1 in 8 of all websites had a critical vulnerability
Symantec and other reliable sources have reported giant spikes in cybercrime in recent years. Among Symantec’s findings: 77% of legitimate websites had exploitable vulnerabilities and 1 in 8 of all websites had a critical vulnerability.
Cybercrime in 2013 was unprecedented
2013 was a turning point for cyber threats, with increasing reports of cyber-espionage, new privacy threats, and damage done by malicious insiders. Then came December’s Target and related breaches, underscoring how damaging and pervasive cybercrime has become. Compound that with continued security vulnerabilities on social media, mobile devices, and with the rapidly growing “Internet of Things” (like smart TVs, cars, medical devices, etc.), and it’s clear the problem is growing exponentially.
According to the Washington Post –
“More than 552 million identities (world-wide) were breached in 2013, putting credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, email addresses, logins, passwords and other personal information into the criminal underground.” (The Washington Post, April 14, 2014).
And now the OpenSSL Heartbleed Bug…
April 2014’s shocking revelation about the OpenSSL Heartbleed bug has caused widespread panic among users and business owners. It exposes half a million servers to attack (each server or application fix costing thousands of dollars), and by some estimates, has impacted as much as two-thirds of the entire internet. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, a universal encryption technology used widely by businesses to protect sensitive data.
If you haven’t already changed your passwords on Google, Yahoo, Facebook and other affected major service providers, we highly recommend you do so. However, be aware that skilled hackers may be able to use the bug to create fake websites, closely resembling legitimate ones, to try to trick you into disclosing your personal information. Changing your passwords cannot protect you if you share them with a hacker pretending to be one of your service providers.
Heartbleed’s fallout in the weeks ahead
The Heartbleed fix will ultimately impact hundreds of thousands of sites, most of which have yet to take action. As a result, data-heavy certificate revocation lists are going to flood the internet with new entries. This means that checking a site’s identity will take significantly longer, potentially slowing down the entire internet.
Some initial steps to protect your business and vital personal information
As a business owner, your credibility with customers requires that you take action to patch your OpenSSL software as quickly as possible.
Advice for businesses
- Check your current version of OpenSSL and either:
- Recompile your OpenSSL without the heartbeat extension.
- Update to the latest fixed version of the software (1.0.1g) if you are using OpenSSL versions 1.0.1 through (and including) 1.0.1f.
- After moving to a fixed version of OpenSSL, contact the certificate’s issuing Certification Authority for a replacement.
- Finally, businesses should reset any end-user passwords that may have been visible to hackers in a compromised server memory.
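As an added example (not code from the original post), the shell check below applies the version rule above to the output of `openssl version -a`: 1.0.1 through 1.0.1f is treated as affected, 1.0.1g or later is not, and a build whose compiler flags show -DOPENSSL_NO_HEARTBEATS (the flag that removes the heartbeat extension) is reported as mitigated. The three banners it is run against are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example: classify an `openssl version -a` banner for Heartbleed.
# Affected range: 1.0.1 through 1.0.1f. Fixed: 1.0.1g and later.

# Returns 0 (true) when the first line of the banner is in the affected range.
heartbleed_affected_version() {
    # $1 looks like "OpenSSL 1.0.1e 11 Feb 2013" (or "1.0.1e-fips" on some distros)
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}            # drop build suffixes such as -fips
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Returns 0 when the compile-time flags show the heartbeat extension removed.
heartbeats_disabled() {
    # $1 is the full multi-line output of `openssl version -a`
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Combine both checks into one verdict an administrator can act on.
heartbleed_verdict() {
    first=$(printf '%s\n' "$1" | head -n 1)
    if heartbleed_affected_version "$first"; then
        if heartbeats_disabled "$1"; then
            echo "mitigated-by-build-flag"
        else
            echo "vulnerable"
        fi
    else
        echo "not-in-affected-range"
    fi
}

# Constructed sample banners (not captured from a real server)
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 11 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 2014
compiler: gcc -fPIC -DOPENSSL_PIC'
SAMPLE_RECOMPILED='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_PIC'

heartbleed_verdict "$SAMPLE_VULN"        # vulnerable
heartbleed_verdict "$SAMPLE_FIXED"       # not-in-affected-range
heartbleed_verdict "$SAMPLE_RECOMPILED"  # mitigated-by-build-flag
```

Distributions that backport the fix keep the old version string, so a 1.0.1e banner alone is not proof of exposure; confirm against your vendor’s package changelog before deciding a host still needs the certificate and password steps above.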
Advice for consumers
- When an internet service provider sends you notice to change your password, contact them by phone to make sure the request is legitimate.
- For now, stick with reputable websites and services that have most likely already addressed the vulnerability.
- Carefully monitor your bank and credit card statements to check for any unusual activity.
There are other significant internet security threats you, your fellow employees, and friends need to have on your radar
In last week’s blog, Cybercrime’s Exponential Growth in the Age of Big Data (Part I), we discussed the alarming rise in internet security breaches, including April’s Heartbleed bug, and last December’s hacking of Target customer credit card information.
Unfortunately, there are other significant internet security threats you, your fellow employees, and friends need to have on your radar.
Ransomware is simple in concept: a hacker crashes your website – or even locks up your computer data – and extorts payment to undo the damage and/or prevent further problems. This scam first appeared in 2012 and has grown by 500% through 2013. At first the attackers posed as law enforcement or government agencies who were demanding fake fines for bogus violations, but that kind of pretense has mostly been dropped.
Laws in the majority of states require that hacking be reported. However, research shows that at least 3% of companies pay the ransom because –
- It’s usually only a few hundred dollars (ranging from $100 to $500)
- Companies want to avoid reporting such crimes to avoid potential adverse public perception, negative impact on stock prices, etc.
It’s easy to see how criminals behind such schemes do well with this ploy if they hit enough sites and aren’t caught along the way. The most common current version of this scam is Cryptolocker, which encrypts user files and demands a ransom for decryption. The wide range of online payment methods is facilitating this method of extortion. Be aware that small businesses and consumers are the primary targets of Cryptolocker.
Mobile device social media scams and malware
Mobile devices are rapidly becoming the dominant way people use the Internet. In recent months Symantec has reported that 38% of mobile users to date had experienced mobile cybercrime. Though lost or stolen devices remain the biggest risk, many users fail to take even basic security measures to protect their personal and employers’ sensitive data.
A significant percentage of social media users report that someone has hacked into at least one of their social network accounts. This is especially concerning because about a quarter of us store work and personal information in the same online storage accounts, and about a fifth share logins and passwords with families. If you fall into either of these categories, we recommend that you take remedial action without delay!
Email spear phishing
If you haven’t yet received emails from hackers impersonating one of your friends or business associates, consider yourself lucky. One quick giveaway that their email account has been hacked is a subject line promoting a product or service (often well known and trusted), completely unlike anything they’ve forwarded to you in the past. Once you click on the link or attachment the hacker can then take over your digital device and steal personal and/or company data. Of course, even visiting a website can infect your computer with malware.
Attackers are turning to the Internet of Things (IoT)
With Internet connectivity to many new devices and appliances, more opportunities are emerging for scammers. Did you know that automobiles, security cameras, routers, smart televisions, and medical equipment were all hacked in 2013? A big concern is attacks against consumer routers by computer worms like Linux.Darlloz. With control of these devices, scammers can push victims to fake websites, with the general objective of stealing financial information.
Protective measures you need to take
We recommend that you stay informed of emerging threats before they hit the evening news!
- For the average user, cnet.com, and forbes.com/sites/firewall/ are reliable touchstones.
- For IT professionals, sites like darknet.org.uk, darkreading.com and ddanchev.blogspot.com provide more in-depth, hands-on information.