All posts
IoT security is a mess, but who’s to blame? The tech industry must improve security for the internet of things.
The internet of things is quickly becoming every cybercriminal’s wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?
Continue reading “Security for the internet of things”All posts
If you search for the phrase “very sophisticated hack” and do a little digging, you’ll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.
Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals SQL injections (I’m looking at you, TalkTalk) to second hand switches with no firewalls protecting the SWIFT network in Bangladesh.
While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3Kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.
It’s been said that your brain starts working the moment you wake, and doesn’t stop until you get to work. Many incidents reported as “sophisticated” confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn’t is the oldest hack in the book, but it’s no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.
Part of my work involves maintaining the company spam honeypot network. By the time you’ve seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can’t believe anyone would fall for them. But they do, especially spear phishing attacks. There’s a ransomware epidemic, and it’s making millions a day.
I’m left concluding that people don’t approach their inboxes with a high enough degree of
cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it’s you?
Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.
But users are not toddlers; they’re responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally friends who come in with laptops every so often to check everything.
This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it’s dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.
All posts
Getting answers nearly right could be a way to detect unauthorised access. Security shibboleths can detect the right, and wrong people.
In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus. In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Filipino allies.
Continue reading “Went The Day Well?”All posts
One problem with the internet is that anyone can set themselves up as an expert. There’s money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.
“There were at the time thousands of computer viruses,“ he said. “We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone’s mind.“
If the public won’t listen to the government, who will it listen to? Who is it listening to?
All posts
Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.
The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious “upgrade“ to a Windows component.
Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, “All your file are belong to us“.
All posts
How can we spread the word to users and stop the spread of ransomware?
According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It’s that obvious. The solution is to stop users clicking dodgy attachments, but how?
For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government’s response was a huge public awareness campaign. Everyone who was around at the time remembers “AIDS: Don’t Die of Ignorance“. There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.
Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware. 9% were completely unable to function after the attack. Only 40% of those affected didn’t pay the ransom, so a whopping 60% decided to cough up.
If this is blindingly obvious to the cybersecurity industry, and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it’s the end user putting themselves and the companies they work for at risk.
Ransomware awareness campaigns are happening, but they can be limited in scope. They tend to be targeted at individual sectors, and at C-level executives, rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.
If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.
All posts
Ransomware is a nasty category of attack that we’ve seen dominating the so-called ‘threat landscape’ in recent months. It can affect every type of computer user including home users, small businesses and even extremely large enterprises.
Anyone who stores valuable data on a computer is at risk of this digital extortion racket, which encrypts data files and offers the key to recovery for a hefty price.
Continue reading “Anti-malware vs. ransomware: latest reports”All posts
Ransomware is a serious problem but protecting your data can be simple and inexpensive – if you choose your cloud storage provider carefully…
I know, I know. You were tired at the time and not really concentrating. You double-clicked an infected attachment and the world suddenly became a very hostile place.
Your files might as well be in Swahili. A ransom note, with a grasp of English you’d normally find endearing, is mocking you for your bad luck. If you don’t figure out what a Bitcoin is, and how to send one to a person whom you’d very much like to die a slow and painful death, you’ll lose everything forever. Or will you?
All posts
Why does software seem so insecure? Massive software companies seem incapable of fixing their products for any length of time. Is it their fault, or are they fighting a battle they can’t win?
At its core, Windows is the result of several decades of constant development. Despite this, Microsoft is still obliged to observe Patch Tuesday each month, when users receive the latest fixes to installed products. A large number of these updates fix security vulnerabilities.
This month, for example, Patch Tuesday includes 16 security update bundles covering in excess of 40 new security holes found in products as diverse as IIS, Microsoft’s web server, and the supposedly secure Edge browser. How can it be that this monthly ritual is still required? After all, it’s not like Microsoft is a small company caught out by sudden success, while trying to manage a huge ball of undocumented code. On the contrary, it is literally one of the biggest, best funded tech companies in the history of the planet.
Let’s take another case. Adobe’s Flash and Reader products are also mature, stable software. Yet black hat hackers love them as the gifts that keep on giving. This week brought news of yet another critical Flash vulnerability, which is already being exploited in the wild.
The complexity of some software, despite its maturity, makes it vulnerable. It needs to be all things to all (wo)men at all times. In the case of Adobe Reader, every PDF document it loads must display perfectly, regardless of its complexity or the limitations of the software used to create it. Anything not explicitly forbidden is, therefore, permissible. Reader will always try to render the file you give it.
Such complexity leads neatly to a fundamental question: If companies such as Adobe and Microsoft can’t find all the exploitable bugs in their code, how come private researchers and black hats can?
The answer lies in a technique called fuzz testing, or fuzzing.
In his presentation to CodenomiCON 2010 , Charlie Miller showed that with a little thought, a few lines of Python code and some time, it’s possible to use fuzzing, in the form of completely random mutations to a file, to find a number of hitherto unreported and potentially exploitable crashes in Adobe Reader.
He took 80,000 PDFs from the internet and reduced that total to just over 1,500 based on their uniqueness from each other. From these files, he generated 3 million variations containing random mutations.
When loaded into Reader, these corrupted files caused crashes in over 2,500 cases. Miller showed that several crashes revealed exploitable situations, some of which were subsequently found, reported and patched by Adobe, but others were new.
Given that there are a total of 2 ^ NUMBER_OF_BITS theoretical mutations that can be made to a PDF, and the ease with which each mutation can be automatically evaluated, PDF readers alone should remain a goldmine for new exploits for some time. Meanwhile, there are many other programs and file types that can be also attacked with various fuzzing methods.
 |
| Bugtraq has been highlighting software vulnerabilities for years |
Take a look at the Bugtraq mailing list archive and you’ll see what I mean. Every day brings a new crop of reports and proofs of concept for all kinds of software. In fact, another six were added while I wrote this blog post. Buried amongst the plethora of obscure libraries and applications are often complete howlers in major products. How are these bugs being found? In the case of closed source software, fuzzing techniques can be the primary tools.
Fuzzing comes in many forms, with some methods and frameworks being more intelligent and guided than others, but the aim is always to automate the discovery of exploitable bugs by finding situations for which complex software either hasn’t been tested or cannot be tested.
You may be wondering why, with their wealth and resources, major software manufacturers don’t fuzz their products to death, as well as performing more traditional testing. The short answer is that they do, but due to the sheer number of possibilities and the time required, all they can do is fuzz as much as possible before the release deadline. The overwhelming majority of possible tests may still remain to be run by other, potentially malicious individuals and groups.
Security holes in software are not going away any time soon, so ensure that the security software you run is capable of protecting you. How? Checking out good anti-malware reviews that include exploit attacks such as ours would be a good start.
All posts
PayPal communicates with customers all over the world. But sometimes people pretending to be PayPal try to trick you. Luckily they don’t always do such a great job…
Continue reading “Poor grammar foils spammer”Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.
info@selabs.uk
Connect with us
Find us
