August is off to a roaring start on the hacking news front. Between the “Backoff” malware that has been reported to have hit over 600 retailers’ Point-of-Sale networks, and the CyberVor gang’s mega disclosure of 1.2 Billion user credentials, we have fielded more than a few calls. Both attacks have the intent of exploiting businesses for financial gain; however, they approach the problem from different angles.
1.) The Backoff Malware
Backoff is a purpose-built application designed to steal credit card information from systems that either process payments or accept credit card data. Businesses are being compromised through commonly used remote desktop tools such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn’s Join.Me.
Does your company allow incoming connections to these services through your firewall? What about third-party providers that manage your Point-of-Sale? Can you track when these systems are accessed?
Governance on these remote access tools is an absolute must. If you aren’t sure about any of these questions, ask us for help. If you cannot manage the overhead of tracking incoming connections from remote users, we can monitor these logs for you.
What should you do:
- Identify and contact all of your IT vendors that require remote access and ask them to update their passwords
- Close access to unwanted remote desktop services
- Limit any allowed remote services to only known IP addresses for incoming connections
- Turn on logging for remote access traffic and consider daily log review
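The last two steps above (restrict incoming remote sessions to known IP addresses, then log and review them daily) can be turned into a small, repeatable check. The script below is an added example, not something from the original post or from any of the vendors named in it. The log format is an assumption, loosely modelled on a Windows Security log export where event 4624 is a successful logon, 4625 a failed one, and logon type 10 a remote desktop session; the sample lines and the allow-listed network are constructed.

```python
"""Added example (not from the original post): review remote-access logons
against an allow-list of known source IPs. Sample log lines are constructed;
the line format is an assumption modelled loosely on a Windows Security log
export (event 4624 = success, 4625 = failure, logon type 10 = RDP)."""
import ipaddress
import re
from collections import Counter

# Constructed sample log: "timestamp event_id logon_type user source_ip"
SAMPLE_LOG = """\
2014-08-04T02:13:07 4624 10 POS\\svc_vendor 203.0.113.10
2014-08-04T02:15:41 4625 10 POS\\Administrator 198.51.100.77
2014-08-04T02:15:43 4625 10 POS\\Administrator 198.51.100.77
2014-08-04T02:15:45 4624 10 POS\\Administrator 198.51.100.77
2014-08-04T09:01:12 4624 2 POS\\cashier1 -
2014-08-04T23:40:00 4624 10 POS\\svc_vendor 203.0.113.10
"""

# Assumed allow-list: the POS vendor's known static range (step 3 in the post)
KNOWN_REMOTE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, logon_type, user, src = m.groups()
    return {"ts": ts, "event_id": int(event_id), "logon_type": int(logon_type),
            "user": user, "src": src}


def review(log_text, known_networks=KNOWN_REMOTE_NETWORKS, failure_threshold=2):
    """Return two lists of findings:
    - successful remote logons whose source IP is not in the allow-list
    - sources that failed at least `failure_threshold` times and then succeeded
      (the password-guessing pattern a daily review should catch)"""
    unknown = []
    failures = Counter()
    failures_then_success = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:   # only remote desktop logons
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            failures[src] += 1
            continue
        if ev["event_id"] != 4624:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in known_networks):
            unknown.append((ev["ts"], ev["user"], src))
        if failures[src] >= failure_threshold:
            failures_then_success.append((ev["ts"], ev["user"], src, failures[src]))
    return {"unknown_source": unknown, "failures_then_success": failures_then_success}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the constructed sample, the review flags the 02:15 session from 198.51.100.77 twice: once because the address is outside the allow-listed range, and once because two failed logons preceded the success. The local cashier logon (type 2) is ignored, and the vendor's sessions from the known range produce no findings. If the firewall rule from step 3 is in place, the "unknown source" list should stay empty, which makes any entry in it worth a call.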
2.) The CyberVor Credential Theft
The criminal hacking group dubbed “CyberVor” used a very common form of web-based attack called SQL injection to collect 1.2 Billion user credentials. The reports released so far have not disclosed specifics about the victims, nor the quality of the credentials.
According to analysts from Sophos, “Many of the passwords associated with those accounts were ‘hashed,’ meaning it would take the crooks a long time to crack them. Plus, some of these hashed passwords are quite old and probably useless to the criminals.”
What should you do as a “user”:
- Just to be safe, you should change your website passwords (including webmail, social media accounts, etc.). It’s good sense to change your passwords frequently
- Always use unique passwords for each website
- Use two-factor authentication wherever you can
- Check your bank and social media accounts for suspicious behavior
What should you do as a “website owner”:
- Install a Web Application Firewall
- Harden your website against SQL injection
- Make sure your users’ passwords are stored safely
- Enable multi-factor authentication for your users
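Two of the website-owner steps above, hardening against SQL injection and storing passwords safely, are concrete enough to show in code. The block below is an added example and is not code from the original post; it uses an in-memory SQLite database with constructed sample users. It places a user lookup written the injectable way beside the parameterised form, and stores passwords as salted PBKDF2 hashes (the iteration count is an assumed work factor) so that a leaked table is the "hashed" case the Sophos quote describes rather than plain text.

```python
"""Added example (not the original post's code): an injectable user lookup
beside its parameterised form, plus salted PBKDF2 password storage from the
standard library. Database and users are constructed, in memory only."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def make_db():
    """Constructed in-memory users table; passwords are never stored as text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", hash_password("correct horse")),
                      ("bob", hash_password("battery staple"))])
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE: untrusted input is pasted into the SQL text, so a value
    # containing a quote changes the query rather than the data
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # HARDENED: a placeholder; the driver sends the value separately from the
    # SQL, so it can only ever be compared as a string
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


def login(conn, username, password):
    """Parameterised lookup plus hash verification; True only on a match."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("unsafe lookup returned:", find_user_unsafe(db, crafted))
    print("safe lookup returned:  ", find_user_safe(db, crafted))
    print("alice correct password:", login(db, "alice", "correct horse"))
    print("alice wrong password:  ", login(db, "alice", "wrong"))
```

The same crafted value returns every row from the string-formatted query and nothing from the parameterised one; that difference is the whole of "harden your website against SQL injection" at the code level, and a Web Application Firewall is a second layer in front of it, not a substitute. Each stored hash carries its own random salt, so two users with the same password get different hashes and a rainbow table built for one site is useless against another.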