Author Archives: Axiom Admin

What is a Botnet and Why Should I Care?

If you’ve seen the news this week, you’ve no doubt seen articles about a botnet called “Reaper”, “IoT Reaper” or “IoTroop” that is enslaving vulnerable smart devices like wireless routers, security cameras, and DVRs. While botnets are interesting to cyber-security professionals, I’m sure the news made many people think “what the heck is a botnet and why do I care about it?”

Put simply, a botnet is an army of internet-connected devices or computers that have been infected by malware and are now under the control of an attacker. The malware is designed to infect as many devices as it can so that they can be directed, all at once, to launch distributed denial of service (DDoS) attacks like the one last October that took much of the East Coast offline. Botnets can also be used to steal data, send spam email, or simply give the attacker a foothold on the device and the internet connection it uses.

You may also hear the term “zombie” in connection with a botnet. That is simply because the malware lives quietly on the compromised device, and the owner is often unaware of the infection or that the device is being used in attacks.

So what is it about this particular “IoT Reaper” botnet that has created such a buzz in the cyber-security industry? It is the sheer number of vulnerable devices, reported at over 378 million, that could be recruited into the botnet. The operators behind “IoT Reaper” are currently exploiting at least nine different vulnerabilities across several device manufacturers and appear to be adding exploits as new vulnerabilities are found. And like the Mirai botnet, “IoT Reaper” is a worm that jumps from one infected device to the next to spread. The difference is that Mirai guessed default passwords, while Reaper exploits unpatched software, so a changed password alone does not protect a vulnerable device.

All of that sounds scary, so is there anything that can be done to keep your devices from being enlisted into a “zombie” botnet army? YES!

As always, make sure that you don’t keep default username/password combinations on any internet-connected device. Also, check whether your smart device manufacturer has released firmware or security patches that close the vulnerabilities the botnet is abusing, and apply them; Reaper-style worms rely on exactly those unpatched holes. Another great way to protect your IoT network is to put a firewall at your internet connection so that the devices’ administration interfaces are not reachable from the internet (and disable remote management and UPnP on the devices themselves where you can). It’s also important to keep the firewall up-to-date, because threats are always evolving!

Is Your Cannabis Business Safe from Hackers?

If you’re in the cannabis industry, you have probably heard about the cyber-attack earlier this year that brought down MJ Freeway, one of the largest cannabis compliance software systems in the industry.

This should have been a wake-up call for everyone that hackers are targeting the industry for a variety of reasons: profit, notoriety, or political statement.

Despite the seriousness of the MJ Freeway cyber-attack, today we’re still finding many businesses in cannabis are not taking cyber-security seriously, leaving themselves wide open to an attack that could bring their operations to a grinding halt.

If you’re not taking steps to ensure your cyber- and data-security is airtight, here are some real consequences your cannabis dispensary could face from a cyber-attack:

Patient and Customer Data

When you accept medical patients and clients, do you store their personal information on your servers or in the mythical, magical cloud?

If you do, then that data is at risk unless you take steps to make sure your cyber-security and data-security strategy is strong. No system is truly impenetrable, so the goal is to make a breach hard to pull off, quick to detect, and possible to recover from.

Hackers can target your systems to steal your customer information and use it against you: hold it for ransom, as happened to HBO, sell it on the Dark Web, or worse, delete it so you cannot recover it.

There is no worse way to compromise your cannabis business’s integrity than having to tell your customers you’ve lost their data.

The recent Equifax hack demonstrated the value of personal information on the Dark Web. Hackers can relatively easily steal your data to sell to other unscrupulous individuals who will use the information for identity theft.

If you collect data that is regulated under the Health Insurance Portability and Accountability Act (HIPAA) and suffer a cyber-security breach, you’ll face serious fines from Health & Human Services.

Ransomware is the hot new cyber-crime trend. It has netted cyber-criminals hundreds of millions in ill-gotten profits by encrypting businesses’ data and holding it for ransom, which puts businesses between a rock and a hard place: do you pay the criminals to get your data back, or do you start over from scratch? The only real way out of that dilemma is a tested, offline backup taken before the infection.

Point of Sale (POS)

While credit card theft is not a large concern for many in the industry, there are still vulnerabilities within point-of-sale (POS) systems that need to be addressed.

POS systems are connected to the internet through servers and need to be protected and segmented from the rest of the network, so that if an attacker gets into your back-office systems they cannot move laterally into the POS network.

There are plenty of examples of credit card data being stolen from POS systems infected by malware (Sonic, Whole Foods), but there are also verified cases where hackers changed product prices after compromising a POS system. For example, instead of selling a product for $100, an attacker could change the price to $1 before checking out, costing you real money.

Grow Operations

Grow operations are increasingly sophisticated and use complex internet-connected devices and HVAC systems. Not taking the time to adequately secure your networks so that an attacker cannot gain access could allow them to reach your HVAC controls, change your room temperature, and destroy your crop.

The sad and scary news is that your competitor may be the brains behind an attack on your unsecured connections and data. Some companies hire hackers to cripple a rival through a cyber-attack and put it out of business.

The Target data breach began with credentials stolen from the company’s HVAC contractor: the attackers used that vendor’s remote access to get into Target’s network and from there into the point-of-sale systems. This shows that not only are HVAC systems and their vendors’ connections a target, but they can be the point of vulnerability that lets a cyber-criminal into your entire computer network.

Keep Asking Yourself This Question

Keep asking yourself this question about your cannabis retail operation: “What harm could a hacker do?”

The answer is a lot and if any of these thoughts keep you up at night, contact Axiom Cyber Solutions or our partner, Hardcar Security, to discuss how you can achieve peace of mind and proper cyber-security protection for your cannabis business.

Another Day, Another Data Breach – Should We Just Get Used to It?

It seems like we can’t go a week without news of a data breach affecting a major company: Target, Home Depot, Yahoo (all 3 billion account holders), HBO, Equifax (3 times), Deloitte, Sonic, Whole Foods. With personal information being exposed and stolen so routinely, people often wonder: should we just get used to having our data breached? Should we get used to the fact that cat photos on Facebook are more secure than our social security numbers?

In short, no! We should never simply accept that companies are not responsible for the security of the data they collect about us. We should be upset when our data is breached and demand action so that companies begin to take data security seriously. And one of the worst things about data breaches is that nearly all of them turn out to be far worse than initially reported.

The Equifax hack happened because the company failed to install a patch for a known vulnerability for months after it was released (the Apache Struts fix came out in March; attackers were inside by May). The Securities and Exchange Commission (SEC), which ironically issues regulations telling other companies to clean up their technology infrastructure and can fine them for failing to take the necessary cyber-security measures, suffered a data breach of its “Fort Knox” system, EDGAR, which companies use to file all the important information about their business: quarterly earnings, mergers and acquisitions, IPOs, market news, and more. And Deloitte’s email administrator account was not protected with two-factor authentication, so once the password was obtained the hackers had privileged, unrestricted administrator access and were able to steal millions of email records, many containing sensitive information.

If the onslaught of lawsuits and regulatory inquiries against Equifax teaches businesses anything, it is that our lawmakers and the people they represent are tired of having their data compromised, and we can hope that real, tangible changes in how businesses treat data security will follow. In its shareholder packages for at least the last five years, Equifax did not mention data security once as a company priority. This must change: any business that collects personal information must take its protection seriously, and when it fails there must be repercussions, because the theft of data leads to real harm to individuals.

The news of the credit card data breach at Sonic has made many wonder how credit cards are still getting hacked. The cards themselves are fairly secure, but when the point-of-sale (POS) system used to process the transaction is compromised, there is little the new chip technology can do to protect the consumer: the malware reads card data out of the terminal’s memory, and a chip makes the captured data harder to reuse for cloning but does not stop the capture. Encrypting card data at the point of swipe (point-to-point encryption), so the POS never handles it in the clear, is what closes that gap. USA Today attributes part of the problem to the increase in the use of technology by businesses without the budget and skills required to secure those new internet-connected POS systems. Companies need to ensure that they not only invest in the new systems but also hire the technical staff or find a trusted partner, like Axiom Cyber Solutions, to ensure that the POS systems are properly protected. Companies that take credit cards need to consider the PCI DSS requirements and ask the question, “If I get breached and lose the ability to take credit cards, can my company survive?”

Don’t get used to having your data breached. Demand that businesses protect your data and encourage your lawmakers to consider new legislation that would allow regulation of data security standards and penalties for data breaches.

Forget Everything You Knew about Safe Passwords

Last month, the author of the 2003 NIST password guidelines admitted that he got it wrong: the way we have been creating passwords, as a random-looking string of characters, and the frequency with which we change them, makes life harder for all of us but easier for cyber-criminals.

The complexity rules of the old guidance led to bad password habits such as replacing letters with look-alike numbers (‘0’ for ‘o’, ‘3’ for ‘e’) and symbols (‘@’ for ‘a’, ‘$’ for ‘s’) so the password could still be remembered. Cracking tools apply exactly those substitutions as rules, so they add almost nothing. In fact, a standard eight-character password with special characters can be cracked faster than a 20-character password made only of letters, because length adds far more possibilities than a few extra symbols.

The old requirement to change passwords frequently also led many users to reuse passwords across multiple sites, which again made things easy for cyber-criminals whenever one of those sites was breached. There is no evidence that a password becomes more hackable because it has been in use for more than 90 days; the current NIST guidance is to change a password when there is reason to believe it has been compromised. Plus, when forced to change passwords too often, users would just shift one letter or bump a trailing number, which cyber-criminals quickly caught on to.

And believe it or not, a short, fully random password is easier for hackers to crack than a long, odd phrase that you can easily remember, because every extra character multiplies the work the cracker has to do. (A random string of the same length is stronger than a phrase; the point is that nobody can remember a long random string, so in practice random passwords end up short.)

The new guidelines throw out much of what we were told, such as requiring a mix of upper and lower case letters, the use of special characters, and changing your password frequently. Now the password experts say that we should make our passwords long and memorable. Using a phrase that is unique to you, with special characters placed between the words rather than substituted inside them if a site forces you to use them, will make it harder for hackers and their cracking software to compromise your passwords.
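To make the “length beats complexity” point concrete, here is an added example (not from the original post) that compares the search space behind the two policies and runs a miniature dictionary attack with the leet-substitution and suffix rules that real cracking tools apply. The word list, guess rate and target passwords are constructed for the example; a real cracking dictionary has millions of entries and thousands of rules, and an unsalted SHA-256 stands in for whatever hash the target site uses.

```python
import hashlib
import itertools
import math

# Constructed mini word list standing in for a real cracking dictionary
# (assumption: the real thing has millions of words and thousands of rules).
WORDLIST = ["password", "welcome", "letmein", "summer", "dragon", "monkey"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2017", "2017!"]


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def mangle(word: str):
    """Yield the forms a rule-based cracker derives from one dictionary word:
    three capitalisations x every subset of leet substitutions x common suffixes."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for base in (word, word.capitalize(), word.upper()):
        for r in range(len(positions) + 1):
            for subset in itertools.combinations(positions, r):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[word[i]]
                for suffix in SUFFIXES:
                    yield "".join(chars) + suffix


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST):
    """Dictionary attack with mangling rules against an unsalted SHA-256 hash.
    Returns (plaintext, guesses_made); plaintext is None if nothing matched."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Years to exhaust each policy's search space at a given guess rate
    (1e10/s is a constructed figure for an offline attack on a fast hash)."""
    return {
        "8 random printable characters": years_to_exhaust(search_space_bits(95, 8), guesses_per_second),
        "20 random lowercase letters": years_to_exhaust(search_space_bits(26, 20), guesses_per_second),
    }


if __name__ == "__main__":
    for policy, years in compare_policies().items():
        print(f"{policy}: {years:.3g} years to exhaust")
    # "P@ssw0rd123" looks complex but is just 'password' plus two rules.
    print(crack(sha256("P@ssw0rd123")))
    # A phrase not built from a single dictionary word never falls to the rules.
    print(crack(sha256("correct horse battery staple")))
```

At ten billion guesses a second the eight-character “complex” policy falls in days while the twenty lowercase letters take billions of years, and the leet-mangled word is found in a few hundred guesses. The phrase survives here only because it is not in the word list; against a real dictionary the defence is the number of words you chain together, not the symbols inside them.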

Also, think about the system you are accessing and whether it needs a strong, unique password, or whether a site that holds only your name, email, and password matters less. Do you really mind if a hacker gets access to your online recipe list? Bear in mind, though, that a password leaked from a throwaway site will be tried against your other accounts, so a password manager that generates a unique password for every site is the safer habit.

You might think that the password to your online bank is your most important one, but your email and social media passwords may be more sensitive: the “Forgot Password” feature on most sites means that a hacker who controls your email account can reset your online banking access.

But passwords and one-time codes sent by SMS are not bullet-proof, as they can be phished and hijacked. A recent, terrible example of account take-overs has been in the crypto-currency space, where hackers compromise email accounts and take over victims’ mobile phone numbers to intercept those codes, then empty crypto-currency wallets. Users need to stay vigilant and take every precaution to secure their most sensitive accounts, preferring an authenticator app or hardware token over SMS wherever a service offers one.

Why IT is Not Cyber-Security

Last month, CSO Online posted an article titled “IT is NOT Cybersecurity” explaining that while the disciplines are related, like police officers and firefighters, each requires a very specific skill-set for a different function. We often tell our clients: you wouldn’t go to your family doctor for a root canal, you would go to your dentist, and the same applies to the skills required in cyber-security. IT professionals are just that, professionals, but their daily duties consist mainly of configuring and maintaining the company’s networks (on premises or in the cloud), whilst the job of cyber-security professionals is to ensure and verify the security of those networks. Combining the two functions is like asking your accountant to audit their own books: it’s a conflict of interest.

In small-to-medium businesses, there may be an on-staff IT person or outsourced managed service provider (MSP), but again, their job is the daily operations of the network and computer equipment. They often are too busy putting out fires, taking care of the “I can’t print” or “My email doesn’t work” kind of issues to even give cyber-security a thought.

The cyber-security professional needs to think about the security of the company’s network and the protection of its sensitive data. The average starting salary for a cyber-security professional is upwards of $90,000, so most small-to-medium businesses go without one on staff and throw caution to the wind by making their IT staff responsible for securing the networks they maintain. But again, with daily computer and network issues to deal with, what spare time does the IT staff member have to think about cyber-security?

Additionally, with 80% of companies not knowing where their sensitive data is located, how would they even start to think about protecting it? And even with cyber-attacks targeting small businesses, there has been little focus on making sure that small-to-medium businesses can obtain the same kind of cyber-security as large enterprises. At least until now.

Axiom was founded by experts from the U.S. State Department, United Nations, European Union and Interpol with the vision of bringing solutions to the market to give small & medium businesses the same protections that large enterprises spend millions of dollars on. Axiom believes that by taking away the burden of cyber-security from their customers, they can stop more attacks and protect more businesses.

Massive Ransomware Attack Makes the World Wanna Cry

The massive ransomware attack that hit some 100 countries left the world reeling at the scale of it and pretty much every cyber-security expert saying “told you so”. With a record 126,000 infections, the perpetrators behind the attack reportedly made $26,000 in a 24-hour period.

So how did the attackers manage to infect so many computers all at once? The self-propagating malware used an exploit called EternalBlue, allegedly developed by the NSA, stolen by TheShadowBrokers and released to the public in April, which targets a vulnerability in the SMB file-sharing service of Microsoft Windows. Microsoft released a patch for the vulnerability in March (security bulletin MS17-010), but many older systems still in use remained vulnerable, and many organizations do not enable the automatic updates that would have protected them. Once one computer on a network was infected, the worm scanned for other machines with the SMB port open and spread from vulnerable computer to vulnerable computer without anyone clicking anything, which accounts for how quickly the malware spread.
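The propagation described above has a simple network signature: one host suddenly opening SMB (TCP/445) connections to many different machines. The following added example (not part of the original post) runs that check over a constructed set of firewall connection logs; the log format, hosts and thresholds are assumptions for the example, not a real product’s output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src> -> <dst>:<port> <tcp flags>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$"
)


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "flags": m["flags"],
    }


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {source: peak distinct SMB targets} for every source that opened
    connections to at least `threshold` distinct hosts on TCP/445 inside `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["port"] == 445 and ev["flags"] == "SYN":
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans at most `window`.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def constructed_log():
    """Constructed sample traffic: a normal client, a worm-like sweep, a slow scan."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Legitimate: a workstation reconnecting to its one file server.
    for i in range(50):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.50 -> 10.0.1.10:445 SYN")
    # Infected host sweeping 40 neighbours on 445 within 40 seconds.
    for i in range(1, 41):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.1.77 -> 10.0.1.{i}:445 SYN")
    # Slow scanner: one new peer every five minutes, which a 60 s window misses.
    for i in range(1, 21):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} 10.0.1.88 -> 10.0.2.{i}:445 SYN")
    # Unrelated HTTPS traffic.
    lines.append(f"{base.isoformat()} 10.0.1.50 -> 93.184.216.34:443 SYN")
    return lines


if __name__ == "__main__":
    print(find_smb_scanners(constructed_log()))  # only 10.0.1.77 is reported
```

The file-server client is ignored because it talks to one peer, and the slow scanner shows the limit of a fixed window: widen it (or add a longer-term counter) if you care about patient scanners. The complementary control is to block TCP/445 from the internet at the firewall outright, which also stops the initial infection the worm relies on.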

The attack was inadvertently halted on Friday by a security researcher who goes by the name MalwareTech. While analyzing the code, MalwareTech noticed that it referenced an unregistered domain name and, as part of his research into the malware’s behaviour, registered the domain. This turned out to act as a kill-switch: the malware checks whether the domain resolves and, if it does, stops. After pointing the domain at a server, he immediately saw 5,000-7,000 hits per second. Unfortunately, new variants that do not check the domain have already appeared, so it is vitally important that organizations patch their systems sooner rather than later.

How can you protect against ransomware? This question is asked all the time, and there are some simple things that both individuals and organizations can do to prevent an attack. First, and one of the easiest, is to keep your firewalls, operating systems, and anti-virus up-to-date. Whenever possible, enable automatic updates, because the window between a vulnerability being discovered by attackers and the moment you patch is your exposure to being breached (and one of the core reasons why Axiom developed its SecureAmerica Automated Threat Defense Platform!). Make sure you also have offline backups: a backup the worm cannot reach is what lets you restore without paying.

And of course, be wary of unsolicited emails containing links and attachments. Attackers are getting more clever at hiding their ransomware, for example by embedding files within files. All it takes is one click on a link or the opening of one file for you to lose access to your vital data.

Tax Season Cyber-Crime: Hackers Step Up Phishing for W-2 Information

Despite IRS warnings and plenty of news coverage, tax season phishing scams have taken in an incredible number of businesses this year. Early in January I wrote about the dangers of phishing, particularly for W-2s during tax season, and it seems that every day brings news of another company that has unwittingly handed sensitive employee data to hackers.

A year ago, the IRS warned companies about the W-2 scams, but companies are still falling for email scammers posing as the CEO or other senior executives and asking for employee summaries and W-2s. The W-2 information is valuable to criminals because they can use it to file false tax returns and collect the refund before the real taxpayer files.

Last month alone, four companies in Indiana fell for the trick. 17,000 employees of American Senior Communities were notified that their payroll processor had fallen for the W-2 phishing scam in mid-January, but it wasn’t until employees started having their tax returns rejected in February that the breach was discovered.

Another Indiana company, Monarch Beverage, discovered while investigating this year’s breach that it had fallen for the W-2 phishing scam two years in a row: the same information had been disclosed in April 2016 to a scammer posing as the company CEO.

The stories go on and on about employees and companies that have fallen victim to increasingly sophisticated phishing attempts. Phishing topped the IRS’ Dirty Dozen list of tax scams for 2017, and the IRS has seen a 400% increase in phishing scams since 2009.

So, what can businesses do to combat phishing scams and protect their employee’s data?

Employees may be your business’s greatest weakness, but they can also be your greatest defenders if you take the time to educate them. Tell the employees who have access to sensitive employee data about these scams; don’t just assume that they know.

Teach your employees how to identify phishing scams, and when it comes to sharing sensitive data, have them seek verbal approval from the requester over a phone number they already know (not one taken from the email). Phishing emails usually insist the response is urgent, but will an extra five minutes to get verbal confirmation really be too much?

Two school districts (Groton, Glastonbury) in Connecticut were victimized by a phishing scam that divulged W-2 information for nearly 3,000 employees. The school district manager in Groton was placed on administrative leave, and the Superintendent expressed his dismay, stating “We are of course heartbroken and I just can’t tell you how disappointed I am that this occurred.” But in a related incident, the town of Groton also received a similar email asking for the W-2 information of all town employees; the employee who received it was suspicious and reported the fraudulent request. You never see the success stories in the news, but this employee truly saved the day by being suspicious of an unusual request for sensitive data.

Lastly, sensitive employee data should never be transmitted unencrypted, even internally, and a request for it should be fulfilled only through the channel your process defines, never by replying to the email that asked.

The Dangers of Internet Connected Toys

Smart toys are pretty cool but they also come with some inherent cybersecurity vulnerabilities that could lead to your or your child’s sensitive information being exposed or even worse, a hacker interacting with your child. Internet connected (IoT or smart) toys like CloudPets, Hello Barbie, and Cayla have recently hit the news for all the wrong reasons; they’ve been hacked.

An unsecured MongoDB database exposed voice recordings, pictures, and account information for the CloudPets line of IoT stuffed animals. Over 2.2 million recordings were accessible and, because of weak password requirements, over 800,000 accounts were reportedly vulnerable to having their passwords cracked. Following disclosure of the vulnerabilities by a cyber-security researcher, the maker, Spiral Toys, has so far downplayed the severity of the incident, but reportedly filed a breach notification with the California Attorney General as of 2/28/17.
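The CloudPets exposure came down to a database configuration: a MongoDB instance listening on the public internet with authentication switched off. The two mongod.conf fragments below are an added illustration (not from Spiral Toys or the original post) of the weak settings and the corrected ones; the private address in the hardened version is an assumption.

```yaml
# Weak: reachable on every interface and no 'security' section, so anyone who can
# reach TCP 27017 can read, modify or drop every collection without a password.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# Hardened: listen only on loopback and the application tier's private address
# (10.0.0.5 is an assumed value) and require every client to authenticate.
net:
  bindIp: 127.0.0.1,10.0.0.5
  port: 27017
security:
  authorization: enabled
```

After restarting mongod, confirm from a host outside the bindIp list that port 27017 no longer answers, and from an allowed host that an unauthenticated session is refused. Filter the port at the network edge as well, so that a future configuration slip does not put the database straight back on the internet.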

In mid-February, Germany banned a doll called “My Friend Cayla” and urged parents to destroy it over hacking concerns. The connected doll was classified as an “illegal spying device” because interactions with the doll were recorded and transmitted to a voice-recognition company. The doll’s Bluetooth connection is believed to have been implemented insecurely, without any pairing protection, which could let a hacker within range interact with a child through the toy.

These are just two of the recent examples but they are not at all isolated. The Hello Barbie doll allegedly could have been turned into a surveillance device due to security vulnerabilities. A Fisher Price stuffed animal teddy bear also was found to be vulnerable to leaking sensitive information. And what parent could forget about the 2015 VTech data breach that exposed the data of 5 million parents and children?

And it’s not just smart toys that are being hacked and affecting children. There have been numerous stories of parents being woken in the middle of the night by strange voices talking to their children, or even of strangers watching them through hacked baby monitors. The stories of hacked baby monitors are not new, but what is worrisome is that many parents still do not take basic precautions, like researching whether a product has known security problems before buying it or even changing the default username and password.

So enough with the doom and gloom: what can parents do to let their children have the latest and coolest toys without sacrificing security? It is important that parents do not ignore the dangers of internet-connected toys simply because they are toys. IoT devices are continually being hacked to attack others (5,000 IoT devices attack a university) or to collect information on their owners (spy agencies plan to use IoT vulnerabilities to spy).

Here are a few things that parents can do to help secure their family and smart toys against hackers:

  • Immediately change the username and password of the device, if possible.
  • Review what personal information you share about your family. The less the better. Share only what is required.
  • Use privacy settings to adjust who has access to data.
  • Turn off location tracking, or restrict it as much as possible.
  • See if there is a way to disable two-way communication.
  • Tell your children to inform you of any unusual interactions with their toys. Talk to your children about sharing personal information, even with their toys.
  • Use strong passwords. Don’t trade ease of use for security.

Online Social Media Security – How Safe Are You and Your Children?

In early December, I was asked to speak to a reporter from Univision Las Vegas about online social media security. The reason for the story was that an online scammer stole the pictures of a little girl and made up a story about how the little girl had been kidnapped. Thankfully, the little girl was at home safe with her family but the fake story aimed to raise funds to pay for a ransom to have her released and people were falling for the scam.

Another worrying trend with photos of children is what has been termed as “digital kidnapping” or baby role playing. In these cases, a person will steal photos of a child and repost the pictures claiming that the children are their own. Parents have found entire profiles filled with pictures of their children with another person claiming to be the person’s mother or father.

While there are risks to posting pictures of your little ones on social media, it does not mean that you should stop sharing those precious moments with far-away friends and family, although a survey from the University of Michigan found that 68% of parents are worried about their child’s privacy online and 67% are worried that the photos will be reshared.

There are things that you can do to increase your social media profile security when posting pictures of your children including:

  • Restrict who can see your child’s pictures
  • Restrict the ability to share your child’s picture
  • Use a watermark
  • Turn off location services when posting from your phone

Children aren’t the only victims

Remember the story about how Manti Te’o, now an NFL star, fell for a girl who never existed over a period of a couple of years? Online romance scams have become so prevalent that they account for some of the highest financial losses of any internet-based crime, with victims typically losing tens of thousands of dollars, according to the FBI Internet Crime Complaint Center. There have been so many victims that there is now a support group called Scam Survivors, with a hotline and information resource center for those who have been duped by online scams.

For years now, scammers have been creating fake profiles with copied names and profile pictures, and because people still fall for them the fraudsters continue despite Facebook’s attempts to reduce the number of fake accounts. Once a fake profile is created, the scammer starts adding and contacting the victim’s family or friends. Then they collect information. And eventually there comes a message claiming that the person has been mugged, lost everything, and is stranded on the streets of a foreign city in desperate need of help. Some years ago, this happened to my parents, who received one such message from one of my brothers saying that he had been mugged in London, which prompted my parents to question first how he ended up there and secondly how the scammer knew to contact them to ask for help.

Other social media online safety tips include:

  • Don’t publicly post about going on vacation. It lets people know that your home will be vacant.
  • Never publicly post your address, home telephone or mobile number.
  • Manage your friends lists. Not all friends are created equal, as Stay Safe Online eloquently puts it, so categorize your social media friends into groups and restrict the information that you share with them.
  • Privacy settings exist for a reason, so use them! Use privacy settings (such as restricting posts to just select people or groups) when posting personal details.

Tax Season is Also Phishing Season

As tax season is upon us, it is important to remind ourselves about whaling campaigns, which are phishing scams aimed at, or impersonating, a company’s senior executives. Whaling scams typically go after large amounts of sensitive employee data (tax season = W-2s) or wire transfers for fake invoices. During the 2016 tax season, cyber-criminals successfully targeted 41 organizations for employee W-2 information. One particularly bad scam saw University of Kansas employees’ paychecks diverted from their accounts after they received fake emails asking them to update their payroll information.

Whaling scams catch people by surprise because they believe that they are receiving a legitimate request from inside their own organization (CEO, CFO, HR). The emails play on emotions with orders for urgent actions to pay invoices, update payroll information, or the need to file tax statements.

Phishing for W-2’s

During tax season, whaling campaigns are particularly lucrative for cyber-criminals because, with the W-2 information, they can file false tax returns and divert the refunds. Until last year, the IRS would not alert a person if it detected a fraudulent filing, but with the recent spate of data breaches and the number of false filings, the IRS now analyses filings for consistency against previous years and alerts the taxpayer when it notices inconsistencies.

Even with all the checks in place, there were still around 275,000 claims of taxpayer identity theft reported to the IRS in 2016, and Experian’s Data Breach group handled more than 70 cases each week tied to W-2 schemes.

Whaling for Big Paydays

In April 2015, Mattel fell for a massive whaling scheme that saw $3 million wired to Chinese cyber-criminals. Luckily for Mattel, the money was sent over a Chinese holiday and the company was able to work with the Chinese authorities to recover most of the funds.

In May 2016, the CEO and CFO of an Austrian aircraft parts manufacturer both lost their jobs after the company fell for a whaling scheme that cost it nearly US$57 million. The company managed to recover some of the money, but most of it disappeared into foreign bank accounts.

And in January 2016, a Belgian bank lost US$75 million after an email requested a money transfer to finalize an urgent business transaction.

So That’s the Bad News, Now How Can Organizations Combat Phishing?

Empowerment, verification, and employee education are key in combating whaling schemes. Anti-virus and anti-malware products will not stop a phishing email from being delivered, a link from being clicked, or sensitive data from being sent to the wrong person; there is no malware in a plain-text request for W-2s. Only when employees are empowered to ask for verification and taught to question unusual circumstances will organizations be able to defeat phishing scams.

The news of failures is constant, but there are success stories every day thanks to vigilant, aware employees. One such success story happened this week at a company Axiom works with in Southern California. The “CEO” emailed his executive assistant and told her to wire money to someone right away. She thought it was odd, as he typically did not send that type of email, and asked him for verbal confirmation. The answer was “what are you talking about?” and Axiom was called for advice.
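Most of the tells in a whaling email are visible in the message itself: an executive’s name on an address that is not the company’s, a look-alike domain, a Reply-To pointing somewhere else, and an urgent request for exactly the data the criminal wants. The following added example (not part of the original posts or any Axiom product) scores a message on those tells so it can be held for the verbal check described above; the company domain, executive roster and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption for the example
# Constructed roster: display names scammers impersonate, with the real addresses.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john smith": "john.smith@example.com"}
DATA_TERMS = ("w-2", "w2", "wire", "payroll", "direct deposit", "ssn")
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Return the whaling tells found in a raw RFC 822 message plus a verdict.
    Assumes a single-part text/plain body, which is what these scams usually are."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    findings = []

    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display name impersonates {from_name} but address is {from_addr}")
    if from_domain and from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain")
    if any(t in text for t in DATA_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("urgent request for sensitive data")

    verdict = "hold: verify with the requester by phone" if findings else "no whaling tells found"
    return {"findings": findings, "verdict": verdict}


# Constructed sample messages for the example.
SPOOFED_MESSAGE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo.janedoe@gmail.com\n"
    "To: payroll@example.com\n"
    "Subject: Urgent: W-2 summaries\n"
    "\n"
    "I need the W-2s for all employees sent to me today.\n"
    "I'm handling this personally, please keep it confidential.\n"
)
LEGITIMATE_MESSAGE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Thursday offsite\n"
    "\n"
    "Can you book the large conference room for Thursday?\n"
)

if __name__ == "__main__":
    for raw in (SPOOFED_MESSAGE, LEGITIMATE_MESSAGE):
        print(triage(raw))
```

The spoofed message trips all four checks; the genuine one trips none. A mail gateway would add the SPF, DKIM and DMARC results from the Authentication-Results header as a fifth signal, but the point of the example is that even without them the request itself carries enough warning signs for the person reading it to stop and pick up the phone.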