18.12.15

Star Wars: A New Hope – 5 information security lessons



Unless you have literally been living on a remote, desert-like planet in a galaxy far, far away, spending your days looking out over the horizon as two suns start to set, you can hardly have missed a certain level of buzz about a certain new Star Wars movie.
Indeed, the world has gone positively potty over The Force Awakens, the seventh and latest instalment in the now possibly endless franchise. Without giving anything away (this feature is entirely spoiler free), the J.J. Abrams directed film has been declared a triumph by critics all over the world. In short, it has been described as both a fitting tribute to the original trilogy and a triumphant start to what will be the next chapter of the saga.
Like most Star Wars fans, we’ve made an effort to rewatch all of the movies – not that we needed an excuse to revisit this captivating world – and in doing so, we inadvertently uncovered some interesting information security insights, specifically from the first ever flick, A New Hope.
After some further scrutiny (i.e. we watched the movie again and again), it became all too clear that there’s a lot that can actually be learnt from this magical space opera. So, here we are … a Star Wars-inspired cybersecurity feature. Enjoy, and may the force be with you.
1. Do not underestimate the power of end-to-end encryption
If you want to ensure that the details of your communication remain hidden from prying eyes, so that only the sender and the receiver have access to it, then end-to-end encryption will serve you well.
The Rebel Alliance is big on encryption. Princess Leia needs to get a message to her “only hope”, Obi-Wan Kenobi, and, attuned to the fact that the Empire is hot on her heels, she duly encrypts her plea for help (as well as the Death Star blueprint) and hides it in everyone’s favorite little droid R2-D2.
Leia understands that if R2-D2 is captured, she can feel somewhat confident that the data will remain secure – in other words, while it might now be in the hands of the bad guys, it’s unreadable. Only Obi-Wan has the key needed to decrypt the message, meaning the princess’ secret plea for his assistance can only ever be unlocked by the Jedi Master.
2. You must learn the ways of social engineering to stay secure
Social engineering is an effective form of manipulation that allows cybercriminals to deceive victims. From an information security point of view, it’s used to covertly gather sensitive information and/or gain access to devices and accounts, usually for fraudulent reasons.
The Jedi are, in some ways, masters of social engineering (used, of course, for the greater good of the galaxy). We first get a glimpse of this when Obi-Wan, accompanied by Luke, is stopped by stormtroopers on their way to meet Han Solo and Chewbacca.
They are asked for identification, and swiftly, with a subtle wave of the hand, this is rebutted. The stormtroopers have no idea what’s happened. Being aware of social engineering techniques might have made a difference, as in Return of the Jedi, Luke’s efforts to sway Jabba with the force fail.
3. I find your lack of faith in your vulnerabilities disturbing
Even the most comprehensive security systems have their vulnerabilities, which is why it is important to constantly assess the means by which you’re protecting your assets to uncover hidden flaws.
General Tagge is all too aware of this. In a meeting with his colleagues and superiors he cautions that the data breach experienced by the Empire might leave them open to an attack.
“They might find a weakness and exploit it,” he warns, appreciating the fact that because the information that was accessed was highly sensitive, it presents a grave danger.
However, this analysis of the situation isn’t shared by all. General Motti, for example, underestimates the skillset of the rebels: “Any attack made by the rebels against this station would be a useless gesture, no matter what technical data they have obtained.”
While the Death Star is pretty heavily protected, a small vulnerability, overlooked by the Empire, is discovered: a thermal exhaust port that is connected to the space station’s reactor core. If you can gain entry through that small opening, well, it’s game over.
4. I sense the presence of something I can’t quite put my finger on (trojan horse)

A trojan horse is a type of malicious software that purports to be anything but. In other words, as in the Greek mythology from which it gets its name, the superficial and seemingly innocuous nature of it belies the devastating and harmful nature which lurks below.
The crew of the Millennium Falcon, when caught in the Death Star’s tractor beam – after discovering the planet Alderaan has been destroyed – possess all the hallmarks of a trojan.
Although the Empire is initially cautious about what they have just beamed into the battle station – the equivalent of downloading a shortened link – the check they perform doesn’t spot the hidden crew (ultimately the trojan).
While Darth Vader kills Obi-Wan – they have finally spotted the malicious software and attempted to contain it – it is too late. The tractor beam is disabled, the Millennium Falcon escapes, the Rebel Alliance gets hold of the Death Star’s blueprints and … well, you know the rest: “Great shot kid! That was one in a million!”
5. The password protection and 2FA is not strong with this system
If you don’t invest in strong passwords and two-factor authentication (2FA) solutions, and you pair that with an open access policy on your network – as opposed to only senior employees possessing access rights – then you’re likely to experience some sort of data breach, big or small, intentional or otherwise.
R2-D2 – who faces stiff competition from BB-8 these days – makes easy work of the Death Star’s lack of password protection. Not only is he able to plug himself into the battle station’s central computer, he is able to locate specific information with very little effort (specifically Leia’s location).
Moreover, later on, when the heroes are trapped in the trash compactor, R2-D2 is once again able to effortlessly locate the kind of data and controls he needs. To all intents, there is nothing by way of security to stop him in his tracks.
However, had the Empire anticipated the threat of a cyber expert, put strong passwords in place and invested in two-factor authentication, then the ending of A New Hope would have been remarkably different.
Author Editor, ESET



17.12.15

ESET Grows Faster than its Top 5 Peers and the Global Security Software Market as a Whole, according to IDC


ESET continues to gain market share in both the consumer and corporate segments of the Endpoint Security Software market.

With a growth rate of 7.7%, ESET increased its share of the global Endpoint Security Software market in 2014 to 4.6%, up from 4.4% the previous year. The market as a whole grew by 2.6%, with total revenues among all vendors reaching $9.0 billion, according to the IDC “Worldwide Endpoint Security Market Shares, 2014” (doc #US40546915, December 2015) report.

According to IDC, growth in the global consumer market slowed down in 2014, mainly due to declining shipments of PCs. Despite the consumer market growing by only 1%, ESET managed to grow by 9.4% in this segment, the second highest rate among the top 10 vendors.
Also in the corporate segment, ESET posted healthy growth of 6.4% in 2014, increasing its market share by 0.1 percentage points year-on-year, to 5.4%.

“We are proud of our record of growth that has placed us among the top 5 vendors in the global endpoint security market. Our growth is organic and there is a huge amount of hard work behind it. We thank our partners and customers and promise to keep on doing our best to allow businesses and consumers in more than 180 countries to make the most of the digital world”, said Ignacio Sbampato, Chief Sales and Marketing Officer at ESET.

ESET’s success is based on its security products, which deliver outstanding detection rates[1], minimum-to-no false alarms[2], low system footprint[3] as well as the highest security[4] and which receive consistently excellent independent reviews[5].

In 2015 ESET introduced a completely redesigned and re-engineered range of next-generation business security products, and improved its consumer security products.
ESET’s business security products offer maximum proactive protection with low impact on company infrastructure, fully manageable via the new ESET Remote Administrator. ESET Endpoint Security solutions now include a wealth of new features, such as Botnet Protection, Exploit Blocker and Vulnerability Shield.

A key innovation in ESET’s flagship consumer product, ESET Smart Security 9, is the Banking & Payment Protection, which secures users’ personal and financial data.



[1] ESET is the only vendor to neither miss nor fail a single VB100 test since June 2003.
[2] ESET detection returned no false alarms in the latest False Alarm Test by AV-Comparatives.
[3] ESET was found to be the second lightest security product in Pass Mark’s Consumer Security Products Performance Benchmarks (Edition 2, 2015/11), behind Norton Security by Symantec. Symantec Corporation funded the production of that report, selected the test metrics and list of products to include in the report, and supplied some of the test scripts used for the tests.
[4] ESET is the only vendor that reached 100% in both 2014 and 2015 Self-Protection test by AV-TEST.
[5] AV-Comparatives, an independent testing organization, called ESET’s business products outstanding in its annual IT Security Suites for Small Businesses Review.

How do you know if your smartphone has been compromised?


By Denise Giusto Bilić posted 16 Dec 2015 - 01:49PM

Little by little, smartphone users are beginning to understand how important it is to protect their devices so malware can’t be installed on them. As the information stored on our phones becomes increasingly sensitive, the risk of losing it becomes increasingly real, and the consequences of such a loss become disproportionately more significant.
However, many users are unaware of what measures they can take to identify malicious activity on their devices. To complicate the picture, when the attacker gets to the final link in the chain of steps that make up a mobile attack, and the threat is finally installed on the victim’s device, they may take certain measures to prevent the threat from being noticed.
Delaying the malicious action, using only Wi-Fi networks, or reducing the level of activity when the user is operating the device are some of the strategies used by the malware to conceal itself. Nonetheless, eventually the malicious activity will have to kick into action, and that’s when you can pay attention to certain signs to detect illegitimate activity.
Signs that may indicate a mobile infection: Has your phone been compromised?
#1: You notice the system or apps behaving strangely
One possible clue to diagnosing malware on the device is the sudden failure of apps that usually work fine. If you haven’t updated the system or the app in question recently, and that app unexpectedly starts closing or displaying various error messages, it may be that some malicious code on your device is interfering with its normal running processes.
The malware may try to take advantage of vulnerabilities present in the system’s apps, using them to access permissions that have been granted to them, or to violate the platform and run commands with administrator permissions. Such attempts to exploit the weaknesses of other apps may result in errors that can be noticed by the user.
Additionally, a malicious app may overuse the device’s resources. Given that smartphones and tablets are personal devices that we get to know in great detail, you may notice that the device isn’t functioning as usual: calls and messages don’t reach their destination, you run out of battery more quickly than usual, etc.
Being aware beforehand of what apps are installed on your phone will make it easier to identify any app that you didn’t authorize. Taking a look at the permissions used by this app will enable you to see whether it could be creating charges in your name through online purchases.
You need to bear in mind that many malicious apps disguise themselves as system components, so an app may be something other than what it appears to be. If the app has requested administrator permissions, you may not be able to uninstall it through the system settings. For this reason, it’s important to be extremely careful with what permissions you grant to apps when they are installing—or running.
#2: Your call or message history includes some unknown entries
Regularly checking your call history for unknown numbers is an excellent habit to adopt. Lots of malware families try to make calls or send messages to premium international numbers. Such malware ends up having a direct impact on the user, who unjustly has to pay the costs.
Our products identify this type of malware under the Android/TrojanSMS family. If we analyze the number of new variants of this family that have been created since the start of this year, we can see the extent of this family’s growth. On average, about 50 new examples are detected each month. Unfortunately, this trend shows no sign of decreasing in the near future.
Malicious apps may be using the data system to communicate with command and control centers operated by cybercriminals in order to download orders and updates, as well as send back information stolen from the device.
#3: Excessive data usage
If you usually check how much data your apps use, you will quickly become aware of any changes to the normal pattern. The data usage screen for an Android app gives a description of that app’s data usage. This way, you can check the times when the sending and receipt of data is highest and compare this with your use of the device. If there is an excessive amount of data exchange taking place at times when you don’t use the device, you have grounds for suspecting that something strange is going on.
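The comparison described above can be automated. The following is an added example, not part of the original article: it takes hourly per-app traffic totals and the periods when the phone was in use (both are constructed sample data, and the app names and thresholds are assumptions) and flags apps that move most of their data while the device is idle.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not taken from a real device).
# Periods during which the user was actively using the phone.
USE_INTERVALS = [
    (datetime(2015, 12, 14, 8, 0), datetime(2015, 12, 14, 9, 30)),
    (datetime(2015, 12, 14, 12, 0), datetime(2015, 12, 14, 13, 0)),
    (datetime(2015, 12, 14, 19, 0), datetime(2015, 12, 14, 23, 0)),
]

# (app, start of a one-hour bucket, bytes sent + received in that hour)
# App names are hypothetical.
TRAFFIC = [
    ("com.example.mail", datetime(2015, 12, 14, 3), 500_000),
    ("com.example.mail", datetime(2015, 12, 14, 8), 4_000_000),
    ("com.example.mail", datetime(2015, 12, 14, 12), 3_000_000),
    ("com.example.video", datetime(2015, 12, 14, 20), 300_000_000),
    ("com.example.video", datetime(2015, 12, 14, 21), 250_000_000),
    ("com.example.flashlight", datetime(2015, 12, 14, 2), 12_000_000),
    ("com.example.flashlight", datetime(2015, 12, 14, 3), 15_000_000),
    ("com.example.flashlight", datetime(2015, 12, 14, 4), 11_000_000),
    ("com.example.flashlight", datetime(2015, 12, 14, 19), 1_000_000),
]


def in_use(bucket_start, intervals, bucket=timedelta(hours=1)):
    """Return True if the traffic bucket overlaps any period of active use."""
    bucket_end = bucket_start + bucket
    return any(start < bucket_end and bucket_start < end
               for start, end in intervals)


def idle_traffic_report(traffic, intervals):
    """Sum total bytes and idle-time bytes for every app."""
    totals = defaultdict(lambda: {"total": 0, "idle": 0})
    for app, bucket_start, nbytes in traffic:
        totals[app]["total"] += nbytes
        if not in_use(bucket_start, intervals):
            totals[app]["idle"] += nbytes
    return dict(totals)


def suspicious_apps(traffic, intervals,
                    min_idle_bytes=5_000_000, min_idle_share=0.8):
    """List apps whose traffic is both large and mostly sent while idle.

    Both thresholds are assumptions chosen for this example; a small
    background sync stays below them, a large daytime download is
    ignored because the user was present.
    """
    flagged = []
    for app, t in idle_traffic_report(traffic, intervals).items():
        share = t["idle"] / t["total"] if t["total"] else 0.0
        if t["idle"] >= min_idle_bytes and share >= min_idle_share:
            flagged.append((app, t["idle"], round(share, 2)))
    # Largest idle-time volume first.
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for app, idle_bytes, share in suspicious_apps(TRAFFIC, USE_INTERVALS):
        print(f"{app}: {idle_bytes} bytes while idle ({share:.0%} of its traffic)")
```

A flagged app is a reason to look at what it is and which permissions it holds, not proof of infection: backup and update clients also transfer data overnight.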
#4: You or your contacts receive strange text messages
One method used a lot by cybercriminals to control infected mobile devices is sending text messages containing commands to be interpreted by the malware, which then takes the corresponding action. Lots of examples of malware manipulate message logs to delete any such messages that could raise the user’s suspicions, but others don’t bother with such precautionary measures, in which case the user can read the content that is received and sent.
For example, in a “conversation” held between an emulator infected by a bot and the machine that acts as the control center, the user would be able to notice that text messages were being received, containing the order “ping”.
Mobile malware can also send text messages to phone numbers from the user’s list of contacts as a way to propagate itself, using this method to get the recipients to download malicious content via specific links. If your friends receive strange messages from your phone, you should check what apps are installed on it.
#5: Your payment breakdown includes actions you did not make
Sending text messages, making calls, and using the data system will result in increased costs, which the user will be responsible for. Examining the costs attributed to your mobile phone number on a monthly basis is a good practice to be able to detect any malicious activity quickly.
You also need to take into account the fact that a lot of malware tries to pass through official app stores to steal your credit card data. For this reason, if you regularly make such payments through your mobile device—or any other platform—you should also check the transactions through such services to ensure there are no unwarranted charges.
What steps should you take if your phone has been compromised or infected?
If for any of the reasons mentioned above you believe you may have been infected by malware, you can install a trustworthy security solution to scan your device in order to identify the threat. You can also contact the official customer services provided by the seller so they can look into the problem.
If you have the technical know-how, you can try to remove the threat yourself through a command console.
Furthermore, if you suspect that sensitive information stored on your device may have been stolen, you can change your credentials for accessing any services you have used on your device.
Prevention is better than cure
To avoid any unpleasant experiences when using your device and be able to enjoy the available technology safely, you should take a proactive and preventive approach to keep the data on your mobile device secure:
· Always keep your device’s operating system and apps updated with the latest available versions.
· Make a backup copy of all data on the device, or at least the most important data.
· Use security solutions provided by a highly reputable company and keep them up to date.
· Be sure to use only official stores for downloading apps, where the likelihood of becoming infected by malware is lower—although still not zero.
· Use a screen lock, and remember that the pattern may be easy to guess and less secure than a PIN, and that a password is your best option.
· Encrypt the content on your device.
· Try to avoid running rooting or jailbreaking processes on the device.




15.12.15

5 things you need to know about connected toys

Connected tech, connected homes, connected cars, connected cities … you get the picture: the 21st century is an extremely connected place and, thanks to the internet of things, the world is set to become even more connected.
The current hype, this Christmas and beyond, is the connected toy. Not sure what that means? Well, here are seven things you need to know about this increasingly popular plaything.
1. This is the start of artificial intelligence
Connected toys may sound like an expensive gimmick peddled by retailers to boost sales, but, in reality, they are a sign of things to come with technology and, more specifically, artificial intelligence (AI).
Once the preserve of more niche industries, AI can now be found in toys. For example, Cognitoys has released a talking dinosaur, which uses IBM’s Watson supercomputer to understand what a child has said. The more a child interacts with the toy, the more it learns.
“Each toy will get to know the child and grow with him/her interacting directly with them to create an experience around each child’s personal interests,” the developers state online.
“The toy will explore favorite colors, toys, interest and use these to customize engagement. Even better, the toy has a personality of its own that changes over time.”
Some may argue that these are simply toys for the digital age, with data often being transmitted over Wi-Fi or Bluetooth. However, in reality, toys like Hello Barbie are also a sign of our future with AI (good and bad). As the futurist Dominic Basulto noted in the Washington Post last month, the level of sophistication is not to be underestimated:
“Unlike the classic Turing Test, however, the kids are not attempting to figure out whether Barbie is human or not – they are simply engaging in a conversation with a make-believe object imbued with consumer-grade AI.”
2. It’s too early to call on just how smart they are
Smart is a word bandied about quite a bit in the tech industry, so it’s no surprise that with connected toys, there is a lot of talk about how sophisticated these toys are, so much so that they can be, advocates argue, instrumental in a child’s development.
Given that these toys are in the early days of their development with very little evidence of their educational efficacy, the jury is still out. One such critic of connected toys is Graham Schafer, an associate professor at the University of Reading. He is of the opinion that they “are not very good at the moment”, and smart is perhaps too generous a description.
“I’m an associate professor of cognitive development [and] I wouldn’t recommend them to parents,” he told the Guardian in the summer. “At the moment, they’re in the world of things that companies are trying to market to parents and they’re essentially superfluous or a novelty.”
Nevertheless, he concedes that it’s still very early days – they will get better and more complex – and even then, for youngsters with conditions like autism, they may prove to be effective as they currently stand.
3. Connected toys will go beyond just play
Connected toys are very much seen as being part of the wider Internet of Things ecosystem, meaning that their functionality is likely to go beyond just play and extend into other areas (such as the ‘not so very secure’ connected home).
For example, a much-discussed patent that was originally filed by Google in February 2012 – but only published this year – reveals the tech giant’s thinking on the matter.
“An anthropomorphic device, perhaps in the form factor of a doll or a toy, may be configured to control one or more media devices,” the abstract explained. “Upon reception or detection of a social cue, such as movement and/or a spoken word/phrase, the … device may aim its gaze at the source of the social cue.
“In response to receiving a social command … [it] may interpret the voice command and map it to a media device command … [and instruct] the media device to change state.”
Needless to say, this kind of concept has not been met with universal support. Speaking to the BBC earlier this year, Emma Carr, director of StartUp, expressed her apprehensions.
“The privacy concerns are clear when devices have the capacity to record conversations and log activity,” she said. “When those devices are aimed specifically at children, then for many, this will step over the creepy line.
“Children should be able to play in private and shouldn’t have to fear this sort of passive invasion of their privacy. It is simply unnecessary.”
4. Privacy, then, is a potential pitfall
As noted by Ms. Carr, the biggest potential barrier to adoption of these toys at the moment is concern over privacy. While the Google idea is unique and not on the immediate agenda, the problem with today’s connected toys lies in the fact that some devices are capable of storing huge amounts of data about their users.
Consider, for example, Toy Talk’s privacy policy. The company, which has partnered with Mattel for its Hello Barbie range, notes online that it “may store, process, convert, transcribe and review recordings”.
“We may use, store, process, convert, transcribe and review recordings.”
It’s unclear if this information could be used for advertising purposes, while there’s also the issue of whether children should be continuously monitored by their own parents. If Hello Barbie and other toys record sessions with kids, and make those recordings available to parents, how will this change the parent-child relationship? It’s a question that no one can yet answer.
5. Cybercriminals are looking to exploit connected toys
The Internet of Things may be a relatively new phenomenon but it has already had to deal with multiple challenges when it comes to information security, as noted in a previous article on WeLiveSecurity.
Consequently, it’s not unexpected to learn that connected toys have been found to be exploitable. The most notable example of this came at the start of 2015, when Ken Munro, a security researcher at Pen Test Partners, hacked Vivid Toy’s My Friend Cayla.
Describing the toy as a “Bluetooth headset dressed up as a doll”, Mr. Munro identified four ways in which the device could be attacked, which included a man-in-the-middle attack and random pairing.
“The real fun starts with the mobile app that she interfaces with,” he wrote. “It’s available on iOS and Android, but for this task we looked at the Android version, as it’s generally easier to intercept, decompile, and modify the code.” And the result? They could make the doll swear.
This is an important discovery, as it highlights the cybersecurity risk that connected toys pose. In short, if a device can be connected to the web and other devices, and isn’t secured, it can be accessed stealthily and used to a cybercriminal’s advantage.