Tag: security

May 02, 2019

“BERN” App Divulges 150 Million Voter Records

The future of community organizing or the latest flagrant violation of online privacy? That’s the debate currently raging over the Bernie Sanders presidential campaign’s roll-out of its new “BERN” application. The campaign positions it as a new organizing tool that assists volunteers in tracking potential supporters – permitting them to log the name and background of anyone they talk to: from friends and family members to complete strangers on the street. But skeptics argue that the database of personal information could open non-supporters up to harassment. While a sizable proportion of the data the app requests is publicly available for savvy political operatives who know where to look, critics say that having the data neatly compiled — while not giving people a way to opt out of it — presents online and offline safety concerns. So how did this hotly debated application expose private information of up to 150,000,000 American voters? It seems that an error in the app’s source code caused personal voter identification numbers to be exposed for several hours before ultimately being corrected. Visitors to the website could simply use the F12 Developer Tools shortcut to inspect HTML elements, displaying results like this: (personal information redacted to protect user privacy) Defenders of the application note that information like this has long been accessible by campaigns through the use of CRM tools like NGP VAN and others. However, opponents argue that there are some important caveats. Traditionally, campaign staff using the above tools are limited to data about the precincts they work in, data packets are coded, and personnel are monitored – the BERN app contained no such restrictions. Publishing voter files online is illegal in every state – and for good reason. In some states, voter ID numbers are identical to other identifying numbers like those found on Driver’s Licenses or Social Security cards. This is deeply troubling as hackers and criminals could use these legitimate records to make counterfeit IDs and subsequently use them to open bank accounts and commit other types of fraud. Setting aside critical identifiers like Social Security numbers, the exposed information such as a user’s age, residence, gender, zip code and other “banal” data can be cross-referenced with personal records already compromised on the Dark Web. For example, a cybercriminal typically purchases stolen credit card information on the Dark Web for less than $10 per record. To carry out an online purchase, a hacker would have to know your address and ZIP code – and thanks to the BERN leak, this information is already out there. For in-store purchases, a hacker could simply clone your credit card and, in the rare case that a store associate asks for a photo ID, use the Driver’s License number found on BERN to create a convincing and scannable counterfeit ID. (sample Dark Web advertisement for stolen credit card information) So how do you protect yourself from becoming a victim of identity theft? Organizations have proved time and time again that they are unable to ensure complete security of your personal information; therefore, it would benefit private citizens to enroll in an Identity Monitoring service. By enlisting the help of a trusted provider, online users can monitor their credit cards, driver’s license, Social Security number, medical records and even their passwords – and be alerted when they are for sale on the Dark Web, the world’s largest marketplace for stolen information. ID Agent provides a robust suite of services to address the risks faced by MSPs and that of their SMB clients. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.

Read More
April 26, 2019

Game of Thrones: An SMB Cybersecurity Analogy

***SPOILER ALERT: this article contains some plot details up to Season 8, episode 2*** The epic struggle of Jon Snow, Daenerys Targaryen and their fragile coalition of allies against the looming undead army of White Walkers bears a striking resemblance to the growing specter of cyberthreats against small to medium sized businesses in recent years. So how do you make people care about cybersecurity as much as they care about who will reign supreme over Westeros? Simple – frame these threats in the fantastical terms they already understand from Sunday nights watching HBO. Westeros as an SMB Westeros, the fictional continent where much of the show’s action takes place, is an excellent metaphor for your organization’s IT environment. It has a clear perimeter as an island surrounded by water and contains significant assets – food, weapons, livestock, infrastructure and its citizens (just as a business owns personal data, payment information, intellectual property and other sensitive material). While there is some warring between the Lannisters, Starks and other houses, it’s helpful to think of them as various departments within the same organization – jockeying for resources, much as different business units might fight for limited budget. A united Seven Kingdoms allows us to recognize the true existential threat to the security and prosperity of Westeros’s inhabitants – the White Walkers. The most direct cybersecurity parallel to this horde of undead would be a malware botnet. A botnet is a collection of internet-connected devices such as computers, smartphones or IoT devices whose security has been breached and control ceded to a third party (the ice-cold third party being The Night King in this scenario). Much like The Night King is able to raise his victims from the dead to join his ranks, hackers are able to fool unsuspecting users by implanting and executing malware on their devices, oftentimes through advanced phishing attacks, to take control of them. This malware could restrict access to business-critical systems for a ransom and harvest user credentials to grant hackers access to financial resources — two techniques that could potentially bankrupt an SMB. The hacker can also use infected devices to carry out ever larger-scale attacks, such as Distributed Denial of Service (DDoS) attacks against your website. As we learned in the latest episode of Game of Thrones, The Night King is seeking to launch a DDoS attack on Westeros and beyond, with the goal of permanently shutting down the living. Another similarity that Game of Thrones superfans will appreciate: neither the White Walkers nor hacking tools were originally conceived with destructive purposes in mind. The White Walkers were originally human-like figures created with magic by the Children of the Forest to protect them from the First Men. They were defense weapons created with good intentions that eventually became so powerful, they threatened all of humanity. Similarly, cyberweapons like StuxNet were originally developed as tools of defense to limit the advances of Iran’s nuclear program, but have since fallen into the hands of third-party criminal groups, who continue to leverage the techniques that made StuxNet possible. Speaking of hacking tools that were previously only available to national governments but are now utilized by criminals, the White Walkers currently have access to more powerful resources than ever before – namely, a terrifying ice-fire-breathing dragon. This parallels the now widespread use of tools like those released by The Shadow Brokers in 2016. The exploit EternalBlue, developed by the NSA in the name of national security and leaked by The Shadow Brokers, was used in the infamous worldwide WannaCry attack that affected over 200,000 computers across 150 countries. Similar to the defense measures that many SMBs implement, Westeros has indeed taken steps to protect itself from the murderous throngs of ice zombies to their north. The most notable example of this would be The Wall. 300 miles long, 700 feet tall and fortified with ancient magic, this rock-solid ice wall could most easily (and ironically) be compared to a Firewall. It’s the first line of defense against intruders, and it takes a Night’s Watch of IT Administrators to maintain it, guard it and analyze for vulnerabilities. As any cybersecurity professional knows, a firewall is a significant defense but can be bypassed by a savvy hacker who knows how to exploit human error, compromised credentials and unpatched applications (or in GoT, by a savvy zombie sociopath with a seemingly unstoppable ice dragon). How to fight back So what can be done to keep your digital kingdom safe? First, you want to make sure your organization’s leadership isn’t like Cersei Lannister – Queen of the Seven Kingdoms who is unwilling to address the existential threat from the North. Much like the wise Maesters of the Citadel, you’ll need to educate decision-makers about the consequences of inaction. For example, 60% of SMBs go bankrupt within the first 6 months following a major cyber incident. Because the vast majority of data breaches are due to human vulnerability and compromised credentials, you’ll want to focus on cybersecurity best practices; these practices are your weapons forged from dragon-glass and Valyrian steel – the only ones proven to be effective against White Walkers. Just as Arya Stark is lethally trained by the Faceless Men, make sure your employees are trained to recognize phishing attempts that may contain malicious files or requests. You’ll also want your very own Three-Eyed Raven. That’s to say, you will want to implement a Dark Web Monitoring service to detect when your users’ credentials are compromised on the Dark Web. Leveraging visibility of your business’s weak spots will give you a *Stark* advantage against hackers (pun very much intended). Be sure to implement strong password phrases and modify them on a regular basis. Lastly, enlist the help of a dragon of your own. Managed Service Providers are a powerful resource for SMBs, armed with knowledge and experience in fighting off cybercriminals. A reputable MSP who focuses on the above techniques like Security Awareness Training and Dark Web Monitoring will be a fiery champion for your digital realm. ID Agent provides a robust suite of services to address the risks faced by MSPs and that of their SMB clients. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind. Send us a raven to schedule a demo today!

Read More
April 19, 2019

All the Cyber Revelations from The Mueller Report

The long-awaited Mueller Report was published yesterday – a 488-page document outlining Russian interference in the 2016 election, possible ties to the Trump campaign and subsequent efforts to obstruct justice. While the report leaves political conclusions up to interpretation, one fact is very clear from its findings – Russian state-sponsored hackers deployed a variety of techniques to infiltrate not only the Clinton campaign, but also election-adjacent entities as well. Below, we recap all the cyber-related revelations found in the report. Spearphishing: The Path of Least Resistance Beginning in March 2016, units of the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) hacked the computers and email accounts of organizations, employees, and volunteers supporting the Clinton campaign, including the email account of campaign chairman John Podesta. They did so by sending hundreds of spearphishing emails to the work and personal email accounts of Clinton campaign employees and volunteers. Between March 10, 2016 and March 15, 2016, Unit 26165, more commonly known as “Fancy Bear,” appears to have sent approximately 90 spearphishing emails to email accounts at hillaryclinton.com. Starting on March 15, 2016, the GRU began targeting Google email accounts used by Clinton Campaign employees, along with a smaller number of dnc.org email accounts. By no later than April 12, 2016, the GRU had gained access to the Democratic Congressional Campaign Committee (DCCC) computer network using the credentials stolen from an employee who had been successfully spearphished the week before. Over the following weeks, the GRU traversed the network and stole network access credentials along the way (including those of IT administrators with unrestricted access to the system). In total, the GRU compromised approximately 29 different computers on the DCCC’s network. Approximately six days after first hacking into the DCCC’s network, on April 18, 2016, GRU officers gained access to the Democratic National Committee (DNC) network via a virtual private network (VPN) connection between the DCCC and DNC networks. Over the next 2 months, Unit 26165 compromised more than 30 computers on the DNC network, including the DNC mail server and shared file server. In addition to infiltrating the networks of the DNC, DCCC and Clinton campaign, Russia also utilized advanced spearphishing attacks to compromise public officials involved in election administration and personnel at companies involved in voting technology. In August 2016, GRU officers targeted employees of a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network. Similarly, in November 2016, the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer. Malware: Credential Harvesting and Document Transfer Unit 26165 implanted on the DNC networks two types of customized malware known as “X-Agent” and “X-Tunnel”. They also employed Mimikatz, a credential-harvesting tool and rar.exe, a tool used in these intrusions to compile and compress materials for exfiltration. X-Agent was a multi-function hacking tool that allowed Unit 26165 to log keystrokes, take screenshots, and gather other data about the infected computers (file directories, operating systems, etc.) These sessions were captured as GRU officers monitored work on infected computers regularly between April 2016 and June 2016. Data captured in these keylogging sessions included passwords, internal communications between employees, banking information, and other sensitive personal information. X-Tunnel was a hacking tool that created a connection between the infected computers and GRU-controlled computers outside the DNC networks that was capable of large-scale data transfers. GRU officers then used X-Tunnel to exfiltrate stolen data from the Victim computers – just short of 400 gigabytes of private data in total. The stolen documents included internal strategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees – these materials were ultimately released by Wikileaks in July 2016. SQL Injections By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. They targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code is sent to the state or local website in order to run commands (such as exfiltrating the database contents). In one instance, in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the website. The GRU then gained access to a database containing information on millions of registered Illinois voters and extracted data related to thousands of U.S. voters before the malicious activity was identified. GRU officers continued to scan state and local websites for vulnerabilities. For example, over a two-day period in July 2016, GRU officers scanned for vulnerabilities on websites of more than two dozen states. Key Takeaways Human vulnerability and compromised credentials remain the easiest techniques for compromising an organization’s information systems. The attacks on the various victims demonstrate a continuing trend in state-sponsored actors engaging in cyber-espionage – another example can be found in the recent Wipro breach. Organizations should emphasize security awareness training for their employees in order to prepare them to identify and recognize phishing attempts. Properly trained personnel are far less likely to acquiesce to fraudulent requests or open malicious attachments in e-mail communications – the most commonly employed tactic identified in the Mueller Report. This type of vigilance remains a challenge as hackers gain access to legitimate e-mail accounts of colleagues – highlighting the importance of credential monitoring to detect and react when an organization’s usernames and passwords have been compromised. ID Agent provides a robust suite of services to address the risks highlighted in the Mueller Report. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used by Russian hackers to infiltrate systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.

Read More
April 18, 2019

The Wipro Breach: A Demonstration of Third-party and Supply Chain Risk

Advanced phishing and supply chain vulnerabilities – these seem to be the successful attack vectors that hackers have used to compromise Wipro, an Indian multinational corporation that provides information technology, consulting and business process services. Notable security researcher, Brian Krebs, reports confirmation that a nation-state actor had been inside the company’s systems for months, identifying opportunities to attack its vast customer base – currently, at least a dozen of the firm’s clients have been targeted as a direct result of this breach. Additional sources have claimed that Wipro’s corporate e-mail system had also been compromised for some time, forcing the company to build out a new private system. Who’s the Bad Guy? While the attack has not been attributed to a specific group, security researchers note that it bears a resemblance to those launched by the Chinese hacking group APT10 – almost always beginning with a phishing campaign targeted against a third-party partner. The group has a demonstrated history of attacking Managed Service Providers in order to gain access to a larger swath of targets. Last year, the Australian Cyber Security Center blamed APT10 for attacks on at least nine global service providers, and the UK’s National Cyber Security Centre said it is aware of malicious activity currently affecting UK organizations across a broad range of sectors. Takeaways The Wipro breach seems to be a textbook case of exactly how not to handle a breach. Refusal to acknowledge and inconsistencies in what they will acknowledge have done nothing but increase not only confusion in reporting on the incident, but also mistrust in the company. Additionally, it highlights how critical it is that organizations properly protect their assets and address the vulnerabilities inherent to human error. Companies must extend beyond robust network security and incorporate systematic employee training, supply chain security assessment and ongoing monitoring, and third-party security, among other methods of defense. Last October, the FBI warned Managed Service Providers about the increasing occurrence of Chinese hacking groups targeting them specifically. MSPs have unparalleled access to their clients’ networks, so compromising an MSP can give these groups direct access into dozens, hundreds, or even thousands of businesses and their client data. The number one way attackers penetrate networks is with stolen credentials, according to the alert. ID Agent provides a robust suite of services to address the risks highlighted in the Wipro breach. BullPhish ID™ delivers security awareness training and phishing simulations created specifically to help employees recognize and avoid phishing traps like those used to infiltrate Wipro’s systems. Dark Web ID™ monitors the dark web for employee and supply chain credential exposure, which most often results from using those credentials on third-party websites. SpotLight ID™ provides comprehensive personal identity protection and restoration services for employees and customers, mitigating risk and providing peace of mind.

Read More
April 15, 2019

Cyber Scams to Avoid This Tax Season

They say nothing is certain except for death and taxes. In 2019, it’s time to add cyber tax scams to the list. The Internal Revenue Service (IRS) has released its annual “Dirty Dozen” list of tax scams – and it’s no surprise that nefarious online schemes top the list. Here are some of the most common (and clever) techniques that hackers are using to defraud Americans of their personal information and hard-earned income.

Read More
February 22, 2019

Webinar Recap: An Update on Data Security Breach Laws in the U.S. & Canada

Data Security Breach Laws Becoming Stricter The webinar “An Update on Data Security Breach Laws in the U.S. & Canada” was offered February 13 by ID Agent. The top-line message is that the many overlapping laws and regulations governing data security are becoming stricter. Moderated by Jessica Retka, an associate in the Intellectual Property and Technology Group at Baltimore law firm Whiteford Taylor Preston LLP, the webinar featured legal experts S. Keith Moulsdale, a partner in the Cyber Security, Information Management and Privacy Group at Whiteford Taylor Preston, and Judith Payne, a partner at Winnipeg-based Pitblado Law who specializes in privacy, regulatory compliance, and information technology in corporate and commercial enterprises.

Read More
November 28, 2018

Winner Announced in Dark Web ID Contest!

We are excited to announce the winner of our “Tell Us Your Story” contest! Jeff Reiter of RWK IT Services in Frankfort, IL submitted our winning testimonial, as voted on by a committee of 10!

Read More
November 20, 2018

Stay Cyber-Safe When Shopping Online

We were thrilled to see how many of our MSP Partners utilized the resources we provided to help educate their customers during National Cybersecurity Awareness Month in October.

Read More
August 29, 2018

The Week in Breach: 08/19/18 – 08/25/18

A slow, but troubling week to say the least! Phishing and compromised databases still rule the day. This Week in Breach highlights incidents involving a New York-based gaming developer, medical data held by a University, and the disclosure of sensitive data held by a popular babysitter application. Highlights from The Week in Breach: Dark Web Ads! Twitch.tv sees a breach. Healthcare Nightmare! In Other News: Is Breaking Bad? A German company by the name of Breaking Security has been up in arms about the use of their legitimate software named Remcos (Remote Control and Surveillance). Remcos is used for managing Windows systems remotely and is increasingly being used by hackers for malicious attacks known as Remote Access Trojan (RAT). The question is, however… are they telling the truth? Researchers have uncovered that the product sold by the company is widely advertised on Dark Web hacking forums and it seems that not only does the organization know that this is happening, they are encouraging it. Breaking Security has strongly stated that any license linked to malicious hacking campaigns are revoked, yet still, many hacking campaigns continue to use the service. https://www.darkreading.com/attacks-breaches/attackers-using-legitimate-remote-admin-tool-in-multiple-threat-campaigns/d/d-id/1332631 Not So Private Messages In May, the popular live streaming service, Twitch, exposed user’s private messages because of a bug in their code. The Amazon subsidiary disabled the service, which allowed users to download an archive of past messages. When a user requested this archive, the game streaming company accidentally intertwined messages from other users. Twitch has come out and said that this only affected a limited number of users and has provided a link for customers to visit so they can find out if any of their messages were exposed and what the messages were. https://www.bleepingcomputer.com/news/security/twitch-glitch-exposed-some-users-private-messages/ Podcasts: Know Tech Talks – Hosted by Barb Paluszkiewicz IT Provider Network – The Podcast for Growing IT Service The Continuum Podcast Security Now – Hosted by Steve Gibson, Leo Laporte Small Business, Big Marketing – Australia’s #1 Marketing Show! United States – Augusta University Exploit: Email compromise by phishing attacks. Risk to Small Business: High: This is a significant breach in scale and severity, and due to the sensitive nature of the data compromised the organization will likely face heavy fines. Individual Risk: Extreme: Individuals affected by this breach are at high risk for identity theft, as well as their medical information being sold on the Dark Web. Augusta University: Georgia based healthcare network. Date Occurred/Discovered: September 10, 2017 – July 11, 2018 Date Disclosed: August 20, 2018 Data Compromised: Medical record numbers Treatment information Surgical details Demographic information Medical data Diagnoses Medications Dates of services Insurance information Social Security numbers Driver’s license numbers Customers Impacted: 417,000 https://cyware.com/news/augusta-university-health-breach-exposes-personal-records-of-over-400k-patients-432de74e https://www.augusta.edu/notice/message.php United States – Animoto Exploit: Undisclosed. Risk to Small Business: High: A breach of customer trust, especially involving geolocation data, can be highly damaging to a company’s image. Individual Risk: Moderate: Users affected by this breach are at a higher risk of spam and phishing. Animoto: New York-based company that provides a cloud-based video-making service for social media sites. Date Occurred/Discovered: July 10, 2018 Date Disclosed: August 2018 Data Compromised: Names Dates of birth User email addresses Salted and hashed passwords Geolocation Customers Impacted: Unclear. https://techcrunch.com/2018/08/20/animoto-hack-exposes-personal-information-geolocation-data/ United States – Sitter Exploit: Exposed MongoDB database. Risk to Small Business: High: Most customers would be uncomfortable with a company leaking data about their kids and when they are left alone with someone who doesn’t live there. Individual Risk: High: A lot of sensitive personal information was exposed in this breach, much of it unsettling. Sitter: An app that connects babysitters and parents. Date Occurred/Discovered: August 14, 2018 Date Disclosed: August 14, 2018 Data Compromised: Encrypted passwords Number of children per family User home addresses Phone numbers Users address book contacts Partial payment card numbers Past in-app chats Details about sitting sessions Locations Times Customers Impacted: 93,000. https://www.linkedin.com/pulse/incident-report-no1-babysitter-application-exposure-bob-diachenko/ https://www.bleepingcomputer.com/news/security/mongodb-server-exposes-babysitting-apps-database/ Australia – Melbourne High School Exploit: Negligence. Risk to Small Business: Extreme: This is a major exposure of sensitive and potentially embarrassing information that could irreparably damage a company’s reputation. Individual Risk: High: Those affected by the data breach have sensitive information about their personal medical information that is considered highly private and could leave them exposed to identity theft. Melbourne High School: School in Melbourne. Date Occurred/Discovered: August 20-22, 2018 Date Disclosed: August 22, 2018 Data Compromised: Medical information Mental health conditions Learning behavioral difficulties Customers Impacted: 300 students. https://www.theguardian.com/australia-news/2018/aug/22/melbourne-student-health-records-posted-online-in-appalling-privacy-breach A note to your customers: Tick Tock. The cost of cybercrime is no joke. This is easy to say from the perspective of someone whose business it is to know all about cybercrime trends, attack vectors, and yada, yada, yada. But to really quantify how big of a problem cybercrime is in the world of business, it is often easier to compare it to day to day things… like a doctor explaining a complicated procedure or a mechanic telling you why your car is making that noise. So today I would like to compare the cost of cybercrime to the most universal understanding that there is… time. The cost of cybercrime each minute globally: $1,138,888 The number of cybercrime victims each minute globally: 1,861 Number of records leaked globally each minute (from publicly disclosed incidents): 5,518 The number of new phishing domains each minute: .21 As you can see, cybercrime buids by the minute. https://www.darkreading.com/application-security/how-threats-increase-in-internet-time/d/d-id/1332629 Are you an ID Agent Partner? Feel free to re-use this blog post (in part or in entirety) for your own social media and marketing efforts! Just send an email to marketing@idagent.com to let us know! Not a Partner? Learn more about Dark Web ID™ and the benefits it holds for your Business. Contact us today!

Read More
August 09, 2018

The Week in Breach 07/30/19 – 08/03/18

This week contains the high-profile breach of Reddit, healthcare and education sectors and an exploration of a Dark Web hacking forum.

Read More

Please fill in the form below to subscribe to our blog