24.3.17

When bad bugs bite: Apple iCloud accounts ‘held hostage’

For those of you with Apple devices, you may want to read this. Recently, a group of attackers identifying themselves as the ‘Turkish Crime Family’ have reportedly come into possession of a large amount of compromised iPhone and iCloud accounts.
Through these accounts, anyone with the credentials can locate the devices you may carry, access the stored pictures in iCloud, and also remotely wipe the device.
The group claims that it has access to approximately 200-250 million credentials, maybe more, which it says it will reset unless Apple pays the ransom it is demanding (the amount reported by the media varies – between $75,000 in cryptocurrency and $1 million in iTunes vouchers).
Currently, Apple does have a bug bounty program. However, paying attackers who hold data hostage is not in the company's ethos.
A screen capture provided to a news outlet by the so-called ‘Turkish Crime Family’ shows a message from Apple’s security team stating that they do not reward cybercriminals for breaking the law.
Other videos and screen captures have shown the attackers validating the logins by logging into an account that is part of the compromised cache of data.
In a subsequent screen capture from Apple’s security team, Apple has stated that archived transcripts of the conversations will be provided to the appropriate authorities.
So far, a date of April 7th has been given for the attackers to receive the funds before the resets commence.
The group has also been approaching various media groups in an attempt to draw attention to the issue, forcing Apple to pay the ransom that is being demanded.
It is not known whether the rumors of mass compromise are true; however, this is just another indication to play it safe in cyberspace and make smart decisions when it comes to securing your devices.


GDPR: A simple explainer

The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data. Its impact won’t just be felt in Europe though, as it will have wider implications for companies across the world that hold data on the continent.
While great news for individuals, it presents complex problems for companies. As a case in point – they could face fines running into tens of millions of Euros if they breach the new directive. With that in mind, we’ve put together this simple explainer to answer the key questions.
What’s GDPR again?
It is a new set of rules governing the privacy and security of personal data laid down by the European Commission.
The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.
What is the point of the new laws?
They have been designed to give power back to citizens over how their data is processed and used.
Under the new rules, individuals have “the right to be forgotten”, meaning they will be able to request that businesses delete their no longer necessary or accurate personal data.
Plus, the intention is to simplify the regulatory environment.
How will this impact individuals?
As well as the right to be forgotten, the law holds provisions that could potentially increase consumers’ rights over their data.
But there is a huge grey area about how it will apply in reality. The laws mean that in theory someone could ask social networks like Facebook to delete their profile entirely.
Laws relating to freedom of expression will stop “the right to be forgotten” extending to news articles.
But there is the potential for individuals to transfer their data from one service to another more easily – which is great news for consumers, making it simpler to swap utilities, insurance or ISPs.
How will this impact my business?
This shake-up of data protection laws is all well and good for individuals, but it could mean huge fines for businesses that don’t comply with the laws.
This is because data breaches have become increasingly common in recent years. However, giving citizens back control of their complex personal data is not necessarily easy.
Plus, working out how to give it back to them, how to ensure it is stored adequately throughout employment and then how to delete it securely is a bit of a technical and HR minefield.
How much will it cost?
The biggest change to the law is the increase in the amount of money regulators can fine companies who do not comply – up to 4% of their global turnover or 20 million Euros, whichever is greater.
This threat is certainly big enough to frighten companies into changing their data dealings.
But I’m not in the EU – will it affect my business?
GDPR has serious implications for companies in countries outside the EU. So even if you’re based overseas, but hold data belonging to anyone living in Europe, you’re liable.
So, in short, if you process data that belongs to individuals living and working within the EU, you will be subject to aspects of the directive.
What should businesses be aware of?
The Information Commissioner’s Office in the UK recently released a set of guidelines to help businesses prepare for GDPR.
It also recommends that companies review privacy notices and ensure there is a plan in place that allows them to make any necessary changes to be in compliance with GDPR.
However, it’s potentially not too scary, as the ICO insists the new measures will contain many of the same principles and concepts as the current Data Protection Act.
This means that companies already successfully abiding by the 1995 legislation will probably be covered.
But there are predictions businesses will go on recruitment drives for data protection officers – to ensure they’ve got the right personnel in place.
What are the other potential ramifications?
Once GDPR comes in companies could see more legal challenges from individuals and groups that take up privacy issues on behalf of citizens.
But they may also see fewer challenges from individual country regulators, because of a “one-stop shop” clause that would put the onus on the regulator in the country in which the company is headquartered to pursue legal action.
Regulators are also being given more powers to intervene if they feel another is being too lenient.
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that when the time comes, you have everything covered.
Author Editor, ESET



If you download Minecraft mods from Google Play, read on …

Minecraft players have been exposed to scams and aggressive ads brought by 87 fake Minecraft mods recently spotted on Google Play.
The apps can be divided into two categories – the ad-displaying downloader detected by ESET as Android/TrojanDownloader.Agent.JL and fake apps redirecting users to scam websites, detected as Android/FakeApp.FG.
Altogether, the 87 fake mods reached up to 990,000 installs before we reported them on March 16th and 21st.
Ad-displaying downloader

Figure 1 – Ad-displaying downloader disguised as Minecraft mods on Google Play
In the first category, 14 apps impersonating Minecraft mods with up to 80,000 installs have been discovered. Similar to the ad-displaying dropper we analyzed earlier in March, this trojan uses an additional component to display out-of-app advertisements.
In this case, the component acts like a module necessary for installing the mods. The module isn’t a part of the original app – it has to be downloaded from the web and manually installed by the user after launch.
Having no real functionality and displaying aggressive ads, the apps aren’t very popular among users – as shown in the poor ratings and widely negative reviews on Google Play.

How does it operate?
When launched, the apps immediately request device administrator rights. Once device administrator rights are activated, a screen with an “INSTALL MOD” button is displayed. Simultaneously, a push notification informs the user that a “special Block Launcher” is needed in order to proceed with the installation.
After clicking the “INSTALL MOD” button, the user is prompted to install the additional module “Block Launcher Pro”, granting it several intrusive permissions (including device administrator rights) in the process. The payload downloaded during the installation is detected by ESET as Android/Hiddad.DA.
Installing the module brings the user to a dead end – a static Minecraft-themed screen with no clickable elements. The only actual function of the app and its module is to display ads – which now show up on the user’s device, interrupting their activity.

Figure 3 – Out-of-app advertisements showing up on victim’s device
Interestingly, this ad-displaying downloader is an evolved version of an app that was originally uploaded to Google Play in February. The original version used a similar interface and also demanded device administrator rights. However, it didn’t have any downloading functionality and, unlike the downloader analyzed in this article, the first version actually provided the user with real Minecraft mods.
Since the result of this evolution – a downloader – is able to download any sort of additional malware to the victim’s device, there is no reason to believe malware authors would stop at only displaying unwanted ads. Seeing they can lure thousands of users into installing their deceptive applications, more dangerous threats distributed under similar disguise might be the next logical step.
Video capture from installation
Fake apps redirecting to scams
The remaining 73 of the detected applications use an old trick of redirecting users to scammy websites. The apps, detected by ESET as Android/FakeApp.FG, were added to Google Play between January and March 2017 and reached up to 910,000 installs before we reported them.
How does it operate?
Once launched, the apps display a screen with a download button. Clicking the button doesn’t download any mods; instead, it redirects the user to a website opened in a browser. The websites display all kinds of obtrusive content – ranging from ads, through surveys, free coupon offers, jackpot wins, porn, to fake updates and fake virus warnings attempting to scare the user. The messages are displayed to users in different languages based on their IP addresses.
How to protect yourself?
If you like to download mods for Minecraft, you might have come across one of these malicious fakes.
With the fake apps redirecting to scam websites, the effects are easy to recognize – the apps don’t work and you’ll see a random scam message upon clicking their fake download button.
In the case of the ad-displaying downloader, there is no functionality either and your device keeps displaying unwanted ads. However, as the downloader is capable of downloading any additional apps to infected devices, the payload responsible for the ads may be substituted by more dangerous malware in the future.
To make sure your device is malware-free, use a reputable mobile security solution to detect and remove the threats.
If you want to remove the threats manually, you can do so by following the steps below.
To clean your device of the ad-displaying downloader, you’ll first have to deactivate device administrator rights for both the app and the downloaded module found under Settings -> Security -> Device
With the scam app, uninstalling is one step easier – you can uninstall the app in Settings -> Application Manager.

To prevent being tricked by fake apps and malware, opt for official app markets. Even then, exercise extra caution when downloading third-party apps offering additional functions to existing applications, as there may be a “catch” in these attractive-sounding offers.
Before downloading, check the popularity of the app by number of installs, ratings and, most importantly, content of reviews. In the case of these apps, low ratings and angry reviews should have been a good enough indicator of their untrustworthiness.

23.3.17

Google: More websites falling victim to cybercriminals

By Editor
The number of websites compromised by cybercriminals during 2016 was 32% higher than the previous year, according to Google.
The tech giant added that this spiral of cyberattacks is unlikely to lose momentum anytime soon, as more websites become “outdated” and cyberattackers “more aggressive”.
One area of weakness identified by Google has been the slow uptake of webmasters verifying themselves on Search Console.
As a result, some 61% of webmasters that experienced a security incident never received a notification from Google that their website had been compromised.
The company has subsequently urged sites to sign up to Search Console, adding that it is the main channel used to communicate health alerts for sites.
Additionally, Google says it has been listening to feedback from webmasters in order to “better understand how it can help”.
“One area of weakness identified by Google has been the slow uptake of Search Console.”
The most popular request is for simpler documentation about compromised sites.
As a result, Google has taken a new approach that offers webmasters more information about when their site has been compromised, as well as offering clean-up guides that give advice on how to deal with certain types of attacks.
One guide shows how to fix the Gibberish Hack, which automatically creates numerous pages on webmasters’ sites, filled with keyword-enriched nonsense.
When people attempt to visit the site, they are diverted to an unrelated page.
Meanwhile, there’s the Japanese Keywords Hack, which creates new pages with Japanese text.
These pages are then monetized by way of links to stores selling fake goods, and then shown in Google search.
The best way, however, of dealing with these attacks, remains prevention. “As always it’s best to take a preventative approach and secure your site rather than dealing with the aftermath,” says Google.
Unfortunately, it still seems to be the case that not enough people are heeding this advice.
The threat posed by cybercriminals was brought into sharp focus again this week, after the Association of British Travel Agents proved to be the latest victim of cybercrime, reporting it had suffered a severe data breach affecting 43,000 people.

The economics of cybersecurity for the undecided

Buyers rarely use all the information necessary to evaluate the utility of a particular good or service even when it’s accessible, but in most cases, they do not possess even a fraction of the information available to the vendors.
This information imbalance means that the buyers of antivirus software are placing themselves in the precarious safekeeping of invisible market forces or, even worse, at the mercy of market-dominant vendors. Consumers who don’t like this setup either buy cheaper products (thus reducing the risk of overpaying for a product with qualities they’re unable to evaluate) or postpone the decision to purchase until more information is available.
On the flip side of this conundrum is the cost of doing nothing, a pervasive concept despite its counterintuitive name. In the context of cybersecurity, this means that the decision not to buy antivirus software might end up costing far more than a single-seat license if a CryptoLocker-style ransomware seizes all of your data, photos and correspondence.
The value of a cybersecurity solution
It is precisely because of this concept of the cost of doing nothing that we’re able to determine the value of a cybersecurity solution. Helping you estimate the aforementioned cost is a measure known as ‘Value at Risk’ (VaR), the probability that a specific loss will occur within a specific timeframe.
“Helping you estimate the cost of doing nothing is Value at Risk, the probability that a specific loss will occur within a specific timeframe.”
For example, after looking at a certain set of statistics, you might conclude there is a 1% chance that within a year a DDoS attack will disable your online business for one day, leading to a loss of profit of $10,000. If the management of your company finds this risk acceptable, there’s no need to invest in appropriate security measures (but if misfortune strikes, nobody has the right to say they didn’t see it coming).
VaR is never zero even for typical PC users. They risk their data every time they go online, as confirmed by antivirus software logs that record malware incidents prevented by security software, or by tools like ESET’s Virus Radar.
Accepting and aggravating the risk
As it became increasingly obvious that the risk of a malware infection can never be 100% avoided regardless of the time and money invested, the usually upbeat attitude of the internet community turned sour.
At one point, former senior vice president for information security at Symantec, Brian Dye, went so far as to make the oft-repeated claim that antivirus software is dead. His argument was based on the hotly debated assertion that almost all cyber damage is caused by the so-called “zero-day” attacks that exploit vulnerabilities unknown to the developers and antivirus vendors.
According to Dye, security software performs significantly worse against such attacks, and as soon as they’re discovered, cybercriminals move on to the next exploitable flaw, making protection from those attacks obsolete. However, even if we take this argument at face value, anti-malware still stops some “zero-day” attacks, which is better than nothing.
In fact, much better: if we were to trust Dye’s numbers, commercial anti-malware stops 45% of such previously unknown attacks. Besides, the attitude of IT professionals who consider anti-malware redundant is not based on recklessness, but on efficient backup and recovery procedures: their files are safe either way.
This is not the case when it comes to typical users, who account for a decent share of security breaches.
“Not only do users tend to fall for ‘social engineering’ traps, but sometimes run straight through the red lights.”
Not only do they tend to fall for “social engineering” traps, but sometimes run straight through the red lights. A study by the Carnegie Mellon University School of Computer Science found that 21% of tested users ignored active phishing warnings in their web browsers. The authors of a Microsoft Research study of password habits estimated that 0.4% of internet users type in their passwords at verified phishing sites. That certainly doesn’t sound like much, but the consequences can be dire, as was the case with the recent hacking of US Democratic National Committee systems.
Attackers, allegedly from Russia, mimicked the domains of targeted organizations and tricked victims into entering their credentials. According to the FBI report, “at least one targeted individual activated links to malware hosted on operational infrastructure of [sic] opened attachments containing malware”, while others were tricked into disclosing their passwords to a fake webmail domain hosted on the attacker’s infrastructure.
Making it harder for the rest of us
Whether you’re a business or home user, your attitude towards security affects the whole network, because your IT resources can be used to propagate threats and cause damage to other users located anywhere in the world. This is where estimates on global damage from malware come into play.
Inga Beale, CEO of Lloyd’s, said that cyberattacks cost business worldwide as much as $400 billion in 2015, and a joint study by IBM and Ponemon Institute surveying 350 companies around the world that experienced a data breach in 2015 indicated that the average cost of such incidents amounted to $3.79 million – a total cost of over $1.3 billion for that sample set alone.
No matter how much one downplays the value of security software, the discrepancy between the total estimated damage caused by malware and the money spent on anti-malware solutions globally is still huge: in 2015, all security software vendors generated combined revenues of approximately $22 billion, or roughly 5% of the estimated cost caused by all cyberattacks. Since cybercriminals show no signs of relenting – according to some estimates, damages caused by malware could reach $2.1 trillion by 2019 – it is no wonder that in certain cases, taking cybersecurity risks is no longer allowed by law.
Cybersecurity ceases to be a private matter
Cybersecurity has been a part of the global legislative agenda for some time. In 2007, the European Union, although a bit at odds over how to define what qualifies as cybercrime, communicated the need for “a general policy on the fight against cybercrime”.
In accordance with this policy, the General Data Protection Regulation, which is scheduled to come into force in May 2018, increases the penalties for institutions handling private data that fail to implement appropriate cyber security measures.
“If your company decides to ditch the IT security requirements mandated by law, it leaves itself open to penalties and lawsuits.”
Government regulation of cybersecurity can be seen as unjust dumping of IT security costs on the private sector. However, as Ross Anderson of the University of Cambridge noted in his edX course, the trouble is that the incentives for securing the respective public services just aren’t there: most of the time, cybercrime comes down to a series of petty thefts – a couple of hundred dollars here, a couple of hundred dollars there – and remains under the police radar.
In addition, perpetrators of cybercrime are often located in a different jurisdiction and therefore inaccessible to the local law enforcement agencies. Whether this shifting of responsibility for cybersecurity is justified or not, it has become an inevitable circumstance that adds to the cost of business – if your company decides to ditch the IT security requirements mandated by law, it leaves itself open to penalties and lawsuits.
Finally, how much should you invest?
In their 2002 paper The Economics of Information Security Investment, Lawrence Gordon and Martin Loeb of the University of Maryland estimated that in most cases, optimal investment in information security is less than or equal to 36.97% of the loss expected in the absence of security.
An important thing to remember is that firewalls and antivirus software are only a part of the solution (and only a part of Gordon and Loeb’s 36.97%). If you want your company secure, you need user training, awareness campaigns and a set of preemptive and corrective measures. Therefore, Gordon and Loeb’s figure represents the total cost of all cybersecurity products and activities that your company should implement if it wants to effectively mitigate respective risks.
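To make the VaR reasoning from the DDoS scenario above and the Gordon and Loeb ceiling concrete, here is an added worked example (not code from the article or from ESET). It uses Gordon and Loeb's "class I" breach-probability function S(z, v) = v / (alpha·z + 1)^beta, where v is the breach probability with no spend and z is the amount invested; the values of alpha and beta, and the $50 and $90 product prices, are assumed for illustration, and the ceiling is their 1/e bound (about 37% of the expected loss).

```python
import math

# Added example: the article's VaR arithmetic plus Gordon and Loeb's
# class I model S(z, v) = v / (alpha*z + 1)**beta. alpha, beta and the
# prices used below are assumed parameters, not figures from the article.


def expected_loss(probability, loss):
    """Annual expected loss behind the article's VaR example: p * L."""
    return probability * loss


def breach_probability(z, v, alpha, beta):
    """Probability of a breach after investing z (class I function).

    v is the breach probability at z = 0; alpha > 0 and beta >= 1
    describe how quickly money buys protection (assumed shape).
    """
    return v / (alpha * z + 1) ** beta


def enbis(z, v, loss, alpha, beta):
    """Expected net benefit of investing z: loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v, loss, alpha, beta):
    """Closed-form maximiser of enbis() for the class I function.

    Setting d(enbis)/dz = 0 gives (alpha*z + 1)**(beta + 1) = v*alpha*beta*L.
    If that right-hand side is <= 1, no positive spend pays off.
    """
    k = v * alpha * beta * loss
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1)) - 1.0) / alpha


def gordon_loeb_cap(v, loss):
    """Gordon and Loeb's ceiling: never spend more than 1/e of v*L."""
    return v * loss / math.e


def worth_buying(price, v, loss, alpha, beta):
    """True if a solution costing `price` per year avoids more loss than it costs."""
    return enbis(price, v, loss, alpha, beta) > 0.0


if __name__ == "__main__":
    # The article's DDoS scenario: 1% chance per year of a $10,000 loss.
    p, loss = 0.01, 10_000
    alpha, beta = 0.05, 1.0  # assumed protection curve
    print("expected annual loss:", expected_loss(p, loss))
    z_star = optimal_investment(p, loss, alpha, beta)
    print("optimal spend: %.2f (cap %.2f)" % (z_star, gordon_loeb_cap(p, loss)))
    print("net benefit at optimum: %.2f" % enbis(z_star, p, loss, alpha, beta))
    for price in (50, 90):
        print("a $%d/year solution worth it?" % price,
              worth_buying(price, p, loss, alpha, beta))
```

Sweeping alpha and beta shows the optimum never exceeds the 1/e cap, which is the point of Gordon and Loeb's result: past that level, extra spend costs more than the loss it avoids.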
As far as individual users are concerned, it’s interesting to look at how much people tend to pay to rescue their IT resources when they have to. According to a report by IBM, almost 40% of consumers would be willing to pay more than $100 to get data back, and most ransomware fetches over $300 per victim.
The paradox here is that typical users usually don’t know how much they’re willing to pay before a security incident happens, so the realization that it might have been worth paying $50 to prevent a cost of $300 often comes too late.
Whatever you choose to do as an individual user, bear in mind that rudimentary antivirus solutions can be installed free of charge, regular software patches don’t cost anything, and basic data backup can be arranged at a cost of a single USB stick that you probably already have – in other words, basic implementation of the three key aspects of PC security doesn’t have to cost you anything at all.
Ultimately, there are two ways of deciding what to do about cybersecurity. The first is to check the regulatory requirements that apply to your business, estimate your VaR and the inconvenience of restoring your systems and weigh these against the cost of a security solution.
“Basic implementation of the three key aspects of PC security doesn’t have to cost you anything.”
Alternatively, you can simply place your trust in the market for cybersecurity solutions and services, which is expected to grow from $75 billion in 2015 to $170 billion in 2020. It’s not that conformism is a particularly sound approach when it comes to making strategic decisions, but before you beg to differ, make sure you know why and what to do if you turn out to be wrong.
Miroslav Nikolac
Business development at ESET, Croatia


21.3.17

ABTA experiences data breach


The Association of British Travel Agents (ABTA) has suffered a major data breach, affecting thousands of customers.
As some news providers have observed, it took the UK’s largest holiday and travel association 16 days to alert customers of the data breach, which it said took place on February 27th.
The breach was subsequently discovered on March 1st but not announced until the 16th.
Cybercriminals managed to expose a flaw in ABTA’s web server, which gave them access to the website and the personal information of as many as 43,000 customers, including a possible 650 ABTA members.
In a statement, Mark Tanzer, ABTA’s CEO, said: “Although [our] own IT systems remained secure, there was a vulnerability to the web server for abta.com, which is managed for ABTA through a third-party web developer and hosting company.”
The majority of customers who were impacted by the breach were those who had registered on the website or filled in an online form.
Some of the personal details came from around 1,000 people who had submitted details of their holiday complaints, revealing their emails and contact details.
Following the detection of the attack, ABTA urgently notified the third-party suppliers of the website who “immediately fixed the vulnerability”.
In the meantime, the travel body suggested customers should “remain vigilant regarding online and identity fraud: actively monitor your bank accounts and any social media and email accounts”.
ABTA is “taking every step … to help those affected”, with Tanzer apologizing and admitting that it was “extremely disappointing” that the web server was compromised.
Harsher penalties will be in store for companies who don’t comply with new security regulations imposed by the General Data Protection Regulation (GDPR), which comes into play in May 2018.
New GDPR regulations include rules around notification of data breach, consent and mandatory privacy impact assessments.
Companies that do not abide by the rules will face heavy fines.
Author Narinder Purba, We Live Security