Monthly Archives: November 2019

Netflix account freeze – don’t click, it’s a scam!

Another Netflix phishing scam!

We’ve written about these scams before, and we’ll probably write about them again…

…for the sadly simple reason that THEY WORK.

They work because scammers know that the less inventive they are, the more believable their messages become.

It’s also a lot less effort to copy genuine content and adapt it just a little than to try to create your own material from scratch.

That’s what Naked Security Editor-in-Chief, Anna Brading, thought when she received this scam yesterday:

Sadly for the crooks, and fortunately for anyone who received this scam, the tiny bit of text that the criminals decided to write by themselves contains several rather jarring errors.

For the most part, however, this email is disarmingly simple, and therefore surprisingly believable, for all that it’s given away by typos, grammatical mistakes and orthographic errors.

It’s not overly dramatic, it’s not threatening, and it’s polite.

It’s the sort of thing that might easily happen from time to time – a recurring credit card transaction that’s temporarily failed – and that in real life is usually pretty easy to sort out.

Indeed, it’s the sort of glitch you’ve probably dealt with once or twice before, and that you may well have resolved entirely online without even leaving your browser.

Of course, even if you missed the spelling mistakes (a genuine retailer or cloud service is unlikely to mis-spell the word invoce, which should be invoice), the link would be a giveaway – this one uses a URL shortening service, but with an HTTP (insecure) URL instead of HTTPS.

Nevertheless, if you clicked without taking a moment to check it, you would end up redirected to a surprisingly believable page that is hosted on a website with a valid HTTPS certificate:

Sure, you’re not on a netflix.com web page, which is an obvious indicator that this is a scam, but the crooks have disguised the actual server they’re on by using a domain name that starts with a 32-character hexadecimal string.

The long, random starting text in the URL shoves the final part of the domain name off to the right far enough that your browser probably won’t have enough space to show it.

The domain used in this attack was only registered on 2019-11-17, and the web certificate was created yesterday, so the site was probably set up specially for this scam, perhaps along with a bunch of others.

Remember that once you have acquired a domain name such as example.com, you’ve also acquired the right to create as many subdomains beneath it as you like. For example, we own sophos.com, so we automatically own and can use nakedsecurity.sophos.com, news.sophos.com, shop.sophos.com and so on, as well.

As you can see, we try to make our subdomains descriptive so they’re easy to find and remember, but crooks can go the other way, creating unmemorable, unexceptional subdomain names that are, and look as though they are, machine generated.

Many of the genuine web links we use these days – notably those generated by Google’s search engine – include long and random-looking components, so we’re conditioned to accept them when they show up.
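The giveaways described above (a plain-HTTP shortener link in the email, and a landing page whose hostname starts with a long hexadecimal label that pushes the real domain out of the browser’s address bar) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article or from Sophos: it pulls URLs out of a message body and reports each of those indicators. The sample email body is constructed for the example, the expected brand domain list (`EXPECTED_BRAND_DOMAINS`) is an assumption, and the registrable-domain helper is deliberately naive (last two labels); a production triage tool would use the Public Suffix List instead.

```python
import re
from urllib.parse import urlparse

# Constructed sample email body (not the original scam text): one shortener
# link over plain HTTP and one "login" link with a 32-character hex subdomain.
SAMPLE_EMAIL = """\
Dear customer, we could not process your last invoce.
Please update your payment details: http://bit.ly/EXAMPLE-placeholder
Or sign in here: https://3f2a9c1b7e4d8f0a6b5c2d1e9f8a7b6c.billing-example.test/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hostnames of public URL-shortening services (a short, illustrative list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Registrable domains the brand really uses for logins (assumption for this example).
EXPECTED_BRAND_DOMAINS = {"netflix.com"}

# A subdomain label made of 32 or more hex digits looks machine generated.
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{32,}$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive registrable-domain guess: the last two labels of the hostname.
    Real deployments should consult the Public Suffix List (e.g. the
    tldextract package) so that hosts under suffixes like co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> dict:
    """Return the URL, its hostname, registrable domain and a list of
    human-readable phishing indicators found for it (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []

    # Indicator 1: the email link is not even HTTPS.
    if parsed.scheme.lower() != "https":
        findings.append("insecure scheme (http)")

    # Indicator 2: a shortener hides where the link really goes.
    if host in SHORTENER_HOSTS:
        findings.append("URL shortener hides the real destination")

    # Indicator 3: a long hex-like label in the subdomain part of the host.
    subdomain_labels = host.split(".")[:-2]
    if any(HEX_LABEL_RE.match(label) for label in subdomain_labels):
        findings.append("long hex-like subdomain label pushes real domain out of view")

    # Indicator 4: an unusually long hostname, which address bars truncate.
    if len(host) > 60:
        findings.append("hostname longer than 60 characters")

    # Indicator 5: the registrable domain is not one the brand uses.
    reg = registrable_domain(host)
    if reg not in EXPECTED_BRAND_DOMAINS:
        findings.append(f"registrable domain {reg!r} is not the brand's")

    return {"url": url, "host": host, "registrable_domain": reg, "findings": findings}


def triage_email(body: str) -> list:
    """Assess every http(s) URL found in an email body."""
    return [assess_url(u) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for result in triage_email(SAMPLE_EMAIL):
        print(result["url"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed sample, the shortener link is flagged for the plain-HTTP scheme and for hiding its destination, and the landing-page link is flagged for its hex subdomain and for a registrable domain that is not netflix.com; a genuine `https://www.netflix.com/login` link produces no findings.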

Of course, if you are in a hurry, and don’t take a few moments to look for the obvious clues, you might easily end up entering your password – by which time it’s already too late, because the form submission button uploads it to the crooks, not to Netflix.

If you still don’t spot the deception (we’re hoping you wouldn’t have got this far!), then the phishing continues, taking you via this page…

…to one that asks directly for your card details:

Ironically, these crooks would probably have been better off skipping the intermediate page that starts, “Dear friend,” because it’s awash with telltale signs of bogosity.

Errors you should spot for yourself include spelling mistakes, poor grammar, and a mixup with languages (there’s a link in the middle of an otherwise all-English page that mysteriously offers to sell you a gift card in French).

What to do now?

Here’s what you need to know about this particular scam:

  • If you deleted the original email without clicking anything, you did the right thing. The crooks have tried and failed, so you win.
  • If you clicked through to the fake login page but bailed out without entering anything, you’re also safe.

    In general, it’s best not to click through at all, in case the site tries to sneak malware onto your computer using some sort of browser bug, or exploit. Fortunately, browser exploits are hard to come by these days, and this particular attack won’t do you any harm if you click through by mistake but close the offending web page immediately without clicking or typing anything in it.

  • If you went as far as trying to log in on the bogus site, the crooks know your password. Get yourself to the genuine Netflix login page as soon as you can and change your password.
  • If you gave away your credit card details, the crooks know those too. Call your bank as soon as you can to cancel your card. (Look on the back of your actual card for the number to call, for safety’s sake!)
  • If you think your card was compromised, keep a close eye on your statements. You should keep your eye on your financial records anyway, but you might as well step up your scrutiny after a security scare of this sort.

What to do next?

Given that today is Black Friday, which is by all accounts the biggest, boldest and baddest retail day of the year in North America, here are three general tips that we urge you to adopt if you haven’t already:

  • Never log in via web pages that show up in an email. If you always find your own way to login pages, for example via a bookmark or your password manager, then you never have to worry whether a login link is phishy or not, because you won’t be clicking it anyway!
  • Use a password manager. Your password manager won’t put your Netflix password – or, indeed, any password – into a bogus site for the simple reason that it won’t recognise the site and won’t have a password to submit in the first place.
  • Measure twice, cut once. The scam above has plenty of giveaways, including obviously fake URLs; the use of HTTP instead of HTTPS in the email; and spelling errors. Getting scammed is bad enough without the pain of realising afterwards that all the signs were there for you to spot easily, but you were in too much of a hurry to stop and check.

from Naked Security – Sophos http://bit.ly/2OyX6mc
via IFTTT

US tightens rules on drone use in policy update

When it comes to the issue of managing drones (Unmanned Aircraft Systems, or UAS) the US Department of Justice wants Americans to know it’s on the case.

In 2015, the DOJ published what was meant to be a comprehensive policy governing how US Government departments and law enforcement use drones, taking account of issues such as privacy, law and the Constitution.

Four years on and things have moved on a bit, prompting tweaks addressing more recent concerns, including misuse, access to airspace, and the cybersecurity of the drones themselves.

Large parts of the 2015 policy and its 2019 update sound almost identical. On privacy, both policies limit departments’ retention of drone data that contains personally identifiable information (PII) to 180 days unless there’s a specific reason to keep it longer.

In other words, it’s much the same mix of privacy rules, limits, and exceptions applied to all areas of technology which give officials just enough wiggle room to gather and retain data in defined circumstances.

Cybersecurity

That said, a few of the 2019 policies could turn out to be significant, the most important relating to the cybersecurity design of the drones themselves.

It’s a complex new front that won’t be any easier to manage with drones than it is in other areas of computing. For instance, the section on drone procurement states:

The procurement of IT must comply with applicable laws, policies, and regulations, including those administered by the Office of the Chief Information Officer. The Department ensures appropriate security and privacy protections for data and IT through the risk-based Department Cybersecurity Program and effective IT management.

Which is a way of saying that before buying them departments must do the same cybersecurity assessment on drones that they would on other IT equipment.

from Naked Security – Sophos http://bit.ly/37KiCfr
via IFTTT

Adobe’s Magento Marketplace suffers data breach

Adobe’s Magento Marketplace has suffered a data breach, the company has said in an email sent to customers.

The Magento Marketplace is where the Magento e-commerce Content Management System’s 250,000 customers can access software add-ons including extensions, themes and third-party services.

The company hasn’t said when the breach happened, merely that its security team discovered a vulnerability on 21 November 2019 that had allowed an “unauthorised third party” to access account information.

Data compromised includes names, email addresses, MageID, billing and shipping addresses and phone numbers, plus limited commercial information such as “percentages for payments to developers.”

The email, which can be read in full courtesy of a Twitter user who posted it, continued:

Upon discovery, we immediately launched an investigation, shut down the service and addressed the issue.

from Naked Security – Sophos http://bit.ly/2R1wigd
via IFTTT

Pressure mounts for federal privacy law with second bill

Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a dedicated FTC office to enforce them. Cantwell also pointed out in her Bill announcement that it defines privacy as a right in federal law.

The proposed law would prevent companies from mishandling data to cause individuals harm. They’d also have to hand over a copy of the data to the individual owning it at their request and name any third party that they’d given it to. They’d also have to delete it when asked.

Companies would need to publish clear privacy policies, and they’d need to get a person’s consent before weakening their privacy measures. The consent measures are pretty close to those under the California Consumer Protection Act (CCPA) that comes into effect on 1 January 2020, in that they require companies to get permission to process someone’s data and allow individuals to opt-out of having their data transferred to others.

The legislation defines data broadly, including the usual suspects like email, financial account numbers, government-issued identifiers like social security numbers, and information about race, religion, union membership, and sexuality. It also covers things like biometric data, geolocation information, communications content or metadata, data about online activities over time and across third-party websites or online services, and even calendar appointments. The law singles out intimate photos and videos of people, too, in a clear attempt to prevent online creeps.

All the above falls under the term ‘sensitive covered data’, while ‘covered data’ seems to cast a wider net, encompassing “information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”. That’s a broad definition, and like the CCPA’s seems to take in things like IP addresses.

Companies needn’t deliberately violate privacy rules to incur a penalty. The Bill also forces them to put security measures in place to avoid an accidental breach, including vulnerability assessments and training.

from Naked Security – Sophos http://bit.ly/2L4ALei
via IFTTT

Master Go player retires citing AI supremacy

AI just won another battle in the war for supremacy against humans. Master Go player Lee Se-dol has handed in his stones after deciding that there’s just no way to beat a machine when playing the ancient Chinese board game. The ninth dan South Korean player reportedly submitted his retirement letter to the Korea Baduk Association (KBA), which governs the professional Go community there.

Se-dol, 36, who began his career at 12, told the Korean Yonhap News Agency about his retirement in an interview on Monday 25 November, explaining:

With the debut of AI in Go games, I’ve realized that I’m not at the top even if I become the number one through frantic efforts. Even if I become the number one, there is an entity that cannot be defeated.

He’s referring to AI, and in particular to AlphaGo, the computerised Go player from Google’s AI subsidiary DeepMind. The two squared off in a five-game match in 2016, where AlphaGo beat him four times after he had predicted his own “landslide” win.

Se-dol attributed his one winning game to a bug in the AlphaGo system. He made an unexpected move that seemed to confuse the computer, causing it to resign. “It’s due to a bug,” he told the agency, adding that the move wasn’t one that an opponent could counter in a straightforward way.

from Naked Security – Sophos http://bit.ly/33yQEjw
via IFTTT

Pain points for CTOs: A primer of the most stressful aspects of the job

The role of chief technology officer is evolving quickly because of the current spate of technology and its development. Not so long ago, CTOs focused heavily on IT operations and their organization’s technology and design expansion. Now, much of their time is spent on business development and raising bottom lines.

Perhaps the most stressful factor facing most CTOs today is the unpredictability of people, both outside the organization and within. There’s also the fact that five o’clock never seems to come. For CTOs, the work never stops – certainly not the work of mitigating threats to the organization. Constantly looming, breach paranoia keeps many CTOs up (literally) at night.

In addition to a lack of a good night’s sleep, their mental health is at stake. The psychological toll on those in this profession can be enormous. Cyberattacks, tech outages and breaches cause stress-related illnesses and impact the mental well-being of 51% of tech executives, according to a survey of more than 850 C-suite executives from IT recovery firm Sungard AS. That number reaches 56% among CTO and CIO roles.

To ensure their proper mental health, CTOs must ensure that systems are running smoothly – but there’s more to this picture, as we’ll see.

Digital disruption everywhere

No industry is currently spared from digital disruption – education, financial management, and even healthcare. Disruption creates a change moment that may seem particularly unwelcome to those forced to uproot their traditional ways of doing things. But disruption doesn’t emerge from thin air.

Disruption is caused by the capabilities of new technologies, the changing demands of customers or users, and the rapidly evolving practices of competitors. For example, healthcare is facing disruption because of consumer-centric organizations offering retail-like health and wellness services specifically designed to meet and exceed the expectations of today’s healthcare consumers.

This disruption is front of mind for many CTOs, who must adapt to more complex roles in the enterprise, which can give them plenty to be anxious about.

Asim Rais Siddiqui, CTO of TekRevol, says the first thing he does each day, before even getting his morning coffee, is to make sure no disasters happened overnight. This line of thinking resonates among his colleagues: consensus shows that sleep may never be sound for CTOs. Each morning comes with the responsibility of ensuring everything, technologically, within the organization is still intact. Siddiqui is not necessarily referring to threats or cyberattack, but even keeping simple technology intact that makes the organization function.

“New technologies are unfolding all around us,” Siddiqui said. “I believe every tech-based company is on some level vulnerable to new technology. However, the way out of this challenge is within our control. Our specific company culture encourages people to keep learning, stay up-to-date with the industry trends, and share their knowledge for the growth of the entire company.”

Dealing with data management

Data management can be an unglamorous task: an arduous, technically challenging process that can drive decisions faced and made by organizational leadership. Even for tech leaders, the job remains difficult and often undesirable.

“Data management is updating package versions, it’s documenting the process for who can access data and why, it’s creating good access controls,” said Vik Paruchuri, CEO, Dataquest.io. “So, a lot of data [management and] security comes down to: Do you know who can access the data? Do you have procedures for who can access the data? And do you have the right patches and versions, the right versioning system in place for critical security updates?”

Outside pressure

There’s always outside environmental factors pressing upon any organization. “Keeping up with competition and the rate of change in the business environment today is a job in itself,” said Stephanie Snaith, a director at Gradient Consulting. “Digital transformation is putting pressure on many companies to adopt new software and systems. Choosing to make a strategic change often shakes up an entire organization and can take months, even years, to settle down and until you see worthwhile results. By which time, the system is due another upgrade.”

Likewise, Dan Fradenurgh, CTO at Strategic Real Estate Coach and Freeland Ventures, framed the most challenging aspect as staying ahead of what’s taking place and not getting left behind by developments outside the organization. This includes what’s coming up next and how these developments may affect the long-term health of the organization. Dropping the ball on monitoring outside influences is likely to have significant consequences.

A key aspect of leading an organization’s technology effort is constantly learning new things. For example, technologies are advancing at such a fast clip that it remains vitally important to know when and where to invest in the next significant platform or disruption.

Staying on top of every technological evolution can be overwhelming and time-consuming, because CTOs must decide when to commit to a trend and when to let it go. “It’s very easy to be left behind if you stop learning what’s out there,” Fradenurgh said. That’s not only dangerous for the organization but creates no small amount of toil for those approaching a decision.

CTO stress

While burnout may not receive the attention or credibility it deserves, the life of a CTO can be exceedingly stressful and filled with uncertainty. Some of this may be the result of the role being undefined, without measurable expectations, a common occurrence because the role of CTO can be less easily understood than the roles of CFO or CMO, for example. Because of this, CTOs get pulled in many directions. This can result in their focusing less on their key areas of responsibility than on other business priorities.

This can lead to an identity crisis and being pulled apart by competing priorities – exacerbating burnout.

Andy Lipnitski, ICT department manager at ScienceSoft, agrees. The most challenging area of his work is managing the IT department – organizing IT operations, designing policies and procedures – while also considering the company’s business objectives at the same time. “For this, I need to keep the perfect balance of working on the IT side and ensuring that the company’s executives know the importance of IT improvements for the performance of their business.”

Poor system design

A CTO’s hands-on work starts with system design. Without solid design – and the means to back it up – even the best CTO is sunk. No matter how many strategies are tried, how agile an organization becomes, or how much DevOps is built into its practices, none of it matters without coherent and functional design. Design is therefore foundational to long-term success in a way that platitudes and processes cannot improve on their own. Without quality design, improvement efforts have little effect overall and can create nightmare scenarios, especially where outdated technology is a factor.

Design functionality only goes so far, of course. Solutions that enable current design and infrastructure must be capable of supporting future integrations and developments. As businesses grow, they need to adapt to keep up with demand and need. Legacy systems are unlikely to cope with the speed of output required, and you will notice it becomes increasingly challenging to plan and manage resources, stock, orders, and materials.

“Without data-driven insight, it is impossible to make informed decisions,” Snaith said. “As issues mount, the pressure extends from the system admin team to your employees; they are the people using the systems you have in place. In the modern-day, people expect easy-to-use tools to get their job done. If the systems you have in place are not fit for purpose, then something needs to change.”

A CTO’s biggest fear

According to Garth Wermter, CTO of Infranet Technologies Group, his second biggest worry is the insecurity of the non-business communication and collaboration tools used regularly: text messages, personal email accounts, shadow IT tools, and even BYOD. Inputs and outputs to systems can be secured, but time and again humans conduct business through these personal devices, creating significant risk for the organization – which leads to Wermter’s biggest fear.

Despite fears about technology, most CTOs seem concerned about one thing above all: “My biggest worry is human mistakes,” Wermter said. “We have great procedures that are well-documented, but our people still make mistakes – news articles show the business and financial impact of these errors daily. Our IT and security teams are not imaginative enough to predict and prepare our users for every threat variant.”

It’s difficult to outthink all the ways in which people can harm your organization. CTOs are very much akin to threat managers or watch groups protecting against attack. This is a yeoman’s task made more difficult because they must lead their staff through the skills gaps of various teams and business units. These gaps can hinder delivery and security, particularly as technologies evolve.

Even if gaps are not present, most CTOs know that the weakest link to the success of their initiatives remains the human elements. For example, the weakest link of any organization under a cyberattack is the staff. The mistakes that humans make allow attacks to succeed or spread further.

“The mindset of many in IT is still stuck in the traditional perimeter, with firewalls and client VPNs,” Andrew Moreland, CTO of Beyond M&A, said. “Often, their teams are blind to the larger security risks in their organization as a result.”

According to a new study by Code42, 79% of information security leaders believe that employees are an effective frontline of defense against data breaches even though facts seem to counter this claim. Some organizations have not put in appropriate detection and response data security controls and, instead, trust employees to keep data safe. The study shows that employees take more risks with data than employers think, which leaves organizations open to negligence and insider threats. In most breach cases, human error is the culprit.

Likewise, the technologies adopted need to be intuitive and easy to use for the people using them. Technologies that are difficult to adopt encourage people to turn towards workarounds that may create unmonitored attack vectors.

Do the basics right

“As long as you keep your technologies and systems on the latest version and latest patch, you can protect your system very well. Hence, before you go to more sophisticated stuff, make sure to get the hygiene right first,” Siddiqui added.

Getting the basics right can be anything but basic. As discussed here, the role of CTO is evolving and continues to do so. So, getting even the most basic function correct – like security and threat protection – is more complicated than many may believe. The basics for a CTO today are vastly different than they were just a few years ago. For one, CTOs’ primary role is on business development rather than on building out IT infrastructure. As such, these leaders often experience overwhelming responsibility for how the organization performs as well as what it can perform.

There’s quite a bit that keeps CTOs up at night. If the basics aren’t done right, all that may remain are nightmares.

from Help Net Security – News http://bit.ly/2q2Beqb
via IFTTT

Endace and Athena Dynamics partner to expand cybersecurity and network monitoring market

Endace, a world leader in high-speed network recording, playback and analytics hosting, has announced a partnership with Athena Dynamics in Singapore, which focuses on cyber security, critical information infrastructure protection and enterprise IT Operation Management products and services.

Since its inception in 2014, Athena Dynamics has won multiple awards including ICS Vendor of the Year (2017), Most Promising Industrial IoT Security Solutions (2018) and the CSA Cyber Security Award Finalist (2018) among others.

Athena has a strong reputation for successfully delivering classified projects in the public sector and critical projects to protect sensitive digital assets in the private sector.

Endace VP of Sales APAC and Japan, Antony Adamo, says, “The partnership with Athena Dynamics reflects Endace’s strong commitment to the Asia Pacific region and to working with the best in the cyber security industry.

“Athena Dynamics has a deserved reputation for excellence demonstrated both by the multitude of awards it has won and its proven ability to deliver classified and critical projects across the public and private sector. They are a great team to work with and we’re thrilled to have them onboard as a consulting distributor for Singapore.”

CEO of Athena Dynamics, Ken Soh, comments: “Partnering with Endace allows us to expand our cyber security and network monitoring offering to customers and gives them access to a market-leading platform for scalable, full line rate packet capture and analytics hosting.

“This capability is in hot demand, especially when large-scale investigative or forensic related work is needed at state, nation-wide level.”

Athena Dynamics is also a consulting distributor for Endace Fusion Partner, Darktrace in the Singapore and Asia Pacific region.

from Help Net Security – News http://bit.ly/2OuvL4L
via IFTTT