The train wreck that is Android security continues…
A new strain of malware, found in China by security firm Wandera, has the following charming characteristics, according to a recent blog post.
Zero-day threat previously unknown within the mobile security community
Group of at least 50 functioning apps containing the sophisticated RedDrop malware
Apps are distributed from a complex network of 4,000+ domains registered to the same underground group
Once the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious functionality
When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected
These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more
RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes
This is frightening stuff as it turns the victim’s phone into a bug, compromising phone calls made on the device as well as conversations in the vicinity.
As usual, the key problem here is that the app follows the rules and asks the user to approve a (long) list of permissions, which are then used to compromise the device. Many users don’t bother to read or think about these permission prompts, and so effectively invite the malware authors to take over their device.
Security pros need to make their users aware of the need to read and think about security prompts EXTRA carefully on their Android devices.
I spend a lot of time telling people to use two factor authentication on their important web accounts. This may explain why I don’t get invited to parties.
While using 2FA is a great idea, there is one issue which you (and your employees) should be aware of.
If your 2FA solution relies on text messages to deliver its one time passcodes, it may be vulnerable to “mobile number port out” scams. This article from the always informative Brian Krebs explains the mechanics of this.
The solution? If a site offers the choice between using text messages and an authenticator app, choose the app. If you have to use text based authentication, make sure that your mobile phone account is protected from porting using a PIN or password.
Our main argument is that a message from ETI cannot be decontaminated with certainty. For anything more complex than easily printable images or plain text, the technical risks are impossible to assess beforehand. We may only choose to destroy such a message, or take the risk. The risk for humanity may be small, but not zero. The probability of encountering malicious ETI first might be very low. Perhaps it is much more likely to receive a message from positive ETI. Also, the potential benefits from joining a galactic network might be considerable.
If the aliens have the ability to create Flash content, we are doomed.
A few lessons for us infosec professionals from this:
First: The definition of insiders expands as businesses continue to outsource functions which used to be done in house.
Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.
If you are going to use Infrastructure as a Service providers like Amazon, make sure that the people using them take the time to learn about and use the security features. Amazon provides the means to store data securely and has a wealth of documentation on security best practices. Having a breach due to an improperly configured S3 bucket is amateur hour, folks.
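The two places an S3 bucket can be made public are its ACL and its bucket policy. The following audit function is an added example, not code from the post or from AWS: it takes the shapes boto3 returns from get_bucket_acl()["Grants"] and get_bucket_policy()["Policy"] and reports every world-readable or any-AWS-account grant. All sample data in it is constructed.

```python
# Added example, not code from the post or from AWS: audit the two places an
# S3 bucket can be made public, its ACL and its bucket policy. The inputs use
# the shapes boto3 returns from get_bucket_acl()["Grants"] and
# get_bucket_policy()["Policy"]; all sample data below is constructed.
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement's Principal means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_access_findings(acl_grants, policy_document):
    """Return human-readable findings; an empty list means neither the ACL
    nor the policy grants access to the world or to any AWS account."""
    findings = []
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "everyone" if uri == ALL_USERS else "any AWS account"
            findings.append(f"ACL grants {grant['Permission']} to {who}")
    if policy_document:
        policy = (json.loads(policy_document)
                  if isinstance(policy_document, str) else policy_document)
        for st in _as_list(policy.get("Statement")):
            if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
                continue
            # A Condition (e.g. a source-IP restriction) narrows the grant but
            # still deserves review, so it is flagged rather than ignored.
            cond = " (conditional)" if st.get("Condition") else ""
            actions = ", ".join(_as_list(st.get("Action")))
            findings.append(f"policy allows {actions} to anyone{cond}")
    return findings


# Constructed sample data: a world-readable bucket and a locked-down one.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
PUBLIC_ACL = [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PRIVATE_ACL = [OWNER]
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, acl, pol in (("public", PUBLIC_ACL, PUBLIC_POLICY),
                           ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, public_access_findings(acl, pol) or ["no public access found"])
```

Against a live account, `s3.get_bucket_acl(Bucket=name)["Grants"]` and `s3.get_bucket_policy(Bucket=name)["Policy"]` feed straight into the function (the second call raises NoSuchBucketPolicy when the bucket has no policy, which is the same as passing None). Running this over every bucket on a schedule catches the "someone flipped it public for a demo" case that the text calls amateur hour.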
When acquiring new companies, especially small ones, security due diligence needs to be job one. Finding out where sensitive information is stored and how it is protected is a must.
Know your third parties (and those of your acquisitions) – FedEx blamed the breach on an unnamed third party. Remember – you can outsource the function, but you cannot outsource responsibility for security. When doing an acquisition, look at the list of every vendor that the target company pays and figure out which ones might be holding data.
I have been through the acquisition process a few times in the past ten years – identifying show stopper issues during due diligence is important, but it is vital to keep the process going after the deal is done. The more you dig into the security of the acquired firm, the more “interesting” security issues you will find.
…a person’s credit rating (listed A-H); the number of active credit lines; whether the person is a credit card user; if they own or rent their home; the type of home the person lives in; marital status; the number of children a person has; how many children are in the home; occupational details; education; net worth; and total household income.
In addition, some records indicate a person’s political donations, including fields denoting conservative donations, liberal donations, or general political causes.
Other fields list personal donations (i.e. veteran’s charities, local community charities, healthcare charities, international charities, animal charities, arts or culture charities, children’s charities); and financial investments (foreign and domestic, including personal investments, stocks and bonds, or real estate).
There are travel indicators too, including fields for people who travel internationally, and fields for those who visit casinos. Finally, the profiles indicate buying preferences, such as if a person is into home gardening, or has recently purchased auto parts.
The price for this treasure trove? US$600.
With this information in hand, cyber attackers could craft extremely realistic phishing attacks targeted with laser precision. They could choose victims to concentrate their effects on for maximum profit. Real world attackers could also use this information to plan crimes such as burglaries or kidnappings. Governments (both foreign and domestic) could use this information to select targets for surveillance.
The source of this information is not yet clear, but if it is genuine, it most probably came from a private company aggregating it for marketing use. If companies are to be allowed to capture and collate this kind of data, they must be held to strict standards when it comes to data protection. If this data is real, whoever let it fall into unauthorized hands should be subject to some serious legal and civil action.
This story does not seem to have made it to the mainstream media as of yet – I am hoping that this is because they are working to validate whether the data is in fact real. If this turns out to be a real story, I think we have the winner for the biggest non political hack of 2016.
A reminder that while iOS still seems to be safer from malware threats (as long as you don’t jailbreak your device), Apple’s walled garden is not totally weed free. Researchers found malicious apps in Apple’s App Store which use vulnerabilities in iOS’s digital rights management software to install malware on standard (non jailbroken) devices. This particular family of malware only targets devices located in mainland China, but there is no guarantee that others may try and exploit this issue to infect other users.
Apple removed the malicious apps from the App Store when they were informed of the issue, but it is important to note that the apps stayed up in spite of multiple reviews by Apple until then.
We iDevice users have been quite lucky when it comes to malware, but it is important to remember that iOS is not immune to malware attacks. The best defense is to be choosy about the apps you install – if you have not heard of an app, look for reviews and information out on the net before downloading it to your phone.
Of course, Donald Trump promises to build a “terrific” wall around Apple’s App Store and make Mexico pay for it…
Yesterday, at ShmooCon, security researcher Sean Cassidy announced a vulnerability in the popular LastPass password manager. He demonstrated a way that an attacker could send a user a phishing email redirecting them to a specially crafted web page which logged them out of LastPass and presented a “pixel perfect” copy of the LastPass login screen, where the user would then enter their user name, master password and two factor authentication code. This information would be sent to the attacker, who would then have access to all of the user’s passwords.
Key to this evil plan was a “cross site request forgery” (CSRF) vulnerability in LastPass, which allowed the attacker to force the user to log out of the password manager. This vulnerability has been fixed in the latest version of the application, so this particular attack will not work today and LastPass users should not panic.
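The CSRF weakness above comes down to a state-changing action (logging the user out) that any other site could trigger. The following is an added illustration, not LastPass’s code and not a description of their actual bug: a minimal logout handler that fires on any request carrying the session cookie, beside one that requires a POST, a same-origin request and a session-bound synchronizer token. The Request class, the in-memory session store and the origin are all constructed for the example.

```python
# Added example, not LastPass's code: a logout endpoint any cross-site page
# can trigger, beside one hardened against CSRF. The Request class, the
# SESSIONS store and SITE_ORIGIN are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vault.example"        # placeholder origin of the site
SERVER_SECRET = secrets.token_bytes(32)      # per-deployment secret for tokens
SESSIONS = {}                                # session_id -> user (constructed store)


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and return its id (what the Set-Cookie would carry)."""
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = user
    return sid


def csrf_token_for(session_id):
    """Synchronizer token: an HMAC of the session id under the server secret,
    so it is bound to one session and an attacker page cannot compute it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def logout_vulnerable(req):
    """Logs out on any request that carries the cookie. The browser attaches
    the cookie automatically, so an <img src> or auto-submitting form on an
    unrelated page is enough to end the victim's session."""
    sid = req.cookies.get("session")
    if sid in SESSIONS:
        del SESSIONS[sid]
        return 200, "logged out"
    return 200, "no session"


def logout_hardened(req):
    """Only a POST from our own origin carrying the session's token may log out."""
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    if req.method != "POST":
        return 405, "logout requires POST"
    # Browsers send Origin on cross-site POSTs; fall back to Referer and
    # reject a missing value rather than assume it is same-origin.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(sid)):
        return 403, "bad or missing CSRF token"
    del SESSIONS[sid]
    return 200, "logged out"


if __name__ == "__main__":
    sid = login("alice")
    forged = Request("GET", {"Origin": "https://attacker.example"}, {"session": sid})
    print("vulnerable:", logout_vulnerable(forged), "session alive:", sid in SESSIONS)
    sid = login("alice")
    forged.cookies["session"] = sid
    print("hardened:", logout_hardened(forged), "session alive:", sid in SESSIONS)
    good = Request("POST", {"Origin": SITE_ORIGIN}, {"session": sid},
                   {"csrf_token": csrf_token_for(sid)})
    print("hardened, legitimate:", logout_hardened(good), "session alive:", sid in SESSIONS)
```

Marking the session cookie SameSite=Lax (or Strict) adds a second, independent layer, since the browser then withholds the cookie on cross-site POSTs; the token and origin checks above still matter because not every client honours SameSite and because the same pattern protects every other state-changing endpoint, not just logout.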
I have been a proponent of password managers in general and LastPass in particular and still think that LastPass, DashLane, Keepass and the like are great solutions for protecting your online accounts. In my opinion, the extra security you achieve by having unique long, strong passwords for each of your accounts outweighs the risks posed by using a password manager.
One of the debates around LastPass and its online brethren is whether their practice of storing encrypted versions of passwords in the cloud to allow them to be shared amongst devices and browsers presents too much of a security risk. Many people prefer to use offline password managers like Keepass which store the encrypted passwords locally. I can see the case for either choice, but I feel that for most people, the ease of use of a synchronized solution like LastPass or DashLane makes it more likely that they will use long, strong, unique passwords for all sites. In particular, the ability to use these programs with both mobile and desktop devices is important – non synchronized password managers can be a pain to use and keep up to date on mobile devices, where we are increasingly leading much of our online lives.
I did take this opportunity, however, to look at LastPass’ main competitor, Dashlane, and was quite impressed with it from an ease of use point of view. It definitely gives a superior user experience on the mobile platform, but it does not seem to allow you to store attachments in Secure Notes, which is a LastPass feature I like and use. Dashlane is more expensive than LastPass ($39 per year versus LastPass’ $12 price tag). Dashlane seems to be easier to configure for the non technical user and uses the device itself as a second form of authentication, obviating the need for a separate authorization code. Of course, this means that a stolen phone or iPad could give an attacker access to your passwords, but you can specify a PIN or use the iPhone’s fingerprint reader to control access. I was able to import my LastPass data into Dashlane really easily and they provide a 30 day trial of their premium features, which I am currently taking advantage of. I’ll let you know how it goes.
To summarize, this vulnerability points out how seemingly innocuous vulnerabilities (being able to remotely log someone out of a website or tool) can be leveraged by malicious miscreants for their nefarious purposes. However, it is not a show stopper for LastPass and they seem to have responded in a timely fashion. Password managers are still a great security solution.
A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files. My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs. For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.
I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.
It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection. So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
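To make the two points above concrete (what a sandbox report contains, and why a quiet report is only a weak negative), here is an added example that is neither MalwareViz nor Cuckoo code. It reduces a report to the processes, files, registry keys and network activity an analyst reads first, notes artefacts that look like the sample probing for a virtual machine, and classifies the run. The report layout is constructed and only loosely modelled on Cuckoo’s report.json (behavior.processes, behavior.summary, network); the three sample reports are constructed as well.

```python
# Added example, not MalwareViz or Cuckoo code: reduce a sandbox report to the
# facts an analyst reads first and classify how much the sample actually did.
# The layout is constructed and only loosely modelled on Cuckoo's report.json
# (behavior.processes, behavior.summary, network); the sample reports are
# constructed too.
import json

# Strings a VM-aware sample commonly looks for before deciding whether to run.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "sandbox")


def summarize_report(report):
    """Pull processes, files, registry keys and network activity out of a report
    (dict or JSON string) and note any artefact that looks like a VM probe."""
    if isinstance(report, str):
        report = json.loads(report)
    behavior = report.get("behavior", {})
    summary = behavior.get("summary", {})
    network = report.get("network", {})
    out = {
        "processes": [p.get("process_name", "?") for p in behavior.get("processes", [])],
        "files_written": list(summary.get("files", [])),
        "registry_keys": list(summary.get("keys", [])),
        "dns": [q.get("request") for q in network.get("dns", [])],
        "http": [h.get("uri") for h in network.get("http", [])],
    }
    out["vm_checks"] = [a for a in out["registry_keys"] + out["files_written"]
                        if any(m in a.lower() for m in VM_MARKERS)]
    return out


def classify(summary):
    """'active'  : enough observable behaviour to review in detail
       'evasive' : almost nothing happened, but the sample probed for a VM first
       'quiet'   : almost nothing happened and no probe was seen; this is the
                   weak negative the post warns about, not proof of a clean file"""
    activity = (max(0, len(summary["processes"]) - 1)   # ignore the sample's own process
                + len(summary["files_written"]) + len(summary["dns"]) + len(summary["http"]))
    if activity >= 3:
        return "active"
    return "evasive" if summary["vm_checks"] else "quiet"


# Constructed reports: a noisy sample, a VM-aware one that bailed out, and one
# that simply did nothing in the sandbox.
ACTIVE_REPORT = {
    "behavior": {
        "processes": [{"process_name": "sample.exe"}, {"process_name": "cmd.exe"},
                      {"process_name": "powershell.exe"}],
        "summary": {
            "files": ["C:\\Users\\victim\\AppData\\Roaming\\updater.exe"],
            "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"]}},
    "network": {"dns": [{"request": "c2.example.invalid"}],
                "http": [{"uri": "http://c2.example.invalid/gate.php"}]}}
EVASIVE_REPORT = {
    "behavior": {
        "processes": [{"process_name": "sample.exe"}],
        "summary": {"files": [],
                    "keys": ["HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
                             "HKEY_LOCAL_MACHINE\\SOFTWARE\\VMware, Inc.\\VMware Tools"]}},
    "network": {"dns": [], "http": []}}
QUIET_REPORT = {
    "behavior": {"processes": [{"process_name": "sample.exe"}],
                 "summary": {"files": [], "keys": []}},
    "network": {"dns": [], "http": []}}

if __name__ == "__main__":
    for name, rep in (("active", ACTIVE_REPORT), ("evasive", EVASIVE_REPORT),
                      ("quiet", QUIET_REPORT)):
        s = summarize_report(rep)
        print(f"{name}: {classify(s)} processes={s['processes']} "
              f"dns={s['dns']} vm_checks={s['vm_checks']}")
```

The ‘evasive’ verdict is the one to act on: a sample that enumerated VirtualBox or VMware registry keys and then exited should be re-run on hardware, or on a sandbox with those artefacts hidden, before anyone calls it clean. The ‘quiet’ verdict should be reported as exactly that, one indicator among several, which is the point the paragraph above makes.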