Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.


Malware penetrates Apple’s walled garden

admin
Wednesday, 23 September 2015 / Published in Woo on Tech

Apple is infamous for its stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, Apple can no longer wear that badge with pride, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, note that security analysts believe the apps weren’t purposefully compromised: the infections were caused by Chinese app developers using an infected version of Apple’s coding framework, Xcode, to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.

What this means for you:

Unless you make a habit of installing Chinese iOS apps, you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps, remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us who aren’t impacted, this particular failure illustrates two important points about security:

  1. No security system or process is infallible. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
  2. The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3 GB) and is very slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware-infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!

Backups more important than ever

admin
Wednesday, 08 April 2015 / Published in Woo on Tech

Several clients learned some hard lessons this week. First and foremost, no one is immune from malware, no matter how much money and time is invested in security. If you still don’t believe this, you might be surprised to know that the White House was hacked recently. Granted, I made fun of government-run websites and their pitiful security, but one has to imagine that the Secret Service takes POTUS security very seriously, and yet Russian hackers seemed to be able to access sensitive information by fooling someone through a phishing email. Yes, email. That indispensable tool that we can’t live with and can’t live without. While we are frequently the agents of our own demise (surely this email from this overseas lawyer about a long lost inheritance is real this time), we can also be the agents of our own salvation.

Let me testify!

Above all, stop opening attachments sent via email, and likewise, look for ways to stop sending attachments via email. There are tons of secure file sharing options out there (keep in mind we don’t consider the free Dropbox among them…yet), but as long as the business world continues to rely on attachments to get things done, cyber criminals will exploit your willingness to open things sent to you via email. Resist the urge to open attachments even if you recognize the sender, and verify via phone if they indeed sent the attachment. Here’s an important clue: financial institutions, law enforcement, government agencies and just about any large consumer-serving company will not send you an attachment in order to get you to do something or notify you of important information. Neither FedEx nor UPS sends you delivery confirmations as attachments. Neither your bank nor your credit card company will send you an attachment asking you to open it. If you receive what you believe to be a legitimate attachment from a company with which you do business, call them to verify they sent you that file. Ninety-nine times out of one hundred, they did not send that file. I guarantee that you will receive emails that look and read 100% legitimate, but will in fact be clever attempts to trick you into a nasty malware infection. Even the best anti-malware software won’t be 100% effective all the time. The criminals who send you attachments anticipate you have some form of protection installed, and their payloads are designed to turn that “foot in the door” into a full-scale home invasion, anti-malware or no.

The best management coaches say to always pair a “stop doing this” with a “start doing this”. Are you backing up your data? If not, you need to start, right now. If you are, have you checked your backups lately? Tried restoring a file? Are your backups stored offsite? One of the clients mentioned above was thoroughly decimated by the infamous cryptolocker malware. Not only did it take out a principal workstation and all data, it also kidnapped their server data and mangled their backups, primarily because they were onsite and not designed to go back more than a week before being overwritten. Cryptolocker is infamous for hiding out for days before making its presence known, precisely to destroy local backups in this fashion. If you are using proper offsite backups, either through rotating media offsite manually or by using a cloud-based platform, this form of infection is annoying but survivable. Do yourself a favor and review your backup strategies immediately!

Image courtesy of Stuart Miles at FreeDigitalPhotos.net


Cyber bank heist nets perps millions

admin
Tuesday, 17 February 2015 / Published in Woo on Tech

Russian security firm Kaspersky has just released details of an elaborate, multi-year, multi-country heist that netted hundreds of millions for the group orchestrating the crime. Rather than a series of spectacularly violent bank robberies, this campaign played out quietly and slowly on the technology infrastructure of over 100 financial institutions in 30 different countries. Unfortunately for us, Kaspersky and the banking industry are keeping specific names out of the public spotlight, as expected. It can be assumed that the organizations involved don’t want to damage their reputations, and authorities typically refuse to comment on ongoing investigations. How did the criminals gain such unprecedented access? Simple malware campaigns targeting employees and officials, which eventually led to a fully compromised infrastructure that allowed the criminals to quietly funnel away millions and leave very few traces behind.

What this means for you:

It may sound a bit cliched to trot out the saying, “There are 2 types of companies, ones that have been hacked, and ones that have been hacked and don’t know it,” but in this case, the criminals were able to steal vast amounts of money by staying well under the radar, an approach that is at direct odds with the normally disruptive and in-your-face style of malware and hacking many people have encountered previously. By lurking quietly in the background, the criminals gained complete familiarity with organizational procedures and employee habits, allowing them to digitally impersonate privileged officials and processes to move money around and out of the organization with impunity. Without a smoking gun, shell casings, fingerprints or DNA evidence, the only trail authorities could follow was the money one – a trail that was obfuscated by digital sleight-of-hand and spoofed internet addresses. Even though your organization may not be targeted for this kind of heist, there are many other types of data cybercriminals value, and it’s in their best interest to not get caught. Don’t look for the obvious malware symptoms – those types of attacks are analogous to vandalism and random, impersonal pollution. The real cyberattack you need to worry about is the one you can’t see.

Image courtesy of 1shots at FreeDigitalPhotos.net


Facebook users get trojaned by fake video

admin
Wednesday, 04 February 2015 / Published in Woo on Tech

Like the predictable “tick-tock” of a clock, reports are coming in of an infection spreading rapidly through Facebook via a fake Flash Update. The “tick” in this case was the report last week of a zero-day Flash vulnerability, and the subsequent legitimate update of the Adobe Flash plug-in. Not wanting to miss an opportunity, cybercriminals have released the “tock” – a video on Facebook is tricking clickers into installing a set of malware that can take complete control of the victim’s computer. Over 100k have fallen for this scam which is only 2 days old as of this writing.

What this means for you:

If you see a warning pop up on your computer that software on your computer may be out of date, it may be legitimate, and it may not be. With Adobe Flash, it’s very easy to check by going to Adobe’s own Flash website: http://helpx.adobe.com/flash-player.html. Also be wary of the source of the update warning, such as one that comes from clicking on a dodgy link on Facebook or in an email. Double-check it against a legitimate source. Not sure what that source might be? Your trusted IT professional is only a quick call away. Spending five more minutes to vet that update warning is certainly worth avoiding a malware infection, right?


Is the Internet becoming polluted?

admin
Wednesday, 07 January 2015 / Published in Woo on Tech

As many of you know, one of my specialties is framing complex technology concepts in more simple, human-relatable terms. When people have a better understanding of the tools they use, they have a tendency to use them more efficiently, effectively and to take better care of them. A thoughtful article in the Atlantic written by security guru Bruce Schneier got me thinking about cyber security and the internet in a new way.

Cyber attacks are something most people only comprehend at a conceptual level, but even high-profile victims and their big-budget investigations struggle to really understand what actually happened. In the case of the Sony attack, even the experts are still debating who was behind the attack, and it’s a definite possibility that we may never find out. As Schneier deftly points out, with physical attacks (criminal and political) there is usually a trail of evidence and witnesses that allow us to identify the weapons and attackers as well as motives.

Unfortunately, modern technology and the internet have made it possible to perpetrate large scale, damaging attacks that are difficult to see (even when they are underway), vexingly hard to counteract and sometimes impossible to trace back to the aggressor. In the case of Sony, does it even matter who was behind the attack? Would they retaliate? How? For those of us suffering under a never ending tide of smaller malware attacks held back by only the thinnest veneer of defenses, there’s no one person to arrest, group to disband or government to disrupt that will stop the onslaught. It’s largely anonymous, amorphous and pretty much dangerous to everyone who comes in contact with it.

It’s better to think of malware and cyber attacks as the digital equivalent of pollution.

It’s certainly a lot easier to visualize, and the analogies might help everyone understand and better prepare themselves for the next time they head out on the digital highway. It may also help organizations and governments frame their actions in a more productive manner. Even if North Korea was actually behind the Sony attack, is leveling sanctions against them really going to stop future attacks? No. Neither will hacking their internet nor any other retaliation measure we could take. Why not invest efforts in combating internet “pollution” (you could lump hate speech in there as well!) – instead of putting fingers in a leaky dike, why not see if you can reduce the pressure causing the leaks?

It’s hard to imagine how the cyber equivalent of solar energy or the banning of CFCs might be able to stem the growing miasma of malware choking our technology, but maybe that’s because we are thinking about it the wrong way.


The pathology and etymology of Malware

admin
Sunday, 07 December 2014 / Published in Woo on Tech

A client recently asked me, “What’s the difference between ‘malware’ and a ‘virus’? Is ‘spyware’ still a thing? Are these pop-ups a virus, or something else? Was I hacked?!?” As a computer user who could easily remember the earliest days of computer viruses, his confusion was understandable, especially when the media and sometimes even industry pros have a tendency to use those terms interchangeably when they really aren’t. Today’s malware landscape is complex enough to fill multiple textbooks, but I’ll try to boil it down to the things most professionals should know.

Hacking

The term “hacking” is probably the most misappropriated term in use today. Originally, the true purpose of hacking something was to make alterations to how a device (or system) operated in order to achieve results different from the originally intended purpose of the hacked object. This could take just about any form: the brilliant, life-saving hacks used to return the Apollo 13 crew safely to earth in 1961, all the way to subverting computer security systems to paralyze a giant corporation in 2014. The important qualifier in determining if something was “hacked” is identifying actual, human-driven intent. In most cases, malware-compromised systems are the result of an “infection” versus a purposeful hacking.

Malware

The term “malware” is a portmanteau of the two words “malicious software” which, as you might imagine, is used to describe any sort of non-native programming or code loaded into a device that subverts the device’s original purpose, with the result that its activities cause some form of harm (hence the “mal” part). Malware covers a broad range of code, from the annoying pop-ups and browser redirects that take control of your internet searches to show you advertising (aka “adware”), to the incredibly disruptive (and effective) malware that encrypts your data and holds it for ransom (aka “ransomware”). “Spyware” still exists – though it has taken a dark turn from its original advertising roots of harvesting your demographics to now harvesting your sensitive personal information for the purposes of identity theft.

Viruses

Though a computer “virus” is still considered malware, most malware found today is not considered an actual virus. In keeping with the spirit of its biological predecessor, a true computer virus distinguishes itself by insinuating itself into or altering the host’s code with the express purpose of multiplying and spreading, something that is relatively rare at the moment in most malware, even the ones that spread via email. Though they exhibit virus-like infection patterns, their methods of spreading are more akin to poisoning or parasitic infection.

How it all comes together

It’s important to note that malware is often a primary tool in any computer hacking effort. It can be used to weaken or subvert security systems, usually by installing other programs that facilitate other activities that can range from gathering passwords, data and opening security backdoors to erasing hard drives and crippling critical network infrastructure. Though they find little comfort in it, I tell my clients that most malware infections are akin to getting the flu: it’s highly unlikely someone set out to get you sick. Typically you got it from someone who didn’t even know they were contagious.

However, similar to their biological counterparts, other digital pathogens may take advantage of your computer’s compromised immune system to cause further damage. At best, these malware infections take the form of a symbiotic parasite that may surface relatively innocuous symptoms (pop-ups, Google doesn’t work, etc.), but those redirects can lead you to further infection by more harmful malware. At the extreme, they can lead to the digital equivalent of metastatic cancer, usually with fatal results. Suffice it to say, any form of malware infection should not be tolerated, regardless of the host machine’s primary purpose, and should be taken care of immediately.


Trojans targeting Password Managers

admin
Monday, 24 November 2014 / Published in Woo on Tech

If you’ve been following my advice on securing your technology, one of the steps you’ve taken was to use unique, strong passwords for all your critical online accounts. If you have more than 2-3, you might also be using software known as a “password manager” which allows you to store your complex, hard-to-remember passwords in one place, secured by a master password. Examples of these include Lastpass, 1Password, Roboform, and Passpack (the one I use). Security analysts at IBM Trusteer have now identified a new form of malware that specifically targets password managers, turning on a keylogger when it detects the program being launched, with the intent of capturing your master password, and thereby gaining access to everything stored within.

What this means for you:

Though this particular malware isn’t widespread yet, it has the potential to cause devastating harm to compromised individuals, if only because it gives the hacker focused and confirmed access to every account stored in that particular password manager. As is always the case, security is only as strong as the weakest link, and 9 out of 10 times we humans are the weakest link. This form of attack requires a particular type of keylogger and trojan infection, so don’t discontinue use of your password manager unless you have reason to suspect you’ve been compromised. While there are no guarantees, you are much less likely to fall victim to a trojan attack like this if you have legitimate, updated anti-malware running on all your internet-connected devices and keep your operating system updated. Constant vigilance is also required: don’t open strange email attachments, carefully read/avoid pop-ups, and always have an experienced IT professional on speed dial. 

Note: if you are still running Microsoft XP in your environment, you are putting your whole organization at risk. I’ve been seeing an increasing number of malware infections on older operating systems as antimalware manufacturers end support for their software. In most cases, these machines are running in forgotten corners of your workplace, but may monitor or control critical components of your infrastructure. The cost of recovering a compromised XP machine and remediating the damage it caused typically outstrips the cost to replace it. Don’t put it off until it’s too late.

Image courtesy of Salvatore Vuono at FreeDigitalPhotos.net


Number of android ransomware infections growing rapidly

admin
Wednesday, 27 August 2014 / Published in Woo on Tech

The New York Times is reporting that the number of Android smartphones infected with a ransomware virus has grown to nearly one million devices in the past 30 days. Though the concept of ransomware is not new to the technology world, only minor outbreaks of this particularly nasty malware have been seen on mobile devices, and have either been quickly defeated or bypassed. Not so with this latest set of extortionware: most prolific is a trojan called ScarePackage, which, as the name suggests, locks your phone with a warning that the device has been used to commit a crime (child porn and media piracy are two of the most common tactics), and can only be unlocked by paying a fine to “law enforcement”.

What this means for you:

Up until now, the most common way Android devices were infected with malware like the above was through “sideloading” apps from questionable sources other than Google’s own “Play” store. Unfortunately, hackers seem to have perfected mobile browser drive-by infections so that they don’t even need to rely on someone bypassing the normal controls all Android phones ship with by default. It’s unclear whether Android antimalware apps (I use WebRoot’s SecureAnywhere) can protect you from drive-by infections reliably, but it does provide a layer of protection when installing apps and it will block suspicious text messages; both are a common source of malware infections. On top of installing malware protection on your mobile device, you should always be very careful surfing unknown or questionable websites, avoid installing brand-new, never-reviewed apps (sometimes trojans slip through Google’s malware screening), and always scrutinize the permissions that installed apps are requesting, especially the ones that ask for full administrative permissions or unfettered access to make mobile calls and send text messages.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net


Android security hole has been around since 2.1

admin
Wednesday, 30 July 2014 / Published in Woo on Tech

Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.

What this means for you:

Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there is a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the app’s identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.

Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
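A simplified model of the certificate check described above, added here as an illustration (it is not Android's or Bluebox's code). It assumes the flaw can be modelled as comparing the issuer name on a certificate with the authority's name without verifying the signature; `newCert`, `nameOnlyCheck`, `signatureCheck` and all certificate names are hypothetical, constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for subject: Issuer is copied from parent, the
// signature comes from signer, and a nil parent means self-signed.
func newCert(subject string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// nameOnlyCheck models the flaw (an assumption of this example): the issuer
// name is compared, but nobody checks that the parent's key signed the child.
func nameOnlyCheck(child, parent *x509.Certificate) bool {
	return bytes.Equal(child.RawIssuer, parent.RawSubject)
}

// signatureCheck is the hardened form: the name must match AND the signature must verify.
func signatureCheck(child, parent *x509.Certificate) bool {
	return nameOnlyCheck(child, parent) && child.CheckSignatureFrom(parent) == nil
}

// chainResult records how each check judges each certificate.
type chainResult struct{ GenuineName, GenuineSig, LookalikeName, LookalikeSig bool }

// demo builds constructed sample certificates and runs both checks on them.
func demo() (chainResult, error) {
	var r chainResult
	ca, caKey, err := newCert("Example Vendor CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	genuine, _, err := newCert("Example Plugin", false, ca, caKey)
	if err != nil {
		return r, err
	}
	// Look-alike: the Issuer text names the CA, but an unrelated key signed it.
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	nameOnly := &x509.Certificate{Subject: ca.Subject, RawSubject: ca.RawSubject}
	lookalike, _, err := newCert("Example Plugin", false, nameOnly, otherKey)
	if err != nil {
		return r, err
	}
	r = chainResult{nameOnlyCheck(genuine, ca), signatureCheck(genuine, ca),
		nameOnlyCheck(lookalike, ca), signatureCheck(lookalike, ca)}
	return r, nil
}

func main() { fmt.Println(demo()) }
```

The name-only check accepts both certificates; only the signature check tells the genuine one from the look-alike.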


Hacked Inventory Scanners Used to Target Logistics Firms

admin
Monday, 14 July 2014 / Published in Woo on Tech

A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms, and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that, once connected to a company’s corporate network, targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful, it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.

What this means for you:

It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms who bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point that we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.
