Yesterday, we looked at two hot areas to be aware of regarding your online security: Data breaches and mobile security. Today, we’ll look at two more areas that haven’t caused as much trouble or damage as the other two, but are likely to grow in importance.
Internet of (Every)Thing at risk
The “smart” home has been in the works for some time now, and this year, we’ll see more and more gadgets from household appliances to wearables like fitness bracelets to industrial equipment becoming connected to mobile devices and social networks. This proliferation of inter-connected things will open up a whole new glorious space for hackers to play in.
We predict that from now on, devices will increase by an order of magnitude (not too bold a prediction, huh?), and of course, that will result in greater privacy and security concerns. A breach in the Internet of Things (IoT) will give cybercrooks the ability to install malware or ransomware on private networks – not only consumer, but corporate and government – steal personal information, or even cause physical harm to a space or a person. But before you run around the yard yelling, “Skynet is falling, Skynet is falling”, cybercrooks will feel the space out probably starting with adware uploaded on our smart TVs.
What to keep your eye out for
- New technologies and businesses around the IoT including
- Increased demand for low cost bandwidth and processing
- Expansion of infrastructure that carries Wi-Fi traffic
- Start-ups focused on communication and sensors between devices, storage, data analytics
- Home and factory automation
- The rise of “fog” computing architectures, where data is closer to the source as opposed to residing in a data center somewhere
Room for improvement
- Keeping multiple smart devices updated with the latest version of this-and-that software. You think it’s hard now with a couple of devices? Wait until your house, body, garage, and workplace are full of smart gadgets.
- The fractured ecosystem will make it harder to identify threats or protect against security exploits.
- Home routers are still unsecure and people are using open, unencrypted Wi-Fi. Start by securing your own home router by scanning with Avast’s Home Network Security scan, then follow whatever suggestions are given.
Social media world
By now, social media users know that sharing too much personal information can give strangers access to their personal life. To illustrate that point on a national scale, Allstate Insurance, aired a series of commercials about what happened to a couple who shared on social networks that they were away from their home for the weekend. Read about it on our blog.
Last year, we saw new privacy settings introduced on social media, and 2015 will see a rise in anonymous interactions via social media.
Hoaxes and scams spread by email and social networks were successful in 2014, as they have been for years now, so we see no reason that occurrences will decrease. Social engineering can trick unwitting victims and the rate of identity theft will increase.
What to keep your eye out for
- Continuation of scams associated with important events like celebrity gossip or sporting events.
- Watching videos on Facebook equaled watching videos on YouTube at the end of 2014, so we can expect hackers to take advantage of this by hiding malicious links in Facebook videos.
- More fraudulent and malicious ads will appear on social networks.
- Ransomware made the jump from PC to mobile in 2014, and it will likely hit social networks.
Room for improvement
- Cut back on sharing too much on social media and through Internet of Things devices.
- Adjust privacy settings in each social network.
For a month now, I have been reading predictions for 2015. In the security field, something new and unexpected can always pop up – like the Point-of-Sale (PoS) breaches in early 2014 – but most likely what will happen is just a continuation, that is, a natural evolution, of what has already occurred.
So let’s take a look at some things that will probably happen this year and steps we can take to stay safer. Tomorrow, we’ll look at a few more.
Data breaches will continue
Data breaches made the news in 2014, and in 2015 we will continue to see security breaches of companies, irrespective of size or business sector. These breaches are often caused by software vulnerabilities, advances in data stealing malware, and as we have seen recently with the Sony breach, by states using cyber espionage against other states.
What to keep your eye out for
- Heartbleed and Shellshock were successful at using vulnerabilities in software that we depend upon. We expect to see more of the same in 2015.
- Increase in phishing and social engineering attacks on employees of big companies in order to break in.
- Health care organizations are at risk because many of them use outdated software and have rudimentary security. Plus, there is so much valuable data to be stolen like sensitive patient records.
- More revelations that governments and even companies are using cyber attacks against each other.
- Companies need to tighten up the security processes of their employees, vendors, and third party suppliers who have access to their systems.
- Companies need to adopt advanced threat solutions to secure their PoS networks from breaches.
- Enterprise breach detection methods need to be improved because cybercrooks will likely go after the bigger fish.
- Passwords are not adequate protection for our personal or financial accounts. Two-factor authentication will be adopted more widely, as will new methods like ultra-sonic sound.
- Consumers and companies should update from the old, vulnerable Windows XP.
Mobile is attractive to cybercrooks
Since our mobile phones are as powerful and can accomplish nearly all the things a regular computer can, that gives cybercrooks a relatively easy in-road to your private data and financial information. 2015 will see consumers becoming more aware of mobile security since they will increasingly use mobile apps that contain sensitive banking, financial, and personal health information. Read more…
In last night’s broadcast of the Sugar Bowl, a showdown of two power-house college football teams in the USA, Allstate Insurance, aired a series of brilliant commercials about the risk of over-sharing on social networks. The social media team at Avast has been preaching this message for a while now, so we were happy to see this clever series of advertisements.
The ads are about a couple who shared on social networks that they were away from their house, actually attending the game. Allstate’s “Mayhem” character took advantage of this knowledge and broke into their unoccupied house, and proceeded to have a “MayhemSale” of all their possessions. “Buy Matt & Shannon’s stuff now at MayhemSale.com,” he announced, then soon after took to Twitter to sell off items one-by-one. I immediately visited the website, but apparently there were so many other interested people, that it kept crashing.
— Mayhem (@Mayhem) January 2, 2015
Burglars can easily search Facebook or Twitter for targeted keywords or see who has checked into airport lounges on Foursquare. According to FBI statistics, summertime is the most active for burglaries and oversharing can tip off thieves to your absence. Homeowners should be extra vigilant about protecting their goods.
Our advice – be extremely cautious what you share on social media, and wait until after you are back to share your vacation pictures.
From our headquarters in Prague, Czech Republic to our offices in the USA, Germany, China, and South Korea, all of us at Avast Software wish you love, laughter, and peace in 2015.
Looking back on 2014, we are grateful for the trust that our 220 million customers have placed in us. We thank you for your loyalty and for sharing Avast with your friends and family. We appreciate your support, your suggestions and feedback (even when it’s not so good ), the way you help others on our forum and social channels like Facebook, Google +, and Twitter, and especially when you write us with your stories of how Avast saved the day for you.
As we enter this new year, we promise to bring you the best security products for your home network, your business, your PCs, Macs, and Android devices, that we can. We will stay on top of new threats and contain the old ones that keep coming back to plague us. We will strive to keep your trust, but most of all, to keep you and your important data and hardware save from harm.
So raise your glass with us, and join us for our 2015 wish.
Peace. Love. Security. ~ from Avast
[AUDIO VERSION: This is an audio version of this blog post. Click below to listen.]
During the Christmas holidays, my mother received this email from a well-meaning friend. Since her daughter works for the most trusted security company in the world, she immediately asked me about the authenticity of the message.
Here’s the email:
Subject: VIRUS COMING !
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
You should be alert during the next few days. Do not open any message
with an attachment entitled POSTCARD FROM HALLMARK , regardless of who sent it to you.
It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole
hard disc C of your computer.
This virus will be received from someone who has your e -mail address
in his/her contact list.
This is the reason you need to send this e -mail to all your contacts.
It is better to receive this message 25 times than to receive the virus
and open it.
If you receive an email entitled “POSTCARD,” even though it was sent to
you by a friend, do not open it! Shut down your computer immediately.
This is the worst virus announced by CNN.
It has been classified by Microsoft as the most destructive virus ever.
This virus was discovered by McAfee yesterday, and there is no repair
yet for this kind of Virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the
vital information is kept.
COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS.
REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US
This particular email has been around for years, and you have probably seen one of its incarnations. Although there are real incidents of malware being distributed via e-cards, this is a bogus, unsubstantiated hoax.
The language is quite strong – phrases like the worst virus and the most destructive virus ever are sure to get the attention of security-minded people. The problem is that the email fails to provide any authentic details to learn more about the threat, just vague announcements and classifications.
“The email doesn’t actually mention a specific virus,” said Jan Zika, an Avast Virus Lab analyst. “Sure some viruses use the “Postcard” social engineering method to trick users to click the link, but this email has been circulating for a couple of years now, and it never says which virus it is.”
The email does say what the virus can do, This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept, and it burns the whole hard disc C of your computer. Pretty scary stuff!
“No, it cannot burn anything, and no, it is not most destructive virus ever,” said Zika. His advice? “It’s best to avoid such messages unless you can confirm that the threat is real.”
Protect yourself against email hoaxes
- Keep you antivirus protection up-to-date and scan regularly for viruses and malware. Both Avast Internet Security and Avast Premier include anti-spam filters to keep your inbox free of this kind of nonsense.
- Use caution when opening attachments or downloading files. Double check that it’s from a sender you know and trust.
- Before clicking on any links or attachments, try to verify that the email came from a legitimate source. If you can’t, then don’t click.
Earlier this month, as the Sony Entertainment breach was making headlines, Sony’s PlayStation Network (PSN) was knocked offline due to an alleged hacking attack. On Christmas morning, just as kids everywhere were unwrapping their new PlayStation and Xboxes, the PSN and Microsoft’s Xbox Live network were both disrupted leading to speculation that they were once again hacked. A group calling themselves Lizard Squad claiming responsibility for the attacks via Twitter.
As of now, PlayStation is still offline and PSN is directing users to their @AskPlayStation Twitter account for updates.
Please follow @AskPlayStation to get the latest updates as we work to restore full network functionality.
— Ask PlayStation (@AskPlayStation) December 26, 2014
Xbox Live Status reports that its core services are running, but there is limited access to apps for IGN, Maxim, and MLG.tv.
Related article: Sony PlayStation Network down due to hacker attack
2014 has been an active year for cybercrime. Let’s start with the most recent and then take a look at some of the other important security events of the year.
We are ending the year with the most publicized and destructive hack of a major global company by another country – now identified as North Korea. The Sony Entertainment attack, still being investigated by the FBI, resulted in the theft of 100 terabytes of confidential employee data, business documents, and unreleased films. It was an attack on privacy due to the theft of a massive amount of personal records, but also essentially blackmail; aiming to silence something that the North Korean government didn’t like – namely the release of The Interview, a movie depicting an assassination attempt on Kim Jong-Un.
Most of the blame for state-sponsored cybercrime in 2014 has been with Russian or Chinese hackers. Whether private or state-sponsored, these hackers have attempted to access secret information from the United States government, military, or large American companies. Recently, Chinese hackers sponsored by the military were indicted for economic espionage by the U.S. Department of Justice.
Along with the Sony breach, other notable companies that suffered from cybercrime include Home Depot, eBay, Michaels, Staples, Sally Beauty Supply, and others. A significant number of these breaches were begun months or years ago, but were revealed or discovered in 2014.
Nearly 110 million records were stolen from Home Depot; the largest ever breach of a U.S retailer. The cyber-heist included 56 million payment card numbers and 53 million email addresses.
JPMorgan Chase’s data breach impacted nearly 80 million households in the U.S., as well as 7 million small- and medium-sized businesses. Cybercriminals were able to gain access after stealing an employee’s password, reminiscent of the Target breach from 2013. This breach is said to be one of the largest breaches of a financial institution. The FBI is still investigating.
Financial and data stealing malware
GameOver Zeus, called the most infamous malware ever created, infected millions of Internet users around the world and has stolen millions of dollars by retrieving online banking credentials from the infected systems.
Tinba Trojan banking malware uses a social engineering technique called spearfishing to target its victims. The spam campaign targeted Bank of America, ING Direct, and HSBC customers using scare tactics to get customers to download a Trojan which gathered personal information.
Chinese hackers were at it again, and again, targeting South Korean banking customers with banking malware using a VPN connection. The customers were sent to a look-alike webpage where they were unknowingly handing cybercrooks their banking passwords and login information.
Many of the breaches that occurred in 2014 were because of unpatched security holes in software that hackers took advantage of. The names we heard most often were Adobe Flash Player/Plugin, Apple Quicktime, Oracle Java Runtime, and Adobe Acrobat Reader.
Avast’s selection of security products have a feature called Software Updater which shows you an overview of all your outdated software applications, so you can keep them up to date and eliminate any security vulnerabilities.
Today’s biggest threat to the normal consumer is the consumer themselves.
This bold statement was made by Avast CEO Vincent Steckler in an interview with German technology website Valuetech in Munich last week. That’s a daring position to take after this year’s revelations about NSA spying, the theft of tens of millions of customer passwords from major retailers like Target and Home Depot, the recent Sony Pictures hack, and the normal parade of Trojan horses, worms and viruses, but it’s one that Steckler stands behind.
Watch the interview here (04:00),
Mr. Steckler has good reason for his conclusion. Here’s a few of the main points he made during the interview.
Social engineering preys on human weakness
“A lot of attacks are still using social engineering techniques; phishing emails – ways of convincing the user to give up valuable information,” said Steckler.
An example of phishing emails just occurred after Black Friday, when cybercrooks sent millions of fake purchase confirmation emails to customers of major retailers. You can read about that, as well as what to do if you are a victim, in our blog, Fake confirmation emails from Walmart, Home Depot, others in circulation.
The Mac misconception
Mac users are well-known for proudly touting that they don’t use antivirus protection because they never have a problem with viruses. But, it’s really a numbers game.
“There is no fundamental difference,” Steckler says of the security of PCs and Macs. “Mac is not inherently any safer, as a technology, than Windows is. What makes a difference there is what is more opportune for a bad guy to attack.”
He explains that malware written for Windows can attack up to 93% of the world’s PCs. Mac malware only reaches 7-8% of the world’s PCs. The safety then lies in the lower numbers of Mac devices rather than a technical safety advantage.
Households networks are as complicated as small business networks
With the interconnectivity of household devices from household computers, mobile phones, TVs and even refrigerators, Steckler compares the typical household network to that of a small business.
“The central weakness in this ‘Internet of Things’ will be that home router – the thing that connects everything together,” says Steckler, “and basically doesn’t have any security on it.”
Avast 2015 seeks to address this lack in security by including the new Home Network Security scanner.
Poor Sony. They are getting it from all directions these days. On Sunday, the PlayStation Network, the online store for games, movies, and TV shows, suffered a hacker attack and was knocked offline. Visitors to the store got a message that said, ‘Page Not Found! It’s not you. It’s the Internet’s fault.’ I just visited the page, and got this same message, so reports that it was up again, were at best, temporary – at least for some of us.
Sony tweeted yesterday that they were investigating.
We are aware that users are having issues connecting to PSN. Thanks for your patience as we investigate.
— Ask PlayStation (@AskPlayStation) December 8, 2014
A group called Lizard Squad, which was also involved in a hack of Xbox Live last week as well as previous attacks on EA Games and Destiny, claimed responsibility for the attack.
During the Xbox hack, Lizard Squad promised that attacks would continue until Christmas.
This attack comes on the heels of news recently that Sony Pictures’ corporate network was infiltrated by cybercrooks which resulted in the theft of 100 terabytes of confidential employee data, business documents, and unreleased films. It was speculated that North Korean hackers were behind the attack due to the upcoming release of the movie “The Interview,” which is about an attempted assassination of Kim Jong-Un. The North Korean government denied responsibility for the attack on Sunday. The attack has since been traced to a luxury hotel in Bangkok, and is being investigated.
The two attacks appear to be unrelated.
Cybercrooks target busy holiday shoppers with phishing scheme.
After all that shopping on Black Friday and Cyber Monday, consumers are reporting a bunch of phishing emails that look like authentic communications from poular stores. Malware-infected emails are reportedly coming from Walmart, Home Depot, Target, and Costco. The catch is these are not from the authentic merchants, but rather cybercrooks are using a phishing scheme to send fake emails with the intent to gather personal information from harried shoppers.
Millions of these emails are being sent each day, originating from more than 600 hacked websites that act as intermediaries, according to security analysts from Malcovery monitoring the attacks. This method prevented detection by causing the spammed links to point to websites that had been safe until the morning of the attack.
The messages have subject lines like this:
- Thank you for your order
- Order Confirmation
- Thank you for buying from Best Buy
- Acknowledgment of Order
- Order Status
If you receive one of these emails, don’t click on any links. Instead, visit the merchant’s website or call their customer service. Don’t give any personal information out unless you know for sure with whom you are speaking.
Signs of a fake email
Unfortunately, cybercrooks are becoming more professional with their scams, but here are a few things you can look for to tell a fake email from an authentic one.
- Poor grammar usage
- The Sender (the “from” line) may not match the merchant name
- Links in the email do not go to the real website
- There is no order confirmation number or details about the order. A real order confirmation email contains the details of your order without clicking on any links, as well as where it is being shipped and the payment method.
How to protect yourself
Walmart acknowledged that the fraudulent emails were in circulation and suggested these steps if you receive a suspicious email.
- If you actually placed an order and are suspicious about the email you received, log onto your Walmart.com order to check your order status.
- Keep your virus software updated on all your computers.
If you were a victim of fraud via the Internet, you should file a report with your local law enforcement agency along with the Internet Crime Complaint Center (ICCC). The ICCC is a partnership between the FBI and the National White Collar Crime Center. You can make a report with the ICCC.