Weekly Web Security Warning – hacks, hacks everywhere!

This week in web security, two hacks, one survey and 10 top blocks.

It was not a great week for cybersecurity in Canada, not one but two major breaches were announced. But don’t fear, we have some good news *rustles marketing notes*, we recently celebrated the one-year anniversary of D-Zone DNS Firewall by expanding our footprint of policy-enabled recursive services to two new Canadian cities!

Our two new nodes in Montreal and Vancouver allow us to situate our services closer to even more of our customers in Canada. There are significant benefits to an all-Canadian DNS firewall service, because we peer at local Internet exchange points (IXPs) we get faster response time, all DNS traffic stays in Canada, and networks can actually see a boost in web traffic speed where a CDN uses the recursive data to route content. There are many other benefits, but my marketing 101 class said to keep the rule of three.

Now the bad news – Breach #1

Algonquin College in Ottawa recently announced that up to 100,000 individuals may have had their data exposed in a cyberattack. This attack apparently happened on May 16 due to a malware-infected server that was compromised. The college should be commended for being proactive in this announcement as apparently no banking or credit card information was revealed and there are no current reports of the data on the dark web. However, a relatively small subset of 4,568 people did have sensitive data exposed. This disclosure case is interesting because it foreshadows a time in the not too distant future where being proactive will be mandated by law. Changes to the PIPEDA legislation that are planned for November 2018 will make such disclosure mandatory. In this case we don’t know the time gap between identifying the breach (we assume the May 16^th date was determined by logs and not the date they discovered it) and issuing the announcement, but in the future when companies are required by law to disclose all customer data theft these weekly updates will probably be getting a lot longer.

Breach #2

Our second breach is a little more worrisome as CarePartners announced thousands of their patients are having their healthcare data held for ransom by hackers. This isn’t a typical ransomware situation but rather more like a data theft. The perpetrators are apparently threatening to release the patient’s data if not paid. What is scary is that the thieves have taken the additional step of going directly to the media with a sample of the data in an attempt to put pressure on the organization to pay. This is bad news for a healthcare company as they can be fined up to $500,000 for disclosing personal health information under the Ontario’s Personal Health Information Protection Act. This is another great example of how the new PIPEDA regulations will change the disclosure environment as the company was originally contacted by the hackers on June 11 and from what we know, did not disclose the breach until the media reported it.

Less than half of cyberattacks detected by antivirus

We talk a lot about defence in depth around here and it’s not just because we like military analogies, there are real benefits to having multiple layers of protection. A recent survey asked respondents about data breaches and the tools they used to determine their efficacy. The report was written from the perspective of anti-virus efficacy but it was interesting to read between the lines at what it means for the value of layers. The big takeaway was that 42 per cent of respondents reported endpoint exploits.  Protecting an endpoint, at least for an organization with lots of IT security resources, is not just about antivirus, but also content filtering, access control, malware blocking, pattern modelling, training, and more. Smaller organizations have to struggle to keep up in this complex world. These results mirror what we uncovered in a similar report from our partner Nominum (now Akamai) when they analyzed what of malware strains were effectively blocked by common anti-virus solutions. In other words, a lab test and a survey with both uncovered a similar pattern—that one or two layers is not enough to protect your network.

And finally – the top 10 block list of the week

The following domains were the top 10 that we blocked last week.

Two things really jumped out at me as being new, and both are suppliers of DNS services – which is unexpected. This includes duckdns.org distributing jRAT delivered from a 3^rd level domain off their primary public domain. The other was no-ip.info distributing Bifrose, again from the 3^rd level. What makes no-ip extra interesting is that it is not their primary domain but one that redirects to their primary domain.

We aren’t going to publish the full domains here because we don’t want to publish links identified as distributing malware.  (a) you might click on it and get infected and (b) we don’t want our own blog to start appearing on block lists.