In the spirit of the holidays, this week’s Security Central takes a look at the potential threats and pitfalls awaiting eager holiday shoppers and deal-seekers. We also explore why people still seem to be such suckers for phishing and take a peek inside the Oracle/Dyn acquisition.
For a lot of us, the holidays mean lots of eating, skillfully (or perhaps not so skillfully) navigating political conversations with relatives and waiting in long lines at overcrowded malls to purchase those perfect holiday gifts. Unfortunately, eager shoppers aren’t the only ones waiting. Hackers don’t take vacations. New data from Cybereason, developers of the world’s only military-grade, real-time detection and response platform, reveals that shoppers are doing a whole lot more than just scouring sites for deals: they're making themselves tremendously vulnerable to cyber-attacks. In fact, 62 percent of shoppers are concerned about being hacked this holiday season, yet 40 percent do nothing to protect themselves from cyberthreats. Puzzling…
Why don’t shoppers change their online habits, especially in light of the risks? “Consumers consider their credit card insurance as a good enough safety net that allows them to use their card on any website, and worst case scenario, revert any fraudulent transactions without taking any financial damage,” explains Israel Barak, Cybereason’s CISO. “This is especially true during the holiday season and not only for consumers. Employers should take note since tens of millions of additional people will be shopping for their holiday gifts during work hours, increasing risks to the corporate networks,” he said.
If you provide security services for your customers, the holiday season might be even more stressful for you than the rest of us. Consumers are more likely to click on links or attachments if they’re from a retailer. They click on advertisements, opening themselves up to click-fraud. They’re shopping on their business network-connected devices over unsecured public Wi-Fi networks as they travel over the river and through the woods to grandma’s house for the holidays. They’re downloading apps and buying from unknown retailers, giving cyber-attackers a very jolly Christmas.
Partners should communicate these threats to their customers and consider employee awareness training to prevent crippling their security and exposing networks. Here are a few tips from our friends at Cybereason:
- Only visit websites that you trust because they are generally safer to use. Do not shop on sites that you have never heard of because an offer too good to be true might be nothing more than a scam.
- Make sure that the URL reads ‘HTTPS’ and not just ‘HTTP’ and look for the padlock icon to the left of the URL because it is a sign of increased security.
- If you receive an email or attachment from a retailer that you are interested in, visit the retailer’s site by typing in the address of the site to search for the deal. If it is a legit offer, you’ll be able to verify it on the retailer’s website. This is a good way to avoid phishing emails that make people click on fake URLs, exposing them to malware and other security risks.
- Be diligent about checking the URLs and contact information in the emails or attachments you receive. Often, hackers will create fake email accounts and websites by very subtly changing a letter or number in a URL, making you believe it is a real site when it isn’t.
- Make sure your operating system, browser and other apps on both your mobile phone and desktop are updated so that known vulnerabilities are fixed and patched.
- When traveling, it is better to tether to the Internet using your smartphone as a hotspot instead of using free public Wi-Fi, which can be easily compromised by hackers.
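The second, fourth and fifth tips above (HTTPS, retyping the retailer's address, and spotting a URL with one letter or digit swapped) can be turned into a simple pre-click check. The following is an added example, not Cybereason's or the newsletter's own code; the trusted domain list and the URLs are constructed, and "registrable domain" is simplified to the last two labels (it does not handle suffixes such as co.uk):

```python
from urllib.parse import urlsplit

# Constructed sample list of retailers the shopper actually uses; replace with your own.
TRUSTED_DOMAINS = {"example-shop.com", "bigretailer.com"}

# Characters commonly swapped for visually similar ones in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified: ignores multi-part suffixes such as co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so 'bigretailers.com' is 1 edit away from 'bigretailer.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict of 'trusted', 'lookalike' or 'unknown', plus whether HTTPS is used."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    result = {"domain": domain, "https": parts.scheme == "https", "resembles": None}
    if domain in trusted:
        return {**result, "verdict": "trusted", "resembles": domain}
    normalized = domain
    for fake, real in HOMOGLYPHS.items():
        normalized = normalized.replace(fake, real)
    for t in sorted(trusted):
        # Three lookalike patterns: a homoglyph swap, a one-character edit, or a trusted
        # name used as a subdomain of an unrelated registrable domain.
        if normalized == t or edit_distance(domain, t) <= 1 or f".{t}." in f".{host}.":
            return {**result, "verdict": "lookalike", "resembles": t}
    return {**result, "verdict": "unknown"}
```

A "lookalike" verdict is the cue to retype the retailer's address rather than follow the link; "unknown" simply means the site is not on the shopper's list.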
In keeping with this theme, at the recent Financial Crimes and Cybersecurity Symposium in New York, top law enforcement officials voiced that the biggest challenge they deal with is… wait for it… email. As if that’s news to the channel. “Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Cyrus Vance, Manhattan District Attorney. In the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter, writer Jeff John Roberts examined the statements at the event and shed some light on fixes that partners can use with their own customers.
Essentially, the old “malicious bugs hidden in emails that appear to come from credible sources” trick is still alive and well. “The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” stated Homeland Security Secretary Jeh Johnson at the event. OK. So, how do we fix it?
Education is one tack, says Roberts. Jeh Johnson has a neat method: his agency sends emails to its own employees containing suspicious links with bait lines such as “free Redskins tickets.” Those who click on the link receive instructions and a location to collect their “tickets.” When they arrive at the spot, they instead receive a free lesson on cyber-hygiene. Involved learning and “real life” examples… genius. Of course, technology helps, too. Vance announced at the event that the Global Cyber Alliance has created a free tool to help organizations set up DMARC, an email authentication standard that lets receiving mail servers reject messages that spoof a domain while accepting the authentic ones.
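DMARC does not inspect message content; a receiving server checks whether SPF or DKIM passed for a domain that is aligned with the visible From domain, and otherwise applies the policy the domain owner published. The following is an added example of that receiver-side evaluation, not code from the Global Cyber Alliance tool or the newsletter; the DMARC record, the domain names and the message results are constructed:

```python
# Constructed sample record, as a retailer might publish in DNS at _dmarc.example-retailer.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example-retailer.com")


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict with RFC 7489 defaults; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {}
    tags.setdefault("adkim", "r")   # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")    # SPF alignment defaults to relaxed
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the main policy
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: last two labels (ignores multi-part suffixes such as co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(header_from: str, authenticated_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs identical domains; relaxed ('r') accepts the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated_domain)


def dmarc_disposition(msg: dict, record: str, policy_domain: str) -> str:
    """Return 'pass', or the policy ('none', 'quarantine', 'reject') the receiver should apply."""
    policy = parse_dmarc(record)
    if not policy:
        return "none"  # no DMARC record: nothing to enforce
    spf_ok = msg["spf_result"] == "pass" and is_aligned(msg["from_domain"], msg["spf_domain"], policy["aspf"])
    dkim_ok = msg["dkim_result"] == "pass" and is_aligned(msg["from_domain"], msg["dkim_domain"], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain in the From header gets the 'sp' policy, the exact domain gets 'p'.
    if msg["from_domain"].lower() != policy_domain.lower():
        return policy["sp"]
    return policy["p"]


# Constructed messages: a genuine retailer mailing and two spoofs of the same brand.
LEGIT = {"from_domain": "example-retailer.com", "spf_result": "pass",
         "spf_domain": "bounce.example-retailer.com", "dkim_result": "pass",
         "dkim_domain": "example-retailer.com"}
SPOOF = {"from_domain": "example-retailer.com", "spf_result": "pass",
         "spf_domain": "holiday-deals.example", "dkim_result": "none", "dkim_domain": ""}
```

The spoof passes SPF for the sender's own domain, which is exactly why DMARC requires alignment with the From domain before that pass counts.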
To wrap up the week, we look to the clouds…specifically, delivering public cloud services. An Azure customer this week handed Microsoft a little lesson in security. Ian Duffy, a software engineer at online retailer Zalando, discovered a massive vulnerability that would have essentially given cyber-attackers a free pass into Red Hat Enterprise Linux virtual machines. According to eWeek, Duffy was in the process of creating a secure, custom Red Hat Enterprise Linux (RHEL) machine image that could run on both Amazon Web Services (AWS) and Microsoft Azure. That’s when he discovered the vulnerability. In a blog post outlining the gap, Duffy writes that he was able to obtain "administrator level access to all of the Microsoft Azure-managed Red Hat Update Infrastructure that supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.”
Had knowledge of the vulnerability fallen into the wrong hands, an attacker could have pinpointed the Red Hat Update Appliance responsible for managing and distributing RHEL updates for all Azure regions and gained administrative access to the Red Hat Enterprise Linux Appliance REST (Representational State Transfer) API. From that point, the hacker could have uploaded an “altered package” which would grant them full access to the client virtual machines that ran the update.
Roy Feintuch, CTO and co-founder of Dome9, states that the security vulnerability around how Microsoft Azure handles RHEL updates shows just how wrong things can go when private appliances meant for internal use become accessible to the public. “Well-planned and executed access control is key to preventing such vulnerabilities and containing their impact,” says Feintuch. “Security needs to be designed under the assumption that software is susceptible to bugs and misconfigurations, and that private services exposed to the public will get hacked eventually. With the proper tools that allow organizations to visualize, evaluate and enforce the exposure level of each service they deploy, such risks can be mitigated.”
As we enter the holiday season and a new year of IT challenges, failures and successes, there are critical components that partners need to get their customers to consider on the daunting and seemingly never-ending road to securing their environments. Enterprises must manage risk and reduce cost while maximizing cybersecurity effectiveness and operational efficiency. How to accomplish this? Design and deploy infrastructure that prioritizes the protection of critical assets.
So readers, as we dive headfirst into the swirling vortex that is the holidays, keep a sharp eye out, take a closer look at that email and be careful what you click. Remember, Santa is watching…