The Need for Test Data

Last week at the RSA Conference, I spoke to several vendors about their challenges offering products and services in the security arena. One mentioned a problem I had not heard before, but which made sense to me. The same topic will likely resonate with security researchers, academics, and developers.

The vendor said that his company needed access to large amounts of realistic computing evidence to test and refine their product and service. For example, if a vendor develops software that inspects network traffic, it’s important to have realistic network traffic on hand. The same is true of software that works on the endpoint, or on application logs.

Nothing in the lab is quite the same as what one finds in the wild. If vendors create products that work well in the lab but fail in production, no one wins. The same is true for those who conduct research, either as coders or academics.

When I asked vendors about their challenges, I was looking for issues that might meet the criteria of Allan Friedman’s new project, as reported in the Federal Register: Stakeholder Engagement on Cybersecurity in the Digital Ecosystem. Allan’s work at the Department of Commerce seeks “substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.”

I don’t know if “realistic computing evidence” counts, but perhaps others have ideas that are helpful?

Will “Guaranteed Security” Save the Digital World?

Thanks to a comment by Jeremiah Grossman on LinkedIn, I learned of his RSA talk No More Snake Oil: Why InfoSec Needs Security Guarantees. I thought his slide deck looked interesting and I wish I had seen the talk.

One of his arguments is that security products and services lack guarantees, “unlike every day ‘real world’ products,” as shown on slide 3 at left.

The difference between the products at left and those protected by security products and services, however, is that security products and services are trying to counter intelligent, adaptive adversaries.

Jeremiah does include a slide showing multiple “online security guarantees” for financial services. Those assets do indeed face challenges from the sorts of adversaries I have in mind. I need to hear more about what Jeremiah said at this point, and also I need to learn more about these individual guarantees.

It may be useful to look at what physical security companies offer by way of guarantees. I did not see this angle in Jeremiah’s slides, although he may have talked about it.

Taking a tentative step in this direction, I visited the ADT web site. You’ve seen their ads for protecting homes, and you might even be a customer. This is the sort of company that faces at least some threats who are intelligent and/or adaptive. What guarantees does ADT offer?

The screen capture below shows the answer. I am particularly interested in the “Theft Protection Guarantee.”

A theft protection guarantee is like a “hack prevention guarantee.” As you can see, if your home is burglarized while under ADT monitoring, you get up to $500 paid toward your insurance deductible.

The fine print is even more interesting:
“The Customer presenting ADT with this ORIGINAL CERTIFICATE will be eligible to receive a reimbursement of up to five hundred dollars ($500) of Customer’s homeowner’s insurance deductible (if any) if, and only if, ALL of the following requirements are met to ADT’s reasonable satisfaction

(i) the property loss was the result of a burglary that took place while the security system installed at Customer’s protected premises was in good working order and was “on,” and while all of Customer’s doors and windows were locked; and 

(ii) the intruder entered the residence through a door, window or other area equipped with an ADT detection device, and such detection device was not “bypassed”; and 

(iii) Customer is not in any way in default under the ADT Residential Systems Customer’s Order; and 

(iv) Customer files a written claim with their homeowner’s insurance company, and such claim is not rejected or otherwise contested by the insurer; and 

(v) Customer reports the burglary loss to the appropriate police department and obtains a written police report; and 

(vi) Customer provides ADT with copies of the insurance claim report, the police report within sixty (60) days of the property loss and proof of settlement by insurance carrier; and 

(vii) Customer certifies in writing to ADT (by signing this ORIGINAL CERTIFICATE and presenting it to ADT within sixty [60] days of the property loss) that all of the foregoing requirements have been satisfied. 

Customer understands that presentation of this ORIGINAL CERTIFICATE signed by Customer is required and understands that ADT reserves the right to reject any application for reimbursement that does not comply with ALL of the requirements.” (emphasis added)

Can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

It would be interesting to see how many times ADT has paid out this guarantee money.

Wait, you might say, Jeremiah showed a car in the slide at the top of this post. What do car security guarantees look like? I’m glad you asked. Here’s one of the top results I found online, for Viper.

Here is the fine print:

“Qualifications:

    The qualifying system was sold, installed, and serviced by an authorized dealer for DIRECTED, remains in the car in which the system was originally installed, and owned by the original purchaser of the qualifying system. Window decals must have been in place on the vehicle at the time of installation.

    The theft occurred less than one year after the date of purchase of the qualifying Viper system.

    This GPP claim is made within sixty (60) days of settlement of your claim with your insurance carrier. (90 days in New York state)

    The warranty registration card was completely filled out and mailed to DIRECTED within 10 days of purchase.

    The vehicle was stolen as a result of alarm system failure and the automobile was not left in an inactive/disarmed mode for whatever reason, even if left at a service station.

    A police report must be filed and a copy submitted with your GPP claim.

    Vehicle must be insured against theft at the time vehicle was stolen.

    The insurance company must accept and pay the claim.

    A DIRECTED starter kill device must have been installed on the vehicle and the sales receipt must show starter kill installation.

Your claim MUST meet all of the criteria as stated above to be eligible to file a claim for reimbursement of your comprehensive deductible…

A product’s warranty is automatically void if its date code or serial number is defaced, missing, or altered. GPP does not cover vandalism, theft of vehicle parts, contents, damage to vehicle and/or towing charges. Furthermore, vehicles that are consigned or displayed for sale are not covered by the GPP program. GPP is not available to employees, agents, friends or relatives of Directed or of its dealers. 

GPP does not extend to or cover motorcycles or vehicles without lockable doors, ignition systems and/or engine compartments.” (emphasis added)

Again, I ask, can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

Given these examples of security guarantees in the physical world, I don’t think we will see much progress in the digital world, perhaps beyond paying insurance deductibles.

I believe the heavy work on the economic side will be done by the insurance companies, as is indicated by these physical security examples.

We are likely to see more insurance on the security vendor side, as we are already seeing (as noted in Jeremiah’s talk) much more insurance in the security consumer (enterprise) arena.

Quick addendum: It just occurred to me that the security services mentioned earlier are primarily means to the following:

  1. Decrease insurance premiums.
  2. Deter attackers.
  3. If deterrence fails, increase the chances of more rapid police response.

These ideas have some relevance in the digital security world, although I think “stickers” saying “protected by product X and service Y” may have the opposite effect, as they may give intruders ideas on how to bypass the defenses. Then again, that might already happen with the house and car alarm examples.

Millennials Choose Convenience Over Security When it Comes to Information Sharing

For better or for worse, we’ve ended up amidst a society built on information sharing. There are a number of apps and sites that not only allow—but encourage you to disperse inherently personal details.

In some cases, information that you traditionally would have wanted to keep private (such as a financial transaction) is shared easily and publicly among friends, all through a mobile app. And at what cost?

There is a price to pay for convenience, which can be seen through the numerous mobile apps that make headlines due to their lax security. The latest to be inducted into this group was a mobile peer-to-peer payment app whose security policies left something to be desired.

While swapping digital money amongst peers was as easy as posting a Facebook update, the app lacked some basic security measures, such as notifying users of changes to their account settings (like changes to the primary email address or password), two-factor authentication, and monitoring of how other services, like Twitter, securely communicated with it.

Despite all of this, however, the mobile app continues to be incredibly popular—especially among millennials.

Why, you ask? Well the answer is almost too simple. Mainly, it’s all about convenience.

Too often, the services we use on our digital devices (apps, email, text and more) are compromised in a momentary lapse of security. Usernames are noted, passwords are stolen, recorded and used by those with harmful intentions—and users are forced to undergo the aggravating ritual of crafting new passwords while monitoring bank accounts with a worried eye.

But as it appears, this speed bump in the protection of our personal data isn’t enough to ignite a change in our behavior.

A recent Information Systems Audit and Control Association survey found that roughly 38% of millennials in the United States assume their accounts will be hacked for malicious purposes.

Even more concerning is that 70% of consumers said that they felt the benefits of digital devices outweigh the security risks. Meaning, a large number of users know the services and devices they employ may compromise their security, but continue to use them regardless.

So if you too fall into that group, and likely most do, then it’s best you follow a few security precautions to minimize your chance of having your information compromised:

  • Limit what you share. Keeping up to date with friends is great, but over sharing every small detail of your life can be just the crack in the door a hacker needs to break in. By limiting who can see your messages, and what you share online (of course, don’t share passwords or financial information), you can maintain a low profile that most hackers won’t pick up on.
  • Use two-factor authentication when offered. Most services today include a security feature called two-factor authentication. When you can, use it. Two-factor authentication requires users to input something only they would know, like a password or personal detail, and sends a verification message to an object that only they would have, such as a personal smartphone, for verification. It’s a great method that offers enhanced security to everyone.
  • Install comprehensive security software on your mobile device. Every device you own should have safety precautions installed on it. McAfee® Mobile Security is available for free for both Android and iOS, and offers a variety of protections to help keep unwanted people out of your devices.

To keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.

lianne-caetano

Dyre Spreading Using Code-Signing Certificates, HTTPS

ThreatTrack Security Labs researchers have confirmed the credential-stealing Trojan Dyre is using a new dropper — and a valid digital certificate — to carry out its dirty work over HTTPS connections.

The Ruckguv downloader works by injecting a DLL into an instance of Windows Service Host (svchost.exe). Windows Service Host then uses HTTPS to download Dyreza from a compromised domain.

Labs researchers note that this new Dyre technique stands out for a few reasons:

  1. The new dropper is signed with a valid digital certificate
  2. All the action happens over HTTPS, which is generally less monitored than an HTTP connection

There are also reports of spam messages including links to file sharing and hosting sites, such as sugarsync[dot]com, leading to the download of Ruckguv as well.

This latest variation is apparently just one more way that Dyre attempts to deceive and reproduce; we recently reported on how Dyre was increasing its target range and altering the type of spambots it uses.

As always, users should remain vigilant for files or emails that seem suspicious, and ensure their antivirus is up-to-date to protect them from malicious threats.

VIPRE detects files signed with the misused certificate as Trojan.Compcert.42015 (fs).

Technical details

The downloader uses this code signing certificate to make it seem legitimate:

KONSALTING PLYUS OOO
Status Valid
Valid from 1:00 AM 4/17/2015
Valid to 12:59 AM 4/17/2016
Valid usage Code Signing
Algorithm 1.2.840.113549.1.1.11
Thumbprint F2DAEDD9EFA306C7F7FF2DC5885870AA06947ADD
Serial number 00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E
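
An added example, not from the original post or from ThreatTrack: because the dropper's signature validates, a "Valid" status cannot clear a file, so this Python check matches each file's signer against the certificate identifiers listed above and tolerates the different formats tools print them in. The inventory columns, file paths and function names are assumptions made for the illustration.

```python
import csv
import io

# Certificate identifiers copied from the details listed on this page.
MISUSED_CERTS = [{
    "subject": "KONSALTING PLYUS OOO",
    "thumbprint": "F2DAEDD9EFA306C7F7FF2DC5885870AA06947ADD",
    "serial": "00 88 07 06 DC AA 0C B0 F2 4B 51 F7 F2 AB 7A 9B 9E",
}]

def norm_hex(value):
    """Uppercase hex digits only: drops spaces, colons and pasted debris."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")

def norm_serial(value):
    """A serial is an integer, so tools disagree on the leading 00 byte."""
    return norm_hex(value).lstrip("0")

BAD_THUMBPRINTS = {norm_hex(c["thumbprint"]) for c in MISUSED_CERTS}
BAD_SERIALS = {norm_serial(c["serial"]) for c in MISUSED_CERTS}

def flag_signed_files(inventory_csv):
    """Return (path, matched_on, status) for files signed with a listed cert."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if norm_hex(row["thumbprint"]) in BAD_THUMBPRINTS:
            matched_on = "thumbprint"
        elif norm_serial(row["serial"]) in BAD_SERIALS:
            # Weaker evidence: a serial is only unique per issuing CA.
            matched_on = "serial"
        else:
            continue
        # The signature status is reported, never used to clear the file.
        hits.append((row["path"], matched_on, row["status"]))
    return hits

# Constructed inventory (hypothetical paths and column names), as an endpoint
# tool might export it; only the first two rows reuse the page's identifiers.
SAMPLE_INVENTORY = r"""path,status,thumbprint,serial
C:\sample\viewer.exe,Valid,f2:da:ed:d9:ef:a3:06:c7:f7:ff:2d:c5:88:58:70:aa:06:94:7a:dd,
C:\sample\helper.dll,Valid,,880706DCAA0CB0F24B51F7F2AB7A9B9E
C:\sample\editor.exe,Valid,0123456789ABCDEF0123456789ABCDEF01234567,0A1B2C
C:\sample\notes.exe,NotSigned,,
"""

if __name__ == "__main__":
    for hit in flag_signed_files(SAMPLE_INVENTORY):
        print(hit)
```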

Analyzed md5s for Ruckguv:

86f527b816684141f25d7e0ea42c7d8b
dd4654d9c4978204b14c6fb25667fe5c

Analyzed md5s for Dyreza:

eb9bc0e306b955d04a9334e28d3bdce2
f11fb8a7593a449934c0690d7f3454ad

Reported locations of Ruckguv:

  • hxxps://i.nfil[.]es/ZnKlLv.zip
  • hxxps://demo.cozycloud[.]cc/public/files/files/fd7a3dd2b8e41f198cb2c475ea011149/attach/report2104.zip
  • hxxps://files[.]fm/down.php?i=knrryxd&n=report2104.zip
  • hxxps://www.sugarsync[.]com/pf/D3740680_035_720143350?directDownload=true
  • hxxps://www.sugarsync[.]com/pf/D7687781_714_129513481?directDownload=true

Dyreza download points initiated by Ruckguv:

  • hxxps://thewinesteward[.]com/css/Document1704.exe
  • hxxps://relianceproducts[.]com/files/jxpiinstall.exe

Credit: Matthew Mesa, Malware Researcher, ThreatTrack Security Labs


6 Tips for Protecting Your Social Media Accounts

10 years ago, many of us were hearing about social media for the first time. Now, social media plays a giant role in our lives, allowing us to share pictures, connect with family and friends, and get updated news. Through social media, we can express ourselves to our inner circle and the world.

So how devastating would it be if someone got a hold of your social media accounts?

They could really wreak some havoc, like sending dirty links to all of your followers on Twitter. Or worse, take personal information in order to steal your identity, which could take years to fix. Sadly, breaking into your social media account can be easy—just one wrong click on a phishing scam or using a weak password that is easy to guess.

Luckily, there are a few things you can do to protect your social media accounts from hackers. Here are my tips:

  1. Discard unused applications. Take inventory of your social media accounts to see if there are any third-party applications that have access to your personal social data. Delete the ones you don’t use or don’t need. And make sure you are ok with what information they are accessing from your social profile/account as these can be gateways to your account for hackers.
  2. Be careful who you friend online. Only accept friend requests from people you know in real life. Often hackers will send requests so they can see the information you are sharing to help them take advantage of
  3. Sharing is not always caring. Double check your privacy settings to control who sees your posts. Also, be careful what you share online—think of what you post online as being there forever, even if you have privacy settings enabled. For example, sharing that you’re away on vacation could inform a thief that you’re not home and indicate to them it’s a good time to rob you.
  4. Use strong passwords. Using “password” as a password isn’t going to cut it. The strongest passwords are at least eight characters in length, preferably 12; contain a combination of upper and lower case letters, symbols and numbers, and are unique to each account. For more information on how to create strong passwords, go to passwordday.org. And don’t forget to join us to celebrate World Password Day on May 7th. If you have trouble remembering and keeping track of all your user names and passwords, a safe option is to use a password manager. I like, which allows you to log into sites and apps using multiple factors that are unique to you, like your face and fingerprints and the devices you own.
  5. Multi-factor authentication. Imagine a hacker has your password, username and email and even knows the answer to your secret question. He can get into your account. But if you’ve enabled multi-factor authentication, the hacker will need another factor to truly access your account. So without your phone, fingerprint, face or whatever factor you’ve set up, the game’s over for him. With True Key, you have to keep you safe online.
  6. Use security software. Of course, keep all your devices updated with comprehensive security software like McAfee LiveSafe™ service.

Don’t let hackers hack into your digital life! For other tips, check out @IntelSec_Home on Twitter or like them on Facebook!

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.