Macs are not safe from Bears

Mac users have long had an unwarranted level of confidence about their immunity to malware and hackers. Palo Alto Networks recently discovered some Mac malware in the wild, which I hope will make us Mac users pay more attention to security. The malware, which targets mostly the aerospace industry, appears to be from an APT group they call “Fancy Bear”.

The malware is a trojan executable designed to look and act like a PDF file. It is being used in highly targeted attacks where the apparent content of the file is something that the recipient was expecting to receive.
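A file that "looks like a PDF" is usually a Mach-O executable carrying a document-style name or icon. The content-versus-name check below is an added example written for this post, not code from Palo Alto Networks or from the analysis of the sample; the sample bytes are constructed here and are not real malware. It classifies a file by its magic bytes and flags executables whose filename claims to be a document, including the multi-extension form (`report.pdf.app`) that Finder can hide. The `0xCAFEBABE` magic is shared with Java class files, so the code disambiguates with a heuristic similar to the one `file(1)` applies.

```python
import struct

# Mach-O magic values (first four bytes). The byte-swapped "CIGAM" forms appear
# when the file's endianness differs from the host's.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
}
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}  # FAT_MAGIC / FAT_CIGAM

# Extensions a recipient would expect to open as a document, not to execute.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "txt", "rtf", "jpg", "png"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its content alone, ignoring the filename."""
    head = data[:4]
    if head in MACHO_MAGICS:
        return "mach-o"
    if head in FAT_MAGICS and len(data) >= 8:
        # 0xCAFEBABE is also the Java class-file magic. In a fat (universal)
        # Mach-O the next big-endian word is nfat_arch, a small architecture
        # count; in a class file it is minor+major version with major >= 45.
        # Heuristic threshold (assumption): small values mean a fat binary.
        next_word = struct.unpack(">I", data[4:8])[0]
        return "mach-o" if next_word < 20 else "java-class"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def claims_to_be_document(name: str) -> bool:
    """True if any extension in the name (e.g. 'invoice.pdf.app') is a document type."""
    parts = name.lower().split(".")[1:]
    return any(part in DOCUMENT_EXTS for part in parts)


def is_masquerade(name: str, data: bytes) -> bool:
    """Flag executable content presented under a document-looking filename."""
    return claims_to_be_document(name) and sniff_type(data) == "mach-o"


# Constructed samples (not real files): a genuine PDF header, a 64-bit Mach-O
# header under a PDF-looking name, a two-architecture fat header, and a Java
# class header (major version 52 = 0x34).
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "quarterly-report.pdf.app": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x00" + b"\x00" * 20,
    "installer": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 32,
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8,
}


def scan_samples() -> dict:
    """Return {name: (detected type, masquerade flag)} for every sample."""
    return {name: (sniff_type(data), is_masquerade(name, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (kind, flagged) in scan_samples().items():
        print(f"{name:28} {kind:10} {'SUSPICIOUS' if flagged else 'ok'}")
```

On a real mail gateway or endpoint the same check belongs on attachments and on anything inside an archive; a `.pdf` that the system reports as `mach-o` should be quarantined regardless of who it appears to come from, since the targeting described above means the sender and subject will look right.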

These kinds of attacks typically start with the nation state level APT attackers and quickly make their way down to the street level cybercriminals. Everyone on every platform needs to pay attention to their security and take proper precautions.

Security lessons from Pokemon Go - Catch them all!

When anything big happens on the Internet, the criminals and snoops are not far behind. This time the event is Pokemon Go, and there are all kinds of different threats developing in its wake, from malware to tracking to physical danger. If you are not familiar with this game yet, just look around next time you step outside; it is everywhere.

Criminals have jumped quickly on the piecemeal global rollout of the game. Players unwilling to wait for the official release in their countries have been looking for the game on unofficial app stores. A version with the Android trojan DroidJack has been seen which allows the attacker to take complete control of the victim’s phone and access any files or information. The vast majority of users should absolutely avoid any third party app stores. Only get your software from known and reputable sources and don’t do anything to bypass the phone’s security. The best practice is to stick with the app store that came with your phone.

Even the official version of the game raises some troubling privacy concerns. By design the application tracks you when you are using it, and you are strongly encouraged to be using it all the time. This is hardly the only application tracking you, but the privacy policy on the game is not great. Also, it is likely to be disproportionately tracking children. Always think about who has access to your information and how it can be used for and against you. The tracking data might be ok in the hands of the current company but if it is sold or stolen, you might be less happy with the people who have it.

Conventional muggers have also discovered the power of Pokemon Go to lure their victims. In the game players need to search out fixed locations called Poke Stops and Gyms. Criminals can add capabilities to these virtual constructs to make them even more interesting and attractive. If the location is dark and somewhat hidden it becomes the perfect location for an ambush. The divide between virtual and physical keeps getting narrower. Physical attacks are launched from cyberspace and cyber attacks can start with physical device access. We can’t just focus on the digital risks of tools and attacks, but must also consider how they could impact us in the analog world.

Finally, this game is causing people to walk into the street, down dark alleys, and into rough neighborhoods without paying attention or taking appropriate care. Like distracted driving, this is another example of our immersion in the electronic realm causing us to neglect the basics of staying safe in the here and now.

I find it fascinating that one program, and a game at that, can have so many and varied security implications. Now, I am off to catch me some Pokemon, I think there are some down my driveway!

Why targeting is a trend and how to protect yourself

At the recent BSides security conference in San Francisco (just before the RSA conference) I had the opportunity to give a talk about targeted attacks and how they are changing the game of cyber defense. The talk was recorded so you can listen to the whole thing, or read a brief summary below.

Sophisticated targeting is one of the most important trends in security right now. Although most of the malware and attacks we see are still untargeted, the biggest and most damaging ones are highly targeted.

  1. Targeted attacks are harder to detect because they impact a much smaller population.
  2. Targeted attacks avoid attacking security researchers, bots, and honeypots making discovery and analysis more difficult and time consuming.
  3. Targeted attacks preserve expensive zero-day exploits from being added to detection signatures.
  4. Attackers know exactly what they want and what they want to do with it so they can get much more impact for a given effort (whether cash, political impact, revenge, or whatever).

A random attack like a ransomware incident should be no more than an annoyance to a reasonably prepared business. Employees can be trained to avoid clicking on links or attachments in suspicious emails. The same is not true of targeted attacks. A masterfully crafted spear phishing email will fool just about anyone, even the most savvy or expert users. Attack emails will come from people the victim knows and will be written in that person’s style and be completely appropriate to their topics of discussion. Attachments and links will appear normal and expected. Targeted watering hole attacks compromise marquee websites like Forbes and Yahoo, and then avoid detection by only launching attacks against the small handful of desired victims. Far from being in the dark back alleys of the Internet, these attacks happen in the cyber equivalent of noon in Times Square. Because targeted attacks are harder to detect, attackers are willing to deploy their most valuable zero-day or otherwise undetectable exploits and tools. They know that they are likely to remain effective long after the attack. These tools are also the most effective and reliable at penetrating the target company.

Once the attacker is in, they can move directly to getting what they came for. That could be credit card numbers, personal information, business secrets, or just embarrassing emails. The Sony hackers almost certainly knew what they wanted to do with their stolen emails before they started. Likewise the OPM hackers doubtless had very specific plans for the detailed personal information they were able to take. Defending against targeted attacks is also much more difficult. The low volume makes it much less likely that anomaly detection systems will trigger. The use of unknown tools makes signature detection fail. And attacker research allows them to find a soft entry point to the enterprise and move strategically from there. Businesses need to move quickly towards security that is less reliant on detection for protection. Architectures must contain attacks, minimize damage, and automatically restore systems whether or not they are known to be compromised. Detection and training will always be valuable, but we cannot rely on them to be effective, especially against targeted attacks.

PRISM fears being used by scammers

In a new attack, some websites have been set up to show visitors a splash page that says the victim's computer has been blocked because it has been used to access illegal pornographic content. The user is then presented a link to pay an instant "fine" of $300 to the scammers.

This is a new variant of "ransomware", the most common form of which is "fake AV". A fake anti-virus website or software will claim to scan your computer for free, then charge you to remove malware that it has "detected".

Details and screenshots here.

Signed Mac Malware discovered on activist's laptop

Ars Technica reports on the discovery of signed malware designed for surveillance on the Mac laptop of an Angolan activist.

The malware was a trojan that the activist obtained through a spear phishing email attack. The news here is that the malware was signed with a valid Apple Developer ID. 

The idea is that having all code signed should substantially reduce the amount of malware on the platform. This works because creating a valid Apple Developer ID requires significant effort, and may expose the identity of the hacker unless they take steps to hide their identity. This is not trivial as the Developer ID requires contact information and payment of fees.

The second advantage of signed code is that the developer's certificate can be quickly revoked, so the software will be detected as invalid and automatically blocked on every Mac worldwide. This limits the amount of damage a given piece of malware can do, and forces the attacker to create a new Apple Developer ID every time they are detected.

This has been seen to work fairly well in practice, but it is not perfect. If a target is valuable enough, a Developer ID can be set up just to go after that one person or small group. The malware is targeted to just them, so the likelihood of detection is low. In this case, it would continue to be recognized as a legitimate, validly signed application for a very long time.
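The trade-off in the three paragraphs above (signing raises the cost of entry, revocation blocks everything a burned identity signed, but a fresh identity used against one target is never burned) can be modelled in a few lines. The code below is an added example written for this post, not Apple's Gatekeeper logic or code from the Ars Technica report. Real Developer ID signing uses X.509 certificates and public-key signatures; as a stand-in, each developer here holds a secret key and the "signature" is an HMAC over the binary's SHA-256 hash, which is enough to show the policy decision (valid signature and non-revoked identity). The developer IDs, keys and binaries are constructed.

```python
import hashlib
import hmac

# Toy key registry and revocation list (constructed; stands in for Apple's
# Developer ID certificate authority and its revocation checks).
DEVELOPER_KEYS: dict[str, bytes] = {}   # dev_id -> secret key
REVOKED_IDS: set[str] = set()           # dev_ids whose certificate was pulled


def enroll_developer(dev_id: str, key: bytes) -> None:
    """Issue a Developer ID: contact details, fees and a key the holder keeps."""
    DEVELOPER_KEYS[dev_id] = key


def sign(dev_id: str, binary: bytes) -> dict:
    """Produce a signature blob that travels with the binary."""
    digest = hashlib.sha256(binary).digest()
    tag = hmac.new(DEVELOPER_KEYS[dev_id], digest, hashlib.sha256).hexdigest()
    return {"dev_id": dev_id, "tag": tag}


def revoke(dev_id: str) -> None:
    """Revocation is global: every Mac checking this list blocks the ID at once."""
    REVOKED_IDS.add(dev_id)


def assess(binary: bytes, sig: dict) -> str:
    """Gatekeeper-style decision: 'allow' or the reason for blocking."""
    key = DEVELOPER_KEYS.get(sig["dev_id"])
    if key is None:
        return "blocked: unknown developer"
    digest = hashlib.sha256(binary).digest()
    expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["tag"]):
        return "blocked: signature invalid"      # binary modified after signing
    if sig["dev_id"] in REVOKED_IDS:
        return "blocked: developer certificate revoked"
    return "allow"


def demo() -> dict:
    """Replay the scenario from the post with constructed binaries."""
    enroll_developer("DEV-A", b"constructed-secret-a")
    enroll_developer("DEV-B", b"constructed-secret-b")
    widely_distributed = b"\xcf\xfa\xed\xfe sample binary 1"
    second_from_same_id = b"\xcf\xfa\xed\xfe sample binary 2"
    sig1 = sign("DEV-A", widely_distributed)
    sig2 = sign("DEV-A", second_from_same_id)
    results = {"before_revocation": assess(widely_distributed, sig1)}

    # The first binary is noticed because many people received it; Apple
    # revokes DEV-A and every binary it ever signed is blocked everywhere.
    revoke("DEV-A")
    results["sample1_after_revocation"] = assess(widely_distributed, sig1)
    results["sample2_after_revocation"] = assess(second_from_same_id, sig2)

    # A fresh ID used for a single target has nothing to be revoked for yet.
    single_target = b"\xcf\xfa\xed\xfe sample binary 3"
    results["fresh_id_single_target"] = assess(single_target, sign("DEV-B", single_target))

    # Tampering with a signed binary fails the signature check itself.
    results["tampered"] = assess(single_target + b"!", sign("DEV-B", single_target))
    return results


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:28} {decision}")
```

The two "after revocation" results are the strength of the scheme and the "fresh ID" result is its limit; the defender's response to that limit is not more signing but the targeted-attack posture described elsewhere on this page, where an unknown but validly signed binary still gets contained and monitored rather than trusted outright.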

In the case of the Angolan activist, it was discovered at a human rights conference where the attendees were learning how to secure their devices against government monitoring.

Dark alleys of the Internet not actually the dangerous parts

For years I have been telling people to be especially careful when they venture into the dark back alleys of the Internet. My thinking was that these more "wild west" areas would be home to most of the malware and other attacks.

Dark Reading analyzes a Cisco report which says that online shopping sites and search engines are over 20 times more likely to deliver malware than counterfeit software sites. Advertisers are 182 times more dangerous than pornography sites.

So, I guess I need to change my tune. Be careful when you are going about your daily business, and have fun in those dark alleys!