All posts

Trump’s Cybersecurity Policy

What does a Trump presidency mean for global cybersecurity? Does Trump’s Cybersecurity Policy exist? Or will it?

Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he’ll listen to those who do.

Impending drama

Some pundits are already suggesting that his first 100 days in office will include a cyber emergency.

How he responds is crucial, but his comments so far have instilled little confidence.

“Cyber is becoming so big today, it’s becoming something that a number of years ago, a short number of years ago wasn’t even a word.”

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

Trump’s Cybersecurity Policy

To be fair, Trump’s campaign site does say that he’ll order a review of “all U.S. cyber defences and vulnerabilities” by a specially assembled Cyber Review Team formed from “the military, law enforcement and the private sector”.

But Washington needs to know if he will implement or even believe the Cyber Review Team’s recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:

“I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”

Dread

According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:

“I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive.”

Anti-China-Hacker

Trump’s policy also places an onus on deterring attacks by state and non-state actors, and he has a has a particular thing about China’s hackers. He seems openly irritated by the country’s refusal to observe intellectual property law. His plan here is to:

“Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal.”

By this logic, it’s apparently difficult to attribute an attack when it’s Russia, but not when it’s China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history.

Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who’s boss. How will he pick the right target if he doesn’t listen to his advisors? China’s a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.

Slip of the tongue

Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America’s capabilities or, even worse, her vulnerabilities?

Torture works
Trump's Cybersecurity Policy

Trump’s view that “torture works” could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture.

A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK’s intelligence community.

Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?

Listen

Ultimately, Trump is going to have to stop threatening and promising things he can’t deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone’s guess, but it’s not hyperbole to suggest that a huge amount depends on it.

All posts

Does your anti-malware stop hacking attacks?

An attack rarely ends when the malware runs. That’s just the beginning…

Latest reports now online.

Testing security software is a challenging task and it’s tempting to take clever shortcuts. However, while doing so might save the tester time and other resources, it doesn’t always produce useful results. And if the results aren’t accurate then the test becomes less valuable to you when you’re choosing which product to use.

Can anti-malware stop hacking?

We are big supporters of the idea of full product testing. This means installing the security product the way it was intended to be used, on systems commonly used in the real world and ensuring that every component of that product has a chance to defend the system.

In practice this means that we installed the anti-malware products tested in this report on regular PCs that are connected to a simple network that has unfiltered internet access. We visit malicious websites directly, where possible, and use a special replay system when the bad guys start to interfere with our activities.

Since the beginning of this year we started including targeted attacks in our testing. These types of attacks try to compromise the target using infected documents and browser exploits. Once an exploit has succeeded we then continue ‘hacking’ the target. This step is crucial because in many cases it is these post-exploitation hacking activities that can trigger an alert.

Full product testing doesn’t just mean turning on (or leaving enabled) all of a product’s features. It also means running a full attack as realistically as possible. Testers should not make assumptions about how a product works. You need to act like a real bad guy to understand how these products protect the system. Can anti-malware stop hacking? Test like a hacker and find out. And read our results!

These reports, for enterprises, small businesses and home users are now available for free from our website.

All posts

Malicious Connections monitoring with CurrPorts

Uncover dodgy and malicious connections on your network with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections.

Written and maintained by Nir Sofer, CurrPorts gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer.

Continue reading “Malicious Connections monitoring with CurrPorts”
All posts

Interview With The Bank Manager (online fraud)

Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.

SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?

I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does Well, no one legitimate anyway.

SE: If you’re scammed can you get your money back?

It all depends. The basic thing is if it’s not a transaction you’ve made, its fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying.  If there’s any doubt, don’t do it or bring it in for us to check.

SE: How do you protect people’s money in general?

Online fraudThe monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.

We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?

It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.

Can the banks stop people being duped into sending money to scammers abroad?

nat2bwest2bsite-6365254


You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced the online fraud is real.

What’s the most outrageous thing you’ve seen?

I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop.  Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.

What’s your personal message to customers?

Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.

What other guidance is there for people?

little2bbook2bof2bbig2bscams-4102409


There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing to tackle online fraud.

All posts

Security for the internet of things

IoT security is a mess, but who’s to blame? The tech industry must improve security for the internet of things.

The internet of things is quickly becoming every cybercriminal’s wet dream, especially given the release of the Mirai botnet source code. The cause is shockingly insecure devices, but can shaming manufacturers avert the coming chaos?

Continue reading “Security for the internet of things”
All posts

A Very Sophisticated Hack…


If you search for the phrase “very sophisticated hack” and do a little digging, you’ll soon discover that what are initially claimed to be diabolical plots by fiendish cybercriminals often turn out to be nothing more than incompetence or naivety on the part of the victims. They only appear sophisticated to the average Joe.

Banks, casinos, hospitals, health insurers, dating sites, even telecoms providers have all fallen in the past year. Digging reveals SQL injections (I’m looking at you, TalkTalk) to second hand switches with no firewalls protecting the SWIFT network in Bangladesh.

While these issues are bread and butter to security testing and code review companies, there is one piece of the IT security puzzle that can never be truly secured, no matter how hard you try. It weighs about 1.3Kg (about 3lbs in old money) and it sits in front of every endpoint, every BYOD, every spam email, everything, wondering whether to click that link, install that program, insert the flash drive it found, or type in its credentials.

Sophisticated attacks

talktalk-2579443It’s been said that your brain starts working the moment you wake, and doesn’t stop until you get to work. Many incidents reported as “sophisticated” confirm this truism, along with the one about not being able to make anything idiot proof because idiots are so ingenious. Fooling someone into doing or telling you something they shouldn’t is the oldest hack in the book, but it’s no less potent for its age. For that reason, the unwitting symbiosis of naive user and cybercriminal is virtually unbeatable.

Part of my work involves maintaining the company spam honeypot network. By the time you’ve seen your 100th identical, badly-spelt phishing email whizz by in the logs, you can’t believe anyone would fall for them. But they do, especially spear phishing attacks. There’s a ransomware epidemic, and it’s making millions a day.

I’m left concluding that people don’t approach their inboxes with a high enough degree of

adobe-9399157

cynicism. Would HR really summon you to a disciplinary meeting by sending you an email demanding you click a link to an external web site and enter your corporate username and password to prove it’s you?

Catching threats

Like suspiciously quiet toddlers, the human element will always be the unpredictable elephant in the cybersecurity room. At SE Labs, we test the endpoint protection that keeps users safe from themselves. To do so, we use fresh threats caught painstakingly in the wild on a daily basis. We can always help build better protection, but cybercriminals will always strive to make better toddlers out of users.

But users are not toddlers; they’re responsible, busy adults. To them, cybersecurity is just a very dull art practised by dull people in IT, and their equally friends who come in with laptops every so often to check everything.

This point leads me to one final truism: get them laughing, get them learning. All the user security training in the world will fail to change behaviours if it’s dull. People best remember what they enjoy. Make cyber security fun for users, and you may just get them to apply a healthy dose of cynicism to their inboxes.

All posts

Went The Day Well?

Could localised pattern recognition solve the password crisis?

Getting answers nearly right could be a way to detect unauthorised access. Security shibboleths can detect the right, and wrong people.

In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus. In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Filipino allies.

Continue reading “Went The Day Well?”
All posts

The Great Anti-Virus Conspiracy

20110517023616-6824093One problem with the internet is that anyone can set themselves up as an expert. There’s money to be made from convenient messages. Examples abound in nutrition and health, as well as many other areas.
There are certainly internet opinions on security tests!
 
Despite widespread public ridicule, such sites thrive and make their owners rich because they play into what people already believe. The tendency being exploited is called confirmation bias, and it can even exert enough power over us to compromise the online safety of entire nations.

Anti-Virus Conspiracy

Take this post from the Above Top Secret forum from 2008. The author began with the hunch that the biggest beneficiaries of malware are the anti-virus (AV) companies themselves. However, Google only returned stories explaining why this view on an anti-virus conspiracy was incorrect.
This raised the author’s suspicions. Did anyone else have any information?
 
The ensuing nine pages of comments were a tour de force of ideas, theories and claims, but a recurring theme was distrust. Many commenters simply don’t trust what they don’t understand, and they don’t understand computers or AV. 

above2btop2bsecret2bpost2b2-2590096

 

above2btop2bsecret2bpost2b1-5852347
 
It took a few seconds to find similar examples from other forums, some dating back to 2005 and even 2002. There are many more and they usually cover the same ideas, but a common theme is still distrust. Compounding this, some commenters vaguely remember something about John McAfee once claiming to have written viruses to create demand for his first AV product, which of course proves everything.

anandtech2bpost2b1-8075294
 
That was a decade or more ago, but with phishing and ransomware now firmly in the public eye, the benefit of online protection will be obvious, right? Not necessarily.

Detection issues

In August 2016, the Daily Mail reported that some AV products can fail to adequately secure your computer. The research being reported actually identified the potential for man-in-the-middle certificate attacks. It’s something our own Simon Edwards wrote about in a more general context in his own blog over 18 months earlier
 
As usual, the comment section of the Daily Mail’s report was far more revealing than the article:
 
daily2bmail2bpost2b3-6769095

 

daily2bmail2bpost2b1-8831954

 

daily2bmail2bpost2b2-8316150
 
And so on. Perhaps what’s most disturbing is that despite living in a world now publicly trying to cope with a grand cybercrime epidemic, such uninformed views are so mainstream. There’s even a certain pride to some of them.
 
The McAfee virus-writing story is also still doing the rounds. Mr McAfee hasn’t helped matters by claiming to have planted keyloggers in laptops he then gave away to government officials in Belize. But did he really write malware to create demand for his own AV software?

John McAfee, virus author?

In March 2014, McAfee went on the Alex Jones show to talk conspiracies (what else?). A caller asked if he was indeed responsible for writing early malware. Despite Jones talking over portions of his answer, this was the nub of his reply:

There were at the time thousands of computer viruses, he said. We could barely keep up with the viruses that were out there, so we certainly had no time to build new ones. It would just be a senseless thing to do. So I can categorically say, and you can talk to any of the McAfee employees that were there are the time, that thought never crossed anyone’s mind.

Indeed, in his book Computer Viruses and Malware, John Aycock of the University of Calgary in Canada also points out that if AV companies really are writing malware and yet simultaneously failing to detect some of it, then what’s the point in all that effort being expended for zero gain? The anti-virus conspiracy is starting to look less likely…
 
So, how do you protect the distrustful, the misinformed, and even the downright cynical online? One solution is to do it automatically, but this demands that governments, their intelligence agencies, and the ISPs become involved in actively blocking malicious content. Public reaction to any such suggestion is predictably very bad.
 
When GCHQ recently proposed their DNS filtering technology to block malicious domains, there was instant outrage. The Guardian, which broke the Edward Snowden story, has little love for the Cheltenham Doughnut, and was predictably upset. As usual, it’s the public’s comments that are really interesting. 

grauniad2bpost2b1-7296248

Trust no-one

So, we’re at an impasse. Despite their poor reputations, governments and the intelligence agencies they run are the only entities with the authority and capabilities to attempt to protect entire nations online. However, the tools they use are by their very nature shadowy, double-edged and closed to scrutiny. The public at large worries that policing cyberspace means the erosion of freedom and privacy. Nothing will convince us that this isn’t the start of a dictatorship or a new world order. Too much evidence of past lies and misdeeds confirms this deep-seated bias. 

grauniad2bpost2b2-7557116

If the public won’t listen to the government, who will it listen to? Who is it listening to?

Something about the caller who asked John McAfee if he wrote early viruses keeps coming back to me. He seemed to remember being told something by some old OSS guy. This idea of an unnamed source vaguely remembered is a common feature of discussions where facts are scarce and conjecture runs free. It’s a feature of the threads I referenced above about the anti-virus conspiracy.
 
That being the case, maybe it’s down to us, as infosec professionals, to be those sources in future. Maybe it’s down to us to engage friends and family, to explain how cybercrime works, how it relies on them not protecting themselves, and what to do about it.
 
But then again, I would say that wouldn’t I. 😉
All posts

All Your File…

Block malicious scripts from running on your computer

 
petya-7835478

Back in the salad days of early summer, JavaScript was usually employed to download ransomware payloads. Now, however, JavaScript is the ransomware.

The reason is the direct nature of the attack. There’s no connection to a suspicious subdomain, no payload to download and no relying on the user to run a suspicious upgrade to a Windows component.

Simply open the email attachment promising unexpected riches and, to misquote the 1980s game Zero Wing, All your file are belong to us.

Block malicious scripts

By hiding the true nature of the file with a second, benign extension, JavaScript attachment attacks become even more likely to detonate. Spew millions of such emails from a rented botnet for a few days at a time, and then simply wait for the Bitcoins to come rolling in.

It’s little wonder that ransomware gangs are setting up customer helplines for bemused punters queuing up to get their files back.
 
But surely your browser’s sandbox should contain any malicious JavaScript? Sadly, this is not so for JavaScript email attachments. JavaScript downloaded as part of a browsed web page is run in the browser. Email attachments are nothing to do with a web page. Double click them and they’re passed to the Windows Based Script Host, which is obviously outside the browser’s authority and control.

Open with a safe app

It is, however, very simple for you as an end user to stop JavaScript email attachments from automatically being accidentally run. Simply open notepad and create a new file. Save it as dummy.js. Notepad will complain about the extension, but continue anyway. Next, right click the .js file and select Open With…. As you can see from the image below, by default Windows will open all such files with Windows Based Script Host, which is what we need to prevent.
 
capture-7097448
 
To do so, first click More Apps and select Notepad from the list. Tick the check box for Always use this app to open .js files and click OK. Now, whenever you absent-mindedly click on a JavaScript email attachment it will safely open in Notepad and display its bad self.
 
You can also selectively prevent the JavaScript downloaded as part of a web page from running in your browser. This gives you more control over your browsing experience and can speed up web page loading.
 
For Firefox, the go-to solution here is the NoScript plugin (which is the one I’m most familiar with). By default, NoScript blocks everything on a domain-by-domain basis. It’s easy and quick to unblock trusted domains as you go, while leaving all others (including those called by the primary domain) securely blocked. This not only serves as an extra line of defence, but also prevents some adverts from being displayed without sites accusing you of using an ad blocker. It’s also very interesting, and sometimes worrying, to see just how many secondary domains some of your favourite web sites rely on to deliver content.
 

All posts

Ransomware: Don’t Die of Ignorance

spread of ransomware

How can we spread the word to users and stop the spread of ransomware?

According to a recent Herjavec Group report, profits from ransomware will spiral this year to over $1bn, and next year will see further explosive growth. The main vector for ransomware is always email. The reason is simple: Ignorance of the risks equals fat profits. It’s that obvious. The solution is to stop users clicking dodgy attachments, but how?

For the seeds of a possible answer, cast your mind back in the mid-1980s. As the AIDS epidemic hit the UK, the government’s response was a huge public awareness campaign. Everyone who was around at the time remembers “AIDS: Don’t Die of Ignorance“. There were TV and radio adverts, cinema and press adverts, and every home received a frank leaflet explaining everything. Cool new condom brands popped up almost overnight (pun intended). OK, since then, infection rates have risen, but the point is it seemed to help at the time, as the sharp dip in infection rates around that time implies.

Ransomware impact

Back to 2016, and according to Get Safe Online in the year to March cybercrime cost UK businesses over £1bn. The total figure will be much higher in the coming year due to ransomware. A recent Malwarebytes report claims that over half of all UK businesses have already been hit by ransomware. 9% were completely unable to function after the attack. Only 40% of those affected didn’t pay the ransom, so a whopping 60% decided to cough up.

If this is blindingly obvious to the cybersecurity industry, and to the pundits surrounding it, it should be equally apparent to the UK government and its advisors. But where are the hard-hitting TV and adverts and the leaflet campaigns aimed at the end user? After all, it’s the end user putting themselves and the companies they work for at risk.

Stopping the spread of ransomware

Ransomware awareness campaigns are happening, but they can be limited in scope. They tend to be targeted at individual sectors, and at C-level executives, rather than end users. Until public awareness changes fundamentally, ransomware will charge ahead at full speed, and so will the otherwise avoidable financial losses.

If this is a war, then the sky is black with metaphorical bombers. Can you imagine the outcry if, during WWII in Britain, people were unaware that they should not open their blackout curtains to look at the planes going over? Equate this to opening dodgy attachments to see what they are, and you begin to see the scale and seriousness of the problem.

Contact us

Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us