Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Monday, 28 November 2016

What is Machine Learning?

What is machine learning, and how do we know it works?

What's the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy but digital computers find hard, such as driving cars, playing chess or recognising sarcasm. Machine learning is a subset of AI dedicated to developing techniques for making machines learn to solve these and other "human" problems without the insanely complex task of explicitly programming them.

A machine is said to learn if, with increasing experience, it gets better at solving a problem. Let's take identifying malware as an example. This is known as a classification problem. Let's also call into existence a theoretical machine learning program called Mavis. Consistent malware classification is difficult for Mavis because it is deliberately evasive and subtle.

For it to successfully classify malware, we need to show Mavis a huge number of files that are known to be malicious. Once Mavis has digested several million examples, it should be an expert in what makes a file "smell" like malware.

The spectrum of ways in which Mavis might be programmed to learn this task is very wide indeed, and filled with head-spinning concepts and algorithms. Suitable approaches all have advantages and disadvantages. All that counts, however, it's whether Mavis can spot and stop previously unknown malware even when the "smell" is very faint or deliberately disguised to confuse it into an unfortunate misclassification.

A major problem for developers lies in proving that their implementation of Mavis intelligently detects unknown malware. How much training is enough? What happens when their Mavis encounters a completely new threat that smells clean? Do we need a second, signature-based system until we're 100% certain it's getting it right every time? Some vendors prefer a layered approach, while others go all in with their version of Mavis.

Every next generation security product vendor using machine learning says their approach is the best, which is entirely understandable. Like traditional AV products, however, the proof is in the testing. To gain trust in their AI-based products, vendors need to hand them over to independent labs for a thorough, painstaking work out. It's the best way for the public, private enterprises, and governments to be sure that Mavis in her many guises will protect them without faltering.

Friday, 18 November 2016

Recovering From Password Fatigue

How do we solve the need for lots of strong passwords?

Mention password strength online and someone will usually reference the famous XKCD password cartoon. If you haven't seen it, the idea is that the entropy of the password must be as high as possible, and that this can be adequately achieved by stapling together easily-remembered conjunctions of words
rather than difficult-to-remember strings of meaningless symbols. Some commentators have since pointed out flaws in the logic behind that cartoon.

Entropy is a head-twisting concept. Put simply, it is a measure of the chaos, disorder or unpredictability something contains. In information theory, entropy can be calculated and boils down to how many unknowns there are in a piece of data.

Consider a game of hangman. At the beginning of the game, none of the letters are known. Because there are many different possibilities, we can say that the unknown word contains high entropy. As you reveal each letter, the entropy quickly drops because of the way the English language works. Q is usually followed by U, for example, and not P or S or J. After revealing surprisingly few letters, we can usually infer the full word and win the game.

Passwords need high entropy. There should be no relationship between letters, so that if one character becomes known, it does not compromise the rest. If someone shoulder surfs you and spots you typing something like "M4nch3st" and they know you're a Manchester City or United fan from glancing at your coffee mug, then your carefully placed capital and number substitutions are all for naught.

Many people still think that strong passwords are required to protect from brute force attacks, but this is largely false. When cybercriminals want passwords, they either take them by the million using attacks such as SQL injections, or have people hand them over in phishing attacks. Because of this, we need lots of passwords to compartmentalise our lives into discrete blocks. Compromise one account and the others stay secure. Re-use them across accounts, and one key fits many locks.

There are lots of strategies for generating and remembering high entropy passwords. One successful technique is as follows:

1: Take a long line from a favourite book, play, song, nursery rhyme, whatever.
2: Take the initial letters from the words in the line and put them together.
3: Change vowels into numbers and other symbols, capitalise others.

Et voila! A long, high entropy password you cannot forget. Here's an example based on an episode of a sitcom that came to mind just now quite by chance:

In the Fawlty Towers episode The Germans, the Major says something like: "I must have been keen on her; I took her to see India!"

The 13 initials in this phrase are: imhbkohithtsi

Changing some letters to symbols and capitalising others gives: !mHbK0H1ThTsI

The online password strength meters I tried claim this password is strong or even very strong. Someone would have to know you were keen on that episode of that sitcom, guess the exact line from it, and guess exactly how you'd mangled the initials to stand a chance of recovering the generated password.

Now do that for the dozens of sites you need to log into, even those sites you intend to use very little but for which you must still set up an account. Ideally, each password must be different and unrelated. It's just not practical, is it? In fact, that sinking feeling you're probably experiencing has a name: password fatigue.

We could just store all our passwords in our browsers and create a master password to protect them. But what if we want to log in from another laptop, tablet or phone? This problem has led to the rise of the password manager.

A good password manger needs to securely store all your passwords, and to sync across all your devices. It should automatically capture the passwords you enter as it goes, and should contain some nice-to-have features. For example, the option to generate random, very high entropy passwords would be good. Intelligent form filling would also be useful.

There are other potential advantages to password managers. Because they recognise the sites you visit, if you get taken in by a phishing email and click on a link to enter your password, the manager will not recognise it, and should fail to cough up the creds. If you've allowed the manager to generate random passwords that you never see, there's no danger of you overriding it either.

I'm not going to recommend a single password manager, but you should check them out sooner rather than later. Instead I will point you to a comparison chart for you to make your own decision.

There are pros and cons to using password managers, however. Some people, like our own Simon Edwards, have argued that caution is needed. Last year, for example, cloud-based password manager LastPass was hacked and user data spilled (including security questions and encrypted passwords). Malware has also targeted local password managers such as KeepPass that do not use a cloud service.

Because of these weaknesses and attacks, passwords and password managers may not be enough. A good password manager also needs to feature 2-factor authentication. Biometric authentication would be even better as this is substantially harder to subvert.

Friday, 11 November 2016

Trump's Cybersecurity Policy

What does a Trump presidency mean for global cybersecurity?

Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he'll listen to those who do.

Some pundits are already suggesting that his first 100 days in office will include a cyber emergency.

How he responds is crucial, but his comments so far have instilled little confidence.
"Cyber is becoming so big today, it's becoming something that a number of years ago, a short number of years ago wasn't even a word."
"We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable."
To be fair, Trump's campaign site does say that he'll order a review of "all U.S. cyber defences and vulnerabilities" by a specially assembled Cyber Review Team formed from "the military, law enforcement and the private sector".

But Washington needs to know if he will implement or even believe the Cyber Review Team's recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:
"I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?"
According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:
"I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive."
Trump's policy also places an onus on deterring attacks by state and non-state actors, and he has a has a particular thing about China's hackers. He seems openly irritated by the country's refusal to observe intellectual property law. His plan here is to:
"Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal."
By this logic, it's apparently difficult to attribute an attack when it's Russia, but not when it's China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history.

Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who's boss. How will he pick the right target if he doesn't listen to his advisors? China's a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.

Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America's capabilities or, even worse, her vulnerabilities?

Trump's view that "torture works" could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture.

A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK's intelligence community.

Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?

Ultimately, Trump is going to have to stop threatening and promising things he can't deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone's guess, but it's not hyperbole to suggest that a huge amount depends on it.

Monday, 7 November 2016

How The Clinton Campaign Was Really Hacked

The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign's IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message's header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta's behalf. She also received the Manager's reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn't attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

Tuesday, 1 November 2016

Does your anti-malware stop hacking attacks?

An attack rarely ends when the malware runs. That's just the beginning...

Latest reports now online.

Testing security software is a challenging task and it's tempting to take clever shortcuts. However, while doing so might save the tester time and other resources, it doesn't always produce useful results. And if the results aren't accurate then the test becomes less valuable to you when you're choosing which product to use.

We are big supporters of the idea of full product testing. This means installing the security product the way it was intended to be used, on systems commonly used in the real world and ensuring that every component of that product has a chance to defend the system.

In practice this means that we installed the anti-malware products tested in this report on regular PCs that are connected to a simple network that has unfiltered internet access. We visit malicious websites directly, where possible, and use a special replay system when the bad guys start to interfere with our activities.

Since the beginning of this year we started including targeted attacks in our testing. These types of attacks try to compromise the target using infected documents and browser exploits. Once an exploit has succeeded we then continue ‘hacking' the target. This step is crucial because in many cases it is these post-exploitation hacking activities that can trigger an alert.

Full product testing doesn't just mean turning on (or leaving enabled) all of a product's features. It also means running a full attack as realistically as possible. Testers should not make assumptions about how a product works. You need to act like a real bad guy to understand how these products protect the system.

Our latest reports, for enterprises, small businesses and home users are now available for free from our website. Please download them and follow us on Twitter to receive updates and future reports.