Malware Infections Grow 4X In Just One Quarter

The world’s hackers have been busy, according to the latest quarterly threat report from Comodo, which tracks the total number of malware detections around the globe. The Q3 2017 figures are alarming, showing a massive jump in the number of infections reported: nearly 400 million in a single quarter.

What’s worse is that the infections have spread to literally every corner of the globe. No nation is completely safe.

Digging more deeply into the statistics offered by Comodo, we find that the top five countries for malware infections this quarter were:

  • Russia
  • The United States
  • Poland
  • The United Kingdom
  • And Germany

These five nations combined accounted for fully 80 percent of the total number of infections reported.

Breaking the infections down by type, we find the following as the top 5:

  • Trojans (13.7 million)
  • Viruses (5.4 million)
  • Worms (2.8 million)
  • Backdoors (553,000)
  • And Packed Malware (284,000)

Diving even more deeply into the statistics yields further useful detail, including the fact that poorer nations tend to be afflicted more often by viruses and worms, since those countries tend to run older, unpatched or unlicensed software. These types of infections run rampant in Southeast Asia, Southeastern Europe, Africa and South America.

The report also notes that the number of large-scale email phishing campaigns is on the rise, due in no small part to the popularity of Locky and other ransomware strains delivered that way, with the largest single campaign running from August through September 2017. According to the report:

“This attack was unique in its combination of sophistication and size, backed by a botnet spread across more than 11,000 IP addresses in 133 countries in just the first stage of the attack. Also, the malware was designed to avoid detection by sandboxing and artificial intelligence technologies common in many endpoint protection systems.”

All in all, it’s a fascinating, though disturbing read, and points to the rapidly increasing sophistication of the world’s hackers that will no doubt continue to spell trouble for security professionals around the globe.

Granting Camera Access In iPhone Might Allow Unauthorized Photographing

An Austrian software engineer named Felix Krause has made a disturbing discovery about iPhones running iOS 11. Once an app has been granted permission to access the device’s camera, it can take pictures and videos without alerting the user and upload them to the internet in real time, for as long as the app is in the foreground.

Unfortunately, a lot of apps end up with camera permission. Any app that lets you take a new avatar photo, snap a picture for a post or send a photo in a chat has to ask for camera access, and most users grant it without a second thought. (Picking an existing picture from your library is a separate permission, Photos, and does not grant camera access.)

Krause documented his findings in a short video presentation. As long as an app with camera permission was in the foreground, it could take a photo every second from the front or back camera, with no indicator of any kind to tell the user what was going on.

Krause was quick to point out that he wasn’t naming names and that, so far at least, there are no known instances of a malicious app abusing this behaviour, nor of a legitimate app misusing it. The simple fact that it is possible, though, opens the door to a whole host of apps that could, and that’s disturbing.

For the moment, there are really only two ways to address the issue: either review your apps’ permissions (Settings > Privacy > Camera lists every app that has camera access, and each one can be switched off there) and revoke access from any app that doesn’t need it, or use lens covers so that the front and back cameras can’t record anything unless you specifically want them to.

Longer term, there are a number of things Apple could do to address the issue. The two simplest fixes would be expiring permissions (camera access granted for a single session rather than forever, which gives users more precise control), or an LED or on-screen indicator that activates any time the camera is in use, giving the user a clear visual marker.

In any case, for the moment, it’s important to know that your phone may be watching and/or recording you.

More Bad News For OnePlus Phone Users

OnePlus phones have been getting plenty of bad press lately, thanks to malicious apps found to be factory-installed on a percentage of the devices, along with some intrusive data collection features the manufacturer has installed. As it turns out, though, the story gets worse.

Recently, a security researcher using the alias “Elliot Alderson” (Robert Baptiste) found a factory-installed application called EngineerMode (package name com.android.engineeringmode, a Qualcomm diagnostic tool) that can run a series of intrusive hardware diagnostic routines and can even be used to root the device. What’s worse is that security flaws in the app make that easy for an attacker to exploit.

Alderson believes that the likeliest explanation for the app’s presence is that it was a diagnostic tool used at the factory to test OnePlus phones prior to shipment and was never removed from the production image, leaving OnePlus users at real risk of losing control over their devices and any data stored on them.

According to Alderson, all an attacker needs is physical access to the phone. Once he has it in hand, a single command sent to the app over adb is enough to root the phone. Other researchers have independently verified Alderson’s findings. Since he first published them, OnePlus has admitted the mistake and promised to remove EngineerMode from all of its phones in a future update, although no ETA has been given for when that might occur.

If you currently own and use a OnePlus phone, be aware of this and use it with caution. Keep an eye out for the manufacturer’s update that removes the “feature”. If you’d rather not wait, note that EngineerMode is a system app, so the Settings app will at most let you disable it rather than uninstall it; removing a system app for the current user is done from a computer with adb and the package manager, the same way any other bloatware is stripped.

Physical security of smart devices has always been vitally important, but in the case of the OnePlus, that’s doubly true. Keep it close!

New Ransomware “BadRabbit” Starting To See Infections In The US

You may not have heard of the new strain of ransomware known as BadRabbit. If you haven’t, it’s because the overwhelming majority of BadRabbit attacks have occurred in Russia, which accounts for 71 percent of all known infections at present. Unfortunately, a handful of infections have also been reported in the United States, which may be a harbinger of things to come.

The new threat is functionally similar to NotPetya: it encrypts the files on a target system, then encrypts the disk and replaces the bootloader (using a bundled copy of the open-source DiskCryptor driver) so that the victim gets a ransom lock screen before the OS can even boot. It arrived as a fake Adobe Flash Player update served from compromised websites, and once inside a network it spreads over SMB using harvested and hard-coded credentials.

Fortunately, there are simple things you can do to help protect yourself from this latest threat.

Event Log Monitoring

Windows Defender Antivirus recognizes the threat (as Ransom:Win32/Tibbar.A) as of definition version 1.255.29.0. If your definitions are older than that, update them immediately.

Once that is done, be aware that BadRabbit registers scheduled tasks named “rhaegal” (which starts the disk encryptor), “drogon” (which forces the reboot into the lock screen) and “viserion_” followed by a number. Any of these appearing on a host is a clear sign of an infection in progress. The Task Scheduler operational log records every newly registered task (event ID 106, which carries the task name), so administrators can attach a scheduled task of their own to that event and have it run a response command. The standard one is “shutdown -a”, which cancels the pending reboot and keeps the machine out of the boot-time lock screen. Be clear about what that buys you: the file encryption already running in the background is not stopped, so the host still has to be isolated and restored from backups. A pre-emptive measure that circulated the same week is to create the two files the dropper writes, C:\Windows\infpub.dat and C:\Windows\cscc.dat, as empty read-only files with all permissions removed; this sample’s installer then fails before it encrypts anything.
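The detection and response described above, as an added example that is not part of the original article: a PowerShell script for Windows 8/Server 2012 or later (it needs the ScheduledTasks module and must run elevated). The task names, the viserion_<number> form, and the two vaccine file names come from the public BadRabbit analyses; the task name BadRabbit-Response and the -Isolate switch are this example's own choices.

```powershell
#Requires -RunAsAdministrator
param([switch]$Respond, [switch]$Isolate, [int]$PollSeconds = 0)

# Names registered by the sample; viserion_ carries a numeric suffix.
$BadRabbitTaskPattern = '^(rhaegal|drogon|viserion_\d*)$'
$TaskLog = 'Microsoft-Windows-TaskScheduler/Operational'

function Find-BadRabbitTasks {
    # Registered tasks whose names match the pattern (nothing if the host is clean).
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -match $BadRabbitTaskPattern }
}

function Invoke-BadRabbitResponse {
    $tasks = @(Find-BadRabbitTasks)
    if ($tasks.Count -eq 0) { return $null }

    # 1. Cancel the pending reboot first: that is what keeps the machine out of the
    #    boot-time lock screen. File encryption already running is not affected.
    shutdown.exe -a 2>$null

    # 2. Remove the tasks so the reboot cannot be rescheduled by "drogon".
    foreach ($t in $tasks) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }

    # 3. Optionally take the host off the network so the SMB spreader stops.
    if ($Isolate) { Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false }

    # Return what was found so the caller can log or ticket it.
    $tasks | Select-Object TaskName, TaskPath,
        @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

function Install-BadRabbitVaccine {
    # Pre-create the two files the dropper writes (infpub.dat is the main payload,
    # cscc.dat the DiskCryptor driver) so that its own write fails.
    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        icacls.exe $path /inheritance:r /deny 'Everyone:(F)' | Out-Null
    }
}

function Register-BadRabbitWatcher([string]$ScriptPath) {
    # Event-driven variant: rerun this script with -Respond whenever Task Scheduler
    # logs event 106 ("task registered") for one of the fixed names. The Windows
    # event XPath subset has no substring functions, so the viserion_<n> variant is
    # covered by the polling mode (-PollSeconds) rather than by this trigger.
    wevtutil.exe sl $TaskLog /e:true
    $query = "*[System[EventID=106]] and *[EventData[Data[@Name='TaskName']='\rhaegal' or Data[@Name='TaskName']='\drogon']]"
    schtasks.exe /Create /F /RU SYSTEM /TN 'BadRabbit-Response' /SC ONEVENT /EC $TaskLog /MO $query `
        /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Respond -Isolate"
}

if ($Respond) {
    Invoke-BadRabbitResponse
} elseif ($PollSeconds -gt 0) {
    # Polling mode: check every N seconds, respond once, then exit.
    while ($true) {
        if (Invoke-BadRabbitResponse) { break }
        Start-Sleep -Seconds $PollSeconds
    }
} else {
    # Default: report only.
    Find-BadRabbitTasks | Select-Object TaskName, TaskPath
}
```

Run it with no arguments to audit a host, with -PollSeconds 5 on a machine you are watching, or call Register-BadRabbitWatcher with the script's own path to wire the response to the event log. Install-BadRabbitVaccine is deliberately not run automatically, since denying Everyone on two files under C:\Windows is the kind of change that belongs in change control.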

Obviously, this stuff can be quite complicated. We would highly recommend you reach out to us to not only scan your network, but to also evaluate your entire network for potential threats or vulnerabilities. Ransomware is a real threat that is literally shutting down businesses, and this is on a global scale. If you aren’t being proactive against hackers, you can easily find yourself locked out of your own network.

BadRabbit is just the latest in hackers’ arsenal of ransomware and threats on your network. If you are as concerned as we are, give us a quick call.

Large Number Of HP Models May Have Keyloggers

HP is in the news again. If you missed the initial story, earlier in the year (May 2017, reported by the Swiss firm modzero) a Conexant audio driver pre-installed on a number of HP laptops shipped with a component, MicTray64.exe, that logged every keystroke to a world-readable file, C:\Users\Public\MicTray.log. Once discovered, HP issued a patch that removed the keylogging function and deleted the data file.

Now, an independent security researcher going by the name “ZwClose” has found a second keylogger built into the touchpad driver shipped on some 460 HP notebook models and counting.

At issue is the SynTP.sys file, an integral part of the Synaptics touchpad driver that ships with a great many HP notebooks. It contains a leftover debug trace that records keystrokes. The trace is disabled by default, but an attacker who can change one registry value can switch it on and then read the keystrokes with freely available open source tracing tools.

After HP was notified, the company released a security advisory, which included the following:

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners. A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

Since the release of the security advisory, HP has issued a driver update that removes the code for all affected models, so from a business and security standpoint the only remaining action is to confirm that the updated Synaptics driver is actually installed on your HP fleet.

In an era where privacy on the internet is under increasingly intense assault, however, it’s worth noting that this is the second time an issue like this has been tied to HP equipment, and that’s concerning.  Privacy matters, and if you’re concerned about it, then two such issues might be enough to make you start looking at some other vendor when it comes time to start replacing or upgrading your equipment.

Google Can Still Track You With Location Services Disabled

Google recently found itself in a bit of hot water after an investigation by Quartz revealed that modern Android devices had been sending the identifiers of nearby cell towers, which amount to a record of the device’s location, back to Google regardless of the user’s settings. That’s billions of devices all over the globe.

There are many instances when there’s an expectation that location data can and will be tracked. In fact, one of the most commonly used features of smartphones in general (GPS and directions) demands it.  After all, Google Maps can’t tell you how to get where you’re going if it doesn’t know where you are to begin with, so that’s all fine and good.

The problem, as revealed by the investigation, is that since the beginning of 2017 Android devices had been collecting this cell-tower data and sending it to Google whenever they had an internet connection. This was happening even if the user took a series of frankly heroic measures to prevent it, including turning off location services, not allowing any app to access their location, and even pulling the SIM card from the phone.

The practice, as Quartz rightly pointed out, goes far beyond any reasonable expectation of consumer privacy and is wildly intrusive.

When Quartz made inquiries of Google regarding the matter, part of the official company response, sent via email, was as follows:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that the data was immediately discarded, and we updated it to no longer request Cell ID.”

In recent years, all the major tech companies have come under fire for the vast amounts of data they collect on consumers of their products. Although Google made it clear that they were formally ending the practice, the current climate makes their intrusive data collection effort (which, again, went completely undetected for the better part of a year) even more disturbing, especially given the lengths the company has gone to in an effort to position themselves as champions of user privacy.

Popular Android Keyboard App Collected Private Information, Has Been Breached

How many apps do you have on your smartphone? Do you know how much data they’re collecting about you?

Most people have scores of apps installed (and often hundreds), even if they only use a few on a regular basis, and shockingly, most users have no idea just how much information those apps are collecting about them.

However much you imagine, the answer is probably “more.”

This point was driven home painfully, courtesy of a recent discovery by a team of researchers at the Kromtech Security Center. They found a completely unsecured MongoDB database online, a staggering 577GB in size, owned by an Israeli startup called AI.type, makers of a virtual keyboard app of the same name.

The information it contained is simply mind boggling.

Not only does it contain personal information on 31 million of the app’s 40 million users, but the database contents reveal just how intrusive AI.type actually is. The data includes:

  • Each user’s full name, email address and phone number
  • What OS version the user is running (the exposed records came from the app’s Android users)
  • Each user’s nation of residence, mobile network name and what languages each user has enabled
  • IP and GPS location data
  • All information included with each user’s social media profiles, including birthdays, photos, posts, etc.
  • Each user’s device name, the make and model of their smartphone and screen resolution

As if that wasn’t enough, the research team also discovered that each user’s contact list had been scraped (including names, email addresses and phone numbers), and that the company was tracking a whole range of internet behaviours, including Google search queries, the number of messages sent per day, the average length of those messages and more.

Obviously, there’s no reason a keyboard app needs this level of information about its users; the most plausible explanation is that it is being collected for resale or ad targeting. If you use the app, be aware that the company knows almost everything about you and everyone you’ve been in contact with on your phone, and now, so does anyone who found that database before Kromtech did.

USB Drives Could Be Huge Factor In Data Loss, Theft

Most people agree that the use of USB drives increases efficiency and boosts productivity, which goes a long way toward explaining their popularity, but these handy little drives can also be problematic.

According to a recently published survey by Apricorn, 87 percent of employees surveyed report that they have lost or had a USB drive stolen and failed to notify their employer. Worse, 80 percent of employees surveyed reported using non-encrypted USB drives that they’ve often acquired for free at trade shows or conferences.

The fact that these drives are unencrypted is bad enough, but there’s another, even more frightening dimension to the problem. A free drive from a trade show could arrive pre-loaded with malware, which reaches your company’s network the moment it is plugged into any office machine.

Apricorn had this to say about the results of the survey:

“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations, and what is leaving.

Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission. Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”

Although the company notes that there is an awareness of the damage that lost or compromised data can cause, not much is being done about preventing that loss, at least where the use of USB drives is concerned. According to the survey, fully half of the respondents indicated that they didn’t need to seek permission to use a USB drive to copy or transport potentially sensitive information.

Does your company have a robust set of policies in place to control the use of USB drives? Are all the USBs used by your employees encrypted and secure? Do you have a policy in place regarding proper reporting procedures should a USB drive go missing? Important questions, all.
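The three questions above have a technical side on Windows endpoints, shown here as an added example that is not part of the Apricorn survey or the article: allow writes only to BitLocker-protected removable drives, block executables from running straight off a removable disk, and keep an inventory of every USB storage device the machine has ever seen. The script must run elevated. The registry values are the ones the matching Group Policy settings write, so in a domain push them by GPO rather than by script; the class GUID is the disk device interface class that the "Removable Disks" policies apply to, and BitLocker To Go needs a Pro or Enterprise edition.

```powershell
#Requires -RunAsAdministrator

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$RsdPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # disk device interface class

function Set-PolicyDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-RemovableDriveControls {
    # "Deny write access to removable drives not protected by BitLocker":
    # an unencrypted trade-show stick mounts read-only, an encrypted one works.
    Set-PolicyDword $FvePolicy 'RDVDenyWriteAccess' 1
    # "Removable Disks: Deny execute access": a binary pre-loaded on the stick
    # cannot be launched from it (it does not stop a user copying it to disk first).
    Set-PolicyDword "$RsdPolicy\$DiskClass" 'Deny_Execute' 1
}

function Get-RemovableDriveStatus {
    # Drives plugged in right now and whether each one is BitLocker protected.
    $denyWrites = (Get-ItemProperty $FvePolicy -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess -eq 1
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $mountPoint = "$($_.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive        = $mountPoint
            Label        = $_.FileSystemLabel
            Encrypted    = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
            WritesDenied = $denyWrites -and -not ($bl -and $bl.ProtectionStatus -eq 'On')
        }
    }
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device Windows has enumerated on this machine, from the
    # USBSTOR tree: vendor/product from the parent key, the device serial from the
    # child key. This is the list to reconcile against a "drive went missing" report.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue | ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Device       = $device
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    }
}

Enable-RemovableDriveControls
Get-RemovableDriveStatus | Format-Table -AutoSize
Get-UsbStorageHistory    | Format-Table -AutoSize
```

The policy values take effect for drives inserted after the change (or after a gpupdate), so a stick that is already mounted keeps its current access until it is reinserted. The USBSTOR history is also what an investigator reads first when a drive is reported lost, which is one more reason to require that report.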

Android Gets Fix For KRACK WiFi Vulnerability

Last month, a new WiFi security vulnerability known as “KRACK” (key reinstallation attack) was disclosed by security researcher Mathy Vanhoef. It is about as serious as a WiFi flaw gets: by replaying a message of the WPA2 four-way handshake, an attacker within radio range can force a client to reinstall an already-used encryption key, which lets the attacker decrypt, and in some configurations inject, traffic on what is supposed to be a protected network. The attack is carried out by standing up a clone of the real access point on a different channel and relaying traffic through it, a classic man-in-the-middle position, from which anything from passive monitoring to active tampering with anyone on the network is possible. The issues were assigned CVE-2017-13077 through CVE-2017-13082 and CVE-2017-13084, -13086, -13087 and -13088.

The major tech companies were all given advance notice of Vanhoef’s research, and many responded with patches almost immediately after it was published. Apple, for example, released its KRACK patch at the end of October.

Microsoft was even quicker, quietly shipping a fix in its October Patch Tuesday release before Vanhoef’s research was even published.

In that regard, Google has been a bit behind the curve, but as of this month’s Android Security Bulletin the company has at last provided a fix for the issue.

This month’s bulletin is spread over the following three security patch levels:

  • 2017-11-01
  • 2017-11-05
  • And 2017-11-06

The fix for the KRACK issue is contained in the last one.

If your Android device is set to receive security updates automatically, there may be nothing for you to do, but only if your manufacturer or carrier has actually shipped the November bulletin for your model. Check Settings > About phone: the “Android security patch level” needs to read 2017-11-06 or later.

If you tend to take a skeptical view of automatic updates, then at the very least be sure to get to the 2017-11-06 patch level. If you don’t, you’re probably putting your organization at unnecessary risk. If you want to check whether you’re vulnerable before applying the update, you can do that too. Vanhoef released his proof-of-concept code and test scripts on his GitHub account, and since then an interested third party has developed a tool aptly named “Krack Detector” that you can use to see if you need the fix.

Either way, it’s worth looking into, and something your team should make a priority.

Issue With Android Could Let Someone Record Screen And Audio

Do you have an Android phone? Is it running Lollipop, Marshmallow or Nougat (Android 5.0 through 7.1)? Those three account for slightly more than 75 percent of the Android phones in service today, so odds are excellent that you do. If so, you should be aware of a nasty vulnerability that could allow an attacker to perform at-will screen captures and audio recording without your knowledge.

The issue resides within Android’s MediaProjection service. The reason it has only recently become an issue is that prior to Android Lollipop (version 5.0), third-party apps couldn’t use it: screen capture required root-level access and the app had to be signed with the device’s release keys, which meant that only system-level apps deployed by Android OEMs could capture the screen.

That changed with the release of Lollipop, which opened the service up to any app. Unfortunately, when Google relaxed access, it didn’t put the service behind a permission that apps would have to request from the user. All a third-party developer needs to do is launch the intent returned by MediaProjectionManager.createScreenCaptureIntent(), which shows a System UI popup warning the user that an app wants to capture the screen and/or audio.

Here’s the problem, though. Security researchers found that an attacker could tell when the system popup was about to appear and draw a window of their own on top of it (the classic overlay, or tapjacking, trick). The user then sees some innocuous prompt, taps through it, and never learns that screen captures and audio recordings are in progress.

Since the discovery of the flaw, Google has released a patch that addresses it. Unfortunately, the patch only applies to Android Oreo (8.0). Phones on older versions remain vulnerable unless their manufacturer ships a fix.

If there’s one saving grace, it is the fact that the attack is not completely stealthy, and observant users will note the screencast icon in the phone’s notification bar. It’s far from perfect protection, but it’s something, so be aware if you’ve got an older Android phone.
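Three of the items above reduce to questions an administrator can ask a phone over adb: does it carry the 2017-11-06 patch level (KRACK), is it on Android 5.0 through 7.1 (the MediaProjection overlay issue), and is the OnePlus EngineerMode package still installed. The following is an added example, not code from any of the articles or vendors, for a PowerShell prompt on a machine with adb on its PATH and a phone connected with USB debugging enabled. It assumes the package name com.android.engineeringmode from Alderson’s report, and the check functions take the adb output as strings so they can be reviewed on their own.

```powershell
# Reads a system property from the connected device ("" if adb or the property is missing).
function Get-AdbProp([string]$Name) {
    (& adb shell getprop $Name 2>$null | Out-String).Trim()
}

function Test-KrackPatched([string]$PatchLevel) {
    # ro.build.version.security_patch is "YYYY-MM-DD" (empty on Android 5.x, which
    # predates the property). Anything at or past 2017-11-06 carries the KRACK fixes.
    [datetime]$parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($PatchLevel, 'yyyy-MM-dd', $null, 'None', [ref]$parsed)
    return ($ok -and $parsed -ge [datetime]'2017-11-06')
}

function Test-MediaProjectionExposed([string]$Release) {
    # ro.build.version.release is "7.1.1", "8.0.0" and so on; Lollipop, Marshmallow
    # and Nougat are major versions 5, 6 and 7. Oreo (8) has Google's fix.
    $major = 0
    if (-not [int]::TryParse(($Release -split '\.')[0], [ref]$major)) { return $false }
    return ($major -ge 5 -and $major -le 7)
}

function Test-EngineerModePresent([string[]]$PackageList) {
    # "pm list packages" prints one "package:<name>" line per installed package.
    return [bool]($PackageList -contains 'package:com.android.engineeringmode')
}

function Invoke-AndroidAudit {
    $patch    = Get-AdbProp 'ro.build.version.security_patch'
    $release  = Get-AdbProp 'ro.build.version.release'
    $packages = & adb shell pm list packages 2>$null | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        Model                  = Get-AdbProp 'ro.product.model'
        Android                = $release
        SecurityPatch          = $patch
        KrackFixed             = Test-KrackPatched $patch
        MediaProjectionExposed = Test-MediaProjectionExposed $release
        EngineerModePresent    = Test-EngineerModePresent $packages
    }
}

function Remove-EngineerMode {
    # Uninstalls the system app for user 0 without root; the package stays in the
    # system image, so it returns after a factory reset and the check above
    # should be repeated then.
    & adb shell pm uninstall -k --user 0 com.android.engineeringmode
}

Invoke-AndroidAudit | Format-List
```

Run Remove-EngineerMode only on a device that Invoke-AndroidAudit reports as EngineerModePresent, and keep in mind that the KrackFixed column trusts the patch level string the OEM ships; Vanhoef's test scripts are the way to verify the fix on the air rather than on paper.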