Wednesday, August 17, 2016

8/11/16 Weekly News Highlights: Vulnerabilities in Samsung Pay, Volkswagen locks, and Bluetooth doors, oh my!

Welcome back to Astria Horizon, your source for practical information security news from across the web. If you use Samsung Pay, our first article today will inform you about a current vulnerability and explain how to avoid the risk yourself. Plus, major news on vulnerabilities in the remotes used to unlock Volkswagen vehicles made from 1995 to 2016, and why you need to do some research before buying a Bluetooth door lock. Read on for our summaries of these articles.


1. CSO Online, "Samsung both denies and admits mobile payment vulnerability."

Last week's Black Hat security conference brought all sorts of presentations about vulnerabilities, and one that has caused a stir concerns the contactless payment method Samsung Pay. According to CSO Online's article, security researcher Salvador Mendoza discovered a vulnerability in the payment method where the data tokens from an unfinished transaction could be used to steal a victim's credit card for use on another contactless payment device. Samsung initially denied the vulnerability existed, but has since released a more detailed statement essentially saying that the attack is possible, but extremely unlikely.

The attack would require an attacker to be very near the phone in order to access its NFC field, generally within inches. However, small devices that read the tokens generated for payment can be built, and can even be designed to be worn around the wrist, hidden under a sleeve. The simplest way to prevent this type of theft if you use Samsung Pay is to be careful not to start any transaction you do not intend to finish. This prevents an unused token from being generated, and thereby leaves nothing for a cyber-criminal to steal. If you do end up starting a transaction without completing it, be sure not to let any strangers handle your phone. Keeping tabs on your device is one of the best countermeasures to this vulnerability.

2. Security Week, "Millions of Cars Vulnerable to Remote Unlocking Hack."

As cars become more and more integrated with software and new technology, new cyber-threats to our main method of transportation are bound to pop up. This article from Security Week discusses a method of unlocking vehicles made as early as 1995, primarily by Volkswagen. It seems that the company uses very few encryption keys to secure the signal that unlocks its vehicles with a remote, and a thief who obtains one of these keys could use it to recreate the signal sent from any remote and unlock VW vehicles within a 300 ft. radius. The newest VW vehicles are fortunately not affected by this vulnerability.

Other vehicles were also found to have weaknesses in their remote entry. HiTag2, another method of securing the remote unlock signal, is found in vehicles made by Ford and Chevrolet and has weaknesses of its own. The key needed to make sense of the signal for these models is derived from a series of 4-8 rolling codes, which could also be obtained by a relatively unskilled hacker. The additional difficulty here is that the hacker would have to record the victim pressing the unlock button several times, but even this is little challenge for a patient thief.

Unfortunately, with so many vulnerable vehicles on the market, it is unlikely that either of these weaknesses will be patched in current vehicles. Fortunately, the researchers have not publicly disclosed the details of their findings, so it is possible criminals will be unaware of how to perform these attacks. Still, the only way to entirely prevent the attack is, unfortunately, to use the standard key to unlock your car.

3. Tech Hive, "Many Bluetooth Locks Open Easily for Attackers."

Image Credit: Poly-Control
Yet more vulnerabilities have turned up at the recent security conferences, this time affecting a newer technology: Bluetooth-based smart locks. These are locks that require you to enter a code in a special app on your phone to unlock the door. But according to the Tech Hive article, researchers found exploitable flaws in most of the Bluetooth locks on the market, and many could be hacked with very minimal effort. Four of the 16 locks they tested even transmitted the unlock signal in plain text, so anyone with a basic Bluetooth sniffing device could obtain the code needed to open the door themselves.

The more concerning issue is that few of the manufacturers seem to care about these flaws. One company even went so far as to state that it was aware of the flaw and had no intention of fixing it. This seems to be increasingly common in newer "smart home" devices, and many items such as WiFi-enabled thermostats and lightbulbs only end up creating more weaknesses in security. In the case of door locks, the weakness could even give thieves access to your home. Many of these devices are simply still very new and have not been properly tested. The best advice is to avoid such technology for the moment, or at the very least not to buy the door locks that transmit in plain text.


That's all for this week, thanks for stopping in at Astria Horizon. If you'd like more information on how the experts at Astria Business Solutions can help you stay secure, visit our website at AstriaBiz.com

Monday, July 11, 2016

7/11/2016 Weekly News: Wendy's Breach Much Larger than Initially Believed

Welcome back to Astria Horizon for more security news from across the web. This week I'd especially like to call your attention to the article on the hacking of several Wendy's locations, including many that may have affected our customers in New Mexico. This breach was much larger than initially thought, and saw the theft of customers' credit card data for over half a year. In the article summary I have also included a link so you can see if any of the stores you may have visited were affected.

1. CSO Online, "Wendy's hack was bigger than thought and exposed credit card data."

In some unfortunate news about data breaches, it was found that the hack of the fast-food chain Wendy's was much larger than initially believed. While Wendy's believed fewer than 300 of its locations were affected, it was recently discovered that over 1000 of the franchised stores were affected by this breach. Many of these stores are located in Astria's home state of New Mexico, including many locations in Albuquerque and in Gallup. Wendy's has provided a list of affected locations, which can be found here.

The locations affected had a targeted form of malware on their point-of-sale systems that specifically stole all credit card info, including the card number, card-holder's name, expiration date, and even the verification code. This information is believed to have then been sent by the malware to the criminals who installed it. If you've eaten at Wendy's in the past year, it is highly advised that you view the list and check whether your store was affected; if it was, contact your credit card provider immediately for a replacement.

2. Watchguard Security Center, "Fitbits Hack ATMs?"

This short video from Watchguard shows the capabilities of Fitbits, the accuracy of their data, and how cyber-criminals could use these in the future. Corey Nachreiner discusses how security researchers found that using the motion data from an average Fitbit device could allow them to detect which buttons the user pressed on an ATM's PIN pad, essentially allowing the criminal to learn your PIN. If the criminal also had a skimmer in place on that particular ATM, he would have access to both your card number and your PIN, which of course would allow him to more easily make fraudulent purchases with your card.

While the concept was certainly interesting and had considerable accuracy, Nachreiner points out a few flaws with an attack of this type in his video. The most basic issue is that as Fitbits and other fitness trackers are usually worn like a watch, they are rarely worn on your dominant hand. That means the hand with the Fitbit is not likely to also be the hand you use to enter your PIN, and so would not give the required motion data to any criminals. In spite of this and other issues he mentions with attacks on Fitbits and similar devices, it is an interesting case study at the very least, and shows how criminals could benefit from the accuracy of the data collected by wearable devices.

3. Security Week, "Thousands of Websites Compromised to Spread CryptXXX Ransomware."

One of the newer forms of ransomware, CryptXXX, has come up with a new attack method. This article from Security Week discusses how at least 2000 different legitimate websites have been compromised and now redirect visitors to download the ransomware. It seems that most of these sites have been running old and outdated versions of WordPress and Joomla!, as well as some outdated and vulnerable plug-ins. This allowed the hackers to break into the websites and redirect their visitors into accidentally downloading the ransomware.

The biggest thing to note here is that if you use a content management system (CMS) such as Joomla! or WordPress for your website, it is vitally important to keep it updated. Hackers benefit greatly from taking over legitimate websites, as it allows them to infect systems they otherwise would be unable to reach, making such sites a great target. And when CMS software is updated, it is often to patch vulnerabilities that cyber-criminals already know of. So leaving your CMS website un-updated often leaves it exposed to attacks just like these, which hurt not only your business, but any customers or potential customers who may visit your website.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Tuesday, July 5, 2016

7/5/16 Weekly News: How to spot skimmers, Android malware affecting millions of devices, and Dangerous keyboard at 50 mil downloads

This week we found articles on skimmers and on risks to avoid with your cell phone. You may have heard of credit card skimmers before, but do you know how to spot them? We'll go over the differences today. Plus, a new Android malware that can't be removed by a factory reset. And lastly, we'll show you a keyboard app that you should definitely stay away from, even though millions of others have already downloaded it.


1. From Krebs on Security, "How to Spot Ingenico Self-Checkout Skimmers."

Thieves are often out to steal credit card numbers, and one of the more popular methods of doing so is to use skimmers. If you've never heard of them, skimmers are generally designed to lie on top of genuine devices where you would swipe your credit card, such as an ATM or the credit card terminal at your grocery store. They don't alter the real device's function, but instead silently record the numbers and PINs of cards swiped through them for the thieves to collect when they return for the device.

In this article, Brian Krebs specifically notes a new skimmer that has been appearing at Wal-Mart locations, particularly on self-checkouts. The article shows what the genuine device and the skimmer look like so that you can spot them. One of the biggest notes to me is that in this particular model, the skimmer ends up covering the stylus holder on the left, which may be the fastest giveaway. Be sure to view the article, if for nothing else than to see the pictures of the overlay skimmer.

Still, one of the best practices to check for overlay skimmers is to simply give a little tug on the top part of the credit card terminal. If a skimmer is in place, you may be able to feel a very noticeable seam from the bigger piece being placed on top of the smaller one. If you ever do find a skimmer, notify the owners of the terminal and the police.

2. From Security Week, "Millions of Android Phones Infected With 'Hummer' Trojan"

A new Android malware, dubbed "Hummer" by researchers, is affecting millions of Android phones. According to the article by Security Week, the malware has been around for several years, but only became widespread within the last year. Currently, the daily average of infected devices is about 1.2 million, many of which are likely generating income for the malware's creators.

The malware displays a heavy amount of ads on infected phones, and clicking on these, whether the user meant to or not, generates income for the malware's developers. Security researchers estimate the malware could be generating as much as $500,000 per day for the criminals, making this a particularly profitable malware. Worse, the malware actually tries to root the device after install, making it very difficult to remove, even with a factory reset. On top of that, it can download additional malicious apps and uses the victim's data, possibly adding extra costs for the victim.

The biggest takeaway is simple: be careful! While this malware isn't widespread in the US at the moment, many others are. One of the biggest dangers with mobile devices is the lack of awareness of the risks, but the truth is that Android and Apple phones both have serious vulnerabilities and should be treated as such. The same sorts of websites and habits that you should avoid on computers should also be avoided on your phones, or you could risk downloading malware that is nearly impossible to remove.

3. From CSO Online, "Dangerous Keyboard App Has More than 50 Million Downloads."

In a very similar vein to the previous article, CSO Online reported that another dangerous app is also present on millions of devices, but this one is downloaded intentionally. The Flash Keyboard app on Android may appear to be a standard keyboard app with additional features, but it puts users' phones at risk and engages in further questionable behavior, sending private user data to an unknown server without the user's permission.

On top of that, the app requests nearly every permission available, something keyboards generally do not need. This creates a vulnerability in the phone: if the app were compromised, criminals could use it to download files, install shortcuts, and even potentially lock users out of their phones, all without any user notification. The only verification it requires is the initial permission grant when you install it, which unfortunately many users ignore.

This app is indeed a risk, and it would be wise to stay away from it, but there's more to learn here. Pay attention to the permissions you grant apps when you install them, and ask yourself whether the benefits outweigh the risks. Does a keyboard really need permission to access the web, download files, and install shortcuts without notifying you? Do phone games need the same access? Be sure to consider these risks before you download any new app.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Friday, June 17, 2016

6/17/16 Weekly News: Most Organizations Unprepared for Cyber Threats, Email Scams Take $3b, Google Invests in Bug Bounty.

This week we at Astria found several interesting articles for discussion, including a report from RSA on the state of cyber-security levels worldwide, news from the FBI that losses from email scams have drastically increased in the past months, and Google investing further in the security of its Android OS.


RSA Research: "75% of Organizations are at Significant Risk of Cyber Incidents."

Security company RSA's findings in its second annual Cybersecurity Poverty Index revealed some unfortunate facts about the state of information security. It seems that about 75% of their survey respondents were found to be at a significant risk of various cybersecurity incidents, and about 50% were poorly prepared or even entirely unprepared for a cyber-attack on their network. The report notes that although most organizations are aware that cyber-security should be important, most do not invest in it until they experience a security incident themselves, largely because many organizations do not fully realize the costs of such security incidents.

This is certainly concerning, but it emphasizes how much people can do to help this situation. The biggest problem is a lack of knowledge of the risks and of what constitutes proper security. Spreading awareness and building a security mindset are key to improving these statistics.

Network World: "FBI: Business email scam losses top $3 billion, a 1,300% increase in since Jan."

This article by Network World discusses the FBI's Internet Crime Complaint Center (IC3) announcement last week that losses from e-mail-based scams against businesses have reached over $3 billion, with nearly one third of that amount stolen from US businesses. The scams have targeted businesses across many different industries and do not seem to focus on any particular type of business.

The scams are generally written as if from the company's CEO, often asking the victim for information (such as W-2s) to be sent over email or for funds to be wired to the criminal's account. Since the emails are well researched and often professionally written and formatted, the mid-level employees targeted by these scams often believe the requests are genuine, and don't question sending the funds, or the information that is later used to steal employee identities. The FBI has found that losses from these scams have been increasing rapidly, showing that it is often more practical for criminals to perform social engineering attacks than to deploy more complicated malware to steal from businesses.

Security Week: "Google Increases Android Bug Bounty Payouts."

In more positive news, Security Week reported that Google has increased the payouts for its bug-bounty program for the Android OS. For those who aren't familiar with them, bug-bounty programs reward hackers for finding bugs and vulnerabilities in software and disclosing them to the developer first. This allows the developer, in this case Google, to improve its software, in this case Android OS, and limit vulnerabilities before they are actively exploited by malicious hackers.

The fact that Google is investing more in something that can improve Android's security is definitely a great sign. While the payouts are not especially high, the more that developers invest in bug-bounty programs, the more that white-hat hackers can succeed in improving the security of software. Because software is never written perfectly, vulnerabilities will always exist, and it is much better for developers to be able to patch them before attackers even know they exist.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Wednesday, June 8, 2016

6/8/16 Weekly News: How the LinkedIn breach affects you, Ransomware strikes the University of Calgary

Welcome back to Astria Horizon, your stop for information security news from across the web. This week, we'll be discussing some of the fallout from the 2012 breach of LinkedIn accounts. With information on over 117 million user accounts up for sale, many people may be wondering how it affects them, and why anyone would bother stealing information from a primarily social website. Two of our articles today speak to the value of this information and how it could be used by criminals. Additionally, the third article for the week covers another high-profile case of ransomware, this time infecting a university.


1. Krebs on Security, "Password Re-user? Got to Get Busy."

The first article today speaks further to the subject of the LinkedIn breach, particularly the subject of re-using passwords. Krebs on Security reported that in light of the breach, other major companies such as Facebook and Netflix may require some users to change their passwords. These companies are known to check the records for users who may have been exposed in breaches such as these, and to contact those users to recommend password changes on their websites as well as others.

Even if you do not hear from any of these companies, if you are in the habit of re-using your online passwords, it would be wise to consider changing to unique passwords across the board. The problem with reused passwords is that hackers routinely try breached passwords at multiple sites. So while a breach at LinkedIn may only reveal some basic information about you, the password you used could also allow the thief to access your eBay, Amazon, or PayPal account, which of course is quite a bit worse. Ultimately, the best strategy is to use a unique password at each website.

2. WatchGuard Security Center, "Data from LinkedIn breach used in targeted email attack."

Staying on the topic of the LinkedIn breach, this short article from WatchGuard discusses what cyber-criminals have been doing with the stolen information. CERT-Bund, Germany's federally sanctioned computer emergency response team, issued a warning that the stolen LinkedIn data is being used to send targeted email-based attacks to victims of the breach. The emails include information found on people's profiles, such as name and job title, to make the email look more legitimate and encourage the victim to open a malicious attachment containing various types of malware.

The emails unfortunately look fairly legitimate, and for CERT-Bund to have issued a warning, the issue must be fairly prevalent. While so far the attacks have been seen in Germany, it is likely that similar emails will start appearing in the US as well. The biggest take-away is to be careful, and never open attachments from people you do not know. Just because an email looks official doesn't mean that it's safe, as cyber-criminals have become much more sophisticated in their methods of attack.

3. We Live Security, "University of Calgary bows down to ransomware demands."

In another unfortunate case of ransomware, We Live Security has reported that the University of Calgary has given in to the criminals' demands. After apparently 10 days of battling the infection, the university decided that the best course of action was to pay the ransom of over $20,000 CND. It was not stated which ransomware variant infected their systems or how it got into their network, but it seems likely that proper backup procedures were not in place for the university to recover from.

As we have discussed in the past, we never recommend paying ransomware demands. Not only does it fund future illegal activity and paint you as a "paying customer" for future attacks; there is also no guarantee that you will receive genuine unlock codes. On top of that, many new variants of ransomware also leave behind other forms of malware to steal information even after successful decryption. If your system does get infected with ransomware, the safest course of action is to wipe and rebuild it, ideally from a recent backup.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Thursday, June 2, 2016

Macs, Malware, and Mythology

In the battle of which operating system is the "best," the biggest factor is usually simply what you are used to and comfortable with. But arguments will always arise, and one of the most common arguments for Mac systems and OS X is that they don't get viruses. But is this accurate?

Just this past month, Malwarebytes set out to shed more light on this issue, specifically discussing malware on Mac systems, and if they truly need antivirus and antimalware products, and the answer may surprise you.

According to their article, which you can read here, Macs can indeed get viruses and malware. While there are fewer types of attacks on these systems than on PCs, that number is beginning to shift as well. As Macs become increasingly popular, more malware is being written to exploit their users. In fact, Malwarebytes states that in 2015 there were five times as many OS X malware detections as in the previous five years combined.

This is increasing in particular because many Mac owners do not believe they need any antivirus, leaving these systems much more exposed to attack. With more and more Macs in use, and a large percentage of them without any additional protection against malware, cyber-criminals are finding it profitable to attack these systems as well. So while there may be fewer vulnerabilities on Macs than on PCs, the number of attacks on Macs is certain to increase.

The Malwarebytes article even goes on to cover what sorts of attacks are already affecting systems running OS X, including adware, information stealers, and even a recent instance of ransomware. Adware is the most prevalent, as it is one of the simplest to implement, but the fact that more serious forms of malware have been found is concerning. As cyber-criminals see more value in attacking Mac systems, more and more forms of malware are likely to be developed.

The moral of the story? Macs are not invulnerable, and need to be protected just like any other system. Fortunately, thanks to their increasing prevalence, there are now plenty of antivirus options for OS X. Find a company that you are comfortable with and that has a well-rated antivirus/antimalware product, and install it to better defend your Mac today.

Tuesday, May 31, 2016

5/31/16 Weekly News: Locky back in action, More iOS vulnerabilities, and Hacking as a business

This week we found several interesting topics, including a Ransomware campaign restarting, a new vulnerability discovered in iOS devices, and how hackers are increasingly treating their activities in a business-like fashion.


1. CSO Online, "New JavaScript spam wave distributes Locky Ransomware."

It appears that the "Locky" developers have found a new way to distribute their ransomware variant. According to the article by CSO Online, ESET researchers have seen a recent influx of Locky being distributed through JavaScript attachments, as opposed to the previous method using Office documents. This comes only a few weeks after the news that the Locky ransomware campaign was disrupted by white-hat hackers, which you can read about here.

The attacks are still primarily distributed through email. The article warns that the attackers are sending Zip folders containing .js and .jse files, which do not require the user to explicitly execute them. This file type is rarely sent in email except for malicious purposes, so it is best to avoid opening such attachments entirely. The biggest takeaway is to be careful of what emails you open, and especially of what attachments you open.

2. Security Week, "'SandJacking' Attack Allows Hackers to Install Evil iOS Apps."

Apple's patches to iOS have unfortunately only gone so far. According to this article by Security Week, security researcher Chilik Tamir discovered that the iOS 8.3 update was a little less than adequate. The 8.3 update added some new features for users and patched some vulnerabilities, including one Tamir discovered that allowed apps on iOS devices to be replaced with fake versions of the same app. This could have been exploited to spy on user activity and steal information from devices running the malicious apps, and so it was patched in the 8.3 update to prevent replacement of legitimate apps.

Tamir, however, has found that Apple's patch did not cover the restore process, which allows the original attack to still be carried out. The process is slightly different, but can still be entirely automated. This form of attack is still a proof of concept and may not be known to attackers, but it is a vulnerability that Apple has yet to patch. In any case, it is an interesting concept and yet further proof that sandbox environments like those found on iPhones are not impervious to malware.

3. HPE Business Insights, "The (Big) Business of Hacking."

This article from Hewlett Packard Enterprise discusses a subject that has caught many people's interest recently: the strategic shift of hackers treating their illegal activities as a business. Increasingly, hackers and other cyber-criminal organizations have formed their own "companies," complete with accounting departments, payroll, and R&D. According to the article, these criminal companies often offer several illicit products and services, including stolen information, rented hacking software, and even hacking as a service.

This is a problem because these "companies" are constantly searching for new businesses to break into, as they need new information to sell, and lots of it. The article discusses how personally identifiable information is often worth as little as $1 online, which means that criminal companies selling this information need masses of it to be successful. HPE goes on to note that it is becoming increasingly important to have information security practices in place to defend against this sort of activity, as it will likely only increase as more hackers adopt a business model for their illegal activities.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Friday, May 20, 2016

5/20/16 Weekly Security News: Extra Sneaky Malware, TeslaCrypt Ransomware is Over, and LinkedIn Breach Expanded

Welcome back for more weekly news updates on information security, brought here to you by Astria Business Solutions. This week saw many interesting developments, including a new and particularly stealthy form of malware, Ransomware encryption being beaten by an unlikely source, and new findings on the 2012 breach of LinkedIn user accounts. Read on for more information on this week's news.


1. Security Week: "Windows Malware Tries to Avoid 400 Security Products."

A particularly interesting new form of malware was recently discovered, and it appears to target Windows systems without any antivirus. According to the article by Security Week, this malware, known as "Furtim", checks the systems it lands on for over 400 different security products (such as antivirus or firewalls). If it finds any of these, the program immediately deletes itself, likely with the goal of never being caught on such systems.

If the malware does find a suitable system, however, such as an undefended home computer, it installs itself and proceeds to steal any saved user account and password information on the infected system. It also blocks the user's access to 250 different security-related websites, prevents downloads or updates of antivirus, blocks command line usage, and prevents the system from being shut down or put into hibernation, making it difficult to keep it from stealing further personal information from your system. The moral of the story is that if you do not have antivirus software of any sort, now would be an ideal time to install some.

2. CSO Online: "TeslaCrypt Victims Can Now Decrypt Their Files for Free."

Very good news for anyone hindered by the effects of the TeslaCrypt ransomware: researchers now have a free tool to decrypt your files and once again give you access to your computer. The especially strange part? The master decryption key used for the tool came directly from the developers of TeslaCrypt. CSO Online's article reported that the makers of TeslaCrypt decided to end their campaign of holding people's computers hostage. Researchers at ESET reached out to the group through its official support channel, asking for the master key to decrypt victims' files, and the TeslaCrypt developers went ahead and made the key public.

Shortly after, ESET created a tool that is able to decrypt victims' files and made it free for the public to use. If your system was previously infected with TeslaCrypt, you can find instructions on how to remove it from your system on ESET's website. This is certainly an unusual case: Ransomware decryption tools are not frequently developed, and rarely do the Ransomware's own developers hand over master keys as in this instance. Remember: prevention is the best remedy for Ransomware.

3. Krebs on Security: "As Scope of 2012 Breach Expands, LinkedIn to Again Reset Passwords for Some Users."

Apparently, the breach of LinkedIn passwords back in 2012 was much larger than initially believed. Krebs on Security reported that while the initial scope of the breach appeared to be about 6.5 million users, in actuality it affected more than 117 million users, with the pool of user accounts being offered for sale on criminal websites. LinkedIn seems to be planning to force some of these users to reset their passwords, but not everyone will receive this prompt.

The problem here is that LinkedIn is only forcing some users to change their passwords, and not all. Since the breach was initially believed to only have been 6.5 million users, only those users were initially required to reset their passwords. Now it has been shown that the same breach actually affected over 117 million users. Even if LinkedIn forces all of these users to change their passwords, what happens if next year they discover the breach was even larger? When incidents such as these occur, companies need to be open with their users, and at least suggest password changes to them all.

One important take-away: change your LinkedIn password, whether you receive official notification or not. With breaches such as these it is often difficult to assess the full scope, and it's much better to take a brief precaution than to have your account stolen for reputation-hijacking purposes.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Thursday, May 12, 2016

Internet of Things (IoT) Risks Can Include... Printers?

This week we'll go back to the subject of the Internet of Things (IoT), but not to cover security systems or smart fridges this time. An IoT device that is unfortunately often overlooked in security audits is the ever-common printer. While most offices have printers, and many have networked printers, wired or wireless, the majority of users simply would not expect hackers to try to attack a printer. But unfortunately, they often do.

According to CSO Online's article on this very subject, 35% of all security breaches in offices were traced back to printers or other similar multi-function devices. That's a significant percentage! So what is it that makes printers such a common target for cyber-criminals?

Essentially the root cause is that few people even consider printers to be a security risk. Most people see printers as relatively simple devices that take what is on the screen and put it onto paper. After all, if a hacker did manage to break into one, all they could do is print their own documents, right?

The truth, however, is that printers are indeed computers, albeit specialized ones. While their main function is to print, they also store data about what they have printed, and they have to communicate with other computers on the network, such as any computer that wants to print to them. This means hackers that break into a printer can also communicate with those computers, and could even steal any documents that were previously printed on that device.

Further problems arise as printers are often not kept updated, or even no longer supported by their manufacturers. Updates on printers and other devices are designed not only to improve the product with new features, but more commonly to patch vulnerabilities in the software. But oftentimes, such as with printers, users are unaware of updates to their devices and do not install them. Other times, the printer is just very old, and no longer supported by the manufacturer with updates.

These factors add up to make printers a very convenient target for hackers. Since they provide a suitable platform to attack further into the network, are often easier to hack because of infrequent updates, and are regularly overlooked as a potential entryway, printers make an easy access point for many cyber-criminals.

The article does offer thoughts on printer defense, but mostly recommends upgrading. Newer printers often include more security features than older ones; some models even include encryption as an option. This, however, can be expensive and impractical in some cases.

To start securing your printers, look and see if they are still supported by their manufacturers with updates. Updating will often patch the most severe vulnerabilities, and could make a difference in securing the printer.


If you need further assistance, you can always contact Astria. We work with businesses to provide comprehensive security, and can also assess your network for vulnerabilities from things like printers and IoT devices. For more information on our services, visit our website at AstriaBiz.com

Wednesday, May 11, 2016

5/12/16 Weekly News: Locky Disrupted, Equifax Breached, and New Threats to Androids

This week we have several interesting articles to highlight, covering Ransomware, data breaches, and smartphone vulnerabilities.


1. Security Week: "Hackers Disrupt Locky Ransomware Campaign"

No one is quite sure how, or even why, but someone has managed to disrupt the dangerous "Locky" ransomware campaign. The article above by Security Week discusses how now, when the Locky payload is meant to be downloaded from the attackers' server, a 12 KB executable file is downloaded instead. The file doesn't contain a valid structure or any threat to the systems that download it, and apparently will only display an error message stating: "Stupid Locky." It is likely that white-hat hackers were responsible for this disruption, and replaced the real Locky executable with the fake one.

The article warns that this is likely only temporary good news, however. The developers of Locky have been continually improving their ransomware variant, and likely will be able to recreate it. But at least for now, there is a reprieve from this particular attack.

2. Krebs on Security: "Crooks Grab W-2's from Credit Bureau Equifax."

Photo Credit: Mike Stewart, AP
One of the big-three credit bureaus, Equifax, seems to have had another breach of W-2 data. Their website, W-2Express, provides the employees of many businesses the opportunity to view their W-2's online, but apparently comes with vulnerabilities built in for some users. Krebs on Security reported that Kroger employees were the unfortunate victims this time, and any employees that did not log in to change their passwords from the default may have been exposed in the data breach. According to Kroger, the breach does not appear to have come from their systems.

Equifax also does not believe the breach was in their systems, but rather that the passwords were obtained through other methods. W-2Express' default password is unfortunately simply the last 4 digits of an employee's SSN followed by the 4 digits of their birth year. Unfortunately, this information is often fairly simple for criminals to obtain, and it allowed the breach of even more personal data via the W-2's. Neither party is certain how many individuals were affected by this breach, but it was likely fairly sizable for Kroger to send a letter to all current employees about the incident.

3. CSO Online: "Qualcomm flaw puts millions of Android devices at risk."

As if Android phones did not have enough security risks, a new, major issue in Qualcomm chips has caused further security concerns. CSO Online reported that this vulnerability puts these devices at risk for theft of text messages and call history. This flaw was patched in March, but older Android phones have no access to this patch. With the number of phones present with this flaw, and the number that cannot be updated, millions of Android devices are unfortunately left vulnerable to this exploit.

According to the article, devices running Android KitKat 4.4 and above are less affected by these risks, but still may carry some risk. But any phones running Jelly Bean, KitKat, or Lollipop are exposed to this threat. If you are using a phone with one of these operating systems, it is strongly advised that you check with your phone's manufacturer for a patch for the vulnerability, tracked as CVE-2016-2060.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Friday, April 29, 2016

4/28/16 Weekly News: Empty DDoS Threats, Automotive Cyber-Security, and Malware in a Nuclear Power Plant

This week saw some very interesting bits of news, including scams with threats of DDoS, the difficulties involved in making vehicles cyber-secure, and even malware being found on a nuclear power plant.


1. CSO Online, "Empty DDoS threats earn extortion group over $100,000."


Not all threats online have an actual bite. Sometimes cyber-criminals try and simply scare their victims into paying them, essentially just scamming them out of their money. CSO Online reported that for the last two months, many businesses have been receiving email threats of a DDoS attack from a group calling itself the Armada Collective. The messages demand that the victims pay "protection" fees or the group will begin DDoS attacks on the victims.

However, none of those that refused to pay have experienced any attacks at all. It seems the threats are entirely empty, and those sending the emails may not even be part of the actual Armada Collective, but may simply be using its name in an attempt to add credibility to their scam. The scammers in fact have no way of telling who has paid and who hasn't, and therefore would be hard pressed to know whom to even attack. Unfortunately it seems to be working, as collectively the threats have earned them over $100,000. Remember, it is always best not to pay such demands, as there is no way to be sure they won't attack again, or inform other criminals that your business pays when threatened.

2. Network World, "Headaches likely to grow over auto cybersecurity concerns."

As we discussed briefly last month, cyber-security in automobiles is becoming a growing concern. With vehicles so often connected to the Internet, flash drives, or even USB music players, the risk of infection by malware is increasingly a concern. Researchers have found numerous vulnerabilities, even being able to completely stop a vehicle remotely, but security patches may prove more difficult than expected.

According to this article by Network World, current vehicles may never be possible to secure, and even vehicles in production now will not be able to implement the encryption and secure communication processes that are necessary to properly secure the vehicle. In fact it is estimated that it will take an additional 5 years before proper encryption is developed and implemented into vehicles with wireless functions, leaving a multitude of new vehicles unfortunately vulnerable to cyber-attacks.

3. Security Week, "Concerns Raised Over Malware in German Nuclear Plant."

A nuclear power plant located in Gundremmingen, Germany, made the news this week after it was revealed that its systems were infected with various types of malware. Fortunately, none of the malware infections were particularly vicious, and many were even old and quite outdated. In fact, none of the malware posed any real threat to the reactor, nor did it appear to be targeted towards hindering its systems.

The malware likely was accidentally put on the reactor's computers, which did raise some concerns. How exactly did it get on the system? Could this be exploited by others to put something worse on the reactor? Again it was likely down to carelessness, which just shows how important it is to teach employees about proper security practices.


That's all for this week, check back next week for more news on Information Security. And if you want more information on how Astria Business Solutions can assist you in meeting your business' information security goals, visit our website at AstriaBiz.com

Friday, April 22, 2016

4/22/16 Weekly News: Mac Ransomware Defense, Building Security Inadequate, and New Ransomware

This week was especially busy, and it resulted in delays in the Astria Horizon news posts, but certainly not for lack of interesting news. This week Ransomware is once again a prime topic, including preventative measures for Mac OS X users and the development of a new form of infection, as well as how the Internet of Things can affect a building's security.

1. CSO Online, "This tool can block Ransomware on Mac OS X, for now."


There is good news for Mac users: security researchers have developed a free tool that detects and blocks Ransomware from infecting systems running OS X. The tool, named "RansomWhere?", is able to detect and suspend any encryption process on Mac OS X systems, and prompts the user to either allow or stop the encryption from taking place. This does mean, however, that it will not work on systems that are already infected with Ransomware; it is only a preventative measure.

Mac users have been increasingly targeted by Ransomware since the development of KeRanger last month, so the ability to suspend and stop the encryption process that Ransomware starts is very helpful. But the developers mention it is currently only effective against known Ransomware variants, and may not be able to block attacks developed in the future.
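To make the idea of "detecting an encryption process" concrete, here is an added example (my own illustration, not RansomWhere?'s code, whose internals the article does not describe). It assumes a monitor that sees which process wrote which bytes to which file, and flags a process that rewrites several files with near-random (high Shannon entropy) content, which is what encrypted output looks like. The entropy cutoff, the file-count trigger, the sample documents and the toy keystream cipher used to manufacture "encrypted" sample data are all constructed for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # assumed cutoff in bits/byte; encrypted data sits near 8.0
FILE_COUNT_TRIGGER = 3    # assumed: this many high-entropy rewrites by one process is suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for ransomware output: XOR with a SHA-256 counter keystream.
    It exists only to produce high-entropy sample bytes; it is not a real cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def classify_write(data: bytes) -> str:
    """Label a file write by the entropy of the bytes written."""
    return "high-entropy" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "normal"


def flag_processes(events):
    """events: iterable of (process_name, path, bytes_written), as a file-system monitor
    would report them. Returns the set of processes that rewrote FILE_COUNT_TRIGGER or more
    files with high-entropy content; a real tool would suspend those and prompt the user."""
    high_entropy_writes = defaultdict(int)
    for proc, _path, data in events:
        if classify_write(data) == "high-entropy":
            high_entropy_writes[proc] += 1
    return {p for p, n in high_entropy_writes.items() if n >= FILE_COUNT_TRIGGER}


# Constructed sample: one ordinary text document and the events a monitor might see.
DOC = b"Quarterly report: revenue grew 4% while costs stayed flat. " * 80
EVENTS = [
    ("TextEdit", "/Users/alice/notes.txt", DOC),
    ("TextEdit", "/Users/alice/todo.txt", DOC[:600]),
    ("unknown-binary", "/Users/alice/notes.txt", toy_stream_encrypt(b"k1", DOC)),
    ("unknown-binary", "/Users/alice/todo.txt", toy_stream_encrypt(b"k2", DOC)),
    ("unknown-binary", "/Users/alice/taxes.pdf", toy_stream_encrypt(b"k3", DOC)),
]

if __name__ == "__main__":
    print("plaintext entropy: %.2f" % shannon_entropy(DOC))
    print("encrypted entropy: %.2f" % shannon_entropy(toy_stream_encrypt(b"k1", DOC)))
    print("flagged processes:", flag_processes(EVENTS))
```

The obvious caveat, and one reason such tools prompt rather than kill outright, is that compressed files (ZIP archives, JPEG images, already-encrypted disk images) also have entropy near 8 bits per byte, so a backup or photo-editing program can trip the same check; the per-process count is there to reduce that noise, not eliminate it.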

2. We Live Security, "Buildings at risk of cyberattacks."


Last week we discussed the Internet of Things (IoT), and in particular looked at a case where malware came pre-installed on IoT security cameras. This week, ESET's blog, We Live Security, covered how such threats can impact the security of not only information, but even buildings themselves. Specifically they mention white-hat hackers that were able to break into the building management system of a prominent tech company in Sydney, Australia.

ESET warns that although this was a test, it is important to properly prepare your business for cyber-attacks on the building as well. Oftentimes security systems are installed with just their default passwords in place, and these are easily found in PDF owner's manuals. Systems that secure your building electronically, such as security cameras and electronic door locks, need to be properly secured and updated regularly to be effective in keeping your building safe, or they may actually hinder the security of the building you're trying to protect.

3. Security Week, "CryptXXX Ransomware Steals Bitcoin, Private Data."


Another instance of Ransomware in the past week includes the development of a new form, dubbed "CryptXXX." Security Week reported on this new attack after it was observed by Proofpoint in a recent campaign. The Ransomware behaves as most do, encrypting a user's files and demanding a ransom of around $500 to decrypt the files to be useful again.

What makes this Ransomware different is that it also steals information from the user, as well as any Bitcoins on the infected system. So if these infections are targeted towards hospitals, as they have been in recent months, they could aim both to collect a ransom and to steal private information of patients or staff. Hopefully researchers will find better preventative measures for infections such as these in the future.


That’s all for this week, check back next Tuesday for further news from across the web, all here at Astria Horizon. If you want more information on how Astria Business Solutions can assist you in your Information Security goals, visit our website at AstriaBiz.com

Alert: Uninstall Apple Quicktime Now!

Last week, the Department of Homeland Security issued an important alert advising everyone using Windows computers to uninstall Apple Quicktime. The application has now reached its end of life for all Windows platforms and will no longer be updated, and Apple has recommended that it be uninstalled.

The risk of leaving this program on your system is serious, as it already has major vulnerabilities, and will only increase as time goes on. Since cyber-criminals are also aware that it is no longer being updated, it is only a matter of time before they find other significant weaknesses in the application. Trend Micro has already identified two major weaknesses in the program, both of which allow for remote code execution.

Apple was kind enough to provide Windows users with instructions as well on how to properly uninstall Quicktime if you do still have this program. You can find this page here.

Apple Quicktime is primarily used for viewing .mp4 and .mov video files, but there are many alternatives if you truly need to view such files. VLC is a current favorite of mine, but with any such software, remember to keep it updated, and if you don't use it, uninstall it. It is better to minimize any vulnerabilities from free software by keeping only the programs you genuinely need.

Friday, April 15, 2016

Malware May Come Preinstalled on Internet of Things (IoT) Devices



What all is your smart blender connecting to?
The Internet of Things, commonly abbreviated as IoT, is simply a term used to describe the way numerous household devices are now becoming a part of the Internet, connected to wireless networks and sharing data with users remotely. A good example of this are things like smart thermostats, which allow users to control their home’s temperature from mobile devices like their phones. With this, users could make adjustments to their home’s temperature while they are out and about, or even simply in another part of the home that may be distant from the actual thermostat. This is of course very convenient, and has many advantages for a variety of users, but unfortunately often comes at the cost of security.

One of the most common issues in the Internet of Things is a lack of security built into IoT products. Often, as developers race to provide their customers with new features and connectivity, they leave gaps in their products' security, if they even bother to secure them at all. These gaps are often quite simple for cyber-criminals to exploit, and can even infect the technology before the customer purchases it.

Such was the case when Mike Olsen, co-founder of Proctorio, purchased a set of security cameras off of Amazon. As he installed the cameras he purchased, he noted they were acting unusually. He proceeded to use his browser's developer tools to search the code, and found an imperceptible iFrame was running in the background, set to download malware from a site known to be dangerous.
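The check Olsen did by hand in the developer tools can be automated. The following is an added example, not code from the article or from Proctorio: it parses the HTML of a device's web interface and reports any iframe that is hidden (zero size, display:none, visibility:hidden) or that loads content from a host other than the device itself. The sample page, the device address and the outside hostname are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a device admin page: one legitimate same-origin iframe for the
# live video, and one zero-size, hidden iframe pulling content from an outside host.
SAMPLE_PAGE = """
<html><body>
<h1>Camera Admin</h1>
<iframe src="/live/stream.html" width="640" height="480"></iframe>
<iframe src="http://example.invalid/loader" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

DEVICE_HOST = "192.168.1.50"  # constructed: the address you fetched the page from


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased names)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value: str) -> bool:
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return v.isdigit() and int(v) == 0


def _is_hidden(attrs: dict) -> bool:
    """True if the frame is styled or sized so that a user would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", ""))


def _is_external(src: str, device_host: str) -> bool:
    """True if src is an absolute URL whose host is not the device being inspected."""
    parsed = urlparse(src)
    return bool(parsed.netloc) and parsed.hostname != device_host


def find_suspicious_iframes(html: str, device_host: str):
    """Return a list of {'src', 'reasons'} for every iframe that is hidden and/or external.
    An embedded device UI has no business loading hidden frames from the Internet."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if _is_external(src, device_host):
            reasons.append("external-src")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, DEVICE_HOST):
        print("suspicious iframe:", finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it against the HTML saved from the device's login or status page (any fetch that goes over the network is yours to add; the block itself works only on the string you hand it). A hit on "external-src" alone can be benign on a device that embeds a vendor help page, so treat "hidden" plus "external-src" together as the signal worth escalating, and keep the device off your network until the source of the frame is explained.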

How the malware got on these cameras is unknown, but Olsen doesn't imply that Amazon or the seller were at fault in this incident. Still, in an interview with Security Week, Olsen pointed out the ease with which infected devices can end up on websites such as Amazon. One could in fact purchase several of the devices, infect them with malware, and then sell them once again on Amazon as new, or even return them as unneeded items. As long as care is taken with the packaging, the items will be resold, and cyber-criminals proceed to profit from stolen data.

When it comes to IoT devices, it is important to weigh the risks, and determine how worthwhile the connectivity is to you. While you may not be concerned with theft of temperature data from your thermostat, what if that thermostat is infecting your router, phone, or even computers? Research on the security features of these devices is critical, and better yet, if you don’t need it to be connected to your network, don’t even connect it.

What experiences have you had with the Internet of Things? Are the features of the devices beneficial enough to outweigh the risks in security? We at Astria Business Solutions would love to discuss your thoughts in the comments below.