IT NEWS

Last week on Malwarebytes Labs:

• Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17
• Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories
• JSSLoader: the shellcode edition
• CISA and FBI issue alert about Zeppelin ransomware
• How to secure a Windows PC for your kids
• Ransomwater confusion, does the criminal know who the victim is?
• Update Chrome now! Google issues patch for zero-day spotted in the wild
• Nearly 2,000 Signal users affected by Twilio phishing attack
• $6 million heist targets video game skin trading site
• Urgent update for macOS and iOS! Two actively exploited zero-days fixed
• Bad rhythm: Janet Jackson song resonates poorly with some old hard drives
• How IT teams can prevent phishing attacks with Malwarebytes DNS filtering
• Attackers waited until holidays to hit US government
• Business Services industry targeted across the country for backdoor access
• Spying on the spies. See what JavaScript commands get injected by in-app browsers
• Explained: Steganography
• Tech support scammers target Microsoft users with fake Office 365 USB sticks

Stay safe!

Steganography is the prime example of effectively hiding something in plain sight. The word steganography comes from the Greek words “stegos” meaning “cover” and “grafia” meaning “writing.” Steganography, then, is defined as “covered writing.”

In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion.

In this article we will focus on steganography in digital images.

Methods

Hiding a message inside an image without changing its visible properties too much requires some work, but if the work is automated it can be done quickly and effectively.

Least significant bits

In the RGB color scheme, each pixel’s color is defined by 24 bits. The first 8 bits encode the amount of red in the pixel, the next 8 bits encode the amount of blue, and the next 8 bits encode the amount of green.

This method of steganography uses bits of each pixel in the image and makes hardly noticeable changes to the color by changing the least significant bits of the RGB amounts. The resulting changes that are made to the least significant bits are too small to be recognized by the human eye.

For example if a pixel has the color defined by RGB values (124, 5, 78) and I would change that to (123, 6, 79) in order to hide some message, the difference in colors will be minimal.

 Images courtesy of rgbtohex.net

You can barely see the difference between the color of the two figures, let alone such a difference when it would only be shown in pixels in a broader image.

Masking

The methods that use these techniques are effectively similar to paper watermarks, creating markings in an image. This can be achieved, for example, by modifying the luminance of parts of the image. Luminance determines how bright a particular object will appear in its given size per unit.

Without a color, luminance is the value from which an image’s brightness can be calculated. And without an available comparison to the original, these changes will hardly be noticeable. Masking and filtering techniques are mostly used on 24 bit and grey scale images. Masking images entails changing the luminance of the masked area.

Palette-based technique

Senders embed their message in palette-based images such as GIF or PNG files. The persistence of palette based images is very interesting. There is a color lookup table which holds all the colors that are used in the image. Each pixel is represented as a single byte and the pixel data is an index to the color palette.

There are two approaches to hiding messages in palette-based images:

• Embedding messages into the palette. The capacity does not depend on the image and is limited by the palette size.
• Embedding into the image data. Provides a higher capacity, but it is generally harder to design a secure scheme.

Compression and cropping

There are some possible hurdles that can remove or distort the hidden message between being created and reaching its destination. To escape those pitfalls the choice of the format and the method is important. And you will have to know which hurdles you can expect on the chosen route.

To prevent data loss there are three elements to consider in steganography:

• the message from the sender to the receiver
• the carrier, in our case the image in which the message is hidden
• the key is the information the receiver needs to find the message

The most common worry will be whether any operations that are performed on the carrier on its way from the sender to the receiver have an impact on the message. A much researched topic in this field is resisting JPEG compression. Lossy compression removes redundancies that are too small for the human eye to differentiate which makes the compressed files a close approximate, but not an exact duplicate of the original one. A famous file format that does lossy compression is JPEG.

Due to the development of mobile communication technology, many social media platforms such as Facebook, Twitter, and Instagram transmit enormous amounts of images. JPEG compression is always applied on the images of social media platforms out of consideration for the bandwidth, tariff, traffic, and other restrictions. This kind of lossy operation often destroyed the message hidden by traditional steganography techniques.

Cropping is an operation that can be used to make an image smaller (in pixels) and/or to change the aspect ratio (length to width) of the image. One approach to resist cropping is to copy the steganographic mark several times in different positions of the image.

Since masking techniques embed information in significant areas, the hidden message is more integral to the cover image than it will be when you are hiding the information at the noise level as you would with LSB techniques.

Steganography vs encryption

Why would we hide our secret message in an image rather than encrypt it? After all, an encrypted message cannot reveal its contents if its intercepted, unless the interceptor has the decryption key.

However, sending encrypted messages might imply that there is something we want to hide.

So, what to do if you want to send a secret message to someone without anyone else knowing that there is a secret in the message? Steganography is a possible answer to that problem.

Other hurdles

To find the hidden message the receiver will need some information and to prevent that the message can be found and read by anyone this will need a certain amount of complexity.

In top secret communications you will see a combination of steganography and encryption where a hidden message needs to be decrypted before it reveals anything meaningful. One of the problems is the security of transferring the key used for steganography between sender and receiver.

Again, there has been a lot of research into this matter. It can be as simple as using matching encode and decode routines. But whichever method you chose, it is imperative to have clear and unambiguous agreements in place if you want to rely on steganography for your secret communications.

Example

Let’s hide a message in the image we used as a header for this post. We used the python script which is available on geeksforgeeks.org.

Original:

With a hidden message:

The elegant part of this script is that the receiver does not need a copy of the original image or some cipher to decode with. The receiver just needs to use the same script to decode the message.

As you can see from the example images above, though there is no perceptible difference between the two images, we have, indeed, hidden a message within (Malwarebytes rocks). 

Microsoft is a hot target for scammers and acts of fraud. For example, tech support scam websites cover themselves in Windows branding and messages. Phone scammers claim to be calling directly from Microsoft. If it’s not a Bill Gates themed lottery spam mail in your mailbox, it’s a fake Excel spreadsheet laden with dangerous Macros.

Well, Microsoft is now issuing a warning related to a recent scam riding on the coat-tails of their branding. Criminals are producing very slickly designed physical boxes made to look like Microsoft products. The boxes say “Microsoft Office Professional Plus” on the front, along with “product key inside – no disc” at the bottom.

Opening the box reveals a solitary USB stick and a product key. This is about to go as horribly wrong as you’d expect.

Why mysterious USB sticks are probably not your friend

We’ve warned at length about the dangers of plugging random USB sticks into your device. Whether a stranger has given you it in the street as part of a giveaway, or you found it on the floor, or even received it at an event, there’s an element of risk involved.

You simply do not know what lurks on the stick if someone else has used it first. Of course, some fancy Microsoft branding and a large box will work wonders on the “please trust my fancy Microsoft box” front. Some sort of promotional copy of an otherwise expensive document editing tool? Even better.

What happens if someone is unfortunate enough to plug it in?

What’s in the box?

Sadly, people expecting a freebie Office Professional Plus do not receive what they were expecting. What actually happens is victims see a popup for a fake tech support line. Phoning the number is a short step to handing over remote control to the scammers.

Based on the typical tactics, the scammers will install a form of remote access software onto the target PC. At this point, they can pretty much do what they want. Do you have bank details stored on a notepad on your desktop? They can just open it up and take it. Will they install some dubious software or even malware to get up to who knows what? They might, and the victim would probably be none the wiser.

If they stick to the whole “here’s a product of some sort” angle, they may well just ask the victim to make a payment of some sort over the phone. Whatever the end-game, it’s not going to benefit the person sitting in front of their computer.

It’s pretend virus time

In this particular instance, the fake Microsoft outfit went with the “You have a virus, call us” approach. They did indeed attempt to install remote access software. Once the non-existent problem was “solved”, the victim was passed over to a phony Office 365 subscription team.

Microsoft has pointed out that this isn’t a very common tactic. While it has happened in the past, you shouldn’t start living in fear of novelty oversized Microsoft boxes landing on your doorstep to ruin your day.

Should you receive a novelty oversized Microsoft box, don’t panic. Check out Microsoft’s list of tips for staying safe where Microsoft-centric tech support scams are concerned. Report the box directly to Microsoft’s technical support scam reporting page. If there’s anything suspicious, you’ll have some steps to follow and hopefully a safe and timely resolution to follow. Either way: do not plug the USB stick into your computer and you’ll be fine.

Developer and privacy expert Felix Krause aka KrauseFx announced this week that he had introduced a simple tool to list the JavaScript commands executed by iOS apps when they deployed an in-app web browser to render webpages. He already shared some eye-opening results on his Twitter feed.

By opening Krause’s tool—new website inappbrowser.com—in a designated app, the website checks for one of many hundreds of attack vectors, which is JavaScript injection from the app itself. Disclaimer: a green checkmark is no guarantee that there is no JavaScript injection going on.

The reason

According to his announcement the development of the tool was triggered by his own report on the risks of mobile apps using in-app browsers. Instead of opening links to external websites in the default browser of the device, many apps render these links inside their own app. More importantly, those apps rarely offer an option to use a standard browser as default, instead of the in-app browser. Since it would be a lot easier for a developer to implement the use of an already present browser, there must be a reason they want you to open the links inside the own app.

Well, one of those reasons is that they can inject their own code into the website they just opened, which allows them to collect all the taps on a webpage, keyboard inputs, website title, and more. This is a privacy risk as such data can be used to create a digital fingerprint of a person. App-makers also claim, with some truth, that users do not like to hop from app to app—leaving their current environment only to be brought to another environment, like a separate web browser, when, for instance, shopping online. 

How to use

If you would like to check on some of the apps you are using, here’s how. First, you open an app that you want to analyze. Then you share the URL “https://InAppBrowser.com” somewhere inside the app (you can send it as a DM to a friend). Tap the link inside the app to open it and get a report about the JavaScript commands. Below you can find some results for apps that Krause tested.

Meta

Unsurprisingly, Instagram and Facebook have the ability to track interactions like searches, clicks, screenshots, and “form inputs.” Form inputs are a big deal since they can include things like passwords and credit card numbers. According to Meta’s response to Krause’s report, the injected script helps aggregate events, i.e. online purchase, before those events are used for targeted advertising and measurement for the Facebook platform.

One small bonus point for Facebook and Instagram is that they offer you the option to open third-party links in another browser (use that option!), which is more than we can say for TikTok.

TikTok

This should not come as a surprise, given that the FCC already called TikTok an unacceptable security risk. When you open any link on the TikTok iOS app, it’s opened inside their in-app browser. There is no alternative. While you are interacting with the website, TikTok subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen, like which buttons and links you click. There is no way to know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites. TikTok confirmed that those features exist in the code, but said that it is not using them.

“Like other platforms, we use an in-app browser to provide an optimal user experience, but the Javascript code in question is used only for debugging, troubleshooting and performance monitoring of that experience—like checking how quickly a page loads or whether it crashes,” said spokesperson Maureen Shanahan in a statement offered to Forbes.

Legitimate reasons

There are some legitimate reasons for apps to use an in-app browser, but these should be limited to first party content. In which case the publisher still should offer the user the option to open the content in another browser or an explanation as to why that is not possible. Such reasons do not exist when it concerns third-party content and such content should always be opened in the browser that the user prefers to use.

Incomplete

The inappbrowser tool is unable to show you everything that is going on for a couple of reasons, so a green checkmark is no guarantee.

• With iOS 14.3 (December of 2020), Apple introduced the support of running JavaScript code in the context of a specified frame and content world. JavaScript commands executed using this approach can still fully access the third party website, but can’t be detected by the website itself, like InAppBrowser.com.
• The tool cannot detect other app tracking that may occur, such as custom gesture recognition, screenshot detection, or tracking of web request events.

The article and the tool are focused on iOS, because the developer feels he is not knowledgeable enough to talk about the Android side of things, but you can rest assured that the apps you shouldn’t trust will be the same on either platform.

The presence of so many hacking tools in the detections for the Business Services industry tells a story about these organizations being targeted for not only infection, but to establish backdoors and likely gain access to customers of the organizations through the victim’s network.

Just like everyone else, the Business Services industry dealt with heavy detections of exploit attempts using the CVE-2021-21551 Dell driver vulnerability. The trend line followed by these exploit blocks also follow the trend of our heuristic engine detecting never-before seen malware, likely a result of successful exploit attempts during the same period. At the same time we observed this spike, the insurance company CNA Financial was breached in a ransomware attack.

A subsequent spike of this threat in August 2021 coincides with three major attacks, likely achieved because of the success of CVE-2021-21551.These were the Kaseya Breach which spread REvil to hundreds of networks, the ransomware attack on insurance firm Accenture, which demanded $50 million in payment, and the T-Mobile data breach which exposed the information of 50 million people.

Tools meant to compromise or hack an endpoint were discovered in numerous places throughout the year. This includes PortScanner slowly gaining traction through 2021, then spiking during January and February of 2022. Around this same period, the tire-marker Bridgestone was attacked by the LockBit ransomware gang. Our telemetry reveals these attacks focused on organizations in Georgia and Arizona. 

Next, OpenPort is a hacking tool that had most of its traction in May and August of 2021 against companies in California and New Jersey, matching up with spikes in detections of the Dell driver exploit.

In addition, the RemoteAdmin tool was detected primarily in Tucson, Arizona and saw a spike in November 2021, which never let up through the rest of the period, meaning that there are likely existing infections of this threat that have yet to be caught.

Wrapping up hacking tools, Business Services in Massachusetts fought off multiple attempts to launch malicious PowerShell scripts on their systems. This was observed throughout the entire period but spiked in December of 2021, coinciding with the hack against the business scheduling provider FlexBooker.

Folks in California and Ohio have been dealing with increasing detections of the notorious Emotet trojan. A massive increase was observed in October 2021 and has continued until the end of the period.

Recommendations to the Business Services industry

Our recommendation is to ensure security staff can push updates and force regular scans on all endpoints, ideally remotely. Regular scanning goes beyond just checking for malware though. We recommend utilizing a traffic monitoring tool to identify any malicious or suspicious traffic coming both in and out of the network. Also, take the time to do regular audits of open ports on all endpoints, looking for possible backdoors.

Considering the desire to utilize these tools from inside of the network, ensure that individual user rights don’t extend to the point of being able to scan the entire network, open ports, or establish remote connections without the permission of IT. This effort will reduce the success these actors have and make their lives a lot harder.

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

Kernel privileges

CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.

Apple points out that they are aware of a report that this issue may have been actively exploited.

WebKit

CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. Since the vulnerability exists in Apple’s HTML rendering software (WebKit). WebKit powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple points out that they are aware of a report that this issue may have been actively exploited.

More details

Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32892 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges

Mitigation

Users are under advice to implement the updates as soon as possible, by upgrading to:

• iOS 15.6.1
• iPadOS 15.6.
• macOS Monterey 12.5.1

Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.

Stay safe, everyone!

Janet Jackson’s Rhythm Nation music video would have caused quite the commotion back in the old Windows XP days. If you’re still running a certain model of an OEM hard drive from the Windows XP days, you may still be liable to experience the same thing today. However, said commotion was not solely down to the choreography or phenomenal beats.

Rythym Nation by Janet Jackson came with a peculiar quirk. That quirk involved crashing the hopes and dreams of the person watching it, along with their hard drive.

Microsoft writer Raymond Chen reveals the somewhat bizarre tale of Janet’s computer stomping abilities in a recent blog post.

What was happening here?

Back in the olden times, it turns out that specific flavours of hardware running Windows XP did not like Janet busting a move. Some different models of laptop, from competitors of the first brand, would also crash. Even more spectacularly: simply playing the song on one device could make a second device nearby crash.

Old style mechanical hard drives are slowly being replaced by SSD drives. You may find them being used by gamers for cheap and easy excess game storage, but the mechanical hard drive’s time in the sun is over.

Mechanical drives have a whole lot of vibration going on inside, and this is where the drives become vulnerable to very peculiar forms of frequency based risk. Indeed, using the resonant frequency of the drive itself to make it stop working properly is not a new concept. Low frequency noise was used in tests during 2018 to break CCTV and prevent a laptop’s operating system from working.

Dancefloor devastation for your hard drive

Janet, ever the innovator, was clearly one step ahead of security researchers. By chance, it turns out that Rhythm Nation matched a resonant frequency for the hard drive used in these particular types of laptop.If you run into a mechanical drive in a device these days, there’s a good chance it’ll be a 7,200 RPM drive (RPM is the number of revolutions the drive’s platter makes per minute). The drives struck here, smooth criminal style,were specific models clocking in at 5,400RPM.

Custom filters were added by manufacturers in the audio pipeline. These filters swung into action at the first sign of a Rhythm Nation intro and removed the frequencies as the audio played.

A CVE: better late than never

This rhythm-based tale of woe seemingly has no end. The Register noticed an entry on the list of Common Vulnerabilities and Exposures (CVEs), listed as CVE-2022-38392. From the description, surely Janet’s finest hour:

A certain 5400 RPM OEM hard drive, as shipped with laptop PCs in approximately 2005, allows physically proximate attackers to cause a denial of service (device malfunction and system crash) via a resonant-frequency attack with the audio signal from the Rhythm Nation music video.

From further down the page, a rather relevant warning:

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

As I close the lid on my 2005 Windows XP laptop for the last time, never a truer word was spoken. 

Phishing attacks are a persistent threat to businesses globally. 

According to Verizon, 82 percent of data breaches in 2021 involved the human element—with phishing attacks making up over 60 precent of these. And if it ain’t broke, don’t fix it: threat actors have only continued to use phishing to attack businesses in 2022, with the Anti-Phishing Working Group (APWG) recording a 15 percent increase in phishing attacks in Q1 2022 compared to Q4 2021.

With Malwarebytes DNS filtering, however, you can prevent a large swath of phishing attacks. Our DNS filtering module extends our Nebula platform to help prevent risks introduced from nefarious websites and downloadable web content.

In this post, we’ll walk through what it looks like to block phishing attacks with Malwarebytes DNS filtering.

How to block phishing domains with DNS filtering 

Let’s say one of your employees gets an email like the one below. 

Photo credits: Phishing.org

Without some kind of phishing protection in place, after clicking on a link in the email there’s a chance the employee might give up some sensitive information or be tricked into downloading a malicious program.

Obviously, we want to prevent that. 

Let’s press pause here and go back in time to set up our DNS filter in Nebula. 

Above, you’ll see the dashboard for the DNS Filtering module in Nebula.

Let’s navigate to the “Rules” section and hit “New”.

Here, we’re prompted to name the rule and also select a policy to which the rule should be applied. 

I’m naming mine “Phishing block” and applying it to four of my endpoints.

Heading over to the “Categories” page, we see that “Use preconfigured settings” is enabled by default. This automatically blocks each subcategory in the “Security” category.

For demonstration purposes, we’ll leave this untoggled. Just know that each of these security subcategories are available (and recommended to use)!

Let’s scroll down to the “Phishing” option and toggle it.

I

Under allow lists you can add domains to exclude from this DNS rule. We’ll leave it blank: we don’t want to allow any phishing sites!

You can also add domains to block certain domains. We’ll also leave this blank!

Let’s flash forward in time to our employee who received the phishing email. Unfortunately, they clicked a URL in it—but no need to worry. 

Our DNS filtering kicked in and blocked the site, the outcome of which you can see below.

This is the default page, but can even customize it to your liking by going to the “Global Settings” tab. 

How does it work?

It works because Malwarebytes DNS filtering is powered by Cloudflare, which has a massive database of known phishing sites to which we can instantly block access using the intuitive Nebula UI.

But what happens if a phishing website somehow gets through and a malicious program (ransomware, for example) is installed on an endpoint? 

The answer is part of what makes our DNS filtering solution so holistic: because it is an add-on to our Endpoint Detection and Response product, a threat that gets through can be detected and mitigated using our EDR’s isolation and remediation capabilities. 

In other words, DNS filtering helps you filter the easily-blocked known threats, giving time back to your organization to focus on remediating the threats that do get through with our EDR.

Block threats from infiltrating browsers and web-based apps

Malwarebytes DNS Filtering module for Nebula helps block access to malicious websites and limit threats introduced by suspicious content. 

While we focused on preventing phishing threats in this post, the story doesn’t end there. You can also block access to spyware, DNS tunneling, crypto mining sites, and many other websites and domains that pose a security risk. 

Interested in learning more? Read the Malwarebytes DNS filtering datasheet. 

Further reading

What is DNS filtering?

3 ways DNS filtering can save SMBs from cyberattacks

DNS security for your small business

Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

The government industry in the United States dealt with heavy hitting breaches against local, federal, and state government networks, primarily during the first quarter of 2021.

Our telemetry revealed a small spike in a generic backdoor detection, known as Backdoor.Agent, during March of 2021, mainly focused in Memphis, Tennessee. This data coincides with the attack on the Azusa Police Department in California; however, it reveals even more about the attacks observed the following month.  

During April of 2021, at least three notable attacks against government services made the news, this included the New York Metropolitan Transport Authority (MTA), the Illinois Attorney General’s office, and the Washington DC Police Department. During this same month, we also observed the beginning of a surge of exploits and AI detected threats that dominate the rest of 2021.

Our top spike for the period follows the detection of the exploit CVE-2021-21551 (Dell System Driver) and all the nasty threats it brought with it. Despite this, we were unable to correlate any newsworthy breach to this month. So, we can assume that the increase in detections was an onslaught of attempts to breach networks, shortly after the release of the Dell driver exploit. We can also make assumptions about this effort leading to numerous breaches and installations of backdoor malware, waiting dormant until later in 2021 and 2022 before launching a full attack.

Those most hammered by these exploit attempts were government organizations in Michigan and New Jersey.

The detection of this exploit slows as the year goes on, dwindling to almost nothing by May of 2022. This matches up with our detections of unidentified, AI detected malware. Despite that, a series of unspecific exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data.

In addition to the push of exploits, the notorious TrickBot trojan has been lurking in the detections of this industry, staying mostly steady with only a 1.2 percent share of threats during the analyzed time period. Despite this, the small spikes of this threat in March, June, and November of 2021 seem to mostly align with major reported breaches.

Based on our data, there is a case to be made about government industry targeting, mainly taking place during the beginning and end of the year, a time notoriously known for vacation, reorganization, and reduced security staff.

Our best recommendation for this industry, beyond ensuring that proper patching and threat detection software are deployed on every endpoint, is to consider to major factors when planning for a cyber-attack. First is timing, the second is reducing operational disruption. 

Timing can be addressed by understanding not only when the attackers are coming after an organization, but also when an organization might be most vulnerable. For example, if you know that your staff will be reduce to only 25 percent during November, December, and January, for the holidays, you might not need to keep as many security staff on hand since there are fewer users.  This is a perfect opportunity for an attack that may have breached the network months prior, to finally achieve its purpose and attack the network while it’s less guarded.

So, by knowing the trends of government organization attacks, we recommend not reducing security staff during the holidays, if anything, you need to have more eyes on the network, looking for anything that might stand out as odd when the network is meant to be relatively quiet. This might be achieved by bringing in additional security staff for the season, allowing for security staff to take vacations around the usual holidays, if possible, and in some cases, making it possible for security and IT admin to remotely investigate threats through a cloud-based remote console.

The second recommendation is reducing operational disruption. When a restaurant gets hit by ransomware, it takes down the restaurant’s operations for a time, but the damage typically doesn’t go far beyond the restaurant’s walls. When a state or local government network is breached and hit by ransomware, because of the interconnected nature of government and public services, such an attack can disrupt entire cities and states, quickly creating chaos. It’s imperative to ensure that in the case of any type of cyberattack, there is some way to continue operations, be it at a backup site, using pen and paper, or having employees work remotely. The more pressure an organization is under to get things back to normal, the more leverage the attackers have against that organization.

Following these tips will not only reduce the damage done by these attacks, but likely increase the confidence that civilians have in the security of their government organizations.

With the return to school fast approaching, it’s time to ready the things your kids will need to pass the next year with flying colors. Increasingly, that means computing devices, which means you’ll need to spend time thinking about the safety and security of what they will be using.

In our “Back to School” series we will talk about several types of devices you may encounter. This one is about Windows devices.

The basics

You know that when your kids are hard at work, they can’t be bothered with all the warnings, notifications, EULA’s and what not. They are relentless in their pursuit of high grades, and maybe some less admirable goals. To achieve these goals they will click “OK” on anything that stands in their way. So, what you need to set up for them is something that gives them enough room to be a bit reckless.

Not that it’s wrong to give them a certain amount of responsibility or at least inform them about what you did to keep them secure. If they know and understand the goal, most of them will be more than happy to keep their system operational.

With that in mind, here are some security basics that you should attend to just as you would on any Windows computer:

• Apply security updates promptly. All the software on the computer needs to be maintained by installing the latest security updates when they become available. Fortunately, Windows 10 will update itself automatically, as will popular modern web browsers like Edge, Chrome, and Firefox. We suggest that you turn on automatic updates for the Microsoft Store, which will take care of any software you download from there. Whatever software those steps don’t cover will need to be checked occasionally to see if there are newer versions available.
• Use security software. Modern versions of Windows have lots of helpful security features, but Windows is still the most popular target for malware, so we strongly recommend that you install a third-party security solution like Malwarebytes Premium.
• Start backing up. The only backup people ever regret is the one they didn’t make, so read Microsoft’s short guide to Backup and Restore in Windows, and get yours working on day one. Backups are your last line of defense against system-altering malware, like ransomware or wipers, as well as bad software updates, and hardware failure or theft. They will also protect your child’s work against the inevitable accident of your kid deleting their most important assignment the night before it’s due.
• Install a password manager. A password manager is software for creating and remembering strong passwords. Good ones also provide a safe way for users to share passwords with other people. Install one on your Windows computer and get your child using it as soon as possible. Proper password handling is something lots of adults struggle with, so get your kids doing the right thing from day one.
• Give your child a local user account. Even if your child is the only person using the computer, create a separate local user account for them with limited permissions. Use a different account with administrator privileges to make changes to the computer, like installing software. Don’t share the administrator account with your child and never use it for work, web browsing or email. Malware will typically use the same permissions as the account that runs it. If your child accidentally runs malware as a local user, it will be not be able to alter the machine.

Other considerations

If the device isn’t your property

If the Windows device is provided by the school or another organization, your options for implementing your own security ideas may be very limited, but that’s OK, it just means somebody is doing it for you. It’s usual for IT staff from the school to setup and manage this kind of computer and to give your child access to a standard local user account. That should be enough access for your child to do what they need to without getting into too much trouble.

Parental controls

Children search Google for the weirdest things and topics. Whether they searched for something on purpose or just because they didn’t know what it meant, search results for some phrases are best not seen by young children.

The parental controls included with Windows allow you to enforce restrictions on screen time; block apps, websites, and games; and provide reports on what your child has been doing with their device.

Parental controls can be useful to limit the risks your children run into online, but you should know up front that they cannot eliminate every risk out there. Read our article about parental controls to learn what they can and can’t do for you.

Social media, messaging, and games

Children are inclined to share their entire lives with their friends, and keen to get their hands on the phones, computers, and accounts that will let them do it online. Unfortunately, social media, messaging apps, and gaming come with risks: It is easy for predators to hide behind a picture of a child and a believable persona, there is no break at the end of the school day from the bullying and harassment that happens online, and gaming communities can be rough and unforgiving.

Like many other aspects of the adult world, children deserve to be introduced to these things in a careful, supervised manner, and many parents opt for some kind of digital oversight or restrictions. (It is worth noting too, that most social media apps have a minimum age requirement of 13, although as a recent Omegle investigation showed, you cannot assume a platform will enforce its age restrictions or that its moderators will keep your children safe).

Alongside whatever tools or techniques you use to keep children safe online, we recommend teaching them responsible digital citizenship from an early age, to help understand the dangers, and to recognize cyberbullying and harmful content. Establishing guidelines and teaching them responsible online communication and etiquette will help them to communicate respectfully, with responsibility and confidence.

Wi-Fi

By default, Windows 10 will connect automatically to Wi-Fi networks you have used at least once. With a device moving back and forth between home and school, this creates an opportunity for an attacker (perhaps another student) to set up a network with the same name. These so-called “evil twin” Wi-Fi network attacks simulate known networks and can be used to perform a machine-in-the-middle attack (MitM).

The only way to easily protect against these attacks is by disabling the auto-connect feature. You can do this by removing the check mark when you connect to the network or in the properties of the connection by turning the “Connect automatically” option off. After doing this you can manually check the available Wi-Fi networks on location and look if there are two identical SSIDs (network names). The evil twin will not have a lock symbol near the strength indicator.

Low maintenance

In the past we have posted suggestions about how to set up a computer that requires a minimum of attention afterwards, which we called minimum effort for maximum protection. While this may seem like an attractive solution for your children, it’s important to realize that it does require some degree of security awareness of the computer user.

While this may not be suitable for all ages, it is an approach you might want to take with older children if you are trying to involve them in the process of understanding and securing their own device.

The other side

Depending on their age and computer skills, you will want to talk your kids through what you did and why. A class full of determined teenagers will break through your defenses in no time at all. If they understand what you are trying to protect them from they may use those same skills to steer clear of those dangers.