Security

More Warnings Over Scams Aimed at Zoom, Teams and Meet Users

Reports indicate that hackers are still using domains related to popular remote, collaborative working platforms to target users working from home with phishing scams during the lockdown.

Domains

Almost as soon as the lockdown started, there were reports at the beginning of April by cybersecurity company Check Point that there had been a major increase in newly registered domains that included the word ‘Zoom’, a proportion of which also showed other suspicious characteristics. It was also reported at the time that the official classroom.google.com website had been impersonated by googloclassroom.com and googieclassroom.com.

Zoom, Teams, and Meet

The most recent Check Point Research shows that scammers have widened their attack strategy by registering domains that pose not just as Zoom, but also as Microsoft Teams and Google Meet-related URLs.

Check Point Research reports that, in just the last 3 weeks, 2,449 Zoom-related domains have been registered, 32 of which are malicious and 320 of which are categorised as “suspicious”.

WHO Impersonated

Check Point Research also shows that scammers have been sending phishing emails posing as the World Health Organization (WHO), either carrying malware attachments or asking for donations to the WHO, with any payments going into bitcoin wallets controlled by the scammers.

The WHO now has a page warning about the risk of being targeted with fraudulent email and WhatsApp messages by scammers taking advantage of the COVID-19 pandemic and claiming to be from the WHO. The page gives advice about how to verify authenticity before responding and how to spot and prevent phishing.  See https://www.who.int/about/communications/cyber-security

Nation-State Cyber Espionage To Steal COVID-19 Research

In a more sinister turn, the UK’s National Cyber Security Centre (NCSC) has reported that UK universities and scientific institutes involved in COVID-19 research are being targeted with cyber espionage by nation state-sponsored actors e.g. Russia, Iran, and China, allegedly looking for information about studies conducted by UK organisations related to the COVID-19 pandemic.

Protection

Ways that users can protect their computers/devices, networks and businesses from these types of threats, as suggested by Check Point, include being extra cautious with emails and files from unfamiliar senders, not opening attachments or clicking on links in emails (phishing scams), and by paying close attention to the spelling of domains, email addresses and spelling errors in emails/on websites.  Check Point also suggests Googling the company you are looking for to find their official website rather than just clicking on a link in an email, which could redirect to a fake (phishing) site.

What Does This Mean For Your Business?

Cybercriminals are quick to capitalise on situations where people have been adversely affected by unusual events and where they know people are in unfamiliar territory.  At the moment, people are also divided geographically and are trying to cope with many situations at the same time, may be a little distracted, and may be less vigilant than normal.  As long as the pandemic continues, these types of scams also look set to continue and evolve.  It is also shocking (but perhaps not surprising) to see how nation states appear to be sponsoring attacks on each other’s research institutions to get an advantage in defeating COVID-19.

The message to businesses, however, is that extra vigilance is still needed and that all employees need to be very careful, particularly in how they deal with emails from unknown sources, or from apparently known sources offering convincing reasons and incentives to click on links or download files.

Featured Article – Securely Disposing of Old Equipment

When our PCs, laptops, phones, and other devices need to be replaced, disposing of them in a way that does not pose a data security risk is especially important. Here are some tips on how to dispose of devices securely.

Backup

Before you begin the disposal process of your device the first thing to do is to make sure that you have a backup of all your important files and data.

Backing Up Your PC

To back up your PC, you could use:

– An external hard drive e.g. WD MyBook Duo, Toshiba’s Canvio, LaCie Porsche Design (good for MacBooks). Many other options are, of course, available. If you have a Mac, make sure your chosen external hard drive is Mac compatible.

– A cloud-based backup service, such as Dropbox, Google Drive, Box, OneDrive or iCloud. These offer a free allowance of storage and, for a relatively small fee, more space if needed. For example, Box gives you 10GB of file storage for free, Google Drive gives you 15GB, OneDrive gives you 5GB, and Apple iCloud gives you 5GB.

Transfer Files To A New Computer

If you have already purchased a new computer, you may wish to transfer the files from the old straight to the new, although having an updated cloud backup of your work and critical files is good practice anyway.

Sign Out Of Online Accounts

With everything backed up safely, the next step is to make sure that you know login details for (and have signed out of) any online accounts on the old computer. For example, these services/apps could include Facebook, Twitter, Google, Apple and Microsoft.

Wipe The Hard Drive

The next step is to wipe all traces of your data and activity from the hard drive. If the computer belongs to your employer, first check the company’s recommended policy or procedure for doing so, and check that your actions will be compliant with data protection law e.g. GDPR.

Wiping the hard drive can involve a number of steps and options, including:

– Delete or overwrite files using software that meets guidelines for secure deletion e.g. File Shredder, Eraser or WipeFile. On an older Mac with a spinning hard drive, Finder’s Secure Empty Trash option (Finder > Secure Empty Trash) can be used, but Apple removed it in OS X 10.11 because overwriting cannot be relied on for SSDs. For Macs on 10.11 or higher and Windows PCs with SSDs, the drive should instead be encrypted (FileVault or BitLocker) so that erasing it discards the key and leaves only unreadable ciphertext. Although overwriting software is a relatively easy and simple solution, multiple passes can take a long time, and on an SSD an overwrite may not reach every cell because of wear levelling.

– Drive encryption. On a Windows PC, this can be found in Settings > System > About, under Device encryption or BitLocker settings. On a Mac, turn on FileVault via System Preferences > Security & Privacy > FileVault. With the drive encrypted, erasing it afterwards leaves only ciphertext whose key has been discarded.

– Deauthorise the computer with relevant accounts. For example, some SaaS accounts (Microsoft 365) and entertainment accounts such as iTunes only allow you to use a certain number of authorised, named devices. If you are getting rid of your device you will need to de-authorise it with those accounts, thereby enabling you to authorise a new device for use in its place.

– Delete browser data. Since browsers save information about your browsing history and can store usernames, passwords, and other sensitive personal data, the next step is to delete your browser history, and to make sure that you are signed out of your browsers. For example, to clear your history in Microsoft Edge, go to the three dots (top right) open the browser menu and go to Settings > Privacy & security and select “choose what to clear”, making sure that all checkboxes are selected so everything gets removed. The same will need to be done for all other browsers e.g. Chrome, Firefox, and Safari.

– Uninstall programs. Some programs contain personal data and, therefore, need to be uninstalled.

– Macs (macOS): erase and reinstall. The process for wiping a Mac is to erase the drive and then reinstall the operating system. Go to Apple menu > Restart and, just as it reboots, hold down Option+Command+R until the spinning globe appears. Release the keys, open Disk Utility from the recovery menu and erase the startup volume first (choosing Reinstall macOS on its own reinstalls the system but leaves your data in place), then return to the recovery menu, choose Reinstall macOS, choose Continue, and follow the instructions.

– Windows PC reset. For a Windows PC, go to the Settings app, click on Update & Security, click on Recovery, choose Get started under the Reset this PC option, and choose Remove everything so that personal files are removed during the process (choosing to clean the drive as well, rather than just removing the files, makes recovery of the old data harder).

– Chromebook factory reset. To wipe your Chromebook, sign in to the Chromebook with the owner account, from the taskbar, click on Settings > Advanced > Powerwash > Restart. When the Chromebook restarts, select Powerwash and click on Continue.
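How to check that an overwrite actually removed what was there is something a wiping tool’s progress bar does not tell you. The following Python script, an added example rather than any of the tools named above, overwrites a drive image in place (a random pass, then zeros) and then scans it the way a file carver would: it classifies each 4 KiB chunk as all-zero, random-looking or structured, and looks for common file headers at sector boundaries. The signature table, the entropy threshold and the 16 KiB sample image it builds are constructed for illustration. Pointed at a raw device node (as root) it audits a drive after a wipe; as the comments note, overwriting from inside the operating system does not reach an SSD’s remapped blocks, which is why encrypting and then erasing is the safer route on SSDs.

```python
"""Overwrite a drive image and then check that nothing readable survived.
Added example, not software from the page; standard library only.
The signature table and entropy threshold are assumptions for illustration."""
import math
import os
import tempfile

CHUNK = 4096              # bytes read per iteration
SECTOR = 512              # file headers normally sit on a sector boundary
RANDOM_MIN_ENTROPY = 7.5  # bits per byte; assumed cut-off for "random-looking"

# Magic bytes a file carver would recognise (assumed, partial list).
SIGNATURES = {
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/Office",
    b"\x89PNG": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"SQLite format 3\x00": "SQLite database",
}


def entropy(chunk):
    """Shannon entropy of a chunk in bits per byte (0.0 for a constant chunk, 8.0 for uniform)."""
    n = len(chunk)
    counts = [chunk.count(b) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sector_signatures(chunk, base_offset):
    """Known file headers found at sector-aligned offsets within the chunk."""
    hits = []
    for start in range(0, len(chunk), SECTOR):
        sector = chunk[start:start + SECTOR]
        for magic, name in SIGNATURES.items():
            if sector.startswith(magic):
                hits.append((base_offset + start, name))
    return hits


def scan_image(path):
    """Classify every chunk as zero, random-looking or structured and list file
    signatures. Only an image that is entirely zero/random with no signatures
    is reported as clean."""
    report = {"chunks": 0, "zero": 0, "random": 0, "structured": 0, "signatures": []}
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            report["chunks"] += 1
            if chunk.count(0) == len(chunk):
                report["zero"] += 1
            elif entropy(chunk) >= RANDOM_MIN_ENTROPY:
                report["random"] += 1
            else:
                report["structured"] += 1  # text, metadata, partial files
            report["signatures"].extend(sector_signatures(chunk, offset))
            offset += len(chunk)
    report["clean"] = report["structured"] == 0 and not report["signatures"]
    return report


def overwrite_in_place(path, passes=(None, b"\x00")):
    """Overwrite every byte with each pattern in turn (None = random bytes),
    fsyncing after each pass. On an SSD this does not reach remapped or spare
    blocks: use the drive's secure-erase command or encrypt-then-erase instead."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # also works for a block device
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def build_sample_image(path, size=4 * CHUNK):
    """Constructed 16 KiB 'disk image': remnants of a PDF, a ZIP and some
    plaintext, the rest zero."""
    image = bytearray(size)
    image[0:64] = b"%PDF-1.4\n%tail of a deleted document".ljust(64, b"\x00")
    image[2048:2052] = b"PK\x03\x04"
    image[8192:8232] = b"Confidential payroll export 2020-04".ljust(40, b" ")
    with open(path, "wb") as f:
        f.write(image)


def demo():
    """Scan the sample image before and after overwriting; returns both reports."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        build_sample_image(path)
        before = scan_image(path)
        overwrite_in_place(path)
        after = scan_image(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The entropy test matters for encrypted drives: after a crypto-erase the whole device reads as random, so a scanner that only accepts zeros would wrongly report it as unwiped, while a structured (low-entropy, non-zero) chunk or a file header on a sector boundary is the signal of something left behind.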

Destroy The Hard Drive

Before recycling a computer, some experts recommend destroying the hard drive in order to be absolutely sure that any sensitive data stored on it cannot be recovered. For a conventional hard drive this can be achieved by removing it and e.g. hitting it with a hammer or drilling holes through the platters. An SSD stores its data across several flash chips, so a single drill hole may miss most of them; erase an SSD first (ideally by encrypting it and then erasing it, or with the drive’s own secure-erase command) and, if you still want to destroy it, break the chips themselves.

To remove the hard drive, disconnect the PC from its power source, open the casing and locate the drive, which is generally connected by a SATA data cable and a power cable (or by a flat, wide IDE cable in much older computers) or, in newer machines, may be an M.2 SSD that slots directly into the motherboard, and remove it from its housing by undoing the screws.

If the device is on the premises of your business at the time, you will need to ensure that care is taken in order to comply with health and safety regulations if trying to physically destroy the hard drive.

Laptop

As with a PC, make sure all important files are backed up, accounts are signed out of, de-authorisation is completed, and browser data is removed. With laptops, use software to erase the data e.g. File Shredder or Eraser, and remove the hard drive, taking care to avoid any damage to the inside of the laptop. There are many online guides and videos to help with the removal of laptop hard drives.

Tablet

After backing up your important files and data, the best way to prepare a tablet for disposal while maintaining data security is a full factory reset, which on a device with storage encryption turned on (the default on recent tablets) also discards the encryption key. On an Android tablet, tap the app drawer and find the Settings icon, select Backup and reset (left-hand side), uncheck the Back up my data and Automatic restore checkboxes (right-hand side), select the Factory Reset option and follow the instructions (the exact menu names vary by manufacturer). As a ‘belt and braces’ option before resetting, select the app drawer, select Settings, select Storage (left-hand side), select Miscellaneous files (right-hand side), select the checkboxes for folders and select the bin icon. On an iPad, use the Erase All Content and Settings route described for iPhones below.

Phones

Our phones contain vast amounts of personal data and potentially sensitive company data. It is, therefore, extremely important to dispose of them in a way that does not compromise the security and privacy of yourself, your business/your employer, or any stakeholders and contacts.

Back-Up

Firstly, ensure that you have backed up your phone contacts. After backing up your important data the process is:

For Android

Many Android phones have a microSD card slot, but the phone’s own data (accounts, messages, photos and app data) is normally held on internal storage, so removing the card is not enough on its own. First remove your SIM card and any microSD card (the card can be used in your replacement phone; on most current phones both sit in a tray opened with the ejector tool, as removable batteries are now rare). Then run a factory reset, typically Settings > System > Reset options > Erase all data (factory reset), although the exact path varies by manufacturer. Recent Android phones encrypt internal storage by default, so the reset also discards the encryption key; on an older phone, check Settings > Security and turn encryption on before resetting.

If you need to wipe a microSD card, connect it to a laptop (in a card reader, or by leaving it in the phone and connecting the phone over USB) and format it rather than just deleting the files: selecting everything and pressing delete only removes the directory entries and leaves the data recoverable. In Windows File Explorer, right-click the card, choose Format and untick Quick Format so that the card is fully overwritten. If the phone had adopted the card as internal storage, its contents are encrypted with a key that the factory reset destroys.

For iPhones

An iPhone has an in-built way to return it to its factory default settings, thereby removing your personal data. To do this, go to Settings > General > Reset > Erase All Content and Settings (on iOS 15 and later, Settings > General > Transfer or Reset iPhone). You will be asked for your passcode and your Apple ID password, which signs the phone out of iCloud and turns off Activation Lock so that the next owner can set it up, and you will be given the chance to update your iCloud backup before the erase goes ahead. Because the iPhone’s storage is encrypted, erasing discards the key and the old data cannot be read back.

Data Wiping Company/Charity

Another option is to simply use a trusted third-party data wiping company or charity to professionally clean all data from your devices, hard drives, network routers, switches, and servers. Examples include WeeeCharity, PC4 Recycling, Secure IT Services and Medecon although there are many other similar services.  Your IT Support Company may also be able to provide these services or recommend a company in your area. Contact your IT Support Company for details.

Afterwards

After you have wiped your device, and depending on whether the device belongs to you or the business/organisation/your employer, your options may be:

– Recycle the device. Many recycling centres, for example, take old PCs.

– Sell the device. You could choose to sell the device privately online e.g. eBay, Gumtree or Facebook Marketplace, or to a private company that buys devices e.g. Mazuma, Music Magpie, WeBuyAnyPhone or others.

– Donate your device to a charity e.g. Computer Aid International, Turing Trust or IT For Charities.

– Donate your device to a local school, centre, or Freecycle network.

In any case, if the hard drive has been removed, you will need to inform the person, or organisation that you are selling or donating the device to.

N.B. You may wish to consult your IT support company first as they may be able to provide data wiping and IT equipment recycling services or put you in touch with a good service near you.

Important

It is surprising how much personal and sensitive data we store on our devices, so following proven procedures to make sure personal and company data is removed from devices before selling, recycling or donating them is a very important consideration for businesses and individuals. As individuals’ and businesses’ circumstances differ, please get in touch before disposing of any IT equipment for a detailed and appropriate course of action, specific to your requirements.

Google Blocks 18 Million Coronavirus Scam Emails Per Day

Google is reported to have been blocking 100 million phishing emails per day and 18 million email scams relating specifically to coronavirus.

Millions of Scams and Spam Messages Daily

On its Cloud blog on 16th April, Google reported that Gmail blocks more than 100 million phishing emails each day and that, over the previous week, it had blocked 18 million daily malware and phishing emails related to COVID-19. Google reports that this was in addition to more than 240 million COVID-related daily spam messages.

Types of Scams

Google reports that the types of scam and phishing emails that it had seen and blocked have been using fear and financial incentives to create urgency in order to prompt users to respond. Examples include:

– Impersonating authoritative government organisations e.g. the World Health Organization (WHO) in order to solicit fraudulent donations or distribute malware. In order to achieve this, scammers were reported to be using downloadable files that can install backdoors.

– Phishing attempts targeted at employees operating in a work-from-home setting asking them to complete a form needed for payroll.

– Phishing attempts, imitating government institutions and targeted at small businesses asking them to click on links related to receiving government stimulus packages.

Proactive Monitoring

Google reports that it has put proactive monitoring in place for COVID-19-related malware and phishing across its systems and workflows and that when threats are identified, they are added to its Safe Browsing API to protect users in Chrome, Gmail, and other integrated Google products.

Not New

As Google acknowledges, many of the current threats are not new but are existing malware campaigns that have just been updated to exploit the heightened attention on COVID-19. Last month, for example, reports of phishing emails included:

– An email purporting (as reported by Proofpoint) to be from a doctor offering details of a vaccine cure that’s been kept secret by the Chinese and UK governments.  Clicking on the link promises access to the vaccine cure details.

– Workplace policy emails that target employees in a specific company/organisation and encourage them to click on a link that will take them to their company’s Disease Management Policy.  Clicking on the link will, in fact, download malicious software that can provide a way into the company network.

– As reported by Mimecast, using the promise of a tax refund for coronavirus, directing the target to click on a link to input all their financial and tax information and with the lure of gaining access to (bogus) funds.

– Asking for donations for a fake campaign to fund the fast development of a COVID-19 vaccine.  In this scam, the victim is directed to a bitcoin payment page.

– An email purporting (again, as reported by Proofpoint) to be from the World Health Organization (WHO) that offers a fake document with information about preventing the spread of coronavirus, where clicking on the link actually leads to the downloading of keylogging software (criminals can track your keystrokes to uncover passwords).

– Emails that exploit feelings of panic, such as an email that claims that COVID-19 has become airborne and asks the target to click on a link to a fake Microsoft login page.

Protecting Yourself Against Phishing Attacks

You can protect yourself and your business from phishing emails and other scams by doing the following:

– Keeping your anti-virus software up to date as well as your patching and other software updates e.g. your OS updates.

– Making sure that all staff and employees are given training and/or are made aware of phishing email threats and that they know the procedure for dealing with emails that appear to be suspicious and/or relate to releasing funds/payments, even if they appear to be from someone in the same company.

– Being on the lookout for online requests for personal and financial information, e.g. ones that appear to come from government agencies, since legitimate organisations are very unlikely to ask for such information by email.

– Looking out for emails with generic greetings, mistakes in spelling and grammar, and/or heavy emotional appeals that urge you to act immediately, as these are all signs of scam and phishing emails.

– Checking where a link really goes by hovering your mouse over it (without clicking) so that the real destination address is shown, and checking the sender’s actual email address rather than just the display name. Either can quickly reveal that an email is not genuine.
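Hovering over a link is the manual version of a check that can be automated for every message. The Python below is an added example (not Google’s filtering or anything from the page) that parses a constructed HTML email, collects each link’s visible text alongside its real href, and reports links whose displayed address points to a different registrable domain, as well as a Reply-To domain that differs from the From domain. The sample messages, the URL-shaped text pattern and the two-label approximation of a registrable domain are assumptions for illustration.

```python
"""Compare what each link in an email shows with where it really goes, and
the From domain with the Reply-To domain. Added example with constructed
messages; standard library only."""
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample in the style the article describes (not a real message).
SAMPLE_EML = """\
From: "WHO Alerts" <alerts@who.int>
Reply-To: who-donations@mail-relay.example.net
To: staff@example.com
Subject: COVID-19: immediate action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please visit <a href="http://who-int.secure-login.example.net/login">https://www.who.int/</a> to confirm.</p>
<p>Or read <a href="https://www.who.int/emergencies">the official guidance</a>.</p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: April payslips
Content-Type: text/html; charset="utf-8"

<p>Payslips are on <a href="https://hr.example.com/payslips">https://hr.example.com/payslips</a>.</p>
"""

# Visible link text that looks like a URL or hostname (assumed pattern).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels; assumes a single-label public suffix (no PSL lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse_message(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = email.utils.parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        # The displayed address is what the reader "sees"; the href is where it goes.
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host_of(href)):
            findings.append("link text shows %s but points to %s" % (host_of(text), host_of(href)))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, analyse_message(raw) or ["no findings"])
```

A link whose text is a phrase rather than an address ("the official guidance") is deliberately not compared, since there is nothing the reader was shown to be misled by; those links still deserve the hover check by hand.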

Google also recommends that its users could benefit from completing a Google ‘Security Check-up’, and that G Suite Enterprise and G Suite Enterprise for Education users enable Google’s security sandbox.

What Does This Mean For Your Business?

Since the beginning of the COVID-19 outbreak and the subsequent need for businesses and organisations to have their employees work from home, cybercriminals have seen the whole situation as a big opportunity to exploit the uncertainty, heightened emotions, and physical division of workforces.

Now more than ever, therefore, we should all exercise caution when we receive emails from unknown or unusual sources and remember that government agencies and financial institutions don’t send out emails asking for personal and financial information and that any requests for funds or other even slightly unusual requests that appear to come from within the company need to be checked for authenticity.

Companies need to alert employees, many of whom may soon be working from home (if not already) and may have a reduced ability to quickly ask the boss or manager about certain emails, to the threat of phishing emails with a COVID-19 theme and to the threat of social engineering attacks that could take advantage of a physically divided and reduced workforce.

Featured Article – Maintaining Security on Employee Exit

When employees leave (or are asked to leave) or retire from businesses and organisations, those entities still have a legal responsibility to ensure that security levels are maintained with regards to data security.

Laws For Data

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (which replaced the Data Protection Act 1998) are the main legislative frameworks covering how a business or organisation in the UK should manage the protection and handling of data. Within these, the data controller (i.e. you and your company/organisation) holds the responsibility for data matters.

Protecting that data is vitally important both to protect those who the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more.  As well as personal data, your business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.

Threats

In addition to legal responsibilities for data protection, businesses must also address other potential threats as part of due diligence and hopefully, of a built-in company procedure when an employee leaves for whatever reason. For example:

– Damage and Disruption – In addition to the risk of data theft, attacks on a company’s systems and network, which may have been made possible by not having security measures or procedures in place for employees leaving/retiring, can cause costly damage and disruption.

– Insider Threat – One of the dangers of not managing the departure of an employee properly is that your business could then have an ‘insider threat’ i.e. a former employee, contractor or partner with access rights and logins that still work.

Security and Employee Exit

Clearly, there are many areas to be covered to manage employee exit from a security perspective.  Here are some pointers for managing the security aspects of an employee’s departure:

– Email is a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘way in’ for cyber-criminals.  With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important.  Measures that can be taken include revoking access to company email, setting up auto-forwarding and out-of-office replies, while making sure that you mention who the new contact is. Also, it’s important to revoke access to/remove login credentials for other email programs used by the company to communicate with customers and other lists of stakeholders e.g. mass mailing programs with stored lists, such as Mailchimp.

– Company Systems and Networks. Employees have login details and rights/permissions for company computer systems and networks.  These should be revoked for the employee when they leave.

– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.

– Collaborative Working Apps/Platforms and shared, cloud-based, remote working platforms e.g. Teams or Slack also contain direct access to company data. Make sure that a departing employee can no longer have access to these groups.

– If the departing employee has a personal voicemail message on the company phone, this will need to be changed.

– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.

– Retrieval of any backup/storage media e.g. USB drives may also help to prevent some security threats.

– Although it is best to store all online documents in a shared company folder that you have control over e.g. in OneDrive, it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.

– Changing any passwords shared between multiple members of staff is an important measure to take when an employee leaves, whatever policy for periodically changing passwords is in place; better still, replace shared logins with individual accounts wherever the service allows it, so that there is nothing to rotate and every action is attributable.

– If the departing employee was authorised to use company credit/debit cards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.

– Letting the company team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud’, is another way that you can help to close security loopholes.

– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.

– If the employee has been issued with physical documents (e.g. a handbook) that contain information and data that could threaten company security, these need to be retrieved when the employee leaves.

– If the departing employee’s email address and extension feature on the website and/or that employee is shown as being in the role that they are departing from, this needs to be removed from the website. Also, check that company social media doesn’t indicate that the departed employee is still in their role e.g. on LinkedIn and Facebook. You may also wish to make sure that the ex-employee doesn’t feature in the business’s online estate e.g. at the top of the website home page or other prominent pages.
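The list above is the checklist; what catches the cases that slip through it is reconciling the HR leavers list against exports from the directory, each SaaS application and the register of shared credentials. The Python below is an added example (not a product and not the page’s own procedure) that does this over constructed CSV extracts with assumed column names. It reports directory accounts still enabled after the last day, logins after the last day, application seats that survive (distinguishing SSO seats, which die with the directory account, from locally authenticated ones, which do not), and shared secrets the leaver knew that have not been rotated since they left.

```python
"""Reconcile an HR leavers list against directory, SaaS and shared-secret
exports to find access that outlived the employee. Added example with
constructed data; column names and file layouts are assumptions."""
import csv
import io
from datetime import date

HR_LEAVERS_CSV = """\
email,last_day
alice@example.com,2020-04-30
bob@example.com,2020-05-08
dave@example.com,2020-06-01
"""

DIRECTORY_CSV = """\
email,enabled,last_login
alice@example.com,false,2020-04-29
bob@example.com,true,2020-05-11
carol@example.com,true,2020-05-12
dave@example.com,true,2020-05-12
"""

# auth=sso seats are cut off by disabling the directory account; auth=local ones are not.
APP_USERS_CSV = """\
app,email,auth
Mailchimp,bob@example.com,local
Slack,bob@example.com,sso
CRM,alice@example.com,local
Slack,carol@example.com,sso
"""

SHARED_SECRETS_CSV = """\
secret,known_to,last_rotated
twitter-account,alice@example.com;bob@example.com,2020-01-15
office-door-code,carol@example.com;bob@example.com,2020-03-01
"""


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(today, hr=HR_LEAVERS_CSV, directory=DIRECTORY_CSV,
                          apps=APP_USERS_CSV, secrets=SHARED_SECRETS_CSV):
    """Return a list of issues for everyone whose last day is on or before today."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    leavers = {r["email"]: date.fromisoformat(r["last_day"]) for r in rows(hr)}
    gone = {e: d for e, d in leavers.items() if d <= today}
    accounts = {r["email"]: r for r in rows(directory)}
    app_rows, secret_rows = rows(apps), rows(secrets)
    issues = []

    def add(kind, severity, who, detail):
        issues.append({"kind": kind, "severity": severity, "who": who, "detail": detail})

    for email, last_day in gone.items():
        acct = accounts.get(email)
        if acct:
            if acct["enabled"].strip().lower() == "true":
                add("account_enabled", "high", email, "directory account still enabled")
            if date.fromisoformat(acct["last_login"]) > last_day:
                # A login after the last day is the insider-threat case: someone used it.
                add("login_after_exit", "high", email,
                    "logged in on %s, after last day %s" % (acct["last_login"], last_day))
        for seat in app_rows:
            if seat["email"] == email:
                severity = "medium" if seat["auth"] == "sso" else "high"
                add("app_seat", severity, email,
                    "%s seat (%s auth) still assigned" % (seat["app"], seat["auth"]))
        for secret in secret_rows:
            knowers = secret["known_to"].split(";")
            # Rotated on or before the last day means the leaver may still know it.
            if email in knowers and date.fromisoformat(secret["last_rotated"]) <= last_day:
                add("shared_secret", "high", email,
                    "%s not rotated since %s" % (secret["secret"], secret["last_rotated"]))

    order = {"high": 0, "medium": 1}
    issues.sort(key=lambda i: (order[i["severity"]], i["who"], i["kind"]))
    return issues


if __name__ == "__main__":
    for issue in find_offboarding_gaps("2020-05-12"):
        print(issue["severity"].upper(), issue["who"], issue["kind"], "-", issue["detail"])
```

Run against real exports, the useful output is the empty list: anything else is a ticket. Leavers whose last day is still in the future are deliberately skipped so the report can be run daily without noise.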

Responsibility of the Employee

It should not be forgotten that employees who leave or retire from their jobs also have a legal responsibility not to take company data with them. A case in point, from 2019, led the Information Commissioner’s Office (ICO) to warn those retiring or taking a new job that, under the Data Protection Act 2018, employees can face regulatory action if they are found to have retained information collected as part of their previous employment. The case which led to the warning from the ICO related to two former police officers who were investigated under the previous Data Protection Act 1998 after it was alleged that they had retained personal data in the form of notebooks that they had used while serving.

The warning in the ICO’s statement was that the Data Protection Act 1998 has since been strengthened through the Data Protection Act 2018, to include a new element of “knowingly or recklessly retaining personal data” without the consent of the data controller (see section 170 of the DPA 2018).

The only exceptions to this new part of the Act are where retaining the data is necessary for the purposes of preventing or detecting crime, is required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or where it is justified as being in the public interest.

ICO Warning – Retiring or Taking a New Job

The ICO has also warned that anyone who deals with the personal details of others in the course of their work, private or public sector, should take note of this update to the law, especially when employees are retiring or taking on a new job because those leaving or retiring can now be held responsible if the breach of personal data from their previous employer can be traced to their individual actions.

Prosecution Example

Examples of where the ICO has prosecuted for this type of breach of the law include a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his work email account (in February 2017) containing sensitive personal information of 183 people.  Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.

Moving Forwards

Maintaining the company/organisation’s security (physical, data and financial), are vital to its survival.  Making sure that procedures are in place to cover security in the event of ‘employee exit’ could save the company from preventable threats in the future.

Research Indicates Zoom Is Being Targeted By Cybercriminals

With many people working from home due to coronavirus, research by Check Point indicates that cyber-criminals may be targeting the video conferencing app ‘Zoom’.

Domains

Cybersecurity company ‘Check Point’ reports witnessing a major increase in new domain registrations in the last few weeks where the domain name includes the word ‘Zoom’. According to a recent report on Check Point’s blog, more than 1,700 such domains have been registered since the beginning of the year, 25 per cent of them over the past week, and 4 per cent of those recently registered domains have been found to have “suspicious characteristics”.

Concern In The U.S.

The huge rise in Zoom’s user numbers, particularly in the U.S. has also led New York’s Attorney General, Letitia James, to ask Zoom whether it has reviewed its security measures recently, and to suggest to Zoom that it may have been relatively slow at addressing issues in the past.

Not Just Zoom

Check Point has warned that Zoom is not the only app that’s being targeted at the moment as new phishing websites have been launched to pass themselves off as every leading communications application.  For example, the official classroom.google.com website has been impersonated by googloclassroom.com and googieclassroom.com.

Malicious Files Too

Check Point also reports detecting malicious files with names related to the popular apps and platforms being used by remote workers during the coronavirus lockdown. For example, malicious file names observed include “zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# is used here to represent digits). Once these files are run, the InstallCore PUA (potentially unwanted application) is loaded onto the victim’s computer. InstallCore is a program that can be used by cyber-criminals to install other malicious programs on a victim’s computer.

Suggestions

Some ways that users can protect their computers/devices, networks and businesses from these types of threats, as suggested by Check Point, include being extra cautious with emails and files from unfamiliar senders, not opening attachments or clicking on links in emails (phishing scams), and by paying close attention to the spelling of domains, email addresses and spelling errors in emails/on websites.  Check Point also suggests Googling the company you’re looking for to find their official website rather than just clicking on a link in an email, which could redirect to a fake (phishing) site.
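One practical form of “paying close attention to the spelling of domains” is to score newly seen hostnames against the brands they might be imitating. The Python below is an added example, not Check Point’s classifier or research code, and covers the examples in both Zoom articles on this page (googloclassroom.com and googieclassroom.com above, the Teams and Meet lookalikes earlier): it folds a few common homoglyph swaps, flags brand keywords appearing in domains the brand does not own, and measures similarity to the legitimate names with difflib. The allowlist, keyword list, homoglyph table and 0.85 threshold are assumptions chosen for illustration, and a public-suffix list would be needed for names such as example.co.uk.

```python
"""Score hostnames for impersonation of the collaboration brands named on
this page. Added example, not Check Point's classifier. The allowlist,
keyword list, homoglyph table and threshold are assumptions."""
from difflib import SequenceMatcher

# Domains the brands genuinely operate (assumed allowlist; extend as needed).
LEGIT_DOMAINS = {"zoom.us", "microsoft.com", "google.com"}

# Brand words whose presence in a domain the brand does not own is suspicious.
BRAND_KEYWORDS = ("zoom", "teams", "classroom", "google", "microsoft")

# Second-level names that typosquats try to resemble.
LOOKALIKE_TARGETS = ("zoom", "googleclassroom", "googlemeet", "microsoftteams")

# Visually similar substitutions, folded away before comparing.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

LOOKALIKE_THRESHOLD = 0.85  # assumed; difflib ratio, 1.0 means identical


def normalise(host):
    """Lower-case, drop a trailing dot and decode punycode labels so that
    IDN lookalikes are compared as text."""
    host = host.strip().lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host


def fold(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def analyse_domain(host):
    """Return None for an allowlisted or unremarkable host, otherwise a dict
    with a score and the reasons it was flagged."""
    host = normalise(host)
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    labels = host.split(".")
    # Assumes a single-label public suffix; example.co.uk would need a PSL lookup.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    folded = fold(sld)
    reasons, score = [], 0

    if folded != sld:
        reasons.append("homoglyph substitution in %r" % sld)
        score += 1
    for label in labels[:-1]:  # every label except the TLD, so subdomain tricks count too
        for kw in BRAND_KEYWORDS:
            if kw in fold(label):
                reasons.append("brand keyword %r in label %r" % (kw, label))
                score += 1
    for target in LOOKALIKE_TARGETS:
        ratio = SequenceMatcher(None, folded, target).ratio()
        if folded != target and ratio >= LOOKALIKE_THRESHOLD:
            reasons.append("lookalike of %r (similarity %.2f)" % (target, ratio))
            score += 2
    if not reasons:
        return None
    return {"domain": host, "score": score, "reasons": reasons}


def triage(hosts):
    """Flagged hosts only, highest score first."""
    flagged = [r for r in map(analyse_domain, hosts) if r]
    return sorted(flagged, key=lambda r: -r["score"])


if __name__ == "__main__":
    # Constructed list mixing the page's examples with legitimate names.
    sample = ["classroom.google.com", "googloclassroom.com", "googieclassroom.com",
              "zoom.us", "zoom-us-download.com", "g00gle-classroom.com",
              "zoom.us.login-verify.net", "example.com"]
    for r in triage(sample):
        print(r["score"], r["domain"], "; ".join(r["reasons"]))
```

Fed a daily feed of newly registered domains, triage() gives a list to block or watch; the keyword rule on its own is noisy (any "zoom" in a hostname), so the score is what ranks a plain mention below a near-miss of the real name.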

What Does This Mean For Your Business?

This research highlights how cyber-criminals are always quick to capitalise on situations where people have been adversely affected by unusual events and where they know people are in unfamiliar territory.  In this case, people are also divided geographically and are trying to cope with many situations at the same time, may be a little distracted, and may be less vigilant than normal.

The message to businesses is that the evidence from security companies that are tracking the behaviour of cyber-criminals is that extra vigilance is now needed and that all employees need to be very careful, particularly in how they deal with emails from unknown sources, or from apparently known sources offering convincing reasons and incentives to click on links or download files.

Cybercriminals Hijacking Netflix and Other Streaming Accounts

It has been reported that the surge in the use of streaming music and video services has been accompanied by a surge in the number of user accounts being taken over by cybercriminals.

Entertainment During Isolation

Self-isolation and the instruction to stay at home during the next few weeks in the COVID-19 crisis has meant that many people have turned to streaming services like Amazon Prime Video, Netflix, Spotify and Apple Music. In fact, the demand has been so high that many streaming and social media platforms have reduced the bit rate of videos in order to make sure that services can still be delivered without taking up too much bandwidth.

Stealing and Selling Your Credentials

Security company Proofpoint has now warned that cybercriminals are taking advantage of this increase in demand for streaming services by stealing the valid credentials of users and selling them online.  This means that someone else may be piggybacking off a user’s streaming account without them even knowing it.  When the account credentials are sold online (for a much lower price than normal accounts), the seller gives instructions to the buyer not to try and change the login details of the account.

How?

For cybercriminals to hijack streaming accounts, they first need to steal the legitimate credentials of existing users. Proofpoint has reported that this is achieved by using methods such as:

Keyloggers and information stealers – software that has been unwittingly downloaded, that is able to record keystrokes to discover logins and other valuable personal data.

Phishing attacks – convincing emails from bogus sources that persuade users to click on a link that re-directs them, leading to login credentials and financial information being stolen and/or malicious software being loaded onto their computer/device.

Credential stuffing – where logins stolen in cyber-attacks on other sites/platforms, and sold on to other cybercriminals, are tried on other websites in the hope that the user has been sharing passwords (using the same login for multiple websites).

How Do You Know?

The ways to tell whether your streaming account is being piggybacked include checking the settings to view which devices are connected to the account, checking previous activity on the account and activating the options that notify you each time a new device connects to your account.

Protection

Since the ability to hijack a streaming account relies on the ability to steal login details, following basic data security and hygiene can dramatically reduce the risk to users. For example, using strong and unique passwords, not sharing passwords between different websites/platforms, using a good password manager, keeping anti-virus software and patches up to date, keeping systems and browsers up to date, and not clicking on links or attachments in unexpected emails may help protect against this and other similar crimes.

What Does This Mean For Your Business?

Cybercriminals are quick to take advantage of a crisis or a trend and are always keen to find easy, low-risk ways to get money and personal details.  In this case, adhering to relatively basic security best practice can prevent you from falling victim to this and many other cyber-crimes.

Sadly, this is not a new situation.  For example, a CordCutting.com report from last year suggested that around 20 per cent of people who watch a paid-for video streaming service are using someone else’s account.

Now that streaming services are experiencing a surge in users and are very much in the spotlight, it may be a good time for those services to tackle some of the long-running security concerns and to reassure users that they are taking some responsibility for making it much more difficult for others to piggyback accounts.

Featured Article – Maintaining Security During The COVID-19 Health Crisis

The current global health crisis may bring many different IT security challenges to businesses and organisations and this article highlights some of the ways that you can prepare to keep IT security covered as best you can at this difficult time.

Larger and Smaller Businesses – Some Different Challenges

Larger organisations may be at an advantage as they may already have policies, procedures, equipment and security arrangements in place for remote working, although they may find themselves more stretched as many more staff work from home than usual.

Smaller businesses and organisations, however, may be less well used to and equipped for suddenly having to send staff home to work. This means that they may have a lot more work to do now in order to prepare, and their IT personnel will find themselves needing to prioritise and be prepared to provide more on-demand support over the coming weeks.

Guide

Even though larger and smaller companies may have different challenges on a different scale, here is a brief guide incorporating a list of suggestions that could help many businesses and organisations to stay secure while employees, contractors and other stakeholders are working remotely:

– Alert all staff to the possibility of email-borne threats and other social engineering attacks.  For example, over the last few weeks, cybercriminals have been sending COVID-19 related phishing emails e.g. bogus workplace policy emails, emails purporting to be from a doctor offering details of a vaccine/cure, emails with a promise of a tax refund and more.  The message to employees should be to not open unfamiliar emails and certainly don’t click on any attachments or links to external pages from any suspect emails.

– Make sure that any software and software-based protection used by employees working from home is secure and up to date.  For example, this could include making sure their devices have up-to-date operating systems and browsers, that firewall and anti-virus software is installed and up to date, and that employees install any new updates as soon as possible.

– Ensure that any devices used by employees are managed, secure (have downloaded trusted security apps), have appropriate protection e.g. data loss protection, updated anti-malware, and a capacity to be centrally monitored if possible. Ensure that all devices, including employee mobiles (which can carry confidential information), are password-protected, and can encrypt data to prevent theft.

– Monitor the supply chain arrangements where possible.  If a supplier is geographically remote, for example, and if the Covid-19 crisis has left a supplier short of qualified IT and/or security staff, or if contract staff, cover staff or unfamiliar staff members have been brought in to replace staff members (particularly in accounts), this could present a security risk.  Taking the time to conduct at least basic checks on who you are dealing with could prevent social engineering, phishing and other security threats, and exercising caution and offering your own known secure channel suggestions where suppliers may be short of IT-security staff could help to maintain your company’s security posture.

– Although employees are likely to stay at home in the current situation, you will still need to make sure that they are made aware of your policy about accessing information on public or unsecured networks e.g. using a VPN on mobile devices to encrypt data.

– Make sure you have a 24-hour reporting procedure for any stolen or lost equipment/devices.

– Pay attention to user identity management. For example, have a user account for each employee, and give appropriate access to each employee.  This should help to prevent unauthorised access by other persons.  Also, control which programs and data each employee has access to, and which level of user rights they have on certain platforms.

– Make employees aware that they must use only strong, unique passwords to sign in to your network, and that these details should be changed regularly e.g. every 3 months.  Also, make sure that multi-factor authentication is used by employees.

– Stay on top of managing the workforce and general daily operations.  For example, make sure that key IT staff are available at all times, communication channels and procedures are clear and functioning, handover procedures are covered, any sickness (which looks likely) can have cover planned, and that productivity targets can be met despite remote working.

– Remind employees that they still need to comply with GDPR while working remotely and ensure that help and advice are available for this where needed.

– Use this experience to keep the company’s disaster recovery and business continuity plans up to date.

– Schedule regular, virtual/online meetings with staff and ensure that all employees have the contact details of other relevant employees.

– If you’re not already using a collaborative working platform e.g. Teams or Slack, consider the possibility of introducing this kind of working to help deal with future, similar threats.

Looking Forward

At this point, the country, businesses, and many individuals are thinking more about survival strategies, but taking time to ensure that IT security is maintained is important in making companies less vulnerable at a time when operations don’t follow normal patterns and when many cybercriminals are looking to capitalise on any weaknesses caused by the COVID-19 health emergency.

Cybercriminals Take Advantage of Covid-19 Outbreak With Phishing Emails

Some cybercriminals have already taken advantage of the fear surrounding the Covid-19 outbreak by sending out phishing emails that promise cures, seek donations, or heighten panic in order to extract personal data and money.

Phishing For Fear

Cybercriminals rely on exploiting human error that’s often driven by emotional responses.  The coronavirus outbreak has, therefore, provided scammers with a near-perfect opportunity to exploit the heightened level of fear and to offer things that will take that fear and panic away as a motivation for a person to click on a link.  Clicking on a link in a phishing email, however, can result in malicious software being loaded onto your device that allows cybercriminals to take control of your computer, log keystrokes, gain access to your personal information and financial data (for theft and identity theft), or simply direct you to a payment page.

Examples

Examples of the kinds of coronavirus-related phishing emails which have been spotted over the last couple of weeks, and could be coming to an inbox near you, include:

– As reported by Proofpoint, an email purporting to be from a doctor offering details of a vaccine cure that’s been kept secret by the Chinese and UK governments.  Clicking on the link promises access to the vaccine cure details.

– Workplace policy emails that target employees in a specific company/organisation and encourage them to click on a link that will take them to their company’s Disease Management Policy.  Clicking on the link will, in fact, download malicious software that can provide a way into the company network.

– As reported by Mimecast, using the promise of a tax refund for coronavirus, directing the target to click on a link to input all their financial and tax information and with the lure of gaining access to (bogus) funds.

– Asking for donations for a fake campaign to fund the fast development of a Covid-19 vaccine.  In this scam, the victim is directed to a bitcoin payment page.

– As reported by Proofpoint, an email purporting to be from the World Health Organization (WHO) that offers a fake document with information about preventing the spread of coronavirus, where clicking on the link actually leads to the downloading of keylogging software (criminals can track your keystrokes to uncover passwords).

– Emails that exploit feelings of panic, such as an email that claims that Covid-19 has become airborne and asks the target to click on a link to a fake Microsoft login page.

Spotting Phishing Emails

Many phishing emails have giveaways that you can spot if you know what you’re looking for.  Examples of ways in which you can identify a phishing email include:

– Legitimate sources such as government agencies are very unlikely to request personal and financial information by email.

– Beware of generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.

– Mistakes in spelling and grammar can be signs of scam emails.

– Check where a link really leads by hovering your mouse (without clicking!) over it. The destination address that appears can quickly reveal whether the email is genuine.

– Beware of heavy emotional appeals that urge you to act immediately.  These are signs of scam emails that hope to bypass your reasoning and tap into an emotional response.
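The "hover over the link" check above can be automated for a whole mailbox: the visible link text is what the reader sees, the `href` is where the browser actually goes, and a mismatch between the two is one of the most reliable phishing giveaways. The following is an added example written for this article, not code from Proofpoint, Mimecast or any mail product; the HTML message it scans is constructed, and `example.net`/`example.org` are placeholder attacker hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: link 1 displays a genuine NHS URL but points
# elsewhere; link 2 uses urgency wording; link 3 is an honest link.
SAMPLE_PHISHING_HTML = """
<p>Dear Customer,</p>
<p>Your account has been locked. Click
<a href="http://login-verify-account.example.net/secure">https://www.nhs.uk/conditions/coronavirus-covid-19/</a>
to restore access immediately.</p>
<p>Tax refund available: <a href="https://hmrc-refund.example.org/claim">claim here</a></p>
<p>Official guidance: <a href="https://www.who.int/health-topics/coronavirus">https://www.who.int/health-topics/coronavirus</a></p>
"""

URGENCY_WORDS = re.compile(r"\b(claim|refund|verify|account|login|password|urgent|immediately)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Compare on the last two labels (nhs.uk, example.net); crude but enough for mismatches."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_deceptive_links(html):
    """Return (href, visible text, reason) for links a reader should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        # If the visible text itself looks like a URL or domain, that is what the user 'reads'.
        shown = re.match(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/|$)", text)
        if shown:
            shown_host = shown.group(1)
            if registrable_part(shown_host) != registrable_part(target_host):
                findings.append((href, text, f"text shows {shown_host} but link goes to {target_host}"))
        elif URGENCY_WORDS.search(text):
            findings.append((href, text, "action-urging link text"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_PHISHING_HTML):
        print(f"{reason!s:60} [{text!r} -> {href}]")
```

The domain comparison is deliberately simple (it ignores multi-part public suffixes such as `co.uk`), so treat a hit as a prompt for a human to look, not as proof of phishing; the honest WHO link in the sample produces no finding.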

What Does This Mean For Your Business?

Scammers often use phishing emails when there is/has been a recent crisis, when there’s been fraud/cybercrime that’s affected lots of people, or on other such events to take advantage of those who are looking for help and answers.  Scammers know that where emotions are strong and where they can tap into that by offering relief from negative feelings and by saying what people want to hear, they are more likely to achieve their aims.

In the case of coronavirus, although companies and organisations are issuing statements related to it, the best advice is to simply check the information that is given out through trusted, official sites such as the NHS https://www.nhs.uk/conditions/coronavirus-covid-19/, the World Health Organisation https://www.who.int/health-topics/coronavirus, and via trusted TV and radio stations.

Crisis or not, always exercise caution when you receive emails from unknown or unusual sources and remember that government agencies and financial institutions don’t send out emails asking for personal and financial information.

Companies also need to alert employees, many of whom may soon be working from home and may have a reduced ability to quickly ask the boss or manager about certain emails, to the threat of phishing emails with a Covid-19 theme and to the threat of social engineering attacks that could take advantage of a physically divided and reduced workforce.

Facebook Sued Down-Under For £266bn Over Cambridge Analytica Data Sharing Scandal

Six years after the personal data of 87 million users was harvested and later shared without user consent with Cambridge Analytica, Australia’s privacy watchdog is suing Facebook for an incredible £266bn over the harvested data of its citizens.

What Happened?

Between March 2014 and 2015, the ‘This Is Your Digital Life’ app, created by British academic Aleksandr Kogan, was downloaded by 270,000 people and was thereby able to harvest from Facebook not only their own personal data but that of their friends too.

The harvested data was then shared with (sold to) data analytics company Cambridge Analytica, in order to build a software program that could predict and use personalised political adverts (political profiling) to influence choices at the ballot box in the last U.S. election, and for the Leave campaign in the UK Brexit referendum.

Australia

The lawsuit, brought by the Australian Information Commissioner against Facebook Inc alleges that, through the app, the personal and sensitive information of 311,127 Australian Facebook Users (Affected Australian Individuals) was disclosed and their privacy was interfered with.  Also, the lawsuit alleges that Facebook did not adequately inform those Australians of the manner in which their personal information would be disclosed, or that it could be disclosed to an app installed by a friend, but not installed by that individual.  Furthermore, the lawsuit alleges that Facebook failed to take reasonable steps to protect those individuals’ personal information from unauthorised disclosure.

In the lawsuit, the Australian Information Commissioner, therefore, alleges that the Australian Privacy Principle (APP) 6 has been breached (disclosing personal information for a purpose other than that for which it was collected), as has APP 11 (failing to take reasonable steps to protect the personal information from unauthorised disclosure).  Also, the Australian Information Commissioner alleges that these breaches are in contravention of section 13G of the Privacy Act 1988.

£266 Billion!

The massive potential fine of £266 billion has been arrived at by multiplying the maximum of $1,700,000 (£870,000) for each contravention of the Privacy Act by the 311,127 Australian Facebook Users (Affected Australian Individuals).

What Does This Mean For Your Business?

Back in July 2018, 16 months after the UK Information Commissioner’s Office (ICO) began its investigation into Facebook’s sharing of users’ personal details with political consulting firm Cambridge Analytica, the UK’s ICO announced that Facebook would be fined £500,000 for data breaches.  This Australian lawsuit, should it not go Facebook’s way, represents another in a series of such lawsuits over the same scandal, but the £266 billion figure would be a massive hit and would, for example, totally dwarf the biggest settlement to date against Facebook of $5 billion to the US Federal Trade Commission over privacy matters.  To put it in even greater perspective, an eye-watering potential fine of £266 billion would make the biggest GDPR fine to date of £183 million to British Airways look insignificant.

Clearly, this is another very serious case for Facebook to focus its attention on, but the whole matter highlights just how seriously data security and privacy are now taken and how they have been written into different national laws with very serious penalties for non-compliance attached. Facebook has tried hard since the scandal to introduce and publicise many new features and aspects of its service that could help to regain the trust of users, both in its platform’s safeguarding of their details and in stopping fake news from being distributed via its platform.  This announcement by the Australian Information Commissioner is, therefore, likely to be an extremely painful reminder of a regrettable period in the tech giant’s history, not to mention a potential threat to Facebook.

Those whose data may have been disclosed, shared and used in a way that contravened Australia’s laws may be pleased that their country is taking such a strong stance in protecting their interests, and this may send a very powerful message to other companies that store and manage the data of Australian citizens.

Billions Of Devices At Risk Due To Wi-Fi Chip Vulnerability

A security threat to devices, Wi-Fi access points (APs), and routers that comes from the Kr00k Wi-Fi chip vulnerability could affect billions according to security researchers.

Kr00k

The existence of Kr00k, also known by the catchy name of CVE-2019-15126, was made public at the recent RSA Conference in San Francisco and its discovery was attributed to ESET security researchers Miloš Čermák, Robert Lipovský and Štefan Svorenčík.

Broadcom and Cypress Chips

According to the researchers, the Kr00k vulnerability is present in Wi-Fi chips manufactured by Broadcom and Cypress.  These chips are present in billions of devices and, before many major manufacturers developed and released patches, the kinds of devices that were at risk included home smart speakers (Amazon Echo), Kindles, smartphones (Apple iPhone and Samsung Galaxy), the Raspberry Pi 3 and many Wi-Fi routers and access points that have Broadcom chips.

What Could Happen?

The Kr00k vulnerability could allow attackers to decrypt Wi-Fi traffic, thereby gaining access to data. Kr00k does this by forcing an extended disassociation period in Wi-Fi devices, disassociation being the temporary disconnection that occurs when a device moves between access points or when there is a low signal. In this period, the vulnerable chip resets the encryption key used to secure packets to an all-zero value, so any frames sent under that key can be decrypted by anyone who captures them.

This kind of attack, however, may not be as easy as it sounds because attackers would need to be within close range of their target’s Wi-Fi network.

Related to Krack

Some security commentators have noted that Kr00k is related to KRACK, discovered in 2017, a vulnerability that was also a threat to devices that connected using Wi-Fi and that also required attackers to be in close proximity to the Wi-Fi network.  KRACK was found to be a vulnerability in the Wi-Fi Protected Access 2 (WPA2) protocol.

What Does This Mean For Your Business?

The security researchers who discovered Kr00k shared their findings with the relevant manufacturers early on, which meant that the major manufacturers were able to quickly develop and release patches, thereby significantly reducing the scale of the threat posed by Kr00k.  Also, the need for attackers to be in close proximity to a Wi-Fi network to exploit the vulnerability is unlikely to be particularly attractive to many cybercriminals, who prefer methods that allow maximum financial gain with minimum effort and that keep them a long distance from their targets in a way that cannot be traced back to them.

Additionally, in this case, even though it is technically possible for attackers to use the disassociation period to decrypt Wi-Fi traffic, much of the data that they would be intending to steal (any web traffic sent over HTTPS, for example) is additionally encrypted with TLS, so stripping the Wi-Fi encryption alone does not expose it.
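To make concrete why an all-zero key is so damaging (the "What Could Happen?" paragraph above) and why a TLS layer still protects web traffic underneath it (this paragraph), here is an added teaching model, not ESET's research code and not an implementation of WPA2's CCMP. It uses a SHA-256 based counter-mode stream cipher in place of AES-CTR; the only property it relies on is the real one: the keystream is a function of the key, a nonce carried in the clear in the frame header, and a counter. `SESSION_KEY`, `APP_KEY` and the frame layout are assumptions for the demonstration.

```python
import hashlib
import os

NONCE_LEN = 12  # nonce is sent in the clear at the start of every frame (constructed layout)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: SHA-256(key || nonce || counter), block by block.
    Anyone who knows the key and reads the nonce from the frame can regenerate it."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Frame = clear-text nonce || payload XOR keystream."""
    return nonce + xor(payload, keystream(key, nonce, len(payload)))


def passive_decrypt(frame: bytes, key_guess: bytes) -> bytes:
    """What a bystander who merely captured the frame gets back when trying a key."""
    nonce, body = frame[:NONCE_LEN], frame[NONCE_LEN:]
    return xor(body, keystream(key_guess, nonce, len(body)))


SESSION_KEY = os.urandom(16)   # the real pairwise key negotiated in the WPA2 handshake (constructed)
ZERO_KEY = bytes(16)           # the value the affected chip falls back to during disassociation
APP_KEY = os.urandom(16)       # stands in for a TLS session key the Wi-Fi layer never sees (constructed)


def demo_kr00k(payload: bytes, nonce: bytes = b"\x00" * NONCE_LEN):
    """Return what an eavesdropper recovers from (a) a normally keyed frame and
    (b) a frame the chip encrypted after its key was reset to all zeros.
    The eavesdropper has no secret, so the only key it can try is the zero key."""
    normal_frame = encrypt_frame(SESSION_KEY, nonce, payload)
    reset_frame = encrypt_frame(ZERO_KEY, nonce, payload)
    return passive_decrypt(normal_frame, ZERO_KEY), passive_decrypt(reset_frame, ZERO_KEY)


def demo_with_tls(payload: bytes):
    """Same zero-key frame, but the payload was already encrypted at the application
    layer (HTTPS). Return (link layer stripped?, plaintext visible?)."""
    inner = encrypt_frame(APP_KEY, b"\x02" * NONCE_LEN, payload)   # TLS-like record
    frame = encrypt_frame(ZERO_KEY, b"\x01" * NONCE_LEN, inner)     # Wi-Fi frame after key reset
    stripped = passive_decrypt(frame, ZERO_KEY)
    return stripped == inner, payload in stripped


if __name__ == "__main__":
    good, reset = demo_kr00k(b"password=hunter2")
    print("normally keyed frame, zero-key attempt:", good)
    print("frame sent after key reset, zero-key attempt:", reset)
    print("with TLS underneath (link stripped, plaintext visible):", demo_with_tls(b"GET /account"))
```

The model shows the two facts the article states: with the session key intact, a captured frame decrypts to noise, while a frame encrypted under the all-zero key decrypts with no secret at all; and when the payload is itself a TLS record, stripping the Wi-Fi layer only yields another ciphertext. It says nothing about how the disassociation is triggered, which is the part the vendor patches close.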