Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 30 September 2016

A Very Sophisticated Hack...

If you search for the phrase "very sophisticated hack" and do a little digging, you'll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.

Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals SQL injections (I'm looking at you, TalkTalk) to second hand switches with no firewalls protecting the SWIFT network in Bangladesh.

While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3Kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.

It's been said that your brain starts working the moment you wake, and doesn't stop until you get to work. Many incidents reported as "sophisticated" confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn't is the oldest hack in the book, but it's no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.

Part of my work involves maintaining the company spam honeypot network. By the time you've seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can't believe anyone would fall for them. But they do, especially spear phishing attacks. There's a ransomware epidemic, and it's making millions a day.

I'm left concluding that people don't approach their inboxes with a high enough degree of

cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it's you?

Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.

But users are not toddlers; they're responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally friends who come in with laptops every so often to check everything.

This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it's dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.

Tuesday, 27 September 2016

Went The Day Well?


In The Great Escape, a Gestapo officer wishes Gordon Jackson's character "good luck" in English as he attempts to board a bus.

In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word "lollapalooza" to spot Japanese spies amongst Pilipino allies.

Judges 12-6: "Then said they unto him, 'Say now Shibboleth' And he said Sibboleth, for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan".

These are all examples of shibboleths, named after the final example, in which a group of Gileadites identify an enemy Ephraimite from how he says a word.

Could subtle shibboleths also buy time until we can properly resolve the password reuse crisis? To answer that, we need a sprinkle of theory.

To log into a service, you must authenticate yourself by presenting certain bona fides. These fall into three broad categories:

  • Something you know
  • Something you have
  • Something you are
Passwords fall into the first category, as do your mother's maiden name, your first pet, and so on.

To shore up authentication, two factor authentication is becoming more popular, and usually involves a password backed by something you have, such as a mobile phone to receive a passcode. Something you have could also be a special device that generates a one-time code. Some banks insist on such devices being present when transferring money from accounts.

What about things you are? Biometrics are the best known examples, but gait recognition has also been examined as a method of identifying people. Early research focused on thwarting smartphone theft, but has since been used in other applications.

The trouble with all this is that everything beyond simple passwords make the user do something extra or use special hardware. Everyday users tend to resist being made to change their ways for someone else's convenience. There are also parts of the world where secondary authentication is impossible. Are we condemning those users to a second class, less secure internet. This is where shibboleths could help.

When your bank identifies rogue transactions, it's identifying shibboleths in normal spending patterns. If you've ever had a text asking you to confirm unusual payments after some toerag has cloned your card, you'll be thankful for this.

Think about this in terms of passwords. If a typical user types the same password for many years, he naturally falls into a predictable rhythm of key presses. If anyone else enters that password, the timing data will be different.

Encrypt the timing data before storing it, and it must be included in any password decryption effort. Remote brute force attacks would become impossibly difficult. Dumb phishing campaigns that don't collect timing data would also be rendered useless overnight, and God knows that'd be a good thing.

It's far from a perfect solution. You can probably think of a dozen difficulties (keyloggers, for example), but competent client-side shibboleth-spotting could at least buy the world time while someone clever creates a solution to password reuse that doesn't divide the internet into secure haves and insecure have-nots.

Tuesday, 20 September 2016

The Great Anti-Virus Conspiracy

One problem with the internet is that anyone can set themselves up as an expert. There's money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.

Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations. 

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view was incorrect. This raised the author's suspicions. Did anyone else have any information?

The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don't trust what they don't understand, and they don't understand computers or AV. 

It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.

That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It's something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier

As usual, the comment section of the Daily Mail's report was far more revealing than the article:

And so on. Perhaps what's most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There's even a certain pride to some of them.

The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn't helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:
"There were at the time thousands of computer viruses," he said. "We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone's mind."
Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what's the point in all that effort being expended for zero gain? 

So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.

When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it's the public's comments that are really interesting. 

So, we're at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn't the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias. 

If the public won't listen to the government, who will it listen to? Who is it listening to?
Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by "some old OSS guy". This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It's a feature of the threads I referenced above.

That being the case, maybe it's down to us, as infosec professionals, to be those sources in future. Maybe it's down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.

But then again, I would say that wouldn't I. ;)

Thursday, 15 September 2016

All Your File...

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious "upgrade" to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, "All your file are belong to us".

By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in.

It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.

But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.

It is, however, very simple for you as an end user to stop JavaScript email attachments from automatically being accidentally run. Simply open notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select "Open With…". As you can see from the image below, by default Windows will open all such files with Windows Based Script Host, which is what we need to prevent.

To do so, first click "More Apps" and select Notepad from the list. Tick the check box for "Always use this app to open .js files" and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.

You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.

For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.

Friday, 9 September 2016

Ransomware: Don't Die of Ignorance

According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It's that obvious. The solution is to stop users clicking dodgy attachments, but how?

For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government's response was a huge public awareness campaign. Everyone who was around at the time remembers "AIDS: Don't Die of Ignorance". There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.

Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware, with 9% being left completely unable to function after the attack. Only 40% of those affected didn't pay the ransom, meaning that a whopping 60% had no choice but to cough up.

Email filtering services and next generation endpoint protection is out of the financial grasp of many SMBs, and it's the work of a few clock cycles to add some random junk to a payload to defeat traditional AV. Ransomware is getting through, and users are detonating it. There should be no doubt in anyone's mind that we're in the midst of a major and deepening crisis.

If this is blindingly obvious to the cybersecurity industry and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it's the end user putting themselves and the companies they work for at risk.

Ransomware awareness campaigns are happening, but they can be limited in scope, targeted at individual sectors, and at C-level executives rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.

If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.

Friday, 5 August 2016

Anti-malware vs. ransomware: latest reports

Ransomware is a nasty category of attack that we’ve seen dominating the so-called 'threat landscape' in recent months. It can affect every type of computer user including home users, small businesses and even extremely large enterprises. Anyone who stores valuable data on a computer is at risk of this digital extortion racket, which encrypts data files and offers the key to recovery for a hefty price.

Over the last three months we have been monitoring the threats that affect real users and businesses. We've used many of these attacks to test systems protected by a range of different security products, including some very well-known anti-malware programs.

Because we're seeing a lot of ransomware on the internet, and because we believe that testing security products should revolve around the significant threats out there (rather than the very obscure, rare ones), there was a large amount of ransomware used in the test. We are proud to present the results of that work in these reports.

Read about how the leading anti-malware products handle today's threats.
(To access the business reports you need a free account. Register now.)

Large businesses/ enterprises


Small to medium businesses


Home users/ consumers


Monday, 1 August 2016

Defeat ransomware with free backups

Ransomware is a serious problem but protecting your data can be simple and inexpensive - if you choose your cloud storage provider carefully...

I know, I know. You were tired at the time and not really concentrating. You double-clicked an infected attachment and the world suddenly became a very hostile place.

Your files might as well be in Swahili. A ransom note, with a grasp of English you'd normally find endearing, is mocking you for your bad luck. If you don't figure out what a Bitcoin is, and how to send one to a person whom you'd very much like to die a slow and painful death, you'll lose everything forever. Or will you?

You could try to identify the exact strain of the exact family of infection, and see if a kindly anti-virus company or independent researcher has managed to figure out how to decrypt your precious files. If they haven't, what then?

By now, any computer expert worth their salt should be saying, "Wipe the machine and restore last night's backup." Of course, the backups! Cloud storage will save us! But there could be a problem…

If your cloud backup service re-uses space, and has over-written previous backups with the newly encrypted files (which, after all, look just like a bunch of freshly updated documents that need to be backed-up), then technically there is no backup. So, Bitcoins and a seedy alley on the dark web it is.

If you're busy, on the move, or have "non-technical" users to look after, you need backups that will both protect you from ransomware and take care of themselves. For safety from fire and theft, those backups also need to be stored off-site, which is why cloud backup services are ideal.

However, rather than continuously and efficiently updating a single archive, the ransomware threat means that you really need a service that keeps previous versions of everything.

There are many online backup services that offer file versioning, and to the best of my knowledge, the following all provide it on their free plans.
  • Blaucloud includes a versioning app that will keep old versions of files until you run out of space.
  • CrashPlan allows you to set backup frequency and versioning frequency.
  • Cubby contains versioning as standard in the free plan.
  • Dropbox has unlimited versioning as standard.
  • ElephantDrive provides unlimited versioning on its free Lite plan.
  • Google Drive keeps up to 100 versions per file, stored for up to 30 days.
  • iDrive stores up to 30 versions.
  • Mozy stores old versions for up to 30 days
  • pCloud stores old versions and deleted files can be restored.
  • PowerFolder stores the last versions of files.
Ransomware is a 21st century plague, fuelled by greed. How you respond to it is paramount, because not paying the ransom is possibly the only way that will cause it to fall from favour with criminals. Versioning online backups are one way of helping that happy day come sooner.

Author: Jon Thompson (Email: jon@selabs.uk; Twitter: @jon_thompson_uk)