
BackStab Attack Takes Indirect Route To Mobile Data

Attack technique takes advantage of weak protections around mobile user’s backup files.

While there are plenty of mobile device vulnerabilities just waiting for bad guys to pick up on, some of the lowest hanging fruit for mobile-oriented attackers isn’t on the device itself. Instead, the softest target comes in the form of insecure back-ups stored on a traditional desktop or laptop.

Palo Alto Networks’ Unit 42 research team calls the technique “BackStab.” In a report out today by researchers with the team, they explain that this indirect route can nab attackers text messages, photos, geo-location data and just about anything else that’s been stored on a mobile device.

“While the technique is well-known, few are aware of the fact that malicious attackers and data collectors have been using malware to execute BackStab in attacks around the world for years,” writes report author Claud Xiao. “iOS devices have been the primary target, as default backup settings in iTunes® have left many user backups unencrypted and easily identified, but other mobile platforms are also at risk.”

According to the report, Unit 42 has found over 700 recent variants of Trojans, adware and other hacking tools that target Windows and Mac systems holding backup files from iOS and BlackBerry devices. Several of the malware families discovered by the researchers have been around for at least five years. They explain that there are tons of public articles and video tutorials detailing how to carry out a BackStab attack. And unlike a lot of mobile device attacks, this one doesn’t require the targeted user to have a jailbroken device.

In the case of iOS attacks, often BackStab is made possible due to default settings on iTunes that don’t encrypt backed up data.

The report today detailed some of the most common tools that employ BackStab, including USBStler, a dropped portable executable file often used in concert with the DarkComet remote access Trojan. Interestingly, they also showed how RelevantKnowledge, a tool developed by Internet research firm comScore, leans on BackStab techniques to spy on consumers.

“We found that many RelevantKnowledge samples contain code to collect users’ iPhone and BlackBerry data through these mobile devices’ backup archives,” Xiao wrote. “During their execution, these samples will search for files under the Windows iTunes backup directory, collect information, compress it into a file and upload it to (comScore’s) web server.” 
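The exposure described above comes down to a setting: a backup made without “Encrypt local backup” turned on sits on the desktop as plain files that any process running as the user can read. The following audit script is an added example for defenders, not code from the Unit 42 report or from Palo Alto Networks. It assumes that each backup directory contains a Manifest.plist whose boolean key IsEncrypted records whether the backup was encrypted, and that the default backup roots are the usual iTunes locations on Windows (`%APPDATA%\Apple Computer\MobileSync\Backup`, `%USERPROFILE%\Apple\MobileSync\Backup`) and on macOS (`~/Library/Application Support/MobileSync/Backup`). The sample backups it can create are constructed for demonstration only.

```python
"""Audit local iTunes/Finder backup folders for unencrypted iOS backups.

Added example (not code from the Unit 42 report). Assumption: each backup
directory holds a Manifest.plist whose boolean key "IsEncrypted" records
whether the backup was made with "Encrypt local backup" turned on, and the
roots below are the default backup locations on Windows and macOS.
"""
import os
import plistlib
import sys
from pathlib import Path

# Assumed default backup roots: iTunes on Windows (two install styles) and macOS.
DEFAULT_BACKUP_ROOTS = [
    Path(os.environ.get("APPDATA", "")) / "Apple Computer" / "MobileSync" / "Backup",
    Path(os.environ.get("USERPROFILE", "")) / "Apple" / "MobileSync" / "Backup",
    Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup",
]


def manifest_is_encrypted(manifest_bytes: bytes) -> bool:
    """Return True only if the Manifest.plist explicitly says the backup is encrypted."""
    manifest = plistlib.loads(manifest_bytes)
    return bool(manifest.get("IsEncrypted", False))


def audit_backup_root(root: Path) -> list:
    """Return (backup_dir_name, encrypted) for every backup directory under root."""
    findings = []
    if not root.is_dir():
        return findings
    for entry in sorted(root.iterdir()):
        manifest_path = entry / "Manifest.plist"
        if not (entry.is_dir() and manifest_path.is_file()):
            continue  # not a backup directory
        try:
            encrypted = manifest_is_encrypted(manifest_path.read_bytes())
        except Exception:
            # Unreadable or malformed manifest: treat as unencrypted so it is
            # surfaced for manual review rather than silently skipped.
            encrypted = False
        findings.append((entry.name, encrypted))
    return findings


def unencrypted_backups(roots=None) -> list:
    """Paths (as strings) of backups whose manifest does not claim encryption."""
    roots = roots or DEFAULT_BACKUP_ROOTS
    result = []
    for root in roots:
        for name, encrypted in audit_backup_root(Path(root)):
            if not encrypted:
                result.append(str(Path(root) / name))
    return result


def make_sample_backups(root: Path) -> None:
    """Create constructed sample backups under root for a demonstration run.

    The directory names stand in for device UDIDs; the plist contents are
    made up and hold only the keys this script needs.
    """
    samples = {
        "AAA": {"IsEncrypted": True, "Version": "10.0"},   # encrypted: fine
        "BBB": {"IsEncrypted": False, "Version": "10.0"},  # unencrypted: exposed
        "CCC": {"Version": "9.2"},                         # key absent: treated as exposed
    }
    for name, manifest in samples.items():
        (root / name).mkdir(parents=True, exist_ok=True)
        (root / name / "Manifest.plist").write_bytes(plistlib.dumps(manifest))
    (root / "not-a-backup").mkdir(exist_ok=True)  # has no Manifest.plist; ignored


if __name__ == "__main__":
    # Usage: python audit_backups.py [backup_root ...]
    # With no arguments the default roots are scanned; with --demo a
    # constructed sample tree is created in a temporary directory and scanned.
    if sys.argv[1:] == ["--demo"]:
        import tempfile
        demo_root = Path(tempfile.mkdtemp())
        make_sample_backups(demo_root)
        roots = [demo_root]
    else:
        roots = [Path(p) for p in sys.argv[1:]] or DEFAULT_BACKUP_ROOTS
    hits = unencrypted_backups(roots)
    for path in hits:
        print("UNENCRYPTED backup:", path)
    sys.exit(1 if hits else 0)
```

The script exits non-zero when any unencrypted backup is found, so it can run from an endpoint compliance job; a backup whose manifest lacks the key or cannot be parsed is reported rather than assumed safe. Remediation is to enable encrypted backups in iTunes or Finder and delete the old unencrypted backup directories.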

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.


Why people are lugging around their sensitive information every single day

Walking down the street, have you ever seen a woman pushing a wheelbarrow filled to the brim with photos? Have you ever watched a man push a cart overflowing with letters and envelopes? How about a backpack stuffed with rolodexes?

As weird as that all sounds, if you’ve seen a person walking down the street and looking at their phone you have seen exactly what we’ve described. Here’s what we mean:

Those photos in that wheelbarrow, the letters, the rolodexes? They’re representative of the large amounts of data that live on a mobile device. Mobile devices carry around and access so much more information than we realize. It’s the password or fingerprint you use to access your device and all your accounts. The photos of your child’s first birthday. The financial and customer records you access through apps. The personal information you hide in your notes.

You trust this information to your phone or tablet because these devices make your life simpler, more connected. They help you navigate better, inspire you to stay healthy, give you faster and smarter ways to complete your work, and quicker access to your financials — and these are just a few ways mobile devices have helped people all around the world.

Indeed, in many countries phones and tablets act as a primary and portable computing device — cheaper and more reliable in many cases than PCs.

Our lives have become mobile, but with great power comes great responsibility. Sensitive information, or data, is money to a criminal. Check out this article from a past talk at Def Con (the world’s largest hacker conference) about the underground markets where much of this data is sold.

So if your data is increasingly mobile, shouldn’t your security be too?

To learn about how Lookout protects individuals’ mobile devices, read more here. Interested in learning about our Mobile Threat Protection for enterprises? Read more here.


Perimeter Inversion: Turning Digital Security Inside Out

We need security solutions that are designed from the ground up to operate in today’s dynamic environment.

The idea of a network perimeter is quickly morphing into something more complicated. We work outside of the corporate network on our own devices, storing and moving things through clouds of applications, storage, and service providers. How will security change in the next few years to adapt to this new reality?

Almost since its inception, digital security has followed a perimeter model, which may seem like the Maginot Line of cybersecurity. We are spending more and more time outside the firewall, so we need to think beyond it. At the same time, attackers are finding new vulnerabilities to get under the walls, developing new techniques to get around them, and finding softer targets with valuable assets to compromise. With the wide scale adoption of server virtualization and cloud computing, the concept of an enterprise data center has evolved into private and hybrid clouds that span on-premises and cloud-hosted servers in a seamless fashion.

The new security model needs to follow the data and users, as well as their devices and services. This does not mean that security will be completely cloud-based, with no on-premises component. Cloud computing and storage will still incorporate a perimeter and access approach, as will the data center. The data center needs to shift focus from servers to applications and data, which move in a dynamic manner with decreasing emphasis on location or ownership of hardware. But it will have to augment this with multiple vantage points of traffic flows, analytics, and collaborative intelligence. Encrypted communications make it difficult for firewalls to inspect individual traffic flows, increasing the importance of multiple perspectives.

This is strikingly similar to the physical security world we find around us. Attackers are not defined by physical borders, so defenses need a much higher level of collaboration, large volumes of intelligence, and powerful analytics to pull insight out of the noise and chatter.

Real-Time Security

The key to successful security operations in the new data center is real-time dynamic provisioning and orchestration. Security must follow the data, follow the application, and follow the user. One approach is a dynamic perimeter that forms around every flow. The network is no longer static or deterministic; it has become fluid, and security needs to be agile. This means implementing cloud security solutions that can redirect flows between endpoint devices and applications for inspection, analysis, and prediction. These solutions need to ask, “Is this normal activity between this device/location/user/application?”

With mobile users and IoT devices connecting directly to the cloud, the new model means securing the channel between endpoints and applications, not just with encryption but by watching out for attacker redirection and man-in-the-middle attacks that could disrupt devices or data enough to affect your operations. Encryption and tokenization become critical when corporate data is stored on shared resources in hybrid or public clouds. Data must be secured both at rest and at all points of the flow to protect it from hardware or virtualization exploits. Identity and policy management will become extremely important in such a dynamic environment, defining and enforcing policies that prevent sensitive information such as personally identifiable data or health details from straying outside of secure locations and devices.

Another approach to real-time dynamic provisioning and orchestration is shrinking the perimeter around each individual device, forcing the devices to protect themselves. Many devices will not have the compute power necessary to do this, requiring a mix of hardware-enabled trust and cloud-based processing.

Perhaps the most important part of this new security model is the analytics necessary to put together multiple observations from different agents at varying points in the cloud into a cohesive picture that can differentiate signal from noise, without an overwhelming number of false positives.

An interesting analogy to this method is how airplane flight control systems were developed. Different developers in different locations, using different languages and algorithms running on different hardware, built independent systems for the same set of controls. In operation, the airplane would act only when multiple systems agreed within tolerance. In security, this approach not only reduces false positives, it makes it far more difficult for attackers to develop threats that evade detection, because multiple independent detection algorithms are in use at any time.

We need to build security solutions that are designed from the ground up to operate in this new dynamic environment: Multiple perimeters, hardware-based trust, and cloud-scale analytics fuelled by large volumes of shared threat intelligence must enable local and cloud-based agents to detect and disrupt attacks at machine speeds. 

Michael Sentonas is the Chief Technology and Strategy Officer, APAC for Intel Security. Michael has been with the company for fifteen years, previously holding leadership roles such as VP and Chief Technology Officer of Security Connected, VP and CTO for Asia Pacific and, …


Four critical Android flaws fixed in monthly Nexus patch update


Google has fixed 16 security vulnerabilities in Android, four of which it rated “critical.”

The search and mobile giant said earlier this year it will release monthly security patches to ensure devices are protected against the latest security flaws. On Monday the company released its fifth monthly release so far for all Nexus devices.

Google said the most severe bug (CVE-2015-6619) is rated at the highest “critical” level due to the possibility of a “permanent device compromise” that could only be repaired by reflashing the Android software.

The bug, which affects all versions of Android, was reported earlier this year. It could allow an attacker to remotely run code by exploiting a flaw in the system kernel.

Google said it had “no reports of active customer exploitation” of these new issues.

The remaining “critical” bugs relate to media file processing.

One of the bulletins (CVE-2015-6616) said an attacker could be allowed to remotely run malware; the flaw could be triggered by sending an MMS with a specially-crafted media file to an affected device, leading to memory corruption.

The critical flaw targets a core part of the Android software, which has access to permissions that third-party apps cannot normally access, the advisory said.

All versions of Android are affected by three of the bugs in the bulletin.

A similar flaw (CVE-2015-6617) affects all versions of Android, which could lead to an attacker running malware by sending an MMS with a specially-crafted media file to an affected device.

Other highly-rated vulnerabilities affect Bluetooth, the media processing service, audio file processing, and how Android handles Wi-Fi.

Nexus devices will get the security updates first, while other Android manufacturers — Samsung, LG, and BlackBerry — will follow suit in the coming days.

Brazen North American Cyber Underground Offers DIY Criminal Wares For Cheap

Inexpensive and easily accessible cybercrime products and services, as well as drugs, counterfeit documents, and weapons, cater to would-be and existing criminals, new report says.

You don’t have to be a stealthy hacker or member of organized crime to buy and sell goods in the North American cyber underground: it’s a wide open, easily accessible cyber marketplace that makes it easy for anyone to illegally buy weapons, crimeware, and botnets.

What sets the North American underground economy apart from that of Russia and other more stealthy cyber-based crime conduits is that it’s easy for novices to access — there’s none of the restricted access found in the Russian underground. That makes it easy for anyone to conduct cybercrime or obtain the tools for physical crime, a new report from Trend Micro has found.

“It’s more of an Amazon [type] shopping mall for goods and services, a one-stop shop for anything nefarious,” says Tom Kellermann, chief cybersecurity officer at Trend Micro.

Many of the underground sites studied by Trend Micro are searchable via the Web. All it takes is the right search query, and a novice can access what he or she needs to perform criminal acts, such as guides for how to use VPNs or TOR for nefarious purposes, and goods and services for cybercrime (stolen payment card information), physical fraud (fake passports), drugs, and even murder. “You can get ransomware in the US for $10,” Kellermann notes.

But the brazen openness of the North American cyber underground also means it’s in the sights of law enforcement, a tradeoff the peddlers and buyers seem willing to risk. They get around getting busted by constantly changing up their sites: “Although several criminal transactions are done out in the open, they are very fickle. The life span of most underground sites is short. They could be up one day and gone the next. Investigations will have to keep up with this fast pace,” Trend Micro’s report says.

There’s also rampant competition among the vendors, which has made the purchase of these wares relatively inexpensive.

[When you think cybercrime, Japan probably isn’t top of mind. But like anywhere else, the bad guys there are following the money, and an emerging yet highly stealthy underground economy is growing in Japan. Read Japan’s Cybercrime Underground On The Rise.]

One of the trademark offerings in the North American underground is crypting services, which offer bad guys a way to camouflage their malware from anti-malware systems. They submit their malware, and the providers check it against security tools and then encrypt it such that it’s no longer detectable. That service is available from $20 for a one-shot deal to $1,000 for a monthly offering.

The Xena RAT Builder crimeware kit is priced anywhere from $1 to $50, and offers two levels of customer service: silver ($15) and gold ($20). Gold encrypts the output so it’s undetectable. Would-be cybercriminals can buy a worm for between $7 and $10; botnet or botnet-builder tools for between $5 and $200; ransomware for $10; and the Betabot DDoS tool for $74.

There also are DDoS-as-a-service options, which start as low as $5 for 300 seconds of a 40 gigabits-per-second DDoS attack, to $60 for a 2,000-second 125Gbps DDoS. Bulletproof hosting services are also available for $75 per month.

A phony US passport costs $30, and a phony US driver’s license, $145, Trend Micro’s researchers found.

“They’re [the sellers] trying to enable anyone with criminal intentions. That’s problematic,” Trend Micro’s Kellermann says. “It speaks to more crime having a duality to it, and with cyber-components.”

Unlike the Russian underground, North America’s has no organizational structure, he says. “Germany’s is the most sophisticated in operational security … Russia is selling the most zero-days and advanced attack platforms.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …
