Daily Archives: May 9, 2019

What is Malware

Malware is software--a computer program--used to perform malicious actions. In fact, the term malware is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them or gain access to what they contain. Once installed, these attackers can use malware to spy on your online activities, steal your passwords and files, or use your system to attack others.

Weekly Update 138

Weekly Update 138

After a mammoth 30-hour door-to-door journey, I'm back in the USA! It's Minnesota this week and I've just wrapped up a couple of days of Hack Yourself First workshop followed by the opening keynote at NDC followed by PubConf. All great events but combined with the burden of travel, all a bit tiring too (plus, it turns out that emails don't stop coming in when you're busy...) There's a real crypto theme to this week's update courtesy of some of the contents in my keynote, a really ridiculous article on PC Mag I came across and a lovely meeting with a few of the folks from Let's Encrypt. There's also a follow-up to the video I promised to include in this blog post...

After recording this piece, I went and checked what had changed on that PC Mag article about certs. As expected, it turns out it was just promotional content on Sectigo, specifically changing the name from Comodo and also changing some of the content. Here's a diff of the archive.org version from earlier this month versus today:

Weekly Update 138
Weekly Update 138

Gotta keep that "good reputation"! Still in the PC Mag article:

  1. "you're probably best off clicking away from [sites using DV certs] as fast as you can"
  2. "most modern web browsers will indicate that an EV certificate is being used by showing a green Uniform Resource Locator (URL) bar"
  3. "You usually get what you pay for"

To be clear too: archive.org shows a few edits of that article in October and November last year then nothing until the 6th of May which is the day I tweeted this:

You can see why this sort of thing is so frustrating to folks like Scott and I; imagine what it's like for people actually trying to figure out what certificate they should acquire! Anyway, all that and more in this week's update:

Weekly Update 138
Weekly Update 138
Weekly Update 138

References

  1. I'm doing another Hack Yourself First workshop in New York next week (we've still got tickets available for that one, kicks off on Monday!)
  2. PC Mag did an absolute hatchet piece on certificates full of disinformation and clearly motivated by commercial desires (I've linked to my tweet as the ensuing discussion makes for "entertaining" reading)
  3. Some people remain insistent on arguing about Let's Encrypt's success to the fullest extent possible (but they're easily debunked arguments, which brings me to the next point...)
  4. Let's Encrypt certs are now used by 38% of the Alexa Top 1M sites serving content over HTTPS (that's based on Scott's nightly crawler stats)
  5. There's some real upsides to having phishing sites served over HTTPS (that's Scott's piece from Jan last year)
  6. Varonis is sponsoring my blog this week (they're talking about insider threats again, courtesy of the course I made for them 🙂)

Another NSA Leaker Identified and Charged

In 2015, the Intercept started publishing "The Drone Papers," based on classified documents leaked by an unknown whistleblower. Today, someone who worked at the NSA, and then at the National Geospatial-Intelligence Agency, was charged with the crime. It is unclear how he was initially identified. It might have been this: "At the agency, prosecutors said, Mr. Hale printed 36 documents from his Top Secret computer."

The article talks about evidence collected after he was identified and searched:

According to the indictment, in August 2014, Mr. Hale's cellphone contact list included information for the reporter, and he possessed two thumb drives. One thumb drive contained a page marked "secret" from a classified document that Mr. Hale had printed in February 2014. Prosecutors said Mr. Hale had tried to delete the document from the thumb drive.

The other thumb drive contained Tor software and the Tails operating system, which were recommended by the reporter's online news outlet in an article published on its website regarding how to anonymously leak documents.

Zavvi Champions League Final Competition Winner Email Blunder

Like many Zavvi customers this morning, I received an email titled "Congratulations, you're our Mastercard Competition WINNER!" in my inbox. An amazing prize consisting of two tickets to watch Liverpool and Spurs battle it out in the 2019 UEFA Champions League Final in Madrid. The prize also included two nights at a 4-star hotel, flights, transfers and a £250 prepaid card.
Zavvi Winners Email

Obviously, my initial thought it was a phishing email, decent quality and a well-timed attempt given Liverpool and Tottenham Hotspur were confirmed as finalists after very dramatic semi-final matches on the previous nights. I logged into my Zavvi account directly, then reset my password just in case, and after a bit checking with the embedded links within the email, and research on the Zavvi website, I soon established it was a genuine email from Zavvi.

But before embarking on a Mauricio Pochettino style injury-time winning goal celebration, I had a quick scan of my social media feeds, and it quickly became apparent there were many others believing and bragging they had also won this fantastic prize.

Image result for pochettino
Pochettino Celebrating an unbelievable Spurs Comeback in the Semi-Final

So unless the Athletico Madrid stadium has undergone a huge capacity upgrade, it became obvious that someone at Zavvi had made a huge blunder, resulting in personalised competition winner emails to be sent on mass to thousands of Zavvi customers.

UCL Final Ticket Allocation?

This kind of mass emailing replicates the time-tested phishing technique deployed by cybercriminals. But instead of having a malicious web link, a hidden malware-laced attachment, or the opening dialogue of a social engineering scam, it took its recipients on an emotional rollercoaster which ended with them feeling as flat as the Ajax players, after they lost their place in the final following an injury-time strike by Spurs' Brazilian striker Lucas Moura.
Image result for ajax players heartbreak
Zavvi left their customers feeling as flat as Ajax players did last night

What compounded matters was Zavvi keeping relatively stum about the blunder throughout the day. The e-commerce entertainment retail store published an apology mid-morning on their Facebook page, but after 100s of comments by angry customers, they deleted the post a couple of hours later. It took them almost 8 hours before Zavvi finally followed up to the "Congratulations" email, by emailing an apology which offered a mere 15% discount off their website products. I suspect most Zavvi customer won't be too happy about that, especially those that went through the day believing they had won a once in a lifetime competition.
Zavvi Apology Email - Sent almost 8 hours after the Winners Email

Detecting credential theft through memory access modelling with Microsoft Defender ATP

Stealing user credentials is a key step for attackers to move laterally across victim networks. In today’s attacks, we see a range of tools used to achieve credential theft, requiring protections that target the root behavior and not just individual known tools as is often done by traditional antimalware software.

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint protection platform, uses multiple approaches to detect credential dumping. In this post, we’ll discuss one of them: a statistical approach that models memory access to the Local Security Authority Subsystem Service (lsass.exe) process.

The lsass.exe process manages many user credential secrets; a key behavior associated with credential theft, and therefore common across many tools used by attackers, is to read large amounts of data from this process’ memory space.

Microsoft Defender ATP instruments memory-related function calls such as VirtualAlloc and VirtualProtect to catch in-memory attack techniques like reflective DLL loading. The same signals can also be used to generically detect malicious credential dumping activities performed by a wide range of different individual tools.

A statistical approach to detecting credential theft

Reviewing the behavior of multiple known tools, we see that the number and size of memory reads from the lsass.exe process related to credential dumping are highly predictable. The diagram below shows a (slightly simplified) view of this.

Fig1-number-of-read-perations-vs-number-of-bytes-read

By contrast, legitimate reads from the lsass.exe process, such as routine handling of users signing in, fall outside this cluster.

Microsoft Defender ATP uses such a model to discriminate between expected and unexpected accesses to lsass.exe process memory, and raise an alert in the latter case:

Fig2-Sensitive-credential-memory-read

Microsoft Defender ATP’s process tree view of the alert identifies the tool performing the suspicious credential access activity, in this example, sqldumper.exe. This is a legitimate administrator tool found on many database servers, but attackers have been known to abuse it to dump credentials to avoid the risk of downloading custom tooling that may be flagged by antimalware solutions.

Fig3-Alert-process-tree

Similarly, Microsoft Defender ATP detects attacker abuse of otherwise legitimate administrator tooling, such as the Microsoft Sysinternals tool ProcDump or Task Manager, when these are repurposed to dump lsass.exe process memory. Attackers take this approach, sometimes referred to as living-off-the-land, to avoid tools that they know are commonly detected as malicious. In the memory-dumping scenario described here, they may even exfiltrate the memory dump and perform the credential extraction offline rather than on the victim machine.

Over time we have also seen Microsoft Defender ATP identify several distinct custom tools using this memory modelling technique. A couple of open-source examples are shown here.

Fig4-Sample-open-source-tools

Foiling cyberattacks by stopping credential theft

In this blog post we illustrated one of several ways in which Microsoft Defender ATP detects credential theft. Security operations (SecOps) teams can use the alerts in Microsoft Defender ATP to quickly identify and respond to attacks: stopping credential dumping techniques empowers SecOps to resolve cyberattacks before the latter stages, such as lateral movement, command-and-control, and exfiltration.

Microsoft Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks. Enhanced instrumentation and detection capabilities in Microsoft Defender ATP can better expose covert, sophisticated attacker techniques like credential theft and other in-memory attacks. Microsoft Defender ATP demonstrated its strength in detecting credential dumping and other high-impact attacker techniques in MITRE’s evaluation of EDR solutions.

Microsoft Defender ATP contributes to and benefits from security signals shared across Microsoft’s security solutions through Microsoft Threat Protection, which provides seamless, integrated, and comprehensive security across multiple attack vectors. The enriched security data drives stronger protection and the orchestration of threat remediation across identities, endpoints, email and data, apps, and infrastructure.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

To learn more about Microsoft Threat Protection, read our monthly updates on the evolution of this comprehensive security solution.

 

 

Rob Mead and Tim Burrell
Microsoft Threat Intelligence Center

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

 

The post Detecting credential theft through memory access modelling with Microsoft Defender ATP appeared first on Microsoft Security.

Safeguard your most sensitive data with Microsoft 365

I am Security Operations’ (SecOps) worst nightmare. Or at least I used to be.

As an industrious product marketer, I often share intellectual property (think: details of new product capabilities) or spreadsheets that contain customer personal identifying information (PII) with colleagues and vendors. We need this information to create compelling marketing programs to sell our products, but if the data gets in the wrong hands, it could be devastating to the company. Like most of us in tech, my deadlines are tight and I work hard to get things done quickly.

At beginning of my career, this included finding ways around obstacles that slowed me down, even those designed to secure sensitive information. It wasn’t that I wanted to put my company at risk, but I couldn’t do my job without sharing information with the agencies and consultants I worked with.

Most organizations employ people like (the younger) me. They have the best of intentions but may inadvertently cause a data privacy violation. Leaked data can cause reputational damage and result in big fines levied against firms that don’t violate privacy regulations, like General Data Protection Regulation (GDPR). The Safeguard your most sensitive data e-book sheds light on how Microsoft 365 helps employees make the right decisions about data and comply with data privacy regulations. It provides a window into the various scenarios when employees come into contact with and share sensitive data. The e-book narrates the story of Enzo, a (fictitious) sales manager, who shares and works with private data. His organization uses Microsoft 365 products to label and protect information, wherever it travels.

Label and protect data easily

Azure Information Protection can be configured to detect sensitive data in files and automatically classify and apply protections, or it can suggest labels to the file owner. You decide how much responsibility you want to give to your users and which circumstances require automatic labeling. The Safeguard your most sensitive data e-book provides examples of the different data types that can be detected and the templates that can simplify the process for both you and the user.

Protect data even when it travels

Once a file is labeled, Microsoft Cloud App Security works with Azure Information Protection to enforce protections even as it travels through third-party cloud apps and partner organizations. Azure Information Protection lets document owners define user permissions, such as limiting a specific user or domain to view access only. You can even monitor files and revoke access after they leave the enterprise ecosystem. The Safeguard your most sensitive data e-book details several real-life scenarios, so you can visualize how different capabilities can be applied to your unique situation.

Apply security policies to historical, on-premises data

For companies in the beginning or middle phases of a cloud migration, one daunting roadblock is privileged data stored in on-premises repositories. It can be difficult to determine what sensitive data has accumulated over the years and where it is stored. The Azure Information Protection scanner can be configured to scan on-premises file servers to detect PII and other sensitive data. Once the data is detected, the scanner can automatically apply labels and protection.

Learn more

In my first marketing role at a cybersecurity company years ago, I was lucky to work with an engaged chief information security officer (CISO) who took the time to help me understand the implications of sharing sensitive data. Microsoft 365 makes it even easier to do the right thing. Azure Information Protection, Microsoft Cloud App Security, and other Microsoft 365 products remind me when I’m handling sensitive data, so I can make sure that only the people who truly need it can view it.

For more details on how you can use Microsoft 365 Enterprise E5 to keep customer and enterprise data safe, download the Safeguard your most sensitive data e-book.

Read all six e-books

The post Safeguard your most sensitive data with Microsoft 365 appeared first on Microsoft Security.

Queue the Hardening Enhancements

Posted by Jeff Vander Stoep, Android Security & Privacy Team and Chong Zhang, Android Media Team

[Cross-posted from the Android Developers Blog]

Android Q Beta versions are now publicly available. Among the various new features introduced in Android Q are some important security hardening changes. While exciting new security features are added in each Android release, hardening generally refers to security improvements made to existing components.

When prioritizing platform hardening, we analyze data from a number of sources including our vulnerability rewards program (VRP). Past security issues provide useful insight into which components can use additional hardening. Android publishes monthly security bulletins which include fixes for all the high/critical severity vulnerabilities in the Android Open Source Project (AOSP) reported through our VRP. While fixing vulnerabilities is necessary, we also get a lot of value from the metadata - analysis on the location and class of vulnerabilities. With this insight we can apply the following strategies to our existing components:

  • Contain: isolating and de-privileging components, particularly ones that handle untrusted content. This includes:
    • Access control: adding permission checks, increasing the granularity of permission checks, or switching to safer defaults (for example, default deny).
    • Attack surface reduction: reducing the number of entry/exit points (i.e. principle of least privilege).
    • Architectural decomposition: breaking privileged processes into less privileged components and applying attack surface reduction.
  • Mitigate: Assume vulnerabilities exist and actively defend against classes of vulnerabilities or common exploitation techniques.

Here’s a look at high severity vulnerabilities by component and cause from 2018:

Most of Android’s vulnerabilities occur in the media and bluetooth components. Use-after-free (UAF), integer overflows, and out of bounds (OOB) reads/writes comprise 90% of vulnerabilities with OOB being the most common.

A Constrained Sandbox for Software Codecs

In Android Q, we moved software codecs out of the main mediacodec service into a constrained sandbox. This is a big step forward in our effort to improve security by isolating various media components into less privileged sandboxes. As Mark Brand of Project Zero points out in his Return To Libstagefright blog post, constrained sandboxes are not where an attacker wants to end up. In 2018, approximately 80% of the critical/high severity vulnerabilities in media components occurred in software codecs, meaning further isolating them is a big improvement. Due to the increased protection provided by the new mediaswcodec sandbox, these same vulnerabilities will receive a lower severity based on Android’s severity guidelines.

The following figure shows an overview of the evolution of media services layout in the recent Android releases.

  • Prior to N, media services are all inside one monolithic mediaserver process, and the extractors run inside the client.
  • In N, we delivered a major security re-architect, where a number of lower-level media services are spun off into individual service processes with reduced privilege sandboxes. Extractors are moved into server side, and put into a constrained sandbox. Only a couple of higher-level functionalities remained in mediaserver itself.
  • In O, the services are “treblized,” and further deprivileged that is, separated into individual sandboxes and converted into HALs. The media.codec service became a HAL while still hosting both software and hardware codec implementations.
  • In Q, the software codecs are extracted from the media.codec process, and moved back to system side. It becomes a system service that exposes the codec HAL interface. Selinux policy and seccomp filters are further tightened up for this process. In particular, while the previous mediacodec process had access to device drivers for hardware accelerated codecs, the software codec process has no access to device drivers.

With this move, we now have the two primary sources for media vulnerabilities tightly sandboxed within constrained processes. Software codecs are similar to extractors in that they both have extensive code parsing bitstreams from untrusted sources. Once a vulnerability is identified in the source code, it can be triggered by sending a crafted media file to media APIs (such as MediaExtractor or MediaCodec). Sandboxing these two services allows us to reduce the severity of potential security vulnerabilities without compromising performance.

In addition to constraining riskier codecs, a lot of work has also gone into preventing common types of vulnerabilities.

Bound Sanitizer

Incorrect or missing memory bounds checking on arrays account for about 34% of Android’s userspace vulnerabilities. In cases where the array size is known at compile time, LLVM’s bound sanitizer (BoundSan) can automatically instrument arrays to prevent overflows and fail safely.

BoundSan instrumentation

BoundSan is enabled in 11 media codecs and throughout the Bluetooth stack for Android Q. By optimizing away a number of unnecessary checks the performance overhead was reduced to less than 1%. BoundSan has already found/prevented potential vulnerabilities in codecs and Bluetooth.

More integer sanitizer in more places

Android pioneered the production use of sanitizers in Android Nougat when we first started rolling out integer sanization (IntSan) in the media frameworks. This work has continued with each release and has been very successful in preventing otherwise exploitable vulnerabilities. For example, new IntSan coverage in Android Pie mitigated 11 critical vulnerabilities. Enabling IntSan is challenging because overflows are generally benign and unsigned integer overflows are well defined and sometimes intentional. This is quite different from the bound sanitizer where OOB reads/writes are always unintended and often exploitable. Enabling Intsan has been a multi year project, but with Q we have fully enabled it across the media frameworks with the inclusion of 11 more codecs.

IntSan Instrumentation

IntSan works by instrumenting arithmetic operations to abort when an overflow occurs. This instrumentation can have an impact on performance, so evaluating the impact on CPU usage is necessary. In cases where performance impact was too high, we identified hot functions and individually disabled IntSan on those functions after manually reviewing them for integer safety.

BoundSan and IntSan are considered strong mitigations because (where applied) they prevent the root cause of memory safety vulnerabilities. The class of mitigations described next target common exploitation techniques. These mitigations are considered to be probabilistic because they make exploitation more difficult by limiting how a vulnerability may be used.

Shadow Call Stack

LLVM’s Control Flow Integrity (CFI) was enabled in the media frameworks, Bluetooth, and NFC in Android Pie. CFI makes code reuse attacks more difficult by protecting the forward-edges of the call graph, such as function pointers and virtual functions. Android Q uses LLVM’s Shadow Call Stack (SCS) to protect return addresses, protecting the backwards-edge of control flow graph. SCS accomplishes this by storing return addresses in a separate shadow stack which is protected from leakage by storing its location in the x18 register, which is now reserved by the compiler.

SCS Instrumentation

SCS has negligible performance overhead and a small memory increase due to the separate stack. In Android Q, SCS has been turned on in portions of the Bluetooth stack and is also available for the kernel. We’ll share more on that in an upcoming post.

eXecute-Only Memory

Like SCS, eXecute-Only Memory (XOM) aims at making common exploitation techniques more expensive. It does so by strengthening the protections already provided by address space layout randomization (ASLR) which in turn makes code reuse attacks more difficult by requiring attackers to first leak the location of the code they intend to reuse. This often means that an attacker now needs two vulnerabilities, a read primitive and a write primitive, where previously just a write primitive was necessary in order to achieve their goals. XOM protects against leaks (memory disclosures of code segments) by making code unreadable. Attempts to read execute-only code results in the process aborting safely.

Tombstone from a XOM abort

Starting in Android Q, platform-provided AArch64 code segments in binaries and libraries are loaded as execute-only. Not all devices will immediately receive the benefit as this enforcement has hardware dependencies (ARMv8.2+) and kernel dependencies (Linux 4.9+, CONFIG_ARM64_UAO). For apps with a targetSdkVersion lower than Q, Android’s zygote process will relax the protection in order to avoid potential app breakage, but 64 bit system processes (for example, mediaextractor, init, vold, etc.) are protected. XOM protections are applied at compile-time and have no memory or CPU overhead.

Scudo Hardened Allocator

Scudo is a dynamic heap allocator designed to be resilient against heap related vulnerabilities such as:

  • Use-after-frees: by quarantining freed blocks.
  • Double-frees: by tracking chunk states.
  • Buffer overflows: by check summing headers.
  • Heap sprays and layout manipulation: by improved randomization.

Scudo does not prevent exploitation but rather proactively manages memory in a way to make exploitation more difficult. It is configurable on a per-process basis depending on performance requirements. Scudo is enabled in extractors and codecs in the media frameworks.

Tombstone from Scudo aborts

Contributing security improvements to Open Source

AOSP makes use of a number of Open Source Projects to build and secure Android. Google is actively contributing back to these projects in a number of security critical areas:

Thank you to Ivan Lozano, Kevin Deus, Kostya Kortchinsky, Kostya Serebryany, and Mike Antares for their contributions to this post.

What’s New in Android Q Security

Posted by Rene Mayrhofer and Xiaowen Xin, Android Security & Privacy Team

[Cross-posted from the Android Developers Blog]

With every new version of Android, one of our top priorities is raising the bar for security. Over the last few years, these improvements have led to measurable progress across the ecosystem, and 2018 was no different.

In the 4th quarter of 2018, we had 84% more devices receiving a security update than in the same quarter the prior year. At the same time, no critical security vulnerabilities affecting the Android platform were publicly disclosed without a security update or mitigation available in 2018, and we saw a 20% year-over-year decline in the proportion of devices that installed a Potentially Harmful App. In the spirit of transparency, we released this data and more in our Android Security & Privacy 2018 Year In Review.

But now you may be asking, what’s next?

Today at Google I/O we lifted the curtain on all the new security features being integrated into Android Q. We plan to go deeper on each feature in the coming weeks and months, but first wanted to share a quick summary of all the security goodness we’re adding to the platform.

Encryption

Storage encryption is one of the most fundamental (and effective) security technologies, but current encryption standards require devices have cryptographic acceleration hardware. Because of this requirement many devices are not capable of using storage encryption. The launch of Adiantum changes that in the Android Q release. We announced Adiantum in February. Adiantum is designed to run efficiently without specialized hardware, and can work across everything from smart watches to internet-connected medical devices.

Our commitment to the importance of encryption continues with the Android Q release. All compatible Android devices newly launching with Android Q are required to encrypt user data, with no exceptions. This includes phones, tablets, televisions, and automotive devices. This will ensure the next generation of devices are more secure than their predecessors, and allow the next billion people coming online for the first time to do so safely.

However, storage encryption is just one half of the picture, which is why we are also enabling TLS 1.3 support by default in Android Q. TLS 1.3 is a major revision to the TLS standard finalized by the IETF in August 2018. It is faster, more secure, and more private. TLS 1.3 can often complete the handshake in fewer roundtrips, making the connection time up to 40% faster for those sessions. From a security perspective, TLS 1.3 removes support for weaker cryptographic algorithms, as well as some insecure or obsolete features. It uses a newly-designed handshake which fixes several weaknesses in TLS 1.2. The new protocol is cleaner, less error prone, and more resilient to key compromise. Finally, from a privacy perspective, TLS 1.3 encrypts more of the handshake to better protect the identities of the participating parties.

Platform Hardening

Android utilizes a strategy of defense-in-depth to ensure that individual implementation bugs are insufficient for bypassing our security systems. We apply process isolation, attack surface reduction, architectural decomposition, and exploit mitigations to render vulnerabilities more difficult or impossible to exploit, and to increase the number of vulnerabilities needed by an attacker to achieve their goals.

In Android Q, we have applied these strategies to security critical areas such as media, Bluetooth, and the kernel. We describe these improvements more extensively in a separate blog post, but some highlights include:

  • A constrained sandbox for software codecs.
  • Increased production use of sanitizers to mitigate entire classes of vulnerabilities in components that process untrusted content.
  • Shadow Call Stack, which provides backward-edge Control Flow Integrity (CFI) and complements the forward-edge protection provided by LLVM’s CFI.
  • Protecting Address Space Layout Randomization (ASLR) against leaks using eXecute-Only Memory (XOM).
  • Introduction of Scudo hardened allocator which makes a number of heap related vulnerabilities more difficult to exploit.

Authentication

Android Pie introduced the BiometricPrompt API to help apps utilize biometrics, including face, fingerprint, and iris. Since the launch, we’ve seen a lot of apps embrace the new API, and now with Android Q, we’ve updated the underlying framework with robust support for face and fingerprint. Additionally, we expanded the API to support additional use-cases, including both implicit and explicit authentication.

In the explicit flow, the user must perform an action to proceed, such as tap their finger to the fingerprint sensor. If they’re using face or iris to authenticate, then the user must click an additional button to proceed. The explicit flow is the default flow and should be used for all high-value transactions such as payments.

Implicit flow does not require an additional user action. It is used to provide a lighter-weight, more seamless experience for transactions that are readily and easily reversible, such as sign-in and autofill.

Another handy new feature in BiometricPrompt is the ability to check if a device supports biometric authentication prior to invoking BiometricPrompt. This is useful when the app wants to show an “enable biometric sign-in” or similar item in their sign-in page or in-app settings menu. To support this, we’ve added a new BiometricManager class. You can now call the canAuthenticate() method in it to determine whether the device supports biometric authentication and whether the user is enrolled.

What’s Next?

Beyond Android Q, we are looking to add Electronic ID support for mobile apps, so that your phone can be used as an ID, such as a driver’s license. Apps such as these have a lot of security requirements and involves integration between the client application on the holder’s mobile phone, a reader/verifier device, and issuing authority backend systems used for license issuance, updates, and revocation.

This initiative requires expertise around cryptography and standardization from the ISO and is being led by the Android Security and Privacy team. We will be providing APIs and a reference implementation of HALs for Android devices in order to ensure the platform provides the building blocks for similar security and privacy sensitive applications. You can expect to hear more updates from us on Electronic ID support in the near future.

Acknowledgements: This post leveraged contributions from Jeff Vander Stoep and Shawn Willden

Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops

Security researchers unveiled a still-ongoing mass credit card stealing campaign, which started collecting data from unsuspecting online shoppers sometime in October 2018.

The target of this campaign was a pool of over 100 online shops, all of them otherwise deemed legitimate and trustworthy. Six of the targeted websites were even listed in the one million websites Alexa Top.

Moving forward with reporting on this, we’ll dub the mass credit card stealing campaign Magento Analytics, since that’s the name of the domain used for injecting malicious scripts into the code of the online shops.

How Does the Magento Analytics Mass Credit Card Stealing Campaign Operate?

The domain magento-analytics.com was first picked up by the radars of cybersecurity researchers back in October 2018, when they noticed something seemed off about it. Even though the traffic was pretty low, there seemed no purpose to the domain and its traffic was increasingly stealthily, via other portals.

Thor Foresight makes sure that link is safe!
Your parents and friends will click any suspicious link, so make sure they're protected.
Thor Foresight Home anti malware and ransomware protection heimdal security
Thor Foresight provides: Automatic and silent software updates Smart protection against malware Compatibility with any traditional antivirus.

SECURE YOUR ONLINE BROWSING!

Get Thor Foresight

The name seemed innocent enough at a first glance. Magento is a major e-commerce platform and its engine is used by countless online shops around the world. It would make sense for something called Magento Analytics to be spotted running through these websites from time to time. But the domain didn’t actually contain anything if you tried to access it directly.

Another dubious thing which tipped off the security researchers who looked into it was the fact that the registration address & IPs for the domain was ever changing. While initially the magento-analytics.com domain was registered in Panama, the IP from which it was operating changed a lot. Initially, it seemed to be located in Arizona, US, but then it moved to Moscow, Russia for a while, before heading to Hong Kong, China. This alone warranted a second look from the cybersecurity researchers on the case.

But shifting IPs were not the only thing wrong with this domain, by far. While the domain itself returns just a 430 error page if you try to access it directly (not recommended, though), the researchers were seeing various pages (sub-domains) of the domain with nothing meaningful on them, either. Instead, all of these contained JS scripts.

Through continuous traffic monitoring, the security researchers realized that the Magento Analytics was actually injecting these malicious scripts into the code of 3rd party websites. These websites (online shops) had no idea that the Magento Analytics mass credit card stealing campaign was actually collecting the credit card info of their users.

trysend function in magento analytics malware

As soon as the JS code is loaded, a timer is set and the TrySend function is called every 500ms. This function attempts to try to get input data from credit cards

What Were the Losses Incurred by the Magento Analytics Malware Campaign?

Data revealed by the security researchers showed that the TrySend function called by the JS scripts collected the following information from users: card number, name of the cardholder, expiry date, and the CVV code. Basically, it’s everything a hacker would need in order to steal your money afterward.

For now, no one came through to complain explicitly about losing money to the Magento Analytics campaign. But this doesn’t mean that there have been no losses yet. Most likely, the losses were small, or the legitimate card owners managed to annul the transactions, or they just haven’t been able to connect the loss with this particular campaign yet.

We will keep you updated on reports about the losses incurred through Magento Analytics as more is revealed.

The scary part about the Magento Analytics mass credit card stealing campaign is precisely the fact that the injected JS codes weren’t even that sophisticated. All in all, it amounts at a pretty rudimentary online scam. It just shows how disastrous it can be for online stores to allow security holes in their systems, since there will always be malicious 3rd parties interested in exploiting them.

Data provided in this analysis was obtained by Netlab 360.

The post Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops appeared first on Heimdal Security Blog.

Dissecting Weird Packets

I was investigating traffic in my home lab yesterday, and noticed that about 1% of the traffic was weird. Before I describe the weird, let me show you a normal frame for comparison's sake.


This is a normal frame with Ethernet II encapsulation. It begins with 6 bytes of the destination MAC address, 6 bytes of the source MAC address, and 2 bytes of an Ethertype, which in this case is 0x0800, indicating an IP packet follows the Ethernet header. There is no TCP payload as this is an ACK segment.

You can also see this in Tshark.

$ tshark -Vx -r frame4238.pcap

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.071831000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.071831000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb), Dst: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.4.96, Dst: 52.21.18.219
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0xd98c (55692)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0x553f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.4.96
    Destination: 52.21.18.219
Transmission Control Protocol, Src Port: 38828, Dst Port: 443, Seq: 1, Ack: 1, Len: 0
    Source Port: 38828
    Destination Port: 443
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window size value: 296
    [Calculated window size: 296]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x08b0 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 26210782, TSecr 2652693036
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 26210782
            Timestamp echo reply: 2652693036
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 08 00 45 00   ...I..8...}...E.
0010  00 34 d9 8c 40 00 40 06 55 3f c0 a8 04 60 34 15   .4..@.@.U?...`4.
0020  12 db 97 ac 01 bb e3 42 2a 57 83 49 c2 ea 80 10   .......B*W.I....
0030  01 28 08 b0 00 00 01 01 08 0a 01 8f f1 de 9e 1c   .(..............
0040  e2 2c   

You can see Wireshark understands what it is seeing. It decodes the IP header and the TCP header.

So far so good. Here is an example of the weird traffic I was seeing.



Here is what Tshark thinks of it.

$ tshark -Vx -r frame4241.pcap
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: May  7, 2019 18:19:10.073296000 UTC
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1557253150.073296000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 66 bytes (528 bits)
    Capture Length: 66 bytes (528 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:llc:data]
IEEE 802.3 Ethernet
    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        Address: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Length: 56
        [Expert Info (Error/Malformed): Length field value goes past the end of the payload]
            [Length field value goes past the end of the payload]
            [Severity level: Error]
            [Group: Malformed]
Logical-Link Control
    DSAP: Unknown (0x45)
        0100 010. = SAP: Unknown
        .... ...1 = IG Bit: Group
    SSAP: LLC Sub-Layer Management (0x02)
        0000 001. = SAP: LLC Sub-Layer Management
        .... ...0 = CR Bit: Command
    Control field: U, func=Unknown (0x0B)
        000. 10.. = Command: Unknown (0x02)
        .... ..11 = Frame type: Unnumbered frame (0x3)
Data (49 bytes)
    Data: 84d98d86b5400649eec0a80460341512db97ac0d0be3422a...
    [Length: 49]

0000  fc ec da 49 e0 10 38 ba f8 12 7d bb 00 38 45 02   ...I..8...}..8E.
0010  0b 84 d9 8d 86 b5 40 06 49 ee c0 a8 04 60 34 15   ......@.I....`4.
0020  12 db 97 ac 0d 0b e3 42 2a 57 83 49 c2 ea c8 ec   .......B*W.I....
0030  01 28 17 6f 00 00 01 01 08 0a 01 8f f1 de ed 7f   .(.o............
0040  a5 4a                                             .J

What's the problem? This frame begins with 6 bytes of the destination MAC address and 6 bytes of the source MAC address, as we saw before. However, the next two bytes are 0x0038, which is not the same as the Ethertype of 0x0800 we saw earlier. 0x0038 is decimal 56, which would seem to indicate a frame length (even though the frame here is a total of 66 bytes).

Wireshark decides to treat this frame as not being Ethernet II, but instead as IEEE 802.3 Ethernet. I had to refer to appendix A of my first book to see what this meant.

For comparison, here is the frame format for Ethernet II (page 664):

This was what we saw with frame 4238 earlier -- Dst MAC, Src MAC, Ethertype, then data.

Here is the frame format for IEEE 802.3 Ethernet.


This is much more complicated: Dst MAC, Src MAC, length, and then DSAP, SSAP, Control, and data.

It turns out that this format doesn't seem to fit what is happening in frame 4241, either. While the length field appears to be in the ballpark, Wireshark's assumption that the next bytes are DSAP, SSAP, Control, and data doesn't fit. The clue for me was seeing that 0x45 followed the presumed length field. I recognized 0x45 as the beginning of an IP header, with 4 meaning IPv4 and 5 meaning 5 words (40 bytes) in the IP header.

If we take a manual byte-by-byte comparative approach we can better understand what may be happening with these two frames. (I broke the 0x45 byte into two "nibbles" in one case.)

Note that I have bolded the parts of each frame that are exactly the same.


This analysis shows that these two frames are very similar, especially in places where I would not expect them to be similar. This caused me to hypothesize that frame 4241 was a corrupted version of frame 4238.

I can believe that the frames would share MAC addresses, IP addresses, and certain IP and TCP defaults. However, it is unusual for them to have the same high source ports (38828) but not the same destination ports (443 and 3339).  Very telling is the fact that they have the same TCP sequence and acknowledgement numbers. They also share the same source timestamp.

Notice one field that I did not bold, because they are not identical -- the IP ID value. Frame 4238 has 0xd98c and frame 4241 has 0xd98d. The perfectly incremented IP ID prompted me to believe that frame 4241 is a corrupted retransmission, at the IP layer, of the same TCP segment.

However, I really don't know what to think. These frames were captured in a Linux 16.04 VirtualBox VM by netsniff-ng. Is this a problem with netsniff-ng, or Linux, or VirtualBox, or the Linux host operating system running VirtualBox?

I'd like to thank the folks at ask.wireshark.org for their assistance with my attempts to decode this (and other) frames as 802.3 raw Ethernet. What's that? It's basically a format that Novell used with IPX, where the frame is Dst MAC, Src MAC, length, data.

I wanted to see if I could tell Wireshark to decode the odd frames as 802.3 raw Ethernet, rather than IEEE 802.3 Ethernet with LLC headers.

Sake Blok helpfully suggested I change the pcap's link layer type to User0, and then tell Wireshark how to interpret the frames. I did it this way, per his direction:

$ editcap -T user0 excerpt.pcap excerpt-user0.pcap

Next I opened the trace in Wireshark and saw frame 4241 (here listed as frame 3) as shown below:


DLT 147 corresponds to the link layer type for User0. Wireshark doesn't know how to handle it. We fix that by right-clicking on the yellow field and selecting Protocol Preferences -> Open DLT User preferences:

Next I created an entry fpr User 0 (DLT-147) with Payload protocol "ip" and Header size "14" as shown:

After clicking OK, I returned to Wireshark. Here is how frame 4241 (again listed here as frame 3) appeared:


You can see Wireshark is now making sense of the IP header, but it doesn't know how to handle the TCP header which follows. I tried different values and options to see if I could get Wireshark to understand the TCP header too, but this went far enough for my purposes.

The bottom line is that I believe there is some sort of packet capture problem, either with the softare used or the traffic that is presented to the software by the bridged NIC created by VirtualBox. As this is a lab environment and the traffic is 1% of the overall capture, I am not worried about the results.

I am fairly sure that the weird traffic is not on the wire. I tried capturing on the host OS sniffing NIC and did not see anything resembling this traffic.

Have you seen anything like this? Let me know in a comment here on on Twitter.

PS: I found the frame.number=X Wireshark display filter helpful, along with the frame.len>Y display filter, when researching this activity.

5 Cyber Security Best Practices For Your Small to Medium-Size Business

Estimated reading time: 2 minutes

Small to medium-sized businesses often tend to underestimate cybersecurity. The reasons range from practicality – they may not have the resources, to sheer over-confidence – the notion that they are not important enough to be at risk of cybersecurity threats and so on. Nothing could be further than the truth.

A survey by the United Kingdom government and KPMG among 1,000 small businesses in the country, threw up worrisome statistics: Only 23% of small businesses felt cyber security was a top security concern while 29% of businesses who had not experienced a breach felt they would suffer reputational damage. Another worrying statistic arrived from another report: at least 61 percent of the hacked industries and enterprises functioned with a smaller workforce, i.e. not even 1,000 employees.

Even if a business is small or medium-sized, it does not mean it is not at risk of cybersecurity threats. In fact, it may well be the opposite – they are sitting ducks as cyber criminals are aware that SMEs may not be as concerned about their security compared to bigger businesses. In fact, the consequences may be even more severe – even a minor data breach could leave a SME crippled and unable to recover.

Its clear then that SMEs must be extremely serious when it comes to cybersecurity. Here are some of the best practices they must follow:

Invest in Training – Since most cybersecurity risks primarily originate due to user negligence, it is important to train and educate employees about cybersecurity. Employees should know what to do in case of security alerts and they should also understand to be cautious about what links they click on, what information they share and what USB devices they plug in their machines.

Have a MDM plan – With almost all employees owning a plethora of gadgets and smartphones, it is crucial for SMEs to regulate the usage of these devices. A lot of sensitive information and emails can be accessed on these devices and they also contain access to the company’s wireless networks. So monitoring and regulating such mobile devices is essential.

Backup Data – When it comes to data backup, we recommend following the 3-2-1 rule. As per this, SMEs should maintain 3 different copies of all their sensitive data, over 2 different formats and locations and at least 1 of these locations should be offline. Following this rule will ensure that all confidential company information remains in the hands of the organization itself.

Data Encryption – Simply saving and storing data is not enough anymore, as it can be breached and accessed at any time. It is always advisable to encrypt data when it is saved and backed up. Access to this data should only be granted to specific people and such security measures help enterprises maintain the integrity of their critical data in the long term.

Use a Security Solution – When it comes to effective enterprise security solutions, there is no dearth of options available in the market. It is important to choose a solution that meets the exact requirements of the organization, and does exactly what it promises to do. Extra features and customizations can always be added later, so the SME should know its precise needs before choosing a solution.

The post 5 Cyber Security Best Practices For Your Small to Medium-Size Business appeared first on Seqrite Blog.

Episode 489 – Common Reasons Companies Get Breached

Companies get breached all the time and the reasons are more simple than you think. This episode talks about the common reasons companies get breached and what you can do to avoid the same mistakes. Be aware, be safe. *** Support the podcast with a cup of coffee *** – Ko-Fi Security In Five Don’t […]

The post Episode 489 – Common Reasons Companies Get Breached appeared first on Security In Five.

Webroot Spotlight: Michael Balloni, Senior Manager of Software Development

Reading Time: ~3 min.

From recruiting top talent to daily technical leadership, a day-in-a-life of a software engineering is never boring. After chatting with Webroot Senior Manager of Software Development, Michael Balloni, it became even more obvious.  

Michael is working hard to build a robust and efficient team, and is undeniably enthusiastic about every stage of the process. The conversation only got more interesting as we dug into his role and responsibilities. 

What is your favorite part of working as a Senior Manager of Software Development?  

Hiring is my favorite part. Whether we’re sourcing talent on paper, on the phone, or in-person, it’s always fun to see how things evolve, right up to the offer and the day-one lunch. We use an agency called Accolo, and their excellent recruiter, Adam Robles. They have effective screener questions and a scoring system that helps us zero in on good candidates.  Given that score and a reasonable resume, we set up a phone call to discuss their claimed skillset. If that goes well, we bring them onsite and treat them like human beings. Finally, we put them to work on the whiteboard with problem solving. 

What does a week as a Senior Manager of Software Development look like? 

I interface with other teams to get big things up and running, like the collaborative Mac DNSP project. We marched through our code base to identify which modules would give us the most trouble and to put the porting process through its paces. We picked a module to port and worked through the process of creating the shared codebase and the mechanics thereof. Also, I promote technical leadership through mentoring and setting direction. 

So, what does promoting technical leadership look like? Do you have any criteria for promoting technical leadership? 

Technical leadership involves staying up-to-date on our industry and the technical craft, and sharing that information with the broader team. It also involves staying up-to-date on the development of the products at hand and steering that direction as needed. Most of the time there is no need to change direction, but sometimes there is, and it’s tough to identify. I’ve learned that getting clarification and input should happen before prescribing a fix to what may not be a problem at all. 

What is your greatest accomplishment in your career at Webroot so far? 

Promoting my colleague, Bindu Pillai, to software development manager. She’s my partner in crime, and has been indispensable with the latest round of, you guessed it, hiring! Promoting Bindu to a leadership position gave her delivery teams a capable leader. Bindu was what’s called a Product Owner, the technical and managerial lead of the delivery team. When her teams’ Agile Team Coordinator (who manages the digital resources like bug tracking and documentation, and make sure that developers have the tools they need and nothing blocking them) quit, Bindu took over the responsibility of the ATC. She did so without complaint or friction to the point where she took the loss of an ATC in stride. She delivers product on schedule, and keeps her direct reports productive and well-fed. 

What brought you to Webroot after your last job? 

I had fun working with Webroot’s CTO Hal Lonas in the 2000s at a previous company, so coming to work with him again was a no-brainer. 

How did you get into the technology field? 

I did hard math and physics in high school, which got me into Harvey Mudd College. That’s where I met my wife, and (only) did well at software development. So here we are. 

What is your favorite thing about working at Webroot? 

Everybody says it, but it’s the people.  All sharp and hardworking and friendly.  We’ve got a good thing here. 

Check out career opportunities at Webroot here: www.webroot.com/careers 

The post Webroot Spotlight: Michael Balloni, Senior Manager of Software Development appeared first on Webroot Blog.

Global Information Services Company Discloses Malware Attack

A global information services company has disclosed a malware attack that affected several of its applications and platforms. On 6 May, global solutions provider Wolters Kluwer published a statement in which it confirmed that it was suffering network issues: We are experiencing network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of […]… Read More

The post Global Information Services Company Discloses Malware Attack appeared first on The State of Security.

Amazon Is Losing the War on Fraudulent Sellers

Excellent article on fraudulent seller tactics on Amazon.

The most prominent black hat companies for US Amazon sellers offer ways to manipulate Amazon's ranking system to promote products, protect accounts from disciplinary actions, and crush competitors. Sometimes, these black hat companies bribe corporate Amazon employees to leak information from the company's wiki pages and business reports, which they then resell to marketplace sellers for steep prices. One black hat company charges as much as $10,000 a month to help Amazon sellers appear at the top of product search results. Other tactics to promote sellers' products include removing negative reviews from product pages and exploiting technical loopholes on Amazon's site to lift products' overall sales rankings.

[...]

AmzPandora's services ranged from small tasks to more ambitious strategies to rank a product higher using Amazon's algorithm. While it was online, it offered to ping internal contacts at Amazon for $500 to get information about why a seller's account had been suspended, as well as advice on how to appeal the suspension. For $300, the company promised to remove an unspecified number of negative reviews on a listing within three to seven days, which would help increase the overall star rating for a product. For $1.50, the company offered a service to fool the algorithm into believing a product had been added to a shopper's cart or wish list by writing a super URL. And for $1,200, an Amazon seller could purchase a "frequently bought together" spot on another marketplace product's page that would appear for two weeks, which AmzPandora promised would lead to a 10% increase in sales.

This was a good article on this from last year. (My blog post.)

Amazon has a real problem here, primarily because trust in the system is paramount to Amazon's success. As much as they need to crack down on fraudulent sellers, they really want articles like these to not be written.

Slashdot thread. Boing Boing post.

Different types of cyber attacks

This blog has been updated to reflect industry updates. Originally published 1 December 2017.

A lot of organisations have experienced cyber attacks, but how are they actually hit? There are many types of cyber attack, and the one the criminal hacker chooses depends on what they are trying to do. Some want data, whereas others want a ransom to be paid.

The most common types of cyber attack are malware and vectors. Malware is designed to disrupt and gain unauthorised access to a computer system. There are the main forms:

Ransomware

Ransomware one of the fastest-growing forms of cyber attacks and has been behind a number of high-profile breaches, including the massive NHS data breach in 2017. It is a type of malicious software that encrypts a victim’s files and demands a payment to release them. However, paying the ransom does not guarantee the recovery of all encrypted data. Staff awareness is the best strategy to manage ransomware threats.

DDoS (distributed denial-of-service) attack

A DDoS attack is a malicious attempt to disrupt normal web traffic and take a site offline. This is done by flooding a system, server or network with more access requests than it can handle. DDoS attacks are often launched from numerous compromised devices, and are usually distributed globally through botnets.

Social engineering

Social engineering deceives and manipulates individuals into divulging sensitive information by convincing them to click malicious links or grant access to a computer, building or system. Two examples of social engineering are:

  • Phishing– this is an attempt to access sensitive information such as passwords and bank information by posing as a trusted individual. This is done via electronic communication, most commonly by email, and can inflict enormous damage on organisations.
  • Pharming– this is an attack that redirects a website’s traffic to a fake website, where users’ information is then compromised.

Viruses

A virus is a piece of malicious code that is loaded onto a computer without the user’s knowledge. It can replicate itself and spread to other computers by attaching itself to another computer file.

Worms

Worms are similar to viruses in that they are self-replicating, but they do not need to attach themselves to a program. They continually look for vulnerabilities and report back any weaknesses that are found to the worm author.

Spyware/adware

Spyware/adware can be installed on your computer without your knowledge when you open attachments, click links or download infected software. It then monitors your computer activity and collects personal information.

Trojans

A Trojan is a type of malware that disguises itself as legitimate software, such as virus removal programs, but performs malicious activity when executed.

Attack vectors

Attack vectors are used to gain access to a computer or network in order to infect them with malware or harvest stolen data. Vectors have four main forms:

  • Drive-by

A drive-by cyber attack targets a user through their Internet browser, installing malware on their computer as soon as they visit an infected website. It can also happen when a user visits a legitimate website that has been compromised by criminal hackers, either infecting them directly or redirecting them to a malicious site.

  • MITM (man in the middle)

An MITM attack is where an attacker alters the communication between two users, impersonating both victims in order to manipulate them and gain access to their data. The users are not aware that they are actually communicating with an attacker rather than each other.

  • Zero-day attack

The use of outdated (unpatched) software (e.g. Microsoft XP) opens up opportunities for criminal hackers to take advantage of known vulnerabilities that can bring entire systems down. A zero-day exploit can occur when a vulnerability is made public before a patch or solution has been rolled out by the developer. Patch management is one of the five basic cyber security controls proposed by the UK government’s Cyber Essentials scheme.

  • Sequel injection

An SQL (Structured Query Language) injection occurs when an attacker inserts malicious code into a server that uses SQL. SQL injections are only successful when a security vulnerability exists in an application’s software. Successful SQL attacks force a server to provide access to or modify data.

Download the infographic >>

How to protect against cyber security attacks

Any one of these cyber attacks can be easily implemented if your organisation does not have the proper cyber security in place. It is vital to assess your organisation’s level of cyber security in order to see where your weaknesses are, and how you can ensure that you are fully protected.

The most effective strategy to mitigate and minimise the effects of a cyber attack is to build a solid foundation upon which to grow your cyber security technology stack.

Solution providers often tell their clients that their applications are 100% compatible and will operate seamlessly with the current IT infrastructure, which, for the most part, is true. The problem arises when organisations add IT security solutions from different manufacturers regardless of the granularity of their configuration settings, and technology gaps are exposed.

Technology gaps appear for one simple reason: developers always keep certain portions of their code proprietary to retain their competitive advantage, meaning applications from different developers are never completely compatible. It is through the resulting gaps that attacks usually occur.

Robust cyber security will help you identify these gaps and mitigate the risk of an attack.

Start your journey to being cyber secure today

IT Governance has a wealth of experience in the cyber security and risk management fields. We’ve worked with hundreds of organisations in a range of industries for more than 15 years, and all of our consultants are qualified, experienced practitioners.

Our services can be tailored for organisations of all sizes in any industry and location. Browse our wide range of solutions below to kick-start your cyber security project.

Find out more >>

The post Different types of cyber attacks appeared first on IT Governance Blog.

Smashing Security #127: I do love the Dutch

Israel strikes back at Hamas’s hacking HQ, a new sextortion email comes with a twist, and Carole saves the world with some help from hacked Roomba vacuum cleaners.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Malicious Life’s Ran Levi.

That’s classified! Our top secret guide to helping people protect information

As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.

Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try and change the language, because otherwise, what we have here is a failure to communicate.

In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.

De do do do, de da da da

Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.

Message in a bottle

The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.

We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?

In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.

Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in food and drinks industry, maybe IP (intellectual property) like the recipe to the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients in a new drug.

You don’t have to put on the red light

So now we’ve established that information may have different values, how do we group them? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed but is still a simple number to grasp.

Photo by Harshal Desai on Unsplash

This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).

Once we know what we’re protecting, we get to the how.

  • If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
  • If the mark or sticker is amber, the person holding it must lock it away overnight.
  • Any document with a green mark doesn’t have to be locked away.

Every breath you take

You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.

It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, and folders, and so on. Once you’ve put the colours on it, the application of it is easy. If you use templates or forms of any kind it’s easy to start applying rules automatically, and you can then tie in the classification to your data leakage prevention tools, or DLP solutions, by blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could flag to the user that they need to encrypt before sending.

Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.

So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.

Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.

The post That’s classified! Our top secret guide to helping people protect information appeared first on BH Consulting.