Cybersecurity: Russian Hackers, Privacy, and You

WordCamp

I was invited to give a presentation about Cybersecurity at WordCamp Orange County 2017; I chose to discuss privacy aimed toward the average user. It was my first WordCamp presentation.

WordCamp is a conference that focuses on everything WordPress. WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participates, shares ideas, and gets to know each other.


Here is the video of my presentation:

References

Recognizing Computer Threats: Email

By Chris Williams

Promotional email

Chances are, if you see an unsolicited email that appears to originate from a company that you don’t recall signing up for, it’s probably spam or phishing. Since many retailers require double opt-ins now, it’s more difficult to get “accidentally” registered for an email subscription than it was a decade ago. Regardless, we recommend doing a follow-up with the company in question just to be sure; our goal is to rule out the possibility that your email account was hacked (see previous posts on compromised email accounts for a primer on this topic).

When dealing with a potential phishing email do not use the URL, email address, or phone number provided within the suspicious communication; instead look up the company’s information via your preferred search engine, making sure you are on the company’s direct website (not a competitor, affiliate, or knock-off). If the message is a scam the contact info provided won’t usually point to the real entity—it will more likely take you to a fake site that will attempt to capture your credentials or trick you into installing malware.

Scenario: fake offer with malicious “unsubscribe” link

Tom signs into his Gmail account and reads the contents of his inbox. He sees a bunch of ads for games and T-shirts he’d like to have, along with an advertisement from a company he doesn’t remember doing business with: “wigits.com”. Maybe someone registered his email address on their mailing list due to a typo? No problem: Tom simply clicks the Unsubscribe link down at the bottom of the email message, expecting it to take him to a website where he can manage his “subscription”. There is only one problem: the email was actually a phishing scam, and the moment his browser navigated to the malicious URL (disguised as the Unsubscribe link, of course) it started a drive-by download that infected his system with malware. Antivirus warnings start flashing and the threat is neutralized—or is it?

What could Tom have done differently? For starters, he could have done a Google search on this company to make sure it’s even real. Sometimes phishing emails are convincing, sophisticated messages with official-looking logos (stolen from PayPal, Amazon, etc.); sometimes they are terrible hacks with bad grammar and poor punctuation. In the latter case, the companies being represented may or may not even exist.

Let’s discuss our hypothetical in a bit more detail:

If wigits.com came up as a search result via a reliable search engine such as Google, at least Tom would know that the company isn’t totally fictitious. However, that doesn’t mean the communication itself is legit, so we must dig a bit deeper.

Both the web address and phone number for wigits.com should be published online. Tom can simply navigate to their site (again, using a reliable search engine to locate it) and find whatever contact info he needs to verify his “subscription”. He can call, email, or see if they offer a way to manage email opt-outs directly on the site.

Let’s assume there is no email address or subscription management feature on the site. No problem! A phone call to customer service will suffice. We expect one of two scenarios to occur:

  • Tom calls and speaks to an agent, provides his information, and is told that his email address is not on file with wigits.com.

OR

  • Tom calls and speaks to an agent, provides his information, and learns that he was in fact signed up for wigits.com promo emails. He then unsubscribes, assuming at this point that it was due to a mistake (maybe his address is similar to another user’s—it’s pretty commonplace for that to occur).
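The two points above (the real destination of an email link can differ from what the reader is shown, and a scam’s links rarely point at the real company) can be checked mechanically before a link is ever clicked. The following is an added example, not code from the original post: it parses a constructed HTML message with Python’s standard email and html.parser modules and reports anchors whose visible text names a different host than the href, or whose destination lies outside the sender’s domain. The message, the sender domain wigits.com and the lookalike host wigits-promo.example are constructed placeholders.

```python
"""Surface email links whose real destination differs from what the reader sees.

Added example for the phishing scenario above; not code from the original post.
The message, the sender domain wigits.com and the lookalike host
wigits-promo.example are constructed placeholders.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: two links are honest, two lead away from the sender's site.
RAW_EMAIL = """\
From: Wigits Promotions <deals@wigits.com>
To: tom@example.net
Subject: Your weekly Wigits deals
Content-Type: text/html; charset=utf-8

<html><body>
<p>Great offers at <a href="http://wigits.com/deals">wigits.com</a>!</p>
<p>Tired of these emails?
<a href="http://wigits.com@wigits-promo.example/unsub?id=42">Unsubscribe</a></p>
<p>Manage your account:
<a href="http://wigits-promo.example/login">https://wigits.com/account</a></p>
<p>Help: <a href="https://www.wigits.com/help">https://www.wigits.com/help</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname a browser would connect to; 'user@host' tricks resolve to host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def registrable(host):
    """Crude 'same organisation' key: the last two labels of the hostname."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(raw_message):
    """Return [(href, visible_text, reason)] for links a reader should not trust."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    html = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        # Visible text that looks like a domain or URL but names another host.
        if "." in text and " " not in text and host_of(text) != target:
            reasons.append("visible text names a different host")
        # Destination outside the organisation the message claims to come from.
        if registrable(target) != registrable(sender_domain):
            reasons.append("destination outside sender domain")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, why in audit_links(RAW_EMAIL):
        print(f"{why}: '{text}' -> {href}")
```

The output is meant to surface links for a person to verify against the company’s published site, as the post recommends, not to block mail automatically. Note that the “Unsubscribe” link is caught only by the sender-domain comparison, since its visible text is a word rather than a URL, and that the last-two-labels heuristic in registrable() is deliberately crude (it misjudges names under suffixes such as co.uk); a production filter would consult the public suffix list instead.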

Malicious attachments

“What if there’s no URL in the body of the message? Perhaps the email just has a harmless little .zip file attached… no way that can be bad, right?”

Malicious attachments are one of the most insidious vectors used to infect victims with malware; within this category of threat, there are perhaps two major methodologies in widespread use: disguising the attachment’s file extension, and hiding the payload inside “real” data. An example of the former would be a malicious file masquerading as a .pdf file or Word document; an example of the latter would be a Macro-enabled Excel workbook that runs a malicious script when opened.

Fortunately, many email filtering systems can be configured to block any attachments with mismatched file extensions (the file extension shown in the document name doesn’t match its actual file type), and most systems can simply blacklist certain “high-risk” file extensions altogether. For instance, files with .zip extensions are often blocked entirely by anti-spam platforms; this is because they are so prevalent in phishing campaigns and very effective. As long as the file containing the payload is still zipped it will typically appear clean to antivirus software. While there may be a window of time to scan the file and prevent infection, this isn’t always the case.
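The extension checks described above (a name whose extension disagrees with the file’s real type, high-risk extensions blocked outright, and payloads that stay hidden inside a zip) can be demonstrated with a small triage routine. The following is an added example, not code from the original post: it compares the extension an attachment’s name claims against the file’s leading bytes, flags double extensions and a blocklist of high-risk extensions, and, because the payload usually sits inside an archive, opens zip attachments in memory and applies the same checks to each member. Every sample attachment is a constructed byte string or in-memory archive, and the blocklist and signature table are illustrative choices, not any product’s configuration.

```python
"""Triage email attachments: does the name's extension agree with the bytes?

Added example for the attachment discussion above; not code from the original
post.  Every sample below is a constructed byte string or in-memory zip, not
real malware, and the extension blocklist is a policy choice, not a standard.
"""
import io
import zipfile

# Leading bytes ("magic numbers") of the handful of formats this example knows.
MAGIC = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),   # second form: empty archive
    "docx": (b"PK\x03\x04",),                # Office Open XML is a zip container
    "docm": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "xlsm": (b"PK\x03\x04",),
    "exe": (b"MZ",),                         # Windows PE executable
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Extensions a gateway might refuse outright (illustrative, not exhaustive).
HIGH_RISK = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar",
             "zip", "xlsm", "docm"}


def claimed_extensions(filename):
    """Every extension in the name: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def detected_type(data):
    """First format whose magic bytes match the start of data, else None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def _compatible(claimed, actual):
    """True when the claimed extension's signatures overlap the detected type's."""
    return bool(set(MAGIC.get(claimed, ())) & set(MAGIC[actual]))


def triage(filename, data, depth=0):
    """Return reasons to quarantine this attachment; an empty list means none found."""
    reasons = []
    exts = claimed_extensions(filename)
    last = exts[-1] if exts else ""
    actual = detected_type(data)

    if last in HIGH_RISK:
        reasons.append(f"extension .{last} is on the high-risk blocklist")
    if len(exts) > 1:
        reasons.append("double extension " + ".".join(exts))
    if actual and not _compatible(last, actual):
        label = f".{last}" if last else "no extension"
        reasons.append(f"name says {label} but content looks like {actual}")

    # The payload usually sits inside the archive, so look at each member too.
    if actual == "zip" and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    if member.filename.lower().endswith("vbaproject.bin"):
                        reasons.append("contains a VBA macro project")
                    inner = archive.read(member.filename)[:64]  # header is enough
                    for why in triage(member.filename, inner, depth + 1):
                        reasons.append(f"{member.filename}: {why}")
        except zipfile.BadZipFile:
            reasons.append("claims to be a zip but cannot be parsed")
    return reasons


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24   # a PE-looking header only

# Constructed sample attachments, named as a mail gateway would see them.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),
    "scan.pdf": PE_STUB,                                   # executable under a .pdf name
    "photo.jpg.exe": PE_STUB,                              # classic double extension
    "statement.zip": make_zip({"statement.pdf.exe": PE_STUB}),
    "budget.xlsm": make_zip({"xl/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28}),
}


def triage_all(samples):
    """Map each attachment name to its list of findings."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLES).items():
        print(name, "->", reasons or "no finding")
```

Reading an archive’s directory and member headers in memory executes nothing, but a real gateway would also cap archive size and nesting (the depth guard above is the minimal version of that) to survive decompression bombs, and would draw on a far larger signature library than the eight entries here. Note that a macro-enabled workbook is caught twice: by its extension and by the presence of vbaProject.bin inside the container.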

The takeaway

Spam and phishing emails are increasing in frequency and complexity as scammers become savvier. Unfortunately, a contributing factor in this increase is the fact that these scams successfully fool a lot of people; users that open links and attachments they should have avoided are a major vector for the spread of malware. Similarly, unsuspecting users can be led to bogus versions of real sites and voluntarily give up their personal and account info.

Some file extensions are more suspect than others, but all attached files should be treated as suspect unless you have reasonable assurances of their legitimacy.

For the sake of repetition: never click a link provided in an email message if you aren’t sure of the authenticity of the message and/or its sender. Contact the company using a known-good phone number or email address.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Misconceptions: Safe in the Cloud

By Chris Williams

A cloud of confusion

“Just put it in the cloud, and it’ll be safe. Right?”

Well, it’s not nearly that simple. While cloud applications are often viewed as a great way to offload security concerns to a third party, that act alone does not necessarily make your data more secure. On the contrary, a poor choice of cloud service provider might instead make your data less secure.

The cloud really isn’t a specific thing or place, nor is it defined by a new or emerging technology. It’s a metaphor and a buzz-word at the same time. All “cloud” actually means is that the resource in question is remotely located and Internet-accessible. This definition includes many rather mundane concepts such as offsite data centers, hosted web and/or application servers, as well as web-based email such as Yahoo. Google Docs and Dropbox, which many users take for granted (both in terms of accessibility and security), are located in the cloud.
In summary, if you’re using it, and you or your organization does not support it onsite using your own resources, then it’s probably in the cloud.

Cloud security characteristics

What characteristics make the cloud more secure than your environment? Scale is most likely one such characteristic, as cloud service providers are typically large enterprises that bring almost immeasurable resources to the table. Unless your organization utilizes all of the latest technologies and techniques to manage threats, supported by an elite stable of IT security professionals, chances are that a malicious attacker will get through your defenses before, for instance, Amazon’s.

Cloud providers also have to meet at least a minimum of security standards to stay in operation, based on whatever laws are pertinent to the service in question. These standards vary greatly, from Federal laws to unenforceable industry recommendations, but they do exist. As a cloud customer, your Service Level Agreement should specify that data security is an integral part of the services being performed; therefore, liability (in the event of a breach) may to some extent fall upon the third party. However, the concept of cyber indemnity is still somewhat a grey area.

Now, scale can work the other way as well, for two reasons. First, cloud data centers hold much more data, from a far wider variety of end users, than private onsite storage facilities; consequently the risk/reward ratio leans much more heavily towards the “reward” side as far as hackers are concerned. Second, the fact that large enterprises handle so many customers’ data means they can, for lack of a better way of putting it, generally afford to get hit a couple of times before consequences are felt. Imagine it from a criminal’s perspective: would you rather infiltrate a single company, or get the data from a dozen companies all in one campaign?

Other considerations

There’s also the issue of data-in-transit; many administrators forget about this topic, focusing on the more obvious issue of data-at-rest. But there needs to be a discussion about how your data gets to the cloud (Internet connection), what the ramifications are for supporting that connection, and what might go wrong even if the connection is configured properly.

Suppose your environment is not intended to be connected to the web—it is an enclosed network segment with no publicly visible IP addresses, nor any gateway between that LAN and the outside world. Then, suppose we add a router and a public IP (which is Network Address Translated to a bunch of private IPs)—now, we have Internet access and can access our cloud storage and backup services, but there’s also an additional access point for bad guys that did not exist before. Was that a net security increase, or decrease?

Let’s also suppose that your data is encrypted while in transit, as it should be. Can it be intercepted while traversing public Internet infrastructure? Technically, yes, although the encryption would be hard (not impossible) to break. And, although you could potentially get a VPN from your gateway to the other endpoint, that adds additional cost, more overhead such as key management, etc. while still not achieving 100% security.

The takeaway

As an IT professional, I don’t believe in security through obscurity. However, I also must concede that some cloud providers are extremely attractive to attackers due to the sheer volume of data contained. While I can entertain the thought of navigating this quandary by selecting a less well-known service provider to store my data, at that point am I simply compromising on the advantages of scale and resources that made cloud so compelling to begin with?

Companies that offer cloud services of all types from SaaS to IaaS want to sell you on those services. If “reducing the size of your IT workforce by 70% by switching to cloud” sounds too good to be true, that’s because it is. Similarly, it sounds like a great idea to transfer risk to a third party—until it becomes evident that the scope of risk being transferred is only a small portion of your organization’s true risk expectancy.


Misconceptions: Antivirus Software

By Chris Williams

The antivirus dichotomy

Is antivirus (AV) software a necessity, or does it simply offer users a false sense of security? In reality, this is a false dichotomy as both perspectives on this topic are somewhat true. While AV software protects inexperienced users from a variety of common threats, it doesn’t protect high-profile users (managers, executives, etc.) from advanced threats; in the latter case, training these users to avoid high-risk behavior is vital. Safe Internet browsing practices, awareness of common social engineering tactics, and use of physical access controls within the environment are all important to reduce malware exposure. If systems never come in direct contact with malicious code, then the chances of infection drop accordingly.

Does this mean that end users with little to no security training should go without antimalware protection of any sort? Absolutely not. However, it is critical to understand that in IT security, defensive technology is perpetually catching up to offense. If you’re a high-profile enough target for a malicious attacker to expend one of their most valuable commodities (e.g. a zero-day exploit) to crack, then just know that by definition your AV software is not going to prevent the resulting damage—if it detects the attack at all. In other words, additional defense mechanisms are required to compensate for the limitations posed by antivirus programs.

Defense-in-depth

Defense-in-depth is the methodology which IT security practitioners rely upon to secure complex systems from a wide variety of threats; the basic premise is to employ multiple overlapping security measures to protect each asset.

The term “layering” is often used to describe defense-in-depth. For each access point that exists within a system, there must exist at least one defense mechanism, or layer. Each successive layer adds to the security of the system, since an attack which breaches the first layer should hypothetically fail to breach the second layer. (Otherwise, why is the second layer even there?) If multiple security measures are vulnerable to the same exploit, it defeats the purpose; that would be like having an outside security door, an inside security door, and the door to the most securely guarded portion of the building all keyed to the same key. If a malicious person obtains that key, then all of the security mechanisms are defeated simultaneously.

What does this have to do with antivirus software? Simply this: AV programs have known shortcomings that can, and must, be anticipated in order to maintain a secure environment. And while the protection offered by these software platforms does almost unarguably outweigh the negatives, there is no antivirus on the market which can be considered “perfect”. Lastly, even if a perfect AV package were developed (hypothetically), malware is only one threat vector; there are dozens of other means that malicious attackers use which would be virtually unhindered.

The takeaway

Even with all of the above caveats in mind, it is essential in today’s reality to run antivirus software on endpoints such as user workstations and public-facing servers. The following points may provide some additional guidance:

  • Administrators and security professionals should research and learn about all of the AV software on the market and select one which suits their needs. The most popular platforms aren’t necessarily the best, nor are the most expensive options inherently better than others.
  • A second-opinion software option should be kept on stand-by just in case; due to differences in definitions and analysis methods, it is often necessary to scan using multiple different vendors.
  • Become familiar with services such as VirusTotal (virustotal.com) which can, for no charge, examine suspicious files and URLs in a sandbox environment.
  • Not all malware are viruses, and it is often necessary to use specialized tools to detect or remove threats such as spyware/adware.
  • One cannot stress this enough: AV software is simply one piece of the larger puzzle, rather than a one-and-done solution to all network security ailments.


Current Events – Top 5 Cybersecurity Developments of 2016

By Chris Williams

To kick off the new year, we’ll take a look back at 5 of the most important cybersecurity events and trends from 2016, along with the circumstances that made each noteworthy.

5 – IoT-fueled DDoS attacks result in highest throughput events in Internet history

The threat posed by distributed denial of service (DDoS) attacks has increased significantly over the past year; as attack techniques including reflection and amplification become more sophisticated, the amount of traffic that can be directed at a target now measures in hundreds of Gbps, and a single attack will likely break the 1 Tbps threshold (if it hasn’t already) before long.

We examine some of the causes and implications of this trend in greater detail, in an earlier article: https://paradoxprimeia.com/2016/12/06/mirai-ddos-iot-security/

4 – Among the first publicized instances of a nation state employing cyber warfare to influence the democratic process of another nation state

No voting machines were breached, and no tallies were altered—one cannot say that the election was “hacked” in a strict sense. Instead, information was obtained illegally by a team of hackers and then disseminated for use in a large-scale information campaign designed to influence the outcome of the election by shifting public opinion; a much more roundabout method that creates a measure of “plausible deniability” for all those involved, to be sure.

According to what has been released, the team that breached the Democratic National Committee’s network and obtained incriminating emails from key DNC personnel was not working directly for Russia. This is hardly a surprise. According to those same reports, however, investigators have been able to determine the origin of the hackers as well as their financial ties to Russian stakeholders; this, combined with various intelligence that demonstrates Russian officials had some knowledge of the campaign, paints a fairly compelling albeit circumstantial case.

However, the “who/what/when/where/why/how” isn’t necessarily the most pressing issue we face—our follow-up question should be, “what comes next?” Since the floodgates of political interventionism have apparently been opened, and the United States still has yet to address a multitude of issues with its critical infrastructure (among many other targets), there is ample cause for concern. Could a more direct election hack be next? Could we face a Stuxnet-style attack on our nuclear plants, or an attack similar to the one which took down power stations in the Ukraine? With the latest attacks in Kiev also being linked to Russia, it’s definitely a question worth asking.

3 – Ransomware continues to increase in prevalence, cybersecurity experts talk preparedness

Although ransomware has existed in some form for the better part of this decade, 2015 and 2016 both saw significant leaps in both the complexity and ubiquity of this unique strain of malware. By the end of 2016, losses to consumers and businesses skyrocketed to an estimated $1B; that figure puts this rapidly expanding form of cybercrime in a position to potentially replace credit card fraud as the top fiscal threat to organizations and consumers. It’s of course too early to see what 2017 holds, but we can only hope that increased awareness of the risks (as well as mitigating strategies such as appropriate back-up procedures for critical data) causes this trend to reverse itself.

In the meantime, hospitals, retailers, law enforcement agencies, and even private users should all be wary of suspicious files, unsolicited emails, and the other potential vectors we’ve discussed in previous posts. Like many attacks, ransomware must exploit a human element in order to succeed; cybersecurity experts continually point to users as the most easily exploitable target, but training methods have not kept pace with threats.

2 – Apple sets a precedent by favoring consumer privacy over the demands of intelligence agencies

The terrorist attacks which occurred in San Bernardino in late 2015 had consequences which will almost certainly influence consumer privacy and data security for many years—due not to the nature of the attacks themselves, but rather the course of subsequent investigation and legal maneuverings which continued well into 2016.

At issue was one of the iPhones used by the attackers, which was locked using Apple’s built-in device encryption feature; the FBI requested Apple to provide them a means of bypassing that encryption, but their request was refused on the grounds of privacy protection. (There were other factors, however the premise “If we give you a backdoor then anyone can potentially have the same backdoor” is a fair argument which summarizes Apple’s position). Even after the conflict had escalated to a lawsuit, Apple stayed the course, declining to provide a workaround to investigating agencies; however, since the FBI eventually found another way of cracking the phone’s security measures, the suit was dropped and the whole affair essentially fizzled out.

Apple’s refusal to cooperate is a polarizing topic, with their stance drawing both praise and criticism from cybersecurity professionals. Regardless of how that debate plays out, the important thing to note is that private companies cannot be compelled to provide consumer information to government agencies without due process—at least not yet. Additionally, Apple was among the first companies of its size to publicly decline putting a backdoor into their systems; technology and telecom companies have historically complied with even the most invasive of federal programs in the interests of national security.

1 – Data breaches result in billions of compromised consumer records throughout organizations worldwide

The following is a “short list” of data breaches that were publicized (though not necessarily occurred) in 2016:

  • Yahoo – 1 billion user accounts
  • Yahoo (again) – 500 million user accounts
  • MySpace – 360 million user accounts
  • LinkedIn – 167 million user accounts
  • Office of Child Support Enforcement – 5 million records
  • 21st Century Oncology – 2.2 million patient records
  • Verizon – 1.5 million enterprise clients
  • Centene – 950,000 patient records
  • IRS – 700,000 taxpayer records
  • FBI – 20,000 employee records
  • DHS – 9,000 employee records

Over the past few weeks we’ve examined data breach trends and discussed some potential safeguards which consumers should be cognizant of. You can check out these articles at:

https://paradoxprimeia.com/2016/12/23/recognizing-computer-threats-data-breach-awareness-1/

The takeaway

If 2016 was any indication, the cybersecurity landscape for 2017 will consist of a vast array of threats; consumers, businesses, and governments are all susceptible in part because of the common (human) element. User training & awareness programs should be considered by all organizations, regardless of size.


Recognizing Computer Threats – Data Breach Awareness, Part II

By Chris Williams

Recap from Part I

Large-scale data breaches are increasing in both frequency and magnitude, leading to an unprecedented threat to consumers’ confidential personal and financial information. Laws currently on the books concerning data breach notifications are fairly weak; compromised organizations often sit on information for weeks or months (occasionally years) before notifying affected customers that their data has been leaked—this is completely unacceptable yet seems to be common practice in certain industries such as web-based email.

Users should use unique passwords that are not shared among multiple accounts; re-using passwords creates a single point of failure that dramatically increases a consumer’s risk of private data being exposed during a hack.

There are a number of ways in which the average consumer can protect themselves from exposure, and it starts by understanding the companies you do business with; get to know their practices and policies, and make sure that they follow all applicable laws concerning what is done with your data.

Data privacy laws

How are organizations protecting your data? Do you have any recourse if you suspect they are not following these practices?

The Privacy Act of 1974 states that consumers have a right to determine how their personally identifiable information is used: more specifically, that they must give prior consent in writing before any of their PII is disseminated by a company (or organization/agency); they must be able to obtain copies of their personal records with that company upon request; and they must be provided with a means to amend or correct any incorrect information that exists in that company’s records. This doesn’t give users the level of granularity which many would like, but it’s a start.

Organizations that collect personal information of any kind should post their privacy policies online. Most do, even if these policies can be difficult to locate; alongside this, consumers can usually find the contact information for whomever is responsible for providing copies of records, and updating incorrect records. While creating an account or signing up for a service, email subscription, etc. the end-user agreement should also spell out the organization’s privacy and data collection policies—if not, that could be a potential red flag.

The Privacy Act does include some provision for redressing violations in civil court: “The Privacy Act provides for four separate and distinct civil causes of action, see 5 U.S.C. § 552a(g), two of which provide for injunctive relief – amendment lawsuits under (g)(1)(A) and access lawsuits under (g)(1)(B) – and two of which provide for compensatory relief in the form of monetary damages – damages lawsuits under (g)(1)(C) and (g)(1)(D).” Litigation aside, there’s plenty of incentive for organizations to comply with these rules; among those incentives is simply public image. Customers can be very quick to turn upon companies that fail to meet privacy regulations; this can cascade quickly into widespread distrust and loss of reputation with consumers and/or industry peers. With that in mind, contacting the organization to address a complaint might be more than sufficient—no need to call a lawyer just yet.

FERPA (Family Educational Rights and Privacy Act) is another federal law which governs disclosure and maintenance of information, this time dealing with the educational sector. Student records such as transcripts are protected, requiring express written consent from the student (or their legal guardian if under 18) before being disseminated for any reason, other than on official school business. Much like the Privacy Act, concerned individuals must follow a designated path to request corrections or amendments; additionally, the record owner has a right to request copies of those records as well as to receive them in a timely manner.

For information on understanding your FERPA rights, or for reporting suspected violations, visit the following: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html

HIPAA (Health Insurance Portability and Accountability Act) is another federal law; aimed at the healthcare sector, it is otherwise similar in concept to the previous two. Health insurance providers, doctors, hospitals, specialists, and anyone who deals with protected health information (PHI) of any kind must follow these rules. This also includes HR employees at organizations that offer health care plans as part of compensation packages.

If you have additional HIPAA questions or need to report a potential violation, the following page should help: https://www.hhs.gov/hipaa/filing-a-complaint/index.html?language=es

The takeaway

It is critical that organizations treat confidential consumer information with the respect it deserves. Many companies do not have policies or procedures that address this issue, however. Where possible, avoid the unnecessary risk of doing business with organizations that have poor or nonexistent privacy policies; the same holds true for companies that consistently disregard information security best practices. Laws such as the Privacy Act, HIPAA, and FERPA contain numerous measures to enforce compliance; it is important to report suspected violations for both your protection as well as the protection of other consumers.


Recognizing Computer Threats – Data Breach Awareness, Part I

By Chris Williams

Data breach

If it seems like data breaches are becoming more and more commonplace all the time, that’s because it’s true: the frequency of data breach and security incidents that result in some level of data leakage is on the rise. On top of that, the public’s perception of these incidents is becoming more acute. This is in part because a larger percentage of data breaches are being publicized than ever before. Due to the prevalence of both national and state laws which require companies to notify consumers when their personally identifiable information (PII) is compromised, it is essentially unavoidable: organizations must have procedures in their incident response plans to deal with these types of contingencies. Private organizations such as Payment Card Institute (PCI) have their own rules concerning how breach notifications must take place; they typically enforce such policies through audits and by assessing non-compliance penalties.

Breach notifications

Best practice after a data breach is to send breach notification notices out as soon as the scope of the incident has been reasonably well determined; this is both for compliance purposes as well as for good “public relations”. On the other hand, companies that are slow to publicize data breaches are often maligned in the court of public opinion. Despite the bad PR that can occur when a company’s security practices are implicated after a security incident, some public forgiveness can be gained by simply being forthcoming. Additionally, when organizations provide supplemental services such as credit monitoring to data breach victims, the extra expense is typically justified by the positive effect on consumer confidence. Transparency, expediency, and ownership of the incident are surprisingly effective tools in retaining customers after an incident occurs.

All this being said, with the sheer number of incidents happening, consumers still need to understand how to minimize their risks. It is important to know what steps to take if an incident occurs targeting a service provider or retailer that they utilize. It is also vital to recognize that not all organizations are forthcoming when a breach occurs, even if the law says they should be.

Webmail accounts: use unique passwords

A data breach that compromises your email account password can mean more than just a loss of privacy (although that is of course the primary concern, since most of us are uncomfortable with the prospect of strangers reading our emails). Exposure of personally identifiable information (PII) is often linked to identity theft and other forms of fraud; criminals may use this info directly or sell it on the black market. This information is used to open fraudulent bank accounts, make purchases with compromised payment cards, and so on. Many users fail to consider how much PII is exposed during a data breach. The following non-comprehensive list includes a few good examples:

Correspondences with companies you do business with, including healthcare providers (noteworthy because of the depth of information these companies retain); lists of personal friends, family members, and associates; employment-related messages such as recruitment or application emails; vacation plans; event invites; receipts for purchases, often with partially visible payment information; billing and shipping addresses; and much, much more.

A compromised webmail account can provide hackers with tremendous detail regarding your personal life—and accounts you may have with e-commerce sites and other services—therefore it is important not to re-use any passwords across multiple different services.

Scenario: compromised webmail password

Tom uses Yahoo for webmail. Tom's yahoo.com email address is also the user name for his Amazon account, and the passwords for his Yahoo and Amazon profiles are identical. Let's imagine his Yahoo password is stolen in a mass data breach: the hackers can then log in to his inbox and read all of his messages. From there they determine that he has an Amazon account by skimming through transaction emails. Their next step will of course be Amazon.com. By simply entering the same password used to access his Yahoo inbox they gain access to Tom's Amazon account, because the password was re-used; had the passwords been different, the attackers would still have had his Amazon user name (it is the same as his Yahoo address) but not a password to go with it.

Amazon, like most e-commerce retailers, lets customers re-use payment cards they have previously saved. Whoever controls Tom's account can therefore make unauthorized purchases without ever having to supply a card number. (Note that an attacker who controls the inbox can also try the "forgot password" link on Amazon and intercept the reset email; unique passwords limit the damage from a leaked password list, but the mailbox itself must be guarded even more carefully, because it is the recovery channel for everything else.)
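To make the reuse problem concrete, here is an added example (not part of the original post): a short Python script that audits a password-manager CSV export for shared passwords and answers the question the scenario above poses, namely which other accounts fall if one account's password leaks. The CSV layout, the account names and the passwords are all constructed for the example; the script hashes each secret so that the report never prints a password.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample mirroring a typical password-manager export
# (name, url, username, password). Every value below is made up.
SAMPLE_EXPORT = """\
name,url,username,password
Yahoo Mail,https://mail.yahoo.com,tom@yahoo.com,Sunshine2016!
Amazon,https://www.amazon.com,tom@yahoo.com,Sunshine2016!
Bank,https://bank.example,tom,c0rrect-horse-battery
Forum,https://forum.example,tom_w,Sunshine2016!
"""

def fingerprint(password):
    """Short SHA-256 prefix so the report can group secrets without showing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]

def load_rows(export_text):
    return list(csv.DictReader(io.StringIO(export_text)))

def find_reused_passwords(export_text):
    """Return {fingerprint: [account names]} for every password used by more than one account."""
    by_secret = defaultdict(list)
    for row in load_rows(export_text):
        by_secret[fingerprint(row["password"])].append(row["name"])
    return {fp: names for fp, names in by_secret.items() if len(names) > 1}

def accounts_exposed_by(export_text, breached_account):
    """Given that one account's password has leaked, list the *other* accounts an
    attacker can log into simply by re-trying that same password."""
    rows = load_rows(export_text)
    leaked = {fingerprint(r["password"]) for r in rows if r["name"] == breached_account}
    return sorted(r["name"] for r in rows
                  if r["name"] != breached_account and fingerprint(r["password"]) in leaked)

if __name__ == "__main__":
    for fp, names in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {fp}... is shared by: {', '.join(names)}")
    print("a Yahoo Mail breach also exposes:", accounts_exposed_by(SAMPLE_EXPORT, "Yahoo Mail"))
```

Run against the constructed export, the script reports one shared password (Yahoo Mail, Amazon and the forum) and shows that a Yahoo breach hands the attacker the Amazon and forum accounts for free, while the bank account, which has its own password, is untouched.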

The takeaway

Breach notification laws exist to protect consumers whose protected information may have been affected by a security breach. Unfortunately, these laws are not as comprehensive or as compelling as they could be, and so many companies are still slow to report and publicize incidents.

Using the same credentials for multiple email and/or other accounts is inadvisable: it creates a single point of failure through which attackers can reach all of your private data. Give the email account itself a strong, unique password and enable two-factor authentication where the provider offers it, since that mailbox is the recovery channel for everything else. Monitor your inbox for unsolicited messages, and check your Sent folder from time to time for mail you did not write. Again, just because your webmail provider has not announced an incident does not mean no such event has taken place.

There's plenty more to say about this topic: we'll be back soon with part II!

Copyright © 2016 ParadoxPrime IA, All rights reserved

Recognizing Computer Threats – Malware

By Chris Williams

Why is my PC running so slowly?

Could it be malware? Plenty of non-malicious events can make a Windows computer run slowly: operating system updates downloading from Microsoft at inopportune times, unnecessary processes or services running in the background, disk fragmentation, or simply being overdue for a restart (which fixes more ailments than you might think).

However, if you're fairly certain it isn't any of these, or if you're just more paranoid than most, the next several paragraphs cover things to look at, all of which are easy to access via the Windows Resource Monitor (resmon.exe) or Task Manager. Keep in mind that the more you understand about the computer's performance under normal conditions, the more likely you are to spot malicious activity. Many Windows users, for example, have a fairly good idea of how much storage space is left on their machine; the same baseline awareness applies to memory, CPU time, and bandwidth.

Consistently High CPU Usage

Some malware consumes a great deal of CPU time (cryptocurrency miners are the obvious example), so a CPU Usage meter that is consistently pegged near 100% can indicate an infection. The CPU Usage History graph helps distinguish a short-term spike from something that has been running for a long time. We recommend scanning for malware in particular if CPU usage does not fall back to its normal level after a period of inactivity. Bear in mind that the reverse does not hold: much malware is written to stay quiet, so low CPU usage is not a clean bill of health.

Memory (RAM) Allocation

Malicious software can run background processes that consume noticeable amounts of memory, and may spawn related services you do not recognize. One approach is to close as many applications as possible, note any processes or services you are suspicious of, and look them up online. You will find plenty of information on Windows system processes and on services belonging to legitimate applications. Note, however, that malware frequently borrows the names of legitimate system binaries (svchost.exe is a favourite), so a familiar name running from an unexpected folder, or under an unexpected parent process, deserves the same scrutiny as an unfamiliar one. If you discover a process that appears to be malicious, conduct a thorough malware scan immediately.

Missing Disk Space

Viruses are self-replicating and can, if left unchecked, consume a sizable portion of disk space in a short time. This hurts performance because, as a drive approaches capacity, its effective read/write speed drops. If one day your drive has 200 GB free and the next day the same drive is inexplicably down to 20 GB, the logical next step is to find out what is consuming the space (any folder-size or disk usage tool will show you) and to scan for malware.

Network Utilization

Some malware types, spyware in particular, gather information about you or your computer and send it "home" to the attacker. Whether that information is used for identity theft or is simply reconnaissance for a future attack, some amount of network activity is required for the data to reach its destination. This can be hard to detect on a home network, but it is still important to know the signs: unfamiliar networking services, connections to unknown hosts (the Network tab of Resource Monitor and the `netstat -ano` command both show which process owns each connection), and an unusually high level of network activity, in particular when you are not browsing and have few or no other networked devices talking back and forth.
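As an added example (not from the original post), the following Python script automates the "connections to unknown hosts" check: it joins the output of `netstat -ano` (which lists each connection with its owning PID) with `tasklist /fo csv` (which maps PIDs to image names) and flags outbound connections to non-local hosts on ports a home PC should not be using. Both listings below are constructed samples in the real commands' formats, with addresses from the documentation ranges; the port list is an illustration, not a recommendation.

```python
import csv
import io
import ipaddress

# Constructed sample in the format printed by `netstat -ano` on Windows. The
# addresses come from the documentation ranges and the PIDs are made up.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.23:49712     198.51.100.10:443      ESTABLISHED     4120
  TCP    192.168.1.23:49801     203.0.113.77:6667      ESTABLISHED     6612
  TCP    127.0.0.1:5354         127.0.0.1:49700        ESTABLISHED     1188
  TCP    [::1]:49700            [::1]:5354             ESTABLISHED     1188
  UDP    0.0.0.0:5353           *:*                                    1188
"""

# Constructed sample in the format printed by `tasklist /fo csv`.
TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"chrome.exe","4120","Console","1","210,344 K"
"svchost.exe","6612","Console","1","8,120 K"
"mDNSResponder.exe","1188","Services","0","12,004 K"
"""

# Traffic to these networks (LAN, loopback, link-local) is ignored by the check.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10")]

# Remote ports a home PC has no business talking to (IRC is the classic botnet
# control channel; 4444 and 1337 are habitual reverse-shell choices). A baseline
# of what *your* machine normally does beats any fixed list like this one.
SUSPICIOUS_PORTS = {6667, 4444, 1337}

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; UDP lines have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append((proto, local, remote, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}

def split_endpoint(endpoint):
    """'203.0.113.77:6667' -> (IPv4Address, 6667); '[::1]:5354' -> (IPv6Address, 5354);
    the wildcard '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host in ("", "*") or port == "*":
        return None, None
    return ipaddress.ip_address(host.strip("[]")), int(port)

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def find_suspicious(netstat_text, tasklist_text):
    """Join the two listings on PID and return (image, pid, remote, reason) for
    connections to non-local hosts that deserve a closer look."""
    image_by_pid = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        ip, port = split_endpoint(remote)
        if ip is None or is_local(ip):
            continue
        image = image_by_pid.get(pid)
        if image is None:
            findings.append(("<unknown>", pid, remote, "PID missing from tasklist"))
        elif port in SUSPICIOUS_PORTS:
            findings.append((image, pid, remote, f"unusual remote port {port}"))
    return findings

if __name__ == "__main__":
    for image, pid, remote, reason in find_suspicious(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{image} (PID {pid}) -> {remote}: {reason}")
```

On the constructed data the only hit is the process calling itself svchost.exe, running in the interactive session and holding an IRC connection to an outside host; the browser's HTTPS session and the loopback mDNS traffic pass. To use it for real, save the two commands' output to files and read them in place of the constants, and replace the fixed port set with what you learned from watching the machine on a quiet day.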

Browser Redirection

After installing a "free" program or a file of dubious origin, you may find that your web browser's home page has changed, or that there are toolbars you never installed; both are cause for concern and should be investigated. Spyware and adware often contain browser-hijacking components, create pop-up ads, and cause other nuisances while surfing the Web. It is common even for legitimate download sites to bundle unwanted programs with their installers, but there will (or should) always be an opt-out: you simply de-select the extra software before confirming the download or installation. Less reputable sites may not give you that option, which is of course a red flag, but one that comes too late, as you will already have exposed your system to the threat.

Crashing or Locking Up

When a PC frequently crashes or freezes it could mean a few things, imminent hardware failure among them. While a failing hard disk or a bad memory module is definitely urgent, the possibility of malware needs to be ruled out with greater immediacy in order to protect your privacy and critical data; it is therefore recommended to scan the system for intrusion upon recovery from a crash, provided the system is stable enough to do so.

Addressing the threat of Malware

To supplement whatever your preferred antivirus/anti-malware product can detect (which is not everything), it is worth scanning regularly with more than one engine; by conducting in-depth scans with several different detection engines you gain some confidence that the computer is clean. Run only one product's real-time protection at a time, however: two resident scanners fighting over the same files cause instability and slowdowns, which is exactly why "second opinion" scanners such as Hitman Pro are designed to run on demand alongside your primary product. Some varieties of malware (spyware, frequently) also call for specialized removal tools. Lastly, since advanced malware can hide itself from the running operating system (rootkits hook the very APIs that scanners use to list files and processes), detection methods need to take that into account; one example is Avast's "boot-time scan", which runs before Windows finishes loading, so the malware is not yet running and cannot conceal itself.
A longer list of recommendations will follow in a future post. For now, here are tools that address the specific threats mentioned in this article:
• Avast (antivirus)
• Malwarebytes (anti-malware)
• Webroot (antivirus)
• Hitman Pro ("second opinion" scanner)
• Spybot Search and Destroy (anti-spyware)
• TDSSKiller (rootkit remover)

Understanding and avoiding future threats

Detection, prevention, and remediation are critical to keeping your computer safe from malware, but the best approach is to avoid infection in the first place. Certain "high risk" activities sharply raise your exposure: peer-to-peer file sharing, visiting adult websites, and downloading software from unscrupulous download portals. Less reputable portals wrap the installer you wanted with additional programs, usually spyware or adware, without your explicit permission. (You can frequently get around this by paying attention during the installation process and de-selecting any add-ons, but the safest course is to download from the developer's own site.)

Phishing and questionable links/files

Another major threat arrives via email. Phishing emails certainly aren't new, but their volume and sophistication are increasing dramatically, and the average user will most likely be fooled at some point into clicking on something they shouldn't. The lure is frequently a link that leads either to a look-alike login page designed to capture credentials or to a page that silently serves an exploit (a drive-by download). Another method, less common nowadays thanks to spam filtering, is an attachment disguised as a benign file type (a .pdf or .zip, or a double extension such as invoice.pdf.exe) which actually contains a malware package that installs itself once the user opens it. Whatever the mechanism, the goal is to compromise the victim's system by infecting it with malware.

One last thing to be very conscious of is that attackers can spoof addresses from your contact list to make a phishing message seem more trustworthy. With all of this in mind, here are some good practices to follow:
• Treat unsolicited file attachments as phishing attempts and delete them, regardless of file type.
• Verify the legitimacy of suspicious links you receive from known contacts before clicking on them, for instance by asking the sender through another channel. The same holds for URLs sent via messaging apps and SMS/MMS.
• If the subject line doesn't match the body, or there is no message body, consider it suspicious.
• Check the message headers: compare the "From" address with the Return-Path and Received headers and with any Authentication-Results (SPF, DKIM, DMARC) your provider adds, and hover over links to see where they really point. Bulk advertisement mail often legitimately uses a different envelope sender, so a mismatch is a prompt to look closer rather than proof of fraud.
• When in doubt, delete the message.
• Use free services such as VirusTotal (virustotal.com) to analyze even "safe" URLs for additional reassurance.
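The header and link checks above can be scripted. The following is an added example, not code from the original post, that runs them over a constructed message: it compares the From domain with the Return-Path, reads the receiving server's Authentication-Results, flags an empty body, and flags links whose visible text names a different host than their href (or whose href is a bare IP address). All addresses, hosts and header values in the sample are invented (.example and example.net are reserved names).

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: every name, address, host and header value is made up.
RAW_MESSAGE = """\
Return-Path: <bounce-48812@bulk.example.net>
Received: from bulk.example.net (bulk.example.net [203.0.113.5])
    by mx.example.com with ESMTP id 7Fq2; Mon, 07 Nov 2016 09:12:31 -0800
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.example.net;
    dkim=none; dmarc=fail header.from=wigits.example
From: "Wigits Customer Care" <support@wigits.example>
To: tom@example.com
Subject: Your Wigits order has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Not interested? Visit
<a href="http://198.51.100.23/u?id=4">www.wigits.example/unsubscribe</a>.</p>
<p>Track your order at
<a href="http://www.wigits.example/track">www.wigits.example/track</a>.</p>
</body></html>
"""

def domain_of(header_value):
    """'"Name" <user@host>' -> 'host' (empty string if there is no address)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def html_body(msg):
    """Decoded text/html part (for a single-part message, walk() yields the message itself)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    if not parts:
        return ""
    return parts[0].get_payload(decode=True).decode("utf-8", "replace")

def hostname_shown(text):
    """Hostname the link's visible text claims, if that text looks like a URL or domain."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host else ""

def analyze(raw_message):
    """Return human-readable reasons to distrust the message (empty list = nothing found)."""
    msg = email.message_from_string(raw_message)
    findings = []

    # 1. Does the visible From domain match the envelope sender (Return-Path)?
    from_dom, envelope_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {envelope_dom}")

    # 2. What did the receiving server's SPF/DKIM/DMARC checks say?
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth)
        if match and match.group(1) != "pass":
            findings.append(f"{mech} result is {match.group(1)}")

    # 3. Is there a body, and do its links point where their text says they do?
    body = html_body(msg)
    if not body.strip():
        findings.append("empty message body")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to a bare IP address: {href}")
        shown = hostname_shown(text)
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings

if __name__ == "__main__":
    for reason in analyze(RAW_MESSAGE):
        print("suspicious:", reason)
```

On the sample, the envelope sender and the From domain disagree, DKIM is absent and DMARC fails, and the "unsubscribe" link's text names the retailer while its href is a numeric address: five independent reasons to delete the message. The tracking link, whose text and href agree, produces no finding. In real mail the Return-Path mismatch alone is weak evidence (as the checklist notes, bulk senders do this legitimately), which is why the script reports reasons rather than a verdict.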

The Takeaway

PCs tend to slow down and perform less optimally over time. Excessive slowness, however, can be a sign of malware or other malicious activity affecting your system. No single anti-malware solution addresses every threat on the landscape, so instead of relying on one favourite, get used to scanning with multiple detection engines (one resident, the others on demand) to minimize risk. Safe browsing habits and an understanding of phishing campaigns are two of the keys to staying relatively safe online.

 

Copyright © 2016 ParadoxPrime IA, All rights reserved

Mirai, DDoS Attacks, and the State of IoT Security

By Chris Williams

Mirai

Mirai is a malware package designed to infect network-connected devices that lack basic security, gaining remote access to a large number of hosts (bots) for the purpose of conducting distributed denial of service attacks. Hackers control the infected bots from a centralized platform or command-and-control server, which can issue arbitrary commands to the entire botnet, push additional malicious payloads to individual bots, and more. Mirai infects a wide variety of improperly secured smart devices (it spreads by logging in over Telnet with a built-in list of factory default user names and passwords), which has led to renewed criticism of the IoT and its often lackadaisical security standards; web cams and digital video recorders, for instance, have been compromised using publicly known default credentials. Manufacturers often hard-code these credentials so that they cannot be changed during configuration of the device.

Mirai's source code was released into the wild in October 2016, following a series of attacks in which Mirai-powered botnets proved devastatingly effective. Among those targeted was noted cybersecurity blogger Brian Krebs (KrebsOnSecurity.com), whose site was under Akamai's DDoS mitigation service at the time; the attack was large enough that Akamai withdrew its pro bono protection and the site stayed offline until Google's Project Shield took it on. Subsequent attacks on the managed DNS provider Dyn were conducted, at least in part, with Mirai-powered botnets; this series of attacks caused major outages across a number of high-profile retailers and service providers.

Device Vulnerabilities

Vendors that manufacture "smart" devices have traditionally not put security at the forefront of their design goals; many such devices, for example, transmit credentials in clear text and are thus susceptible to eavesdropping, sniffing, and man-in-the-middle attacks. Many more ship with weak default passwords which end-users are never required to change. Looking up these credentials takes a simple Google search thanks to a number of Internet resources (plus the manufacturer's own documentation, in many cases). Additionally, not all vendors publish regular updates to address security issues, and those that do generally do not make such updates mandatory. Instead, manufacturers expect end-users to keep track of and install the latest firmware, which is not a realistic expectation for a large portion of these products' target audiences.

Although there is little one can do to prevent sniffing or MITM attacks against the devices themselves (HTTPS is often not even an optional setting), protecting the network in which they reside is more feasible. The usual advice of disabling SSID broadcast, setting up MAC filtering, and using a strong WPA2 key will keep honest people honest but won't deter a sophisticated attacker; a better investment is to put IoT devices on their own network segment (a guest network or separate VLAN) so that a compromised camera cannot reach your laptops and phones. Securing the router and running a network firewall that blocks unsolicited inbound connections (and disabling UPnP, which lets devices open inbound ports for themselves) mitigates attempts to locate and compromise IoT devices from the Internet, which is exactly how Mirai finds its victims. As for weak default credentials, best practice is to change any vendor-supplied passwords where possible (not always an option, as noted above), making sure the new credentials meet standard length and complexity requirements. Users should also visit manufacturers' websites and download and install firmware updates.

Botnets

The malware packages used to build botnets share several components: a backdoor through which the attacker gains remote access to the infected host, and various payloads that can then be executed on it, such as keyloggers, sniffers, adware, spyware, and so on. From a remote location the attacker can execute arbitrary commands on the victim and use it for a variety of other criminal activities, from sending spam to participating in DDoS attacks. In the latter case, the attacker directs thousands, tens of thousands, or even millions of infected hosts to send requests to a single target.

The goal is to overwhelm the target's processing power and its network bandwidth so that it crashes, stops responding, or at least becomes unreachable for the duration of the attack. Attacks can be brief, just long enough to make a point, or sustained; sustained DDoS attacks can last indefinitely, or until the attackers achieve some objective (usually a ransom payment, occasionally a political goal).

Botnets consist of so many victim hosts that it is impossible to monitor and direct them individually, hence the need for control servers that communicate with the entire botnet through a single administrative console; this gives attackers the ability to launch highly coordinated attacks that would otherwise not be possible.

Reflected and amplified DDoS

Current DDoS techniques are more sophisticated than simply pointing bots at a target and having them send traffic until it goes down. Instead of each participant interacting directly with the victim, attackers use reflection: the bots send requests, with the source address forged to be the victim's, to third-party servers, which "bounce" their replies to the victim. This conceals the identities of the attacking hosts as well as that of the command server. Reflection depends on UDP-based protocols (DNS, NTP, SSDP, and others), because UDP has no handshake to verify the source address, and on networks that fail to filter packets with forged sources (the ingress filtering described in BCP 38). Amplification techniques additionally make each reply many times larger than the request that triggered it, multiplying the volume of traffic that hits the target.

An example of an amplified and reflected DDoS attack:

  • Attacker botnet A sends a barrage of specially crafted DNS queries to host B, an open DNS resolver or authoritative server
  • The queries carry a spoofed source IP address, so they appear to come from host C, the actual target of the attack
  • Host B sends its responses to host C instead of back to the attacking botnet
  • Asking for record type "ANY", or querying names whose responses are large (EDNS0 lets responses exceed the classic 512-byte UDP limit, and DNSSEC-signed zones carry large RRSIG records), makes each response many times the size of the 30- to 40-byte query
  • The extreme volume of responses floods host C so that it cannot consistently answer legitimate traffic: it begins refusing connections, drops packets, and may even crash
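To show where the amplification comes from, here is an added example (not from the original post) that builds a DNS ANY query in wire format with and without an EDNS0 OPT record, pairs it with a constructed oversized response, and computes the bytes-delivered-per-byte-sent ratio. The response contents are made up purely to illustrate sizing; the real-world facts the code relies on are the 12-byte DNS header, the 512-byte classic UDP limit, and the EDNS0 record layout from RFC 6891.

```python
import struct

QTYPE_ANY = 255     # "ANY" asks for every record type at the name
TYPE_TXT = 16
TYPE_OPT = 41       # EDNS0 pseudo-record (RFC 6891)

def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, edns_bufsize=None, txid=0x1234):
    """A minimal DNS query: 12-byte header, one question and, if edns_bufsize is
    given, an OPT record telling the server the client accepts UDP responses up
    to that many bytes instead of the classic 512-byte limit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns_bufsize:
        # root name, TYPE=OPT, CLASS field carries the UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt

def build_constructed_response(query, txt_records):
    """A constructed answer to `query`: echoes the question and appends one TXT
    record per entry, each using a compression pointer back to the question name.
    It exists only to measure sizes; it is not data from any real server."""
    qname_end = query.index(b"\x00", 12) + 1 + 4   # past the name, type and class
    question = query[12:qname_end]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for text in txt_records:
        rdata = bytes([len(text)]) + text          # TXT: one length-prefixed string
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 3600, len(rdata)) + rdata
    return header + question + answers

def udp_response_size(response, edns_bufsize):
    """Bytes that actually cross the wire over UDP. Without EDNS0 the server must
    truncate at 512 bytes and set TC so the client retries over TCP, which an
    attacker using a spoofed source never does."""
    return min(len(response), edns_bufsize or 512)

def amplification_factor(query, response, edns_bufsize):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return udp_response_size(response, edns_bufsize) / len(query)

if __name__ == "__main__":
    big_answer = [b"A" * 200] * 20     # constructed: 20 TXT strings of 200 bytes each
    plain = build_query("example.com", QTYPE_ANY)
    edns = build_query("example.com", QTYPE_ANY, edns_bufsize=4096)
    response = build_constructed_response(edns, big_answer)
    print(f"query {len(plain)} B without EDNS0, {len(edns)} B with; response {len(response)} B")
    print(f"amplification without EDNS0: x{amplification_factor(plain, response, None):.1f}")
    print(f"amplification with EDNS0 4096: x{amplification_factor(edns, response, 4096):.1f}")
```

The numbers make two points. Adding eleven bytes of OPT record to the query lets the reflector send back more than four kilobytes instead of 512, so the ratio jumps from under 20x to over 100x; the attacker pays nothing for the truncation flag because it never sees the reply. The mitigations on the reflector side are the mirror image: refuse or minimize ANY answers over UDP, rate-limit responses per destination (response rate limiting), and, on every network, drop outbound packets whose source address could not have originated there (BCP 38).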

DNS infrastructure: single point of failure

The attacks of Friday, October 21st, 2016 against managed DNS provider Dyn brought down Etsy, Twitter, PayPal, Pinterest, and dozens of other clients for several hours. The scope and sophistication caught many off guard, as there had not previously been large-scale attacks of this nature against the DNS infrastructure itself. The events also illustrated a weakness that had previously received little attention: managed DNS without an additional layer of redundancy is still a risk. Most of the companies affected by the Dyn outage had no back-up name resolution strategy in place; no secondary provider was on standby for such an event. Managed DNS therefore became a single point of failure for these companies and the sites and services they offer, and the lack of business continuity planning was very evident in retrospect. (A site whose name cannot be resolved is unreachable even though its own servers are perfectly healthy; the attacker never has to touch them.)
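A simple way to check whether your own delegation has the weakness described above, as an added example (not from the original post): group a zone's nameservers by operator and by IPv4 /24 and report whether everything hangs off one provider. The nameserver names and addresses below are constructed; in practice you would feed the script the result of `dig +short NS yourzone` and an address lookup for each name. The operator grouping assumes a two-label registrable domain, which a real tool would replace with a Public Suffix List lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the nameserver set of a hypothetical zone as (hostname,
# IPv4 address) pairs. Names and addresses are made up (documentation ranges);
# nothing here was resolved from the real DNS.
SINGLE_PROVIDER = [
    ("ns1.dynprovider.example", "198.51.100.10"),
    ("ns2.dynprovider.example", "198.51.100.11"),
    ("ns3.dynprovider.example", "203.0.113.10"),
]
TWO_PROVIDERS = SINGLE_PROVIDER + [
    ("ns1.otherdns.example", "192.0.2.53"),
    ("ns2.otherdns.example", "192.0.2.54"),
]

def provider_of(ns_host):
    """Registrable domain of a nameserver name ('ns1.dynprovider.example' ->
    'dynprovider.example'). Simplification: assumes a two-label registrable
    domain, which is wrong under suffixes such as co.uk."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def delegation_report(nameservers):
    """Group the zone's nameservers by operator and by IPv4 /24, and say whether
    the delegation depends on a single provider (the failure mode seen at Dyn)."""
    by_provider = defaultdict(list)
    subnets = set()
    for host, addr in nameservers:
        by_provider[provider_of(host)].append(host)
        subnets.add(ipaddress.ip_network(f"{addr}/24", strict=False))
    return {
        "providers": dict(by_provider),
        "distinct_subnets": len(subnets),
        "single_point_of_failure": len(by_provider) < 2,
    }

if __name__ == "__main__":
    for label, servers in (("single provider", SINGLE_PROVIDER), ("two providers", TWO_PROVIDERS)):
        report = delegation_report(servers)
        print(label, "->", "SPOF" if report["single_point_of_failure"] else "ok",
              f"({len(report['providers'])} operator(s), {report['distinct_subnets']} /24s)")
```

Three nameservers in two subnets look redundant until you notice they all belong to one operator; adding a second operator is what turns the delegation into something that survives one provider's outage. Note that the secondary has to be kept in sync (zone transfers or a dual-push from your provisioning), which is the part most affected companies had never set up.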

In terms of network throughput, the traffic volume was among the largest in Internet history, significantly larger than previous DDoS attacks, which is alarming given that attacks have been growing steadily more sophisticated over the last few years. The attack on KrebsOnSecurity was measured at roughly 620 Gbps; estimates for the Dyn attack ranged higher but were never confirmed. Volumes of that order are enough to overwhelm just about any target, even one behind a commercial DDoS mitigation service. (For reference, most DDoS attacks still generate less than 10 Gbps.) The conclusion is that DDoS mitigation alone does not reduce the risk satisfactorily; redundancy across providers and upstream filtering of spoofed traffic are needed as well.

Pressure device manufacturers

As widely publicized botnet DDoS attacks become more common, including those aimed at public DNS infrastructure, consumers and security experts alike are asking how these products can be made more secure. There is no clear answer, given the lack of industry-wide standardization, and we presently have no way to force vendors to improve the security of their devices.

One can hope that a coalition of vendors, retailers, experts, and consumer advocates will come together and author an enforceable, open compliance standard. Or we may see legal intervention by the U.S. government (not likely, given past reluctance to formulate nationwide security standards outside of federal agencies and specific contexts such as educational institutions). Short of either happening, consumers can still put financial pressure on vendors: if insecure products stop selling, vendors will move to make future products more secure.

 

Copyright © 2017 ParadoxPrime IA, All rights reserved