iBoss blog: Understanding the keys to writing successful ransomware

It’s ironic that we have to look to the authors of ransomware for examples of some of the leading aspects of software engineering. And while what they are doing is reprehensible and criminal, they ply their trade with improvements in customer service, use the cloud to package their programs, and lead in understanding the psychology of their ultimate victims. With all this effort going into developing malware, it isn’t surprising that this category has become very adept at making money. Perhaps legit software vendors can learn from some of these experiences, while hopefully avoiding some of the darker forces. There are also some important lessons here that IT folks can use to better defend their networks.

First, there is using the cloud. Several ransomware authors are making use of the cloud to deliver some of the key elements of their code. The malware authors deploy a NW Javascript library that appears harmless, but allows access to operating system functions to better control their target PCs. This ups the ante in terms of danger and also complicates efforts to protect such infected computers. A second aspect of using the cloud is how some ransomware samples download their initial infection from a series of shared Google Docs accounts, to try and make these sources more difficult to track.

But coding prowess is just one side of the ransomware effort. Another is the ability to exploit human psychology and social engineering. One group researching the underlying operations of Cryptowall found that the ransomware was advertising different pricing in different geographical locations. For instance, the US fee was several hundred dollars higher than the fees for countries like Russia, Mexico and Israel. This demonstrates that the purveyors of malware understand median incomes and will change their demands when their victim’s locale calls for it. If the ransom isn’t paid on time, it doubles. This shows prior criminal experience and an understanding of how we all think: act now to pay less!

Another part of the underlying Cryptowall infrastructure is how it exploits the Bitcoin payment network, moving money through a series of collector accounts until it’s ultimately out of the network and presumably into the criminals’ own banks for final payment.

Finally, there is the built-in live chat support. Many legit apps and SaaS-based services now come with live operators who will enter into text chats with end users to help them solve any problems. A ransomware sample called Jigsaw now offers this same chat “feature” to answer questions on how to pay the ransom and better collect it from victims. “By providing a human voice to go to and by making the process of paying the ransom easier, the purveyors of the new Jigsaw variant appear to be trying to convince users into paying up,” according to the Trend Micro researchers who first uncovered the chat routine. Jigsaw also exploits some social engineering of its own, starting off by locking just a few files and then adding more to its encrypted repository if the victim hesitates to pay the ransom.

The malware authors offer “better support than [users] get from their own Internet service providers,” says Angela Sasse, a psychologist and computer scientist at University College London who is quoted in this Nature magazine article. She says that many of the victims of ransomware rave about the customer service and support they got while paying their ransoms.

All of this shows that ransomware is attracting more professional developers, as the ill-gotten gains from these malware efforts keep growing. It’s too bad that all this coding couldn’t be used for good rather than evil.

Announcing Inside Security: a new email newsletter

I am excited to announce that beginning today there is a new source of high-quality infosec news, analysis, reviews and trends. I have joined forces with Jason Calacanis’ Inside.com to produce Inside Security. The email newsletter will appear twice a week and contain links to content that I find interesting, useful, and cutting edge for CIOs, CISOs, and other IT professionals who want to stay on top of the latest exploits and defenses.

You can subscribe here and view a sample newsletter to see if this is relevant to your interests. Inside Security joins other newsletters such as Inside Tesla, Inside VR&AR, and a tech-based daily brief.

IBM SecurityIntelligence blog: Can You Still Protect Your Most Sensitive Data?

An article in The Washington Post called “A Shift Away From Big Data” chronicled several corporations that are actually deleting their most sensitive data files rather than saving them. This is counterintuitive to today’s collect-it-all data-heavy landscape.

However, enterprises are looking to own their encryption keys and to protect the privacy of their metadata. Plus, there is a growing concern that American-based companies are more vulnerable to government requests than offshore businesses.

You can read more on IBM’s SecurityIntelligence.com blog here.

EventTracker blog: Should I be doing EDR? Why anti-virus isn’t enough now

Detecting virus signatures is so last year. Creating a virus with a unique signature or hash is quite literally child’s play, and most anti-virus products catch just a few percent of the malware that is active these days. You need better tools, called endpoint detection and response (EDR), such as those that integrate with SIEMs, that can recognize errant behavior and remediate endpoints quickly.

I like to think about EDR products in terms of hunting and gathering. You can read more in my post in EventTracker’s blog this week here.


Authentic8 whitepaper: Why a virtual browser is important for your enterprise

The web browser has become the de facto universal user application interface. It is the mechanism of choice for accessing modern software and services. But because of this ubiquity, browsers carry a greater burden to handle security carefully.

Because more malware enters via the browser than by any other route across the typical network, enterprises are looking for alternatives to the standard browsers. In this white paper that I wrote for Authentic8, makers of the Silo browser (their console is shown here), I talk about some of the issues involved and the benefits of using virtual browsers. These tools offer some kind of sandboxing protection to keep malware and infections from spreading to the endpoint computer. This means web content can’t easily reach the actual endpoint device that is being used to surf the web, so even if the browser session is infected, the infection can be more readily contained.

Network World 9-vendor multifactor authentication roundup

Due to numerous exploits that have defeated two-factor authentication, many IT departments now want more than a second factor to protect their most sensitive logins and assets. The market has evolved toward what is now being called multi-factor authentication or MFA, featuring new types of tokens and authentication methods.

For this review in Network World, we looked at nine products: five that were included in our 2013 review, and four newcomers. Our returning vendors are RSA’s Authentication Manager, SafeNet’s Authentication Service (which has been acquired by Gemalto), Symantec VIP, Vasco Identikey Authorization Server, and TextPower’s SnapID app. Our first-timers are Nok Nok Labs S3 Authentication Suite (pictured above), PistolStar PortalGuard, Yubico’s Yubikey and Voice Biometrics Group Verification Services Platform.

All of these products are worthy of inclusion in this review as representative of where the MFA market is heading. In addition, if you want to stay on top of MFA developments, we recommend you follow our Twitter list here.

My review also features a collection of screencaps here, and an overall trends rundown as well here.


iBoss blog: When geolocation goes south


What do a Kansas farm and a seaside McMansion have in common? Both have been discovered as the result of various geolocation-programming errors over the past several years.

Certainly the use of global positioning system (GPS) chips now built into tablets and smartphones is mostly a benefit when it comes to navigating to a meeting spot or finding a nearby gas station or restaurant. But the ubiquity of GPS tech also has its downsides.

Take the case of that Kansas pasture. For more than a decade, the owners of a small family farm outside of Wichita got regular visitors and calls from people who thought their farmhouse was the center of criminal activity or digital abuse. The reason had to do with a deliberate rounding of the latitude and longitude for the center of the continental US. And thanks to software that matches up IP addresses with a location, their farm was showing up on thousands of records, including as the default location for scammers and other questionable situations.

“The harassment continued to the point where the local sheriff had to intervene. He placed a sign at the end of their driveway warning people to stay away from the house and to call him with questions,” according to the post. Sadly, that didn’t help. One irate visitor even dumped a defective toilet on their driveway in frustration.

Others around the country have suffered a similar fate, such as a man in Ashburn Virginia whose home has been attached to millions of IP addresses from the Internet service providers who are located in nearby data centers. Think of them as “living in an IP flood zone” as the above article calls these geolocation disasters.

However, there certainly are other unintended consequences. One report ties the tracking bracelet worn by noted cartel boss El Chapo to the way his confederates located the escape tunnel they dug to come out precisely inside his cell. And an ISIS fighter found out too late that his Tweets were being geo-tagged, broadcasting his whereabouts. In another case, a divorce lawyer monitored the social media of his client’s Gen Y children to geolocate properties that weren’t mentioned in the original filings. “We were able to go to the court with a list of assets that we conservatively estimated at $60 million, which the court then seized.”

Even if you don’t geotag your social media posts, there are still ways to figure out where you live, according to this academic research paper published last year. The scientists examined their friends’ geolocations and were able to estimate the target within a few miles.

So what can you do to prevent this? First, understand the accuracy limitations of any enterprise-level geolocation technology that you use. Actual mileage, as the saying goes, can vary. Although geolocation technology has been around for more than a decade, it isn’t precise enough to pin a location down to a particular household or street address. Facebook’s “safety check” warnings that its users might be inside a disaster zone turned out initially to be not very accurate, after people around the world were warned they might be near a bombing in Pakistan. Hopefully, the alert location algorithms have been improved since then.

Second, examine the developer tools that are available to employ geolocation and understand what apps you are trying to build. Look at what Google and Facebook are doing in this field and how you can tie into existing mapping efforts from these giant software vendors.

Finally, examine the settings for any corporate-owned phones and tablets and make sure you turn the geolocation features off if this is a concern.

Veracode blog: What kind of tools do you need to secure mobile apps?

The days when everyone was chained to a fixed desktop computer are long over. But it isn’t just about being more mobile, or using more mobile devices, or letting your users bring their own devices and use them at work. It isn’t just that the workday is no longer 9-to-5 and users expect to get their jobs done whenever and wherever they might be in the world. No, it is about moving to a completely new way of delivering IT services, which presents both challenges and opportunities for IT.


The challenge is being able to secure all these different devices and still allow users to get their work done. The opportunity is that IT can become a more agile place, while at the same time being able to finally implement a consistent and universal applications security policy across the enterprise. This means that we need to secure the app and not the endpoint device itself, whatever it may be. We need to build apps from the start with the requisite security, rather than rely on some dubious perimeter protection.


It makes sense for IT to allow users to bring their own devices. “We started out trying to manage our mobiles and standardize on particular corporate-owned devices, but within two or three months, we found that we had a completely new set of devices to choose from. Phones were being introduced faster than we could vet them for our approved list,” said American Red Cross CIO John Crary. Now the Red Cross can focus on more important matters.

There are several ways to do this. One is to deploy a mobile device management (MDM) tool. These products set up security policies for a device, such as what happens when a device is lost or stolen, or how personal data is stored on the phone or tablet. A recent survey by independent analyst Jack Gold shows that there is a wide variation in which MDM components are actually deployed by large enterprises.


Another is to purchase a single sign-on (SSO) product that offers some MDM features. I agree with Gartner and other analysts who see a bright future when these two types of products can be better integrated. Single sign-on products could be a good choice if you want to protect your mobile endpoints with more than just their login passwords but don’t want to purchase a separate MDM solution.

While MDM and SSO tools are useful, an even better method is to make use of an application construction kit such as what Veracode offers and build in security controls for each mobile app. If you go this route, you’ll want to think about the following five issues:

  1. To stop SQL injection, developers must prevent untrusted input from being interpreted as part of a SQL command. What is untrusted input? Basically anything and everything coming from the Internet. The best way to do this and stop SQL injection is with the programming technique known as query parameterisation. While you are browsing this link, check out some of the other common vulnerabilities that the Open Web Application Security Project has compiled. Better yet, make sure your developers have their top 10 list covered, or that they know where to find and fix them with appropriate security controls.
  2. Make sure you treat your passwords with care. Forget about storing them in plain text; you should employ the most current techniques to protect them, such as salting with random values and one-way hash algorithms.
  3. Do you need geofencing? If your staff travels outside of the United States, having the ability to lock or permit access from particular geographies could be important for keeping your data on your mobile devices more secure. There are numerous tools that can help build this into your app.
  4. Properly authenticate your user logins. An application should require users to re-authenticate to complete a transaction or event to prevent in-session hijacks. They also should make use of multi-factor authentication as part of the app itself, or deploy this authentication inside an SSO or MDM tool.
  5. Know the vulnerabilities in your chosen programming language and make sure your code avoids them. There are various tools (such as from Veracode) that can help spot these.
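As an added example (not code from the original post or from Veracode), the following shows items 1 and 2 above in working code: a string-built query that lets input change the command, the parameterised version that doesn't, and salted one-way password hashing. The users table, its rows and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: untrusted input is spliced into the SQL text, so it can
    alter the command itself instead of only the value being compared."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised: the driver binds the value; it can never become SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Salted one-way password storage (item 2). Iteration count is an assumption;
# raise it as far as your login latency budget allows.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt per user means identical
    passwords yield different digests, defeating precomputed lookup tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # classic test input from the OWASP material
    print("unsafe:", lookup_unsafe(db, probe))   # every row leaks
    print("safe:  ", lookup_safe(db, probe))     # no match
```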

iBoss blog: Turning the tide on polymorphic malware

Security startups are using the techniques of polymorphic malware to better protect enterprises, taking a tool from the hacker’s world and using it for good instead of for evil. Let’s look at why this is important and why you should care.

Polymorphic malware is nasty stuff. It adapts to a variety of conditions, operating systems and circumstances and tries to evade whatever security scans and protection products are in place in order to infect your endpoints. It is called that because it shifts its signatures, attack methods, and targets so that you can’t easily identify and catch it.

But turnabout is fair play, especially when it comes to infosec. And now some very clever companies are taking the notion of polymorphism and using it as a defensive countermeasure. Vendors such as JumpSoft, Morphisec, Shape Security and CyActive (now part of PayPal) can make a target Web server or other piece of network infrastructure appear to change frequently so it can’t be easily identified or infected.

This can thwart attackers that are trying to identify your servers, domain accounts or unpatched endpoints and use targeted exploits to worm their way into your network. As Dudu Mimran, the CTO of Morphisec, says on his blog, “An attack is composed of software components and to build one, the attacker needs to understand their target systems. Since IT has undergone standardization, learning which system the target enterprise uses and finding its vulnerabilities is quite easy.”

Actually, polymorphism isn’t exactly new. Academics have been writing research papers about it for years, under the rubric of “moving target defenses.” There have been two Association for Computing Machinery (ACM) conferences: one in November 2014 in Arizona and a second one last November in Denver. Both covered many ways of implementing such a defense, such as with game theory and other advanced algorithms.

In an article for Network World, a Morphisec executive wrote about three categories of polymorphic defenses. These include network actions (such as changing the apparent IP address), host actions (such as changing host names and other characteristics), and application actions (such as changing the memory layout of an application’s process so its code can’t be found and executed by an exploit).

The products are still mostly at the startup stage, but they are quickly evolving and gaining customers. For example, Shape sells an appliance that sits behind an enterprise load balancer and with a few configuration commands can protect your network from DDoS, man-in-the-browser and account takeover attacks. It dynamically changes the code behind each page displayed by your web server every time it is loaded. This defeats many of the automated scripts used in these kinds of exploits.

Today’s polymorphic defenses generally perform a series of actions. First, some kind of trusted source controls the dynamic, real-time changes to a host server, such as a web or database server. Then they create something that isn’t easily recognized by typical attack patterns. These changes are implemented so that external users can’t predict what will happen, and thus can’t easily respond or reuse existing attack methods. Finally, they make sure their own code is hardened in such a way that it can’t be easily reverse engineered.

Whether these polymorphic defenses will prove vulnerable to even more sophisticated exploits isn’t yet clear. And whether they will ultimately prove unworkable, given all the security features that they have to manage under the covers, also isn’t a sure bet. But at least the bad guys are finally getting a taste of their own evil-tasting medicine, and these tools could prove to be a valuable addition to your security arsenal.

iBoss blog: How Stronger Authentication Methods Can Better Secure Cloud Access

There are many myths about cloud computing. One common one is that servers in the cloud are less secure than when they are located on-premises. Like so many other myths, this has some basis in fact, but only under a very limited set of circumstances. In my latest post for iBoss’ blog, I talk about ways to better secure your cloud-based servers using multifactor authentication (MFA) and single sign-on (SSO) methods to better protect these assets.