Tag Archives: security

The scourge of Ransomware

From Wikipedia:

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back. Some ransomware encrypts files.

To say that Ransomware has become a serious problem in recent times is putting it mildly. In the last year, numerous SA businesses and users have become victims of this nasty type of malware. According to BlueCoat, a security vendor, Ransomware is now the leading mobile threat and ranks very high on the list of desktop/server threats.

Briefly, Ransomware infection is primarily by email link or email attachment. Once the user clicks a link in the infected email or runs the attachment, the infection silently takes place. From there, files accessed by the user are encrypted with a key, known only by the malware author. A message ( in the form of a file typically called HELP_DECRYPT.TXT ) is left in the folder where the file was first encrypted – the message provides details of how to send payment, often in bitcoins, to the malware author, so that they will send the key to unencrypt your files.

CryptoWall 3 and earlier versions, as well as some competing malware, targeted specific files that you accessed. Newer variants like CrytoWall 4 will now encrypt an entire folder and not just the files you access. They also have the ability to infect/encrypt files on the network shares of servers. Chimera is a new type of Ransomware that threatens to post copies of your documents and images on the Internet unless a ransom is paid. PowerWorm has recently come to light as another variant that encrypts files – but it has a bug in that the key is destroyed ( mistakenly ) after encryption.  Which means that paying a ransom will not get you your files back – ever.

Another method of infection is through websites that are compromised by the Angler exploit kit. Just visiting the site results in a drive-by attack called Pony which scours the infected computer for any login credentials for websites, banking, network resources and applications. Once done, the infected computer is then redirected to alternate sites where Angler will install CryptoWall 4 which in turn will result in encrypted files. CryptoWall 4 also renames files with randomly generated characters meaning that you don’t even know which files have been encrypted.

This is real scary stuff …

Paying, what amounts to around R 5,000 – 30,000 ( 1 – 6 bitcoins ) per infection, is beyond the ability of most.  Another issue is that there is no guarantee that the perpetrator will actually send you the encryption key. Paying a ransom is not a good idea …

 

What can I do to protect myself?

  • always keep your Operating System and installed applications up to date
  • do not use Adobe Flash and plugins for browsers, and try to limit your usage of Java
  • make sure you have  a good Anti-Virus package installed and make sure it is updated continuously
  • do NOT click on links in emails ( even if they look genuine ) and do not save or run attachments from emails that appear to be from friends, family or known business connections
  • use common sense and logic when accessing email and visiting websites; look for things that are out of the ordinary and double check items that look ordinary
  • attend Security Awareness Training which gives you the tools to navigate email, websites and other internet applications safely
  • backup your data regularly

What can I do if I’m infected?

The answer to this is: nothing – if you’ve not followed the last recommendation above. The only option is to clear out the infection and restore data from backups. Clearing out the infection often means rebuilding the infected device from scratch, reinstalling all applications and restoring your data.

If you don’t have a backup, then there are no further options. Unless you want to take a chance and have the funds available to pay the ransom ….

Adobe: Stop using Flash

Wow! This is one for the books – Adobe telling everyone to stop using a product of theirs!

http://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html?scid=social_20151201_55826586&adbid=671559505906282496&adbpl=tw&adbpr=63786611

This is just reinforcing what we’ve known all along – Flash is a security nightmare! Mozilla and Chrome have been actively blocking flash for some time now and I must say, I don’t really miss it. Considering the huge amount of Flash placeholders on the sites I visit, it’s still very much in use … which means that website builders are not getting the message.

The bulk of internet users out there may still not understand the implications, and they continue to use Flash even though it’s probably one of the most insecure and hacked pieces of software ever. Time for awareness and change.

Security issues invade non-traditional areas

We’re mostly used to malicious attacks being associated with computer, servers, mobiles and other IT-related systems. But more and more, computing is being pushed into areas that aren’t traditional for these attacks yet are fast becoming critical areas.

InternetOfThings (IoT ) devices and automotive applications are starting to appear on hackers’ radars.

Some security researchers recently used a vulnerability in the Jeep’s Uconnect service to gain control of some critical functions of the Cherokee including braking and steering – that is very worrying. Those action sequences in spy movies from only a few years ago where cars are remotely controlled, are suddenly reality.

One has to wonder at the rational ( or stupidity ) behind Jeep’s decision to merge control and infotainment systems – isn’t it obvious that issues with the internet-accessible infotainment system will enable access to the control system?

The problem is set to become much worse because IoT is spreading to every facet of our lives and security is not always on developers’ minds when designing new products. ADSL modems and routers are perfect examples of this – many never receive any updates during their lifetime, others remain full of holes even with updates and considering the home environment these are often used in, end-users don’t patch or don’t know to patch these devices.

The recent installment of Terminator ( genisys ) proposes a reality where everyone will be installing the latest version of the perpetrator’s Operating System – at that point, Skynet takes over. Considering the spread of software and IoT in the last few years ( think fridges, washing machines, children’s toys, cars, mobiles, kiosks, etc. ) this as not as far fetched as you might think.

Malicious parties have been infecting and controlling millions of devices around the planet for a number of years, performing denial of service attacks, enacting financial fraud and generally causing massive mischief.

What can we do? Not a whole lot, except protect the systems that we have control over and make sure they don’t become part of the problem. Everything else? Well it’s a bit of a crap-shoot.

Flash triple threat

The last week has been a very interesting one ( read OMG it’s almost the end of the world ) in the security world. There were new threats from all corners but Adobe Flash stole the show with 3 critical issues in 2 days.

All 3 issues could result in remote code execution or DoS attacks. Grim stuff.

The CVE details are:

http://www.cvedetails.com/cve/CVE-2015-5123/

http://www.cvedetails.com/cve/CVE-2015-5122/

http://www.cvedetails.com/cve/CVE-2015-5119/

What’s really scary is that CVE lists 30 critical issues of level 10 for Flash in July alone. If ever there was a time to stop using Flash, it’s now. The problem is that many sites are still using it in frames, ads and other areas, including sites that actively promote not using Flash.

To be clear, these vulnerabilities are actively being exploited at this time. We’ve also seen an alarming rise in Remote Trojan/Ransomware attacks locally here in SA, which may or may not be related to Flash vulnerabilities. These result in the encryption of client data and a subsequent blackmail request for payment to unlock the data. The primary injection method for this is spam email and associated attachments.

What can you do?

  • Disable and remove Flash completely – this is the best choice but it may result in some websites breaking – it’s a choice you need to live with ( or not ). Also, disabling Flash in your browser does not disable it in your OS and will result in the OS still being vulnerable to application-based attacks. Complete removal is the only option.
  • Disable Flash in browser and set to ask for activation – Firefox ( I”m not sure about other browsers ) can set a plugin like Flash, to ask for activation on each event. So normally, Flash does not work however you can click a placeholder to activate a particular Flash element on a page.
  • Carry on using Flash – no comment

For applications that rely on Flash in the Operating System, it’s time to send a friendly email to the developers asking them why they are opening their clients up to potential security issues.

For users of Youtube, most browsers already support Google’s HTML5 Flash-less option. You can check the status of browser support here:

https://www.youtube.com/html5

Of course, you also need to update your OS regularly and any other 3rd party applications. And keep an eye open for spam emails.

For those with a few extra minutes, Steve Jobs wrote a fairly famous open letter to Adobe in 2010 criticizing Flash. I’m not a Jobs fan but this hits the nail on the head – well said.

The latest issues are a direct result of the hacking of one of the largest hacking companies ( The Hacking Team ), based Italy. Hacking the hackers – where have I heard that before? Some movie I think …

MS Windows critical font vuln

Microsoft release an out-of-order patch yesterday for a critical vulnerability relating to custom fonts resulting in remote execution of code on a machine. More details here:

http://gizmodo.com/go-update-windows-right-now-1719187152

Note that because Windows Server 2003 has just gone end-of-life, there is no update for it.

Home routers: security fail

It’s no secret that I absolutely hate non-business/home-based ( ADSL/3G/other ) routers. From  a security point of view, they have a history of never-ending security issues that result in a variety of malicious attacks including DNS reflection, remote control, spam, malware infections and  other attacks.

There are other serious issues including ( but not limited to ):

  • vendors of these devices are slow to react to vulnerabilities and often don’t even patch these
  • users either don’t know that updates are available, don’t know how to apply patches/updates or just can’t be bothered to apply updates
  • the firewall/protection features of these devices are limited
  • there are common back-doors included in many of these devices which opens up access to attackers

Because non-business grade routers/firewalls don’t carry any sort of guarantee or warranty in terms of performance, vendors do not put ( as much ) effort into these in terms of keeping them secure. The following link describes just how bad the situation is:

http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/

If you have any concern over your internet security or use your internet link for any secure services ( like online shopping or internet banking ), consider purchasing/using a business-grade firewall that will:

  • provide you with a decent level of protection
  • be updated regularly by the manufacturer

Keeping your desktop computers, laptops and mobile devices safe is only one part of home security. You also need to look at the security of your network devices  including routers, printers and WiFi access points as these are an important point of access to your home network and can compromise your systems as easily as a virus on your computer.

Online security in the shopping season

Online security should always be the focus of anyone using the internet.  Yet major holidays tend to be more important seeing as there are many who only shop online around this time. Black Friday especially is a big draw-card.

The fact is that online security is part common sense and part preventative maintenance. If you get the basics right, then you’re 90% there …

Richard Henderson @ Fortinet has put a great list together that will help perennial shoppers, daily buyers and those just dipping their toes into the water.

Take a look …

Apple Pay thoughts and security

The big Apple event on Tuesday wasn’t that big a deal in my opinion. The iPhone 6 was expected although not in 2 editions but that is the least that Apple had to do to catch up with Android. Apple watch? Meh … sleek industrial design and interesting software options but ultimately I still think that smart watches in general have a limited use.

Couple of reasons why:

  • short battery life – until you start using one of these, you won’t realise what an issue that is ( my current Seiko is going on for 4 years now on the same battery, 1 day on a charge for smart watches is a problem)
  • you don’t get any health info while your watch is on charge because you can’t wear it at the same time as charging
  • security – smart watches can be hacked; do you really want your health and personal info out there for all to see? And how do the vendors handle your privacy and security?
  • you still need a phone to use in conjunction with most smart watches – no phone? limited usefulness …

So onto the main crux of this article: Apple’s new NFC-based payment system. What’s new? Well pretty much nothing that hasn’t been done before – think Google Wallet. They have some  good integration with Touch ID on the iPhone, and the on-board security chip, along with agreements with a number of American banks and the 3 main payment networks AMEX, Mastercard and Visa. The only benefit Apple brings to the table is a large user base as well as a knack for popularizing systems like this. And that is it.

With Apple stepping into the NFC payments game we will see a large increase in the people using it. This of course will lead to security and privacy concerns, not only in potential vulnerabilities in the technology itself and how criminals can exploit them. But also in how users may not secure their devices, and therefore their electronic wallets, properly. Some banks are even putting transaction limits in place as a form of risk analysis/protection.

Although the recent nude celebrities hack on iCloud wasn’t entirely Apple’s fault, this episode goes to show how far end users and vendors have to go to understand personal security and privacy properly. And that’s the crux of the matter. We’ll also have to see how country-specific consumer rights, privacy and legal laws impact on a global product like this.

But security is always a primary concern. And while Apple has promised fixes to iCloud and iOS in the next period, the perception of Apple’s security is not good, and their track record is similarly poor.

Anyone can spend $1500 buying Elcomsoft’s iOS Forensic Toolkit or $79 on the Phone Password Breaker and proceed to literally pull an iPhone apart, getting access to pretty much every single piece of data you’ve ever put on there. There are also cheaper ( $0 ) hacks out there involving an iPhone and iTunes running on a Windows machine. Scary stuff when you’re storing potentially vital personal data on your phone.

So what else can we say about Apple Pay? There are some more practical issues:

  • battery life of your phone will suffer with having NFC switched on all the time ( I can’t see people turning it on and off when required )
  • there is a much wider attack surface with NFC being switched on all the time, potentially leading to a security nightmare
  • the payment industry is actually moving away from NFC towards bio-metrics
  • many US retailers and banks have cited the high cost of NFC-enabled payment equipment as a reason for not going all in

So, while I think Apple could be moderately successful with something like this, there are significant issues to be worked out in the practical implementation. We’ll see …

Heartbleed finally results in some resources for OpenSSL

Heartbleed continues to cause enormous issues around the globe and is being actively attacked. Saying that, the bulk of solutions and systems out there using OpenSSL have been patched by now so the risk surface is growing smaller and smaller by the day.

OpenSSL President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code. That is paltry compared to many other open source projects and one can easily understand that with such limited resources, it would be very difficult to create a high quality product.

Everyone seems to have woken up now and the Linux Foundation is arranging a 3 yr initiative worth about $4 million to help under-funded open source projects, the first one being OpenSSL.

So hopefully we’re going to be seeing a better staffed OpenSSL project with higher quality code rising out of the ashes soon.

It’s interesting to see that Theo de Raadt’s ( not someone I’ve ever looked up to ) OpenBSD project is forking the code arguing that OpenSSL is full of “discarded leftovers” and unreadable code. Easy to say when you’ve got a big group behind you. I wonder what Theo would’ve said if he’d been the only developer?

Heartbleed SSL attack

The latest SSL attack in the form of Heartbleed ( ref. CVE-2014-0160 ) has burst onto the scenes in the last 24 hours with a bang. Effectively, Heartbleed is a weakness in OpenSSL that allows the theft of information that is under normal circumstances protected by SSL/TLS. It allows the memory of affected systems to be read and information extracted ( including passwords and other vulnerable information ), and it also allows the keys ( both public and private ) used on those systems to be compromised.

The solution is to upgrade to the latest version of OpenSSL ( 1.0.1g ) – however that alone may not be enough. If your site was compromised previously, there would be no trace of that attack and simultaneously, your keys may be compromised. So you may need to regenerate private and public keys for these systems.

Analysis:

The media coverage of this is extensive, and to be fair, this is a very serious issue. However, we need to consider what the attack surface is. And in my own testing, the attack surface is low to non-existent – every single client of mine that I’ve tested, does not have a vulnerable implementation of OpenSSL or is not using the SSL Heartbeat extension ( this may be simply because I stick to 2 Linux distros alone ). Is this issue being blown out of proportion? I can’t talk for others but my own experience says yes.

That’s not to say you should not be vigilant – as a security professional, it’s always best to err on the side of caution. Prevention is better than cure …

There are a number of tools available for testing purposes as well as online SSL checkers like those from Qualys and Comodo. Test and make sure you’re covered.

UPDATE: The guys who wrote masscan, scanned the entire internet today and released some interesting numbers on vulnerable systems: approximately 600,000 out of ~ 28 million SSL-enabled servers. That’s 2.1% … not an entirely significant no but still a big issue depending on which sites are vulnerable.

There has been a lot of calls in the media for users of websites to change passwords. Make sure though that you change your password AFTER the affected site has been sorted out otherwise you’re just perpetuating the issue.

The end of Windows XP

Windows XP support will officially end on April the 8th next week.

This is a very important change that appears to have escaped many people. Why important? Because you will no longer be receiving any updates ( security or other ) from Microsoft for XP. That effectively means that if there is a security hole discovered in Windows XP from the 8th of April, it will be open for anyone to exploit and no fixes will be forthcoming from Microsoft.

While Windows XP has never been what you might term a secure operating system, Microsoft have to this point, continued to fix vulnerabilities, bugs and other issues in XP.  And it’s these fixes that have improved the security level of XP significantly. That will no longer be the case from next week on.

What is really worrying is that many companies are still running a fairly large percentage of Windows XP systems – it’s estimated that up to 25% of Enterprise/Corporate systems are still Windows XP. And many smaller businesses have a higher percentage as they can’t afford the Windows software and hardware upgrade cycle.

The risk of security breaches on systems running Windows XP beyond April 2014 is high. This is not an overstatement – it’s a certainty! Even the European Cybercrime Centre has warned of impending XP security risks.

What can you do?

1. make an asset list of both hardware and software

It’s important to understand what hardware and software you have as this will dictate whether you can upgrade to a newer version of Windows or not. As well, certain older applications will not be able to run on Windows 7 and later, even in compatibility mode.

2. Test your hardware

Use one of your PCs/Laptops as a test-bed for checking if Windows 7/8 will run on them without issue. Use the Windows 7 Upgrade Advisor and Microsoft Upgrade Advisor to see if your machines meet the minimum requirements. Minimum requirements also don’t mean a good experience; Windows has, and always will, require more memory and faster disk to perform adequately.

Note that certain MS Windows version upgrades won’t keep any of your existing data or applications so you need to a. create backups and b. do a clean install. Check with your hardware vendor to see if there are any driver updates for your hardware that is required for Windows upgrades.

Here is more info on upgrading Windows XP to Windows 7. Note also that Windows 7 support ends in 2020 which is not that far away so keep that in mind when upgrading.

2. Test your applications

Take a Windows 7 or later system and run all your applications on that system to make sure they will execute without issues. If you find any issues, try the application compatibility modes in Windows 7 and later – if this does not solve the issue, then approach the manufacturer for a fix or look for equivalent applications that are compatible.

3. Update or install a good Anti-Virus package

It cannot be underestimated how valuable a good AV package is. This is generally the first line of defense when accessing network resources or using portable data devices ( USB, CD, DVD etc. ). The package should include malware protection, email scanning and URL/Link scanning. Many AV packages now also come with cloud-based sandbox technologies which enhance the ability to detect 0-day vulnerabilities. Note that AV packages will NOT be able to provide full protection for Windows XP systems after the end-of-support date.

4. Do not use Internet Explorer 6 or earlier

In fact, don’t use Internet Explorer at all – use an alternate browser such as Firefox or Chrome.

5. Do not use a Windows XP system to do banking or other financial transactions

You are literally inviting crackers into your bank account if you continue to use Windows XP from next week on for banking and/or other financial transactions. Use an alternate locked-down system running a memory stick-based system like Linux for any secure internet browsing requirements. You are welcome to contact me for pre-configured memory sticks or pen drives.

6. Contact your technical IT support  company for assistance

Your IT service company is in the best position to determine possible solutions for you in this regard. Don’t underestimate the value they can provide in assisting you in either mitigating the security risks for XP or upgrading to Windows 7 or something else.

9 years ago, I took the decision to ditch Windows altogether. I’ve never looked back – not only does my current system ( Linux ) provide good performance on lower spec hardware but it’s also relatively immune to the bulk of exploits out there. This means I’m secure in the knowledge that when I’m doing Internet Banking, my money is not going to disappear.

This path is not for everyone. However, you need to look at the  alternatives – whether it’s upgrading Windows to a newer version or migrating to a completely new platform like Mac OS or Linux, you need to make the decision now.

Any delay beyond next week is likely to be a costly move.

Security issues in ADSL and other routers

I’ve never been a fan of using ADSL/Wifi routers as the main firewall for a network ( which unfortunately ends up being the case for most home users ). These are devices built to the cheapest price, using the cheapest software development and generally, there are very few ( if any updates ) for security issues on these devices. Even if there are firmware updates available, end-users tend not to update these either through ignorance or lack of skill.

There are many vulnerabilities relating to ADSL/Wireless routers in the wild, often causing havoc with DNS and other systems. The latest bug relates to open DNS proxies on routers resulting in a 24-million router DNS denial of service attack on ISPs.

A backdoor in some Linksys and Netgear wireless routers that allows malicious users to reset the devices’ configuration to factory settings and, therefore, to default router administration username and password, has been discovered and its existence shared with the world.

Another is the Wifi hacking trojan, RBrute which infects Wifi routers and then distributes the Sality malware family which can subsequently infect Windows systems with web/dns redirection, remote access, information theft, rootkit capabilities, disabling firewalls/av and downloading additional malware. The list goes on and on. This stuff is nasty to say the least.

This doesn’t stop at low-end routers like TP-Link, Netgear and Dlink – others like Linksys and Belkin are also often targeted. The main problems with these routers come in 2 areas:

1. mis-configuration

2. software issues

The mis-configuration issue can be laid at both the end-users’ and manufacturers doors. First, end-users aren’t always skilled enough to configure these systems properly. Second, manufacturers often add additional accounts to routers that aren’t normally used and end-users are unaware of. These then present back-doors for malware and attackers to misuse.

The quality of software development in these systems is of a very low quality resulting in all sorts of vulnerabilities such as cross-site scripting issues to DNS amplification attacks. Manufacturers also tend to update their routers very seldom ( if at all ) resulting in the bulk of routers out there having some issue or other.

If you are going to use an ADSL/Wifi router, then make sure you update its firmware to the latest available, and clsoe/change passwords for any accounts on the unit. Better yet, you should put the unit into bridge mode and use a proper firewall for your protection.