Even Disney Can Get Hit By Ransomware

It’s been a bad week for the corporate world.

Things started off with a bang thanks to the “WannaCry” ransomware attack that targeted more than 200,000 company locations in more than 150 countries. Among other things, it brought the UK’s NHS to a complete standstill and idled auto factories in France, but hospitals and manufacturing facilities weren’t the only targets. Put Disney on the list as well.

Yes, not even entertainment companies are immune to hacking, although it should be stressed that in Disney’s case, the hackers didn’t rely on the “WannaCry” malware, but on more conventional means.

Their purpose?

To grab a copy of the fifth installment of Disney’s Pirates of the Caribbean movie, and threaten to release it online unless their demands were met.

This isn’t the first time an entertainment company has seen one of their prime properties held captive. Not long ago, Netflix suffered a similar attack when an entire season of the hit show “Orange is the New Black” was stolen.

The recent wave of attacks brings up an interesting philosophical question. Should you give in to the hackers’ demands and pay the ransom?

Ultimately, the answer to that question is going to be different for each person or company. In some cases, it’s just easier and more convenient to thumb your nose at the hackers and take the plunge, restoring your files from the most recent backup you have, but other cases aren’t quite so clear-cut.

Depending on the computer that’s been infected, you might lose critical, up-to-the-minute data that simply can’t be recovered, which may make you lean toward paying.

Of course, paying the ransom itself carries risks, because there’s no guarantee that they won’t take your money and simply not hand over the key. Unfortunately, by the time it gets to the point where you have to make that decision, it’s too late to make a good one. As ever, the answer lies in prevention. Please call us to find out how we can help you prevent these terrible threats from affecting you, and give you a proper plan for continuity in the event a threat gets through.

Used with permission from Article Aggregator

E-Signature Company DocuSign Gets Hacked

DocuSign, the world’s leader in electronic signatures for official documents, played an unwitting role in a particularly nasty phishing attack.

If you’re not familiar with the company, DocuSign is used by 12 of the top 15 US insurance companies, 12 of the top 15 US financial services companies and by most real estate agents nationwide.

It is an electronic platform that allows agents to send official documents to their clients for digital signatures, and as such, it’s used for everything from signing loan documents to establishing insurance policies. In short, the documents housed on DocuSign’s servers run the gamut of sensitive information for hundreds of millions of users around the world.

Knowing this, the hackers breached one of the company’s subsystems and managed to get their hands on the company’s email list.

Armed with this list, they copied DocuSign’s branding, logo and layout, and proceeded to send out emails that appeared to legitimately come from the company. But instead of official documents in need of signing, these emails contained poisoned Word documents containing macro-enabled malware.

The company took swift, decisive action when the breach was discovered, and the phishing attack has been derailed, but if you make use of the company’s services, you may have already received a bogus email.

Having completed their detailed forensic investigation, the company assured its users that none of the stored files were accessed. The hackers were only able to gain access to email addresses, which definitely limits the amount of damage that could be done.

Even so, if a user clicks on the poisoned attachment, there’s no way of knowing what sort of malware could be unleashed. All DocuSign users are urged to take extra care when opening emails that appear to be from the company and ensure that anything they click on is a link to a legitimate file that needs to be signed, and not a Word document.

NYU’s Sarah Kaufman talks about the shape of cities to come

On this week’s episode of Technotopia we talk to Sarah Kaufman, the Assistant Director at the Rudin Center for Transportation Policy & Management. Kaufman is working to create new transit opportunities for New Yorkers – and the world – and expects the future to be quite interesting. Her prediction? As we move towards self-driving cars we will see more options for…

What Is Google’s Plan For Google Docs Scam Aftermath?

Phishing attacks are a fact of life on the internet these days, but recently, a Google Doc was used in a widespread, wildly successful attack that security researchers are calling one of the most advanced attacks of its class seen to date.

In fact, the attack was so successful that, in its aftermath, Google is rolling out additional protections to help ensure that the inevitable next attack doesn’t find the same level of success as this one did, which ultimately impacted several million users.

The recent attack combined a generic spam email with an embedded Google Doc to try to trick Gmail users into giving up control of their email account. The company warns that any users who receive an email containing a Google Doc from a source they don’t know and trust should immediately revoke access to the document in their Google Account Settings and change their password, just to be safe.

In addition to making this recommendation, the company has announced that they’ll be rolling out a new security feature in their Android Gmail app that will mirror the action you already see when you surf to an unsafe website using the Chrome web browser. The new warning will read:

“Warning – Phishing (Web Forgery) Suspected
The site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal, or other sensitive information.

You can continue to (URL) at your own risk. If you believe that this site is not actually a phishing site, you can (link)Report An Incorrect Warning(/link)”

It’s a good move, and should make a real difference in terms of limiting the next attack’s impacts. Hopefully, Apple will follow suit and implement a similar system for iPhone users. Note that the company has not released a firm ETA on when the change will be in place, but it should be regarded as “pending.”

Chrome Will Soon Tell Users When Sites Aren’t Using HTTPS

Google is throwing its weight around on behalf of the netizens of the world. Beginning this October, Chrome users will start seeing “Not Secure” warning messages any time they use Incognito Mode and venture onto a website that isn’t using a secure socket layer (SSL). The easiest way to tell the difference? Secure website addresses begin with “HTTPS” while unsecured ones begin with “HTTP.”

This is actually the second time Google has expanded their use of the “Not Secure” message. They began rolling it out last year, but at the time, it only appeared on pages that contained passwords and credit card data fields.

Since the company began displaying the warnings, they’ve reported a 23 percent reduction in unsecured password and credit card pages.

Eventually, the company plans to expand the use of the “Not Secure” message to all pages, period, whether or not the browser is in Incognito Mode, with the ultimate goal being to push webmasters to use SSL everywhere, and that strategy appears to be working. As things stand now, nearly half of all web traffic happens securely. While that’s certainly not a magic bullet, it does make a would-be hacker’s job more difficult, and anything that accomplishes that goal is a step in the right direction.

Google’s focus has been rubbing off on other browser companies too, so it’s creating a virtuous cycle. Recently, Mozilla has also taken similar steps to warn its users about visiting HTTP sites.

Does your business use SSL technology? If it does, is your entire website secure, or just the password and payment pages? If you’re not sure what the answers to those questions are, it would be worth your while to find out, and if you’re not displaying secure pages, it’s a fairly easy change to make.

The Executive Order on Cybersecurity: Can We Finally Get on the Right Path?

The recent WannaCry campaign took over news cycles, hindering an evaluation of Trump’s recent cybersecurity Executive Order (EO) — but I’ll admit, upon closer scrutiny, it’s a good start. This is particularly true if the goal is to kickstart a national cybersecurity strategy from scratch.

As a whole, there are no glaring errors despite some notable omissions, which I will touch on in this post. The EO identifies stakeholders, empowers them, asks for a plan and subsequently holds those stakeholders accountable. It’s much like any reasonable organizational policy. What is interesting, though, is the operational processes the EO demands.

Operationally, each department is asked to submit a security audit upstream — all the way to the President — that details current status, major identified risks and a plan to address them. The stickler here is that each sub-order only provides 90 days or less to submit. Given the respective IT scope of each agency, this could be quite an ambitious goal unless they have already done most of these framework audits — which is entirely possible. Additionally, the President, the Department of Homeland Security and the Office of Management and Budget are all going to receive a metric ton of audit reports to sift through as they attempt to develop Stage Two of the plan — i.e. now that we know what’s broken, let’s figure out a plan for how to fix it and how to pay for it.

At this stage, budgeting will be another huge item. We probably should expect HUGE budget increases, if even just requests, and a large fight over what agency gets what and how much. Again, it’s a good place to start. But we’re jumping the gun. What’s the actual process going to be like, and what will it take to pull off?

  1. The transmission, access and storage of all these audits will be paramount. If the agencies are forthcoming and accurate with their audits, the amount of sensitive data about the current security of their IT environments and major risk areas will be an attractive target for state actors. And successful pilfering of the information could lead to some worst-case scenarios.
  2. The audit function, assessing the current security status of each agency, cannot just be a one-time thing like the order implies. Audits should be scheduled at least annually, or even better — automated. IT environments change often, as does the threat landscape. If the time distance between when the audits are submitted with recommendations and when the budget is approved is too long, priorities could be off.
  3. There is zero purchasing guidance for agencies with regard to sector IT purchases (e.g. hardware, software, and services). One of the strongest levers the federal government has to improve cybersecurity for everyone is their budgetary power. They need to leverage it smartly while maximizing its benefit instead of blind “best-of-breed” purchases that end up wasting resources on trying to operationally secure them. Moreover, as an accountability accompaniment, if agency heads will be accountable for the security of their environments, so too should their IT and IT security vendors who supply products and services. Yes, I’m talking about financial liability for private organizations that sell to the government. For example, there are now a number of security vendors offering warranties that guarantee the effectiveness of their products, and hopefully more will continue to do so.
  4. Finally, the order assumes, dangerously so, that every agency isn’t already hacked. It feels like they think they’re starting with clean environments, which is pretty likely not the case. As agencies conduct the framework audits, they should absolutely look for indications of compromise, as those instances should be triaged and dealt with immediately. It doesn’t make much sense to try and secure a system that is already fundamentally compromised.

Ultimately, the EO on its own is pointing the government and its agencies to a higher level of accountability. This could lead to great success, even possibly affecting private sector companies that deal with government entities. All that’s left to see is if everyone executes on this effectively. We’re certainly rooting for it.

The post The Executive Order on Cybersecurity: Can We Finally Get on the Right Path? appeared first on SentinelOne.

Malware Group Focused On Windows Could Potentially Target Mac Machines

Unless you are intimately familiar with digital security, odds are good that you’ve never heard of Snake, Uroburos or Turla. These are three different aliases used by a single group of sophisticated Russian hackers that have been operating since at least 2007. Security professionals categorically agree that this group is far more organized, and more dangerous, than better-known groups like Fancy Bear and Cozy Bear, two organizations believed to have ties to Russia’s Military Intelligence Service (GRU).

Not only are Snake’s tools more advanced and robust, but the group also tends to focus its attacks on much harder targets, such as military organizations, research and academic institutions, multinational corporations (especially those with government contracts), intelligence agencies, embassies and other well-guarded government institutions.

Traditionally, Snake’s attacks have focused on Windows, and the malware they have designed has been optimized for that platform. However, researchers from Kaspersky Lab found several Linux components in their toolkit, which suggests that the group is expanding their reach to other platforms as well.

Even more disturbing, the Dutch security firm Fox-IT has recently found a macOS variant of the toolkit that appears to be a direct port from the Windows version.

It should be noted that no Mac-oriented malware based on this code has yet been found in the wild, which suggests that this toolkit represents a beta that’s still in testing.

Even if that theory is correct, however, it’s just a matter of time before the group completes its testing and begins making attacks to flex their newfound muscle.

That’s disturbing because high-level executives disproportionately use Macs, and a focused attack against Mac users will almost certainly be launched with them in mind as the primary targets. Even worse, Snake is best known for using Zero-Day exploits to carry out their attacks, which makes them extremely difficult to defend against. Stay vigilant. No one can say with certainty when or where the group will strike next.

Appian prices application software IPO at $12

After a long journey as a private company formed in the dot-com boom of 1999, Virginia-based Appian is finally braving the public markets. Appian announced Wednesday they priced their IPO at $12 per share, raising $75 million for the company. Appian provides app development software for its business and government customers.

Meta SaaS raises $1.5 million from Mark Cuban and others

Meta SaaS is a product that helps you cancel other products. Like Cardlife and Cleanshelf, Meta SaaS looks at all of your software-as-a-service subscriptions and tells you which ones you use and, more important, which ones you don’t. Founded by Arlo Gilbert and Scott Hertel, the product raised $1.5 million in seed from Mark Cuban with participation from Barracuda Networks, Capital…

Red Hat to acquire Codenvy as part of its growing container strategy

Red Hat, which has made its name as the enterprise Linux company, has been making clear in recent years that it sees the cloud and containerization as a significant part of its future. Today, it announced its intent to acquire San Francisco startup Codenvy to continue building on that strategy and give developers access to a cloud-based integrated development environment. The company did…