Do You Know Who is Watching You? Part 2

Invisable Hand

On Tuesday we covered the basics of Remote Access/Administration Trojan also known as RATs. You can read that post here.

To dive deeper on the topic, one of the most common types of RATs is “Pandora”. The Pandora RAT allows an attacker to gain access to the following items on a compromised computer: files, processes, services, and active network connection.

If all of this doesn’t concern you, Pandora can also: remotely control the compromised desktop, take screenshots, record webcam footage, record audio, log keystrokes, steal passwords, download files, open Web pages, display onscreen messages, restart the compromised computer, hide the taskbar, and  hide desktop icons. It can even cause one of the most dreaded attacks: system failure and the blue screen of death.  Like many RATs, Pandora is user friendly, and can be mastered by expert and beginner hackers alike.

There is prosperous market of underground software sales based on RATs. They can be purchased from many websites and even appears for sale in hacking forums online.  The three main types that appear for sale are:

1) FUD which is fully undetectable by security vendors

2) Crypter which is a tool used to rearrange files in a way that the actual bytes are scrambled

3) JDB (Java drive-by) which involves a Java applet being placed onto a website disguised as a  pop-up to continue to the site

A few rules to stay protected: keep your anti-virus software up-to-date, avoid opening emails that look suspicious or if you are unsure of the sender, always be a skeptic when clicking on links that you receive from other sources, and only download files from sites that you know are secure. Always be aware of your webcam activity, if you do not have a shutter that closes then consider putting a piece of paper over the shutter as a precaution. Most importantly use common sense, if your computer told you to drop it off a bridge would you?

 

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you

Image Source:

http://i.telegraph.co.uk/multimedia/archive/01961/hack_1961123b.jpg

Do You Know Who is Watching You? Part 1

Hand Through Screen

Everyone knows at least one paranoid person that insists on covering the web cam of their computer. Activities like this may be necessary due to the malicious attacks out there. These attacks use your web cam and allow it to be taken over, giving them access to your computer remotely. According to Symantec, “Remote access Trojans (RATs), or what we (Symantec) are calling creepware, are programs that are installed without the victim’s knowledge and allow an attacker to have access and control of the compromised computer from a remote location.”

The two most common types are Remote Access/Administration Tool and Remote Access/Administration Trojan, the biggest difference between the two is that the Trojan is installed for malicious purposes.  One of the major ways that they take advantage of your computer is to remotely access of your device; there are lots of different pieces of malware out there.

“Creepware” as Symantec calls it, flips your machine with the hacker’s, so your computer is the victim and the attacker’s computer becomes the client.  Once this has happened an attacker then has the ability to retrieve files easily from the victim’s machine. The degree to which this takes place can vary from people out to commit fraud to those who just think it is a harmless prank. Most victims don’t report this type of crime until their reputation has been damaged so often the attackers often aren’t caught.  Many of these activates often fall under the umbrella of cyber bullying.  

The hackers get crafty and downright mean, for example one instance they attacked a victim by sending a pop-up on the screen saying, “their webcam’s internal sensor needed to be cleaned. To do this, they were told to place the computer close to steam.” Many victims brought their laptops into the bathroom to “steam clean” their machine, but don’t most people understand that you are not supposed to put electronics near moisture? 

Check back on Thursday for Part 2.

Resource:

http://www.symantec.com/connect/blogs/creepware-who-s-watching-you

Image Source: http://www.sitejabber.com/blog/wp-content/uploads/2013/02/identity-theft-500×260.jpg

The 'Cryptopocolypse'

To further iterate a topic broached last week, this week an article by Patrick Lambert on TechRepublic.com investigates the issue of cryptography soon becoming obsolete by our own advancing computing power.  Cryptography is used to secure data in the virtual world, be it stored locally or on the internet, by taking advantage of some simple yet unintuitive properties of mathematics, and wrapping said data within it.  For a detailed look, you may also refer to our post earlier this month which describes various aspects of the topic; The surface level detail however is this: It is cryptography that allows us to protect our sensitive files, our personal data and our messages to others from prying eyes on the Internet, and without it, any data, anywhere on the net is fair game to anyone.

Hence why the forthcoming moment when our computing power advances enough to easily crack any standard cryptographic practices in use right now is being called the ‘cryptopocalypse’.  In the event that this happens, all computer security would be rendered meaningless in an instant, and the reasons that this would be such a terrible and chaotic event need not be expounded upon.  Is there really a chance of this happening? The topic has been long debated by experts.

The initial threat against cryptographic algorithms is the ability to reverse them, which would allow someone with malicious intent to analyze the encrypted data to remove the encryption by running the mathematical properties used to create it, backwards.  The entire cryptographic system is built on the idea that this is nearly impossible to do, and would take more guesses than any person has time for in their lifetimes.  So why have a person make guess after guess for years on end, when a modern computer can do the same in fractions of the time.  Computers are getting fast enough to ‘brute force’, or make tremendous amounts of guesses per second as to what the sensitive data is.  The latest version of the ‘Hashcat’ password cracker software for example, now supports attacking passwords of up to 55 characters long, and is capable of conducting about eight billion guesses per second as to what that password is – and has been previously known to do well in cracking passwords of 15 characters.  What will the next update be capable of?

Read more

Password breaker successfully tackles 55 character sequences

Are we heading for a ‘cryptopocolypse’?

Inside Twitter's Two-Factor Solution

Back in April, we’d reported that Twitter was the latest to be hopping onto the Two-Factor bandwagon, and have, since then, fully implemented the technology.  Only recently however, have they provided insight on the future of their security enhancement agenda in a blog post last week.  It states that, in addition to the SMS-based two-factor login they’d released in May, they will be rolling out a new two-factor authentication method that eliminates the need for text messages.

The blog states that “now you can enroll in login verification and approve login requests directly from your iOS or Android app”, and goes on to tout the following new features:

    • No phone number required: By using push messaging and in-application approvals, you no longer need to provide your phone number to use login verification. If you manage multiple Twitter accounts, but only have one phone number, you can now opt all of them into login verification.
    • Broader international support: Now, all you need is an Internet connection and one of our supported apps to enroll in login verification. Login verification via SMS has been available through supported mobile carriers across the world, but that didn’t cover everybody.
    • “My phone fell in the ocean!”: Backup codes generated in the application can be written down, stored in a safe place, and used to access your account on twitter.com even if you lose your phone.
    • More context: When a login request is made, you will see browser details and approximate location in the app. If you receive an approval request from halfway across the world, you may be getting phished. Review this page for more information on keeping your account secure.

Twitter’s security engineer Alex Smolen had the following to say regarding the new system: “When we decided to implement two-factor, we wanted something that was easy to use and didn’t follow the same formula everyone else was using… Other two-factor systems rely on a shared secret… We wanted to come up with a design where it is only stored on the client side; the secret’s only stored on the phone.”

Twitter’s approach to enhanced security through two-factor authentication is surely an interesting one, albeit not entirely new, and has some interesting fail-safes in the event that you’re without a network connection.  “We involved support very early on in the process, we want to make sure people don’t lose access to their Twitter accounts even though the nature of this feature is to deny service.”  says Smolen.

The new two-factor service debuted on August 6th, and is still in active development, with more features planned to be added in the coming months.

Your Password is Obsolete

Your password is obsolete, or so says this infographic we’d like to share, with data compiled by Backroundcheck.org earlier year.  We’re certainly no strangers to this topic, and had even posted our own take on the subject even earlier this year in January, titled The Death of the String Password.  Though, we certainly can’t take credit for the idea either, as Bill Gates was quoted as predicting similar things as early as the RSA Security conference in 2004.  Gates had said that “There is no doubt that over time, people are going to rely less and less on passwords” when speaking about the oncoming popularity of two-factor authentication technologies.

Says the infographic: “Some say 2012 may have been the year the password broke.  With password leaks and dumps becoming common occurrences our lives are simply becoming too easy to crack.  The string of characters you use as a password can’t protect you anymore.”  And they’re right, especially with the onset of cloud computing and having dozens of online accounts – it’s a wonder the arrays of difficult to remember mixes of captials, symbols and numbers have lasted us this long in the first place.  It’s simply impractical, and increasingly unsafe.

Whereas a series of replacements for the password have been suggested over the years, from picture passwords, to ‘fastwords’ and biometrics, it would seem that two-factor with (hardware or software) tokens have for now grabbed the attention of most organizations hoping to remain secure and progressive with their authentication systems.  As we’ve also previously reported, Google, Twitter, and other major enterprises have already been in the process of introducing (and hoping to enforce as the default) two-factor authentication options that employ OTPs and TOTPs generating authenticators.

Have a look at the infographic and see for yourself just why your password isn’t protecting you anymore.

The Shortcomings of Two-Factor

As more and more organizations are adding two-factor authentication systems to their web applications, the reactions are in.  Among those with  appreciation for the stronger authentication mechanisms are also various criticisms of the approach, ranging from resistance due to holding-up workflow, to reminding us that even the most hardened of locks can still be picked.  Whereas the two-factor trend continues to expand, as we’ve continually reported on this blog staggering numbers of organizations continue to ignore the solution, and these accounts may shed some light on the reasons for their resistance.

MedAllie’s A. John Blair MD is one such fellow that has expressed disinterest over implementing two-factor within EHR (Electronic Health Records) security at the Health IT Policy Committee in January.  Citing concerns over productivity, Blair states that he sees the additional factors of security as a workflow obstacle, stating that clinical workflow should be the topmost priority when evaluating the system’s security:

“If the provider honestly believes these enhancements will improve care and efficiency–and particularly if they are indirectly tied to increased reimbursements for improved health care value–interoperability will advance rapidly. If the providers do not believe this, nothing else we do here will make much of a difference in the long run.”

Blair’s point is a certainly a valid one, though prioritizing accessibility to patient sensitive data over ensuring its security is surely a matter of conflict of interests, and so one whose right or wrong answers are purely situational.  In this case, as in many, the need for security might not be apparent until data becomes compromised.

In another article, Mark Risher, CEO and co-founder of Impermium, a vendor of digital fingerprinting software lays out his reasons why the two-factor authentication system is not the be-all end-all measure for securing data that it’s being made out to be.  He feels as though “service providers need to take on more of the responsibility for securing a consumer’s information online, utilizing similar proactive monitoring and not expecting [two-factor] perimeter defenses to suffice”.  Stating that while multi-factor approaches to security certainly enhance it, that more still must be done to guard against hack attacks.

Risher’s suggestion is a sort of ‘virtual police’, in the form of learning algorithms that, much like actual policemen, can track and intelligently identify suspicious behavior.  His description largely resembles contextual authentication, which may prove to be the heightened level of security over two-factor that some are looking for.

Read More – Physician sees two-factor authentication as efficiency barrier

Read More – Why two-factor authentication isn’t a cure-all

Cloud Security an Afterthought

cloud

The cloud is growing fast, very fast.  As more organizations consider joining the trend of offering cloud services, some 90 percent, according to a survey by Symantec Corp, perhaps the biggest challenge for them is ensuring all the data on that cloud is secure.  Hosting your data online so that it may be accessible to you on any device where ever you are comes with substantial risks, begging the question of how you truly, confidently prevent others from doing the same.

The question has been thus far largely unanswered, but that isn’t hindering those organizations excitement, and certainly isn’t hindering the cloud’s continuing expansion.  Despite those 90 percent, the same Symantec survey found that 77 percent of organizations know of unsecured cloud deployments, of which 40 percent knew of information breaches, and 25 percent of hijack accounts on cloud services.

What’s being identified to be the greatest obstacle in the way of a reliably secure cloud is the Bring You Own Device BYOD trend, whose aim is for IT to allow users to implement their own PCs, tablet and smartphone devices at their organizations.  In a survey conducted at the RSA conference in San Francisco, of 176 IT security professionals,  44 percent cited BYOD as their most significant roadblock – however just 18 percent expressed they were dissatisfied with the current security situation, 41% had no opinion of it, and a little over half (51 percent) were happy with it.

It would appear that, with all the excitement surrounding the cloud and offering next generation services, that the lack of attention paid to securing these services is simply due to a lack of awareness of their current state of fragility.  It’s no secret that cloud providers are under constant siege – but in many cases having your data compromised is the only true motivator to give it a closer look.

Read More