Thursday, January 31, 2013

The Mac Security Myth

You know that feeling you get when someone declares something so boldly which you know is absolutely wrong? It's that moment when you interpret what they said which triggers an internal struggle of trying to decide if you should correct them or not. With kids it's easy; your correct them. With adults, it's harder because there's that whole pride and sensitivities thing involved. In that moment a feeling begins which sort of blends sympathy, "oh man they have no idea what they are talking about," with the driving need to show your knowledge. You brain calls for instruction on how to respond; smile or correct. I was recently on the recipient end of this when I pronounced a medical condition of mine to a friend who is a doctor. He's decided that smiling at people when they are wrong doesn't help them, and so he proceeded to correct my terminology. 

And so in honor of standing up for what is true, Mac users, I have bad news.

The cringe moment I wrote of before for me is triggered when I hear people say something like, "I don't have to worry about cyber threats because I use a Mac and Macs are secure." As someone who has been practicing cyber defense and threat analysis for over a decade, I can't help but cry a little inside when I hear that. Another common one I hear comes when someone who uses a Microsoft Windows based system complains to their Apple yielding friend about an infection. Their Apple buddy retorts with something like, "You should switch to a Mac so you can't get infected. There aren't any viruses for Macs."

<insert cringe/pucker face here>

While this misconception is perpetuated among uninformed Apple fans, Apple themselves have done an incredible injustice to their consumers by stoking these false assumptions through their marketing campaigns and suppression of talking about this in public. I recall a commercial that ran for a while within the "I'm a Mac, and I'm a PC" series where the PC becomes infected and the Mac says something like "I don't have to worry about that." Sorry, that's wrong. Let me burst your bubble with some hard facts:

Apple Malware Exists in Spades

Security research firm and services provider, SOPHOS, revealed in their report, "Security Threats in 2013," that they detected on average 4,900 Mac based malware infections per month last year. Ironically, the majority of these are types of fake anti-virus software. So people who don't think they need to secure their Mac because there are no viruses are being duped into installing fake AV. In 2012 the Flashback malware which uniquely targeted Macs gained public notoriety and is expected to have infected more than 700,000 Macs worldwide. With numbers like that, one can hardly make a claim so called viruses are only a PC problem. Perhaps it's a matter of defining what the word "is" is as former president Bill Clinton became notorious for saying.

4,900 Mac malware detection per month in 2012 by one security firm alone!!

Coincidentally, this week Apple released an update to their iOS (version 6.1) which fixed 27 significant vulnerabilities in their mobile operating system, 20 of which can be leveraged by an attacker to execute code remotely on your Apple device. Considering the fact that iOS 6.0 was released in September 2012 means your precious Apple has been sitting their vulnerable for over three months. Has anyone been taking advantage of these vulnerabilities on your device? If you believe there's no security problem, then you probably don't have detection and prevention software like AntiVirus or AntiMalware installed, and so you simply don't know if you are a victim or not. Ignorance is bliss right?

Ever heard of jail-breaking your iPhone? That is malware at it's finest. Yes, it's a root level exploit which takes control of the entire system and changes core functions (including security mechanisms), allowing users to run and integrate features otherwise prevented. That's hacking.

Apple is Slow to Patch Vulnerabilities

More bad news. The weakness exploited by the Flashback malware were reported 9 months before massive outbreaks became public knowledge. Microsoft released patches in mid-February 2012, while massive outbreaks spread among Mac users through March, and Apple finally released an update in late April. That is horrendous.

One of the fixes released this week by Apple addresses a vulnerability announced in 2011 while another removes fraudulent Google certificates issued in December by TURKTRUST root certificate authority. Certificates are used by your browser to validate it has connected to the correct servers when you browse the Internet. This prevents someone from putting up a fake website (or any other website) without your browser knowing it and warning or stopping you. However, if someone can send your browser a fake certificate through a root certificate authority like TURTRUST, one that matches their fake website, then when you browse on over to the fake site (say to check your Gmail or Google Plus or any other Google service), you'll be hitting that fake site and entering your data trusting the information is safe in the hands of who it should be. Iran used this tactic in 2012 to identify all political dissidents in the country who were using Gmail to communicate with outsiders via the Internet. In the case of the TURKTRUST mishap, Google issued a warning the same day and Microsoft issued fixes that week. Apple took over a month!

This shows a significant risk imposed on Apple users by their slow-to-patch response. Even still, because Apple has perpetuated this myth that they are inherently secure, users may not even worry about installing updates and patches, leaving them exposed for even longer periods of time.

Ok, so I've hopefully broken two false assumptions so far; yes, there is Mac malware, and yes your Mac does have security weaknesses. You might be asking yourself, but is it more secure than Windows? That's not an easy question to answer but I'll try.

False Sense of Security

Apple has long benefited from what we in industry call security through obscurity. That means they are secure because they are insignificant. They are insignificant (in number of users) and so they aren't targeted. It's like saying in a group of 50 people, you are safe because there's plenty of other targets around you. It has nothing to do with your actual state of personal security. There is some truth to that. While the modern adversary can be quite sophisticated, they are also in many ways like us. They need strong return on investment and focus on the path of least resistance. Their target surface has some common attributes. The mass majority of computers in the world run a Microsoft operating system.  If an adversary can create one new form of malware that affects 99% of their target victims, then that's where they are going to focus their effort. Even better, if they can find a flaw in an application used by both platforms (say JAVA), then they cover everyone. Still, they focus on Windows because the majority of computers out there are Windows based. This approach to security works as long as you remain background noise. The moment you become and object of interest, it's game over. Creating Mac targeting malware is also an insignificant task. I've heard some people claim that it's easy for hackers to create Windows malware because Windows is so full of "holes" but Mac malware is hard to create. That's simply nonsense. More and more we in the researcher community are seeing simultaneous releases of new malware that affects multiple platforms; Windows and OS X.

The tide is already changing. Apple's popularity thanks to their cool looks and "i" line of products (iMac, iPhone, iPods, and iPads), is drawing more users away from Microsoft, thus reducing the shadow they've hidden behind for all these years. They are becoming a larger target for the adversary. SOPHOS reports that among companies surveyed, 52% plan on issuing more Macs to employees in 2013. The move away from Apple's proprietary hardware into the Intel common hardware market also means virtualizing Intel based software no longer requires trading performance for style. Now you can get both. Now you can run Windows on your Mac without much performance difference. This means the Mac is becoming more popular, and actually viable for most users including the enterprise. The most sophisticated malware out there starts in the government and enterprise world, then moves public. As enterprises adopt Apple, the adversary will change their attention and will develop new capabilities unique to that platform, which will make their way to the public very quickly. This isn't a prediction, it's happening.

This trend is proving itself as multiple reports showed significant increases in unique Mac malware released  in 2012. As the pendulum swings, so is the adversaries attention. Fortunately for iOS users, the Android open app development environment is still too tempting to part from so I think the adversary will stay there for a while. But, that's not the case for OS X.

Without repeating too much of what I wrote in a previous article, the primary flaw in cybersecurity is you. Adversaries know this and so they use tactics which exploit you, or mostly your inherent trust in the Internet and your own computing device. Their primary paths of entry into your computer are your email inbox and your web browser. Again, as I previously documented in a past article, Safari (Apple's web browser) has significant security gaps just as IE does. Also, as mentioned before, the primary method of exploiting a computer via the browser is to use a vulnerability in a 3rd party application like JAVA. Since both Windows and OS X use a 3rd party provider (Adobe) to supply them JAVA, they are both vulnerable to weaknesses in JAVA.

Yes, OS X does include some features to prevent administrative functions from automatically executing (this was their primary claim to security for a long time), but so does Windows as of version 7. Because most malware requires the ability to make system level changes to persist, this prevention mechanism can be effective (when the malware doesn't evade it by using an application which already has hooks into administrative level tasks). It used to be that Windows users were by default system administrators, making it easier for malware to establish a foothold. Windows 7 changed this and added the security feature of monitoring all running processes and warning you whenever one attempts a administrative function. Apple was also early to incorporate network access controls of their platforms, but Microsoft's inclusion of the Windows firewall as met this capability as well. They are competitors after all.

Since the primary threat vectors are the same, and the target is the same (you), and the primary defense is the same, what then is left? Patching and application control. It's about ensuring your system and applications are not vulnerable, and monitoring those applications for abuse or malicious behavior. Those two areas are strengths of Microsoft, and significant weaknesses of Apple. Again, because Windows is so widely used, the number of available applications far exceeds those available for OS X. This means by nature, there are more possible points of vulnerabilities to control. Security through obscurity.

You can't exploit what isn't vulnerable and patches fix vulnerabilities. I hear people moan and groan all the time about the weekly patches from Microsoft. The IT world lovingly refers to this weekly event as "Patch Tuesday." However, if a critical flaw is discovered in Windows or an associated application, at least we know we only have to worry until Tuesday. Apple is notoriously slow at releasing security updates, sometimes taking several months. They have no defined or regular patch cycle. Updates are released as Apple get's around to it. Microsoft was forced into this rapid pace of releasing updates through user pressure. No such pressure exists for Apple, because a) use is still really low and b) they perpetuate the idea that Macs are inherently safe. Being a minority in a market means you are shielded by the majority. It's that simple. Microsoft takes the brunt because they are the biggest and have more users.

Then there's application control which is mostly administered through AntiVirus or AntiMalware products in the public market. Windows users are well accustomed to needing and using AV, and the AV market is well mature in terms of effective products. If you believe you don't have a malware problem, then you probably aren't running any sort of AntiMalware software on your Mac. This means you have no way to stop malware from running or knowing if it exists except through the native Apple permissions control feature. This feature warns you and prompts for an administrator password when system changes are being made (or an application is attempting to). If you are relying on this, then you are assuming the malware hasn't bypassed that mechanism and that you know everytime you enter your password, exactly what that application is doing in the background. You have no idea if that file you opened contains malware...all you know is you needed to enter your password to open it.

Secret Society

Apple is very secretive and closed. As a fond user of the Apple TV and iPad, I'm often frustrated by their policies which control content and apps so strictly. For example, I can't stream my Amazon cloud content through my Apple TV because Apple won't let Amazon develop an app without promising a certain level of revenue sharing. Same goes for the Amazon Kindle app; you can no longer buy books directly through the app. They are also very quiet on releasing new products and product updates. They develop in secret and closely control what is allowed on their products. I thought Microsoft was sued over this a few years ago...oh yeah, they were. This secretive approach permeates everything they do...including security.

Maintaining their image of a secure platform is mission critical for Apple.

However, they are noticeably absent in the world of threat information exchanges and cybersecurity conferences. In 2012 I attended the annual Blackhat conference in Las Vegas where security researchers (good guys and bad guys) come together to present new ideas and findings. Microsoft was there in a big way, talking about security and reaching out to the researcher community to promote an open dialog. Apple was absent. This is a common scene at every security conference I've been to over the past 12 years. Wherever cybersecurity is being discussed, Microsoft is there, Apple is a no show. They simply don't talk about security in the public. This makes them even more prone to weaknesses and exploitation. In the world of intelligence sharing, there is a balance between divulging information which can aid or expose the adversary, with divulging information to aid the defenders. Apple doesn't participate in this exchange very well. As adversaries use their tools, once exposed the game's up. Everyone defends. With Apple, they suppress notifications which means the adversary (like in the case of Flashback) has a long time to wreak havoc on their targets. Once Apple is forced into the public light (as with Flashback), they suddenly respond.

This lack of visibility also means no accountability. If Microsoft knows about a vulnerability, and the public knows, then all users (government, commercial  and consumer) put on the pressure. If no one knows about an Apple flaw, then there's no pressure. If Apple is made aware, but the public isn't, then there is no accountability. Works well for them, no so well for us.


For these reasons (slow patching, false claims of security, real threats, and detachment), I believe Apple products are less secure than their Microsoft counterparts. More specifically, I believe Apple users are at greater risk than are Microsoft users.

The key is of course practicing smart Internet use. Don't panic, and switch back. Don't dump that investment. But do get yourself a quality AntiVirus or AntiMalware solution for that Mac, check for updates regularly, and be careful with web browsing and email.

Just please, for the love of Pete, don't go buy a Mac simply because you think it's more secure. You won't be.

Thursday, January 17, 2013

Web Exploits and Intrusion Detection Systems


Over the past year, I have observed a significant decrease in the number of detections of modern threats among organizations protected by traditional Intrusion Detection and Prevention Systems (IDS/IPS) while those monitored by community intelligence based solutions and behavioral analysis have shown increases. Meanwhile organizations are becoming increasingly educated about modern threats and have been seeking confirmation that their chosen products can address these threats. Organizations and their executives are expecting their staff to show them where they have been compromised and attacked, however the traditional configurations employed are not producing data representing detections of modern threat activity. Relying on these vendor produced solutions alone has forced some to conclude that their networks are clean when in reality they are deeply infiltrated. Representing adequate threat coverage has become an increasing challenge as a result.

Highly Pervasive Threats

Recent surges in exploit delivery kits and the evolution away from direct exploitation has largely moved the bulk of Internet based attacks to a passive model. The sharing of resources and monetization of exploit kits has resulted in a surge of weapons and variants available to the adversary and has eased the process of exploitation. Additionally the increasing use of encoding and encryption to hide malicious content has decreased the visibility the IDS has over the session. Traditionally an adversary would scan a network, find applications they could interact with, and attempt to directly deliver exploit code to them.

Weaponization: From a kill chain perspective, industry is seeing pervasive threats weaponize files like documents (MS Office, Adobe PDF, MS Excel), as well as active Internet content (Java, Flash) by embedding exploit code within them and hiding this code through obfuscation tactics including encoding and encryption. In this new model the “attack” has become akin to successfully delivering the weaponized file to a victim and executing it locally. The weapons themselves have become additional delivery channels, often exploiting a vulnerability in an Internet based application to download a final stage package containing the core malware.

Delivery: Rather than identifying a specific target and launching a custom or tool driven direct attack by delivering exploit code directly to the vulnerable application, adversaries are using embedded weapons like mines throughout the Internet and luring unwitting victims to them through phishing, injecting into legitimate websites, and creating malicious versions of seemingly legitimate websites. One tactic recently discovered and employed by the adversary is the monitoring of top news and creating malicious websites purporting to be related or hosting information about the story. JavaScript, iFrame, PHP, and CGI is being commonly used to redirect a user’s browser to access content unintended by the user. As users are lured to the delivery websites, they are exposed to the exploit through passive actions which often result in their inadvertent requesting of the weaponized file. These delivery websites are often temporary and dynamic making tracking difficult. They get registered through free online domain registry sites using fake personas and change quickly or go silent after first use. This tactic is used by the adversary to evade black list attempts by defenders to prevent or detect known malicious websites.

Exploitation: When exposed to one of these delivery sites, the client application (web browser) receives the weaponized file still in its obfuscated state. The weaponized file (JavaScript, Flash, PDF etc.) containing the encoded or encrypted contents also includes decode or decrypt functions which are performed within the client application during execution, finally exposing the exploit code to the application and resulting in a compromise. With these exploit kits, this is usually the first stage. The application has been exploited and is then used to retrieve and execute an additional malware package which results in a system level compromise.

Example from Blackhole: A lab test conducted using the Blackhole Exploit Kit resulted in the following progression:
Initial redirect: GET <baddomain>/main.php?page=<string>

Weapon retrieval
: GET /archive=”Leh.jar” loads the Java applet in the browser and triggers the next stage
Second stage: GET /w.php?f=<string> about 2 seconds later, served “contacts.exe” in response

Exploitation: contacts.exe executed on the local system performing persistent changes

Compromise symptoms: A new application on the victim system began generating repetitive HTTP GET requests using a User-Agent string of “Windows 98” which did not match any known applications previously installed.

A compilation of the most active exploit kits which leverage this model is represented below. A keyword based cross reference of the exploit kits against a leading Intrusion Prevention System (IPS) vendor’s content encyclopedias was conducted to find if there were any IPS/IDS, AV, App Control, or other signatures available to address these adversary tools. The results are included below.

Redkit: 0 references found
NeoSploit: 0 references found
Cool Exploit kit: 0 IPS references
Blackhole: 0 IPS references found, numbers virus results
Nuclear Pak: 1 reference in IPS to an RFI related attack (not the exploit kit) and 1 RAT sig
Crimeboss: 0 references found
Cridex: 0 IPS references
Phoenix: 0 IPS references
TDS Sutra: 0 references found
Sweet orange: 0 references

These exploit kits each represent a delivery system. The weapons used within each exploit kit can vary from user to user, however they often use a common set of standard exploits. A review of the 2012 exploits used by these kits as noted by their Common Vulnerabilities and Exposures (CVE) reference is listed below. A keyword search within the same IPS vendor’s threat encyclopedia using the CVE identifier of the specific exploits used by each of these kits was conducted and found at least one signature match for each exploit.

CVE-2012-4969 (Java 0-day used in blackhole) – 1 prevention signature
CVE-2012-4681 (Java 0-day used in NeoSploit, Blackhole, Redkit, Nuclear, Crimeboss, Sweet Orange) – 2 prevention signatures
CVE-2012-1723 (Java exploit used in Blackhole, Cool, NeoSploit, Nuclear) – 1 prevention signature
CVE-2012-1535 (Flash 0-day exploit) – 1 prevention signature
CVE-2012-0779 (Flash targeted exploit, Phoenix) – 1 prevention signature
CVE-2012-1875 (MS IE exploit) – 1 prevention signature
CVE-2012-0507 (Java exploit used in Redkit, Phoenix, Blackhole, Cool) – 1 prevention signature

A review of these vendor threat encyclopedia articles validates they appear to be directly related to detecting the exploits associated with each of the vulnerabilities. The articles also reference the correct delivery model for the exploits targeting active Internet content (ie malicious websites) and the vulnerable application (ie Java). From this finding, one conclusion could be drawn that the IPS vendor has the ability to detect these modern day exploit kits because they have signatures that detect the exploit code associated with the exploits used by the kits. Another conclusion can be drawn that since the vendor did not reference these exploit kits by name, their approach appears to be to focus on the actual exploit code and not how it is used.

Lab Tests

Testing actual system exploitation in a lab using some of these exploit kits resulted in 0 detections by a leading IPS system (the same vendor referenced above) running configurations validated by the vendor’s technical resources. The logical question is if the product has detection content to address these exploits, then why is it not detecting the activity?

A Lesson in Obfuscation

The reason the before mentioned exploit kits have become so highly effective and pervasive is they each employ various methods of obfuscation and encryption to hide the exploit payload from inspection by technology such as IDS/IPS. Recall the Weaponization, Delivery, and Exploitation sections above. The exploit code is not passed directly between the “attacker” and victim in normal clear syntax for inspection by the IDS, but rather encoded within websites or within files transferred to the victim. All of these kits use an intermediary application or file to obfuscate and carry the exploit code to the target where it is exposed only during execution, not during the delivery stage where IDS can inspect the payload. Encoding comes in various forms including character substitution, XOR, base64, string reversal, custom encoding, encryption etc. The basic progression is:

  1. User browses to malicious website containing “clean” HTML, PHP, or CGI code
  2. Website contains HTML, PHP, or often an iFrame which instructs the browser to retrieve a secondary active content file (usually JavaScript or Flash) – no exploit code is in the HTML, PHP, or CGI
  3. This file contains the obfuscated or encoded exploit code which cannot be inspected by the IDS/IPS (because it’s encoded)
  4. The file is received by the client and loaded into the browser where the contents are decoded and the exploit executed
  5. Game over

Competitive and Community Solutions

Some in the competitive field have taken a more proactive approach to threat detection, focusing not on the actual exploit, but rather the delivery model and methods to perform the initial detection. The threat community group called “Emerging Threats” lead by researcher Matt Jonkman takes this approach a step further by developing detection signatures based on the behaviors of delivery and exploitation as well as the attributes of weaponized files or websites and compromised systems. Rather than detecting an exploit, they detect websites, URLs, URIs, and files which match attributes of weapon delivery, weaponization, and command and control (C2). This model produces the highest fidelity detection on exploitation behaviors, preceded by informational alerts but also generates a high volume of alerts which must be correlated for their potential to be realized. Using these behavioral indicators will produce a significant volume of independently uninteresting alerts, however the combination of multiple alerts in sequence enables the high fidelity “detection” rather than any single signature by itself. For example:

·         ET CURRENT_EVENTS Blackhole – Blackhole Java Exploit request to spn.jar (Java asked for a file)
·         ET INFO JAVA – Java Archive Download (A .jar was downloaded)
·         ET INFO Java .jar request to dotted-quad domain (Java requested a .jar to an unusual domain)
·         ET INFO EXE – Served Attached HTTP (an EXE was attached to an HTTP request)
·         ET CURRENT_EVENTS DRIVEBY Blackhole – Payload Download – readme.exe (readme.exe was downloaded)
·         ET POLICY Windows 98 User-Agent Detected – Possible Malware or Non-Updated System (an Internet application using an outdated identification string was detected)

These are all behavioral indicators of exploit kit activity. Specifically these examples are used in conjunction to detect the various stages of the Blackhole kit, however these attributes exist among numerous kits. In this example, some of these indicators are benign but when represented together in context, they provide a positive detection.

Missing the Message

Coincidentally I have heard countless arguments from security minded people who claim these highly pervasive exploit kits aren’t worth the resources to detect and defend against because they represent basic criminal activity. They argue that the real threat, the “Advanced Persistent Threat,” is where we should be focusing resources because they cause major damage. The basis for this argument assumes the delivery method used by the adversary is a direct representation of their level of sophistication which is a direct sign of their intent and ability. As operation ShadyRAT, Night Dragon, and now Red October have shown, this is a dangerous assumption. We see time and time again extremely sophisticated adversaries using common methodologies because that’s all it takes to infiltrate an organization. Why use your most sophisticated tactics and risk exposing them, when common tactics will suffice?

Advanced Threats

The Red October campaign with Flame-like characteristics uncovered by Kaspersky this week has been hitting the news rounds. More information is coming out daily and today it was revealed that the two primary delivery vectors were spear-phishing with a weaponized file (MS Word, Adobe PDF, or MS Excel) and web exploit via Java. Nothing new there, however it’s interesting to note the similarities with common web exploit kits (Blackhole, Redkit etc) which tend to get downplayed as common threats not worthy of the same attention as “APT” activity. This is a good reminder that the severity of the threat and who’s behind it is less about delivery and compromise symptoms and more about use. It’s not how it was delivered, it’s how it’s being used.

Notice this excerpt about delivery from the article referenced above: “the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java (CVE-2011-3544), and in the background downloaded and executed the malware automatically.” Later it appears the malware authors changed from PHP to CGI but continued to use web exploits. This maps exactly to the exploit kit methodology previously described.

That specific exploit and method was also used by Blackhole during early 2012 (the methodology is still active it just uses different exploits). Something organizations might downplay as Internet noise, hence the reason malware analysis is so critical; understanding what the malware is and does is essential to understanding the nature and severity of the threat and other reminder that web-based monitoring and behavioral detection remains a critical component of comprehensive defense.

Then there’s this: “Analysis of the server side source code of the exploit showed that the malware payload URL is encoded before being passed to the Java applet. ‘When the client is exploited, the URL gets decoded and the malware gets downloaded.’” That’s something else we’ve seen among common web exploit kits and the reason IDS often misses the exploit code and “attack” stage. The delivery is obfuscated and the exploit exposed post-delivery (rendered in the browser).


The combined research above has shown that market leading Intrusion Detection and Prevention Systems (IDS, IPS) are woefully unprepared to not only address highly pervasive threats but also sophisticated nation-state sponsored campaigns which have persisted undetected for years. To detect and defend against the modern threat, whether they be common criminals or Advanced Persistent Threats, a comprehensive approach that covers all delivery vectors and focuses on behavior rather than exploit code is needed. Community based groups such as and the various private threat intelligence sharing groups are a critical inclusion into active defense. Going stock IDS alone won’t solve this problem. A combination of able technology, people and process including understanding the nature of the threat; conducting ongoing research and analysis into adversary tools, tactics, and techniques  identifying behavioral indicators and developing signatures; community sharing; and data correlation is needed.


Online Banking and Purchases


This is a topic I get asked about often; "is it safe to bank online?" Closely related is the question, "is it safe to buy things online?" As with everything done on the Internet, there is risk involved. By using the Internet you are opening new possibilities for theft and exploitation. Personal safety is really an individual assessment based on your threshold for risk and the potential impact. The more you have to lose, the greater the risk, and we all have more to lose than we think. But risk can be mitigated to a point which may make you comfortable with moving forward. Risk also requires a threat before it can be realized.

The threat is absolutely there. The threat is bigger, more sophisticated, and more active than you realize. The threat is the same for everyone and yes, you are being targeted whether for direct theft or to be used as an intermediary.

But is it safe? It can be "safe enough" but again that's really a personal assessment which must be made after understanding the threat, the risk, and mitigation options.

Personally, I do bank online and I do make online purchases, however I am very careful and take active measures to protect myself and my accounts as much as possible. That includes being selective with whom I will make online financial transactions with. There are many whom I will not transact with. Let's take a look at a few.

Personally Identifiable Information (PII)

The information that forms your identity or can be used to validate your identity is termed PII by industry. This can include social security numbers, date-of-birth, place-of-birth, address, mother's maiden name etc. Basically anything you use to validate who you are with your bank over the phone. Information that is unique to you. This data is used to prove who you are when opening or creating accounts (banks, credit cards, loans) as well as associate you with medical records or any information which is considered private by industry. Safeguard this information. If with this information you can make financial transactions like opening lines of credit or accessing your bank accounts, then someone else can do the same on your behalf if they have this information. Don't ever transmit or post PII over the Internet unless it's secure and never post PII to a social media website including information you use for your security questions.

Examples of the Threat

There was a recent criminal ring in Long Beach, CA that was cracked and the ring leader (a 15 year old) put behind bars. The fraud ring used common information about customers to access their online accounts. They figured out that to reset a user's password for their online accounts of say Amazon, PayPal, Netflix, and others all you need is your name, billing address, and last four numbers of your social security or credit card on file. Then once they had a new password for the account, they could login legitimately and do whatever they want; copy down full credit cards, order services etc. When they didn't have the last 4 credit card numbers, the ring leader figured out a new trick. He would collect information about a person (name, address, maiden name, security question, personal information like dog's name etc.), then would call the customer support line of a telecommunications provider (say Cox, Time Warner etc.) saying they were a technician dispatched to a customer's home, then they would rattle off the information making it sound like they were there. The tech person on the phone would believe it and offer them more account information or reset the user's password for him. He'd hang up, then login with the temporary credentials to access the account and siphon information like credit card numbers which he'd use to access more accounts.

The Zeus banking trojan is one of the most prolific pieces of malware out there today. Recent updates have shown thousands of websites have been used to serve Zeus and infect visitors. Hundreds of financial institutions have been affected, and European bank regulators have adopted the assumption that every PC connected to the Internet has been infected with Zeus. Zeus is nasty because it infects your computer silently through your web browser, then monitors your online activity to steal financial information and your passwords used to access online accounts.

Data In Transit

Everything we interact with on the Internet is logged. The data we send, the links and images with click on. The URLs we enter, the searches we make, every tweet, like, comment, message etc. is logged. Running a trace between me and Google (which hosts this blog) reveals there are minimally 15 network routing devices (more likely dozens of silent devices) which handle this session. They are logging, scanning, and inspecting this data while it's in transit. There are unknown copies of this data and session being stored for unknown reasons. Google uses SSL to encrypt my session which means only they can decrypt this data when they receive it. However, if they didn't use encryption, then everything I type would be visible to them. Data while in transit is usually unencrypted which means it is visible to everyone between you and the destination. There are ever increasing government regulations which are attempting to mandate and enforce encryption of sensitive personal information while in transit, but compliance is sketchy.

Data At Rest

Once the data has arrived at it's destination, it is stored for an unknown period of time. Could be days, weeks, months, years, decades, or forever. You and I have no idea. We are forced to trust that those holding our data are securing it appropriately. Securing it includes physical as well as virtual access. Think of all the employees who have access to that data and the fact that it's transmitted online means it can be accessed online by good guys and bad guys. Again, government regulations are increasingly requiring vendors to secure data while it is at rest or in storage on their servers. Securing this data can include physical and virtual access controls, encryption, separation of data, summarization of data etc.

Opening Doors

If you don't have an online account, then the possibilities for abuse via the Internet are just about nil. Once you create that account, you've created a doorway and it's largely up to you to maintain the locks and make sure you traverse that doorway carefully. You've opened a door for exposure of your data while in transit and you've created a place where your data can be stored while at rest.

Your browser is another door between your computer, tablet, or smartphone and the Internet. That door way works two ways. Data and applications are transferred in both directions. For more information about browsers, see my 2012 post titled "Web Browsers." Never enter PII information into online forms that are not encrypted. In your web browser, look at the address bar and make sure it starts with https. That "s" is critical as it implies Secure Socket Layer (SSL) is being used to encrypted the data you transmit between your computer and the website.

Email is another door between you and the Internet. Never ever under any circumstance email PII information unless it is secured. Even if you are in the process of refinancing your home as was recently the case for me. Don't fill out those forms, scan them, then email them to the lender. Email is not secure. There are numerous companies and intermediaries between you and the recipient who copy, log, and store that message. Besides, you have no idea if the other end has a secure computer or not. If you are emailing this information you are allowing the other person to store it on their computer. Entering form data into an online form or physically sending it is always a more secure option. Typically faxes are used by the other party to file away or to record the information in a database of some sort, then they are destroyed. Those databases are typically more secure than an individual's computer. Email is much more easily kept on the recipient's computer and not secured in a database or shredded after use. If you have WinZip or a similar program that can create a self-decrypting archive of the file that is password protected, then that's a viable option to transmit the data, but again you can't control what happens on the other end. Make sure you choose a password that is unique and not easy to guess in the context of your email (don't make it easy to guess) and request the person on the other side to delete the email once they have the information they need.

To help secure your data while at rest, it's best to not allow the merchant to save your credit card number or billing address. These features enable easy return visits and future purposes but also allow the merchant to store your information in their databases (at rest). It's another doorway.


The convenience of being able to transfer funds, view transactions, and pay bills from the comfort of your home makes online banking a serious draw. However, before you start or even if you already have, there are some steps you should take to limit your risk.

1. Use your own computer only

Never use a computer other than a device you own and if you are using an Android based mobile device, it's probably a good idea to avoid online banking with it. You can't trust other computers and you can't trust the Android app store (that's a discussion for another post).

2. Don't bank from public WIFI

Avoid doing online banking from any public WIFI network or hotspot. Don't do it at Starbucks or while at the airport or anywhere the WIFI network is used by people you don't know. It's trivial for me to setup a listener on a WIFI network from my laptop and copy down everything transmitted, or even route all the WIFI connections through my laptop in a public area. If you are on the road and in a hotel, use a wired connection. These are much more difficult to spy on.

3. Use AntiVirus

Make sure you are running current AntiVirus software on your computer. This includes Windows and Apple OSX users. For more information on AV, see my 2012 posts on that subject. Banking malware abounds and is likely the single most common malware out there. It exists to monitor your online activities, while recording the data you enter (before it's transmitted), to capture passwords, credit card numbers, social security numbers etc., then to transmit this information to an awaiting criminal. Keeping active AV will help keep this malware off your computer.

4. Check the URL for Encryption

Make sure the bank website uses SSL. Check your web browser address bar and make sure the URL starts with "https." This will secure your data while in transit.

5. Use Multi-Factor Authentication

Make sure the bank uses some sort of multi-factor or two-way authentication. Many online financial institutions today use a security key or picture which you choose when creating your account and include multiple stages of authentication. This image is stored by the financial institution to validate they are who they say they are (an anti phishing/spoofing method). Once you enter your user name, you're presented with this unique word or graphic and prompted for a password. This helps you validate the site is what it claims to be so you can send data in confidence. This also helps to prevent automated password guessing tools which constantly scan the Internet attempting to guess your password to gain access to your account. Password cracking is trivial these days.

6. Username not Account Number

Avoid using your account number as your account username. Credit card companies often allow you to use either option - a name or account number to login. Try to use your username to limit exposure of your data.

7. Use a unique password

Use a unique password for your bank account. Never use this password for any other online accounts. If you have multiple banks, use unique passwords for each. I know it's a pain, but you'll be grateful if one of these accounts is compromised.

8. Don't save passwords

Don't let your browser cache or save your password or account name information. Browsers offer this feature to help ease the process of logging into websites, but this information is stored in your browser and trivial to access by a malware or rogue application. Don't do it.

9. Log off

Log off when you are done. Most banks today will use an time-out feature to log you out automatically when you are idle, but it's a good idea to do it proactively.


Buying stuff online is great. You might find the best deals for stuff online plus the selections and convenience factor simply make online buying a must for most of us. Before you create that account though, there's a few things to do to mitigate the risks.

1. Secure data in transit

Make sure the merchant website uses SSL. Check your web browser address bar and make sure the URL starts with "https." That means the data you enter into your web browser will be encrypted when it is transmitted to the website. This prevents unintended leaking of data in transit.

2. Secure data at rest

Avoid allowing the vendor to save your credit card number. Again, while this may help to ease the process of performing future transactions, allowing the vendor to save your credit card number means your number is being stored somewhere.

3. Use a trusted system and network

Like online banking, avoid using public computers (Internet cafe's) or even a friend's computer to perform online purchases as well as public networks such as WIFI hot spots.

4. Secure your account

Use unique passwords for online vendor accounts. If you use a common password for multiple websites, minimally separate your financial accounts from your bank account and email accounts.

5. Use trusted vendors

Try to restrict your online purchases to major retailers and avoid sending your credit card information to online versions of mom-and-pop shops. I know this sounds like I'm promoting big business, but these big businesses have more resources to secure your data and typically fall under greater government regulations.

In Conclusion

As I mentioned in the introduction, performing financial transactions through the Internet presents significant risks. These risks can be mitigated to a degree which may make you feel comfortable. The fact is you will probably encounter and become a victim of fraud at some point, no matter how careful you are. I have had credit cards stolen twice. It simply is a symptom of the world we live in. The only way to mitigate this risk 100% would be to avoid the Internet altogether. Since that's likely not to happen, take care and you'll be relatively safe.

Wednesday, January 16, 2013

Risks of Social Media


Before you read, please remind yourself that I'm paid to be paranoid and to know about things that would make you paranoid. I'm trained to see vulnerabilities, gaps, weaknesses, things that could be used in ways other than intended, and specifically to find how things can be abused. Knowing all that might help lighten the tone a little. Yeah, I'm overly paranoid...but that's my job.

That being said, I hope to share with you some words of caution as you use social media applications and websites like Facebook, LinkedIN, Instagram, Twitter, and whatever else fulfills your self-glorifying needs. Sorry for the thinly veiled dig...but you know what I mean. This post is dedicated to the perils of social media from a risk perspective. A follow-up post will come soon about how to use social media safely (as much as you can).

There is No Internet Privacy
Once it's online it's forever online so be careful what you post

If you send it or post it assume you have released ownership.

Everything you do online is logged. It's recorded by something and saved somewhere outside of your control. The privacy controls given to you are intended to limit access via authorized channels from other users like you, but the fact remains that the information (text, pictures etc) is no longer in your possession and someone else has control of it. Most providers use data about your Internet activities for advertising purposes. Others track your Internet associations for statistical analysis. Still others resell your information. Ever notice that you suddenly get inundated with website advertisements for topics you just Googled or for a product you just bought off That's a simple example. What you do is logged, recorded, and used.

The announcement today by Facebook and their new search utility is a great example. Now you can perform analytic searches in Facebook for things like "places my friends have been to" and get a list of places, pictures, and videos from your friends and all the places they've been. They advertise a few other examples like searching for people who like trail running or road trips or dancing or people from your company who like to ski. To do that, Facebook had to review, analyze, categorize, catalog, group and query your stuff. This one frightens me. How about the news media or government doing a search for "people who like the NRA." Yikes. In response, I removed some content from my Facebook page today that could be used in these sorts of searches and received a warning that my content would still be included in Facebook Graph search results. That means they've already tagged it and stored it somewhere else and will continue to make it available.

Now think about everything you've done on Facebook or Twitter. Everything, content you added or have "removed" or "deleted" is stored somewhere. Every message, tweet, status update, like, comment, picture, literally everything is stored by the social media provider, it's being analyzed, cataloged, and used for something other than to let your friends know what's happening in your life. That's how they make it available to others to view; the data is stored on their servers. To provide continuity of operations and ensure that experience is always available, that data is moved around, backed-up, transported to other servers etc. all behind the scenes. They also use this data to feed you personalized advertisements or recommendations for content, peers, pages etc. Now, you would think that when you delete or remove something, it's deleted off the social media provider's servers, but in the case of Facebook and others, this is not so. They simply mark that content as unavailable from your page via normal users like you...but it's still there in their databases and it has already been summarized, trended, analyzed, and used.

I know you're thinking, "I don't do or say anything wrong so I'm safe," or perhaps, "well that's ok, the stuff I don't want public, I'll delete so it's unavailable and I have nothing to worry about." Ok, what happens when Facebook changes their policy, or get's hacked, or get's a subpoena to provide relevant content in court, or snip-its of information is leaked out-of-context, or in the future that benign information may become socially unacceptable? Is it really benign forever? What if someone wants to perform a historical search of everyone who visited a location on a given day? Or let's say a rogue employee is bribed into selling your information to an advertising firm or identity theft ring. Or let's say the government wants to know everyone who is opposed to gun control legislation. The possibilities for leakage and abuse abound and aren't just limited to the social media provider. The implication is whatever you post can and likely will become public at a later date.

In a recent example, Instagram announced a change in their content use policy that said all the pictures users have uploaded are free for them to use or sell however they wish. Your pictures being sold by them to whomever and for whatever. Wouldn't that be funny if you suddenly see one of your pictures in a magazine advertisement? Maybe not. What about a picture of your family or your kids. Yeah, not so cool. Instagram has backed off due to public response, but what they are doing with your pictures still isn't clear.

News organizations have been accused of infiltrating social circles by paying off friends of people associated with newsworthy individuals. Ever wonder how your local news organization gets information from a suspect's Facebook page? They find friends and offer them cash for information (allegedly of course).

In another really dumb example, an 18 year old posted to his Facebook page an apology for the hit-and-run he just caused saying he was driving home drunk. Bad idea because some of his "friends" clearly didn't appreciate his behavior and reported him to the police. Think of a more benign example, like let's say you post out of frustration that you've spanked your kid 5 times today and they just aren't correcting their behavior and you need advice on some other methods of behavior correction. A "friend" might consider this abusive and might report your actions to CPS. Do you really know all your friends and their perspective? Would you share that post with everyone you know and people you don't know?

Email and messages (including SMS or text messages) are even more dangerous as shown recently by the leaking of General Petraeus' personal email which was later used to oust him from his role as CIA director. Once you click send, you've released ownership of that information. It's out there and you have no control. The recipient has it and it's been copied and logged along the way. Now the recipient has ownership and control. Whom they choose to forward the message to is completely unknown to you. Who is logging those emails as they traverse the Internet is unknown, but you can bet intelligence organizations are watching.

Ironically, European governments and privacy groups have already figured this out and are hitting social media giants with regulatory controls. In the UK for example, Facebook has been required to provide users upon request, an archive of all the information Facebook has about the individual. Researchers, advocates, and regular users were shocked to find data they thought they had deleted, still held by Facebook.

While figuring this out, researchers also discovered that Facebook is proactively building social connections from your information to provide predictive capabilities for current and potential users. Ever notice that people who create new Facebook pages are instantly inundated with recommended social connections? That's because Facebook is quietly building shadow profiles for potential future users. When you enter someone's name in a post, Facebook performs a lookup of that name in their database to see if that person has an account so they can be tagged. If they don't yet have an account, then Facebook creates one for them. These "ghost" accounts are there in case the individual happens to create an account in the future. Scary stuff really.

The point remains - once you post, send, like, or upload, the data is no longer under your control and is being used for reasons beyond your intention. Ask yourself, "do I want this on the Internet forever with no ability to explain or provide context or control?"

Location Services Like GPS and Checking In Reveal More Than You Realize

This one above all the social media privacy concerns annoys me the most. I cringe whenever I see "Joe Mama is at Victoria's Secret with Matt Johnston." Ok, that's a joke, but you get the point. Call me old fashioned, but I really don't want my whereabouts broadcast on the Internet. If I want someone to know where I am, I'll let them know. Again, you never know who is sitting behind the data and what they could be looking for. It makes me feel special that you like people to know you're with me, but how about a little privacy? So most of these GPS or location related updates aren't embarrassing but in my world knowing someone's locations is a huge personal and virtual security risk. When we travel, we try not to broadcast to others that we're away from home. Again, call me old fashioned but I don't want to advertise that my house is empty for the next 5 days or whatever. I think I can trust that none of my true friends would rob my house, but again, I don't know who their friends are or what their Facebook sharing settings are set to. Let's say I checkin from Hawaii and you post a comment that says "have fun on vacation" and you're sharing with public or one of our friends that information is public. I know it sounds over paranoid, but yes, people are trying to befriend you to get closer to others. You do it too. Let's say you're trying to get into a social circle and you friend someone in that you're in and you get visibility into that group. I'm not speaking of Google circles but rather general social groups. So while I'm just trying to brag about my vacation, I'm also letting people I don't know that my house is empty.

Besides annoying and having physical security implications, there's also the risk of data mining and targeting. Again, let's say someone wants to know everyone who attended an event or location...for whatever reason. You've enabled them to track that. In light of this gun debate in the country, let's say someone wants to know everyone who attended an NRA event or a gun show or a gun range etc. If you've checked-in, you've been tracked and you have no control over how that information is going to be used nor by whom. That might seem like an extreme example, but remember there are people out there with all sorts of criminal, social, and political motivations that you can't possibly account for.

Invasion of Privacy: Image Tagging

This one is similar to checking in with GPS location enabled, but it's worse because it's imposed on you by someone else. Ever done something or been somewhere you wouldn't share with all of your social associations or if taken out of context could be really bad? Here's a scenario I found myself in. As I mentioned before, I don't like broadcasting that I'm away from home. I also don't like Las Vegas. I don't like what it represents, and I don't like what goes on there. It's assumed when you tell someone you were in Las Vegas that you were there doing something bad. Because after all, that's why people go right? I also consider my life a morally respectable one (in whole). I also happen to serve in leadership roles at my local church body. While I strive for transparency since we're all on this journey of life together, I'm also careful about to whom I share what with because again, context is everything. So I find myself on a business trip to Las Vegas at the Hard Rock Hotel and Casino standing next to Billy Idol in the green-room at a private concert co-sponsored by my company. I put a picture of Billy and I up on social media. The responses I got were really interesting. Some included shorts like "cool!" I got a few "likes." I also got a "wow, I didn't know you were such a wild child." Hrm...hadn't thought that image would lead to that conclusion. While at this experience, Las Vegas was on full tilt. You can assume away.

So now let's speculate a little. If you knew little to nothing about me, but saw this picture and heard from one of your friends who may have also been there that the concert was wild and the night ended early AM involving any sort of Las Vegas endings, you might assume that I participated or endorsed said activities. This is an extreme example, but I'm sure you get the picture. That mere image could be used to communicate anything you want and I don't have any control over the context or story behind it. I have no way of telling others who may have seen the image why I was there or that it was a company event and hanging out with Billy was a company function. This one was my choice...but may times image tagging isn't your choice. Let's say someone else snapped that picture from their smartphone, tagged me, and posted it, but I intended to keep that image and event private for personal reasons. Too bad. Insert yourself into any physical location or event you don't want to broadcast your presence at and someone you know there happens to snap a picture, post it, and tag you in it. You see my point.

Unintended Associations: Invitations and what they say about you

Another notification I cringe when I see on my wall: "Joe Schmoe has invited you to the event 'Free Tattoos'." Or better yet, "Jane Smith has invited you to the event 'How to recover from bankruptcy.'" Ok, so what if I didn't want everyone knowing I am getting a tattoo or going through financial trouble? These are made up examples, but I've seen some invitations as jokes, some totally benign, and some quite embarrassing. Let's say a friend wants to invite you to a political event. And of course when you click on the event, you see the list of everyone else invited, so now you know who else is getting tats or going through tough financial times. Do us all a favor and pick up the phone or shoot an email. If you choose email, BCC everyone to help protect the reputation and dignity of everyone.

Unintended Visibility: Friends of Friends

This one happens all the time. I see a comment regarding someone I know nothing about and whom isn't one of my friends. In this scenario, a friend of mine (Joe) has a friend (Jane) who posts something. Let's say Jane says "just cooked eggs for breakfast" and Joe posts a comment saying "wish I was there!" Now I know some lady named Jane had eggs for breakfast. Yeah, that's benign, but again think of other scenarios like if Jane posts something personal which she only intended for her "friends."


Social media sites are great tools for espionage and information theft. I already cited examples of how someone can track you using the GPS check-in and tagging features of social media. Well what about the personal information you enter which seems benign or would help potential friends identify you. Now think in context of what information is needed by your bank to validate your identity over the phone. Name, mother's maiden name, date-of-birth, personal question (dog's name, city you were born in, best friend etc.). That's stuff people post to social media all the time. Just by monitoring your Facebook account I could probably call your bank, throw information at them, and get them to think I am you. Now think about all the information you put about your career on LinkedIN. There are groups out there trying to use you to infiltrate the organization or company you belong to. The more they can gather about you online, the more potential points for blackmail they have.

Kids and Their Future

On one hand, it's cool to be able to share pictures and videos of all the cute things your kids do. It's a great medium to share that fun part of life with friends and family. But think about your children in 10...20...30...40 years. Will they want that remark or picture or embarrassing moment documented on the Internet? Could that image or post be used against them? Give them an honest chance.

Moving Target

Above all the greatest risk with social media is that it's a moving target. Today the rules and privacy controls are defined, but as Instagram and Facebook have shown us recently, those rules are subject to change at any moment and especially if it gives them a competitive advantage. We have no idea who or what will have access to the information we post through social media.

Be safe out there!

Someone Hacked my Email

Ever receive an email like this one and wonder...huh?

From: Some Friend <>
Date: Tue, Dec 25, 2012 at 12:23 AM

Hi, I tried an it was wonderful. I hope have fun with more like me.

Within a few days, you'll usually see another email from this same person to a massive distribution list saying something like,

"oh no, my email account has been hacked. If you received this I'm so sorry but it wasn't me!"

Or worse yet, ever been the one who receives an email from a friend that says,

"Um, I think your email account has been hacked. I just received a really odd message from you with some link to a foreign website."

Whether you are the recipient of these fake emails or the sender, there are things to be done ASAP to ensure you don't become or haven't already become a victim.

What really happened?

We like to toss around the word hacked because it sounds cool. In reality, very few of these phishing emails actually come from a hacked email account. If the source is a friend of yours, then it's likely their computer has been compromised with malware or their email account is being accessed by someone else who guessed the username/password or stole the credentials through malware on their computer or through an online account that uses the same password. Most likely, they have some email address stealing malware on one of their computers which has accessed their address book and is generating phishing emails to everyone in the list. If the email came from you, then re-read the above replacing "they" with "you." Typically these emails don't actually come from the computer of your friend, nor from the actual email account. They are generally spoofed to look like they came from your friend, but if you look at the technical information (email headers), you'll see they were probably sourced from someone and somewhere else using your friend's name. That's why when you look at your sent items, you don't see the fraudulent emails. The action of hacking is typically an active effort where someone intentionally targets you and infiltrates your computer through an active process. Most compromises today are passive and non-targeted (among the general public). I don't consider these to be "hacks." The word compromised is a more accurate representation of what has actually happened. Either a computer has been compromised, or an email account.

What should you do?

If you received an email like this from someone you don't know, delete it right away and run a full AntiVirus scan on your computer. Never click the link or open any attachments. If you didn't click, then you're probably safe, but run that scan just to be sure.

If you received an email like this from someone you do know, run the AV scan right away, don't click the link, don't open any attachments, don't forward the email, but do send a new email to the originator (your friend) letting them know about it. Delete the original as soon as possible. Don't worry, most likely there isn't someone else sitting on the other end reading your response, and even if there is, you aren't leaking anything or opening any new doors; they already have your email address.

If you were the sender (or if the email appears to have come from you), you've got some work to do. Don't panic and don't be embarrassed...this happens all the time.

1. Immediately change the password on all your online accounts that use that same password. It's a good rule of thumb to make sure you don't repeat passwords between different online accounts, but if you do, make sure you don't blend communications and social media account passwords with sensitive stuff like bank accounts. Don't use the same password for email/Facebook as you do for your bank/investments/medical provider etc. If you did use that same password on other accounts (especially bank accounts), login with your new password and scrutinize all recent activity and keep a close eye on transactions for a while. Report anything fraudulent to your bank. Many people minimally have the following online accounts (just to refresh your memory) which may be tied to your email account somehow:

  • Email (multiple accounts probably with your ISP plus some webmail)
  • ISP/Cable provider
  • Cell phone provider
  • Financial institutions (bank, credit cards, retirement, investments, brokers)
  • Mortgage company
  • Utilities (gas & electric, water, sewer, waste management)
  • Social Media (Facebook, Twitter, LinkedIN, Instagram)
  • Clubs or memberships
  • Subscriptions
  • Online retailers (Amazon, Apple, etc.)

2. Update your AV and run a full system scan ASAP. Clean up anything the AV engine finds, reboot, and re-run the full scan. If the problem persists beyond AV's ability to clean or comes back immediately after a reboot, then you likely have some form of bootkit or rootkit which will require a new hard drive and a re-install of all your software. Time to call in professionals or friends who are professionals during the day.

3. Contact your email provider and let them know your email account has been used fraudlently. If possible, forward the fraudulent email to them. They usually have some sort of abuse reporting capability and often run investigations to determine if anyone else may have been victimized. More sophisticated email providers actually profile these fraudulent emails to attempt to attribute them to an actor or group and to provide future defenses for their users. Check your email provider's website for contact information. When you do notify them, provide them your new contact information (email address) and let them know you will be taking the next step so they don't try to contact you on that same account.

4. Disable or delete your email account and create a new one with a different password. Notify all your friends and family to ignore any future emails from that old account. I know this is a pain, but once your account has been used, you can bet it will continue to be used unless you delete it. You are putting yourself and your friends at risk if you don't delete the account.

5. If you are super curious and want to know what the file attached to the emails or the link in the spoofed emails would do if you did click on them, contact me and I'll run it through my lab. You can also submit it (copy/paste - don't click!!) to and they will give you a threat score.

Most likely, you have been used as an object of opportunity and you aren't going to continue to be targeted. If your adversary did access one of your online accounts through your legitimate credentials, then they may try again, but most likely they have a long list of more victims to use and they will be on their way. Again, don't panic and don't worry.

Tuesday, January 15, 2013

2013 Cyber Predictions


It's that time again. As people are settling into their 2013 routines, companies and organizations are implementing their plans for the year. I've already been asked for my 2013 Cyber predictions to help a) direct defenses and b) direct marketing. The questions from cyber sensitive executives are "what do I need to prepare for?" and "what do I need to invest in to capture the trend."

I've already reviewed several "2013 Cyber Threats" prediction reports from numerous security organizations. Many of them tout numbers and try to gain the reader's confidence by tossing out facts and figures from 2012. In short, these are all just marketing slicks designed to get people to buy more from the company authoring or sponsoring the report. The least self serving I've seen actually came from McAfee because they actually took a self-serving approach. They asked their customer base "what is it you want us to invest in this year?" Others try to tell their customers and potential customers what it is they should invest in from their products and services, using the "report" to drive sales.

In short no one can prove or disprove these predictions. They are all contextual. Those being derived from data points are limited to the data points captured by the authoring company. If the company is strong in the compliance market, chances are their "data" will predict issues in compliance. If the report is from an AntiVirus vendor, chances are it will be all about malware.

In terms of accuracy  looking back at reports from early 2012, you can find truth to them all. Why? Well because the cyber security space is so diverse. There's bound to be at least a few predictions that turn out to be true from everyone. It's also relatively easy to make predictions based on generalities. The hard "data" to support the predictions is again, just marketing fluff in my opinion. The core premise we need to all remember is the adversary is out to get to our data using what we use and abusing the trust we place in computing as their path. They are opportunists and lazy at the same time. They will target what we use, and popularity drives their focus. The more popular the medium, the more they can re-use their weapon.

And so...without using any hard facts or figures, I deliver my predictions for 2013.

1. Malware sophistication will increase.
Given the fact that the adversary doesn't want to be found or detected, and given that malware kits are increasing in availability and usability, I predict we will continue to see more and more sophisticated malware this year. More specifically I believe rootkits and bootkits will become the mainstay of malware used in common exploit kits. Rootkits and bootkits install themselves outside of the operating system (in the boot sector of the hard disk), hence achieving persistence beyond a reboot and beyond any operating system based removal and mitigation (such as antivirus software). Along these same lines, I have a sub-prediction in which we'll see an increase in single-use malware. Traditionally malware is mass produced and mass used, but this is due to the level of sophistication required to develop and delivery the malware. Again, with the rise in popularity and ease of use of adversary kits, I believe the uniqueness and customization of malware will also be on the rise. This is dangerous since most malware detection and prevention solutions still rely on fingerprinting of known malware rather than behavioral analysis of malicious characteristics.

2. Mobile devices will be the targeted platforms of choice
This one's a no-brainer. Just about everyone has a smartphone or wifi enabled tablet of some sort. Just about every user of said device uses their platform for personal and business related work. The mass majority of these even use their personal devices on corporate or business networks or while at work. A very few actually incorporate the same level of security on their mobile device as they do for say their work computer. Hence a target of opportunity for the adversary; unsecured and unprotected access to multiple data sets and networks. What other device has voice and video recording, Internet access, data send/receive, multiple network connection methods, and is physically carried between secure and insecure environments? If I want to steal intellectual property, a great way to do that would be to embed malware on your iPhone or Android device which monitors GPS and engages the microphone to record when you reach a certain location (say your office), then sends the recordings via data feeds, SMS text, email, cellular band, or website uploads?

3. Social media will be used for espionage and compromise
One simple reason; we're careless with social media and our social lives are closely related to our personal information. Think of it this way, what do you need to confirm your identity with your bank or credit card provider? Name, Mother's maiden name, date-of-birth, and some question about your past, your likes, your family etc. How about "dog's name" as a security question. Well, let's say all this information is available through the posts, comments, likes, and pictures you upload to social media. A smart thief can probably use personal information from your social media to validate your identity. Not to mention social media is often used at work or on personal devices while at work. If an adversary can inject your computer through social media they can travel with you. Social media applications themselves are designed to bring people together, not validate identities, and still we inherently assume the person sending us the friend request or message is who they say they are.

4. Attacks against banks and bank fraud will increase 
Again, no rocket science here. Criminals are after money. Banks hold our money. Enough said.

5. Attacks against Internet infrastructure will increase
By this I'm referring to attacks against the systems that make the Internet possible; the infrastructure. As we saw in 2012, governments across the globe are increasingly becoming interested in what their citizens are doing online and whom they are communicating with. This isn't isolated to tyrannical states like Iran as evidenced by the leaking of CIA director General Petraeus' private emails. Espionage is on the rise and since people are increasingly turning to the Internet to communicate (SMS text, email, blogs, social media, VOIP etc.), nation states will be there waiting. We've already had one example with the certificate authority compromise involving Google and TURKTRUST.

6. Spear phishing will increase in sophistication
Spear phishing remains to be the delivery method of choice by the adversary because people are click happy. We like getting email, we trust the sender, and we feel compelled to respond. So I predict we'll all see more targeted spear phishing emails in our inboxes that will increasingly look more and more legitimate or too enticing to pass up. Typically these phishing attempts are easy to spot, but they are getting better and will continue to do so.

7. Multiple major company breaches 
Even given all the media hype and buzz and self awareness of security issues, I still see the mass majority of companies viewing cyber threats as something to be controlled through insurance and non-disclosure rather than advanced and comprehensive defense. They believe they won't be targeted and if they are they believe the damages will be less than the cost to adequately secure; it will be covered by insurance. Security is deployed to meet government mandates and to improve public or investor confidence, but will be woefully under funded and half-way implemented. I read a statistic recently that said 10% of companies in the US (small, medium and large) understand the threat and are taking steps to adequately defend. 10& more understand the threat but aren't taking adequate steps. 80% believe there is no threat or they won't be targeted and security is another form of insurance; buy what you need to have some level of coverage to comply with a mandate or just because it's a good thing to do. I've also seen a related statistic from an in-the-know source that says 100% of companies have already been compromised by a nation-state and just don't knot it. That's not 100% of the fortune 500, that's 100%. Because we continue to misunderstand this problem, we'll continue to see some major breaches this year. Security is expensive and corporate leadership continues to believe they are alone in this fight. They continue to believe that non-disclosure is the best approach because it saves face and keeps investors happy. In reality it keeps everyone ignorant and that trickles down. Executives don't want to report to their board and shareholders that they've been had, and so they don't want to hear it from their support staff, and so the data is ignored or solutions half-implemented. Head in sand.

8. Cyber war 
There it is, yep, I gave into the hype and added it to my list. I can add it because there continues to be no standard definition of this term. Victims of nation-state sponsored cyber activity (espionage, theft, and disruption) continue to cry "war" as a means to obtain international support and pressure while perpetrators tend to point to the lack of physical damage as defined by traditional international conventions and definitions of war for protection. Further, because every nation has a vested interest in continuing to use the cyber world for espionage and virtual advantage, we'll see more of it in 2013. The recent stuxnet actions which did cause physical damage to Iranian nuclear infrastructure got by because Iran doesn't want anyone looking closely at what they are doing. They aren't going to complain too loudly.

9. Data stolen from the cloud 
Another easy one to predict as more and more companies move their data and services to the cloud. Adversaries go where the data and money are. If it's in the enterprise, they'll target the enterprise. If it's in the cloud, or the cloud as a trusted partner can be used to access the enterprise, they'll go there. Either way, the growing popularity of cloud based services means the growing attention by the adversary. It'll happen. This year, something will get leaked which will result in a massive breach and questioning of the security of the cloud. Further since people seem to get easily confused by the cloud, they struggle to understand security in that context and struggle to implement adequate defenses.

10. Extensive breach of private records 
This one is similar to item 7, but I separate it by the data and I believe this one will be government focused. Specifically, and at the risk of sounding political, I'll say this one will be directly related to private medical records and Obamacare. I say that because Obamacare mandates centralized collection and storage of citizen's medical records for access by any medical provider. Common storage and common access. Having seen how the government protects the .com and .gov world, I have no doubt these Obamacare data warehouses or access systems will be breached and a massive amount of private medical records will be stolen and leaked online. The perpetrator will likely be hactivists like Anonymous trying to embarrass the government or trying to embarrass those tasked with guarding the information. This one might lean into 2014 since Obamacare continues to limp along in implementation while everyone and their brother, sister, mother, father, aunt, and uncle try to stop it. Only the imposers are exempt (isn't that interesting?).