Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Friday, 30 September 2016

A Very Sophisticated Hack...

If you search for the phrase "very sophisticated hack" and do a little digging, you'll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.

Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals SQL injections (I'm looking at you, TalkTalk) to second hand switches with no firewalls protecting the SWIFT network in Bangladesh.

While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3Kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.

It's been said that your brain starts working the moment you wake, and doesn't stop until you get to work. Many incidents reported as "sophisticated" confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn't is the oldest hack in the book, but it's no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.

Part of my work involves maintaining the company spam honeypot network. By the time you've seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can't believe anyone would fall for them. But they do, especially spear phishing attacks. There's a ransomware epidemic, and it's making millions a day.

I'm left concluding that people don't approach their inboxes with a high enough degree of

cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it's you?

Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.

But users are not toddlers; they're responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally friends who come in with laptops every so often to check everything.

This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it's dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.

Tuesday, 27 September 2016

Went The Day Well?


In The Great Escape, a Gestapo officer wishes Gordon Jackson's character "good luck" in English as he attempts to board a bus.

In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word "lollapalooza" to spot Japanese spies amongst Pilipino allies.

Judges 12-6: "Then said they unto him, 'Say now Shibboleth' And he said Sibboleth, for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan".

These are all examples of shibboleths, named after the final example, in which a group of Gileadites identify an enemy Ephraimite from how he says a word.

Could subtle shibboleths also buy time until we can properly resolve the password reuse crisis? To answer that, we need a sprinkle of theory.

To log into a service, you must authenticate yourself by presenting certain bona fides. These fall into three broad categories:

  • Something you know
  • Something you have
  • Something you are
Passwords fall into the first category, as do your mother's maiden name, your first pet, and so on.

To shore up authentication, two factor authentication is becoming more popular, and usually involves a password backed by something you have, such as a mobile phone to receive a passcode. Something you have could also be a special device that generates a one-time code. Some banks insist on such devices being present when transferring money from accounts.

What about things you are? Biometrics are the best known examples, but gait recognition has also been examined as a method of identifying people. Early research focused on thwarting smartphone theft, but has since been used in other applications.

The trouble with all this is that everything beyond simple passwords make the user do something extra or use special hardware. Everyday users tend to resist being made to change their ways for someone else's convenience. There are also parts of the world where secondary authentication is impossible. Are we condemning those users to a second class, less secure internet. This is where shibboleths could help.

When your bank identifies rogue transactions, it's identifying shibboleths in normal spending patterns. If you've ever had a text asking you to confirm unusual payments after some toerag has cloned your card, you'll be thankful for this.

Think about this in terms of passwords. If a typical user types the same password for many years, he naturally falls into a predictable rhythm of key presses. If anyone else enters that password, the timing data will be different.

Encrypt the timing data before storing it, and it must be included in any password decryption effort. Remote brute force attacks would become impossibly difficult. Dumb phishing campaigns that don't collect timing data would also be rendered useless overnight, and God knows that'd be a good thing.

It's far from a perfect solution. You can probably think of a dozen difficulties (keyloggers, for example), but competent client-side shibboleth-spotting could at least buy the world time while someone clever creates a solution to password reuse that doesn't divide the internet into secure haves and insecure have-nots.

Tuesday, 20 September 2016

The Great Anti-Virus Conspiracy

One problem with the internet is that anyone can set themselves up as an expert. There's money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.

Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations. 

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view was incorrect. This raised the author's suspicions. Did anyone else have any information?

The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don't trust what they don't understand, and they don't understand computers or AV. 

It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.

That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It's something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier

As usual, the comment section of the Daily Mail's report was far more revealing than the article:

And so on. Perhaps what's most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There's even a certain pride to some of them.

The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn't helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:
"There were at the time thousands of computer viruses," he said. "We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone's mind."
Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what's the point in all that effort being expended for zero gain? 

So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.

When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it's the public's comments that are really interesting. 

So, we're at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn't the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias. 

If the public won't listen to the government, who will it listen to? Who is it listening to?
Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by "some old OSS guy". This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It's a feature of the threads I referenced above.

That being the case, maybe it's down to us, as infosec professionals, to be those sources in future. Maybe it's down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.

But then again, I would say that wouldn't I. ;)

Thursday, 15 September 2016

All Your File...

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious "upgrade" to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, "All your file are belong to us".

By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in.

It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.

But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.

It is, however, very simple for you as an end user to stop JavaScript email attachments from automatically being accidentally run. Simply open notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select "Open With…". As you can see from the image below, by default Windows will open all such files with Windows Based Script Host, which is what we need to prevent.

To do so, first click "More Apps" and select Notepad from the list. Tick the check box for "Always use this app to open .js files" and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.

You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.

For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.

Friday, 9 September 2016

Ransomware: Don't Die of Ignorance

According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It's that obvious. The solution is to stop users clicking dodgy attachments, but how?

For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government's response was a huge public awareness campaign. Everyone who was around at the time remembers "AIDS: Don't Die of Ignorance". There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.

Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware, with 9% being left completely unable to function after the attack. Only 40% of those affected didn't pay the ransom, meaning that a whopping 60% had no choice but to cough up.

Email filtering services and next generation endpoint protection is out of the financial grasp of many SMBs, and it's the work of a few clock cycles to add some random junk to a payload to defeat traditional AV. Ransomware is getting through, and users are detonating it. There should be no doubt in anyone's mind that we're in the midst of a major and deepening crisis.

If this is blindingly obvious to the cybersecurity industry and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it's the end user putting themselves and the companies they work for at risk.

Ransomware awareness campaigns are happening, but they can be limited in scope, targeted at individual sectors, and at C-level executives rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.

If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.