By turning security into a data problem, we can turn the tables on the bad guys

Big data and predictive technologies – sometimes called artificial intelligence (AI) – are changing the world. Everyone from Google to your supermarket and hospital is leveraging the power of data to fundamentally transform the way they operate. While the traditional security industry has tended to take a reactive approach towards prevention (rather than a data-driven one), innovative practitioners are now beginning to show the transformative impact big data can have when used intelligently.

The security of yesterday

In this age of custom malware and targeted advanced persistent threats (such as Stuxnet), slow, resource-intensive security is a big problem. One example was the recent attack on the New York Times. Chinese intruders installed 45 different pieces of malware on the media company’s systems over a period of four months. All this happened despite the presence of traditional endpoint protection, including up-to-date antivirus from a traditional security player which, according to cyber security firm Mandiant, detected just one piece of malware.

We can’t say for certain what was at play in this instance, but it does point to some fundamental challenges with traditional, non-predictive security systems. The faster a bad guy can act, the further behind the good guys will end up. This leads to long delays in identifying new threats and in protecting vulnerable systems. With more time to plan and execute their attacks – and aided by the delay in pushing out protection – cyber criminals are able to compromise many more systems than ever before. In the very worst cases, this gap becomes something the most sophisticated attackers can hide in indefinitely.

Data is the DNA of security

Security is the science of detecting and preventing attacks against our electronic systems. It’s an industry that’s swimming in classifiable data, and one that has been crying out for a big data overhaul. Until very recently, security systems were limited to searching small chunks of that data for a few tell-tale bytes – a pattern of data or an antivirus signature unique to a specific attack. Found some matching bytes? Bad guy possibly detected. Didn’t find the bytes? Not conclusive.

Security systems built this way are brittle and resource-intensive. They spend all their time looking for the proverbial byte-sized needle in a data haystack, only to start the whole cycle from scratch when some of those bytes get changed by an attacker looking to evade detection.

Making sense of data to improve security

This is where big data and machine learning (systems that can learn from data) can level the playing field. We can use machines to identify more complex signals and relations in datasets far bigger than any human could analyse. Consider the digital profile that advertisers are able to build by collecting and correlating multiple sources of data. The same approach can also apply to security. Imagine hundreds, even thousands of sources of data – system logs, code, attacker behaviour, preferred target types, method of operation – all being collected and correlated to produce a profile on steroids.

Instead of just creating a signature for each piece of malware, we can build a database of all the malware and everything associated with the people who use it, from their development accounts through to the servers they use and how they plan to monetise.

But why stop there? By going even further, by breaking down the malware itself and reducing it to its fundamental building blocks, we can create a database of all the bad code in the world. Once you start to analyse code use across applications you realise just how institutional code reuse is. Everything evolves from everything else, and suddenly we have a way to detect new threats long before they get found on a victim’s computer.

In the same way Google shines a spotlight on every single web page, big data can allow security companies to do the same thing to the threat landscape, turning over every stone looking for any sort of link to previously seen threats or incidents. Suddenly it’s the malware authors who have to do the hard work. Now, evading detection is more than changing a few key parameters – they have to ensure no code is reused, no server is reused and no development accounts are reused. They have to start from scratch each and every time.

Combining big data with machine learning allows the security industry to develop agile, machine-driven analytics that can identify threats before they do harm. It’s another example of the practical benefits that a big data approach can have on an industry. While this isn’t going to solve the problem of advanced attacks and malware alone, for the first time the tables are turned and the good guys are gaining an advantage.

Marc Rogers is principal security researcher at Lookout

Get more articles like this sent direct to your inbox by signing up for free membership to the Guardian Media Network – this content is brought to you by Guardian Professional.

How to rebuild your small business after an online attack

When malware or a hacker strikes, it can raise terror in even the biggest enterprises, let alone a SME where typically the person who knows about computers is the guy who’s memorised the office Wi-Fi code and knows how to change the printer cartridges.

Dielle Hannah, founder of the music tuition business Igloo Music, is a typical example. Ask her how to detune a guitar to play folk music and she can run through the options. Get her to figure out why her website started pointing towards a Russian porn site a year ago, though, and she’s not quite as well equipped to respond.

“It happened at the worst time,” she recalls. “We’d just kicked off a big PR push to get our name out there and then anyone who came to check us out was getting a message that we were distributing porn and were not a trusted site.

“I can only imagine how much business we lost. We had to quickly rebuild a new site but that got infected too and it wasn’t until several months later, with a total web rebuild with new technology, that we were OK. It’s cost thousands but more importantly, it’s cost us a lot of new business and it’s just been so embarrassing.”

While SMEs may be targeted by sophisticated cyber criminals, they are far more likely to be hit by less sophisticated random, automated attacks, according to Pete Chadah, founder of the security provider DrPete, which specialises in working with SMEs.

“The headlines are always about hackers and spies,” he says. “In my experience of helping out mainly SMEs, the vast majority of attacks are either automated malware let into the business from within by people accidentally clicking on phishing emails or by a disgruntled former, or current, employee causing trouble.”

Pull the plug

James Lyne could not agree more. As global head of security research at Sophos, he estimates that around four in five of the companies hit by malware every day are SMEs – not because they are being specifically targeted, but because they form the vast majority of companies in the UK.

The most common attack is “ransomware”, which freezes a computer and displays a message on screen saying you need to pay someone a few thousand pounds to unlock it or, in another variant, to unscramble data the infection has encrypted.

“First thing you do seems unnatural but you have to just pull the plug out so it doesn’t spread,” he says.

“It’s normally very simple to deal with. Just download a freely available piece of scanning software and put it on a disc or memory stick. Then start up the computer again and it should clear it. You then ideally need to do this on every computer and server to make sure it hasn’t spread and run a full anti-virus scan. If you’re clear, great. If it was one which scrambles data, then you need to go to a backup. If you don’t have a backup, I’m afraid you’ve almost certainly lost the data from that drive.”

The one bright point here is that at least the malware tells the company it has a problem. If an SME is hit by an automated hacking attack, or even an individual hacker, it is a very different issue.

“With hacking there’s only one piece of advice – have a very good security expert on speed dial,” says Lyne.

“You may only find out when customers call you saying something odd has happened, like typically rogue payments being made through the details you have stored for them. No anti-virus software can help here, you need an expert. So it’s a very good idea to line one up in advance. Ask your IT supplier for a recommendation or other companies in your area.”

Phishing scams

Another common attack is a phishing email of some kind that tricks a member of staff into clicking on a rogue link which asks for a password, which is then used to take over corporate email or gain access to sensitive data. This can be quickly overcome by resetting passwords and calling your email provider to take back control of your account.

The top advice here is to work with providers who ask a security question or have a second form of identifying you that goes beyond a single password. Keeping a folder with all the relevant information for the provider will speed up taking back the account.

As Igloo Music found out, this can also happen to websites, which can be hijacked either at server level or through the registry system that links domain names to a web address. If traffic is diverted, criminals can attract a lot of extra visitors to their own site at the expense of a hard-working SME’s good name.

Open approach

Whatever type of attack you suffer, the best advice is for staff to be open about what happened and to be trained to pull the power and network connection from an infected computer without hesitation. Time spent worrying will only make the situation worse and risk damaging an SME’s reputation, which is best protected by having the best defences in place and a plan of action ready should a breach occur.

If this happens, and customer data has been stolen, the Information Commissioner’s Office needs to be informed. Empirical wisdom suggests they are normally understanding and very loath to use their power to fine infected organisations, so long as those organisations can show that remedial steps are being taken.

The police should also be contacted. Technically, the law has been broken if you’ve been hit by malware but, in reality, an SME will often be doing little more than helping with national cybercrime statistics.


Sign up to become a member of the Guardian Small Business Network here for more advice, insight and best practice direct to your inbox.

Trojan Hides in ROM of Chinese Android Devices

In China, some mobile phone enthusiasts like to reflash their Android devices with ROM images from the Internet. For some mobile phone dealers, this makes good business: they can earn extra money by reflashing phone ROMs for users who want to erase the many useless applications bundled in the original ROMs.

However, building an Android ROM image is not very difficult, which makes reflashing Android devices dangerous. Once malware has been added to an image, it is hard to get rid of.

Last week, McAfee Labs acquired a sample found in some Android images from China. Among other interesting behavior, it downloads JavaScript code from a control server, and runs the code within WebView. McAfee Labs detects this threat as Android/Huigezi.A.

Android/Huigezi.A runs at boot-up, when SMS messages come in, and when calls go out. It runs as a service in the background and poses as a system service. Once started, it sets up a timer to restart itself every 30 minutes.

[Figure: Malware “service” running in the background.]

The malware sends sensitive information – IMEI, IMSI and OS version – to a remote server, and gets back a response string in JSON format. The string contains nonstandard Base64-encoded JavaScript code. The malware injects the code into a piece of HTML and writes it to a file under “/data/data/” on the device. The filename is the integer value of the current time.

[Figure: Posting sensitive information to the control server.]

The following image shows one of the HTML files being injected with the malicious encoded JavaScript.

[Figure: HTML altered by the encoded JavaScript.]

The decoded JavaScript:

[Figure: Decoded JavaScript.]
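To show how an analyst handles the response format described above (a JSON reply carrying nonstandard Base64-encoded script, dropped into a file named with the current time), here is an added example. It is not McAfee’s code and not taken from the sample: the JSON key name “js” and the swapped-case alphabet are assumptions made up for the demo, since the post does not publish the real alphabet.

```python
import base64
import json
import string
import time

# Standard Base64 alphabet, the translation target for custom alphabets.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Constructed sample alphabet (standard Base64 with the letter cases swapped).
# It is NOT the alphabet Android/Huigezi.A uses; it only exercises the decoder.
SAMPLE_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/"


def decode_custom_base64(text: str, alphabet: str) -> bytes:
    """Decode Base64 written with a nonstandard 64-character alphabet.
    The analyst supplies the alphabet recovered from the sample; the text is
    mapped onto the standard alphabet so the standard decoder does the work."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    translated = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)  # restore padding if it was dropped
    return base64.b64decode(translated, validate=True)


def encode_custom_base64(data: bytes, alphabet: str) -> str:
    """Inverse of decode_custom_base64; used here only to build sample input."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def extract_script(raw_json: str, alphabet: str) -> str:
    """Pull the encoded JavaScript out of the control server's JSON reply.
    The key name "js" is an assumption; the post only says the reply is a
    JSON string carrying nonstandard Base64-encoded code."""
    return decode_custom_base64(json.loads(raw_json)["js"], alphabet).decode("utf-8")


def looks_like_dropped_html(name: str, content: str, now: float = 0.0) -> bool:
    """Heuristic for the file the analysis describes: written under /data/data/,
    named with the integer value of the current time, and carrying the injected
    <script> block.  Accepts epoch seconds or milliseconds within ten years of
    `now` (0.0 means use the real clock)."""
    if not name.isdigit():
        return False
    value = int(name)
    if value > 10**11:  # too large for seconds: treat as milliseconds
        value //= 1000
    now = now or time.time()
    if abs(now - value) > 10 * 365 * 24 * 3600:
        return False
    return "<script" in content.lower()


# Constructed, inert sample of what a reply might carry.
SAMPLE_JS = "document.title = 'hello';"
SAMPLE_REPLY = json.dumps({"js": encode_custom_base64(SAMPLE_JS.encode(), SAMPLE_ALPHABET)})
```

Running `extract_script(SAMPLE_REPLY, SAMPLE_ALPHABET)` recovers the sample script, and `looks_like_dropped_html` can be applied to directory listings pulled from a suspect device to flag timestamp-named HTML files for inspection.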

Android/Huigezi.A binds its classes to a JavaScript interface for the HTML, and loads the HTML in a WebView client. The functions in the dex file are then executed by the JavaScript in the HTML.

[Figure: Adding a JavaScript interface.]

The payloads of this malware depend on the JavaScript downloaded from the control server. According to its code, the malware can take the following actions:

  • Send SMS messages
  • Post sensitive information – IMEI, IMSI, device model name, phone number, carrier name – to a remote server
  • Download some install packages and install them silently
  • Retrieve SMS messages and store them to a hash map
  • Set up SMS messages to be blocked
  • Download a dex file, and load the class in it
  • Create a shell for the remote server

[Figure: Creating a shell.]

Android/Huigezi.A is very different from other mobile Trojans. It gives attackers more flexibility to launch attacks and makes it harder for victims to become aware of its presence. Most important: it can hide in an Android image. Users would probably need to reflash their ROM images, or get root privileges and uninstall the malware with command-line tools, which is not an easy task for most people.

The post Trojan Hides in ROM of Chinese Android Devices appeared first on McAfee Blogs.

Apple Could Kill Jailbreaking with Latest Update

The latest iteration of Apple’s iOS platform, iOS 7.1, launched on March 10 with an updated look and new features, as well as some key improvements to the security of the operating system. For this, you can thank hackers. Or, more specifically, you can thank the hackers who help people jailbreak their device.

The practice of jailbreaking, which is the process of bypassing Apple’s iOS restrictions so that a user can introduce new functionalities and aesthetic changes through unapproved third-party app stores, is as old as the iPhone itself. Many feel that this back-door process is necessary given the somewhat limited personalization options offered by Apple devices, but jailbreaking does carry risk. If the modification goes awry, your phone could easily become a very expensive paperweight. Additionally, bypassing and removing key parts of Apple’s built-in security makes your iPhone an easier target for hackers and malware.

After going through the complicated process of jailbreaking their iPhone or iPad, people must also understand that additional work is necessary to re-secure their jailbroken device. For example, the jailbreaking process sets a common default password for the Secure Shell (SSH) service that must be changed. Ordinarily, users have no interaction with this feature, as it comes automatically installed and works in tandem with other security measures like PIN codes.

Without changing the default SSH password, a jailbroken phone runs the risk of falling victim to any malicious individual merely connected to the same network. In fact, one enterprising Dutch hacker exploited this weakness to hold several iPhone users’ phones hostage by replacing their background image with a threatening message. Theoretically, the hacker could have executed any command they wanted, even remotely wiping the phone – all the more reason to check for jailbreaking and back up your contacts with security programs such as McAfee® Mobile Security for iOS, which will notify you immediately if your phone has in fact been tampered with in such a way.

And yet, despite these inherent risks, jailbreaking is wildly popular among those who want greater control over their Apple devices.

However, the release of iOS 7.1 may have put the brakes on the jailbreaking community, so to speak. Apple frequently patches the holes that jailbreakers exploit to modify phones, building on the work of other jailbreakers before them, and iOS 7.1 is no different. It takes longer and longer for the jailbreaking community to successfully crack Apple’s code for each iOS update; it took roughly 10 months to release the jailbreak for iOS 7. Now, with previously used doors closed to them, it will take jailbreakers even longer to find new paths.

Anyone who has jailbroken their device will likely have to eventually decide between updating to the latest Apple-approved operating system, or holding onto dated hardware and software to maintain their freedom from Apple. Old software is another security risk in and of itself, and it’s up in the air whether customization or safety will win out among users.


The post Apple Could Kill Jailbreaking with Latest Update appeared first on McAfee Blogs.