Techie Feeds

Zombie email rises from grave after eight years of radio silence

Malwarebytes - Fri, 03/08/2019 - 16:00

In a novel twist on “What happens to our accounts when we die,” we have “what happens to our abandoned accounts while we’re still alive”. In this case, UK ISP TalkTalk kept an old customer’s email account alive some eight years after she closed it—which left it wide open for takeover by spammers.

If you’ve cancelled an account and wondered which bits of your digital data continue to live on, this story is for you.

I’ve talked in the past about how when loved ones die, their emails, social network accounts, and more keep on keeping on. Of course, this content is a prime target for cybercriminals, who can pilfer contacts and other data from long-dormant accounts.

There are typically three ways of “rezzing” a dormant account, aka bringing it back. They are:

Accidental: This is where a previously dormant account comes back to life, but with no malicious intent behind it. For example, critic Roger Ebert’s wife accidentally started sending public messages instead of direct messages via his inactive Twitter feed.

Targeted: This is when trolls or other ne’er-do-wells specifically target an account to cause distress or just get a cheap laugh. A victim of the 2012 Aurora, Colorado, cinema shooting randomly tweeted “I’m alive” some years after the event. This was, of course, enormously distressing for everyone involved.

Non targeted: This is a deliberate hack, but it isn’t specifically about the victim. Rather, the account is just there to serve as a sock puppet/fake account to sell a scam or push a bogus product. It’s quite common on social media, and for the scammer, it’s “just business.”

What happened with TalkTalk?

While we often see accounts belonging to the dead compromised and dragged into all manner of dubious online activities, this situation is a little different. The outcome is the same—an account, long dormant, is harvested and brought back into action, zombie-style. However, in this case, the former account owner is still alive. It’s a “non targeted” if we’re going by the examples above, but, in contrast to those examples, it’s causing considerable headaches for the account owner.

Companies usually keep multiple pieces of data on former customers for a period after account cancellation—web browsing history, payment methods, or old addresses, for example. But to keep an email dormant while attached to someone’s identity—and for eight full years—is a bad idea, because at some point it’s probably going to be compromised.

The compromise doesn’t even have to be a database breach. It could be something as simple as the person having drastically improved their security practices over the years, yet old accounts are forever tied to something like “password123”.

In this case, the account was indeed hijacked somehow. (The Register article doesn’t go into detail on this, and frankly it’d be a minor miracle if the affected person had any idea what happened some eight years on).

Friends of the account owner became aware something was up when the account started sending them emails with suspicious links to .pdf and .img files. The scammers reused previous subject lines to make it all look a touch more above board. This is similar to how mail menaces will use “RE:…” in their subject titles to make the email look as though it’s part of an actual discussion.

Why is this a problem?

The former owner couldn’t get the account shut down due to a multi-tiered portal setup. It’s not uncommon for ISPs to have multiple login sections, some of which cater to generic items and others to specific account features, or packages, or and anything else you care to think of. This is especially common when an organisation offers television, phone, Internet, and other services.

While this wouldn’t ordinarily be a problem, in order to shut down the compromised account, the former owner needed access to a specific portal that required her to be a current customer. As she’s not, TalkTalk requested two forms of identification to prove her identity. Given previous stories on TalkTalk’s data breaches, she may be reluctant to hand it over.

What happens now?

Nobody is quite sure. Even if the ex-customer weren’t asking for it to be shut down, one would imagine TalkTalk would see it being used for spam and disable it. That has to break a ToS somewhere alone the line.

Most ISPs issue an ISP-branded email regardless of whether you want one or not. With that in mind, it’s worth logging into whatever portal you have available and having a look around. If an email address exists for your ISP, and you’ve never used it, it could be a problem for you down the line—or even right now. The account email may reuse your main login password, or have something incredibly basic assigned as the default password, which could easily be cracked.

You don’t want to walk into a zombie email scenario like the one outlined above. Review any dormant accounts you might have attached to things like cloud services, mobile or IoT devices, or ISPs and shut them down if you can. If you can’t, you can at least pop in there and add a difficult password unlikely to be broken through brute force. And if you want to go the extra mile, contact the companies attached to the email addresses and find out what their policies are for shutting down email accounts after customers leave.

As for suspicious emails: Should you receive something from an email address you haven’t seen in a long time, be careful. If you have another way to contact the person supposedly sending the missive, do so. Otherwise, keep these tips in mind before you open any attachments or click any links. It’s just not worth letting curiosity getting the better of you—or your PC.

The post Zombie email rises from grave after eight years of radio silence appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The not-so-definitive guide to cybersecurity and data privacy laws

Malwarebytes - Thu, 03/07/2019 - 16:00

US cybersecurity and data privacy laws are, to put it lightly, a mess.

Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.

Businesses are expected to comply with data privacy laws based on the data’s type. For instance, there’s a law protecting health and medical information, another law protecting information belonging to children, and another law protecting video rental records. (Seriously, there is.) Confusingly, though, some of those laws only apply to certain types of businesses, rather than just certain types of data.

Law enforcement agencies and the intelligence community, on the other hand, are expected to comply with a different framework that sometimes separates data based on “content” and “non-content.” For instance, there’s a law protecting phone call conversations, but another law protects the actual numbers dialed on the keypad.

And even when data appears similar, its protections may differ. GPS location data might, for example, receive a different protection if it is held with a cell phone provider versus whether it was willfully uploaded through an online location “check-in” service or through a fitness app that lets users share jogging routes.

Congress could streamline this disjointed network by passing comprehensive federal data privacy legislation; however, questions remain about regulatory enforcement and whether states’ individual data privacy laws will be either respected or steamrolled in the process.

To better understand the current field, Malwarebytes is launching a limited blog series about data privacy and cybersecurity laws in the United States. We will cover business compliance, sectoral legislation, government surveillance, and upcoming federal legislation.

Below is our first blog in the series. It explores data privacy compliance in the United States today from the perspective of a startup.

A startup’s tale—data privacy laws abound

Every year, countless individuals travel to Silicon Valley to join the 21st century Gold Rush, staking claims not along the coastline, but up and down Sand Hill Road, where striking it rich means bringing in some serious venture capital financing.

But before any fledgling startup can become the next Facebook, Uber, Google, or Airbnb, it must comply with a wide, sometimes-dizzying array of data privacy laws.

Luckily, there are data privacy lawyers to help.

We spoke with D. Reed Freeman Jr., the cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr about what a hypothetical, data-collecting startup would need to become compliant with current US data privacy laws. What does its roadmap look like?

Our hypothetical startup—let’s call it Spuri.us—is based in San Francisco and focused entirely on a US market. The company developed an app that collects users’ data to improve the app’s performance and, potentially, deliver targeted ads in the future.

This is not an exhaustive list of every data privacy law that a company must consider for data privacy compliance in the US. Instead, it is a snapshot, providing information and answers to potentially some of the most common questions today.

Spuri.us’ online privacy policy

To kick off data privacy compliance on the right foot, Freeman said the startup needs to write and post a clear and truthful privacy policy online, as defined in the 2004 California Online Privacy Protection Act.

The law requires businesses and commercial website operators that collect personally identifiable information to post a clear, easily-accessible privacy policy online. These privacy policies must detail the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process—if any—for a user to review and request changes to their collected information.

Privacy policies must also include information about how a company responds to “Do Not Track” requests, which are web browser settings meant to prevent a user from being tracked online. The efficacy of these settings is debated, and Apple recently decommissioned the feature in its Safari browser.

Freeman said companies don’t need to worry about honoring “Do Not Track” requests as much as they should worry about complying with the law.

“It’s okay to say ‘We don’t,’” Freeman said, “but you have to say something.”

The law covers more than what to say in a privacy policy. It also covers how prominently a company must display it. According to the law, privacy policies must be “conspicuously posted” on a website.

More than 10 years ago, Google tried to test that interpretation and later backed down. Following a 2007 New York Times report that revealed that the company’s privacy policy was at least two clicks away from the home page, multiple privacy rights organizations sent a letter to then-CEO Eric Schmidt, urging the company to more proactively comply.

“Google’s reluctance to post a link to its privacy policy on its homepage is alarming,” the letter said, which was signed by the American Civil Liberties Union, Center for Digital Democracy, and Electronic Frontier Foundation. “We urge you to comply with the California Online Privacy Protection Act and the widespread practice for commercial web sites as soon as possible.”

The letter worked. Today, users can click the “Privacy” link on the search giant’s home page.

What About COPPA and HIPAA?

Spuri.us, like any nimble Silicon Valley startup, is ready to pivot. At one point in its growth, it considered becoming a health tracking and fitness app, meaning it would collect users’ heart rates, sleep regimens, water intake, exercise routines, and even their GPS location for selected jogging and cycling routes. Spuri.us also once considered pivoting into mobile gaming, developing an app that isn’t made for children, but could still be downloaded onto children’s devices and played by kids.

Spuri.us’ founder is familiar with at least two federal data privacy laws—the Health Insurance Portability and Accountability Act (HIPAA), which regulates medical information, and the Children’s Online Privacy Protection Act (COPPA), which regulates information belonging to children.

Spuri.us’ founder wants to know: If her company stars collecting health-related information, will it need to comply with HIPAA?

Not so, Freeman said.

“HIPAA, the way it’s laid out, doesn’t cover all medical information,” Freeman said. “That is a common misunderstanding.”

Instead, Freeman said, HIPAA only applies to three types of businesses: health care providers (like doctors, clinics, dentists, and pharmacies), health plans (like health insurance companies and HMOs), and health care clearinghouses (like billing services that process nonstandard health care information).

Without fitting any of those descriptions, Spuri.us doesn’t have to worry about HIPAA compliance.

As for complying with COPPA, Freeman called the law “complicated” and “very hard to comply with.” Attached to a massive omnibus bill at the close of the 1998 legislative session, COPPA is a law that “nobody knew was there until it passed,” Freeman said.

That said, COPPA’s scope is easy to understand.

“Some things are simple,” Freeman said. “You are regulated by Congress and obliged to comply with its byzantine requirements if your website is either directed to children under the age of 13, or you have actual knowledge that you’re collecting information from children under the age of 13.”

That begs the question: What is a website directed to children? According to Freeman, the Federal Trade Commission created a rule that helps answer that question.

“Things like animations on the site, language that looks like it’s geared towards children, a variety of factors that are intuitive are taken into account,” Freeman said.

Other factors include a website’s subject matter, its music, the age of its models, the display of “child-oriented activities,” and the presence of any child celebrities.

Because Spuri.us is not making a child-targeted app, and it does not knowingly collect information from children under the age of 13, it does not have to comply with COPPA.

A quick note on GDPR

No concern about data privacy compliance is complete without bringing up the European Union’s General Data Protection Regulation (GDPR). Passed in 2016 and having taken effect last year, GDPR regulates how companies collect, store, use, and share EU citizens’ personal information online. On the day GDPR took effect, countless Americans received email after email about updated privacy policies, often from companies that were founded in the United States.

Spuri.us’ founder is worried. She might have EU users but she isn’t certain. Do those users force her to become GDPR compliant?

“That’s a common misperception,” Freeman said. He said one section of GDPR explains this topic, which he called “extraterritorial application.” Or, to put it a little more clearly, Freeman said: “If you’re a US company, when does GDPR reach out and grab you?”

GDPR affects companies around the world depending on three factors. First, whether the company is established within the EU, either through employees, offices, or equipment. Second, whether the company directly markets or communicates to EU residents. Third, whether the company monitors the behavior of EU residents.

“Number three is what trips people up,” Freeman said. He said that US websites and apps—including those operated by companies without a physical EU presence—must still comply with GDPR if they specifically track users’ behavior that takes place in the EU.

“If you have an analytics service or network, or pixels on your website, or you drop cookies on EU residents’ machines that tracks their behavior,” that could all count as monitoring the behavior of EU residents, Freeman said.

Because those services are rather common, Freeman said many companies have already found a solution. Rather than dismantling an entire analytics operation, companies can instead capture the IP addresses of users visiting their websites. The companies then perform a reverse geolocation lookup. If the companies find any IP addresses associated with an EU location, they screen out the users behind those addresses to prevent online tracking.

Asked whether this setup has been proven to protect against GDPR regulators, Freeman instead said that these steps showcase an understanding and a concern for the law. That concern, he said, should hold up against scrutiny.

“If you’re a startup and an EU regulator initiates an investigation, and you show you’ve done everything you can to avoid tracking—that you get it, you know the law—my hope would be that most reasonable regulators would not take a Draconian action against you,” Freeman said. “You’ve done the best you can to avoid the thing that is regulated, which is the track.”

A data breach law for every state

Spuri.us has a clearly-posted privacy policy. It knows about HIPAA and COPPA and it has a plan for GDPR. Everything is going well…until it isn’t.

Spuri.us suffers a data breach.

Depending on which data was taken from Spuri.us and who it referred to, the startup will need to comply with the many requirements laid out in California’s data breach notification law. There are rules on when the law is triggered, what counts as a breach, who to notify, and what to tell them.

The law protects Californians’ “personal information,” which it defines as a combination of information. For instance, a first and last name plus a Social Security number count as personal information. So do a first initial and last name plus a driver’s license number, or a first and last name plus any past medical insurance claims, or medical diagnoses. A Californian’s username and associated password also qualify as “personal information,” according to the law.

The law also defines a breach as any “unauthorized acquisition” of personal information data. So, a rogue threat actor accessing a database? Not a breach. That same threat actor downloading the information from the database? Breach.

In California, once a company discovers a data breach, it next has to notify the affected individuals. These notifications must include details on which type of personal information was taken, a description of the breach, contact information for the company, and, if the company was actually the source of the breach, an offer for free identity theft prevention services for at least one year.

The law is particularly strict on these notifications to customers and individuals impacted. There are rules on font size and requirements for which subheadings to include in every notice: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “More Information.”

After Spuri.us sends out its bevy of notices, it could still have a lot more to do.

As of April 2018, every single US state has its own data breach notification law. These laws, which can sometimes overlap, still include important differences, Freeman said.

“Some states require you to notify affected consumers. Some require you to notify the state’s Attorney General,” Freeman said. “Some require you to notify credit bureaus.”

For example, Florida’s law requires that, if more than 1,000 residents are affected, the company must notify all nationwide consumer reporting agencies. Utah’s law, on the other hand, only requires notifications if, after an investigation, the company finds that identity theft or fraud occurred, or likely occurred. And Iowa has one of the few state laws that protects both electronic and paper records.

Of all the data compliance headaches, this one might be the most time-consuming for Spuri.us.

In the meantime, Freeman said, taking a proactive approach—like posting the accurate and truthful privacy policy and being upfront and honest with users about business practices—will put the startup at a clear advantage.

“If they start out knowing those things on the privacy side and just in the USA,” Freeman said, “that’s a great start that puts them ahead of a lot of other startups.”

Stay tuned for our second blog in the series, which will cover the current fight for comprehensive data privacy legislation in the United States.

The post The not-so-definitive guide to cybersecurity and data privacy laws appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spotlight on Troldesh ransomware, aka ‘Shade’

Malwarebytes - Wed, 03/06/2019 - 16:00

Despite the decline in the number of ransomware infections over the last year, there are several ransomware families that are still active. Ransom.Troldesh, aka Shade, is one of them. According to our product telemetry, Shade has experienced a sharp increase in detections from Q4 2018 to Q1 2019.

When we see a swift spike in detections of a malware family, that tells us we’re in the middle of an active, successful campaign. So let’s take a look at this “shady” ransomware to learn how it spreads, what are its symptoms, why it’s dangerous to your business, and how you can protect against it.

Troldesh spiked in February 2019

Infection vector

Troldesh, which has been around since 2014, is typically spread by malspam—specifically malicious email attachments. The attachments are usually zip files presented to the receiver as something he “has to” open quickly. The extracted zip is a Javascript that downloads the malicious payload (aka the ransomware itself). The payload is often hosted on sites with a compromised Content Management System (CMS).

Part of the obfuscated Troldesh Javascript

As the sender in Troldesh emails is commonly spoofed, we can surmise that the threat actors behind this campaign are phishing, hoping to pull the wool over users’ eyes in order to get them to open the attachment.

The origin of Troldesh is believed to be Russian because its ransom notes are written in both Russian and English.

Target systems are running Windows OS. Victims will have to unzip the attachment and double-click the Javascript file to get the infection started.

Ransomware behavior

Once deployed, the ransomware drops a lot of numbered readme#.txt files on the infected computer after the encryption routine is complete, most likely to make sure that the victim will read at least one of them. These text files contain the same message as the ransom note.

Targeted file extensions

Troldesh looks for files with these extensions on fixed, removable, and remote drives:

.1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx, .avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf, .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc, .jpe, .jpeg, , .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf, .tab, .tar, .tbb, .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wb2, .wav, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, and .zip

Encryption

Files are encrypted using AES 256 in CBC mode. For each encrypted file, two random 256-bit AES keys are generated: One is used to encrypt the file’s contents, while the other is used to encrypt the file name. The extensions mentioned above are added after the encryption of the filename.

Protect against Troldesh

Malwarebytes users can block Ransom.Troldesh through several different protection modules, which are able to stop the ransomware from encrypting files in real time.

Real-time protection against the files in our definitions stops the ransomware itself:

Our anti-exploit and anti-ransomware modules block suspicious behavior:

Meanwhile, Malwarebytes’ malicious website protection blocks compromised sites:

Other methods of protection

There are some security measures you can take to avoid getting to the phase where protection has to kick in or files need to be recovered.

  • Scan emails with attachments. These suspicious mails should not reach the end user.
  • User education. If they do reach the end user, they should be informed not to open attachments of this nature or run executable files in attachments. In addition, if your company has an anti-phishing plan, they should know who to forward the email to in the organization for investigation.
  • Blacklisting. Most end users do not need to be able to run scripts. In those cases, you can blacklist wscript.exe.
  • Update software and systems. Updating software can plug up vulnerabilities and keep known exploits at bay.
  • Back up files. Reliable and easy-to-deploy backups can shorten the recovery time.
Remediation

If you should get to the point where remediation is necessary, these are the steps to follow:

  • Perform a full system scan. Malwarebytes can detect and remove Ransom.Troldesh without further user interaction.
  • Recover files. Removing Troldesh does not decrypt your files. You can only get your files back from backups you made before the infection happened or by performing a roll-back operation.
  • Get rid of the culprit. Delete the email that was the root cause.
Decryption

Even though AES 256 is a strong encryption algorithm, there are free decryption tools available for some of the Troldesh variants. You can find out more about these decryption tools at NoMoreRansom.org (look under “Shade” in the alphabetical list).

Victims of Troldesh are provided with a unique code, an email address, and a URL to an onion address. They are asked to contact the email address mentioning their code or go to the onion site for further instructions. It is not recommended to pay the ransom authors, as you will be financing their next wave of attacks.

What sets Troldesh apart from other ransomware variants is the huge number of readme#.txt files with the ransom note dropped on the affected system, and the contact by email with the threat actor. Otherwise, it employs a classic attack vector that relies heavily on tricking uninformed victims. Nevertheless, it has been quite successful in the past, and in its current wave of attacks. The free decryptors that are available only work on a few of the older variants, so victims will likely have to rely on backups or roll-back features.

IOCs

Ransom.Troldesh has used the following extensions for encrypted files:

.xtbl
.ytbl
.cbtl
.no_more_ransom
.better_call_saul
.breaking_bad
.heisenberg
.da_vinci_code
.magic_software_syndicate
.windows10
.crypted000007
.crypted000078

Contacts: Novikov.Vavila@gmail.com Selenadymond@gmail.com RobertaMacDonald1994@gmail.com IPs TCP 154.35.32.5 443 outgoing Bitcoin: 1Q1FJJyFdLwPt5yyZAQ8kfxfeWq8eoD25E Domain : cryptsen7fo43rr6.onion

The post Spotlight on Troldesh ransomware, aka ‘Shade’ appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Labs survey finds privacy concerns, distrust of social media rampant with all age groups

Malwarebytes - Tue, 03/05/2019 - 13:00

Before Cambridge Analytica made Facebook an unwilling accomplice to a scandal by appropriating and misusing more than 50 million users’ data, the public was already living in relative unease over the privacy of their information online.

The Cambridge Analytica incident, along with other, seemingly day-to-day headlines about data breaches pouring private information into criminal hands, has eroded public trust in corporations’ ability to protect data, as well as their willingness to use the data in ethically responsible ways. In fact, the potential for data interception, gathering, collation, storage, and sharing is increasing exponentially in all private, public, and commercial sectors.

Concerns of data loss or abuse have played a significant role in the US presidential election results, the legal and ethical drama surrounding Wikileaks, Brexit, and the implementation of the European Union’s General Data Privacy Regulations. But how does the potential for the misuse of private data affect the average user in Vancouver, British Colombia; Fresno, California; or Lisbon, Portugal?

To that end, The Malwarebytes Labs team conducted a survey from January 14 to February 15, 2019 to inquire about the data privacy concerns of nearly 4,000 Internet users in 66 countries, including respondents from: Australia, Belgium, Brazil, Canada, France, Germany, Hong Kong, India, Iran, Ireland, Japan, Kenya, Latvia, Malaysia, Mexico, New Zealand, the Philippines, Saudi Arabia, South Africa, Taiwan, Turkey, the United Kingdom, the United States, and Venezuela.

The survey, which was conducted via SurveyMonkey, focused on the following key areas:

  • Feelings on the importance of online privacy
  • Rating trust of social media and search engines with data online
  • Cybersecurity best practices followed and ignored (a list of options was provided)
  • Level of confidence in sharing personal data online
  • Types of data respondents are most comfortable sharing online (if at all)
  • Level of consciousness of data privacy at home vs. the workplace

____________________________________________________________________________________________________________________________

For a high-level look at our analysis of the survey results, including an exploration of why there is a disconnect between users’ emotions and their behaviors, as well as which privacy tools Malwarebytes recommends for those who wish to do more to protect their privacy, download our report:

The Blinding Effect of Security Hubris on Data Privacy

____________________________________________________________________________________________________________________________

For this blog, we explored commonalities and differences among Baby Boomers (ages 56+), Gen Xers (ages 36 – 55), Millennials (ages 18 – 35), and Gen Zeds, or the Centennials (ages 17 and under) concerning feelings about privacy, level of confidence sharing information online, trust of social media and search engines with data, and which privacy best practices they follow.

Lastly, we delved into the regional data compiled from respondents in Europe, the Middle East, and Africa (EMEA) and compared it against North America (NA) to examine whether US users share common ground on privacy with other regions of the world.

Privacy is complicated

If 10 years ago, someone had asked you to carry an instrument that could: listen into your conversations, broadcast your exact location to marketers, and allow you be tracked as you moved between the grocery aisles (and how long you lingered in front of the Cap’n Crunch cereal), most would have declined, suggesting it was a crazy joke. Of course, that was before the advent of smartphones that can do all that and more, today.

Many regard the public disclosure of surreptitious information-gathering programs conducted by the National Security Agency (NSA) here in the US as a watershed moment in the debate over government surveillance and privacy. Despite the outcry, experts noted that the disclosures hardly made a dent in US laws about how the government may monitor citizens (and non-citizens) legally.

Tech companies in Silicon Valley were equally affected (or unaffected, depending on how you look at it) by Edward Snowden’s actions. Yet, over time, they have felt the effects of people’s change in behaviors and actions toward their services. In the face of increasing pressure from criminal actions and public perception in key demographics, companies like Google, Apple, and Facebook have taken steps to beef up the encryption of and better secure user data. But is this enough to make people trust them again?

Challenge: Put your money where your mouth is

In reality, particularly in commerce, we may have reservations about allowing companies to collect from us, especially because we have little influence on how they use it, but that doesn’t stop us from doing so. The care for the protection of our own data, and that of others, may well be nonexistent—signed away in an End-User Licensing Agreement (EULA) buried 18 pages deep.

Case in point: Students of the Massachusetts Institute of Technology (MIT) conducted a study in 2017 and revealed that, among other findings, there is a paradox between how people feel about privacy and their willingness to easily give away data, especially when enticed with rewards (in this case, free pizza).

Indeed, we have a complicated relationship with our data and online privacy. One minute, we’re declaring on Twitter how the system has failed us and the next, we’re taking a big bite of a warm slice of BBQ chicken pizza after giving away your best friend’s email address.

This begs the question: Is getting something in exchange for data a square deal? More specifically, should we have to give something away to use free services? Has a scam just taken place? But more to the point: Do people really, really care about privacy? If they do, why, and to what extent?

In search of answers

Before we conducted our survey, we had theories of our own, and these were colored by many previous articles on the topic. We assumed, for example, that Millennials and Gen Zeds, having grown up with the Internet already in place, would be much less concerned about their privacy than Baby Boomers, who spent a few decades on the planet before ever having created an online account. Rather than further a bias, we started from scratch—we wanted to see for ourselves how people of different generations truly felt about privacy.

Privacy by generations: an overview

This section outlines the survey’s overall findings across generations and regions. A breakdown of each generation’s privacy profile follows, including some correlations from studies that tackled similar topics in the past.

  • An overwhelming majority of respondents (96 percent) feel that online privacy is crucial. And their actions speak for themselves: 97 percent say they take steps to protect their online data, whether they are on a computer or mobile device.
  • Among seven options provided, below are the top four cybersecurity and privacy practices they follow:
    • “I refrain from sharing sensitive personal data on social media.” (94 percent)
    • “I use security software.” (93 percent)
    • “I run software updates regularly.” (90 percent)
    • “I verify the websites I visit are secured before making purchases.” (86 percent)
  • Among seven options provided, below are the top four cybersecurity faux pas they admitted to:
    • “I skim through or do not read End User License Agreements or other consent forms.” (66 percent)
    • “I use the same password across multiple platforms.” (29 percent)
    • “I don’t know which permissions my apps have access to on my mobile device.” (26 percent)
    • “I don’t verify the security of websites before making a purchase. (e.g. I don’t look for “https” or the green padlock on sites.)” (10 percent)

This shows that while respondents feel the need to take care of their privacy or data online, we can deduce that they can only consistently protect it at least most of the time and not all the time.

  • There is a near equal percentage of people who trust (39 percent) and distrust (34 percent) search engines across all generations.
  • Across the board, there is a universal distrust of social media (95 percent). We can then safely assume that respondents are more likely to trust search engines to protect their data than social media.
  • When asked to agree or disagree with the statement, “I feel confident about sharing my personal data online,” 87 percent of respondents disagree or strongly disagree.
  • On the other hand, confident data sharers—or those who give away information to use a service they need—would most likely share their contact info (26 percent), such as name, address, phone number, and email address; card details when shopping online (26 percent); and banking details (16 percent).
  • A small portion (2 percent) of highly confident sharers are also willing to share (or already have shared) their Social Security Number (SSN) and health-related data.
  • In practice, however, 59 percent of respondents said they don’t share any of the sensitive data we listed online.
  • When asked to rate the statement, “I am more conscious of data privacy when at work than I am at home,” a large share (84 percent) said “false.”
Breaking it down

There are many events that happened within this decade that have shaped the way Internet users across generations perceive privacy and how they act on that perception. The astounding number of breaches that have taken place since 2017 and the billions of data stolen, leaked, and bartered on the digital underground market—not to mention the seemingly endless number of opportunities for governments, institutions, and individuals to spy and harvest data on people—can either drive Internet users with a modicum of interest in preserving privacy to (1) live off the grid or (2) completely change their perception of data privacy. The former is unlikely to happen for the majority of users. The latter, however, is already taking place. In fact, not only have perceptions changed but so has behavior, in some cases, almost instantly.

We profiled each age group in light of past and present privacy-related events and how these have changed their perceptions, feeling, and online practices. Here are some of the important findings that emerged from our survey.

Centennials are no noobs when it comes to privacy.*

It’s important to note that while many users who are 18 years old and under (83 percent) admit that privacy is important to them, even more (87 percent) are taking steps to ensure that their data is secure online. Ninety percent of them do this by making sure that the websites they visit are secure before making online purchases. They also refrain from sharing sensitive PII on social media (86 percent) and use security software (86 percent).

Jerome Boursier, security researcher and co-founder of AdwCleaner, is also a privacy advocate. He disagrees with Gen Zeds’ claims that they don’t disclose their personally identifiable information (PII) on social media. “I think most people in the survey would define PII differently. People—especially the younger ones—tend to have a blurry definition of it and don’t consider certain information as personally identifiable the same way older generations do.”

Other notable practices Gen Z admit to partaking in are borrowed from the Cybersecurity 101 handbook, such as using complicated passwords and tools like a VPN on their mobile devices, while others go above-and-beyond normal practices, such as checking the maliciousness of a file they downloaded using Virus Total and modifying files to prevent telemetry logging or reporting—something Microsoft has been doing since the release of Windows 7.

They are also the generation that is the most unlikely to update their software.

Contrary to public belief, Millennials do care about their privacy.

This bears repeating: Millennials do care about their privacy.

An overwhelming majority (93 percent) of Millennials admitted to caring about their privacy. On the other hand, a small portion of this age group, while disclosing that they aren’t that bothered about their privacy, also admit that they still take steps to keep their online data safe.

One reason we can cite why Millennials may care about their privacy is that they want to manage their online reputations, and they are the most active at it, according to the Pew Research Center. In the report “Reputation Management and Social Media,” researchers found that Millennials take steps to limit the amount of PII online, are well-versed at personalizing their social media privacy settings, delete unwanted comments about them on their profiles, and un-tag themselves from photos they were tagged in by someone else. Given that a lot of employers are Google-ing their prospective employees (and Millennials know this), they take a proactive role in putting their best foot forward online.

Like Centennials, Millennials also use VPNs and Tor to protect their anonymity and privacy. In addition, they regularly conduct security checks on their devices and account activity logs, use two-factor authentication (2FA), and do their best to get on top of news, trends, and laws related to privacy and tech. A number of Millennials also admit to not having a social media presence.

While a large share (92 percent) of Millennials polled distrust social media with their data (and 64 percent of them feel the same way about search engines), they continue to use Google, Facebook, and other social media and search platforms. Several Millennials also admit that they can’t seem to stop themselves from clicking links.

Lastly, only a little over half of the respondents (59 percent) are as conscious of their data privacy at home as they are at work. This means that there is a sizable chunk of Millennials who are only conscious of their privacy at work but not so much at home.

Gen Xers feel and behave online almost the same way as Baby Boomers.

Gen Xers are the youngest of the older generations, but their habits better resemble their elder counterparts than their younger compatriots. Call it coincidence or bad luck—depending on your predisposition—or even “wisdom in action.” Either way, being likened to Baby Boomers is a compliment when it comes to privacy and security best practices.

Respondents in this age group have the highest number of people who are privacy-conscious (97 percent), and they are no doubt deliberate (98 percent) in their attempts to secure and take control of their data. Abstaining from posting personal information on social media ranks high in their list of “dos” at 93 percent. Apart from using security software and regularly updating all programs they use, they also do their best to opt out of everything they can, use strong passwords and 2FA, install blocker apps on browsers, and surf the web anonymously.

On the flip side, they’re second only to Millennials for The Generation Good at Avoiding Reading EULAs (71 percent). Gen Xers also bagged The Least Number of People in a Generation to Reuse Passwords (24 percent) award.

When it comes to a search engine’s ability to secure their data, over half of Gen Xers (65 percent) distrust them, while nearly a quarter (24 percent) chose to be neutral in their stance

Baby Boomers know more about protecting privacy online than other generations, and they act upon that knowledge.

Our findings of Baby Boomers have challenged the longstanding notion that they are the most clueless bunch when it comes to cybersecurity and privacy.

Of course, this isn’t to say that there are no naïve users in this generation—all generations have them—but our survey results profoundly contrast what most of us accepted as truth about what Boomers feel about privacy and how they behave when online. They’re actually smarter and more prudent than we care to give them credit for.

Baby Boomers came out as the most distrustful generation (97 percent) of social media when it comes to protecting their data. Because of this, those who have a social media presence hardly disclose (94 percent) any personal information when active.

In contrast, only a little over half (57 percent) of Boomers trust search engines, making them the most trustful among other groups. This means that it is highly likely for a Baby Boomer to trust search engines with their data over social media.

Boomers are also the least confident (89 percent) generation in terms of sharing personal data online. This correlates to a nationwide study commissioned by Hide My Ass! (HMA), a popular VPN service provider, about Baby Boomers and their different approach to online privacy. According to their research, Boomers are likely to respond “I only allow trusted people to see anything I post & employ a lot of privacy restrictions.”

Lastly, they’re also the most consistent in terms of guarding their data privacy both at home and at work (88 percent).

“I am immediately surprised that Baby Boomers are the most conscious about data privacy at work and at home. Anecdotally, I guess it makes sense, at least in work environments,” says David Ruiz, Content Writer for Malwarebytes Labs and a former surveillance activist for the Electronic Frontier Foundation (EFF). He further recalls: “I used to be a legal affairs reporter and 65-and-up lawyers routinely told me about their employers’ constant data security and privacy practices (daily, changing Wi-Fi passwords, secure portals for accessing documents, no support of multiple devices to access those secure portals).”

Privacy by region: an overview of EMEA and NA

A clear majority of survey respondents within the EMEA region are mostly from countries in Europe. One would think that Europeans are more versed in online privacy practices, given they are particularly known for taking privacy and data protection seriously compared to those in North America (NA). Although being well-versed can be seen in certain age groups in EMEA, our data shows that the privacy-savviness of those in NA are not that far off. In fact, certain age groups in NA match or even trump the numbers in EMEA.

Comparing and contrasting user perception and practice in EMEA and NA

There is no denying that those polled in EMEA and NA care about privacy and take steps to secure themselves, too. Most of them refrain from disclosing any information they deemed as sensitive in social media (an average of 89 percent of EMEA users versus 95 percent of NA users), verify websites where they plan to make purchases are secure (an average of 90 percent of EMEA users versus 91 percent of NA users), and use security software (an average of 89 percent of EMEA users versus 94 percent of NA users).

However, like what we’ve seen in the generational profiles, they also recognize the weaknesses that dampen their efforts. All respondents are prone to skimming through or completely avoiding reading the EULA (an average of 77 percent of EMEA users versus 71 percent of NA users). This is the most prominent problem across generations, followed by reusing passwords (an average of 26 percent of EMEA users versus 38 percent of NA users) and not knowing which permissions their apps have access to on their mobile devices (an average of 19 percent of EMEA users versus 17 percent of NA users).

As you can see, there are more users in NA that are embracing these top online privacy practices than those in EMEA.

All respondents from EMEA and NA are significantly distrustful of social media—92 and 88 percent, respectively—when it comes to protecting their data. For those who are willing to disclose their data online, they usually share their credit card details (26 percent), contact info (26 percent), and banking details (16 percent). Essentially, the most common pieces of information you normally give out when you do online banking and purchasing.

Millennials in both EMEA and NA (61 percent) feel the least conscious about their data privacy at work vs. at home. On the other hand, Baby Boomers (85 percent) in both regions feel the most conscious about their privacy in said settings.

It’s also interesting to note that Baby Boomers in both regions appear to share a similar profile.

Privacy in EMEA and NA: notable trends

When it comes to knowing which permissions apps have access to on mobile devices, Gen Zeds in EMEA (90 percent) are the most aware compared to Gen Zeds in NA (63 percent). In fact, Gen Zeds and Millennials (73 percent) are the only generations in EMEA that are conscious of app permissions. Not only that, they’re the less likely group to reuse passwords (at 20 and 24 percent, respectively) across generations in both regions. Although Gen Xers in EMEA have the highest rate of users (31 percent) who recycle passwords.

It also appears that the average percentage of older respondents—the Gen Xers (31 percent) and Baby Boomers (37 percent)—in both regions are more likely to read EULAs or take the time to do so than the average percentage of Gen Zeds and Millennials (both at 18 percent).

Gen Zeds in NA are the most distrustful generation of search engines (75 percent) and social media (100 percent) when it comes to protecting their data. They’re also the most uncomfortable (100 percent) when it comes to sharing personal data online.

Among the Baby Boomers, those in NA are the most conscious (85 percent) when it comes to data privacy at work. However, Baby Boomers in EMEA are not far off (84 percent).

With privacy comes universal reformation, for the betterment of all

The results of our survey have merely provided a snapshot of how generations and certain regions perceive privacy and what steps they take (and don’t take) to control what information is made available online. Many might be surprised by these findings while others may correlate them with other studies in the past. However you take it, one thing is clear: Online privacy has become as important an issue as cybersecurity, and people are beginning to take notice.

With this current privacy climate, it is not enough for Internet users to do the heavy lifting. Regulators play a part, and businesses should act quickly to guarantee that the data they collect from users is only what is reasonably needed to keep services going. In addition, they should secure the data they handle and store, and ensure that users are informed of changes to which data they collect and how they are used. We believe that this demand from businesses will continue at least for the next three years, and any plans or reforms that elevate the importance of online privacy of user data will serve as cornerstones to future transformations.

At this point in time, there is no real way to have complete privacy and anonymity when online. It’s a pipe dream in the current climate. Perhaps the best we can hope for is a society where businesses of all sizes recognize that the user data they collect has a real impact on their customers, and to respect and secure that data. Users should not be treated as a collection of entries with names, addresses, and contact numbers in a huge database. Customers are customers once again, who are always on the lookout for products and services to meet their needs.

The privacy advocate mantle would then be taken upon by Centennials and “Alphas” (or iGeneration), the first age group entirely born within the 21st century and considered the most technologically infused of us all. For those who wish to conduct future studies on privacy like this, it would be really, really interesting to see how Alphas and Centennials would react to a free box of pizza in exchange for their mother’s maiden name.

[*] The Malwarebytes Labs was only able to poll a total of 31 respondents in Gen Zed. This isn’t enough to create an accurate profile of this age group. However, this author believes that what we were able to gather is enough to give an informed assessment of this age group’s feelings and practices.

The post Labs survey finds privacy concerns, distrust of social media rampant with all age groups appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (February 25 – March 3)

Malwarebytes - Mon, 03/04/2019 - 18:03

Last week, we delved into the realm of K-12 schools and security, explored the world of compromised websites and Golang bruteforcers, and examined the possible realms of pay for privacy. We also looked at identity management solutions, Google’s Universal Read Gadget, and did the deepest of dives into the life of Max Schrems.

Other security news
  • Big coin, big  problems: Founder of My Big Coin charged with seven counts of fraud (Source: The Register)
  • Another day, another exposed list: Specifically, the paid-for Dow Jones watchlist (Source: Security Discovery)
  • Mobile malware continues to rise: Mobile threats may have been a little quiet recently, but that certainly doesn’t mean they’ve gone away. Ignore at your peril (Source: CBR)
  • PDF tracking: Viewing some samples in Chrome can lead to tracking behaviour (source: Edgespot)
  • Verification bait and switch: Instagram users who desire verification status should be wary of a phish currently in circulation (Source: PCMag)
  • Missile warning sent from hacked Twitter account: The dangers of not securing your social media profile take on a whole new terrifying angle (Source: Naked Security)
  • Graphics card security update: NVIDIA rolls out a fix patching no less than 8 flaws for their display driver (Source: NVIDIA)
  • Momo, oh no: The supposed Momo challenge has predictably turned out to be an urban myth, except it was known to be a so-called creepypasta hoax for a long time (Source: IFLScience)
  • Police arrest supplier of radios: Turns out you really don’t want to install fraudulent software from someone Homeland security considers to be a security threat (Source: CBC news)

Stay safe, everyone!

The post A week in security (February 25 – March 3) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Spectre, Google, and the Universal Read Gadget

Malwarebytes - Fri, 03/01/2019 - 16:43

Spectre, a seemingly never ending menace to processors, is back in the limelight once again thanks to the Universal Read Gadget. First seen at the start of 2018, Spectre emerged alongside Meltdown as a major potential threat to people’s system security.

Meltdown and Spectre

Meltdown targeted Intel processors and required a malicious process running on the system to interact with it. Spectre could be launched from browsers via a script. As these threats were targeting hardware flaws in the CPU, they were difficult to address and required BIOS updates and some other things to ensure a safe online experience. As per our original blog:

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

This is not a great situation for everyone to suddenly find themselves in. Manufacturers were caught on the backfoot and customers rightly demanded a solution.

If this is the part where you’re thinking, “What caused this again?” then you’re in luck.

Speculative patching woes

The issues came from something called “speculative execution.” As we said in this follow up blog about patching difficulties:

Speculative execution is an effective optimization technique used by most modern processors to determine where code is likely to go next. Hence, when it encounters a conditional branch instruction, the processor makes a guess for which branch might be executed based on the previous branches’ processing history. It then speculatively executes instructions until the original condition is known to be true or false. If the latter, the pending instructions are abandoned, and the processor reloads its state based on what it determines to be the correct execution path.

The issue with this behaviour and the way it’s currently implemented in numerous chips is that when the processor makes a wrong guess, it has already speculatively executed a few instructions. These are saved in cache, even if they are from the invalid branch. Spectre and Meltdown take advantage of this situation by comparing the loading time of two variables, determining if one has been loaded during the speculative execution, and deducing its value.

Four variants existed across Spectre and Meltdown, with Intel, IBM, ARM, and AMD being snagged by Spectre and “just” Intel being caught up by Meltdown.

The vulnerabilities impacting CPUs (central processing units) made it a tricky thing to fix. Software alterations could cause performance snags, and hardware fixes could be even more complicated. A working group was formed to try and thrash out the incredibly complicated details of how this issue would be tackled.

In January 2018, researchers stressed the only real way to solve Spectre was redesigning computer hardware from the ground up. This is no easy task. Replace everything, or suffer the possible performance hit from any software fixes. Fairly complex patching nightmares abound, with operating systems, pre/post Skylake CPUs, and more needing tweaks or wholesale changes.

Additional complications

It wasn’t long before scams started capitalising on the rush to patch. Now people suddenly had to deal with unrelated fakes, malware, and phishes on top of actual Meltdown/Spectre threats.

Alongside the previously mentioned scams, fake websites started to pop up, too. Typically they claimed to be an official government portals, or plain old download sites offering up a fix. They might also make use of SSL, because displaying a padlock is now a common trick of phishers. That’s a false sense of security—just because there’s a padlock, doesn’t mean it’s a safe site. All it means is the data on it is encrypted. Beyond that, you’re on your own.

The site in our example offered up a zipfile. Contained within was SmokeLoader, well known for attempting to grab additional malicious downloads.

Click to enlarge

Eventually, the furore died down and people slowly forgot about Spectre. It’d pop up again in occasional news articles, but for the most part, people treated it as out of sight, out of mind.

Which brings us to last week’s news.

Spectre: What happened now?

What happened now is a reiteration of the “it’s not safe yet” message. The threat is mostly the same, and a lot of people may not need to worry about this. However, as The Register notes, the problem hasn’t gone away and some developers will need to keep it in mind.

Google has released a paper titled, unsurprisingly enough, “Spectre is here to stay: An analysis of side-channels and speculative execution.”

The Google paper

First thing’s first: It’s complicated, and you can read the full paper [PDF] here.

There’s a lot of moving parts to this, and frankly nobody should be expected to understand everything in it unless they’re working in or around this in some capacity. Some of this has already been mentioned, but it’s already about 700 words or so ago so a short recap may be handy:

  1. Side channels are bad. Your computer may be doing a bunch of secure tasks, keeping your data safe. All those bits and pieces of hardware, however, are doing all sorts of things to make those secure processes happen. Side channel attacks come at the otherwise secure data from another angle, in the realm of the mechanical. Sound, power consumption, timing between events, electromagnetic leaks, cameras, and more. All of these provide a means for a clever attacker to exploit this leaky side channel and grab data you’d rather they didn’t.
  2. They do this in Spectre’s case by exploiting speculative execution. Modern processors are big fans of speculative execution, given they make use of it extensively. It helps improve performance, by making guesses about what programs will do next and then abandoning if it turns out that doesn’t happen after all. Conversely, the retained paths are deployed and everything gets a nice speed boost. Those future potential possibilities is where Spectre comes in.
  3. As the paper says, “computations that should never have happened…allow for information to be leaked” via Spectre. It allows the attacker to inject “dangerously speculative behaviour” into trusted code, or untrusted code typically subjected to safety checks. Both are done through triggering “ordinarily impossible computations” through specific manipulations of the processor’s shared micro-architectural states.

Everything is a bit speed versus security, and security lost out. The manufacturers realised too late that the speed/security tradeoff came with a hefty security price the moment Spectre arrived on the scene. Thinking bad actors couldn’t tamper with with speculative executions—or worse, not considering this in the first place—has turned out to be a bit of a disaster.

The paper goes on to list that Intel, ARM, AMD, MIPS, IBM, and Oracle have all reported being affected. It’s also clear that:

Our paper shows these leaks are not only design flaws, but are in fact foundational, at the very base of theoretical computation.

This isn’t great. Nor is the fact that they estimate it’s probably more widely distributed than any security flaw in history, affecting “billions of CPUs in production across all device classes.”

Spectre: no exorcism due

The research paper asserts that Spectre is going to be around for a long time. Software-based techniques to ward off the threat will never quite remove the issue. They may ward off the threat but add a performance cost, with more layers of defence potentially making things too much of a drag to consider them beneficial.

The fixes end up being a mixed bag of trade-offs and performance hits, and Spectre is so variable and evasive that it quickly becomes impossible to pin down a 100 percent satisfactory solution. At this point, Google’s “Universal Read Gadget” wades in and makes everything worse.

What is the Universal Read Gadget?

A way to read data without permission that is for all intents and purposes unstoppable. When multiple vulnerabilities in current languages run on the CPU, it allows construction of said read gadget and that’s the real meat of Google’s research. Nobody is going to ditch speculative execution anytime soon, and nobody is going to magically come up with a way to solve the side channel issue, much less something like a Universal Read Gadget.

As the paper states,

We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations…as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

On the other hand, it’s clear we shouldn’t start panicking. It sounds bad, and it is bad, but it’s unlikely anyone is exploiting you using these techniques. Of course, unlikely doesn’t mean unfeasible, and this is why hardware and software organisations continue to wrestle with this particular genie.

The research paper stresses that the URG is very difficult to pull off.

The universal read gadget is not necessarily a straightforward construction. It requires detailed knowledge of the μ-architectural characteristics of the CPU and knowledge of the language implementation, whether that be a static compiler or a virtual machine. Additionally, the gadget might have particularly unusual performance and concurrency characteristics

Numerous scenarios will require different approaches, and it lists multiple instances where the gadget will potentially fail. In short, nobody is going to come along and Universal Read Gadget your computer. For now, much of this is at the theoretical stage. That doesn’t mean tech giants are becoming complacent however, and hardware and software organisations have a long road ahead to finally lay this spectre to rest.

The post Spectre, Google, and the Universal Read Gadget appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Key considerations for building vs. buying identity access management solutions

Malwarebytes - Thu, 02/28/2019 - 16:00

Time and time again, organizations learn the hard way that no matter which security solutions they have in place, if they haven’t properly secured the end user, their efforts can be easily rendered moot.

The classic slip-up most often associated with end-user-turned-insider-threat is falling for a phishing email that in turn infects the endpoint. Now imagine that end user is someone with access to highly-sensitive information.

In a recently released report, Forrester noted that 80 percent of data breaches are related to compromised privileged credentials, highlighting the need for secure identity and access management (IAM).

IAM is a framework of policies and technologies that ensure that the proper people in an enterprise have the appropriate access to resources. Identity and access management products provide IT managers with the tools necessary to control user access to critical information within an organization, whether that’s employees or customers. IAM tools help define and manage the roles and access privileges of individual network users, as well as the circumstances in which users are granted (or denied) those privileges.

Therefore, having a strong identity and access management solution is critical to the security of your organization. It ensures that the right people have access to your system—and keeps unauthorized users out.

When it comes to an IAM solution, organizations have two basic options: build it or buy it. How do you know which option is the right one for your business? Here are the factors you need to consider.

Risk mitigation

When deciding between building and buying an access management solution, the first step is to assess the company’s cybersecurity needs and potential risks. A good question to ask is: What’s at stake if your organization is compromised or breached? Are you in a field that regularly manages private or sensitive proprietary data, such as genetic research or wealth portfolio management? Do you store large databases of customers’ personally identifiable information (PII)? Consider what the consequences would be if an unauthorized person gained access to your system.

Once you’ve assessed the company’s risk, consider whether your development team could build in the security safeguards needed to manage those risks. If you have especially complex or demanding security needs, building the necessary protections into your existing system will be more difficult.

If your in-house engineering team does not have security experience, consider partnering with third parties for security testing, audits, and other services. Having a trusted third party look at your system can help ensure your security measures are sufficient.

Another factor to consider is whether you partner with any other third parties, such as software-as-a-service providers, that enable features within your system. If so, you’ll need to assess the security aspects of these third parties as well and whether they could better integrate with a homemade or other third-party solution.

Capabilities and available resources

Even if your development staff is skilled, keep in mind that building an access management solution requires a specific skill set. Evaluate the skills, knowledge, and background of your current team members and consider whether you would need to hire additional staff to complete the build.

Building your own solution will also take a considerable amount of time. Do you have enough development resources for this project? Even if you do, think about whether building an IAM solution is the most high-value task your team could be working on. There may be other more profitable projects you may want to prioritize, especially because so many pre-built solutions are available.

Remember, too, that building your solution won’t be a one-time investment. You’ll also have to dedicate time and resources to maintaining and updating your system.

The best option for your organization depends in part on which resource you have more of—time or money. If you have funding but not time, a pre-built solution is likely best. If your situation is reversed, building your own solution may save you money, providing you have the capabilities needed to build an adequate program.

Complexity of the solution

The complexity of the solution you need will also influence whether or not it’s possible to build your own with the resources and capabilities you have. If you only have one or two simple applications and a small number of users, you may be able to build a system on your own relatively easily.

If, however, your system includes large numbers of applications and users with a wide range of necessary privileges, building and maintaining an access management solution will be more challenging.

Also, consider the potential that your company might expand the number of applications or users in the near future. Is your company likely to grow substantially within the next few years? If it does, can your custom-built solution scale? Can a third-party solution do the same?

Third-party verification needs

Another consideration is the possible need for third-party verification, industry standards compliance, and regulatory compliance. You might be subject to certain rules based on your sector, location, or the type of data you handle. Ensuring you comply with these requirements adds an extra layer of complication to building or buying a solution.

Pre-built systems, however, may already comply with the necessary standards. Make sure you have a thorough understanding of all compliance requirements that impact you before you begin building a solution or looking for one to purchase.

Time-to-market needs

How quickly does your access management solution need to be up and running? If it’s a matter of security, that timeframe might be significantly shorter.

Building an access management solution is a time-intensive process, so if you need your solution to be ready quickly, this is not the best option. Purchasing a pre-built solution will enable you to roll out your new access management solution much more quickly than building one on your own would.

To build or to buy

Your identity and access management solution will be an important component for the security and accessibility of your system, both for employees and customers. It’s crucial that you employ a solution that adequately meets your organization’s needs. That’s why choosing between building and buying an access management solution is such an important decision.

To ensure you choose the right option, make sure you ask the right questions when evaluating the needs of your organization.

The post Key considerations for building vs. buying identity access management solutions appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Will pay-for-privacy be the new normal?

Malwarebytes - Wed, 02/27/2019 - 17:04

Privacy is a human right, and online privacy should be no exception.

Yet, as the US considers new laws to protect individuals’ online data, at least two proposals—one statewide law that can still be amended and one federal draft bill that has yet to be introduced—include an unwelcome bargain: exchanging money for privacy.

This framework, sometimes called “pay-for-privacy,” is plain wrong. It casts privacy as a commodity that individuals with the means can easily purchase. But a move in this direction could further deepen the separation between socioeconomic classes. The “haves” can operate online free from prying eyes. But the “have nots” must forfeit that right.

Though this framework has been used by at least one major telecommunications company before, and there are no laws preventing its practice today, those in cybersecurity and the broader technology industry must put a stop to it. Before pay-for-privacy becomes law, privacy as a right should become industry practice.

Data privacy laws prove popular, but flawed

Last year, the European Union put into effect one of the most sweeping set of data privacy laws in the world. The General Data Protection Regulation, or GDPR, regulates how companies collect, store, share, and use EU citizens’ data. The law has inspired countries everywhere to follow suit, with Italy (an EU member) issuing regulatory fines against Facebook, Brazil passing a new data-protective bill, and Chile amending its constitution to include data protection rights.

The US is no exception to this ripple effect.

In the past year, Senators Ron Wyden of Oregon, Marco Rubio of Florida, Amy Klobuchar of Minnesota, and Brian Schatz, joined by 14 other senators as co-sponsors, of Hawaii, proposed separate federal bills to regulate how companies collect, use, and protect Americans’ data.

Sen. Rubio’s bill asks the Federal Trade Commission to write its own set of rules, which Congress would then vote on two years later. Sen. Klobuchar’s bill would require companies to write clear terms of service agreements and to send users notifications about privacy violations within 72 hours. Sen. Schatz’s bill introduces the idea that companies have a “duty to care” for consumers’ data by providing a “reasonable” level of security.

But it is Sen. Wyden’s bill, the Consumer Data Protection Act, that stands out, and not for good reason. Hidden among several privacy-forward provisions, like stronger enforcement authority for the FTC and mandatory privacy reports for companies of a certain size, is a dangerous pay-for-privacy stipulation.

According to the Consumer Data Protection Act, companies that require user consent for their services could charge users a fee if those users have opted out of online tracking.

If passed, here’s how the Consumer Data Protection Act would work:

Say a user, Alice, no longer feels comfortable having companies collect, share, and sell her personal information to third parties for the purpose of targeted ads and increased corporate revenue. First, Alice would register with the Federal Trade Commission’s “Do Not Track” website, where she would choose to opt-out of online tracking. Then, online companies with which Alice interacts would be required to check Alice’s “Do Not Track” status.

If a company sees that Alice has opted out of online tracking, that company is barred from sharing her information with third parties and from following her online to build and sell a profile of her Internet activity. Companies that are run almost entirely on user data—including Facebook, Amazon, Google, Uber, Fitbit, Spotify, and Tinder—would need to heed users’ individual decisions. However, those same companies could present Alice with a difficult choice: She can continue to use their services, free of online tracking, so long as she pays a price.

This represents a literal price for privacy.

Electronic Frontier Foundation Senior Staff Attorney Adam Schwartz said his organization strongly opposes pay-for-privacy systems.

“People should be able to not just opt out, but not be opted in, to corporate surveillance,” Schwartz said. “Also, when they choose to maintain their privacy, they shouldn’t have to pay a higher price.”

Pay-for-privacy schemes can come in two varieties: individuals can be asked to pay more for more privacy, or they can pay a lower (discounted) amount and be given less privacy. Both options, Schwartz said, incentivize people not to exercise their privacy rights, either because the cost is too high or because the monetary gain is too appealing.

Both options also harm low-income communities, Schwartz said.

“Poor people are more likely to be coerced into giving up their privacy because they need the money,” Schwartz said. “We could be heading into a world of the ‘privacy-haves’ and ‘have-nots’ that conforms to current economic statuses. It’s hard enough for low-income individuals to live in California with its high cost-of-living. This would only further aggravate the quality of life.”

Unfortunately, a pay-for-privacy provision is also included in the California Consumer Privacy Act, which the state passed last year. Though the law includes a “non-discrimination” clause meant to prevent just this type of practice, it also includes an exemption that allows companies to provide users with “incentives” to still collect and sell personal information.

In a larger blog about ways to improve the law, which was then a bill, Schwartz and other EFF attorneys wrote:

“For example, if a service costs money, and a user of this service refuses to consent to collection and sale of their data, then the service may charge them more than it charges users that do consent.”

Real-world applications

The alarm for pay-for-privacy isn’t theoretical—it has been implemented in the past, and there is no law stopping companies from doing it again.

In 2015, AT&T offered broadband service for a $30-a-month discount if users agreed to have their Internet activity tracked. According to AT&T’s own words, that Internet activity included the “webpages you visit, the time you spend on each, the links or ads you see and follow, and the search terms you enter.”

Most of the time, paying for privacy isn’t always so obvious, with real dollars coming out or going into a user’s wallet or checking account. Instead, it happens behind the scenes, and it isn’t the user getting richer—it’s the companies.

Powered by mountains of user data for targeted ads, Google-parent Alphabet recorded $32.6 billion in advertising revenue in the last quarter of 2018 alone. In the same quarter, Twitter recorded $791 million in ad revenue. And, notable for its CEO’s insistence that the company does not sell user data, Facebook’s prior plans to do just that were revealed in documents posted this week. Signing up for these services may be “free,” but that’s only because the product isn’t the platform—it’s the user.

A handful of companies currently reject this approach, though, refusing to sell or monetize users’ private information.

In 2014, CREDO Mobile separated itself from AT&T by promising users that their privacy “is not for sale. Period.” (The company does admit in its privacy policy that it may “sell or trade mailing lists” containing users’ names and street addresses, though.) ProtonMail, an encrypted email service, positions itself as a foil to Gmail because it does not advertise on its site, and it promises that users’ encrypted emails will never be scanned, accessed, or read. In fact, the company claims it can’t access these emails even if it wanted.

As for Google’s very first product—online search— the clearest privacy alternative is DuckDuckGo. The privacy-focused service does not track users’ searches, and it does not build individualized profiles of its users to deliver unique results.

Even without monetizing users’ data, DuckDuckGo has been profitable since 2014, said community manager Daniel Davis.

“At DuckDuckGo, we’ve been able to do this with ads based on context (individual search queries) rather than personalization.”

Davis said that DuckDuckGo’s decisions are steered by a long-held belief that privacy is a fundamental right. “When it comes to the online world,” Davis said, “things should be no different, and privacy by default should be the norm.”

It is time other companies follow suit, Davis said.

“Control of one’s own data should not come at a price, so it’s essential that [the] industry works harder to develop business models that don’t make privacy a luxury,” Davis said. “We’re proof this is possible.”

Hopefully, other companies are listening, because it shouldn’t matter whether pay-for-privacy is codified into law—it should never be accepted as an industry practice.

The post Will pay-for-privacy be the new normal? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

New Golang brute forcer discovered amid rise in e-commerce attacks

Malwarebytes - Tue, 02/26/2019 - 16:00

E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externally. Its purpose is to watch for user input, in particular around online shopping carts, and send the perpetrators that data, such as credit card numbers and passwords, in clear text.

Compromising e-commerce sites can be achieved in more than one way. Vulnerabilities in popular Content Management Systems (CMSes) like Magento, as well as in various plugins are commonly exploited these days. But because many website owners still use weak passwords, brute force attacks where multiple logins are attempted are still a viable option.

Our investigation started following the discovery of many Magento websites that were newly infected. We pivoted on the domain name used by the skimmer and found a connection to a new piece of malware that turned out to be a brute forcer for Magento, phpMyAdmin, and cPanel. While we can’t ascertain for sure whether this is how the skimmer was injected, we believe this may be one of many campaigns currently going after e-commerce sites.

Compromised website

The malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. This means that the shopping site had been compromised either via a vulnerability or by brute forcing the administrator password.

The online store is running the Magento CMS and using the OneStepCheckout library to process customers’ shopping carts. As the victim enters their address and payment details, their data is exfiltrated via a POST request with the information in Base64 format to googletagmanager[.]eu. This domain has been flagged before as part of criminal activities related to the Magecart threat groups.

Using VirusTotal Graph, we found a connection between this e-commerce site and a piece of malware written in Golang, more specifically a network query from the piece of malware to the compromised website. Expanding on it, we saw that the malware was dropped by yet another binary written in Delphi. Perhaps more interestingly, this opened up another large set of domains with which the malware communicates.

Payload analysis Delphi downloader

The first part is a downloader we detect as Trojan.WallyShack that has two layers of packing. The first layer is UPX. After unpacking it with the default UPX, we get the second layer: an underground packer using process hollowing.

The downloader is pretty simple. First, it collects some basic information about the system, and then it beacons to the C2. We can see that the domain names for the panels are hardcoded in the binary:

The main goal of this element is to download and run a payload file:

Golang payload

Here the dropped payload installs itself in the Startup folder, by first dumping a bash script in %TEMP%, which is then deployed under the Startup folder. The sample is not packed, and looking inside, we can find artifacts indicating that it was written in Golang version 1.9. We detect this file as Trojan.StealthWorker.GO.

The procedure of reversing will be similar to what we have done before with another Golang sample. Looking at the functions with prefix “main_”,  we can distinguish the functions that were part of the analyzed binary, rather than part of statically-linked libraries.

We found several functions with the name “Brut,” suggesting this piece of malware is dedicated to brute forcing.

This is the malware sample that communicated with the aforementioned compromised e-commerce site. In the following section, we will review how communication and tasks are implemented.

Bot communication and brute forcing

Upon execution, the Golang binary will connect to 5.45.69[.]149. Checking that IP address, we can indeed see a web panel:

The bot proceeds to report the infected computer is ready for a new task via a series of HTTP requests announcing itself and then receiving instructions. You can see below how the bot will attempt to brute force Magento sites leveraging the /downloader/directory point of entry:

Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers. Given that many people are still using weak passwords for authentication, brute forcing can still be an effective method to compromise websites.

Attack timeframe and other connections

We found many different variants of that Golang sample, the majority of them first seen in VirusTotal in early February (hashes available in the IOCs section below).

Checking on some of these other samples, we noticed that there’s more than just Magento brute forcing. Indeed, some bots are instead going after WordPress sites, for example. Whenever the bot checks back with the server, it will receive a new set of domains and passwords. Here’s an example of brute forcing phpMyAdmin:

POST: set_session=&pma_username=Root&pma_password=Administ..&server=1&target= index.php&token= User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

As we were investigating this campaign, we saw a tweet by Willem de Groot noting a recent increase in skimmers related to googletagmanager[.]eutied to Adminer, a database management utility. The shopping site on which we started our research was compromised only a few days ago. Without server logs and the ability to perform a forensic investigation, we can only assume it was hacked in one of many possible scenarios, including the Adminer/MySQL flaw or brute forcing the password.

Multiple weaknesses

There are many different weaknesses in this ecosystem that can be exploited. From website owners not being diligent with security updates or their passwords, to end users running infected computers turned into bots and unknowingly helping to hack web portals.

As always, it is important to keep web server software up-to-date and augment this protection by using a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including the use of the .htaccess file to restrict which IP address is allowed to log in.

Skimmers are a real problem for online shoppers who are becoming more and more wary of entering their personal information into e-commerce websites. While victims may not know where and when theft happened, it does not bode well for online merchants when their platform has been compromised.

Malwarebytes detects the malware used in these attacks and blocks the skimmer gate.

With additional contributions from @hasherezade.

Indicators of Compromise (IOCs)

Skimmer domain

googletagmanager[.]eu

Delphi downloader

cbe74b47bd7ea953268b5df3378d11926bf97ba72d326d3ce9e0d78f3e0dc786

Delphi C2

snaphyteplieldup[.]xyz tolmets[.]info serversoftwarebase[.]com

Golang bruteforcer

fdc3e15d2bc80b092f69f89329ff34b7b828be976e5cbe41e3c5720f7896c140

Similar Golang bruteforcers

46fd1e8d08d06cdb9d91e2fe19a1173821dffa051315626162e9d4b38223bd4a 05073af551fd4064cced8a8b13a4491125b3cd1f08defe3d3970b8211c46e6b2 fdc3e15d2bc80b092f69f89329ff34b7b828be976e5cbe41e3c5720f7896c140 96a5b2a8fdc28b560f92937720ad0dcc5c30c705e4ce88e3f82c2a5d3ad085aa 81bd819f0feead6f7c76da3554c7669fbc294f5654a8870969eadc9700497b82 5e7581e3c8e913fe22d56a3b4b168fd5a9f3f8d9e0d2f8934f68e31a23feabd5 d87b4979c26939f0750991d331896a3a043ecd340940feb5ac6ec5a29ec7b797 36d62acd7aba4923ed71bfd4d2971f9d0f54e9445692b639175c23ff7588f0a7 7db29216bcb30307641b607577ded4a6ede08626c4fa4c29379bc36965061f62 4e18c0b316279a0a9c4d27ba785f29f4798b9bbebb43ea14ec0753574f40a54f 91a696d1a0ef2819b2ebb7664e79fa9a8e3d877bedcb5e99f05b1dc898625ed5 8b1b2dee404f274e90bd87ff6983d2162abee16c4d9868a10b802bd9bcbdbec6 046c5b18ec037ec5fbdd9be3e6ee433df3e4d2987ee59702b52d40e7f278154d 6b79345a2016b2822fd7f7bed51025b848b37e026d4638af59547e67078c913e 181ebf89a32a37752e0fc96e6020aa7af6dbb00ddb7ba02133e3804ac4d33f43 5efd1a27717d3e41281c08f8c048523e43b95300fb6023d34cb757e020f2ff7f 5dccce9b5611781c0edee4fae015119b49ce9eb99ee779e161ec0e75c1c383da

C2 server

5.45.69[.]149:7000

The post New Golang brute forcer discovered amid rise in e-commerce attacks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What K–12 schools need to shore up cybersecurity

Malwarebytes - Tue, 02/26/2019 - 13:00

Crumbling infrastructure. Gaps in curriculum. Antiquated devices. Difficult COPPA laws. Lack of funding. Those are just a few of the obstacles facing K–12 schools looking to adopt technology into their 21st century learning initiatives.

Now add security concerns to the list, and you can see why many schools struggle not only to keep up with consumer technology trends, but also protect against threats that target them.

Despite the uphill battle, schools know the importance of securing their students’ data, and many have found ways to safely incorporate cybersecurity awareness, as well as affordable technologies, to protect that data. We talked with members of the school board, administrators, educators, and security directors to discuss the cybersecurity challenges specific to K–12 schools (both private and public), and what can be done to overcome.

The challenges

In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. However, when we zoomed in to look at the major threats that dominated in 2018, including information-stealing Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.

In addition to K–12 school systems, key academic services, such as the SAT and ACT, are susceptible to data breaches, which can undermine the legitimacy of the college admissions process.

US schools are data-rich targets for cybercriminals, including the names, Social Security Numbers, and email addresses of students, their academic and health records, financial information, and more. According to EdWeek, US K–12 schools have experienced 425 publicly-reported cybersecurity incidents since January 2016; the real number is likely much higher.

Digging into this data, presented on an interactive map from the K–12 Cybersecurity Resource Center (pictured below), schools were most impacted by data breaches (purple flags), phishing attacks (blue), and ransomware infections (yellow).

Map courtesy of the K–12 Cybersecurity Resource Center

Knowing they’re a target for threat actors, which major hurdles must schools jump over in order to shore up their cybersecurity?

The first is lack of professional development. Teachers, administrators, and support staff have access to highly-confidential student data that is housed online, and because they don’t know enough about cybersecurity, they can inadvertently allow for a breach. Yet, professional development is nearly always related to changes in curriculum adoption, school events, and the occasional technology training course on how to use a particular software program or Internet-connected classroom device, such as a smart board.

In a related issue, while students are typically far more tech-savvy than their teachers, they are often not taught fundamental cybersecurity awareness at home.

“We might assume that when students get devices from home, such as phones or tables, there are restrictions put in place or guidelines given, but very often, there are not,” said Tami Espinosa, Principal of Luigi Aprea Elementary School in Gilroy, CA. “We need to be sure to address how to properly use technology, because it is and will be such an integral part of their lives.”

Even if filters or other restrictions are put in place, many students are able to find ways around them, compromising security in the process. If they knew their actions could lead to their student records being accessed and changed, would they be so reckless?

Another challenge for shoring up cybersecurity in K–12 is a lack of funding. In a nutshell, there is none—or at least very little. What is available is usually applied directly to instruction and curriculum, as many in the school community don’t support diverting funds away from core subject areas.

“Cybersecurity isn’t a tangible item that directly impacts instruction, so many staff and community members wouldn’t support money going towards it, especially when facilities need to be fixed, curriculum needs to be purchased, and more support staff is needed,” said Tami Ortiz, a San Francisco Bay Area educator. “Cybersecurity is vital, but invisible.”

In fact, because the district or federal funding often doesn’t come through for cybersecurity, schools looking for funds often have to apply for grants or host fundraising events to subsidize.

Finally, updating infrastructure is a massive obstacle for schools hoping to tighten up security. Pubic schools especially struggle in this area, as it’s expensive to overhaul hardware every few years and requires support staff that can manage and secure not only the devices, but also any data stored on premise or in the cloud. From operating systems to specialized educational software that needs updating, vulnerabilities are rampant and can be easily exploited—and that’s without including negligent staff who might open an unwanted email and infect their machine.

The solutions

To help persuade community members and staff to divert funds, the severity of the situation must be impressed upon them. According to The 2018 State of K–12 Cybersecurity report, nearly half of the reported breaches of the year were caused by students and staff, and 60 percent of them resulted in student data being compromised.

This tells us that awareness is a key factor in combatting breaches, but also that technologies must be deployed in order to safeguard from tech-savvy students looking to get around the protections put in place.

Doron Aronson, Vice President of the Cambrian School Board of Trustees, said that with their limited budgets, school boards look at technology holistically, with security being an important component. There are three main areas they consider when making funding decisions: infrastructure, hardware, and security; instructional practices and professional learning; and digital curriculum, tools, data and assessment. And while security is mentioned only as part of infrastructure, it can actually be incorporated into all three areas. Here’s how:

Infrastructure, hardware, and security 

One of the “easiest” ways that schools can combat data breaches and other cyberattacks is by selecting and deploying cybersecurity solutions that combat threats which have historically targeted schools. IT directors should look for programs with dynamic, behavior-based detection criteria that shield from ransomware, Trojans, and other active malware families. Firewalls, supplementary email security, and encrypted data storage/backup systems provide additional coverage against breaches, phishing, and ransomware attacks.

In addition, developing a cybersecurity policy and incident response plan will help prepare schools in the event of a breach. Bonus points for incorporating a layer of security with top remediation capabilities, so that the aftermath, including restoring backups and cleaning up computers, is relatively painless.

Instructional practices and professional learning

Convince leadership to provide outsourced IT and security services, especially for professional development. Start by partnering outsider trainers with those who know the most—the IT/tech department—and then move on to administration, staff, paraprofessionals, and aides.

Fresno-based educational consultant Alex Chavez advises schools to “get serious about security. Put it on the leadership meeting agenda next to school site safety. Collaborate with the outsourced security to keep up-to-date with the latest threats and best practices.”

If funding for outside awareness training is non-existent, designate or ask for a volunteer to be the cyber coordinator for the school. Look to your community for volunteers: tech-savvy younger teachers, or parents who work in technology or security would be a good place to start.

“Get some trusted outside help,” said John Donovan, Head of Security at Malwarebytes. “Designate someone on your staff to be an internal leader/point of contact, and give them some time and incentives to learn and bring that info to your school—especially if it’s a volunteer position.”

Do the same within your student body. Designate a classroom cyberhero, or select a few older students to be the cyber police for the school. Reward with extra credit, less homework, or a points system within the school for getting swag.

Once staff and volunteers have had some initial training, broaden that training out to the wider school and community by offering both formal and informal lessons, including assembly talks and workshops, and occasionally testing that knowledge through simple, fun exercises.

Digital curriculum, tools, data, and assessment

Putting the infrastructure in place, including the right antivirus software, cybersecurity policies, and support staff (volunteer or professional), plus providing professional development are steps in the right direction to shoring up cybersecurity in our elementary, middle, and high schools. However, perhaps the most important step is knowing what to teach students and teachers alike about cybersecurity hygiene, and how best to teach it.

“My advice would be to make sure there is a plan in place for the intentional teaching of cyber safety,” said Espinosa. “So often we think a lot of this is common sense, however, it is not.”

To that end, we suggest the following best practices, especially relevant to those in education:

  • Install security software on all endpoints in the school environment, including mobile devices teachers may use to check their emails during the day.
  • Beware of phishing emails and other social engineering, such as technical support scams or video game games, aimed at both teachers and students. Look at the sender’s email address and be hyper aware if there are attachments or links within the body of the email asking for personal information.
  • Student data should be backed up and encrypted end-to-end in storage and in transmission.
  • Use or create digital curriculum that is COPPA compliant.
  • Use password managers for any teacher, administrator, or even student accounts.
  • Keep all software and hardware updated regularly. Systems and software that have reached end of life (EOL) and are no longer supported with security updates should be purged and replaced.
How to teach it
  • Incorporate cybersecurity hygiene into digital citizenship discussions, as well as digital literacy learning.
  • Make cybersecurity part of curriculum that aligns to state standards for ELA or even math by assimilating knowledge about threats, hackers, or other online dangers into reading comprehension instruction, word problems, or even project-based learning activities.
  • Create gamified lessons, such as phishing tests.
  • Offer rewards for good cybersecurity hygiene, such as stars or points for logging out of accounts before closing browsers.
  • Assign cybersecurity as a research topic for reports.
Resources

Engaging students in cybersecurity: a primer for educators
Malwarebytes Labs

Stop, Think, Connect
US Department of Homeland Security

Stay Safe Online/National Cyber Security Awareness Month
National Cyber Security Alliance

Privacy and Internet Safety
Common Sense Media

Framework for Improving Critical Infrastructure Cybersecurity
National Institute of Standards and Technology

The post What K–12 schools need to shore up cybersecurity appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (February 18 – 24)

Malwarebytes - Mon, 02/25/2019 - 16:52

Last week on Malwarebytes Labs, we explored the world of crack hunting, gave you a 101 on the world of bots and their threats and advantages, and took a look at some clever phishing scams. We also explained how a Mac fends off malware, posted a handy “lazy person’s guide to cybersecurity,” and dug into some APT action.

Other security news
  • YouTube ran into major problems, specifically, a network of pedophiles. (Source: Wired)
  • Facebook improved location settings: Android users will now find they possess greater control over which information is shared with Facebook. (Source: Facebook)
  • Big extortion, big money: Research reveals “salaries” of up to a quarter of a million dollars in return for getting up to dubious antics online. (Source: The Register)
  • Flaw, blimey: A 19-year-old WinRAR bug was discovered. (Source: CheckPoint)
  • Political infighting leads to data blowout: It’s all very exciting over in the UK, as a major political party reported a former member for alleged breach-related activity. (Source: The Guardian)
  • Collection leaks and compromised passwords: How to steer clear of trouble related to the ongoing “Collection” dumps. (Source: Help Net Security)
  • An egg in this trying time: A malware campaign offers up an eggy attack targeting job seekers. (Source: Proofpoint)
  • ATM hacking: A look at how easy ATM shenanigans has become. (Source: Wired)
  • BabyShark phishing: Yes, it’s a spear phishing campaign called BabyShark. (Source: ZDNet)
  • Wi-Fi and social engineering: A look at some of the most common social engineering tricks deployed against networks. (Source: Security Boulevard)

Stay safe, everyone!

The post A week in security (February 18 – 24) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Max Schrems: lawyer, regulator, international man of privacy

Malwarebytes - Mon, 02/25/2019 - 16:00

Almost one decade ago, disparate efforts began in the European Union to change the way the world thinks about online privacy.

One effort focused on legislation, pulling together lawmakers from 28 member-states to discuss, draft, and deploy a sweeping set of provisions that, today, has altered how almost every single international company handles users’ personal information. The finalized law of that effort—the General Data Protection Regulation (GDPR)—aims to protect the names, addresses, locations, credit card numbers, IP addresses, and even, depending on context, hair color, of EU citizens, whether they’re customers, employees, or employers of global organizations.

The second effort focused on litigation and public activism, sparking a movement that has raised at least nearly half a million dollars to fund consumer-focused lawsuits meant to uphold the privacy rights of EU citizens, and has resulted in the successful dismantling of a 15-year-old intercontinental data-transfer agreement for its failure to protect EU citizens’ personal data. The 2015 ruling sent shockwaves through the security world, and forced companies everywhere to scramble to comply with a regulatory system thrown into flux.

The law was passed. The movement is working. And while countless individuals launched investigations, filed lawsuits, participated in years-long negotiations, published recommendations, proposed regulations, and secured parliamentary approval, we can trace these disparate yet related efforts back to one man—Maximilian Schrems.

Remarkably, as the two efforts progressed separately, they began to inform one another. Today, they work in tandem to protect online privacy. And businesses around the world have taken notice.

The impact of GDPR today

A Portuguese hospital, a German online chat platform, and a Canadian political consultancy all face GDPR-related fines issued last year. In January, France’s National Data Protection Commission (CNIL) hit Google with a 50-million-euros penalty—the largest GDPR fine to date—after an investigation found a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

The investigation began, CNIL said, after it received legal complaints from two groups: the nonprofit La Quadrature du Net and the non-governmental organization None of Your Business. None of Your Business, or noyb for short, counts Schrems as its honorary director. In fact, he helped crowdfund its launch last year.

Outside the European Union, lawmakers are watching these one-two punches as a source of inspiration.

When testifying before Congress about a scandal involving misused personal data, the 2016 US presidential election, and a global disinformation campaign, Facebook CEO Mark Zuckerberg repeatedly heard calls to regulate his company and its data-mining operations.

“The question is no longer whether we need a federal law to protect consumers privacy,” said Republican Senator John Thune of South Dakota. “The question is what shape will that law take.”

Democratic Senator Mark Warner of Virginia put it differently: “The era of the Wild West in social media is coming to an end.”

A new sheriff comes to town

In 2011, Schrems was a 23-year-old law student from Vienna, Austria, visiting the US to study abroad. He enrolled in a privacy seminar at the Santa Clara University School of Law where, along with roughly 22 other students, he learned about online privacy law from one of the field’s notable titans.

Professor Dorothy Glancy practiced privacy law before it had anything to do with the Internet, cell phones, or Facebook. Instead, she navigated the world of government surveillance, wiretaps, and domestic spying. She served as privacy counsel to one of the many subcommittees that investigated the Watergate conspiracy.

Later, still working for the subcommittee, she examined the number of federal agency databases that contained people’s personally identifiable information. She then helped draft the Privacy Act of 1974, which restricted how federal agencies collected, used, and shared that information. It is one of the first US federal privacy laws.

The concept of privacy has evolved since those earlier days, Glancy said. It is no longer solely about privacy from the government. It is also about privacy from corporations.

“Over time, it’s clear that what was, in the 70s, a privacy problem in regards to Big Brother and the federal government, has now gotten so that a lot of these issues have to do with the private [non-governmental] collection of information on people,” Glancy said.

In 2011, one of the biggest private, non-governmental collectors of that information was Facebook. So, when Glancy’s class received a guest presentation from Facebook privacy lawyer Ed Palmieri, Schrems paid close attention, and he didn’t like what he heard.

For starters, Facebook simply refused to heed Europe’s data privacy laws.

Speaking to 60 Minutes, Schrems said: “It was obviously the case that ignoring European privacy laws was the much cheaper option. The maximum penalty, for example, in Austria, was 20,000 euros. So, just a lawyer telling you how to comply with the law was more expensive than breaking it.”

Further, according to Glancy, Palmieri’s presentation showed that Facebook had “absolutely no understanding” about the relationship between an individual’s privacy and their personal information. This blind spot concerned Schrems to no end. (Palmieri could not be reached for comment.)

“There was no understanding at all about what privacy is in the sense of the relationship to personal information, or to human rights issues,” Glancy said. “Max couldn’t quite believe it. He didn’t quite believe that Facebook just didn’t understand.”

So Schrems investigated. (Schrems did not respond to multiple interview requests and he did not respond to an interview request forwarded by his colleagues at Noyb.)

Upon returning to Austria, Schrems decided to figure out just how much information Facebook had on him. The answer was astonishing: Facebook sent Schrems a 1,200-page PDF that detailed his location history, his contact information, information about past events he attended, and his private Facebook messages, including some he thought he had deleted.

Shocked, Schrems started a privacy advocacy group called “Europe v. Facebook” and uploaded redacted versions of his own documents onto the group’s website. The revelations touched a public nerve—roughly 40,000 Europeans soon asked Facebook for their own personal dossiers.

Schrems then went legal. With Facebook’s international headquarters in Ireland, he filed 22 complaints with Ireland’s Data Protection Commissioner, alleging that Facebook was violating EU data privacy law. Among the allegations: Facebook didn’t really “delete” posts that users chose to delete, Facebook’s privacy policy was too vague and unclear to constitute meaningful consent by users, and Facebook engaged in illegal “excessive processing” of user data.

The Irish Data Protection Commissioner rolled Schrems’ complaints into an already-running audit into Facebook, and, in December 2011, released non-binding guidance for the company. Facebook’s lawyers also met with Schrems in Vienna for six hours in February 2012.

And then, according to Schrems’ website, only silence and inaction from both Facebook and the Irish Data Protection Commissioner’s Office followed. There were no meaningful changes from the company. And no stronger enforcement from the government.

Frustrating as it may have been, Schrems kept pressing. Luckily, according to Glancy, he was just the right man for the job.

“He is innately curious,” Glancy said. “Once he sees something that doesn’t quite seem right, he follows it up to the very end.”

Safe Harbor? More like safety not guaranteed

On June 5, 2013, multiple newspapers exposed two massive surveillance programs in use by the US National Security Agency. One program, then called PRISM (now called Downstream), implicated some of the world’s largest technology companies, including Facebook.

Schrems responded by doing what he did best: He filed yet another complaint against Facebook—his 23rd—with the Irish Data Protection Commissioner. Facebook Ireland, Schrems claimed, was moving his data to Facebook Inc. in the US, where, according to The Guardian, the NSA enjoyed “mass access” to user data. Though Facebook and other companies denied their participation, Schrems doubted the accuracy of these statements.

“There is probable cause to believe that ‘Facebook Inc’ is granting the NSA mass access to its servers that goes beyond merely individual requests based on probable cause,” Schrems wrote in his complaint. “The statements by ‘Facebook Inc’ are in light of the US laws not credible, because ‘Facebook Inc’ is bound by so-called ‘gag orders.’”

Schrems argued that, when his data left EU borders, EU law required that it receive an “adequate level of protection.” Mass surveillance, he said, violated that.

The Irish Data Protection Commissioner disagreed. The described EU-to-US data transfer was entirely legal, the Commissioner said, because of Safe Harbor, a data privacy carve-out approved much earlier.

In 1995, the EU adopted the Data Protection Directive, which, up until 2018, regulated the treatment of EU citizens’ personal data. In 2000, the European Commission approved an exception to the law: US companies could agree to a set of seven principles, called the Safe Harbor Privacy Principles, to allow for data transfer from the EU to the US. This self-certifying framework proved wildly popular. For 15 years, nearly every single company that moved data from the EU to the US relied, at least briefly, on Safe Harbor.

Unsatisfied, Schrems asked the Irish High Court to review the Data Protection Commissioner’s inaction. In October 2013, the court agreed. Schrems celebrated, calling out the Commissioner’s earlier decision.

“The [Data Protection Commissioner] simply wanted to get this hot potato off his table instead of doing his job,” Schrems said in a statement at the time. “But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it.”

Less than one year later, the Irish High Court came back with its decision—the Court of Justice for the European Union would need to review Safe Harbor.

On March 24, 2015, the Court heard oral arguments for both sides. Schrems’ legal team argued that Safe Harbor did not provide adequate protection for EU citizen’s data. The European Commission, defending the Irish DPC’s previous decision, argued the opposite.

When asked by the Court how EU citizens might best protect themselves from the NSA’s mass surveillance, the lawyer arguing in favor of Safe Harbor made a startling admission:

“You might consider closing your Facebook account, if you have one,” said Bernhard Schima, advocate for the European Commission, all but admitting that Safe Harbor could not protect EU citizens from overseas spying. When asked more directly if Safe Harbor provided adequate protection of EU citizens’ data, the European Commission’s legal team could not guarantee it.

On September 23, 2015, the Court’s advocate general issued his initial opinion—Safe Harbor, in light of the NSA’s mass surveillance programs, was invalid.

“Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights [to respect for privacy and family life and protection of personal data,]” the opinion said.

Less than two weeks later, the entire Court of Justice agreed.

Ever a lawyer, Schrems responded to the decision with a 5,500-word blog post (assigned a non-commercial Creative Commons public copyright license) exploring current data privacy law, Safe Harbor alternatives, company privacy policies, a potential Safe Harbor 2.0, and mass surveillance. Written with “limited time,” Schrems thanked readers for pointing out typos.

The General Data Protection Regulation

Before the Court of Justice struck down Safe Harbor, before Edward Snowden shed light on the NSA’s mass surveillance, before Schrems received a 1,200-page PDF documenting his digital life, and before that fateful guest presentation in professor Glancy’s privacy seminar at Santa Clara University School of Law, a separate plan was already under way to change data privacy.

In November 2010, the European Commission, which proposes legislation for the European Union, considered a new policy with a clear goal and equally clear title: “A comprehensive approach on personal data protection in the European Union.”

Many years later, it became GDPR.

During those years, the negotiating committees looked to Schrems’ lawsuits as highly informative, Glancy said, because Schrems had successfully proven the relationship between the European Charter of Fundamental Human Rights and its application to EU data privacy law. Ignoring that expertise would be foolish.

“Max [Schrems] was a part of just about all the committees working on [GDPR]. His litigation was part of what motivated the adoption of it,” Glancy said. “The people writing the GDPR would consult him as to whether it would solve his problems, and parts of the very endless writing process were also about what Max [Schrems] was not happy with.”

Because Schrems did not respond to multiple interview requests, it is impossible to know his precise involvement in GDPR. His Twitter and blog have no visible, corresponding entries about GDPR’s passage.

However, public records show that GDPR’s drafters recommended several areas of improvement in the year before the law passed, including clearer definitions of “personal information,” stronger investigatory powers to the EU’s data regulators, more direct “data portability” to allow citizens to directly move their data from one company to another while also obtaining a copy of that data, and better transparency in how EU citizens’ online profiles are created and targeted for ads.

GDPR eventually became a sweeping set of 99 articles that tightly fasten the collection, storage, use, transfer, and disclosure of data belonging to all EU citizens, giving those citizens more direct control over how their data is treated.

For example, citizens have the “right to erasure,” in which they can ask a company to delete the data collected on them. Citizens also have the “right to access,” in which companies must provide a copy of the data collected on a person, along with information about how the data was collected, who it is shared with, and why it is processed.

Approved by a parliamentary vote in April 2016, GDPR took effect two years later.

GDPR’s immediate and future impact

On May 23, 2018, GDPR’s arrival was sounded not by trumpets, but by emails. Facebook, TicketMaster, eBay, PricewaterhouseCoopers, The Guardian, Marriott, KickStarter, GoDaddy, Spotify, and countless others began their public-facing GDPR compliance strategies by telling users about updated privacy policies. The email deluge inspired rankings, manic tweets, and even a devoted “I love GDPR” playlist. The blitz was so large, in fact, that several threat actors took advantage, sending fake privacy policy updates to phish for users’ information.

Since then, compliance looks less like emails and more like penalties.

Early this year, Google received its €50 million ($57 million) fine out of France. Last year, a Portuguese hospital received a €400,000 fine for two alleged GDPR violations. Because of a July 2018 data breach, a German chat platform got hit with a €20,000 fine. And in the reported first-ever GDPR notice from the UK, Canadian political consultancy—and murky partner to Cambridge Analytica—AggregateIQ received a notice about potential fines of up to €20 million.

To Noyb, the fines are good news. Gaëtan Goldberg, a privacy lawyer with the NGO, said that data privacy law compliance has, for many years, been lacking. Hopefully GDPR, which Goldberg called a “major step” in protecting personal data, can help turn that around, he said.

“[We] hope to see strong enforcement measures being taken by courts and data protection authorities around the EU,” Goldberg said. “The fine of 50 [million] euros the French CNIL imposed on Google is a good start in this direction.”

The future of data privacy

Last year, when Senator Warner told Zuckerberg that “the era of the Wild West in social media is coming to an end,” he may not have realized how quickly that would come true. In July 2018, California passed a statewide data privacy law called the California Consumer Privacy Act. Months later, three US Senators proposed their own federal data privacy laws. And just this month, the Government Accountability Office recommended that Congress pass a data privacy law similar to GDPR.

Data privacy is no longer a concept. It is the law.

In the EU, that law has released a torrent of legal complaints. Hours after GDPR came into effect, Noyb lodged a series of complaints against Google, Facebook, Instagram, and WhatsApp.

Goldberg said the group’s legal complaints are one component of meaningful enforcement on behalf of the government. Remember: Google’s massive penalty began with an investigation that the French authorities said started after it received a complaint from Noyb.

Separately, privacy group Privacy International filed complaints against Europe’s data-brokers and advertising technology companies, and Brave, a privacy-focused web browser, filed complaints against Google and other digital advertising companies.

Google and Facebook did not respond to questions about how they are responding to the legal complaints. Facebook also did not respond to questions about its previous legal battles with Schrems.

Electronic Frontier Foundation International Director Danny O’Brien wrote last year that, while we wait for the results of the above legal complaints, GDPR has already motivated other privacy-forward penalties and regulations around the world:

“In Italy, it was competition regulators that fined Facebook ten million euros for misleading its users over its personal data practices. Brazil passed its own GDPR-style law this year; Chile amended its constitution to include data protection rights; and India’s lawmakers introduced a draft of a wide-ranging new legal privacy framework.”

As the world moves forward, one man—the one who started it all—might be conspicuously absent. Last year, Schrems expressed a desire to step back from data privacy law. If anything, he said, it was time for others to take up the mantle.

“I know I’m going to be deeply engaged, especially at the beginning, but in the long run [Noyb] should absolutely not be Max’s personal NGO,” Schrems told The Register in a January 2018 interview. Asked to clarify about his potential future beyond privacy advocacy, Schrems said: “It’s retirement from the first line of defense, let’s put it that way… I don’t want to keep bringing cases for the rest of my life.”

Surprisingly, for all of Schrems’ public-facing and public-empowering work, his interviews and blog posts sometimes portray him as a deeply humble, almost shy individual, with a down-to-earth sense of humor, too. When asked during a 2016 podcast interview if he felt he would be remembered in the same vein as Edward Snowden, Schrems bristled.

“Not at all, actually,” Schrems said. “What I did is a very conservative approach. You go to the courts, you have your case, you bring it and you do your thing. What Edward Snowden did is a whole different ballgame. He pretty much gave up his whole life and has serious possibilities to some point end up in a US prison. The worst thing that happened to me so far was to be on that security list of US flights.”

During the same interview, Schrems also deflected his search result popularity.

“Everyone knows your name now,” the host said. “If you Google ‘Schrems,’ the first thing that comes up is ‘Max Schrems’ and your case.”

“Yeah but it’s also a very specific name, so it’s not like ‘Smith,’” Schrems said, laughing. “I would have a harder time with that name.”

If anything, the popularity came as a surprise to Schrems. Last year, in speaking to Bloomberg, he described Facebook as a “test case” when filing his original 22 complaints.

“I thought I’d write up a few complaints,” Schrems said. “I never thought it would create such a media storm.”

Glancy described Schrems’ initial investigation into Facebook in much the same way. It started not as a vendetta, she said, but as a courtesy.

“He started out with a really charitable view of [Facebook],” Glancy said. “At some level, he was trying to get Facebook to wake up and smell the coffee.”

That’s the Schrems that Glancy knows best, a multi-faceted individual who makes time for others and holds various interests. A man committed to public service, not public spotlight. A man who still calls and emails her with questions about legal strategy and privacy law. A man who drove down the California coast with some friends during spring break. Maybe even a man who is tired of being seen only as a flag-bearer for online privacy. (He describes himself on his Twitter profile as “(Luckily not only) Law, Privacy and Politics.)

“At some level, he considers himself a consumer lawyer,” Glancy said. “He’s interested in the ways in which to empower the little guy, who is kind of abused by large entities that—it’s not that they’re targeting them, it’s that they just don’t care. [The people’s] rights are not being taken account of.”

With GDPR in place, those rights, and the people they apply to, now have a little more firepower.

The post Max Schrems: lawyer, regulator, international man of privacy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The Advanced Persistent Threat Files: APT1

Malwarebytes - Fri, 02/22/2019 - 17:59

We’ve heard a lot about Advanced Persistent Threats (APTs) over the past few years. As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target.

While the targets may be anyone or anything—a person, business, or other organization—APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. Starting with Mandiant’s APT1 report in 2013, there’s been a continuous stream of exposure of nation-state hacking at scale.

Cybersecurity companies have gotten relatively good at observing and analyzing the tools and tactics of nation-state threat actors; they’re less good at placing these actions in context sufficient enough for defenders to make solid risk assessments. So we’re going to take a look at a few APT groups from a broader perspective and see how they fit into the larger threat landscape.

Today, we’re looking at APT1. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.)

Who is APT1?

APT1 has been identified by various parties as unit 61398 of the People’s Liberation Army. They were one of the first APT groups to be publicly named, in a report released by Mandiant (now owned by FireEye) in 2013. APT1 was noted for wide scale and high volume collection, targeting roughly 150 mostly English-speaking companies at time of reporting.

Targeting industries noted as internal development areas by China’s 12th 5 year plan, APT 1 was notable in contrast to more familiar threat groups by their persistence (average observed persistence on target was 356 days), and their ability to compromise a target using multiple attack vectors.

Malware commonly deployed

APT1 is known for deploying the following malware:

  • Poison Ivy
  • Custom backdoors delivered by spear phish
  • Mimikatz
  • SeaSalt

NOTE: It’s generally inappropriate to attribute an attack based solely on the malware deployed. APT actors do not operate in a vacuum; they’re capable of collaborating with each other, as well as selling malware to other groups upon conclusion of an ops cycle.

Should you be worried?

Probably not. After a catastrophic OPSEC failure like the Mandiant report, it’s highly unlikely that the group still exists in the form originally disclosed. Disclosure of specific threat actors in the unit, as well as the unit’s physical location and infrastructure, eroded their counterintelligence posture such that it would be difficult to continue network operations without significant changes.

In 2015, President Obama and Xi Jinping met to discuss how both countries would address cyber espionage. Since that time, broad spectrum indiscriminate collection of the type APT1 engaged in has since waned in favor of targeted attacks, or upstream targeting of service providers to high value targets. If you do not belong to a cleared government contracting company, a large scale telecom, or a law firm providing services to either of the above, you most likely do not face a significant threat from any Chinese APT group.

What might they do next?

Probably not much, due to both political priority changes, and counterintelligence failures exposing experienced operators. However, in October 2018, Mcafee released a report on code reused from an APT1 backdoor employed to launch attacks against targets in the US, South Korea, and Canada. Differences in TTPs suggest this is not an APT1 operation, but instead a new campaign that is reusing old code from a variety of sources.

Given that APT1 themselves were no longer able to operate with impunity, it seems reasonable that they would disseminate tools to threat actor groups with better counterintelligence postures.

Additional resources

Mandiant report on APT1

Mysterious return of years-old Chinese malware

IOC samples historically associated with APT1

The post The Advanced Persistent Threat Files: APT1 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

The lazy person’s guide to cybersecurity: minimum effort for maximum protection

Malwarebytes - Thu, 02/21/2019 - 17:00

Are you tired of that acquaintance who keeps bugging you with computer questions? Do you avoid visiting certain people because you know you will spend most of the evening cleaning up their machine?

My uncle Bob is one of those people. He’s a nice guy, but with computers, he’s not just an accident waiting to happen—he’s an accident waiting to become a catastrophe. To keep Uncle Bob’s computer safe without blowing up the Internet, we need to give him the simplest of instructions that result in protecting him against as much as possible. Uncle Bob needs a lazy person’s guide to cybersecurity.

It’s not that Uncle Bob is lazy. It’s that he’s overwhelmed by the amount of stuff he has to do to keep his data and devices secure. Multiple passwords, reading through EULAs, website cookies that he clicks “agree” to without really paying attention—they’re giving him a serious case of security fatigue. And as his helper, you’re probably pretty over it, too.

The funny thing is, with adequate cybersecurity, Uncle Bob’s—and by extension all of our—problems would be much less frequent and less severe. So, let’s see if we can work out a system of minimum effort that renders reasonable results.

Before we begin, we will should note that lazy cybersecurity should not apply to devices used to store sensitive data, conduct financial transactions, or communicate confidential or proprietary information. Lazy security is a good way to protect those who prefer to do nothing rather than be overwhelmed by 50 somethings, but it shouldn’t have severe consequences if it goes wrong.

User education

Your first step should always be user education. So many of today’s most dangerous threats are delivered through social engineering, i.e., by tricking users into giving up their data or downloading the malware themselves from an infected email attachment. Therefore, knowing what not to click on and download can keep a good portion of threats off a lazy person’s device.

With most people, it helps to know why they shouldn’t download or click on links in emails that look like they came from a legitimate institution. Just telling them “don’t do that” may help for a bit, but advice is better retained if it’s grounded in practical reasoning. Therefore, each item in this list is accompanied by a brief explanation.

  • Do not click on links asking to fill out your personal information. Your financial institutions will not send emails with links to click, especially if those links are asking you to update personally identifiable information (PII). If a website promises you something in return for filling out personal data, they are phishing. In return for your data, you will probably get lots more annoying emails, possibly an infection, and no gift.
  • Don’t fall for too-good-to-be-true schemes. If you get offered a service, product, game, or other tantalizing option for free, and it is unclear how the producers of said service or item are making money, don’t take it. Chances are, you will pay in ways that are not disclosed with the bargain, including sitting through overly-obnoxious ads, paying for in-game or in-product purchases, or being bombarded with marketing emails or otherwise awful user experiences.
  • Don’t believe the pop-ups and phone calls saying your computer is infected. Unsolicited phone calls and websites that do so are tech support scams. The only programs that can tell if you have an infection are security platforms that either come built into your device or antivirus software that you’ve personally purchased or downloaded. Think about it: Microsoft does not monitor billions of computers to call you as soon as they notice a virus on yours.
  • Don’t download programs that call themselves system optimizers. We consider these types of software, including driver updaters and registry cleaners, potentially unwanted programs. Why? They do nothing helpful—instead, they often take over browser home pages, redirect to strange landing pages, add unnecessary toolbars, and even serve up a bunch of pop-up ads. While not technically dangerous themselves, they let a lot of riff raff in the door.
  • Never allow web push notifications. I have yet to find a useful reason for these, beyond advertising.

Beyond staying away from “allow” and “download” buttons, and steering clear of links asking for PII, users who conduct any kind of financial transaction on their machines, be it online shopping or banking, should approach those transactions with extreme caution. Here’s where we ask users to take action, looking for security clues and doing a little research before paying that bill or buying that new book.

  • Use a designated browser you trust. This needn’t be for all surfing, but for purchasing especially, research the different browsers and see which one you feel safest with, whether that’s because they have few vulnerabilities, don’t track your surfing behavior, or encrypt all communication. Major browsers such as Firefox, Safari, and Chrome have strengths and weaknesses they bring to the game, so it’s a matter a personal preference. We do suggest staying away from older browsers rife with security holes, such as Internet Explorer.
  • Look for HTTPS and the green padlock. No, it’s no longer a guarantee that the site is safe just because it has a green padlock, but it does mean the communication is encrypted. If you combine that with being on the true website of a trusted vendor, you can breathe easier knowing your payment details cannot be intercepted in transit.
  • Use a password manager. Simple as that. Passwords are a real problem, as users tend to re-use the same ones across multiple accounts, keep old ones laying around because they’re the only ones they can remember, or write them down somewhere they can be easily found. No need for 27 different passwords. Just one manager, preferably with multi-factor authentication. (Bonus points for healthcare or bank organizations with logins that use physical or behavioral biometrics.)

This could turn out to be too confusing for the Uncle Bobs of this world, however. If so, best to point them in the direction of brick-and-mortar stores for shopping, the checkbook for paying bills, and the actual bank to conduct other financial business.

How to set up a system for a non-tech-savvy person

Perhaps Uncle Bob can only manage so much security education before feeling overburdened with technical knowledge. In that case, it helps for a tech-savvy friend or relative to pitch in and tighten up a few things on the backend.

Hardware

First of all, if someone is looking for a new computer for non-sensitive purposes, such as browsing, social media, games, and some basic email or chat functions, you can chime in with recommendations. For someone not invested in heavy gaming, a Chromebook would be a good option, as it will save them some money and can perform all those functions, plus any browser-based gaming. However, someone with an interest in PC gaming will likely need an entirely different OS and an intense graphics card (and therefore lots of protection against cryptominers). Meanwhile, Macs are good options for users looking to get into graphic design.

Software

Installing software on a system usually comes with the task of having to keep it up-to-date. Therefore, any software programs that Uncle Bob selects should minimize the potential pitfalls.

When Uncle Bob is shopping for software, recommend he finds programs that have a self-updating function. We know this isn’t always recommended in a work environment, but for the lazy security person, it’s perfect. One less thing to worry about.

In addition, selecting software that allows users to minimize notifications to only dire warnings will keep Uncle Bob from getting confused. Notifications coming from programs can have strange effects on the less computer savvy for several reasons:

  • They don’t understand to which program they belong, which takes away the context for them.
  • The text in the notifications is designed to be short, not always maximized for clarity.
  • Technical terms used in the notification are unknown to the receiver.

Their reactions may vary. Some will simply click until they disappear. This is the behavior that usually gets them into trouble, so you don’t want to give them another reason to click–click–click away. Others may get worried and call for backup immediately, asking what’s wrong and why they are getting this “pop-up.” So, any software that can be set to only issue a warning when something is really amiss deserves another plus.

Browser add-ons

There are some secure browsers out there that value your privacy, but I’m pretty sure my Uncle Bob does not like using them. There is a learning curve involved that may not seem steep to you and me, but my uncle Bob…you know what I mean. But there is hope on the horizon. Some of the more user-friendly browsers can be equipped with extensions/add-ons/plugins that boost security by adding an extra protective layer.

There are browser extensions that can make your browser more secure by:

Read: How to tighten security and increase privacy on your browser

It’s a fine line

Everyone deserves to experience a safe Internet, but unfortunately, this is not always easy to accomplish. Peoples’ skill-sets and levels of experience differ, as does their tolerance for bad news—or any news at all! What comes naturally to some can be downright overwhelming for others. While you might wish that Uncle Bob could have his computer license revoked, it’s better to sit him down and show him basic survival skills—all the better to not only protect himself, but others from dangers lurking on the web.

And if you go that one step further and help those less tech-savvy folks in your life by setting up some automated support in the background, you’ll save them time and and money having to run repairs or clean up an infected machine.

We always sign off by telling our readers to stay safe. This time, stay safe…and help your friends do the same.

The post The lazy person’s guide to cybersecurity: minimum effort for maximum protection appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How does macOS protect against malware?

Malwarebytes - Thu, 02/21/2019 - 16:00

Mac users often are told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.

Quarantine

macOS has a feature that is called Quarantine. Any time a file is downloaded from the Internet, it gets marked with a Quarantine “flag.” When you try to open a downloaded app with this flag set, macOS will kick off a whole bunch of checks.

If all of those checks are successful, macOS will display a message alerting you that you’re opening an application downloaded from the Internet, which you’ll have to allow if you want to use the file. (macOS flashes this message to users to display the true nature of the file, in case it was disguised as another type, for example, an app disguised as a document.)

Once the app has been opened successfully for the first time, the Quarantine flag is removed, and these checks won’t be repeated again.

Some of the other protection features in macOS depend on Quarantine, and unfortunately, there are some ways that apps can get onto your hard drive without being marked with a Quarantine flag. Some examples:

  • Not all apps will properly set a Quarantine flag on files they download; torrent apps and malicious downloaders are two good examples.
  • Copying an app to another Mac after the Quarantine flag has been removed will result in the app not being quarantined on the second Mac.
  • Copying a file to a non-Mac file share or a USB flash drive that is not Mac formatted will result in the Quarantine flag being lost.
  • Vulnerabilities that enable creation of files without going through legitimate download methods allow for flagless apps on the hard drive.
Gatekeeper

Rewind back to when an app is downloaded from the Internet, and a Quarantine flag has been planted. The first of the checks conducted on a quarantined app is a check of the app’s code signature.

A code signature is a bit of cryptographic data that identifies the creator of the app and can be used to determine whether the app has been tampered with. It depends on a certificate obtained from Apple, as part of a $99 developer account.

If the code signature indicates that the app has been tampered with, or that the certificate used to create the signature has been revoked by Apple, macOS won’t allow the app to run at all.

Unfortunately, Gatekeeper is not infallible, and its biggest weakness is Quarantine itself. Gatekeeper checks do not happen for apps that are not quarantined, which includes apps that were quarantined, but have already been opened at least once and are thus no longer quarantined.

This means that an innocent-looking app could download all kinds of malicious processes in the background once installed, and those processes would not be subject to Gatekeeper checks. Similarly, if you had run a malicious app on your computer, and some time later Apple revoked the developer certificate used for its code signature, the app would continue to run on your Mac because code signature checks only happen for quarantined apps as part of Gatekeeper.

This also means that malware could maliciously modify apps on your Mac, which would make the malware devilishly hard to find and remove.

XProtect

A hidden feature of the system that you’d never know was there, XProtect is a basic anti-malware feature also tied to Quarantine. XProtect has a relatively small number of rules for identifying known malicious apps, and every quarantined app that you attempt to open is run past XProtect first. If it matches any of the rules, macOS will not allow you to open it.

XProtect suffers from the same problems as Gatekeeper, in that it can’t protect against anything that doesn’t have a Quarantine flag. There’s a bigger problem, however: at the time of this writing, the most recent rule added to XProtect was on March 13, 2018. So it’s missing rules for nearly an entire year of new malware! The future of XProtect is unclear, but it’s definitely not protecting you against current threats.

Malware Removal Tool

In 2012, a series of attacks on macOS through vulnerabilities in Java resulted in malware being installed simply by visiting a website. Since this bypassed Quarantine, it was not something that the security measures in macOS at that time were equipped to deal with. Thus, Apple silently created the Malware Removal Tool, or MRT.

The MRT is a black box. Nobody really knows exactly how or when it works, and it runs silently, without any notifications to the person using the computer. Its sole purpose is to remove known malware that has gotten onto the computer.

Like XProtect, MRT recognizes only known malware via what appear to be hard-coded rules inside the MRT code. Nobody really knows how those rules work, and lately Apple has taken to obfuscating the malware name strings in the MRT code, so we can’t tell what it’s capable of detecting, either.

There’s no malware called OSX.28a9883.A, but that’s what Apple’s calling it

Unfortunately, MRT has not seen many updates lately that can be identified easily. Because it’s such a black box, it’s impossible to know, but it certainly doesn’t look like it is capable of detecting much recent malware.

System Integrity Protection

Abbreviated as SIP, this feature protects the core system files from modification. Also referred to as “rootless,” this SIP works by preventing all users, including the all-powerful root user, from changing a large number of restricted files on the system. Only certain pieces of Apple software can make changes to these files. This feature can only be turned off by rebooting the computer into recovery mode and entering an arcane command in the Terminal, which is not something the average person is likely to do.

Although SIP caused problems for some software at the time of its introduction, it has proven to be an excellent security measure, ensuring that the system files cannot be tampered with.

thomas$ sudo mkdir /System/blah Password: mkdir: /System/blah: Operation not permitted

As a result, some people believe that SIP plays a role in preventing malware from infecting Macs. Unfortunately, that’s not the case. Even before SIP, only some malware made changes to the files that are now protected by SIP. Malware can infect a Mac quite easily without doing that, and without even needing root permissions. This means SIP does nothing to prevent malware from invisibly infecting your Mac if you make the mistake of opening the wrong app.

Transparency, Consent, and Control

This mouthful is shortened simply to TCC, and it is a new feature of macOS 10.14 (Mojave). TCC protects certain user data against outside access, with the goal of preventing apps from surreptitiously doing things like slurping up your web browsing history.

This is a noble goal, but despite its short life so far, TCC has had some issues. These range in seriousness from a proliferation of permission request dialogs that can cause “dialog fatigue” to vulnerabilities that could allow apps to reach right past TCC and get access to the data anyway.

An example of a TCC dialog. Many people will just click OK to make it go away.

TCC does not prevent malware infection itself. However, it does—when working correctly—prevent malware from gaining access to some of your data. Don’t get too comfortable, though, as malware is still gobbling up unprotected data, such as passwords and credit cards stored in Chrome’s autofill, which is not covered by TCC.

My brain is exploding! What does all this mean?

The good news is that Apple is constantly working on making macOS a safer place. Although security experts are quick to point out holes in the protection features in macOS, your Mac is definitely more secure with them than without them.

However, it’s important to keep in mind that each and every one of these protections does have holes. Malware creators know exactly where those holes are, and are adept (some of them, anyway) at exploiting them. So don’t let your guard down.

In the security world, we like to talk about layers of protection. Having multiple layers is good practice, because if malware gets beyond one or two, it can still be blocked by another layer. With the various holes in current protection features, it makes sense to add another layer of protection to your Mac, such as antivirus software.

Malwarebytes for Mac, for example, can help to plug holes by detecting current threats that XProtect and MRT don’t. With the newly-introduced App Block feature, it can also help plug the holes in Gatekeeper.

So knowing what your Mac is capable of protecting against on its own and where it needs assistance can keep you more secure, whether you’re downloading apps from the Internet or simply taking an extra second to read through those dialog boxes.

The post How does macOS protect against malware? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Sophisticated phishing: a roundup of noteworthy campaigns

Malwarebytes - Wed, 02/20/2019 - 19:21

Phishing is a problem nearly as old as the Internet. Yet, criminals continue to reach into their bag of phishing tricks in 2019 because, in a nutshell, it just works. Dialing into the human psyche and capitalizing on emotions such as fear, anxiety, or plain laziness, phishing attacks are successful because they take aim at our weaknesses and exploit them—in much the same way an exploit kit takes advantage of a vulnerability in a software program.

To understand why phishing attacks continue to work, we look to cutting-edge tactics devised by threat actors to obfuscate their true intentions and capitalize on basic negligence. To that end, we’ve put together a roundup of noteworthy, out-of-the-box phishing campaigns of the last year. Here are the attacks that stood out.

You can’t easily dismiss this one

Myki, makers of the top-rated password manager with the same name, recently discovered a deceptive Facebook phishing scam that is so utterly convincing that it piqued the interest of security researchers.

The hullabaloo began when the company started receiving multiple reports from users that their Myki password manager was refusing to automatically fill a Facebook pop-up window on sites they visited, citing this as a bug.

After further investigation, Myki security researchers realized that it wasn’t a bug, and, in fact, their product was protecting their clients from trusting the purported Facebook pop-up. Below is a video demo of the phishing campaign they were able to unearth and successfully reproduce:

Video demo (Courtesy of Myki)

“[The] Hacker designs a very realistic-looking social login pop-up prompt in HTML,” wrote Antoine Vincent Jebara, Co-founder and CEO of Myki, in a blog post. “The status bar, navigation bar, shadows, and content are perfectly reproduced to look exactly like a legitimate login prompt.”

The fake pop-up looks and feels so real that users can drag and dismiss it like one could with a legitimate pop-up. But while it brings a convincing level of legitimacy to the attack, the pop-up gives the game away once users attempt to drag it out of the page, which can’t happen because the parts touching the edge of the browser window disappear, making users realize that the pop-up is part of the web page itself.

So, the next time you notice that your password manager is acting funny—like, not pre-filling on pop-up windows as you know it’s supposed to—try dragging the pop-up away from your browser. If a section (or mostly all) of it disappears after reaching the browser’s edge, it’s a fake pop-up. Close the page tab immediately!

Phishing by a thousand characters

By any sane standard, a 400- to 1,000-character long URL is overkill. Yet this didn’t stop a phisher from using it in his/her campaign. Not just once but in multiple instances in a phishing campaign email—much to the annoyance of clever recipients.

Screenshot of the kilometric long URL used in the campaign (Courtesy of MyOnlineSecurity)

The extracted URL above was taken from an email purporting to be a notification from the recipient’s email domain, telling them that their account was blacklisted due to multiple login failures. It then instructed recipients to upgrade and verify their email account before the service provider suspends or terminates the account.

No one knows for sure why someone would be crazy enough to attempt this. By now, fraudsters known there are better, more sustainable ways of obfuscating URLs. But alas, hardworking phishers are still out there. It’s not easy copying and pasting all those characters, after all, much less manually typing them out.

Let’s give them an A for effort, shall we? Nevertheless, phishing is no laughing matter, so let’s keep an eye on this one.

(Not) lost in (Google) translation

Online translation services were designed to serve one purpose: translate content from its original language to another. Who would have expected that phishers could use a legitimate Google Translate page as the landing page for users they’re attempting to own?

Screenshot of the phishing email (Courtesy of Akamai)

To: {recipient}
From: Security Accounts <facebook_secur@hotmail[.]com>
Subject: Security Alert
Message body:

Connecting to a new device

[redacted]

A user has just signed in to your Google Account from a new Windows device. We are sending you this email to verify that it is you.

[Consult the activity]

‘Why do this?’ you might wonder. According to Larry Cashdollar, Senior Security Response Engineer from Akamai, in a blog post, “Using Google Translate does some things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.”

He also noted that this kind of tactic could be accepted by targets without suspicion when viewed on a mobile device, as the phishing email and landing page appear more legitimate. When viewed on a laptop or desktop, however, the flaws of this tactic are glaring.

Cashdollar mentioned that this phishing campaign is a two-prong attack, wherein phishers aimed at harvesting Google credentials first and then Facebook credentials next. The domain for the fake Facebook login is not hosted on a Google Translate page, mind you.

“…it’s highly uncommon to see such an attack target two brands in the same session,” Cashdollar further wrote.

For users to avoid falling for such a phish, Cashdollar has this to say: “The best defense is a good offense. That means taking your time and examining the message fully before taking any actions. Does the “from” address match what you’re expecting? Does the message create a curious sense of urgency, fear, or authority, almost demanding you do something? If so, those are the messages to be suspicious of, and the ones most likely to result in compromised accounts.”

Where did the quick brown fox go?

Unfortunately, it was replaced by letters placed in locations they weren’t supposed to so phishers could hide the source code of their landing page to make it look less suspicious.

This was what our friends at Proofpoint found when they encountered a campaign that leveraged custom font files for decoding and hiding content.

This particular phishing attack started off as an email purporting to originate from a major US bank, and when users clicked the link in the email, they were directed to a convincing replica of the bank’s official page, ready and waiting to receive credential input.

The custom font files, namely woff and woff2, installed a substitution cipher, which then replaced the letters users see on the page with other letters in the source code via direct character substitution. So, the text “The quick brown fox…” seen in the normal font file, for example, was “Eht wprcx bivqn fvk…” in the custom font file.

Screenshot of the woff font file (Courtesy of Proofpoint)

Proofpoint noted that the phishing kit may have been available since May 2018, if not earlier.

To combat this tactic and the others noted in this roundup, users must continue sticking to established safe computing protocols, such as not clicking links of emails that are suspicious and visiting bank websites directly from the browser instead of via email.

Businesses can also stay on top of less obvious phishing attacks by incorporating them into employee training programs. Any good anti-phishing plan will use techniques currently being used in the wild (whereas the Nigerian Prince, while still out there, is probably not one you still need to train on.)

As always, stay safe, and stay informed!

The post Sophisticated phishing: a roundup of noteworthy campaigns appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Good bots, bad bots: friend or foe?

Malwarebytes - Wed, 02/20/2019 - 16:00

One of the most talked about technologies online today is the ubiquitous bot. Simultaneously elusive yet also responsible for all of civilisation’s woes, bots are a hot topic of contention. If we went purely by news reports, we’d assume all bots everywhere are evil, and out to get us (or just spreading memes). We’d also assume every single person we ever disagreed with online is a bot. 

It might surprise you to learn that not all bots are bad. You may only hear about the negatives, but they can be a genuine form of assistance for both people at home and in the workplace.

First, let’s pin down exactly what a bot is (and isn’t).

What is a bot?

Good question.

Bots, as we understand them, perform basic or complex tasks at a speed much faster than we humans can. They’re often there to prop up the bits of a process that humans can’t get to, keeping the plates spinning on our behalf.

The ones you’ve probably heard doing good deeds are search engine web crawlers, chatbots in Skype, Slack, or various forms of instant messaging, and even front line support queries for businesses.

The rest? Those could be bad, but their mileage may vary. More areas of business depend upon bots than you may think, and they’re increasingly being used for all manner of tasks. Some benefit people at home, others simply benefit the organisation running them. However they stack up, we’re going to look at some of the more common ones and give you some things to think about. If you’re putting your own bot together, we hope this will help.

Crawlers

Crawlers do exactly what the name suggests: they crawl. They weave their merry way across the Internet, grabbing, analysing, and cataloguing unimaginable amounts of data daily. Without them going about their business, many things we take for granted simply wouldn’t function as well as they do.

For example, search engine crawlers help us to flesh out search engines. If they didn’t do their job and do it well, you might never actually find the thing you were looking for. Search engine crawler stagnation essentially equals the same for your website—stagnation, marooned on an island of “doesn’t live here.” There are some cases where website owners may not want to be crawled, and they can block bot access via the Robots Exclusion Standard.

Robots.txt is a file you can place in your website directory to prevent specific content from being scraped. Essentially, the Robots.txt is itself a form of (ro)bot, politely turning visitors away. Want a specific example? Many people don’t want old versions of their websites recorded for all time. As a result, they may include a line in Robots to exclude Internet Archive to come calling and scrape the content.

Where this method often goes wrong is that the polite turn away is exactly that—too polite.

Rules: meant to be broken

When the bad bots show up, they’re likely to ignore the “we’re full, sorry” notice and just throw a chair through the window. In fact, some security people will suggest not bothering with a Robots.txt at all. The theory is that some rogue entities will deliberately look for it, and then immediately go poking around all the site portions the owner wanted to hide.

“Wait, which bots are the bad bots creeping around the Internet?!” I hear you cry. Well, there’s a lot of them and poor old Robots.txt file probably won’t be much help here. One of the best ways to tell a bad bot from a good one is to examine its behavior. Bad bot behavior includes:

  • Brute force login attempts
  • Content scraping to steal or mirror content
  • Probing for hidden areas
  • Overloading the website with traffic
  • Vulnerability hunting: looking to exploit outdated apps, plugins, or content management systems

Even if you think your website is up-to-date, the server it runs on may not be, which means the bot issue is likely out of your hands. There’s a lot to contend with for a website admin.

Not all is lost, however. You can make use of a variety of scanning tools to mimic bot behaviour and see which form of bad bottery you’re most susceptible to. At that point, you can apply the correct fix as required.

Good, bad, or somewhere in-between

For some people, lines may blur a little between good bots versus bad ones. The most basic of interactions can produce all manner of knock on effects. For example:

Imagine your site is attacked by a content scraper, and all your hard work ends up on a cut and paste merchant’s website. Not cool. You then sign up to a copyright detection bot service, which crawls the web in search of your pilfered text. The scammer running the site has a block in its robots.txt file explicitly requesting the copyright sniffer not to come knocking. At this point, the bot is fully justified in avoiding the polite request to go in, scan the text, then report back to base that someone’s been up to no good. Your bot is now breaking the rules, and you’re tainted with justified wrongdoing forever.

Beating the system

Additionally, search engines can be gamed. SEO poisoning, where rogue links are included in results, was a problem for a long time before major providers started clamping down (with variable success). Even so, there are variations on these attempts. And outside of those, you still have the threat of compromised sites giving bad portals a boost.

If your organisation intends to deploy a web-scraping bot of its own, you may want to keep some of these developments in mind. It’s a fine line between helpful and nuisance, and not all rival bots play nice. It only takes a few mishaps with another org’s service or website, and you’ve got a major PR issue to deal with.

Time for a chat?

Chatbots have been around for a long time. The first was ELIZA, created in 1966 by Joseph Weizenbaum. While he considered ELIZA to highlight the superficiality of human/computer interaction, he was surprised at people attributing human emotions to the dialogue. Wind forward a couple of decades, and you have Roman Mazurenko turned into a chatbot for friends and family to interact with after his tragic early death. Years later, the same questions are being asked in terms of where the line is drawn, and whether such interactions are even healthy.

Many people think of chatbots (at least the good ones) as a recent development. However, chatbots have been used for some time for nefarious purposes—the first thing that springs to mind is pornography spam bots asking for credit card details. Quite often, that association is accompanied by thoughts of of malware and other shenanigans. Spreading out from forums and old-style chatrooms/IRC to instant messaging platforms and social media, bots have improved in their ability to actually help, instead of pilfer data or infect machines.

Often sporting limited phrases and becoming the butt of endless “look at me fool this spam bot” jokes, many businesses didn’t bother to invest in bots because the technology wasn’t there. Nowadays, you’ll find decent bot assistance for everything from shopping portals and banking to utility service providers.

Healthy living

Even Microsoft are in on the action at this point, with their Microsoft Healthcare Bot. This allows providers to customise their own AI-driven bot solution and roll it out to customers and clients. Elsewhere, chat-centric health bots are clearly seen as the future of medical assistance, with everything from therapy to simple daily reminders to take your pills. This view may be a little optimistic, as the potential for incorrect diagnosis or faulty advice is there. Integration with household IoT devices known to occasionally glitch out could increase that possibility. However, this is a clear use-case for mostly maligned bot technology as a force for good.

Fun for all the family?

Chatbots for children/teens are also a big thing now. Many of them are integrated with Facebook messenger, and will allow them to talk some Hearthstone, Marvel, or (for the older bot fans) converse with an AI replica of a dead horror movie character.

Ad fraud

Ad fraud is something that seems to have been around as long as ads themselves. Bots automate the process of clicking ads to provide a bump in income for the person who placed the ad. The more clicks, the more revenue generated. This is most commonly accomplished by infecting as many PCs as possible, then using those PCs to click ads.

There’s been many ad fraud trends over the years. One of the biggest I can remember is the rush to profit from high pay-outs on the word “Mesothelioma,” a rare form of cancer related to asbestos. For this, websites hijacked IE users, infected their PCs, and used instant messaging to send bad links while opening the ads in the unaware user’s browser.

Quite sophisticated, and apart from scale and profit, nothing much has changed. Ad fraud is entirely harmful, and often goes hand-in-hand with malvertising and ransomware attacks. These bots were designed to do bad, and they are accomplishing what they were meant to do.

Snipers in commerce land

Let the bidding wars begin! Automated commerce tools are pretty cut and dry. Not everyone wants web pages crawling, but you aren’t really going to lose out to someone in direct competition. Company X may use chatbots and your business doesn’t, but some customers will prefer the human touch and vice-versa. It isn’t going to make or break anything, particularly.

Where sales are concerned though, it’s pretty black and white. Where cash is involved, anything can happen and usually does. It’s a long time since scammers used bots to “buy” from other bots and bump up fake reputations, and that was quickly replaced in popularity by sniper tools.

Sniping tools have been around for a long time, and are somewhat controversial in seller circles. The basic idea is to give the sniper tool access to your eBay account (or any other bidding service), and at the very last moment before a sale ends, it’ll throw in your bid. Rivals are unable to counter because there’s nothing they can do about an automated service working to nanoseconds instead of a human hammering at a keyboard. So is this bad? For the other users, yes. For eBay as a platform, absolutely. Overall? Remains to be seen.

Fending off the bad bidders

Fixed price sales are a bidding bot’s worst enemy, because there’s nothing to gamble. Take it or leave it at the listed price. Some sites will offer a time extension if a last minute bid comes in, which may or may not help ward off the snipers. One of the biggest drawbacks to sniping is you often must hand over login details to the sniping tool. Do you trust it? Is it safe? Can the people who operate the service see your credentials? All of this and more are natural drawbacks to sniping, and could keep your business on top of those grabbing all the best items.

In the digital space of non-tangible goods, bidding and trading also reigns supreme. Sadly, it comes with major risks. Steam, the video game platform juggernaut, offers its own marketplace. There, you can buy all manner of in-game items, cosmetics, game cards, and so on. Some of these items sell for pennies and cents, others fetch hundreds of pounds and dollars.

A short-lived victory

One enterprising individual made a trading bot for the Steam marketplace, and spent some time  buying low and selling high across three separate Steam accounts. Ultimately, they amassed game items worth $10,000, which included 2,261 Team Fortress 2 keys.

Valve discovered the botting antics, and subsequently banned all accounts and deleted all the items. Yes, all ten thousand dollars’ worth. This is a clear case of gaming the system and would have also arguably impacted others. While this may have caused a few people to grab some items at a lower price, overall, it’s tough to call this one an example of a good bot (except maybe for the creator).

Bots by any other name

Most of our examples are essentially quite crude bots, living out their days simply sniffing the web or making the occasional product bid. There’s a big push for bots on your devices instead of scouring the web, mostly in the form of personal digital assistants. To a large degree, any regular mobile device does a lot of this anyway (Ahem, hi Siri!). Personalising said tasks and wrapping them up under a friendly interface is the name of the game.

As with other bot types, much of the information you’ll come across online is aimed at the bad stuff. That’s fine—it’s usually easier to spot things getting up to no good than invisible processes ticking along in the background harming nobody. Even so, plugging “mobile bots” into Google brings back nothing but bad bots, mobile game hijacks, scams, and more bad stuff. There are a few hints as to how this new realm of bot may play out as a force for good, including some outside of the mobile world, that illustrate the positive directions botting could move in.

While the word “bot” may never quite shake its negative associations, it’s absolutely worth revisiting and re-evaluating the next time your work colleagues mention a cool new bot program they’ve been assigned. Who knows, you may even give them some helpful suggestions to get the ball rolling.

The post Good bots, bad bots: friend or foe? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (February 11 – 17)

Malwarebytes - Mon, 02/18/2019 - 16:30

Last week on Malwarebytes Labs we discussed the return of the Sextortion Bitcoin scams, we gave you an early overview of the exploit kits in the winter of 2019, we talked about the destruction of VFEmail service, for consumers we discussed whether you should remove yourself from social media, for businesses we discussed the implementation of an anti-phishing plan, and the concept of whole team security to relieve overworked IT departments.

  • Security researchers have found that Intel’s Software Guard Extensions (SGX) don’t live up to their name. In fact they can be used to hide pieces of malware that silently masquerade as normal applications. (Source: The Register)
  • A targeted phishing campaign is underway that states your email has been blacklisted and then asks you to confirm it by entering your credentials. For some reason, this campaign is using phishing links that can contain almost 1,000 characters. (Source: BleepingComputer)
  • Malicious actors have been hacking WordPress websites by exploiting vulnerabilities in a fairly popular plugin called WP Cost Estimation & Payment Forms Builder. Developed by Loopus, the plugin allows WordPress website administrators to create cost calculators and payment forms. (Source: SecurityWeek)
  • The Emotet Trojan, a thorn in the side of financial institutions and your average individual alike, is back with new techniques and an upsurge in attacks. In recent campaigns malicious documents containing Emotet are being distributed via URLs hosted on threat actor-owned infrastructure as well as traditional spam email attachments. (Source: ZDNet)
  • In the weeks leading up to Valentine’s Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails. Hackers love the holidays, and Valentine’s Day is no exception. (Source: DarkReading)
  • New research published by the International Computer Science Institute in California suggests that at least 17,000 Android applications are creating permanent records of your online activity for advertising purposes even when you ask for such information to be forgotten. (Source: ZDNet)
  • Microsoft booted eight malicious apps from its official desktop and mobile app store after researchers found the programs surreptitiously mined for Monero cryptocurrency. All these apps were likely developed by the same person or group. (Source: ThreatPost)
  • A new phishing attack bent on stealing Facebook credentials has been spotted – and it’s turning researchers’ heads due to how well it hides its malicious intent. The status bar, navigation bar, shadows and content were perfectly reproduced to look exactly like a legitimate login prompt. (Source: ThreatPost)
  • Jeff Bezos became the most famous and powerful person to claim to be a victim of sextortion, the term often used to describe the otherwise underreported cases of extortion using intimate or sexually explicit photographs or videos. (Source: Wired)
  • Malta’s leading bank resumes operations after cyberheist-induced shutdown. The Bank of Valetta, which went dark for a day after the fraudulent transfers of €13 million, is now looking to get the money back. (Source: WeLiveSecurity)

Stay safe, everyone!

The post A week in security (February 11 – 17) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Crack hunting: not all it’s cracked up to be

Malwarebytes - Mon, 02/18/2019 - 16:00

People sometimes ask us in the forums if a keygen or software crack is safe to use. Sometimes, these programs do what they say on the tin. Other times, they’re not what they say they are. In this post, I’ll describe what happened when I went crack hunting, and why it is often unsafe to carry out this activity.

Researchers like myself often browse crack and keygen sites because they are known to host many affiliate links to third-party applications, many of which include Potentially Unwanted Programs (PUPs), adware, or worse. Many of these sites also host downloads for malware.

These sources are important to research because users often browse crack and keygen sites looking to find paid software for free. This is risky practice, though, because the user may end up downloading unwanted software that can do more harm than good.

In this case, I was looking for a crack for Windows 10 Pro, since it’s popular software. The crack download itself was actually not a crack, but a file we detect as PUP.Optional.InstallCore.Generic. This “crack” did not run properly on my test machine, most likely because of sandbox sensitivity.

While the “crack” was being downloaded, the download page redirected to a page advertising DriverFix. The advertisement is one of many adverts offered by ad rotators.

I clicked on the link, which in turn opened the following site:

Clicking the “download now” button downloaded the file from the DriverFix site and delivered basic instructions on how to get the program to run.

According to the website, DriverFix is a Windows application that scans your machine to find outdated drivers, and allows users to update those drivers from within the application with one click. So I tried it.

Once the software was installed, it automatically launched, ran a scan, and displayed the results of the scan. Here are results from two different machines. Notice the results show drivers as being “Extremely old.”

This gives users false ideas that their machine has issues that must be fixed. When I expanded the info for my batteries and checked it, indeed there are newer drivers available, though calling my drivers “extremely old” is a bit of a fallacy.

When the user attempts to “update all” or update one driver, they are presented with a pricing page to pay for the services to update their drivers.

The user then has the choice to update one driver, update all drivers on their system, or purchase the “family pack,” which will update as many as three PCs. Many users will opt-out of purchasing the services at this point.

This is where things get hairy. One does not have to buy new drivers. In my case, all I did was Google the driver description “Microsoft ACPI-compliant control method battery driver Windows 10” and found results right from the Microsoft Update Catalog site.

If this proves to be difficult for the not-so-tech-savvy folk, you can also open Device Manager, expand the driver in question, open the Driver tab, and click “Update Driver.” Microsoft will download the driver your system needs at no cost. Plus, you can be sure it is coming from Microsoft.

If the user decides not to purchase and simply closes DriverFix, eventually they end up with warning messages from DriverFix regarding their outdated drivers when they do anything on their machine that uses the drivers flagged in the initial scan. Below is the notification I received from DriverFix when I was saving a file to my machine.

This is not typical behavior from benign software. This behavior is designed to scare the user into thinking they have severe issues that will only be solved by purchasing services from DriverFix.

This is after the user might have thought they were getting a free product that promised to fix driver issues in one click when they ran into the initial advertisement.

Unless your machine is very old, Microsoft provides compatible drivers, or the computer manufacturer automatically provides driver updates through its own built-in software at no cost.

Between discovery of this program on December 19, 2018 and January 9, 2019, the installer for this product has been detected 3,245 times by Malwarebytes. There have also been 839 reported traces detected as a result of installs during the same time frame.

Malwarebytes blocks the website that hosts DriverFix downloads, and stops the application installer from launching.

We detect the application as PUP.Optional.DriverFix.

If you installed DriverFix, we have instructions on how to remove it or how to add exclusions if you decide to keep it.

As long as sites continue to try pushing cracked software that seem too good to be true (and thus, is actually harmful to users), we will continue to detect such programs in order to protect our customers.

And for those looking for the silver bullet software in crack or keygen sites, we suggest making sure you can spot benign programs from those that try to squeeze a few bucks out of unsuspecting users. Exploring these sites is not for the uninitiated—best to stick to tried and true, legitimate versions of software programs instead of risking illegal crack or keygen sites and programs.

The post Crack hunting: not all it’s cracked up to be appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Tackling the shortage in skilled IT staff: whole team security

Malwarebytes - Fri, 02/15/2019 - 16:40

Is your IT department understaffed, overworked, and are you looking for reinforcements in vain? Maybe these hard-to-hire reinforcements can be hired from within, rather than having to outsource or hire expensive, short-term extra help. While this was usually only done if your own staff was falling too far behind, the burden of the shortage of skilled IT staff in the workforce is starting to take its toll, and this is now be a viable option for all.

Undoubtedly, there is a person in every group who is more computer-savvy than others. The one who can end your problem or answer your question in seconds, when it would take hours, if not days, to get someone from the IT department to look at it. These people shield the IT department from several questions each day, and keep frustrated endpoint users at bay that had given up asking the overwhelmed crew for help and assistance.

Nevertheless, professionals often frown upon the help given by these helpful troubleshooters on the floor level. How can we ensure that the help given by these often self-appointed volunteers is nothing short of the first-tier support provided by the IT department?

Pros and cons

First of all, make sure that your IT staff is willing to share their responsibilities with people on the work floor. Without their full cooperation, this plan is destined to fail. We can all agree that trained and weathered IT professionals will generally do a much better job than people who have been trained for other jobs. But if you are facing the same problem as most companies and you just can’t hire enough IT professionals, you will probably welcome all the help you can get. And having to rely on a frustrated and overworked IT staff might be worse than letting volunteers that feel recognized and empowered help in any way they can.

On the other hand, in “any way they can” might be just turn out to be the problem with this solution. It should be made crystal clear when the volunteers are expected to call in the help of the professionals. You do not want to face some catastrophe because one of the benevolent volunteers Googled a half-baked solution for a problem that was reported to them.

This whole team security strategy fits nicely in the ongoing shift to BYOD, and even Bring Your Own Security (BYOS). Generally speaking, it will make your employees happier, but it takes some planning and attention to make sure it also works for the company as a whole.

BYOD strategy

One important thing to consider is whether the company has adapted a user-centric or device-centric approach to technology integration. If every user is equipped with a device according to their personal preference, there could be a multitude of devices in use. This can be frustrating enough for a trained professional to deal with, let alone a volunteer who is about to find out that everything works just a little bit differently on their colleagues’ devices.

Determine at the outset the composition of your technology and workforce, and you can better structure a plan for your volunteers—and your IT staff, too.

Education and training

Training your entire staff in security basics will certainly result in less work for your IT staff. And while providing your employees with security awareness training is a good and necessary start, you can bolster support for your IT team by offering additional IT and security training to those who are interested. There are lots of useful training programs that deal with common issues found in the software that your employees are using on a daily basis. And if the trainee is motivated and interested (as we would expect from these volunteers), it shouldn’t take up a large amount of their time.

In addition to training, you’ll also want to set up a system of rewards for your volunteers, whether that’s monetary compensation, company swag (for example, custom hoodies designating them as IT helpers), or other perks. While many volunteers may be happy to help out of the goodness of their hearts, given them additional incentive will only strengthen their commitment and attract others to the team.

Enablement

Once the volunteers have received proper awareness training, equip them with the tools and authority to help their peers and make sure the rest of their department knows that they have been properly trained and can be asked for help with certain issues. This way, the people in that department are comfortable with asking for their help and will know when they can go to them instead of IT.

What this means: Volunteers will need access to certain software, systems, or cloud-based services. They’ll also need a way to communicate their actions to the IT team, so they’re aware of minor issues, even if they didn’t have to fix them themselves. Do they develop a ticketing system? Do they integrate with the current system for reporting issues? Do they spend an hour at the help desk?

No matter how you decide to enable your volunteer staff, make sure that they understand the consequences of their actions. Don’t tell them to “just do this” without explaining why you want it done that way. Give them some background so they can build out their expertise and learn how you want to run things.

Empowerment

Another important step is to give volunteers the administrative powers to make the actual changes themselves. With the ongoing uptick in Bring Your Own Device (BYOD) policies, most of these users have learned how to make the necessary changes to their own devices, and how to troubleshoot some of the more common issues. They may even have some specialists outside of the company that they turn to when there are problems with the device that they consider their own.

One caveat: Make sure that the volunteer is informed about the risks of combining work and personal information on the same device—and what the consequences are if they don’t adhere to company policies. As always, clear communication is a key to success. Make sure everyone is aware of what is expected of them, and what they can expect in return.

Points of attention

Finding the right people to assist your IT staff with easy-to-fix issues or simple roll-outs can make your employees happier. The IT staff can concentrate on problems that are more challenging and don’t have to run around like headless chicken playing whack-a-mole for every minor problem, like users who just need to reboot, haven’t turned on the power, or are holding the mouse upside-down. Meanwhile, your volunteers will feel that their helpful attitude has paid off, and they are now officially allowed to help their peers.

The volunteers will need the training, tools, permission, and rewards to perform their new tasks. But, and we cannot stress this enough, they will also have to be informed about their boundaries. You don’t want to see them go overboard because they are reluctant to admit that something is over their head. Remember that difficult problems may show up as minor issues at first. So empower them to help, but make sure they know when to step aside. That way, the whole team can keep your organization secure.

The post Tackling the shortage in skilled IT staff: whole team security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Pages

Subscribe to Furiously Eclectic People aggregator - Techie Feeds