Category: IT SECURITY AND DATA PROTECTION

Hackers Hijack Popular Chrome Extension to Inject Code into Web Developers’ Browsers

“Web Developer” is a popular extension that adds various web developer tools to a variety of browsers.

Unfortunately, the fact that the Chrome edition of the Web Developer extension has over one million users has also made its author – San Francisco-based Chris Pederick – a target for attack.

Yesterday, Pederick had some bad news for his Chrome extension’s many users.

The Web Developer for Chrome account has been compromised and a hacked version of the extension (0.4.9) uploaded.

Online criminals managed to compromise the Chrome Web Store account for the Web Developer extension after Pederick fell for the simplest and oldest trick in the book: a phishing attack.

Any idea how this could have happened? Did they hack into your Google account or is the Chrome Store not secure?

I stupidly fell for a phishing attack on my Google account.

Once the hackers stole the account credentials, they uploaded a modified malicious version (0.4.9) of the extension that included code to inject money-making adverts into over a million users’ web browsers.

That’s not the kind of behavior that goes unnoticed by the extension’s typical users: savvy web developers. These individuals began leaving negative reviews for the extension, warning that its out-of-character behavior might be an indication that it had been hijacked.

Despite the disruption and annoyance that the inserted ads would have caused for the extension’s users, they should probably feel relieved that the attacker didn’t attempt something more malicious. After all, it appears that it would have been possible to inject more dangerous code that would have been far harder to spot with the naked eye.

For instance, because the Web Developer extension has been granted wide access to what happens in a user’s browser, a maliciously modified version could potentially log keystrokes, or read and rewrite everything displayed on the websites a victim visits.

The attack on the Web Developer extension is just the latest in what appears to be a trend for criminals to target the accounts of popular browser extensions in an attempt to display revenue-generating adverts or spread malicious code.

Just last week, the developer of another extension, CopyFish, described how its Chrome extension had been compromised to insert spammy ads into websites as users surfed the internet.

Like Pederick, the developers of CopyFish had been tricked into handing their passwords over after receiving a communication which they believed had come from Google.

A new version of Web Developer for Chrome has since been made live, removing the compromised code. Users are advised by Pederick to update immediately.

Anyone who was running the compromised extension should consider changing any passwords that they entered, as well as wiping any login tokens and cookies used on sites they visited during the infection period.
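To make that remediation advice concrete, here is an added example (not code from the article, from the Web Developer extension or from its author) that audits Chrome extension manifests: it flags any extension whose host patterns cover every site, lists the sensitive API permissions it requests, and checks the name/version pair against a known-bad list containing the compromised 0.4.9 release. The sample manifests are constructed for the example and are not the real extensions’ manifests; the Extensions directory passed to audit_profile is an assumption that depends on the operating system and profile.

```python
import json
from pathlib import Path

# Host match patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with broad host access, let an extension read
# or rewrite page content, inject scripts, and reach cookies and traffic.
SENSITIVE_PERMISSIONS = {"webRequest", "webRequestBlocking", "scripting",
                         "tabs", "cookies", "debugger", "clipboardRead"}

# Name/version pairs confirmed compromised. 0.4.9 is the version named in the article.
KNOWN_BAD = {("Web Developer", "0.4.9")}

# Constructed sample manifests for this example. They are NOT the real
# extensions' manifests; the field values are illustrative only.
SAMPLE_MANIFESTS = {
    "constructed-webdev": {
        "manifest_version": 2,
        "name": "Web Developer",
        "version": "0.4.9",
        "permissions": ["tabs", "webRequest", "<all_urls>", "storage"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    "constructed-narrow": {
        "manifest_version": 3,
        "name": "Single Site Helper",
        "version": "1.2.0",
        "permissions": ["storage"],
        "host_permissions": ["https://example.com/*"],
    },
}


def host_patterns(manifest: dict) -> set:
    """Collect every host match pattern the manifest declares.

    MV2 mixes host patterns into "permissions"; MV3 moves them to
    "host_permissions". Content scripts declare their own "matches".
    """
    patterns = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if p == "<all_urls>" or "://" in p:
            patterns.add(p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit(manifest: dict, known_bad: set = frozenset()) -> dict:
    """Summarise one manifest: broad host access, sensitive APIs, known-bad version."""
    name = manifest.get("name", "?")        # may be a "__MSG_*__" i18n placeholder
    version = manifest.get("version", "?")
    broad = sorted(h for h in host_patterns(manifest) if h in BROAD_HOST_PATTERNS)
    sensitive = sorted(set(manifest.get("permissions", [])) & SENSITIVE_PERMISSIONS)
    compromised = (name, version) in known_bad
    severity = "critical" if compromised else ("review" if broad else "ok")
    return {"name": name, "version": version, "broad_hosts": broad,
            "sensitive_permissions": sensitive, "known_bad": compromised,
            "severity": severity}


def audit_profile(extensions_dir: str, known_bad: set = frozenset()) -> list:
    """Audit every extension under a Chrome profile's Extensions directory.

    Chrome keeps unpacked copies as <id>/<version>_<n>/manifest.json; the
    profile path itself varies by OS (assumption: the caller supplies it).
    """
    results = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            finding = audit(json.load(fh), known_bad)
        finding["id"] = manifest_path.parent.parent.name
        results.append(finding)
    return results


if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(ext_id, audit(manifest, KNOWN_BAD))
```

Treat a “critical” finding as a reason to follow the advice above (update, then rotate passwords and sessions), and a “review” finding as a prompt to ask whether that extension really needs every site. An “ok” result only means the extension declares narrow access; it says nothing about the code the next auto-update will ship.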

For Your Eyes Only: Why Data Masking Needs to Be in Every Data Security Strategy

Data security is rife with complexities. The threats against an organization’s data are massive and ever-evolving, and the consequences of a breach are devastating, sometimes crippling, for a business, so it’s unsurprising that there are dozens if not hundreds of factors to be taken into consideration when it comes to securing databases.

That’s why it’s so refreshing when an aspect of data security makes perfect, uncomplicated sense. Like data masking. It’s simple: if you want to disguise something or keep others from seeing it clearly, you mask it.

THE IDEAL DATA DISGUISE

While it isn’t as easy as drawing a mustache on an organization’s personally identifiable data, data masking is a relatively simple way to replace real data with fake but structurally valid data, so it can be used wherever realistic placeholder data is required but the actual data isn’t.

Data masking essentially ensures that only the people who need to see data can see it and that they only see it when they should. It’s used to protect various types of data, including intellectual property, personally identifiable data, protected health data, as well as financial data, such as payment card information. The key to data masking is keeping data formats unchanged while changing the data values so the actual data is obfuscated.

For example, an organization’s employees may be assigned an eight-digit employee ID number written like so: 8765-4321. If that data were masked, the eight-digit, hyphenated format would remain the same but the digits within it would change: 3561-2847. Some of the more common methods of data masking are character substitution, numeric variance, character shuffling and format-preserving encryption.
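As an added illustration (not code from the article), the following Python applies three of the methods just named to the article’s employee ID: keyed character substitution that preserves the 9999-9999 shape, numeric variance for figures such as salaries, and column shuffling. Format-preserving encryption proper (the NIST FF1 mode) is not implemented here; the substitution below is a one-way keyed pseudonym, which suits test data because the same original always maps to the same masked value across tables, and reversing it requires both the key and a candidate original to check. The key, the record schema and the sample row are assumptions for the example.

```python
import hashlib
import hmac
import random

# Constructed example key. Keep the real one in a secrets store: anyone holding
# it can reproduce the pseudonym for any value they are able to guess.
SAMPLE_KEY = b"example-masking-key-rotate-me"


def _keystream(key: bytes, label: bytes, value: str, length: int) -> bytes:
    """Deterministic keyed bytes derived from the ORIGINAL value.

    The same input always yields the same bytes, so a masked employee ID is
    identical in every table it appears in (referential integrity survives).
    """
    out, counter = b"", 0
    while len(out) < length:
        msg = label + b"|" + counter.to_bytes(4, "big") + b"|" + value.encode("utf-8")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def substitute_characters(value: str, key: bytes = SAMPLE_KEY) -> str:
    """Format-preserving character substitution.

    Digits stay digits, letters stay letters with their case, and separators
    such as '-', ' ' or '@' are left in place. Each digit or letter is shifted
    by a keyed, non-zero offset, so no character survives in its position.
    """
    stream = _keystream(key, b"substitute", value, len(value))
    out = []
    for ch, b in zip(value, stream):
        if "0" <= ch <= "9":
            out.append(str((int(ch) + 1 + b % 9) % 10))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 1 + b % 25) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 1 + b % 25) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def numeric_variance(amount: float, pct: float = 0.10, key: bytes = SAMPLE_KEY) -> float:
    """Perturb a number by a keyed factor in [1 - pct, 1 + pct).

    A salary still looks like a salary and aggregates stay roughly right, but
    the true figure is hidden.
    """
    raw = _keystream(key, b"variance", repr(amount), 8)
    unit = int.from_bytes(raw, "big") / 2**64          # 0.0 <= unit < 1.0
    return round(amount * (1 + pct * (2 * unit - 1)), 2)


def shuffle_column(values: list, key: bytes = SAMPLE_KEY) -> list:
    """Shuffling: real values stay in the column, but their link to the row is broken."""
    seed = int.from_bytes(hmac.new(key, b"shuffle", hashlib.sha256).digest()[:8], "big")
    shuffled = list(values)
    random.Random(seed).shuffle(shuffled)
    return shuffled


def shape(value: str) -> str:
    """Describe a value's format: 9 for a digit, A/a for letters, others verbatim."""
    return "".join("9" if "0" <= c <= "9" else "A" if "A" <= c <= "Z"
                   else "a" if "a" <= c <= "z" else c for c in value)


def mask_record(record: dict) -> dict:
    """Per-field masking policy for one employee row (constructed schema)."""
    return {
        "employee_id": substitute_characters(record["employee_id"]),
        "name": substitute_characters(record["name"]),
        "email": substitute_characters(record["email"]),
        "salary": numeric_variance(record["salary"]),
        "department": record["department"],      # not sensitive, left in clear
    }


if __name__ == "__main__":
    row = {"employee_id": "8765-4321", "name": "Jane Doe",
           "email": "jane.doe@example.com", "salary": 82000.00, "department": "Finance"}
    print(mask_record(row))
```

Because the substitution is keyed, a second masking run with the same key produces the same pseudonyms, which is what lets a masked development copy be refreshed without breaking joins; rotate the key and every pseudonym changes at once.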

AN ESSENTIAL MASQUERADE

There are a number of reasons data masking is essential. Some of the top reasons are as follows:

Third parties can’t be trusted.

Retail companies share customer data with market researchers, for example, and healthcare organizations share patient information with medical researchers.

Sending actual personally identifiable data, payment card information, or protected health information to these third parties would be risky not only because of how many people could potentially access it for misuse, but also because doing so may run afoul of the compliance regulations governing different industries.

Neither can insiders.

According to a 2016 study by the Ponemon Institute, upwards of 25 percent of all data breaches involve employee or contractor negligence. Whether through malice or carelessness, the legitimate data access privileges of employees contribute to many data breach and leak incidents.

This threat can be minimized by allowing each employee to see only the data they require to complete their work with the remaining data masked.

Many business operations don’t need real data.

Plenty of organizations require data in order to build and test new programs or functions, as well as to test necessary patches and upgrades. It would be impossible to tell if a program is going to perform as it needs to if it can’t be tested with data. However, if it were tested with the actual data of users, customers, or employees, it would open up that data to the eyes of all kinds of employees or contractors who don’t require access to it.

It would also allow that data to be stored in potentially insecure development environments that may be vulnerable to hackers. Compliance regulations may also come into play here.

The European Union said so.

The EU has new legislation coming into effect in May 2018 that regulates how any organization storing or processing the personal data of people in the EU may handle it. Among many other requirements, the General Data Protection Regulation (GDPR) lists the pseudonymisation and encryption of personal data in Article 32 as examples of appropriate technical measures for securing processing. Data masking is one practical way to pseudonymize data, which limits what a breach or other unauthorized access can expose.

Considering that failing to abide by the GDPR can result in everything from a written warning to a fine of up to 20 million EUR or 4 percent of worldwide annual turnover, whichever is higher, it’s in an organization’s best interest to comply.

MAKING SENSE OF DATA SECURITY

There are many database security solutions that make plenty of sense. Data masking is chief among them because databases sit at the heart of an organization and hold a potential goldmine for employees and hackers willing to act maliciously in order to turn a profit on the black market.

Data masking is just one of the steps companies need to take to avoid becoming the subject of negative press, class action lawsuits, and cautionary tales for years to come.

How a Single Email Stole $1.9 Million from Southern Oregon University

Southern Oregon University has announced that it is the latest organization to fall victim to a business email compromise (BEC) attack after fraudsters tricked the educational establishment into transferring money into a bank account under their control.

According to media reports, the university fell for the scam in late April when it wired $1.9 million into a bank account it believed belonged to Andersen Construction, the contractor responsible for building a pavilion and student recreation center.

But the construction company never received its payment.

The incident appears to have spurred the FBI into issuing a warning about the risk to other universities in May.

In its advisory, the FBI describes how universities are often engaged in major construction projects that require regular electronic payments of at least several hundred thousand dollars.

It’s normally fairly easy for a criminal to identify which construction firms are involved in the projects and then use a mixture of social engineering and email spoofing to trick universities into transferring funds into the wrong bank account. In some cases, the fraudsters actually hack into the email accounts of those they are pretending to be to make their communications appear even more convincing.

The FBI describes in further detail how a BEC scam works:

  • The scammer, posing as an established vendor, sends an e-mail to the university’s accounting office with bank account changes to be used for future payments.
  • Typically, it is an individual purporting to be from a construction company with which the university has an existing business relationship.
  • The scammer often spoofs the actual e-mail address of the company with a similar domain. For example, if the actual domain is abcbuilders.com, the scammer might register and use abc-builders.com to send the e-mail.
  • The university sends their next payment to the scammer’s bank account, and the money is often unrecoverable by the time the university realizes they have been the victim of fraud.
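The FBI’s abcbuilders.com / abc-builders.com example can be turned into a check that accounts payable runs before any bank-detail change is actioned. The Python below is an added example, not from the article or the FBI advisory: it normalises sender domains (hyphens, TLD swaps and common homoglyphs), measures edit distance against an allowlist of verified vendor domains, and, independently of the domain, flags any message that asks to change bank or wire details so it is held for a phone call on a number already on file. The vendor allowlist and the sample messages are constructed for the example.

```python
import re

# Constructed allowlist: vendor domains that accounts payable verified out of band.
KNOWN_VENDOR_DOMAINS = {"abcbuilders.com"}

# Substitutions fraudsters use because the result looks alike on screen.
# Multi-character entries go first so they are folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Wording that signals a request to change where money is sent.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|different)\b.{0,60}\b(bank|account|routing|wire|ach|iban)\b"
    r"|\b(bank|account|routing|wire|ach|iban)\b.{0,60}\b(new|updated?|changed?|different)\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample messages; the second imitates the FBI's abc-builders.com example.
SAMPLE_MESSAGES = [
    {"from": "ap@abcbuilders.com", "subject": "Invoice 4471",
     "body": "Please find attached invoice 4471 for the pavilion steelwork."},
    {"from": "ap@abc-builders.com", "subject": "Updated bank details for future payments",
     "body": "We have moved banks. Please use the attached account for all future wires."},
    {"from": "ap@abcbuilders.com", "subject": "New account for wire payments",
     "body": "Our bank account has changed effective immediately."},
]


def normalize_name(domain: str) -> str:
    """Reduce a domain to a comparable core: drop the TLD, hyphens and dots,
    then fold common homoglyphs."""
    labels = domain.lower().strip(".").split(".")
    name = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    name = name.replace("-", "")
    for lookalike, real in HOMOGLYPHS:
        name = name.replace(lookalike, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so one dropped or swapped character still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, known: set):
    """Return ("trusted", match), ("lookalike", match) or ("unknown", None)."""
    domain = domain.lower()
    if domain in known:
        return "trusted", domain
    core = normalize_name(domain)
    for vendor in sorted(known):
        vendor_core = normalize_name(vendor)
        limit = 1 if len(vendor_core) < 8 else 2
        if core == vendor_core or levenshtein(core, vendor_core) <= limit:
            return "lookalike", vendor
    return "unknown", None


def triage(message: dict, known: set = KNOWN_VENDOR_DOMAINS) -> dict:
    """Decide what accounts payable should do with one message."""
    domain = message["from"].rsplit("@", 1)[-1]
    sender_class, match = classify_sender(domain, known)
    payment_change = bool(PAYMENT_CHANGE.search(message["subject"] + "\n" + message["body"]))
    if sender_class == "lookalike":
        action = f"reject: {domain} impersonates verified vendor {match}"
    elif payment_change:
        # A genuine vendor mailbox can be compromised, so the domain alone proves nothing.
        action = "hold: confirm by phone on the number from the signed contract, not from this email"
    else:
        action = "route normally"
    return {"sender": sender_class, "matched_vendor": match,
            "payment_change": payment_change, "action": action}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg)["action"])
```

The third sample message comes from the genuine vendor domain yet is still held, which is the point: when the fraudster has hacked the real supplier’s mailbox, only an out-of-band confirmation on a previously known number catches the switch.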

“We received a briefing by FBI that there have been 78 different attacks at institutions and some of those were universities,” said Southern Oregon University spokesman Joe Mosley. “We’re not alone.”

Mosley is right; the university is not alone. And it’s not just educational establishments that are in the firing line of criminals committing business email compromise. Firms such as cable manufacturer Leoni and tech firm Ubiquiti Networks are among those that have lost tens of millions of dollars through similar scams.

Indeed last year the FBI reported that corporations had handed over more than three billion dollars to fraudsters because of business email compromise attacks.

Good advice on how to introduce best practices and reduce the chances of your organization becoming the next victim of business email compromise is contained in this FBI advisory.


5 Tips to Maximize Your IT Security Training

Quality security training is a costly investment. Multiple-day training sessions are usually required for significant learning topics and are almost exclusively fee-based. And the fees are not the only investment. Key staff must be taken out of the field to attend the course, resulting in opportunity costs and lost work hours.

But our adversaries are not at rest. While not all attackers’ skills are on the bleeding edge, the threats we should concern ourselves with are dynamic, quick studies, and learn on demand. We need to keep up; we must make learning investments.

This article is about maximizing these investments, namely, how to get the biggest bang for your buck when investing time and money in training. I’ll focus (pun intended!) on my top 5 recommendations, in priority order.

#1: FOCUS

The obvious temptation for trainees is to pursue the age-old lost cause of multitasking, trying to get the best of both worlds, or hedge their training bet by “just getting some quick things done” or catching up on email. Some of you will shake your head, thinking “Pssh, amateurs! I can focus on two things at once, I do it all the time!”

If that’s you, turn off your ego and read what NPR and The Telegraph say (“Think You’re Multitasking? Think Again” and “Multitasking Is Scientifically Impossible, So Give Up Now“). Still not convinced? Take the quick test Psychology Today outlines in “The Myth of Multitasking.” This test conclusively puts the notion to bed.

Training events fully bear out those findings. Any trainer can tell you frustration-ridden stories of the outcome of multitasking. Frustration for the rest of the class when one person falls behind and asks a question that was just answered. Frustration for the student who is confused because they missed something. Frustration for everyone when someone misses something important because they ‘weren’t all there.’

The biggest obstacle to maximizing training investment is students being unable to resist the draw that Internet-connected training tempts them with: email and browsers are a window away. The only way to counter this is through focus. In some extreme cases, training administrators or management disable Internet or even local network access.

Another mental acuity-related issue is what I think of as ‘turning off’ during training. People very commonly adopt a ‘lead me by the hand’ mentality, whereby they seemingly forget everyday skills they already possess. The conversation goes something like this:

Student: “Hey, I got an error connecting to that system, is this thing broken?!”

Instructor: “Hmm, probably not. What did the error say?”

S: “I dunno, I ignored it.”

I: “Try reading it.”

S: “Okay. ‘Unable to connect to port XX on host.’ What does that mean?”

I: “What would you do if you saw that real world?”

S: “I’d think the system was down … oh, that service you talked about before is down [starts service] … now it works!”

That isn’t to poke fun at people. (Okay, maybe it is a little, you know who you are!) The real goal is to remind people attending training they need to stay sharp. In a healthy, well-built training environment, students can self-help their way through most glitches and challenges by applying their existing skills, or even better, avoiding them altogether by focusing on instructions.

#2: DISCIPLINE

The only real way to solve focus issues is through discipline. Learners need to invest themselves by applying the discipline that got them to where they are in their careers. Discipline also counters a hidden danger: distraction by the training itself. It’s counterintuitive, but student zeal and a short attention span can lead a student off topic even while learning what’s being presented or practiced.

“Hey, what’s that thing do…?” 20 minutes and two topics later, the familiar refrain to all teachers: “Uhh, where are we?”, probably whispered to a neighbor. Or in bolder, less apologetic examples, “Wait, go back, explain the last 20 minutes.” Yeah, it happens.

Discipline is not only needed by students. Management needs just as much, if not more. An all-too-common culprit of disciplinary issues is the very manager that starts the class with a demand that their people “make the most of this and focus! Turn on out-of-office, don’t check emails, no surfing. After all, we’ve spent a lot of money and are investing heavily in you, don’t waste it!”

I’ve seen that same manager, in the real world, interrupt class less than an hour later. “Sorry, something important” and hand out taskers or completely remove one or more people. Yeah, that happens, too.

While it’s easy for me, as a teacher and trainer, to extol the pious virtues of focus and discipline, the reality is that I don’t ‘live’ in ‘the real world.’ (All three definitions Google gives you from that link could apply here.) I live in a place I call “Happy Pretty Training Land.” Where is this mystical place? Nowhere really. It doesn’t exist. Maybe in some alternate string theory universe. It’s a place where all parties are disciplined. And no crises occur.

“Hey, yeah, what about a crisis? What do you expect when that person in class is truly critical and something bad just happened that only they can fix?!” Yes, that happens, too. I will not tell you the correct answer is to deal with it and pretend we’re in Happy Pretty Training Land. After all, the whole reason there is a class is to help the organization improve through personnel investment. This, of course, does not negate the need to ‘keep the lights on.’

It does, however, lead us to tip #3.

#3: PREPARE

Prepare the team for trainee absence to help minimize distractions. Effective preparation requires the whole team’s attention. Reschedule meetings as necessary, organize backfills with backup personnel, brief collaborating teams on the expected disruption, and plan for workarounds where backfill isn’t necessary.

The hardest part is not just giving lip service to preparation. Work at it and commit to finding ways to help your learners stay focused.

Furthermore, only register qualified students for the class. Most training has prerequisites: experience and knowledge students are expected to already have. A major source of distraction and class interruption is a student who isn’t ready for the topic. Coordinate with training providers and the instructor when there are knowledge and skill gaps. They can tell you whether the student should even attend, or whether there’s a possibility to fine-tune the content or apply workarounds.

#4: REFLECT

#4 changes tracks a bit and offers some real, neuroscience-driven advice for students. Pause for reflection time whereby a person considers previous experiences to see where the new stuff fits in. Your mind can only absorb so much, and, naturally, after many continuous hours of learning, most people reach a point of diminishing returns where comprehension breaks down.

During breaks in instruction and at the end of the day, spend some time thinking about what you’ve just learned and see how it fits into your world. See Don Clark’s excellent (and well-cited) explanation for some history and implementation tips.

Similar to reflection, I also recommend some downtime where you aren’t thinking about the material or any other mentally challenging topics. Have you ever had that “a ha!” moment when you realized the solution to a problem at a time you least expected when you weren’t even working on the problem and were even sleeping?

Albert Einstein, Aristotle, and Salvador Dali were known to use power naps. Fast Company‘s Drake Baer writes about the value of the “just beginning to dream” hypnagogic state. (Dali called for less than a ¼ second; read about Dali’s interesting life hack for preventing too much sleep in Baer’s article.) Twenty minutes or more of sleep, by contrast, produces that familiar mental grogginess scientists call “sleep inertia,” which takes time to shake off before you are fully alert again.

Try some reflect time and downtime.

#5: FOLLOW-UP

#5 furthers the discussion by calling on you to fully realize your investment by following up with some focus on the subject in the days and weeks after class. Spend follow-up time refreshing on training topics and exercises to maintain, or better yet enhance, what you’ve learned with new skills and knowledge.

Practice skills you picked up in class. Look through the labs and lectures and ask yourself if they make more sense now. Then reflect and think how the content meshes with your world or doesn’t. Formal training content is often a one-size-fits-all proposition, so some of it might not work for you.

Don’t get stuck in Happy Pretty Training Land! Find what does and doesn’t work, and then think about how you could achieve your team’s expected results. Think about how you might apply what you’ve learned to solve new challenges no one has even identified. Think about how you might use what you’ve learned to tackle issues that aren’t even in the scope of training or your organization’s reason for sending you to class.

Tech skills are use-or-lose. Don’t drop the ball after class by forgetting what you’ve learned.

Now tie it all together. You’ve committed valuable time and financial resources to training; make the most of it by applying these tips. Cybersecurity is too important to not put our best foot forward.