One small organisation accidentally turned off their network firewall. Within 15 minutes ZORB detected their data being sent not to one, but to TWO different data centres in China. The evidence led us to believe these were two separate compromises.

Learning Point

The speed with which a vulnerable network can be compromised is measured in minutes, not months.

One user got a little more than they expected when booking accommodation with a well-known vacation rental company. ZORB detected that the website had been compromised and had downloaded malware to the user’s PC. We immediately suggested the user run an antivirus scan, which detected and safely removed the download before any damage could be done.


Learning Point

You always need to be vigilant of a website masquerading as something it is not.

How much traffic actually gets sent over a VPN? ZORB is often asked to test VPNs. Whilst testing one leading VPN product, we found that only HTTPS traffic was sent over the VPN. Email, file transfer and non-encrypted web traffic were sent outside it.

So, hang on. The only traffic that did not need the VPN (the already-encrypted web traffic) was being sent over the ‘encrypted’ VPN, while the non-encrypted traffic wasn’t!

It is actually quite hard to send email over a VPN, depending on which provider you use. By default, most providers do not encrypt email. Ensure that your email provider uses encryption such as TLS (in transit) or S/MIME (end-to-end).
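The test described above boils down to one question per flow: did it leave through the tunnel interface or through the physical one, and was its payload cleartext? The following is an added example (not ZORB’s code nor any VPN vendor’s) that audits a capture summary in that way. The interface names (tun0, wlan0), the port-to-service table and the sample flows are constructed assumptions; in practice the flow lines would come from a packet capture taken while the VPN is up.

```python
# Added example (not ZORB's or a VPN vendor's code): audit which captured
# flows actually left through the VPN tunnel. Interface names, ports and
# the sample flows are constructed assumptions.
from collections import Counter
from typing import NamedTuple

VPN_IFACE = "tun0"        # assumed tunnel interface
PHYSICAL_IFACE = "wlan0"  # assumed Wi-Fi interface the VPN should cover

# Services whose payload is cleartext on the wire unless upgraded (e.g. STARTTLS);
# port-based classification is a heuristic, not proof of what the payload was.
CLEARTEXT_PORTS = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 465: "smtps", 587: "submission",
                   993: "imaps", 995: "pop3s"}


class Flow(NamedTuple):
    iface: str      # egress interface the flow was seen on
    dst_ip: str
    dst_port: int


# Constructed capture summary: egress interface, destination, destination port
SAMPLE_FLOWS = """\
tun0 203.0.113.10 443
wlan0 198.51.100.25 25
wlan0 198.51.100.26 21
wlan0 198.51.100.27 80
tun0 203.0.113.11 443
wlan0 198.51.100.28 143
wlan0 198.51.100.29 993
"""


def parse_flows(text):
    """Parse 'iface dst_ip dst_port' lines; malformed lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows


def service_name(port):
    """Human-readable service for a port, falling back to the port number."""
    return CLEARTEXT_PORTS.get(port) or ENCRYPTED_PORTS.get(port) or f"port-{port}"


def audit_tunnel(flows, vpn_iface=VPN_IFACE):
    """Split flows into inside/outside the tunnel and list the cleartext
    services that bypassed it (the leaks a VPN user would not expect)."""
    inside = [f for f in flows if f.iface == vpn_iface]
    outside = [f for f in flows if f.iface != vpn_iface]
    leaks = [f for f in outside if f.dst_port in CLEARTEXT_PORTS]
    return {
        "inside": Counter(service_name(f.dst_port) for f in inside),
        "outside": Counter(service_name(f.dst_port) for f in outside),
        "cleartext_outside_vpn": leaks,
    }


if __name__ == "__main__":
    report = audit_tunnel(parse_flows(SAMPLE_FLOWS))
    print("via tunnel:   ", dict(report["inside"]))
    print("outside tunnel:", dict(report["outside"]))
    for leak in report["cleartext_outside_vpn"]:
        print(f"LEAK {service_name(leak.dst_port)} -> {leak.dst_ip} on {leak.iface}")
```

With the constructed sample the report reproduces the pattern in the text: only the HTTPS flows went through tun0, while SMTP, FTP, HTTP and IMAP left on wlan0 in the clear (the IMAPS flow also bypassed the tunnel but is at least encrypted).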


Learning Point

Don’t believe everything you read on the box.

ZORB detected a PC regularly scanning its home office network. The scan was being done stealthily, probing only a few devices every few days. However, the PC was scanning a different address range from the home office network, so it was finding nothing.

At first we thought it was an innocent software misconfiguration, such as software configured for the corporate office IP range rather than the user’s home office IP range.

But two things were unusual:

1) The port the PC was using to scan did not correspond to any software installed on the PC.

2) ZORB also detected that the PC was periodically connecting to a compromised third-party ID server to which the business was not subscribed.

An antivirus scan did not reveal anything. Only a complete rebuild of the PC removed the issue.
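The two signals in this case, a slow scan of a few addresses every few days in a range that is not the local subnet, and a scanning port that no installed software accounts for, can both be checked from flow records. The following is an added example (not ZORB’s code) that does so. The log format, the home office range, the addresses, dates and the software inventory are all constructed for the example; the thresholds are assumptions a defender would tune to their own network.

```python
# Added example (not ZORB's code): detect a host that slowly probes a few
# addresses every few days on one port, outside the local subnet, and check
# whether that port belongs to any known software. Log format, addresses,
# dates, thresholds and the inventory are constructed assumptions.
import ipaddress
from collections import defaultdict
from datetime import datetime

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home office range

# Constructed flow log: timestamp, source, destination, destination port, TCP flags
SAMPLE_LOG = """\
2024-03-01T02:10:00 192.168.1.50 10.10.0.5 445 S
2024-03-01T02:10:07 192.168.1.50 10.10.0.9 445 S
2024-03-03T03:41:10 192.168.1.50 10.10.0.12 445 S
2024-03-03T03:41:18 192.168.1.50 10.10.0.13 445 S
2024-03-06T01:05:00 192.168.1.50 10.10.0.21 445 S
2024-03-06T01:05:03 192.168.1.50 10.10.0.22 445 S
2024-03-01T09:00:00 192.168.1.20 192.168.1.1 53 S
2024-03-02T09:00:00 192.168.1.20 192.168.1.1 53 S
"""

# Constructed inventory: installed software and the ports it is known to use
SOFTWARE_INVENTORY = {"backup-agent": {8200}, "printer-driver": {631, 9100}}


def parse_log(text):
    """Parse 'ts src dst dport flags' lines into dicts; skip malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "flags": flags,
        })
    return records


def find_slow_scanners(records, home_net, min_targets=4, min_days=2):
    """Group connection attempts (SYN only) by source and flag sources that
    touch many distinct destinations across several days; a low per-day
    count is exactly what a stealthy scan looks like."""
    by_src = defaultdict(list)
    for r in records:
        if r["flags"] == "S":
            by_src[r["src"]].append(r)
    findings = {}
    for src, flows in by_src.items():
        targets = {r["dst"] for r in flows}
        days = {r["ts"].date() for r in flows}
        if len(targets) >= min_targets and len(days) >= min_days:
            findings[str(src)] = {
                "targets": len(targets),
                "days": len(days),
                "ports": sorted({r["dport"] for r in flows}),
                "per_day": round(len(flows) / len(days), 1),
                # True when none of the probed addresses are on the local subnet
                "off_subnet": all(dst not in home_net for dst in targets),
            }
    return findings


def port_has_owner(port, inventory):
    """True if some installed software in the inventory is known to use the port."""
    return any(port in ports for ports in inventory.values())


if __name__ == "__main__":
    for src, info in find_slow_scanners(parse_log(SAMPLE_LOG), HOME_NET).items():
        unowned = [p for p in info["ports"] if not port_has_owner(p, SOFTWARE_INVENTORY)]
        print(src, info, "ports with no known owner:", unowned)
```

On the constructed log, 192.168.1.50 is flagged: six targets over three days, two probes per day, every target outside 192.168.1.0/24, and port 445 is not attributable to anything in the inventory. The DNS client at 192.168.1.20 talks to one address only and is not reported.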


Learning Point

Antivirus is not foolproof; it is quite easy for malware to bypass it. Some industry regulators now mandate that devices run two different AVs. With billions of new malware variants released each year, AV can at best detect 5-10% of known malware. Running two therefore provides at most 20% coverage of known malware, assuming the two AV products don’t interfere with each other. Antivirus also only protects the single device it is installed on, and only from Internet-delivered malware. ZORB Network Shield monitors network traffic for malicious activity that an AV will miss.

We’ve lost count at ZORB of how many times we’ve detected innocent websites linking to malware delivery servers via adverts. Most websites have no control over the adverts they serve. ZORB alerts users when they click on such a link.


Learning Point

Each time you click a third-party link on a website you take a risk. However, there are ways to reduce the risk.

If you have ever read the T&Cs when connecting to public WiFi (have you really?) you will discover that the provider a) accepts no responsibility for your device being compromised, but b) ‘enforces’ your protection by stating that anyone found scanning the WiFi will be removed.

ZORB’s free Coffee Shield alerts you if anything attempts to connect to your PC on a public network. Occasionally a router or DHCP server will send a broadcast; this is normal, and ZORB will detect it too.

Whilst sat in a well-known brand coffee shop in London, it was interesting to observe the different techniques that someone was using to attempt to connect to my PC. Unbeknown to them, I was watching their every move.

Learning Point

Public WiFi is ‘public’: everything you do on it is visible to anyone else. If you have the data allowance, use your mobile phone as a private hotspot rather than using public WiFi.