Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Dow Jones Data Breach

In a letter to customers sent today, Dow Jones & Co has revealed that its services were breached, possibly exposing the credit and debit card information of customers. Reportedly only impacting “fewer than 3,500 individuals,” the information provided shows that the unauthorized accesses took place between August 2012 and July 2015.

“In today’s world – where literally anyone connected to the Internet is vulnerable – it’s no longer just a question of spending, it’s a question of processes and skills. Following the Dow Jones breach, I’m heartened that the CEO has publically said that no company is immune to cyberattacks. Solely recognizing that all organizations need comprehensive security solutions is the first step to reducing the onslaught of breaches we’ve witnessed over the last few years,” said Grayson Milbourne, Security Intelligence Director of Webroot.

“As large company breaches have revealed, security isn’t always a question of budget but also a question of skills and background checks. The name of the game is to find out what is going on in an environment and reduce the risk. Overall, there is a clear trend of attacks that aim to compromise companies who store vast amounts of user data. These businesses need to prepare for continued attacks by updating their security policies and systems to be on high alert.”

While Dow Jones & Co is reporting the information has been possibly compromised, they are also reporting that no evidence is pointing toward the information actually being used in authorized manners.

Avoid Unwanted Applications

Has your home page changed? Are you getting pop-up ads that are “Provided by” some company you’ve never heard of? Are your search results coming from a different search engine? Welcome to the world of Potentially Unwanted Applications (PUAs.) While they can be annoying, PUAs are easily avoided.

The easiest way to avoid PUAs is to only install programs from their official download sites. Third-party download sites continue to be one of the main sources for PUAs. If you search for software downloads, chances are you will end up on a third-party site rather than an official download page and end up inadvertently installing PUAs.

When installing software, always pay attention to the install process – don’t just click “next” until the install is complete. Most installers allow you to opt-out of installing optional software, but they don’t always make it easy. Pay attention to any available install options, and always choose a custom install when possible. Watch for “skip” or “decline” buttons that will allow you to not install bundled applications. Look for check boxes that ask you if you want to install additional applications of change your home page or search settings. If you follow these suggestions it will help you to avoid installing PUAs.

Phishing Attacks and Lessons Learned

Phishing attacks have been a prevalent, and often quite successful method of obtaining sensitive data from unsuspecting victims for quite a few years now. These attacks are extremely common through email and usually only require the user to click on a link contained within, and enter the information requested. Due to the simplicity of obtaining potentially valuable data from users, many companies have been instituting security training  for these types of attacks by using phishing tests to determine their employees’ ability to discern a real email from a possible phish.

With the latest breach coming from the United States’ Office of Personnel Management, the question remains of what could have been done to prevent such a high-security organization from making a simple mistake that could be catastrophic? The answer seems to be increasing the amount of security training that is taking place within these organizations, in regards to phishing attacks and basic online security.

Unfortunately, many users continue to fail these types of tests, while still holding high-level security clearance. This is likely due to the lack of reprisal for the user, aside from more security training sessions, which allows the poor behaviour to carry on. Paul Beckman, CISO for the Department of Homeland Security, has a different idea about consequences for these individuals, who are often senior managers or other C-level employees. He states, “Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government”, and suggests that these employees should have their security clearance removed until such time that they can prove to be responsible with extremely sensitive information.

Beckman said he hopes to move forward with the discussion of cracking down on repeat offenders, but it will all take more time and getting more CISOs on board. Meanwhile, these types of attacks are becoming more personal and thus, more difficult to prevent against.

With other companies able to learn lessons based off the circumstances surround the OPM hack though, we hope too see a continued shift towards education and understanding from the largest corporations down to the standard internet user. Maintaining awareness and understanding of the threats on the internet, especially effective ones such as phishing, is the first step in moving towards safer browsing habits.

History of Mac Malware

The subject that fan boys of each side love to argue about.  Mac malware.  The fact is that malware for Mac is real and it continues to grow as a problem.  In 2012 Apple removed the statements “It doesn’t get PC viruses” and “A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers.”  I would like to shed light on the malware from beginning to now in hopes that it will bring an understanding of why security is needed on all operating systems, including your Mac.

macmalware11982 – The first threat that occurred was the Elk Cloner (this however did not actually affect the Mac) which would cause the Apple II to boot up with a poem:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

1987-2003

There were a few different malware families that came out but being as they are using an operating system that is not really used I won’t go into great detail.  In 1987 nVIR virus began to infect Macintosh computers.  In 1988 HyperCard viruses started to gain traction. HyperCard was software created by Apple to execute scripts immediately on opening.  MDef was discovered in 1990.  MDef infected application and system files on the Mac.  In 1995 Microsoft released a virus that would infect both PC and Mac users via Microsoft Word called Concept.  In 1996 Laroux, the first Excel macro virus was found but didn’t actually do anything to Macs until Excel ’98 was released.  In 1998 Both AutoStart 9805 and Sevendust were discovered.

2004-Present – This brings us into the modern operating system we all know and love OS X. Also the time frame where threats are created that can still affect systems in use today.

2004 – Renepo was found. It had the ability to disable a system firewall, and it would try to copy itself to /System/Library/StartupItems.

macmalware22004– Amphimix a program which is also a MP3 file. When launched it displays a dialog box which reads “Yep, this is an application. (So what is your iTunes playing now?)” It then loads itself into iTunes as an MP3 file called “Wild Laugh”, playing four seconds laughter.

 

macmalware32006 – Leap is widely considered to be the original Mac Trojan. Leap used iChat to spread itself; forwarding itself as a latestpics.tgz file to the contacts on the machine. Inside the Gzipped Tar File (.tgz) was an executable file masked as a JPEG. When executed, it infected all Cocoa applications.

2006 – Inqtana was the second worm for Mac OSX. The worm propagated through a vulnerability in unpatched OSX systems.

2008 was a big year for Mac malware… Apple published an advisory to use antivirus software. They removed the statement from its website after being up for about two weeks.

2008 – BadBunny is a multi-platform worm written in several scripting languages and distributed as an OpenOffice document containing a macro.  It spreads itself by dropping script files that affect the behavior of popular IRC (Internet Relay Chat) programs, causing it to send the worm to other users.

2008 – RSPlug is a Trojan that changed DNS to send users to malicious servers. It originally spread as a video codec that was downloaded from various porn websites.

2008 – AppleScript.THT tries to disable security software, steal user’s passwords, turn on file sharing, take screenshots of the desktop, and take a photo of the user via the built-in camera.  The malware exploits a vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

macmalware42008 – MacSweeper, Mac’s first ‘rogue’ application (a fake antivirus misleading users by reporting infections that doesn’t exists). When the infected user tried to remove the “infections”, MacSweeper asked to provide credit card details and pay $39.99 for a “lifetime subscription serial key.”

I won’t lie, before I got into threat research, I ended up with this on my Mac…

2008 – Hovdy tried to install itself to /Library/Caches. It disabled syslog/system updates, stole password hashes, open ports in the firewall, disabled security software, installed LogKext keylogger and started web server, VNC, and SSH. It also tried to get root access by way of ARDAgent vulnerability.

2009 – Iservice was discovered in a pirated version of iWork ’09. It copied itself to /usr/bin/iWorkServices and tried to execute a HTTP request. Updated variants were later found in a pirated versions of many high use programs.

August 28, 2009 – Apple released an anti-malware tool called XProtect,at release it could protect a Mac against only two threats (RSPlug and Iservice).

2010 – HEllRTS (aka HellRaiser) is a Trojan that allows control of a computer by a remote user. The remote user has the ability to transfer files, pop up chat messages, display pictures, and even restart or shut down the infected machine.

2010 – Boonana, a Trojan that spread via social media and email disguised as a video. It runs as a Java applet, which downloads its installer to the machine.  After installed it starts running in the background and communicating with a variety of servers such as command and control servers.

2011 – MacDefender, another rogue like MacSweeper that installs itself into the /Application folder and wants you to pay them for the “infections” to be removed from your mac.

macmalware52011/2012 – Flashback was disguised as a Flash player download and targets a Java vulnerability on Mac OS X. The system is infected after the user is redirected to a compromised bogus site, where JavaScript code causes an applet containing an exploit to load. The Flashback malware was the largest attack to date, hitting more than 600,000 Mac computers.

2013 – Lamadai, a backdoor Trojan, targeted NGOs (Non-Government Organizations) and exploited a Java vulnerability to drop further malware code.

2013 – Hackback spied on victims and was designed to take a list of certain file types, find all files matching those types, compress them into a zip located in /tmp/ and upload them to a remote server.

2014 – LaoShu went viral via spam emails posing as a notification from FedEx. It contacts a remote server sending system information, files, and screenshots. It is important to note that it is signed with a valid Apple developer ID certificate.

2014 – CoinThief is designed to steal Bitcoins from infected machines, and is disguised as legitimate apps.  The source code was on Github for a while under an app named StealthBit.

macmalware6

It’s worth mentioning that these have been the main threats seen on the Mac and not all of them.  There are many smaller variants and proof of concepts that are not listed.  Also, that I didn’t include any adware variants such as Genieo or VSearch on here, but I did write about in my last blog.  Even after seeing all of these there will still be those that refuse to believe that their mac is vulnerable to attack, but trust me it will only get worse from here.  Apple is increasing their market share and with that comes an opportunity for malware writers to make more money.

The most difficult question in computer security

Whenever I think of security awareness, there is one question that haunts me: How do we educate the not-so-technically inclined about security? It seems like a simple enough question, we know the basic tips and tricks, it’s second nature to many of us. Keeping Windows fully patched and up to date pretty much takes care of itself with the proper settings in Windows Update. Many other applications check for updates regularly by default. Running antivirus software should be a no-brainer and if you run a cloud-based AV solution like Webroot SecureAnywhere you don’t even need to worry about updates.

Then you try to explain how to identify a suspicious email to that friend or family member that always comes to you for computer support. You came prepared with sample emails complete with circles and arrows and highlighted text. You explain how to  check email headers, hover over links to check where they actually go, and look for obvious spelling and grammatical errors. To the non-techie this can seem like a bunch of techno-babble that they will not remember.

The technical approach is simply not going to work on some people. Yo can suggest treating any email that they were not expecting to receive, is from an unknown sender, and contains a link or an attachment as suspicious. This can work, but has it’s own issues. People order products over the internet all the time. Order and shipment confirmation emails are something people expect, so when someone receives a fake email claiming to be from a shipping company it can be quite effective. These emails may be obviously suspicious to you, but you said to be suspicious of emails that they were not expecting, remember? It tends to just get more complicated from there. We want to educate and help develop healthy suspicions, not distrust and paranoia.

So how do we explain how to identify a suspicious email in simple terms that even the less technical people can understand? This is a question that we need to continue to ask ourselves, and we each need to do our part in educating others on security issues.

As a note, tomorrow begins National Cyber Security Awareness Month and with that, we will be posting regular security tips to keep you and your family safe while online.

Heartbleed continues to put devices at risk

Over a year has now passed since we were first alerted to a flaw in the OpenSSL cryptography library, widely used in the implementation of Transport Layer Security (TLS) protocol. The bug CVE-2014-0160, was quickly dubbed “Heartbleed” (http://heartbleed.com/) after a missing bounds check in the TLS heartbeat extension. Despite the passing of time and the high profile nature of the flaw, IoT crawler Shodan has recently discovered the vulnerability still exists on over 200,000 internet connected devices.

Shodan (http://www.shodanhq.com/) launched in 2009, is a search tool that seeks out internet-of-things (IoT) and other internet connected devices collecting the information returned by these devices to build up a picture of what services are being offered. The data can then displayed in a variety ways including by geo-region breakdown. This is great tool for IT and security teams and unfortunately also for the bad guys.

Many people will deem 200,000 vulnerable devices on the internet as unacceptable, and in many ways it is. At the same time I think it is important for us all to understand why this happens and why there is currently no easy fix. I believe we will see vulnerabilities like Heartbleed in the wild for many years to come. Whereas I do believe there is a certain level of ignorance to the threat, I also believe there are many other factors.

There are users who aware their devices are vulnerable, not realizing their device uses the buggy version of OpenSSL, or even uses SSL for communication. There will be others that haven’t heard of Heartbleed and many not understanding the tech details, the fix, or the ramifications. Sometimes putting two and two together is little more difficult that we’d like to think. Hey, we are asking users to understand and fix their devices, when at present they still haven’t changed the device’s default admin password – even worst, they’ve not realized their device is even connected to the internet.

Ignorance and even arrogance with regards to the lack of patching has been observed. Not patching a device when possible, believing it is unlikely to be exploited is simply not acceptable. We need to move away from setup and configure once, then leave alone. Users need to research, revisit and understand the devices on the network and especially those connected to the internet.

Search engines like Shodan mean that susceptible devices are less likely to go under the radar – it also highlights the appetite the business and personal sector have for security. Once the configuring and setup of these devices required a certain skill level. That’s all changed now, especially with WPS and other technologies, many devices are completely ‘plug and play’. The complexities of such systems are hidden from the user – even if patches are available for said devices, I very much doubt many users would know how to install them.

There are also many manufacturers that focus on the delivering of ‘cheap’ affordable technology, OEM and unbranded to an untrained eye in many cases. These cheaper offerings normally come at a price – limited aftercare. Put simply you’ll be lucky to ever see manufactures release new firmware and software updates after purchasing and that’s if the vendor still exists.

The mobile phone industry has used a similar business model for years, after a while updates stop, if they even started – meaning customers will need to go out and purchase the a new handset/hardware to have the latest and most secure software. What we are left with is millions of vulnerable internet connected devices. Most devices, especially legacy devices, the ones most likely to be at risk have no OTA (over the air) update capabilities, many do not even include a manual update feature – many are not even capable of running the newer firmware and software.

There’s a lot of bad news, but it doesn’t mean a certain level of protection cannot be offered – something the Shodan results are unable to factor in. Internet connected devices need continuous monitoring to detect common attacks, the use of automated vulnerability scanning solutions, the use of tools like Shodan. There are many possible ways to mitigate risk, like the separating of networks. Heartbleed has been a big wake up call, the number of probable vulnerable devices, the extra media attention along with the slick branding propelled this security risk from the geeks and IT and security professionals all the way to the boardroom. It’s important not to be fooled in to thinking this is only an IoT issue, a proportion of the devices highlighted belong to the more traditional internet infrastructure hardware group. That said, the mass adoption of IoT will only make future vulnerabilities more difficult to correct.

I don’t see these current findings as a ‘we haven’t patched Heartbleed’ issue, it’s another example of what happens without regulation and standardization, without user education and best practices, coupled with the ‘security as an afterthought’ mentality.

ORX Locker

Only a month has gone by since the last RaaS (Ransomware as a Service) came to light. It looks this new business model that was first introduced by TOX a few months ago is spreading fairly rapidly. The idea is that now ALL malware authors of ranging skill can now create encrypting ransomware on a easy to use platform. This latest variant called ORX Locker is no different.

Simply enter in the desired info (price, identifiers, time limit, ect.) and the site will generate a new binary tailored to your specifications. The hackers are still responsible for distributing the malware, but renting time on many operational botnets and email phishing campaigns is also fairly easy to do in the underground darknet marketplace.

Once a victim is infected there is no GUI popup once all files are encrypted. It just changes the extension of all encrypted files to “.LOCKED” so you have a nice surprise when you try open one of your compromised files. Instructions on how to get your files back are left on your desktop as locally stored web page.

Special instructions are given to show a novice user how to connect to onion links and pay the ransom. Once you successfully connect to the darknet then the payment page is presented.

The instructions are clear on what you need to do to get your files back. Bitcoin is the criminal industry standard now and you’ll have a hard time paying for any ransom without it. While some ransoms will also accept the legacy money mules like ukash and moneypak, that is quickly dying out in favor of a better fee structure bitcoin launderers offer. Once you’ve paid you just download their tools and it will unlock all of your files using the AES 256 key that was generating during encryption.

This variant does not delete the VSS so as long as you have system restore enabled you can get your files back without paying the ransom. Just download a shadow copy tool like shadow explorer and you can restore files from a previous restore point. While the variant we analyzed showed no advanced techniques and is relatively simple in design, it remains a threat to unprotected systems and should be taken seriously. Improvement tweaks in the future are always possible and may “patch” the back doors it left open to your files.

  • MD5 Analyzed:89E1EFDC766E9C7D41305566993BA800
  • Additional MD5: D6ED4D4E8B1A95A224EBDD54529B3751
  • Additional MD5: 1914724AEEA3CA954322053DD883B14A

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

Security Advice is fundamentally the same

Thinking back on the changes in what we like to call the “threat landscape” over the years, a lot has changed. From the days of actual viruses and worms spreading their way through networks, to the rise of spyware and adware that slowed your computer to a crawl with pop-up ads and toolbars, to the scourge of encrypting ransomware that we see today.

As much as things have changed, the methods of distribution have remained fairly constant. The majority of malware we see is distributed via exploits or through some form of social engineering. While there seems to be no shortage of zero-day exploits being used, many of the exploits used to install malware have been patched for a long time. We see infections that use exploits that were patched years ago on a regular basis. Social engineering has certainly become more advanced, but users continue to click on malicious links or attachments in email messages.

The following is an updated to our Webroot Internet Security FAQ from around 2005. Some of the terminology may be a bit older but the information is still relevant today.

How can I prevent computer viruses? Take these steps to fortify your computer security against viruses right away:

  • Use anti virus protection and a firewall
  • Update your operating system regularly
  • Increase your browser security settings
  • Avoid questionable Web sites
  • Only download software from sites you trust
  • Practice safe email protocol
  • Don’t open messages from unknown senders
  • Immediately delete messages you suspect to be spam
  • Avoid free software and file-sharing applications
  • Get anti-spyware software protection

So while the types of threats out there are changing, the fundamentals are staying the same which luckily allows the potential victim to take similar approaches to rectifying the attack and staying safe online. As always, it is best to stay updated with newest trends in security, but always remember the core foundation of staying safe online.

AdBlock Plus exploit puts OSX users at risk

A visit to the Apple store will give any consumer a false sense of security, you will be told that by buying a Mac you are safe from threats and malware. I have even been told this even after I explain what I do for a career. A vast majority of Mac users still believe that they are safe from the threat of malware because of this, even though the magic myth of Mac immunity has long been disproven and really exploited in the past years with such concepts of Thunderstrike and root privilege exploits. However, most of the malware that we come across for Mac has been adware. The annoying pop ups or redirects that try to get you to spend money or download shady software.

Variants of VSearch and Genieo have been on top of the list for most downloaded Mac malware. Most people’s cure for this would be to install an ad blocker such as AdBlock Plus. I can’t blame them for this as I also run an ad blocker on my personal Mac. The downfall to this is that these adware companies have figured this out and added code to their program to allow their ads even with your blocker running. This is why the Mac community needs a strong security software on their machines. Researching one of these variants, we came across code that will search for your ad blocking program, download an exception text file and insert it into the settings of your ad blocker. Here is a sample of the exception text it downloaded.

[Adblock Plus 2.0] @@||search.yahoo.com^$document @@||bing.com^$document @@||genieo.com^$document @@||strtpoint.com^$document

This code allows their ads to run and the user is none the wiser. The adware creates its own rules for your security plugin. This is just the beginning of what could be a crucial change in the malware found on Macs. Malware may only be using exploits like this for advertisements currently but what is stopping it from using this same kind of exploit to send personal data out in the future? Putting your security in the hands of a software that only protects you from one type of malware simply isn’t enough anymore. It is easy to find articles that claim Apple computers are invincible but the fact is malware for Mac is real and it is getting increasingly better at ensuring its survival.

What Now After Black Hat 2015?

It’s good to see that at last some alternatives to traditional AV endpoint protection are gaining traction. A lot of the questions I was asked at the show were to compare Webroot to other exhibitors who were making similar claims. (But because we lead the Predict, Prevent, Detect, and Respond model there are really no true one to one comparisons. There is however a lot of plagiarism on our market positioning, which I take as an indirect compliment, as does my CMO).

My primary concern now is efficacy, just how good are other solutions at stopping attacks and infections? The other vendors have little or no track record and are in light use. Nor do Webroot or I really care about a kill chain, it’s too damn late if you’re looking at a kill chain. As the Financial Services industry keep saying your investment may well go up or down.

Another annoyance I and the people I talked to have is that there is also no real ‘independent’ testing of next generation AV. We have tried unsuccessfully for over three years to get endpoint tests by all the ‘big’ testers updated. But, there is too much self-interest in their keeping things the same. That’s a shame, as their credibility is truly shot as any security professional sees day in and day out the disconnect between 100% detection test results and their real-life infection rates.

Perhaps the most surprising event (given other infamous events) was the pertinence of John McAfee’s speech quickly followed by the weaknesses in Android being at last partly admitted in Public. Google are willing to let you share your full contacts with a flashlight app and still don’t see any issues. Yet the people who say “don’t worry you’ve nothing to fear if you’ve nothing to hide” are all the actors I want to stay as far away from as possible – as they are ALWAYS up to no good.

So what now after Black Hat 2015? Are we turning failure into success? I’m afraid the answer is still no. Commercial, Government and Hacker interests are still harmoniously aligned and we will not see success until they are hoisted on their own petard. Frankly that cannot come soon enough (as long as they don’t take us all down with them).

Why are we using biometrics as passwords?

After seeing a great presentation on newly discovered biometrics/fingerprint vulnerabilities (“Fingerprints On Mobile Devices: Abusing And Leaking”, by Tao Wei and Yulong Zhang) at Blackhat 2015, I have to wonder why we are even using a lone fingerprint as a password. Wouldn’t fingerprints be better implemented as a username?

When your fingerprint is compromised, it is compromised forever. We’re talking about something associated with criminal records, banking, and other fairly-critical segments of one’s identity. It only makes sense your fingerprint remain part of your identity and not some password you hope to remain secret for the rest of your life. You can’t change them. Not easily, anyways… As your username, it would simply remain a part of your identity, unable to be used against you without the secrets you can more easily hide and change: passwords, pins, etc.

casFingerprints would normally need to be physically gathered, dusting for prints and all that, making their compromise a less-than-likely situation. The issues outlined in the presentation I saw, however, showed it could be possible for their digital counterparts to be gathered remotely and en masse. Imagine if a fingerprint wasn’t the password, but only the login. That wouldn’t be that big of a deal anymore. So they know your username, so what? They still can’t log in. Email addresses are scraped up off the internet all the time. Someone’s email address is bound to be in many places they don’t want it to be, but the threat of compromise is still extremely low if they’re securing their account properly. In reality, a leaked fingerprint is a big deal because you can do things like pay someone via PayPal with it. The fingerprint is the password and the username can be gotten easily (they’re almost always stored insecurely and most of the time it’s just an email address anyways).

Other situations and issues involving fingerprints being used as a mix authentication and authorization – depending on what app you’re in – are outlined in the presentation as well. In one example, they showed malicious actors’ ability to snag fingerprints in the background, causing you to authorize a payment when unlocking your phone, for instance. Yet another situation where, if the print was your username, there wouldn’t be an issue.

At the very least, there clearly needs to be better security standards around fingerprint data and sensors. Still, making them less powerful (read: not the sole password used to access banking information) would be the best way to go.

Recap of Black Hat 2015, Day 1

This is hacker week. Well, not really that officially, but with Black Hat USA and DefCon happening in Vegas, the biggest collection of black and white hat hackers have come together with experts and companies in the security sector to talk protection, exploits, and hacking. Coming at the conference with a big approach, our threat team has attended sessions all day, taking in the lessons being shared in hopes of continuing our advancement of our threat intelligence.

So coming out of the sessions, I have asked our attending team to share their takeaways of Black Hat 2015 Day 1.

On Internet of Things

Attended the, Intel security presentation on attacking hypervisors through firmware and guest operating systerms. The data they presented verified the work we are doing in the IOT (internet of things) field in bring real time behavior monitoring to industrial endpoints.  John Sirianni – Vice President, Strategic Partners, Internet of Things

On Endpoints

Windows updates for drivers can lead to execution of malware. This isvVery interesting, but requires a proxy configured. None the less, I’d love to test this myself.  Tyler Moffitt – Senior Threat Research Analyst

On Mobile

With regards to Stagefright, everyone is going to need patches to be 100% safe. But the good news is both Google and Samsung have announced 30-day update schedules, and upates for older devices are looking more and more likely. Google is acknowledging this issue much more than we expected and things are going in a good direction for android security.  Cameron Palan – Senior Mobile Threat Research Analyst

On Exploits and Malware

The game over Zeus presentation was great. It  was interesting to see the collaboration it took to take the botnet down. The FBI is offering $3  million USD for info leading to the arrest of the main guy they attribute to the botnet. The same guy also wrote CryptoLocker. Brenden Vaughan made a good observation that the same guy is probably behind Poweliks as it came out very shortly after game over was taken offline.  Grayson Milbourne – Security Intelligence Director

Direct from the team, there is no mistaking the value of Black Hat and the surrounding events. From revelations to new ideas and concepts, day 1 has been packed with incredible information.  We look forward to tomorrow and what it has in store.

If you have any questions for our team, comment below and we will respond with our thoughts and answers.