Category Archives: Malware

What Makes Industrial Control Systems a Target for Attack?

There is a great article from Trend Micro on why attackers target Industrial Control Systems (ICS) and how the Industrial Internet of Things (IIoT) will affect it. This is worth knowing as ICS is used to describe dissimilar types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.  ICS are used in almost every industrial sector and critical infrastructure from manufacturing, transportation, energy, and water treatment to running the power grid, regulating energy use in a building or managing the process of brewing beer.

At a presentation I gave at Cyber Security 2017: Securing the Smart City of the Future I spoke about the anatomy of an attack but didn’t get into the details as to the motivation or technicalities. ICS have been with us for more than a few years but recent modernization has created new ways for these systems to communicate with their controller. This has improved overall productivity but not security. New security issues have arisen that can be exploited by cybercriminals including:

  • Components that were not meant to be for public access are now accessible via the Internet.
  • Security and privacy features that were not considered by solution architects and engineers at design time.
  • Threat modelling not conducted either by the component manufacture or the solution provider.
  • Products that are not required to be fully tested or assessed to provide a minimum level of assurance or security.
  • Installations that were not formally evaluated for cyber risk prior to deployment.
  • An implicit trust at the systems operational level that all components are safe.

Increased aggressive targeting of these will impact many areas including smart cities, smart manufacturing, smart infrastructure projects and even our soon to be smart homes and cars unless we can get control of these issues. In many cases of these attacks data risk is the least of our worries as they could potentially result in injury or death. To deal with this comprehensively everyone in the product and service chain must play their part:

  1. Manufacturers need to ensure that their products are designed with security, privacy and safety in mind. This includes a multitude of aspects depending on the product being developed. Only through comprehensive threat modelling at design time will they fully understand how attacks can happen in the field and the necessary controls that will be required.
  1. Implementers need to conduct security testing and evaluation at all stages of the project to ensure that systems are not misconfigured or prone to attack once in the field.
  1. Customers whether they are a city manager, a building manager or an information security manager need to better understand the risks to their specific deployments including how to perform Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs).

Always remember that security is more than a technology you can just implement. Attempting to protect bad coding and engineering practices with a badly configured firewall will just end up in an attack succeeding.

Lastly, the authors of the article reference the NIST Security Guide for ICS, I would recommend that you also look at IEC 62443. Why? It was written so that an ICS company (vendor, implementer or purchaser) could be evaluated and tested against stringent controls for risk. This wide series of standards covers the breath of deployment and in-field issues that need to be considered and assessed against. It forces all parties involved to get their act together and ensure they have important aspects such as integrating activities across the Software Development Life Cycle (to help discover and reduce vulnerabilities early and build security in) and operational security policies and procedures. You might be surprised how many don’t.

Facebooktwittergoogle_plusredditpinterestlinkedin

Mac OS Is A Target

If you own an Apple product and  have not seen or heard about the recent increase of nasty malware targeting Mac OS then now is your chance to get up to speed. I know that many of you out there using this Mac OS do so due to ease of use and seamless integration into your tech toys like iPhones and iPads.  The belief that Windows users were the only ones with a malware problem is a myth. You need to wake up to fact that your laptop, iPhone or iPad is being targeted; the malware is getting really sophisticated and all platforms are susceptible to attack!

Here are some examples of the recent malware you should know about:

Proton – The malware includes root-access privileges and features that allow an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, key logging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.

Xagent – This malware contains payload that can make a compromised system running Mac OS X provide passwords, take screen captures and wipe iPhone backups stored on the Mac OS system.

As you can see being a Mac user  does not guarantee security and this scenario is only going to get worse. For your own sake please always keep that in mind. That said, here is what you can do to protect yourself:

  1. Use Time Machine to make backs up regularly and ensure they are encrypted. I prefer not to use iCloud due to the fact I am not really sure who Apple shares this data with. While they say things publicly the other side of the fence might offer a differing view.
  2. Ensure all iPhone backups are also encrypted.
  3. Use a tool such as Little Snitch to determine when unknown connections are leaving your Mac. Getting to know what your computer is doing and what it should be doing is key to early detection of compromise.
  4. Determine if a downloaded application might not be what you think it is using Suspicious Package.
  5. Get alerted if your being watched with OverSight.
  6. For your base install you already have the following:
    1. Using a passphrase for a password that 20+ characters long
    2. Using FileVault
    3. Using DuckDuckGo for your searching and research
    4. Use a VPN if you have to use a public or untrusted WiFi provider
    5. Track the security news for new developments in Mac OS malware

The main goal here is to not be an easy target and to create as many layers of defense as possible to protect yourself. As in life, prevention is always better than the cure!

Facebooktwittergoogle_plusredditpinterestlinkedin

Securing your device from Malware

Android and iOS devices both attempt to secure their OS from Malware and other vulnerabilities. They implement a myriad of security features in each new release, but that is just not good enough. Users still need to be vigilant and keep an eye on things.
You may not be able to adhere to everything but here is a list of things you can do to secure your device.

 keyboard

1. Don’t download apps from 3rd party sites

Avoid installing Android Package Files ( .apk’s) directly to your device. “Sideloading”, as it is called, installs apps not from Google Play but from 3rd party sites. The app may look exactly the same as it does from Google but may be repackaged to include malware. The signs of compromises are difficult for many users to identify, so don’t take the chance.

 

2. Don’t grant administrator access or extra permissions

Many apps ask for permissions to your device that they really don’t need. Before installing an app find out what permissions are required and if you don’t feel comfortable don’t install it. Is that app absolutely necessary? If you are seeing lots of adware then its probably too late but you still have the option of uninstalling the app.

 

3. Install a security application

Free security apps like Lookout do a decent job of scanning your device for malware, viruses and spyware. The security app will find the apps that are causing you problems and incorporates a malicious website blocker. If possible implement a security app but make sure you do your due diligence on the security app. Check the reviews to see what others are saying about the app.

 

4. Keep up-to-date on OS and app updates

This is a simple step but it keeps your operating system and apps up-to-date. These updates are often patches for security leaks and known or new found vulnerabilities. You can close the door on thieves but the door needs to be locked as well.

 

5. Disable cookies and Javascript

This is a tough one. Many apps use cookies and javascript to run. The issue here is that the majority of the apps that use cookies and javascript also incorporate analytic engines. Analytic engines will process your personal data and send it back to a corporate server. This data is even compiled offline and then sent when you are back online. Google’s policy is to retain your data for 25 months at a minimum and longer if possible… http://www.google.com/policies/privacy/#infocollect

 

6. Don’t jailbreak or root your device

Many users do not know what is done to the Operating System during either a jailbreak or the rooting of a device. Once completed it becomes easier to compromise a device as many users do not have the technical savvy to be able to harden a device in this state. Your dervice becomes more open to drive-by hackings especially if your using public Wi-Fi and no, you will not get a notification that your device has been compromised.

 

Some of these may be tough to swallow but compare that to your personal data or your banking information being freely available to the highest bidder. Keep in mind many criminal organizations are targeting individual mobile devices as they are not securely configured. Mobile has become the low hanging fruit for identity and data thieves, don’t make it easy.

Facebooktwittergoogle_plusredditpinterestlinkedin

Embedded Malware in Mobile Applications

Embedded Malware in Mobile Applications Blog

Project Overview

smartphone-601554_1280

Mobile is ripe for attack, as many people only associate cyber threats with their PCs and neglect even basic security precautions on their mobile devices. Under the Public Safety Canada Cyber Security Cooperation Program (CSCP) TwelveDot created a standardized methodology to qualitatively identify malware and vulnerabilities in mobile applications.

Given the risk of exposure to both consumers and businesses we needed to ensure that Canadians are protected from embedded malware while using mobile applications. This included the development of a standard method for mobile application developers to ensure their apps are tested and validated to minimum security levels for usage not only in Canada but globally. This methodology provides users with an easy to use grading system to determine if they are accepting of the risk of using the application.

GCAM and why a standardized method is important…

TwelveDot successfully developed a methodology to test mobile application security. This is a formalized methodology known as General Code Assessment Methodology (GCAM) which can identify, categorize and report on malware and application weaknesses for resolution by the vendor/developer.

There is a need to move towards a mobile application security standard. There are no current standards for mobile application security. Most mobile applications do not even pass basic security tests. Some organizations have mobile application security tests such as dynamic and static code analysis but these only validate the code and does not encompass mobile application behaviour nor the interaction between mobile applications, their users, cloud services and 3rd parties.

Using the GCAM methodology, we were able to identify mobile applications that indicate signs of bad coding practice and poor application design. These factors were used to derive a calculation that can be used to determine an application grade. This grade clearly indicates to a user the potential risk of security and privacy exposure.

keyboard

For the data captures, a Man-In-The-Middle (MITM) proxy was used to intercept and decrypt secure network sessions and we used Wire Shark to capture all the network session traffic. The network traffic shows, from a security perspective, how someone with intent could use fingerprinting techniques to target a device/user.

Application Selection

The applications were selected from both the Apple and Google Play app stores. We did not focus on other app stores due to lack of source control over the posted apps. We wanted to focus on applications that users and business would use everyday. Applications can be broken down into two major categories, free and paid applications. We have selected applications from both major categories.

appselection

The applications are then further broken down as shown in the categories below.

App Store Categories:

Books

Business

Catalogs

Education

Entertainment

Finance

Food & Drink

Games

Health & Fitness

Lifestyle

Medical

Music

Navigation

News & Video

Productivity

Reference

Social Networking

Sports

Travel

Utilities

Weather

Findings

There is a general trend, from the analysis of the tested mobile applications, for someone with intent to use advanced techniques to target a device or user. Security and privacy is not a primary concern when designing/coding mobile applications, and many developers do not have the necessary skills for these considerations at design time. Larger more established organizations with more resources (time and money) such as Google and Facebook, generally have better coded and designed applications, where as the smaller less process mature organizations demonstrate less skill in developing secure mobile applications. However, the larger organizations also attempt to exploit user data by creating malware and using vulnerabilities built-in to their applications. This can be demonstrated by the fact that analytic engines collect user data and behaviours without user knowledge. These include API’s and SDKs from Google, Yahoo, and Amazon. These engines are included in the majority of applications given that they are free and easy to integrate for developers.

iosembedded

Figure 1 iOS Embedded Malware

androidembedded

Figure 2 Android Embedded Malware

legend

Our tests show that the SDKs and API’s that developers implement are not just Apple or Google APIs but 3rd party APIs that may not be securely tested or validated but just added in. Over 40% of the applications we tested contained embedded 3rd party SDK/API’s.

3rd party libraries in the SDK’s have known vulnerabilities but the majority of mobile applications have not been tested against these known vulnerabilities. Many developers don’t even now the risk of using these 3rd party APIs nor do they evaluation the source code for origin.

The vast majority of library flaws remain undiscovered and typical Java applications are likely to include at least one vulnerable library.

3rd party libraries in the SDK’s have known vulnerabilities as can be seen in the CVE database but the majority of mobile applications have not been tested against the known vulnerabilities. Nor do the developers of these libraries report the vulnerabilities to the developers.

Sample SDK Vulnerability

  • A vulnerability in the OpenSSL ssl3_get_key_exchange function could allow a remote attacker to downgrade the security of certain TLS connections. An OpenSSL client accepts the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. This could allow a remote attacker using man-in-the-middle techniques to facilitate brute-force decryption of TLS/SSL traffic between vulnerable clients and servers. This vulnerability is also known as the FREAK attack.

 

Analytic engines are the largest threat vector in mobile environments.

These engines collect a variety of data from account names to country codes to browser versions. Data is even collected when the user is offline and saved to persistent storage on the device and forwarded on to the server during the next session. The data is retained for months if not years and the user is never advised of the storage length or uses of the data being collected. In many instances the companies that offer these services will typically sell this data to marketing companies looking to directly target advertising to these users.

AnalyticEngine

An example of a popular analytic engine can be seen below in Figure 2. It shows the network traffic timestamp of the Crashlytics engine at work. Crashlytics is a popular analytic engine and it was prevalent in the applications we tested.

Figure2NetTraffic

Figure 2 Network traffic timestamp of crashlytics data being transferred

Data found in application directories with compiled data to be sent to crashlytic analytic server.

Figure3Dir

Figure 3 – Crashlytics directory created by app on device

Looking at the directory structure pictured above (Figure 3), one can see that the data is grouped according to its processing status. The engine will process data it deems valid to send back to the server. Sendable data, data being processed, data that is prepared to send and invalid data. This data is also processed offline and can be sent back once a network connection has been established.

Fake apps mimic the actual applications they are supposed to replace. They are easily found on third party app download sites, websites and official app stores including Google Play. While outside the scope of our security testing users need to be aware these apps are prevalent and pose significant exposure risk when used.

Fake apps are available in every app category from Business to Games, Finance and Weather. These apps are not harmless copycats, they are intended to be malicious and include embedded malware.

Applications can be downloaded directly from the developer’s site. They can also be downloaded from 3rd party sites. There are thousands of sites that offer application files available for download.

Herein lies the problem. The 3rd party sites are not secure. They do not ensure the apps are secure or free from malware/vulnerabilities. Moreover some of the sites are purpose built venues for malware/vulnerabilities to be introduced to users. These sites actually repackage the application with embedded malware/vulnerabilities. The files are then unwittingly downloaded by users and installed. The user’s device is now compromised.

Cloud Services are used by a majority of the mobile applications tested. Approximately 80% of the apps tested use cloud services. The main players in this are Amazon and Google.

Sample test results from the DropBox application in iOS show both Amazon and Google Cloud services in use. Google cloud services uses Google cloud endpoints, so it can determine user location, locate nearby stores, and then provide the user relevant offers and recommendations. These usage patterns build on the users’ already growing user profile created for each and every user of these services. Many users are not aware of the metadata being collected on them at this point and once they do it is too late to remove your fingerprint.

What can you do to ensure your apps are safe?

Users and businesses need to assess risks, determine threats and mitigate threats. These threats include, threats to data, threats to availability and system integrity.

  • Always research the publisher/developer of the app. For iOS apps a user can look at the details tab of the mobile app in the Apple App Store and look at the information about the app and search the publisher/developer.
  • Read application reviews. Check around to see what others are saying ( macworld.com,  pcworld.com, androidtapp.com)
  • Always check application permissions (a simple calculator app should not need access to personal information) For iOS open the Settings app and scroll down to the list of apps at the very bottom. Tap an app and you’ll see the permissions it wants. You can enable or disable individual permissions for specific apps from here. For Android apps select Menu>Settings>Applications>Manage Applications. Then choose an app and scroll to the bottom and it shows you the list of permissions.
  • Avoid installing Android Package files ( APK’s ) directly to your device. If you use the Google Play site to install apps then you should be ok. However if you download .apk files from developer sites or third party sites and install the .apk , then you are putting yourself at higher risk. Sideloading is the process of loading an .apk file directly to your device. Not all manufacturers support Google Play on their devices. Also regional restrictions imposed by Google Play may prevent you from loading an app. In order to install an .apk file you will need to enable unknown sources which allows the installation of apps from sources other than Google Play. But be forewarned do not allow apps extra permissions for the majority of these will most likely contain malware.
  • Install an antivirus app on your phone. Lookout is a quality mobile security app that is available for both iOS and Android.
  • Disable cookies and don’t allow javascripts to run to prevent analytic engines from sending your personal data. In doing, so you reduce your risk from malware, however some apps may not run properly with cookies and more specifically javascript disabled. Many apps nowadays use javascript for plugins. You will have to decide what is more important the app or the security of your data?

 

There is also a comprehensive list of steps developers need to address to ensure mobile application security but that is for another day…another blog.

Full report on Embedded Malware in Mobile Applications available please contact us.

Facebooktwittergoogle_plusredditpinterestlinkedin

Did you consider security of your mobile app? Should you?

The problem with creating a BYOM strategy is that many organizations are ill equipped to detect policy violations. While a MDM can help with defining a device policy and implementing said policy. When a device has been compromised it becomes much more difficult for an organization to detect these. Whats more dangerous is many organization don’t even consider the risk of using certain applications which due to bad security coding practice can leave your personal and corporate data at risk.

How many people store their companies IP on a cloud storage providers because it is free? Does your company know? Will you still have access to this data when you leave. When the cloud storage provider is compromised what then? Do you think they are going to disclose the compromise? Not bloody likely if the bigs guys don’t disclose don’t expect the small guys to.

Spend some time getting to know what an app really does under the hood. Services are starting to appear the claim to do this. I will not comment on this or recommend anyone but you need to know “how” to do this.

As for privacy, I know you don’t care about yours today. But when your identify has been stolen you will. So start planning for that day because the way many apps handle your data that day will soon be upon you.

Facebooktwittergoogle_plusredditpinterestlinkedin

Why Android is vulnerable based on the deployment model

While I do enjoy using my Sony Xperia and the latest version of Android Jelly Bean I look at many other Android users who due to lock in with carrier cannot upgrade their mobile operating system. Yes, we users who are looking to get a free or no money down phone are now restricted to the mobile operating system provided by the carrier. As we know carriers are in the money making business so getting you into a new contract is more important than security — even if it is service impacting on their network.

Now for the tech savvy in the crowd they can easily get the unlock code and replace the current version with a patched and less vulnerable version but in many cases they will also root their devices to get all the toys. The only problem with that is many fail to understand the implications of installing a rootkit on a device and not change some parameters that will give those members of society who like to attack mobile devices. You know who you are and we thank you for keeping us gainfully employed at TwelveDot.

So what can a user do to protect themselves from the vulnerability ridden device being used for the masses. You can look to setup a secure policy for your device that will reduce the risk however depending on the vulnerability there is somethings that just cannot be prevented.

We need to push carriers to unlock these devices early or provide the updates. I would say have the government create a regulatory requirement that all mobile devices under support should have the latest security patches. But this seems too harsh or is it? Imagine for a second what would happen if a vulnerability in a mobile handset OS was used to target a nations critical infrastructure. Would your perspective change?

Facebooktwittergoogle_plusredditpinterestlinkedin

A Swiss Security Conference AKA #hashdays

I was lucky enough to be in Switzerland for the annual #hashdays conference held in Luzern. CH. I was invited to attend from a friend and I have to say that it was a really good conference. After DEFCON earlier this year it left me wondering where have all the good conferences gone?? Not a dig at the conference but it has gotten REALLY big and it hard to make good connections with +25k attendees — I was not the only one with this comment.

It seems once fame and fortune set in conferences seem to downhill. That is why Apple seems to keep WWDC to 5K – I can see the position. Smaller is better for these kinds of subject…..but back to CH. Well, it was great to meet so many other researchers who are dedicating their time and effort to break stuff….even better that they are sharing their knowledge.

Here is what a short list of the topics presented:

1. Tactical Surveillance
2. IPv6 Attack Vectors
3. VMWare hacking
4. NFC hacking

This included tools, hacks, and a new perspective on risk management. More than anything it was a chance to meet some new security researchers who were approachable and without the crowds.

Now, I have to take all this data and start compiling it into something useful. It is going to take a month or two but will benefit both me and our customers.

I am looking forward to #hashdays 2013.

Facebooktwittergoogle_plusredditpinterestlinkedin

Pssst Mobile Users………Malware is amongst us!

I am sure this is not news to you. However, the innocent among us must finally realize that mobile malware has some wings and you need to wake up to this reality. More recently, at the EUSecWest conference several new hacks were disclosed. You don’t need to know the technical details but you need to become aware that mobile malware exists and will get really messy in the future.

Check these details out:

http://bit.ly/OFPMgb – Samsung Hack
http://bit.ly/R2rYXQ – EUSecWest Coverage
http://bit.ly/RQCSlT – NFC Hack

As you can see these hacks are platform agnostic, you are no more protected on a Android or iOS.

Keys to protecting yourself:

1. If you don’t need all the fancy features such as NFC, Bluetooth, etc turn them off. Likewise, any apps that are requesting access to these should be either be disable or removed.
2. Know what WiFi networks you are connecting to and if possible us a VPN.
3. Use a remote location and wiping technology. This will save your bacon when you loose your device.
4. Don’t provide your credit card or banking details on/over/using a mobile EVER! This includes passwords to these accounts.

Keep up to speed on mobile attacks, your device and you need to be protected.

Facebooktwittergoogle_plusredditpinterestlinkedin

Cyber Cold War has “officially” begun

With the recent announcement and discovery of the Flame malware and the “intent” of this software; it is becoming very evident that we are entering into a phase of “cyber cold war”. Before nations depended on top secret persons who work above the law to infiltrate countries of interest and gather intel and generate unrest. Not saying this does not happen any more just it becomes more cost effective when you don’t have to put a life at risk. You also don’t have to worry about defection and your secrets getting out……..but this is fodder for another blog.
These days my friends things only require slick software and techniques. I would argue that most OSes are unsecure and will remain as such as governments want the ability to infiltrate systems of interest both domestically and abroad. Just a question — who does have hardened OSes? If you know the answer to that then you see the alignment to the possible creator of this software.

They both have intent and expertise. I am not going to side with either party nor I am prepared to state that it can be stopped……..it can’t. We are only seeing the tip of the iceberg of this technology with a better global sensor network the real interesting stuff would be discovered. Researchers are going to enjoy the next few years as more and more discoveries are made in this area. The problem is that the average user is completely oblivious to these activities…………….. If only they knew!

The full technical report is found here. Great reading!

Links to Flame:
http://en.wikipedia.org/wiki/Flame_%28malware%29
http://www.wired.com/threatlevel/2012/05/flame/

Facebooktwittergoogle_plusredditpinterestlinkedin

Smart Grid search lead to this….

Today, quite innocently I was doing some research on smart grid security and located  an interesting diagram that I clicked on. Here is what was presented in my browser. Your saying so what……but my security senses started to tingle. First of all this site is done really well from a graphical standpoint, it is a Mac Finder view without a doubt. Second, a file was automatically downloaded to my system. I did not click to download, it just sent it and the installer automatically executed. I have not seen that before.

So what the heck is it? Right now I don’t now exactly. The DNS block is registered to a hosting company called “DigitalOne”. They seem to have some fancy data centre based out of the Northern Virginia (US) region. So I am guessing someone is just hosting “it” here. I don’t want to install the software that was just sent to me it could be just about anything and I need my system operational at least for today.

DNS lookup:

% Information related to ‘212.124.124.0 – 212.124.127.255’

inetnum:        212.124.124.0 – 212.124.127.255

netname:        DIGITALONE-NET

descr:          DigitalOne AG Colocation and Dedicated Servers

remarks:        ————————————————–

remarks:        Please, send abuse reports to abuse@digitalone.com

remarks:        ————————————————–

country:        US

admin-c:        DA440-RIPE

tech-c:         DA440-RIPE

status:         ASSIGNED PA

mnt-by:         MNT-TRI

source:         RIPE # Filtered
role:           DigitalOne AG

address:        12100 Sunrise Valley Drive

address:        Reston, VA 20191, United States

abuse-mailbox: abuse@digitalone.com

admin-c:        SO1294-RIPE

tech-c:         SO1294-RIPE

nic-hdl:        DA440-RIPE

mnt-by:         MNT-TRI

source:         RIPE # Filtered


I let the “virus scan” finish to see what it would report. So here it is. Strange when I did run my AV software (yes I have one for my Mac), it found nothing. Scanning my system for the files listed also came back empty. I do find it interesting that a site was setup to either sell AV software or install malware on a Mac. I am just scared by the fact that many users could start to fall trap to sites that will execute some malware on their system. It also proves to this security guy the level of sophistication of malware targeting the Mac is increasing significantly……and will continue to do so. I just hope that user out there start to take notice.

 

Facebooktwittergoogle_plusredditpinterestlinkedin