Browsing articles in "Internet Security"
Dec 7, 2017
John
Comments Off on How we can stop the New Mafia’s digital footprint from spreading in 2018

How we can stop the New Mafia’s digital footprint from spreading in 2018

Cybercriminals are the New Mafia of today’s world. This new generation of hackers are like traditional Mafia organizations, not just in their professional coordination, but their ability to intimidate and paralyze victims.

To help businesses bring a good security fight to the digital streets, we released a new report today: The New Mafia, Gangs, and Vigilantes: A Guide to Cybercrime for CEOs. This report details the evolution of cybercrime from early beginnings to the present day and the emergence of four distinct groups of cybercriminals: traditional gangs, state-sponsored attackers, ideological hackers, and hackers-for-hire. We worked with a global panel of experts from a variety of disciplines, including PwC, Leeds University, University of Sussex, the Centre for Cyber Victim Counselling in India, and the University of North Carolina to collect the data within the report.

The guide shines a light on the activities of cybercriminals to understand how they work, to examine their weapons of choice—namely ransomware—and to assess what action is needed to protect against them.

Right now, the New Mafia is winning. We found that ransomware attacks have grown by almost 2,000 percent from September 2015 to September 2017. And cyberattacks on businesses have increased 23 percent in 2017. What these attacks show is that we as an ecosystem—vendors, governments, companies—aren’t learning from our mistakes.

Instead of coming together to defeat a common enemy, the focus remains on shaming victims. Whether they be individuals or companies, we’re all quick to point the finger. But that narrative must change. Those affected by cybercrime are often embarrassed and they don’t speak out, which can have dangerous consequences as organizations delay or cover up breach incidents without a plan to prevent them from happening again. We need to educate the C-suite so that CEOs and IT departments both recognize the signs of an attack and can minimize damages, while educating victims instead of shaming them.

This new mentality is important as we face the future of cybercrime. I read articles every week about the billions of devices that will be connected in the future. While the overarching goal is to make our lives easier, it also presents a threat.

The New Mafia is well prepared to exploit the increase in connected devices from cars to pacemakers. We are still making our way through the Wild West of the Internet of Things with early security solutions and a lack of legislation.

For now, we need to keep our digital streets clean with a collaborative model between the public and private sector, a general awareness about the dangers of cybercrime, and the use of proactive defenses.  Shifting from victim shaming those who have been attacked to engaging with them will remove the crime bosses from our highways of digital opportunity in 2018.

To view the full report, featuring original data and insight taken from a global panel of experts from a variety of disciplines, including PwC, Leeds University, University of Sussex, the Centre for Cyber Victim Counselling in India, and the University of North Carolina, visit here.

The post How we can stop the New Mafia’s digital footprint from spreading in 2018 appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 6, 2017
John
Comments Off on Use TeamViewer? Fix this dangerous permissions bug with an update

Use TeamViewer? Fix this dangerous permissions bug with an update

TeamViewer, the remote control/web conference program used to share files and desktops,  is suffering from a case of “patch it now.” Issued yesterday, the fix addresses an issue where one user can gain control of another’s PC without permission.

Windows, Mac, and LinuxOS are all apparently affected by this bug, which was first revealed over on Reddit. According to TeamViewer, the Windows patch is already out, with Mac and Linux to follow on soon. It’s definitely worth updating, as there are shenanigans to be had whether acting as client or server:

As the Server: Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the “switch sides” feature, which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.

As the Client: Allows for control of mouse with disregard to server’s current control settings and permissions.

This is all done via an injectible C++ DLL. The file, injected into TeamViewer.exe, then allows the presenter or the viewer to take full control.

It’s worth noting that even if you have automatic updates set, it might take between three to seven days for the patch to be applied.

Many tech support scammers make use of programs such as TeamViewer, but with this new technique they wouldn’t have to first trick the victim into handing over control. While in theory a victim should know immediately if a scammer has gained unauthorised control over their system and kill off the session straight away, in practice it doesn’t always pan out like that.

TeamViewer has had other problems in the past, including being used as a way to distribute ransomware, denying being hacked after bank accounts were drained, and even being temporarily blocked by a UK ISP. Controversies aside, you should perhaps consider uninstalling the program until the relevant patch for your operating system is ready to install. This could prove to be a major headache for the unwary until the problem is fully solved.

The post Use TeamViewer? Fix this dangerous permissions bug with an update appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 6, 2017
John
Comments Off on Internet of Things (IoT) security: what is and what should never be

Internet of Things (IoT) security: what is and what should never be

The Internet has penetrated seemingly all technological advances today, resulting in Internet for ALL THE THINGS. What was once confined to a desktop and a phone jack is now networked and connected in multiple devices, from home heating and cooling systems like the Nest to AI companions such as Alexa. The devices can pass information through the web to anywhere in the world—server farmers, company databases, your own phone. (Exception: that one dead zone in the corner of my living room. If the robots revolt, I’m huddling there.)

This collection of inter-networked devices is what marketing folks refer to as the Internet of Things (IoT). You can’t pass a REI vest-wearing Silicon Valley executive these days without hearing about it. Why? Because the more we send our devices online to do our bidding, the more businesses can monetize them. Why buy a regular fridge when you can spend more on one that tells you when you’re running out of milk?

Internet of Things

Unfortunately (and I’m sure you saw this coming), the more devices we connect to the Internet, the more we introduce the potential for cybercrime. Analyst firm Gartner says that by 2020, there will be more than 26 billion connected devicesexcluding PCs, tablets, and smartphones. Barring an unforeseen Day After Tomorrow–style global catastrophe, this technology is coming. So let’s talk about the inherent risks, shall we?

What’s happening with IoT cybercrime today?

 Both individuals and companies using IoT are vulnerable to breach. But how vulnerable? Can criminals hack your toaster and get access to your entire network? Can they penetrate virtual meetings and procure a company’s proprietary data? Can they spy on your kids, take control of your Jeep, or brick critical medical devices?

So far, the reality has not been far from the hype. Two years ago, a smart refrigerator was hacked and began sending pornographic spam while making ice cubes. Baby monitors have been used to eavesdrop on and even speak to sleeping (or likely not sleeping) children. In October 2016, thousands of security cameras were hacked to create the largest-ever Distributed Denial of Service (DDoS) attack against Dyn, a provider of critical Domain Name System (DNS) services to companies like Twitter, Netflix, and CNN. And in March 2017, Wikileaks disclosed that the CIA has tools for hacking IoT devices, such as Samsung SmartTVs, to remotely record conversations in hotel or conference rooms. How long before those are commandeered for nefarious purposes?

Privacy is also a concern with IoT devices. How much do you want KitchenAid to know about your grocery-shopping habits? What if KitchenAid partners with Amazon and starts advertising to you about which blueberries are on sale this week? What if it automatically orders them for you?

At present, IoT attacks have been relatively scarce in frequency, likely owing to the fact that there isn’t yet huge market penetration for these devices. If just as many homes had Cortanas as have PCs, we’d be seeing plenty more action. With the rapid rise of IoT device popularity, it’s only a matter of time before cybercriminals focus their energy on taking advantage of the myriad of security and privacy loopholes.

Security and privacy issues on the horizon

According to Forrester’s 2018 predictions, IoT security gaps will only grow wider. Researchers believe IoT will likely integrate with the public cloud, introducing even more potential for attack through the accessing of, processing, stealing, and leaking of personal, networked data. In addition, more money-making IoT attacks are being explored, such as cryptocurrency mining or ransomware attacks on point-of-sale machines, medical equipment, or vehicles. Imagine being held up for ransom when trying to drive home from work. “If you want us to start your car, you’ll have to pay us $300.”

It’ll be like a real-life Monopoly game.

Privacy and data-sharing may become even more difficult to manage. For example, how do you best protect children’s data, which is highly regulated and protected according to the Children’s Online Privacy Protection Rule (COPPA), if you’re a maker of smart toys? There are rules about which personally identifiable information can and cannot be captured and transmitted for a reason—because that information can ultimately be intercepted.

Privacy concerns may also broaden to include how to protect personal data from intelligence gathering by domestic and foreign state actors. According to the Director of National Intelligence, Daniel Coats, in his May 2017 testimony at a Senate Select Committee on Intelligence hearing: “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”

In a nutshell, this could all go far south—fast.

So why are IoT defenses so weak?

Seeing as IoT technology is a runaway train, never going back, it’s important to take a look at what makes these devices so vulnerable. From a technical, infrastructure standpoint:

  • There’s poor or non-existent security built into the device itself. Unlike mobile phones, tablets, and desktop computers, little-to-no protections have been created for these operating systems. Why? Building security into a device can be costly, slow down development, and sometimes stand in the way of a device functioning at its ideal speed and capacity.
  • The device is directly exposed to the web because of poor network segmentation. It can act as a pivot to the internal network, opening up a backdoor to let criminals in.
  • There’s unneeded functionality left in based on generic, often Linux-derivative hardware and software development processes. Translation: Sometimes developers leave behind code or features developed in beta that are no longer relevant. Tsk, tsk. Even my kid picks up his mess when he’s done playing. (No he doesn’t. But HE SHOULD.)
  • Default credentials are often hard coded. That means you can plug in your device and go, without ever creating a unique username and password. Guess how often cyber scumbags type “1-2-3-4-5” and get the password right? (Even Dark Helmet knew not to put this kind of password on his luggage, nevermind his digital assistant.)

From a philosophical point of view, security has simply not been made an imperative in the development of these devices. The swift march of progress moves us along, and developers are now caught up in the tide. In order to reverse course, they’ll need to walk against the current and begin implementing security features—not just quickly but thoroughly—in order to fight off the incoming wave of attacks.

What are some solutions?

Everyone agrees this tech is happening. Many feel that’s a good thing. But no one seems to know enough or want enough to slow down and implement proper security measures. Seems like we should be getting somewhere with IoT security. Somehow we’re neither here nor there. (Okay, enough quoting Soul Asylum.)

Here’s what we think needs to be done to tighten up IoT security.

Government intervention

In order for developers to take security more seriously, action from the government might be required. Government officials can:

  • Work with the cybersecurity and intelligence communities to gather a series of protocols that would make IoT devices safer for consumers and businesses.
  • Develop a committee to review intelligence gathered and select and prioritize protocols in order to craft regulations.
  • Get it passed into law. (Easy peasy lemon squeezy)

Developer action

Developers need to bake security into the product, rather than tacking it on as an afterthought. They should:

  • Have a red team audit the devices prior to commercial release.
  • Force a credential change at the point of setup. (i.e., Devices will not work unless the default credentials are modified.)
  • Require https if there’s web access.
  • Remove unneeded functionality.

Thankfully, steps are already being taken, albeit slowly, in the right direction. In August 2017, Congress introduced the Internet of Things Cybersecurity Improvement Act, which seeks to require that any devices sold to the US government be patchable, not have any known security vulnerabilities, and allow users to change their default passwords. Note: sold to the US government. They’re not quite as concerned about the privacy and security of us civies.

And perhaps in response to blowback from social and traditional media, including one of our one posts on smart locks, Amazon is now previewing an IoT security service.

So will cybersecurity makers pick up the slack? Vendors such as Verizon, DigiCert, and Karamba Security have started working on solutions purpose-built for securing IoT devices and networks. But there’s a long way to go before standards are established. In all likelihood, a watershed breach incident (or several), will lead to more immediate action.

How to protect your IoT devices

 What can regular consumers and businesses do to protect themselves in the meantime? Here’s a start:

  • Evaluate if the devices you are bringing into your network really need to be smart. (Do you need a web-enabled toaster?) It’s better to treat IoT tech as hostile by default instead of inherently trusting it with all your personal info—or allowing it access onto your network. Speaking of…
  • Segment your network. If you do want IoT devices in your home or business, separate them from networks that contain sensitive information.
  • Change the default credentials. For the love of God, please come up with a difficult password to crack. And then store it in a password manager and forget about it.

The reason why IoT devices haven’t already short-circuited the world is because a lot of devices are built on different platforms, different operating systems, and use different programming languages (most of them proprietary). So developing malware attacks for every one of those devices is unrealistic. If businesses want to make IoT a profitable model, security WILL increase out of necessity. It’s just a matter of when. Until then…gird your loins.

The post Internet of Things (IoT) security: what is and what should never be appeared first on Malwarebytes Labs.

Powered by WPeMatico

Dec 6, 2017
John
Comments Off on How to harden AdwCleaner’s web backend using PHP

How to harden AdwCleaner’s web backend using PHP

More and more applications are moving from desktop to the web, where they are particularly exposed to security risks. They are often tied to a database backend, and thus need to be properly secured, even though most of the time they are designed to restrict access to authenticated users only. PHP is used to develop a lot of these web applications, including several dedicated to AdwCleaner management.

There is no magic unique solution to harden a web application, but as always in security, it’s a matter of layers including:

  • Applying the latest security patch and updates
  • Sending the correct HTTP headers
  • Hardening the language stack
  • Hardening the OS
  • Taking network security measures

Since we’re in 2017, we’ll consider that security patches and updates are applied properly so this article will focus on several must-have HTTP headers, as well as how we harden our web stack at a PHP level in an effective and easy way for the AdwCleaner web management application.

Securing a web application using HTTP headers

There are a lot of standard HTTP headers for various uses (like encoding and caching) and a lot of them aim to enforce smart security behaviors, like mitigating XSS, for HTTP clients (i.e web browsers). Here are a few useful ones.

XSS vulnerability example

A website suffering of XSS, without the proper HTTP headers in place to mitigate it.

Strict-Transport-Security

This instructs the browser to connect to the website using HTTPS directly for a certain period of time using the max-age directive. It can also be applied to subdomains with includeSubDomains directive.

Referrer-Policy

This header aims to have a fine-grained control over when the referrer is transmitted. Several directives are available, from no-referrer to completely disable the referrer header to strict-origin-when-cross-origin, which means that the full URL is sent with any request made in TLS in the same domain. (Whereas only the domain is sent as referrer if the request is made on a different domain or subdomain.) Finally, if the request is made in HTTP, the referrer is not sent.

It’s a handy header especially to reduce internal URL leaks to external services.

X-Content-Type-Option

It enforces the MIME type of resources, and states that they shouldn’t be changed. If the MIME type is not the one advertised with the Content-Type header, then the request is dropped in order to mitigate MIME confusion attacks. There’s only one directive: nosniff.

Mozilla Documentation

X-Frame-Options

This header controls whether or not the page can be loaded as an iframe or an object. There are different directives, from DENY to forbid this behaviour, to SAMEORIGIN, which allows it only from the same origin (domain or subdomain), and ALLOW-FROM which allows the operator to specify a whitelist of origins.

RFC 7034

X-Robots-Tag

This controls how the page should be handled by crawling bots (i.e search engines). Several directives exist: the noindex, nofollow, nosnippet, noarchive directives will avoid the page to be indexed in search results and instruct the crawler to not follow the links of the page. The crawler will also not store any copy of the page.

Google documentation

X-XSS-Protection

This legacy header instructs the browser to block any detected XSS request when set to 1; mode=block. It’s now superseded by the Content-Security-Policy header, but is still useful on older web browsers. This header would have mitigated the XSS on the website at the beginning of this article.

Content-Security-Policy

This powerful header allows the operator to define rules specifying how the webpage resources can be loaded and where from. It’s particularly efficient against XSS. For instance, it’s possible to enforce loading resources on HTTPS only using default-src: https:, or to forbid any inline scripts with the directive default-src: ‘unsafe-inline’.

It’s possible to create more complex rules, for instance:

base-uri ‘none’;  Forbid the usage URI.
default-src ‘self’; Will use the origin as fallback for any fetch directive which is not specified.
frame-src; forbid any external content to be loaded using iframes.
connect-src ‘self’; Forbid ping, Fetch, XMLHttpRequest, WebSocket, and EvenSource to load external content.
form-action ‘self’; Enforce the forms submissions to the origin.
frame-ancestors ‘none’; As X-Frame-Options: Deny, it forbids loading the page using iframes, objects, embed, or applets.
img-src ‘self’ data:; Allow tags to use data uris from the origin only.
media-src ‘none’;  Forbid loading any