More stories

  • Cloudflare says it stopped the largest DDoS attack ever reported

    Cloudflare said its system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack reached 17.2 million requests per second, three times larger than any previous one it had recorded. Cloudflare’s Omer Yoachimik explained in the post that the company served over 25 million HTTP requests per second on average in 2021 Q2, illustrating the enormity of the attack. He added that the attack was launched by a botnet that was targeting a financial industry customer of Cloudflare. It managed to hit the Cloudflare edge with over 330 million attack requests within seconds, he said.

    “The attack traffic originated from more than 20,000 bots in 125 countries around the world. Based on the bots’ source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined, indicating that there may be many malware infected devices in those countries,” Yoachimik said. “This 17.2 million rps attack is the largest HTTP DDoS attack that Cloudflare has ever seen to date and almost three times the size of any other reported HTTP DDoS attack. This specific botnet, however, has been seen at least twice over the past few weeks. Just last week it also targeted a different Cloudflare customer, a hosting provider, with an HTTP DDoS attack that peaked just below 8 million rps.” Yoachimik noted that two weeks before that, a Mirai-variant botnet “launched over a dozen UDP and TCP based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.” Cloudflare customers — including a gaming company and a major APAC-based telecommunications and hosting provider — are being targeted with attacks on both the Magic Transit and Spectrum services as well as the WAF/CDN service.

    According to Yoachimik, the Mirai botnet generated a significant volume of attack traffic despite shrinking to about 28,000 bots after starting with about 30,000. “These attacks join the increase in Mirai-based DDoS attacks that we’ve observed on our network over the past weeks. In July alone, L3/4 Mirai attacks increased by 88% and L7 attacks by 9%,” Yoachimik said. “Additionally, based on the current August per-day average of the Mirai attacks, we can expect L7 Mirai DDoS attacks and other similar botnet attacks to increase by 185% and L3/4 attacks by 71% by the end of the month.”

    Tyler Shields, CMO at JupiterOne, called the 17.2 million rps attack “significant” and told ZDNet that the ability for a DDoS attack to reach that level of bandwidth exhaustion means there is a significant backend infrastructure of either compromised hosts or hosts that have been scaled up with the sole purpose of sending malicious traffic. “The only other way to achieve these levels of bandwidth is to couple an enormous infrastructure with some kind of packet amplification technique. Either way, this is a meaningful attack that was not generated by a random attacker. This group is likely large, well funded, and dedicated,” Shields said.

    Howard Ting, CEO at Cyberhaven, added that DDoS attacks are a growing problem and one that we should expect to see more of. He noted that botnets such as Mirai, which launched the attack, rely heavily on compromised IoT devices and other unmanaged devices. “As the number of these devices grows, so too does the potential army for DDoS attacks,” Ting said.

    Yoachimik said Cloudflare’s autonomous edge DDoS protection system detected the 17.2 million rps attack and noted that the system is powered by a software-defined denial of service daemon the company calls dosd. “A unique dosd instance runs in every server in each one of our data centers around the world. Each dosd instance independently analyzes traffic samples out-of-path. Analyzing traffic out-of-path allows us to scan asynchronously for DDoS attacks without causing latency and impacting performance,” Yoachimik said. “DDoS findings are also shared between the various dosd instances within a data center, as a form of proactive threat intelligence sharing. Once an attack is detected, our systems generate a mitigation rule with a real-time signature that matches the attack patterns. The rule is propagated to the most optimal location in the tech stack.”
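    The dosd description above (out-of-path sampling, a per-window rate estimate, and a mitigation rule built from a signature of the attack pattern) can be illustrated with a small detector. The following is an added example written for this digest; it is not Cloudflare code and does not reflect how dosd is implemented. The sample rate, the 50,000 rps threshold, the dominance ratio and all of the traffic records are constructed assumptions.

```python
"""Toy out-of-path HTTP flood detector, modelled loosely on the dosd description.

Constructed example: a sampler forwards one request in SAMPLE_RATE; the detector
groups samples into fixed windows, scales the counts back up to an estimated
requests-per-second figure, flags windows above a threshold, and derives a
signature from attributes that are near-constant across the flood. The threshold,
sample rate and traffic records below are all made up for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 100        # assumption: the sampler hands us 1 in 100 requests
WINDOW_SECONDS = 1.0     # size of the analysis window
RPS_THRESHOLD = 50_000   # assumption: alert above 50k estimated rps in a window
DOMINANCE = 0.9          # an attribute value seen in >= 90% of a window's samples joins the signature


@dataclass(frozen=True)
class Request:
    ts: float
    src_ip: str
    country: str
    path: str
    user_agent: str


def estimate_rps(samples, window=WINDOW_SECONDS, sample_rate=SAMPLE_RATE):
    """Bucket sampled requests into fixed windows and scale counts back up."""
    buckets = defaultdict(list)
    for r in samples:
        buckets[int(r.ts // window)].append(r)
    return {w: (len(rs) * sample_rate / window, rs) for w, rs in buckets.items()}


def derive_signature(requests, dominance=DOMINANCE):
    """Keep only attributes whose most common value covers >= dominance of the window."""
    sig = {}
    for attr in ("path", "user_agent"):
        value, count = Counter(getattr(r, attr) for r in requests).most_common(1)[0]
        if count / len(requests) >= dominance:
            sig[attr] = value
    return sig


def detect_floods(samples):
    """Return one finding per window whose estimated rps exceeds the threshold."""
    findings = []
    for w, (rps, rs) in sorted(estimate_rps(samples).items()):
        if rps < RPS_THRESHOLD:
            continue
        countries = Counter(r.country for r in rs)
        findings.append({
            "window": w,
            "estimated_rps": rps,
            "distinct_sources": len({r.src_ip for r in rs}),
            "top_countries": countries.most_common(3),
            "signature": derive_signature(rs),
        })
    return findings


def matches(signature, req):
    """Mitigation rule: a request matches only if every signature attribute agrees.

    An empty signature matches nothing, so a flood with no dominant attribute never
    turns into a rule that would drop all traffic.
    """
    return bool(signature) and all(getattr(req, k) == v for k, v in signature.items())


def build_samples():
    """Constructed traffic: a quiet first second, then a flood in the second one."""
    samples = [Request(0.1 * i, f"203.0.113.{i}", "US", f"/page{i % 3}", f"Mozilla/5.0 v{i}")
               for i in range(5)]
    for i in range(800):   # 800 samples * 100 = 80,000 estimated rps in window 1
        samples.append(Request(1.0 + i / 800, f"198.51.100.{i % 250}",
                               ["ID", "IN", "BR", "US"][i % 4], "/login", "curl/7.0"))
    return samples


if __name__ == "__main__":
    for finding in detect_floods(build_samples()):
        print(finding)
```

    The point of the sampled design is the same one Yoachimik makes: the detector never sits in the request path, so it adds no latency, and the cost of a false alarm is bounded by how specific the derived signature is rather than by a blanket block.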

  • Cisco says it will not release software update for critical 0-day in EOL VPN routers

    Cisco announced recently that it will not be releasing software updates for a vulnerability in the Universal Plug-and-Play (UPnP) service of its Small Business RV110W, RV130, RV130W, and RV215W Routers. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. “This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” Cisco said in a statement. “Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.” The vulnerability only affects the RV Series Routers if they have UPnP configured, but the UPnP service is enabled by default on LAN interfaces and disabled by default on WAN interfaces. The company explained that to find out whether the UPnP feature is enabled on the LAN interface of a device, users should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device. Cisco said that while disabling the affected feature has been proven successful in some test environments, customers should “determine the applicability and effectiveness in their own environment and under their own use conditions.”

    Cisco also warned that any workaround or mitigation might harm how the network functions or performs, and urged customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers. The vulnerability and Cisco’s notice caused a minor stir among IT leaders, some of whom said exploiting it requires the threat actor to have access to an internal network, which can be gained easily through a phishing email or other methods. Jake Williams, CTO at BreachQuest, added that once inside, a threat actor could use this vulnerability to easily take control of the device using an exploit. “The vulnerable devices are widely deployed in smaller business environments. Some larger organizations also use the devices for remote offices. The vulnerability lies in uPnP, which is intended to allow dynamic reconfiguration of firewalls for external services that need to pass traffic inbound from the Internet,” Williams told ZDNet. “While uPnP is an extremely useful feature for home users, it has no place in business environments. Cisco likely leaves the uPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product. Staff in these environments need everything to ‘just work.’ In the security space, we must remember that every feature is also additional attack surface waiting to be exploited.” Williams added that even without the vulnerability, if uPnP is enabled, threat actors inside the environment can use it to open ports on the firewall, allowing in dangerous traffic from the Internet. “Because the vulnerable devices are almost exclusively used in small business environments, with few dedicated technical support staff, they are almost never updated,” he noted. Vulcan Cyber CEO Yaniv Bar-Dayan said UPnP is a much-maligned service used in the majority of internet connected devices, estimating that more than 75% of routers have UPnP enabled.

    While Cisco’s Product Security Incident Response Team said it was not aware of any malicious use of this vulnerability so far, Bar-Dayan said UPnP has been used by hackers to take control of everything from IP cameras to enterprise network infrastructure. Other experts, like nVisium senior application security consultant Zach Varnell, added that it’s extremely common for the devices to rarely — or never — receive updates. “Users tend to want to leave well enough alone and not touch a device that’s been working well — including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately, vulnerable,” Varnell said. New Net Technologies global vice president of security research Dirk Schrader added that while UPnP is one of the least known utilities to average consumers, it is used broadly in SOHO networking devices such as DSL or cable routers, WLAN devices, and even printers. “UPnP is present in almost all home networking devices and is used by devices to find other networked devices. It has been targeted before, and one of the big botnets, Mirai, relied heavily on UPnP. Given that the named Cisco devices are placed in the SOHO and SMB segment, the owners are most likely not aware of UPnP and what it does,” Schrader said. “That and the fact that no workaround or patch is available yet is a quite dangerous combination, as the installed base is certainly not small. Hope can be placed on the fact that — by default — UPnP is not enabled on the WAN interfaces of the affected Cisco device, only on the LAN side. As consumers are not likely to change that, for this vulnerability to be exploited, attackers seem to need a different, already established footprint within the LAN. But attackers will check the vulnerability and see what else can be done with it.”

  • T-Mobile CEO apologizes for massive hack, announces cybersecurity deal with Mandiant

    T-Mobile’s CEO has finally spoken out about the massive hack that exposed millions of customers’ sensitive information, apologizing for the leak and announcing a cybersecurity pact with Mandiant. CEO Mike Sievert on one hand sought to downplay the incident — which led to the leak of nearly 48 million social security numbers alongside other information from a total of 50 million people — by touting the fact that no financial information was lost. He also implied that the leak of social security numbers, driver’s licenses and ID information was “like so many breaches before,” but admitted that the company had failed to keep its customers’ data safe. “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them,” Sievert said. “We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.” Sievert explained that the company hired Mandiant to conduct an investigation into the incident and said it has since closed the server entry points that gave the hacker, allegedly 21-year-old John Binns, access to T-Mobile data. He would not provide more information about the breach because the company is “actively coordinating with law enforcement on a criminal investigation.” On Thursday, Binns openly took credit for the hack in an interview with the Wall Street Journal while mocking T-Mobile’s lackluster cybersecurity.

    “I was panicking because I had access to something big. Their security is awful,” Binns said, adding that he launched the attack because of his anger at US law enforcement agencies for allegedly torturing him in Germany and Turkey. Binns initially claimed he had access to the information of about 100 million customers, but T-Mobile later confirmed that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile. Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.” “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised.” T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack.

    Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which it said will make it more difficult for customer accounts to be fraudulently ported out and stolen. It urged customers to reset all passwords and PINs as well. Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLG to beef up its cybersecurity and give the telecommunications giant the “firepower” needed to improve its ability to protect customers from cybercriminals. “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.” Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future. T-Mobile did not respond to requests for further comment from ZDNet.

    The telecom giant, which is the second largest in the US behind Verizon, has a terrible cybersecurity track record. Before the attack two weeks ago, the company had announced four data breaches in the last three years.

  • Azure Cosmos DB alert: This critical vulnerability puts users at risk

    If you’re running NoSQL databases on Microsoft’s Azure cloud, chances are you’re running Cosmos DB. And, if that’s you, you’re in trouble. Even Microsoft has admitted that this newly discovered critical vulnerability, ChaosDB, enables intruders to read, change or even delete all your databases.

    Ouch! According to the Microsoft email describing the problem to affected customers, “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.” That’s a good thing, because according to the cloud security firm WIZ, which uncovered the ChaosDB security hole, it “gives any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment and impacts thousands of organizations, including numerous Fortune 500 companies.” How trivial is the exploit? Very. According to WIZ, all an attacker needs to do is exploit an easy-to-follow chain of vulnerabilities in Cosmos DB’s Jupyter Notebook. Jupyter Notebook is an open-source web application that is directly integrated with your Azure portal and Cosmos DB accounts. It allows you to create and share documents that contain live code, equations, visualizations, and narrative text. If that sounds like a lot of access to give to a web application, you’re right, it is. As bad as that is, once an attacker has access to the Jupyter Notebook, they can obtain the target Cosmos DB account credentials, including the databases’ Primary Key. Armed with these credentials, an attacker can view, modify, and delete data in the target Cosmos DB account in multiple ways.

    To patch this hole, you must regenerate and rotate your primary read-write Cosmos DB keys for each of the impacted Azure Cosmos DB accounts. That’s easy enough. And, Microsoft claims, while this vulnerability is bad news, you don’t have to worry that much about it. Microsoft states: “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent [the] risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.” WIZ isn’t so optimistic. While agreeing that Microsoft’s security took immediate action to fix the problem and disabled the vulnerable feature within 48 hours of being told about ChaosDB, the researchers point out that “the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed.” I agree. It’s far better to be safe than sorry when dealing with a security hole of this size and magnitude.

  • Parents of teens who stole $1 million in Bitcoin sued by alleged victim

    The parents of two teenagers allegedly responsible for stealing $1 million in Bitcoin are being sued.

    According to court documents obtained by Brian Krebs, Andrew Schober lost 16.4552 Bitcoin (BTC) in 2018 after his computer was infected with malware, allegedly the creation of two teenagers in the United Kingdom. The complaint (.PDF), filed in Colorado, accuses Benedict Thompson and Oliver Read, who were minors at the time, of creating clipboard malware. The malicious software, designed to monitor cryptocurrency wallet addresses, was downloaded and unwittingly executed by Schober after he clicked on a link, posted to Reddit, to install the Electrum Atom cryptocurrency application. During a transfer of Bitcoin from one account to another, the malware triggered a Man-in-The-Middle (MiTM) attack, apparently replacing the address with one controlled by the teenagers and thereby diverting the coins into their wallets. According to court documents, this amount represented 95% of the victim’s net wealth at the time of the theft. At today’s price, the stolen Bitcoin is worth approximately $777,000. “Mr. Schober was planning to use the proceeds from his eventual sale of the cryptocurrency to help finance a home and support his family,” the complaint reads.

    The pair, tracked down during an investigation paid for by Schober, are now adults and are studying computer science at UK universities. The mothers and fathers of Thompson and Read are named in the complaint. Emails were sent to the parents prior to the complaint requesting that the teenagers return the stolen cryptocurrency to prevent legal action from being taken. The letter reads, in part: “As his parents, I am appealing to you to first give him the chance to make this right, without involving law enforcement. Your son is obviously a very intelligent young man. I do not wish for him to be robbed of his future.” However, the requests, sent in 2018 and 2019, were met with silence. Schober’s complaint claims that the parents “knew or reasonably should have known” what their children were up to, and that they also failed to take “reasonable steps” in preventing further harm. In response (.PDF), the defendants do not argue the charge, but rather have filed a motion to dismiss based on two- and three-year statutes of limitation. “Despite his knowledge of his injury and the general cause thereof, Plaintiff waited to file his lawsuit beyond the two and three years required of him by the applicable statutes of limitations,” court documents say. “For this reason, Plaintiff’s claims against Defendants should be dismissed.” However, Schober’s legal team has argued (.PDF) that the teenagers were not immediately traced, and roughly a year passed between separately identifying Read and Thompson. Schober’s lawyers have requested that the motion to dismiss be denied.
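    The clipboard-swap technique described above is worth seeing from the defender’s side: the malware waits for an address-shaped string on the clipboard and silently replaces it, so the two checks that catch it are (a) noticing an address turn into a different address without the user copying anything, and (b) comparing the pasted destination against the one the user intended before broadcasting. The following is an added example written for this digest, not code from the case or from any wallet; the clipboard snapshot format, the `user_copied` flag (which a real monitor would have to derive from OS copy events) and every address below are constructed for illustration.

```python
"""Defensive check for clipboard address swapping, constructed for this example.

A clipboard monitor would feed a sequence of snapshots; find_swaps() flags the
moment an address-looking value is replaced by a *different* address-looking
value with no user copy action in between, which is exactly the behaviour of the
clipboard malware in the story. safe_to_send() is the pre-broadcast comparison a
wallet UI can make. Addresses, timestamps and the snapshot format are made up.
"""
import re
from dataclasses import dataclass

# Shape of legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
# Format check only: it deliberately does not verify the checksum.
BTC_ADDRESS = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{8,87})$")

# Constructed addresses (assumptions for the example, not real wallets).
INTENDED = "1VictimAddrXXXXXXXXXXXXXXXXXXXXX"
SWAPPED = "1AttackerXXXXXXXXXXXXXXXXXXXXXXX"
OTHER = "bc1qexample" + "x" * 30


@dataclass(frozen=True)
class Snapshot:
    ts: float
    content: str
    user_copied: bool   # assumption: True when the snapshot follows an explicit user copy


def looks_like_btc_address(text):
    return bool(BTC_ADDRESS.match(text.strip()))


def find_swaps(snapshots):
    """Return (ts, original, replacement) for each suspicious address replacement."""
    swaps = []
    prev = None
    for snap in snapshots:
        if (prev is not None and not snap.user_copied
                and looks_like_btc_address(prev.content)
                and looks_like_btc_address(snap.content)
                and prev.content != snap.content):
            swaps.append((snap.ts, prev.content, snap.content))
        prev = snap
    return swaps


def safe_to_send(intended, clipboard_value):
    """Pre-broadcast check: proceed only if the pasted address is exactly the intended one."""
    return intended.strip() == clipboard_value.strip()


def build_snapshots():
    """Constructed clipboard history: one swap at t=10.2, benign activity otherwise."""
    return [
        Snapshot(10.0, INTENDED, True),       # user copies the destination address
        Snapshot(10.2, SWAPPED, False),       # malware rewrites it 200 ms later
        Snapshot(15.0, "meeting notes", True),
        Snapshot(15.5, "meeting notes", False),
        Snapshot(20.0, OTHER, True),          # user copies another address
        Snapshot(20.3, OTHER, False),         # unchanged: not a swap
    ]


if __name__ == "__main__":
    for ts, before, after in find_swaps(build_snapshots()):
        print(f"t={ts}: clipboard address {before} replaced by {after}")
    print("safe to send:", safe_to_send(INTENDED, SWAPPED))
```

    The format regex is intentionally loose: the goal is to recognise that the clipboard held an address and now holds a different one, not to validate addresses. The comparison in `safe_to_send` is the control that would have stopped the transfer in the story, and it needs no monitor at all.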

  • Google: Here's how our $10bn investment will boost US cybersecurity

    Google has outlined its efforts to shape the US government’s zero-trust initiative, based on Biden’s May Executive Order on cybersecurity. Google’s $10 billion commitment to beefing up critical US infrastructure includes expanding zero-trust programs, helping to secure software supply chains, and enhancing open-source security. Its contributions will see the company leverage initiatives that have been underway at Google for many years, spanning open-source fuzzing tools to funding Linux kernel developers to work on security, and pushing for the use of memory-safe languages in Linux. It comes after US president Joe Biden called on the chiefs of Apple, Google, Microsoft and JPMorgan Chase earlier this week to beef up the nation’s protection of critical infrastructure. Although Google was not among the 18 cybersecurity companies selected to work with the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) program — which will create Zero Trust designs for federal agencies to implement — it is now collaborating with NIST to develop a framework, Google’s Eric Brewer and Dan Lorenc said in a blog post. Zero Trust assumes that a network has been breached and refocuses cybersecurity on apps, data and people, rather than hardening the network perimeter. “Instead of being reactive to vulnerabilities, we should eliminate them proactively with secure languages, platforms, and frameworks that stop entire classes of bugs,” said Brewer and Lorenc.

    “Preventing problems before they leave the developer’s keyboard is safer and more cost-effective than trying to fix vulnerabilities and their fallout.”

    Biden appealed to the private sector at the White House cybersecurity summit on Wednesday, noting that the federal government alone couldn’t meet the challenge of protecting critical infrastructure from cyberattacks. Google and Microsoft committed $10 billion and $20 billion, respectively, over five years to improve the US response to future threats, following recent high-profile cyber attacks including the Colonial Pipeline ransomware attack, the SolarWinds software supply chain attack and widespread hacking of Microsoft Exchange server vulnerabilities. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do,” Biden said, according to The Washington Post. In June, Brewer submitted four papers in response to Biden’s cybersecurity Executive Order 14028 on enhancing software supply chain security. One of the papers discusses the security problems inherent to coding in the C programming language and the emergence of Rust. “Secure languages and application frameworks can be used to impose a structure on software that enables high-confidence reasoning about its security, at scale,” Brewer wrote.

    “But ensuring that this requirement is actually fulfilled for real-world C code is challenging, and often requires difficult reasoning about heap memory structure. Similarly, it is difficult to ensure correct validation and escaping for all data that flows into a web application’s HTML markup, since data often passes through several components on its way from inputs to outputs, such as through a storage schema.” “In contrast, Rust has emerged as a practical alternative to C and C++ as a systems-development language, embodying a secure-by-construction stance on memory safety. Rust’s type system imposes an ownership discipline that ensures, for example, that freed memory cannot be accessed.” To that end, Google is backing a plan to get Rust into the Linux kernel as a second language to C. Lorenc and Brewer argue that software bugs should be limited from the outset, rather than just reacting to new vulnerabilities. Microsoft and Amazon Web Services are also backing Rust as a memory-safe alternative to C and C++ for systems programming. Google advocates for software code testing, including using tools from Microsoft-owned GitHub, such as Dependabot — a tool for keeping open source software packages or dependencies up to date. Google also offered its opinion on the idea of software bills of materials (SBOMs) as part of the official US response to software supply chain attacks. The Linux Foundation is contributing to this aspect of Biden’s order. It’s a complex problem to solve in both open-source and proprietary software due to the vast number of library dependencies used in modern programs. “SBOMs need a reasonable signal-to-noise ratio: if they contain too much information, they won’t be useful, so we urge the NTIA [National Telecommunications and Information Administration] to establish both minimum and maximum requirements on granularity and depth for specific use-cases,” Google said.

  • US charges HeadSpin ex-CEO over fake $1bn valuation scheme

    The US Securities and Exchange Commission (SEC) has charged the former CEO of HeadSpin for allegedly defrauding investors.

    Founded in 2015 and based in Silicon Valley, HeadSpin markets itself as an AI testing, dev-ops, and mobile testing platform. The co-founder and former chief executive, Manish Lachwani, led the company until May 2020. According to the SEC and the US Department of Justice (DoJ), the 45-year-old allegedly defrauded investors out of $80 million “by falsely claiming that the company had achieved strong and consistent growth in acquiring customers and generating revenue.” For approximately two years, the executive allegedly pushed for a valuation beyond $1 billion by inflating key financial metrics, doctoring internal sales records, and falsely increasing the value of deals still under discussion with potential clients, presenting them as secure and guaranteed revenue streams. The SEC says that through these methods, as well as the creation of fake, inflated customer invoices, Lachwani also “enriched himself” by selling $2.5 million of his own HeadSpin shares during a funding round. Monique Winkler, Associate Regional Director of the SEC’s San Francisco Regional Office, said these activities misled investors into believing the startup had achieved “unicorn” status, the term used for a privately-held startup that passes the $1 billion valuation threshold. However, his alleged actions did not go unnoticed, and an internal investigation by the firm’s board found issues with HeadSpin’s financial reporting.

    According to the US agencies, the probe resulted in the startup’s valuation being slashed from $1 billion to $300 million. The former CEO was then required to resign. Lachwani was arrested on Wednesday by US law enforcement. HeadSpin has not been charged and says it is cooperating with the US agencies. The SEC’s complaint, filed in the Northern District of California, charges Lachwani with violating US antitrust laws. The regulator is pursuing penalties, an injunction, and a court order to prevent the former CEO from acting as an officer or director in the future. Separately, the DoJ has filed one count of wire fraud and one count of securities fraud against the former executive. If convicted, Lachwani faces a maximum sentence of 20 years in prison for each charge, as well as fines of up to $250,000 and $5 million, respectively.

  • Ransomware: It's only a matter of time before a smart city falls victim, and we need to take action now

    Ransomware attacks are going to get worse – and one could eventually take out the infrastructure of an entire 5G-enabled smart city, a cybersecurity expert has warned. Cyber criminals deploying ransomware regularly target government services. Not only do public sector IT budgets mean networks are less secure against attacks, but those networks are also used to provide vital services to the community. In some cases, local government agencies simply pay the ransom to decrypt the network and restore services, making them ideal targets for extortion. Urban infrastructure, including emergency services, transport, traffic light management, CCTV and more, is increasingly becoming connected to 5G Internet of Things (IoT) services and sensors in order to collect data and provide better, more efficient services. But while connected cities have the potential to improve urban services, any lack of security in IoT devices could make them a very appealing target for ransomware attacks – and, given the current ransomware climate, it’s not a matter of if, but when. “I look two years out and my prediction is a 5G smart city will be held for ransom. I don’t see anything happening right now that tells me that this prediction is not going to come true,” Theresa Payton, CEO of Fortalice Solutions and former CIO at The White House, said in an interview with ZDNet Security Update. There have been many cases of cities and public infrastructure being compromised by ransomware – and it can be extremely disruptive. When cyber criminals attack hospitals with ransomware, for example, the nature of the industry means that in many cases – but not all – health service providers feel as if they have no option but to pay.

    And the continued success of ransomware attacks means going after connected infrastructure is the logical next step for cyber criminals. “I just don’t see enough progress being made that we’re going to be able to eradicate ransomware – I see it getting a lot worse, unfortunately, before we really figure out how to tackle it and it gets better,” said Payton, adding that cyber criminals “really don’t care what the downstream impacts are, they’re just trying to make a buck”. However, measures can be applied across smart cities to help protect them against cyber attacks. Guidance on smart city security from the UK’s National Cyber Security Centre (NCSC) recommends that cities should only roll out devices from trusted vendors, and that no IoT device on the network should use the default username and password, as this makes them easy targets. Organisations should also regularly check to see whether credentials belonging to employees with high-level account privileges have been exposed in a data breach. If so, passwords – and perhaps even account names – should be changed in order to reduce the risk of them being abused by ransomware groups or other cyber criminals. “Look for those email accounts, look for those passwords, and think about actually abandoning email accounts that are in password data dumps that have access to core systems,” said Payton.