SE Labs

Posts tagged 'targeted attacks'

Next-generation firewalls: latest report

2017q1-2088039

Using layers of security is a well-known concept designed to reduce the chances of an attacker succeeding in breaching a network. If one layer fails, others exist to mitigate the threat.

Latest reports now online.

In this report (PDF) we explore the effectiveness of network appliances designed to detect and block attacks against endpoint systems.

The systems we have tested here are popular appliances designed to sit between your endpoints and the internet router. They are designed to detect, and often protect against, threats coming in from the internet or passing through the local network.

Their role is to stop threats before they reach the endpoints. If they fail to stop a threat, they might learn that an attack has happened and generate an alert, while subsequently blocking future, similar attacks.

In some cases an appliance will take information it considers suspicious and send it to a cloud-based service for further analysis. In this way it might allow a threat through the first time, explore it more deeply using the cloud service and send back information to the appliance so that it will block  that same (or similar) attack in future.

It’s a little like an immune system.

As immune systems adapt to protect against known threats, so threats adapt in an arms race to defeat protection mechanisms. This report includes our first public set of network security appliance results.

Future reports will keep you updated as to how well the industry competes with the bad guys in the real world.

Can anti-malware be 100 per cent effective?

2017q2-4940659

You can probably guess the answer, but we’ll explore how products can score very well in tough tests, and which are the best.

Latest reports now online

There are a lot of threats on the web, and going online without protection is very risky. We need good, consistently effective anti-malware products to reduce our risk of infection.

And the ones included in these reports look great – in fact, some score 100 per cent. That means they stopped all the threats that we exposed them to and didn’t block anything legitimate.

But wait a minute! Those in the security industry know full well that there is no such thing as 100 per cent security. There is always a way past every security measure, and this is as true in the anti-malware world as with any other measures for threat protection.

This test includes some of the very best anti-malware products in the world, and pits them against prevalent threats, be they ones that affect hundreds of thousands of users worldwide, or those that could be used to target individuals and organisations. It’s a tough test, but a fair one.

You could argue that any anti-malware product worth its salt would score 100 per cent or thereabouts.

Products can score 100 per cent in our tests because we’re not choosing thousands of weird and wonderful rare pieces of malware to test. Regular users are extremely unlikely to encounter those in the real world.

We’re looking at the threats that could affect you.

Our mission is to help improve computer security through testing, both publicly and privately. We also want to help customers choose the best products by publishing some of those test results.

But don’t forget that success today is not a guarantee of success tomorrow. It’s important to keep monitoring test results.

Our latest reports, for enterprise, small business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Testing anti-malware’s protection layers

layers-3683923

Our first set of anti-malware test results for 2017 are now available.

Endpoint security is an important component of computer security, whether you are a home user, a small business or running a massive company. But it’s just one layer.

Latest reports now online

Using multiple layers of security, including a firewall, anti-exploit technologies built into the operating system and virtual private networks (VPNs) when using third-party WiFi is very important too.

What many people don’t realise is that anti-malware software often actually contains its own different layers of protection. Threats can come at you from many different angles, which is why security vendors try to block and stop them using a whole chain of approaches.

A fun video we created to show how anti-malware tries to stop threats in different ways

How layered protection works

For example, let’s consider a malicious website that will infect victims automatically when they visit the site. Such ‘drive-by’ threats are common and make up about one third of this test’s set of attacks. You visit the site with your web browser and it exploits some vulnerable software on your computer, before installing malware – possibly ransomware, a type of malware that also features prominently in this test.

browser-8901457

Here’s how the layers of endpoint security can work. The URL (web link) filter might block you from visiting the dangerous website. If that works you are safe and nothing else need be done.

But let’s say this layer of security crumbles, and the system is exposed to the exploit.

toaster-9827773Maybe the product’s anti-exploit technology prevents the exploit from running or, at least, running fully? If so, great. If not, the threat will likely download the ransomware and try to run it.

At this stage file signatures may come into play. Additionally, the malware’s behaviour can be analysed. Maybe it is tested in a virtual sandbox first. Different vendors use different approaches.

Ultimately the threat has to move down through a series of layers of protection in all but the most basic of ‘anti-virus’ products.

The way we test endpoint security is realistic and allows all layers of its protection to be tested.

Our latest reports, for enterprisesmall business and home users are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Back from the Dead

email-1932571Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me “J” as he didn’t have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I’ll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It’s surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we’ve been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

Inside the CIA…

cia-ioc-9786148

Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast.” Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process“, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes “Knockover (sic) PSPs” and “Troll people”.

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: “Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”

Revealingly, User #71473 also likes to hack the home pages of other Users: ” Its 11:30… time to deface people’s unprotected user pages…”

User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User # 71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯_(ツ)_/¯

Amusingly, User #20873595 is keen for people understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.

hearthstone_screenshot-1364834

We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.

Predictions for 2017

golden-2017-new-year-text-with-glowing-glitter-effect-and-fireworksStill dazed from the year that was, Jon Thompson dons his Nostradamus hat, dusts off his crystal ball
and stares horrified into 2017.

Prediction is difficult. Who would have thought a year ago that ransomware would now come with customer care, or that Russia would be openly accused of hacking a bombastic businessman into the Whitehouse. Who even dreamed Yahoo would admit to a billion-account compromise?

So, with that in mind, it’s time to gaze into the abyss and despair…

Let’s get the obvious stuff out of the way first. Mega credential breaches won’t go away. With so many acres of forgotten code handling access to back end databases, it’s inevitable that the record currently held by Yahoo for the largest account breach will be beaten.

Similarly, ransomware is only just beginning. Already a billion-dollar industry, it’s cheap to buy into and easy to profit from. New techniques are already emerging as gangs become more sophisticated. First came the audacious concept of customer service desks to help victims through the process of forking over the ransom. By the end of 2016, the Popcorn Time ransomware gang was offering decryption for your data if you infect two of your friends who subsequently pay up. With this depth of innovation already in place, 2017 will hold even greater horrors for those who naively click attachments.

Targeted social engineering and phishing attacks will also continue to thrive, with innovative

campaigns succeeding in relieving companies of their revenues. Though most untargeted bulk phishing attempts will continue to show a low return, phishers will inevitably get wise and start to make their attacks more believable. At SE Labs, we’ve already seen evidence of this.

It’s also obvious that the Internet of Things will continue to be outrageously insecure, leading to DDoS attacks that will make the 1.1Tbps attack on hosting company OVH look trivial. The IoT will also make ransomware delivery even more efficient, as increasing armies of compromised devices pump out the pink stuff. By the end of 2017, I predict hacking groups (government-backed or otherwise) will have amassed enough IoT firepower to knock small nations offline. November’s test of a Mirai botnet against Liberia was a prelude to the carnage to come.

Bitcoin  btc-mono-ring-orange-6370546recently passed the $1,000 mark for the first time in three years, which means criminals will want even more than ever to steal the anonymous cryptocurrency. However, a flash crash in value is also likely as investors take profits and the market panics in response to a sudden fall. It’s happened before, most noticeably at the end of 2013. There’s also the distinct possibility that the growth in value is due to ransomware, in which case the underlying rally will continue regardless of profit takers.

The state-sponsored use of third party hacking groups brings with it plausible deniability, but proof cannot stay hidden forever. One infiltration, one defection, one prick of conscience, and someone will spill the beans regardless of the personal cost. It’s highly likely that 2017 will include major revelations of widespread state-sponsored hacking.

This leads me neatly on to Donald Trump and his mercurial grasp of “the cyber”. We’ve already delved into what he may do as president, and much of what we know comes straight from the man himself. For example, we already know he skips his daily security briefings because they are “repetitive”, and prefers to ask people around him what’s going on because “You know, I’m, like, a smart person.

Trump’s insistence on cracking down on foreign workers will have a direct impact on the ability of the US to defend itself in cyberspace. The shift from filling jobs with overseas expertise to training homegrown talent has no discernible transition plan. This will leave a growing skills gap for several years as new college graduates find their way to the workplace. This shortfall will be exploited by foreign threat actors.

Then there’s Trump’s pompous and wildly indiscreet Twitter feed. Does the world really need to know when secret security briefings are postponed, or what he thinks of the intelligence presented in those meetings? In espionage circles, everything is information, and Trump needs to understand that. I predict that his continued use of social media will lead to internal conflict and resignations this year, as those charged with national cybersecurity finally run out of patience.

donald-trump-spars-with-univision-journalist-jorge-ramos-6442066

It’s not all doom and gloom, however. The steady development of intelligent anti-spam and anti-malware technologies will see a trickledown from advanced corporate products into the hotly contested consumer market. The first AV vendor to produce an overtly next gen consumer product will change the game – especially if a free version is made available.

There’s also a huge hole in “fake news” just begging to be filled. I predict that 2017 will see the establishment of an infosec satire site. Just as The Onion has unwittingly duped lazy journalists in the past, there’s scope for the same level of hilarity in the cybersecurity community.

However, by far the biggest threat to life online in 2017 will continue to be the end user. Without serious primetime TV and radio campaigns explicitly showing exactly what to look for, users will continue to casually infect themselves and the companies they work for with ransomware, and to give up their credentials to phishing sites. When challenged, I also predict that governments will insist the problem is being addressed.

So, all in all, it’s business as usual.

Happy 2017!

How To Really Stop Phishing

If phishing sites want data, they’ll get it!
phishing-3415461
Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.

Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.

Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?

paypal-6108084
What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.

Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.

Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.

Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…

What is Machine Learning?

machine_learning-1991327… and how do we know it works?

What’s the difference between artificial intelligence and machine learning? Put simply, artificial intelligence is the area of study dedicated to making machines solve problems that humans find easy but digital computers find hard, such as driving cars, playing chess or recognising sarcasm. Machine learning is a subset of AI dedicated to developing techniques for making machines learn to solve these and other “human” problems without the insanely complex task of explicitly programming them.

A machine is said to learn if, with increasing experience, it gets better at solving a problem. Let’s take identifying malware as an example. This is known as a classification problem. Let’s also call into existence a theoretical machine learning program called Mavis. Consistent malware classification is difficult for Mavis because it is deliberately evasive and subtle.

silicon2bbrain-1881268For it to successfully classify malware, we need to show Mavis a huge number of files that are known to be malicious. Once Mavis has digested several million examples, it should be an expert in what makes a file “smell” like malware.

The spectrum of ways in which Mavis might be programmed to learn this task is very wide indeed, and filled with head-spinning concepts and algorithms. Suitable approaches all have advantages and disadvantages. All that counts, however, it’s whether Mavis can spot and stop previously unknown malware even when the “smell” is very faint or deliberately disguised to confuse it into an unfortunate misclassification.

A major problem for developers lies in proving that their implementation of Mavis intelligently detects unknown malware. How much training is enough? What happens when their Mavis encounters a completely new threat that smells clean? Do we need a second, signature-based system until we’re 100% certain it’s getting it right every time? Some vendors prefer a layered approach, while others go all in with their version of Mavis.

Every next generation security product vendor using machine learning says their approach is the best, which is entirely understandable. Like traditional AV products, however, the proof is in the testing. To gain trust in their AI-based products, vendors need to hand them over to independent labs for a thorough, painstaking work out. It’s the best way for the public, private enterprises, and governments to be sure that Mavis in her many guises will protect them without faltering.

How The Clinton Campaign Was Really Hacked

hillary-clinton-3961580The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

phish-5291731

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

podesta-it-email-1-8250640

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

reply-2589288

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

Does your anti-malware stop hacking attacks?

2016q3-9738923

An attack rarely ends when the malware runs. That’s just the beginning…

Latest reports now online.

Testing security software is a challenging task and it’s tempting to take clever shortcuts. However, while doing so might save the tester time and other resources, it doesn’t always produce useful results. And if the results aren’t accurate then the test becomes less valuable to you when you’re choosing which product to use.

We are big supporters of the idea of full product testing. This means installing the security product the way it was intended to be used, on systems commonly used in the real world and ensuring that every component of that product has a chance to defend the system.

In practice this means that we installed the anti-malware products tested in this report on regular PCs that are connected to a simple network that has unfiltered internet access. We visit malicious websites directly, where possible, and use a special replay system when the bad guys start to interfere with our activities.

Since the beginning of this year we started including targeted attacks in our testing. These types of attacks try to compromise the target using infected documents and browser exploits. Once an exploit has succeeded we then continue ‘hacking’ the target. This step is crucial because in many cases it is these post-exploitation hacking activities that can trigger an alert.

Full product testing doesn’t just mean turning on (or leaving enabled) all of a product’s features. It also means running a full attack as realistically as possible. Testers should not make assumptions about how a product works. You need to act like a real bad guy to understand how these products protect the system.

Our latest reports, for enterprises, small businesses and home users are now available for free from our website. Please download them and follow us on Twitter to receive updates and future reports.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press