Ecommerce revenue worldwide amounts to more than 1.7 trillion US dollars, in the year 2018 alone. And the growth is expected to increase furthermore.

However, with growth comes new challenges. One such problem is cybersecurity. In 2017, there were more than 88 million attacks on eCommerce businesses. And a significant portion includes small businesses.

Moreover, online businesses take a lot of days to recover from the attacks. Some businesses completely shut down due to the aftermath of the security breaches.

So, if you are a small business, it is essential to ensure the safety and security of your eCommerce site. Else, the risks pose a potential threat to your online business.

Here we discuss some basics to ensure proper security to your eCommerce site.

Add an SSL certificate

An SSL Certificate ensures that the browser displays a green padlock or in a way shows to the site visitors that they are safe; and that their data is protected with encryption during the transmission.

To enable or enforce an SSL certificate on your site, you should enable HTTPS—secured version of HyperText Transfer Protocol (HTTP)—across your website.

In general, HTTP is the protocol web browsers use to display web pages.

So, HTTPS and SSL certificates work hand in hand. Moreover, one is useless without the other.

However, you have to buy an SSL certificate that suits your needs. Buying a wrong SSL certificate would do no good for you.

Several types of SSL certificates are available based on the functionality, validation type, and features.

Some common SSL certificates based on the type of verification required are:

  1. Domain Validation SSL Certificate: This SSL certificate is issued after validating the ownership of the domain name.
  2. Organization Validation SSL Certificate: This SSL certificate additionally requires you to verify your business organization. The added benefit is it gives the site visitors or users some more confidence. Moreover, small online businesses should ideally opt for this type of SSL certificate.
  3. Extended Validation SSL Certificate: Well, this type of SSL certificate requires you to undergo more rigorous checks. But when someone visits your website, the address bar in the browser displays your brand name. It indicates users that you’re thoroughly vetted and highly trustworthy.

Here are some SSL certificate types based on the features and functionality.

  1. Single Domain SSL Certificate: This SSL certificate can be used with one and only one domain name.
  2. Wildcard SSL Certificate: This SSL certificate covers the primary and all the associated subdomains.
    Every subdomain along with the primary domain example.com will be covered under a single wildcard SSL certificate.
  3. Multi-Domain SSL Certificate: One single SSL certificate can cover multiple primary domains. The maximum number of domains covered depends on the SSL certificate vendor your purchase the certificate from. Typically, a Multi-Domain SSL Certificate can support up to 200 domain names.

Nowadays, making your business site secure with SSL certificate is a must. Otherwise, Google will punish you. Yes, Google ranks sites with HTTPS better than sites using no security.

However, if you are processing online payments on your site, then SSL security is essential. Otherwise, bad actors will misuse your customer information such as credit card details, eventually leading to identity theft and fraudulent activities.

Use a firewall

In general, a firewall monitors incoming and outgoing traffic on your servers, and it helps you to block certain types of traffic—which may pose a threat—from interacting or compromising your website servers.

Firewalls are available in both virtual and physical variants. And it depends on the type of environment you have in order to go with a specific firewall type.

Many eCommerce sites use something called a Web Application Firewall (WAF).

On top of a typical network firewall, a WAF gives more security to a business site. And it can safeguard your website from various types of known security attacks.

So, putting up a basic firewall is essential. Moreover, using a Web Application Firewall (WAF) is really up to the complexity of the website or application you have put up.

Protect your site from DDoS attacks

A type of attack used to bring your site down by sending huge amounts of traffic is nothing but denial-of-service-attack. In this attack, your site will be bombarded with spam requests in a volume that your website can’t handle. And the site eventually goes down, putting a service disruption to the normal/legitimate users.

However, it is easy to identify a denial-of-service-request, because too many requests come from only one source. And by blocking that source using a Firewall, you can defend your business site.

However, hackers have become smart and highly intelligent. They usually compromise various servers or user computers across the globe. And using those compromised sources, hackers will send massive amounts of requests. This type of advanced denial-of-service attack is known as distributed-denial-of-service-attack. Or simply put a DDoS attack.

When your site is attacked using DDoS, a common Firewall is not enough; because a firewall can only defend you from bad or malicious requests. But in DDoS, all requests can be good by the definition of the Firewall, but they overwhelm your website servers.

Some advanced Web Application Firewalls (WAF) can help you mitigate the risks of DDoS attacks.

Also, Internet Service Providers (ISPs) can detect them and stop the attacks from hitting your website servers. So, contact your ISP and get help from them on how they can protect your site from DDoS attacks.

If you need a fast and straightforward way to secure your website from distributed-denial-of-service attacks, services like Cloud Secure from Webscale Networks is a great option.

In the end, it is better to have strategies in place to mitigate DDoS attacks. Otherwise, your business site may go down and can damage your reputation—which is quite crucial in the eCommerce world.

Get malware protection

A Malware is a computer program that can infect your website and can do malicious activities on your servers.

If your site is affected by Malware, there are a number of dangers your site can run into. Or, the user data stored on your servers might get compromised.

So, scanning your website regularly for malware detection is essential. Symantec Corporation provides malware scanning and removal tools. These tools can help your site stay safe from various kinds of malware.

Encrypt data

If you are storing any user or business related data, it is best to store the data in encrypted form, on your servers.

If the data is not encrypted, and when there is a data breach, a hacker can easily use the data—which may include confidential information like credit card details, social security number, etc. But when the data is encrypted, it is much hard to misuse as the hacker needs to gain access to the decryption key.

However, you can use a tokenization system. In which, the sensitive information is replaced with a non-sensitive data called token.

When tokenization implemented, it renders the stolen data useless. Because the hacker cannot access the Tokenization system, which is the only component that can give access to sensitive information. Anyhow, your tokenization system should be implemented and isolated properly.

Use strong passwords

Use strong passwords that are at least 15 character length for your sites’ admin logins. And when you are remotely accessing your servers, use SSH key-based logins wherever possible. SSH key-based logins are proven to be more secure than password-based logins.

Not only you, urge your site users and customers to use strong password combinations. Moreover, remind them to change their password frequently. Plus, notify them about any phishing scams happening on your online business name.

For example, bad actors might send emails to your customers giving lucrative offers. And when a user clicks on the email, he will be redirected to a site that looks like yours, but it is a phishing site. And when payment details are entered, the bad actor takes advantage and commits fraudulent activities with the stolen payment info.

So, it is important to notify your user base about phishing scams and make your customers knowledgeable about cybersecurity.

Avoid public Wi-Fi networks

When you are working on your business site or logging into your servers, avoid public wifi networks. Often, these networks are poorly maintained on the security front. And they can become potential holes for password leaks.

However, public wifi networks can be speedy. So, when you cannot avoid using a public wifi network, use VPN services like ProtonVPN, CyberGhost VPN, TunnelBear VPN, etc, to mitigate the potential risks.

Keep your software update

To run an online business, you have to use various software components, from server OS to application middleware and frameworks.

Ensure that all these components are kept up to date timely and apply the patches as soon as they are available. Often these patches include performance improvements and security updates.

Some business owners might feel that this is a tedious process. But remember, one successful cyber attack has the potential to push you out of business for several days, if not entirely.

Conclusion

In this 21st century, web technology is growing and changing rapidly. So do the hackers from the IT underworld.

The steps mentioned above are necessary. But we cannot guarantee that they are sufficient. Moreover, each business case is different. You always have to keep yourself up to date. And it would help if you took care of your online business security from time to time. Failing which can make your business site a victim of cyber attacks.

Source: https://londonlovesbusiness.com/how-to-secure-your-online-business-from-cyber-threats/

Artificial intelligence (AI) is poised to impact every industry in the near future—including the lucrative business of malicious hacking and the cybersecurity industry working to defend against those attacks.

Enterprise IT and security professionals recognize AI’s potential in cybersecurity, according to a new report from Neustar: 87% of the 301 senior technology and security workers surveyed agreed that AI will make a difference in their company’s defenses. However, 82% said they are also afraid of attackers using AI against their company, the report found.

In a cyberattack, IT and security professionals said they most fear stolen company data (50%), loss of customer trust (19%), unstable business performance (16%), and the cost implications (16%).

Despite the risks, 59% of security pros said they remain apprehensive about adopting AI for security purposes, the report found.

“Artificial intelligence has been a major topic of discussion in recent times – with good reason,” Rodney Joffe, head of the the Neustar International Security Council and Neustar senior vice president and fellow, said in a press release. “There is immense opportunity available, but as we’ve seen today with this data, we’re at a crossroads. Organizations know the benefits, but they are also aware that today’s attackers have unique capabilities to cause destruction with that same technology. As a result, they’ve come to a point where they’re unsure if AI is a friend or foe.”

In terms of threats, security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). Nearly half of organizations surveyed (46%) said they had been on the receiving end of a DDoS attack in Q3 2018, a higher proportion than in years past, the report found.

“What we do know is that IT leaders are confident in AI’s ability to make a significant difference in their defenses,” Joffe said in the release. “So what’s needed now is for security teams to prioritize education around AI, not only to ensure that the most efficient security strategies have been implemented, but to give organizations the opportunity to embrace – and not fear – this technology.”

The big takeaways for tech leaders:

  • 82% of security professionals said they are afraid of attackers using AI in cyberattacks against their company. — Neustar, 2018
  • Security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). — Neustar, 2018

Source:https://www.techrepublic.com/article/82-of-security-pros-fear-hackers-using-ai-to-attack-their-company/

Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

  • Request an application-id using POST to URI http://x.x.x.x:8088/ws/v1/cluster/apps/new-application
  • Use the ‘application-id’ from the response in step 1 and submit a new task to the cluster manager using the POST method to URI http://x.x.x.x:8088/ws/v1/cluster/apps and with the body containing the following JSON encoded data structure:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, slowly starting end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

More recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we came to expect from multiplatform IoT malwares:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed to be different enough to continue the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands form the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23 depending on the availability of python or perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown” depending on the availability of a Python or Perl interpreter on the device server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot based on package installer configuration files. Value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:

Fixed payload used by the STD UDP attack:

IOC

8805830c7d28707123f96cf458c1aa41  wget
1bd637c0444328563c995d6497e2d5be  tftp
a89f377fcb66b88166987ae1ab82ca61  sshd
8b0b5a6ee30def363712e32b0878a7cb  sh
86741291adc03a7d6ff3413617db73f5  pftp
3e6d58bd8f10a6320185743d6d010c4f  openssh
fc4a4608009cc24a757824ff56fd8b91  ntpd
d80d081c40be94937a164c791b660b1f  ftp
b878de32a9142c19f1fface9a8d588fb  cron
46a255e78d6bd3e97456b98aa4ea0228  bash
53f6451a939f9f744ab689168cc1e21a  apache2
41edaeb0b52c5c7c835c4196d5fd7123  [cpu]

Source:https://securityboulevard.com/2018/10/new-demonbot-discovered/

Travel industry staff are the “weakest link” in the fight against cybercrime, a security expert has warned.

Cyber consultant Bruce Wynn said cybercrime attacks risked bringing down entire businesses.

He was speaking at the launch of anti-fraud group Profit’s Secure Our Systems campaign, backed by Travel Weekly.

Wynn, who has 40 years’ cybersecurity experience and is one of several experts supporting the seven-week campaign, which aims to give the industry the tools to fight cybercrime, said: “The weakest link in any cybersecurity chain is the thing that fills the space between the keyboard and the floor.”

There was a 92% rise in the number of cyberattack reports made to Action Fraud between January 2016 and September 2018, from 1,140 to 2,190, according to The City of London Police’s National Fraud Intelligence Bureau. Reports of hacking, in which fraudsters gain unauthorised access to data, saw the biggest increase, up 110%.

Wynn believes all travel firms will have experienced cyberattacks but some may not know it.

“You need to have planned well ahead for what you will do when you do discover you’ve been attacked, including how to recover from some of the damage that will have been caused,” he said.

He said a ransomware attack, for example, could be “catastrophic” as a company could lose all data without an adequate data recovery plan. It could also face a GDPR fine.

“It will cost you big time if criminals get into your system and even just corrupt your information to the point you can no longer do business confidently,” he warned.

Other threats include cloned websites, impersonating chief executives and insider fraud, with criminals using techniques such as phishing and hacking to get into companies’ computer systems to steal money or information.

Wynn said one of the most productive attacks is spear phishing, which targets an individual for sensitive or confidential information and often relies on the vulnerability of the person involved.

“The bad guys are going to get in and they will do damage,” he said. “Who are your staff going to call? Your troops need to know how to detect something suspicious, and what to do.

“Computer technicians can try to ‘backstop’ some of it, but staff need to be educated and trained and get a professional to assess how their business can best manage its risk in terms of cybercrime as part of its wider risk assessments.”

At the very minimum all companies should have up-to-date systems in place with anti-virus and anti-fraud software and back-up programs that are regularly tested to ensure any data lost can be recovered.

Wynn believes 80% of attacks can be mitigated at “almost zero cost” to businesses. “Thirty minutes now [on planning] could save lots of money, embarrassment, legal costs and even your business, later on,” he said.

Wynn recommended free resource Cyber Essentials, at cyberessentials.ncsc.gov.uk. The government-backed scheme offers guidelines on self-assessment and access to professional advice on cyber security.

What are the cyber threats?

Here are some common terms for malicious technology and fraudulent activity.

DDoS attack – a distributed denial-of-service attack is where multiple computers flood a server, website or network with unwanted traffic to make it unavailable to its intended users temporarily or indefinitely.

Ransomware – a type of malicious software (malware), usually deployed through spam or phishing, designed to block access to a computer system, typically by encryption, until a sum of money is paid. It can be spread through email attachments, infected software apps, compromised websites and infected external storage devices. Famous examples include the WannaCry attack last year.

Rootkits – a set of software tools that enable an unauthorised user to take over a computer system without detection.

Trojan – type of malicious software often disguised as a legitimate app, image, or program. Typically users are tricked into loading and putting Trojans on their systems.

Viruses – a piece of computer code capable of copying itself, normally deployed through a spam or phishing attack that typically has a detrimental effect, such as corrupting the system, stealing, or destroying data.

Worms – self-replicating malware that duplicates itself to spread to uninfected computers.

CEO fraud – a senior executive in a company is impersonated to divert payments for products and services to a fraudulent bank account. Typically the fraud will target the company’s finance department via email or over the telephone.

Account takeover fraud – a form of identity theft in which the fraudster accesses the victim’s bank or credit card accounts through a data breach, malware or phishing, to make unauthorized transactions.

Insider fraud – when an employee uses his or her position in an organization to steal money or information to threaten security

Cloned websites – when a fraudster copies or modifies an existing website design or script to create a new site in order to steal money.

Phishing – when emails purport to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.

Spearphishing – email scam targeted to one specific individual, organisation or business often to steal sensitive information for malicious purposes. These purport to be from someone you know and use your name.

SMiShing (or SMS phishing) – type of phishing attack where mobile phone users receive text messages with a website hyperlink which, if clicked on, will download a Trojan horse (malicious software) to the phone.

Hacking – unauthorised intrusion into a computer or network.

Bot– a computer infected with software that allows it to be controlled by a remote attacker. This term is also used to refer to the malware itself.

Exploit kit – code used to take advantage of vulnerabilities in software code and configuration, usually to install malware. This is why software must be kept updated.

Keylogger – a program that logs user input from the keyboard, usually without the user’s knowledge or permission, often using memory sticks on laptop ports.

Man-in-the-Middle Attack – similar to eavesdropping, this is where criminals use software to intercept communication between you and another person you are emailing, for example when you are using third-party wi-fi in a café or on a train.

Source: http://www.travelweekly.co.uk/articles/314616/travel-staff-are-the-weakest-link-in-cybersecurity-says-expert

Chalubo is a new botnet which is targeting poorly-secured Internet of Things (IoT) devices and servers for the purpose of distributed denial-of-service (DDoS) attacks.

Researchers from cybersecurity firm Sophos said this week that the botnet is becoming “increasingly prolific” and is ramping up efforts to target Internet-facing SSH servers on Linux-based systems alongside IoT products.

The main Chalubo bot is not only adopting obfuscation techniques more commonly found in Windows-based malware but is also using code from Xor.DDoS and Mirai, the latter of which was responsible for taking down Internet services across the US and Europe three years ago.

Chalubo contains a downloader, the main bot — which runs on systems with an x86 processor architecture, and a Lua command script. The downloader is the Elknot dropper, which has previously been linked to the Elasticsearch botnet.

Different versions of the bot have been uncovered by the researchers which operate on other processors — such as 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC — which the team suggests “may indicate the end of a testing period.”

Attacks began in late August, and one assault registered at a Sophos honeypot on September 6 gave the firm an insight into the new bot’s capabilities.

Chalubo attempted to brute-force attack and secure the credentials of the honeypot, and while the attackers believed they were able to gain a shell through root admin, the researchers silently recorded how they used commands to ‘stop’ firewall protections and install malicious components.

The main bot component and the corresponding Lua command script are encrypted using the ChaCha stream cipher, and when the attack against the honeypot was launched, one particular command — libsdes — stood out.

Upon execution, libsdes creates an empty file to prevent the malware accidentally executing more than once. The botnet then attempts to copy itself with a random string of letters and numbers in /usr/bin/, forking itself to create multiple points of persistence to survive a reboot.

A script is then dropped and executed for additional persistence, which Sophos says is close to a carbon copy of how the Xor.DDoS family operates.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks,” Sophos says. “Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.”

The bot itself contains snippets of Mirai but the majority of the code is new. The Lua command script communicates with the botnet’s command-and-control (C2) server and will download, decrypt, and execute any additional script it finds.

The sample of Lua Sophos obtained was designed to prompt the bot to perform an SYN flood attack, a kind of DoS which sends SYN packets at high packet rates in an attempt to overwhelm a system.

In this case, a single Chinese IP address was targeted.

Sophos expects that as the botnet appears to be reaching the end of a testing phase, we may expect more widespread attacks from this botnet in the future. However, Chalubo is far from the only botnet menace out there.

In September, researchers from Avast revealed the existence of Torii, a botnet which is considered “a level above anything we have seen before” — including Mirai.

Source: https://www.zdnet.com/article/this-botnet-snares-your-smart-devices-to-perform-ddos-attacks/