts of their targets through a particularly insidious form of phishing known as OAuth Phishing … We estimate the total number of targeted individuals to be in the order of several hundreds.” Amnesty International

What Is OAuth Phishing?

The Egyptian authorities are using a new spear-phishing technique called OAuth phishing. OAuth is an industry-standard protocol used for authorizations. All computer users should beware of OAuth Phishing.

OAuth Phishing is being used to abuse the legitimate authorization feature of online service providers that lets third-party applications gain access to an account. OAuth is the protocol used by many companies, including Google, Facebook, Amazon, and Microsoft. It’s used to manage access to user data across these and other platforms.

With access to a user’s email account OAuth can add events or flight times to their calendars. The OAuth Phishing hackers use malicious third-party applications to trick users into giving them access to their accounts.

OAuth Phishing targets OAuth tokens instead of passwords. When a user grants a third-party app the right to access their account, the application uses the OAuth token instead of a password. Egyptian authorities are gaining unauthorized access and use third-party apps to compromise users’ accounts.

How Does OAuth Phishing Work?

The hacker uses phishing emails with fake security warnings from Google to trick victims into clicking on a malicious link. The victim is instructed to click the “Update my security now” button. When they do, they’re sent to a third-party application called “Secure Mail.” This prompts the OAuth process.

But that’s not all. They are then asked to give the “Secure Mail” app access to their Gmail or other accounts. They’re told to click on the “Allow” button. When this happens, the hacker gains access to the victim’s account.

Now the attacker can use a malicious application to:

• Download other messages, attachments and files.
• Search for and read their messages.
• Install filters and forwarding rules.
• Inject macros into Word documents.
• Access users’ contacts.
• Get into OneDrive and search for downloaded files.
• Extract emails by searching for keywords.
• Setup malicious Outlook rules.

Amnesty International warns that these OAuth phishing attacks also target users’ Yahoo, Gmail, Outlook and Hotmail accounts.

How Can You Prevent Your Employees From Being Victimized By OAuth Phishing?

The best way is to be educated. Security Awareness Training is the go-to solution to keep employees informed about security threats and how to avoid them. But, because OAuth phishing can be difficult to detect and the victim authenticates through a legitimate site, people are still being tricked.

OAuth Phishing can be hard to identify. And, even with Security Awareness Training, people are being tricked. They’re trained to look for suspicious website URLs and to use Two-Factor Authentication. But these tactics don’t work to prevent OAuth phishing.

Phishing messages can convince users to click links that deliver malware or reveal their user credentials. Now with new tools, OAuth is being used for this. The account can be accessed until authorization is explicitly revoked. Not even password resets or using 2-factor authentication will work to stop it.

Train and test your users to:

• Spot phishing messages and specifically OAuth phishing messages.
• Know how to submit suspicious email messages if they find them.
• Defend and respond to OAuth attacks.

Along with Security Awareness training, companies must ensure that their IT service companies have set up the technology, policies and remote monitoring and management to detect these OAuth attacks.

What Does OAuth Recommend?

You can visit this page for security guidance. They say that if a suspicious or malicious third-party application is found in the OAuth environment that all permissions should be revoked. Then review remote monitoring logs to learn what was compromised.

They also suggest that you:

• Limit the number of third-party applications that can be accepted.
• Disable any third-party applications that you don’t need.
• Search and monitor all third-party applications that have been approved for use, and check for suspicious activity.
• If you use Microsoft Office 365, be sure to monitor your application permissions in the Cloud App Security.

The Bottom Line

All of your employees should be educated about the dangers of OAuth and other phishing attacks. They should always use best practices and only access applications that they trust.

Also, make sure that you and your IT provider periodically review the list of applications that you use. Revoke access to all applications that you no longer need.