Cyber News Rundown: Edition 5/26/17

Cyber News Rundown: Edition 5/26/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Samsung’s Latest Iris Scanners are Easily Fooled

Recently, ethical hackers have been able to bypass Samsung’s latest attempt at iris recognition with minimal effort. Would you believe the tech is fooled by simply scanning a high-res picture of the right pair of eyes? While the vendor who supplies Samsung with the recognition software assures users that their security is infallible, the opposite seems to be true. The group that discovered the hack was also responsible for finding the workaround for Apple’s Touch ID locking system.

University Twitter Account Hacked, Tweets Racist Remarks

Unfortunately, Salem State University in Massachusetts has joined the ranks of notable organizations, institutions, and individuals who have fallen victim to social media hacks. In the past week, officials at Salem State having been dealing with the aftermath of a hack that caused their Twitter account to post highly offensive, racist messages. For the time being, the account has been suspended, the tweets in question have been deleted, and the university has issued public apologies through all regional means.

Tech Support Scammers Using WannaCry to Leverage Payment

While tech support scams aren’t new, it seems that scammers are now shifting their tactics to use cyberattacks that have made the news as an extortion tool. After launching an annoying popup that informs victims of their (fake) WannaCry infection, the scammers prompt users to call the (fake) support number for assistance. They then demand an outrageous payment just to run the free Microsoft Malicious Software Removal tool.

Yahoobleed Vulnerability Leaks User Data

Security researchers have been warning Yahoo! about its numerous security vulnerabilities around user data for years, and have gotten only silence in response. The flaw comes from ImageMagick, an image processing system used by Yahoo, which didn’t receive a crucial patch that was released in early 2015. This flaw allowed criminals to send an email containing a malicious image file which, once opened, would enable the end user access to Yahoo! server information. Rather than patching the bug that cybercriminals could exploit, Yahoo! simply discontinued using ImageMagick.

Bank Biometrics Bypassed by Twin Brother

Recently, a reporter for the BBC discovered that his HSBC bank credentials could be falsified by his non-identical twin brother using the voice-recognition password system. The system allowed the reporter’s brother no fewer than 8 attempts to correctly match the voice patterns necessary to access the account, though it only offered him limited viewing access. HSBC has stated that they will decrease the number of failed attempts allowed, and will work to add more layers of security.

Cyber News Rundown: Edition 5/19/17

Cyber News Rundown: Edition 5/19/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

WannaCry Ransomware Tackles Globe

In the past week, organizations in over 150 different countries have been dealing with the WannaCry ransomware that spread like wildfire across at least 150,000 individual endpoint devices. By propagating like a worm, the infection was able to spread quickly, exploiting a largely unpatched vulnerability in several Windows operating systems. While a patch for un-updated systems has been publicly available since March, many organizations have struggled to roll it out to their endpoints, or can’t do so without rendering their proprietary software unusable.

Restaurant Listing Service Zamato Hacked

Researchers have discovered a Dark Web vendor with a listing for 17 million Zamato user accounts, along with samples of the data to prove its legitimacy. In response to the hack, Zamato has issued a forced password reset for all affected users, and strongly recommends a password change for the remaining users as added precaution. Fortunately, no credit card information was compromised, as it is stored in an alternate location.

Pirates Pirate “Pirates”

As the official release of the new Pirates of the Caribbean movie looms ever closer, hackers have threatened to leak five minutes of a stolen, unreleased film, followed by 20-minute chunks if Disney doesn’t pay their Bitcoin ransom demand. (It’s unclear if the stolen movie is truly the new PotC, but that’s the rumor.) Piracy is hardly new in the film industry, and a case much like this one happened last month with Netflix and episodes from the upcoming season of Orange Is the New Black. From the sound of it, most production companies agree that a few leaks to dodgy download sites so close to release aren’t significant enough to consider paying up.

Dangerous Flaw Found in the Google Chrome Browser

A recently discovered flaw in Google Chrome has allowed researchers to download a malicious shell command file to a user’s computer, which then executes when the user opens the folder where the file was saved. Upon execution, the file retrieves the user’s login credentials for accessing other network drives or local files. Fortunately, Google is aware of the issue and is working to resolve the vulnerability.

Bell Canada User Data Leaked

In their public statement earlier this week, Bell Canada revealed that a large number of users’ email addresses had been compromised, along with several thousand names and phone numbers. The breach is currently under investigation, and all affected users have been notified to be on the lookout for resulting email phishing scams.

Clavister Partners with Webroot for IP Reputation

Clavister Partners with Webroot for IP Reputation

Webroot recently announced a new collaboration with Clavister, a leader in the network security market. Clavister selected Webroot’s BrightCloud® IP Reputation Service. The solution detects malicious activity within users’ IT infrastructure and delivers actionable threat intelligence. We sat down with Mattias Nordlund, product manager for Enterprise at Clavister to get the scoop on the new offering and also the importance of IP reputation.


Webroot: Give readers a brief overview of Clavister.

Mattias Nordlund: Clavister is a Swedish security vendor founded in 1997 in the very improbable location of Örnsköldsvik, on the border of Lapland, far in the North of the country. We always joke – because it’s cold and dark so much of the year – our developers don’t have any distractions from making the best security code out there. Our “Swedishness” is a big source of company pride.

The development of our proprietary software – first cOS core and later our cOS stream solution – made the product into an award-winning and industry-respected leader in cybersecurity and digital threat deterrence. We’ve managed to grow the business internationally to an installed base of 20,000 customers with a 95 percent satisfaction rate, which drove Clavister to be one of the few Swedish technology companies listed on the NASDAQ OMX Nordic Exchange. Clavister also has acquired a formidable client list that includes Nokia, Canon ITS, and D-Link, as well as collaborations with Intel, Redhat, and VMware, among others.

I love the source of pride in your heritage. Putting on your security hat, do you see a difference in cyber preparedness in Europe versus the United States?

Of course. The US is a very advanced market when it comes to threat protection and development with some of the biggest vendors operating within its borders. But, if you think of EU legislation, like GDPR, with a more independent tradition that doesn’t appreciate the surveillance and backdoors built by both US and Chinese actors, then you see that Europe is quite advanced in cybersecurity. In Sweden, just as an example, we use a two-factor authentication app for not only our banking but logging into public websites, checking your kid’s daycare schedule, etc. So identity management and using VPNs is far more advanced in the EU than in the US.

That’s great. We are always pushing two-factor authentication, but it isn’t required by many sites here. Switching gears, why is IP reputation important?

For us, it’s important as a tool to help our customers stop Command & Control and Botnet communications, alleviate load on servers from attacks from known Denial of Service (DoS) IPs, or help limit the load on mail servers by stopping known spam sources on the edge. IP reputation in a way becomes a proactive mitigation technique rather than a reactive one. That’s where we see the market for Next-Generation Firewalls (NGFW) going.

Being proactive in your cyber defense is key. What do you hope your customers will gain by including Webroot BrightCloud IP Reputation intelligence in your solutions?

For our customers, it’s one more piece of the puzzle in how to understand traffic flowing through our products. The customer will get insights on the behavior of users. Coupled with other features like web content filtering and application control, it will indicate the behavior of a user and how “risky” it is.

What advice can you share with businesses struggling with their security plans today?

Having a holistic approach to how the company behaves – BYOD, its cloud-based work, endpoint, identity access management (IAM), VPNs, etc. – is really critical. It no longer works to take a partial approach. And then there’s the human firewall factor. Keep in mind, 85 percent of network breaches come from employees hitting phishing emails. That’s very important to bear in mind, as much as the hardware and software solutions.

Wise words, Mattias. Thank you for taking the time to talk cyber.

If you want to learn more about this new collaboration, check out the media release.

Second WannaCry wave spreads the globe

Second WannaCry wave spreads the globe

As the second wave of WannaCry spreads across the globe, the latest estimate from the leading European police agency Europol suggests the malware has hit over 200,000 victims over 150 countries.  You can catch up on some of the latest news here.

Although a second kill switch has been identified and registered today, there is no certainty that this second kill switch will address all malware variants. Europol continues to recommend that one of the best defenses is to take advantage of the patches released by Microsoft.

Webroot currently has strong protection in place for WannaCry, and has already reviewed and fortified its protection and detection routines to protect its users against future variants that may appear.

As Webroot sees every new executable file introduced on systems where Webroot SecureAnywhere is installed, we get rapid insight into all types of new malware.  This allows us to quickly create and/or improve upon our best-in-class detection mechanisms for zero day threats.

WannaCry Ransomware: Webroot protects you.

WannaCry Ransomware: Webroot protects you.

Ransomware attacks continue to spread around the world this weekend, after the initial damage inflicted on healthcare organizations in Europe on Friday.

The criminals responsible for exploiting the Eternal Blue flaw haven’t yet been identified, but up to 100 countries have hit with WannaCry ransomware, with Russia, Ukraine and Taiwan among the top targets.

The ransomware first appeared in March, and is using the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers.  The initial spread of the malware was through email, including fake invoices, job offers and other lures with a .zip file that initiates the WannaCry infection.  The worm-like Eternal Blue can exploit a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution.  This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy technology like XP.

What’s New

Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003.

Overnight and today, it has become clear that a  kill switch was included in the code.  When it detects a specific web domain exists—created earlier today—it halts the spread of malware.  You can learn more at The Register.

As a Webroot customer, are you protected?  YES.

Webroot SecureAnywhere  does currently protect you from WannaCry ransomware.

In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before.  It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot SecureAnywhere as part of a strong endpoint protection strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

If you have any questions about your Webroot deployment, reach out to our Support Team now.

And, if you are not a Webroot customer, we encourage you to trial Webroot SecureAnywhere now.

Cyber News Rundown: Edition 5/12/17

Cyber News Rundown: Edition 5/12/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

UK Dating Site Exposes User Info

Recently, users of the UK-based dating site, Soulmates, reported receiving explicit emails that contained info available on their dating profiles. After what appeared to be a third-party data leak, Soulmates revealed that both usernames and corresponding email addresses had been compromised. Soulmates has since confirmed that the cause of the leak has been resolved, but declined to provide further detail.

Dangerous Microsoft Security Bug Found

In the past week, a Google researcher discovered a bug in the Microsoft® Windows Defender that exploits the program’s high-level permissions to cause chaos on the system—without the user having to take any action. The bug occurred when Windows Defender scanned a malicious email, which then enabled the remote code execution to further take control of the affected device. Fortunately, Microsoft releases automatic updates, so this should be resolved for most systems, or will be soon.

Ireland Falls Victim to Multiple Email Scams

In recent weeks, thousands of Irish citizens have received scam emails from Tesco Bank and Bank of Ireland, all requesting that they confirm personal information via a link to the site’s login page. (As if we needed yet another reason to avoid links in emails…) Recognizing that many users will be savvy enough to delete the obvious phishing attempt without clicking the link, attackers are likely measuring success based solely on the relatively small percentage of recipients who fall for the scam.

Healthcare Providers Leave Medical Records Accessible to All

Researchers have recently uncovered a flaw in several healthcare providers’ websites, which allows any user to view the medical records of other patients. By logging into one site, the researcher was able to successfully load another patient’s records by simply changing a single digit in the PDF download link. Another site allowed users to view records without a login that would verify their identity.

SS7, Major Security Flaw in International Telecomm

For years now, researchers have been documenting flaws inherent in SS7, the signal protocol that allows 800+ telecomm service providers to work together efficiently. By taking control of a rogue telecomm company, attackers have been able to successfully reroute incoming messages and calls to a compromised device to monitor activity. SS7 has also been blamed for multiple other security incidents over the years, from device tracking to full internet usage and communication monitoring.

Intern Q&A with Software Engineer Clarence Tan

Intern Q&A with Software Engineer Clarence Tan

A computer is only as good as the information that feeds it. This belief nourishes the computer programming and engineering field, encouraging scores of youth to dive into the relatively nascent field–software programming and engineering have only been a widespread occupation since the 1980s.  It’s no wonder there is an explosion of jobs in the field as new technology such as cloud, Big Data, and mobile are embraced. According to SC Magazine, the Bureau of Labor Statistics reported that in February 2017 there was a net increase of 13,000 information technology jobs.

So what is the next generation doing to prepare for this exciting field? They’re seeking out internships.

This semester, Webroot was lucky enough to have 8 interns. I sat down with Clarence Tan, a senior at the University of California, San Diego studying computer science, to get a snapshot into the mind of the next generation of computer greats.


Webroot: Tell me a bit about yourself?

Clarence Tan: I’m a 4th year studying Computer Science at UCSD. For me, I really enjoy software development, because I appreciate problem-solving and building things in general. Outside of coding, some of my interests include watching sports, playing board/video games, and traveling.

Those hobbies sound like a checklist for a lot of the technical folks around here! Besides the obvious overlap of interests, how did you learn about the Webroot internship?

I learned about the Webroot internship through UCSD’s job page (PortTriton). My university has great connections with area businesses like Webroot.

What was enticing about an internship at Webroot?

For me, I wanted to gain more industry experience and further my knowledge in software development to become a better engineer. While I do learn a lot of interesting things at school, I feel I have grown the most through my experiences as an intern.

Wise words, Clarence. There is nothing like “real-world” experience. Take us through a day in the life for you in our San Diego office?

As a software intern, the majority of my time is spent coding, doing research, and having technical discussions regarding the features I am working on. Outside of that, I have scrum meetings every other day, bi-weekly engineering meetings, and one-on-one meetings with Tom Caldwell, my manager. Otherwise, I have a few larger group meetings addressing more general Webroot or office business.

It sounds like you get to be in the weeds on projects. Knowing what you do now, what is your biggest takeaway or lesson learned from this semester?

I think one of the biggest takeaways for me is time management. Since I am still in college, I have to balance my coursework with my internship and other school activities. It was definitely a challenge for me initially, but I feel I’ve learned a lot through this experience and worked through how to balance it all.

While I do learn a lot of interesting things at school, I feel I have grown the most through my experiences as an intern.

If it’s any consolation, I also struggle with time management and balance. There is always one more thing to do! What advice can you share with students in your field?

I’d recommend doing side projects or pursuing an internship. As I mentioned earlier, I feel I’ve grown the most as a developer by applying the knowledge and theory I learned in school to real-world situations. It has allowed me to understand technology better through the application of it. Also, I’d recommend students pursue a part of software development that interests them in particular, which can range from full-stack to DevOps to mobile. These are all very different, but equally important, aspects of development and I believe it is important to do what you enjoy.

Solid advice, Clarence! Now on the flipside, any advice for Webroot?

Continue to rock on with those great snacks.

Thanks, Clarence. I appreciate you taking the time to chat.


If you’re interested in an internship at Webroot, check out our careers page, www.webroot.com/careers.

Cyber News Rundown: Edition 5/5/17

Cyber News Rundown: Edition 5/5/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Apple Threatens to Remove Uber App

In recent weeks, Apple has threatened to remove Uber from its App Store after a New York Times article revealed the app was tracking iPhones, even after having been uninstalled. Uber’s response was that the tracking was implemented to identify fraudulent trips and ensure untrustworthy users were blocked from the service, though this type of monitoring is expressly forbidden by Apple. While the issue has only been spotted on iOS® devices so far, it’s possible that Android® devices are also being tracked.

List of IoT Medical Devices Grows, Along with the List of Threats

Many of us may remember hearing that internet-connected pacemakers were potentially susceptible to cyberattacks. Now, several imaging sensors, prosthetics, and other connected medical devices, which are either currently available or in production, don’t appear to have proper security precautions. In addition to the possibility that these devices could be accessed remotely, there’s also a chance they could be used to steal any personal medical data they record.

Chipotle Payment Processing Systems Compromised

In the last week, Chipotle’s CFO released a statement about unauthorized activity on their internal payment processing network. While it appears their security measures did stop the attack, the company is working with its payment processor to monitor customer accounts for any suspicious activity over the 3-week period in which the breach occurred.

Mole Ransomware Brings Two Forms of Encryption

As ransomware continues to evolve, the tactics to ensure a successful attack have improved right along with them. With the Mole variant, criminals use RC4 encryption and RSA for decryption, leaving victims with no way to decrypt their files or even tell them apart. The infection begins by executing a javascript file that pretends to be a Flash update, then changes all file extensions to .MOLE. It finishes by scrambling all of the filenames with hexadecimal values.

FalseGuide Android Malware Reaches 2 Million Victims

In a recent study, researchers discovered the prevalent Android malware FalseGuide has affected over 2 million individual devices. The malware proliferates by disguising itself as game guides for dozens of popular mobile games, and, after being installed, requests admin privileges to remove any options for the user to delete the app. After gaining admin access, the malware registers itself on a cloud messaging service to receive remote commands.

Creating Strong Passwords on World Password Day

Creating Strong Passwords on World Password Day

Update: World Password Day will officially be observed on May 3, 2018. While the the rules for creating tough-to-crack passwords remain true, additional layers of password security such as two-factor authentication and password manager tools are giving users even stronger security for their online accounts. Follow the advice below and have some fun crafting strong passwords to keep you safe online in 2018.

We’ve heard the same advice over and over when it comes to passwords—make it strong. But how many of us actually follow this advice? Would you believe that some of the most popular passwords are still “password”, “123456”, “qwerty”, and “abc123”? For World Password Day, we’ve want to offer a few tips to make sure your passwords are up to snuff.

Tips for securing passwords
  1. Create a strong password that uses numbers, caps, and special characters
  2. Use unique passwords for each account
  3. Enable two-factor authentication
  4. Set up a secure password manager

You’re probably thinking “it’s hard to remember multiple strong passwords.” To help you out, here’s how you can choose something easy to remember, but hard to crack.

  1. Start with your favorite song, movie, or book. Use the first letter of each word. So, if your jam is “Guardians of the Galaxy Vol. 2”, that would make it “Gotgv2”.
  2. You could then increase the complexity by changing out any vowels with numbers. That makes it “G0tgv2”.
  3. Now add a special character, such as “!” or “$”. Your password would now be “G0tgv2!”.
  4. Turn it into a passphrase for good measure. Something like  “G0t7gv2! is my jam!”.
  5. Make sure it’s at least 16 letters long. This one is, but you may need to add another number or symbol to make the password long enough.

If this is still too much to remember, you can use the first letter of one of your favorite phrases from a song, movie, or book until you reach 12 or so characters, mix up capitalization, then add in a few special characters.

Otherwise, go with option 4 from my original list: get yourself a password manager. There are a number of free and low-cost password manager applications out there, which will generate and store secure passwords for all of your accounts. Many Webroot subscribers already have one, depending on their Webroot subscription type.

Note: If you do use this option, you will still need a strong password for the password management program itself.

Mobile reminder

If you don’t have a password on your mobile phone or tablet, you should reread part about following security advice. Most smartphones offer the option of a 4-digit PIN or a pattern. When creating your PIN, be sure to use a unique string of numbers, and one that isn’t easy to guess (e.g. don’t use your birthday.)

Join Webroot and hundreds of other organizations worldwide on May 4th to take the pledge to build stronger password habits.