Using the past to predict the future: identifying vulnerable websites

If you’ve been following New Zealand media over the last week or so, you’d be forgiven for thinking that anyone and everyone was ‘hacking’ systems looking for information that could give them an advantage over their competitors.

The media spotlight on leaked emails and wide open websites has certainly brought a rise in enquiries to NetSafe about data privacy, hacking and security vulnerabilities.

Raising awareness of computer security

NetSafe has worked with the North Harbour Business Association over the last month to deliver a programme of cyber security education based on the Connect Smart Guide for SMEs, a 4 step process that looks at raising awareness of computer security issues amongst small businesses.

It’s always hard to steer clear of technical jargon and acronyms when discussing cyber security but NetSafe does have the advantage of using real life case studies to illustrate ‘bad stuff’ that happens to real New Zealanders and small Kiwi businesses.

Over the last 4 years our ORB website has taken more than 11,000 cyber incident reports from people and businesses across New Zealand with more than $10m in losses recorded from a range of digital challenges.

Common incidents affecting SMEs:

  • Ransomware
  • Intercepted emails
  • Hacked websites
  • Employment scams
  • Spear phishing
  • Insider threats

When it comes to hacked websites, there are plenty of ways to identify threats and vulnerabilities your site may be at risk from. These range from professional security companies offering penetration testing services to reading up on industry standards and guidelines like the OWASP Top 10.

Recent academic research has highlighted the fact that if you use a popular Content Management System or CMS to power your website, you’re more likely to encounter issues:

CMSes simplify configuration by reducing technical barriers, which means that they are often administered by non-experts. This could lead to a greater chance for server misconfiguration.

Second, CMS platforms are a form of software monoculture, exhibiting common vulnerabilities in both the underlying code and the default configurations.

Furthermore, we suspect that a key driving force behind the variation in compromise rates across software types is the software’s market share. When more webservers run a particular type of software, they collectively become a more attractive target for miscreants.

In short, if you’re using a popular system such as WordPress or Joomla to build the bones of your website it pays to keep the CMS patched and protected.

A tool like the Wordfence security plugin can highlight just how many automated attacks your site may face from attackers spread across the net:

Wordfence detects attackers attempting to gain access to your WordPress installation
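To make the idea of automated login attacks concrete, here is an added example (not from the original post, and not Wordfence's own code) that counts repeated login POSTs per source address in a web server access log. It assumes the Apache/nginx combined log format; the threshold, the time window and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # WordPress login endpoints

def flag_login_floods(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: most login POSTs seen inside any `window`} for every
    source IP that reaches `threshold` (both values are assumptions)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and ordinary page views
        path = m["path"].split("?", 1)[0]
        if path.endswith(LOGIN_PATHS):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log():
    # Constructed log lines using documentation IP ranges, not real traffic.
    fmt = '{ip} - - [{ts} +1200] "{req} HTTP/1.1" {st} 512 "-" "-"'
    rows = [("203.0.113.7", f"04/Jun/2014:09:00:{s:02d}", "POST /wp-login.php", 200)
            for s in range(0, 60, 10)]            # 6 attempts in under a minute
    rows += [("198.51.100.20", f"04/Jun/2014:{h:02d}:15:00", "POST /wp-login.php", 302)
             for h in range(8, 13)]               # 5 logins spread over hours
    rows += [("192.0.2.5", "04/Jun/2014:09:01:00", "GET /wp-login.php", 200)]
    return [fmt.format(ip=ip, ts=ts, req=req, st=st) for ip, ts, req, st in rows]

if __name__ == "__main__":
    print(flag_login_floods(sample_log()))
```

Only the address that hammers the login page in a short burst is reported; the hourly logins and the plain page view are ignored.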

Using the past to predict the future

Whilst pen testing and incident management plans can be considered reactive tools to improve security, imagine a world where data mining and software algorithms could identify threats in advance – using the popularity of your website, the number of back links you have earned, the kind of content you publish and the systems you use to highlight risks before a hack takes place.

Automatically Detecting Vulnerable Websites Before They Turn Malicious, a paper by Kyle Soska and Nicolas Christin from Carnegie Mellon University, makes interesting reading when it comes to thinking about software or automated systems that could predict with some accuracy websites at risk from future attack and potentially assist web search engine companies with filtering poisoned search results before end users visit them and run the risk of a drive by download.

Some may say the criteria identified are common sense things that webmasters and IT teams can look for and protect against in advance. For smaller companies though, any assistance with protecting their websites from defacement or data breaches is well worth exploring.

Connect Smart: Don’t wait until it’s too late!

A phone call to NetSafe this morning from a PC user facing the loss of a year’s worth of data serves as a timely reminder that taking a proactive approach to computer security is essential when ransomware gangs and other cybercriminals are actively targeting out of date software or unpatched computers.

The computer owner had actually taken the time to back up important business files, but sadly found the USB backup had also been encrypted with CryptoWall ransomware as it was still attached to the infected machine.

With complex malware being able to ‘jump across’ to back up locations – including cloud based services like Dropbox – the onus is on every computer user to protect themselves online and store several copies of essential data, ideally in separate locations.

Last week, international law enforcement agencies took down the network behind CryptoLocker ransomware but it would appear other malware writers are moving in to grab a share of the market.

Connect Smart Week is coming

Next week marks the start of the new government initiative, Connect Smart. This rebranded Cyber Security Awareness Week for 2014 will highlight ways home internet users and SMEs can protect themselves from phishing attacks and malware infections and will be launched in Wellington.

NetSafe will be promoting the week and my colleague Lee will be speaking at a free to attend cybercrime event in Wellington on 18 June along with other computer security experts.

The Institution of Professional Engineers New Zealand (IPENZ) is hosting the event which starts at 6pm at Queen Margaret College, 53 Hobson Street, Thorndon, Wellington. More information can be found on the IPENZ website.

Protect yourself online: secure all devices

The recent high profile ‘hack’ of some iPhone owners’ iCloud accounts by ‘Oleg Pliss’ is another reminder of how essential it is to apply good computer security practices to all your connected devices.

NetSafe recently published guidance on smartphone security with 12 Tips for Protecting Your Digital Device as evidence is emerging of new variants of ransom malware now being developed for Android smartphones and tablets.

Whilst news media reported yesterday that Russian authorities may have caught the ransom gang behind the Apple ID hack, it’s essential that New Zealanders use Connect Smart Week as an opportunity to review their online safety and security.

Teach a man to phish and…

Tax-refund Ray – watch out for unexpected phishing emails around tax time suggesting a large cheque can be claimed from IRD or other companies.
Click on the links and you may suffer a nasty sting. Grant payments and bank fee refunds are increasingly being offered by telephone cold callers too.

Phishing has been in the news again this week with the high profile attacks on Apple IDs as one plucky cybercriminal named Oleg Pliss developed a new way to hold iDevices to ransom.

The continuing success of phishing attacks remains a concern that individuals and small businesses need to address:

  • training staff to recognise strange looking emails and not opening attachments trying to masquerade as invoices, delivery notes and tax refund alerts
  • and putting in place email filtering and spam detection that can lessen the impact of unwanted messages.

A report out today suggests phishing attacks on PayPal users are on the rise in 2014, with researchers observing a 73 percent increase in the number of phishing websites targeting PayPal login information.

The report even suggests a growing army of phishermen are taking the time to hone their skills, downloading code to build fake login pages and tweaking the look and feel to improve their ‘conversion metrics’ – an online marketing standard normally associated with more legitimate commerce operators.

PayPal is owned by eBay, the US auction giant which has suffered its own mega breach recently and was subsequently criticised by security professionals for taking a long time to warn customers that account data was at risk.

Identifying genuine threats

Yesterday I spent some time trying to work out if an email supposedly sent from eBay post-breach was a genuine request for users to reset their passwords.

Interestingly, the message spoke of the attack and suggested securing accounts was essential but provided no link in the body of the text to visit a webpage, no doubt an intentional step to reassure those receiving it this really was from the company and not cybercriminals trying to exploit the well publicised event.

Check out the screenshot below – would you have been able to decide if the email was real?

Screenshot: eBay password reset email

Both eBay and PayPal have comparatively low user numbers in New Zealand – the auction company was seen off by local operator Trade Me some time back. But both companies are more widely known across the Tasman in Australia where Kiwis are likely to have been buying goods on the .com.au site.

As we approach tax time, phishing gangs will no doubt step up their efforts against our own IRD. Take the time to read guidance on the organisation’s own website and report phishing emails to them so they can be taken down before personal information is passed over or logins compromised.


Don’t want your iPhone or iPad ‘hacked’? Why unique passwords are so important for online security

Screenshot of affected Apple device
This screenshot was being used by many online media outlets yesterday showing a Find my iPhone style alert suggesting a ransom needed to be paid.

I was sitting down last night for a little light TV watching when I first read the story about ‘iPhones being hacked’ by a mysterious “Oleg Pliss”.

Hacked is a generic term often misused when it comes to device and online security and to date the evidence on web forums and in the security press seems to suggest that Apple’s consumer device has not been affected by ransomware – malicious software demanding a payment for a unique unlock key.

So far (on Wednesday morning, NZ time) it would appear that Apple ID owners have found their devices locked remotely after their login details have been used to block their devices using Apple’s own Find My iPhone service.

The current theory is a wave of phishing emails targeting Apple IDs or recent high profile data breaches at eBay and elsewhere have let cyber criminals amass a huge pile of email addresses matched with working passwords.

Use a different password for every online service

Do you daisy chain your passwords and online life?
Using the same password everywhere online lets bad guys ‘daisy chain’ your online accounts and services, hopping from one system to the next hoping the same login details will give access to other systems and even let them hold your iPhone or iPad to ransom. (Daisy chain image used under CC by Flickr’s ‘benbawden’).

UK media regulator Ofcom recently published a report on attitudes to online life and buried in the depths of this statistical mass is the startling figure that 57% of Brits “use the same passwords for most if not all websites”.

I can’t help but wonder what the equivalent NZ figure would be? We know many folk find it hard to remember multiple logins and thus ease of use trumps a sense of security when it comes to passwords.

This latest Apple ‘hack’ would seem to confirm NetSafe’s belief that using strong passwords, changed regularly and with at least your most ‘valuable’ services protected by a unique string of letters, numbers and symbols is essential computer security best practice.

The risk is that should one database be breached and your usual login info be compromised, it doesn’t take much for the bad guys to start probing other online services, including it would seem your Apple ID, a centralised service that can control so much of your Apple-related life.

If your iPhone or iPad is locked report it to NetSafe on the ORB website. To date we’ve taken one report from a Kiwi iPhone owner suffering this issue.

Dealing with Apple ID hacks

“Change your password for your Apple ID. You can use your Apple ID to recover your device(s) if it has been locked by the hacker”

We’ve published links below to the current best practice when it comes to securing your Apple ID and recommend you review the security of your Apple login ASAP:

    1. Change your Apple ID password now!
      - Manage your Apple ID online at appleid.apple.com
      - Set up 2 factor authentication for your Apple ID and check recovery phone numbers and email addresses associated with your account
    2. Back-up your Apple devices should you need to wipe them and restore later
      - If your device has been disabled read Apple’s guide to using iTunes, Find my iPhone or recovery mode to wipe the device and install your data and settings from a recent backup.
    3. Be alert to Apple ID phishing emails that target your login details
      - Apple will not email you to request you restore access to your account. Always log in at the apple.com website.

Graham Cluley at Intego Security has written an FAQ for iPhone and iPad users and we will update NetSafe advice as we learn more about the situation.

Watch our video from Cyber Security Awareness Week 2013 to learn more about strong passwords:

If “antivirus is dead” what next for computer security?

Symantec, the pioneers behind Norton anti-virus software, have made a bold statement this week in the Wall Street Journal declaring the scanning software to be “doomed to failure”, only successfully catching around 45% of cyberattacks.

Despite internet security software suites now adding password managers, heuristic algorithms to detect new viruses and tools to identify spam and phishing emails, the company is now to sell intelligence briefings to larger customers on specific threats to help them take preventative action to protect hardware and networks based on other breaches.

What can home internet and small business owners do?

If anti-virus security software is not the magic ‘forcefield’ previously thought to protect you against all digital challenges, what can the average internet user do then to stay safe and secure online?

Intelligence gathering is something NetSafe has increasingly utilised to provide timely actionable advice to Kiwis – reports to our ORB cybercrime reporting website are analysed monthly with summary reports produced for partners to identify patterns of offending.

The top 5 issues reported each month – based on incident volumes and dollar losses – are sent to subscribers of our computer security email newsletter on a regular basis.

The report -> analyse -> educate cycle is NetSafe’s key to producing relevant information and guidance to New Zealanders so they can take steps to protect themselves online against newly emerging challenges.

You can sign up for free alerts and advice online now and stay tuned for the May issue which will look at the results of our 2014 Smartphone Security Survey.

AV is still relevant but so is knowing about the threats

Our Tight 5 cyber security guides produced last year focused on five key issues for computer security:

  1. Think before you click
  2. Update everything
  3. Backup your files
  4. Secure your wireless network
  5. Use strong passwords

Whilst we skipped explicitly advising users to install, activate and pay for AV subscriptions – and despite the recent Symantec statement – we still believe a working and up to date anti-virus package is one worthwhile line in your cyber defences, and that includes on mobile devices.

If 45% of threats can be detected and blocked that gives you a good step up before considering other issues like software and operating system patches, using unique passwords to avoid ‘daisy chaining’ exploits against all your online accounts and social engineering threats via email and popular websites.

All internet users need to take preventative steps to secure their devices before they face a digital disaster. ‘Be Prepared’ (the Boy Scout motto) remains just as relevant today as it did a century ago, long before we spent so long staring into screens.
