Author Archives: Axiom Admin

What is a Botnet and Why Should I Care?

If you’ve seen the news this week, you’ve no doubt seen articles about a botnet called “Reaper”, “IoT Reaper” or “IoTroop” that is enslaving vulnerable smart devices like wireless routers, security cameras, and DVRs. While botnets are of great interest to cyber-security professionals, I’m sure the news made many people think “what the heck is a botnet and why do I care about it?”

Put simply, a botnet is an army of internet-connected devices or computers that have been infected by malware and are now under the control of an attacker. The malware is designed to infect as many devices as possible so that they can be enlisted in distributed denial of service (DDoS) attacks like the one last October that took much of the East Coast offline. Botnets can also be used to steal data, send spam email, or simply give the attacker a foothold on the device and the internet connection it uses.

You may also hear the term “zombie” in connection with a botnet. That is simply because the malware lives quietly on the compromised device, and the owner of the device is often unaware of the infection or that the device is being used in attacks.

So what is it about this particular “IoT Reaper” botnet that has created such a buzz in the cyber-security industry? The sheer number of vulnerable devices, reportedly over 378 million, that could be brought into the botnet has many worried. The group behind “IoT Reaper” is currently exploiting at least nine different vulnerabilities across several device manufacturers and appears to be adding new exploits as vulnerabilities are found. Plus, like the Mirai botnet, “IoT Reaper” is a worm: each infected device scans for and infects the next, so the infection spreads without the attacker having to touch every victim.

All of that sounds scary, so is there anything that can be done to keep your devices from being enlisted into a “zombie” botnet army? YES!

As always, change the default username/password on anything you connect to the internet. Also, check whether your smart device manufacturer has released firmware or security patches that close the vulnerabilities the botnet is abusing, and install them. Another great way to protect your IoT network is to put a firewall at your internet connection so that the devices’ management interfaces (web admin pages, telnet, SSH) are not reachable from the internet at all, since those interfaces are what the worm targets. Keep the firewall itself up to date as well, because threats are always evolving!

Is Your Cannabis Business Safe from Hackers?

If you’re in the cannabis industry, you will have heard about the cyber-attack earlier this year that brought down MJ Freeway, one of the largest cannabis compliance software systems in the industry.

This should have been a wake-up call for everyone that hackers are targeting the industry for a variety of reasons: profit, notoriety, or political statement.

Despite the seriousness of the MJ Freeway cyber-attack, today we’re still finding many businesses in cannabis are not taking cyber-security seriously, leaving themselves wide open to an attack that could bring their operations to a grinding halt.

If you’re not taking steps to ensure your cyber- and data-security is airtight, here are some real consequences your cannabis dispensary could face from a cyber-attack:

Patient and Customer Data

When you accept medical patients and clients, do you store their personal information on your servers or in the mythical, magical cloud?

If you do, then that data is at risk unless you take steps to ensure your cyber-security and data-security strategy is strong. No system is truly impenetrable, so the goal is to make an attack expensive, to limit what an attacker can reach, and to detect an intrusion quickly.

These talented hackers can target your systems to steal your customer information and use it against you: holding it for ransom, as happened to HBO, selling it on the Dark Web, or worse, deleting it so you cannot recover it. That last case is why backups that the attacker cannot reach matter as much as keeping the attacker out.

There is no worse way to compromise your cannabis business’s integrity than having to tell your customers you’ve lost their data.

The recent Equifax hack demonstrated the value of personal information on the Dark Web. Hackers can relatively easily steal your data to sell to other unscrupulous individuals who will use the information for identity theft.

If you collect data that is regulated under the Health Insurance Portability and Accountability Act (HIPAA) and suffer a cyber-security breach, you could face serious fines from Health & Human Services.

Ransomware is the hot new cyber-crime trend that has netted cyber-criminals hundreds of millions in ill-gotten profits by encrypting businesses’ data and holding it for ransom. That puts businesses between a rock and a hard place: do you pay the cyber-criminals to get your data back, or do you start over from scratch? The only good answer is a third option, restoring from tested backups that were kept offline or otherwise out of the attacker’s reach.

Point of Sale (POS)

While credit card theft is not a large area of concern for many in the industry, there are still vulnerabilities in point-of-sale (POS) systems that need to be addressed.

POS systems are connected to the internet and to your back-office servers, and they need to be protected and segmented from the rest of the network so that if an attacker gets into your back office, they cannot move laterally into the POS network.

There are plenty of examples of credit card data being stolen from POS systems infected by malware (Sonic, Whole Foods), but there are also verified cases where hackers have changed product prices after compromising a POS system. Instead of selling a product for $100, a compromised system could ring it up at $1 at checkout, costing you real money while the attacker walks away with the goods.

Grow Operations

Grow operations are increasingly sophisticated and use complex internet-connected devices and HVAC systems. Not taking the time to adequately secure your networks, so that a hacker cannot gain access, could let an attacker reach your HVAC controls, change the room temperature, and destroy your crop.

The sad and scary news is that your competitor may be the brains behind an attack on your unsecured connections and data. Some companies are hiring hackers to damage a rival through a cyber-attack and put it out of business.

The Target data breach began with network credentials stolen from the company’s HVAC contractor; the attackers used that vendor’s access to get into Target’s network and from there into the point-of-sale systems. This shows that HVAC systems, and the vendors who service them remotely, are not just vulnerable in themselves: an HVAC connection can be the foothold that gives a cyber-criminal access to your entire computer network, which is why such systems and vendor access should sit on their own isolated network segment.

Keep Asking Yourself This Question

Keep asking yourself this question for your cannabis retail operation: “What harm could a hacker do?”

The answer is a lot and if any of these thoughts keep you up at night, contact Axiom Cyber Solutions or our partner, Hardcar Security, to discuss how you can achieve peace of mind and proper cyber-security protection for your cannabis business.

Another Day, Another Data Breach – Should We Just Get Used to It?

It seems like we can’t go a week without news of a data breach affecting a major company: Target, Home Depot, Yahoo (all 3 Billion account holders), HBO, Equifax (3 times), Deloitte, Sonic, Whole Foods. With the prevalence of personal information being exposed and stolen, people often wonder should we just get used to having our data breached? Should we get used to the fact that cat photos on Facebook are more secure than our social security number?

In short, no! We should never accept that companies are not responsible for the security of the data they collect about us. We should be upset when our data is breached and demand action so that companies begin to take data security seriously. And one of the worst things about data breaches is that nearly all of them turn out to be far worse than initially reported.

The Equifax hack occurred because the company failed to install a patch for a vulnerable web application for more than two months after the patch was released. The Securities and Exchange Commission (SEC), which ironically issues regulations telling other companies to clean up their technology infrastructure and can fine them for failing to take the necessary cyber-security measures, suffered a data breach of its “Fort Knox” system, EDGAR, which companies use to file everything important about their business: quarterly earnings, mergers and acquisitions, IPOs, market news, and more. And at Deloitte, an email administrator account was not protected with two-factor authentication, so the hackers who obtained its password got privileged, unrestricted administrator access and stole millions of email records, many with sensitive information.

If the onslaught of lawsuits and regulatory inquiries against Equifax teaches businesses anything, it is that our lawmakers and the people they represent are tired of having their data compromised, and we can hope there will soon be real, tangible changes in how businesses treat data security. In its shareholder packages for at least the past five years, Equifax did not mention data security once as a company priority. This must change: any business that collects personal information must take its protection seriously, and if it fails there must be repercussions, because the theft of data leads to real harm to individuals.

The news of the credit card data breach at Sonic has many wondering how credit cards are still getting hacked. The cards themselves are fairly secure, but when the point-of-sale (POS) system that processes the transaction is compromised, the card data passes through that system and the new chip technology can do little to stop it being captured and used for online fraud. USA Today attributes part of the problem to businesses adopting new technology without the budget and skillset required to secure those internet-connected POS systems. Companies need to ensure that they not only invest in the new systems but also hire the technical staff or find a trusted partner, like Axiom Cyber Solutions, to ensure that the POS systems are properly protected. Companies that take credit cards also need to consider their PCI requirements and ask, “If I get breached and lose the ability to take credit cards, can my company survive?”

Don’t get used to having your data breached. Demand that businesses protect your data and encourage your lawmakers to consider new legislation that would allow regulation of data security standards and penalties for data breaches.

Forget Everything You Knew about Safe Passwords

Last month, the author of the 2003 NIST password guidelines said that he got it wrong: the way we were told to build passwords, as strings of mixed characters and symbols, and how often we were told to change them, has made things harder on all of us while doing little to stop cyber-criminals from cracking them.

The complexity rules in the old guidance led to many bad password habits, such as replacing letters with look-alike digits (‘0’ for ‘o’, ‘3’ for ‘e’) and symbols (‘@’ for ‘a’, ‘$’ for ‘s’) so that passwords could still be remembered; cracking tools have had rules for exactly those substitutions for years. In fact, the standard eight-character password with special characters can be cracked far faster than a 20-character password made of lowercase letters only, because extra length adds far more combinations than a bigger character set does.

The old requirement to change passwords so often also led many users to simply reuse passwords across multiple sites, which again made things easy for cyber-criminals after a breach. There is no evidence that a password becomes easier to crack because it has been in use for more than 90 days. Plus, when forced to change a password too frequently, users would just increment a digit or shift one character, a pattern that cyber-criminals and their tools caught on to quickly.

And believe it or not, a short string of random-looking characters that you struggle to remember is often easier for attackers to crack than a long, odd phrase of several unrelated words that you can remember easily: the phrase is simply longer, and it does not need to be written down.

New guidelines throw out much of what we’ve been told: requiring a mix of upper- and lower-case letters, requiring special characters, and changing passwords frequently. Instead, the password experts now say make your passwords long and memorable. A phrase that is unique to you, with special characters worked in if the system forces you to use them (between the words rather than as substitutions inside them), will be far harder for hackers and their cracking software to compromise. The same guidance asks the systems that store passwords to check new passwords against lists of known breached passwords rather than against arbitrary character rules.
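As an added illustration, not code from the original post or from NIST: the Python below puts numbers on the length-versus-complexity claim made earlier in this post and shows the shape of a password check written to the newer guidance. The alphabet sizes, the 1e11 guesses-per-second rate and the tiny `BREACHED` blocklist are assumptions for the arithmetic; a real check would query a list of hundreds of millions of leaked passwords.

```python
import math

# Alphabet sizes used for the arithmetic below (assumed, standard figures)
LOWERCASE = 26          # a-z only
PRINTABLE = 95          # printable ASCII: letters, digits and symbols
DICEWARE_LIST = 7776    # words in a standard diceware word list

# Assumed guess rate: a GPU rig against an unsalted fast hash (e.g. NTLM, MD5).
GUESSES_PER_SECOND = 1e11

# Constructed stand-in for a breached-password corpus; a real deployment would
# query a list of hundreds of millions of leaked passwords instead.
BREACHED = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "summer2017"}


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected brute-force time: on average half the keyspace is searched."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_lengths():
    """The claim in the post: 8 random printable characters vs 20 random
    lowercase letters vs a five-word diceware passphrase."""
    return {
        "8 chars, full symbol set": entropy_bits(PRINTABLE, 8),
        "20 chars, lowercase only": entropy_bits(LOWERCASE, 20),
        "5 diceware words": entropy_bits(DICEWARE_LIST, 5),
    }


# Undo the substitutions people make to satisfy composition rules so that
# 'P@ssw0rd' is checked against the blocklist as 'password'.
_LEET = str.maketrans("@0$31!", "aoseii")


def normalize(pw):
    return pw.lower().translate(_LEET)


_BREACHED_NORMALIZED = {normalize(p) for p in BREACHED}


def check_password(pw, min_len=8, max_len=64):
    """Return the reasons a password is rejected (empty list means accepted).

    Mirrors the newer guidance described above: a length floor, a check
    against known-breached passwords, and deliberately no composition rules
    (no 'must contain an upper-case letter and a symbol') and no expiry.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if normalize(pw) in _BREACHED_NORMALIZED:
        problems.append("matches a known breached or common password")
    if len(set(pw)) < 3:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for label, bits in compare_lengths().items():
        print(f"{label:28s} {bits:5.1f} bits  ~{expected_crack_years(bits):.3g} years")
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Run it and the eight-character symbol-laden password comes out at about 53 bits (a matter of hours at the assumed guess rate) against 94 bits for 20 lowercase letters. Note that `check_password` never asks for an upper-case letter or a symbol, and that `normalize` is what makes `P@ssw0rd` fail the blocklist even though it satisfies every old-style composition rule.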

Also, think about the system you are accessing and whether it needs a strong, unique password, or whether it is acceptable to reuse a password on a site that holds only your name, email address, and password. For instance, do you really mind if a hacker gets access to your online recipe list? Bear in mind, though, that a password manager makes a unique password for every site effortless, so reuse is rarely worth even a small risk.

You might think the password to your online bank is your most important password, but your email and social media passwords may be more sensitive: the “Forgot Password” feature on most systems would let a hacker who has taken over your email account reset your online banking access. Protect the email account accordingly.

But passwords and one-time codes sent over SMS are not bullet-proof protection: both can be phished or hijacked, for example by taking over your mobile number. A recent, terrible example of account take-overs has been in the crypto-currency space, where hackers are compromising email and mobile telephone accounts and emptying crypto-currency wallets. Where a service offers it, an authenticator app or hardware token is a stronger second factor than SMS for your most sensitive accounts, and users will need to continue to be vigilant and take every precaution to secure them.

What You Need to Know about the Equifax Breach

Data breaches are bad but the Equifax data breach may be one of the worst. When hackers stole the data on potentially 143 million American consumers from the credit reporting bureau they took everything they needed to unlock the identities of 44% of the American population. And ironically, Equifax was one of the companies that other companies turned to when they were breached. As their website states: “You’ll feel safer with Equifax. We’re the leading provider of data breach services…”

Hackers reportedly used a vulnerability in one of Equifax’s websites to steal everything from social security numbers to credit card numbers from May until the breach was discovered on July 29th, meaning the hackers had access for at least two full months. No reason for the delay in informing the public has been given, but in some recent large investigations law enforcement has asked companies to wait before disclosing.

What makes this data breach one of the worst, even though the scale isn’t as large as, say, Yahoo’s 500 million (a figure since revised upward), is that consumers did not give their information to Equifax directly; it was provided by nearly every bank, credit card issuer, and loan company in order to make credit decisions. So if you have ever applied for a credit card, loan, or mortgage, your data may have been compromised.

As is standard with breaches, Equifax has offered a year of free credit monitoring to anyone who signs up by November 21st, whether their data was accessed or not. But wait, don’t leave and sign up right now! A caveat to Equifax’s offer of free credit monitoring from TrustedID, which is also owned by Equifax, is that TrustedID’s terms of service state that if you sign up you cannot take part in any class action lawsuit against the company. And, not wasting any time at all, two Oregon residents have already filed a lawsuit against Equifax alleging negligence in securing consumers’ personal information.

While it is a nice gesture, and may give Equifax some legal relief as people scramble to sign up for credit monitoring, the data stolen from Equifax can be sold on the Dark Web for years to come and used to steal identities. There is no expiration date on information like name, address, date of birth, and social security number, all of which the hackers took. Consumers will need to remain vigilant in checking their bank accounts and credit reports, and making sure their identities are not stolen, for the near and far future. Signing up for a credit monitoring service is definitely a good idea, perhaps not with TrustedID, but as you look, try to find one that doesn’t just watch for new account creation: find a service that monitors existing accounts for changes as well. Consider placing a credit freeze with each of the bureaus too, which stops new credit being opened in your name without your PIN. You can also look into identity protection insurance services, such as LifeLock, as an additional layer of protection.

As a notable side note: Questions have been raised about the sale of $1.8 Million in stock by three executives of Equifax following discovery of the breach before it was disclosed to the public. The company reports that none of them knew about the breach. That does make one question the cyber-security incident reporting policies of such a large organization.

Why IT is Not Cyber-Security

Last month, CSO Online posted an article titled “IT is NOT Cybersecurity” that went into detail on why, while the disciplines are related, they require very specific skill-sets for different functions, like policemen and firefighters. We often tell our clients: you wouldn’t go to your family doctor for a root canal, you would go to your dentist, and the same applies to the skills required in cyber-security. IT professionals are just that, professionals, but their daily duties consist mainly of configuring and maintaining the company’s networks (on premise or cloud), whereas the job of cyber-security professionals is to ensure and verify the security of those networks. Combining the two functions is like asking your accountant to audit their own books: it is a conflict of interest.

In small-to-medium businesses, there may be an on-staff IT person or outsourced managed service provider (MSP), but again, their job is the daily operations of the network and computer equipment. They often are too busy putting out fires, taking care of the “I can’t print” or “My email doesn’t work” kind of issues to even give cyber-security a thought.

The cyber-security professional needs to think about the security of the company’s network and the protection of its sensitive data. The average starting salary for a cyber-security professional is upwards of $90,000, so most small-to-medium businesses go without one on staff and throw caution to the wind by making the IT staff responsible for securing the networks they already maintain. But with the daily computer and network issues to deal with, what spare time does the IT staff member have to think about cyber-security?

Additionally, with 80% of companies not knowing where their sensitive data is located, how would they even begin to protect it? And even with cyber-attacks targeting small business, there has been little focus on making sure that small-to-medium businesses can obtain the same kind of cyber-security as large enterprises. At least until now.

Axiom was founded by experts from the U.S. State Department, United Nations, European Union and Interpol with the vision of bringing solutions to the market to give small & medium businesses the same protections that large enterprises spend millions of dollars on. Axiom believes that by taking away the burden of cyber-security from their customers, they can stop more attacks and protect more businesses.

Massive Ransomware Attack Makes the World Wanna Cry

The massive ransomware attack that hit organizations in some 100 countries left the world reeling from the scale of the cyber-attack and pretty much every cyber-security expert saying “told you so”. With a record 126,000 infections, the perpetrators behind the attack reportedly made $26,000 in ransom payments in the first 24 hours.

So how did the hackers manage to infect so many computers all at once? The self-propagating malware used an exploit called EternalBlue, which targets a vulnerability in the SMBv1 file-sharing service of Windows. The exploit was reportedly developed by the NSA, stolen by TheShadowBrokers, and released to the public in April. Microsoft had released a patch for the vulnerability (bulletin MS17-010) in March, but many older systems still in use remained unpatched, and many organizations do not enable the automatic updates that would have protected them. Once one computer on a network was infected, the worm scanned for other machines exposing SMB and spread from vulnerable computer to vulnerable computer, which accounts for how quickly the malware spread. Beyond patching, disabling SMBv1 and blocking TCP port 445 at the network perimeter removes the path the worm used.

The attack was inadvertently halted on Friday by a security researcher who goes by the name MalwareTech. While analyzing the code, MalwareTech noticed that it referenced an unregistered domain name and, as part of his research into the malware’s behaviour, he registered it. This turned out to act as a kill-switch: the ransomware checks whether it can connect to the domain and exits if it can. After he pointed the domain at a sinkhole server, that server immediately started seeing 5,000 to 7,000 hits per second. Unfortunately, there are already new variants of the malware that do not check the domain, and the kill-switch does nothing for machines that were already encrypted, so it is vitally important that organizations patch their systems sooner rather than later.
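As an added illustration, not code from the original post or from any of the researchers it mentions: the Python below is a small detector for the two behaviours described above and in the IoT Reaper post earlier on this page. The first is a worm’s scanning fan-out, where one host suddenly tries the same port on many neighbours (TCP 445 for WannaCry, device admin ports for Reaper). The second is a lookup of the kill-switch domain, which tells you the malware ran on the querying host. The log format, IP addresses, thresholds and the `KILL_SWITCH_DOMAIN` placeholder are all constructed for the example; the real indicator would be taken from the malware sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log of new TCP connection attempts. The format is
# an assumption for the example: "<ISO timestamp> <src> -> <dst>:<port> <action>".
NORMAL = [
    "2017-05-12T10:00:05 10.0.1.9 -> 10.0.1.3:445 allow",   # workstation to its file server
    "2017-05-12T10:03:00 10.0.1.9 -> 10.0.1.3:445 allow",
    "2017-05-12T10:00:07 10.0.1.9 -> 93.184.216.34:443 allow",
]
# Worm-like burst: one host tries port 445 on twelve neighbours inside four seconds.
BURST = [
    f"2017-05-12T10:00:0{i // 3} 10.0.1.7 -> 10.0.1.{20 + i}:445 {'allow' if i % 4 else 'deny'}"
    for i in range(12)
]
SAMPLE_LOG = NORMAL + BURST

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse(lines):
    """Yield (timestamp, src, dst, dst_port) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def find_fanout(lines, port=445, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_destinations} for every source that contacted
    at least `threshold` distinct hosts on `port` within any `window`.

    A workstation normally talks SMB to a handful of servers; a worm such as
    WannaCry (or an IoT bot scanning for its next victim) hits many neighbours
    in seconds, which is the fan-out this sliding window picks up."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for i, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:   # drop events older than the window
                start += 1
            distinct = {dst for _, dst in events[start:i + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# The real kill-switch domain is not reproduced here; this placeholder stands in
# for the indicator an analyst would take from the sample. A DNS query for it
# from an internal host means the malware ran there.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"
DNS_LOG = [   # constructed resolver log: "<time> <client> query <name>"
    "2017-05-12T10:00:00 10.0.1.7 query killswitch-placeholder.example",
    "2017-05-12T10:00:04 10.0.1.9 query www.example.com",
]


def hosts_querying(dns_lines, domain):
    """Return the set of clients that looked up `domain`."""
    hits = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query" and parts[3].lower() == domain.lower():
            hits.add(parts[1])
    return hits


if __name__ == "__main__":
    print("fan-out on 445:", find_fanout(SAMPLE_LOG))
    print("queried kill-switch:", hosts_querying(DNS_LOG, KILL_SWITCH_DOMAIN))
```

On the constructed log only 10.0.1.7 trips the fan-out rule (twelve distinct hosts on 445 in four seconds), and the same host is the one that looked up the kill-switch domain, which is the corroboration you would want before isolating it. The threshold and window are tuning knobs: set them from a baseline of how many SMB peers your hosts normally touch per minute, and include denied connections, since a worm scanning dead addresses is exactly the signal you want.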

How can you protect against ransomware? This question is asked all the time, and there are some simple things that both individuals and organizations can do. First, and one of the easiest, is to keep your firewalls, operating systems, and anti-virus up to date. Whenever possible, enable automatic updates: the time between attackers learning of a vulnerability and you patching it is your window of exposure to being breached (and one of the core reasons why Axiom developed its SecureAmerica Automated Threat Defense Platform!). Second, keep backups that are offline or otherwise out of reach of an infected machine, and test restoring from them; they are what let you refuse to pay.

And of course, be wary of unsolicited emails that contain links or attachments. Hackers are getting more clever and finding devious ways to hide their ransomware, such as embedding files within files. All it takes is one click on a link or one opened attachment for you to lose access to your vital data.

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Despite IRS warnings and plenty of news coverage, tax-season phishing scams have taken in an incredible number of businesses this year. Early in January, I wrote about the dangers of phishing, particularly for W-2s during tax season, and it seems that each day brings news of another company that has unwittingly exposed sensitive employee data to hackers.

A year ago, the IRS warned companies about the W-2 scam, but companies continue to fall for email scammers posing as the company CEO or another high-ranking executive and asking for employee summaries and W-2s. The W-2 information is valuable to criminals because they can use it to file false tax returns, with the refund diverted to themselves, before the real employee files.

Last month alone, four companies in Indiana fell for the trick. 17,000 employees of American Senior Communities were notified that their payroll processor had fallen for the W-2 phishing scam in mid-January, but it wasn’t until employees started having their tax returns rejected in February that the breach was discovered.

Another Indiana company, Monarch Beverage, discovered while investigating this year’s breach that it had fallen for the W-2 phishing scam two years in a row: the same information had been disclosed in April 2016 to a hacker posing as the company CEO.

The stories go on and on about unfortunate employees and companies that have fallen victim to increasingly sophisticated phishing attempts. Phishing topped the IRS’s Dirty Dozen list of tax scams for 2017, and the IRS has seen a 400% increase in phishing scams since 2009.

So, what can businesses do to combat phishing scams and protect their employees’ data?

Employees may be your business’ greatest weakness, but they can also be your greatest defenders if you take the time to educate them. Inform the employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams, and when it comes to sharing sensitive data, require them to get verbal confirmation from the requester, by calling a number you already have on file rather than one given in the email. Phishing scammers often claim the request is urgent precisely to discourage this check, but will the extra five minutes it takes to get verbal confirmation really be too much?

Two school districts (Groton, Glastonbury) in Connecticut were victimized by a phishing scam that divulged W-2 information for nearly 3,000 employees. The school district manager in Groton was placed on administrative leave and the Superintendent expressed his dismay in the disclosure stating “We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred.” But in a related incident, the town of Groton also received a similar email asking for the W-2 information for all the town employees but the employee who received the email was suspicious of the request and reported the fraudulent request. You don’t ever see the success stories published in the news, but this employee truly saved the day by being suspicious of unusual requests for sensitive data.

Lastly, sensitive employee data should never be transmitted unencrypted, even internally, and any request to send it outside the normal payroll process should itself be treated as a warning sign.
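As an added example, not part of the original article: the checks below, in Python, are the kind of rule a mail gateway or a payroll mailbox filter could apply to the executive-impersonation emails described above, so that a W-2 request is held for the verbal confirmation step instead of landing straight in an inbox. The company domain `example.com`, the `EXECUTIVES` directory, the keyword lists and the two sample messages are all constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed company mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed directory: display name -> real mailbox
SENSITIVE = ("w-2", "w2", "payroll", "ssn", "social security")
URGENCY = ("urgent", "asap", "immediately", "right away", "today")

# Constructed sample: a CEO-impersonation request of the kind described above.
PHISH = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@gmail.com
To: payroll@example.com
Subject: URGENT: W-2 summaries needed today

Kindly send me the 2016 W-2s for all employees as PDF. I need them right away.
"""

# Constructed sample: a routine internal message from the real executive.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 all-hands agenda

Can you add five minutes for the benefits update? Thanks.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True for a domain that is not the company's but within two edits of it."""
    return domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2


def analyze(raw):
    """Return the list of warning signs found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else from_domain
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    reasons = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if any(k in text for k in SENSITIVE):
        reasons.append("asks for sensitive employee data")
    if any(k in text for k in URGENCY):
        reasons.append("pressures for an urgent response")
    return reasons


def should_hold(raw):
    """Hold the message for out-of-band verification when it asks for sensitive
    data and shows at least one sender anomaly; urgency alone is not enough."""
    reasons = analyze(raw)
    asks = any(r.startswith("asks for") for r in reasons)
    anomaly = any(r.startswith(("display name", "sender domain", "Reply-To")) for r in reasons)
    return asks and anomaly


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "HOLD" if should_hold(raw) else "deliver", analyze(raw))
```

The phishing sample trips every rule: the display name belongs to an executive but the address does not, the sender domain is one letter pair away from the real one, and the Reply-To points at a webmail account so that replies never reach the person being impersonated. The legitimate message from the same executive produces no findings. The urgency keywords are deliberately not enough on their own to hold a message; they are there to be shown to the recipient as a reminder of why the five-minute phone call matters.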

The Dangers of Internet Connected Toys

Smart toys are pretty cool but they also come with some inherent cybersecurity vulnerabilities that could lead to your or your child’s sensitive information being exposed or even worse, a hacker interacting with your child. Internet connected (IoT or smart) toys like CloudPets, Hello Barbie, and Cayla have recently hit the news for all the wrong reasons; they’ve been hacked.

An unsecured MongoDB database led to the exposure of voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and, because the app’s password requirements were so weak, over 800,000 accounts reportedly were vulnerable to having their passwords cracked. Following the disclosure of the vulnerabilities by a cyber-security researcher, the maker, Spiral Toys, has so far downplayed the severity of the incident, but reportedly filed a breach notification with the California Attorney General as of 2/28/17.

In mid-February, Germany banned a doll called “My Friend Cayla” and urged parents to destroy it because of hacking concerns. The connected doll was classified as an “illegal spying device” because interactions with the doll were recorded and transmitted to a voice-recognition company. The doll’s Bluetooth connection is believed to have been insecurely implemented, so that anyone within range could connect to it and interact with children.

These are just two of the recent examples but they are not at all isolated. The Hello Barbie doll allegedly could have been turned into a surveillance device due to security vulnerabilities. A Fisher Price stuffed animal teddy bear also was found to be vulnerable to leaking sensitive information. And what parent could forget about the 2015 VTech data breach that exposed the data of 5 million parents and children?

And it is not just smart toys that are being hacked and affecting children. There have been numerous stories of parents being woken in the middle of the night by strange voices talking to their children, or of strangers watching them through hacked baby monitors. The stories of hacked baby monitors are not new, but what is worrisome is that many parents still do not take basic precautions, such as researching whether a system has known vulnerabilities before buying it, or even changing the default username and password.

So enough with the doom and gloom: what can parents do to let their children have the latest and coolest toys without sacrificing security? It is important that parents do not ignore the dangers of internet-connected toys simply because they are toys. IoT devices are continually being hacked, whether to attack other systems (5,000 IoT devices were used to attack a university’s network) or to collect information on their owners (spy agencies have said they plan to use IoT vulnerabilities for surveillance).

Here are a few things that parents can do to help secure their family and smart toys against hackers:

  • Immediately change the username and password of the device, if possible.
  • Review what personal information you share about your family. The less the better. Share only what is required.
  • Use privacy settings to adjust who has access to data.
  • Turn off location tracking or restrict as much as possible
  • See if there is a way to disable two-way communication
  • Tell your children to inform you of any unusual interactions with their toys. Talk to your children about sharing personal information, even with their toys.
  • Use strong passwords. Don’t trade ease of use for security.

Online Social Media Security – How Safe Are You and Your Children?

In early December, I was asked to speak to a reporter from Univision Las Vegas about online social media security. The story was prompted by an online scammer who stole the pictures of a little girl and made up a story that she had been kidnapped. Thankfully, the little girl was at home safe with her family, but the fake story aimed to raise funds for a ransom to have her released, and people were falling for the scam.

Another worrying trend with photos of children is what has been termed as “digital kidnapping” or baby role playing. In these cases, a person will steal photos of a child and repost the pictures claiming that the children are their own. Parents have found entire profiles filled with pictures of their children with another person claiming to be the person’s mother or father.

While there are risks to posting pictures of your little ones on social media, it does not mean that you should stop sharing those precious moments with far-away friends and family, even though a survey from the University of Michigan found that 68% of parents are worried about their child’s privacy online and 67% are worried that the photos will be reshared.

There are things that you can do to increase your social media profile security when posting pictures of your children including:

  • Restrict who can see your child’s pictures
  • Restrict the ability to share your child’s picture
  • Use a watermark
  • Turn off location services when posting from your phone

Children aren’t the only victims

Remember the story about how Manti Te’o, now an NFL star, fell for a girl who never existed over a period of a couple of years? Online romance scams have become so prevalent that they account for higher financial losses than most other internet-based crimes, with victims typically losing tens of thousands of dollars according to the FBI’s Internet Crime Complaint Center. There have been so many victims that there is now a support group, Scam Survivors, with a hotline and information resources for those who have been duped by online scams.

For years now, scammers have been creating fake profiles with copied names and profile pictures. And because people still fall for their scams, the fraudsters continue despite Facebook’s attempts to reduce the number of fake accounts. Once a fake profile is created, the scammer may begin adding and contacting the victim’s family or friends. Then they start collecting information. And eventually there comes a message claiming that they have been mugged, lost everything, and are stranded on the streets of a foreign city in desperate need of help. Some years ago, this happened to my parents, who received one such message from one of my brothers saying that he had been mugged in London, which prompted my parents to question first how he ended up there and, secondly, how the scammer knew to contact them to ask for help.

Other social media online safety tips include:

  • Don’t publicly post about going on vacation. It lets people know that your home will be vacant.
  • Never publicly post your address, home telephone or mobile number.
  • Manage your friend lists. Not all friends are created equal, as Stay Safe Online eloquently puts it, so categorize your social media friends into groups and restrict the information that you share with each.
  • Privacy settings exist for a reason, so use them! Use privacy settings (such as restricting posts to just select people or groups) when posting personal details.