Article published in : ComputerFraudandSecurity.com
Are your IT professionals prepared for the challenges to come?
Three key security threats that you need to prepared for and how to mitigate them.
The IT is probably the most dynamic business sector these days. There are so many things happening all the time and the risks are so high, that even a relatively insignificant event can have dramatic consequences for an enterprise. This is why it has become more important than ever for the IT administrators to understand the risks and to be able to prioritize which risks are mitigated first.
Below you can find which are the most critical security topics which will make in the near future the lives of IT security professionals a more complicated than ever before.
The year 2013 was also the year of the ransomware. We have seen many methods that this malware used to scare the victims: using children pornography, encrypting files, using P2P networks.
Probably the most famous of all ransomware is the Cryptolocker – a new variant of this type of malware that encrypts various files on user’s computer and demands the owner of the computer to pay the malware authors in order to decrypt the files.
The affected files are documents, images, databases and many others. The CryptoLocker malware files are mostly spreading through fake emails designed to impersonate the look of legitimate businesses and through fake FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground. The cyber criminals pretend to keep the only copy of the decryption key on their server(s), meaning that it is not saved on your computer, so that you can’t decrypt your files without their help – help which costs 300 EUR/USD or 2 Bitcoins. The malware searches for all hard drives, network drives, USB drives and even cloud storage drives and identifies files that it can encrypt. Once the files are encrypted, Cryptolocker contacts the command servers and stores the asymmetric private key used to encrypt the files. It is to be expected that ranswomware will evolve into even more aggressive malware and that pretty much anyone will be able to buy or rent command and control servers for collecting the ransom.
The good news is that Cryptolocker is not a virus (self-replicating malware), it is a trojan which means that it can’t spread uncontrollable in your network. Its purpose is to encrypt files and demand payment for the decryption. Each user has to receive and activate the malware individually.
The bad news is, that it performs its malicious actions silently (encrypts your files) and only afterwards it communicates that it is present on the affected machine.
There are some mitigation techniques:
- Always keep your antivirus software active and up to date.
- Unfortunately, it is not possible to decrypt the files that the malware encrypted. Keep a backup. If you have a real-time backup software (e.g.: Dropbox, etc.) then make sure that you first clean the computer and then restore the unencrypted version of the files.
- Do not open suspicious or unsolicited web links.
- Do not open emails that you didn’t request
- Do not execute attachments from emails, even if the emails come from known persons
One last thing which I keep repeating: Never, ever pay the ransom. You would be just encouraging other criminals to go this way.
Exploiting unpatched security vulnerabilities in software
When Adobe lost source code and millions of user credentials in the recent breach, they also lost their major advantage in delaying or not patching applications: obscurity. Now, the cybercriminals are in possession of source code which they can analyze in details and they can find vulnerabilities which can be exploited. Until Adobe figures out what to patch first, many innocent users would have already been affected.
Nobody can foresee what the exact consequences will be, but my advice is to invest more in patching applications (especially those of Adobe) and in hardening the operating systems.
One other learning from this story was the fact that many users use simple passwords like 123456 and alike.
Other applications that are continuously in the news because they have known and security vulnerabilities are:
- Web browsers (Microsoft Internet Explorer, Google Chrome, Apple Safari, Mozilla Firefox and others).
- Plug-ins for browsers (Adobe Flash Player, Oracle Java, Microsoft Silverlight).
- Adobe Reader and Adobe Acrobat
- and, last but definitely not least:
- The Windows operating system itself
Speaking of Windows, Microsoft has also a similar problem since Windows XP will be no longer maintained starting with April 8th 2014. This means that there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. From this date on, cybercriminals will do a very thorough analysis of the OS with the purpose of finding previously unknown vulnerabilities. Since Microsoft is no longer going to patch the OS, this is the equivalent of freely handing the XP users to the cybercriminals. If you didn’t migrate from XP already, you should hurry up. However, many security vendors have announced already that they will maintain their products on Windows XP beyond the end of life of the operating system.
If you find patching too troublesome and a waste of time, then you should get a program that does the patching for you. In this article are some more explanations about patching and possible solutions that will make your life easier.
Hacks, Disclosure, Storage and Encryption
You may wonder what these concepts have together and what all of them have to do with encryption.
Last was the year of the major security breaches, hacks and disclosures. In these hacks millions credentials from notorious websites like Adobe, Google, Twitter, Adobe and many others were stolen. Many of the passwords that were stolen were stored in the databases or files in plain text. When the passwords were published, we have seen that many people use incredibly easy to guess passwords. Immediately after these hacks were disclosed, we have started to see a lot of targeted attacks against the users of these companies that did not encrypt the stored passwords nor did they store a hash (with salt) of the passwords (they kept them in plain text).
However, the biggest disclosure can be considered the NSA surveillance affair. The disclosure of the NSA global surveillance program has driven many people quite mad. As a follow-up of this disclosure, institutions ranging from companies to governments have started to consider and some even switched to encryption. The most notorious such actions were those of Google, Yahoo, Facebook which were sharing data between their networks unencrypted until the disclosure. In Germany, for example, the biggest email providers have engaged in a process of encrypting email communication between clients and server and between their servers. Google was doing the same about three years ago. We can only applaud these initiatives, of course.
One thing that still needs to be changed is cloud storage. So far, nobody started to talk about this issue seriously. I expect this to change any time soon. All companies that provide storage in the cloud say that they encrypt the data on storage, but everything with the same key, owned by the company. The argument these companies use are varying, but basically they do it for the only purpose that they want to be able to index the files. If the hash of a file that is being prepared for upload is identified in the existing storage, the file will no longer be uploaded again, it will be only referenced. This is reminiscence from the times when people were uploading binary files. These days I don’t think that there are many people still doing that. Most people upload documents, pictures, small videos, sometimes music files.
Thinking about the surveillance program, who can guarantee the consumer that his private files are remaining private? The company owning the storage has the private key used to encrypt the files, not the user, the owner of the data. If a governmental agency comes with a court order to get access to the files, the secret is gone. The ultimate security would be to encrypt the files with a key that only the user owns or has access to it. But then again, do we really expect that the regular computer user knows how to deal with a PKI system?
Enterprises are confronted with the same problem of keeping files and emails encrypted on a persistent storage. However, even on an enterprise level, the challenge is on a smaller scale than in a public storage service.
One thing is clear: people started to want more privacy. They want privacy when surfing, when sending and receiving emails, when doing VOIP calls, when they upload the files to a safe storage.
The Internet privacy has been proven to be broken, and it is just a matter of time until people will demand to have this right back. And the solution is only one: encryption everywhere.
© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie http://de.itsecuritynews.info für IT Sicherheits News auf Deutsch