Category: Information Security

05
May
2020

EventBot Android Malware and Why I Won’t Leave the iPhone

The Hacker News reports that there is a new Android based malware called “EventBot” that is making the rounds in rogue app stores and APK download sites that are not part of the official Google Play ecosystem. In reading The Hacker News article, this sounds pretty nasty but it begs the question, why are users of Android devices are so bent on using app stores and websites that they have no way of know are providing legitimate apps or not? It makes no sense to me.

  • Is it because they don’t know any better?
  • Is it because their phone manufacturer pushes some junk alternative app store to their customers?
  • Is it because they want to use apps they can’t in the Google Play store?
  • Is it because they want to feel rebellious?
  • Is it because they don’t want to be kept down by the “man?”

I have no idea, and I don’t know why these phone users expose themselves to these risks with such a valuable trove of information sitting on their device.

Full disclosure, I am an Apple iPhone user, and probably will be forever. It’s not because I love everything Apple and must have everything Apple. Clearly that isn’t the case given my professional background. It is a combination of economic factors, security factors, and usability factors.. I am bought into the Apple mobile device app ecosystem and it is too costly to leave.

Apple Strengths

There are some things that Apple does do better than the Android community can do, primarily because it is a closed ecosystem.

  1. They keep their users safer because bad actors have a much harder time getting truly malicious software past the app store guardians. Sure there are people that jail break their iPhones, but let’s face it, they are few and far between and most users don’t care to spend the time doing so only to void their Apple Care plan.
  2. I don’t care what kind of Snapdragon processor you have in your Android phone or many milliamp-hours your battery is rated for, they just cannot outlast and out perform an iPhone. You may be able to outperform an iPhone at certain tasks and drain your battery in an hour, or you may be able to make your battery last all day but not get any performance but you won’t be able to do both easily. I have yet to see an Android phone (you can throw any Samsung SXX model out there at this) hold up against any serious comparison to the iPhone processors and battery life combination. I attribute this to the closed Apple ecosystem as well. The software written for apple devices is always highly optimized for just that platform. There is no need to trade off compatibility for performance or battery life. Android’s open ecosystem approach just can’t do this effectively when you have hundreds or thousands of device models you have to play nicely with.
  3. The phones are reliable and they don’t crash*. I can’t count the number of times I have had Android OS phones just restart on me in the past or crash outright. Maybe it was a bad app, or maybe my specific manufacturer’s device model wasn’t tested with the app. Or maybe it was a combination of the app and some random launcher I am using on my Android phone that caused it. Needless to say, my iPhone 11 pro just doesn’t crash, at all. It reboots when I want it to or when it does an update.

*assuming you aren’t running a beta version of their iOS software or trying to us a really old device with a new iOS version. If you want to be bleeding edge or never buy new hardware, you are going to have issues on any platform.

Android Strengths

On the flip side, you can do some really cool things with Android devices that you can’t do with Apple devices.

  1. You can interact with your device at the hardware level and as long as you give an app permission to do it, they can do a whole lot. Want to record phone calls? No problem. Want to quickly and easily side load an app? No problem. Want to completely change how your phone keys work? No problem. Android is all about letting people do what they want when they want. For better or worse.
  2. You can make the phone look and feel exactly how you want. Don’t like that app launcher? Change it. Don’t like the app manager and user interface? Change it. Want the light to flash purple when you get a slack message? Go for it. Again, Android is all about the ability to make the phone do anything you want, regardless of the performance and security impacts it may have.
  3. You can find a model of phone with just the features you want at the price you want. There is no “Apple tax” when buying an Android device. Just pick the model from the thousands out there that fits your needs and budget.

What is Best For Me

The nerd in me loves these things about Android, but the practical user side of me does not. When I pick up my phone I want to know that it is going to work without any issues – every time. I don’t want to worry about a new app launcher eating up my battery and destroying the CPU usage. I don’t want to worry if that app I just downloaded has malware in it it. I don’t want to have to manage app permissions at such a granular level that I have to worry about every little thing it has access to in the OS.

At the end of the day, I just want a device that works. That means iPhone with iOS will consistently be more capable and secure for my use case. I am willing to live with the lack of customization in some respects in order to have a better overall user experience with performance and security. An experience that doesn’t require my constant attention to achieve. I have enough other things to worry about each day, my phone should not have to be one of them.

23
Mar
2020

Information Security in the Age of COVID-19

The Hacker News is running several interesting articles related to information security and COVID-19 as they relate to emerging threats. Specifically, the threats that a newly mobilized remote workforce faces when many of them have little on detecting threats outside of their normal work environment. While the article referenced specifically touts Cynet’s service offering, the guidance offered is applicable across the board.

Take for example, all of your new remote workers who are receiving all or some of their direction via personal communication channels whether they be phone, SMS, or email. How many of these staff are capable of discerning phishing messages on their personal devices? It is one thing when they have a corporate suite of products assisting them to make these judgement calls, but when they don’t have those can they still be trusted to determine who the bad actors are? In all likelihood the answer is going to be that remote workers are going to be less capable of protecting themselves without new training programs and time to become acclimated to their new reality. COVID-19, however, has made it so there is no time to do so in the face of mandates to have 100% of your workforce out of the office. Introducing new training for these workers about how to protect themselves in this chaotic time is going to be crucial not only for them but also for the well being of the organization as a whole. In addition to training, all information security teams should be looking at how to best to detect unauthorized data loss as well as unauthorized access into corporate networks. It also goes without saying that any remote access solutions should also be protected by two-factor authentication.

Be well, be safe, and secure your networks.

23
Jan
2020

Microsoft Exposes Elasticsearch Database to the World

Security Week reports that Microsoft has suffered a mishap with a handful of its Elasticsearch databases causing approximately 250 million customer support records to be exposed. While financial information for these clients was not exposed, it does appear that the data could be used for phishing attacks and tech support scams.

Of course the kicker is that Microsoft runs one of the largest cloud services on earth where users must take great pains to secure these systems that they setup. Now it turns out the company running these types of services can’t secure their own systems. While I know that these Elasticsearch databases were not really part of the Azure cloud service, it does beg the question that if Microsoft can’t secure their own systems, how can their clients ever hope to completely secure their own systems in the Azure cloud. If nothing else, this should serve as a reminder that no company, person, organization, etc. is immune to security lapses and great care should always be taken to secure both internal and cloud systems.

03
Dec
2019

VNC Client and Server Software Vulnerabilities Found

The Hacker News reports that dozens of new VNC client and server vulnerabilities have been found in the open source versions of the tools used by IT departments all over the world. If you are like me and think “VNC, who uses that any more?” then you should go check out a YouTube video by Tobias M├Ądel where he connects to open VNC servers all over the internet. Sure, the video is from 2015, but when you think about how quickly industrial plant management software and device firmware is updated you can bet money that there are still plenty of open VNC servers still running and accessible.

The moral of the story? Don’t expose critical systems and services (like RDP and VNC) over the internet unless it is absolutely essential. If it is essential, and you can’t put them behind a VPN, then you had better use a very strong and complex password to secure the access. Even with a VPN you should do that. Lastly, you need to makes sure you and any vendor you are purchasing software and devices from have a strong policy of pushing out updates anytime a vulnerability is found. You can’t afford to wait five years for an update when your chemical plan control system is left completely exposed on the internet through remote access software flaws.

13
Nov
2019

The End is Nigh! Time to Ditch Windows 7 Now

ITWorld has a very interesting long running series of articles chronicling the slow but steady demise of Windows 7 and the slow but stead rise of Windows 10 in terms of market share. Come January 14th 2020, Windows 7 support will officially end (unless you want to keep paying Microsoft for security updates on a per PC basis) and you will no longer get all of those critical updates needed to keep your organization secure.

What amazes me about the whole process is the prediction by Net Applications that Windows 7 may retain 10+ percent market share well into 2022, long after support has ended and almost every known flaw will be easily exploitable. Don’t get me wrong, I know first hand how painful it can be to update and replace thousands of physical PCs to get rid of an old OS but as hard as that may be, it is well worth it. In my own experience, the reduction in vulnerabilities just from going to a fully patched version of Windows 7 to a fully patched version of Windows 10 will make a world of difference on your audit scorecards.

Please do you and your organization a favor and move to Windows 10 now. You will be happy you did and it will allow you to sleep better at night.

11
Nov
2019

Your People Are Your Biggest Threat

The Hacker News has an article posted from November 7th about a rogue TrendMicro employee stealing customer data and selling it to a tech support scammer. This goes to show, once again, that your people are always your biggest threat. Whether they are clicking on malicious links in from that prince who sent them an email or actively stealing data to sell on the black market, they are likely going to do something to cause you serious pain. Many companies don’t know how to combat these threats or are completely oblivious to what their people may be doing. Here are some ideas to help protect your organization:

  1. Invest in training – Train, train, train, and then train your staff again to be vigilant and know how to recognize a malicious email, phone call, or text message before they divulge any information. If they fall for one, deliver on-the-spot training to help them learn from their mistake.
  2. Invest in more than your average anti-virus software – Advanced Persistent Threats (APTs) are the buzzword of the decade. While you don’t need to listen to all the marketing hype, you should have a host based security solution on your PCs and servers that does more than just look for known signatures. It needs to identify unknown threats as well as known threats, block ransomware, stop data being transferred to removable storage, and more.
  3. Adopt a policy of least privilege – Does that receptionist really need local administrative privileges on their PC? Does that staff trainer really need access to the marketing database? I don’t think so. If people don’t need access to data, make sure they can’t get to it.
  4. Classify your data – What is in that random word document on the accounting shared drive? Is it something that shouldn’t leave the building? If it is, make sure you are tagging the document and putting restrictions in place on your firewalls to stop it from leaving. Do this for all of your data and put rules in place to protect it where it is stored.
  5. Invest in Data Loss Prevention (DLP) tools – Make sure data isn’t leaving your organization. Have tools that can observe data movement, alert, and stop it from happening if needed.
  6. Protect your data from and in the Cloud – Invest in Cloud Access Security Brokers (CASBs) if you allow your staff to store data and work in the cloud. You don’t want data stored improperly in services like Slack, Office 365, Dropbox, Gmail, or somewhere else.

There are many other things you could do as well, but I would argue if you have these tools in place and configured properly, you just might avoid ending up like TrendMicro.

10
Nov
2019

The Best Defense is a Good Offense

Krebs on Security has an article published on October 16th from this year (I know I am behind) detailing the attack of a known black market card fraud site BriansClub. What is interesting about this whole hack is that it is not some vigilante group going after the site to save consumers, but rather it is a rival black market operation trying to sabotage the operations of one of their competitors. In essence, this was a business decision made by one of BriansClub’s competitors to try and take them out of business. It’s similar two warring cartels attacking each other until the other doesn’t have the resources or the people to continue operations.

This does beg the question though, why not make offensive operations against these kinds of sites the norm, not the outlier? In the financial services industry we have a number of cybersecurity information sharing organizations, maybe it is time to establish an offensive cyber operations organization that doesn’t just share information about known threats but actively seeks them out and attempts to disrupt illegal operations. Of course there are potential pitfalls with this type of setup. The efforts of this type of group would have to be carefully watched by both the industry and law enforcement to ensure the operations were focused solely against illegal operations in the dark web. The last thing you would want would be to have a group that was supposed to protect consumers decide to go rogue.

Risks aside, it seems like it is time to open up and publicly establish more direct industry operations against these criminal elements. Sharing information will never prevent fraud, these sites have to be shown it isn’t worth operating because they will be taken down before they can ever make any money.

26
Aug
2019

Time To Unplug Your Smart Ovens

The Verge reports that owners of the June smart oven have been experiencing some seriously concerning incidents recently involving the oven’s preheating without their owner’s knowing. This continues to raise questions about just how much control you want to give smart devices over your house and its critical systems. While I am not sure what the true cause of the issue is, it should make everyone re-think connecting so called “smart” devices that can cause serious physical damage if something goes wrong. An oven is a perfect example of this kind of device.

Smart ovens, locks, etc. all sound great until they are hacked, poorly programmed, designed poorly, etc. When your smart device can let a malicious person into your home, cause your food to go bad, burn down your home, track your movements, etc. then it is time to rethink just how smart you want your home to be. I know smart devices are the way of the future, I have many of them myself, but I never hook them up to anything that could physically damage my home. There is too much risk to take given that the health of you and your family are at stake.

I urge anyone considering these devices to evaluate why they are needed and if you can live without them. After all, preheating your oven is great, but not burning down your house is even better.

07
Apr
2019

New Breach Identification Service Launches

There is a new data breach identification service, Breach Clarity, that is the first of its kind to offer guidance on what a consumer should do if they are part of a breach. The service doesn’t replace the work that other sites like Have I Been Pwned do but complements it. Once a consumer verifies that their information has been exposed as part of a data breach through a site like Have I Been Pwned, they then can go and enter the name of that breach on the Breach Clarity site to determine what they need to do to protect themselves based on the data that was harvested.

This is a huge positive step in the fight to help protect consumers when their personally identifiable information (PII) has been disclosed. Up until now, there has not been a resource that gives real guidance on what to do if you were a victim of one of these breaches. The best you could do was know that you were a part of the breach and then if you read sites like Krebs On Security, you would know to freeze your credit reports. With Breach Clarity consumers now have a resource that provides real guidance on what to do when their data is no longer private. I strongly encourage you to check this site out and make sure that you have taken some of the steps it suggests if you have been part of a data breach.

As a reminder, some of the best things you can do whether you are a part of a current data breach or not are:

  1. Use a different password for every online account, never use the same one multiple times. You will need to find a password manager program like 1Password or LastPass to help you mange these.
  2. Freeze your credit reports – it is just a good idea to do that. There is no need to leave them unfrozen and if you know you are going to need to get a loan or have a credit check done, use a temporary thaw period.
  3. Disclose as little about yourself on social media as you can. Do you really need everyone to know your phone number, email addresses, addresses, etc? Protect that information and only disclose it to those that really need it. If you are using your mobile phone or email as a second factor of authentication on accounts, it is even more important to protect these details.
  4. Always use two factor authentication when a service provider allows it. Even better, use an app like Google Authenticator or Authy to provide the one-time passcodes for these services. Don’t use your phone number or email address unless there is not another option.

Stay safe out there.