Monday 31 August 2015

Our First Birthday


It's been a year since the first post appeared on the ISL blog! On September 1st we celebrate our birthday, and to thank all our loyal followers we have set up a small giveaway as the least we can do for all your support. The whole process is powered by Rafflecopter, and all you have to do is follow us on Twitter, tweet about our birthday, or visit our Facebook page. Each of these actions gives you one chance to win one of the prizes.

  1. One (1) winner will receive a 12 months Heimdal Pro premium subscription, (approximate retail value or "ARV": €34)
  2. One (1) winner will receive quertyCard (approximate retail value or "ARV": €4.99)
The giveaway will last for the entire September, so the winners will be announced in the first couple of days of October.

You can enter the giveaway through our special Giveaway page.

Friday 28 August 2015

Tell Me Who You Are, and I Will Tell You Your Lock Pattern


You are predictable, your passwords are predictable, and so are your PINs. This simple fact is often exploited by hackers, as well as the agencies watching you. But what about your Android lock patterns? Can who you are reveal what patterns you create?

Pattern unlock is one of the entry protection mechanisms in the Android system for unlocking the screen. It was introduced by Google in 2008. By connecting 4–9 dots in a 3 x 3 grid, the user sets up an unlock pattern that is equivalent to a password or a PIN. As an alternative to the traditional password/PIN, the visual pattern has gained popularity because of its potential advantages in memorability and convenience of input. However, the limited pattern space and existing attacks such as shoulder surfing or the smudge attack make this mechanism weak in security.

A recent study by Marte Loge, as part of her MSc thesis, presents the results from a set of 3400 users and their selected lock patterns.
"Humans are predictable, we're seeing the same aspects used when creating pattern locks [as are used in] pin codes and alphanumeric passwords."
Android lock patterns can contain a minimum of four nodes and a maximum of nine, giving 389,112 possible combinations. As with passwords, the number of possible combinations grows exponentially with the length, at least up to a point.

Loge asked subjects to create three ALPs (Android lock patterns), one for an imaginary shopping app, a second for an imaginary banking app, and the last to unlock a smartphone. Sadly, the minimum four-node pattern was the most widely created one by both male and female subjects, followed by five-node ALPs. For reasons Loge still can't explain, eight-node patterns were the least popular, attracting significantly fewer subjects than nine-node choices, even though both offer the same number of possible combinations.

The minimal use of eight-node patterns, by both males and females, was a surprise. Both sexes were two to four times more likely to choose a nine-node pattern rather than one with eight nodes, even though both provide precisely the same number of possible combinations. Another unexpected finding: left-handed users tended to pick the same starting points as their right-handed counterparts.

Males were much more likely than females to choose long and complex patterns, with young males scoring the highest. The slide below illustrates the overall breakdown between men's and women's choices.

Loge said the number of nodes isn't the only thing that determines how susceptible an ALP is to guessing attacks. The specific sequence of nodes is also key in how complex a pattern is. Assigning the nine nodes the same digits found on a standard phone interface, the combination 1, 2, 3, 6 will receive a lower complexity score than the combination 2, 1, 3, 6, since the latter pattern changes direction.
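To quantify the pattern space described above (the 389,112 total, and the equal number of eight- and nine-node patterns) and the direction-change idea behind the complexity score, here is an added Python example; it is not code from the original post or from Loge's thesis, and its direction-change count is a simple proxy assumed here, not the metric of the 2014 paper.

```python
"""Measure the Android lock pattern (ALP) space.

Added example, not code from the original post or from Loge's thesis.
Nodes are numbered 1..9 like a phone keypad (1 2 3 / 4 5 6 / 7 8 9).
Android's drawing rule: a stroke may not jump over an unvisited node lying
exactly between two nodes; once that middle node is in the pattern, the
jump is allowed. The direction-change count is a crude proxy chosen here,
not the strength metric of the 2014 paper mentioned in the post.
"""
from collections import Counter
from math import gcd

# Node number -> (row, col) on the 3x3 grid
POS = {n: ((n - 1) // 3, (n - 1) % 3) for n in range(1, 10)}


def between(a, b):
    """Node lying exactly halfway between a and b, or None if there is none."""
    (r1, c1), (r2, c2) = POS[a], POS[b]
    if a == b or (r1 + r2) % 2 or (c1 + c2) % 2:
        return None  # midpoint is not on a grid node
    return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2 + 1


# Precomputed lookup: (from, to) -> node that must already be visited, or None
MID = {(a, b): between(a, b) for a in POS for b in POS}


def valid_next(path, nxt):
    """Can the partial pattern `path` legally continue to node `nxt`?"""
    if nxt in path:
        return False
    mid = MID[(path[-1], nxt)]
    return mid is None or mid in path


def is_valid(pattern):
    """True if `pattern` obeys Android's rules: 4-9 distinct nodes and no
    jump over an unvisited node."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    path = [pattern[0]]
    for nxt in pattern[1:]:
        if not valid_next(path, nxt):
            return False
        path.append(nxt)
    return True


def enumerate_patterns(min_len=4, max_len=9):
    """Yield every valid pattern as a tuple of nodes, by depth-first search."""
    def extend(path):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(1, 10):
            if valid_next(path, nxt):
                path.append(nxt)
                yield from extend(path)
                path.pop()

    for start in range(1, 10):
        yield from extend([start])


def count_by_length():
    """Number of valid patterns for each length 4..9 (they sum to 389,112)."""
    return dict(sorted(Counter(len(p) for p in enumerate_patterns()).items()))


def direction_changes(pattern):
    """Count the turns in the drawn path (crude complexity proxy, see above)."""
    def unit(a, b):
        (r1, c1), (r2, c2) = POS[a], POS[b]
        dr, dc = r2 - r1, c2 - c1
        g = gcd(abs(dr), abs(dc))  # normalise so 1->3 and 1->2 both read "right"
        return (dr // g, dc // g)

    dirs = [unit(a, b) for a, b in zip(pattern, pattern[1:])]
    return sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)


if __name__ == "__main__":
    counts = count_by_length()
    for n, c in counts.items():
        print(f"{n}-node patterns: {c:>7}")
    print(f"total: {sum(counts.values())}")
    for p in [(1, 2, 3, 6), (2, 1, 3, 6), (1, 3, 2, 4)]:
        print(p, "valid" if is_valid(p) else "invalid",
              "direction changes:", direction_changes(p))
```

The per-length counts make the post's point concrete: the four-node minimum leaves only 1,624 patterns, while eight and nine nodes both give 140,704.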

A team of researchers formalized this scoring system in a 2014 paper titled Dissecting pattern unlock: The effect of pattern strength meter on pattern selection. They analyzed the characteristics of all valid patterns and proposed a way to quantitatively evaluate their strengths. They also designed two types of pattern strength meters as visual indicators of pattern strength.

Data breaches over the years have repeatedly shown some of the most common passwords are "1234567", "password", and "letmein". Loge said many ALPs suffer a similar form of weakness. More than 10% of the ones she collected were fashioned after an alphabetic letter, which often corresponded to the first initial of the subject or of a spouse, child, or other person close to the subject. The discovery is significant, because it means attackers may have a one-in-ten chance of guessing an ALP with no more than about 100 guesses. The number of guesses could be reduced further if the attacker knows the names of the target or of people close to the target.

Loge had several suggestions for ways to make lock patterns more secure. The first, naturally, is to choose one with more nodes and a higher complexity score. Another is to incorporate crossovers, since it makes it harder for an attacker looking over the target's shoulder to trace the precise sequence. Better yet, she suggested people open the Security category in their Android settings and turn off the "make pattern visible" option. This will prevent the drawing of lines that connect each pattern node, making shoulder surfing even more difficult.

Full disk encryption won't save you if your lock pattern is L - as in "loser"

Sunday 2 August 2015

Patch Management for Home Users


For system administrators, patch management is a routine activity. But for most home users, patch management is uncharted waters. When to patch products and how often patches need to be applied are questions that most home users never think about. Knowing what to patch and when can make a difference in the security of your home computer or network.

First things first, let's clarify some terms. The following definitions come from a post by Allen Householder on the CERT blog.

Zero Day Exploit (a.k.a. 0-day)

There are many definitions of zero-day exploit available. These definitions are not merely diverse wordings that map onto the same concepts; they refer to distinct (albeit related) concepts.

"A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack." — SearchSecurity

By the way, nothing in this definition talks about patch availability. We'll come back to that in a moment.

"A zero day exploit attack occurs on the same day a weakness is discovered in software. At that point, it's exploited before a fix becomes available from its creator." — Kaspersky

Stating it explicitly: if the following events occur (a) a vulnerability is announced by a vendor, (b) a patch is provided along with the announcement, and (c) it is exploited on the same day (whatever you decide that means, just be consistent), definition 1 says it's a zero-day exploit while definition 2 says it isn't.

"An attack on a software flaw that occurs before the software's developers have had time to develop a patch for the flaw is often known as a zero-day exploit. The term "zero-day" denotes that developers have had zero days to fix the vulnerability. It can also refer to attacks that occur on the same day (day zero) a vulnerability is disclosed. In fact, some zero-day exploits are the first indication that the associated vulnerability exists at all." — Tom's Guide

Here we find that the definition hinges on the existence of a patch. A strict interpretation of this definition would permit someone to apply the zero-day exploit label even if the vulnerability is known to the vendor and the public long before the first attack. The vulnerability may have been known to the vendor for months, and a patch is in development but does not yet exist. Thus definition 3 directly conflicts with both definitions 1 and 2 above. Definition 1 says nothing of patches. Definition 2 talks about patch availability, not existence.

"Zero-day attacks...software or hardware vulnerabilities that have been exploited by an attacker where there is no prior knowledge of the flaw in the general information security community, and, therefore, no vendor fix or software patch available for it." — FireEye

Granted, this definition is for a zero-day attack, but since it mentions exploitation, I think we are justified to include it here. FireEye adds hardware to our growing list of definitions. Further, they discriminate based on the state of knowledge of the general information security community, with the implication that if that community is unaware of the vulnerability, there must not be a patch available. From context, this general information security community appears to be larger than the affected vendor(s) yet smaller than the public. So while it shares some degree of overlap with the other definitions discussed above, it remains distinct in its referents.

There is no generally accepted formal definition for "0Day (also known as zero-day) vulnerability." The term has been used to refer to flaws in software that no one knows about except the attacker. Sometimes the term is used to mean a vulnerability for which no patch is yet available.

Not long ago, the Italian firm Hacking Team was hacked and at least two zero-day exploits the firm possessed were released to the public, along with about 400GB of company emails and other data.

Hacking Team has long been a source of controversy because the company sells surveillance tools to law enforcement and intelligence agencies around the world—among them repressive regimes that use the tools to spy on human rights activists and political dissidents.

But the hack of last week highlights another serious issue around Hacking Team and companies like it that stockpile or store zero-day exploits, including software vendors who run bug bounty programs: they can be rich targets for hackers who might want to steal the zero-days to use them for nefarious purposes or sell them. This places an added onus on companies to protect their repositories to prevent the zero-days from getting into the hands of unintended parties.

Automating Patch Management

Enable auto-update for your software. Apply patches any time a program asks (needs) to be updated. Although an update is not always issued for security reasons, a security patch may ship along with it. Microsoft Windows offers automatic Windows updates, and in its newest release, Windows 10, installing them is no longer optional. So keeping Windows up to date is easier than ever for users who choose this option.

Problems with Patches

The main risk with patching software is breaking other programs. This is usually only the case with updates to larger programs that other programs depend on, such as operating systems or antivirus software. Applications that no other software relies on are usually immune from this. With automated patch management this can happen without you realizing it. The problem can be combated with manual patching, but knowing when and what to patch may be a hassle for home users.

When to Patch?

The short answer is: as soon as a stable patch or fix is released by the vendor. It is good practice to check for patches to your software products about once per month. If you use your computer on a daily basis, or the computer stays online constantly, as with high-speed connections, you may need to opt for a stricter patching schedule, such as weekly or bi-weekly. Of course, using automated patch management software can eliminate the need for such time-consuming tasks.

As mentioned, automating patch management can save much time and energy. Check with your software vendor for information on when patches are usually available, and also check whether the program offers automatic updates. This mundane task can be handled with little user intervention and may be possible to run at times when the computer is idle, or late at night when it is not in use and the download doesn't compete with your browsing for bandwidth.

Act proactively in order to minimize exposure to known vulnerabilities and zero day attacks.



Information Security League, through our partnership with Heimdal Security, offers you a 70% discount to the Heimdal Pro. Just use infosecleague34 as voucher code in their site when you order the product.

Wednesday 29 July 2015

Stagefright: The Latest Android Phobia


Zimperium zLabs discovered what they believe to be the worst Android vulnerabilities found to date. The vulnerabilities, nicknamed 'Stagefright', lie in a media library of that name that processes several popular media formats. Since media processing is often time-sensitive, the library is implemented in native code (C++), which is more prone to memory corruption than memory-safe languages like Java.

These issues in the Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. An attacker needs only your mobile number: with it, they can remotely execute code via a specially crafted media file delivered via MMS.

Android devices since version 2.2 are vulnerable. Devices running Android versions prior to Jelly Bean (roughly 11% of devices) are at the worst risk due to inadequate exploit mitigations.

The Stagefright vulnerability was assigned the following CVEs:
  • CVE-2015-1538 
  • CVE-2015-1539 
  • CVE-2015-3824 
  • CVE-2015-3826 
  • CVE-2015-3827 
  • CVE-2015-3828 
  • CVE-2015-3829 
Fixes for these issues require an OTA firmware update for all affected devices. The bug was reported by Zimperium zLabs in April, in order to give Google enough time to fix the problem and send patches out to its partners. The security company says that Google has done so, but that most manufacturers have not yet passed the patches on to users, at the traditionally slow pace of Android phone partners. Devices older than 18 months are unlikely to receive an update at all.

Risk mitigation

Consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Deselect “automatically retrieve MMS messages.” In the meantime, consider using alternate messaging services.

Other than that, keep your phone number private. Researchers plan to present more details at the Black Hat conference next month.

Image credit: Stagefright, Zimperium blog

Wednesday 1 July 2015

Cyber Safety Tips for Summer Vacation


Haven't taken your summer vacation yet? You should make sure that you enjoy your vacation to the fullest by avoiding the stress of dealing with identity theft.

Last Day in the Office
When you will be away from work for an extended period, make sure your computer, external drives and other copies of sensitive information are behind a locked door, in a locked cabinet, or under close supervision from others. Before traveling with your computer, make sure you have a current backup of your files.

Be Cautious of Public WiFi Networks
When you connect to email, social networking sites or online stores via public WiFi, make sure you are using a secure connection (https://), so that traffic is encrypted and no one else can access the information. Always check with the hotel first for the proper way to connect to their network and the correct SSID (bad guys might try to set up sneaky networks like “Hotel_Free_Wireless”). Perhaps you should consider turning off features on your computer or mobile devices that automatically connect to WiFi.

Save the (Public) Social Media Vacation Posts Until You Get Back Home
It may be tempting to post details of where and when you'll be traveling, but don't. By revealing such specifics, you are providing information that could be used by criminals to target your home while you're gone. Before you post your travel plans or vacation photos on Facebook or Twitter, stop and think: ‘who will be able to see this?’. Another common scam involves compromising email accounts to contact your friends or family with requests for help, claiming that you were robbed while on vacation and need money. Sending private posts and photos during your vacation to family and friends is ok, but if you post them publicly, you increase the risk of someone using that information for malicious activities. Also, make sure your children understand what, and when, they should post regarding your vacation plans.

Mobile Devices
If you are traveling with a laptop computer or USB drives, don't get separated from your computer bag. When getting out of a taxi, bus or train, be sure you have all of your items with you. Back up any important data before traveling, and make sure your smartphones and tablets are locked with a security code/PIN to protect them if stolen. Most devices allow you to activate the GPS tracking option to locate the device if stolen. If your device goes missing, report it immediately to the police and your service carrier. If the thief might have access to your banking, email and other accounts, change your passwords immediately.

Monitor Account Activity
Prior to your trip, write down important contact numbers such as credit card, banking and your cell phone customer service so you can quickly report any lost or stolen items. When you return from your trip, use a secure network to check your online bank account for any unauthorized purchases while you were gone.

Have a great and safe summer!

Tuesday 5 May 2015

Financial Malware: Past and Present


Malware is not only increasingly diversified and capable, but also easier to create. Through 2015, this widespread threat will continue to grow unabated. An effective cyber criminal effort could just as well be predicated on an overwhelming amount of simple pieces of malware as it could be upon a monolithic, state-level attack. There are two primary mitigation vectors that can be used against such powerful financial malware - backend protection and specialized endpoint protection.

Malicious software (aka malware) affects us all. Modern malware ranges from keyloggers to ransomware, spyware and botnets. Arguably the most advanced are financial trojans, which are capable of emptying bank accounts in seconds. The Zeus toolkit has stolen hundreds of millions of dollars globally in recent years and is one of the most effective financial trojan platforms. This platform has been used to launch other powerful financial malware such as KINS and Citadel, which stole millions of dollars from banks in 2013 alone.

The two main mitigation vectors against this blitz of advanced malware are backend protection and specialized endpoint protection. Backend protection involves the bank implementing multiple controls that are unseen by the average bank customer. They may involve building powerful anti-fraud risk engines on big data, implementing dual custody for wire and ACH transactions, and limiting customer transfer amounts. These are generally very slow and resource-intensive rollouts.
Endpoint protection involves placing software on the customer endpoint, typically PC and Mac devices. Effective endpoint protection against financial malware is not commonly found in common antivirus suites. Modern financial malware uses techniques such as packing and polymorphic encryption to completely bypass detection by well-known antivirus suites. Zeus has historically been so effective at avoiding antivirus detection that other cybercriminals have adopted it: since its source code leaked in 2011, Zeus has been used to send spam and steal Facebook credentials in addition to stealing bank credentials. The average antivirus detection rate for Zeus is still only 40.1%, with many of those detected being early Zeus versions.

Zeus, ZeuS, or Zbot is a Trojan horse that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 the security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies such as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. GameOver Zeus was first developed in September 2011; it runs on infected devices and is used to intercept online banking transactions, defrauding customers and banks. Zeus controllers can fine-tune the copy of Zeus they are using to steal only the information they are interested in, typically login credentials for online social networks, e-mail accounts, online banking or other online financial services.

Citadel
Citadel is a relatively recent incarnation of Zeus, first appearing in February 2012. The owners of Citadel are actively building on the leaked Zeus source code (2.0.8.9) and adding new functionality. 2013 was a banner year for cyber criminals. Their tools have greatly evolved, and new advanced malware suites are now available. Hesperbot, Shylock, Beta Bot, KINS and Carberp are also now being used against banks, and this trend shows no sign of abatement.

According to Symantec, the number of detections of financial malware dropped off significantly in 2014. The total number of common financial Trojans detected decreased by 53%, while financial phishing emails fell by 74%. The U.S. had the most detections, with the UK and Germany rounding out the top three.

While some malware families such as Trojan.Shylock nearly disappeared, others such as the new spin-off threat Infostealer.Dyranges stepped into the void, blogged Symantec security researcher Candid Wueest.
"In the U.S., there is a larger number of potential organizations to target, many of whom conduct banking online and have more wealth across the board, making the U.S. a good target for the attacker in terms of revenue per infection."
In July 2014, an operation led by the UK National Crime Agency (NCA) and the European Cybercrime Centre (EC3) at Europol resulted in the seizure of command and control servers and domains used by Trojan.Shylock. Shylock has been observed being distributed by at least five different exploit kits, including Nuclear and Blackhole. After the takedown, the number of Shylock infections fell by more than half, according to Symantec.

Over the past couple of months, the FS-ISAC SOC has been tracking malicious activity associated with the Neverquest banking trojan. Neverquest is a new variant of the Vawtrak banking trojan that primarily targets online banking customers in the US and Asia-Pacific countries. It is primarily a credential-stealing Trojan that targets the login credentials for specific websites. Like other credential-stealing malware, Neverquest leverages a “trigger list” of URLs and keywords to identify when an infected user logs into a secure banking site or other targeted secure website. Recent configurations show a shift to include social networking sites, gaming sites, and online retailers in the target list. Other optional functionality reportedly includes a VNC module to provide remote control of an infected computer, and a webinject module to collect additional information from victims. Recent related campaigns use the Chanitor malware downloader for initial infection and to download the Neverquest malware to the victim’s computer. Chanitor primarily leverages malicious macros in Microsoft Word documents, which are typically delivered via phishing emails, although they could also be hosted on malicious or compromised websites.

Are traditional antivirus suites effective against financial malware? I would say no. Most common desktop antivirus suites have a hard time detecting modern financial malware and protecting endpoints from it. New financial malware is highly targeted, and antivirus vendors do not see copies in the wild until the malware has gone mainstream, by which time cybercriminals will have moved on to newer malware, having successfully raided countless bank accounts. While it is true that some malware attacks utilize "zero-day" vulnerabilities (vulnerabilities that have only just been discovered, also referred to as 'unknown vulnerabilities'), these attacks are a tiny minority. The reason is that 'zero-day', unknown vulnerabilities are hard to discover and are thus expensive and relatively few in number. Rather than being reactive to threats and relying on aging solutions such as blacklist-based malware detection, an effective security architecture should incorporate practices such as proactive network monitoring with deep discovery, as well as tools that protect endpoints and cloud assets.

Thursday 9 April 2015

Does IT Security Fail?


RSA, the security division of EMC, with the contribution of Northeastern University, recently published a report on the reasons why the IT security sector fails to effectively address modern cyber attacks. The report highlights the challenges faced by the industry and elaborates on the best practices an organization can build on to achieve what has so far been achieved in security. It also includes practical advice for IT security professionals that can help improve the strategy and tactics with which they face modern threats.

The main messages of the report:

Attacks on the IT infrastructure of organizations are multiplying, and so is the economic damage that accompanies them.

The economic impact of these attacks is significant and tends to grow.

According to The Global State of Information Security® Survey Research 2015, the number of detected attacks worldwide increased by 48%, to 42.8 million, which is equivalent to 117,339 attacks per day. Since 2009, attack incidents have been growing at 66% annually. The economic losses due to detected attacks worldwide rose to US$2.7 million, about 34% higher than in 2013.

The report notes that the lack of risk awareness is one of the most vulnerable points of IT security in the US.

The amounts invested in attack-prevention technologies (prevention-based security) are disproportionately high in relation to spending on solutions that can detect and adequately respond to these attacks. Moreover, the situation is aggravated by a "skills shortage". It is important to note that IT security should be based on adequate preparation: a thorough understanding of the business processes and the entire operation of an organization, as well as the ability to collect and analyze all information related to the security of the IT infrastructure. Organizations that do not have adequate staff or experience to deal with such situations should consider whether they need to strengthen the internal IT security team or buy specialized cloud-based services to protect their infrastructure more fully.

Recommendations for better preparation against threats

The focus should now be not on which attacks were detected or how successfully several would-be intruders were kept out, but on who managed to get through, where you may not be adequately protected, and which attacks may have gone unnoticed.

Preparation - Vigilance and sustained attention should be an inherent feature of any plan to protect an organization's IT infrastructure. Access control systems cannot by themselves be effective against modern attackers, who launch attacks at high speed and draw on ever more new weapons to exploit any weakness in the protective systems.
Setting priorities - Not every IT system and every piece of information has the same value. Each organization should define what is critical for a particular function (mission-critical) and what is critical for its activity as a whole (business-critical): which attack would prevent the company's future development, and which would set it many years back or put it out of the market.
Adaptation - Those professionally engaged in IT security should first understand the nature of the changes that have occurred in infrastructure (cloud, mobility, BYOD, etc.) and then methodically prepare a defensive plan and the corresponding tactics to neutralize new and sophisticated threats.
Light everywhere - There should be no 'dark' spots in the IT infrastructure where intruders could hide or escape notice. Using the tools modern technology offers, as well as examining the behavior of every user and every device connected to the network infrastructure, helps an organization equip itself better.
Flexibility - A business cannot operate under a regime of strict policing. Employees should be given freedom and flexibility, with some degree of respect for private activity and a sense of trust. Education and communication with staff should be continuous, so that users can understand and be ready to react properly to attacks that come through social networks (social engineering).