3 Ways Hackers Steal Your Company's Mobile Data

It's the unfortunate reality of the cybersecurity threat landscape today that malicious actors are advancing their tactics at a breakneck pace, finding new vulnerabilities in network defenses to execute attacks faster than IT teams can keep up.

This is especially true in the context of the modern distributed organization, where employees leverage an array of mobile devices — and access private networks from almost any location outside of headquarters — to conduct their work. This is a boon for business in that workers can enjoy flexible hours and not be tied to their desks to complete tasks, which can boost employee satisfaction and performance. But it also puts an increased burden on IT teams and network administrators, as they now are tasked with managing a practically borderless network with higher traffic volumes than ever before.

In fact, according to a recent survey of IT teams at major US organizations conducted by Researchscape for iboss, 80% of IT executives weren't confident in their ability to secure mobile traffic in the future, while only 56% of their superiors in the C-suite accepted the same reality.

This is compounded by the increased adoption of cloud services such as Office 365, Dropbox, and other off-premises storage providers, making it harder than ever for corporations to monitor the data leaving their network. Criminals are increasingly able to hide within encrypted traffic, exit the network, and slowly siphon out sensitive data without IT administrators immediately noticing.

While understanding the flaws in network defenses is valuable in planning for the future, it's also critical to know when and how sensitive data leaves the network, especially in expanding, high-stakes mobile breach scenarios. Here are three ways that cybercriminals can gain access to corporate systems through mobile devices and exfiltrate data.

Tor: Free Data Encryption

First developed in 2002 as "The Onion Router," the Tor project directs traffic through a free volunteer overlay network that employs more than 7,000 relays to conceal information about users from network monitoring teams. Tor can be implemented in the application layer of a communication protocol stack that's nested like an onion — hence the original name — encrypting data, including the next destination IP address, repeatedly, before it goes through a virtual circuit comprising successive, randomly selected Tor relays.

Because the routing of communication is partially hidden at every port in the Tor circuit, traffic source and destination are hidden from the view of network administrators at every stop. This makes it increasingly difficult for IT and security professionals to determine whether traffic is legitimately exiting the network or if the activity indicates data exfiltration.

Hiding Within Legitimate Traffic

Sensitive data may also be hidden within files or documents that wouldn't normally be tagged as malicious content by traditional network security monitors. A hacker who may already have crossed the perimeter might hide sensitive data within Word documents or .zip files, for instance, that feature familiar naming protocols and size characteristics.

If security protocols at the gateway aren't taking a detailed approach to vetting content as it exits the network — that is, taking a layered approach to evaluating entire files that goes beyond adhering to proxy settings or standard decryption — hackers can funnel data out of the network for weeks, months, or years before administrators even notice.
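One way an egress check can evaluate an entire file rather than trusting its name, shown as an added example that is not from the original article: a .docx is a ZIP container, so bytes that sit outside the archive's own structures (before the first entry, in the archive comment, or after the end record) deserve a second look. The function names, the sample document and the payload are constructed for illustration, and ZIP64 archives are assumed out of scope.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory (EOCD) signature
EOCD_LEN = 22             # fixed part of the EOCD record, before the comment

# Constructed stand-in for data an intruder might smuggle out.
PAYLOAD = b"constructed,customer,rows\n" * 4


def unaccounted_bytes(data: bytes) -> dict:
    """Count bytes in a ZIP container that no archive entry accounts for."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_LEN > len(data):
        raise ValueError("no ZIP end-of-central-directory record found")
    # Fields: signature, two disk numbers, two entry counts,
    # central directory size, central directory offset, comment length.
    _, _, _, _, entries, cd_size, cd_offset, comment_len = struct.unpack(
        "<4sHHHHIIH", data[pos:pos + EOCD_LEN])
    return {
        "entries": entries,
        # The central directory should end exactly where the EOCD starts;
        # any difference means bytes were placed in front of the archive.
        "prepended": pos - (cd_offset + cd_size),
        "comment": comment_len,
        "trailing": len(data) - (pos + EOCD_LEN + comment_len),
    }


def egress_findings(name: str, data: bytes) -> list:
    """Return human-readable findings for one outbound file."""
    report = unaccounted_bytes(data)
    return [
        f"{name}: {report[key]} {key} bytes outside archive entries"
        for key in ("prepended", "comment", "trailing")
        if report[key] != 0
    ]


def build_docx_like(comment: bytes = b"") -> bytes:
    """Constructed sample: a one-entry archive shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>Q3 report</w:document>")
        zf.comment = comment
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_docx_like()
    samples = {
        "clean.docx": clean,
        "appended.docx": clean + PAYLOAD,
        "prepended.docx": PAYLOAD + clean,
        "comment.docx": build_docx_like(comment=PAYLOAD),
    }
    for name, blob in samples.items():
        print(name, egress_findings(name, blob) or "no findings")
```

A non-empty archive comment can be legitimate, so findings from this check are a reason to inspect the file, not proof of exfiltration.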

Leveraging Cloud Storage Applications

The problem with many cloud applications is that they usually require users to send content into a data center shared by multiple customers, where many users and corporations leverage the same storage capacity and bandwidth. Cloud providers are also a third-party service, which means that data is potentially at risk of being mishandled by the provider if they aren't a proven, trusted partner, or if their security protocols aren't up to snuff.

File encryption and strong passwords can go a long way toward protecting corporate data housed in the cloud. But the most effective way to prevent data exfiltration is a defense-in-depth strategy that is as vigorous in vetting traffic entering the network as it is in vetting traffic leaving it, by looking at data packets individually to determine the true intent of the content. For example, this could include sandboxing features that allow documents to play out in a simulated network environment that tests for malicious inclinations once the document crosses the network perimeter. Putting data about to leave the network through the same proxies and firewalls as incoming traffic is another possible solution.

This approach is especially critical for mobile devices accessing network data via remote channels and public Wi-Fi. With the increasing mobility of employees who frequently and easily access cloud services from coffee shops and airports, companies need to make sure that all their active user and device directories remain up-to-date, and that the network is constantly monitored to ensure all users are following best practices. This requires taking regular inventory of the devices and users accessing the network — quarterly, monthly, or even weekly — to ensure that unverified traffic is easy to spot on a rolling basis. The more rigorous that security teams are in making sure their reference points are up-to-date, the more effective their use of leading cybersecurity tools will be in preventing data exfiltration.

Smartphone Privacy and Security

The increasing use of smartphones for daily activities, such as emailing, banking, web browsing, shopping, bill tracking, social networking, file storage, and entertainment gives your mobile device the ability to know everything about you.  Not only do you know your smartphone, but your smartphone knows you.  Your smartphone’s knowledge, if not protected, is a potential risk to your security and privacy.  The ultimate question to ask: Is my privacy and security at risk?

Mobile malware is a rising threat to privacy and security.  What is mobile malware?

Mobile malware is a program specially created to infect your mobile phone or device.  Once installed on your device, it may disrupt the phone’s system, in order to gather information stored in the device.  It may also gain access to the device’s operating system, and take over the phone.

Mobile malware may present itself through fake mobile applications, web-browsing, and SMS/Text messages.

  • App-based malware attacks can target a user’s financial information.  This might include bank account numbers, passwords, and PINs.  The access of such information may result in the loss of money and/or account take-over.
  • Web-based Smartphone attacks can be a result of clicking on an unsafe link.  This may potentially give rise to “Phishing” scams or downloading infected files.
  • SMS/Text message-based attacks can be used to spread malware through unsolicited SMS/texts that request the user to reply or click on a link.  Unbeknownst to the user, malware may be installed on the device, leading to unauthorized access to the device’s information.

Securing your Smartphone device:

  • Passcode:  A passcode is a simple step you can take to protect your smartphone.  If it is stolen, with all of your personal information, this simple step may be the key to protecting your information from unauthorized users.
  • Antivirus software:  Use mobile security antivirus software.   There are Smartphone apps designed to monitor and protect your device against malware and spyware.
  • Software updates:  Updating your smartphone’s operating software is another step towards securing your device. Software updates are designed to fix problems in the device’s operating program, which may include fixing security vulnerabilities or other bugs that may diminish your smartphone’s performance. Therefore, stay up-to-date on any software updates and make sure to install the latest version.

Important Note:  Do not allow your device to remember passwords. If your device is lost or stolen, the information is now compromised.

Android or iPhone: Which one do you have?

  • Regardless of whether you use an Android or an iPhone, your privacy and security may be at risk.  Understanding the operating system of your smartphone will require work on your part.  This knowledge will help you understand the capabilities of your device and help you understand potential threats to privacy and security.
  • Both platforms have their own App Stores and both employ different security measures to monitor and vet the apps that are allowed to be on the Android Market or the Apple App Store:
  • Android’s Google Market runs an open market. As the smartphone industry grows, it attracts more malware developers to organize attacks and put smartphone privacy and security at risk. The Android Market has been criticized by the industry several times for not vetting its mobile applications before they are added to the Android Market. What does this mean for you Android phone users? You will need to exercise caution when downloading apps to your device.
  • If you are an iPhone user, Apple reviews applications before they are added to the App Store. According to Computerworld, “When Apple reviews an app, it tries to verify several things, including these: Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?” However, despite tighter security measures, it does not exempt the iPhone user from privacy and security threats.

Application Permissions/Access:

Ever wonder if the apps that you download put you at risk?  If not, you probably should. Many apps are designed to capture a wide range of information. Did you know that apps can:

  • Read phone state and identity?
  • Track your location?
  • Read owner data?
  • Read contact data?
  • Record audio – your calls?
  • Take pictures?
  • Modify or delete SD card content?
  • Edit SMS/text or MMS messages?
  • Write sync settings?
  • Send SMS messages?
  • Write contact data?
  • Fully access the internet?

The best security practices when downloading apps are exercising caution and reviewing the app’s ratings, regardless of whether the app is free or paid.

You should carefully examine and pay attention to the permissions the app is requesting to access:

  • Android Market apps require the user to either grant or deny access – if you deny access you will not be able to download and install the app.
  • iPhone apps will not disclose what the application has permission to access. When downloading an app whether free or paid, Apple requires the recognition of consent by having the user sign in using their Apple account.  The primary reason behind Apple’s non-disclosure of the information, according to Computerworld, is because “Apple tries to prevent developers from having full-scale access to all of the data and hardware” on a device running on Apple’s operating system. However, apps still have access to certain system components.

Because apps have access to a lot of your personal information and data on your Smartphone, familiarize yourself with what the app really needs in order to run.  If you feel it requires more than it really should, reconsider installing it.

Only download applications you trust.  Android users are allowed to download apps from third parties, whereas iPhone users are only allowed to download apps from the Apple Store, unless, of course, the iPhone has been “jail-broken.”  Jail-broken iPhones can download applications from the “Cydia App Store” (apps that have not been approved by Apple).

Location (GPS) and WiFi:

  • Many applications request permission to access location.  Consider turning off the location services (GPS) on your phone to protect your location privacy, unless it is necessary to perform a desired function.  Keep in mind that you have the ability to enable and disable the location services on your phone.
  • Have you ever taken photographs with your smartphone and posted them online?  What’s the worst that can happen? As careful as you may be, if your GPS is enabled, your personal information may be exposed through a process called “geotagging.”
    • According to PCmag.com, “Geotagging adds the current geographic location of the camera or smartphone to an image or message, or adds the static geographic location of a street address.”
    • This information most often includes latitude and longitude coordinates which are derived from a global positioning system (GPS).
    • While it sounds complicated, it really isn’t.  It simply means the marking of a video, photo, or other media with an embedded location of where it was taken.
    • Smartphones featuring GPS have made this “tagging” possible.
    • “Geotagging” has been considered an infringement on public privacy and problems can arise if the information is given out unknowingly and/or pulled by the wrong people. So, the photograph you took in front of your computer, at your doorstep, etc. has been recorded and may have possibly given your location.
  • To protect yourself, you can:
    • Turn the geotagging feature off.
    • Download disabling software (it will search for geotagging information and delete it before sending).
    • Be aware and educate yourself.  Understand the information you are sharing.
    • Consider what you post on the Internet.  You never know who has access to it.
  • Protect your privacy and security by exercising caution while doing financial transactions or checking banking information while connected to public wireless networks (WiFi). Credit card and personal information transmitted through public WiFi may be up for grabs by identity thieves.
  • If you are a Smartphone user, it is highly recommended to use your Provider’s 3G or 4G Network to conduct any financial business.  After all, you are paying for the service.
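What "search for geotagging information and delete it before sending" involves for a JPEG photo, as an added example that is not part of the original article: the location lives in the Exif metadata segment, reached through a GPS pointer (tag 0x8825) in the first image directory. The function names and the sample image bytes are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _has_gps_pointer(tiff: bytes) -> bool:
    """True if IFD0 of this TIFF block holds a GPS directory pointer."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return False
    try:
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes
            (tag,) = struct.unpack(order + "H", tiff[entry:entry + 2])
            if tag == GPS_IFD_TAG:
                return True
    except struct.error:  # truncated or malformed metadata
        return False
    return False


def geotagged_segments(jpeg: bytes) -> list:
    """Return (start, end) byte ranges of Exif segments that carry GPS data."""
    found = []
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == 0xE1 and payload[:6] == b"Exif\x00\x00":
            if _has_gps_pointer(payload[6:]):
                found.append((start, end))
    return found


def strip_geotag(jpeg: bytes) -> bytes:
    """Drop every geotagged Exif segment; other Exif fields in it go too."""
    out, keep_from = bytearray(), 0
    for start, end in geotagged_segments(jpeg):
        out += jpeg[keep_from:start]
        keep_from = end
    return bytes(out) + jpeg[keep_from:]


def build_sample(with_gps: bool) -> bytes:
    """Constructed minimal JPEG header: SOI, optional Exif APP1, COM, EOI."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    gps = struct.pack("<HHHI4sI", 1, 0x0001, 2, 2, b"N\x00\x00\x00", 0)
    exif = b"Exif\x00\x00" + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    com = b"\xff\xfe" + struct.pack(">H", 2 + 6) + b"sample"
    return b"\xff\xd8" + (app1 if with_gps else b"") + com + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample(with_gps=True)
    print("geotagged before:", bool(geotagged_segments(photo)))
    print("geotagged after: ", bool(geotagged_segments(strip_geotag(photo))))
```

Location can also be stored in XMP metadata, which this sketch does not inspect.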

Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems

Oracle has released a security patch update to address a critical remotely exploitable vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.

The fix has been released as part of Oracle's January 2018 update that patches a total of 238 security vulnerabilities in its various products.

According to a public disclosure by ERPScan, the security firm which discovered and reported this issue to the company, Oracle's MICROS EGateway Application Service, deployed by over 300,000 small retailers and businesses worldwide, is vulnerable to a directory traversal attack.

If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and receive information about various services from vulnerable MICROS workstations without any authentication.

Using the directory traversal flaw, an unauthorized insider with access to the vulnerable application could read sensitive files from the MICROS workstation, including service logs and configuration files.

As explained by the researchers, two such sensitive files stored within the application storage—SimphonyInstall.xml or Dbconfix.xml—contain usernames and encrypted passwords for connecting to the database.
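The class of flaw described here, shown as an added example with the flawed pattern beside a hardened one (this is not Oracle's code or ERPScan's proof of concept): a file-serving routine has to canonicalize the requested name and confirm the result is still inside the directory it is meant to serve. The directory layout, the file names and the function names are constructed, and the example assumes a POSIX system where symbolic links can be created.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed request names covering common ways of escaping the root.
REQUESTS = [
    "menu.txt",
    "../db-config.xml",
    "..%2fdb-config.xml",
    "%252e%252e%252fdb-config.xml",
    "..\\db-config.xml",
    "link/db-config.xml",
    "/etc/passwd",
]


def naive_path(root: str, requested: str) -> str:
    """Flawed pattern: join the client-supplied name onto the root as-is."""
    return os.path.join(root, requested)


def safe_path(root: str, requested: str) -> str:
    """Resolve `requested` under `root`, or raise PermissionError."""
    name = requested
    for _ in range(3):  # undo nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise PermissionError("too many encoding layers")
    name = name.replace("\\", "/")  # treat Windows separators as separators
    if "\x00" in name:
        raise PermissionError("NUL byte in path")
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the check below.
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError("path escapes the served directory")
    return candidate


def demo() -> dict:
    """Build a constructed directory tree and record each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "public")
        os.mkdir(root)
        with open(os.path.join(root, "menu.txt"), "w") as fh:
            fh.write("menu")
        with open(os.path.join(base, "db-config.xml"), "w") as fh:
            fh.write("<db user='constructed'/>")
        os.symlink(base, os.path.join(root, "link"))
        # The naive join lets ".." walk out of the served directory.
        with open(naive_path(root, "../db-config.xml")) as fh:
            results["naive"] = fh.read()
        for request in REQUESTS:
            try:
                safe_path(root, request)
                results[request] = "allowed"
            except PermissionError:
                results[request] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```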

"So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise," the researchers warned.

"If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store."

ERPScan has also released a proof-of-concept Python-based exploit, which, if executed on a vulnerable MICROS server, would send a malicious request to get the content of sensitive files in response.

Besides this, Oracle's January 2018 patch update also provides fixes for Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.

How to Keep Your Company Data Safe From Hackers

It was recently revealed that more than 43 percent of cyberattacks are targeted at small businesses – up from just 18 percent in 2011. This is likely to be because compared to their larger counterparts, startups and small companies lack the internal expertise and budgets to invest heavily in expensive cyber defenses. But cybersecurity has gone from being a luxury to something that no organization can afford to do without. Figures released by the Ponemon Institute revealed that the average cost of a data breach in the U.S. is more than $7 million. And the EU is bringing in new legislation that states that any company that holds the data of EU citizens must commit to far more stringent data protection regulations or face fines of up to €4 million.

Clearly, then, from a financial perspective alone it has never been more important for businesses to invest in cybersecurity and defences for their digital systems. Here we take a look at some of the ways that small businesses can keep their crucial company data safe from cybercriminals and hackers.

Educate Your Staff and Colleagues

It is important to understand that the most crucial line of defence against hackers is not a firewall or an external cybersecurity team but your own staff. Unfortunately, it is the case that some of the most effective forms of cybercrime are facilitated by accidental or careless actions by employees. For example, one of the most common hacking techniques is a phishing email which purports to be a genuine email to get an employee to reveal login credentials for your computer system.

This means it is vital for you to provide training to staff and colleagues on common hacking and cybercrime techniques and how they can avoid being caught out.

Encrypt

Stolen customer data can be a nightmare for a business, not to mention for the individuals whose data has been taken. And while it may not always be possible to stop sophisticated hackers from getting into your system, it is possible to stop them from getting access to key data by encrypting it properly. Encryption is useful for everything from protecting information that has been stored on the cloud to keeping internal emails private and confidential.

Don’t Forget HR Data

Many companies put a great deal of work into protecting sensitive customer information with a secure computer network and a custom-made database but then forget that they also store a great deal of internal and HR-related data. Keeping your staff data in a system that is not secure makes it an easy target for hackers.

To ensure that you are completely protected, it is very important to use high quality, security-conscious HR databases and staff rota software.

Upgrade to Secure Sockets Layer (SSL)

If you have not yet made the decision to upgrade your website to SSL, it is really worth doing. SSL is a process that ensures that the channel between websites and computers is always secure. You may have noticed more websites with the HTTPS in the URL bar rather than the traditional HTTP – these are the sites that have upgraded to SSL. Now is the time you do so, too. It will ensure that anyone visiting your site is more secure. Some businesses assume that HTTPS is only necessary when someone is purchasing something, but it is now considered to be a best practice.

Stay Up to Date

It’s still true that it’s far more likely for hackers to compromise a system if it is not regularly updated. Failing to update your software can leave the whole of your business highly vulnerable, so ensure that your website and any computer systems that you use in the course of your work are kept entirely up to date.

Work With Specialists

Finally, it is worth pointing out that companies often suffer at the hands of cybercriminals simply because they lack the expertise to set up useful safeguards. For smaller companies who may not have the luxury of a large IT department, it is helpful to work with external cybersecurity professionals to benefit from their experience and knowledge.

Online Identity Theft: What It Is and How It Happens

Gone are the days when my biggest concern related to financial crime was having my wallet stolen. Now? We also face technology-based crimes, including online identity theft. In our cyber-focused 21st century, cool digital products and the Internet open a world of easy access to information, entertainment, and other services. But this cyber gateway also presents the possibility of our personal information falling into the wrong hands—and of our becoming victims of online identity theft. Even a child's seemingly innocent interactive doll can give our personal information to third parties.

In this article, we’ll share what online identity theft is and how it happens, so you can help protect yourself in our increasingly connected environment.

What Is online identity theft?

Identity theft affects millions of Americans every year and occurs when a fraudster steals your identity—by gaining access to your personally identifiable information (PII)—to commit fraud. While ID theft can happen a number of ways, online ID theft occurs when someone steals your digital PII using scams like planting malicious software on your computer—as opposed to the old, simple technique of, say, stealing your purse.

Your digital PII can include your driver’s license and bank account numbers, as well as any sensitive personal information that can be used to distinguish your identity—and could allow fraudsters to present themselves as you. If a thief gains access to unique personal information like your Social Security number, they can fill out employment forms and even file for a tax refund—all in your name.

How online ID theft happens and what you can do

As we share our personal information online via social media and other digital formats, we may be putting that info at risk of falling into the wrong hands.

Fraudsters use high-tech and other ways to steal digital PII. Knowing what these tactics are may help you protect yourself:

  • Phishing occurs when cybercriminals send emails purporting to be from a financial institution or other trusted organization, trying to trick you into opening attachments or clicking on links and providing your PII. Ignore unsolicited emails and online requests for information. If you want to visit, say, your bank’s website to provide information, type in the URL rather than clicking on an emailed link.
  • Pharming occurs when your browser, compromised by a virus, is hijacked without your knowledge. You type a legitimate website URL into the address bar, but you’re redirected to a fake site that looks legitimate. There, cybercriminals are able to collect any PII you may type into the website.
  • Malicious software. Fraudsters may try to trick you into downloading “malware” that can attack your computer and, possibly, reveal your PII. Consider purchasing online security software for your computer, and keep it—and your computer operating system software—up to date.
  • Unsecure websites. Avoid online shopping and other activities on websites that aren’t secure, and be cautious about the apps you use. Make sure you use only official, secure websites with the “https:” prefix—not “http:”.
  • Weak passwords used for both social and financial accounts can leave you vulnerable. Strive to use unique, long, and strong passwords for each of your accounts. And when possible, activate multi-factor authentication, which requires you to enter both your log-in credentials and a secret code sent to your smartphone or other device before giving you access to your account.
  • Discarded computers and mobile devices that haven’t been wiped of your PII can be another point of access for a thief.
  • Targeting children online. Kids can give away personal information online without realizing it. Help protect your children online; be vigilant in monitoring the information they share when using an Internet-connected device.

We’ve all received emails saying we’ve won a too-good-to-be-true prize—redeemed by providing our personal information. As with anything in life, when something online seems too good to be true, it probably is. Don’t respond to emails from someone you don’t know. Don’t click on unknown links or attachments.

The bottom line? You can never be too careful when sharing your personal information online.