Category Archives: Phishing

The Security of the Small Business


In the United Kingdom, as in many other economies around the world, smaller businesses are the lifeblood of national prosperity. In essence SMEs *are* the private sector: according to the Department for Business, Innovation & Skills, they employ more people (60% in the UK in 2014) and generate almost half the total turnover of the private sector (48% in the UK in 2014).

Given the importance of these businesses to the UK economy, Trend Micro decided to attempt to discover just how ready many of these businesses are for the potentially devastating consequences of compromise.

Small businesses represent an attractive target for online criminals for several reasons. Many of them hold or process a large amount of personal information: identities, legal, financial and medical records, just for example. They also have less convoluted financial and banking arrangements, making them easier to exploit with traditional banking malware whilst also being less likely to be compensated for any fraudulent transactions. Quite aside from the dangers of information or financial theft, small and medium businesses are increasingly in the sights of sophisticated criminals looking for ways into larger organisations. In an attack technique that has become known as “island hopping”, determined attackers seek out the smaller business partners of their eventual target in the hope that they will be less security savvy and less well-protected. Fazio Mechanical Services has become the unfortunate poster child of the island hopping attack ever since it was used as a stepping stone to the huge Target data breach in late 2013.

So what did we discover?

We interviewed 500 key decision makers and business owners in UK SMEs to compile the research. Amazingly, only half of them said they rely on internet security tools to protect their organisation from cyber attack. In addition, just 44% said they knew how to check if their laptops, mobiles or tablets had been infected with malware. Three-quarters (74%) admitted to not fully understanding the legal implications of a cyber attack, while 67% said the same was true of the financial implications of an attack.

Tellingly, just 18% said they thought their data was worth stealing.

What now?

It isn’t only the internet security industry that is sounding the alarm and offering assistance to SMEs. The UK government too has recognised the threat. Last month Ed Vaizey, the Digital Economy Minister, outlined how the voucher scheme operated by the government’s Technology Strategy Board, Innovate UK, would be extended to cover cybersecurity. This scheme offers businesses the chance to apply for £5000 in funding for specialist advice to help better secure their businesses and digital assets. Unfortunately, right now there isn’t enough in the pot to cover every application, so lucky recipients are selected in a random draw on a quarterly basis. Still, as they say, you’ve got to be in it to win it…

In the meantime, the key to online security lies in the selection of a trusted security partner. As a small business, your core skills are not in cyber security or network or system administration. You are focussed on growing your business, on being successful and on being the best in your field, and rightly so.

There are other small and medium businesses like yours who are striving to be the best in their field too and their field is security. A specialist partner, providing a managed security service, will be able to provide you with the assurance and peace of mind that you need to focus all your efforts on success and who knows… You may even get the funding!

The research was conducted on behalf of Trend Micro via Vital Statistics, which sampled 500 UK business owners and decision makers in August 2015.

Small Business Advice Week runs from 31st August to 6th September 2015. More information can be found here: www.smallbusinessadviceweek.co.uk

Superfish (and chips) or Super Phish?

 


UPDATE: The private key and associated password which enable 3rd party (i.e. attacker) MITM attacks have successfully been extracted. This means that an attacker on the same network as a compromised machine will be able to intercept any supposedly SSL encrypted traffic.

UPDATE 2: Trend Micro detects the associated files as ADW_LOADSHOP and ADW_SUPERFISH. On compromised machines where a detection is made, the Superfish certificate will still need to be removed manually, as detailed at the end of this post.

UPDATE 3: Lenovo have now posted their own advisory on the “Superfish vulnerability” containing details of which models are affected and removal instructions for both the application and the associated certificate.

UPDATE 4: Lenovo have made support tools available to remove both the Superfish application and the certificate.

___________________________________________________________________________________________________

When the bad-guys get into the production line it’s really bad news, and rightly so. We’ve already seen stories about the e-cig charger that ships with malware preinstalled, the digital photo frame and many others. But what about when the manufacturers themselves start acting like bad-guys, whether out of malice or ignorance?

User reports are now emerging online that PC manufacturer Lenovo is shipping certain versions of its consumer laptops with the ironically named software “Superfish Visual Discovery” preinstalled at the factory, and that this software has capabilities far beyond the simple “adware” that you may have (unfortunately) come to expect from some manufacturers out there.

This spyware (we’ll discuss my use of that term in a second) has been shipping with Lenovo laptops for some time. In fact, back in January a Social Media Program Manager at Lenovo confirmed that Lenovo was putting a “temporary” hold on shipping this spyware, due to “some issues”. Of course that doesn’t stop units already in the distribution chain from shipping pre-compromised.

What does Superfish do that is SO worrying?

Among its bag of usual adware type tricks, Superfish also installs its own self-signed Root Certificate Authority. In layman’s terms this means that Superfish can generate any certificate it wants, which will be trusted by your browser as entirely legitimate, allowing it to impersonate any destination on the internet. These sites are normally protected by strong encryption for your security, and usually only the other party in the conversation (your bank, Facebook, your email account or an online store, for example) is able to decrypt this privileged content.

By generating self-signed certificates, Superfish is able to perform a Man-in-the-Middle attack, masquerading as any of these secure destinations, and intercepting otherwise privileged communications. All this without ringing a single visual (or other) alarm bell on your PC or in your browser, because it is acting as a “trusted” root certificate authority. Worse still, the certificate they install uses SHA-1 (deprecated since 2011) and 1024-bit RSA keys (outdated since 2013), and it uses the same Root CA private key on *every* Lenovo laptop, opening up the possibility of attacks against the certificate itself for widespread criminal abuse.

Images are already cropping up on Twitter showing the potential implications of this functionality.

Worse still, it seems that a simple removal of Superfish does not remove this associated root certificate, leaving the computer open to further compromise such as eavesdropping or phishing, through misuse or misappropriation of the certificate’s private key.

Affected users will need to first manually remove the Superfish application and subsequently to revoke and remove the Superfish root certificate. Here is a list of root certificates that are necessary for Windows and a link to certificate removal instructions.
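
An added example, not from the original post or from Lenovo's tools: a PowerShell audit of the Windows trusted-root stores for the leftover root certificate described above, which also reports each root's signature algorithm and RSA key size. It assumes the certificate can be recognised by the string "Superfish" in its subject or issuer; the function names are hypothetical.

```powershell
# Added example. Assumption: the root is recognisable by "Superfish"
# in its subject or issuer name. Function names are hypothetical.
function Get-RootCertAudit {
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$NamePattern = 'Superfish'
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SigAlg     = $sigAlg
                RsaBits    = $bits
                NameMatch  = ($cert.Subject -match $NamePattern) -or ($cert.Issuer -match $NamePattern)
                WeakRsaKey = ($null -ne $bits) -and ($bits -lt 2048)
                Sha1Signed = $sigAlg -match 'sha1'
                PSPath     = $cert.PSPath
            }
        }
    }
}

function Remove-NamedRootCert {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$NamePattern = 'Superfish')
    Get-RootCertAudit -NamePattern $NamePattern | Where-Object { $_.NameMatch } | ForEach-Object {
        $target = "$($_.Subject) [$($_.Thumbprint)] in $($_.Store)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove root certificate')) {
            Remove-Item -Path $_.PSPath
        }
    }
}

# Report name matches first, then any root with an RSA key under 2048 bits.
Get-RootCertAudit | Where-Object { $_.NameMatch -or $_.WeakRsaKey } |
    Sort-Object NameMatch -Descending |
    Format-Table Store, Subject, SigAlg, RsaBits, NameMatch -AutoSize

# Dry run of the removal; drop -WhatIf (elevated shell for LocalMachine) to apply.
Remove-NamedRootCert -WhatIf
```

The report only covers the Windows certificate stores; applications that keep their own trust store need to be checked separately.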

Longer term, I believe manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option i.e. with no operating system pre-installed. Not only would this reduce cost to the user, it would also increase freedom of choice of Operating System and hand full control back to the owner of the device.

Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities; the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments, would be a *very* bad idea right now; expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images but the reality of many of these images, confirmed in some cases by the victim’s agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide scale “hack” of Apple’s iCloud is unlikely; even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1 – (Least likely) All the celebrities affected had weak, easy to guess, passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two-factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity than it is for you and me.

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled, through oversupply. Of course if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth; it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh, and the other thing: stop taking naked photos.