Q4 2018 Security Update: Want Access to an IoT System? Try 123456

Insights that can help you provide solutions with more value for your customers by helping to secure their systems and their data.


To provide solutions your customers can use most securely, you need to consider common user behaviors and the current threat landscape. Use these insights and data from IT security experts when you consider application features and user experience that can result in a better defense against cyber attacks.

Give Your Customers Better Options than Choosing Their Own Passwords

Don’t assume your customers understand the importance of a strong password. The top passwords used in Internet of Things (IoT) attacks in September, according to Symantec’s Monthly Threat Report, are “123456,” [blank], and “system.” Those are followed in frequency by other easy-to-guess passwords, including “admin” and “password.” For whatever reason, the message isn’t getting across that when a password is required to access a system — IoT or otherwise — it has to be something that isn’t easy to guess.

Action Items

  • Provide solutions that suggest strong passwords, securely save passwords, or enable single sign-on.
  • Make sure applications clearly define the rules for creating passwords up front, so the user doesn’t have to go back and add a number or character, which makes creating a strong password a more frustrating process.
  • Consider rules that deter password reuse on multiple sites. An Indiana University study found longer passwords or passphrases, which are harder to remember, are also harder to reuse.
  • Consider solutions that confirm user identity by means other than a password, which removes the burden of remembering a complicated password entirely.
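
The first three action items, as an added Python example that is not from the article: a checker that rejects the passwords the report lists (and padded variants of them) and reports every broken rule in one pass, plus a passphrase suggester. `MIN_LENGTH`, the function names and the word list are assumptions made for the example.

```python
import secrets

# Passwords the article lists as most used in IoT attacks ("" is the "[blank]" entry).
MOST_GUESSED = {"123456", "", "system", "admin", "password"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Constructed 16-word list so the example runs offline; a real product would load
# a list of several thousand words to give each word more entropy.
WORDS = ["copper", "lantern", "orbit", "maple", "quartz", "harbor", "velvet", "tundra",
         "saffron", "pixel", "ember", "willow", "cobalt", "meadow", "falcon", "ripple"]


def password_problems(password, username=""):
    """Return every rule the candidate breaks, so the form can show all of them at once."""
    folded = password.strip().lower()
    problems = []
    if folded in MOST_GUESSED:
        problems.append("is blank or one of the most-guessed passwords")
    elif any(word and word in folded for word in MOST_GUESSED):
        # Strip the guessable words, then count the letters the user actually added.
        rest = folded
        for word in MOST_GUESSED - {""}:
            rest = rest.replace(word, "")
        if sum(ch.isalpha() for ch in rest) < 4:
            problems.append("is only a padded variant of a most-guessed password")
    if len(password) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    if username and username.lower() in folded:
        problems.append("contains the account name")
    if len(set(folded)) < 5:
        problems.append("uses fewer than 5 distinct characters")
    return problems


def suggest_passphrase(word_count=4):
    """Offer a long, memorable passphrase drawn with a CSPRNG."""
    return "-".join(secrets.choice(WORDS) for _ in range(word_count))


if __name__ == "__main__":
    for candidate in ["123456", "", "SystemAdmin1", "copper-lantern-orbit-maple"]:
        print(repr(candidate), password_problems(candidate) or "accepted")
    print("suggested:", suggest_passphrase())
```

Showing the rules next to the password field and returning the full list from `password_problems` lets the user fix everything in one attempt.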

“Likejacking” Tops Social Media Scams

Symantec also reports that web attacks rose 7.5 percent in September, and “likejacking” or “clickjacking” is currently the most popular type of attack on social media sites. An Ncrypter article explains that clickjacking, or user interface redressing, is an attempt to get users to click on hidden links in a transparent layer. The call-to-action button the users see may be a Facebook “like,” a fake CAPTCHA, an invitation to update, or the play button in a video — but when they click, they’re actually downloading malware or unleashing another type of cyberattack.

Action Items

  • Since GUI-based web browsers all support multiple layers on a website, including invisible layers, there isn’t one method that’s effective at preventing all forms of clickjacking. There are some tools and tests available to help guard against clickjacking, such as this test from OWASP and this tool for Firefox.
  • Make sure your client’s antimalware, antivirus, and other security solutions are up to date.

Financial Trojan Activity Increases

Although ransomware and cryptojacking both decreased from August to September, financial Trojan activity rose 12.5 percent. Investopedia explains that financial Trojans, or “banker Trojans,” redirect traffic from banking and financial websites to other websites that the hacker can access. Trojans can steal usernames and passwords, and some also transfer money to other accounts.

Action Items

  • Help banks or other financial institutions have rock-solid authentication in place to ensure a request is coming from a legitimate account holder.
  • Kaspersky Lab explains that using a firewall, installing antivirus software or a Trojan remover, and keeping software up to date are all measures that can help protect against this type of attack.

Cryptocurrency is Still a Prime Target

According to McAfee Labs’ September Threats Report, coin miner malware doubled in Q2 2018. In coin mining attacks, cybercriminals use malware to harness a victim’s own computing power to mine for coins or to steal the victim’s cryptocurrency. Top cryptominers are Coinhive, a Monero miner, which has impacted 12 percent of organizations worldwide, followed by Cryptoloot, a JavaScript miner, and JSEcoin, a web-based miner.

McAfee estimates the cost of a dedicated mining machine to be between $500 and $1,000. That’s a small investment in light of reports from the Financial Crimes Enforcement Network (FinCEN) of $1 billion in cryptocurrency ransomware payments and $1.5 billion stolen from cryptocurrency exchanges over the past two years.

Action Items