Category Archives: Security

Spammers hit new Windows 10 users with ransomware

Security experts are warning Windows fans not to fall for a new spam campaign designed to trick users waiting for the new version of the OS into opening an attachment crammed with ransomware.

Cisco’s Talos team claimed in a blog post that the spam run was a typical attempt to ride the coattails of this popular event in order to get the attention of as many email recipients as possible.

“The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign,” they stated.

The spammers themselves have taken several steps to make their emails appear to have been sent by Microsoft, including a spoofed “from” address of ‘update@microsoft.com’, even though the sending IP address is linked to a machine in Thailand.
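The mismatch described above, a From address claiming one domain while the delivering hop belongs to an unrelated host, is exactly what a mail gateway can check mechanically. The following is an added example, not code from the original post or from Talos: it parses a constructed message, takes the IP from the top-most Received header (the only hop the sender cannot forge, since our own MX wrote it) and compares it against a hypothetical allow-list of sender netblocks. In practice that list would come from the claimed domain's published SPF record; the ranges and hostnames here are documentation values chosen for the example.

```python
import email
import email.utils
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed sample message, not a real capture: the From header claims
# microsoft.com, but the hop that delivered it to our MX is an unrelated host.
SAMPLE_EMAIL = """\
Received: from mail.relay.test (mail.relay.test [203.0.113.45])
 by mx.example.test with ESMTP id abc123
 for <user@example.test>; Thu, 30 Jul 2015 09:12:33 +0000
From: Windows Update <update@microsoft.com>
To: user@example.test
Subject: Your Windows 10 upgrade is ready
Content-Type: text/plain; charset="utf-8"

Please open the attached Windows 10 installer.
"""

# Hypothetical allow-list of netblocks the claimed sender domain is expected
# to send from. In practice this comes from the domain's published SPF record;
# the range below is a documentation prefix chosen for the example.
TRUSTED_SENDER_RANGES = {
    "microsoft.com": [ip_network("198.51.100.0/24")],
}

BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(msg):
    """Domain part of the From header address (the part a spoofer controls)."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def originating_ip(msg):
    """IP from the top-most Received header.

    Headers are prepended as a message travels, so the first Received header
    is the one our own MX wrote and is the only hop the sender could not forge.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = BRACKETED_IP_RE.search(str(received[0]))
    return ip_address(match.group(1)) if match else None


def check_sender_alignment(raw_message):
    """Compare the claimed From domain with where the message really came from."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    ip = originating_ip(msg)
    allowed = TRUSTED_SENDER_RANGES.get(domain)
    if allowed is None or ip is None:
        verdict = "unknown"          # no policy for this domain, or no usable hop
    elif any(ip in net for net in allowed):
        verdict = "pass"
    else:
        verdict = "spoof_suspected"
    return {"domain": domain, "ip": str(ip), "verdict": verdict}


if __name__ == "__main__":
    print(check_sender_alignment(SAMPLE_EMAIL))
```

A gateway would quarantine or tag a `spoof_suspected` result rather than reject outright, because legitimate third-party senders (newsletters, ticketing systems) often fail naive alignment checks; that is the role SPF, DKIM and DMARC policies play in production.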

The color scheme used throughout the unsolicited message is also very similar to that used by the Windows team, and the attackers have added both a disclaimer and a message claiming the email has been scanned by anti-virus.

However, they failed to spot several mistakes in the text of the message: characters that have not been parsed properly.

“This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email,” Talos claimed.

If a user is tricked into opening the zip attachment to get their copy of ‘Windows 10’ and runs the corresponding executable, they will find their machine made unusable thanks to CTB-Locker.

This crypto-ransomware variant gives users 96 hours to pay a fee or face all of their computer files being lost forever.

It uses elliptic curve encryption, which is said to have lower overheads than other types, and hosts much of its infrastructure on Tor to avoid detection. Users must make payments in Bitcoin to make tracking even more difficult.

As I have mentioned in previous articles, the threat of ransomware is growing and will continue to grow as long as users give in to the tactics. As a defense, I encourage all users to back up their data in accordance with their company’s best practices. Backups should be stored offline to prevent them from being targeted by attackers.

Does teaching hacking lead to more attacks?

A black hat is a hacker who “violates computer security for little reason beyond maliciousness network security, anti-spam or for personal gain”, a definition attributed to Robert Moore in 2005. A white hat has been called an ethical computer hacker and/or a computer security expert who strives to ensure the security of an organization’s information systems. A gray hat is something in between: a hacker who tests systems to find security holes. This involves penetration testing, “pentesting” for short, which is essentially mounting a black hat-style offensive against a company as a test of its systems.

These definitions are just one example of the cloudiness in the world of computer security. Who is good and who is bad depends on whom you ask.


Who has the right to be called a hacker?

Real hackers have deep systems knowledge. This does not come from using Microsoft Word to write college papers; it is the result of study, research, and a great deal of poking and prodding at networks and network devices. In a PC World article, Eric Geier outlines the steps he believes are needed to become an ethical hacker:

  • Pass A+ certification and get a tech support position.
  • Pass Network+ or CCNA certification and work as a network support or admin, then network security engineer.
  • Pass Security+, CISSP, or TICSA certification and work in information security.
  • Get hands-on experience with penetration testing, then pass the Certified Ethical Hacker (CEH) certification.

“At that point, you can start marketing yourself as an ethical hacker,” says Geier. All this training is in addition to earning a university degree.


The psychology of hacking

But, as the saying goes, with great knowledge comes great responsibility. If you are capable of breaking into the Pentagon network, would you do it? If so, why? The answer to that question could be any of the following:

  • It’s like Mount Everest – it’s there.
  • To brag about the accomplishment to friends.
  • To find vulnerabilities in the system.
  • To take or extort money.

An adolescent often finds the first two answers convincing. He or she knows it is illegal and wrong, but that network is an irresistible target. Hacking into a computer system is like joyriding with a network instead of a Ferrari. And the Internet makes script-kiddie tools and more complex hacks available to all, including young people (or adults) without fully developed moral compasses. As these kinds of hackers mature, they find employment involving computers, especially in the high-paying security field.

Hacking a system to find vulnerabilities, the third answer above, is not black and white. This is exactly what gray hats do for a living. As more companies such as Google and Microsoft offer “bug bounties”, some people are attracted to the challenge and the money involved. In fact, in an article called “Hacking for Good”, Bloomberg Business exults, “Hats off to the white hats. These hackers, who break into computer networks and digital devices to find holes before the bad guys do”. They point to Barnaby Jack as one of these heroes. At Black Hat in 2010, Jack showed how to hack an ATM to disburse cash. This shocking demonstration led to measures to enhance ATM security.

Without a doubt, hacking the Pentagon network to take or extort money, the fourth answer above, is just plain illegal. Criminals use whatever means available for their ends, and the computer is another tool in their arsenal.


Why hacking matters

The debate over different-colored hats would be academic were it not for the paramount role that computers play in our lives. Nefarious hacking of financial institutions, governments, and power grids is terrifying for two reasons: the resulting damage, of course, but also the fact that we don’t entirely know how to avoid such incidents. This is where “good hacking”, white or gray hat, is critical. Without the deep system knowledge gained from hacking, our institutions stand no chance of being protected from adolescent mayhem, criminals, or terrorists.

Most education for security professionals has focused on defensive measures. This is not enough to beat the bad guys at their own game. EC-Council declares that its Certified Ethical Hacker (CEH) certification deals with “hacking techniques and technology from an offensive perspective.” To emphasize this point, its next certification step is called Licensed Penetration Tester (LPT).


To take the CEH course or certification test with EC-Council, a candidate is required to have at least two years of “security related experience” and must sign an agreement not to misuse the knowledge in any way. However, because the CEH certification is much sought after, other organizations have created preparation courses. These courses are available to whoever is willing to pay.

Should offensive hacking techniques be taught by EC-Council and other public entities such as universities? A growing number of people are adamant that hacking is a way to arm IT personnel to deal with attacks.

What do you think, will this type of education lead to more attacks?

Our Spam Filtering Service with Office 365 – the perfect match!

Office 365 in the cloud has some great advantages. Microsoft manages the software updates, anti-spam, and email filtering, making things easier for IT support services. You can collaborate in real time using different mobile devices and PCs.

According to Adallom’s annual Cloud Usage Risk Report, Box, Office 365, Salesforce, and Google Apps constitute the majority of cloud applications in use today. It is inevitable that the move to the cloud will continue. Licensing for the upcoming Windows 10 Enterprise will be per-user instead of per-device. This will spur the use of virtual desktop integration (VDI), where your computer resides not on your desk but in the cloud.

But, let’s face it, moving applications and data to cloud services exposes them to a larger variety of malware. As a result, many clients implement our spam filtering services in conjunction with Office 365 to improve security and block more spam and malware.

Email security for Office 365

Office 365 comes in a variety of flavors, and only the Enterprise versions offer beefed-up security. Office 365 mail security gateways provide some protection, but our spam filtering service is more effective at blocking spam: it blocks over 99.9% of spam with a false positive rate of less than 0.03%. The Apex IT Solutions spam filtering service uses two antivirus engines, Kaspersky Lab and ClamAV, to protect against malware.

Apex IT Solutions can process both inbound and outbound email:

You can specify our service as the inbound mail gateway. We filter out spam and viruses, then pass the mail on to the Office 365 mail servers.

You can also choose Apex IT Solutions as the outbound mail gateway. All outgoing mail sent via your Office 365 account is filtered before being forwarded to the recipient.

We offer additional control for outbound mail that is not available in Office 365. For example, Apex IT ensures that your e-mail domains are not used by spambots. This matters because internet service providers block email from addresses that generate spam. What would happen to your business if you could not communicate with your clients (and vice versa)?

Dedicated mail filtering

As you know, the threat landscape is constantly evolving, with new threats emerging every day. Our service offers protection from the most current threats. Moreover, for our service mail filtering is not just another option on a long list of services; it is the core offering. This focus results in a higher overall catch rate and protection rate than clients experience from vendors who try to be “all things to all people”.

Administrators can configure settings for the entire company, and users can also fine-tune their own filters. No two businesses are the same; mail that one company regards as legitimate, another may regard as spam. Our service’s advanced features, such as the Advanced Content Control filter, enable our engineers to apply a specific rule set to your mail flow. You see the mail you need to see and not the mail you don’t! This level of customization is not available in Office 365 standard filtering.

Data Loss Prevention for email and files

Only the most expensive version of Office 365, Enterprise E3, offers data loss prevention for email and files. But business continuity is a concern for businesses of all sizes. SpamTitan Private Cloud infrastructure provides backup for your mail server. Our service maintains a 2-node private cluster to process mail; if one node fails, the other takes over and continues processing email. Furthermore, each node is located in a different data center, offering optimal backup. Our service also uses Simple Authentication and Security Layer (SASL), requiring identification upon connecting to the network, before any data is exchanged.

Spam filtering complements Office 365 features

This article has outlined some reasons that companies use our spam filtering service alongside an Office 365 subscription, among them:

  • A greater level of protection.
  • A higher spam catch rate.
  • A greater level of customization/granularity.
  • Better outbound mail controls.
  • Business continuity.

Contact us today to see how we can meet your unique business needs, and further secure your Office 365 environment.

Security Tips & Advice on Safe Internet Browsing Habits

If there is one item that pretty much everyone is familiar with on the Internet, it is the very thing we use to browse it: the web browser. Whether you use Firefox, Chrome, or Safari, on a desktop or a mobile device, this article concerns you. How you use a web browser has implications for your security posture and for any information that you handle.

1. Do not trust your browser.

It’s simple really: there are just as many ways to compromise a browser and its host operating system as there are to skin the mythical cat. Software exploits for all major browsers are being developed and sold on the black market and also officially by well-known businesses. This means that even if you update regularly and follow good security practices, you are still at risk of getting your browser and its host machine compromised. Once that happens, all bets are off. Therefore it makes even more sense to develop good habits when it comes to using your web browser.

2. Never store passwords in your browser Password Manager.

Yes, storing them stops you from having to remember them. Well, that’s lovely; guess who else doesn’t have to remember them either? Mr./Ms. Random J Hacker. All he/she has to do is compromise your browser to get your login credentials for your bank, insurance company or company VPN. There is an option in your settings that can stop the browser from ever asking you to save them. Where should you store them? Use an encrypted offline password manager and keep its database on an encrypted USB stick/drive.

3. Learn how to enable and disable particular browser extensions or plug-ins.

Malicious browser extensions bring security risks, as they often lead to system infection. There are more bugs and exploits for browser extensions and plug-ins than you can conceive. There are many cases where these extensions are needed and cases where they are not. Learn to recognize the difference.

4. Frequently clear your browser cache, saved passwords, cookies, history and form data

Your browser stores data while you are using it: what websites you’ve browsed, cookies from sites you have visited, forms that you have filled in, passwords that you have saved (see number 2), and the content of visited websites, such as pictures, videos, scripts and text. All of that data can be used to do bad things. Your browser will work fine without it. If you’re afraid of losing a page you’ve visited, just bookmark it.

5. Do not carelessly give your data and information to a web site.

In the course of browsing the Internet, you will be asked many times for various bits of information. It could be something as simple as a user name and a password, but could go as far as requesting your full name, address, phone number, email, names of siblings and so on. Just because a web site is asking for that information does not mean they actually NEED IT. Ask yourself whether that Vintage Cars forum really needs to know where you live. If you do not intend to buy something or do not intend to do any business transactions with a website, refrain from providing such information.

6. Install HTTPS Anywhere

When data is transmitted to and from a website, it can be done in a secure way or an insecure way. The secure way uses HTTPS; the insecure one uses HTTP. When data is transmitted over HTTP, a hacker could intercept your traffic and read or modify it at will while you’re browsing. If HTTPS is used instead, intercepted traffic is encrypted and cannot be read. That’s a gross over-simplification, but it will suffice in this context. Not all websites support HTTPS, but by using the browser extension HTTPS Anywhere you’ll automatically force any website that you visit (that supports HTTPS) to use HTTPS by default. Remember to always check with your IT department before installing anything on your machine.
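What an HTTPS-forcing extension does under the hood is a rule-driven URL rewrite: if the host is on a list known to serve HTTPS, and the URL is not on an exclusion list, the scheme is switched before the request is sent. The following is an added example, not code from the original post or from the extension's project; the rule format and the hosts in it are constructed for illustration and are not the extension's real ruleset.

```python
import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Constructed ruleset for the example; the real extension ships its own rule
# format and a far larger list. Each rule names hosts known to serve HTTPS and
# URL patterns that must stay on HTTP (e.g. a status page with no certificate).
RULESET = [
    {"hosts": ["example.com", "*.example.com"],
     "exclude": ["http://status.example.com/*"]},
    {"hosts": ["bank.example"], "exclude": []},
]


def _host_matches(host, patterns):
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def upgrade_url(url, ruleset=RULESET):
    """Rewrite an http:// URL to https:// when a rule covers its host.

    URLs that are already https, that match an exclusion pattern, or whose
    host is not covered by any rule are returned unchanged.
    """
    parts = urlsplit(url)
    host = parts.hostname          # lower-cased, without port
    if parts.scheme != "http" or host is None:
        return url
    for rule in ruleset:
        if not _host_matches(host, rule["hosts"]):
            continue
        if any(fnmatch.fnmatchcase(url, pat) for pat in rule["exclude"]):
            return url             # explicitly left on HTTP by the rule
        netloc = parts.netloc
        if parts.port == 80:       # an explicit :80 would be wrong for HTTPS
            netloc = netloc.rsplit(":", 1)[0]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url                     # no rule: leave it alone


if __name__ == "__main__":
    for u in ("http://www.example.com/login?x=1", "http://status.example.com/page",
              "http://other.test/"):
        print(u, "->", upgrade_url(u))
```

The exclusion list is the important caveat: forcing HTTPS on a host that does not actually serve it breaks the page rather than securing it, which is why such tools are rule-based instead of rewriting every URL blindly.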


Some simple habits will make your browsing experience and your information safer. It is easier to avoid bad habits than to break them. Now is the time to give up these bad security habits. Use the technology tools available to move your organization’s security habits in the right direction. Practicing these habits does not guarantee that your browser won’t be compromised, but at least you won’t be the “low hanging fruit.”

Facebook cares about your Privacy

The social network is rolling out a security feature that lets users use the encryption standard OpenPGP to protect e-mail notifications sent by the company, and share their public encryption keys with their friends or with the public. The feature is being rolled out to users starting June 1st 2015.

PGP, short for “Pretty Good Privacy,” is a way of scrambling emails or other chunks of text so that, in theory, only the intended recipient can read them. To use PGP, you create a pair of keys, essentially long strings of letters and numbers used to encrypt and decrypt a message. One is a public key that you can share with everyone; the other is a private key that you keep a closely guarded secret. People can then use the public key to create a message that can only be deciphered using your private key. That way, even if someone is able to intercept your email, they can’t read the encrypted messages.
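To make the public/private key roles concrete, here is an added example (not from the original post, and not how Facebook or any PGP implementation is written) using textbook RSA with two tiny constructed primes so every number is visible. It shows the property the paragraph describes: anything encrypted with the public key comes back only with the private key, and the public key itself cannot undo it. Real OpenPGP keys are thousands of bits long, use padding, and encrypt the message with a symmetric session key that RSA then protects; none of that is modelled here.

```python
from math import gcd

# Constructed toy parameters: two tiny primes so the arithmetic is visible.
# Never use sizes like this for anything real.
P, Q = 61, 53


def make_keypair(p=P, q=Q, e=17):
    """Return (public_key, private_key) as (n, exponent) tuples."""
    n = p * q                      # 3233, the public modulus
    phi = (p - 1) * (q - 1)        # 3120
    assert gcd(e, phi) == 1        # e must be invertible mod phi
    d = pow(e, -1, phi)            # 2753, the private exponent (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext):
    """Encrypt each byte as its own block (fine here because every byte < n)."""
    n, e = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(key, ciphertext):
    """Apply a key's exponent to each block; returns ints, not bytes, so that
    applying the *wrong* key (whose results may exceed 255) does not crash."""
    n, exp = key
    return [pow(c, exp, n) for c in ciphertext]


def recover_text(private_key, ciphertext):
    """Decrypt with the private key and turn the blocks back into bytes."""
    return bytes(decrypt(private_key, ciphertext))


def public_key_can_read(public_key, ciphertext, plaintext):
    """True only if the public key alone recovers the message (it should not)."""
    return decrypt(public_key, ciphertext) == list(plaintext)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"meet at 10"
    ct = encrypt(pub, msg)
    print("public key:", pub, "private key:", priv)
    print("ciphertext blocks:", ct)
    print("recovered with private key:", recover_text(priv, ct))
    print("readable with public key only:", public_key_can_read(pub, ct, msg))
```

Note that this toy scheme is deterministic (the same byte always encrypts to the same block), which is precisely why real systems add random padding; the example is about which key does what, not about a usable cipher.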

Incorporating PGP into Facebook could help protect activists who use the service for political organizing, though it won’t protect all Facebook communications.

Facebook can use PGP to encrypt emails it sends you, such as new message notifications from other users or password reset requests. But messages sent from you to other Facebook users through Facebook itself will remain unencrypted. That means that if someone gains access to your Facebook account, or Facebook is forced to hand your account over to law enforcement, those messages will be readable. Still, if someone only has access to your email account, and not to your private encryption key or Facebook account, they won’t be able to reset your password or read private notifications sent to you from Facebook.

This is the latest attempt by Facebook to tighten up its security and privacy credentials. Earlier this year Facebook announced that it will help fund the development of GnuPG, an open source implementation of the OpenPGP standard. The company began encrypting all of its web traffic in 2013, making it harder for crooks and spies to eavesdrop on communications, and last year it added support for the anonymity tool Tor. Moreover, WhatsApp, the messaging company Facebook acquired last year, incorporated an encryption system from Open Whisper Systems into the Android version of its app last year.

Meanwhile, Google and Yahoo have been developing a PGP-based encryption system for web mail called End-to-End, which could help bring PGP to a much wider audience.

Despite its limitations, privacy advocates are welcoming the new Facebook feature as an important step towards improving security online.

There are things that Facebook does that we don’t want; the advertising business requires that they collect more data than we would like. However, their security team wants to work with the privacy community, and there they can make a real difference. Although it’s tempting to say that people with serious security concerns simply shouldn’t use Facebook, Facebook has a billion and a half users and they’re not going away. Facebook, even if it’s not going to be an organizing platform, will always be an outreach platform. It will be a place where people go to do political work, and letting people secure the accounts they use to do that political work is really important. The most important thing for now may be getting more people to use PGP and improving the ecosystem of tools that support the standard. In my opinion Facebook is acting as a trend leader, dragging other big platforms into this world. When you think about it, if only a thousandth of a percent of Facebook’s users end up using this feature, that’s still 15,000 people. By adopting these tools, Facebook is making it harder for criminals to steal your credentials or read your messages, and that’s a good thing because it improves the overall security of Facebook. These tools actually build a better internet for everyone.

Cyber extortion is on the rise

In 1824, the Duke of Wellington received a letter from a publisher threatening to publish a memoir by his former mistress. The publisher offered to keep the Duke out of the book if he received a sum of money. The Duke reportedly sent the letter back with “Publish and be damned” scrawled on the back.

Fast forward hundreds of years, and extortion not only exists but is thriving. In fact, it has bled over into the digital world.

Over the last couple of years, cyber extortions have revolved around the most valuable aspect of the digital age – data. The first case of cyber extortion, as reported by Thomas Whiteside in his book Computer Capers, occurred in 1971 when two reels of magnetic tape belonging to a branch of the Bank of America were stolen at Los Angeles International Airport. The thieves demanded money for their return, but the ransom was not paid because a tape backup was available. Things have escalated since.


Cyber extortions have taken on multiple forms, all focused on data – encrypting data and holding it hostage, stealing data and threatening exposure, and denying access to data:

  • Ransomware – As the name suggests, ransomware is a type of malware propagated via the traditional means – phishing emails, website drive-bys, malvertising. Once the victim’s device is infected, the ransomware begins to encrypt the victim’s private files before popping up a message demanding a ransom in exchange for the decryption key. A devastating case of ransomware was Cryptolocker, where the attackers demanded payment of $300 in Bitcoin within three days to not only decrypt the files, but to prevent them from being destroyed forever.
  • Denial-of-service attacks – A denial-of-service attack is when an organization’s website or online business is flooded by so much traffic that legitimate users are denied access. In an extortion situation, the cyber extortionists demand money to stop the DDoS. These attacks can be difficult to stop and impact revenue. Many tech startups are reportedly targets because many do not have the infrastructure to defend against them. Meetup, Basecamp, Bit.ly, Shutterstock and MailChimp have all been targeted.
  • Holding sensitive data hostage – Stealing data and threatening exposure is nothing new. In 2007, Nokia paid millions of euros to ensure that an encryption key for their Symbian OS would not be released to the public. In June 2014, a cyber-extortionist group called Rex Mundi claimed it had customer records for 650,000 European Domino’s Pizza customers. Rex Mundi threatened to release those records if the company didn’t pay a ransom of about $41,000. In January 2015, the same group threatened to release 30,000 emails containing sensitive data from a bank if the bank didn’t pay a ransom. Neither victim paid.
  • Holding AWS accounts hostage – In June of last year, an attacker took over Code Spaces’ AWS administrative panel and offered to return control for a price. When the company refused, the attacker began to delete data, backups and configurations, putting Code Spaces out of business. The same pattern of attack occurred with Websolr and Bonsai, two search application infrastructure services provided by One More Cloud LLC, but they managed to recover.

One of the reasons these attacks have grown exponentially is because of the availability of digital currency. Instead of having to deal with physical cash and paper trails, extortionists now benefit from anonymized digital transactions with Bitcoin. Anyone can set up a Bitcoin wallet address without any financial oversight, which means any cyber extortionist can carry out an attack and extract payment.


Is there anything that can be done to prevent cyber extortion? Quite simply: identify and categorize your data, and spend your efforts protecting the most critical data. The easiest way to do this is by moving your data to the cloud. Why? Because when your data is in a corporate-approved cloud storage application, you know exactly where it is, versus it being distributed across multiple endpoints, personal email accounts and internal servers in data centers. The combination of security from your cloud application vendor and a cloud access security broker probably delivers better security than most organizations can for their internal data center.
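"Identify and categorize your data" is the step most organizations skip because it sounds manual. A first pass can be automated: scan file contents for the kinds of data an extortionist would hold over you (government ID numbers, payment cards, personal contact details), assign each file a level, and protect the highest level first. The following is an added example, not code from the original post or any vendor's DLP product; the files, the patterns and the three-level scheme are constructed for illustration.

```python
import re

# Constructed in-memory "files" standing in for the endpoints, mailboxes and
# servers the article mentions; the contents are made up for the example.
SAMPLE_FILES = {
    "hr/payroll_2015.csv": "name,ssn,salary\nAda,123-45-6789,90000\n",
    "finance/cards.txt": "card 4111 1111 1111 1111 exp 12/17\n",
    "sales/leads.txt": "jane@example.test called about pricing\n",
    "eng/notes.md": "Meeting notes: refactor the build.\n",
}

# Detectors for the kinds of data that make a file worth extorting over.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Order matters: the first level whose trigger is present wins.
LEVELS = [("restricted", {"ssn", "card"}), ("internal", {"email"})]


def luhn_ok(candidate):
    """Luhn checksum, used to drop random digit runs that only look like cards."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:             # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return (level, {kind: count}) for one file's contents."""
    findings = {}
    for kind, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if kind == "card":
            hits = [h for h in hits if luhn_ok(h)]
        if hits:
            findings[kind] = len(hits)
    for level, triggers in LEVELS:
        if triggers & findings.keys():
            return level, findings
    return "public", findings


def inventory(files):
    """Map each path to its level so protection effort can be prioritised."""
    return {path: classify(text)[0] for path, text in files.items()}


def protection_order(files):
    """Paths sorted most-sensitive first: protect (and back up) these first."""
    rank = {"restricted": 0, "internal": 1, "public": 2}
    levels = inventory(files)
    return sorted(levels, key=lambda p: (rank[levels[p]], p))


if __name__ == "__main__":
    for path in protection_order(SAMPLE_FILES):
        print(f"{inventory(SAMPLE_FILES)[path]:<10} {path}")
```

The Luhn check is what keeps this from flagging every 16-digit order number as a card; in a real deployment the pattern set, the levels and the handling rules attached to each level (encryption at rest, offline backup, access restriction) would be the organization's own.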

As long as companies continue to pay ransoms when attacked, we should expect cyber extortion to continue for a long time.

VoIP: The latest security threat for businesses

More businesses than ever are jumping on the Voice over IP (VoIP) bandwagon today. Aside from significant cost savings compared to traditional phone services, VoIP also offers many value-added features such as voicemail-to-email transcription, barge and whisper service, call screening, conferencing, music on hold, call routing, portability, and increased flexibility and mobility for employees who are always on the move or required to travel. Although VoIP’s advantages have plenty to offer the business world, companies also need to secure voice technology. In this article I am going to discuss VoIP security and ways you can protect your business.

Studies show that over 75 percent of US businesses use VoIP telephone systems as their primary telephone system. As the many advantages of hosted VoIP become increasingly evident to businesses, I think it’s important to clear up a basic misconception about security: even if you are connected to your VoIP system through an insecure Wi-Fi network, it does not follow that your VoIP system is automatically vulnerable to hackers.

Getting into the VoIP system requires additional passwords, and the conversations themselves are encrypted. Undoubtedly, having your phone accessible across multiple platforms makes it more exposed to hackers generally, but the security concerns relate to data network and hardware security issues, not to VoIP itself.

When it comes to securing VoIP, businesses need to go above and beyond basic compliance and become proactive in securing VoIP technology from hackers. Since VoIP packets flow over the network (just like data packets do), sensitive corporate information could be intercepted. Some of the same threats that affect data networks can also affect VoIP.

Other threats that can affect VoIP systems are:

  • Conversation eavesdropping/sniffing
  • Default passwords
  • Hacked voicemail
  • Identity spoofing
  • Man-in-the-middle exploits.
  • Denial of Service (DoS) attacks
  • Toll fraud
  • Web-based management console hacks.

VoIP security is a challenge for many companies, but the bottom line is that VoIP security should operate on the same rung as network data security: both forms of data contain valuable information. Remember this: the bad guys never sleep; they are always looking for new and innovative ways to hack into business VoIP systems.

Security practices for every company should include:

  • Separating data traffic from voice traffic by placing them on separate VLANs.
  • Protecting the remote admin interface with a complex password and non-standard port.
  • Encrypting sensitive voice traffic.
  • Using Secure Session Internet Protocol (SIPS) for protection from eavesdropping and tampering.
  • Applying physical and logical protection: The VoIP server should be behind a SIP-aware firewall and intrusion prevention system (IPS).
  • Creating user names that are different from their extensions.
  • Keeping VoIP systems always up-to-date and patched.
  • Limiting calling by device.
  • Using encryption to secure calls.
  • Setting strong security policies.
  • Utilizing traffic analysis and deep packet inspection (DPI).
  • Properly securing VoIP gateways.
  • Using a strong voicemail 6-digit passcode or device certificate.
  • Deleting sensitive voicemail messages.
  • Removing mailboxes when employees leave the company.
  • Limiting invalid login attempts.
  • Restricting type of calls allowed on the network and implementing time of day policies.
  • Disabling international calls by default.
  • Security awareness training for employees.
  • Requesting that all employees report odd occurrences.


Of course, some of these practices may not be feasible for every company. With that in mind, here are three tips for maintaining VoIP system security:

Restrict password permissions. Business-grade VoIP apps have an extra layer of security that has to be activated for a user to become connected. When launched on a computer, a VoIP unified communications (UC) app requires users to register with their unique user name/password every time. Companies can restrict the “remember me” options and require users to sign in every single time. That means that even if the VoIP app on the computer is attacked, there will always be another password that would need to be cracked as well for someone to get into the system.

Use the available safeguards. It should be said that even if hackers managed to get the password and hack into one phone, it would not affect the entire network; it would only affect one user. Fortunately, most business-grade services have “fraud detection” monitoring that can determine if an unusual number of minutes is being racked up and will flag it. Watch user trends and stay on top of alerts or changes in tracked usage.
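Several items on the checklist above (disabling international calls by default, time-of-day policies, limiting invalid login attempts) and the "fraud detection" monitoring just described all reduce to the same thing: run policy over the call detail records and authentication logs the PBX already produces. The following is an added example, not code from the original post or from any PBX vendor; the records, the failed-registration log and the policy values are constructed for illustration, and the "+1 means domestic" rule is an assumption for a US-based business.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed call detail records (extension, start time, seconds, dialled
# number); not from any real PBX.
CDRS = [
    ("1001", "2015-06-15T10:05:00", 180, "+14155550100"),
    ("1001", "2015-06-15T14:20:00", 240, "+14155550133"),
    ("1042", "2015-06-16T02:10:00", 2700, "+2327000000"),
    ("1042", "2015-06-16T02:45:00", 2700, "+2327000001"),
    ("1042", "2015-06-16T03:30:00", 3000, "+2327000002"),
    ("2001", "2015-06-16T09:00:00", 60, "+14155550144"),
]

# Constructed failed SIP registration attempts (extension, time, source IP).
AUTH_FAILURES = [
    ("1042", f"2015-06-16T01:5{i}:00", "198.51.100.9") for i in range(6)
] + [("1001", "2015-06-15T08:00:00", "192.0.2.5")]

# Assumed policy following the article's checklist: international calling
# disabled, business-hours limits, a daily minutes cap and a lockout threshold.
POLICY = {
    "business_hours": (8, 18),      # 08:00-18:00 local time
    "international_allowed": False,
    "max_daily_minutes": 120,
    "max_failed_logins": 5,
    "home_prefix": "+1",            # assumption: NANP numbers are "domestic"
}


def is_international(number, policy=POLICY):
    return not number.startswith(policy["home_prefix"])


def flag_calls(cdrs, policy=POLICY):
    """Return (extension, when, reasons) for calls that break policy, plus one
    alert per extension/day whose total minutes exceed the daily cap."""
    alerts = []
    minutes = defaultdict(float)
    start_h, end_h = policy["business_hours"]
    for ext, start, seconds, dest in cdrs:
        when = datetime.fromisoformat(start)
        minutes[(ext, when.date())] += seconds / 60
        reasons = []
        if is_international(dest, policy) and not policy["international_allowed"]:
            reasons.append("international call while international dialling is disabled")
        if not start_h <= when.hour < end_h:
            reasons.append("call outside business hours")
        if reasons:
            alerts.append((ext, start, reasons))
    for (ext, day), total in minutes.items():
        if total > policy["max_daily_minutes"]:
            alerts.append((ext, day.isoformat(),
                           [f"{total:.0f} minutes in one day exceeds cap of "
                            f"{policy['max_daily_minutes']}"]))
    return alerts


def flag_logins(failures, policy=POLICY):
    """(extension, source IP, count) pairs with enough failures to warrant lockout."""
    counts = Counter((ext, ip) for ext, _, ip in failures)
    return [(ext, ip, n) for (ext, ip), n in counts.items()
            if n >= policy["max_failed_logins"]]


if __name__ == "__main__":
    for alert in flag_calls(CDRS):
        print("CALL ", alert)
    for alert in flag_logins(AUTH_FAILURES):
        print("LOGIN", alert)
```

In the constructed data, extension 1042 shows the classic toll-fraud pattern: a burst of failed registrations from one address just before 2 a.m., followed by long international calls that blow through the daily cap. Each of those signals alone is worth an alert; together they are what the "fraud detection" monitoring in the paragraph above is looking for.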

Lastly, exercise common sense when working remotely. Common sense is one of the main security measures you can employ. It’s simply about being aware of your surroundings and of where you keep passwords stored.

Calling it a VoIP security issue when someone has your passwords is like calling it a bank security issue when someone takes your money after finding your card and PIN together: it’s not.

No network is perfectly secure. But having a clearer understanding of VoIP and its security measures together with basic practices that every company should implement will help ensure better overall security for all users. It will also help businesses looking at their phone options to consider the real risks and benefits of VoIP in achieving success.