 
							
					
															
					
					 by Felicien | Jul 31, 2019 | Education
Check Your IoT: URGENT/11 Zero-Day Vulnerabilities Impacting 2 Billion Devices
It was only a matter of time before connected devices became a target. The current vulnerability allows remote attackers to gain full control over IoT devices.
Security professionals have known that connected devices are a risk, but the latest news around the URGENT/11 vulnerabilities may surprise even the most hardened security professional. Over 2 billion connected devices are thought to be vulnerable, including a range of printers, VOIP phones, routers, medical equipment, firewalls, elevators and industrial controls. Any connected device that is running the VxWorks operating system created by Wind River has the potential to be affected, allowing attackers to remotely gain control over the device.
URGENT/11 Vulnerabilities
Dubbed “URGENT/11”, these security risks include six critical vulnerabilities affecting versions of VxWorks 6.5 or higher that include the IPnet stack. According to security research firm Armis, a few versions of the OS may not be affected, such as VxWorks Cert Edition and VxWorks 653. Whether devices are within the network perimeter or on the edge, they can still be leveraged for remote access directly into networks. The vast range of manufacturers of the devices at risk means the level of security at the device level is likely to vary dramatically between product types. Fortunately, Wind River Systems provided critical patches during a recent July 19 release, but that may not be enough to reduce the risk for organizations utilizing these connected devices.
What is VxWorks?
“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses.” As an RTOS, or real-time operating system, VxWorks has generally been considered to be a stable solution for IoT and other interconnected devices with only 13 vulnerabilities reported in over 32 years of operation for the platform. Since it is only older versions of the RTOS that are vulnerable to attack, it’s thought that newer devices should be relatively safe and many affected devices are already reaching end-of-life. These devices are generally ones where chipsets only need to manage a few basic pieces of information, such as input/output operations, where little data processing is required.
How to Protect Your Business
While officials at VxWorks and Armis note that there are no indications that the URGENT/11 vulnerabilities have been exploited, the extreme disruption that could be caused within an organization is reason enough to warrant a proactive effort to protect your organization. Here are the recommended steps from Wind River security professionals and engineers:
Apply the recent patch immediately
Deploy specific firewall signatures/rules that will help mitigate the danger if patches cannot be applied immediately
You can view the full URGENT/11 whitepaper with a breakdown of the vulnerabilities and suggestions for remediation online. Experts note that the level of disruption could be significant, perhaps even rivaling the EternalBlue 2017 vulnerability or the WannaCry ransomware attack. In each of these instances, it was challenging for many small businesses to determine the best steps to move forward and protect their organization.
Partnering with an IT services firm helps ensure that your business is alert to this type of critical attack vector. Staying vigilant for vulnerabilities and quickly applying patches may mean the difference between a few hours of work patching devices or servers and months of remediation as you attempt to recover from a major attack.
				
					
			
					
											
								 
							
					
															
					
					 by Felicien | Jul 30, 2019 | Education
Organization Shouldn’t Be Complicated
Out of all of Microsoft’s Office programs, Excel is one of the most universally used. What started out as a fairly basic spreadsheet program has evolved into a must-have business tool. However, the more you use Excel, the more data your workbooks will accumulate.
Keeping these workbooks organized and easy to navigate can be a challenge. We can help with that. Check out our short Excel: Tips and Techniques for Managing Workbooks training video, available to you free and on-demand.
Simply Click Here.
Watch at your leisure, and say goodbye to your Excel frustrations.
				
					
			
					
											
								 
							
					
															
					
					 by Felicien | Jul 30, 2019 | Education
Capital One Data Breach Affects More Than 100 Million Customers and Small Businesses in The U.S. & 6 Million in Canada
On July 29, 2019, Capital One reported that their customers’ confidential information was compromised. This includes the Social Security and bank account numbers of more than 100 million people and small businesses in the U.S., along with 6 million in Canada.
The McLean, Virginia-based bank discovered the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. They waited until July 29 to inform customers.
How Did The Hacker Get Into Capital One’s System?
According to court documents in the Capital One case, the hacker obtained this information by finding a misconfigured firewall on Capital One’s Amazon Web Services (AWS) cloud server.
Amazon said that AWS wasn’t compromised in any way. They say that the hacker gained access through a misconfiguration on the cloud server’s application, not through a vulnerability in its infrastructure.
Capital One says that they immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.
Who Breached Capital One’s Data?
Paige A. Thompson, a former software engineer in Seattle, is accused of stealing data from Capital One credit card applications.
Thompson was a systems engineer and an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said that she left the company three years before the hack took place.
The FBI arrested Thompson on Monday, July 29 for the theft, which occurred between March 12 and July 17. Thompson made her initial appearance in U.S. District Court in Seattle and has been detained pending an August 1 hearing. Computer fraud and abuse are punishable by up to five years in prison and a $250,000 fine.
What Information Was Compromised?
Thompson stole information including credit scores and balances plus the Social Security numbers of about 140,000 customers and 80,000 linked bank account numbers of their secured credit card customers. For Capital One’s Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised.
The largest category of information obtained was that of consumers and small businesses when they applied for one of Capital One’s credit card products from 2005 through early 2019.
Capital One said some of this information included names, addresses, phone numbers, email addresses, dates of birth and self-reported income.
Other data obtained included credit scores, limits, balances and transaction data from a total of 23 days during 2016, 2017 and 2018.
This is one of the top 10 largest data breaches ever, according to USA TODAY research.
What Is Capital One Saying About The Breach?
They will offer free credit monitoring services to those affected. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully.
They’ve set up a consumer website about the breach at www.capitalone.com/facts2019 that you should refer to if you’re worried that your information was compromised.
Capital One expects that this hack will cost them approximately $100 million to $150 million in 2019.
What Should Capital One Customers Do?
If you’re a Capital One customer, you should check your account online. You should also freeze your credit through each of the three main credit bureaus: Experian, Equifax and TransUnion.
It’s important to remain vigilant. Businesses should sign up for Dark Web Scanning to detect whether your confidential business information is there for cybercriminals to use.
Prevention is always the best remedy. Ask your IT provider to ensure that your firewall is properly configured and to continuously and remotely monitor your network for intrusions.
				
					
			
					
											
								 
							
					
															
					
					 by Felicien | Jul 30, 2019 | Education
Major Fines for IT Data Breaches
Outdated machines, software or employee practices can lead to major security problems. These big companies faced painful fines for their IT mistakes.
As companies increase their online activity, data collection and eCommerce, the stakes will continue to rise. Companies that are lax, poorly prepared or sloppy are facing disastrous tech breaches. Equifax, Uber, TJX and Visa are just a few of the companies that have had to face hefty payouts for data breaches. The public relies on companies to act professionally and secure their information. Many companies that face a security breach or lost data will not be able to stay in business.
With a security breach, the customer’s trust is lost. Not only will the damaged reputation harm business, but fixing the issue will cost more than preventing it. Fines and payouts will also add to that cost. And the more consumers affected by a major problem in the company’s security, the more painful the cleanup. You can’t afford to slack when it comes to IT security.
Equifax Data Breach Settlement of $700 Million
The infamous Equifax data breach of 2017 affected 147 million customers. The settlement announced by the credit reporting company included $175 million to 48 states, $300 million towards free credit monitoring services for the impacted customers and $100 million to the Consumer Financial Protection Bureau for civil penalties.
Federal Trade Commission (FTC) Chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”
Facebook Faces $5 Billion in Fines for Privacy Violations
The FTC smacked Facebook with a $5 billion fine for the Cambridge Analytica incident. This privacy-violation fine was in response to personal data taken from over 87 million Facebook users to create more persuasive and personalized ads.
Uber Faces $148 Million in Fines for Covering Up Hacked Accounts
In 2016, Uber had over 57 million user accounts compromised, and then tried to cover it up by paying the perpetrator $100k. This led to the largest data-breach payout at the time, $148 million, because they violated data breach laws.
Anthem Faces $131 Million for Data Breach of Customers
When the US health insurer Anthem was hacked in 2015, over 79 million customers had their names, birthdates, social security numbers and medical IDs compromised. The company paid out $115 million in a class-action lawsuit in 2017 regarding the breach. The US Department of Health and Human Services fined them an additional $16 million for HIPAA (Health Insurance Portability and Accountability Act) violations.
TJX and Visa Pay Out $40.9 for Data Breach
When over 96 million credit and debit accounts were hacked in a widely publicized data breach that lasted from 2003 to 2007, TJX promised payouts. This came under the terms that 80% of card issuers agreed to the recovery offer and promised not to take further legal action. TJX agreed to fund the settlement as a resolution to keep those U.S. Visa card holders from taking further legal action. This amount was not part of the $256 million the company said it had budgeted to deal with the breach.
Texas Cancer Center Fined $4.3 Million for Unencrypted Equipment
Between 2012 and 2013, the University of Texas MD Anderson Cancer Center lost one unencrypted laptop when it was stolen from an employee’s house and two unencrypted USBs that contained sensitive patient data. The health information of over 33,500 individuals was compromised and the center faced a $4.3 million fine for HIPAA violations.
FMCNA Fined $3.5 Million for Five Data Breaches
In 2012, Fresenius Medical Care North America (FMCNA) was fined $3.5 million for HIPAA violations after five separate breaches in different company locations. The Office for Civil Rights noted that FMCNA could have avoided this with a thorough risk analysis to find the potential risks and vulnerabilities. Many of their breach problems included lacking security policies and failing to encrypt sensitive health data.
A good company will take proactive IT security measures with a great tech team. By outsourcing IT security through a managed IT service company, you can get the best security without hiring a team full-time. Your IT team will provide an audit of your company to help you find the places where your security, devices or practices might be a threat to your company. Ensure you are using the right equipment and your employees are trained to meet compliance standards, privacy laws, customer expectations and more so your company can succeed.
				
					
			
					
											
								 
							
					
															
					
					 by Felicien | Jul 30, 2019 | Education
Phishing Attacks Target OAuth Credentials to Gain System Access
Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers to wreak havoc on applications and access sensitive data.
What Is OAuth?
OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers allow authentication without sharing the initial single login credential. It’s often referred to as secure third-party user agent delegated authentication.
OAuth lets you access a resource, such as the secure password-protected sections of a website. Once the access is granted it remains in place until revoked, even if passwords are reset or 2-factor authentication changes.
It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say, ESPN.com, you can log in using your Facebook account. Facebook, Google, Microsoft and Amazon are among those that use OAuth to allow access to other platforms as well as their own.
OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.
What Is the OAuth Phishing Attack?
The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as a compromised account holder throughout any platform on which the hacked person uses OAuth.
A hacker can create a simple app that is loaded into an email message. When users click on the phishing email, they can inadvertently allow access via the OAuth protocol.
“These techniques have been observed in sophisticated attacks in the past but are becoming easier to execute and are gaining in popularity,” notes a recent article.
What Can Attackers Do if a Phishing Attack Is Successful?
A successful phishing attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:
Search your mailboxes
Read your email messages
Download messages and any attachments
Search for keywords in your email and extract that data
Send messages on behalf of your account … to anyone
Access your contacts
Search shared drives like OneDrive and Sharepoint, read documents and download and extract files
Create malicious Outlook rules
Inject disruptive macros into stored Word documents
Create and install filtering and forwarding rules
Data accessed, reviewed and stolen can have severe consequences, as could macros and rules that make it difficult or impossible to use these common office productivity apps.
What Can Be Done to Defend Against a Phishing Attack?
More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers. The number of OAuth phishing attacks is likely to grow.
The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.
That means training and simulations that help users look for telltale signs of a phishing attack, such as poor grammar and spelling and the use of an unusual email address. Explaining how OAuth phishing attacks work also helps to raise awareness and let users take a skeptical approach to providing those credentials if something doesn’t feel right.
Your organization should also make it easier for employees to submit any suspect email messages that they believe are a phishing attempt.
Some other recommendations are:
Limit the number of third-party apps that your network accepts
Disable any third-party apps across the organization that are unnecessary
To identify rare or suspicious instances, search for and monitor all consented applications
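One way to carry out the last recommendation, as an added example that is not from the original article: a Python triage of consented applications that flags rarely used apps holding the Microsoft Graph delegated scopes behind the abuses listed earlier. The inventory rows, field names, app names and scoring weights are constructed assumptions; only the scope names are real.

```python
from collections import defaultdict

# Microsoft Graph delegated scopes that enable the abuses the article lists.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read mail",
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create inbox and forwarding rules",
    "Contacts.Read": "read contacts",
    "Files.Read.All": "read files the user can reach",
    "Files.ReadWrite.All": "read and modify files the user can reach",
}
PERSISTENCE_SCOPE = "offline_access"  # app is issued a refresh token


def _row(app_id, name, verified, user, scopes):
    # Hypothetical export format: one row per user consent.
    return {"app_id": app_id, "app_name": name, "publisher_verified": verified,
            "user": user, "scopes": scopes}


# Constructed sample inventory (not real tenant data).
SAMPLE_GRANTS = [
    _row("app-001", "Calendar Sync", True, "alice", "Calendars.Read offline_access"),
    _row("app-777", "Doc Viewer Pro", False, "bob",
         "Mail.Read Mail.Send MailboxSettings.ReadWrite Files.ReadWrite.All offline_access"),
] + [
    _row("app-002", "Mail Client", True, user, "Mail.ReadWrite Mail.Send offline_access")
    for user in ("alice", "bob", "carol", "dave")
]


def summarize(grants):
    """Collapse per-user consent rows into one record per application."""
    apps = defaultdict(lambda: {"name": "", "verified": True,
                                "users": set(), "scopes": set()})
    for g in grants:
        app = apps[g["app_id"]]
        app["name"] = g["app_name"]
        app["verified"] = app["verified"] and g["publisher_verified"]
        app["users"].add(g["user"])
        app["scopes"].update(g["scopes"].split())
    return dict(apps)


def triage(grants, rare_threshold=2, min_score=4):
    """Return apps holding high-risk scopes, highest score first."""
    findings = []
    for app_id, app in summarize(grants).items():
        risky = sorted(app["scopes"].intersection(HIGH_RISK_SCOPES))
        if not risky:
            continue  # no mail, contact or file access: out of scope for this check
        score = len(risky)
        reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in risky]
        if PERSISTENCE_SCOPE in app["scopes"]:
            score += 1
            reasons.append("offline_access: access continues without the user present")
        if len(app["users"]) <= rare_threshold:
            score += 2
            reasons.append(f"rare: consented by {len(app['users'])} user(s)")
        if not app["verified"]:
            score += 1
            reasons.append("publisher not verified")
        if score >= min_score:
            findings.append({"app_id": app_id, "name": app["name"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f["score"], f["app_id"], f["name"])
        for reason in f["reasons"]:
            print("   -", reason)
```

The widely consented mail client stays below the default threshold, while the single-user, unverified app with mail, rule and file scopes is surfaced for review.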
To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions and monitoring are in place for your entire network.
				
					
			
					
											
								 
							
					
															
					
					 by Felicien | Jul 30, 2019 | Education
The cloud may still feel like a new technology – but in reality, it’s been around for more than 10 years now.
Does that make you feel old?
Let’s be clear about something – the cloud is here to stay. In recent years you may have still heard the occasional “industry insider” suggest that the world may be moving too quickly to an untested and unsure platform in cloud computing, but no more. The cloud is now an integral part of daily life for private consumer and business users alike.
What Is The Cloud?
The cloud is a network of technologies that allows access to computing resources, such as storage, processing power, and more. That’s where the data is – in these data centers all around the world. Which data center your data is in depends on what cloud service provider you’re working with.
The Cloud’s Many Layers
Public Cloud
Ideal for small businesses that may have trouble budgeting for any other type of cloud deployment, a public cloud is simple and cost-effective. Your data is stored in a “communal” data center, which, while not offering the best possible security or compliance guarantees, is often sufficient for organizations that aren’t required to maintain regulatory compliance.
Private Cloud
A secure, dedicated environment to ensure maximum performance, security, and functionality for your business applications and employees. This is usually deployed for compliance-driven businesses such as healthcare and finance.
A Hybrid Cloud
This is like a dedicated cloud computing resource on Office 365 and Azure Stack with an extension to on-premise resources for maximum performance, control, security, and functionality. This is for businesses that require maximum control and scalability.
Instead of entrusting your legacy solutions to a public or private cloud, many businesses are opting for a hybrid cloud. They use a mix of on-premise, private and third-party public cloud services because this provides an infrastructure where one or many touchpoints exist between the environments.
Using a hybrid cloud gives you the freedom to choose which applications and resources you want to keep in the data center and which ones you want to store in the Cloud.
The Cloud Isn’t As New As You Might Think…
Would you say the cloud is “new”?
To some, this may seem like a question with an obvious answer, but it’s not that simple.
The way in which we think about technology can lead to something feeling new for a lot longer than would make sense otherwise.
After all, the cloud is more than a decade old, but a lot of people still think of it as a new technology.
For context, it was 2006 when Google and Amazon began using the term “cloud computing” – not necessarily the beginning of the cloud, but as good a point to choose as any.
In that year, the now woefully dated Crash won Best Picture at the Oscars. The Tesla Roadster was still two years from hitting the streets. Netflix was more than a year away from launching its now prolific streaming services.
Does that put it in perspective?
How Is The Cloud Delivered?
SaaS (Software as a Service)
Software as a Service (SaaS) applications are being adopted at a much faster pace today than in the past. These are productivity applications like Microsoft Office 365, cloud-based practice management solutions, accounting programs, and more.
Your SaaS provider helps you identify and select line of business applications that will run well in the cloud. They can migrate your data and integrate it with software platforms in your current premise or cloud technology stack, or help you implement new ones.
PaaS (Platform as a Service)
This is whole cloth delivery of web applications that are based in the cloud, all via a comprehensive platform. The idea is that, in accessing this platform, you can utilize, develop and even deliver applications based on resources that you don’t need to maintain on-site.
IaaS (Infrastructure as a Service)
Infrastructure as a Service (IaaS) delivers IT infrastructure on an outsourced basis and provides hardware, storage, servers, data center space, and software if needed. It’s used on-demand, rather than requiring you to purchase your own equipment. That means you don’t have to expend the capital to invest in new hardware.
Why Should You Use The Cloud?
For the same reasons that thousands of other businesses around the world have already adopted cloud computing:
Computing Power: The cloud has the ability to activate tens of thousands of CPUs. This unparalleled power can quickly perform deep analytics of your data, and process nearly any ad-hoc queries that you require.
Reliable Costs: The cloud services subscription model offers the strategic advantage of low-cost, low-risk opt-in combined with a simple, predictable monthly fee.
Easy Scalability: Cloud services have the unique strategic characteristic of being able to stretch or shrink to suit your current level of demand. This is especially useful for businesses of scale or companies that go through seasons of activity.
Real-Time Collaboration: With cloud technology, your staff doesn’t have to wait for each other to be done with their part of the document or project in order to tackle their own aspect. They can all work on the same project at the same time to maximize productivity.
Remote Work Capability: This cloud feature allows you and your employees to work remotely as need be, which will give your business members the flexibility they desire to have a more balanced home/work life.
You Need To Keep An Eye On Your Cloud
As beneficial as the cloud can be, it’s important to note that it can also pose risks if it isn’t managed properly. It all comes down to the classic binary relationship between convenience and security.
The cloud gives you unparalleled access to your data from anywhere with an Internet connection. That means that external parties (including cybercriminals) can have undue access to your data as well if you don’t take the necessary steps to secure your environment.
That’s why you need to monitor your cloud. No matter who you entrust your data to, you should ensure that you or someone in your organization is given appropriate visibility over your cloud environment. That way, you can guarantee that security and compliance standards are being maintained.
If you don’t have the resources to manage this type of ongoing monitoring, then it would be wise to work with the right third-party IT services company. Doing so will allow you to outsource the migration, management, and monitoring of your cloud. You’ll get the best of both worlds: security and convenience.