21.10.17

Top tips to keep cybercriminals out of your home

By Editor
Your home is not just bricks and mortar anymore – it is becoming a connected web of technology that needs to be protected. Every new smart ‘thing’ we bring into our homes – be it a simple smart meter or Amazon’s Alexa – increases the number of devices connected via our internet router and, as a result, the opportunity for hackers to gain access to our homes grows.
Lessons learnt
You only have to look at recent attacks to see how devastating the consequences of not securing internet-connected devices can be. For example, this time last year we witnessed the largest DDoS attack ever known. This was caused by the Mirai botnet – which is made up of a large number of internet-connected devices, including home routers – generating massive amounts of bogus traffic to swamp targeted servers and thus essentially bring down much of the internet.
It’s argued that some of the successful attacks against routers are due to the use of default passwords which, for most devices, are widely known. In fact, ESET researchers revealed that out of 12,000 home routers they checked, 15% used weak passwords, with “admin” often left as the username.
Securing the foundations

With this in mind, better security of your internet router is one of the simplest ways in which you can cyber-safeguard your home, and the technology you keep there. The router is essentially the foundation of the connected home, so this year during European Cyber Security Month, take time to follow these four simple steps:
1. Invest in the right router: Read online reviews of routers before purchase and look for easily used security features. WEP encryption was broken long ago, and the recent WPA2 attack known as KRACK has shown that WEP’s replacement may be vulnerable too. Although few routers – most commonly those found in homes – needed updating, because KRACK affected client-side WPA2 implementations, some devices did need updating and many older devices were stranded by their vendors.
2. Always update the firmware: It’s easy to forget to check your router for security updates. You may not get prompted to do this as soon as updates become available, so it’s well worth the effort to make sure you’re signed up to the vendor’s alert list to remind you to check for any updates. Consider such updatability issues when choosing a router, as the next WPA2 flaw may require a router update. Given how important your router is in protecting your home, an extra $20-30 now for a well-supported brand that will still ship updates for today’s devices in a couple of years’ time is a better investment than having to bin a cheaper device and buy a new one to fix the next vulnerability.
3. Disable Universal Plug and Play (UPnP) on your router: Most people won’t need router UPnP, in which case it’s good practice to disable this option in your router settings. The feature allows access to your network without authentication, so it’s best to disable it where possible.
4. Turn off remote management: To prevent hackers changing the settings on your router via remote access, turn off wireless remote management. This means that physical access to the router is required in order to change many settings.
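One way to verify step 3 from a machine on your own LAN, as an added example that is not part of the original article: the script below sends the standard SSDP M-SEARCH discovery request and reports any device that still answers it. The multicast address and request format come from the UPnP Device Architecture specification; the sample reply embedded for offline testing is constructed.

```python
import socket

# Added example, not the article's code. Multicast group, port and request
# format are those defined by the UPnP Device Architecture for SSDP.
SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(mx_seconds=2, search_target="upnp:rootdevice"):
    """Build the SSDP M-SEARCH datagram that asks every UPnP root device to answer."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx_seconds}",
        f"ST: {search_target}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_reply(raw):
    """Return the headers of a '200 OK' SSDP reply as an upper-cased dict, else {}."""
    head = raw.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def summarize(headers):
    """Keep the fields that matter for the audit: who answered and with what stack."""
    return {"location": headers.get("LOCATION", ""),
            "server": headers.get("SERVER", ""),      # often reveals the UPnP stack version
            "usn": headers.get("USN", "")}


def discover(timeout=3.0):
    """Send one M-SEARCH to the LAN and collect replies until the timeout (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            headers = parse_ssdp_reply(data)
            if headers:
                found.append((addr[0], summarize(headers)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply in the shape a MiniUPnPd-based router would send.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=120\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
                b"SERVER: OS/1.0 UPnP/1.1 MiniUPnPd/2.0\r\n"
                b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")

if __name__ == "__main__":
    for ip, info in discover():
        print(f"{ip} still advertises UPnP ({info['server']}) at {info['location']}")
```

If the router answers after you have disabled UPnP, the setting has not taken effect (or another device on the LAN is advertising UPnP); the SERVER header is also a quick way to see which firmware-level UPnP stack is running when you check for updates.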
As we introduce more devices into our homes, security has to be front of mind. You are fundamentally adding more windows and doors for hackers to push on to gain access to your home and, just as you lock your front door, you need to lock down these virtual access points too. Security is essential to everything, especially our routers, and it’s important that we ensure that the Internet of Things doesn’t become the Ransomware of Things instead.
If you are worried about your own situation, the guys over at bleepingcomputer.com have produced a useful list of companies that have already supplied a patch to their customers.

20.10.17

Malware in firmware: how to exploit a false sense of security


When it comes to cyberthreats, we in ESET-LATAM Research often see ransomware, banking trojans (especially in my home country – Brazil), botnets or worms. As a consequence, other types of dangerous malware that run inconspicuously might get less of our attention; as is the case with firmware malware or bootkits.
Bootkits run before the OS loads and target OS components in order to modify or subvert their behavior. The fact that bootkits execute early in the system boot gives them the ability to remain stealthy and be persistent, surviving hard drive reformatting or OS reinstallation.
This type of threat targets Basic Input/Output System and Unified Extensible Firmware Interface (BIOS and UEFI) firmware in many different ways, such as firmware flashing, upgrades or vulnerability exploitations, to name but a few. Currently, the very advanced capabilities that make UEFI such an attractive platform also open ways to new vulnerabilities that didn’t exist in the age of the more rigidly structured BIOS. For instance, the ability to run custom executable modules makes it possible to create malware that would be launched by UEFI before any anti-malware solution, or the OS itself, is able to start up.
These characteristics make bootkits the apple of advanced threats’ eye. Despite the fact that bootkit concepts have been implemented for many years, as long ago as 1986 or earlier, advances in the skill of cyberthreat actors pose new challenges and concerns for computer users.
Why worry about bootkits?
When thinking about security we generally take risk into account. It is well known that risk is a composition of likelihood and potential impact, so while a bootkit’s impact is undoubtedly hefty, what can be said about the likelihood of coming across such a threat?
To answer this question, we need to think about two issues: on the one hand, we have to identify possible actors and scenarios that may benefit from bootkits and ponder whether they will become more or less common in the future; on the other hand, we must assess our capacity to detect these threats, otherwise “likelihood” won’t go beyond a hunch.
To identify actors and scenarios, let’s take a look at the past to see the most notable bootkit cases. Looking at a timeline, it is clear that the threat has become increasingly frequent.
Mebromi, known to be the first bootkit in the wild, comprises a BIOS rootkit, an MBR rootkit, a kernel-mode rootkit, a PE file infector and a Trojan downloader, executed in such a way that the compromised system requests external content — which could be virtually any malware — every time the system boots. To accomplish the attack, Mebromi escalates privilege by loading its code in kernel mode to gain access to the BIOS.
Interestingly, as of 2014, other bootkits spotted in the wild were often closely related to governmental hacking (directly or indirectly).
In the NSA ANT catalog revelations (2014), DEITYBOUNCE was unveiled — a software application that provided “persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads”. The usage was similar to that of Mebromi, which again means downloading payloads and running them on the system during the boot process.
In 2015 it was the turn of “HT rkloader”, exposed after the Hacking Team leak. Unlike the NSA, Hacking Team is not a governmental agency; nevertheless, it sells offensive intrusion and surveillance capabilities to various governments. In particular, “HT rkloader” was the first UEFI rootkit discovered in the wild.
Unsurprisingly, the leak of the (NSA) Equation Group’s tools by the Shadow Brokers brought more bootkits to light. The catalogue of leaked tools contained some “implants”, namely BANANABALLOT, “a BIOS module associated with an implant (likely BANANAGLEE)”, and JETPLOW, “a firmware persistence implant for Cisco ASA and PIX devices that persists BANANAGLEE”.
Finally, this very year, CIA’s Vault7 revelations disclosed that governmental tools also targeted firmware. The attack exploited an S3BootScript vulnerability (patched in 2015) in order to install UEFI components on Apple systems.
These are just some examples of bootkits caught in the wild that we happen to know of, mainly due to major (and rare) leak incidents. Nevertheless, it shows the appetite that leading actors have for advanced attacks targeting firmware.
Still, you might ask yourself how this can interfere with our “normal lives”. Here we have to look at the past again and realize that we stand on treacherous ground. The WannaCryptor (aka WannaCry) pandemic is an example of what can go wrong when advanced hacking tools fall into the wrong hands.
Furthermore, we have seen many cases of attacks aiming at the supply chain, so that devices might get infected even before they are first used by their eventual owners. An attack targeting the firmware supply chain could possibly affect many users, while staying under the radar for a long period of time.
Therefore, it is highly important to have the capability to detect stealth infections, which takes us to the second aspect of this post.
Our capabilities to defend
Nothing is worse or more dangerous than a false sense of security. Snowden’s leaks and the aforementioned cases are wake-up calls to the whole security industry about malware in firmware.
VirusTotal, in a blogpost entitled “Putting the spotlight on firmware malware”, announced its new capability of “characterizing in detail firmware images, legit or malicious”.

As of 27 January 2016, the day VirusTotal announced the new feature, it is possible to extract and upload UEFI Portable Executables for analysis; these contain “precisely executable code that could potentially be a source of badness”, as the post’s author observed.
This is a great contribution to the security of cyberspace as a whole, since a simple and well-known interface for (firmware) malware analysis has been made available. Nonetheless, its main drawback is the procedure for capturing the firmware images before uploading them for analysis.
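To show what “extracting UEFI Portable Executables” from a captured image involves, here is an added example that is not from the original post or from VirusTotal’s own tooling: it walks a raw firmware dump, validates each MZ/PE header pair, keeps only images whose optional-header Subsystem value marks them as UEFI modules, and hashes each one so it can be looked up or uploaded. The sample dump is constructed from minimal synthetic PE32+ images.

```python
import hashlib
import struct
import sys

# Added example, not the article's code. Subsystem values that mark a PE image as a UEFI module.
EFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                  12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}

def parse_pe_at(blob, off):
    """Validate an MZ/PE header pair at blob[off]; return subsystem and on-disk size, or None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    pe = off + struct.unpack_from("<I", blob, off + 0x3C)[0]      # e_lfanew -> PE signature
    if pe - off > 0x1000 or blob[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(blob):
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24                       # optional header follows the 20-byte COFF header
    if opt_size < 70 or opt + opt_size > len(blob):
        return None
    if struct.unpack_from("<H", blob, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    # On-disk size ends where the furthest section's raw data ends.
    end = sect = opt + opt_size
    for _ in range(nsections):
        if sect + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + 16)
        end = max(end, off + raw_ptr + raw_size)
        sect += 40
    return {"subsystem": subsystem, "size": min(end, len(blob)) - off}

def carve_efi_images(blob):
    """Return (offset, subsystem name, sha256) for every UEFI PE image found in a dump."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(blob, pos)
        if hdr and hdr["subsystem"] in EFI_SUBSYSTEMS:
            image = blob[pos:pos + hdr["size"]]
            found.append((pos, EFI_SUBSYSTEMS[hdr["subsystem"]],
                          hashlib.sha256(image).hexdigest()))
            pos = blob.find(b"MZ", pos + hdr["size"])
        else:
            pos = blob.find(b"MZ", pos + 1)    # non-EFI PE or stray "MZ": keep scanning
    return found

def build_fake_efi_image(subsystem, payload):
    """Constructed minimal PE32+ with one section, used only as offline test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2002)      # x86-64, 1 section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000,
                                           len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + section + payload

# Constructed dump: padding, one EFI driver, padding, one non-EFI (Windows GUI) PE, padding.
SAMPLE_DUMP = (b"\xff" * 64 + build_fake_efi_image(11, b"driver-code")
               + b"\0" * 32 + build_fake_efi_image(2, b"win-gui") + b"\xff" * 16)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for off, kind, digest in carve_efi_images(data):
        print(f"0x{off:08x} {kind:24} sha256={digest}")
```

Real firmware volumes usually store modules compressed, so on a live dump this finds only the uncompressed images; it does, however, illustrate why the analysis side is easy and the capture side is the hard part.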
VirusTotal suggests some tools capable of doing this task; they are, however, mostly intended for computer experts rather than for the non-expert. Not only that, the suggested tools are explicitly developed for test environments for reasons that range from the broadening of the attack surface to fortuitous errors that may hamper the operating system:

Concerned with the security of our users, ESET includes an additional protection layer against UEFI bootkits. The advantage in this case is that our suite is able to scan the UEFI-enabled firmware without resorting to additional tools that may pose risks to the system. Therefore, it becomes much more user-friendly for regular users to scan their computer for stealth malware in firmware.
Findings about highly advanced threats in the wild that target firmware are certainly worrisome, especially because they run concealed within the system. On top of that, detecting this type of malware (in the wild) is difficult and arduous (and was barely possible not so long ago), possibly instilling a false sense of security in many of its victims.
But every cloud has a silver lining. This never-ending game of cat and mouse has enabled us once again to protect our customers better.

19.10.17

Google Chrome strengthens security with ESET

New ESET solution for safe internet browsing protects devices against unwanted software

ESET, a leading global cybersecurity company, brings Chrome Cleanup, a new scanner for Google Chrome designed to let users browse the web uninterrupted and safely. Chrome Cleanup will be available to all users of Google Chrome on Windows.
As cyberattacks become ever more complex and harder to detect, surfing online can lead to visits to dangerous sites that can install malicious software on devices.
Chrome Cleanup warns users of Google Chrome about possible threats when it detects unwanted software. Google Chrome then offers the user the option to remove that software. Chrome Cleanup works uninterrupted in the background and is not visible to the user. It removes the software and informs the user once the cleanup has been completed successfully.
“Using the internet should always be smooth and safe for everyone,” says Juraj Malcho, head of technology at ESET. “For three decades ESET has developed many security solutions to let users enjoy technology more safely and to limit countless cyberthreats. Chrome Cleanup tackles the problem of unwanted software that can have a negative impact on browsing the internet.”
Chrome Cleanup is integrated into the latest version of Google Chrome.

For more information about these tools, read Google’s blog post: https://www.blog.google/products/chrome/cleaner-safer-web-chrome-cleanup/

17.10.17

Securing printed data in the ‘paperless’ office

While we are supposedly in the era of the paperless office, intentional leaks via printed documents remain very common and can be just as damaging as their digital counterparts. While most of us realize the necessity of paper, do we recognize the risks of unauthorized viewing or document removal from the worksite?
Data loss – hidden in plain sight
The removal of sensitive documents is perhaps best highlighted by the recent case of Reality Winner, an NSA contractor, jailed in the first week of June after it was discovered that she ‘mishandled’ top-secret documents (as reported June 6 in the NY Times). She stands accused of “gathering, transmitting or losing defense information.”
With leaks very much on the US administration’s radar, internal investigators discovered documents that had been damaged (creased), and thus likely printed, removed and subsequently returned to their secure location. As reported by the New York Times, Ms. Winner, a US Air Force Veteran, almost immediately admitted to the crime, citing the motivation that she had to resist the administration’s moves to erect a border wall with Mexico, along with her posting the #NeverMyPresident hashtag on Twitter.
While most incidents don’t involve such high levels of international intrigue and purposeful intent, security incidents and lapses can happen in any company.
Document control is a reputational issue
Just as there are ways to audit, manage and protect electronic documents, there are ways to manage printed documents, too. So, how can you protect your printed data so that it won’t fall into the wrong hands, and are there any additional threats that should be addressed?
Human error – the most common problem
As a consultant who has earned his wings running security audits at SMBs, I can recall one case where an employee from a company in Frankfurt undertook regular business trips to visit a subcontractor. Apart from the printers he used in his office, his laptop was also configured to use any of the subcontractor’s printers. One day, when out at the subcontractor’s again, a colleague back in Frankfurt received a message from him, saying: “Run to the printer, pick up the document, don’t look at it and shred it.” What had happened was that the employee decided to print a database of personal customer data, but picked the wrong printer to do it on. The problem is that when you print a document on a remote printer, it can be accessed by anyone in the organization and it doesn’t require a malicious insider for this to become a security threat. Imagine an ordinary employee reviewing some important contracts or management salaries by accident. These situations can lead to problems within the company.
When it comes to an internal or external attacker, people can very easily take documents from a printer and walk away with them. Also, if you don’t find your documents at the printer, you are more likely to consider it a hardware failure than a security incident with someone actively leveraging your data for malicious purposes.
Prevention means managing the printing of sensitive documents. One possible solution is to focus on a Data Loss Prevention (DLP) product. These applications can define which data can be printed on specific printers and by whom. One advantage of this technical solution is that in the event of unauthorized activity, the DLP system logs the incident, notifies the user of the risks, and can also block the print. Potential breaches trigger alerts, which are then delivered to the security manager. Other options include print management solutions that allow document printing only after explicit user authentication (e.g. using a contactless smartcard) at the printer’s user interface.
Important documents are everywhere
Since I’ve just mentioned HR above, I should address the many times I’ve seen printed CVs lying around on work desks, tables and of course in printers. Commonly containing manager’s notes and comments, loose CVs also have the potential to cause interpersonal conflicts based on speculation over issues of seniority, leadership and pay. At larger companies, financial documents, contracts and customer data could be at risk. One time when I was visiting a company as an incognito auditor, I was able to see a document left in a printer in the corridor. It only took me a few seconds to find out that the company wanted to buy a piece of property. I saw the negotiated prices, contact information of all the relevant people, a business potential analysis and the results of an internal SWOT property analysis. Phone always at the ready, all I would need is two seconds to capture this information and walk away with it. Similarly, in the corridor of a healthcare company while waiting for a meeting, I once found a document that contained personal patient data and medical histories.
When documents containing sensitive data are left in a corridor or other public place, it is mainly a problem of physical security. In order to reduce the risks related to such document exposure, we recommend removing printers from places accessible to guests or the general public. It is also important to implement and enforce a clear desk policy. The policy itself is not enough, of course – best practice is to support it with regular training and internal audits. When a company already has a data classification plan in place, it can mark important documents with a “sensitive”, “internal”, or “top secret” watermark. Then, employees can also see what data they should be protecting. Another point to add here is to look at departments or units that are ‘hardcopy-heavy’ in nature and assess the level of risk they pose to the organization. Marketing and PR teams represent print heavy departments and have access to sensitive corporate information.
While they are unlikely to have access to core intellectual property (as is also the case with HR, another ‘hardcopy-heavy’ department), their ability to make or break a company’s reputation means that their printing ‘behaviors’ might be worthy of further examination.
How to keep print under control
Among the most important issues with the exposure of sensitive printed data is that these kinds of incidents happen very frequently. It is therefore highly probable that they will eventually cause a great deal of trouble if they are not prevented in the first place. Just as with information security as a whole, the protection of physical data should be a mix of organizational, physical and technical controls:
· A good first step is to conduct a printing audit. This often reveals security issues – e.g. sensitive data being printed unnecessarily, or problems in physical security.
· After the risks are identified, it is logical to proceed with the implementation of security measures – setting up policies, training users, and implementing a print management or Data Loss Prevention solution.
· Just as with other channels of potential data leakage, document printing should be subject to regular audits. A company should then adjust security measures according to audit results.
At the end of the day, you should remember that the employee (user) is the most important part of data security. Companies should work on inspiring awareness, motivation and loyalty: without it, encountering a security incident is just a matter of time.
About the Writer: Matej Zachar is a Project & Security Manager @Safetica Technologies, Data Protection Expert, ESET Technology Alliance.


WPA2 security issues pose serious Wi-Fi safety questions


The WPA2 encryption scheme has been broken, leaving Wi-Fi connections open to would-be attackers, who could use the attack to read information that was previously believed to be secure because it was encrypted.
‘KRACK’, or Key Reinstallation AttaCK as it has been labeled, means third parties could eavesdrop on a network. Private conversations might, in some circumstances, no longer be so private, as Wi-Fi traffic passing between computers and access points could be picked up by cybercriminals within range of a potential victim’s Wi-Fi.
This will be a major problem for companies and their IT departments as they scramble to protect themselves. Fortunately for them, they should have experts within their teams who are able to get to grips with the issue.
Unfortunately, those who might suffer most from the WPA2 issue could be family and friends with older routers at home or in small businesses that are desperately in need of firmware upgrades. However, Alex Hudson over at alexhudson.com has some sage advice for those who might fear for all things internet related if these rumors are indeed true:
“Secure websites are still secure, even over WiFi; think about setting your computers to “Public Network” mode – that increases the level of security on the device relative to “Private / Home Network” modes. Remember, if third parties can get onto our home networks, they’re no longer any safer than an internet cafe; if you’re paranoid about your mobile, turn off WiFi and use mobile data when necessary; it sounds like no similar attack against ethernet-over-mains power line is possible, so home networks based on mains plugs are probably still ok; keep computers and devices patched and up-to-date.”
ESET senior research fellow David Harley says of Hudson’s advice, “treat your own network as if it were a public network and configure your computers accordingly. Many home users would probably not be unduly inconvenienced that way, or will at least be able to work round likely difficulties, but businesses, even relatively small ones with a single small LAN, would tend to be hit harder”.
It is hoped that large vendors will be able to release new firmware that will diminish the impact that ‘KRACK’ will have.
The question will arise, though: do we now need WPA3? The short answer is: not yet. Thankfully the issue can be addressed and patched in a backwards-compatible manner, which means that WPA2 will not need to be replaced just yet.