Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 14 October 2016

Interview With The Bank Manager

Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.

SE: First of all, what's the scale of the online fraud problem from the bank's perspective?

I won’t lie. It's massive. We're always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does. Well, no one legitimate anyway.

SE: If you're scammed can you get your money back?

It all depends. The basic thing is if it's not a transaction you've made, it's fraud and we can help. If it's something you've done yourself that's it, the money's gone. Where it gets tricky is when you think you're signing up to a one-off payment but the small print says it's every month and you don't realise. It might be cleverly worded, but it's up to you to read what it is you're buying. If there's any doubt, don't do it or bring it in for us to check.

SE: How do you protect people's money in general? 

The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they're legitimate. Tell us you're going to France for the week and we'll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It's just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It's a pain for them, but if you tell us what you're doing it's usually fine.

SE: We see a lot of "Make $2000 a month from home"-style spam. What's the scam there?

It's usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It's an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you're being used. Basically, if you're caught acting as a money mule, then you're as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people's accounts. Again, it's one of the things the system looks for that's out of the ordinary.

SE: Can the banks stop people being duped into sending money to scammers abroad?

You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it's their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it's a large amount, we'll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they're doing and where they're sending it. We have had cases where people have lost considerable amounts because they're convinced it's real.

SE: What's the most outrageous thing you've seen?

I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That's all it was. But it prevented the card from being returned, so people walk off thinking the machine's swallowed it. You pull on the wire and the card pops out. It's called a Lebanese Loop.  Simple and easy. Once you've got the card you've got the expiry date and the CVV number on the back and you can go shopping.

SE: What's your personal message to customers?

Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it's still a scam. These people aren't stupid. No one wants to give you free money. You haven't won a foreign lottery, either. There's no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it's very profitable for them. Start with the idea that everything's a scam, ask us to confirm anything you get that you don't understand and you'll be alright.

SE: What other guidance is there for people?

There's lots about but it's a bit scattered. Barclays did a good TV advert about phone scams. We've published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That's the best thing.

Tuesday, 4 October 2016

A Modest Proposal

IoT security is a mess, but who's to blame?

The internet of things is quickly becoming every cybercriminal's wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?

Last year, Symantec released a damning report revealing security flaws in common IoT devices. Some, like not using SSL to communicate and not signing updates, are shot through with incompetence and hubris. The report also described basic flaws in some IoT web portals. It's uneasy reading unless you're building a botnet, in which case it's pure gold.

Many IoT devices call home for instructions and updates but don't bother with chains of trust. Using ARP cache poisoning, an army of devices is yours to update with new firmware, and to then command.

So, how big is the coming IoT cyber-storm? According to Gartner, by 2020 there will be a staggering 13 billion IoT consumer items online. Driving this growth is a gold rush that will be worth $263bn to manufacturers by the end of the decade.

To put this into context, the recent 1Tb/s DDoS against French hosting provider OVH involved just 152,000 hacked devices. To borrow from Al Jolson, we ain't seen nothin' yet. 

We could simply build stronger defences, such as Google's Project Shield, but this does nothing to address the underlying problem: insecure products.

Cybersecurity professionals increasingly spend excessive time and energy defending against those products. And apart from bad publicity, there seems to be little consequence for manufacturers.

Ah, but surely responsible IoT companies provide updates as they become available? Well, yes. Up to a point.

Do your parents have any idea how to locate and install a firmware update from a support site? Mine neither. Why should they? They bought white goods, not a system administration course. By now, all IoT updates should just happen automatically, using a chain of trust that begins with code locked securely into the CPU and ends via client and server identity verification with cryptographically signed firmware images.

Online safety is at the heart of the problem. Consumers have a right to safe goods. IoT manufacturers have a responsibility to prevent their products harming others online. Do baby monitors that can be accessed by anyone sound safe to you?

The lamps in your lounge won't randomly explode and set the curtains on fire. They meet legally enforceable standards. But a smart lightbulb can be hacked. We live in a changed world, and mere lightbulbs serving ransomware are becoming a possibility.

It's not as if good IoT security is difficult to implement. Because of this, there's an obvious and urgent need to enforce legal cyber-safety standards against manufacturers. One potential and very detailed testing methodology comes from the OWASP Internet of Things Project.

My modest proposal is that IoT manufacturers be made to implement strong security in their products in order to offer them for sale. For this, we need independent testing bodies. Those products that fail would be denied a safety certificate, just like any other consumer item. Foreign imports would be subject to trading standards examination, with sellers facing prosecution for selling insecure goods just as they do for selling fakes.

Maybe then, as older devices fail and are replaced, the IoT will slowly revert to the consumer paradise it was meant to be.

Friday, 30 September 2016

A Very Sophisticated Hack...

If you search for the phrase "very sophisticated hack" and do a little digging, you'll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.

Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals everything from SQL injections (I'm looking at you, TalkTalk) to second-hand switches with no firewalls protecting the SWIFT network in Bangladesh.

While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.

It's been said that your brain starts working the moment you wake, and doesn't stop until you get to work. Many incidents reported as "sophisticated" confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn't is the oldest hack in the book, but it's no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.

Part of my work involves maintaining the company spam honeypot network. By the time you've seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can't believe anyone would fall for them. But they do, especially spear phishing attacks. There's a ransomware epidemic, and it's making millions a day.

I'm left concluding that people don't approach their inboxes with a high enough degree of cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it's you?

Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.

But users are not toddlers; they're responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally dull friends who come in with laptops every so often to check everything.

This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it's dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.

Tuesday, 27 September 2016

Went The Day Well?


In The Great Escape, a Gestapo officer wishes Gordon Jackson's character "good luck" in English as he attempts to board a bus.

In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word "lollapalooza" to spot Japanese spies amongst Pilipino allies.

Judges 12:6: "Then said they unto him, 'Say now Shibboleth' And he said Sibboleth, for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan".

These are all examples of shibboleths, named after the final example, in which a group of Gileadites identify an enemy Ephraimite from how he says a word.

Could subtle shibboleths also buy time until we can properly resolve the password reuse crisis? To answer that, we need a sprinkle of theory.

To log into a service, you must authenticate yourself by presenting certain bona fides. These fall into three broad categories:

  • Something you know
  • Something you have
  • Something you are

Passwords fall into the first category, as do your mother's maiden name, your first pet, and so on.

To shore up authentication, two factor authentication is becoming more popular, and usually involves a password backed by something you have, such as a mobile phone to receive a passcode. Something you have could also be a special device that generates a one-time code. Some banks insist on such devices being present when transferring money from accounts.

What about things you are? Biometrics are the best known examples, but gait recognition has also been examined as a method of identifying people. Early research focused on thwarting smartphone theft, but has since been used in other applications.

The trouble with all this is that everything beyond simple passwords makes the user do something extra or use special hardware. Everyday users tend to resist being made to change their ways for someone else's convenience. There are also parts of the world where secondary authentication is impossible. Are we condemning those users to a second class, less secure internet? This is where shibboleths could help.

When your bank identifies rogue transactions, it's identifying shibboleths in normal spending patterns. If you've ever had a text asking you to confirm unusual payments after some toerag has cloned your card, you'll be thankful for this.

Think about this in terms of passwords. If a typical user types the same password for many years, he naturally falls into a predictable rhythm of key presses. If anyone else enters that password, the timing data will be different.

Encrypt the timing data before storing it, and it must be included in any password decryption effort. Remote brute force attacks would become impossibly difficult. Dumb phishing campaigns that don't collect timing data would also be rendered useless overnight, and God knows that'd be a good thing.

It's far from a perfect solution. You can probably think of a dozen difficulties (keyloggers, for example), but competent client-side shibboleth-spotting could at least buy the world time while someone clever creates a solution to password reuse that doesn't divide the internet into secure haves and insecure have-nots.
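The timing comparison described above, as an added example that is not from the original post: it enrols a profile from several entries of one password and scores later attempts by scaled Manhattan distance. The threshold, the deviation floor and every timing value are constructed assumptions, and storing the profile is not shown.

```python
"""Keystroke-timing check for a typed password (added illustration)."""
from statistics import mean

THRESHOLD = 3.0   # assumed cut-off; a real system would tune this per user
MIN_DEV_MS = 5.0  # assumed floor so a very consistent typist never divides by ~0


def make_sample(holds, flights):
    """Constructed test data: build (press_ms, release_ms) pairs from hold
    times and the gaps (flights) between one release and the next press."""
    events, t = [], 0
    for i, hold in enumerate(holds):
        events.append((t, t + hold))
        t += hold + (flights[i] if i < len(flights) else 0)
    return events


def features(events):
    """Timing vector: hold time per key, then flight time per key pair."""
    holds = [release - press for press, release in events]
    flights = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return holds + flights


def enrol(samples):
    """Profile = per-feature mean and mean absolute deviation, learned from
    several entries of the same password by the genuine user."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all samples must be entries of the same password")
    columns = list(zip(*vectors))
    means = [mean(col) for col in columns]
    devs = [max(mean(abs(x - m) for x in col), MIN_DEV_MS)
            for col, m in zip(columns, means)]
    return means, devs


def score(profile, events):
    """Scaled Manhattan distance per feature; lower is closer to the owner."""
    means, devs = profile
    vec = features(events)
    if len(vec) != len(means):
        return float("inf")  # wrong number of keystrokes for this password
    return sum(abs(x - m) / d for x, m, d in zip(vec, means, devs)) / len(vec)


def accept(profile, events):
    """True when the attempt's rhythm is close enough to the enrolled one."""
    return score(profile, events) <= THRESHOLD


# Constructed timings in milliseconds for a five-character password.
OWNER_SAMPLES = [
    make_sample([95, 80, 110, 70, 90], [40, 120, 35, 60]),
    make_sample([100, 85, 105, 75, 95], [45, 110, 30, 65]),
    make_sample([90, 78, 115, 72, 88], [38, 125, 40, 55]),
]
OWNER_LOGIN = make_sample([97, 82, 108, 74, 92], [42, 115, 33, 62])
# Correct password typed by someone unfamiliar with it.
STRANGER_LOGIN = make_sample([140, 130, 150, 120, 135], [200, 260, 180, 220])
# Correct password submitted with no human rhythm at all.
SCRIPTED_LOGIN = make_sample([1, 1, 1, 1, 1], [1, 1, 1, 1])

if __name__ == "__main__":
    profile = enrol(OWNER_SAMPLES)
    for label, attempt in (("owner", OWNER_LOGIN),
                           ("stranger", STRANGER_LOGIN),
                           ("scripted", SCRIPTED_LOGIN)):
        print(f"{label:9s} score={score(profile, attempt):6.2f} "
              f"accepted={accept(profile, attempt)}")
```
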

Tuesday, 20 September 2016

The Great Anti-Virus Conspiracy

One problem with the internet is that anyone can set themselves up as an expert. There's money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.

Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations. 

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view was incorrect. This raised the author's suspicions. Did anyone else have any information?

The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don't trust what they don't understand, and they don't understand computers or AV. 

It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.

That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It's something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier.

As usual, the comment section of the Daily Mail's report was far more revealing than the article:

And so on. Perhaps what's most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There's even a certain pride to some of them.

The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn't helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:

"There were at the time thousands of computer viruses," he said. "We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there at the time, that thought never crossed anyone's mind."

Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what's the point in all that effort being expended for zero gain?

So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.

When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it's the public's comments that are really interesting. 

So, we're at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn't the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias. 

If the public won't listen to the government, who will it listen to? Who is it listening to?

Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by "some old OSS guy". This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It's a feature of the threads I referenced above.

That being the case, maybe it's down to us, as infosec professionals, to be those sources in future. Maybe it's down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.

But then again, I would say that, wouldn't I? ;)

Thursday, 15 September 2016

All Your File...

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious "upgrade" to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, "All your file are belong to us".

By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in.

It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.

But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.

It is, however, very simple for you as an end user to stop JavaScript email attachments from being run by accident. Simply open Notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select "Open With…". By default, Windows will open all such files with Windows Based Script Host, which is what we need to prevent.

To do so, first click "More Apps" and select Notepad from the list. Tick the check box for "Always use this app to open .js files" and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.
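An added example (not from the original post) of catching these attachments before a user ever double clicks them: it flags files whose final extension Windows hands to the script host and marks those hiding behind a benign-looking second extension. The extension lists beyond .js and the sample message are assumptions constructed for the example.

```python
"""Flag e-mail attachments that Windows would pass to Windows Script Host."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions tied to Windows Script Host on a default install. The post
# discusses .js only; the rest are added here to generalise the check.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Assumed list of harmless-looking extensions used as the decoy half of a
# double extension such as "invoice.pdf.js".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                    ".jpg", ".png", ".txt"}


def classify(filename):
    """Return 'disguised-script', 'script' or None for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    cleaned = filename.strip().rstrip(". ").lower()
    # Padding spaces before the real extension are a common way to push it
    # out of view, so trim each suffix as well.
    suffixes = [s.strip() for s in PurePosixPath(cleaned).suffixes]
    if not suffixes or suffixes[-1] not in WSH_EXTENSIONS:
        return None
    if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTENSIONS:
        return "disguised-script"
    return "script"


def screen_message(raw_bytes):
    """Return (filename, verdict) for every risky attachment in a message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also reaches nested multipart sections
        name = part.get_filename()
        if not name:
            continue
        verdict = classify(name)
        if verdict:
            findings.append((name, verdict))
    return findings


def build_sample():
    """Constructed message with harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your refund"
    msg.set_content("Please see the attached document.")
    for name in ("refund_details.pdf.js", "notes.txt", "report.js", "photo.jpg"):
        msg.add_attachment(b"placeholder content\n", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in screen_message(build_sample()):
        print(f"{verdict:17s} {name}")
```
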

You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.

For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.

Friday, 9 September 2016

Ransomware: Don't Die of Ignorance

According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It's that obvious. The solution is to stop users clicking dodgy attachments, but how?

For the seeds of a possible answer, cast your mind back to the mid-1980s. As the AIDS epidemic hit the UK, the government's response was a huge public awareness campaign. Everyone who was around at the time remembers "AIDS: Don't Die of Ignorance". There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.

Back to 2016, and according to Get Safe Online, in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware, with 9% being left completely unable to function after the attack. Only 40% of those affected didn't pay the ransom, meaning that a whopping 60% had no choice but to cough up.

Email filtering services and next generation endpoint protection are out of the financial grasp of many SMBs, and it's the work of a few clock cycles to add some random junk to a payload to defeat traditional AV. Ransomware is getting through, and users are detonating it. There should be no doubt in anyone's mind that we're in the midst of a major and deepening crisis.

If this is blindingly obvious to the cybersecurity industry and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV adverts and the leaflet campaigns aimed at the end user? After all, it's the end user putting themselves and the companies they work for at risk.

Ransomware awareness campaigns are happening, but they can be limited in scope, targeted at individual sectors, and at C-level executives rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.

If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.