Netizen Cybersecurity Bulletin 21 November 2018

In This Issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • Do Your Holiday Tech Gifts Include Privacy? Mozilla Has The Details
  • Malware Spreads Through ISO Files
  • New Bluetooth Car Hack
  • Cryptojacking Hits Make-A-Wish Foundation Website
  • Phish Tale of the Week
  • How can Netizen help?

Do Your Holiday Tech Gifts Include Privacy? Mozilla Has The Details

The Mozilla Foundation introduced its *Privacy Not Included buyers’ guide to tech products last year, and has released the 2018 edition in time for the holidays. Best known for the Firefox browser, the nonprofit has expanded the campaign to help consumers buy safe, securely connected toys and mobile devices.

Produced together with Consumers International, a global consumer advocacy group, and the not-for-profit Internet Society, the guide reviews 70 products – from connected teddy bears and smart speakers to game consoles and smart home gadgets – and ranks them on a “creepy” rating scale.

The inaugural 2017 shoppers’ guide revealed strong interest in the privacy and security of connected toys and home products, including from the manufacturers of these devices. The interactive guide lets consumers review the 70 pre-screened products and read the details of each product’s characteristics. Consumers can then rate a product on the Creep-O-Meter scale, which runs from not creepy to super creepy, and indicate how likely they are to buy it. Asking both questions may seem counterintuitive, but consider that Amazon’s Alexa is voted one of the creepiest products, yet has sold over 40 million units.

Mozilla deliberately set its bar for minimum standards quite low, and calls out toys and devices that fall short in any of these areas:

  • Unencrypted communications – Encryption is what prevents eavesdropping on the device’s traffic
  • No security updates – There must be a mechanism for the manufacturer to patch vulnerabilities
  • Weak passwords allowed – Products whose default password is something like “password”, or that ship with credentials printed on the box
  • Poor vendor contact information – Vendors who would not respond to privacy inquiries
  • Indecipherable privacy details – Policies so full of jargon that the average person cannot tell what they mean, or how much of their data is being collected and sold

Mozilla’s goal is to foster consumer awareness, getting people to think about their own security when buying or using the latest connected devices. While a WiFi lightbulb on its own is unlikely to be the way a consumer’s home gets breached, educating people on the importance of cybersecurity leads to greater attention being paid to the other devices in their homes and offices, like routers and laptops.

Find their list of gift-giving devices here: https://foundation.mozilla.org/en/privacynotincluded/

RECOMMENDATIONS:

  • Always change the default login credentials: not only the password but, whenever possible, the username as well. Consider: an attacker already has half of the username+password combination if you keep the default ADMIN. Make the password difficult to guess.
  • Always segment your IoT devices onto a WiFi network separate from your primary (home) network. Often this is as easy as using the GUEST WiFi on your router. If your router cannot provide two or more segments, it is probably time to upgrade.
  • Businesses should ensure that the use of IoT devices complies with the corporate Acceptable Use Policy (AUP).
  • Make a calendar reminder to check your devices for firmware updates. Not all IoT devices update themselves, so make certain to install any patches that are available to help stay ahead of vulnerabilities.
  • Evaluate whether you really need those devices in your home or office. For example, do you really need a web-enabled toaster?

Malware Spreads Through ISO Files

It is no secret that threat actors spend much of their time concocting potent phishing emails to steal user credentials and other highly sensitive personal information. Phishing emails are also infamous for carrying malware that users inadvertently download. Often these attachments have familiar file extensions such as .exe, .doc, .pdf or .zip, but there has been a sharp rise in malware-laden ISO (.iso) files. An ISO file is a disk image of an optical disc: it contains everything a physical disc would, including the optical disc file system.

So why use ISO files, a format most recipients are less familiar with? As it turns out, many email gateway scanners do not scan ISO attachments properly. ISO files also tend to be large (although they do not have to be), which makes them harder to scan efficiently. Furthermore, ISO files are much easier to open than they used to be: where a user once needed third-party software, Windows 8 and 10 can mount an ISO natively, so a double-click presents its contents like a removable drive. This ease of access increases the chance that a user opens the file, runs what is inside and infects their system.
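Because the payload sits behind the ISO 9660 file system, a scanner that only looks at the outer attachment sees nothing. The following is an added example (written for this bulletin, not code from Netizen or from any gateway product) of how a gateway can peek inside an ISO without mounting it: it reads the Primary Volume Descriptor, walks the directory records, and flags file names with extensions that would be blocked as bare attachments. The image it inspects is constructed in the code itself, and the extension list is an assumption to be tuned to local policy.

```python
"""Peek inside an ISO 9660 attachment without mounting it.

Reads the Primary Volume Descriptor and directory records directly, lists every
file in the image and flags executable-type names. The image scanned here is a
constructed sample built by build_sample_iso(); it is not spec-complete.
"""
import struct

SECTOR = 2048
# Extensions a mail gateway would block in a plain attachment (assumption; tune to policy).
RISKY_EXT = {".exe", ".scr", ".dll", ".lnk", ".js", ".jse", ".vbs", ".vbe",
             ".bat", ".cmd", ".ps1", ".hta", ".msi"}


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 puts a Primary Volume Descriptor at sector 16:
    byte 0 is the type (1 = primary) and bytes 1-5 read "CD001"."""
    off = 16 * SECTOR
    return len(data) >= off + 6 and data[off] == 1 and data[off + 1:off + 6] == b"CD001"


def _parse_dir_record(rec: bytes):
    """Fields of a directory record we need. Both-endian fields (extent LBA at
    offset 2, data length at 10) are read from their little-endian half."""
    if len(rec) < 34:
        raise ValueError("malformed directory record")
    extent = struct.unpack_from("<I", rec, 2)[0]
    size = struct.unpack_from("<I", rec, 10)[0]
    flags = rec[25]                     # bit 1 set => this record is a directory
    name_len = rec[32]
    return extent, size, flags, rec[33:33 + name_len]


def list_iso_files(data: bytes):
    """Return [(path, size), ...] for every file, recursing into subdirectories.
    Never revisits an extent, so a crafted image cannot loop the scanner."""
    if not is_iso9660(data):
        raise ValueError("not an ISO 9660 image")
    pvd = data[16 * SECTOR:17 * SECTOR]
    root_extent, root_size, _, _ = _parse_dir_record(pvd[156:190])  # root directory record
    results, seen = [], set()

    def walk(extent, size, prefix):
        if extent in seen:
            return
        seen.add(extent)
        off, end = extent * SECTOR, extent * SECTOR + size
        while off < end:
            rec_len = data[off]
            if rec_len == 0:            # zero padding: records never span a sector boundary
                off = (off // SECTOR + 1) * SECTOR
                continue
            ext, sz, flags, raw = _parse_dir_record(data[off:off + rec_len])
            off += rec_len
            if raw in (b"\x00", b"\x01"):   # "." and ".." entries
                continue
            name = raw.decode("ascii", "replace").split(";")[0]  # drop the ";1" version suffix
            if flags & 0x02:
                walk(ext, sz, prefix + name + "/")
            else:
                results.append((prefix + name, sz))

    walk(root_extent, root_size, "/")
    return results


def risky_entries(data: bytes):
    """Paths inside the image whose extension would be blocked as a bare attachment."""
    return [p for p, _ in list_iso_files(data)
            if any(p.lower().endswith(e) for e in RISKY_EXT)]


def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    """Build one directory record (only used to construct the sample image)."""
    rec_len = 33 + len(name)
    rec_len += rec_len % 2              # records are padded to an even length
    rec = bytearray(rec_len)
    rec[0] = rec_len
    struct.pack_into("<I", rec, 2, extent)
    struct.pack_into(">I", rec, 6, extent)
    struct.pack_into("<I", rec, 10, size)
    struct.pack_into(">I", rec, 14, size)
    rec[25] = 0x02 if is_dir else 0x00
    rec[32] = len(name)
    rec[33:33 + len(name)] = name
    return bytes(rec)


def build_sample_iso() -> bytes:
    """Constructed sample: INVOICE.EXE and a decoy INVOICE.PDF in the root directory."""
    ROOT, PDF, EXE = 18, 19, 20         # sector numbers used for the extents
    pdf = b"%PDF-1.4 decoy"
    exe = b"MZ" + b"\x90" * 30
    root_dir = (_dir_record(b"\x00", ROOT, SECTOR, True)
                + _dir_record(b"\x01", ROOT, SECTOR, True)
                + _dir_record(b"INVOICE.EXE;1", EXE, len(exe), False)
                + _dir_record(b"INVOICE.PDF;1", PDF, len(pdf), False))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1       # type, identifier, version
    pvd[156:190] = _dir_record(b"\x00", ROOT, SECTOR, True)
    img = bytearray(SECTOR * (EXE + 1))
    img[16 * SECTOR:17 * SECTOR] = pvd
    img[ROOT * SECTOR:ROOT * SECTOR + len(root_dir)] = root_dir
    img[PDF * SECTOR:PDF * SECTOR + len(pdf)] = pdf
    img[EXE * SECTOR:EXE * SECTOR + len(exe)] = exe
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_iso()
    for path, size in list_iso_files(image):
        print(f"{path}  ({size} bytes)")
    print("risky:", risky_entries(image))
```

Two points worth noting for anyone adapting this: identify the attachment by its magic bytes rather than its file name, since an ISO renamed to another extension is still an ISO; and treat malformed records and self-referencing directories as hostile input, which is why the walker raises on short records and refuses to revisit an extent.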

RECOMMENDATIONS:

Users should follow the phishing prevention recommendations at the end of this bulletin, and these basics always apply: be wary of unsolicited emails, do not click links or open attachments unless you are completely confident of their validity or they have been verified, and always protect yourself with reliable antivirus software. Organizations should treat .iso attachments the way they treat executables, and consider blocking or quarantining them at the mail gateway unless there is a business need for them.

New Bluetooth Car Hack

There is a new attack on the infotainment systems that are ubiquitous in cars today. Called CarsBlues, it has grave implications for the privacy of anyone who has rented, leased or shared a car and connected their phone to it via Bluetooth.

Researchers at Privacy4Cars state that the vulnerability potentially affects tens of millions of vehicles worldwide. Most troubling, the attack can be carried out within a few minutes using inexpensive, easily obtainable hardware and does not require a high degree of technical knowledge.

RECOMMENDATIONS:

If you rent, lease or share a car, or sell your own, and it has one of these infotainment systems, unpair your phone and erase any and all personal information stored on the system before you hand the car back or over, to maximize your privacy.

Cryptojacking Hits Make-A-Wish Foundation Website

The Make-A-Wish Foundation’s international website was recently found to be stealing CPU cycles from visitors to mine cryptocurrency. Researchers discovered that the site had been compromised through an unpatched vulnerability in Drupal, the content management system the site runs on. Embedded in the site was a script that used the computing power of visitors to mine cryptocurrency straight into the cybercriminals’ pockets.

CoinIMP is a JavaScript miner which, when embedded in a website, mines the cryptocurrency Monero using the CPU of the visitor’s computer, tablet or phone. The attackers exploited a remote-code-execution bug in the unpatched Drupal instance to inject the JavaScript into the site. It is estimated that more than 115,000 sites have still not patched this vulnerability, even though the fix has been available since March.
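An injection like this is visible in the served HTML, so a site owner can catch it by periodically fetching their own pages and auditing the script tags. The following is an added example (written for this bulletin, not code from Netizen, Make-A-Wish or CoinIMP) that flags scripts loaded from hosts outside an allowlist and inline scripts that look like a browser miner. The sample page, the allowlist and the miner snippet are constructed; the snippet is modelled on the general shape of browser miners (load a library from a third-party host, then start a client with a site key and a CPU throttle), and “coinimp” appears in the indicator list only because the article names it.

```python
"""Audit a page's <script> tags for injected cryptominer code.

A static check intended to run against a fetched copy of your own site's HTML.
The allowlist, indicator list and sample page below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads script from (an assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Indicators of browser-based mining: the miner named in the article, plus generic
# traits (a site-key constructor, a CPU throttle option, WebAssembly instantiation).
MINER_INDICATORS = {
    "coinimp-reference": re.compile(r"coinimp", re.I),
    "site-key-constructor": re.compile(r"\.Anonymous\s*\(\s*['\"][0-9a-f]{16,}['\"]", re.I),
    "throttle-option": re.compile(r"\bthrottle\s*:", re.I),
    "wasm-instantiate": re.compile(r"WebAssembly\.instantiate", re.I),
}


def script_host(src: str):
    """Host a <script src> loads from; None for same-origin relative paths."""
    if src.startswith("//"):                # protocol-relative URL inherits the page scheme
        src = "https:" + src
    parsed = urlparse(src)
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def miner_indicators(text: str):
    """Names of the indicators that match the given script text."""
    return [name for name, rx in MINER_INDICATORS.items() if rx.search(text)]


class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None                 # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self._inline = []
            return
        host = script_host(src)
        if host is not None and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("external-script", src))
        elif host is None and urlparse(src).scheme not in ("", "http", "https"):
            self.findings.append(("odd-scheme-script", src))   # e.g. data: or javascript: URLs

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            hits = miner_indicators("".join(self._inline))
            self._inline = None
            if hits:
                self.findings.append(("inline-miner", hits))


def audit_html(html: str):
    """Return the list of findings for a page; an empty list means nothing suspicious."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: two legitimate scripts, then an injected loader and an
# inline snippet modelled on how browser miners are started (site key + throttle).
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Charity site</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="https://miner-host.invalid/lib/coinimp.min.js"></script>
<script>
  var _client = new Client.Anonymous('2e1d6f8a9b0c1d2e3f4a5b6c7d8e9f00', {throttle: 0.5});
  _client.start();
</script>
</head><body><h1>Donate</h1></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(kind, detail)
```

In practice you would run this from a host other than the web server, on a schedule, and alert on any change from the last known-good result; a Content-Security-Policy `script-src` allowlist would also have stopped the browser from loading the third-party miner, but an attacker with remote code execution on the server can rewrite response headers too, which is why patching the Drupal flaw is the real fix.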

Phish Tale of the Week

Netizen captures many phishes each month, which we feature here.  This week we have not received anything interesting, but it is still important to heed the following recommendations.

RECOMMENDATIONS:

A phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security, or bank account numbers. A legitimate company already has this sensitive information and would not ask for it again, especially via email.

  • Scrutinize your emails before clicking anything. Did you order or ask for anything for which you’re expecting a confirmation? Did the email come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
  • Verify that the sender actually belongs to the company the message claims to be from; check the full sender address, not just the display name.
  • Did you receive a message or email from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or a social security number? A legitimate company will never ask for PII via instant message or email; this is a huge red flag.
  • Do not give out personal or company information.
  • Review both signature and salutation.
  • Do not open unexpected attachments.
  • Do not click on unrecognized links. If you do proceed, verify that the URL is the correct one for the company or service and that the connection uses HTTPS; bear in mind that HTTPS only means the connection is encrypted, not that the site is legitimate, and phishing sites use it too.
  • Be wary of poor spelling, grammar, and formatting. Multiple spelling, grammar, and formatting errors are a strong indication that a message is illegitimate; if an email is visually unprofessional, the sender is likely not who they say they are.

Many phishing emails create a sense of urgency, or are even aggressive, in order to intimidate the recipient. Any email demanding immediate action or addressing you in a threatening manner should be treated as suspect. Also beware of messages that tempt you to open an attachment or visit a link. For example, an attachment titled “Staff Pay Raises 2018” may seem like something you really want to see, but it could just be a ploy to plant malware on your system or steal your credentials.

How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.


Netizen is an ISO 27001:2013 (Information Security Management) certified company.
