The good, the bad and the plain ugly

A prolific ransomware gang vows to dial back its campaigns and spare healthcare organizations altogether during the COVID-19 crisis. It’s no cause for celebration.

When ransomware attacks a healthcare establishment, it can have a devastating effect. This was witnessed in 2017, when WannaCryptor.D (aka WannaCry) hit multiple sites across the United Kingdom’s National Health Service, limiting their ability to provide services and causing nearly 20,000 appointments to be cancelled.

The COVID-19 pandemic is stretching the resources of health services to their maximum, across the globe. This includes not only the courageous frontline healthcare professionals but all the support teams that create the environment for them to work in, such as IT security teams. Those teams may be pleased, and amazed, to hear that one of their adversaries – the team behind Maze ransomware – has decided to stop activities that target medical organizations, at least until the current situation is stabilized.

A “press release” dated March 18 states that the Maze team is also willing to offer exclusive discounts to their partners due to economic conditions. I think their use of the word “partner” actually refers to victims, which is like arsonists calling the owners of the building they torched their “partners”.

Maze Team “press release” – hat tip to malware researcher going by the Twitter handle CryptoInsane

The group has been responsible for a number of recent attacks including against both the City of Pensacola and manufacturing company Southwire. In both instances the victims refused to pay and the Maze operators released data that had been stolen.

Maze Team is also attributed with publishing medical data from a number of healthcare organizations that refused to pay, the largest organization being New Jersey’s Medical Diagnostics Laboratories (MD Lab). About 9.5 GB of MD Lab’s data was published by the Maze operators in an attempt to force negotiations for payment.

According to an article on CyberScoop, the FBI issued a flash alert in December 2019 about the dangers of Maze ransomware. The alert details how the threat actors behind Maze use several different methods to breach a network, including fake cryptocurrency sites and malspam campaigns to impersonate government agencies and security vendors.

These are cybercriminals with a history of disruption and destruction; isn’t it thoughtful of them, though, in this time of crisis to stop attacking medical organizations? I must invite them over for tea to say thank you.

Apologies; that is my British sarcasm getting the better of me!

Any attack on a healthcare institution at any time has the potential to be responsible for a degradation in patient care, the consequences of which could be fatal. Offering discounts and the willingness to stop attacks in the current situation should not distract from the fact these are cybercriminals who have a reputation and history of attacking healthcare systems with complete disregard for patient care.

And they need to be caught and brought to justice!

23 Mar 2020 – 03:15PM

Week in security with Tony Anscombe

How to transition to a remote workforce in a safe manner – How to protect yourself from COVID-19 scams – Stantinko’s miner caught using new obfuscation techniques

The COVID-19 pandemic has caused a massive transition to a remote workforce, and we look at measures that companies can take in order to stay safe from the increased cybersecurity risks associated with teleworking. We share examples of numerous scams that attempt to steal people’s money and personal data by preying on people’s fears amid the public health crisis. Also this week, ESET researchers released their findings on unique obfuscation techniques that the cybercriminals behind the Stantinko botnet use to thwart analysis and avoid detection. All this – and more – on WeLiveSecurity.com.

Keep calm and carry on working (remotely)

How can employees stay motivated and productive while teleworking during the COVID-19 crisis?

As more of the world’s population than ever before take their equipment home to begin working remotely, the challenge is for team leaders to ensure their team members remain productive, motivated and engaged, and avoid the issues of isolation.

Last year, Buffer, a company specializing in social media content, surveyed 2,500 remote workers on the benefits and challenges associated with teleworking. The number one challenge, at 22%, was the ability to unplug after work. While appreciating this statistic, I suspect many office-bound workers who regularly take laptops home probably suffer from this issue as well. Number two on the list, at 19%, was loneliness, closely followed by collaboration and/or communication at 17%.

As a remote worker myself, I appreciate the challenges, and I am now sharing my home-office with my wife. She has only worked remotely on the odd occasion and is definitely a victim of being unable to unplug even in normal circumstances. Working on two separate campuses – sometimes being on both in the same day – means she is fully equipped as a mobile worker and her laptop does come home every night where round two of her work typically starts. In the current situation, though, monitors and keyboards have come home too!


I am now experiencing sharing my remote home office; apart from the very noisy keyboard that is being used behind me to thump out emails, it’s a highly interesting time. I am hearing the challenges of my wife’s other team members, one of whom is struggling with childcare, another not having connectivity and many others with the kinds of issues one might expect.

There is, however, a team spirit that I can hear, and a great example of this is that one of her colleague’s children has a birthday tomorrow; as we are in a lockdown zone with only essential travel permitted, the party has been called off. Good initiative and technology means there is a virtual singing of happy birthday being scheduled over the organization’s video conferencing system and all the children who would have attended are invited. It is acts like these that will keep the motivation and spirits of employees high, and high spirits should lead to greater productivity.

The normal solitude I experience can be challenging, and those of you who know me will attest that I sometimes disappear to the local library or coffee shop to work, just to enjoy other people being in the same location. Experience has given me strategies to deal with the challenges; unfortunately in this scenario though the library and coffee shop are closed. The other element that is challenging, and is compounded in my situation by time-zone differences: when you achieve something great, there is no colleague to turn to and share the moment with. Those of you who know me will read this and laugh as I sometimes call people for no reason other than to share something that’s important to me, already knowing that they are not really interested.


Creating the right environment for those who may be first-time remote workers is extremely important for the employees’ welfare and company productivity. I suggest having a strategy and I recommend you consider:

- Expect people to be ready for work; showering and getting dressed helps people understand they are going to start work.
- Where possible, encourage people to create an ad-hoc office space; try to sit at a table or desk in a regular chair. This also creates an environment where others in the house will respect that you’re working. Lounging on the sofa is for Netflix.
- The normal working day schedule should be maintained where possible; if work normally starts between 8-10 AM and lunch is somewhere between 12-2 PM, then try to maintain this schedule. Routines are good. My own experience, in normal circumstances, is that I take 30 minutes out at lunch time, where “out” means “out of the house”. I go to the store, get a coffee or walk around the block a few times. Under the current lockdown rules this is now a 30-minute walk to the beach, keeping social distance as mandated. Trust me, this will improve productivity in the afternoon.
- Agree on a single communication platform outside of the normal email system … a platform that is less formal and provides a more casual communication style … for example, Slack, Zoom, Skype or one of the many other communications or chat platforms that are available.
- Start the day with a team check-in, and take 15 minutes to communicate today’s agenda with the team to ensure they have the necessary information and resources to achieve the expected results. This also has the benefit of giving everyone a schedule of when to start their day.
- Keep the communication flowing over the agreed platform, watch for colleagues not participating and reach out to them.
- Don’t micromanage, focus on the bigger picture of the end result, and avoid babysitting or being overbearing. As people adapt to the new working arrangement, productivity may suffer – but with the right leadership and guidance, the reality is that productivity will most likely increase due to fewer distractions.
- If you have some staff who are experienced remote workers, use their knowledge as mentors for those who find the environment challenging.
- Create optional virtual team lunches so that the social interaction discussions that happen in the office can continue as normal.
- When the day’s goal is achieved, sound the bell, encourage people to down tools and spend time with family or friends, or get some exercise (lockdown rules allowing).

As an experienced remote worker, if asked for the most important recommendation, it would be to have a routine and continually (maybe even over-) communicate with colleagues. The task at the top of my own list is to acquire a less noisy keyboard for my wife!

What to do if your Twitter account has been hacked

Losing access to your account can be stressful, but there are steps you can take to get it back – and to avoid getting hacked again

Many people who use social media are fans of the blue network, and by blue we mean light blue with a bird and a character limit of 280 characters. Tomorrow, Twitter celebrates its 14th birthday and undeniably it has had an impact on our digital lives since its launch. Some people use it as a way to keep up with their favorite celebrities, others to have a quick overview of world affairs, while most usually use it to share opinions with their friends and the world in general.

But what if your Twitter account gets compromised or hacked?

How did I get hacked?

Everyone is a target – from celebrities to regular people. Even Jack Dorsey, Twitter’s CEO, has had his account compromised although in his case, the bad actors gained access using a SIM swapping attack. Criminals sometimes also have access to databases of previously compromised accounts on other services; these include emails, usernames, and passwords.

The now-defunct LeakedSource was one such repository from which hackers were able to obtain the information by running a username through it. If they can get back an email and previously used password, they try their luck with your Twitter. The accounts of Keith Richards of the Rolling Stones and Justin Bieber’s producer Dan Kanter were hacked this way.

Alternatively, this method could be used for credential stuffing: the hackers would use bots to hammer the site with login attempts until they stumble upon the right combination. People often recycle their passwords, which makes the job of the ne’er-do-wells simpler.

You also could have fallen victim to a phishing campaign. It’s nothing to feel ashamed about; it happens sometimes, and phishing scams have gotten more complex. The scammers may have sent you an email with a link that redirects you to a website that looks exactly the same as Twitter, asking you to log in. By trying to log into this counterfeit Twitter, you essentially handed them the keys to your Twitter kingdom.

What are the signs that I was hacked?

The most obvious sign that you were hacked is that you’re locked out of your account. And by locked out, we mean you have been logged out of every device you’ve been using Twitter on and you can’t log in, no matter what you do or how hard you try.

Your first course of action is to try to change your password, by requesting an email from the password reset form; if you can get in, great: you can then perform a security audit. If you can’t get in, then you have to contact Twitter’s official support and hope they’ll help you recover your hacked account.

Besides getting hacked and locked out, your account can get compromised. There are a variety of telltale signs that may raise alarm bells. You may notice Direct Messages (DMs) you haven’t sent or tweets you didn’t write; your account may have followed or unfollowed accounts unbeknownst to you or even have blocked people. Twitter may alert you that your account has been compromised or that changes have been made to your account information, but you didn’t have a hand in that … those are all alarming signs.

There are a number of things Twitter recommends that you should do immediately. Start with changing your password, then make sure your email account is secure; you should also revoke access to third-party applications that you don’t recognize and update your Twitter password in your trusted third-party applications. You can also take a peek at Twitter’s own security tips.

How not to get hacked again

Once you’ve gone through a compromised or hacked account scare, you probably want to lower the chances of that ever happening in the future. The simplest thing to start with for a more secure account is by creating a new stronger password, or if we might suggest, a strong passphrase. Just make sure that you haven’t recycled that passphrase for another account, since that makes it easier to compromise.

If you’re not a fan of holding all the passwords in your head, then a password manager could be a solution to your problems. You should also double down on your security and start using two-factor authentication (2FA), since adding an extra layer of security makes it harder for bad actors to invade your account.

Twitter supports a variety of 2FA options, such as authentication using text messages, hardware tokens or even software tokens. Actually, you shouldn’t use 2FA to secure only your Twitter account, but apply it as well to every non-Twitter account that allows the option. You can read up on the ins and outs of 2FA in our article.

On the eve of Twitter’s anniversary, we hope you didn’t get hacked, and that the suggestions we’ve made will help you take preventive measures to secure your account rather than reactive ones.

20 Mar 2020 – 11:30AM

Security flaws found in popular password managers

Not all they’re cracked up to be? Several password vaults contain vulnerabilities, both new and previously disclosed but never patched, a study says

Several popular password managers contain security vulnerabilities that could be exploited to breach the walls that are supposed to keep your passwords safe, according to researchers from the University of York.

After considering a pool of 19 password managers, the academics chose to test LastPass, Dashlane, Keeper, 1Password, and RoboForm based on their popularity and features. They uncovered a total of four new vulnerabilities, including a flaw both in the 1Password and LastPass Android applications that made them susceptible to phishing attacks. The vulnerability is caused by their use of weak matching criteria for identifying which of the stored credentials should be suggested for autofill.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” said Dr. Siamak Shahandashti from the Department of Computer Science at the University of York. He went on to add that, in order to remedy the situation, the password vaults should add stricter matching criteria that aren’t based just on “an app’s purported package name”.

The researchers also discovered that the Android applications of both RoboForm and Dashlane are susceptible to PIN brute force attacks. This flaw allows endless attempts at entering the master PIN that may ultimately unlock the password vaults.

“Through extrapolation of manual testing, it is estimated that even a manual random guessing attack is on average expected to find a randomly selected PIN in 2.5 hours,” the researchers explained, adding that factoring in additional variables can significantly reduce the time it takes to break the PIN.

The tools’ respective vendors were duly notified about the newly discovered vulnerabilities. “Some were fixed immediately while others were deemed low priority,” said Michael Carr, the lead author of the study.

In addition, the password managers also underwent rigorous testing against six previously disclosed vulnerabilities to see if the security holes had been plugged. The test showed that all except one of the password managers were susceptible to URL mismatch, and all of them were vulnerable to Ignoring Subdomains and HTTP(S) Autofill exploits. Dashlane fared the worst, as it was vulnerable to five out of the six vulnerabilities disclosed earlier.

Although the team admitted that “rigorous security models and canonical security tests for password managers” are needed, they still recommend their use to businesses and individuals alike, as they continue to be a more secure and usable option than resorting to password recycling or trying to memorize them all.

Food for thought, since people continue to make questionable choices when choosing passwords to protect their data, as can be evidenced by the fact that “12345” and similarly easy-to-hack passwords remain popular choices for many netizens.

19 Mar 2020 – 09:10PM

Work from home: Improve your security with MFA

Remote work can be much safer with the right cyber‑hygiene practices in place – multi‑factor authentication is one of them

If you happen to be working from home due to the COVID-19 pandemic, you should beef up your logins with Multi-Factor Authentication (MFA), sometimes also called Two-Factor Authentication (2FA). That way, you don’t have to entrust your security to a password alone. Easy to hack, steal, leak, rinse and repeat, passwords have become passé in the security world; it’s time to dial in your MFA.

That means you have something besides just a password. You may have seen MFA in action when you try to log into your bank and you receive an access code on your smartphone that you must also enter to verify it’s really you who is logging in. While it’s an extra step, it becomes exponentially more difficult for bad guys to get access to your account, even if they have a password that was compromised in a breach or otherwise.

What are your options?

The good news is that MFA is no longer super-tough to use. Here, we look at a few different popular ways to use it. If you need to work remotely now and log into a central office to collaborate with co-workers, this is a nice way to beef up the security of those connections.

Physical token

This means you have something like a key fob, security USB key or the like, which can be used to generate a very secure passcode that’s all-but-impossible to break (unless you have a quantum computer handy). Nowadays, things like YubiKey or Thetis are available for less than US$50 and are very widely supported if you’re logging into your own corporate office technology, online office applications and a host of other cloud applications. It means your normal login will ask for a password, but also the code generated by your device, which is often physically small enough to get lost in a pants pocket, so some folks hang them on their keychain for safekeeping.

Mobile phone

Nowadays you probably carry a mobile device around most of the time, which is a good argument for using it to boost your MFA security stance. For example, you can download an authentication app such as Authy, Google Authenticator, or ESET Secure Authentication. Whatever you choose, make sure it has a solid history, security-wise, since it needs to reside on your smartphone, which we now know can become compromised as well, thereby undermining your other security efforts.


It’s worth noting that spam SMS messages on your smartphone can trick some users into voluntarily compromising their own accounts, so stay on the lookout if you use this. Of course, reputable mobile security software can help if you’re concerned with security problems on the platform itself.

Biometrics

It’s very hard to fake a fingerprint or retinal scan, which makes biometrics a solid factor in MFA. Nowadays, lots of devices have built-in biometric readers that can get an image of your face from your smartphone taking your picture, or scan your fingerprint, so it’s not hard to implement this on a device you probably already have. Some folks steer away due to privacy concerns, which promises to be an ongoing conversation. Also, while you can reset a password, if a provider gets hacked it is notoriously difficult to reset your face (old spy movie plots, anyone?).

Closing thoughts

The important thing with MFA is that you pick one that suits your goals and one that is easy for you to include in your routine. I have a very good lock on my front door, but it’s very hard to use, so often my wife catches me leaving it open, which isn’t very secure, is it? Good security you don’t use can’t protect you.

In the event of a breach, MFA can offer side benefits as well. If you are notified that your password is compromised, there’s a very good chance they don’t also have one of your other factors, so successful hack attacks should drop precipitously if MFA is correctly implemented. Use an MFA solution and enjoy technology more safely.

19 Mar 2020 – 03:30PM

Stantinko’s new cryptominer features unique obfuscation techniques

ESET researchers bring to light unique obfuscation techniques discovered in the course of analyzing a new cryptomining module distributed by the Stantinko group’s botnet

In the new cryptomining module we discovered and described in our previous article, the cybercriminals behind the Stantinko botnet introduced several obfuscation techniques, some of which have not yet been publicly described. In this article, we dissect these techniques and describe possible countermeasures against some of them.

To thwart the analysis and avoid detection, Stantinko’s new module uses various obfuscation techniques:

- Obfuscation of strings – meaningful strings are constructed and only present in memory when they are to be used
- Control-flow obfuscation – transformation of the control flow to a form that is hard to read and the execution order of basic blocks is unpredictable without extensive analysis
- Dead code – addition of code that is never executed; it also contains exports that are never called. Its purpose is to make the files look more legitimate to prevent detection
- Do-nothing code – addition of code that is executed, but that has no material effect on the overall functionality. It is meant to bypass behavioral detections
- Dead strings and resources – addition of resources and strings with no impact on the functionality

Out of these techniques, the most notable are obfuscation of strings and control-flow obfuscation; we will describe them in detail in the following sections.

All the strings embedded in the module are unrelated to the real functionality. Their source is unknown and they either serve as building blocks for constructing the strings that are actually used or they are not used at all.

The actual strings used by the malware are generated in memory in order to avoid file-based detection and thwart analysis. They are formed by rearranging bytes of the decoy strings – those embedded in the module – and using standard functions for string manipulation, such as strcpy(), strcat(), strncat(), strncpy(), sprintf(), memmove() and their Unicode versions.

Since all the strings to be used in a particular function are always assembled sequentially at the beginning of the function, one can emulate the entry points of the functions and extract the sequences of printable characters that arise to reveal the strings.
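The construction-then-recover cycle described above, as an added example that is not the module's own code or ESET's tooling: the decoy strings and the target string “NameService” are constructed here, the assembly uses the standard string functions the article names, and the scanner models the “extract printable runs from emulated memory” step.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed decoys standing in for the unrelated text found in the module's
 * data section; in the real sample their origin is unknown. */
static const char decoy_a[] = "HostName";
static const char decoy_b[] = "Services.exe";

/* Assemble the string the code actually uses from slices of the decoys at
 * function entry, the way the module does with strncpy()/strncat(). */
void build_runtime_string(char *out, size_t cap)
{
    if (cap < 12)           /* "NameService" plus terminator */
        return;
    strncpy(out, decoy_a + 4, 4);     /* "Name"    from "HostName" */
    out[4] = '\0';                    /* strncpy() does not terminate here */
    strncat(out, decoy_b, 7);         /* "Service" from "Services.exe" */
}

/* Scan a memory region (for instance the emulated stack after running a
 * function's entry) for runs of at least min_len printable bytes. Returns the
 * number of runs copied into found[]. */
size_t extract_printable_runs(const unsigned char *mem, size_t len, size_t min_len,
                              char found[][64], size_t max_found)
{
    size_t n = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(mem[i]))
            continue;                  /* still inside a printable run */
        size_t run = i - start;
        if (run >= min_len && n < max_found) {
            size_t copy = run < 63 ? run : 63;
            memcpy(found[n], mem + start, copy);
            found[n][copy] = '\0';
            n++;
        }
        start = i + 1;
    }
    return n;
}

static int region_contains(const unsigned char *mem, size_t len, const char *needle)
{
    char found[8][64];
    size_t n = extract_printable_runs(mem, len, 4, found, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(found[i], needle) == 0)
            return 1;
    return 0;
}

/* File-based view: a constructed "data section" holding only the decoys. */
int target_in_static_data(void)
{
    unsigned char data[64] = {0};
    memcpy(data, decoy_a, sizeof decoy_a);
    memcpy(data + sizeof decoy_a, decoy_b, sizeof decoy_b);
    return region_contains(data, sizeof data, "NameService");
}

/* Emulated view: the same scan over the stack after the entry code ran. */
int target_in_emulated_stack(void)
{
    unsigned char stack[64] = {0};
    build_runtime_string((char *)stack, sizeof stack);
    return region_contains(stack, sizeof stack, "NameService");
}

int main(void)
{
    printf("in file: %d, in memory: %d\n",
           target_in_static_data(), target_in_emulated_stack());
    return 0;
}
```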

Figure 1. Example of string obfuscation. There are 7 highlighted decoy strings in the image. For example, the one marked in red generates the string “NameService”.

Control-flow flattening is an obfuscation technique used to thwart analysis and avoid detection.

Common control-flow flattening is achieved by splitting a single function into basic blocks. These blocks are then placed as dispatches into a switch statement inside of a loop (i.e. each dispatch consists of exactly one basic block). There is a control variable to determine which basic block should be executed in the switch statement; its initial value is assigned before the loop.

The basic blocks are all assigned an ID and the control variable always holds the ID of the basic block to be executed.

All the basic blocks set the value of the control variable to the ID of its successor (a basic block can have multiple possible successors; in that case the immediate successor can be chosen in a condition).

Figure 2. Structure of common control-flow-flattening loop

There are various approaches to resolving this obfuscation, such as using IDA’s microcode API. Rolf Rolles used this method to identify these loops heuristically, extract the control variable from each flattened block and rearrange them in accordance with the control variables.

This – and similar – approaches would not work on Stantinko’s obfuscation, because it has some unique features compared to common control-flow-flattening obfuscations:

- Code is flattened on the source code level, which also means the compiler can introduce some anomalies into the resulting binary
- The control variable is incremented in a control block (to be explained later), not in basic blocks
- Dispatches contain multiple basic blocks (the division may be disjunctive, i.e. each basic block belongs to exactly one dispatch, but sometimes the dispatches intertwine, meaning that they share some basic blocks)
- Flattening loops can be nested and successive
- Multiple functions are merged

These features show that Stantinko has introduced new obstacles to this technique that must be overcome in order to analyze its final payload.

Control-flow flattening in Stantinko

In most of Stantinko’s functions, the code is split into several dispatches (described above) and two control blocks — a head and a tail — that control the flow of the function.

The head decides which dispatch should be executed by checking the control variable. The tail increases the control variable by a fixed constant and either goes back to the head or exits the flattening loop:

Figure 3. Regular structure of Stantinko’s control-flow-flattening loop

Stantinko appears to be flattening code of all functions and bodies of high-level constructs (such as a for loop), but sometimes it also tends to choose seemingly random blocks of code. Since it applies the control-flow-flattening loops on both functions and high-level constructs, they can be naturally nested and there happen to be multiple consecutive loops too.

When a control-flow-flattening loop is created by merging code of multiple functions, the control variable in the resulting merged function is initialized with different values, based on which of the original functions is called. The value of the control variable is passed to the resulting function as a parameter.
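A source-level model of the structure described in this section (head, fixed-increment tail, nested loop for a for-loop body, dead and do-nothing dispatches, and two functions merged behind one entry parameter), as an added example that is not the module's code or ESET's deobfuscation tooling; the block IDs, the STEP constant and the two merged functions are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed IDs: the caller passes the initial control value, which selects
 * which of the merged originals actually runs. */
enum { STEP = 7, ENTRY_HASH = 100, ENTRY_DIGITS = 200 };

/* Reference implementations: what the flattened code must compute. */
uint32_t byte_hash(const char *s)
{
    uint32_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (uint8_t)*s;
    return h;
}

uint32_t count_digits(const char *s)
{
    uint32_t n = 0;
    for (; *s; s++)
        if (*s >= '0' && *s <= '9')
            n++;
    return n;
}

/* The body of byte_hash()'s for loop, flattened as its own nested loop with
 * its own control variable (bodies of high-level constructs get flattened). */
static uint32_t flattened_hash_body(uint32_t h, unsigned char c)
{
    uint32_t ctrl = 10;
    for (;;) {
        switch (ctrl) {            /* head: the control variable picks the dispatch */
        case 10: h *= 33; break;
        case 17: h += c; break;
        case 24: h ^= 0; break;    /* do-nothing code: executed, no effect */
        default: break;            /* any other ID here would be dead code */
        }
        ctrl += STEP;              /* tail: fixed increment, then loop or exit */
        if (ctrl == 31)
            return h;
    }
}

/* byte_hash() and count_digits() merged into one flattened function. */
uint32_t merged_flattened(uint32_t ctrl, const char *s)
{
    uint32_t acc = 0;
    for (;;) {
        switch (ctrl) {            /* head */
        /* byte_hash(): IDs 100 and 107; the tail exits on reaching 114 */
        case 100: acc = 5381; break;
        case 107:                  /* one dispatch holding several basic blocks */
            for (; *s; s++)
                acc = flattened_hash_body(acc, (unsigned char)*s);
            break;
        /* count_digits(): IDs 200 and 207; the tail exits on reaching 214 */
        case 200: acc = 0; break;
        case 207:
            for (; *s; s++)
                if (*s >= '0' && *s <= '9')
                    acc++;
            break;
        case 221: acc = 0xdead; break;  /* dead dispatch: never reached */
        default: return 0;         /* unknown entry ID */
        }
        ctrl += STEP;              /* tail: increment by a fixed constant ... */
        if (ctrl == 114 || ctrl == 214)
            return acc;            /* ... and exit, or go back to the head */
    }
}

int main(void)
{
    const char *in = "Stantinko2020";
    printf("hash:   %u vs %u\n", byte_hash(in), merged_flattened(ENTRY_HASH, in));
    printf("digits: %u vs %u\n", count_digits(in), merged_flattened(ENTRY_DIGITS, in));
    return 0;
}
```

Recovering the original from a layout like this means grouping dispatches by the arithmetic progression their IDs follow from each entry value, rather than reading a successor ID out of every block as the common flattening allows.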

We overcame this obfuscation technique by rearranging the blocks in the binary; our approach is described in the next section.

It’s important to note that we observed multiple anomalies in some of the flattening loops that make it harder to automate the deobfuscation process. The majority of them seem to be generated by the compiler; this leads us to believe that the control-flow-flattening obfuscation is applied prior to compilation.

We witnessed the following anomalies; they can appear separately or in combination:

Some dispatches can be just dead code – they will never be executed. (Examples in the section “Dead code inside the control-flow-flattening loop” below.) Basic

Work from home: How to set up a VPN

As the COVID-19 pandemic has many organizations switching employees to remote work, a virtual private network is essential for countering the increased security risks

If you’re newly working from home because of the COVID-19 outbreak, you probably have to learn some new tools and tricks very quickly now. Here we look at virtual private network (VPN) technology. Later this week, we’ll dive into other security tools such as Two-Factor Authentication (2FA, or Multi-Factor Authentication – MFA).

For now, however, we’ll start with the basics of how to set up and use a VPN to secure your connection to your office. We’re not talking about building your own from scratch, just how to get up and running quickly.

First, what is a VPN?

A VPN is an encrypted tunnel for your internet traffic that goes through the open internet, often from your home office or coffee shop to your work network at the office. You can connect across a VPN no matter what network you’re on and “appear” to be sitting at your desk at work using all the resources you could if you actually were there.

For our purposes, we’ll only consider VPNs that facilitate working from home. You’ll see a lot of online vendors offering standalone VPN services, but these are typically aimed at users who just want a secure connection to the internet that’s less susceptible to tracking, or to bypass network filters, but not necessarily for those seeking to work from home.

It’s called a virtual private network because it creates your own personal tunnel no one else can access. If all your team members are working remotely from their home offices, this is how you can work as a virtual team without all being at the main office, or gathered together in some other location. Due to COVID-19, this is a newly found desire – even a requirement – for many right now.

Do I need to set up a VPN?

To make such VPN connections, you need to initially set up both ends of that connection – the one on your laptop or home desktop, and the one in the main office. Sometimes, if you have an IT department, they’ll tell you what app to download to your personal device(s) and then give you some VPN credentials for your specific situation – problem solved. Once you install that app and configure it, you can click a button and the link will establish itself and let you know you’re connected.

If you don’t have an IT department, you might have to set up your own VPN connections. Don’t worry, it’s not as daunting as you might think.

Many business-class routers (some under US$100), and some small office/home office (SOHO) ones, have built-in VPN capability, so cost shouldn’t be an issue. In fact, you may already have such a device, so you’ll only need to configure it!

Let’s now look at two common VPN technologies: OpenVPN and IPsec.

OpenVPN

This tried-and-true option, which has been around for a long time, is reasonably secure. Also, being open-source software, it is probably supported by your business-class router (and many SOHO units). It used to be tricky to install, but manufacturers have been working on making it simpler.

On contemporary devices, you usually just have to click a few buttons in the configuration screens of the router for the network to be accessed (your office network). You then download the configuration file generated by your router and use that to configure the OpenVPN client software on any remote laptop, desktop or smartphone that needs to access the network behind that router. You should be able to find an easily followed online tutorial for your router.

After you’ve set up your office network router, you have to install apps on the remote devices that will access your new office VPN. Download these from the OpenVPN website, then install and configure them with the files generated while setting up OpenVPN on your office router. That can be tricky if you don’t have an IT person helping, but there are nice online tutorials for this, too. Altogether, you could set up your router and laptop in half an hour to an hour, so it’s certainly doable.
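Before handing a router-generated profile to your remote users, it is worth opening it and checking what the wizard actually put in it. The script below is an added example written for this page, not code from the article or from the OpenVPN project: it parses a client profile (including the inline `<ca>…</ca>`-style blocks that router wizards commonly embed) and flags settings a practitioner would not want to see. The two profiles in it are constructed for illustration, with placeholder text where certificate and key material would go; the directive names are real OpenVPN 2.x options, while the decision about which values count as weak is the script’s own.

```python
"""Sanity-check an OpenVPN client profile (.ovpn) for weak or missing settings.

Added example, not from the article or the OpenVPN project. Directive names
are real OpenVPN 2.x options; the risk judgements are this script's own.
"""
import re
from typing import Dict, List, Set, Tuple

# 64-bit-block or null ciphers. BF-CBC was OpenVPN's pre-2.4 default and is
# exposed to SWEET32-style birthday attacks on long-lived tunnels.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"NONE", "MD5"}


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Set[str]]:
    """Split a profile into directives and inline <tag>...</tag> blocks.

    directives maps each directive to the list of argument lists it was given
    ('remote' may legitimately repeat). Block bodies (certificates, keys) are
    not kept, only the tag names.
    """
    directives: Dict[str, List[List[str]]] = {}
    blocks: Set[str] = set()
    open_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag:
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            open_tag = m.group(1)
            blocks.add(open_tag)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks


def check_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d, blocks = parse_ovpn(text)
    findings: List[str] = []

    def present(name: str) -> bool:
        return name in d or name in blocks

    if not any(present(x) for x in ("ca", "pkcs12", "peer-fingerprint")):
        findings.append("no CA or peer fingerprint: the server cannot be authenticated")
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.append("missing 'remote-cert-tls server': any certificate issued by the CA, "
                        "including another client's, could impersonate the server")
    if not any(present(x) for x in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt key: the TLS control channel is open to "
                        "unauthenticated probes and DoS")
    ciphers = [a[0].upper() for a in d.get("cipher", []) if a]
    if not ciphers:
        findings.append("no cipher pinned: pre-2.4 clients fall back to BF-CBC")
    findings += [f"weak data-channel cipher {c}" for c in ciphers if c in WEAK_CIPHERS]
    findings += [f"weak HMAC digest {a[0]}" for a in d.get("auth", [])
                 if a and a[0].upper() in WEAK_AUTH]
    # Compressing encrypted traffic is a known oracle (VORACLE); only the 'stub'
    # modes, which negotiate framing without compressing, are acceptable.
    if any(a != ["no"] for a in d.get("comp-lzo", [])) or any(
            not a or a[0] not in ("stub", "stub-v2") for a in d.get("compress", [])):
        findings.append("compression enabled: exposes the tunnel to compression-oracle attacks")
    if any(a for a in d.get("auth-user-pass", [])):
        findings.append("auth-user-pass with a file: VPN credentials are stored in clear on disk")
    return findings


# Constructed sample: roughly what an older router wizard might emit.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
auth-user-pass creds.txt
"""

# Constructed sample of the same profile hardened. The inline blocks hold
# placeholder text where the real PEM material would go.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
<ca>
(placeholder: CA certificate, PEM)
</ca>
<cert>
(placeholder: client certificate, PEM)
</cert>
<key>
(placeholder: client private key, PEM)
</key>
<tls-crypt>
(placeholder: OpenVPN static key V1)
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {check_profile(profile) or ['ok']}")
```

Run it against the file your router produced; the weak sample trips five findings, the hardened one none. The point of the `remote-cert-tls server` check in particular is easy to miss: without it, the client trusts any certificate the VPN CA ever issued, so a stolen laptop’s client certificate could stand up a fake “office” for the other users.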

IPsec

IPsec (Internet Protocol Security) also has a long history and reasonable security. It’s one of the other VPN technologies a lower-cost router is likely to support. The process is similar to OpenVPN, except that many laptops, desktops and smartphones have IPsec support built-in, so you may not need to install another app on your remote devices.

Some of the router IPsec implementations I’ve seen lately seem to be more complicated than those I’ve seen for OpenVPN. However, this may be offset by being able to use native tools on your remote endpoints to just type in a couple of things such as an IP address and credentials and it “just works”. Again, you could probably set this up in under an hour.

Closing thoughts

There are certainly other VPN technologies out there, but if you want to get started very quickly, these methods have lots of tutorials, experts and experience behind them, so you have a reasonable chance of getting them up and running without having a raft of IT experts on call.

It’s also worth noting that a VPN costs some performance. Every packet is encrypted and wrapped in an extra header, so there is a little less room for payload and a little more CPU work at both ends; on a sub-US$100 router the crypto engine, not the broadband line, is often the bottleneck, and its VPN throughput can be a fraction of its rated WAN speed. If all of a remote user’s traffic is routed through the tunnel, it also has to go out over the office’s upload link, which is usually much slower than its download link. So expect some slowdown, especially on slower connections. This is offset, of course, by the ability to work more safely from home in these turbulent times.

Next we’ll look at how to set up Multi-Factor Authentication, sometimes called Two-Factor Authentication (MFA, 2FA), which can also help you work more securely from home. Until then, stay safe – and healthy!

18 Mar 2020 – 03:30PM

FBI warns of human traffickers luring victims on dating apps

The warning highlights one of the potential risks associated with revealing too much private information online

The FBI’s Internet Crime Complaint Center (IC3) issued a warning yesterday about the continued threat posed by human traffickers luring victims online. Using tactics such as coercion, fraud, force, and bogus job offers, the criminals scour social media sites and dating platforms in an attempt to exploit the personal situations of down-on-their-luck individuals by promising to help them out.

“Offenders often exploit dating apps and websites to recruit – and later advertise – sex trafficking victims. In addition, offenders are increasingly recruiting labor trafficking victims through what appear to be legitimate job offers,” said the Bureau. The criminals usually pose as work recruiters, modeling agents or scouts, lulling potential victims with fake career prospects or offers of a helping hand.

To put the problem into context – according to data from the US National Human Trafficking Hotline, between 2015 and 2018 almost 1,000 potential sex trafficking victims were recruited using online services such as Facebook, Instagram, Snapchat, Craigslist, as well as online dating sites.

Per the FBI’s warning, the internet has been a boon for sex traffickers, who now have access to a vast pool of potential victims from all around the world. Online platforms make it simpler for human traffickers to find out more about their targets, often teenage girls, especially if they overshare about their financial woes or family problems. The offenders then leverage this information and feign romantic interest or offer fake prospects of a better life. They groom their victims, establish a false sense of trust, and ultimately meet them in person. Before long, they force the targets into sex work or forced labor.

RELATED READING: How (over)sharing on social media can trip you up

In its announcement, the FBI also described three cases where victims were exploited using such tactics. One sex trafficking victim met a trafficker’s accomplice through a dating website. Both the trafficker and his accomplice promised to help her with her acting career, but went on to abuse her and force her into prostitution.

In another case, a couple posted false advertisements on the internet and in a newspaper in India, lying about the nature of the work they were offering in their household and the salary their employees would make. Once the workers arrived, they were forced to work 18-hour shifts and were paid next to nothing.

It’s important to be vigilant about what you share on your social media accounts and be wary of who can see your posts and photos. Why not take precautions right away and review, for example, your Facebook privacy settings?

17 Mar 2020 – 10:10PM

COVID‑19 and the forced workplace exodus

As the pandemic forces many employees to work from home, can your organization stay productive – and safe?

The coronavirus (COVID-19) outbreak has officially been categorized by the World Health Organization (WHO) as a pandemic, meaning infection is accelerating in multiple countries concurrently. The United States of America has declared travel bans on 28 European countries, many countries have closed schools and universities, and large gatherings of people have been stopped.

High-profile companies such as Google and Microsoft are encouraging or mandating that staff adopt a work-from-home policy. For modern tech companies, the infrastructure and policy needed for remote working are unquestionably already in place and the vast majority of staff members are probably already laptop users.

For many smaller companies and organizations, however, the situation is likely to be very different. Remote working is probably limited to a few, and realistically mainly for email and other non-operational systems. The education sector is a good case in point: universities have been delivering distance learning as a feature for some time, while high schools and others are mainly dependent on staff and pupils being on-site to learn. The school’s operations and administrative teams also need to be considered, as they are unlikely to be mobile workers and may be using desktop devices rather than laptops.

Breaking the organization into just a few groups with differing requirements and dealing with the needs of each to effect the mass exodus may seem a simplistic approach, but is probably essential given the urgency in some cases. Using education as an example, there are students (the customers), teaching faculty, administration and operations. The school can’t run without significant student engagement, teachers at least need virtual conferencing facilities and the administration teams need network access, and this is the minimum.

In order to be productive, there are common requirements that all remote workers need. As someone who has worked remotely for the majority of his working life, I can attest to the last two:

  • A computer
  • A good internet connection
  • Chat and conferencing applications
  • A dedicated workspace (preferred)
  • Optionally, a phone
  • Self-motivation and discipline
  • A strict routine

Why is the phone optional? In today’s environment it may not be necessary, especially as most chat applications allow direct calling. The need for a phone may be a business requirement rather than an essential device.

Importantly, companies and organizations also need to prepare themselves and their employees for the increased cybersecurity risks associated with remote working. What are some of the challenges that may need to be addressed?

Physical security of company devices

Employees will be exposing company devices to greater risk as they leave the safety and security of the workplace. As a remote employee, I often take myself to the public library to work; there are shared and individual workspaces and it’s a form of socialization. Devices need to be protected against loss and theft with options such as:

  • Full-disk encryption ensures that even if the device falls into the wrong hands, the company’s data is not accessible. Note that this holds when the device is powered off or the key is protected by a pre-boot password or PIN; a laptop that is merely asleep, with the key still in memory, gains little from it.
  • Log out when not in use – both at home and in public places. An inquisitive child accidentally sending an email to the boss or a customer is easily prevented, as is limiting the opportunity for someone to access the machine while your back is turned in the local coffee shop.
  • Strong password policy – enforce passwords on boot, set inactivity timeouts, and ban sticky notes with passwords on them: people still do this!
  • Never leave the device unattended or on public display. If it’s in the car, then it should be in the trunk.

What’s in the home technology environment

Ask employees to audit their own home environment for vulnerabilities, before connecting work devices. There are continual disclosures regarding vulnerable Internet of Things (IoT) devices, and this is an excellent time for employees to take action on securing them with strong passwords and updating their firmware/software to the latest versions.

Consider promoting, or even mandating, the use of a connected home monitoring app before allowing work devices to be connected to home networks. The scan or monitoring will highlight devices with known vulnerabilities, outdated software or firmware, or default passwords that need to be changed.

Accessing the company network and systems

Establish if the employee needs access to the organization’s internal network or just access to cloud-based services and email. And take into consideration whether the same level of access to sensitive data enjoyed on-site should be granted when the employee is off-site.

  • If access to the organization’s internal network is needed:
    • I recommend allowing this only from an organization-owned device, so that the connecting device is fully managed by the IT and security team.
    • Always use a VPN to connect remote workers to the organization’s internal network. The tunnel encrypts and authenticates the traffic between the employee’s device and the office, so someone on the home Wi-Fi, at the ISP or on a public hotspot cannot read or tamper with it: remember that since you’re now working from home, the traffic is flowing over networks you do not control.
    • Control the use of external devices such as USB storage and peripheral devices.
  • Allowing access to email and cloud services from an employee’s own device:
    • Enforce the same endpoint security policy for antimalware, firewalls, etc. as with an organization-managed device. If necessary, furnish the employee with a license for the same solutions used on the organization-owned devices. If you need extra licenses, then contact the provider. They may have solutions to cover you through this unprecedented event.
    • Limit the ability to store, download or copy data. A data breach can happen from any device that contains sensitive company data.
    • Consider the use of virtual machines to provide access: this keeps the employee in a controlled environment and limits the exposure of the company network to the home environment. This may be more complex to set up, but could be a superior longer-term solution.
  • Multifactor authentication (MFA) ensures that access, whether to cloud-based services or full network access, is by authorized users only. Wherever possible, use an app-based system or physical hardware token to generate one-time codes that grant authenticated access. As there may be time pressure to deploy a solution, an app-based solution removes the need to procure and distribute hardware. App-based systems provide greater security than SMS messages, especially if the device used to receive the codes is not an organization-managed device and could be subject to a SIM swap attack.

Collaborative tools and authorization processes

It may seem strange to put these two items under the same heading, but one can help prevent issues with the other.

  • Provide access to chat, video and conference systems so that employees can communicate with each other. This provides the productivity tools needed and helps employees to remain social with their colleagues.
  • Use the collaborative tools to protect against unauthorized instructions or transactions. Cybercriminals will likely use the opportunity of remotely located workforces to launch Business Email Compromise (BEC) attacks. This is where a bad actor, typically impersonating an executive or a supplier, sends a bogus demand for an urgent transfer of funds, counting on the recipient being unable to validate the request in person. Be sure to use video conferencing/chat systems as a formal part of the approval process so that validation is made “in person”, even when remote.

Training

As per my other recent blogpost, there are numerous COVID-19 scams in circulation, peddling face masks and vaccines and spreading disinformation. When employees are relocated out of the workplace and placed into a more casual environment, they may be more inclined to click on links, as there are no colleagues who might see them watching that amusing video or visiting a webpage.

Cybersecurity awareness training is typically an annual requirement for employees. It would be prudent to offer a refresher to help avoid the human element that cybercriminals attempt to exploit. Consider running a campaign and training requirement before the employee begins working remotely … or as soon as possible thereafter.

Support and crisis management

In the rush to provide remote access, don’t sacrifice cybersecurity or the ability to manage systems and devices. The ability to support users remotely will be essential to ensure smooth operations, especially if users become quarantined due to health concerns. Remote workers need to have clear communication protocols for IT support and for crisis management if they encounter unusual or suspect issues that could be the result of a breach.

There are, of course, additional considerations from a technology perspective; for example, removing or limiting the use of RDP, as detailed in a recent blogpost by my colleague Aryeh Goretsky.

Beyond technology and functional processes, there are other key factors to effective remote working:

  • Communication – Consider having team calls once per day, brief people on the status, and give everyone the opportunity to share experiences and issues.
  • Responsiveness – Remote working is not the same as working in an office environment. Establish clear guidelines on how quickly a remote worker is expected to respond to a request depending on the channel: email, Slack, calendar invites, etc.
  • Reporting – Line managers need to implement procedures that allow them to ascertain whether the remote workers are getting the job done: mandatory group meetings, team collaboration, daily/weekly/monthly reports.
  • Working schedule – Agree a method of clocking on and off, even if it’s as simple as a team group chat and members saying good morning when they start their day.
  • Health and safety – Do the ergonomic keyboards in the office need to be taken home to provide the same comfort employees are used to? Working from home does not remove the responsibility to provide a good working environment.
  • Liability – Ensure coverage for the company assets while in the employee’s possession.
  • Tech support – Distribute the contact details: all remote workers need to know how to get help when needed.
  • Socialization – Bring remote workers together, particularly virtually. Social interaction is an important part of motivation and increases productivity. Consider a buddy or mentor scheme so that every employee is paired and can problem solve, vent, share or socialize virtually.
  • Accessibility – Establish a virtual open-door management policy, just as there is in the office. Make sure people are accessible and can be easily engaged.

Don’t assume that all employees can switch to remote working effectively and with little assistance or guidance. Home is not the office and they may need significant assistance to adapt.

Philosophically, the world may never be the same again as this mass remote working mandate could prove to be a social/work experiment that few companies would have ever undertaken on such a scale. Will we ever return to our office in the same way?

Stay safe – and healthy!

16 Mar 2020 – 11:30AM