20.2.16

Apple and ‘exceptional access’ to crypto protection


Apple is the latest in a host of technology players to be requested to allow exceptional access, that is, access in exceptional cases where it would be deemed to have high value relative to an active investigation. But they are certainly neither the first nor the last.
We recently wrote about ProtonMail’s attempt to curtail government pressure to allow backdoor access to email content, to which they’ve rallied the privacy advocates to force a public vote in Switzerland. They are not alone in the email space either – a host of other providers have been asked to defend similar positions both domestically and abroad.
Seemingly all facets of digital communications are coming under scrutiny in exceptional access cases. And while EFF and a host of others continue to wave the banner of privacy, it’s easy to understand why governments are interested.
After all, that’s where all the details that describe our daily activities reside. Open up our smartphones and you have access to an increasingly accurate dossier of who we consider ourselves to be. If you’ve had a smartphone for years, a timeline suggesting a personal narrative can easily be inferred.
The same is true of many of the stalwart digital activities that pepper our daily lives, like Skype, instant messaging, email and a host of others. It’s getting harder to find a single place where we don’t leave a digital footprint. Car perhaps? Not if it’s a new one – they’re wired, too.
Well over a hundred years ago, polite society had long debates about what level of legal access was deemed appropriate in public versus private spaces. But if it came down to it, the cops could break down the doors of your residence if they believed there was sufficient reason and a judge agreed to let them by issuing a warrant or similar process.
But what if you had a door that couldn’t be broken? Should law enforcement lean on the manufacturer to provide a master key? Now we’re having that same conversation in a digital format.
Recent years have taught us that few digital strongholds are safe from cybercriminals. If they – or others with ill intent – were to gain access to that master key, nasty people may run amuck by unlocking doors as they see fit.
So that’s the argument. If you design a door with a lock that can’t be broken by anyone, including the manufacturer, it can certainly be argued it’s more secure. And in the marketplace, especially if you are in the security space, that trust and confidence is hard to win and maintain. Being found to have quietly produced master keys for your own security systems could suddenly and quite unceremoniously blacklist you in the market – something you can rarely afford in a fiercely competitive marketplace.
So Apple is in a quandary, along with a host of other technology companies. Rebuild your doors with a master key, hope bad people don’t get it and the market doesn’t excoriate you when it finds out, or just say no altogether. Companies like ProtonMail are resisting. ESET has weighed in on the issue in response to questions, and now Apple joins their ranks. We’ll see who gives.

19.2.16

ESET shows new products and cyber threats against businesses @ Mobile World Congress


ESET®, a global pioneer in proactive protection for more than two decades, is presenting the best of its award-winning and tested solutions for mobile platforms and businesses at Mobile World Congress in Barcelona.

Visitors will be able to take a look at ESET Parental Control for Android, recently brought to market to help parents protect their children in cyberspace; ESET Mobile Security, the flagship solution for Android; and the new, tailored programme for Managed Service Providers. At the opening of Mobile World Congress, ESET is also publishing a document on protection for businesses, based on a survey of hundreds of experts and IT managers.

ESET, a well-known name at Mobile World Congress, can be found in hall 5, stand B05. The largest trade fair for the mobile sector opens its doors on Monday 22 February. Ahead of the fair, ESET will publish a document with the results of surveys held among visitors to numerous IT fairs, collected by ESET in the EMEA region (Europe, Middle East and Africa) and worldwide during the ESET Security Days 2015.

One of the most notable results, cited by 58% of respondents as the most common incident, is infection by malware. Even more notable is the fact that companies pay insufficient attention to mobile security: only 21% say they use a mobile security solution for this. This topic will be addressed at the congress. “The size of the company seems to be of particular importance when looking at the various solutions implemented. Notably, large companies appear more responsible and also invest more to protect their critical data.” That, at least, is the conclusion of the document. For more details, visit the White Paper section on WeLiveSecurity.com (BO1) or read the blog post (BO2).

Among ESET’s leading products at the congress is the brand-new app for Android – ESET Parental Control, which gives parents the assurance that their children can fully enjoy their mobile devices, but safely and appropriately. This app adds an additional layer of protection to ESET Mobile Security, ESET’s flagship product, which has just received important recognition by being ranked first in tests by the German Stiftung Warentest.

On the occasion of this congress, ESET is celebrating #MobileWeek by offering a 50% discount on ESET Mobile Security with premium features, available worldwide on Google Play.

ESET will also provide information about its business solutions for Managed Service Providers as well as ESET Secure Authentication, its access security solution. The editor-in-chief of WeLiveSecurity.com, ESET’s research and information platform, Raphael Labaca Castro, will give a presentation twice a day at the ESET stand on Threatscape – the mobile threat landscape – from ESET’s 2015 survey report, as well as on Android Ransomware on the Rise, a white paper compiled by ESET’s research lab that will be released before the congress.

Visitors to Mobile World Congress will be able to preview ESET products, take part in live demos and talk to ESET’s top management. ESET, the most important security vendor based in the European Union*, also highlights its continuous growth, which is proceeding at a faster pace than the sector as a whole.

For more information about ESET at Mobile World Congress, visit https://www.mobileworldcongress.com/exhibitor/eset/

* ESET is in the top 5 of security software vendors for the consumer market and in the endpoint protection platform market according to Gartner: http://www.eset.com/int/about/press/articles/others/article/eset-continues-to-grow-faster-than-the-security-software-market/
ESET ranked 5th as Largest Endpoint Security Vendor in 2013 and grew by 23%, 6x the market growth, according to IDC in the report ‘Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares’ of August 2014.
[BO1] available in the whitepapers section http://www.welivesecurity.com/papers/white-papers/

17.2.16

Gartner recognizes ESET as a Visionary in its Latest Magic Quadrant Report for Endpoint Protection Platforms

ESET placed for the first time in the “Visionaries” Quadrant of Gartner’s 2016 Magic Quadrant for Endpoint Protection Platforms.

ESET®, a global pioneer in IT security for more than two decades, today announces that Gartner, Inc. has recognized it as a Visionary in the latest Magic Quadrant for Endpoint Protection Platforms*, a report published on February 1, 2016. ESET is positioned highest for its ability to execute in the Visionaries quadrant.
The latest Gartner Magic Quadrant for Endpoint Protection Platforms report evaluated 18 vendors on 10 weighted criteria and placed ESET in the “Visionaries” quadrant, moving it from its previous categorization in the “Niche Players” quadrant.
“We consider our positioning in the Magic Quadrant for Endpoint Protection Platforms by Gartner as confirmation of ESET‘s success in delivering technologically advanced, market-leading IT security solutions that enable enterprises and SMBs to achieve more with their businesses,” said Richard Marko, CEO at ESET. “We feel our continuous effort to deliver award-winning threat intelligence, balanced with usability, performance and agility, has been recognized.”
The new Gartner Magic Quadrant for Endpoint Protection Platforms report provides a comprehensive analysis of the top endpoint security vendors, and an overview of the endpoint protection platforms market. The full report is available at http://www.eset.com/int/business/gartner-magic-quadrant-endpoint-platforms/
*Gartner “Magic Quadrant for Endpoint Protection Platforms” by Peter Firstbrook, Eric Ouellet, February 1, 2016
Magic Quadrants provide a graphical comparative positioning of technology and service providers where market growth is high and provider differentiation is distinct. Magic Quadrants depict markets in the middle phases of their life cycle by using a two-dimensional matrix that evaluates vendors based on their “Completeness of Vision” and “Ability to Execute.”**
** Gartner, How Markets and Vendors Are Evaluated in Gartner Magic Quadrants, David Black, Julie Thomas, Tim Weaver, 22 January 2016

Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

15.2.16

Support Scams: What do I do?


Note: This blog article expands on some of the content that originally appeared in a lengthy article on support scams for ITSecurity UK, and subsequently in an article for the ESET Threat Report for December 2015.

The implications of intrusion

I’m returning to the theme of what to do if a scammer actually gets a foothold on your system, because I still see a number of blog comments from people worried about the implications of such an intrusion and wondering what action they need to take. In fact, there is no single clear-cut answer to that question.

Variety is the ‘spice of scamming’

That’s because there is no single ‘support scam’, though I often see articles that describe a single type of scam as if they all worked the same way.
They don’t all involve being cold-called by a scammer claiming to be from Microsoft, Cisco, BT, anti-virus companies and so on. Many of the reports I see nowadays come from people who’ve been lured by fake alert pop-ups into ringing a deceptive support desk number. There’s an accelerating trend among support scammers towards luring victims using pop-up ‘security alerts’ and fake system crashes. These invariably incorporate a phone number which is supposedly for an ‘appropriate’ help line, thus trying to trick victims into making the initial telephone contact. For the scammer, this approach has an additional advantage: the scams can easily be changed to target users of OS X and iOS, Android and even Linux.

Furthermore, as long as people aren’t aware of this variation on the scam theme, it can be implemented without the complicated social engineering sometimes involved in misrepresenting system utilities, or messing about with the command line after tricking the victim into allowing remote access. As far as the scammer is concerned, it’s better to get the individual to ring their helpline than for them to waste time cold-calling individuals who in many cases have been hearing the same rubbish for years, and will either ring off or try to waste their time. (I certainly don’t have a particular objection to wasting a scammer’s time, but I don’t particularly advocate it, either, unless you know exactly what you’re doing.)

Misused utilities

They do, however, still often include the use of ploys such as the deceptive use of Event Viewer and ASSOC, as described in a paper that Martijn Grooten, Craig Johnston, Steve Burn and I wrote for Virus Bulletin: these are used in order to convince the victim that the scammer really knows something about his (the victim’s!) PC. Utilities like Event Viewer do have their uses, of course, for a tech looking for real problems. The trouble is, it’s easy for a scammer to misrepresent their output when talking to someone who isn’t knowledgeable about Windows internals.

Imports, homegrown, and scam improvement schemes

They don’t all originate in India, though many clearly still do. Some of the reports I see are from people who’ve used a search engine in order to track down support for a specific product and have come across a fake site rather than the product’s real support team, and some of those reports concern companies in the US or Europe.
The same call centers that are peddling support scams are often peddling other scams such as dubious home improvement schemes, accident compensation schemes and PPI reimbursement fraud. (These sound very strange when the scammer clearly knows very little about the legislation that applies in the country where the victim lives.) But some of the social engineering techniques used are common to most of these schemes: not least, pretending to represent a legitimate company or government department and to ‘solve’ an issue that doesn’t exist. Some scammers even claim to be offering recompense for money obtained fraudulently by support scammers, in the same way that 419 scammers sometimes claim to be offering repayment to 419 victims.
They may also be providing genuine support to the customers of legitimate companies – Symantec, Avast! and Microsoft are among the companies who’ve found their trust in an external contractor betrayed by the use of fraudulent sales techniques.

What to do?

Blog comments come up time and time again from people who’ve been sucked at least part way into the scam, asking ‘What should I do now?’ I’m not comfortable making some sort of blanket recommendation: it’s a question best answered on a case-by-case basis, though I’m afraid I can’t generally offer one-to-one support. For example, a commenter on one of my articles on support scams was concerned that the (limited) access he apparently gave the scammer might have put him at risk of identity theft.
I can’t make any guarantees (reassuring or otherwise), of course, but this kind of scam isn’t usually reported as being directly associated with ID theft: they usually just want payment for their ‘services’. However, a recent Moneybox broadcast on leaks of TalkTalk customer information to scammers suggests that a customer was told ‘to download TeamViewer software, which was used to try to make a number of money transfers using third-parties’ credit card information’. And you may consider that to go beyond simply demanding money for deceptive services, though not necessarily any less fraudulent.
American readers can, however, check the FTC advice page for people who think their ID might be at risk.

Have I been hacked?

I often get requests for help from people who ran ASSOC, Event Viewer or Netstat, and wonder if that could have allowed the scammer to hack their systems.
I can’t give authoritative advice regarding a system I’ve never seen, but the answer is generally no. A scammer at the far end of a phone can’t do anything directly to a system if he doesn’t have remote access to that system. That doesn’t mean you shouldn’t give a real support tech access to your PC when you have a real system problem, if the nature of the problem allows. And utilities like Event Viewer do have their uses, for looking for (some) real problems. Unfortunately, however, it’s easy for a scammer to misrepresent their output.

Remediation

Still, ‘what should I do?’ is perhaps a question most easily answered when the victim has actually given away pretty much everything the scammer has asked for.
  • If you’re looking for information after you gave them access to your device, your system seems to be running more or less normally, and you haven’t restarted it, do that. (If you see one of those pop-ups that claim you have a virus problem and should call a help line, it will usually tell you not to restart your system. That’s usually because if you do restart, it will usually be obvious that you aren’t looking at a real, permanent problem.) Unfortunately, I can’t say for sure that there isn’t something malicious on a system I’ll never see, especially if you don’t use good security software. There is another caveat.
  • Sometimes the scammer deliberately trashes the victim’s system, usually when the victim has allowed access but has decided not to pay up. The scammer may then delete files and/or lock the victim out of his own system. There are web pages around that offer a one(-ish)-size-fits-all approach to remediating this situation, but I’m not comfortable with that approach. Even well-meant advice may actually make the situation worse in some cases. In any case, computer users who fall for this scam are not usually particularly tech-savvy, and it seems wrong somehow to expect them to undertake a potentially technically complex salvage operation on their own. Better to get professional help as soon as possible. One of my colleagues in North America suggests that if you’re an ESET customer – I suspect that most of the people who ask about this aren’t, though – you power off (using the power switch, not a ‘polite shutdown’) and contact ESET Customer Care from another device. In the US you can do that via the web during business hours, or by email with this form. Outside the US, you should be able to find local support via the ESET support site, if needed. If you are not an ESET customer, you might consider ESET Support Services.
  • Run a reputable security program to check for anything unpleasant that they may have installed. I’m not going to claim that anti-malware always catches all malware, but the chances are good that they will detect programs that are unequivocally malicious and not fresh out of the developer’s lab. (Even brand new malware might, in any case, be blocked by a good security suite, even if it isn’t identified as a specific malicious program.)
  • Change any passwords you’ve given them. If you gave them remote access, change any passwords to which they might have had access without your knowing. You can make life a little more difficult for the scammers if you made a note of their PIN/ID for the remote access utility they used, by reporting the misuse to the utility/service provider. AMMYY doesn’t seem to have an abuse report point as such, but LogMeIn does, and our friends at Malwarebytes say that if you contact TeamViewer’s support with the 9-digit code used by the scammer, it can be revoked. AMMYY does have advice on what to do if your scammer was using their service.
  • Contact your credit card provider for their advice on stopping payment, getting money back, and if necessary, replacing cards. (Be aware, though, that there are actually scams that specifically make use of a phony security incident to try to get hold of your credit card for criminal purposes.)
  • Contact law enforcement. The more law enforcement learns about current scams, the better the chances that action will be taken that reduces the scam’s effectiveness, though I don’t generally hold out much hope that the police can help as regards restitution and prosecution of the scammer in individual cases. However they can advise you on the possibility of identity theft, especially if you gave away personal information as well as financial information. You can also file a report with the FTC in the US and Action Fraud in the UK. Canadians can report fraud at the Canadian Anti-Fraud Centre, and Australians can report it here. Don’t expect too much, though. In my experience, reporting scam calls is of limited use in remediating individual cases. No agency has the resources to follow up on every scam call, but the more information they have, the more effective they may be in pursuing persistent offenders.
The best way to counter the problem, though, is to forestall it by thinking ahead.

An ounce of prevention …

You can’t trust unsolicited phone calls: anyone can ring you up and say they’re calling from or on behalf of Microsoft (or anyone else).

The circumstances under which some random caller can really know anything about your computer(s) are very rare. In general, if someone rings and says your PC is infected, it’s a scam. If he or she asks you for money to fix it, it’s always a scam. Or, at best, aggressive marketing, which is sometimes barely distinguishable from fraud.
If you (or your employer) have some sort of support contract that might just possibly involve someone calling you out of the blue about a security issue, make sure you have a way to verify their bona fides. If you see some sort of pop-up message or even a Blue Screen of Death including a ‘helpdesk’ telephone number, expect the worst. If it turns out you really do have a problem, find a more reliable source for a helpdesk number.
If you really think it might just be a genuine call, ring back to a known genuine number, and make sure the initial caller is really disconnected. (Here’s an extract from an earlier blog on another scam to explain why that’s important):

When you put your phone down, it doesn’t mean the line is immediately cleared. This may be changed at some point because of the ways in which this feature can be misused, but the system does have legitimate advantages: for instance, if the phone is put down on a 999 call, it allows the operator to trace the call (for instance, where the caller has disconnected under duress). I can’t say if the same is true with 911 calls.

[There have even been reports of scammers using a recorded dialing tone so that the victim doesn’t realize the scammer is still on the line.]
If you need to look up a suitable support service, bear in mind that a search engine is likely to find links to scam pages as well as to companies offering genuine support services, including sites that have deceptive names suggesting links with Microsoft or Windows or Apple or Android. By sites, I mean not only company sites, but secondary sites such as Facebook pages and blog pages, where a great deal of unpleasant content of all sorts can be found lurking.
Many of the ‘what do I do now?’ questions I see seem to come from people who don’t have a regular security product installed, not even a free one. Given what I do for a living, you won’t be surprised that I strongly recommend using security software, even a free product, though a good for-fee product usually has the advantage of more reliable support. Don’t forget, though, that there is plenty of software passed off as a security product that ranges from useless to downright malicious. If you’re not sure which product to get (I could make a suggestion, but I’m not in marketing!), check out the mainstream security product testing organizations. I don’t always agree with the testing industry’s methodologies and claims, but reputable testers are not usually fooled into recommending fake products.
A good starting point would be the testers who are represented in AMTSO. (That’s the Anti-Malware Testing Standard Organization.) Testers and vendors that join AMTSO are usually trying to improve the accuracy of testing rather than just trying to manipulate it: participating testers do look at genuine products, and they do tend to conform to ethical guidelines.