Category Archives: Mobile Security

Survey Reveals 92 Percent of IT Professionals Concerned About Public Wi-Fi Security Risks on Corporate Devices

A new survey revealed that 92 percent of IT professionals are concerned about Wi-Fi security risks related to accessing public networks on corporate devices.

According to the Spiceworks survey, most IT professionals believe organizations could do more to address these risks. Just 63 percent of respondents said they are confident that employees use a virtual private network (VPN) when accessing public Wi-Fi on a corporate device, and even fewer (55 percent) said they think organizations are protected against these threats overall.

IoT Sparks Wi-Fi Security Concerns

Their concerns are justified: Twelve percent of respondents said their organization has suffered a security incident that involved an employee connecting to public Wi-Fi. Even more troubling is the fact that 34 percent of IT professionals don’t know whether their employer has experienced such an incident, because these events are difficult to detect.

But IT professionals aren’t just concerned about public Wi-Fi — they’re also worried about the security of devices that are connecting to corporate networks. Respondents to the Spiceworks survey attributed the greatest risk of Wi-Fi attacks to Internet of Things (IoT) devices, such as IP-enabled controllers (52 percent), appliances (49 percent), video equipment (42 percent) and electronic peripherals (40 percent). By contrast, 32 percent ranked Windows laptops as the greatest risk, while 18 percent cited iOS smartphones.

“While adoption of IoT devices is increasing in the workplace, many IT professionals are still wary of connecting these often unpatchable devices to corporate Wi-Fi networks,” said Peter Tsai, senior technology analyst at Spiceworks, in a press release. “As a result, some organizations are delaying the adoption of IoT devices and holding out hope that the forthcoming WPA3 protocol might improve Wi-Fi security.”

Don’t Wait for WPA3

But organizations don’t have to wait for WPA3 to begin addressing the persistent challenges associated with Wi-Fi security. In the meantime, they can use standard Wi-Fi security protocols and create guest Wi-Fi networks for visitors. If they haven’t done so already, they can also set up complex admin passwords on networking devices, implement strong service set identifier (SSID) networking names and enact MAC address filtering.

The post Survey Reveals 92 Percent of IT Professionals Concerned About Public Wi-Fi Security Risks on Corporate Devices appeared first on Security Intelligence.

McAfee Blogs: Warning: Crypto-Currency Mining is Targeting Your Android

Cryptocurrency, a virtual form of currency designed to work as a secure form of exchange, has gained a lot of traction in the world of finance and technology. But for many, the concept of obtaining cryptocurrency, or “crypto mining,” is obscure. Investopedia defines crypto-mining as, “the process by which transactions are verified and added to the public ledger, known as the blockchain, and also the means through which new currencies such as Bitcoin and Ethereum are released.”

The practice has been around since 2009, and anyone with access to the Internet, the required programs and hardware can participate in mining. In fact, by the end of this month, Forbes Magazine will have published its first “Top Richest” list dedicated to Crypto Millionaires.

With the rise in popularity of digital currency, it’s no surprise that cybercriminals across the globe are leveraging malicious code to obtain it. Hackers would rather develop or utilize mining malware instead of paying the expensive price tag associated with mining machines, which can be upwards of $5000. In China, the ADB Miner malware is spreading and targeting thousands of Android devices for the primary purpose of mining cryptocurrency. The malware is spread through the publicly accessible Android Debug Bridge (adb) on an opened port 5555. This port is typically closed but can be opened by an ADB debug tool. Once infected, a device will look for other devices with the same vulnerability to spread the malware and leverage other Android-based smartphones, tablets, and televisions for crypto-mining.
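The worm behaviour described above, an infected device hunting for other hosts with ADB exposed on TCP port 5555, leaves a recognisable fan-out pattern in network connection logs. The script below is an added detection example, not code from McAfee or the original post; it assumes a simple constructed connection-log format and flags any source that reaches a threshold of distinct destinations on port 5555 within a time window, which separates a spreading device from a developer's single adb session.

```python
"""Detect ADB-worm style lateral movement (TCP/5555 fan-out) in connection logs.

Added example, not part of the original post. It assumes a simple log format:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
All sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADB_PORT = 5555
# Flag a source once it has contacted this many distinct hosts on TCP/5555
# inside WINDOW. A developer talking to one device never approaches this.
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample: 10.0.0.12 sweeps six neighbours in three seconds (worm),
# 10.0.0.77 talks to a single device (normal adb use) and browses HTTPS,
# 10.0.0.55 touches five hosts but spread 30 minutes apart (below rate).
SAMPLE_LOG = """\
2018-02-05T10:00:01 10.0.0.12 10.0.0.40 5555 tcp
2018-02-05T10:00:01 10.0.0.12 10.0.0.41 5555 tcp
2018-02-05T10:00:02 10.0.0.12 10.0.0.42 5555 tcp
2018-02-05T10:00:02 10.0.0.12 10.0.0.43 5555 tcp
2018-02-05T10:00:03 10.0.0.12 10.0.0.44 5555 tcp
2018-02-05T10:00:03 10.0.0.12 10.0.0.45 5555 tcp
2018-02-05T10:00:05 10.0.0.77 10.0.0.90 5555 tcp
2018-02-05T10:00:09 10.0.0.77 10.0.0.90 5555 tcp
2018-02-05T10:00:10 10.0.0.77 203.0.113.5 443 tcp
2018-02-05T10:05:00 10.0.0.55 10.0.0.60 5555 tcp
2018-02-05T10:35:00 10.0.0.55 10.0.0.61 5555 tcp
2018-02-05T11:05:00 10.0.0.55 10.0.0.62 5555 tcp
2018-02-05T11:35:00 10.0.0.55 10.0.0.63 5555 tcp
2018-02-05T12:05:00 10.0.0.55 10.0.0.64 5555 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_adb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src_ip: sorted list of all ADB destinations it contacted}
    for every source that reached `threshold` distinct TCP/5555 destinations
    within any `window`-long span of its own traffic."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto != "tcp" or port != ADB_PORT:
            continue  # only ADB traffic matters for this detection
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order is required for the sliding window
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                # Report every ADB destination this source touched in the log
                # so an analyst can see the full set of possibly infected hosts.
                flagged[src] = sorted({dst for _, dst in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, targets in find_adb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"possible ADB worm spread from {src}: {len(targets)} hosts "
              f"contacted on port {ADB_PORT}: {', '.join(targets)}")
```

Tune FANOUT_THRESHOLD and WINDOW to the size of the network segment; a legitimate fleet-management tool that pushes to many test devices at once should be allowlisted by source address rather than by raising the threshold for everyone.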

So why are cybercriminals now targeting Android mobile devices? This could be due to the fact that hackers know they can easily manipulate vulnerabilities in Google Play’s app vetting system. Last year McAfee Mobile Threat Research identified more than 4,000 apps that were removed from Google Play without notification to users. Currently, the app store does not have consistent or centralized reporting available for app purchasers. Even if an app is supported by Google Play at the time of download, it could later be identified as malicious and Android users may be unaware of the fact that they’re harboring a bad app.

Researchers have found over 600 blacklisted malicious cryptocurrency apps across 20 app stores including Apple and Google Play. Google Play was found to have the highest amount of malicious crypto apps, with 272 available for download. In the United States, researchers have found another crypto-mining malware that is so demanding of phone processors, it’s causing them to implode. Loapi, a newly discovered Trojan crypto-miner, can cause phone batteries to swell up and burst open the device’s back cover, and has been found in up to 20 mobile apps.

Crypto-mining malware isn’t a new phenomenon. Before the WannaCry attacks last summer, cryptocurrency malware sprang up as another malicious software looking to take advantage of the same Windows vulnerabilities that WannaCry exploited. But, instead of locking down systems with ransomware, these cybercriminals were putting them to work, using a cryptocurrency mining malware called Adylkuzz.

Here are a few tips to ensure your Android-devices are protected from crypto-mining malware:

  • Download your apps from a legitimate source. While some malicious apps may slip through the cracks, app stores like Google Play do have security measures in place to protect users, and it’s much safer than downloading from an unknown source.
  • Delete any apps that you haven’t used over the past six months. An app’s security can change over time; applications that were once supported by an app store can be flagged as malicious and removed from the platform without notification. If an app is no longer supported in the app store, you should delete it immediately.
  • Keep all of your software up to date. Many of the more harmful malware attacks we’ve seen, like the Equifax data breach, take advantage of software vulnerabilities in common applications, such as operating systems and browsers. Having the latest software and application versions ensures that any known bugs or exploits are patched, and is one of the best defenses against viruses and malware.
  • Double up on your mobile security software. I can’t stress enough how important it is to use comprehensive security software to protect your personal devices.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Warning: Crypto-Currency Mining is Targeting Your Android appeared first on McAfee Blogs.


Millions of Android devices forced to mine Monero for crooks

No device is safe from criminals looking to make it stealthily mine cryptocurrency for them. However weak its processing power is, it still costs them nothing. With that in mind, forced crypto mining attacks have also begun hitting mobile phones and tablets en masse, either via Trojanized apps or redirects and pop-unders. An example of the latter approach has been recently documented by Malwarebytes’ researchers. The attack “In a campaign we first observed in late … More

Blog | Avast EN: Avast Android App Report reveals: These apps crush your phone’s battery

It won’t be exactly groundbreaking news when we tell you that your apps consume your Android’s battery, data, and storage. But here’s what far fewer people know: most apps run invisible in the background and the worst offenders drain all three (battery, data, and storage) at the same time. To help you navigate the digital sea of apps and learn which ones are sapping your resources, Avast, the global leader in digital security products, regularly releases the Avast Android App Performance & Trend Report.


McAfee Blogs: Share Your Heart, Not Your Identity: Here’s How You Can Stay Safe on Valentine’s Day

I love Valentine’s Day: it’s the one day of the year exclusively dedicated to sharing. We share our feelings, our affection, and special gifts with our loved ones. It’s a great time to show the people in our lives just how much they mean to us. Thanks to social media and mobile-friendly retailers, giving your loved ones the world is just a few clicks away.

Tech devices have made it so much easier to share our hearts with the people we care about. But, could our emotional vulnerability ultimately leave us vulnerable to cyber-attacks? Historically, Valentine’s day has been a big day for cybercrime. Criminals have found clever ways to take advantage of retail, online dating platforms, and social media to launch attacks against romantic hopefuls. If you’re wondering how to avoid the most common V-day scams, here are a few things to remember when sharing the love online, and some useful tips to keep your precious data safe.

Dating Apps Are a Data Goldmine

Apps like Tinder or Zoosk are very attractive to hackers around this time of year. Considering the amount of intimate details shared on these platforms, dating apps are prime targets for cybercriminals looking to gain access to personal data and even payment information. In fact, online dating has seen a growing number of cyber-threats since 2015.

If you’re wondering “what’s the worst that could happen if my Tinder account is hacked?”, look no further than the hundreds of pages of data that the app keeps stored on its users. This particular dating app doesn’t just match singles looking to spark a connection, it also collects behavioral data, such as how often you connect, when and where you connect, and even your “likes” and posts from other associated accounts. Some of this data might seem trivial to unsuspecting users, but if placed in the wrong hands this information could be detrimental to the security of your identity.

Florists Are a Favorite for Phishing Scams

A bright, beautiful bouquet of roses is my favorite gift to receive when February 14th rolls around. Unsurprisingly, flowers are one of the most common gifts given around Valentine’s Day, but sending and receiving flowers may not be as harmless as it seems. In 2016, cybercriminals leveraged the popularity of flower services to attack unsuspecting vendors through a series of DDoS attacks designed to extort money from them. While these attacks did not result in leaked information, it’s important to be cautious about which vendors you allow to keep your credit card information on file. After all, you’re expecting your florist to deliver an assortment of beautiful flowers, not a bouquet of personal data to cyber criminals!

If an attack on your friendly florist isn’t enough to pique your senses, hackers have also been known to take advantage of admirers looking to send flowers. Cybercriminals prey on the likelihood that you’ve sent flowers to your loved ones to launch phishing scams, using bogus packages and “Failure to Deliver” notices to collect your data.

Social Media Isn’t Always Your “Friend”

Valentine’s day is easily one of the most socially sharable days of the year. With so much love in the air, you can’t help but share pictures and posts about your loved ones with other friends and family online. Although most people associate cyber-attacks with some form of malware, many do not realize how vulnerable they are when sharing personal information on social media. Through social engineering, hackers use the information you share online to exploit you. The more personal information you choose to share on social media, the easier it is to exploit that information. Through social media, hackers can find out information about your job, the places you frequent, and even your mother’s maiden name. But don’t worry, we’ve got a few tips up our sleeve to help you share all of the love you want across social.

Seasonal events, like Valentine’s Day, present an opportunity for cybercriminals to leverage their schemes. But don’t be deterred from sharing the love— here’s how you can connect securely and keep your data safe from hackers:

  • Get friendly with your privacy settings on your social media apps. Social platforms like Facebook are making it easier to adjust your privacy settings through a “privacy center” so you can stay on top of the information you share and who you share it with.
  • Be careful of which accounts you link. Being connected to your online community is great, but linking accounts across platforms only gives cybercriminals easier access to your data. While Tinder does require you to link your Facebook account to sign up, you can turn off Tinder Social so that Tinder won’t be able to post anything to Facebook. And, when possible, avoid linking your dating profiles to other personal accounts.
  • Think before you click that link. Hover over it to see if the URL address looks legitimate to avoid phishing scams. If you know you didn’t send flowers, send that scam to your spam.
  • Double up on your security software. There are plenty of apps that keep your phone safe from malicious attacks. Consider using a service for your phone that offers web protection and antivirus.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Share Your Heart, Not Your Identity: Here’s How You Can Stay Safe on Valentine’s Day appeared first on McAfee Blogs.


8 Easy Ways to Hack-Proof Your Family’s Smartphones

Smartphones have changed the face of parenting in profound ways. But for all the efficiency they’ve introduced into family life, those same devices simultaneously bring risk.

With smartphone and tablet use growing at ten times the rate of PCs, hackers know precisely where to shift their focus these days. Cyber thieves love smartphones because once inside, they can access private information, location, email, photos, social media, and bank accounts.

If you’re a parent, a smartphone breach is an even bigger deal. Shoring up the security gaps in your own phone isn’t a big deal, but what about the other four or more smartphones under your roof? If you were to multiply the risk, you’d soon realize the potential havoc that’s looming.

While you can’t shut out every digital risk, you can tackle the most prominent ones. Let’s get started!

8 Ways to Hack-Proof Your Family’s Smartphones

  1. Think Like a Criminal. Work a potential hack backward. Look at every possible entryway into your phone and ask yourself, “How could I get into this phone if I were determined?” Then, methodically lock up each digital door. Challenge yourself to find every security gap. Examine your password strength, social profiles, web browsing security, general and app settings.
  2. Juice Up Your Password. How do you create a password that a criminal can’t hack? With great intention and a few extra layers. 1) Avoid the common error of using easy passwords such as “12345” or “password.” Get complex and create a combination that isn’t logical. 2) Use multi-factor authentication (MFA). Having multiple factors to authenticate your phone use such as your fingerprint, face, or a trusted device, increases security. Most smartphones offer MFA so, even if it seems tedious, use it. The more factors — or digital layers — you can combine, the more protected your smartphone will be. Too many passwords crowding your brain? Consider a password manager.
  3. Trust No App. Not all apps you download to your phone are created equal. Many third-party apps do not go through the rigorous security vetting of Google or Apple. Hackers can infect apps with malware or viruses that demolish your phone’s security and allow hackers access to your data. Beware. Examine all apps, read reviews, and steer clear of apps that ask for too much access. Even legitimate apps can be used for malicious purposes such as listening in via a phone’s microphone and even spying using a phone’s camera. To pull back an app’s access, just go to your settings. On Android: Go to Apps and Notifications, choose App Permissions and make changes. On iOS: Go to your settings, select Privacy, and make changes to app permissions accordingly.
  4. Passcode, Track Your Phone. Be proactive in case your phone gets stolen or lost. Make sure your device is passcode and fingerprint protected. Take a few minutes to enable phone tracking. For Android, you’ll download the app Find My Device and for Apple use Find My iPhone. Make sure those apps are always enabled on your phone. If your phone is lost or stolen it can be tracked online.
  5. Log out, Lock Online Services. If you bank, shop, or access sensitive accounts via your smartphone, do it with extreme care. This means logging out and locking those accounts when not in use and avoiding auto-login features. Instead, use a password manager app that forces you to re-enter a master password each time you want to access an account. It’s worth the extra step. An essential part of this equation is disabling keychain and auto-fill in your browser. You can do this by finding your web browser in Settings and toggling each option to OFF. Also, avoid using public Wi-Fi for accessing sensitive accounts or conducting any transactions.
  6. Turn Off Bluetooth. Bluetooth carries inherent vulnerabilities and is another open door for hackers to enter. When Bluetooth is turned on it is constantly looking for other open connections. Hackers work quickly through open Bluetooth connections, and often victims don’t even know there’s been a breach (there’s no evidence a phone has connected with a criminal source). Make sure to switch Bluetooth off if you are not using it.
  7. Take Updates Seriously. Because people design phones, phones will be flawed. And it’s just a matter of time before a hacker discovers and exploits those flaws. Developers use updates to combat all kinds of breaches, which makes them critical to your phone’s security. Along with staying on top of updates, consider the added safeguard of antivirus, identity, and privacy protection that covers all family devices.
  8. Stop! Don’t Click that Link. Unless you are 100% sure of the legitimacy of a link sent to you through text, email, or direct message, do not click it. Random links sent by hackers to access your data are getting more and more sophisticated as well as destructive.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post 8 Easy Ways to Hack-Proof Your Family’s Smartphones appeared first on McAfee Blogs.

Lenovo Warns Critical WiFi Vulnerability Impacts Dozens of ThinkPad Models

Lenovo issued a security bulletin Friday warning customers that two previously disclosed critical Broadcom vulnerabilities impact 25 models of its popular ThinkPad laptops.

Security Glue Between the Silos of Endpoint, Server, Cloud and Network Security Gets More Critical

Endpoint and host security techniques have diverged. There used to be considerable similarity between the techniques and tools used to secure desktops, servers, and even networks. Desktops evolved into endpoints as mobile devices proliferated, and everything that was not a server was lumped together under that label.

But as practitioners know, it isn’t all about the tech. Organizations changed, too: operations groups diverged into distinct endpoint ops and data center or server ops teams. At the same time, security shifted toward monitoring and verifying security more often than implementing and operating it.

BYOD and mobile workers pushed Endpoint Protection Platforms (EPP) into new tasks, like encryption, application control and DLP. Server communication and composition changed, and servers became increasingly virtual and are highly replaceable through orchestration. Server security became very different and subdivided into unique types reflecting the different exposures between web servers, data servers, and others.

The future sees this trend continuing. In the near term, containers mean that intra-server security becomes more complex and a bigger task. Containers shouldn’t normally house data, but they handle it and therefore become a target, especially if the application security regime doesn’t include container security. The communication between containers, and between containers and apps, becomes a key point to embed security. But likely not the only place, as the algorithms inside apps and containers become a future target. In the mid term, serverless becomes the new milestone in a changing data center as to how servers evolve and present new security challenges. “Is the server secured?” becomes a degree more abstract and moves towards “Are the server(s) secured?”

Network security is under organizational pressure as network ops gets sometimes forgotten in the move to hybrid and cloud. Contrary to the belief that network security goes away, it becomes more critical as your data moves to new and odd places. Endpoints and servers still need securing, and so too does the connection to them. There isn’t enough space in this blog entry to cover all the security dynamics of cloud security.

Clearly, all this disruption and specialization has created very narrow silos. Meanwhile, attacks are going low and slow. Within these silos, the challenge today is not only spotting meaningful attacks but how fast the label “meaningful” is assigned, and then the time to resolution of an alert. And that is within a single silo. As the whitespace between the security silos of endpoint, server, network and cloud expands, the opportunity to pull them together becomes more important. SIEM is a critical tool, but in the pre-SIEM and post-SIEM phases of reducing alert resolution effort and time, there is a wealth of security-relevant information lying between these silos. Better glue between the silos can mean better pre-SIEM security operations that create fewer alerts to resolve, SIEM output that is more relevant, and resulting alerts with a faster time to resolution. Too often we rely on the least-scalable resource to be this glue between the silos, our “meat computers” – our people. There are other security and tech silos as well that I haven’t mentioned, such as data, personnel, and data center.

The greatest challenges and opportunities in security present themselves when the organization and technology go orthogonal. As our technology, security, and organizations get more specialized and more siloed, putting more non-human security glue between these silos is a big opportunity. Specifically, it means recognizing that security happens across silos, even when security itself isn’t structured that way.

Why Device ID May Not Be Enough to Stop Fraud

Protecting your organization against fraud is a continuous game of cat and mouse. It seems like as soon as you implement a detection mechanism, the bad guys find a way to get around it.

Device ID — the ability to uniquely identify and later recognize a user’s device — was one of the first tools enterprises used for authentication and fraud detection. Using regular and Adobe Flash cookies, you could tag a device and use that as the “something you have” component of the authentication process, thus replacing onerous hardware tokens. If a device was unknown, the enterprise could step up authentication measures.

Modern device ID solutions have become significantly more sophisticated than these early cookie-based solutions. They collect information on myriad device characteristics, both static and dynamic, including browser, operating system, internet connection and other properties. This allows security teams to create a unique fingerprint of the device, which can be used to authenticate customers or detect suspicious interactions.

While device ID remains an important and sometimes effective tool in the enterprise fraud detection arsenal, it is not nearly enough to constitute a complete fraud detection solution. Why is this?

Read the white paper: How digital banking is transforming fraud detection

Fraud Has Caught Up With Device ID Techniques

When device ID was first developed, bad actors quickly learned that they could copy cookies and use them on other devices, enabling them to appear legitimate. As the technique evolved to include things such as IP address and the type and version of browser and operating system, bad actors have reverse engineered device ID solutions and created increasingly detailed spoofing techniques to fool security algorithms.

Many malware strains today collect not only credentials, but also the data used to create a device ID. Bad actors can then manipulate their own device to appear to use the same browser extension, OS attributes and more to further impersonate their intended victim. This practice is known as device ID spoofing. Modern device ID solutions should include spoofing detection capabilities. Moreover, to keep up with the pace of sophisticated fraud activity, device ID spoofing detection must be updated daily based on ongoing research and threat intelligence.
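As an added illustration of why a copied cookie or a spoofed fingerprint is detectable once static attributes are paired with consistency checks, here is a toy device-ID registry in Python. It is not code from the original post or from any vendor product; the attribute names, the hypothetical `assess_session` helper, and the sample sessions are all constructed for this example.

```python
import hashlib
import json

# Static attributes that make up the device fingerprint (an illustrative, constructed set).
FINGERPRINT_FIELDS = ("platform", "browser", "browser_version", "screen", "timezone")

# Ordered user-agent hints -> platform. "Android" is checked before "Linux" because
# Android user agents also contain the word "Linux".
UA_PLATFORM_HINTS = (
    ("Android", "Android"),
    ("Windows NT", "Windows"),
    ("Macintosh", "macOS"),
    ("Linux", "Linux"),
)


def fingerprint(attrs):
    """Hash the static attributes into a device fingerprint (SHA-256 of canonical JSON)."""
    canonical = json.dumps({k: attrs.get(k) for k in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def platform_from_user_agent(user_agent):
    """Return the platform implied by the user-agent string, or None if unrecognised."""
    for hint, platform in UA_PLATFORM_HINTS:
        if hint in user_agent:
            return platform
    return None


def consistency_findings(attrs):
    """Spoofing tells: attributes that should agree with each other but do not."""
    findings = []
    ua_platform = platform_from_user_agent(attrs.get("user_agent", ""))
    if ua_platform is not None and ua_platform != attrs.get("platform"):
        findings.append("ua_platform_mismatch")
    # Timezone the browser reports vs. the timezone implied by the client IP's geolocation.
    if attrs.get("timezone") != attrs.get("ip_timezone"):
        findings.append("timezone_geo_mismatch")
    return findings


def assess_session(known_devices, cookie_device_id, attrs):
    """
    Hypothetical helper combining the device-ID cookie, the recomputed fingerprint
    and the consistency checks.

    known_devices: dict of cookie device ID -> fingerprint enrolled for that device.
    cookie_device_id: the device-ID cookie presented in this session (may have been copied).
    attrs: attributes observed in this session.
    Returns (verdict, findings) where verdict is "known", "unknown" or "suspected_spoof".
    """
    findings = consistency_findings(attrs)
    enrolled = known_devices.get(cookie_device_id)
    if enrolled is None:
        return "unknown", findings  # unrecognised device: step up authentication
    if enrolled != fingerprint(attrs):
        # The cookie matches an enrolled device but the device underneath it does not:
        # the "copy the cookie to another machine" case described above.
        findings.append("cookie_fingerprint_mismatch")
        return "suspected_spoof", findings
    if findings:
        # Static fingerprint reproduced exactly, but dynamic attributes disagree.
        return "suspected_spoof", findings
    return "known", findings


# Constructed sample data: one enrolled device and three sessions.
LEGIT_SESSION = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) example-browser/64",
    "platform": "Windows",
    "browser": "Chrome",
    "browser_version": "64",
    "screen": "1920x1080",
    "timezone": "America/New_York",
    "ip_timezone": "America/New_York",
}
KNOWN_DEVICES = {"device-cookie-0001": fingerprint(LEGIT_SESSION)}

# Cookie copied onto a different (Linux) machine in another region.
COPIED_COOKIE_SESSION = dict(
    LEGIT_SESSION,
    user_agent="Mozilla/5.0 (X11; Linux x86_64) example-browser/64",
    platform="Linux",
    timezone="Europe/Berlin",
    ip_timezone="Europe/Berlin",
)

# Static fingerprint reproduced exactly, but the IP geolocates to a different timezone.
SPOOFED_FINGERPRINT_SESSION = dict(LEGIT_SESSION, ip_timezone="Europe/Berlin")

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION),
                          ("copied cookie", COPIED_COOKIE_SESSION),
                          ("spoofed fingerprint", SPOOFED_FINGERPRINT_SESSION)):
        print(name, assess_session(KNOWN_DEVICES, "device-cookie-0001", session))
```

In production the consistency rules would be far richer and refreshed from threat research, which is the point the post makes about daily updates.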

RATs and Social Engineering

The eruption of remote access Trojans (RATs) and other similar threats has resulted in a new way for bad actors to avoid device ID-based fraud detection. An attacker using a RAT is actually using the victim’s device, which completely sidesteps any fraud detection capabilities based on device ID.

In addition to RATs, threat actors constantly develop schemes that take advantage of the weakest element of security strategy — humans — using social engineering tactics. Social engineering attacks such as business email compromise (BEC) target employees with access to company finances and trick them into making wire transfers to criminal bank accounts. In these cases, the fraudulent action comes from both the right device and the right user, something that a device ID-based fraud detection solution would be unable to detect.

Of course, the attacks that circumnavigate device ID-centric solutions are not yet simple enough to be conducted at scale. Fraudsters must invest significant time and research to complete these attacks successfully, but that doesn’t mean they should be overlooked. In fact, bad actors who employ these techniques generally target an institution’s highest-value accounts, making every successful attack potentially catastrophic.

Best Practices for Improving Fraud Strategies

What should an enterprise look for when implementing a fraud detection strategy? It should still include complex device ID as an integral feature, but it should be paired with a strong device ID spoofing tool that includes ongoing threat research and automatically adapts to new threats.

Perhaps more importantly, enterprises should think of device ID as just one tool in a multilayered identification toolbox. Device ID solutions should include additional indicators of fraudulent activity relative to the user, device, behavior or session. These can include behavioral biometrics, malware detection, phishing detection and global identity networks exposing repeated usage patterns over the multitude of these perspectives. It’s also important to consider ongoing transaction monitoring to identify accounts that might be compromised by social engineering.

From a wider security perspective, enterprises should always be wary of one-trick pony solutions. Any solution that uses device ID, biometrics or malware detection exclusively will never be enough to prevent fraud. Multilayered security solutions provide the depth needed to defeat the bad actors of today and tomorrow because they are infused with many layers of cognitive fraud detection and analytics to help prevent digital identity fraud.

In addition to highly complex device ID tools with spoofing detection, these solutions include ongoing global threat intelligence research, behavioral biometrics, malware detection, RAT detection and more. The security layers are pre-integrated, both on the technical level and on the derived risk balancing level, which helps organizations avoid the potential pitfalls of device ID-based fraud protection so they can offer their customers a seamless user experience.

The post Why Device ID May Not Be Enough to Stop Fraud appeared first on Security Intelligence.

How to keep our kids safe online – start by talking about it

Whether or not you’re lucky enough to be a parent or grandparent, as adults we should all be concerned about the safety of children online. That’s why, on Safer Internet Day, a day dedicated to promoting the safe and positive use of digital technology for children and young people, I wanted to share some thoughts on what we can do about it. Because we all have a responsibility to look out for the generation of tomorrow.

Firstly, let’s agree on a few basic truths. Today’s generation of children are unlike any that have come before them. The fortunate ones have grown up with technology all around them, and children are engaging and interacting with technology from an ever-younger age. What’s more, this isn’t always a case of stealing mum’s mobile phone, or dad’s iPad. No, much of it is technology aimed specifically at kids.

It’s not a surprise therefore that today’s generation of children are often seen glued to their phones, tablets and connected toys. And while most of this technology is incredible stuff, the unfortunate reality is that it often opens children up to a whole host of dangers. These might seem like trivialities to the younger generation, but how many children forget to inform their parents about who they are talking to online, the pages they are visiting and what they are sharing?

So what can be done about it, and how can we ensure that children are able to take advantage of the many benefits of technology, while also protecting them from its darker side? As with many things in this world, talking about it helps.

Below are some conversation starters you can use to help talk about these issues with children. These are from Safer Internet Day’s online resource, but there are lots of others out there should you want more inspiration.

Get the conversation started on a positive note:

  • Ask them what they like most about the internet and why?
  • What’s their favourite game/app/site?
  • Ask them to show you the most creative thing they’ve made online, e.g. a video they’ve made, or picture they’ve drawn.
  • Explain how the internet offers brilliant opportunities for making connections with others. Ask them who they like to keep in touch with online and what apps or services do they use?

Talk about safety:

  • Ask them what they would do if they saw that a friend online needed some help or support?
  • Ask them how they stay safe online? What tips do they have and where did they learn them?
  • Ask them to show you how to do something better or safer online.
  • Ask them to tell you what it’s okay to share online. What is it not okay to share online?
  • Do they know where to go for help, where to find safety advice and how to use safety tools on their favourite apps and games?

Discuss digital lives and wellbeing:

  • Ask them how the internet and technology makes their life better?
  • Ask how the internet makes them feel. Do different apps and games make them feel differently?
  • Ask what could they do if being online was making them feel worse rather than better?
  • Ask them how might they know if they were using the internet and technology too much?

Talk about respect:

  • Ask what could they do if someone online was making them or someone they know feel worried or upset?
  • Who do they look up to or respect online? Why?
  • Ask them if people can say or do whatever they want online? Why / why not?
  • Ask what is different about talking online to someone compared to talking face to face? Is there anything that is the same?
  • Do they have any tips for how to be positive and show respect online?

In the hyper-connected world in which we live, it really is the responsibility of all adults to protect children online. And Safer Internet Day is the perfect opportunity to talk to your child about using the internet safely, responsibly and positively.

If you want to find out more there’s a whole host of resources to be found on the Safer Internet Day website, here: https://www.saferinternet.org.uk/advice-centre

And if you’re interested in joining the discussion on how to keep children safe online, we’ll be hosting a Twitter chat from 13:00 GMT today. You can get involved by including #SetUpSafe in your tweet.

The post How to keep our kids safe online – start by talking about it appeared first on McAfee Blogs.

Android Device Management: Sweet Features, No Toothache

People love their Android devices. In fact, it has become one of the world’s most popular mobile operating systems (OS). Consumers expect to put this technology to work, not just use it outside the office. This has made Android device management a critical tool in any security team’s arsenal.

In addition, Google’s commitment to making compatible devices enterprise-ready has made the Android OS so good, organizations won’t want to miss out on the full potential of the platform. Since its initial release, Google has added more features to maximize productivity, bolster security and improve the OS’s overall adaptability in the enterprise.

Learn More about putting the Sweet Features of Android to Work!

Tracking the Evolution of the Android OS

Below is an abbreviated look at the evolution of the OS and the key security features associated with each iteration.

  • When Android 5.0 (Lollipop) was released in 2014, a key feature was adding work profiles. This addition was designed to separate work from play and help protect user privacy. Only approved applications can be installed in these profiles, and work data is encrypted to keep it safe if the device is lost or stolen.
  • Android 6.0 (Marshmallow), released in 2015, included security and management enhancements, such as fingerprint access, which improves the user experience without compromising security.
  • The following year, Android 7.0 (Nougat) added an always-on virtual private network (VPN) feature, which directed all traffic from the work profile or specific apps through a secure connection.
  • The newest release, Android 8.0 (Oreo), brings zero-touch enrollment, which saves users time and hassle when getting set up for Android device management.

Three Tips for Managing Android Devices

When implementing Android in the enterprise, organizations should follow the key steps outlined below to make sure the deployment is successful.

Use a UEM Solution

Industry analysts have adopted the term unified endpoint management (UEM) to describe a solution that encompasses all types of data and devices, from smartphones and tablets to laptops, desktops and Internet of Things (IoT) devices. This tool should be able to manage any enrolled Android device, along with all other commonly used platforms, with ease.

Manage Devices With Remote Support and Simple Enrollment

Over-the-air (OTA) and remote support are some of the best tools to have when managing Android devices. Even if a device is miles away, IT can see exactly what the end user sees and provide technical support from afar. With Android zero-touch enrollment, the IT team can manage devices without physically touching them at all.

Be Secure, but Don’t Burn Trust

Today’s technology landscape has raised user, device and data security as one of the most important issues for IT and security leaders to address. When managing Android devices, security teams should set rules to ensure that the organization’s data is encrypted in case of a breach. It’s also important for end users to feel confident that their personal data is truly private, even from the IT team. Trust and reassurance between IT and the user population is key.

Android Device Management Can Be Easy

When implementing an Android device management solution, it’s important to assess the needs of the organization, the IT department and end users, especially when it comes to privacy. Security leaders should be sure to follow all the proper steps for a successful UEM rollout.

Managing Android devices doesn’t need to be difficult — especially when you’re using a UEM solution that provides fast deployment and management of all the organization’s users, devices, apps and content — Android and otherwise — from a single console. After enrolling devices, IT can implement security policies and compliance rules to help protect users and their data without impeding productivity or violating user privacy.

The post Android Device Management: Sweet Features, No Toothache appeared first on Security Intelligence.

Cyware News – Latest News: Here’s why you should avoid porn on Android phones

[Photo caption: If you're gonna look at porn on your Android devices, you'll likely run into malware. Photo by PA Images via Getty Images]

If you own an Android device, think twice before you look at porn. Kaspersky Lab, a Russian cybersecurity company, found that at least 1.2 million people came across porn-disguised malware on Google's Android operating system last year, according to a report released Wednesday. That's about a quarter of the 4.9 million people who encountered malware on Android devices last year, the company said. Kaspersky Lab researchers said they'd seen porn used as malware bait "almost from the first day of adult online content." On desktops, Kaspersky researchers found porn-related malware more than 300,000 times, but that pales in comparison to how much they discovered on mobile devices. Kaspersky Lab's findings didn't involve devices that run Apple's iOS software.

Cyware News - Latest News

Crypto-Mining: The Next Ransomware

Hackers are opportunistic by nature. As device manufacturers continue to add more CPU cores and gigabytes of RAM to smartphones and tablets as well as enterprise-grade cloud servers, these devices

The post Crypto-Mining: The Next Ransomware appeared first on The Cyber Security Place.

The Future of IoT: What to Expect From Our Devices This Year

The beginning of the new year is always an exciting time for consumer technology enthusiasts. Business leaders, pioneers and forward-thinking companies gather in Las Vegas to showcase their latest devices at The International Consumer Electronics Show (CES), where next-generation innovations take center stage and the world gets a glimpse into the future of IoT. I had the pleasure of attending CES with my colleagues this year and was blown away by the breadth of technology showcased. While the innovations stretched across many industries, I’d like to focus on the recurring themes in home and personal technology and how we can secure ourselves through the gadget-filled year ahead:

Smart Homes Will Become “Smarter” 

My favorite devices are the ones designed to enhance the smart home. Companies are striving to advance technology and make our lives easier in the comfort of our homes. From smart thermostats to smart assistants, there is certainly no shortage of household innovation, and companies like Google and Samsung are making strides to contribute to the smart home ecosystem. During CES, Samsung pledged to make all of its devices “smarter” by 2020, linking together all devices via its SmartThings cloud. Meanwhile, Google announced that Google Assistant will now be built into (or compatible with) a range of household products, including your smart doorbell and ceiling fan.

As our homes become increasingly connected, the need to secure our internet-connected devices is critical. More IoT devices mean more points of data to attack and leverage for cybercrime. Hackers have the ability to access your personal information through connected home devices, which poses a threat to your identity. Consider using a service with built-in security to ensure every device in your home is well protected, especially the ones that often fly under the radar. Secure routers and gateways can protect all of your connected devices, even the ones without screens.

Smart Technology Will Track Your Sleep 

Technology is even changing the way we sleep, with smart sleep solutions for consumers. At CES 2018, Terraillon announced HOMNI, a device designed to help improve a user’s sleep environment. This device tracks the sleeper’s movement, sending your sleep data to a free app so that users can see how well they’ve slept. There’s nothing technology can’t solve for, including a good night’s sleep. However, when it comes to our personal data, it’s wise to be aware of how your data is being tracked or used.

As the use of connected devices in our homes and personal lives grows, so does the need for security beyond your PC or mobile phone. Many of the devices that we welcome into our daily routine aren’t equipped with proper security controls. It’s important to remember that these connected devices often run on our personal information: your name, age, location and, in this case, your sleeping habits. While a sleep tracker may collect your information with the intention of helping perfect your sleeping patterns, it has the potential to put your information in places that you might not intend. This is another example of why it’s exceedingly important to secure the connection at its source: your home.

“Ask Alexa” Will Live in Your Eyewear

Amazon Alexa has the ability to communicate with just about every connected device, so it’s no wonder that the Alexa Voice Service will soon have the ability to connect with your glasses, too. During CES, Vuzix announced that its latest pair of AR glasses, the Vuzix Blade, can communicate with Amazon Alexa. Blending augmented reality with an AI assistant’s functionality, this headset acts as a fully functional computer with the ability to send email and text notifications via Bluetooth, using the processing power of Android and an unparalleled display.

Amazon Alexa has become a pseudo-family member in many households, offering assistance in the kitchen and even reading bedtime stories to children. To keep cybercriminals from gaining access to your personal data, be sure you enable an extra measure of security, like setting up a PIN code for your voice command purchases.

Adding an extra layer of security to your smart devices is key to becoming an empowered consumer in today’s day and age. By taking these extra steps you’ll be able to enjoy the benefits of a secured smart home.

Interested in learning more about IoT and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post The Future of IoT: What to Expect From Our Devices This Year appeared first on McAfee Blogs.

Security-as-a-Service Bolsters Customer Satisfaction

Communications service providers (CSPs), which have notoriously poor customer satisfaction ratings as an industry, can bolster loyalty by delivering security-as-a-service for mobile devices, research has revealed. According to Allot Communications’ latest

The post Security-as-a-Service Bolsters Customer Satisfaction appeared first on The Cyber Security Place.

McAfee Blogs: How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World

Tomorrow, January 28, is National Data Privacy Day. While that may not mean a lot to you at first glance, the day shines a light on one of the most critical issues facing families today — protecting personal information in a hyper-connected world.

The day gives us an opportunity to 1) honestly examine the many ways our lives are connected and, 2) to take responsibility (and steps) to safeguard each area of personal privacy we expose — or potentially misuse — every time we power up.

Data Channels

Every day we connect our lives to external sources that are useful, productive, and entertaining without even realizing the many ways others can exploit our digital connections. There are the obvious sources that present a risk to our data such as social networks, online shopping, web browsing, and apps. Then there are the not-so-obvious sources that gather our information such as medical offices, schools, financial institutions, retail businesses, household assistants, TVs, home security systems, appliances, toys, and wearables.

Studies show that most of us certainly are not going to give up our connected lives to prevent a data breach. So, the next practical step is to get more intentional about our family’s privacy and take specific actions to minimize our risk.

The Risks Are Real

If you’ve never suffered the consequences of another person or organization exploiting your personal information, then you may not understand the seriousness of protecting it. However, as we all become more seamlessly connected in an Internet of Things (IoT) world, chances are you will experience some data misuse or abuse in the future. Those acts might be large-scale breaches such as the ones we’ve seen with Equifax, Uber, and Verizon or the breach may be on a smaller scale but just as financially and emotionally damaging.

When personal data gets hacked, sold, or exploited several things can happen. Digital fallout includes identity theft, credit card fraud, medical fraud, home break-ins, data misuse by companies, reputation damage, location and purchasing tracking, ransomware, and much more.

So the technology-driven future we’ve imagined is here — and it’s pretty awesome — but so too are the risks. And who among us could have guessed that parenting in the 21st century would include teaching kids about cybercriminals, data mining, and privacy breaches?

Step-Up Family Privacy

Treat privacy like gold. If more of us saw our personal information the way cybercriminals see it — like gold — then we may be more inclined to lock it up. Guiding your family in this mind-shift requires real effort. Teach your kids to view their personal information — address, habits, personal routine, school name, relationships, passwords, connected devices — as gold. Gold is to be treasured, locked up, and shared with great discernment. This attitude change may take time but, hopefully, the return on investment will mean your kids pause before handing over personal info to an app, a social network, a retail store, or even to friends.

Stress responsibility and respect. Stopping to think before you share online or connect a digital device is a key to safeguarding digital privacy. By teaching your kids that living in a connected world comes with responsibility for one’s actions and respect for others, you take a leap toward securing your family’s online privacy.

Routinely secure the basics. There are fundamental security measures under our roofs that cybercriminals are counting on all of us to neglect (and many of us do just that). Powerful security steps include: 1) Update all software (PC, phone, tablets, etc.) routinely 2) Establish and maintain strong passwords 3) Secure privacy settings on all social networks 4) Lock down your home network 5) Don’t overshare family details (names, travel, location, address, friends) online.

Make privacy fun. Here’s something to ponder. Challenge your kids to keep a low profile online. Talk about the power of being discreet, private, and mysterious in their digital peer group. Encourage them to set themselves apart by being the one who isn’t so easily accessed. Ask: Is digital sharing an enjoyable thing or, in reality, has it become an exhausting habit? Challenge them to go undercover (dark) online for a week and journal the pros and cons of being hyper private online. Come up with an incentive that works for your family.

Enjoy the Wows

Overall, stop and consider what your digital devices, apps, games, and products are asking of you. Is that fitness tracker getting a little too personal? Does that new toy, home security system, or household assistant know more about your family than your own mother does? Then don’t fill in every blank box. Go into the privacy settings and shore up product access, freshen up your passwords, and make sure you stay on top of software updates. Stop giving retailers, government agencies, and online marketers your email address. In short — pay attention, protect, and cherish your personal data. You can enjoy the wows of your technology without opening up your family’s privacy.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World appeared first on McAfee Blogs.



McAfee Blogs

How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World

Tomorrow, January 28, is National Data Privacy Day. While that may not mean a lot to you at first glance, the day shines a light on one of the most critical issues facing families today — protecting personal information in a hyper-connected world.

The day gives us an opportunity to 1) honestly examine the many ways our lives are connected and, 2) to take responsibility (and steps) to safeguard each area of personal privacy we expose — or potentially misuse — every time we power up.

Data Channels

Every day we connect our lives to external sources that are useful, productive, and entertaining without even realizing the many ways others can exploit our digital connections. There are the obvious sources that present a risk to our data such as social networks, online shopping, web browsing, and apps. Then there are the not-so-obvious sources that gather our information such as medical offices, schools, financial institutions, retail businesses, household assistants, TVs, home security systems, appliances, toys, and wearables.

Studies show that most of us certainly are not going to give up our connected lives to prevent a data breach. So, the next practical step is to get more intentional about our family’s privacy and take specific actions to minimize our risk.

The Risks Are Real

If you’ve never suffered the consequences of another person or organization exploiting your personal information, then you may not understand the seriousness of protecting it. However, as we all become more seamlessly connected in an Internet of Things (IoT) world, chances are you will experience some data misuse or abuse in the future. Those acts might be large-scale breaches such as the ones we’ve seen with Equifax, Uber, and Verizon or the breach may be on a smaller scale but just as financially and emotionally damaging.

When personal data gets hacked, sold, or exploited several things can happen. Digital fallout includes identity theft, credit card fraud, medical fraud, home break-ins, data misuse by companies, reputation damage, location and purchasing tracking, ransomware, and much more.

So the technology-driven future we’ve imagined is here — and it’s pretty awesome — but so too are the risks. And who among us could have guessed that parenting in the 21st century would include teaching kids about cybercriminals, data mining, and privacy breaches?

Step-Up Family Privacy

Treat privacy like gold. If more of us saw our personal information the way cybercriminals see it — like gold — then we may be more inclined to lock it up. Guiding your family in this mind-shift requires real effort. Teach your kids to view their personal information — address, habits, personal routine, school name, relationships, passwords, connected devices — as gold. Gold is to be treasured, locked up, and shared with great discernment. This attitude change may take time but, hopefully, the return on investment will mean your kids pause before handing over personal info to an app, a social network, a retail store, or even to friends.

Stress responsibility and respect. Stopping to think before you share online or connect a digital device is a key to safeguarding digital privacy. By teaching your kids that living in a connected world comes with responsibility for one’s actions and respect for others, you a leap in securing our family’s online privacy.

Routinely secure the basics. There are fundamental security measures under our roofs that cybercriminals are counting on all of us to neglect (and many of us do just that). Powerful security steps include: 1) Update all software (PC, phone, tablets, etc.) routinely 2) Establish and maintain strong passwords 3) Secure privacy settings on all social networks 4) Lock down your home network 5) Don’t overshare family details (names, travel, location, address, friends) online.

Make privacy fun. Here’s something to ponder. Challenge your kids to keep a low profile online. Talk about the power of being discreet, private, and mysterious in their digital peer group. Encourage them to set themselves apart by being the one who isn’t so easily accessed. Ask: Is digital sharing an enjoyable thing or, in reality, has it become an exhausting habit? Challenge them to go undercover (dark) online for a week and journal the pros and cons of being hyper private online. Come up with an incentive that works for your family.

Enjoy the Wows

Overall, stop and consider what your digital devices, apps, games, and products are asking of you. Is that fitness tracker getting a little too personal? Does that new toy, home security system, or household assistant know more about your family than your own mother does? Then don’t fill in every blank box. Go into the privacy settings and shore up product access, freshen up your passwords, and make sure you stay on top of software updates. Stop giving retailers, government agencies, and online marketers your email address. In short — pay attention, protect, and cherish your personal data. You can enjoy the wows of your technology without opening up your family’s privacy.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures). 

The post How to Treat Your Family’s Personal Data Like Gold in a Hyper-Connected World appeared first on McAfee Blogs.

CAPTCHA + reCAPTCHA: Are they the Best Fraud Prevention Solution for your Business?

As someone who has worked in cybersecurity for years, it’s been fascinating to watch the evolution of CAPTCHA. Whilst you’re probably familiar with the acronym, you may not know that

The post CAPTCHA + reCAPTCHA: Are they the Best Fraud Prevention Solution for your Business? appeared first on The Cyber Security Place.

Your Back To School Tech Plan

I am such a fan of school holidays! No music lessons, no sport, no commitments. Bliss!! The crazy school term routine is no more and people can just ‘be’. Marvellous!! But all good things must come to an end. So, unless you want the police knocking on your door, the kids must go back to school. Ughh! So much to do. Where to start?

So, there’s shoes, uniforms, enrolments in music, drama and sport, haircuts, stationery and then of course, all things technology! Ah yes, the ‘t’ word. When you’re juggling work, running a house and a tribe of kids, managing your kids and their tech lives can be overwhelming. But as parents, it is essential that we take the time to make sure we have all things technology covered for our kids.

What Are The Main Risks Kids Face Online?

The internet, our connected devices and online activity are such a huge (and permanent) feature of our modern lives. As parents, we owe it to our kids to make sure we can prevent some of the dangers associated with a connected life. Whether it’s phishing scams, online predators, oversharing, downloading malware, falling for an online scam or worst case, becoming the victim of cyberbullying, teaching our kids how to navigate some of the perils of the online world is essential.

How Can I Help My Kids Navigate Online Dangers?

Without a doubt, the absolute best way of protecting our kids is taking the time to better understand how the online world really works. And I understand that means time – something many of us just don’t have. But if you could scan the tech news of your favourite online news site every day and then allocate 20 minutes each week to research a new app or social media platform, you’d be surprised how quickly you could get yourself into good cyber parenting shape.

The Back To School To-Do List

But let’s keep it simple. It’s already January and there isn’t a lot of time left to get organised. So, here’s what I think you should focus on tech-wise to make sure you can cross technology off your ‘back to school’ to-do list.

1. Install Security Software On ALL Devices.

Many people invest in security software for their laptops, which is great. However, all devices need to be protected. Anything you can download on a laptop, you can download on a tablet or phone.

Many security software packages will include coverage for a ‘fleet’ of devices. McAfee® Total Protection software provides premium antivirus, identity and privacy protection for all your PCs, Macs, smartphones and tablets – in one subscription. Easy!

2. Know How To Connect Safely On Public Wi-Fi Networks.

Public Wi-Fi can be an extraordinarily risky affair, with hackers spending a lot of time developing ways to extract users’ personal information. If your kids absolutely must connect, ensure it is a secured Wi-Fi network, which means it requires a password. However, this is still not 100% safe, so no banking, financial or shopping transaction should be conducted on public Wi-Fi.

Why not consider investing in a Virtual Private Network (VPN)? A VPN provides a secure encrypted connection which means that anything you send or receive is safe. Check out McAfee’s VPN, McAfee® Safe Connect – it provides bank-grade Wi-Fi encryption, which means you can relax!

3. Schedule Regular Data Backups.

‘Losing’ a document is so frustrating! Avoid those late-night homework traumas and ensure your kids have regularly scheduled data backups for their main devices. You could choose to back up to a hard drive, but I think an online backup service is probably easier to use. Whether it’s Google Drive, Dropbox or OneDrive – find an online provider and set this up BEFORE school projects get underway!

4. Ensure All Device Software Is Up-To-Date.

Software updates (and reminders) can be super annoying and interrupt the flow of a busy day. But keeping your software up-to-date is actually one of the best ways of protecting yourself from the latest online threats.

Why not select auto-updates for software on all your devices – including your smartphones? If your software doesn’t offer auto-updates, schedule a monthly reminder in your calendar to check for and install available updates.

5. Understand Your Child’s School BYOD Policy.

Make sure you understand the Bring Your Own Devices (BYOD) policy of your child’s school. Some schools require parents to be responsible (and pay) for repairs, insurance and online security associated with your child’s laptop or tablet; others will provide this for an annual fee. Please take the time to understand this before the school year starts and an issue occurs.

I know it may seem like a bit of work but taking these precautionary steps now means your kids are as protected as can be when enjoying their online lives and of course doing their homework this year! And make sure you also take the same steps to protect the adults (and their devices) in your house as well! They are just as important.

Here’s to a great school year!!

Take care,

Alex xx

The post Your Back To School Tech Plan appeared first on McAfee Blogs.

WeLiveSecurity: Are mobile devices insecure by nature?

It is no easy feat to recall going through life without the vast variety of mobile devices that are now part of our day-to-day. What is more, it is downright impossible to imagine a future without these devices. Recent times have been marked by a diversity of trends that revolve around flexibility and that have

The post Are mobile devices insecure by nature? appeared first on WeLiveSecurity

5 Ways to Be Proactive When Protecting Your Personal Data

WannaCry, Equifax and Uber—in the wake of a data emergency, I often find myself hyperconscious of my online security measures: I immediately change my passwords, I’m careful about what emails I open, and what links I click. However, once the news cycle passes, I admit I fall back into my old habits, which aren’t always as secure as they should be. It’s important to incorporate good practices into your daily routine to keep your digital life safe even before a breach happens, and well after the latest hack becomes old news. Here are 5 simple ways you can help improve your online security.

Take a Break to Update

We all know how frustrating it can be to receive pop-ups for a software update when you’re busy. They can take time, slow down what you’re working on, and often seem unimportant. But, they are important. Updates fix bugs—bugs that potentially could leave your device vulnerable to an attack. In fact, operating systems and browsers require regular updates to stay on top of vulnerabilities. So, take the time to let the updates run as needed—think of it as investing time in your security.

Delete, Delete, Delete

Does your device have pages of apps that haven’t been used in months? If so, it’s time to delete. It’s a good security practice to take a minimalist approach to your application use, especially since some older apps may no longer be supported by the Google or Apple stores. Over time, apps can get infected with malware and could be part of a larger data problem. Check the status of your mobile apps regularly, and delete them if they’re no longer supported in stores and you haven’t used them in months.

Keep Your Private Passwords, Private

The age-old saying, “sharing is caring” should never apply to personal passwords. Last year’s survey showed that 59% of people were open to sharing their passwords. But when it comes to online safety, passwords should never be shared with anyone under any circumstance. It may be exciting to share the latest video streaming app with your friends and loved ones, but your privacy could be compromised. It’s simply not worth the risk, so keep your passwords to yourself.

Stay Current on Your URLs

Hackers are masters of disguise, and often hide behind convincing URLs to launch phishing attacks. Pay close attention before you click on a link — if the link looks “phishy,” go directly to the company site to confirm that the URL is legitimate.

Enlist Some Backup

As major data breaches continue to hit the scene, it’s important to be proactive in protecting your identity. Reviewing your account information, and setting up alerts for when there’s a chance your personal data has been compromised, is a key part of limiting the damage once information has been exposed. Consider using a comprehensive monitoring and recovery tool that can help you take action.

Interested in learning more about mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Ways to Be Proactive When Protecting Your Personal Data appeared first on McAfee Blogs.

Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud

Organizations are flocking to cloud services and mobile devices to cut costs and boost productivity. Despite the benefits, these technologies exacerbate the challenge of verifying identities and managing access to applications and data by consumers, employees and business partners from multiple devices and locations.

Let’s take a look at some of the most common identity and access management (IAM) challenges and how organizations can resolve them without compromising employee productivity.

Common Identity and Access Management Challenges

Organizations struggle to vet identities and approve access requests because the data resides in various locations and business units. Requesters often encounter roadblocks when seeking access, leading them to escalate requests to upper management and override the proper vetting process. Furthermore, those tasked with approving requests lack sufficient insight into which employees require access to confidential data.

The lack of a centralized, authoritative identity repository for users makes reconciliation another significant challenge. Additional problems arise when privileges on systems either exceed or lack access levels that were previously granted and provisioned.

When it comes to certification and accreditation, examiners may have insufficient knowledge of access needs. Not to mention, processes tend to be manual, cumbersome and inconsistent between business units. This task becomes even more difficult when examiners must conduct multiple, redundant and granular validations.

Provisioning and deprovisioning identities can pose a critical challenge when manual provisioning processes are ineffective. Organizations that fail to remove improper IAM privileges or resort to cloning access profiles will face similar struggles.

Failure to segregate duties and monitor administrators, power users and temporary access privileges can further impede enforcement. Other issues include lack of support for centralized access management solutions, such as directories and single sign-on, outdated or nonexistent access management policies, and failure to establish rule-based access.

Finally, compliance concerns arise when performance metrics do not exist and/or do not align with security requirements, such as removing identities and access privileges automatically upon an employee’s termination. Laborious and time-consuming audits only make this problem worse.

The CISO’s Role in Resolving IAM Issues

Chief information security officers (CISOs) must meet these challenges. Their teams must vet identities, approve appropriate access entitlements, and grant or revoke user identities, access and entitlements in a timely manner. Security leaders must also provision proper access to applications, data and resources for users who need it and examine identities and the corresponding access privileges periodically to realign with users’ job functions.

Enforcing compliance in accordance with the organization’s IAM policy is another key responsibility of the CISO. A strong IAM strategy also requires security leaders to define performance metrics and implement periodic or real-time automated auditing tools.
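The reconciliation, segregation-of-duties and deprovisioning problems described above can be checked mechanically once an authoritative identity repository exists. The following is an added example, not code from the article or from any IAM product: it reconciles a constructed entitlement export against a constructed identity roster, with assumed role definitions and an assumed segregation-of-duties rule, and computes the termination-deprovisioning metric the article mentions.

```python
"""Access reconciliation checks: orphaned accounts, terminated users with live
access, entitlements beyond or short of a role, and separation-of-duties
conflicts. Added example; all data below is constructed for illustration."""
from dataclasses import dataclass, field

# Authoritative identity repository (constructed): role and HR status per person.
IDENTITIES = {
    "alice": {"role": "payroll_clerk", "active": True},
    "bob":   {"role": "developer",     "active": True},
    "carol": {"role": "payroll_clerk", "active": False},  # terminated by HR
    "dave":  {"role": "developer",     "active": True},
}

# Role definitions (assumed): what each job function should hold, and nothing more.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "developer":     {"repo:write", "ci:run"},
}

# Separation-of-duties rule (assumed): nobody both submits and approves payroll.
SOD_CONFLICTS = [{"payroll:submit", "payroll:approve"}]

# Entitlements actually provisioned on the target systems (constructed export).
PROVISIONED = {
    "alice": {"payroll:read", "payroll:submit", "payroll:approve"},  # excess + SoD conflict
    "bob":   {"repo:write"},                                          # missing ci:run
    "carol": {"payroll:read"},                                        # terminated, still live
    "dave":  {"repo:write", "ci:run"},                                # matches role
    "svc_legacy": {"repo:write"},                                     # no identity record
}


@dataclass
class ReconciliationReport:
    orphaned: dict = field(default_factory=dict)        # account -> entitlements, no identity
    terminated: dict = field(default_factory=dict)      # terminated identity -> live entitlements
    excess: dict = field(default_factory=dict)          # identity -> entitlements beyond its role
    missing: dict = field(default_factory=dict)         # identity -> role entitlements not granted
    sod_violations: dict = field(default_factory=dict)  # identity -> conflicting sets held together


def reconcile(identities, provisioned, role_entitlements, sod_conflicts):
    """Compare what is provisioned with what the identity repository says should be."""
    report = ReconciliationReport()
    for account, held in provisioned.items():
        held = set(held)
        ident = identities.get(account)
        if ident is None:                      # account exists on a system but not in HR
            report.orphaned[account] = held
            continue
        if not ident["active"]:                # deprovisioning did not happen on termination
            if held:
                report.terminated[account] = held
            continue
        expected = role_entitlements.get(ident["role"], set())
        if held - expected:
            report.excess[account] = held - expected
        if expected - held:
            report.missing[account] = expected - held
        conflicts = [rule for rule in sod_conflicts if rule <= held]
        if conflicts:
            report.sod_violations[account] = conflicts
    # Active people with no account at all lack every entitlement of their role.
    for name, ident in identities.items():
        if ident["active"] and name not in provisioned:
            expected = role_entitlements.get(ident["role"], set())
            if expected:
                report.missing[name] = set(expected)
    return report


def deprovisioning_rate(identities, provisioned):
    """Fraction of terminated identities that hold no live entitlements.
    Returns 1.0 when nobody has been terminated."""
    terminated = [n for n, i in identities.items() if not i["active"]]
    if not terminated:
        return 1.0
    clean = sum(1 for n in terminated if not provisioned.get(n))
    return clean / len(terminated)


if __name__ == "__main__":
    report = reconcile(IDENTITIES, PROVISIONED, ROLE_ENTITLEMENTS, SOD_CONFLICTS)
    for finding, detail in vars(report).items():
        print(f"{finding}: {detail}")
    print(f"terminated identities fully deprovisioned: "
          f"{deprovisioning_rate(IDENTITIES, PROVISIONED):.0%}")
```

Run on a periodic schedule, the report feeds the access-review cycle and the metric tracks whether termination deprovisioning is actually working.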

Considerations for Mobile and Cloud

Today, many organizations have gone mobile with bring-your-own-device (BYOD) policies, enabling employees to access corporate data remotely. IAM serves as a foundational security component in environments that connect to mobile platforms.

Cloud services have also added daunting complexity to the IAM equation, forcing organizations to operate their capabilities on-premises and integrate with similar capabilities delivered by a cloud service provider (CSP). While these cloud platforms increase reliance on logical access controls, they also reduce network access controls.

Federation, role-based access and cloud-based IAM solutions exist to address these requirements. For example, the need to access apps hosted on the cloud goes hand in hand with the need to manage identities to protect personally identifiable information (PII).

Identity-as-a-service (IDaaS) is another effective solution to accelerate IAM deployments in the cloud. IDaaS supports federated authentication, authorization and provisioning, and it is a viable alternative to on-premises IAM solutions. When it comes to return on security investment, IDaaS eliminates the expense of implementing an on-premises solution.

It’s important to understand the need for IAM capabilities that effectively govern access to internally hosted apps. In a hybrid cloud IAM model, the IDaaS solution will need agent APIs or appliances that operate within the IT infrastructure to completely outsource the function. Securing these agents and interfaces represents a new source of risk for most organizations, and this risk must be managed.

Integrating Identity Management With Data Loss Prevention

It’s common for security professionals to provide identity information from an IAM tool to a data loss prevention (DLP) solution that continuously monitors sensitive data and correlates events to minimize the risk of losing sensitive data. The events are also correlated with analytical artificial intelligence and machine learning tools that analyze historical access behaviors to detect potential fraud.

Both IAM and DLP solutions must be leveraged to address insider threats and emerging threat vectors. Behavioral analytics and incident forensics tools provide additional monitoring capabilities. By integrating both of these solutions, organizations can handle the fast pace of emerging IT trends and threats with mobile and cloud computing.

Securing Social Media Identities

Organizations often leverage social media to interact with their customers, increase brand awareness and create a common identity repository. But if these social identities are breached, companies can face legal, regulatory, operational and reputational risks that may lead to the loss of customers.

Social media services must deploy strong IAM solutions to protect corporate accounts. These solutions include multifactor authentication (MFA) and notifications to alert users of multiple failed login attempts or attempts to authenticate from anomalous geographic regions. Awareness programs to educate employees about social media security must be an essential ingredient. CISOs should also inquire with legal to ensure that service-level agreements (SLAs) with social media providers account for proper IAM practices.

The Best of Both Worlds

In our increasingly mobile and connected world, IAM is more crucial than ever. To remain competitive, businesses around the world must embrace technologies and policies that enable employees to be as productive as possible.

However, it only takes one major data breach to negate all the benefits of that productivity. With a strong IAM program that proactively monitors user behavior for potentially malicious activity and periodically realigns access privileges with shifting job roles, organizations can have the best of both worlds: an empowered, productive workforce and a robust data security strategy.

Read the white paper: Deploy silent security to protect identities and future-proof your IAM

The post Meeting Identity and Access Management Challenges in the Era of Mobile and Cloud appeared first on Security Intelligence.

Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure

In a report released today by IOActive, researchers advise that critical infrastructure mobile applications are being developed without secure coding compliance that could allow hackers to target Supervisory Control and

The post Mobile App Flaws of SCADA ICS Systems Could Allow Hackers To Target Critical Infrastructure appeared first on The Cyber Security Place.

The High ROI of Cyberweapons: Five Factors Driving the Rise in Threats

When you look at the payoff calculus of cyberweapons, it is no surprise that business is booming. Compared with conventional weapons, cyberweapons have a low barrier to entry and a low-risk, low-cost, high-reward payoff calculus that is attractive to malicious actors.

What’s Driving Up the ROI of Cyberweapons?

The high return on investment (ROI) of cyberweapons is contributing to a rise in threats across the technology landscape. Here is a look at five major factors behind this influx.

1. Low Barrier to Entry

Unlike conventional weapons, cyberweapons can be acquired with very little monetary or organizational resources. While nuclear weapons, for example, are only in the purview of nation-states, cyberweapons can be leveraged by small groups and individuals. For example, a British teenager hacked CIA Director John Brennan’s email account with nothing more than an internet connection and social engineering. The availability of these tools dramatically expands the set of actors who can access and leverage cyberweapons.

2. Low Risk, Low Cost, High Reward

Because of the attribution dilemma in cyberspace, cybercriminals face a low risk of getting caught. And because there is a low risk of getting caught, as well as very little overhead executing an attack from a keyboard, the payout is virtually all profit. The ROI is hard to beat when compared with any conventional weapon or tactic.

3. An Asymmetrical Weapon

In addition, because of the potential damage that can be done with very few resources, cyberweapons are asymmetrical tools that act as force multipliers for actors large and small, state and nonstate, rich and poor. For smaller actors, cyberweapons level the playing field with larger actors.

4. The Rapidly Maturing Cybercrime Market

Contrary to the theory that there is no honor among thieves, cybercriminals have established a very stable and mature market for selling not only the products of cybercrime, such as personally identifiable information, health records and credit cards, but also state-level tools, cyberweapons and hacking services — putting cyberweapons in the hands of anyone with enough motivation.

5. More Devices, More Opportunity

Gartner estimated that there will be 20.4 billion devices connected to the internet by 2020. Every insecure device that connects to the internet is another potential attack vector that can be exploited by a malicious actor. And the rise of the Internet of Things (IoT) is an explosion of opportunity for cybercriminals and malicious cyber actors.

Changing the Payoff Calculus

The best defense we have against malicious actors in cyberspace is to change the payoff calculus by fortifying our networks to increase the cost of mounting an attack, reduce the probability of success and minimize the ROI of cyberweapons.

Don’t make it easy for cybercriminals to cash in on your valuable data. Pull the trigger on a robust security strategy to ensure that your organization is prepared for whatever advanced threats come its way in 2018.

Read the white paper: The Evolving Face of Cyberthreats

The post The High ROI of Cyberweapons: Five Factors Driving the Rise in Threats appeared first on Security Intelligence.

Inspection of Electronic Devices: CBP Redraws Data Handling Borders

The rules that regulate the inspection of electronic devices at U.S. border entry points are changing. As noted by ABC News, almost 20,000 devices were inspected by border agents in 2016, and that figure rose nearly 60 percent to just over 30,000 devices last year.

Not surprisingly, the increased scrutiny and seizure of devices has digital privacy groups worried. How much power is too much when it comes to accessing personal electronic devices? A new directive from U.S. Customs and Border Protection (CBP) has redrawn basic data handling rules and placed restrictions on how agents manage specific searches.

CBP Intensifies Inspection of Electronic Devices

Under the old rules, agents were allowed to conduct device searches, which involved physically examining devices, viewing photos and messages, copying data and accessing information stored in the cloud, with or without suspicion.

According to Threatpost, the new directive divides such searches into two categories: basic and advanced. Basic searches can still be conducted without suspicion but are limited to viewing photos and messages and physically examining the devices. Advanced searches now require reasonable suspicion. Agents are allowed to “review, copy and analyze a digital device’s contents,” but not to access cloud data.

As noted by Lexology, while this is a significant change from prior policy, it is largely a reflection of a recent Federal Court of Appeals finding, which confirmed that “officers needed reasonable suspicion of criminal activity before they could justify a forensic search of a laptop seized at the border.”

It also doesn’t affect agents’ ability to seize devices with supervisor approval and hold them for a “reasonable period of time.” Typically, this period is no more than five days, but if CBP claims “extenuating circumstances,” the seizure could be extended indefinitely.

The Traveler’s Dilemma

There’s a real and growing need to manage the influx of digital data across U.S. points of entry, but tech-savvy travelers are understandably reticent to hand over their mobile devices. Travelers are used to having bags and briefcases searched, but digital devices often contain personal and business data that many are unwilling to share with anyone, including customs agents. Even under the new rules, basic searches are permitted without suspicion, and officers typically ask travelers to provide their passcodes to simplify access and speed evaluation.

As noted by the Electronic Frontier Foundation (EFF), travelers can limit their risk by leaving some devices at home and deleting data on devices they carry. It’s also worth noting that U.S. citizens cannot be denied entry to the country if they refuse to consent to device searches, but foreign visitors can be turned away.

Even with redrawn lines of authority, CBP agents still possess broad powers when it comes to the inspection of electronic devices. The requirement for reasonable suspicion and restrictions on accessing cloud data are solid starting points, but more work is required to balance the need for data security against the digital privacy of citizens.

The post Inspection of Electronic Devices: CBP Redraws Data Handling Borders appeared first on Security Intelligence.

North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver malware.

The McAfee Mobile Research Team has acquired malicious APK files that were used in the targeted attacks. According to the articles, Google-shortened URLs were used to spread the malware. We analyzed the click statistics of those shortened URLs.

There are two versions of the dropper malware: “북한기도” (Pray for North Korea) and “BloodAssistant” (a health care app). In both cases, most clicks originated in South Korea and the most common browser and operating system combination was Chrome and Windows. (Android was the second most common.) The referrers diagram of BloodAssistant shows Facebook was used in 12% of cases to send the link to its targets.

In the case of the journalist who was targeted, the attacker sent a shortened link showing a thumbnail of another story written by the journalist, according to the news article. The link directs to ihoodtec[.]com/upload/newslist[.]php (now offline), which seems to be used for redirecting to links in other domains. This shortened URL was clicked by someone with an account at mail[.]police[.]go[.]kr, suggesting the shortened URL was also sent via email to the police address.

The number of clicks might not be meaningful because it can include access from malware researchers, but what is meaningful is that malware-download links were spread using different platforms: Facebook, KakaoTalk, email, etc.

Analysis

Dropper

All the malicious APK files (including additional variants) dropped the Trojan on the victim’s device. Although the apps look different, the dropper mechanism is identical. The following screens show the execution of the dropper files.

Figure 1: Screenshots of droppers.

When the dropper APK executes, it first checks whether the device is already infected. If not infected, it phishes the victim to turn on the accessibility permission. If the victim clicks the pop-up window, the view changes to the accessibility settings menu so the app can acquire the permission.

When the accessibility service starts, it overlays the window (by playing a video, for example) to hide the process of turning on required settings and dropping and installing the Trojan. The overlay is removed after the Trojan is installed. The following diagram explains the flow after executing the dropper malware.

Figure 2: Execution flow of the dropper.
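The dropper behaviour described above (an accessibility service used to click through settings, an overlay to hide that, and the ability to install a dropped package) leaves traces in the app manifest that a defender can score during static triage, and the Trojan's data collection adds the matching data-access permissions. The following is an added example, not McAfee's tooling: it scores a manifest that has already been decoded to plain XML (as apktool produces); the sample manifest, the indicator weights and the package name are constructed.

```python
"""Heuristic manifest triage for the dropper/Trojan pattern described above.
Added example; operates on a decoded AndroidManifest.xml, not on a raw APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree form of the android: attribute prefix

# Indicator weights (assumed). Each is legitimate on its own; the combination
# matches the behaviour described in the analysis.
INDICATORS = {
    "accessibility_service": 3,  # can click through settings on the user's behalf
    "overlay_permission": 2,     # SYSTEM_ALERT_WINDOW hides what the service is doing
    "install_packages": 2,       # REQUEST_INSTALL_PACKAGES for side-loading the dropped APK
    "data_access_perms": 1,      # what the dropped Trojan needs to collect SMS, contacts, calls
}
DATA_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUSPICIOUS_SCORE = 5  # assumed threshold for "send to an analyst"

# Constructed sample: a decoded manifest showing the full pattern.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.dropper">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Constructed Sample">
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return (score, found) where found maps each matched indicator to the
    manifest value that triggered it."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    found = {}
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            found["accessibility_service"] = svc.get(A + "name")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found["overlay_permission"] = "android.permission.SYSTEM_ALERT_WINDOW"
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found["install_packages"] = "android.permission.REQUEST_INSTALL_PACKAGES"
    data_perms = sorted(perms & DATA_PERMS)
    if data_perms:
        found["data_access_perms"] = ",".join(data_perms)
    score = sum(INDICATORS[name] for name in found)
    return score, found


def is_suspicious(xml_text):
    """True when the combined indicator score reaches the assumed threshold."""
    score, _ = triage_manifest(xml_text)
    return score >= SUSPICIOUS_SCORE


if __name__ == "__main__":
    score, found = triage_manifest(SAMPLE_MANIFEST)
    print(f"score={score} suspicious={is_suspicious(SAMPLE_MANIFEST)}")
    for name, value in found.items():
        print(f"  {name}: {value}")
```

A screen reader or automation app legitimately declares an accessibility service, so the score is a triage signal for an analyst, not a verdict.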

Trojan

The dropped Trojan uses popular cloud services Dropbox and Yandex as a control server to upload data and receive commands. The following diagram explains the execution flow of the Trojan. The names of broadcast receivers and services (with some misspellings) may vary between samples but the execution is the same.

Figure 3: Execution flow of the Trojan.

When the dropped Trojan is installed, it saves device information in a temporary folder and uploads it to the cloud. It then downloads a file containing commands and other data to control the infected device. (We’ll explain the format of the downloaded file in the next section.) Most of the malicious behaviors—such as saving SMS, contact information, etc.—are implemented inside a separate dex file “core,” which is downloaded from the control server. This dex file is referenced in many places in the malware. The malicious functionality can be extended, as we’ll explain in the following section.

Command file structure

The command file has its own format. The following diagram explains the types of values. Offset designators are used to retrieve each value when parsing the file. The next table explains each value.

Figure 4: Command file format.

Figure 5: Command file values.

The handler for command code received from the cloud (CMD value) is implemented as a separate dex file and is downloaded either before or after the malware parses the command file. This mechanism allows the attacker to easily extend its malicious functionality without needing to update the whole malware.

Our analysis shows that only some of the commands are implemented now and uploaded to the cloud control server. Note that Command 12 captures KakaoTalk chat logs.

Figure 6: Implemented commands.

Variants

We have found, on Google Drive, variants of the APKs that the news articles initially reported. (The APKs on Google Drive are marked as malware and cannot be downloaded.) Some variants use different cloud services as their control servers, while others drop the separate call-recording app “com.toh.callrecord” (assets/bbb). The following graph shows the relationships among variants and dropped files.

Figure 7: Relationships among variants.

The Actors

The initial malicious APKs we found were uploaded to Google Drive by the same account, and we found a connected social network account. By following the activities of this account, we conclude with high confidence that this account was used to send shortened URLs to victims to get them to download the malicious APK files.

The group behind this campaign is certainly familiar with South Korean culture, TV shows, drama, and the language because the account names associated with the cloud services are from Korean drama and TV shows, including the following:

Figure 8: Cloud service accounts.

We found the use of an interesting word, “피형” (“blood type”), which is not used in South Korea but is used in North Korea. (“혈액형” is the word for blood type in South Korea.) We also found a North Korean IP address in test log files of some Android devices that are connected to accounts used to spread the malware. However, Wi-Fi was on, so we cannot exclude the possibility that the IP address is private.

By looking at the list of deleted folders in the cloud, we found one with the name “sun Team Folder,” possibly the name of the actors. This group has been active since 2016, according to the cloud storage creation date.

Figure 9: Deleted folder in the cloud.

Conclusion

This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors.

McAfee Mobile Security detects this malware as Android/HiddenApp.BP. Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware.

The post North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk appeared first on McAfee Blogs.

FBI Director Calls Smartphone Encryption an ‘Urgent Public Safety Issue’

The debate over the government's authority to access private encrypted data on digital devices was amplified when Federal Bureau of Investigation Director Christopher Wray called unbreakable encryption an 'urgent public safety issue.'

Top 8 cyber-security mistakes in Star Wars

The Death Star is the easiest-to-hack infrastructure in the entire universe

If the Galactic Empire from Star Wars had had just a basic knowledge of cyber-security, the popular saga would have had the same duration as a 10 or 15 minute short film instead of three trilogies.

This is because the security measures implemented by the Death Star, and the action protocols used by the stormtroopers, are so poor that instead of sending out a group of Jedi Knights with lightsabres, a single hacker with basic computing knowledge would have been enough to defeat Darth Vader’s army and the Emperor.

What’s more, if a CISO had been on board the Death Star, they wouldn’t have needed lightsabres or laser blasters to defend themselves from such intruders as Luke Skywalker, Obi-Wan Kenobi, Han Solo or Chewbacca. The elderly character portrayed by Alec Guinness would never have been able to deactivate the tractor beam that captured the Millennium Falcon, nor would R2-D2 have been able to find the cell where Princess Leia was imprisoned.

Since the Star Wars saga is too long to be analyzed in a single post, we’ll focus our attention on the first installment of the original trilogy: Star Wars: A New Hope.

Anti-spoofing protection failures

The cyber-security flaws affecting the Galactic Empire are not just in the Death Star. The Imperial stormtroopers can be considered the weakest link in the entire Empire cyber-security chain. Unfortunately, this is not science fiction, as the same happens in the real world. In any organization, people are the most productive attack vector used by hackers.

The scene in Mos Eisley in which Obi-Wan uses a mind trick on a group of stormtroopers to allow him and Luke Skywalker access to the village is a clear example of this. Had the Galactic Empire had an ‘anti-spoofing system for neural networks’, the elderly Jedi and his apprentice would never have gone beyond that point.

Remember that the term ‘spoofing’ refers to a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver.

Wrong network segmentation

As soon as our heroes arrive at the Death Star and get past the stormtroopers guarding the landing bay where the Millennium Falcon is located, they sneak into a control center where there is an access point to the battle station’s main computer.

Without hesitating for a moment, Obi-Wan orders the droids to connect to the computer, because from there they will be able to “access the entire Imperial network.” This would have never happened if the bad guys had segmented their network correctly.

Access by ‘malicious dongles’ allowed

Although the term ‘dongle’ is little known among the general public, we all are familiar with those small pieces of hardware that we connect to our smartphone or PC to provide it with additional functionality. A dongle, for example, is that small antenna you plug into your computer’s USB port to receive the signal of your wireless mouse. They are also very common with Apple devices, for example, in order to connect a Mac to a TV via an HDMI cable.

On the Death Star, R2-D2 uses his small gyroscopic arm as a dongle to connect to the Imperial network. This way, the good guys get all the information they need to attack the system and find Princess Leia. A security system that prevented unauthorized devices from connecting to the network would have been enough for Darth Vader to stop his daughter from being rescued.

Lack of document security and encryption

While Luke Skywalker and his friends are still hiding in the Death Star control center, we see another major cyber-security mistake. Once R2-D2 manages to access the Galactic Empire’s computer network, he gets the space station’s blueprints without difficulty.

Given that this information is so critical for the security of all the inhabitants of this gigantic artificial planet, you would expect that, at least, access to those files would be password-protected.

Also, it would have been advisable to encrypt all of those documents to protect them from prying eyes.

Lack of physical barriers

Nor does it make much sense to see the tractor beam control unit on board the Death Star with such poor security. Obi-Wan Kenobi manages to access the console and turn off the device without problems, in order to allow Han Solo’s and Chewbacca’s ship to escape. If only the architects who designed the battle station had put a door in front of the controls, it would have been much more difficult for the Jedi to escape.

Need for better action protocols in the event of a security incident

Luckily for Luke, Han and Chewie, the stormtroopers don’t have an adequate action protocol to follow in the event of a security incident. Any company in the real world that stores valuable information or materials (we are not aware of any company that is holding a galactic princess captive in its basement) would have responded much more effectively to the attack launched on the Death Star’s dungeons.

It is unbelievable that so much time passes between the time when Han and Chewbacca destroy all surveillance cameras in the detention center, and the time when someone finally realizes that there is something wrong and decides to send troops to put the situation under control.

Top executives are not very receptive to the CISO’s advice

If the Death Star were an organization in the real world, Admiral Wilhuff Tarkin, who is responsible for supervising the operation of the battle station, would be the General Manager. Despite knowing all the intricacies and potential of the gigantic ship, it is really surprising that he pays absolutely no attention to any warnings regarding security risks.

At the end of the movie, when the Rebel Alliance’s X-wing squadron is attacking the Death Star, a member of the battle station’s crew – equivalent to a CISO or a member of the IT security team in a real-world organization – warns Tarkin of potential vulnerabilities. Had the Admiral been more receptive to these cyber-security recommendations, he would have evacuated all personnel from the space station.

No patch management policies

Nevertheless, the most serious security mistake affecting the Death Star is the vulnerability found and exploited by the rebel forces in order to destroy it. This is a tiny space, only 2 meters wide, which Luke Skywalker fires at, blowing up the Death Star.

However, a few minutes before the young Jedi fires his proton torpedoes, the Death Star engineers also discover its one fatal flaw. Had they installed a security patch, the Galactic Empire would probably still be ruling the Galaxy.

Reality vs fiction

“This is one more example in which parallels can be drawn between fictional and real-life situations,” states Hervé Lambert, Global Retail Product Manager at Panda Security. “Almost any connected device is susceptible to hacking and reprogramming for shutdown or for any other purpose other than the intended one. Device and/or program developers must be aware of this and reinforce security protocols.

The bad guys’ goals have changed, their techniques have become more sophisticated, the attack vectors have multiplied, and their tools are more precisely designed. Attackers are meticulously studying their victims to adapt their strategy and achieve the greatest possible impact.

The efficiency, effectiveness, and profitability of the real world’s dark side are proven time and again, and we must be vigilant to implement the mindset shifts and strategies required to achieve the highest levels of security.”

The post Top 8 cyber-security mistakes in Star Wars appeared first on Panda Security Mediacenter.

New Rules Announced for Border Inspection of Electronic Devices

The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points.

5 Cybersecurity Resolutions to Consider for the New Year

2018 is officially here, and you know what that means: a bunch of resolutions that will probably take a back seat come mid-February. While I’m not one for setting unrealistic expectations of myself, there is something to be said about learning from the previous year so I do not repeat the same mistakes.

As I look back on 2017, I can’t help but think of all of the teachable moments in mobile and IoT security. From fraudsters phishing with social media bait to bitcoin mining at your local coffee shop, this year was full of moments that remind us just how tricky our connected lives can be.

So, in light of all the events in 2017, here are the top five “cyber-resolutions” to consider for 2018.

Secure your Social Media

If there’s one thing phishing scams have taught me, it’s that scammers have gotten savvier at social engineering. While social media does a great job at connecting us to our loved ones, it can also connect us to people we don’t want to share our personal information with. Cybercriminals know how to use the information you share on social media to gain access to your personal data. I’ve said it once and I’ll say it again, always make sure your account is set to “private” and is only visible to family and friends.

Don’t skip your updates

With the holidays in our rear-view, many of us probably have a few new devices in our homes. There are so many new and exciting tech toys on the market, it’s hard to avoid getting caught up in the IoT way of life. When you’re interrupted from your shiny new device by a software update, it’s tempting to hit “skip” when you’re eager to get back to your gadgets. But if our hackable gifts have shown us anything, it’s that skipping your updates leaves the door open for hackers. Software updates are important because they often include critical patches to new bugs or flaws in the system. So, resolve to keep your software up to date!

Don’t fall for the free Wi-Fi

When it comes to public Wi-Fi, a VPN is a VIP. Access to the internet on the go is a privilege of the times. But while the Wi-Fi at your local coffee shop may claim to be secure, public Wi-Fi networks lack encryption. If you’re in the habit of using Wi-Fi on the go, get a VPN to scramble the data being sent over the network. Private online activity such as shopping or accessing your banking information without a VPN could expose your sensitive information to hackers. Investing in a VPN is a smart way to keep your private information, private.

Set Better Passwords

I can’t stress enough that using a secure password is one of the best practices for protection on the web. When you’re trying to keep up with all of your logins, it can be tempting to use the same simple combination for every account. But, choosing a solid password should always take priority. Mix it up, throw in some numbers and symbols to complicate the password, stay away from using your birthday, and remember ‘123456’ is never an acceptable password!

Secure your home

Our homes are more connected now than they’ve ever been. It’s important to make sure each individual device is secure. However, securing your connection at the source is as important as securing your front door. Consider using a home gateway with built-in security to ensure every device in your house is well protected.

Let’s start the year off on the right foot. Don’t give cybercriminals the upper hand when it comes to your personal data.

Interested in learning more about mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Cybersecurity Resolutions to Consider for the New Year appeared first on McAfee Blogs.

Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist

‘Twas the night after Christmas, when all through the house
All the smart toys were buzzing and beeping about,
The chargers were plugged near the chimney with care,
Without a clue that the hackers soon would be there.

With the height of the season now behind us, you may be experiencing a bit of a holiday hangover. But as you wade through the holiday fallout of wrapping paper, instruction manuals, batteries packs, and downloads, don’t forget that the most important step to your family enjoying its cache of digital gifts is protecting them.

McAfee’s Most Hackable Toys 2017 survey revealed our shared habits of connectivity minus solid safeguards. What we know: While most of us realize the importance of protecting our internet-connected devices, we aren’t too concerned with making device security a priority.

So, now that you’ve purchased that new smartphone, drone, smart toy, or appliance, take that next simple step to secure your expanding digital home. Here’s a short, post-holiday checklist to help get you started.

Smart Gift Checklist

Settings, passwords, software. Once you’ve powered up your new device: 1) Make sure it’s password protected with two-step authentication. 2) Set a PIN or passcode to lock your device. 3) Install the latest software versions as soon as possible and update them regularly. 4) Protect your new devices with additional security software if possible. 5) Avoid downloading suspicious apps and never click on strange links that arrive via email, messenger, or text. 6) And here’s a biggie: If you are selling, donating, or recycling your old devices, make sure you wipe them clean.

Research the risks. According to the same McAfee study, some of the most popular digital gifts of 2017 include tablets, smartphones, drones, digital assistants, and connected toys and appliances — all of which come with inherent security risks. With the growing list of smart devices, hackers have a million new entryways into our homes. Google the name and model of your new gift and read about possible security holes. Another valuable resource is online reviews posted by people who have encountered security issues.

‘Take Five’ before having fun. Securing a new gift often takes five minutes, but it’s a must in today’s wired world. Go into your new product’s privacy settings and change manufacturer settings and set a new password. Keep the process simple and allow your kids to do it alongside you so that device security is more likely to become a habit.

Don’t be duped by cute. From fuzzy talking puppies to adorable dolls, toys can also carry massive security risks. It’s important to research if there have been any reported security vulnerabilities with toys you’ve purchased or have been gifted, so you know how to secure them. Don’t let a toy’s appearance lull you into a false sense of security. Remember: It may look like a kitty cat, but if it connects to the world wide web, then it’s a computer that could be transmitting data to a remote server. When using connected toys: 1) Use toys in places with trusted and secured Wi-Fi. 2) Monitor your child’s activity with the toys (such as conversations and voice recordings) through the toy’s partner parent application, if available. 3) Take time to read the toy’s disclosures and privacy policies.

Refresh passwords on your home network. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, make it a point to change your passwords regularly.

It’s impossible to protect against all risks, but you can frustrate a hacker’s plans by putting up some security obstacles. Even though security and privacy risks come with our new gifts, it’s clear that the demand for faster, better, more impressive digital products is here to stay. Taking the time to boost your family’s security will help make sure this holiday remains a happy one into the New Year and beyond.

The post Be Unhackable: Here’s Your Post-Holiday Gift Safety Checklist appeared first on McAfee Blogs.

How the IoT supports the world’s largest industries

The Internet of Things (IoT) has already helped to connect our world in so many ways, bringing huge improvements and convenience to our lives, homes and health. But we’re often guilty of taking it for granted and failing to celebrate the many ways in which being connected supports some of the world’s largest industries, such as transport, agriculture, manufacturing and even the cities in which we live. With around half of the world’s population now online, and more and more sectors turning to tech every day, I thought it would be a perfect time to highlight some of the fundamental ways in which IoT has made society what it is today.

Agriculture

Farmers are increasingly using their smartphones for new techniques that improve the production of livestock and field activity – also known as ‘agritech’. This includes looking after the health of cattle, analysing grazing time, and even monitoring water consumption through sensor-fitted collars. These can even alert farmers when they sense motions associated with labour in pregnant cattle. Meanwhile, organisations like the Wildlife Conservation Society are monitoring endangered species prone to poaching through the use of motion-sensing cameras.

Not only do they find that IoT minimises their operational costs, but it also allows them to achieve better results. For example, harmful pesticides and extreme weather conditions that could have adverse effects on crops can be detected in advance, so that a course of action can be put in place.

Climate and environment

Networking and telecommunications company Ericsson claims that the footprint of IoT could help cut up to 63.5 gigatons of greenhouse gas emissions by 2030, while the International Telecommunication Union has predicted that rural areas and developing countries will evolve the way they access electricity and the internet thanks to smarter energy-saving solutions.

Various organisations are already providing smarter solutions for protecting the planet. For example, San Francisco startup Rainforest Connection has enhanced the protection of forests vulnerable to deforestation, including Indonesia and the Amazon. This was achieved by transforming mobile phones into solar-powered listening devices attached to the trees; these alert rangers if they sense the sound of a chainsaw from over a kilometre away. Other examples can be seen in IBM’s China Research Lab and London’s Pigeon Air Patrol, which are improving the quality of the city’s air through a forecasting system that monitors pollution levels in different neighbourhoods.

Transport

In many ways, it feels as though the transport industry has long used IoT, thanks to technologies like sensor street lights, speed cameras, and Sat Navs which have been commonplace since 2013. And the innovation hasn’t stopped there – we’re continuing to see plenty of movement in the space, for example, Transport for London (TfL) supports approximately 21 million commuter trips each day – and has predicted that the city will be populated by a total of 10 million people by 2030. It’s no wonder the introduction of Oyster cards in 2003 was a huge success, later to be replaced by a contactless payment system that today accounts for more than one billion journeys. We later saw London’s iconic red buses also go green in 2014 with the introduction of wirelessly charging hybrid buses. Similarly, car manufacturers such as Mercedes, BMW, and Tesla all have plans to launch driverless cars in the near future, with predictions that 10 million self-driving cars will be on the road by 2020.

Although it’s interesting to see how IoT has become so widespread and had such a massive impact on various industries and people’s lives, it’s almost natural to forget the dangers and risks that come with it, or to imagine a time when we managed without it. As more and more industries take advantage of the benefits offered by IoT, poorly secured devices pose a growing risk. For this reason we need to remember that all devices need to be protected with secure networks and the latest software. In the age of the internet of things, this will be more important than ever.

To keep up-to-date with the latest cybersecurity news, take a look at the McAfee Security blog here.

The post How the IoT supports the world’s largest industries appeared first on McAfee Blogs.

Kids, Travel and Wi-Fi

If your brood of kids is anything like mine, holiday travel is all about devices and Wi-Fi. Sure, we’ll focus on sights and activities when we get to our destination, but the journey is made all the sweeter with a huge dose of technology!

And as all my boys have pretty basic mobile phone plans (I’m paying!), a technology binge means Wi-Fi! Whether it’s connecting at the airport, on the plane – yes this is a thing now, in trains or in hotels – finding Wi-Fi is possibly more important to my boys than finding the next snack bar.

But unfortunately, Wi-Fi is not the great nirvana. There can be some serious risks associated with connecting to random Wi-Fi outlets, as I continuously tell my offspring. The recent KRACK Wi-Fi saga, which potentially affected iOS and Android users worldwide, gave us all a big scare and reminded us yet again that modern Wi-Fi is not risk free.  Discovered by a Belgian researcher, the KRACK vulnerability meant a hacker could access your device even through a password protected Wi-Fi network. It was such a big deal that even the US Department of Homeland Security issued a warning!

‘It Won’t Happen To Me’

Regardless of the warnings, there are still many amongst us that are not convinced Wi-Fi poses genuine risks, particularly when we travel. Many of my friends and family members still believe horror stories only happen to ‘other people’.

And research conducted by McAfee confirms this very opinion, with the majority of Aussies surveyed not worried about the risks associated with Wi-Fi. In fact, 62% of people on holiday either don’t care or don’t bother ensuring they have a secure Wi-Fi connection. And 41% believe our personal information is as secure when we connect to public Wi-Fi on holiday as when we are home or at work. Eeek!!!

Why Do We Need To Worry?

In short, accessing dodgy Wi-Fi means you are more likely to get hacked, which can cause you a world of pain! If you have connected to a Wi-Fi hotspot that has either been set up by a hacker or that a hacker has broken into, anything you send or share online you are also sharing with the hacker: banking details, online shopping logins, social media passwords… the list goes on. And once the hacker has that information, he/she can access your accounts as if they were you.

In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware, aka malicious software. Some hackers have been known to hack the Wi-Fi connection point itself to try and trick Wi-Fi users into downloading malicious software. Attractive, believable pop-ups appear on users’ screens offering a free upgrade to commonly used software. However, clicking the link in the pop-up ad downloads the malicious software!

What Should We Do To Stay Safe?

Well, let me tell you I’m not staying home… holidays keep me going! So, what we need to do is spend just a little time implementing a few strategies so we can securely manage our kids and their online lives when we travel. Not only will this minimise the risk but just as importantly, the stress!

Here is how I’ll be managing my boys and their Wi-Fi connections when we set off on our annual family vacation this year:

1. Ban Free Wi-Fi

If your kids just have to connect to Wi-Fi, ensure it is a password-protected option, NOT random free Wi-Fi. While this does not provide any guarantee of security, it is another layer of protection. However, no banking, financial or shopping transactions are to be undertaken on this Wi-Fi – no exceptions!

2. Invest in a VPN

A Virtual Private Network (VPN) is one of the best services you can sign up to. In simple terms, it creates a secure encrypted connection which means that anything you send or receive is safe. McAfee’s VPN, SafeConnect, provides bank-grade Wi-Fi encryption which means your personal data and online activities are kept private even when you are connected to public Wi-Fi.

3. Update ALL Your Devices Before You Leave Home

I know it is a pain but if the software and apps on your devices are not up to date, you’re essentially leaving a ‘back door’ open for a hacker. App creators and hardware vendors will release patches or updates when they become aware of a security vulnerability – so it is essential you have the latest and greatest installed before you walk out of your door!

4. Turn Off Bluetooth When Not Using It

This needs to become a family rule – just like turning off the lights before you leave the house! When your Bluetooth is active, hackers can see which networks you have connected to previously. It then takes very little effort for them to copy these networks and fool your device into connecting with their Bluetooth devices. Within minutes, the hacker can steal your data, download malware and create a world of pain!

5. Download Security Software for All Your Devices including Smartphones!

Ensuring your devices are protected with comprehensive security software is the same as locking the backdoor and turning on the house alarm – common sense. McAfee’s Total Protection software provides protection for your entire fleet of devices and includes anti-virus and anti-malware software, a firewall, anti-spam functions, parental controls and a password management tool.

So, don’t cancel your holiday. Managing Wi-Fi safely when you travel with kids is absolutely possible with just a little planning. And if Nana and Pop are joining you on vacation, please ensure they are up to speed with the family Wi-Fi rules too! With 85% of older Australians accessing the internet every day, they will very likely have their eye on the Wi-Fi too!

Happy Christmas and Safe Travels!

Alex xx

The post Kids, Travel and Wi-Fi appeared first on McAfee Blogs.

Hacked for the Holidays: Preparing Your Home for Hackable Toys

The holidays are in full swing and all my kids can think about is their wishlist. With so many new and exciting tech toys on the market, who can blame them? From flying drones to smartphones, the advent of the Internet of Things (IoT) has brought holiday shopping to new and unexpected heights.

I’ll be the first to admit, I look forward to welcoming some of these connected toys into our home and life as much as my kids do. But, as this year’s hackable gifts show us, it’s important to keep security in mind when shopping for presents that could be a potential target for hackers.

Connected toys offer a fun and unique way to show our loved ones we appreciate them. Whether it’s the gift of unlimited streaming to a movie buff, or a virtual experience to a gaming guru, IoT has made the art of gift-giving that much more personal. However, shoppers should be aware that these devices are just as appealing to cybercriminals because of their access to our personal information.

In our digital lives, we’ve come to understand the importance of adding an extra layer of security to our laptops, smartphones, and tablets. But some devices such as smart home appliances, media players, and streaming sticks often fly under the radar when it comes to proper security. In fact, this year’s Most Hackable Holiday Gifts survey found fewer than 30% of consumers considered the security of popular devices such as drones and VR headsets.

What’s the worst that could happen? It’s just a toy.

You may wonder, what cyberattacks could impact a drone? Believe it or not, drones are near the top of our Most Hackable Gifts list and can be compromised by hackers in mid-flight. If a cyber-hijacking isn’t enough to put a damper on your holidays, consider the threats that connected toys might bring into your home without your knowledge. Earlier this year it was discovered that the interactive Cayla doll not only allowed cybercriminals to record video and audio of you without your consent, but also gave them the ability to unlock smart doors. The severity of an attack can vary when it comes to connected devices in the home, so it’s important to add a few extra measures of security to them before they cross your threshold.

So, what can you do to keep your family safe from the hackable toy army? Follow these tips:

Get smart about your smart toys: Before you purchase a connected device, research the latest threats and ensure your intended product has security built-in. For example, if you’re considering purchasing a drone, purchase one that has encrypted communication.

Update: Do not default to the factory security settings on your devices. Update your security settings immediately! Make sure you reset your devices with a new and unique password as soon as you get them. Also, remember to update your device software to account for any new bugs or flaws in the system.

Talk to your kids: Talk to children about cyber threats that could affect the devices they have access to. Make sure they’re in the know on security breaches and scams, and are aware of the dangers of password sharing.

Secure your home: Always secure your connection at its source: your home. Consider using a solution like McAfee Secure Home Platform to ensure every device in your house is well protected.

It’s easy to get in the holiday spirit of giving, just don’t get tricked into giving hackers access to your home!

Interested in learning more about mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post Hacked for the Holidays: Preparing Your Home for Hackable Toys appeared first on McAfee Blogs.

Your Year-End Gift from eLearnSecurity

If you thought Threat Hunting Professional was the final cap to our 2017, well you better ho ho hold up, because we’re not yet done!

While our aspiring threat hunters are looking forward to the upcoming THP launch offers, we intend to jingle all the way this year and get everybody else in the holiday cheer:

Kick start your merry-making with a Year-End Gift from eLearnSecurity: a $200 gift card, which you can use towards getting your next (or first) eLearnSecurity certification!

Cross an entry off your 2018 resolutions early by getting started with any of the training courses or bundles below:

Stand-alone training courses

Penetration Testing Professional
Penetration Testing eXtreme
Mobile Application Security and Penetration Testing
Web Application Penetration Testing
Web Application Penetration Testing eXtreme
Practical Network Defense
Practical Web Defense
Advanced Reverse Engineering of Software

Training course bundles

The Elite Pentester
4-In-A-Box

No need to wait for a reindeer to drop off your presents, get your Year-End Gift here today: https://www.elearnsecurity.com/offers/xmas_2017

Happy holidays from the eLS team!

Better get dashing (through the snow) soon: all Year-End Gifts left under the tree after December 31st, 2017, 11:59 PM PT go off with the New Year’s Eve fireworks!

Use the code DEC-217 at the checkout page to redeem the $200 gift card. Valid for new enrollments into eLearnSecurity training courses until 31st December 2017 11:59 PM PT. Gift cards cannot be combined with any other offers, and cannot be refunded or exchanged.

5 Apps To Be Thankful For This Season

If ever there was a time of year to reflect on the little things that make life wonderful, it’s the holiday season. While friends, family, and food always top the list of things I’m grateful for, there is also a special place in my heart for the gizmos and gadgets that also make life great. The internet of things (IoT) has literally given the world access to technology at our fingertips, allowing us to live well-connected lives.

But know that this well-connected life can also be difficult to navigate; the world of IoT and smartphones coupled with cyber safety can often feel like a complicated waltz. Once we take the necessary steps to ensure we’re safe online, there is nothing wrong with enjoying the apps that make our lives easier.

Since it is the season of giving thanks, here are the five apps I’m most thankful for this year. Some are well known, and some are welcomed new additions to the mobile world.

Venmo

When I want to go to dinner with my friends, Venmo takes the pressure out of splitting the bill when it’s time for the check. Thanks to this free app, sending and receiving money from loved ones is simple and uncomplicated. The best part is, this application offers two-factor authentication that will alert me via text or email if someone attempts to sign in from an unknown device. Talk about instant gratitude.

Skype

If you have loved ones all around the world like I do, this application likely makes it easier to connect with them. When a phone call simply isn’t enough, Skype lives up to its promise by giving me a chance to share cherished moments, in real-time, with loved ones far away. Calls are encrypted so private moments stay private. Just be sure that you’re logged into a secure network and ensure your connection is secure. If secure WiFi isn’t available, consider a personal VPN to help keep your connection safe.

Facebook

It’s always fun to reflect during this time of year. When I’m feeling nostalgic for friends I haven’t seen in a while, Facebook can connect me with a click of a button. It’s great to share important life moments with friends via Facebook, as long as you remember to adjust your settings to “private” and only allow your friends to view your posts. In the world of digital oversharing, we all know Facebook is a culprit, but if we take the extra steps in securing our posts, I don’t see why we shouldn’t still enjoy it.

Waze

Planning a trip to grandma’s house this holiday? Waze will show you the way. If you spend a lot of time on the road, Waze is like a trusted companion to accompany you on your journey. With real-time traffic insights from other “Wazers”, it’s like having a personal travel guide. I couldn’t imagine navigating without it. But, always be cautious when giving other applications access to your location settings.

Postmates

Food on demand—enough said! Not only does Postmates bring delicious food right to my home, it can also deliver my dry cleaning, or anything else I need at the moment. This app is the epitome of convenience; just remember to keep your software up to date as a security measure.

We should all take a moment to appreciate the little things that make our lives easier. While we revel in the convenience of our apps, it’s important to keep these tips in mind to ensure your devices stay safe:

  • Authenticate! If you’re using an application like Venmo, it’s important to set up your two-factor authentication immediately, to reduce the risk of having your account compromised.
  • Avoid Risky WiFi. I’ve said it once, and I’ll say it again, unsecured networks are an easy target for hackers to gain access to your devices. Steer clear of open networks because you never know who your data could be going to.
  • Exercise safety on social media. It’s important to make sure your account is set to “private” and is only visible to family and friends. Cybercriminals know how to use the information you share on social media to gain access to your personal data. Make sure you know who has their eyes on your account.

Can’t get enough mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post 5 Apps To Be Thankful For This Season appeared first on McAfee Blogs.

Don’t Let the Grinch Hack Your Christmas!

What’s on your family’s Christmas list this year? Let me guess – technology! Our desire for shiny, fast, connected devices is almost a biological condition this time of year. However, our single-minded desire to get these devices in our hands at all costs, often means we forget about the risks…

To try and understand how us Aussies are planning on managing the risks associated with this season’s must-have Christmas gifts, McAfee Australia interviewed over 1000 Aussies aged 18-55. Participants were asked whether they were planning on buying internet-connected gifts this Christmas, how they plan to buy them and what they know about how to secure their new devices. And the findings were very interesting…

  • Online Shopping Is Booming But We Are Taking Risks!

76% of us are likely to purchase gifts online this coming holiday season – an increase of 2% from last year. And while most of us will purchase from online stores of well-known retailers, some of us (18%) will choose stores that we find randomly through online shopping searches.

  • There Is Still Confusion About Protecting Our Devices

90% of us feel it is important that our online identity and connected devices are safe and secure but alarmingly, only 14% of us feel that it is necessary to protect devices with security software – down from 15% in 2016.

  • Our Devices are Collecting Our Information But Most of Us Are OK with It

Many consumers (76%) believe their devices are collecting their personal information.

  • Some of Us ‘Need’ The Latest Devices At All Costs

Despite acknowledging that our chosen device may be susceptible to security breaches, 22% of us still commit to buying it!

There is no doubt we value our digital assets, with 61% of us believing our digital assets (our online files and media) are worth more than $1000 and 34% believing they are worth more than a whopping $5000!!

So, What Does This All Mean?

There is no doubt that we love our technology! In fact, in recent research from Telefonica, we are ranked 3rd worldwide when it comes to embracing technology. We even beat the Japanese!

However, the way we shop online, protect (or not) our devices and share our information plays a major role in how easy (or not) it is for cybercriminals to hack us, putting our much-loved digital assets at risk. And add a dose of Christmas cheer (and chaos) into the mix – and you can see how the risk increases!

Which Are The Most Hackable Devices?

To minimise the chance of the Grinch (aka cybercrims) ruining our Christmas this year, McAfee Australia has compiled a list of the devices most Australians have nominated as top of their Christmas lists. Each device’s security vulnerabilities have then been highlighted so you can take the required steps to ensure you are not hacked!! Here’s the lowdown:

1. Laptops, Smartphones and Tablets

According to our McAfee experts, laptops, smartphones and tablets take out first place for being the ‘Most Hackable’ gifts for Christmas 2017! As soon as those Christmas decorations come out, so do the sexiest models about. Slim, powerful yet light PCs, laptops and smartphones packed with the latest features and apps fill the stores… and we go into a frenzy!

Risks: Malware, especially ransomware, continues to dominate the headlines and has grown to more than 10 million samples worldwide. Just like laptops and PCs, tablets and smartphones are vulnerable to ransomware and can be compromised.

Tips: Slow down and think before clicking. One of the easiest ways for cybercriminals to infect your PC or smartphone is through malicious links. Be sceptical if you receive a link you are not expecting, use comprehensive security software that is kept updated, and install parental controls on all your children’s devices.

2. Drones

Drones won second place this year in the ‘Most Hackable’ stakes and it seems we can’t get enough of them. US drone sales are expected to top US$1 billion (A$1.3 billion) in 2017, up from US$799 million (A$1.04 billion) in 2016. And what a terrific gift – perfect for the amateur flight enthusiast through to the professional photographer looking to get that unique angle from up high!

Risks: Drones can be vulnerable in multiple ways. While it’s true they can be hacked in flight, they can also emit a Wi-Fi signal designed to steal your personal information after connecting.

Tips: Always keep the software updated on your drone, and apply software patches when they are made available from the manufacturer.  Be careful about connecting to unsecured Wi-Fi networks. If you must connect, do so with a Virtual Private Network (VPN) like McAfee Safe Connect.

3. Digital Assistants

The must-have tech gadget of 2017, the Digital Assistant comes in at 3rd place on the ‘Most Hackable’ honours list. Digital Assistants are without doubt the perfect gift for anyone. However, like any connected device digital assistants can also be the target of cybercriminals. As new technology comes to market the cybercriminals are always trying to stay a step ahead – Digital Assistants are no exception!

Risks: Built-in microphones that are always listening for a wake-up command and, in some cases, cameras, can be compromised and turned into listening devices.

Tips: Just like your smartphone or PC, be sure to keep your device’s software up-to-date, and never allow physical access to anyone you do not trust.

4. Connected Toys

Coming in at 4th place, Connected Toys seem to be featured on every mini digital native’s Christmas list this year. Many of the must-have connected toys come equipped with GPS chips, cameras and an interactive conversation ability making them super attractive!

Risks: Be aware of the privacy and security risks that could affect connected toys. Manufacturers may not be putting the device’s security as a top priority which could leave it vulnerable to leaking personal information, location, or even allow a hacker to hijack the camera or microphone.

Tips: Research before you buy to make sure the toy you plan to purchase has not had any reported security issues. If the toy comes with a default password, ensure you change it to something more secure. Finally, monitor children when they are playing with connected devices and turn the toy off when it’s not in use to ensure that their privacy is being protected.

5. Connected Appliances

Vacuums, refrigerators, bathroom scales and cameras that connect to the internet aka ‘connected appliances’ are also on hackers’ lists this year. I’m very partial to some of these devices – they just make modern life so much easier!

Risks: While an attack on your refrigerator is unlikely, it’s not unheard of for connected home appliances to be hijacked and used as a pawn in a distributed denial of service attack (DDoS). A connected appliance could also leak personal information or provide details about your home, like its size and dimensions, making you a bigger target for cybercriminals.

Tips: Do not allow your connectable devices to connect to the internet without any filtering. Always change your connected devices’ default manufacturer passwords to something strong and complex. Read the privacy policies provided by manufacturers so you know exactly what information your device is collecting.

Before you start wrapping up your shiny tech Christmas gifts, please make sure you have a plan in place to protect the device from a Christmas hack. Why not share a few of the above tips with the lucky recipients in their Christmas card? Or better still, why not spend a little time on Christmas Day working through it together. A great Christmas bonding exercise!

Happy Christmas!

Alex x

The post Don’t Let the Grinch Hack Your Christmas! appeared first on McAfee Blogs.

How Cybercriminals Are Shopping for Personal Data This Black Friday

Thanksgiving is here, which means it’s time to stuff our bellies and prep our bank accounts for lots of bargain shopping. Black Friday and Cyber Monday have practically become holidays themselves, as each year they immediately shift our attention from stuffing and turkey toward holiday shopping. They also get quite a bit of attention from cybercriminals, so it’s unsurprising that a new Black Friday scam has emerged this holiday season, which includes more than 32,000 malicious Black Friday-themed apps spoofing the branding of top U.S. online retailers.

According to a recent report, one in 25 Black Friday apps are fake, with at least 15 malicious Black Friday apps for each of the top five U.S. e-commerce brands. These apps are said to scam users in a multitude of ways, either tricking shoppers into entering credit card information, giving up Facebook and Gmail log-in details, or even downloading malware and ransomware. Plus, they’re available on legitimate app stores such as the Apple App Store or Google Play.

But the threats don’t just stop there. As our Most Hackable Gifts survey highlighted, both online holiday shopping and the gifts being bought make personal data more vulnerable than ever. Laptops, smartphones, tablets, IoT toys, digital assistants – the gifts that fill our wish lists make cybercriminals feel like kids on Christmas morning. Beyond these vulnerable gifts, there’s also the potential for scammers to create fake retailer microsites, invent targeted phishing scams for fake deals, create malvertisements, or execute new malware to swoop all the financial data from physical point-of-sale systems. Therefore, it’s more important than ever that consumers understand how to secure their information. To do just that, follow these tips:

  • Go to the source. One easy way to avoid counterfeit Black Friday apps is to go to the retailer’s website on your mobile browser and look for a link to the app from their website. With Safari on iOS, if a website already has an app, you will get a box at the top asking if you want to open the page in the app or download the app if it isn’t already installed.
  • Avoid “too good to be true” deals. With Black Friday and Cyber Monday, we’re all trying to save as much money as we can. But here’s the reality: if a deal seems too good to be true, it often is. These deals are usually a cybercriminal attempting to lure you in via phishing so that you cough up your personal data. Trust deals that are advertised directly from the vendor, and if you’re unsure about their legitimacy, scan their site or call their support line for reassurance.
  • Pay with a credit card. Credit cards overall offer better protection against financial fraud than debit cards. You won’t be liable for fraudulent purchases and the thieves won’t be able to drain your bank account if they get ahold of your account number. Any abnormal use of your credit card number will be automatically flagged or not approved by your bank.
  • Use a mobile security solution. As fake or malicious Black Friday apps work to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post How Cybercriminals Are Shopping for Personal Data This Black Friday appeared first on McAfee Blogs.

Lazarus Cybercrime Group Moves to Mobile Platform

When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is to begin an attack with a simple email, which for some time has been one of the most effective malware delivery mechanisms.

The McAfee Mobile Research team has identified a new threat—Android malware that poses as a legitimate app available from Google Play and targets South Korean users—that suggests a deviation from the traditional playbook. An analysis of campaign code, infrastructure, and tactics and procedures suggests the Lazarus group is responsible, as they evolve their attack tactics to now operate within the mobile platform. And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly.

Based on what we know, the app first appeared in the wild in March 2017. The distribution is very low and is aimed at a Korean audience (based on telemetry hits).

Although we cannot be certain, persons associated with GodPeople, an organization based in Seoul with a history of supporting religious groups in North Korea and the developers of the original application, could be the intended targets. GodPeople is sympathetic to individuals from North Korea, helping to produce a movie about underground church groups in the North. Previous dealings with the Korean Information Security Agency on discoveries in the Korean peninsula have shown that religious groups are often the target of such activities in Korea.

Evolving Attack Tactics

Leveraging email as the entry vector allows attackers to be very specific about whom they wish to target, an approach often described as spear phishing. Developing a malicious application does not provide the same level of granularity. However, in this instance the attackers developed malware that poses as a legitimate APK, advertising itself as a means of reading the Bible in Korean. Leveraging the mobile platform as the attack vector is potentially significant—particularly as South Korea has a significant mobile population that is “in a race to be first with 5G,” according to a Forbes article. Typically when a mobile platform is mentioned, we think about our mobile phones. However, in this case, we know South Korea has an increasing use of tablets, replacing traditional laptops. How well secured are tablets and how are they monitored?

Evolving attacks onto the mobile platform are likely to continue, and this appears to be the first example of the Lazarus group using mobile. Such a change, therefore, is significant, demonstrating that criminals are keeping up with platform popularity. Indeed, according to the International Telecommunication Union, the global number of mobile subscriptions worldwide now exceeds the global population, which suggests that such a tactic is only likely to increase as our dependency on mobile platforms grows.

Source: International Telecommunication Union.

Keeping Safe

Understanding the evolving tactics by nefarious actors is imperative. It is critical that we adopt simple security measures to counter these new tactics. This malware is detected as “Android/Backdoor” by McAfee Mobile Security. Always keep your mobile security application updated to the latest version. And never install applications from unverified sources.

The post Lazarus Cybercrime Group Moves to Mobile Platform appeared first on McAfee Blogs.

Android Malware Appears Linked to Lazarus Cybercrime Group

The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research Team.)

The malware poses as a legitimate APK, available from Google Play, for reading the Bible in Korean. The legit app has been installed more than 1,300 times. The malware has never appeared on Google Play, and we do not know how the repackaged APK is spread in the wild.

Figure 1: Description of the legitimate app on Google Play.

Figure 2: An overview of the malware’s operation.

Comparing Certificates

The repackaged APK has been signed by a different certificate from the legitimate APK. We can see the differences in the following two screen captures:

Figure 3: The certificate of the malicious, repackaged APK.

Figure 4: The certificate of the legitimate APK.

Once the malicious APK installs its code, it attempts to execute the backdoor ELF from “assets/while.” If the ELF successfully executes, it turns the device into a bot.

Figure 5. The main function for executing the backdoor ELF.

Analyzing the Backdoor

Once the backdoor ELF starts, it turns into a zombie process to protect itself. It remains as a zombie even if the parent process terminates, as long as the “dex” execute() method has been implemented successfully.

Figure 6. The malware turns itself into a zombie process.

The malware contains a list of IP addresses of control servers. The list is encoded and written to the file /data/system/dnscd.db.

The preceding table lists information for each of the IP addresses. None of these is available now.

Figure 7. The flow of writing the encoded control server IPs to a file.

The IP address array is encoded by a simple routine when it is loaded into memory from the read-only data section; that encoded data is written to the file /data/system/dnscd.db. The decoded file is then loaded into memory to select an IP address to connect to.

One of the control servers is selected randomly immediately before the backdoor process attempts to connect to it. The attempt is repeated until a connection with one of the control servers succeeds.

Figure 8. The malware creates a socket and connects to a randomly selected control server.

Once connected with a control server, the malware begins to fill the buffer using a callback beacon. Figure 9 shows a part of the message-generating code. Several fields of the packet are hardcoded, particularly the bytes at offsets 0, 4, and 5. After we realized that the message only pretended to use the SSL handshake protocol, we understood the meaning of the hardcoded bytes. The byte at offset 0 is the handshake type; offsets 4 and 5 are the SSL version of the handshake layer, a part of transport layer security.

Figure 9. A part of the function for generating a callback beacon.

Figure 10. Transferring data to be used as the callback beacon to the control server.

After the message is generated, the malware sends the following packet (Figure 11) to the control server as a callback beacon. The packet carries a randomly selected well-known domain in the Server Name Indication (SNI) field of the extension data. We suspect this is an evasion technique to avoid detection by security solutions looking for suspicious behaviors.

Figure 11. A captured packet from the callback beacon.

Figure 12. The list of legitimate (well-known) domains in the binary.

After sending the callback beacon, the malware assigns global variables that contain device information which is transferred to the control server once it receives the command code 0x5249. Figure 13 shows the jump table for implementing commands and its pseudo code.

Figure 13. The jump table for implementing commands from the control server and the structure for receiving data.

The functions are described in the following table. Command code and arguments arrive as structured data from the control server, as shown in Figure 13. The command code and arguments are assigned, respectively, to the CMD and DATA member variables of the received data structure.

After performing commands received from the control server, the malware returns the results to the control server using the codes in Figures 14 and 15. Before transferring the results, the return code and data are stored in a structure described in the following pseudo code.

Figures 14 and 15. The codes and data structure returned to the control server.

Similarities to Lazarus Malware

In Figure 16, the function on the left is from the backdoor ELF we have analyzed. On the right, we see procedures found in several executables used by the Lazarus Group in various attacks.

Figure 16. Similar functions to the executable used in the Sony Pictures attack.

Both functions look very similar. And the hexadecimal seeds for generating a key for encryption and decryption are the same. Both functions are also used to generate a message encryption and decryption key between the victim and control server. Figure 17 shows the functions of both the backdoor ELF and an executable recently used by the Lazarus Group. The function connects to the control server, and generates a disguised SSL ClientHello packet. Then the generated packet is sent to the control server as a callback beacon.

Figure 17. The functions to establish a connection to the control server (ELF on the left).

The function in Figure 18 generates a disguised ClientHello packet to use as a callback beacon.

Figure 18. Generating the disguised ClientHello packet (ELF on the left).

Both backdoors use the same protocol, as we confirmed when analyzing the function for receiving a message from the control server. Figure 19 shows the protocol for transferring a message between the backdoor and the control server.

Figure 19. The receive message function included in the checking protocol (ELF on the left).

To transfer a message, the source first sends a five-byte message to the destination. The message contains the size of the next packet, a hardcoded value, and the type of message. The hardcoded value is 0x0301 and the message type is in the range 0x14–0x17. The message type can also be used to validate the received packet. The following is pseudo code from the receive function:

Figure 20. The five-byte packet sent before the source sends its primary message.

Figure 21. Pseudo code from the receive message function.
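As an added example (not code from the McAfee post), the following Python parser applies the checks described for the five-byte preamble above (type 0x14–0x17, fixed version 0x0301, length of the next packet) and then walks a TLS handshake record to extract the handshake type, client version and SNI, the fields a defender needs in order to compare the server name a beacon claims against the address it actually connects to. The sample ClientHello, including the name example.com and the zeroed client_random, is constructed inside the block as test input; it is not a capture from the post.

```python
import struct

# Record content types the post says the backdoor's receive routine accepts
# in its five-byte preamble (0x14-0x17); 0x0301 is the fixed version field.
RECORD_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
FIXED_RECORD_VERSION = 0x0301
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def parse_record_header(data: bytes):
    """Parse the 5-byte TLS record header into (type, version, length).

    Raises ValueError when the header fails the checks described in the post:
    type outside 0x14-0x17 or version other than 0x0301.
    """
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in RECORD_TYPES:
        raise ValueError(f"unexpected record type 0x{ctype:02x}")
    if version != FIXED_RECORD_VERSION:
        raise ValueError(f"unexpected record version 0x{version:04x}")
    return ctype, version, length


def header_is_valid(data: bytes) -> bool:
    """Boolean form of the header check, convenient in a detection pipeline."""
    try:
        parse_record_header(data)
        return True
    except ValueError:
        return False


def parse_client_hello(record: bytes) -> dict:
    """Extract handshake type, client version and SNI from a handshake record."""
    ctype, version, length = parse_record_header(record)
    body = record[5:5 + length]
    if ctype != 0x16 or len(body) < length:
        raise ValueError("not a complete handshake record")
    hs_type = body[0]                       # offset 0 of the handshake message
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type != HANDSHAKE_CLIENT_HELLO or len(hs) < hs_len:
        raise ValueError("not a complete ClientHello")
    client_version = struct.unpack("!H", hs[0:2])[0]   # offsets 4-5 of the message
    pos = 2 + 32                                       # skip client_random
    pos += 1 + hs[pos]                                 # skip session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + hs[pos]                                 # skip compression_methods
    sni = None
    if pos + 2 <= len(hs):
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hs))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext_data = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SERVER_NAME and len(ext_data) >= 5:
                # server_name list: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", ext_data[3:5])[0]
                sni = ext_data[5:5 + name_len].decode("ascii", "replace")
    return {
        "record_type": RECORD_TYPES[ctype],
        "record_version": version,
        "handshake_type": hs_type,
        "client_version": client_version,
        "sni": sni,
    }


def build_sample_client_hello(sni: str) -> bytes:
    """Constructed test input (not a capture from the post): a minimal
    ClientHello with one cipher suite and a server_name extension."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    hs_body = (
        struct.pack("!H", 0x0303)                 # client_version
        + bytes(32)                               # client_random (zeros: test data)
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
        + b"\x01\x00"                             # null compression only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return struct.pack("!BHH", 0x16, FIXED_RECORD_VERSION, len(handshake)) + handshake


if __name__ == "__main__":
    print(parse_client_hello(build_sample_client_hello("example.com")))
```

On a real capture, feed each record from the client side of the stream to parse_client_hello and compare the returned sni with the destination IP of the connection; a well-known name sent to an address that does not belong to that name is the anomaly the post describes.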

Conclusion

The security industry keeps an eye on the Lazarus Group, and McAfee Mobile Security researchers actively monitor for mobile threats by Lazarus and other actors. We compared our findings with the threat intelligence research of our Advanced Threat Research team, which studies several groups and their techniques. Due to the reuse of recent campaign infrastructure, code similarities, and functions such as the fake transport layer security, these tactics match many we have observed from the Lazarus Group.

We do not know if this is Lazarus’ first activity on a mobile platform. But based on the code similarities we can say with high confidence that the Lazarus Group is now operating in the mobile world.

McAfee Mobile Security detects this malware as “Android/Backdoor.” Always keep your mobile security application updated to the latest version. And never install applications from unverified sources. This habit will reduce the risk of infection by malware.

Indicators of Compromise:

Hashes

12cc14bbc421275c3c6145bfa186dff

24f61120946ddac5e1d15cd64c48b7e6

8b98bdf2c6a299e1fed217889af54845

9ce9a0b3876aacbf0e8023c97fd0a21d

Domains

mail[.]wavenet.com.ar

vmware-probe[.]zol.co.zw

wtps[.]org

IP addresses

110[.]45.145.103

114[.]215.130.173

119[.]29.11.203

124[.]248.228.30

139[.]196.55.146

14[.]139.200.107

175[.]100.189.174

181[.]119.19.100

197[.]211.212.31

199[.]180.148.134

217[.]117.4.110

61[.]106.2.96
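As an added example (not part of the McAfee post), the defanged domains and IP addresses listed above are refanged and matched against a few constructed firewall and DNS log lines. The indicators are the post’s own; the log lines, the field layout and the rule that a subdomain of an indicator also counts as a hit are assumptions of this example.

```python
import ipaddress
import re

# Defanged indicators copied from the post's IoC list (domains and IPs only).
DEFANGED_IOCS = [
    "mail[.]wavenet.com.ar", "vmware-probe[.]zol.co.zw", "wtps[.]org",
    "110[.]45.145.103", "114[.]215.130.173", "119[.]29.11.203",
    "124[.]248.228.30", "139[.]196.55.146", "14[.]139.200.107",
    "175[.]100.189.174", "181[.]119.19.100", "197[.]211.212.31",
    "199[.]180.148.134", "217[.]117.4.110", "61[.]106.2.96",
]

# Constructed log lines for the demonstration; they are not from the post.
SAMPLE_LOG = [
    "2017-11-20T10:01:02Z fw SRC=10.0.0.5 DST=124.248.228.30 DPT=443 PROTO=TCP",
    "2017-11-20T10:01:03Z dns query from 10.0.0.5: mail.wavenet.com.ar A",
    "2017-11-20T10:01:04Z fw SRC=10.0.0.5 DST=8.8.8.8 DPT=53 PROTO=UDP",
    "2017-11-20T10:01:05Z dns query from 10.0.0.7: cdn.wtps.org A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Reverse the usual defanging: [.] (.) [dot] (dot) -> '.', hxxp -> http."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def build_index(defanged):
    """Split refanged indicators into an IP set and a lower-cased domain set."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw)
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value.lower())
    return ips, domains


def scan_log(lines, ips, domains):
    """Return (line_no, kind, value) for every indicator seen in the lines.

    A host matches if it equals an indicator domain or is a subdomain of one
    (the subdomain rule is this example's assumption, not the post's).
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((line_no, "ip", ip))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((line_no, "domain", host))
    return hits


if __name__ == "__main__":
    ip_set, domain_set = build_index(DEFANGED_IOCS)
    for hit in scan_log(SAMPLE_LOG, ip_set, domain_set):
        print(hit)
```

The post notes that none of the control servers was reachable at the time of writing, so historical DNS and firewall logs are where these indicators are most likely to surface; the scan above is written to run over lines already collected rather than live traffic.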

The post Android Malware Appears Linked to Lazarus Cybercrime Group appeared first on McAfee Blogs.

Top Tips For Securing Your Devices

By now most of us know how important it is to protect our computers and smartphones from malware and other threats, but what about the connected devices we have in our homes?  You might not have thought about it before, but devices like your router, security cameras, baby monitor, and smart appliances can also be hacked if you don’t take steps to protect them.

You may remember last year when major websites such as Twitter, Amazon and GitHub were all knocked offline in a high-profile attack that used thousands of infected webcams to overload the sites with traffic. The cybercriminals behind the attack took advantage of the lax security in consumer webcams, accessing them without the owners’ knowledge.

Given how easy it is for hackers to reach unprotected network devices, it’s worth taking a few minutes to learn how to safeguard them. This way your devices cannot be accessed as part of a larger attack, or used to invade your privacy, or even steal your data.

Tips for Protecting Your Devices:

Know your devices—Before you invest in a new device, know what it does and does not do. For instance, a smart fridge or speaker may sound cool, but what if you knew it could be tampered with to eavesdrop on you? Make sure that any features you’re not comfortable with can be turned off.

Reset & apply any updates—Out of precaution, reset new devices to ensure they work as intended, and haven’t been altered in the supply chain to do something nefarious, such as leak data. Refer to your manual to see if there is a reset button.

Once you’ve done that, check to see if there are any firmware updates or security fixes that have become available since you purchased it. This is often the case with routers, and you can check for updates by following the manufacturer’s online instructions.

Change the default password—Many connected devices are protected with a default password. You’ll want to change the manufacturer’s default password as soon as possible. This is because default passwords are widely known by hackers, allowing them to easily access your device. Change the default password to something random and difficult to guess, and don’t re-use passwords.

Use encryption & a firewall—When setting up your home Wi-Fi make sure to turn on the Wi-Fi Protected Access 2 (WPA2) encryption protocol, which scrambles the data sent over the network so that third parties cannot read it. You’ll also want to use a firewall to prevent unauthorized users from accessing the network.

Consider a private network—Most home routers have the option of creating a VLAN, or virtual local area network, which allows you to create a private network just for your devices. This network could be separate from your computer network, making it impossible for cybercriminals to reach your devices through your home computers.

Alternatively, investing in a product such as Secure Home Platform will provide security to all of your connected devices, from computers and smartphones, to IoT devices.

Use comprehensive security—Services like McAfee Total Protection™ also offer cross-device support, as well as secure cloud backup to make sure that your private information is protected.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post Top Tips For Securing Your Devices appeared first on McAfee Blogs.

New Android Malware Found in 144 GooglePlay Apps

McAfee’s Mobile Research team has found a new Android malware in 144 “Trojanized” applications on Google Play. We named this threat Grabos because we found this string in several elements of the code, including variable and method names. Grabos was initially found in the Android application “Aristotle Music audio player 2017,” which claimed to be a free audio player on Google Play:

Figure 1. Trojanized music app in Google Play.

At the time Aristotle Music was discovered, the application had a very good rating. According to Google Play, the application was installed between one and five million times and had a recent comment from a user saying that the application was detected as malware:

Figure 2. User reporting the application Aristotle Music being detected as malware.

Grabos on Google Play

McAfee Mobile Research notified Google about Grabos in September and confirmed that Google promptly removed the reported application. After further research, we found another 143 applications (see complete list at the end of this post); all have been removed from Google Play. Six were removed after we reported the first to Google:

Figure 3. Additional Grabos Trojanized apps formerly on Google Play.

At the time of writing this post, 34 applications still had their webpages available in cache, so we were able to obtain additional information such as the approximate number of installs, last updated date, and rating. Most of these apps were last updated in August and October. They had an average rating of 4.4, and between 4.2 million and 17.4 million users downloaded these apps from Google Play:

Figure 4. Malicious apps details from Google Play.

Grabos likely evaded Google Play security measures because the injected code is protected with a commercial obfuscator, making it very difficult to analyze statically without executing the application. Dynamic analysis is also difficult, because the app stops executing the hidden code when its environment checks fail, and those checks are unknown until the code is unpacked. Once we unpacked the code, we proceeded with our analysis.

“Fake” vs. “real” apps

We found Grabos injected in file explorer and music player applications, some of them open source. Every time the app is opened, it evaluates the following settings to decide whether to launch the “fake” app (the legitimate functionality) or the “real” app (the injected, packed code):

  • isOnline: Checks if the device has Internet connectivity
  • getIsBlacklisted: Checks if the Android debug bridge (adb) and development settings are enabled or if the device is in an emulator. If the latter is the case, the device is blacklisted and the “fake” app is launched.
  • getIsForcedBlacklisted: Flag set by the control server.

The code also has a test mode that allows the execution of the “real” app in case it is running in an emulator or has adb and development settings enabled. These checks detect if the app is currently being dynamically analyzed and prevent the execution of the hidden code if necessary.

In case the app is not being analyzed or is in test mode, the “real” app launches. This hidden music downloader searches for a specific song on YouTube. Once the song is selected, it can be downloaded in MP3 or MP4 format to be played offline.

Figure 5. “Fake” vs “real” app flow. “BL” stands for “blacklisted.”

At this point, the application seems to be just a music downloader hidden in a Trojanized app that checks for dynamic analysis to avoid being removed from Google Play due to its downloading of copyrighted music. In the background, however, more is happening.

Communicating with the Control Server

In addition to the “fake” and “real” app functionality, Grabos is also present in the AndroidManifest as a receiver that executes every time there is a connectivity change or when the app is installed:

Figure 6. Grabos receiver in the AndroidManifest.
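A manifest check an analyst can run when triaging a suspect APK, added here as an example (it is not McAfee’s code and is not part of the original post): it parses a decoded AndroidManifest.xml, reports every broadcast receiver together with the intent actions it registers for, and flags actions such as android.net.conn.CONNECTIVITY_CHANGE and android.intent.action.PACKAGE_ADDED that give a component an execution trigger without the user opening the app. The exact actions in Figure 6 are not visible here, so the watchlist and the sample manifest below are assumptions constructed for this example.

```python
"""Static triage of a decoded AndroidManifest.xml: list broadcast receivers
and the intent actions they register for, and flag the ones that let code
run without the user opening the app (connectivity changes, package
installs).  The sample manifest below is constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Intent actions that give a hidden component an execution trigger without
# any user interaction.  These are real Android action strings; which ones
# Grabos actually registers is an assumption here (Figure 6 is not visible).
WATCHLIST = {
    "android.net.conn.CONNECTIVITY_CHANGE": "runs on every network change",
    "android.intent.action.PACKAGE_ADDED": "runs when a package is installed",
    "android.intent.action.BOOT_COMPLETED": "runs at boot",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def receiver_triggers(manifest_xml):
    """Return {receiver_name: sorted list of intent actions} for every
    <receiver> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    result = {}
    for recv in root.iter("receiver"):
        actions = set()
        for action in recv.iter("action"):
            name = _attr(action, "name")
            if name:
                actions.add(name)
        result[_attr(recv, "name")] = sorted(actions)
    return result


def flag_receivers(manifest_xml):
    """Return a list of (receiver, action, reason) for every watchlisted
    action a receiver registers for."""
    findings = []
    for recv, actions in receiver_triggers(manifest_xml).items():
        for act in actions:
            if act in WATCHLIST:
                findings.append((recv, act, WATCHLIST[act]))
    return findings


# Constructed sample: a music player whose manifest also registers a
# receiver for connectivity changes and package installs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.musicplayer">
  <application android:label="Music Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".net.ConnReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".MediaButtonReceiver">
      <intent-filter>
        <action android:name="android.intent.action.MEDIA_BUTTON"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for recv, act, why in flag_receivers(SAMPLE_MANIFEST):
        print("%s <- %s (%s)" % (recv, act, why))
```

Run it against the output of apktool or a similar manifest decoder; a media player registering for connectivity changes is not malicious by itself, but it is the kind of component that deserves a closer look at what it does when fired.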

If the receiver is executed due to a connectivity change, the execution ends if the device is offline or if fewer than five seconds have passed since the last connection. If more than five seconds have already passed, the method “updateRemoteSettingsSynchronousTask” executes. This method collects and encrypts (Base64 plus Advanced Encryption Standard) the following data from the infected device:

  • Device information:
    • android_version
    • build_model
    • install_referrer
    • network_country
    • sim_country
    • carrier_name
    • language_code
    • country_code
    • time_timezone
  • Device location: Grabos uses free IP geolocation API services to obtain IP address information such as city, country code, ISP, organization, region, and ZIP code.
  • Device configuration:
    • is_emulator
    • is_rooted
    • is_adb_enabled
    • is_dev_settings_enabled
    • allow_mock_location
    • allow_non_market (unknown sources enabled/disabled)
    • is_vpn_connected
    • dp checks (additional root, debug, and emulator checks provided by the commercial obfuscator)
  • Installed Grabos app information: version_code, package_name, and install_time
  • Specific apps installed: Grabos reports if any app in a predefined list is currently installed on the infected device (more on this later).

All the information is encrypted and submitted to a control server. The remote server responds with encrypted data that contains the parameters required to download music (URLs, API keys, user agents, client_id, etc.), to show advertisements (nativead_id, interstitial_id, banner_id, etc.), and to display customized notifications such as asking the user to rate the app in Google Play:

Figure 7. “Rate this app” parameters provided by the control server.

The rating pop-up appears the first time the app is opened. If the button “Rate 5 Stars” is clicked, the app opens in Google Play so the user can rate the app there.

Figure 8. Rating pop-up.

In a similar way, the remote server also provides parameters to ask the user to share the app with friends, promising faster download speeds in return:

Figure 9. “Share the app” parameters provided by the control server.

The control server also sends the parameter “is_forced_blacklisted,” which, when set to “true,” manually blacklists the device and prevents the execution of the hidden app.

Mysterious functionality

In addition to reporting an infected device’s location and configuration, Grabos checks if specific social and Google apps are installed using the method isPackageInstalled and the app package name. Depending on whether an app is currently installed, the corresponding value is set to true or false, and that information is encrypted and reported to the control server:

Figure 10. Social and Google apps reported to the control server.

We reported this finding to Google, who are investigating. At this point we do not know the purpose of this app reporting. However, we believe this information could be very useful to malware authors because Grabos has implemented several mechanisms to trick users into installing applications provided by the remote server. Let’s look into those functions.

Custom Push Notifications and Additional Apps

After the initial settings are obtained from the remote server, the AsyncTask ShowNotificationIfNeeded is executed to check if the parameters n_title, n_description, and n_package were provided by the control server. If that is the case, Grabos checks if the app is available on Google Play (if “pack” is a name and not a URL) or on a remote server (if “pack” starts with HTTP).

If the application is not installed and is available, Grabos gathers additional parameters (for example, icon and bigicon) from the remote server response to create a custom notification and trick the user into installing the app:

Figure 11. Parameters provided by the control server to create a custom notification.

Grabos also checks if the remote server provided the following parameters:

  • interstitial_letang_options: provides values to delay and repeat the display of an activity (initial_delay and min_interval)
  • interstitial_letang: includes the following remote commands:
    • admob: executes method “showAdmobInterstitial”
    • nothing
    • grabos_direct

If the command is grabos_direct, Grabos gets the title, package, and max_times_shown values in the parameter grabos_direct_interstitial to open the app in Google Play or trigger a download:

Figure 12. Downloading an APK from a URL or open app on Google Play.

Both the notification and the interstitial_letang methods for tricking the user into downloading or installing apps run in the background every time there is a connectivity change. Grabos also implements another app delivery method that runs when the music downloader executes. This method, ShowGrabosIfNeeded, is very similar to interstitial_letang: it checks that the required parameters are present and that the app is available, and it also checks whether the app should be opened without the user’s consent:

Figure 13. Grabos checking whether the installed app should be opened.

As soon as Grabos confirms that the device is online, the app is available either on Google Play or a remote server, and the package is not installed, the malware gets the following parameters from the remote server response to create an AlertDialog and trick the user into downloading another app:

Figure 14. Grabos parameters to create an AlertDialog.

Flying Under the Radar: Evading Analysis

In addition to the multiple efforts to detect if the app is being dynamically analyzed (emulator, adb, development settings) and the encryption of the injected code, Grabos updates its remote settings every 24 hours (unless it is in test mode). This restriction can be easily bypassed by changing the date and time of the device used to analyze the app. However, recent versions of Grabos include checks to detect if the automatic date and time and time zone are enabled:

Figure 15. Grabos checks if automatic date and time and time zone are enabled.

The status of this setting is reported to the control server in the fields time_is_auto and time_timezone_is_auto. Although this check is not used in the Grabos code, the information could be used to determine if the app is being dynamically analyzed and decide if an additional payload should be delivered.

The URLs used as control servers indicate that Grabos tries to masquerade its network traffic as legitimate. At first sight the URLs appear to belong to familiar adware companies; the names are identical. However, instead of ending in .com, Grabos uses domains such as .link and .click, which are not registered by those companies.
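Two of the network behaviours described in this post can be picked up from proxy logs: control-server hosts that reuse a familiar ad network’s name under a different TLD (this section), and APK payloads fetched from hosts other than Google Play (the download path described under the custom notifications and interstitial_letang methods). The following Python script, added here as an example rather than code from the post, runs both checks over a few constructed log lines. The ad-network names, hostnames, log format and the set of Play hosts are all constructed or assumed for the example; a real deployment would fill them from its own traffic baseline.

```python
"""Proxy-log triage for two behaviours described above: control-server
hostnames that reuse a known ad network's name under a different TLD, and
APK downloads served from hosts other than Google Play.  Log format, brand
names and hostnames are all constructed for this example."""
from urllib.parse import urlparse

# Names of ad/analytics networks seen in legitimate traffic, with the TLD
# they actually use.  Constructed placeholders, not real companies; a real
# deployment would populate this from its own allow-list.
KNOWN_AD_NETWORKS = {
    "exampleads": "com",
    "samplemobi": "net",
}

# Hosts from which Google Play itself serves store pages and APKs (assumed
# set for this example).
PLAY_HOSTS = {"play.google.com", "play.googleapis.com",
              "android.clients.google.com"}
APK_MIME = "application/vnd.android.package-archive"

# Constructed log lines: <ts> <client> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
1509700000 10.0.0.12 POST https://api.exampleads.link/v2/settings 200 application/json
1509700005 10.0.0.12 GET https://api.exampleads.com/v2/ads 200 application/json
1509700010 10.0.0.12 GET http://cdn.samplemobi.click/apps/player.apk 200 application/vnd.android.package-archive
1509700015 10.0.0.15 GET https://play.google.com/store/apps/details?id=com.example.player 200 text/html
1509700020 10.0.0.15 GET https://android.clients.google.com/market/download/Download 200 application/vnd.android.package-archive
"""


def split_host(host):
    """Return (registrable_label, tld) for a hostname, e.g.
    'api.exampleads.link' -> ('exampleads', 'link').  Naive split: it does
    not handle multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the run
        ts, client, method, url, status, ctype = parts
        events.append({"ts": int(ts), "client": client, "method": method,
                       "url": url, "host": urlparse(url).hostname or "",
                       "status": int(status), "ctype": ctype})
    return events


def lookalike_hosts(events):
    """Hosts whose registrable label matches a known ad network but whose
    TLD is not the one that network actually uses."""
    hits = set()
    for ev in events:
        label, tld = split_host(ev["host"])
        expected = KNOWN_AD_NETWORKS.get(label)
        if expected is not None and tld != expected:
            hits.add((ev["host"], label, expected, tld))
    return sorted(hits)


def apk_downloads_off_store(events):
    """URLs of APK payloads fetched from hosts that are not Google Play."""
    return [ev["url"] for ev in events
            if ev["ctype"] == APK_MIME and ev["host"] not in PLAY_HOSTS]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, label, want, got in lookalike_hosts(evs):
        print("lookalike C2 host %s: '%s' is known as .%s, seen as .%s"
              % (host, label, want, got))
    for url in apk_downloads_off_store(evs):
        print("APK downloaded outside Google Play:", url)
```

The TLD comparison is deliberately simple: it keys on the second-level label only, so a production version would want a public-suffix list to avoid misreading hosts under co.uk-style suffixes, and would treat a hit as a lead for review rather than a verdict.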

Finally, Grabos defines an additional mechanism, currently not implemented, to blacklist or whitelist a specific device. For example, the device could be blacklisted or whitelisted in a future version depending on the country code or configured language of the infected device:

Figure 16. Blacklist and whitelist functions based on language and country code.

Grabos also defines (but does not implement) methods to blacklist a device based on IP address:

Figure 17. Blacklist functions based on IP address information.

Conclusion

During our analysis of this threat, the control servers always provided empty parameters for the custom notifications to trick users into installing applications. Taking into account the functionality to display ads and the high number of downloads, we believe the main purpose of Grabos is to make money by promoting the installation of apps.

Grabos gained popularity on Google Play because it allowed users to download music for free while constantly asking them to rate the app. However, users were not aware of the hidden functionality that comes with those apps, exposing them to custom notifications to download and install additional apps and open them without their consent.

Considering that Grabos also reports the presence of specific social and Google apps on infected devices, cybercriminals could use that information to deliver additional apps by tricking users into installing them using any of the notification methods implemented in the code. Although during our analysis the remote servers did not deliver the required parameters to trigger custom notifications, the devices remain exposed to the download of additional Android apps.

McAfee Mobile Security detects this threat as Android/Grabos. To protect yourself from threats like this on Google Play, employ security software on your mobile devices, check user reviews, and avoid installing suspicious apps whose screenshots or functionality do not correspond to the name of the app.

We would like to thank Sebastian Porst and Jason Woloz from Google’s Android Security for their helpful contributions on this research.

List of Grabos Package Names

  • com.picklieapps.player
  • com.musicaplayer.stonetemples
  • com.mp3musicplayer.playmusicmp3
  • com.densebutter.musicplayer
  • com.airplaneapps.soundmeter
  • com.dinosaursr.musicplayer
  • com.tenuousllc.humneate
  • com.astropie.musicplayer
  • info.chargeshoes.videoplayer
  • com.callsaver.doubtful
  • com.unfestenedsail.freeapp
  • com.extendmilk.freeplayer
  • com.excellentlossapps.playermusic
  • com.AliciaTech.free
  • com.mp3player.musicplayer.freelocalmusicplayer
  • com.freemusicplayer.freemusicplayer.free
  • com.afromusicplayer.fremediaplayer
  • com.info_astro.glider_player
  • com.illfatednotice.humdrum
  • com.headybowl.musicplayer
  • com.musicgratisplayerfree.free
  • com.naturityllc.mp3player
  • info.anothertube.music.player
  • com.startdancingapps.callrecorder
  • com.social.video.saver.pro
  • es.gratis.video.downloader.hd
  • com.sportingapps.copyleft_music.player
  • com.auto_call_recorder.freeapp
  • com.freenewsreader.rssfeed
  • ar.music.video.player
  • com.curatorinc.ringtone.search
  • com.mp3musicplayer.local_files_player
  • com.copyleft.stream.musica.player
  • info_de.mp3.music.player
  • com.nobodybeats.musicplayer
  • com.file.manager.pronessbest
  • info.ark.music.mp3.player
  • com.air.browser.free
  • com.aneeoboapps.playlistmanager
  • com.local_music_player.free_mp3_player
  • com.greenlinellc.voicechanger
  • com.free.playlist.creator.tube
  • com.toporganizer.fileorganizer
  • com.thumb.webbrowse
  • com.aspirator.ringtones.player
  • com.freevideoplayer.musicplayer
  • com.vimfast.videodl
  • com.whimsical.piano.free
  • com.truckneat.freeapp
  • com.crowdedarmy.volume.controller
  • com.arnold_legal.mp3.musica
  • com.descent.shutterfly
  • com.thankyou.arrowplayer
  • com.pocahantasapps.musicplayer
  • com.astroplayer.freee
  • com.couchpotato.musica.play_stream
  • com.abstractly.musica.player
  • com.matsumoto.mp3player
  • com.musicequalizer.freeequalizer
  • com.lifesbad.fileexplorer
  • com.videolunch.free
  • legal.copyleft.cc.mp3.music
  • com.ark.music.mp3.player
  • info.musik.mp3.music
  • com.streamerplayer.stream_videos
  • info.voicerecorder.recordvoice
  • com.snip.browser
  • com.checkrein.musicapp
  • com.mp3musicplayer.freemusicplayer.playmusic
  • com.jadedprogram.mp3player
  • com.preoral.freeborn
  • com.voice.changer.freeappsapp
  • es.streamplay.stream.player
  • com.localmp3music.freeplayer
  • com.drummachine.machinedrums
  • com.coloringbook.freetrynow
  • com.videodownloader.social_video_download
  • com.ElephantApps.FileManager
  • com.scaricare.app.musica
  • com.quicksearch.tube.player
  • com.rooseveltisland.mp3player
  • com.mindprogram.musicf
  • com.freeborn.sdkintegration
  • com.koseapps.tubemusica
  • fr.baixar.videos.gratis
  • info.adeptly.forgoneapp
  • us.musicas.gratis.player
  • com.miniaturef.swanky
  • com.insta.mp3.music.streamer
  • com.anchor.musicplayer
  • com.repeate.mp3musicplayer
  • com.FeisalLLC.MusicPlayer
  • com.shelfshare.freeapp
  • info.simple.streamer.player
  • com.streamplayer.freearnold
  • com.freeturkish.video.downloader
  • com.cowherd.freeapp
  • com.localmp3musicplayer.local_player
  • com.scaricare.apps.musica
  • com.silymove.freeapp
  • com.pinkphone.funfreetube
  • info.tissuepaper.freemusic
  • com.chopsuey.musicplayer
  • com.branchnotice.musicplayer
  • com.fradcip.MasterApp
  • sv.music.player.mp3.ares
  • com.social.video.downloader.for_fb
  • com.frobenius.time.tube
  • com.spelldoom.comeup
  • com.bailymusic.player
  • com.sportifco.musicplayer
  • com.topsaver.video.downloader
  • com.coupleweeks.modcium
  • com.unbecomingllc.videodownloader
  • com.video.for_fb.downloader.saver
  • com.macdrop.apptool
  • com.callsaver.recorderfreeapp
  • com.arnie_legal.mp3.musica
  • com.kikiapps.freeplayer
  • com.pintaapps.expensetracker
  • com.marble.musicequalizer
  • com.artproject.searcher
  • com.UnitTest.FreeApp
  • com.exudedplayer.freemusicplayer
  • com.blackballed.player
  • com.mp3player.decisiveapps
  • com.rusticd.musicplayer
  • com.byunhyeong.jungfree
  • com.voicelessapps.mp3musicplayer
  • com.localmp3player.freeplayer
  • com.kinokunya.free
  • com.socialvideo.downloader_vim
  • com.viastore.video.saver_for_fb
  • com.disarmbit.reache
  • com.crackerbalancellc.mp3converter
  • info.vaskollc.jpfree
  • com.freemusicplayer.musicplayfreetoolpalyer
  • com.combustionapps.musique
  • com.arnold.mp3.musica
  • com.purpleheadphones.audioplayer
  • com.unscalableapps.free
  • com.freefile.organizerfree
  • com.free.mp3.stream_cc_music
  • com.mp3uncle.musiccamera

The post New Android Malware Found in 144 GooglePlay Apps appeared first on McAfee Blogs.

Warning: Lokibot Is Looking to Access Your Android

This time of year is always busy for me. Between pre-holiday online shopping, and the push to connect with friends before the season gets underway, it’s especially a busy time of year for my online activity.

In an age of social technology, we use our apps to help get through our active holiday calendar. We use our messaging apps to connect with friends on the go, and our banking apps to balance accounts, as well as send and receive money from loved ones. We need our apps to make the holidays happen, which, unfortunately, makes the new LokiBot malware the perfect Trojan horse to infiltrate your mobile device.

What is Lokibot?

Lokibot is a new Android banking Trojan that’s targeting mobile banking applications and communication apps like WhatsApp, Skype, and Outlook. Much like its banking Trojan counterparts, Lokibot disguises itself as the login screen of your banking app, hoping to trick you into giving it administrative access. Once it has access, it can use your browser and SMS texts against you to share your personal information with cybercriminals and spread spam to all of your contacts. According to researchers, this Trojan has targeted at least 119 apps already.

How Does Lokibot work?

Lokibot is like an unwanted guest: it just won’t leave. When users realize they’ve been duped and try to remove the Trojan’s administrative privileges, it automatically locks the device and turns into ransomware. Fortunately, the Lokibot ransomware feature is faulty and has only been successful at renaming files instead of encrypting them. Unfortunately, Lokibot still has the ability to lock you out of your phone.

How do I protect myself?

The good news is that if your device has been infected, you can give Lokibot the boot by putting your phone into Safe Mode and removing the malicious application along with its admin user privileges. When it comes to cybersecurity, everybody knows that the best defense is a good offense. You can keep your devices safe by following these tips:

  • Don’t fall for the money bait. If you see an unanticipated “deposit” notification from your banking app, contact your bank directly. Lokibot is known to use fake notifications to lure unsuspecting users into its trap.
  • Keep an eye out for fishy-looking login screens. Trojans are masters of disguise and often gain access when users enter their login credentials into what appears to be a trusted app. If it looks suspicious, proceed with caution.
  • Download your apps from a legitimate source. Google Play has strong security standards for its applications. If an app is no longer supported in the Play Store, you should delete it immediately.

Following these steps will help keep you out of Lokibot’s way, so you can enjoy your busy holiday season.

Can’t get enough mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post Warning: Lokibot Is Looking to Access Your Android appeared first on McAfee Blogs.

Marcher Malware Uses Both Credential and Credit Card Phishing to Steal Financial Data

Actors turned models turned singers — pretty much the definition of a “triple threat” in the entertainment industry. However, the definition changes a bit for the cybersecurity space, as Android users are faced with a different type of “triple threat.” In fact, it’s a new attack campaign involving three malicious tactics: credential phishing, credit card data theft, and the Marcher banking trojan.

What is it and how does it work?

The newest form of Marcher pairs credential and credit card phishing with banking Trojans in one multi-step scheme. The attack starts with a phishing email containing a bit.ly link to a fake version of the Bank Austria login page, which was registered under a variety of domains containing “bankaustria” in the name in order to give the appearance of legitimacy. Upon opening the page, users are asked to supply their customer details, email, and phone number, which gives the attackers what they need for the next stage of the attack.

Leveraging the customer data provided by the unknowing user, the attack intimidates the victim into downloading the “new Bank Austria” app, which is in fact a fake app. The user is then directed to a link for the app download. Once installed, the app asks for permission to access a plethora of personal data and device settings, and places a legitimate-looking icon on the phone’s home screen. Mind you, the app and everything involved in the campaign uses stolen branding from Bank Austria, so it’s easy to believe that this scam is the real thing.

Finally, Marcher moves onto data collection. But it’s important to remember — this version of Marcher isn’t just a banking trojan, it also enables the direct theft of credit card details. Plus, beyond stealing credit card info and banking details, the threat also goes after date of birth, address, and password data.

How do I protect myself?

So far, it’s been reported that this campaign has tricked almost 20,000 people into divulging their personal information. Plus, new campaigns targeting Raiffeisen and Sparkasse banks are already underway. Therefore, the next step is to start thinking about protection. To ensure your personal and financial information stays secure, follow these tips:

  • Be careful what you click on. This malware, like many others before it, was distributed via phishing emails. Be sure to only click on emails that you are sure came from a trusted source. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message.
  • Always use legitimate app stores. This malware campaign depends on victims downloading a fake app outside of a legitimate app store. It’s crucial users only download applications by heading directly to official stores, like Google Play or the Apple App store, to ensure they don’t become part of larger malware schemes like Marcher.
  • Place a fraud alert. If you know your data has been compromised by this attack, be sure to place a fraud alert on your credit so that any new or recent requests undergo scrutiny. It’s important to note that this also entitles you to extra copies of your credit report so you can check for anything sketchy. And if you find an account you did not open, make sure you report it to the police or Federal Trade Commission, as well as the creditor involved so you can put an end to the fraudulent account.
  • Use a mobile security solution. As malware campaigns continue to infect mobile devices, be sure to cover these devices with a mobile security solution, such as McAfee Mobile Security, which is prepared to protect your data from Marcher malware and others like it.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Marcher Malware Uses Both Credential and Credit Card Phishing to Steal Financial Data appeared first on McAfee Blogs.

Malware Outlook 2018: Android, Beware of Ransomware!

2017 is almost history already, and with it begins the season of year-end reviews. SophosLabs has analyzed the malware of 2017 and produced forecasts. A dominant security topic in 2017 is malware for mobile devices, primarily for Android. SophosLabs estimates that there will be around 10 million suspicious Android apps by the end of 2017, including ransomware such as, for example […]

Secret Selfies: iPhone Apps Can Take Pictures and Videos of You Without Your Knowledge

“Let’s take a selfie” has become quite the popular request in 2017. Most everyone captures the occasional self-portrait using the reverse camera setting on the iPhone. But what happens if there are selfies occurring without your knowledge? And no, we’re not talking about paparazzi photos or some reality show. We’re talking about your iPhone, which has been discovered to include a feature allowing any app that has permission to access the phone’s camera to secretly take pictures and videos of you as long as it is running in the foreground.

So, how did this discovery first come to light? A developer from Google detailed a proof-of-concept project in his blog, and showed iPhone users that even if you don’t see the camera “open” in the form of an on-screen viewfinder, an app can still take photos and videos of you pretty much at any time. Also, it’s important to note that this discovery is not a bug, but likely intended behavior.

So, what exactly can this feature do? Once you grant an app access to your camera, it can:

  • Record you at any time the app is in the foreground
  • Take pictures and videos without telling you
  • Upload the pictures/videos it takes immediately
  • Run real-time face recognition to detect facial features or expressions

Clearly, the feature has some potential for abuse, especially since most of us assume the camera is only in use if we see camera content on screen or an LED is blinking, and the iPhone has no mechanism to indicate to a user that the camera is on.

So beyond staying aware of this feature, it’s important you take precautionary steps to safeguard your personal privacy. To do just that, follow these tips:

  • Use camera covers. Though this trick might seem a little old school, it’s still just as effective, as it allows you to be selective when you want your face to be seen. There’s a variety of camera covers you can purchase online, or you can even use a sticky note.
  • Get picky with what apps get camera access. When you first download an app, you’ll get a notification requesting camera access. Unless it requires it, or you truly want the app to have it, don’t provide the app with access. Mind you, you can also revoke camera access for all apps. Also, when possible, always use the built-in camera app and use the image picker of each app to select the photo.
  • Use a mobile security solution. Even though this feature was not a bug, it is important to always secure the personal data stored on your phone in case this trick gets into the wrong hands. Add an extra layer of security onto your phone with a mobile security solution, such as McAfee Mobile Security.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post Secret Selfies: iPhone Apps Can Take Pictures and Videos of You Without Your Knowledge appeared first on McAfee Blogs.

Working 9 to 5 on Mobile Security

I love watching old movies, like the classic “9 to 5” and realizing how antiquated the tools used in the workplace are. Rolodexes, typewriters and fax machines – oh my! While devices like these were the standard of their time, technology has evolved, bringing in new equipment that allows employees to be more efficient, but also brings about security concerns.

In the age of technology, there is a growing trend around Bring Your Own Device or BYOD, specifically with mobile devices in the workplace. Companies want employees to have the flexibility to use devices they’re comfortable with, but placing gadgets in the hands of employees can take a turn for the worse.

Security breaches happen, but often times, the source of a breach comes from an internal employee. Think about it. If you use your device (that has data from your work) to check your email and get caught up in a phishing scam or ransomware attack, your company information is exposed.

Most companies do as much as they can to keep their data secure, but what can you do as an employee to make sure you’re keeping yourself and your company safe from threats? Here are some strategies that can potentially reduce the risk of a mobile security breach:

  • Ask questions: Think there’s something fishy or insecure on your phone? Talk to your IT department; they’ll be more than happy to help you stay secure.
  • Pay attention: If your company has an internal training or guide to keeping your devices safe, tune in. As our devices evolve, so do security methods.
  • Follow protocol: If you’re the victim of an attack, be sure to follow the directives of your IT team and alert them as fast as you can. A quick response to a threat can help to minimize the damage.

Of course, good mobile security hygiene wouldn’t be complete without simple best practices that you can implement every day:

  • Multi-factor authentication: Keep your devices and your accounts (social media channels, emails, etc.) secure with an added layer of security.
  • Complex passwords: It’s 2017; you know better than to have “password” or “1234” as a safeguard for your devices.
  • Selective Wi-Fi: Avoid connecting to unsecure Wi-Fi, especially if you plan on connecting to an internal corporate system.
  • Security, security, and security: Always use comprehensive security software to protect your personal devices. If your company provides you with a device, be sure to follow their directives on the type of security to load on your device.

Can’t get enough mobile security tips and trends? Follow @McAfee_Home on Twitter, and like us on Facebook.

The post Working 9 to 5 on Mobile Security appeared first on McAfee Blogs.

Artificial Intelligence: Friend Or Foe?

The future of cyber safety and personal development lies in the partnership between humans and machines.

While our primary interactions with the digital world today may be through our PCs, laptops, smartphones, and smart watches, in the future they will become much more sophisticated.

Overall, the digital world will inevitably become a lot less cumbersome and confusing. A large number of the purposeful decisions we are forced to make every day will be made for us by digital assistants powered by artificial intelligence. For some this will sound scary or unsettling, but there are actually incredibly significant benefits that these new technologies will bring in streamlining the ways we associate with the ever more pervasive, digitally-connected world … all the while keeping us safe.

Contrary to popular belief, our cyber safety is not usually compromised by some “dark force” hacking away at our online lives and personas, in an unknown or unspecified location. It’s more often because we, as individuals, have developed a casual approach to what needs to be done to keep ourselves and our families safe when we’re online.

That’s not to suggest that anyone is “at fault”. The speed at which technology constantly develops means that it’s getting harder and harder to keep up with the healthy online practices that would keep us all digitally savvy.

In the future, much of what will be required of us to remain safe online could actually be offloaded to these increasingly present, artificially intelligent digital assistants, thus removing the boring part of having to improve security at the cost of an enjoyable and exciting user experience.

Looking at this further, we can even see that digitally-powered situational awareness around cyber safety could be combined with behavioural analysis to make for more educated, intelligent human beings.

For example, scientifically-proven behavioural and psychological research could be applied to help shape, guide or restrict kids and developing adults’ interactions with the digital world, with the appropriate levels of intervention from parents. In this way, we would be able to create situations where computers are no longer the enemy of conscientious parents, and actually become a positive influence and assistance in helping to raise healthy, well-balanced young people.

Computers – in all their forms – are often an area of great uncertainty, confusion and, even, anxiety for parents. Take screen-time, for example. It’s a commonly debated topic. Are kids spending too much time in front of screens? What are the social, psychological, and future-professional ramifications of social media? Are there other things I should be worrying about that I’m not aware of? These are just some of the questions commonly asked by parents, and they will evolve as technology changes.

Imagine if a digital assistant powered by artificial intelligence, which is programmed by scientific research around brain and human development, could interject at crucial points during a child’s interaction with digital content to educate them. It could tell them to perform a chore before allowing more online access. Or limit their screen time when a scientifically-proven or parent-enforced limit has been reached. All the while keeping them safe online. Parents should be able to set guidelines and goals, and use digital assistants to see that these are met.

This week is Stay Smart Online Week, and it serves as a timely reminder that the challenge, in a rapidly developing, hyper-connected world, is in having to keep up with an increasing number of technologies. The way forward is in allowing the machines to aid ourselves and our kids in our quest to be smarter, safer, and future-proofed in a rapidly accelerating digital landscape.

The post Artificial Intelligence: Friend Or Foe? appeared first on McAfee Blogs.

Back That App Up: Gaining Root on the Lenovo Vibe

In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should work with Motorola, who it had acquired and was now responsible for Lenovo’s mobile product portfolio. Mandiant then disclosed the vulnerabilities to Motorola for correction. The vulnerabilities discovered by Mandiant’s Red Team were as follows:

  • Local backups enabled in Lenovo “Security” application (CVE-2017-3750)
  • Local backups enabled in Lenovo “Idea Friend” application (CVE-2017-3749)
  • Improper access controls in “nac_server” binary (CVE-2017-3748)

The official Lenovo advisory that includes the affected devices and software versions can be found on Motorola’s website. Motorola has indicated that these vulnerabilities have since been patched, and the company supported Mandiant regarding the release of this post.

We have provided general details in an FAQ, and a technical analysis of the vulnerabilities follows.

FAQ

What devices are affected and (potentially) how many devices are affected?

The vulnerabilities described in this post affect a subset of Lenovo-branded devices. A full list of the affected devices can be found within Motorola’s official advisory. Note that the vulnerabilities described in this post do not affect the Android Open Source Project (“AOSP”) developed by Google.

How is the issue being addressed?

Motorola has redesigned the affected mechanism to use a more secure process.

How would an attacker exploit these vulnerabilities?

The described exploit chain requires local, physical access to a device. Therefore, it is very unlikely that this exploit will be seen “in the wild”. Users are recommended to update their devices to the most recent software package provided by Lenovo, and to protect their devices using strong lock screen settings.

Who discovered these vulnerabilities?

Jake Valletta (@jake_valletta)

Technical Analysis

Now we will walk through the exploitation process Mandiant’s Red Team used to obtain code execution as the user “root” by chaining the disclosed vulnerabilities together in a unique way.

Identifying Our Target: “nac_server”

A popular process for escalating privileges on Android devices is to enumerate locally listening sockets. While AF_INET sockets (think IP addresses and TCP/UDP ports) listening locally are rare on Android devices, AF_UNIX sockets (referred to from here on as “UNIX sockets”) are used frequently by native Android daemons, including “netd”, “installd”, and “vold”, most of which run with elevated privileges. UNIX sockets are represented as files on the filesystem, and are typically bound to socket-type files in the “/dev/socket/” directory. A specific subset of UNIX sockets bind to the abstract namespace (which is not backed by a file on the filesystem), and are denoted with a leading ‘@’ character, such as “@android:debuggerd32” and “@jdwp-control”.

Using the “netstat” module of the “busybox” utility on a test Vibe, we can note interesting abstract sockets that do not appear to be part of the Android Open Source Project (“AOSP”), as highlighted in Figure 1. Note that we’ll be using the Android Debug Bridge (“adb”) to interface with a test Lenovo Vibe throughout the post.


Figure 1: Abstract sockets on test Lenovo Vibe device

To find the binary that may be responsible for these UNIX sockets, a string search across all DEX bytecode and binaries on the device can be useful. A string search across system binaries (located on the device in the directories “/system/bin/”, “/vendor/bin/”, and “/system/xbin/”) indicated that the strings “nac_server”, “nac_safe_server”, and “supercmdlocalsocket” were all present in the binary file “/system/bin/nac_server”, a non-AOSP binary.

To confirm this, we can extract and view the “/init.rc” file present on the Vibe. In this file, we can see that Lenovo added an init service called “nac_server”, shown in Figure 2.


Figure 2: “nac_server” service defined in “/init.rc” file

The “init” process registers the “nac_server” service and runs as the user “root” at system boot. We can confirm this by checking the “init.svc.nac_server” system property and by viewing the running processes on a test device, shown in Figure 3 and Figure 4 respectively. It is also important to note that the “nac_server” binary was running under the SE for Android (“SEAndroid”) context “nac_server”.


Figure 3: Checking “init.svc.nac_server” system property


Figure 4: “nac_server” process running as “root” user and “nac_server” SEAndroid context

Since we know this process runs as a privileged process and listens on UNIX sockets, we shifted our analysis to the “nac_server” binary to understand its full capabilities.

Binary Analysis of the “nac_server”

To map out the capabilities of the “nac_server” binary, Mandiant’s Red Team worked alongside FireEye Labs Advanced Reverse Engineers (“FLARE”) (shoutout to @m_r_tz). As stated above, the “init” process starts “/system/bin/nac_server” at system boot as the user “root”. Once started, “nac_server” spawns three threads, each bound to an abstract UNIX socket: “nac_server”, “nac_safe_server”, and “supercmdlocalsocket”. Each of these threads expects to receive a file path from a client across the socket. “nac_server” then performs the following security checks based on the file path:

  • Tokenizes the file path based on “/”, and assumes the third element is the calling package name, and the fourth argument the file to execute. The package name is then checked against a whitelist, shown in Figure 5.


Figure 5: Whitelisted Lenovo-branded applications in “nac_server”

  • Parses the “/data/system/packages.xml” file to check if the calling package name is installed and the signature matches a list of internal signatures. One of the allowed signatures is depicted in Figure 6.


Figure 6: Hardcoded package signature in “nac_server”

After validating the file path, “nac_server” copies the file from the fourth argument to the directory “/data/local/root_channel/[package_name]”, sets the SEAndroid context to “root_channel”, and then executes the file using the “system(..)” function as the user “root”. We’ll be exploring the significance and capabilities of the “root_channel” SEAndroid context in the following section.

In short, the “nac_server” binary provides a mechanism for applications signed by Lenovo to execute files as a privileged process and context. There are obvious malicious reasons to include this functionality; however, Mandiant’s research suggests that Lenovo used this functionality to create custom “iptables” firewall rules from the Android runtime.

Because the “nac_server” falsely assumes the caller is the third token of the file path, we are able to confuse the service and feed it a file that we control (CVE-2017-3748).
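To make the design flaw concrete, here is an added example (not code from the post or from Lenovo) that models the check the post describes in Python: the caller's identity is taken from the client-supplied path, so a whitelisted package name in the path is accepted no matter who sent it. The hardened variant identifies the caller from kernel peer credentials (SO_PEERCRED on Linux) and confines the requested file to the caller's own data directory; the whitelisted package name comes from the post, while the UID-to-package table and the exact token positions are assumptions.

```python
import posixpath
import socket
import struct

# Whitelisted caller taken from the post; the UID-to-package table is a
# constructed stand-in for what a real service would derive from packages.xml.
WHITELIST = {"com.lenovo.security"}
UID_TO_PKG = {10060: "com.lenovo.security", 10050: "com.lenovo.ideafriend"}


def split_tokens(path):
    """strtok-style split on '/', dropping empty components."""
    return [t for t in path.split("/") if t]


def vulnerable_authorize(path):
    """Model of the nac_server check as the post describes it (assumed token
    positions): the caller identity is read out of the client-supplied path,
    so any client that can reach the socket may name a whitelisted package it
    does not own. The signature check is omitted here because it only proves
    the named package is installed, not who sent the request."""
    tokens = split_tokens(path)
    if len(tokens) < 4:
        return False
    package = tokens[2]          # the post: third element is taken as the caller
    return package in WHITELIST


def peer_uid(conn):
    """Read the connecting process's UID from the kernel (Linux SO_PEERCRED),
    which a client cannot spoof. Not exercised by the offline checks below."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def hardened_authorize(path, caller_uid, uid_to_pkg=UID_TO_PKG):
    """Identify the caller from peer credentials, then confine the requested
    file to that caller's own data directory. This closes the identity
    confusion only; running a client-chosen file as root at all is the model
    the post's conclusion argues against."""
    caller = uid_to_pkg.get(caller_uid)
    if caller is None or caller not in WHITELIST:
        return False
    normalized = posixpath.normpath(path)
    if normalized != path:                    # reject '..', '//' and './'
        return False
    own_dir = "/data/data/%s/" % caller
    return normalized.startswith(own_dir)
```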

Understanding SEAndroid Contexts

SEAndroid is a security feature added to Android devices starting in Android 4.3 (“Jelly Bean”). One of the key reasons for adopting SEAndroid was to provide granular security control of powerful UIDs such as those associated with “system”, “radio”, and “root”. Note that this section will not be a complete tutorial on SEAndroid (a more comprehensive description of SEAndroid can be found here). The SEAndroid-related files for our analysis are as follows:

  • /sepolicy – Binary kernel policy file loaded at system boot
  • /seapp_contexts – Rules for determining the SEAndroid domain and type of Android applications
  • /etc/security/mac_permissions.xml – x.509 certificate information to determine the correct domain to apply when the Zygote process spawns a new application (more information on the Zygote process can be found here)

“nac_server” UNIX Socket Analysis

Unfortunately for us, attempting to connect to any of the three aforementioned UNIX sockets as the built-in “shell” user results in SEAndroid policy violation. Figure 7 shows a “Permission denied” error when we attempted to connect to the UNIX socket “supercmdlocalsocket” using the “socat” utility.


Figure 7: Attempting to connect to “supercmdlocalsocket” abstract socket using “socat”

Figure 8 shows the SEAndroid policy violation captured in the Android log buffers.


Figure 8: Policy violation included in Android log buffers

In Figure 8, we see that the operating system denied the source context “shell”, the “connectto” permission of the “unix_stream_socket” class for the “nac_server” type. As a researcher, we now want to know: who can access this permission? To answer this, we can use the “sesearch” utility as follows:


Figure 9: Performing lookup for “connectto” permission using “sesearch”

Running this tool indicates that three SEAndroid domains possess the correct permission: “system_app”, “platform_app”, and “unconfineddomain”. Fortunately, there are over 100 applications running in either the “platform_app” or “system_app” security domain. Based on this, our next goal is to achieve code execution in either the “system_app” or the “platform_app” domains so that we can connect to the “nac_server” UNIX sockets.
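The denial in Figure 8 is also a detection opportunity: an unprivileged domain probing a privileged daemon's socket is exactly the kind of event worth surfacing from the log buffers. The following added example (not part of the post) parses SELinux denial lines in the form Android writes them to logcat and filters for attempts against a given target type; the log excerpt is constructed, with the first line mirroring the shell-to-nac_server denial the post describes.

```python
import re
from collections import Counter

# Constructed logcat excerpt in the form Android writes SELinux denials.
SAMPLE_LOGCAT = """\
05-10 14:02:11.123  4321  4321 W socat   : type=1400 audit(0.0:57): avc: denied { connectto } for path="@supercmdlocalsocket" scontext=u:r:shell:s0 tcontext=u:r:nac_server:s0 tclass=unix_stream_socket permissive=0
05-10 14:02:12.010  1200  1200 I ActivityManager: Start proc 5555:com.example.app/u0a77 for activity com.example.app/.MainActivity
05-10 14:02:13.456  5555  5555 W app_process: type=1400 audit(0.0:58): avc: denied { read open } for name="packages.xml" dev="mmcblk0p23" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
05-10 14:02:15.000  4321  4321 W socat   : type=1400 audit(0.0:59): avc: denied { connectto } for path="@nac_safe_server" scontext=u:r:shell:s0 tcontext=u:r:nac_server:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one 'avc: denied' line, or None for other log lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {"perms": m.group("perms").split(), **fields}
    # u:r:shell:s0 -> the type (domain) is the third colon-separated field
    for side in ("scontext", "tcontext"):
        if side in rec:
            parts = rec[side].split(":")
            rec[side + "_type"] = parts[2] if len(parts) > 2 else rec[side]
    return rec


def parse_logcat(text):
    return [r for r in (parse_avc_line(l) for l in text.splitlines()) if r]


def denials_against(records, target_type, tclass=None):
    """Denials whose target is the given SEAndroid type, e.g. a privileged
    daemon's socket; a run of these from a low-privilege domain is a probe."""
    return [r for r in records
            if r.get("tcontext_type") == target_type
            and (tclass is None or r.get("tclass") == tclass)]


def summarize(records):
    """Count (source domain, permissions, target type, class) tuples so a
    triage view shows who is knocking on what."""
    return Counter((r["scontext_type"], " ".join(r["perms"]),
                    r["tcontext_type"], r.get("tclass")) for r in records)


if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOGCAT)
    for key, n in summarize(recs).most_common():
        print(n, key)
```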

“root_channel” Analysis

It is also worth exploring the capabilities of the “root_channel” SEAndroid context that the “nac_server” binary applies just prior to executing the command. On the Lenovo Vibe, the “root_channel” context is quite powerful, and includes full access to application data and Android runtime and write access to the “/data/” filesystem. What this context lacks is the ability to mount or remount filesystems and disable SEAndroid (we will leave this as an exercise for the reader).

Triggering the “nac_server” Bug via Local Backups

Android introduced local backups in Android 2.2 (“Froyo”). Local backups allow a user with physical access to a device with USB debugging enabled to download application data for specific applications and restore this data back to the device. Determination of whether an application can be backed up is controlled by the “android:backupAllowed” attribute within an application’s “AndroidManifest.xml” file. By default, this value is set to “true” for all applications except applications running as the shared UID “android.uid.system”.

To create a backup of an application locally, we can use the “adb” command “backup” shown in Figure 10.


Figure 10: Creating a local backup for the “com.some.app” application using “adb”

These local backups can then be unpacked using the open-source Android Backup Extractor (“abe”) and the “tar” utility. Since these backups are not signed, we are free to make changes to the backup, such as edit configuration files or even add new files entirely. To repackage the backup, we can reverse the steps and use “tar” (or the “pax” utility), “abe”, and finally the “adb” command “restore” to restore the backup on our device. Figure 11 shows the command to restore a backup.


Figure 11: Restoring new local backup using “adb”

Abusing Backups Part 1: Code Execution (CVE-2017-3749)

One particularly dangerous side effect of allowing local backups is that a malicious user can modify an application’s private files without the application knowing. This typically includes modifying configuration files to alter the behavior of the application (like changing your Angry Bird high score data), but in more rare cases, an attacker can modify supplemental DEX bytecode included as part of an application to take full control of an application. Note that an application’s primary DEX bytecode is processed upon installation and stored outside of the application’s data directory, so it is not a target.
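Because these archives are unsigned, a defender can apply the same unpacking the post does with “abe” and “tar” to inspect a backup before it is restored, or to audit what an app's backup would hand out. The added example below (not code from the post, abe, or Lenovo) reads an unencrypted “adb backup” archive (header lines followed by a zlib-compressed tar) and flags executable content of the kinds the post shows being smuggled in: shell scripts, ELF/OAT files, DEX, and JARs carrying classes. The sample archive and the package name com.example.app are constructed.

```python
import io
import tarfile
import zipfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def build_sample_backup():
    """Constructed unencrypted 'adb backup' archive for a hypothetical app:
    one harmless config file next to a shell script, an ELF file in the
    app's OAT directory, and a JAR containing DEX bytecode."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        def add(name, data, mode=0o600):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
        add("apps/com.example.app/_manifest", b"com.example.app\n")
        add("apps/com.example.app/f/settings.json", b'{"theme": "dark"}')
        add("apps/com.example.app/f/go.sh", b"#!/system/bin/sh\necho hello\n", 0o755)
        add("apps/com.example.app/r/app_outdex/plugin.dex", b"\x7fELF" + b"\x00" * 60)
        jar = io.BytesIO()
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        add("apps/com.example.app/f/parse/plugin.jar", jar.getvalue())
    # header: magic, format version, compressed flag, encryption, then zlib body
    return b"%s\n1\n1\nnone\n" % AB_MAGIC + zlib.compress(tar_buf.getvalue())


def open_backup(ab_bytes):
    """Parse the four header lines and return the inner tar archive."""
    magic, _version, compressed, encryption, body = ab_bytes.split(b"\n", 4)
    if magic != AB_MAGIC:
        raise ValueError("not an Android backup archive")
    if encryption != b"none":
        raise ValueError("password-encrypted backup; decrypt with abe first")
    data = zlib.decompress(body) if compressed == b"1" else body
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")


def classify_payload(data):
    """Identify executable content by magic bytes rather than by extension."""
    if data.startswith(b"\x7fELF"):
        return "elf"            # native library, or an OAT file as in the post
    if data.startswith(b"dex\n"):
        return "dex"
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.endswith((".dex", ".class")) for n in z.namelist()):
                    return "jar"
        except zipfile.BadZipFile:
            pass
    return None


def scan_backup(ab_bytes):
    """Return (member name, kind) for every file that carries code or an
    executable bit; a clean app-data backup should yield an empty list."""
    findings = []
    with open_backup(ab_bytes) as tar:
        for member in tar:
            if not member.isfile():
                continue
            kind = classify_payload(tar.extractfile(member).read())
            if kind is None and member.mode & 0o111:
                kind = "exec-bit"
            if kind:
                findings.append((member.name, kind))
    return findings


if __name__ == "__main__":
    for name, kind in scan_backup(build_sample_backup()):
        print(kind, name)
```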

This is the case for the Idea Friend application (“com.lenovo.ideafriend”), which is the Lenovo-branded contact manager application. This application did not run as a privileged UID, but it did run in the “platform_app” SEAndroid domain, shown in Figure 12.


Figure 12: “com.lenovo.ideafriend” application running in “platform_app” security context

Identifying and Modifying Supplemental Bytecode

If we create a local backup for the Idea Friend application using the aforementioned process, we will notice the directory “f/parse/” (which corresponds to “/data/data/com.lenovo.ideafriend/files/parse/” on a test device) contains 14 signed Java JAR archives, each containing DEX bytecode, as shown in Figure 13.


Figure 13: JAR archives included in “f/parse/” directory of Idea Friend backup

The DEX code included in the JAR files “ParseUtilBubble_8.jar” and “parseUtilMain_8.jar” is loaded dynamically by the Idea Friend application when launched, which means that if we can modify these JAR files, we can execute arbitrary code as the Idea Friend application. These JAR files are signed, which does not permit us to modify the contents of the archives; however, because our test device utilizes the Android Runtime (“ART”), the operating system automatically optimizes DEX bytecode using “dex2oat” to produce an unsigned ELF binary. To confirm this behavior, we can see two OAT files in the directory “r/app_outdex” (which corresponds to “/data/data/com.lenovo.ideafriend/app_outdex/” on a test device). Figure 14 shows the OAT binaries optimized from the JAR files “ParseUtilBubble_8.jar” and “parseUtilMain_8.jar” found in the directory “r/app_outdex/”, and Figure 15 confirms that these are ELF binaries (the file format used by ART).


Figure 14: Optimized OAT binaries in Idea Friend backup


Figure 15: Determining file type of ART binaries

Using techniques described in the Black Hat Asia 2014 white paper “Hiding Behind ART”, it is possible to create our own OAT ELF binaries given the original DEX bytecode. The process is summarized as follows:

  1. Disassemble the existing DEX bytecode. For this, we can use “baksmali”.
  2. Modify the disassembled DEX bytecode. In our case, we are going to add a LocalSocket client to connect to the UNIX socket “supercmdlocalsocket” within a method we know will be called by the Idea Friend application (keep reading for more on this).
  3. Reassemble the new DEX. We can use “smali” for this.
  4. Push the new DEX bytecode to our device with a filename that matches the exact length of the destination filename. For example, if our destination filename is “/data/data/com.lenovo.ideafriend/app_outdex/parseUtilMain_8.dex”, we need to push a file with the exact filename size of 63, or “/data/local/tmp/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.jar”. This is important for a later step.
  5. Manually invoke the “dex2oat” utility on our test device against the DEX bytecode to generate an optimized OAT file.
  6. Pull the new OAT binary from the test device.
  7. Replace the padded filename (which corresponds to the “dex_file_location_data” field) in the OAT DEX file header with the original file path. Note that because we padded it to the proper length, this will not affect any offsets in the binary. A text editor such as vim or 010 works here.
  8. Reset the “dex_file_location_checksum” CRC32 checksum in the DEX header to be that of the original OAT binary. For this, we can use “dexdump” to obtain the checksum, and “dd” to replace it.

We will use this process in conjunction with a local backup for the Idea Friend application to connect to one of the UNIX sockets exposed by the “nac_server” binary. First, we will need to modify one of the JAR files and insert our malicious code.

Creating the Socket Client

Our first step is to generate the bytecode to connect to one of the “nac_server”’s abstract UNIX socket. For this example, we have chosen to use the “supercmdlocalsocket” UNIX socket. We start by creating a Java class similar to Figure 16.


Figure 16: “run()” method written in Java to connect to “supercmdlocalsocket” abstract UNIX socket

We can then compile this class, convert the class to DEX bytecode, and then disassemble using “smali”. Next, we find an opportune location to place this function.

Inserting the Hook

By performing static and dynamic analysis on the Idea Friend application, we determined that the Idea Friend application executed the method “getBubbleViewVersion(..)” of the class “cn.com.xy.sms.sdk.Iservice.ParseUtilBubble” contained in the JAR “parseUtilBubble_8.jar” when the application was launched. Knowing this, we add our malicious code to this class, and insert our hook in the “getBubbleViewVersion(..)” method, as shown in Figure 17 and Figure 18.


Figure 17: Hook in “getBubbleViewVersion(..)” to call malicious code


Figure 18: “run()” method written in disassembled Dalvik to connect to “supercmdlocalsocket”

We can then perform steps 3-8 in the previously described process to generate our new ELF and restore our modified backup. All that remains now is to stage our malicious payload to be executed by the “nac_server” binary.

Abusing Backups Part 2: Staging a Payload (CVE-2017-3750)

We know that the Idea Friend application can communicate with the “nac_server” UNIX sockets, but unfortunately, the Idea Friend application is not in the whitelist checked by the “nac_server” binary. This means we will need to find a second application to stage our payload. By comparing the list of applications in the whitelist of “nac_server” (Figure 5) against applications that allow local backups, we can determine a few potential targets. We will use the Lenovo Security application (“com.lenovo.security”) as our target.

We will first follow the process outlined in the section “Abusing Backups Part 1: Code Execution” to generate a local backup for the Lenovo Security application. We then modify the backup to include the “go.sh” shell script depicted in Figure 19. The “go.sh” script will simply start a telnet server on TCP port 1234 when executed.


Figure 19: Contents of “go.sh”

After re-packaging and restoring the backup, we can confirm that the file has been pushed to the device successfully using “ls”:


Figure 20: Successfully pushed “go.sh” to Lenovo Security application

Chaining the Vulnerabilities

With our chain of vulnerabilities mapped out, we can now trigger the exploit with the following steps:

  1. Launch the Settings application and clear the application data for the Idea Friend application. This removes any legitimate OAT binaries that may already exist.
  2. Create a local backup of the Lenovo Security application.
  3. Modify the local backup to contain the “go.sh” payload.
  4. Restore the modified backup to the device.
  5. Create a local backup of the Idea Friend application.
  6. Modify the local backup to include our malicious OAT binary.
  7. Restore the modified backup to the device.
  8. Launch the Idea Friend application. Since the OAT binaries already exist (and appear valid), the application will execute our code. This will cause the Idea Friend application to connect to the UNIX sockets exposed by “nac_server” and pass the file path of our staged payload, “go.sh”. The “nac_server” will then execute our payload, starting the telnetd server.
  9. Connect to the device using a telnet connection.

Figure 21 depicts this process, and shows the output of the command “id”, indicating that we have code execution as the user “root”, with SEAndroid context of “root_channel”.


Figure 21: Running as UID “root” and “root_channel” SEAndroid context

Conclusions

Platform developers should exercise caution when exposing sensitive functionality using abstract UNIX sockets. Instead, use file-based UNIX sockets with the proper filesystem permissions and SEAndroid policy, in conjunction with privileged Android system services, to create a more structured and secure model. Based on follow-up analysis, this is the model that Motorola has decided to use.

In addition, allowing backups on privileged applications can also be detrimental and should be disallowed. Just because an application is not running as a privileged Android user ID such as “android.uid.system”, does not mean that it cannot introduce vulnerabilities and be used to escalate privileges. Finally, applications should never allow executable code (Java classes, ELF binaries, or shared objects) within backups. This can be limited using a BackupAgent.

What are you doing? – DSEncrypt Malware

Executive Summary

Have you ever downloaded and installed a large Android application that had very few actual UI elements or functionality? Recently, FireEye Labs mobile security researchers have discovered a new kind of mobile malware that encrypts an embedded Android application with an attachment in an asset folder – concealing all malicious activities within a seemingly benign application.

The malware app disguises itself as the Google Play store app, placing its similar icon close to the real Google Play store icon on the homescreen. Once installed, the hacker uses a dynamic DNS server together with Gmail over SSL to collect text messages, signature certificates and bank passwords from the Android devices.

The relationship between the main application, the attached application and the malicious classes are shown below.

Fig. 1. The relationship of the masked app and the embedded malware.

The malware package name is com.sdwiurse and the app title is “google app stoy.” Android users can’t remove the app once the device is infected because the “uninstall” function is disabled and the app continues to run as services in the background. These services can be killed manually but will restart once the Android phone is restarted.

Owing to the unique nature of how the malware is packaged, as of June 13, 2014, the Virus Total score for this app is only 3 out of 51 anti-virus vendors. Because most vendors only use signature-based algorithms to detect malware, they fail to detect the malicious content concealed within apps that appear to be basic or run-of-the-mill.

Fig. 2. The Virus Total detection out of 51 AV vendors. The score was taken on 06/13/2014.

The app we observed only has 711 lines of code but is over 1.7MB in size upon downloading. The single largest file, named “ds,” is embedded in the asset folder and is 597KB. After decryption and decompression, however, the real dex package file expands up to 2.2MB with the full malware. The small amount of code in the superficial app is one of the evasion techniques used by the hackers to mask the malicious classes that swell the app’s size.
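The mismatch the post points out, very little DEX code next to a large opaque asset, is something a triage script can measure without signatures. The following added example (not part of the FireEye post) builds a constructed APK in memory, computes the Shannon entropy of each asset, and flags large, high-entropy assets relative to the size of the app's own bytecode; the thresholds are assumptions chosen for this demonstration.

```python
import io
import math
import os
import zipfile
from collections import Counter


def shannon_entropy(data):
    """Bits per byte; ~8.0 for encrypted or well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_apk():
    """Constructed APK: a tiny classes.dex, a plain-text resource, and a
    large random asset standing in for an encrypted embedded package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 6000)
        z.writestr("assets/readme.txt", b"hello world " * 3000)
        z.writestr("assets/ds", os.urandom(60000))
    return buf.getvalue()


def triage_apk(apk_bytes, entropy_threshold=7.5, min_size=32 * 1024):
    """Flag assets that are both large and close to random, and report how
    they compare to the size of the app's DEX code (assumed thresholds)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        dex_bytes = sum(i.file_size for i in infos if i.filename.endswith(".dex"))
        suspicious = []
        for info in infos:
            if not info.filename.startswith("assets/"):
                continue
            data = z.read(info.filename)
            ent = shannon_entropy(data)
            if info.file_size >= min_size and ent >= entropy_threshold:
                suspicious.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "entropy": round(ent, 2),
                    "ratio_to_dex": round(info.file_size / max(dex_bytes, 1), 1),
                })
    return {"dex_bytes": dex_bytes, "suspicious_assets": suspicious}


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Entropy alone also fires on legitimate compressed media, so the ratio of opaque asset bytes to bytecode is the more telling signal for the pattern described here.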

User Experience

After installation, a new icon of “google app stoy” is shown on the Android homescreen. The icon is the same as “Google Play” to confuse users into clicking it. Once clicked, the app asks for administrator privileges of the device as shown in Figure 3.

Fig. 3. The newly installed icon on the Android desktop and the activation page.

When we observe the app in action, the sole user interface for the app consists of pop-ups saying “Program Error” and “It’s Deleted!” when translated to English from Korean. Next, the app terminates and a notification message appears reading “Unfortunately, google app stoy has stopped.” After this occurs, the app icon on the homescreen is removed, tricking the user into thinking it’s gone, as shown in Figure 4.

Fig. 4. The misleading "uninstalling" page and Toast message.

However, when opening “Settings->Apps,” we can still find the app in the “Downloaded” tab and “Running Apps” tab. Furthermore, in the “Downloaded” tab, the app cannot be stopped or uninstalled:

Fig. 5. The app can't be removed in the "Settings-Downloaded" page.

In the “Running Apps” tab, there are five services running that were started by the malicious app:

1. uploadContentService
2. UninstallerService
3. SoftService
4. uploadPhone
5. autoRunService

Fig. 6. The 5 background services started by the app. You won't discover them unless digging into the long list of the "Running Apps" tab.

Decryption

The file is encrypted using the javax.crypto package of Java Cryptographic Extension (JCE) framework as shown below.

Fig. 7. Decipher code.

The cryptographic algorithm is based on the Data Encryption Standard (DES). The key string is “gjaoun” as shown in the code below. After the file is decrypted, it's loaded as the dex class:

Fig. 8. The code of decryption and class loading for the embedded file.

All the malicious activities and services happen in the loaded dex file.

Malicious Methods

In the source code of the malicious dex package, “class.dex” is decompressed from the decrypted file “x.zip.” Analyzing this code, we found there are three ways to steal private information from the infected Android device. We will first introduce how the malware works and then analyze the network traffic as evidence of the malicious behaviors.

1. SMS Message Theft

Fig. 9. The code to steal personal SMS.

In the code, ak40.txt is a file in the /storage/sdcard0/temp/ folder containing a string. When the content equals “1,” the SMS message is sent to an email address. The email address and password are stored among other files in /storage/sdcard0/temp/. The hacker is smart enough to use the Gmail SSL protocol to evade the signature detection in network traffic by most AV vendors.

2. Signature Certificate and Key Theft

Fig. 11. The code to steal signature certificate and keys.

The variable v1 is the phone number of the compromised Android phone, while the Url.getSDPath() is the “temp” folder in the mounted storage:

Fig. 12. The location of the temporary folder that the malware app uses to collect signature certificate and keys.

The same zip file is named as “all.zip” to upload to a server and also named as “{PHONE_NUMBER}_npki.zip” to send through Gmail as an attachment.

3. Bank Account Password Theft

Fig. 13. The code to steal personal bank account and password.

Network Traffic

We have intercepted the network traffic of the malicious app in the FireEye Mobile Threat Prevention (MTP) Platform to verify the malicious activities we found in the code above.

1. SMS Message Transmission

Because the destination, including the email address and the password is stored in a cached file on the phone, we have replaced it with a testing email account and redirected a testing SMS to the newly created email address to simulate the scenario of receiving SMS in the MTP platform. Here is an example of the SMS messages that we have intercepted from the testing email account:

Fig. 14. The testing email and SMS we intercepted in the FireEye MTP platform.

The time stamp shows the email address received the content (at 9:39 PM) of the victim’s incoming SMS (at 9:38 PM) within 1 minute.

2. Signature Certificate and Key Transmission

We captured the PCap information in the FireEye MTP platform. The PCap shows that the “all.zip” is uploaded to domain “dhfjhewjhsldie.xicp.net”.

Fig. 15. The PCap of the signature certificate and keys.

The same file is renamed to {PHONE_NUMBER}_npki.zip and sent as Gmail attachment using SSL configuration. The picture below shows the signature certificate file and signature primary key after unzipping from the attachment that the malware app leaks to the SMTP server.

Fig. 16. The content of the signature certificate and keys.

3. Bank Account Password Transmission

We have found email evidence containing victims’ bank accounts and passwords and worked with Google’s Gmail team to take down the hacker’s email accounts.

JS-Binding-Over-HTTP Vulnerability and JavaScript Sidedoor: Security Risks Affecting Billions of Android App Downloads

Third-party libraries, especially ad libraries, are widely used in Android apps. Unfortunately, many of them have security and privacy issues. In this blog, we summarize our findings related to the insecure usage of JavaScript binding in ad libraries.

First, we describe a widespread security issue with using JavaScript binding (addJavascriptInterface) and loading WebView content over HTTP, which allows a network attacker to take control of the application by hijacking the HTTP traffic. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. Our analysis shows that, currently, at least 47 percent of the top 40 ad libraries have this vulnerability in at least one of their versions that are in active use by popular apps on Google Play.

Second, we describe a new security issue with the JavaScript binding annotation, which we call JavaScript Sidedoor. Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public methods in Java objects are accessible from JavaScript. If an ad library uses @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then an attacker over the network could inject malicious content into the WebView to misuse the exposed interfaces through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

Our analysis shows that these security issues are widespread and have affected popular apps on Google Play that together account for billions of app downloads. The parties we notified about these issues have been actively addressing them.

Security Issues with JavaScript Binding over HTTP

Android uses the JavaScript binding method addJavascriptInterface to enable JavaScript code running inside a WebView to access the app’s Java methods. However, it is widely known that this feature, if not used carefully, presents a potential security risk when running on Android 4.1 or below. As noted by Google: “Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.” [1]

In particular, if an app running on Android 4.1 or below uses the JavaScript binding method addJavascriptInterface and loads the content in the WebView over HTTP, then an attacker over the network could hijack the HTTP traffic, e.g., through WiFi or DNS hijacking, to inject malicious content into the WebView – and thus take control over the host application. We call this the JavaScript-Binding-Over-HTTP (JS-Binding-Over-HTTP) vulnerability. If an app containing such a vulnerability has sensitive Android permissions such as access to the camera, then a remote attacker could exploit this vulnerability to perform sensitive tasks such as taking photos or recording video, in this case over the Internet, without a user’s consent.

We have analyzed the top 40 third-party ad libraries (not including Google Ads) used by Android apps. Among the apps with over 100,000 downloads each on Google Play, over 42 percent of the free apps currently contain at least one of these top ad libraries. The total download count of such apps now exceeds 12.4 billion. From our analysis, at least 47 percent of these top 40 ad libraries have at least one version of their code in active use by popular apps on Google Play, and contain the JS-Binding-Over-HTTP vulnerability. As an example, InMobi versions 2.5.0 and above use the JavaScript binding method addJavascriptInterface and load content in the WebView using HTTP.

Security Issues with JavaScript Binding Annotation

Starting with Android 4.2, Google introduced the @JavascriptInterface annotation to explicitly designate and limit which public Java methods in the app are accessible from JavaScript running inside a WebView. However, note that the @JavascriptInterface annotation does not provide any protection for devices using Android 4.1 or below, which is still running on more than 80 percent of Android devices worldwide.

We discovered a new class of security issues, which we call JavaScript Sidedoor (JS sidedoor), in ad libraries. If an ad library uses the @JavascriptInterface annotation to expose security-sensitive interfaces, and uses HTTP to load content in the WebView, then it is vulnerable to attacks where an attacker over the network (e.g., via Wi-Fi or DNS hijacking) could inject malicious content into the WebView to misuse the interfaces exposed through the JS binding annotation. We call these exposed JS binding annotation interfaces JS sidedoors.

For example, starting with version 3.6.2, InMobi added the @JavascriptInterface JS binding annotation. The list of exposed methods through the JS binding annotation in InMobi includes:

  • createCalendarEvent (version 3.7.0 and above)
  • makeCall (version 3.6.2 and above)
  • postToSocial (version 3.7.0 and above)
  • sendMail (version 3.6.2 and above)
  • sendSMS (version 3.6.2 and above)
  • takeCameraPicture (version 3.7.0 and above)
  • getGalleryImage (version 3.7.0 and above)
  • registerMicListener (version 3.7.0 and above)

InMobi also provides JavaScript wrappers to these methods in the JavaScript code served from their ad servers, as shown in Appendix A.

InMobi also loads content in the WebView using HTTP. If an app has the Android permission CALL_PHONE, and is using InMobi versions 3.6.2 to 4.0.2, an attacker over the network (for example, using Wi-Fi or DNS hijacking) could abuse the makeCall annotation in the app to make phone calls on the device without a user’s consent – including to premium numbers.

In addition, without requiring special Android permissions in the host app, attackers over the network, via HTTP or DNS hijacking, could also misuse the aforementioned exposed methods to mislead the user into posting to the user’s social network from the device (postToSocial in version 3.7.0 and above), send email to any designated recipient with a pre-crafted title and email body (sendMail in version 3.6.2 and above), send SMS to premium numbers (sendSMS in version 3.6.2 and above), create calendar events on the device (createCalendarEvent in version 3.7.0 and above), and take pictures and access the photo gallery on the device (takeCameraPicture and getGalleryImage in version 3.7.0 and above). To complete these actions, the user would need to click on certain consent buttons. However, as is generally known, users are quite vulnerable to social engineering attacks through which attackers could trick them into giving consent.
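As an added example (not FireEye's analysis tooling or InMobi's code), the following Python heuristic audits decompiled Android sources for both patterns described above: JS-Binding-Over-HTTP (addJavascriptInterface plus a cleartext loadUrl in an app whose minSdkVersion allows Android 4.1 or below) and JS sidedoors (@JavascriptInterface methods from the list above reachable from content loaded over HTTP). The class names, URLs and manifest fragment are constructed sample input, not taken from any real app.

```python
# Added audit example (not FireEye's or InMobi's code): scan decompiled Android
# sources for the two patterns described in the post. All sample input is constructed.
import re

# Methods the post lists as exposed by InMobi through @JavascriptInterface.
SENSITIVE = {"createCalendarEvent", "makeCall", "postToSocial", "sendMail",
             "sendSMS", "takeCameraPicture", "getGalleryImage", "registerMicListener"}

BIND_RE = re.compile(r"addJavascriptInterface\s*\(\s*new\s+(\w+)")  # class bound into JS
HTTP_RE = re.compile(r'loadUrl\s*\(\s*"http://')                      # cleartext content load
ANNOT_RE = re.compile(r"@JavascriptInterface\s+public\s+\w+\s+(\w+)\s*\(")
MINSDK_RE = re.compile(r'android:minSdkVersion="(\d+)"')

def audit(sources, manifest):
    """sources: {class name: decompiled Java text}. Returns (class, issue, details) tuples."""
    m = MINSDK_RE.search(manifest)
    min_sdk = int(m.group(1)) if m else 1
    findings = []
    for cls, src in sources.items():
        bound = BIND_RE.findall(src)
        if not bound or not HTTP_RE.search(src):
            continue  # no JS binding, or content is never loaded over plain HTTP
        # App may run on Android 4.1 or below (API <= 16), where every public method of
        # the bound object is callable from injected JS: JS-Binding-Over-HTTP.
        if min_sdk <= 16:
            findings.append((cls, "JS-Binding-Over-HTTP", sorted(bound)))
        # Annotated security-sensitive methods reachable from HTTP content: JS sidedoor.
        for target in bound:
            exposed = sorted(SENSITIVE & set(ANNOT_RE.findall(sources.get(target, ""))))
            if exposed:
                findings.append((cls, "JS sidedoor", exposed))
    return findings

# Constructed sample: an ad WebView bound to a helper class and loaded over HTTP,
# next to a WebView that only loads HTTPS content (not flagged).
SAMPLE_SOURCES = {
    "AdWebView": '''
        WebView w = new WebView(ctx);
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new UtilityController(ctx), "utilityController");
        w.loadUrl("http://ads.example.invalid/creative.html");''',
    "UtilityController": '''
        @JavascriptInterface public void makeCall(String number) { /* ... */ }
        @JavascriptInterface public void sendSMS(String to, String body) { /* ... */ }
        public void helper() { /* not annotated */ }''',
    "SafeWebView": '''
        w.addJavascriptInterface(new Bridge(), "bridge");
        w.loadUrl("https://cdn.example.invalid/page.html");''',
}
SAMPLE_MANIFEST = '<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19" />'
```

Raising minSdkVersion to 17 in the manifest removes the JS-Binding-Over-HTTP finding but leaves the JS sidedoor finding, which only goes away once the content is no longer loaded over plain HTTP.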

We have identified more than 3,000 apps on Google Play that contain versions 2.5.0 to 4.0.2 of InMobi – and which have over 100,000 downloads each as of December, 2013. Currently, the total download count for these affected apps is greater than 3.7 billion.

We have informed both Google and InMobi of our findings, and they have been actively working to address them.

New InMobi Update after FireEye Notification

After we notified the InMobi vendor about these security issues, they promptly released new SDK versions 4.0.3 and 4.0.4. The 4.0.3 SDK, marked as “Internal release”, was superseded by 4.0.4 after one day. The 4.0.4 SDK made the following changes:

  1. Changed its method exposed through annotation for making phone calls (makeCall) to require the user’s consent.
  2. Added a new storePicture interface to download and save specified files from the Internet to the user’s Downloads folder. Despite the name, it can be used for any file, not just images.

Compared with InMobi’s earlier versions, we consider change No. 1 an improvement that addresses the aforementioned issue of an attacker making phone calls without a user’s consent. We are glad to see that InMobi made this change after our notification.

InMobi recently released a new SDK version 4.1.0. Compared with SDK version 4.0.4, we haven't seen any changes to JS Binding usage from a security perspective in this new SDK version 4.1.0.

Moving Forward: Improving Security for JS Binding in Third-party Libraries

In summary, the insecure usage of JS Binding and JS Binding annotations in third-party libraries exposes many apps that contain these libraries to security risks.

App developers and third-party library vendors often focus on new features and rich functionalities. However, this needs to be balanced with a consideration for security and privacy risks. We propose the following to the mobile application development and library vendor community:

  1. Third-party library vendors need to explicitly disclose security-sensitive features in their privacy policies and/or their app developer SDK guides.
  2. Third-party library vendors need to educate app developers with information, knowledge, and best practices regarding security and privacy when leveraging their SDK.
  3. App developers need to use caution when leveraging third-party libraries, apply best practices on security and privacy, and in particular, avoid misusing vulnerable APIs or packages.
  4. When third-party libraries use JS Binding, we recommend using HTTPS for loading content.
  5. Since customers may have different requirements regarding security and privacy, apps with JS-Binding-Over-HTTP vulnerabilities and JS sidedoors can introduce risks to security-sensitive environments such as enterprise networks. FireEye Mobile Threat Prevention provides protection to our customers from these kinds of security threats.

Acknowledgement

We thank our team members Adrian Mettler and Zheng Bu for their help in writing this blog.

Appendix A: JavaScript Code Snippets Served from InMobi Ad Servers

// utilityController is the Java object InMobi binds into the WebView; each wrapper
// below forwards to a method exposed through the JS binding annotation.
a.takeCameraPicture = function () {
    utilityController.takeCameraPicture();
};

a.getGalleryImage = function () {
    utilityController.getGalleryImage();
};

a.makeCall = function (f) {
    try {
        utilityController.makeCall(f);
    } catch (d) {
        a.showAlert("makeCall: " + d);
    }
};

a.sendMail = function (f, d, b) {
    try {
        utilityController.sendMail(f, d, b);
    } catch (c) {
        a.showAlert("sendMail: " + c);
    }
};

a.sendSMS = function (f, d) {
    try {
        utilityController.sendSMS(f, d);
    } catch (b) {
        a.showAlert("sendSMS: " + b);
    }
};

a.postToSocial = function (a, c, b, e) {
    a = parseInt(a);
    isNaN(a) && window.mraid.broadcastEvent("error", "socialType must be an integer", "postToSocial");
    "string" != typeof c && (c = "");
    "string" != typeof b && (b = "");
    "string" != typeof e && (e = "");
    utilityController.postToSocial(a, c, b, e);
};

a.createCalendarEvent = function (a) {
    "object" != typeof a && window.mraid.broadcastEvent("error",
        "createCalendarEvent method expects parameter", "createCalendarEvent");
    "string" != typeof a.start || "string" != typeof a.end ?
        window.mraid.broadcastEvent("error",
            "createCalendarEvent method expects string parameters for start and end dates",
            "createCalendarEvent") :
        ("string" != typeof a.location && (a.location = ""),
         "string" != typeof a.description && (a.description = ""),
         utilityController.createCalendarEvent(a.start, a.end, a.location, a.description));
};

a.registerMicListener = function () {
    utilityController.registerMicListener();
};

Monitoring Vulnaggressive Apps on Google Play

Vulnaggressive Characteristics in Mobile Apps and Libraries

FireEye mobile security researchers have discovered a rapidly-growing class of mobile threats represented by popular ad libraries affecting apps with billions of downloads. These ad libraries are aggressive at collecting sensitive data and able to perform dangerous operations such as downloading and running new code on demand. They are also plagued with various classes of vulnerabilities that enable attackers to turn their aggressive behaviors against users. We coined the term “vulnaggressive” to describe this class of vulnerable and aggressive characteristics. We have published some of our findings in our two recent blogs about these threats: “Ad Vulna: A Vulnaggressive (Vulnerable & Aggressive) Adware Threatening Millions” and “Update: Ad Vulna Continues”.

As we reported in our earlier blog “Update: Ad Vulna Continues”, we have observed that some vulnaggressive apps have been removed from Google Play, and some app developers have upgraded their apps to a more secure version, either by removing the vulnaggressive libraries entirely or by upgrading the relevant libraries to a more secure version that addresses the security issues. However, many app developers are still not aware of these security issues and have not yet taken the needed steps. We need a community effort to help app developers and library vendors become more aware of these security issues and address them in a timely fashion.

To aid this community effort, we present data illustrating the changes over time as vulnaggressive apps are upgraded to a more secure version or removed from Google Play after our notification. We summarize our observations below, although we do not have specific information about the reasons behind the changes we are reporting.

We currently only show the chart for one such vulnaggressive library, AppLovin (previously referred to by us as Ad Vulna for anonymity). We will add the charts for other vulnaggressive libraries as we complete our notification/disclosure process and the corresponding libraries make available new versions that fix the issues.

The Chart of Apps Affected by AppLovin

AppLovin (Vulna)’s vulnerable versions include 3.x, 4.x and 5.0.x. AppLovin 5.1 fixed most of the reported security issues. We urge app developers to upgrade AppLovin to the latest version and ask their users to update their apps as soon as the newer versions are available.

The figure below illustrates the change over time of the status of vulnerable apps affected by AppLovin on Google Play. In particular, we collect and depict the statistics of apps that we have observed on Google Play with at least 100k downloads and with at least one version containing the vulnerable versions of AppLovin, starting September 20. Over time, a vulnerable app may be removed by Google Play (which we call “removed apps”, represented in gray), have a new version available on Google Play that addresses the security issues either by removing AppLovin entirely or by upgrading the embedded AppLovin to 5.1 or above (which we call “upgradable apps”, represented in green), or remain vulnerable (which we call “vulnerable apps”, represented in red), as shown in the legend in the chart.

Please note that we started collecting the data on app removal from Google Play on October 20, 2013. Thus, any relevant app removal between September 20 and October 20 is counted and shown on October 20. Also, for each app included in the chart, Google Play shows a range for its number of downloads, e.g., between 1M and 5M. We use the lower end of the range in our download count, so the statistics we show are conservative estimates.

[Figure: chart of apps affected by AppLovin on Google Play over time, showing removed apps (gray), upgradable apps (green) and vulnerable apps (red)]

We are glad to see that over time, many vulnerable apps have been either removed from Google Play or have more secure versions available on Google Play. However, apps with hundreds of millions of downloads in total still remain vulnerable. In addition, note that while removing vulnaggressive apps from Google Play prevents more people from being affected, the millions of devices that already downloaded them remain vulnerable since they are not automatically removed from the devices. Furthermore, because many users do not update their downloaded apps often and older versions of Android do not auto-update apps, even after the new, more secure version of a vulnerable app is available on Google Play, millions of users of these apps will remain vulnerable until they update to the new versions of these apps on their devices. FireEye recently announced FireEye Mobile Threat Prevention. It is uniquely capable of protecting its customers from such threats.