SE Labs

Posts tagged 'ransomware'

Big Time Crooks

federal_bureau_of_investigation_seal-8620436
When an online scam becomes too successful, the results can be farcical.

In the movie Small Time Crooks, Woody Allen leads an inept gang of would-be robbers who rent a store next to a bank. They plan to tunnel into the vault. As a cover, Allen’s girlfriend (played by Tracey Ullman) sets up a cookie business in the store. Ullman’s business takes off, and to maintain the cover the gang must set up production facilities, hire staff, find distributors, and so on.

Why is this relevant? Well, rewind to 2002. The internet had already taken off in a big way and people were pouring online as new opportunities exploded into the public consciousness. Also exploding was cybercrime, as the internet presented a new breed of tech savvy crooks with their own set of opportunities. For one gang, an Allenesque adventure was about to begin.

Humble Beginnings
How many times have you browsed a web page that suddenly throws up an alarming warning that your computer is infected and the only thing that can save you is to immediately buy a special program or call a special number? If you’re up to date with system patches and use a reputable anti-virus solution, you’re rarely in danger from such sites these days.

It was not always so.

For millions of internet users back in the day, who were running without protection, the apparent authority of such “scareware” sites made them act. They downloaded free “anti-virus” software that infected them with real malware, they parted with real cash, and many also paid again to have their computers cleaned by professionals.

computer-health-alert-large-6338481Look through the history of scareware, and one company repeatedly appears: Innovative Marketing Inc (to give it the name used in US Federal Trade Commission paperwork but also known by a wide
range of other names). Innovative was registered in Belize in 2002. Despite the appearance of being a legitimate business, its initial products were dodgy: pirated music, porn and illicit Viagra, along with sales of “grey” versions of real anti-virus products.

After Symantec and McAfee both put pressure on the company to stop those software sales in 2003, Innovative tried to write its own. The resulting Computershield wasn’t effective as anti-virus protection, but the company sold it anyway as a defence against the MyDoom worm. Innovative aggressively marketed its new product, and according to press reports, it was soon raking in $1 million per month. As the threat from MyDoom receded, so too did profits.

The company initially turned to adware as a new revenue source. This enabled so-called “affiliates” to use malicious web sites to silently install the adware on vulnerable Windows computers. Getting victims to visit those sites was achieved by placing what looked like legitimate adverts on real sites. Click them, and you became infected. The affiliates then pocketed a fee of 10 cents per infection, but it’s through that Innovative made between $2 and $5 from sales of the advertised products.

Meanwhile, development of completely fake anti-virus software snowballed at the company’s Kiev office. A classic example is “XP Antivirus 2008”, though it also went by a large number of pseudonyms and evolved through many versions. A video of it trashing an XP machine can be found here. Its other major names include Winfixer, WinAntivirus, Drivecleaner, and SystemDoctor.

In many ways, Innovative’s scareware was, well, innovative. It disabled any legitimate protection and told you the machine was heavily infected, even going to the trouble of creating fake blue screens of death. At the time, some antivirus companies had trouble keeping up with the rate of development.

xp2bantivirus2b2008-7843602

Attempts to access Windows internet or security settings were blocked. The only way of “cleaning” the machine was to register the software and pay the fee. Millions of people did just that. The FTC estimates that between 2004 and 2008, the company and its subsidiaries raked in $163 million.

In 2008, a hacker with the handle NeoN found a database belonging to one of the developers, revealing that in a single week one affiliate made over $158,000 from infections.

The Problem of Success
Initially, Innovative used banks in Canada to process the credit card transactions of its victims, but problems quickly mounted as disgruntled cardholders began raising chargebacks. These are claims made to credit card companies about shoddy goods or services.

With Canadian banks beginning to refuse Innovative’s business, it created subsidiary companies to hide its true identity, and approached the Bank of Kuwait and Bahrain. Trouble followed, and in 2005 this bank also stopped handling Innovative’s business due to the high number of chargebacks. Eventually, the company found a Singaporean bank called DBS Bank to handle the mounting backlog of credit card transactions.

The only solution to the chargeback problem was to keep customers happy. So, in true Allenesque style, Innovative began to invest in call centres to help customers through their difficulties. It quickly opened facilities in Ukraine, India and the USA. Operatives would talk the customers through the steps needed for the software to miraculously declare their systems free of malware. It seems that enough customers were satisfied to allow the company to keep on raking in the cash.

But people did complain, not to the company but to the authorities. The FTC received over 3,000 complaints in all and launched an investigation. Marc D’Souza has been convicted of his role in the company and ordered to pay £8.2 million, along with his father who received some of the money. The case of Kristy Ross for her part in the scam is still going through the US courts, with lawyers arguing that she was merely an employee.

Several others, including Shaileshkumar “Sam” Jain and Bjorn Daniel Sundin, are still at large, and have had a $163 million judgement entered against them in their absence. Jain and Sundin remain on the FBI’s Most Wanted Cyber Criminal list with rewards for their arrests totalling $40,000.

shaileshkumar-p-jain-3887344 bjorn-daniel-sundin-8778038

An Evergreen Scam
Scareware is a business model that rewards creativity while skirting the bounds of legality. Unlike ransomware, where criminal gangs must cover their tracks with a web of bank accounts and Bitcoin wallets, scareware can operate quite openly from countries with under-developed law enforcement and rife corruption. However, the gap between scareware and ransomware is rapidly closing.

peteris-sahurovs-in-us-federal-court-for-cybercrime-5312054Take the case of Latvian hacker Peteris Sahurovs, AKA “Piotrek” AKA “Sagade”. He was arrested on an international arrest warrant in Latvia in 2011 for his part in a scareware scam, but he fled to Poland where he was subsequently detained in 2016.

He was extradited to the US and pled guilty in February this year to making $150,000 – $200,000.  US authorities claim the total made by Sahurovs’ gang was closer to $2 million. He’s due to be sentenced in June.

According to the Department of Justice, the Sahurovs gang set up a fake advertising agency that claimed to represent a US hotel chain. Once adverts were purchased on the Minneapolis Star Tribune’s website, they were quickly swapped out for ones that infected vulnerable visitors with their malware. This made computers freeze and produce pop-ups explaining that victims needed to purchase special antivirus software to restore proper functionality. This case is interesting as it shows a clear cross over from scareware to ransomware. All data on the machines was scrambled until the software was purchased.

The level of sophistication and ingenuity displayed by scareware gangs is increasing, as is their boldness. You have probably been called by someone from India claiming to be from Microsoft, expressing concern that your computer is badly infected and offering to fix it. Or they may have posed as someone from your phone company telling you that they need to take certain steps to restore your internet connection to full health. There are many variations on the theme. Generally, they want you to download software that confirms their diagnosis. Once done, you must pay them to fix the problem. This has led to a plethora of amusing examples of playing the attackers at their own game.

It’s easy to see the people who call you as victims of poverty with no choice but to scam, but string them along for a while and the insults soon fly. They know exactly what they’re doing, and from the background chatter on such calls, so do hundreds of others. Scareware in all its forms is a crime that continues to bring in a lot of money for its perpetrators and will remain a threat for years to come.

Predictably Evil

pmr-1176337

A common criticism of computer security products is that they can only protect against known threats. When new attacks are detected and analysed security companies produce updates based on this new knowledge. It’s a reactive approach that can provide attackers with a significant window of opportunity.

It’s why anti-virus has been declared dead on more than one occasion.

Latest report now online.

Security companies have, for some years, developed advanced detection systems, often labelled as using ‘AI’, ‘machine learning’ or some other technical-sounding term. The basic idea is that past threats are analysed in deep ways to identify what future threats might look like. Ideally the result will be a product that can detect potentially bad files or behaviour before the attack is successful.

(We wrote a basic primer to understanding machine learning a couple of years ago.)

So does this AI stuff really work? Is it possible to predict new types of evil software? Certainly investors in tech companies believe so, piling hundreds of millions of funding dollars into new start-ups in the cyber defence field.

We prefer lab work to Silicon Valley speculation, though, and built a test designed to challenge the often magical claims made by ‘next-gen’ anti-malware companies.

With support from Cylance, we took four of its AI models and exposed them to threats that were seen in well-publicised attacks (e.g. WannaCry; Petya) months and even years later than the training that created the models.

It’s the equivalent of sending an old product forward in time and seeing how well it works with future threats. To find out how the Cylance AI models fared, and to discover more about how we tested, please download our report for free from our website.

Follow us on Twitter and/ or Facebook to receive updates and future reports.

Brexit and Cybersecurity

Is the UK headed for a cybersecurity disaster?

istock-big-ben-parliament-standard-5154835

With Brexit looming and cybercrime booming, the UK can’t afford major IT disasters, but history says they’re inevitable.

The recent WannaCry ransomware tsunami was big news in the UK. However, it was incorrectly reported that the government had scrapped a deal with Microsoft to provide extended support for Windows XP that would have protected ageing NHS computers. The truth is far more mundane.

In 2014, the government signed a one-year deal with Microsoft to provide security updates to NHS Windows XP machines. This was supposed to force users to move to the latest version of Windows within 12 months, but with a “complete aversion to central command and control” within the NHS, and no spare cash for such an upgrade, the move was never completed.

This isn’t the first IT Whitehall IT disaster by a very long way.

During the 1990s, for example, it was realised that the IT systems underpinning the UK’s Magistrates’ Courts were inadequate. It was proposed that a new, unified system should replace them. In 1998, the Labour government signed a deal with ICL to develop Project Libra. Costing £146m, this would manage the courts and link to other official systems, such as the DVLA and prisons systems.

Described in 2003 as “One of the worst IT projects ever seen“, Project Libra’s costs nearly tripled to £390m, with ICL’s parent company, Fujitsu, twice threatening to pull out of the project.

This wasn’t Labour’s only IT project failure. In total, it’s reckoned that by the time the government fell in 2010, it had consumed around £26b of taxpayer’s money on failed, late and cancelled IT projects.

The coalition government that followed fared no better. £150m paid to Raytheon in compensation for cancelling the e-Borders project, £100m spent on a failed archiving system at the BBC, £56m spent on a Ministry of Justice system that was cancelled after someone realised there was already a system doing the same thing: these are just a few of the failed IT projects since Labour left office seven years ago.

The Gartner group has analysed why government IT projects fail, and discovered several main factors. Prominent amongst these is that politicians like to stamp their authority on the nation with grandiose schemes. Gartner says such large projects fail because of their scope. It also says failure lies in trying to re-implement complex, existing processes rather than seeking to simplify and improve on them by design. The problem is, with Brexit looming, large, complex systems designed to quickly replace existing systems are exactly what’s required.

ukba_and_police-7387838

A good example is the ageing HM Customs & Excise CHIEF system. Because goods currently enjoy freedom of movement within the EU, there are only around 60 million packages that need checking in through CHIEF each year. The current system is about 25 years old and just about copes. Leaving the EU will mean processing an estimated 390 million packages per year. However, the replacement system is already rated as “Amber/Red” by the government’s own Infrastructure and Projects Authority, meaning it is already at risk of failure before it’s even delivered.

Another key system for the UK is the EU’s Schengen Information System (SIS-II). This provides real time information about individuals of interest, such as those with European Arrest Warrants against them, terrorist suspects, returning foreign fighters, missing persons, drug traffickers, etc.

Access to SIS-II is limited to countries that abide by EU European Court of Justice rulings. Described by ex-Liberal Democrat leader Nick Clegg as a “fantastically useful weapon” against terrorism, after Brexit, access to SIS-II may be withdrawn.

Late last year, a Commons Select Committee published a report identifying the risks to policing if the UK loses access to SIS-II and related EU systems. The report claimed that then-Home Secretary Theresa May had said that such systems were vital to, “stop foreign criminals from coming to Britain, deal with European fighters coming back from Syria, stop British criminals evading justice abroad, prevent foreign criminals evading justice by hiding here, and get foreign criminals out of our prisons.

The UK will either somehow have to re-negotiate access to these systems, or somehow quickly and securely duplicate them and their content on UK soil. To do so, we will have to navigate the EU’s labyrinthine data protection laws and sharing agreements to access relevant data.

If the UK government can find a way to prevent these and other IT projects running into problems during development, there’s still the problem of cybercrime and cyberwarfare. Luckily, there’s a strategy covering this.

In November 2016, the government launched its National Cyber Security Strategy. Tucked in amongst areas covering online business and national defence, section 5.3 covers protecting government systems. This acknowledges that government networks are complex, and contain systems that are badly in need of modernisation. It asserts that in future there will be, “no unmanaged risks from legacy systems and unsupported software”.

The recent NHS WannaCry crisis was probably caused by someone unknowingly detonating an infected email attachment. The Strategy recognises that most attacks have a human element. It says the government will “ensure that everyone who works in government has a sound awareness of cyber risk”. Specifically, the Strategy says that health and care systems pose unique threats to national security due to the sector employing 1.6 million people in 40,000 organisations.

The problem is, the current Prime Minister called a snap General Election in May, potentially throwing the future of the Strategy into doubt. If the Conservatives maintain power, there’s likely to be a cabinet reshuffle, with an attendant shift in priorities and funding.

european-union-flag-std_1-9767927

If Labour gains power, things are even less clear. Its manifesto makes little mention of cyber security, but says it will order a complete strategic defence and security review “including cyber warfare”, which will take time to formulate and agree with stakeholders. It also says Labour will introduce a cyber charter for companies working with the Ministry of Defence.

Regardless of who takes power in the UK this month, time is running out. The pressure to deliver large and complex systems to cover the shortfall left by Brexit will be immense. Such systems need to be delivered on time, within budget and above all they must be secure – both from internal and external threats.

Testing anti-malware’s protection layers

layers-3683923

Our first set of anti-malware test results for 2017 are now available.

Endpoint security is an important component of computer security, whether you are a home user, a small business or running a massive company. But it’s just one layer.

Latest reports now online

Using multiple layers of security, including a firewall, anti-exploit technologies built into the operating system and virtual private networks (VPNs) when using third-party WiFi is very important too.

What many people don’t realise is that anti-malware software often actually contains its own different layers of protection. Threats can come at you from many different angles, which is why security vendors try to block and stop them using a whole chain of approaches.

A fun video we created to show how anti-malware tries to stop threats in different ways

How layered protection works

For example, let’s consider a malicious website that will infect victims automatically when they visit the site. Such ‘drive-by’ threats are common and make up about one third of this test’s set of attacks. You visit the site with your web browser and it exploits some vulnerable software on your computer, before installing malware – possibly ransomware, a type of malware that also features prominently in this test.

browser-8901457

Here’s how the layers of endpoint security can work. The URL (web link) filter might block you from visiting the dangerous website. If that works you are safe and nothing else need be done.

But let’s say this layer of security crumbles, and the system is exposed to the exploit.

toaster-9827773Maybe the product’s anti-exploit technology prevents the exploit from running or, at least, running fully? If so, great. If not, the threat will likely download the ransomware and try to run it.

At this stage file signatures may come into play. Additionally, the malware’s behaviour can be analysed. Maybe it is tested in a virtual sandbox first. Different vendors use different approaches.

Ultimately the threat has to move down through a series of layers of protection in all but the most basic of ‘anti-virus’ products.

The way we test endpoint security is realistic and allows all layers of its protection to be tested.

Our latest reports, for enterprisesmall business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Back from the Dead

email-1932571Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me “J” as he didn’t have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I’ll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It’s surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we’ve been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why.

ransomware-8145580The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It’s becoming the cliché in the room, but there may be a reason: embarrassment.

Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see, all of which immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing

tesco-6478043

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies

generic-1081819

Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text

paypal2-9354648

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.

8.    The Third Person

This is a great example of a spam writer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?

9.    Finger Trouble

apple2bicloud2b2-6952704

I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.

10.    Unexpected Plurals and Tenses

Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile.

11.    Missing Definite Article

Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis

paypal-1531640

Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.

14.    Tautological Terrors

cps-7972121

“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.

15.    Grandiosity

splayer-6973270

Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway.  Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.

What they really meant was: “To mark the release of our new software”.  The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash.

17.    Obfuscated URLs

If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.

Predictions for 2017

golden-2017-new-year-text-with-glowing-glitter-effect-and-fireworksStill dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.

Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it’s time to gaze into the abyss and despair…

Let’s get the obvious stuff out of the way first. Mega credential breaches won’t go away. With so many acres of forgotten code handling access to back end databases, it’s inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it’s cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative

campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we’ve already seen evidence of this.

It’s also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November’s test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  btc-mono-ring-orange-6370546recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It’s happened before, most noticeably at the end of 2013. There’s also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It’s highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of “the cyber”. We’ve already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are “repetitive”, and prefers to ask people around him what’s going on because “You know, I’m, like, a smart person.

Trump’s insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there’s Trump’s pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

donald-trump-spars-with-univision-journalist-jorge-ramos-6442066

It’s not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There’s also a huge hole in “fake news” just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there’s scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it’s business as usual.

Happy 2017!

What is Machine Learning?

machine_learning-1991327… and how do we know it works?

What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy but digital computers find hard, such as driving cars, playing chess or recognising sarcasm. Machine learning is a subset of AI dedicated to developing techniques for making machines learn to solve these and other “human” problems without the insanely complex task of explicitly programming them.

A machine is said to learn if, with increasing experience, it gets better at solving a problem. Let’s take identifying malware as an example. This is known as a classification problem. Let’s also call into existence a theoretical machine learning program called Mavis. Consistent malware classification is difficult for Mavis because it is deliberately evasive and subtle.

silicon2bbrain-1881268For it to successfully classify malware, we need to show Mavis a huge number of files that are known to be malicious. Once Mavis has digested several million examples, it should be an expert in what makes a file “smell” like malware.

The spectrum of ways in which Mavis might be programmed to learn this task is very wide indeed, and filled with head-spinning concepts and algorithms. Suitable approaches all have advantages and disadvantages. All that counts, however, it’s whether Mavis can spot and stop previously unknown malware even when the “smell” is very faint or deliberately disguised to confuse it into an unfortunate misclassification.

A major problem for developers lies in proving that their implementation of Mavis intelligently detects unknown malware. How much training is enough? What happens when their Mavis encounters a completely new threat that smells clean? Do we need a second, signature-based system until we’re 100% certain it’s getting it right every time? Some vendors prefer a layered approach, while others go all in with their version of Mavis.

Every next generation security product vendor using machine learning says their approach is the best, which is entirely understandable. Like traditional AV products, however, the proof is in the testing. To gain trust in their AI-based products, vendors need to hand them over to independent labs for a thorough, painstaking work out. It’s the best way for the public, private enterprises, and governments to be sure that Mavis in her many guises will protect them without faltering.

Monitor Unknown Connections with Currports

currports2b-2bprocess2bdetail-7373569
Uncover dodgy connections and malicious activity with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn’t a massive firehose of events that needs taming to be of any use.

You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere including the desktop. It will create a configuration file called cports.cfg in whichever folder you run it from (including the desktop).

Setting Up
Run Currports and expand the display. By default, the listing is unsorted and doesn’t automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.

Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.

If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.

If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling “Process Created On” to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don’t require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.

There’s another useful column way over to the right of the display. It’s the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn’t display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same directory as the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It’s the Binary/xz format you need. You don’t have to unpack it; just place it in the same directory as Currports.

To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.

Setting Options
Currports has a range of useful options. Most control what’s displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.

To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.

You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.

You can also filter Currports’ on-screen output. The format of a filter varies slightly depending on what you filter.

For example, to remove all instances of svchost.exe from the display, enter the following line:

exclude:process:svchost.exe

To only show HTTP and HTTPS traffic and exclude all other connected processes:

include:remote:tcp:80
include:remote:tcp:443

You can use local, remote or both to define which end of the connection you’re interested in.  Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).

The include directive means that everything else is excluded, so you’ll need to build up the output using multiple include lines.

Nice Touches
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn’t recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it’s what you need.

Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.

Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn’t work, but your mileage may vary.

You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes. 

currports2b-2bhtml2boutput-7200668

The next two icons deal with copying the details for one or more processes into the paste buffer for inclusion in another document, and viewing a process’ properties (double clicking also displays the properties).

Searching for strings is accomplished with the binoculars icon, which allows you to specify case sensitivity.

Finally, you can export the entire display into HTML format, which is then opened in your default browser.

All pretty interesting stuff, but what can you do with Currports other than satisfy your curiosity?

Using Currports
Currports comes into its own as part of the behavioural analysis of potential malware. If you’ve downloaded a piece of older, unsupported application, it’s immensely useful to see if it’s leaking information or calling home.

Depending on the type of infection, several things may happen. A botnet client will try to contact its command server for instructions, a payload and a target list. Ransomware might also call home for an encryption key, but much of it also explores your network looking for other machines with unprotected shares to hold hostage. If it does so, you’ll see multiple connection attempts to lots of other addresses on the subnet.

It’s not unusual for some forms of malware to open connections to the site router while attempting to find vulnerabilities to exploit. It’s easier to attack your router from the inside of the network than from the (supposedly) hardened public side. If it can install a fake certificate or subvert DNS caching, it can redirect traffic to attack servers.

Many drive-by infections need somewhere to download and run their payloads. They can’t use the system directories, so tend to use your temporary directory. In a similar vein, much of today’s malware likes to masquerade as legitimate system processes, such as svchost.exe. A Svchost with a process path leading to your temporary directory instead of WINDOWSSystem32 is clearly not legitimate, for example. Anything out of the ordinary (Excel making connections to Romania?) should be investigated.

There are also times where all hell seems to let loose, but which are completely benign. Windows Update, for example. For this reason, it’s useful to install Windows in a VM, download and set Currports running, and just get a feel for what happens during various major operating system events. Also, install an antivirus product and watch the connections fly as it updates itself.

So, there we have it: a simple, useful utility to give you a clear 1,000-foot view of the connections being made. I may have missed one or two options, but if you have any interesting uses for Currports, please feel free to post them in the comments.

A Modest Proposal

IoT security is a mess, but who’s to blame?
 

title2bimage-8671476The internet of things is quickly becoming every cybercriminal’s wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?
 

Last year, Symantec released a damning report revealing security flaws in common IoT devices. Some, like not using SSL to communicate and not signing updates, are shot through with incompetence and hubris. The report also described basic flaws in some IoT web portals. It’s uneasy reading unless you’re building a botnet, in which case it’s pure gold.
 

Many IoT devices call home for instructions and updates but don’t bother with chains of trust. Using ARP cache poisoning, an army of devices is yours to update with new firmware, and to then command.
 

So, how big is the coming IoT cyber-storm? According to Gartner, by 2020 there will be a staggering 13 billion IoT consumer items online. Driving this growth is a gold rush that will be worth $263bn to manufacturers by the end of the decade.
 

To put this into context, the recent 1Tb/s DDoS against French hosting provider OVH involved just 152,000 hacked devices. To borrow from Al Jolson, we ain’t seen nothin’ yet. 

dsl2bmodem2bspam2bin2bshiva-5468945
We could simply build stronger defences, such as Google’s Project Shield, but this does nothing to address the underlying problem: insecure products.
 

Cybersecurity professionals increasingly spend excessive time and energy defending against those products. And apart from bad publicity, there seems to be little consequence for manufacturers.

Ah, but surely responsible IoT companies provide updates as they become available? Well, yes. Up to a point.
 

Do your parents have any idea how to locate and install a firmware update from a support site? Mine neither. Why should they? They bought white goods, not a system administration course. By now, all IoT updates should just happen automatically, using a chain of trust that begins with code locked securely into the CPU and ends via client and server identity verification with cryptographically signed firmware images.
 

Online safety is at the heart of the problem. Consumers have a right to safe goods. IoT manufacturers have a responsibility to prevent their products harming others online. Do baby monitors that can be accessed by anyone sound safe to you?
 

baby2bmonitor2badmin2bpassword-1273135The lamps in your lounge won’t randomly explode and set the curtains on fire. They meet legally enforceable standards. But a smart lightbulb can be hacked. We live in a changed world, and mere lightbulbs serving ransomware is becoming possible.
 

It’s not as if good IoT security is difficult to implement. Because of this, there’s an obvious and urgent need to enforce legal cyber-safety standards against manufacturers. One potential and very detailed testing methodology comes from the OWASP Internet of Things Project.
 

My modest proposal is that IoT manufacturers be made to implement strong security in their products in order to offer them for sale. For this, we need independent testing bodies. Those products that fail would be denied a safety certificate, just like any other consumer item. Foreign imports would be subject to trading standards examination, with sellers facing prosecution for selling insecure goods just as they do for selling fakes.
 

Maybe then, as older devices fail and are replaced, will the IoT will slowly revert to the consumer paradise it was meant to be.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press