
With the rise in dependence on technology and the internet, cybercrime is also on the rise. To meet the demand, there is a growing trend of underground marketplaces that make malicious hacking a point-and-click exercise. You read correctly: you can now pay for a service to help you commit crime, and a new report describes two more sites that were discovered by security researchers.

Cybercrime-as-a-service platforms

The first is Ovidiy Stealer, found by Proofpoint, which steals passwords and is marketed on a Russian-language website for around $7. It is regularly updated and sales appear to be growing quickly.


The Ovidiy Stealer malware currently has several versions in the wild, targeting people around the world. It is believed that the malware is currently being spread via email as executable attachments, compressed executable attachments, and links to an executable download. It is also likely spread via file hosting / cracking / keygen sites, where it poses as other software or tools.

Since the report was published, the content of the sales site has been removed; the site itself, however, appears to still be online. Below is a list of some of the observed filenames that disguise the malware:

Ovidiy Stealer is written in .NET and most samples are packed with either .NET Reactor or Confuser. Once executed, the malware runs from the directory it was dropped in and carries out its tasks from there. Somewhat surprisingly, it has no persistence mechanism, so it stops running on reboot, although the file remains on the victim machine.

Ovidiy Stealer is modular and contains functionality to target multiple applications, primarily browsers, listed below.

The second is Hacksh*t, discovered by Netskope Threat Research Labs: a Phishing-as-a-Service (PhaaS) platform that offers a low-cost, "automated solution for the beginner scammers."


This platform offers free trial accounts to test their hacking tutorials and tricks to make easy money. "The marketplace is a portal that offers services to purchase and sell for carrying out the phishing attacks," Netskope researcher Ashwin Vamshi says.

The Hacksh*t website had a video demonstration appealing to users to learn hacking, meet hackers online and make money. It lets would-be hackers (subscribers) generate their own phishing pages for several services, including Yahoo, Facebook, and Google's Gmail. "The attacker then generates a phished page from the page/generator link and logs into the email account of the compromised victim, views all the contacts and sends an email embedded with the phished link."

According to Proofpoint, "Like many other markets with many choices, the malware market is competitive and developers must market the strengths and benefits of their products in order to attract buyers. To help drive sales, the development team includes statistics on the progress of certain modules, and other plans for future releases of the malware.  In addition, the site includes “testimonials" from satisfied customers, presumably to demonstrate to other would-be criminals that they can be profitable when using Ovidiy Stealer."

Below is a screen capture of the reviews and development progress of Ovidiy Stealer. The user ACE's comments translate to English as: "I only need the stealer for burglary on order. I explain what it is: I accept an order for the hijacking of a certain person's account. After I work with him and install the stealer. That's all, for one order I get 300-500 rubles. Without this project it would be impossible! Thank you!"

It is inevitable that more of these crime-as-a-service offerings will surface. The internet connects people worldwide, and that certainly comes with its challenges. This is a significant risk for businesses, because they are frequent targets of malware and phishing attacks.

This is why it is important to implement corporate policies and security services to protect company data. Backup and disaster recovery is also a major component, and in many instances a requirement for getting back to business after an infection.

Of course proactive measures are the first line of defense. Therefore, it is critical for companies to hire knowledgeable IT providers and staff to ensure their data is protected. QWERTY Concepts includes essential security services, such as anti-virus, anti-malware, inbound and outbound email security, backup & disaster recovery, and network security with web content filtering as part of its monthly managed services offering. Schedule a free technology assessment today!

In yet another phishing email hoax, the New York State DMV is now cautioning consumers against an email "phishing" campaign. This phishing attempt sends a notice to email users stating they must pay a ticket within 48 hours or their license will be revoked. While the notice is made to appear as if it comes from DMV, it is a hoax.

Though the recent press release is from the New York State Department of Motor Vehicles, campaigns targeting other states may soon be phishing for personal information as well. The NY DMV advises that the "Email falsely claims to be from New York State DMV" and urges recipients to "not click on links".

The phishing email hoax targets New York drivers, stating they have 48 hours to pay a fine or have their driver's license revoked. The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link. Once clicked, it will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.

Olenick went into more detail, stating: "The malware being dropped came in two categories. The first simply placed a tracking tool on the victim's computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information."

What to look for

There are several red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, tied to the fact that the state would never make such a request. The hoax email lists a reference number and then reads something like this:

“The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.

Recommended Action

We suggest you send your employees, co-workers, friends, and family an email about this scam, feel free to copy/paste/edit:

"Here is a reminder that you need to be alert for fake emails that look like they come from your local police or State Dept of Motor Vehicles (DMV) claiming you have a traffic violation. At the moment, there is a local scam in New York that falsely states you have outstanding violations you need to either pay for or refute, and if you don't your license will be revoked. This scam may spread to the rest of America soon. Remember that citations are never emailed with links in them, or sent out with an email attachment, and report scams like this to your local police department."

Obviously, an end user trained to spot red flags like these would have thought before clicking. Additionally, email security solutions will likely trap these types of emails before they reach the mailbox.
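The first red flag above, links that do not lead to an ny.gov address, is something a mail gateway or a help-desk triage script can check mechanically. The following is an added example, not code from the DMV, the original post or any vendor: it pulls every link out of an HTML message and reports the ones whose host is not actually under ny.gov, including look-alike hosts that merely contain "ny.gov" and links whose visible text shows a DMV address while the href points elsewhere. The sample message is constructed for illustration and is not a real DMV notice.

```python
"""Flag links in a suspected DMV phishing email that do not go to ny.gov.
Added example; the sample message and official-suffix list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the state actually uses end in this suffix (the press release's own red flag).
OFFICIAL_SUFFIXES = ("ny.gov",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_official_host(host, suffixes=OFFICIAL_SUFFIXES):
    """True only when host is the suffix itself or a real subdomain of it.
    A plain substring test would accept 'ny.gov.pay-tickets.example'."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def suspicious_links(html):
    """Return [(href, reason)] for links a genuine DMV notice would never contain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: and the like are out of scope here
        host = url.hostname
        if is_official_host(host):
            continue
        if any(s in (host or "") for s in OFFICIAL_SUFFIXES):
            reason = "look-alike host: contains ny.gov but is not under it"
        elif text and is_official_host(urlparse(text if "://" in text else "//" + text).hostname):
            reason = "display text shows an ny.gov address but the link goes elsewhere"
        else:
            reason = "payment link outside ny.gov"
        findings.append((href, reason))
    return findings


# Constructed sample resembling the notice described above (not a real DMV message).
SAMPLE_EMAIL = """
<p>You have 48 hours to pay your ticket or your license will be revoked.</p>
<p><a href="https://dmv.ny.gov/">New York State DMV</a></p>
<p><a href="http://ny.gov.pay-tickets.example/pay">Pay your ticket now</a></p>
<p><a href="http://198.51.100.7/pay">https://dmv.ny.gov/pay</a></p>
<p><a href="mailto:help@example.com">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The suffix comparison is the part worth copying: checking that a host ends in ".ny.gov" (or equals "ny.gov") is what distinguishes the real dmv.ny.gov from a registered look-alike such as ny.gov.pay-tickets.example, which a naive "contains ny.gov" test would wave through.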

We strongly suggest you get a quote for email security services for your organization - you'd be surprised how affordable they are. Contact us for a quote, today!

Reference: https://dmv.ny.gov/press-release/press-release-06-01-2017

The credentials leaked by an alleged hacker online were likely stolen from other services, the company said


Hackers claim to have stolen a database of almost 7 million Dropbox log-in credentials, but the company says its service was not hacked and that unrelated websites are the data source.

The first data dump appeared Monday in an anonymous post on Pastebin.com and contained 400 username and password pairs. The author said that it's only the "first teaser" of 6,937,081 hacked Dropbox accounts and asked for community support in the form of Bitcoin donations. The user also claimed to have access to photos, videos and other files from the compromised accounts.

"As more BTC [Bitcoin currency] is donated, more pastebin pastes will appear," the post says.

At least five additional "teaser" posts appeared Monday and Tuesday on Pastebin, containing between 100 and 900 credentials each.

"Recent news articles claiming that Dropbox was hacked aren't true," Anton Mityagin, a Dropbox security engineer said Monday in a blog post. "Your stuff is safe."

According to Mityagin, the usernames and passwords posted were likely stolen from other services, but since the reuse of credentials for different online accounts is common among users, attackers tried to use them on different sites, including Dropbox.

"We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens," he said.

In an update Tuesday to the blog post, Mityagin added that credentials on a new list that was leaked were checked and are not associated with Dropbox accounts.
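Two pieces of what Mityagin describes can be shown concretely: checking a leaked username/password list against your own accounts without ever holding plaintext passwords, and spotting the login pattern that credential reuse produces (one source failing against many different accounts). The code below is an added example, not Dropbox's code; it uses PBKDF2 from the standard library for the password store (a memory-hard scheme such as Argon2 or bcrypt would be the usual production choice), and the accounts, leaked pairs and login events are all constructed.

```python
"""Verify a leaked credential list against a salted password store and flag
credential-stuffing sources. Added example; all data below is constructed."""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; raise it for production hardware


def hash_password(password, salt=None):
    """Return (salt, digest). Every account gets its own random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def accounts_needing_reset(leaked_pairs, store):
    """Usernames whose current password appears in the leaked list. Only these
    accounts are exposed by the dump; pairs that do not verify came from
    somewhere else and are noise as far as this service is concerned."""
    hits = []
    for username, password in leaked_pairs:
        record = store.get(username.lower())
        if record and verify_password(password, record["salt"], record["hash"]):
            hits.append(username.lower())
    return hits


def stuffing_sources(events, min_accounts=5):
    """events: iterable of (source_ip, username, succeeded). One source failing
    against many *distinct* accounts is the stuffing signature; a user mistyping
    their own password several times is not."""
    failed = defaultdict(set)
    for ip, username, ok in events:
        if not ok:
            failed[ip].add(username.lower())
    return {ip: len(users) for ip, users in failed.items() if len(users) >= min_accounts}


def build_store(plain_accounts):
    """Constructed account store {username: {salt, hash}} from plaintext pairs."""
    store = {}
    for username, password in plain_accounts:
        salt, digest = hash_password(password)
        store[username.lower()] = {"salt": salt, "hash": digest}
    return store


# --- constructed data --------------------------------------------------------
STORE = build_store([("alice", "Winter2014!"), ("bob", "correct horse"), ("carol", "hunter2")])
LEAKED = [("alice", "Winter2014!"),  # reused password: real exposure, force a reset
          ("bob", "letmein"),         # does not verify: came from another site
          ("dave", "anything")]       # not a customer at all
EVENTS = [("203.0.113.9", u, False) for u in ("alice", "bob", "carol", "dave", "erin", "frank")] + \
         [("198.51.100.4", "bob", False), ("198.51.100.4", "bob", False), ("198.51.100.4", "bob", True)]

if __name__ == "__main__":
    print("force reset:", accounts_needing_reset(LEAKED, STORE))
    print("stuffing sources:", stuffing_sources(EVENTS))
```

Running the leaked list through accounts_needing_reset() is the check that lets a provider say "these credentials are not associated with our accounts" while resetting only the handful that do match; stuffing_sources() is the detection side, and the distinct-account count is what separates an attacker replaying a dump from a legitimate user who forgot a password.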

The incident is somewhat similar to the dumping of 5 million Gmail addresses and passwords online in September. Many initially assumed those credentials were for Google accounts, but it turned out that they likely originated from other services where people used their Gmail addresses as usernames. Google concluded that less than 2 percent of the leaked credentials might have worked to log into Google accounts.

Mityagin encouraged Dropbox users not to reuse passwords across different services and to enable two-step verification for their Dropbox accounts.

"This was either a novel attempt at scaring people into setting up two factor authentication on accounts which allowed it, or a quick and dirty grab for Bitcoins," said Chris Boyd, a malware intelligence analyst at security firm Malwarebytes, via email. "Given Dropbox's claim there's been no compromise and all of the 'sample' accounts were already expired, it's looking more like the latter."

"Anyone can post extravagant claims to Pastebin and while there's no harm in changing a password once word of a potential breach gets out, we shouldn't panic and wait until more concrete information comes to light," Boyd said.

Using separate passwords for different online accounts might sound inconvenient, but it's easy to do with a password management application, as long as it's used securely.


Internet Explorer

The seemingly endless stream of Internet Explorer security flaws continues. Is there an end in sight?

Microsoft today released its September Patch Tuesday update, with Internet Explorer topping the list of vulnerabilities.

This month, Microsoft is patching 37 vulnerabilities in IE, of which 36 were reported privately and one was publicly disclosed. Ross Barrett, senior manager of security engineering at Rapid7, told eWEEK that the September IE patch addresses one publicly disclosed issue identified as CVE-2014-7331, which is under limited active attack.

"An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried," a Microsoft security advisory states. "This vulnerability could allow an attacker to detect anti-malware applications in use on a target and use the information to avoid detection."

The CVE-2014-7331 issue is also particularly noteworthy because it is a different type of vulnerability than the other 36 that Microsoft is patching in IE this month, which are memory corruption issues. "Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory," Microsoft stated in its advisory. "These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

Craig Young, security researcher for Tripwire, told eWEEK that the CVE-2014-7331 vulnerability is also noteworthy in how it actually exploits a system.

"Unlike most IE information disclosures which are used to bypass ASLR [Address Space Layout Randomization] through memory address disclosure, this vulnerability utilizes a special URL scheme which allowed crafted Websites to determine if specific libraries are available," Young explained.

Young added that the presence or lack of a particular library is used to infer details about the target system's configuration, such as which security tools are installed.

"Armed with this information, the exploit kits can more carefully select which, if any, payload can be used without triggering endpoint protection," he said.

The September patch haul for IE overall is higher than it was for the August patch update, when 26 vulnerabilities were patched. As is the case this month, the bulk of the vulnerabilities were memory-related issues. Whether or not Microsoft can ever completely plug memory-related flaws in IE is a question that is difficult to answer.

"It sure doesn't seem like an end is in sight, does it? I've heard no indication that it is," Barrett said. "I think in practical terms, this has to trail off sometime, when most of the code base has been overhauled and all the use-after-free type issues have been addressed. However, I don't know when that will be."

While memory corruption issues are likely to remain a concern for some time, Microsoft is taking proactive steps to improve IE security overall. With the August Patch Tuesday update, Microsoft first introduced the capability in IE to block out-of-date ActiveX plug-ins in the browser. At the time, Microsoft said that the blocking feature would not become active for 30 days. Those 30 days are now up, and ActiveX blocking is part of the IE update.

"Applying strict controls around the use of out-of-date software is virtually a surefire way to increase the security of any system," Young said.

Young noted that one of the things that makes Google's Chrome browser robust from a security perspective is Google's attitude toward out-of-date plug-ins and browsers. Chrome has taken steps for a while to prevent users from activating out-of-date Java or Flash components.

"While these types of changes are not the enterprise-friendly policies we tend to see from Microsoft, it is a wise move in the right direction and certainly raises the bar for IE security," Young said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Electronic medical records help healthcare organizations improve patient care, but lack of standardization could cause safety and security problems.

The foundation hospitals built when they overwhelmingly adopted electronic medical records is trembling under the weight of concerns over security and lack of standardization.

Healthcare organizations already see plenty of benefits from EMRs. The Internet is full of success stories detailing how hospitals save and improve lives, reduce costs, and enhance research capabilities through new access to real-time data. Many EMR applications are high-quality tools that take users' needs and wishes into account and evolve to meet mandates and clinicians' changing requirements.

Yet healthcare sometimes seems to operate in a vacuum. It appears determined to repeat the steps already taken by industries such as finance instead of skipping the proprietary, isolationist years and leaping straight into the era of standards, collaboration, and data sharing. The government is starting to shake an interoperability stick, but the industry should act on its own initiative to let disparate systems work together, and not only to cut implementation costs for providers. Standardizing will also improve patient safety, care, and outcomes, experts say, and with them reduce care costs and strengthen data security, by giving healthcare staff enforceable guidelines and restricting access by unauthorized users.

At least one report suggests these predictions are on track. Concerned that increased use of EMRs coincided with an uptick in "patient safety events," the Division of Laboratory Programs, Standards and Services in the Center for Surveillance, Epidemiology and Laboratory Services, within the Centers for Disease Control and Prevention (CDC), studied errors in labs based on electronic health record (EHR) data. In some cases, labs used outdated software that didn't support current coding, an issue that might grow when ICD-10 finally arrives.

Different facilities also use dissimilar codes for the same tests, creating confusion -- especially among staff members who move among different hospitals and clinics, according to a CDC report. In one case, the report cited, a woman required a hysterectomy after an EMR moved her abnormal test results to the bottom of the screen instead of placing the most recent results at the top. In another, a male patient received a double dose of a blood thinner due to an EMR error.

Other areas of concern: inadequate data transfer from one EHR to another, data entry in the wrong patient record, incorrect data entry, failure of the system to function correctly, and incorrect configuration, patient safety organization ECRI Institute wrote in a separate report.

"Recognizing that such errors can occur without health IT systems, there is cause for concern as an occasional error in a health IT can be replicated very quickly across a large number of patients," the CDC's report said. "Combining documented patient safety events with the anecdotal evidence shared by individual laboratory professionals across the US presents enough concern to warrant further investigation and mitigation."

The lack of EMR standards creates a greater security burden on healthcare organizations and professionals. The stakes are incredibly high, not only because of the number of patients who could be affected by a single breach, but also because of the sensitive nature of the data stored in EMRs and the potential damage to an organization's reputation.

"We're in an historic time within healthcare. The impact from a healthcare perspective has the same impact as, say, a retail breach, but you're talking about personal health information, things that should be very private," said Ken Bradberry, CTO and vice president at Xerox Healthcare Provider Solutions, in an interview. "We're talking about strategies in healthcare that haven't evolved at the rate they should have. Security has to evolve and align with where we're at with the delivery of electronic health records and the delivery of services in general. The detection and [prevention] of security breaches [and] threats has to be of paramount importance to healthcare providers."

Now that more than 93% of hospitals use at least one EMR, government agencies, researchers, and pundits point to worrisome trends that could -- left unfixed -- jeopardize patients' faith in providers, payers, and the overall system. The drive among providers to forge partnerships and integrate EMRs between smaller practices, hospitals, accountable care organizations (ACOs), health information exchanges (HIEs), and other members of the healthcare ecosystem creates additional links in the chain -- and more potential points of breach, loss, or theft.

"The government is pushing for EHRs, but no one is overseeing the security and privacy of the records," said Karl Volkman, chief technology officer at Microsoft Gold Certified partner SRV Network. "Instead, it's left up to the individual organizations, which may allow medical personnel to alter records incorrectly with little oversight -- or the entire system may not have the capacity to protect from fraudulent encounters. Instead of rewarding and punishing those who have or have not switched to EHRs, the government should consider instilling standards to identify inappropriate use of the records, fraud, and breaches."


Implementation issues with AVG Secure Search, a browser toolbar from antivirus vendor AVG Technologies that's supposed to protect users from malicious websites, could have allowed remote attackers to execute malicious code on computers.

The toolbar, also known as AVG SafeGuard, supports Google Chrome, Internet Explorer and Mozilla Firefox running on Windows XP and later, and is often bundled as an optional installation with popular free software programs.

According to researchers from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, versions 18.1.6 and older of AVG Secure Search and AVG SafeGuard install an ActiveX control called ScriptHelperApi in Internet Explorer that exposes sensitive functionality to websites.

"This control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template," said Will Dormann, a vulnerability analyst at CERT/CC, in a security advisory published Monday. "This means that any website can invoke the methods exposed by the ScriptHelper ActiveX control."

Furthermore, upon installation, ScriptHelper is automatically placed on a list of pre-approved ActiveX controls in the system registry, bypassing a security feature first introduced in Internet Explorer 7 that prompts users for confirmation before executing ActiveX controls. It's also excluded from IE's Protected Mode, a security sandbox mechanism, Dormann said.

All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer. The rogue code would be executed with the privileges of the logged-in user, Dormann said.
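The two registry conditions CERT/CC describes, a control placed on Internet Explorer's pre-approved list and a control excluded from Protected Mode, are both auditable on any Windows machine, and the same audit will catch the next bundled toolbar that takes the same shortcut. The script below is an added example and is not CERT/CC's or AVG's code. The registry paths are the documented locations of IE's pre-approved control list and its Low Rights elevation policy; the Policy value 3 is the setting that lets a control run at medium integrity without prompting. The audit() function works on plain dictionaries so it runs anywhere and can be tested; collect_from_registry() reads the live keys and only works on Windows. The CLSIDs and paths in the sample are placeholders, not AVG's real identifiers.

```python
"""Audit ActiveX controls that Internet Explorer will run without its normal
safeguards: pre-approved (no first-run prompt) or excluded from Protected Mode.
Added example; the sample data is constructed."""
import sys

PREAPPROVED_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved"
ELEVATION_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
# ElevationPolicy 'Policy' values: 0 = do not run, 1 = run at low integrity (inside
# Protected Mode), 2 = prompt then run at medium, 3 = run at medium silently.
SILENT_OUTSIDE_PROTECTED_MODE = 3


def audit(controls, trusted_dirs=("c:\\windows\\system32\\",)):
    """controls: [{clsid, path, preapproved, policy}] -> [(clsid, path, [reasons])].
    Windows' own controls in trusted_dirs are not reported for pre-approval alone;
    any third-party control that is pre-approved or escapes Protected Mode is."""
    trusted = tuple(d.lower() for d in trusted_dirs)
    findings = []
    for c in controls:
        path = (c.get("path") or "").lower()
        reasons = []
        if c.get("preapproved") and not path.startswith(trusted):
            reasons.append("pre-approved: third-party control runs without IE's first-run prompt")
        if c.get("policy") == SILENT_OUTSIDE_PROTECTED_MODE:
            reasons.append("ElevationPolicy=3: runs outside Protected Mode without prompting")
        if reasons:
            findings.append((c["clsid"], c.get("path") or "", reasons))
    return findings


def collect_from_registry():
    """Windows only: merge PreApproved CLSIDs with ElevationPolicy entries."""
    import winreg  # imported here so audit() stays usable on other platforms

    def subkeys(root, path):
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    try:
                        yield winreg.EnumKey(key, index)
                    except OSError:
                        return
                    index += 1
        except OSError:
            return

    def value(root, path, name=""):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    def server_path(clsid):
        return value(winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InprocServer32") or ""

    controls = {}
    for clsid in subkeys(winreg.HKEY_LOCAL_MACHINE, PREAPPROVED_KEY):
        controls[clsid.lower()] = {"clsid": clsid, "path": server_path(clsid),
                                   "preapproved": True, "policy": None}
    for entry in subkeys(winreg.HKEY_LOCAL_MACHINE, ELEVATION_KEY):
        sub = ELEVATION_KEY + "\\" + entry
        clsid = value(winreg.HKEY_LOCAL_MACHINE, sub, "CLSID")
        if clsid is None:
            continue  # AppName/AppPath entries describe broker executables, not controls
        rec = controls.setdefault(clsid.lower(), {"clsid": clsid, "path": server_path(clsid),
                                                   "preapproved": False, "policy": None})
        rec["policy"] = value(winreg.HKEY_LOCAL_MACHINE, sub, "Policy")
    return list(controls.values())


# Constructed sample in the shape collect_from_registry() returns; CLSIDs are placeholders.
SAMPLE = [
    {"clsid": "{00000000-0000-0000-0000-000000000001}", "path": "C:\\Windows\\System32\\example.dll",
     "preapproved": True, "policy": None},
    {"clsid": "{00000000-0000-0000-0000-000000000002}",
     "path": "C:\\Program Files\\Vendor\\Toolbar\\ScriptHelper.dll", "preapproved": True, "policy": 3},
    {"clsid": "{00000000-0000-0000-0000-000000000003}", "path": "C:\\Program Files\\Other\\ctl.dll",
     "preapproved": False, "policy": 1},
]

if __name__ == "__main__":
    data = collect_from_registry() if sys.platform == "win32" else SAMPLE
    for clsid, path, reasons in audit(data):
        print(clsid, path)
        for r in reasons:
            print("   -", r)
```

A control that appears with both reasons, as the second sample entry does, is in exactly the position the advisory describes: any site can instantiate it without a prompt, and it runs outside the sandbox that would otherwise contain what it does.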

AVG fixed the security issue in AVG Secure Search 18.1.7.598 and AVG Safeguard 18.1.7.644 released in May. It's not clear if the toolbar updates itself, so users should make sure that they download and install the latest version if they intend to keep using it.

AVG did not immediately respond to a request for comment.

According to Dormann, this AVG Secure Search flaw is the perfect example of how third-party programs bundled with free software -- commonly known as adware, bloatware or foistware among users -- can increase the security risks for Internet users.

"Free software isn't always free," Dormann warned in a blog post in which he described how his attempt to download and install a popular video player through Download.com resulted in four third-party programs being offered during and after the installation process, leaving him with a "nearly unstable" operating system.

"If you must use a service known for bundling adware into their installers, pay careful attention to the installation steps to make sure to opt out of any additional software choices provided," Dormann said. "Even installing applications such as Oracle Java or Adobe Flash may result in unwanted software, such as browser toolbars, if you are not careful."

One of the strategies to stay safe on the Internet involves minimizing the computer's attack surface by restricting the number of installed applications that could be targeted, Dormann said. "More software is not the solution, it's the problem."


Yet another critical security flaw has been found in Adobe's notoriously sieve-like Flash plug-in, this time by Google engineer Michele Spagnuolo. His exploit tool, called "Rosetta Flash", is just a proof of concept, but the technique could allow attackers to steal your cookies and other data using malicious Flash .SWF files. The underlying weakness was well known in the security community, but had been left unfixed until now because nobody had shown a way to harness it for evil.

So how does this affect you? Many companies, including Twitter, Microsoft, Google and Instagram, have already patched their sites, but beware of others that may still be vulnerable. Adobe now has a fix. If you use Chrome or Internet Explorer 10 or 11, your browser should soon update automatically to the latest version of Flash, 14.0.0.145 (check the version you have installed). If you use a browser like Firefox, you may want to grab the latest Flash version from Adobe directly (watch out for unwanted add-ons with pre-checked boxes). Finally, if you use apps like TweetDeck or Pandora, you'll need to update Adobe AIR; that should happen automatically, and the latest version is 14.0.0.137 for Windows, Mac and Android.
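The item above says sites patched, but not what the patch looks like. Rosetta Flash works against JSONP endpoints: the server echoes a caller-chosen callback name at the very start of the response, and Spagnuolo showed a callback made only of letters and digits that turns the whole reply into a valid SWF, which Flash then treats as served from the victim's origin. The server-side fix he published is to stop attacker-controlled bytes from ever appearing at offset 0 (prefix the body with a comment) and to tell the client not to treat the reply as something to load (Content-Disposition: attachment). The code below is an added example, not Adobe's, Google's or any of the named sites' code; it is framework-free, so the "response" is just a tuple, and the stand-in callback is a constructed string that merely starts with a SWF signature, not a real Rosetta payload.

```python
"""Hardening a JSONP endpoint against Rosetta Flash. Added example; the naive
handler is shown only to contrast with the fixed one, and the data is constructed."""
import json
import re

# A plain JavaScript identifier, optionally dotted. Anything else is refused.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$", re.ASCII)
MAX_CALLBACK_LEN = 64


class BadCallback(ValueError):
    pass


def naive_jsonp(callback, payload):
    """The vulnerable shape: the caller's callback name lands at byte 0 of the body,
    so a carefully chosen alphanumeric callback can make the body parse as a SWF."""
    return callback + "(" + json.dumps(payload) + ");"


def jsonp_response(callback, payload):
    """Return (status, headers, body) for a JSONP reply that cannot double as a SWF."""
    if callback is None or len(callback) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(callback):
        raise BadCallback("callback must be a plain JavaScript identifier")
    # The leading comment guarantees the first bytes are ours, not the caller's:
    # a SWF header ('FWS', 'CWS' or 'ZWS') can no longer appear at offset 0.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Flash will not load a response marked as an attachment as a SWF.
        "Content-Disposition": "attachment; filename=f.txt",
        # Stops browsers from guessing a different type for the response.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


def looks_like_swf(body):
    """SWF files begin with one of these three signatures."""
    return body[:3] in ("FWS", "CWS", "ZWS")


# Constructed stand-in: it is a valid identifier and starts with a SWF signature,
# which is all the check needs; a real Rosetta Flash payload is far longer.
ROSETTA_LIKE = "CWSAlphanumericStandIn"

if __name__ == "__main__":
    print("naive body is SWF-shaped:", looks_like_swf(naive_jsonp(ROSETTA_LIKE, {"ok": True})))
    status, headers, body = jsonp_response(ROSETTA_LIKE, {"ok": True})
    print("hardened body is SWF-shaped:", looks_like_swf(body))
    print(body)
```

Note that the identifier check alone is not the fix: the Rosetta payload is itself a valid identifier and passes it. The comment prefix is what defeats the attack, and the attachment and nosniff headers are defence in depth for clients that would otherwise sniff the content type.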

Via: Krebs on Security

Source: Michele Spagnuolo, Adobe

An effective BYOD plan must balance control with convenience. Here's what to keep in mind.

Managers often believe a bring-your-own-device (BYOD) strategy is a silver bullet to solving mobile communication problems within their organization. Thoughts of "I don't need to purchase hardware for employees" or "Workers are more productive with their own device" can mask the challenges that often accompany BYOD programs. Today's business environment is becoming a target for data breaches and various security risks, so organizations cannot afford to overlook security when developing a BYOD strategy.

However, there's a fine balance when implementing BYOD security regulations -- you don't want to be so overzealous about security that employees' work is hindered. Done right, BYOD can reduce technology expenses while increasing end users' productivity and improving office morale. An optimal enterprise mobility strategy provides comprehensive device security without impeding employees' pace of work.

For example, many companies have traditionally forced users to connect to a VPN before accessing company resources. On mobile devices, that process is a real pain. It's also impractical: since most users switch between work and personal tasks, it actually discourages them from staying connected and productive. Companies can instead deploy per-app VPNs and micro VPNs, which connect specific apps to the corporate network without requiring users to make that connection manually. Companies can also distribute secure browsers that let users follow internal links to intranet sites or web application servers without manually launching and connecting a VPN.

Without a well-designed and unified device management strategy in place, companies risk exposing their most sensitive data to outside sources -- and even competitors -- while stunting employee innovation. Here are three ways to create a plan that maximizes the benefits of BYOD while mitigating the threats.

1. Be transparent with employees.
Attempting to hide unflattering aspects of a BYOD plan can backfire if employees discover them. Being truthful about employee privacy rights and enterprise mobility management (EMM) components fosters trust between decision makers and their staff. We see this often with companies we work with: they explain that the technology is designed to protect and secure, but that it may collect employees' personal location information and a list of personal apps. Be clear that you're not trying to play Big Brother, and that privacy filters are in place to restrict access to most personally identifiable information (PII).

Building BYOD trust works both ways. CIOs and company leaders should feel confident that their employees are responsibly embracing the freedom of enterprise mobility -- and if at any point the leadership team feels that workers are not handling company data securely, they have the option to implement stricter BYOD controls.

Copyright © 2024 QWERTY CONCEPTS, Inc   |   All Rights Reserved   |   Sitemap   |   Managed IT services provider for New Jersey and New York City businesses