Skip to content

Mobile Security

Rampant Android bloatware a privacy and security hellscape

I spent the past week examining an AT&T android. The bloatware was off the scale as was the spyware. Removing these via ADB broke the system. Even installing a firewall broke the system as it appeared that the firewall was detected and it simply blocked calls even the firewall was disabled (but installed). I will next look at and Android One Device to see if it is any better as they claim to be pure Android and no bloatware. I am not just picking on AT&T, but as the article and the PDF study that generated it points out, the practice is rampant.

Quote

The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think.

This according to a paper (PDF) from university researchers in the US and Spain who studied the pre-installed software that 214 different vendors included in their Android devices. They found that everyone from the hardware builders to mobile carriers and third-party advertisers were loading products up with risky code.

“Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior,” the team from Universidad Carlos III de Madrid, Stony Brook University and UC Berkeley ICSI said.

 

The study, An Analysis of Pre-installed Android Software, was written by Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez. It is being presented later this month at the 41st IEEE Symposium on Security and Privacy.

 

“While it is known that personal data collection and user tracking is pervasive in the Android app ecosystem as a whole we find that it is also quite prevalent in pre-installed apps.”

To study bundled software, the team crowdsourced firmware and traffic information from a field of 2,748 volunteers running 1,742 different models of devices from 130 different countries.

Across all those different vendors, carriers, and locales, one theme was found: Android devices are lousy with bloatware that not only takes up storage, but also harvests personal information and in some cases even introduces malware.

“We have identified instances of user tracking activities by preinstalled Android software – and embedded third-party libraries – which range from collecting the usual set of PII and geolocation data to more invasive practices that include personal email and phone call metadata, contacts, and a variety of behavioral and usage statistics in some cases,” the team wrote.

“We also found a few isolated malware samples belonging to known families, according to VirusTotal, with prevalence in the last few years (e.g., Xynyin, SnowFox, Rootnik, Triada and Ztorg), and generic trojans displaying a standard set of malicious behaviors (e.g., silent app promotion, SMS fraud, ad fraud, and URL click fraud).”
Beware the bloat

The device vendors themselves were not the only culprits. While the bundled apps can be installed by the vendors, bloatware can also be introduced by the carriers who add their own software to devices as well as third parties that may slip in additional advertising or tracking tools into otherwise harmless and useful software.

Addressing this issue could prove particularly difficult, the researchers note. With vendors and carriers alike looking to eke a few extra bucks out of every device sold, bundled apps and bolted on advertising and tracking tools are highly attractive to companies, and absent pressure from a higher-up body, the bottom line will almost always win out.

To that end, they recommend someone steps in to offer audits of the supply chain and catch potential security and privacy threats in bundled software.

“Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs,” the researchers note.

“Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain.”

The study, An Analysis of Pre-installed Android Software, was written by Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez. It is being presented later this month at the 41st IEEE Symposium on Security and Privacy. ®

Security Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

QUOTE

Simple hack turns them into super secret spying tool

A GPS tracker used by elderly people and young kids has a security hole that could allow others to track and secretly record their wearers.

The white-label product is manufactured in China and then rebadged and rebranded by a range of companies in the UK, US, Australia and elsewhere including Pebbell 2, OwnFone and SureSafeGo. Over 10,000 people in the UK use the devices.

It has an in-built SIM card that it used to pinpoint the location of the user, as well as provide hands-free communications through a speaker and mic. As such it is most commonly used by elderly people in case of a fall and on children whose parents want to be able to know where they are and contact them if necessary.

 

It has an in-built SIM card that it used to pinpoint the location of the user, as well as provide hands-free communications through a speaker and mic. As such it is most commonly used by elderly people in case of a fall and on children whose parents want to be able to know where they are and contact them if necessary.

But researchers at Fidus Information Security discovered, and revealed on Friday, that the system has a dangerous flaw: you can send a text message to the SIM and force it to reset. From there, a remote attacker can cause the device to reveal its location, in real time, as well as secretly turn on the microphone.

The flaw also enables a third party to turn on and off all the key features of the products such as emergency contacts, fall detection, motion detection and a user-assigned PIN. In other words, a critical safety device can be completely disabled by anybody in the world through a text message.

 

But researchers at Fidus Information Security discovered, and revealed on Friday, that the system has a dangerous flaw: you can send a text message to the SIM and force it to reset. From there, a remote attacker can cause the device to reveal its location, in real time, as well as secretly turn on the microphone.

The flaw also enables a third party to turn on and off all the key features of the products such as emergency contacts, fall detection, motion detection and a user-assigned PIN. In other words, a critical safety device can be completely disabled by anybody in the world through a text message.

The flaw was introduced in an update to the product: originally the portable fob communicated with a base station that was plugged into a phone line: an approach that provided no clear attack route. But in order to expand its range and usefulness, the SIM card was added so it was not reliant on a base station and would work over the mobile network.

The problem arises from the fact that the Chinese manufacturer built in a PIN to the device so it would be locked to the telephone number programmed into the device. Which is fine, except the PIN was disabled by default and the PIN is currently not needed to reboot or reset the device.

And so it is possible to send a reset command to the device – if you know its SIM telephone number – and restore it to factory settings. At that point, the device is wide open and doesn’t need the PIN to make changes to the other functions. Which all amounts to remote access.
Random access memory

But how would you find out the device’s number? Well, the researchers got hold of one such device and its number and then ran a script where they sent messages to thousands of similar numbers to see if they hit anything.

They did. “Out of the 2,500 messages we sent, we got responses from 175 devices (7 per cent),” they wrote. “So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!”

The good news is that it is easy to fix: in new devices. You would simply add a unique code to each device and require it be used to reset the device. And you could limit the device to only receive calls or texts from a list of approved contacts.

But in the devices already on the market, the fix is not so easy: even by using the default PIN to lock it down, the ability to reset the device is still possible because it doesn’t require the PIN to be entered. The researchers say they have contacted the companies that use the device “to help them understand the risks posed by our findings” and say that they are “looking into and are actively recalling devices.” But it also notes that some have not responded.

In short, poor design and the lack of a decent security audit prior to putting the updated product on the market has turned what is supposed to provide peace of mind into a potential stalking and listening nightmare.

Apps Give Private Data To Facebook Without User’s Knowledge or Permission

Why does this surprise anyone? And it is not just data going to Facebook. Most of the apps we see on Android have such wide open permissions and no or awful privacy policies, that it astounds me anyone would use them. Why does a “torch” (flashlight) app need to be able read my contacts or have full internet access? That is just one example. Running a PC with out a strict application firewall these days is plainly crazy. But how many users run application firewalls on their mobile devices? They should.

Facebook needs to wound down. The best way to do that is to simply boycott any and all of their properties. Just say no to Facebook and all their properties like Messenger, Whatsapp, Instagram, Masquerade (MSQRD), Moves App, …

Well back to the news

Quote

NPR’s Mary Louise speaks with The Wall Street Journal’s Sam Schechner about how several apps they tested sent sensitive personal data to Facebook without users’ permission or knowledge.

MARY LOUISE KELLY, HOST:

Let’s dig deeper now into how some of these apps are sharing users’ data without their knowledge. Laura mentioned The Wall Street Journal just there. It recently published another story headlined “You Give Apps Sensitive Personal Information. Then They Tell Facebook.” Sam Schechner is one of the reporters on the story, and I asked him what sensitive personal information we’re talking about here.

Facebook says that they offer services to the developers that send it. They offer analytic services so you can see how users are interacting with that app. And they allow the app developer to then target users of the app on Facebook properties with ads. It’s worth noting, however, that Facebook’s terms of service give it wide latitude to use that information for other purposes, such as targeting ads more generally, for personalizing their service, including the news feed, and for research and development.

SAM SCHECHNER: Well, it could be your weight, if you’re having your period, your height, your blood pressure. We saw all of that kind of information being transferred from apps directly to Facebook servers in testing that we ran over the last few months.

KELLY: Yeah, you give an example of an app that allows women to track when they’re getting their period and ovulation. They enter that in, and then it immediately gets fed straight over to Facebook.

SCHECHNER: Yeah. What we saw – and this was actually part of what set off the investigation. While we were doing the testing, I was entering information to the app, and I saw that it was immediately sending a notification that I had altered the dates of my period to Facebook.

KELLY: Your virtual period. I assume – (laughter) I’ll make a wild leap and assume here.

SCHECHNER: Sending the dates of my virtual period. I was using the app even though I don’t get one. And in addition, it would send a notification to Facebook when you entered pregnancy mode. The app would show kind of confetti on the screen. But behind the scenes, the app was informing Facebook that it was now in pregnancy status.

KELLY: Here’s the sentence from your article that stopped me cold. I’m just going to read it. (Reading) The social media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it even if the user has no connection to Facebook. Really? I mean, even if I don’t have a Facebook account, this is happening.

SCHECHNER: Yes, that is correct. And the reason is ’cause apps build in software from Facebook in order to do all kinds of things, including to track their users’ behavior. And that software sends the data back to Facebook regardless of whether or not you’re a user. In fact, the app doesn’t have any way of knowing whether you’re a user when it sends the data.

KELLY: And what does Facebook say they are doing with this data?

SCHECHNER: Facebook says that they offer services to the developers that send it. They offer analytic services so you can see how users are interacting with that app. And they allow the app developer to then target users of the app on Facebook properties with ads. It’s worth noting, however, that Facebook’s terms of service give it wide latitude to use that information for other purposes, such as targeting ads more generally, for personalizing their service, including the news feed, and for research and development.

KELLY: Does it appear based on your reporting that regulators are sitting up and paying attention?

SCHECHNER: Well, already New York Governor Andrew Cuomo has directed state agencies to look into the matter. And already since our report, at least five of the apps that we highlighted have stopped sending the information that we highlighted to Facebook. And Facebook has sent out letters to those apps and other major app developers telling them to stop sending any health-related information or other potentially sensitive information.

KELLY: Did you find yourself changing settings or deleting apps as you reported this out?

SCHECHNER: I definitely did. I advised my wife to use a different app to track her own cycle, and I certainly made sure that, you know, when I exercise, I’m using apps that didn’t in my testing turn up to be sending this specific data. Of course I am a tech reporter, not a, you know, software engineer, so the likelihood is that I’m still being tracked. And in fact when I go on my phone, I see plenty of ads for exercise apps probably from the fact that I just went running.

KELLY: Wall Street Journal reporter Sam Schechner, thanks so much.

SCHECHNER: Thanks for having me.

Security Password managers may leave your online crown jewels ‘exposed in RAM’ to malware

Quote

A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashline all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory. This would potentially allow malware on a system, particular malware with admin rights, to obtain those passwords.

And yeah, sure… we know. We get it. If spyware has infected your computer, you’re pretty much screwed. The point here is to demonstrate that software nasties can potentially mine all your login details straight from your password manager in one go. Think of this as a heads up to developers of passphrase managers, and malware researchers.

For what it’s worth, we reckon that if malware has taken hold of your PC it could probably impersonate your password manager, and snaffle your master passphrase that way, but on the other hand, why go to that trouble if the goodies are laying around in RAM?

So, what we’re saying here is: this isn’t anything to panic over right now – it’s something the designers of password managers, at least, should now be aware of.

The team noted that the password managers are not vulnerable when they are not running, such as right after the system boots up, but rather are exposed after the user opens the manager and types in their master password. That means the passwords stored on disk are safe, at least.

“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive,” Team ISE explained.

“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets.”

The password managers are not necessarily getting better in their newer editions, either. The ISE studied two versions of 1Password (4.6.2.626 and 7.2.576) and found that the earlier build was in fact better at protecting passwords than the newer version. This is because the later build loaded all passwords into memory as plain text as soon as the master password was entered.

Some of the described flaws have already been fixed. A LastPass spokesperson told The Register it had sorted the memory disclosure issues described in its products, and that even when the flaw was present, a real-world exploit would require the attacker to have local access to the machine with admin clearance.

The report doesn’t by any means suggest you should not be using a password manager. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure, and experts routinely recommend them as a way to manage multiple unique and strong passphrases for your online accounts.

“First and foremost, password managers are a good thing,” Team ISE noted. “All password managers we have examined add value to the security posture of secrets management.”

See their afore-linked report for more dos and don’ts on staying safe

AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don’t believe them

…and neither should you!

QUOTE

US cellphone networks have promised – again – that they will stop selling records of their subscribers’ whereabouts to anyone willing to cough up cash.

In a statement on Thursday, AT&T said: “In light of recent reports about the misuse of location services, we have decided to eliminate all location aggregation services – even those with clear consumer benefits,” adding: “We are immediately eliminating the remaining services and will be done in March.”

That same March deadline was referenced by T-Mobile US’s CEO John Legere who had promised last June to end the sale of subscribers’ private location data. Legere tweeted this week: “T-Mobile is completely ending location aggregator work. We’re doing it the right way to avoid impacting consumers who use these types of services for things like emergency assistance. It will end in March, as planned and promised.”

While there is money to be made and no law preventing it, it is a virtual certainty that AT&T and others will figure out a way to profit from selling their customers’ private data. Last time around, FCC boss Ajit Pai refused to investigate the matter, and while there has been no response from Pai on the renewed calls for an investigation thanks to the partial US government shutdown, it is a virtual certainly that he will continue his pro-telco agenda and stay away from the issue.

Meanwhile, pressure grows in Congress to introduce a privacy law – an American version of Europe’s GDPR – especially in the light of abuses by Facebook and others. But that process is very far from certain given that many of the companies that benefit most from selling user data are also some of the most powerful and generous lobbyists in Washington DC.

Our Cellphones Aren’t Safe

Great article by Cooper Quintin og the Electronic Frontier Foundation with one glaring omission. Even if the cell networks were 100% secure, the apps people install are an even larger source of malware and privacy leaks.

Quote

America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

How did we get here, and why is our cellular infrastructure so insecure?

The international mobile communications system is built on top of several layers of technology, parts of which are more than 40 years old. Some of these old technologies are insecure, others have never had a proper audit and many simply haven’t received the attention needed to secure them properly. The protocols that form the underpinnings of the mobile system weren’t built with security in mind.

SS7, invented in 1975, is still the protocol that allows telephone networks all over the world to talk to one another. It was built on the assumption that anyone who can connect to the network is a trusted network operator. When it was created, there were only 10 companies using SS7. Today, there are hundreds of companies all over the world connected to SS7, making it far more likely that credentials to the system will be leaked or sold. Anyone who can connect to the SS7 network can use it to track your location or eavesdrop on your phone calls. A more recent alternative to SS7 called Diameter suffers from many of the same problems.

Another protocol, GSM, invented in 1991, allows your cellphone to communicate with a cell tower to make and receive calls and transmit data. The older generation of GSM, known as 2G, doesn’t verify that the tower that your phone connects to is authentic, making it easy for anyone to use a cell-site simulator and impersonate a cell tower to obtain your location or eavesdrop on your communications.

Larger carriers have already begun dismantling their 2G systems, which is a good start, since later generations of GSM such as 3G, 4G and 5G solve many of its problems. Yet our phones all still support 2G and most have no way to disable it, making them susceptible to attacks. What’s more, research has shown that 3G, 4G, and even 5G have vulnerabilities that may allow new generations of cell-site simulators to continue working.

Nobody could have envisioned how deeply ingrained cellular technology would become in our society, or how easy and lucrative exploiting it would be. Companies from China, Russia, Israel and elsewhere are making cell-site simulators and providing access to the SS7 network at prices affordable even to the smallest criminal organizations. It is increasingly easy to build a cell-site simulator at home, for no more than the cost of a fast-food meal. Spies all over the world — as well as drug cartels — have realized the power of these technologies.
Editors’ Picks
Forget the Suburbs, It’s Country or Bust
Dorm Living for Professionals Comes to San Francisco
This Town Once Feared the 10-Story Waves. Then the Extreme Surfers Showed Up.

So far, industry and policymakers have largely dragged their feet when it comes to blocking cell-site simulators and SS7 attacks. Senator Ron Wyden, one of the few lawmakers vocal about this issue, sent a letter in August encouraging the Department of Justice to “be forthright with federal courts about the disruptive nature of cell-site simulators.” No response has ever been published.

The lack of action could be because it is a big task — there are hundreds of companies and international bodies involved in the cellular network. The other reason could be that intelligence and law enforcement agencies have a vested interest in exploiting these same vulnerabilities. But law enforcement has other effective tools that are unavailable to criminals and spies. For example, the police can work directly with phone companies, serving warrants and Title III wiretap orders. In the end, eliminating these vulnerabilities is just as valuable for law enforcement as it is for everyone else.

As it stands, there is no government agency that has the power, funding and mission to fix the problems. Large companies such as AT&T, Verizon, Google and Apple have not been public about their efforts, if any exist.

This needs to change. To start, companies need to stop supporting insecure technologies such as 2G, and government needs a mandate to buy devices solely from companies that have disabled 2G. Similarly, companies need to work with cybersecurity experts on a security standard for SS7. Government should buy services only from companies that can demonstrate that their networks meet this standard.

Finally, this problem can’t be solved by domestic regulation alone. The cellular communications system is international, and it will take an international effort to secure it.

We wouldn’t tolerate gaping potholes in our highways or sparking power lines. Securing our mobile infrastructure is just as imperative. Policymakers and industries around the world must work together to achieve this common goal.

Cooper Quintin is a senior staff technologist with the Electronic Frontier Foundation, where he investigates digital privacy and security threats to human-rights defenders, journalists and vulnerable populations.

Cyber-crooks think small biz is easy prey… – They are!

In our experience many small businesses do not take cyber security seriously. Too bad. They are an open book to most crooks.

Quote

Here’s a simple checklist to avoid becoming an easy victim
Make sure you’re spending your hard-earned cash on the ‘right’ IT security

…Today, SMBs are no longer secondary targets, and are up against exactly the same cyber-threats with the same level of sophistication as larger organizations. Criminals have evolved, the economy in which they work has become more professional, and their understanding of SMBs has moved with the times.

Traditionally, SMB cybersecurity has been a scaled-down version of the enterprise grade, adapted to suit relatively trivial networks of commodity Windows PCs, printers, LANs, servers, and software.

As times change, what are emerging threats and what should SMBs be spending on in order to stay safe if the generic, cut-down versions of old defense measures struggle to keep up?

Here’s a simple guide on issues and pitfalls for IT bods at SMBs to think about; a starting point, if you will, for further research and planning.

Targeted extortion, email weakness

The stand-out threat is the rapid rise in extortion-based attacks that are designed to force a company to pay a ransom to regain access to data, internal systems, or paid off hackers from launching crippling distributed denial-of-service attack against public web servers. According to Osterman, nearly one in five US-based SMBs reported being on the receiving end of a successful ransomware attack, with approaching one in three reporting the same for phishing.

Phishing can also be highly targeted with Business Email Compromise (BEC) – tricking employees into making payments to fraudsters using impersonation and spoofing – now another widely-reported attack. Typically, a miscreant pretends to be a supplier to fool staffers into paying invoices into the crook’s bank account. Alternatively, a hacker hijacks the corporate email account of a senior manager, or otherwise impersonates that person, and asks the finance department for sensitive employee files, such as tax forms that, when provided by a hoodwinked beancounter, can be used for identity theft.

This type of fraud has boomed in the last year, with cloud security company AppRiver reporting it had quarantined one million BEC emails in the first half of 2018, a rise of 55 per cent on the previous half year.

The easiest way to stop phishing attacks is never to receive them, which is the job of the email service provider or email service gateway. These vary widely in their capabilities, but all service providers should enforce spoofing control and email authentication, rejecting messages which don’t confirm to standards such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and DMARC (Domain-based Message Authentication, Reporting and Conformance). Ideally, employees should have a way of reporting suspicious emails.

We see many small businesses outsourcing their mail to gmail, yahoo, or worse, their ISP. What a disaster. Our mail server reject logs are full “reject events” from their servers. Setting up a secure mail server is not that difficult and does *NOT* have to be done on the same server as the Website Server. And it need not be expensive. There are many good options from Microsoft Cloud to spinning up a small cloud based Linux system running postfix. We are experts in setting this up. We setup DKIM, DMARC, all DNS records, and configure server to check real time online blacklists. We also provide secure mail server appliances which should always be used by companies dealing with sensitive data like medical, financial records, etc. Contact us for more info.

All backed up

An SMB’s backup routines become doubly critical to beat ransomware. Online shares and backups must be protected to stop ransomware targeting these, while offline backups are a must to act as plan B. There are numerous ways of defending valuable directories, including Windows itself such as controlled folder access as well as network-wide approaches such as VLANs. Most important of all is to test backups.

Unfortunately, ransomware doesn’t always go after data, and can be deployed to lock up entire servers running applications, knackering production systems and databases. SMB endpoint suites often include server protection which can be strengthened with careful network segmentation.

It never ceases to amaze me how many companies simply think since they have a hardware firewall, they are protected. Not true. You also need solid end point protection on all devices – workstations, servers, mobile devices, etc. ESET is one the best in our opinion. We also have several affordable back-up solutions.  Contact us for more info.

Office applications

Beyond email, office applications are often the next target. Any attachments that can be booby-trapped with malicious code that sneak through – particularly PDF and Word – should be limited by, for example, Microsoft Office’s protected view, disabling macros, and scanned for known malware. Legacy capabilities such as Object Linking and Embedding (OLE) should be disabled while powerful interfaces such as Powershell, VBScript and Jscript scripting need care and attention. If it’s not needed, chuck it.

User training is very important in this regard. Also, as previously stated, Endpoint Security helps greatly in controlling and scanning these objects.

Backdoor RDP and authentication

Another emerging target for hackers is Microsoft’s Remote Desktop Protocol (RDP), which many SMBs turn on to enable remote support. Discovering RDP ports left open to the internet isn’t hard, and all crooks need is a password to use this as a door into the average SMB – this can often be brute-forced assuming one’s even been set.

The sad part is, it’s incredibly easy not to notice that this weakness even exists because it’s not the first thing admins think about. Armed with an open RDP, attackers have effectively found a way to bypass all controls, turning off whichever processes – including the security protecting servers – they please. Game over. Configuration weaknesses are often to blame for the RDP hole and it could be mitigated in many instances by simple investment in better authentication for admin accounts, which should always enforce this security.

But let’s not forget firewalls – they’re no longer a magic shield but are great friends such as closing RDP back doors to outside access. Firewalls also lock down guest Wi-Fi networks from reaching other parts of the business, detect suspicious outgoing connections – such as malware or rogue employees exfiltrating sensitive information, and more.

Use access controls and firewalls to limit and compartmentalize your organization, so teams access only the information they need, and sensitive data cannot leave those compartments.

Anyone not using two factor authentication for remote access along with strong password management is simply being foolish. It is not expensive and there are several options including Microsoft, ESET and others. Contact us for more info.

Data theft

IT security breaches resulting in the theft of data are a perennial threat. Ten years ago, the unauthorized slurpage of customer data appeared to be something that happened only to large outfits such as US company TJX that had huge amounts of data worth stealing. Recent headlines, British Airways and Equifax, confirm this is still the case, although thieves are setting their sights lower. Verizon’s 2018 Data Breach Investigations analysis of 2,216 known data thefts found that 58 per cent of such breaches were reported at SMBs.

While rogue insiders are a legit security threat IT managers should be on the look out for, the exploitation of vulnerabilities in software lies at the root of many successful cyber attacks. The scale of the challenge in defending against hackers leveraging buggy code can be seen in figures from CVE Details, which reported 14,600 vulnerabilities in 2017, excluding zero days, up from 6,447 in 2016.

You shouldn’t read too much from CVE-labeled bug totals – more flaws found may well mean we’re getting better at finding and fixing them – although it does mean there’s more patching to do before exploits are developed and used in the wild.

SMBs lacking dedicated in-house security personnel need to automate patch management as much as possible. The first trick is to reduce the amount of software that needs patching in the first place by removing old applications and plugins such as Flash and Java and standardising on one browser and office suite. Service providers will do some of the patching job while endpoint security suites will usually now have a module for managing more specialised needs.
Data security

The struggle small organisations have in securing sensitive data is often tied to the difficulty in properly and competently using encryption. Many SMBs end up with a patchwork of systems, and varying levels of protection. It’s too easy to make a mistake, and leave chunks of information unprotected. The logical solution is to use a single product that can be controlled centrally, but as with authentication finding a system built for SMB use can be a challenge.

Encrypting outward email is becoming more popular but may not be practical for all SMBs. Encrypting files when at rest is, however, a must. Every portable device should be encrypted while Microsoft’s BitLocker can be used for local file security on Windows PCs.

ESET offers an excellent, easily managed whole disk encryption. Contact us for more info.

Watch the cloud

SMBs are increasingly using cloud services for data storage and applications, indeed this might one day soon become the main place much of their IT systems reside. Arguably, this should boost security because it will rationalise many of the problems already mentioned into a series of security processes under one or a small number of services. Most SMBs are not yet ready to trust cloud platforms with their crown jewels, but when they do, it could potentially improve their security simply because it will make it easier to manage.

The cybersecurity challenge for SMBs has always been that they must cope with the same security threats as larger companies but without the same level of resources. Cybercriminals know this, which is why – in a sense – SMB-specific campaigns are always a form of social engineering that exploits pressure points, such as a lack of understanding, time, and weak processes.

Irrespective of size, there’s not always a single failure that explains why these keep happening so much as a collection of weaknesses covering patching, data controls and encryption, cloud security, authentication, privilege management, as well as the difficulty of defending email systems.

Lacking resources to throw at a cyber-incident, the rules for every SMB are clear: simplify the IT estate as much as possible, clear out unwanted software, layers of access controls, and choose a good partner to help with the tricky details as insurance against the day when the cybercriminals come knocking with a crowbar.

In conclusion, it is long past the time for SMBs to get serious about security. It does not need to be expensive. We can help on all these items and more. Contact us for more info.

Thousand-dollar iPhone X’s Face ID wrecked by ‘$150 3D-printed mask

Quote

Apple’s facial-recognition login system in its rather expensive iPhone X can be, it is claimed, fooled by a 3D printed mask, a couple of photos, and a blob of silicone.

Bkav Corporation, an tech security biz with offices in the US and Singapore, specializes in bypassing facial-recognition systems, and set out to do the same with Face ID when it got hold of a $999 iPhone X earlier this month. The team took less than a week to apparently crack Cupertino’s vaunted new security mechanism, demonstrating that miscreants can potentially unlock a phone with a mask of the owner’s face.

“Everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face,” the biz said in an advisory last updated on Saturday.

The team is still researching how to crack the system more easily and refining their methods. In the meantime the biz advises sticking to fingerprints for biometric security. ®

Another malware outbreak in Google’s Play Store

Regular readers (are their any?) will note that I often rail against Google not policing their Good Play Store. Users think that since it has Google’s name on it, it is safe. Not in the least bit. In addition to the fact that the majority of apps have built in spyware, there are even more serious malware laden apps as the following article delineates.

Quote

50 apps get pulled as ExpensiveWall malware runs riot in the store

Google has had to pull 50 malware-laden apps from its Play Store after researchers found that virus writers had once again managed to fool the Chocolate Factory’s code checking system.

The malware was dubbed ExpensiveWall by Check Point security researchers because it was found in the Lovely Wallpaper app. It carries a payload that registers victims for paid online services and sends premium SMS messages from a user’s phone and leaves them to pick up the bill. It was found in 50 apps on the Play Store and downloaded by between 1 million and 4.2 million users.

Once downloaded, the malware asks for permission to access the internet and send and receive SMS messages. It then pings its command and control server with information on the infected handset, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI numbers.

The servers then send the malware a URL, which it opens in an embedded WebView window. It then downloads the attack JavaScript code and begins to clock up bills for the victim. The researchers think the malware came from a software development kit called GTK.

“Check Point notified Google about ExpensiveWall on August 7, 2017, and Google promptly removed the reported samples from its store,” the researchers note. “However, even after the affected Apps were removed, within days another sample infiltrated Google Play, infecting more than 5,000 devices before it was removed four days later.”

It appears that Google missed warnings about the malware infection. The user comments section of at least one of the infected apps was filled with outraged users noting that it was carrying a malicious payload and it appears that the apps were being promoted on Instagram.

Cases of malware infecting Google’s Play Store are becoming depressingly common. Just last month it was banking malware and a botnet controller, in July commercial spyware made it in, advertising spamming code popped up in May (preceded by similar cases in March and April), and there was a ransomware outbreak in January.

By contrast, Apple’s App Store appears to do a much better job at checking code, and malware is a rarity in Cupertino’s app bazaar. While some developers complain that it can take a long time to get code cleared by Apple, at least the firm is protecting its customers by doing a thorough job, although Apple’s small market share also means malware writers tend not to use iOS for their apps.

By contrast, Google’s Bouncer automated code-checking software appears to be very easily fooled. Google advised users to only download apps from its Store, since many third-party marketplaces are riddled with dodgy apps, but that advice is getting increasingly untenable.

It’s clear something’s going to have to change down at the Chocolate Factory to rectify this. A big outbreak of seriously damaging malware could wreak havoc, given Android’s current market share, and permanently link the reputation of the operating system with malware, in the same way as Windows in the 90s and noughties. ®

Oh, that Apple Link you clicked on — it is Russian or Chinese or anything but Apple

Quote

Click this link (don’t fret, nothing malicious). Chances are your browser displays “apple.com” in the address bar. What about this one? Goes to “epic.com,” right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We’re told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn’t, is called a “homograph attack” – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address “paypal.com.”

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network’s addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became “Punycode.”

PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, Firefox Mobile, and Seamonkey, go to about:config and set network.IDN_show_punycode to true.