Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle (a custom logo for Google)
  • Stickies (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) discovered malicious code embedded in copies of these extensions on the official Chrome Web Store. The code allows hackers to manipulate users’ browsers via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.

Almost Half Of Top Ranking Websites Are Vulnerable

Menlo Security just released their third annual “State of the Web” report and it’s not pretty.  The headline finding is that 42% of the top 100,000 sites as ranked by Alexa are more dangerous than you think.

The report defines a risky site as one that meets one of three criteria:

  • The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
  • The site has been used to launch attacks or distribute malware
  • The site has suffered a security breach in the past twelve months

The first point is key, and often overlooked by security professionals.  Any time your website pulls content from another source, it creates an opening that a hacker could potentially exploit.  Worse, most security professionals lack the tools to properly monitor those connections.

As bad as that sounds, there’s an even worse detail lurking in the pages of the report, and that concerns emails.

Hackers are increasingly moving away from setting up their own domains.  Instead, they’re preferring to create a subdomain of a compromised, legitimate domain, which makes it harder to spot.  Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms.  Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.

Also, hosting services typically allow customers to set up multiple subdomains.  For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”

The bottom line is: the web, and even the most popular sites on it, aren’t nearly as safe as you think.

Does Your Business Have A Cybersecurity Incident Response Plan?

If your company has an incident response plan that you can rely on in the face of a cyber attack, then you’re ahead of most of the world, according to research recently conducted by the Ponemon Institute.  Shockingly, more than 75 percent of survey respondents from around the world admitted that they have no formal incident response plan.  Even worse, half of the companies that indicated they had an incident response plan said that it was informal.

Curiously, given these statistics, 72 percent of organizations indicated that they were more resilient today than they were the year before. They also indicated a high level of confidence in their staff to respond appropriately to any problem that arose.

Given the stark reality and the ever-increasing number of attacks, that comes off more like bravado than genuine confidence.  Ted Julian, the Vice President of Product Management at IBM Resilient (sponsor of the Ponemon Institute’s research), had this to say:

“Having the right staff in place is critical, but arming them with the most modern tools to augment their work is equally important.  A response plan that orchestrates human intelligence with machine intelligence is the only way security teams are going to get ahead of the threat and improve overall cyber-resilience.”

This year, most of the provisions of a new piece of legislation, GDPR (the General Data Protection Regulation), come into effect, and companies that don’t have a formal incident response plan by then could pay a hefty price.  Even if that weren’t the case, the research concluded that the overall cost of a data breach was nearly a million dollars lower on average when companies were able to deal with the breach decisively and contain it within thirty days.

The bottom line is, if you don’t have one yet, now is the time.

No Spectre Fix For Certain Intel Processors

The bad news just doesn’t seem to stop where Intel and the Spectre vulnerability are concerned.  The latest bit of news comes directly from Intel, as the company admits that it’s just not possible to address the Spectre vulnerability in some of its older hardware. This means that nine families of chips and more than 230 models of computers (mostly manufactured between 2007 and 2011) will remain vulnerable to Spectre forever.

The company has stopped Spectre mitigation development on the following families of chips:

  • Bloomfield
  • Clarksfield
  • Gulftown
  • Harpertown Xeon
  • Jasper Forest
  • Penryn
  • SoFIA 3GR
  • Wolfdale
  • Yorkfield

A company spokesman had this to say about the recent announcement:

“We’ve now completed the release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google.  However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.”

It’s unfortunate, but not entirely unexpected.  If you have any older Intel equipment still in service at your company, have your IT group check the processor family. If it’s one of the above, it’s well worth marking those systems as high priorities for upgrade, and limiting their use until you can replace them.

Spectre is a devastating flaw, and it’s just not worth the risk to leave exposed systems connected to your network and in service. This is especially true now that it’s official that no help is coming for certain older systems.

Even worse, AMD chips, which are not impacted by Spectre and Meltdown, have since been found to have their own critical security flaws.  While not as bad or as pervasive as the two Intel is facing, they will nonetheless require the company to issue its own microcode updates, which they are currently scrambling to do.

The long and the short of it is that there really are no safe harbors anymore.

Study Shows Employee Satisfaction Is Higher With Technology Improvements

A new study recently published by HPE Aruba, called “The Right Technologies Unlock The Potential Of The Digital Workplace,” reveals some interesting details about technology in the workplace that are worth paying attention to.

The study was conducted by collecting feedback from more than seven thousand companies of various sizes around the globe.  These were broken broadly into two groups: “Digital Revolutionaries,” which made more and better use of cutting-edge technology, and “Digital Laggards,” which were slower to adopt the latest and greatest technologies.

The headline statistic is that 51 percent of employees working in companies employing more technology reported greater job satisfaction, and an impressive 72 percent of employees in these companies reported a greater ability to adopt new work-related skills.

Other intriguing statistics include:

  • 31 percent of respondents in the “Digital Laggard” category indicated that tech aided their professional development, compared with 65 percent in the “Digital Revolutionary” category
  • 92 percent of respondents said that more technology would improve the workplace overall
  • 69 percent of respondents indicated a desire to see fully automated equipment in more widespread use in the workplace

Joseph White, the Director of Workplace Strategy, Design and Management at Herman Miller said in a press release:

“No matter the industry, we’re seeing a move toward human-centric places as enterprises strive to meet rapidly changing expectations of how people want to work.  This depends upon combining advances in technology -which includes furnishings- with the cognitive sciences to help people engage with work in new ways.  This will not only mean singular, premium experiences for individuals, but also the opportunity for organizations to attract and retain the best talent.”

The study notes, however, that cyber security issues remain as challenging as ever.  Survey respondents reported lower than average cyber security awareness, which could lead to greater risks and exposure as workplaces become increasingly digitized.

While a small majority (52 percent) of respondents reported thinking about cybersecurity often (daily), fully a quarter have connected to unsecured WiFi and one in five reported using the same passwords across multiple web properties. These are the two most dangerous cybersecurity-related behaviors.

Clearly, increased technology has its risks.

New InvisiMole Malware Turns Your System Into A Video Camera

Another week, another new threat.  This time, it comes in the form of a new strain of malware that researchers are calling InvisiMole.  The new threat was discovered by researchers at ESET, who found it on a number of hacked computers in Russia and Ukraine.

While the researchers have yet to trace the software back to the group that developed it, based on the available evidence, the campaign appears to be tightly targeted and highly selective.  Only a few dozen computers have been found to be infected, although all impacted systems are both high-profile and high-value.

As for the software itself, it’s a nasty piece of business capable of quietly taking control of an infected system’s video camera and capturing audio. This allows the attackers to both see and hear anything going on in the vicinity of the system.  Essentially then, InvisiMole turns your computer into a compromised Amazon Echo.

Based on the sophisticated design of the software and the fact that the researchers have yet to be able to trace it back to the source, it’s believed that it has been developed by (or at least in partnership with) an unknown state actor.  Although the current campaign is small and highly targeted, given its capabilities, InvisiMole could easily become a much more serious threat.

Even worse, it’s entirely possible that the original developers could lose control of the code, or that some other hacker group could reverse engineer it, causing it to spread far and wide.

Research into the software is still ongoing, and at this point ESET can’t say with certainty how the malicious payload is being delivered to target machines. Of course, at present, there is no antivirus software defense against it.  Stay on your guard.  You never know who might be watching.

The U.S. Is The Most At Risk Nation For Cyber Attacks

Being “number 1” isn’t always a good thing.  Rapid7 has just published their third annual “National Exposure Index,” and unfortunately, the United States has the dubious honor of being the nation most at risk for a cyber attack on its core services.  The group’s methodology for ranking national exposure comes down to tracking the number of exposed services and comparing this number to the nation’s total allocated IP address space.

Ranked in this way, the top four most vulnerable countries are:

  • The United States
  • China
  • South Korea
  • The UK

All told, these four nations control more than 61 million servers listed on at least one of the points surveyed by Rapid7.

Drilling down a bit more deeply, the report also contained this chilling fact:

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL.  Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack.”

Given that this year has already given us the largest DDoS attack in the history of the internet, Rapid7’s findings should not be taken lightly.  The risks are very real, which is why the company is so strongly committed to the publication of their annual report.

As they put it:

“…national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”

A lofty goal indeed.  Unfortunately, although the data is illuminating, there are no quick or easy answers here, especially in the United States.  Thus far, the U.S. has struggled to put together a cohesive digital security policy at the national level, which seems unlikely to change at least in the near future.

Majority Of Web Apps Found To Have Security Vulnerabilities 

How many web apps do you have on your phone?  Probably a ton.  Here’s something you likely didn’t know.  Based on the latest research from Positive Technologies, nearly half of them (48 percent) are vulnerable to unauthorized access.

As bad as that is, it’s just the tip of the proverbial iceberg.

Here are some additional disturbing stats from their report:

  • 44 percent of the apps with vulnerabilities place the user’s personal data at risk
  • 70 percent are prone to leak critical information stored on the device
  • 96 percent of them contain flaws that would allow any malicious actor to exploit them to launch an attack on the target device
  • Of those, one in six (17 percent) has a flaw severe enough that it would allow an attacker to assume complete control over the app, and from there, the device itself

The majority of these flaws (some 65 percent) are the result of simple coding errors, with improper configuration of web servers being the most common of these.

There is one bright spot in the otherwise dismal report, though.  The percentage of apps with critical vulnerabilities has declined slightly, down from 52 percent last year, and 59 percent the year before. So the numbers, while frustratingly large, are trending in the right direction.

Ed Keary, the CEO of Edgescan, had this to say on the topic:

“DevSecOps needs to be embraced such that security is throughout the development pipeline.  Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”

If your firm designs such applications, pay special attention to this report and review your code base at the earliest opportunity.  Even if you don’t, it pays to be mindful of the percentages, because odds are that your employees have several at-risk apps on the devices they’re connecting to your network.