The State of the Deep Web 2017: Part 1: The AlphaBay Incident and Its Implications

As I began writing this post about the deep web, news broke that the number one deep web marketplace, AlphaBay, had been compromised by a hacker known only as Cipher0007. This sent a wave of panic through an underground community that is already fueled by hyper-paranoia.

It seems that the hacker found two bugs on the site that gave him access to over 218,000 unencrypted messages between buyers and sellers. Messages on AlphaBay were supposed to be encrypted by default. Oops. It now seems that anyone who knew of this vulnerability could see who was buying what from whom and where the merchandise was being sent. The following screenshot was released by the hacker to back up his claim.

[image: alphabay]

User login information was also compromised. You cannot ask for a greater disaster for a site that depends entirely on anonymity. And if you wander around the deep web, you know who its users fear the most. That’s right, the federal government. There is concern, and very valid concern, that federal law enforcement agencies (‘LE’ in deep web jargon) may have known about this vulnerability all along and were quietly using it to accumulate data on AlphaBay users. This is not paranoia. It’s a justified fear.

Unsurprisingly, AlphaBay tried to downplay the vulnerability. They claimed that the exploit was the work of a single hacker, whom they subsequently paid an undisclosed amount for finding the bugs. They also stated that only users who had done business on the site during the previous 30 days were affected. My reaction to this is…really? That’s only true if the vulnerability was known to nobody but Cipher0007. Let me cite a few earlier incidents suggesting that others may have found it too.

AlphaBay users should have been suspicious when, in September, a hacker compromised an AlphaBay account and remotely viewed a chat about Philadelphia ransomware. Was this hacker also aware of this bug?

Even earlier in the year, fraudsters tricked AlphaBay users with phishing scams built around a fake AlphaBay login page. In May, another phishing scam saw hackers posing as AlphaBay administrators; it temporarily shut down the site. Below is one of the phishing messages used to trick users. Visiting the link in the message would require the victim to log in, and the credentials entered would be captured by the attacker and later used to wipe out the victim’s account. (Notice the grammatical errors, which should have alerted users that something was wrong.)

“Hello

All account’s have been locked until verification is complete, This is to ensure the safety of all our Alphabay user’s!

Please copy & paste the link below into your browser:

phishinglink.onion/verification

*NOTE* Members who do not protect there account’s will not be able to access the market, once this is done you should be able to access your account within the next few hour’s!

We apologize for the inconveniences,

AlphaBay Team”

If these events don’t make users nervous, then the arrests of some AlphaBay users last year should, especially since AlphaBay was cited as a key element in these arrests. Here are some of the most prominent AlphaBay-related arrests.

In December, 2016, Aaron James Glende, aka, IcyEagle, was sentenced to 4 years for selling stolen login credentials.

Former Australian police officer, James Goris, was arrested for selling stolen police ID and fake police, airport, and port authority identification.

Cary Lee Ogborn, of Houston, was arrested for trying to buy explosives.

Chrissano Leslie, aka, Owlcity, was arrested for selling drugs.

Abudullah Almashwali and Chaudhry Ahmad Farooq were arrested for selling drugs.

It is possible that other, minor arrests were made, but no information on these is available. It appears that federal law enforcement agencies are only interested in larger vendors or in individuals who may pose a security threat. The fact that the feds can target whomever they choose should make users take notice. If this or other deep web sites are infiltrated or even run by law enforcement, the agencies involved would certainly want to maintain a low profile and would not bother with small-time criminals. Arresting large numbers of small-time drug buyers, for example, would blow their cover.

AlphaBay was originally established by Russian carders and may still be exactly what it appears to be. If so, it is possible that Cipher0007 really did find previously undiscovered bugs. AlphaBay administrators are not commenting on what the vulnerabilities were. If I were to guess, I would suspect that AlphaBay stored user information and messages in plaintext somewhere on the site before encryption was applied, perhaps in a file that automatically deletes itself after a certain period, such as 30 days, which would explain the 30-day figure in their statement. This is why most users writing on the topic insist that everyone use client-side encryption (PGP): a message encrypted on the buyer’s own machine never reaches the site in readable form. They also wondered why sites like AlphaBay don’t require such encryption, but the answer is easy. Many users of these markets are looking for something that’s easy to use. As one European user noted on Reddit, “It just seems like these American kids want Amazon for drugs and that just doesn’t exist.”

PGP (Pretty Good Privacy) is a good first step towards keeping your information secure, but it is not flawless. In short, it’s just what the name implies: pretty good. It has vulnerabilities of its own and some say it is past its pull date. Still, many deep web sites do require users to use PGP and, consequently, do not have the number of clients that AlphaBay has. After the hack, AlphaBay put up the following warning/suggestion on users’ pages after they log in.

[image: alpha-security]

Though the implication is that PGP will give better security, they stopped short of requiring that you use it. It remains just a suggestion.

Short of the government actually taking down the site, nothing will really stop users from going to AlphaBay for what they need. It is, for the most part, a well-designed online market which, despite the fact that it uses Bitcoin and sells unusual merchandise and services, will be recognizable to anyone who has shopped on Amazon. Denizens of deep web markets will not be leaving them soon. Here, hope and personal gratification inevitably triumph over paranoia. Too many people depend on these markets for a variety of reasons. Let’s face it, some may simply be drug addicts. The discussions in many forums following the AlphaBay breach revolved around which deep web markets are safest, with the conclusion being that none of them are, or ever will be, completely safe. True, but they will continue to thrive.

In my next post I will look more at what is available on the deep web and what innovative markets are sprouting up there. In this regard, there have been some interesting and even frightening developments over the past year.

 

 


Talking to the Dead in Virtual Graveyards: Digital Death and Virtual Resurrection

The dead have always tried to speak to us. Walk through almost any graveyard and you will see epitaphs written by those whose physical remains have long since blended with the soil while their words live on. Such words give the living a sense of the character of the person interred beneath the stone. Here are a couple of examples of what can be learned of the character of a person from what they had carved on their tombstones.

[image: tombstone1]

[image: tombstone2]

Those were the good old days of analog memories, but advances in technology indicate that those days may be about to come to an end.

Have you ever wondered what would happen to your Facebook account when your mortality was finally verified? Well, you have the choice of having your account deleted or memorialized. This can be set up through your Facebook security menu.

[image: facebook-memorial]

If you sign up for a memorial account, when you die, your account will still appear, but with the word ‘Remembering’ placed in front of the profile name. Here is Whitney Houston’s memorial account.

[image: whitney]

Visitors to a memorial account can view the person’s history and photos as well as leave memorial messages.

For years, digital cemeteries have been popping up online and, physically, in places around the globe. For those that require physical access, a member puts all of the deceased person’s digital information (photos, videos, documents) on an ordinary USB stick. The stick is then placed in the digital cemetery. Those who would like to view this information have to go to the ‘cemetery’, retrieve the stick, and look at its contents in a private room.

[image: usb-tomb]

This, of course, raises the question of why the family of the deceased wouldn’t simply distribute copies of the information to friends and family without any need for a digital repository or graveyard.

The far more common form of digital cemetery is found online. These sites offer a variety of services, from designing the tombstone and choosing where to place it (field, forest, seaside) to adding music. Most will let you write a personal remembrance and let visitors leave messages and sometimes digital flowers. Whether they will ever give the personal satisfaction of visiting an actual graveyard is difficult to assess. To me, the fact that they are digital makes them feel rather impersonal.

But the landscape of digital death is now changing. The old digital age has been replaced by a new one: the age of virtual reality. Virtual reality can do things for the dead that have never been done before, like, for instance, resurrecting them.

Steve Koutsouliotas and Nick Stavrou were longtime friends who both lost their fathers. In their grief, they began to wonder whether digitally reproducing their fathers would help them come to grips with their losses. Thus arose the concept of Project Elysium. Project Elysium exists to answer one question: if you had the choice to meet with and talk to a loved one who had passed away, would you do it?

Both Koutsouliotas and Stavrou worry that the experience might prove too traumatic for some people. “We aren’t chasing realism; in fact we are aiming more towards hyper-realism,” says Stavrou. In other words, they want the participant to remain aware that what they are experiencing is not real. “It wouldn’t overwhelm you so much that it takes the experience away, but it would visually keep reminding you where you are,” Stavrou emphasizes.

It is necessary to keep in mind that both developers work in gaming. They understand the power of virtual reality and how it can fool the mind into believing the experience it is having is real. For this reason, they have employed grief counselors to help them build an emotionally satisfying experience. A person who wants to meet a lost loved one must wait a specified time before the meeting, so that the grieving process has already been rationalized to some degree. The participant has only a limited time to visit with the person they lost. They may return for another visit, but only after a break. There will also be a built-in debriefing program to help the participant assess the experience before returning to the actual world. As Stavrou notes, “This is a serious service and we don’t know what ramifications things can have. This is all a new frontier.”

Currently, the service is being purposely underdeveloped to make it less ‘real’ than it could be. Photos are used to build the avatar, which is then fine-tuned with the client to express certain idiosyncrasies. The developers fully understand that more realism is possible, but for now they only want the client to have a one-way conversation with the avatar. It is also possible to use audio recordings so that the avatar can say a few phrases, but it won’t be anything close to a true, interactive conversation.

That said, it is clear we are venturing into a new frontier here. As technology advances, programmers could gather a compendium of information about a person from videos, chats, photos, recordings, and writings to construct a far more realistic avatar. Avatars will someday become nearly indistinguishable from the real person they are modeled on, at least in a VR environment. If self-learning neural network programs are thrown into the mix, fully conversant avatars may be the result. At the ultimate end, we may even have realistic-looking robots that could do all of this. We are closing in on this with every passing day, but we still have a long way to go before any of these digital re-creations can pass the Turing test.

The developers of Project Elysium have other uses in mind for their project. If you want to create your own avatar before you die, you can work with them to design it. Wouldn’t you like to speak to your future grandchildren or great-grandchildren? How about those people you may not have time to say goodbye to? Yes, it’s the digital age’s equivalent of the epitaph, but much more so. VR technology is likely to become widely available to the general public and, when that happens, expect virtual epitaphs and resurrections to become the norm.

The developers also have the idea of allowing clients to speak to famous people from the past. Would you like to have a conversation with Beethoven, Teddy Roosevelt, or Marilyn Monroe? There seems to be a lot of potential here and we are only beginning to realize a small part of it.

 


How Many of Your LinkedIn Contacts are Fake and What Do They Want From You?

The purpose of LinkedIn is to help people make business contacts. It’s natural, then, that if someone wants to become one of your contacts, you will accept them, right? Well, there are people out there who will be happy to become your contact but who have absolutely no interest in doing business with you. Sure, they are interested in profiting from a connection with you, but not in the way you may think. And it’s unwise to simply brush them aside as harmless, because harmless they are not. A fake contact doesn’t just affect you; it can affect every other contact in your LinkedIn network and, in the end, damage not only your reputation but your company’s reputation as well.

LinkedIn has come a long way in its ability to uncover fake profiles, because the traditional fake profile is relatively easy to spot. According to a study done by Symantec, fake LinkedIn profiles tend to be attractive women claiming to be recruiters. Let me give you an example of one that I found.

[image: constance]

My first question about Constance was: Why is she wearing a cowboy hat for a professional profile picture? So I did an image search on Google and found this ad.

[image: cowboy-hat]

Look familiar?

I then checked out her company, XONOVIA Technologies. Here is their LinkedIn page.

[image: xonia]

Hmm, surprisingly little information. They also have a Facebook page with even less information.

But here’s the interesting part. She has at least 30 endorsements, some from company CEOs. She’s even indirectly connected to one of my contacts. That’s disturbing. Her work history is cut and pasted from other recruitment sites such as Upwork. She also went to an unspecified California High School, which seems a bit vague.

But what about all those endorsements? Well, first of all, there’s kind of an unstated rule that if you endorse me, I’ll endorse you. For many, it doesn’t much matter if they are endorsed by someone they don’t know and never worked with. Maybe the person just saw their stunning profile and just couldn’t stop themselves from giving an endorsement. Maybe, but the chances of this are low. The better chance is that these blind endorsers are hoping for a return endorsement that will give them credibility. And if you have a fake profile, you really need credibility to work your angle, whatever that may be. I’m not even going to get into the topic of buying endorsements, but here is what such endorsement-selling firms claim to do. (100 endorsements cost $9)

[image: buy-endorsements]

Also, I noticed on the right side of Constance’s profile was a section called, “People also viewed”, which contained several fake profiles. In other words, although LinkedIn has gone a long way in eliminating many false profiles, there are still many more out there waiting to cause problems.

But what is it they want? Why should someone go through all the trouble of setting up a fake profile? At the lowest level, they just want to crawl around your network trying to pick up information such as email addresses. At higher levels, they may want to gain your trust for a later spear phishing attack on you, someone on your network, or someone in your company.

But why do many of them pose as recruiters? Well, that’s simple enough. Many people join LinkedIn to find jobs. If you’ve ever been out of a job, floundering around in a sea of desperation, you will grasp at any straw that may promise you salvation. If a purported recruiter asks you to send them a resume, you will do so without hesitation. If the recruiter is really a hacker, you’ve just handed over a ton of usable information. So what? you may say. So what if a recruiter joins your LinkedIn network? Well, you may be targeted through the information you’ve given away. A person listed as a reference on your resume may suddenly contact you and ask you to look at an attachment. A contact could do the same. Unfortunately, they are not who you think they are, and opening that attachment or visiting the suggested website may leave you with a RAT (remote access Trojan) installed on your device. A RAT enables a criminal to remotely operate your computer and follow you around, taking your picture, recording your chats, stealing your passwords, and sending emails from your account to more of your contacts in the hope of compromising them as well.

Iranian hackers have used fake LinkedIn profiles to target individuals in the military, government, oil and gas, energy and utilities, chemical, transportation, healthcare, education, telecommunications, technology, aerospace, and defense sectors. They would establish ‘leader’ profiles and then build a supporting network of profiles to make these leaders look legitimate. The hackers used profile details of actual company management as well as actual job postings to lead others astray. The purpose of the group seems to be gaining access to the networks of major corporations through a compromised endpoint. They may also be connected with, or identical to, Operation Cleaver, the Iranian, government-supported hacking group that attacked banks and key infrastructure, including a small dam north of New York City. It was that activity that put its members on the FBI’s most wanted list.

[image: iran-fbi]

Obviously, these hackers didn’t use their own photos. They may have been smart enough to avoid those attractive model photos that give away so many false profiles. They may have even used photos they got from LinkedIn. Who knows? They may have used your profile picture. In any event, these Iranian hackers produced profiles that looked completely legitimate.

So how do you check to see if a contact is real? Let me use another fake profile to show you what you can do. Here is the profile of another recruiter named Christina Janet.

[image: christina]

Well, it’s not a model photo. I did, however, question why this was the profile photo of a professional recruiter, unless it’s to show that recruiting is a depressing job. When you have questions about a profile photo, copy it and paste it into Google’s image search. When I did this with Christina, I found the photo had been taken from an article on homeless people. Yeah, but she works for a seemingly real company called Neeyamo and she has a Neeyamo email address. How is this possible?

If you have a question about whether an email address is valid, go to a site like Email Checker. Here is what I found.

[image: email-check]

That’s odd. Why would she have an email that looked valid but didn’t exist, especially when she asks people to send their resumes to this address? Why did she post job ads? Why does Christina have 3,426 followers and 60 endorsements?

Clearly, Christina wants to look legitimate. She probably has some legitimate followers among the fake ones added to pad her stats. Someday, Christina may send one of her legitimate contacts an email, complete with LinkedIn logo and formatting, asking the contact to connect with another user. That user may even be legitimate and may check out on LinkedIn. Unfortunately, the receiver of this fake email may decide to click on one of the links. Here are a couple of examples of what the email might look like. One may look like a standard connection request,

[image: linkedin-phish1]

while others may take the form of a request reminder.

[image: linkedin-phish2]

Clicking on ANY link in these emails (including ‘Unsubscribe’) can send you to a page that installs dangerous malware on your device. Before you click, check the link address by hovering over it with your cursor and reading the true address, usually shown in the lower left corner of your screen; what matters is the domain the link actually goes to, not the name that appears in the link text. This technique alone can go a long way toward protecting you from fake LinkedIn emails.
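The hover check can be automated for a whole message. The script below is an added example, not code from this post or from LinkedIn: it pulls every link out of an HTML email and flags the ones whose real destination is not the brand the mail claims to come from, or whose visible text shows one address while the href goes somewhere else. The sample message is constructed for illustration, and TRUSTED_DOMAINS (which brand the mail claims to be from) and the name suspicious_links are my own choices.

```python
"""Automate the 'hover over the link and read the real address' check on an
HTML email. Added example, not code from the original post or from LinkedIn.
The sample message below is constructed; TRUSTED_DOMAINS is an assumption
about which brand the mail claims to come from."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"linkedin.com"}
# Visible anchor text that looks like a URL or bare hostname, e.g. www.linkedin.com/in/x
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' owner domain; IP literals are returned as-is.
    Good enough for .com/.net/.org; a real tool would use the public suffix list."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, [reasons])] for links that deserve a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""          # urlparse already strips user@ tricks and ports
        dest = registrable_domain(host)
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {url.scheme!r}")
        if dest not in trusted:
            reasons.append(f"destination {host!r} is not in {sorted(trusted)}")
        # Visible text that looks like an address must agree with where the link really goes.
        if URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != dest:
                reasons.append(f"visible text {text!r} does not match destination {host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: a connection-request lookalike with one genuine link and three bad ones.
SAMPLE_EMAIL = """
<p>Christina Janet has invited you to connect on LinkedIn.</p>
<a href="https://www.linkedin.com.secure-invite-check.net/accept?u=123">Accept</a>
<a href="http://198.51.100.7/track.php?id=9">www.linkedin.com/in/christina-janet</a>
<a href="https://www.linkedin.com/help/">Help Center</a>
<a href="http://mail-unsub.example.org/u/abc">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The first bad link is the classic trick: the hostname starts with www.linkedin.com but the owner of the domain is secure-invite-check.net, which is exactly what the eye misses and the hover check catches. The ‘Unsubscribe’ link is flagged for the same reason, which is why the post says not to click any of them.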

You may not be so cavalier about having a fake contact when you find that your bank account has been drained and you can’t figure out how it happened. You can set your LinkedIn privacy settings so that you receive no contact requests at all, but that rather defeats the purpose of LinkedIn. In other words, it’s really up to you to investigate potential LinkedIn contacts. If a potential contact looks too good to be true, she probably is.

 

 

 

 


“Should I let the browser remember my password?” Not as Easy a Question as You May Think

When I was recently asked this question about saving passwords in the browser, my instinctive response was to say, “no, of course not.” After all, I reasoned, a browser is just software, and all software is vulnerable to a variety of cyber attacks. But instead of responding immediately, I decided to look into it a little further to see whether my assessment was, in fact, correct. That’s when I learned that the situation is more complex than it seems on the surface. Your decision on whether to let your browser remember a password depends on four factors: 1) the website that requires the password, 2) the browser you are using, 3) the operating system you are using, and 4) your trust or paranoia level.

First of all, you have to consider the importance of the website that needs your password. If the site is something like a forum that you only visit to get some information, you may, for convenience’s sake, simply let the browser remember the password, because you may not care if someone steals it. That said, be sure you don’t use a derivative of a password that you use on other, more important sites. For example, don’t use the password ‘password’ on the forum and ‘Password’ or ‘PassWord’ on another site; anyone who gets the first will try the obvious variations on the second.

 For more important sites, sites that may have your personal information or that you go to in order to buy merchandise, it would be better not to store your passwords in the browser. Then again, that may depend on the browser.

In my opinion, the Windows 10 Edge browser’s saved passwords are easy to get at. If you don’t believe me, open the Windows Control Panel (Windows key + X) and look under User Accounts. There you will find something called Credential Manager.

[image: web-credentials]

Click on it and you will see all of the sites for which you have saved passwords. Clicking the down arrow gives you more information, including the password. To actually see the password, you will need to enter the password you use to log on to your computer. If you have no logon password, you are already in trouble. You would still be in danger if a keylogger had captured your logon information or if you had the misfortune of having a RAT (remote access Trojan) installed by some criminal hacker, since either gives an attacker the one thing that protects the store.

Windows mitigates this weakness by offering those with the right equipment an additional layer of protection called Windows Hello. Windows Hello gives you the option of signing in using facial recognition or a fingerprint scan. According to those who’ve investigated it, Windows Hello is pretty secure. Unfortunately, many devices don’t have the camera or fingerprint reader that Hello requires.

Firefox is a little better on this point. It adds an extra layer of protection by giving you the option of setting a master password, which makes it a bit like a password manager built into the browser. Before Firefox retrieves a stored password, it asks for the master password, so someone who copies your profile or sits down at your unlocked machine still has to know the master password to read the stored ones. It’s not foolproof, however, so I would still not recommend storing sensitive passwords in the browser. Firefox does not enable the master password by default, so you will need to turn it on yourself.

If your browser does not offer a master password, you can add an extra layer of protection with a password manager. These encrypt all of your passwords and store them in one location that is unlocked with a master password. Password managers keep the encrypted store on your computer’s hard drive, in your own cloud account, or in the cloud on the password manager company’s server. None of them is absolutely safe. One of the best-known, LastPass, has been hacked a number of times, and other users have had problems with Dashlane and KeePass. Be aware that no password manager can keep your passwords safe on a compromised computer: once malware can read your keystrokes or your memory, it can simply wait for you to unlock the store. However, if your enterprise employs a hardware-separated security architecture, passwords kept in the isolated zone are out of reach of malware running on the exposed side, which is as close to safe as stored passwords get.
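To make concrete what the master-password layer discussed above (in Firefox and in password managers alike) actually buys, here is a toy vault, written for this post and not taken from Firefox or any password manager. Site passwords are encrypted under a key derived from the master password with PBKDF2, and an HMAC tag lets the vault tell a wrong master password (or a tampered file) from a right one instead of spitting out garbage. The cipher is an HMAC-SHA256 counter keystream, chosen only because it needs nothing outside the Python standard library; a production vault would use AES-GCM or ChaCha20-Poly1305. The function names lock/unlock, the iteration count and the sample entries are all my own.

```python
"""A tiny password vault locked by a master password. Added example; not
Firefox's or any password manager's implementation. Encrypt-then-MAC over an
HMAC-SHA256 counter keystream (standard library only); real vaults use an AEAD."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

KDF_ITERATIONS = 200_000  # assumption: tune so one derivation takes ~100 ms on the target machine


def _derive_keys(master_password: str, salt: bytes):
    """PBKDF2 stretches the master password; split the output into cipher and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def lock(entries: dict, master_password: str) -> dict:
    """Encrypt {site: password} under the master password; returns what would be written to disk."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def unlock(vault: dict, master_password: str) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the vault was modified."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare, checked before decrypting
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    on_disk = lock({"bank.example": "Tr0ub4dor&3", "forum.example": "letmein"}, "correct horse battery")
    print("vault on disk:", on_disk["ct"][:32], "...")   # nothing here is readable without the master password
    print("right master password:", unlock(on_disk, "correct horse battery"))
    print("wrong master password:", unlock(on_disk, "Correct horse battery"))   # None
```

Two things to notice. A copied vault file gives a thief only a PBKDF2 guessing problem, which is why the master password must be strong and why the iteration count matters. And the vault still does nothing for you once malware is on the machine: the moment you type the master password, the keys exist in memory, which is the point made above about compromised computers.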

 In the end, it comes down to trust. At some point, you will have to decide which password storage you have the most trust in. Even if you keep all of your passwords in your head, you’ll still have to trust your memory. So why can’t you use something besides passwords to get into a site? Well, that’s exactly what Google thought. Google wants to get rid of passwords completely, at least on Android devices, by replacing them with a trust score based on biometrics. If your face, fingerprints, walking style, and typing pattern look familiar, then you will receive a high trust score rating and be allowed directly onto certain sites. Some sites may require a higher trust score than others, such as banks, but it would mean you would never have to remember a password again.

 This sounds pretty good on paper but I have a feeling that implementing it will be fraught with many problems. What if you do everything right but still can’t reach the required trust score level? What if, for example, you sprain your ankle and have to alter your walking style? What if you grow a beard? Well, you get the picture. It may lead to more frustration than memorizing your passwords. Why do people keep using simple passwords? Because time and again, convenience outpaces fear. If biometrics prove to be inconvenient, you can expect that passwords will persist and people will keep them simple and keep storing them in browsers.

 

 


What Do the Top Cybersecurity Firms Predict for 2017?

It’s that time when cybersecurity firms are predicting what will happen in the year ahead. But, as I reported in my last post, often the most serious cybersecurity breach is never even considered. No one really thought the entire internet would be put at risk by a DDoS attack or that the hacking of the DNC would be the hacking highlight of the year. However, in a general way, the firms did get a few things right and I gave them a ‘B’ rating.

So what do these firms see in the year ahead? Well, most of them agree on a few points. Most are just looking at what happened in 2016 and using that as a template for 2017. I suppose that will guarantee some success, but what else may be on the horizon?

This year’s selection of firms has changed slightly from last year. At the time of this writing, Wired has not come out with any predictions and I have, therefore, replaced it with Symantec. Websense has changed its name to Forcepoint. The other firms remain the same as in previous years. The abbreviations following their names will be used for easier reference. The firms are Symantec (S), Forcepoint (FP), FireEye (FE), Trend Micro (TM), and Kaspersky (K).

Here are their main predictions for 2017.

1. Ransomware attacks will continue to increase with new variations (S, FP, FE, TM, K)

This is really a no-brainer. Ransomware attacks were wildly successful in 2016 and there is no reason to believe this will change anytime soon, despite the huge, international takedown of the Avalanche crime network in early December. True, it will take some ransomware operators a while to recover, but this attack vector is too lucrative for criminals to give up on. Some cybersecurity firms see ransomware growing in sophistication. FireEye believes ransomware will increasingly target companies, because they have more money to pay. Symantec sees ransomware targeting cloud storage, while Forcepoint and Trend Micro believe some attackers may abandon monetary rewards for other kinds of extortion: hacktivists may encrypt an organization’s files to make a political statement.

I’m not really sure ransomware criminals want to abandon a business model that has been so successful, especially since many of them are in it for a quick buck. Attacking small or medium-sized companies usually results in the ransom being paid, whereas attacking larger enterprises risks attracting too much attention from the authorities. The San Francisco Muni hacker quickly backed off his demands when the authorities became involved. He was clearly in over his head.

2. Internet of Things (IoT) attacks (FE, S, TM, K)

In October 2016, a huge DDoS attack by a botnet built with the Mirai malware brought down major internet sites. The attack depended on devices that are connected to the internet but barely protected, mainly IP cameras, DVRs, and home routers still using their default passwords. It’s still not clear who was behind the attack, but the takeaway was clear: if you can organize enough bots, you can take down anyone. That has to be appealing to hacktivists out to make a point of some kind. Trend Micro agrees.

FireEye believes that ‘things’ may be held hostage. (Pay or we’ll defrost all of your food.) Others (S) believe that more companies will be attacked through things like printers, which are often overlooked by security teams.

3. Nation-state related attacks (FE, FP, S, K?)

I include in this category any nation-state involvement predicted by these firms. They all have different ideas on the type of involvement, but predict an underlying nation-state connection. Symantec sees rogue states trying to finance their projects by aligning themselves with criminal hacker groups. Forcepoint foresees “hacking machines” run by nation-states prowling the internet, looking for weak points to automatically attack for the purpose of causing panic. Kaspersky seems to believe that espionage through compromised mobile devices will increase, but it is not clear if this espionage is nation-state, industrial, or both.

4. Cloud attacks (FE, FP, S)

The prevailing belief held by many companies is that their data will be safe in the cloud. The cloud may have its benefits, but safety is certainly not guaranteed. In fact, it is the very convenience the cloud offers that could make it unsafe. Giving employees the ability to access corporate files from anywhere, with any device, exposes those files to compromise through whichever device or account is weakest. It certainly seems logical that this vector will be increasingly used by hackers.

5. Attacks using mobile devices (K, S, FP)

Several firms believe that major hacks will occur through compromised mobile devices. Notice from the discussion above how the cloud becomes more vulnerable due to the number of devices able to access it. Forcepoint has an interesting view of this attack vector. They claim that as corporations and institutions become more ‘millennial-based’, they will become more vulnerable to attacks through mobile devices connected to the corporate network. This, they say, is because millennials have a certain blind trust in social media and information sharing while having a tendency to ignore security concerns, not what you want if you believe in good security.

Interesting Predictions

FireEye – Attacks on religious institutions

Why not? They’ve got money, lots of personal information, and their networks are probably not very well protected. I’ll be interested to see if this vector appears at all this year because even one successful breach will encourage more.

Forcepoint – Abandonware attacks

Forcepoint claims that there are a lot of companies using security software from companies that no longer exist. This is kind of like using software that’s not updated, but worse. This is software that can never be updated making it permanently vulnerable to attacks.

Symantec – Fileless malware will increase

“Fileless infections – those written directly onto a computer’s RAM without using files of any kind.” These are attacks that corrupt the boot sector and load before any antivirus programs get a chance to stop them. These types of attacks are difficult to prevent and detect. They increased during 2016 so they may continue to do so in 2017.

Trend Micro – Business Process Compromise


In this hack, the attacker penetrates the company network and, posing as someone in authority, begins to transfer money or merchandise to themselves. Since it looks like a legitimate transfer, it is very difficult to detect if done correctly.

Kaspersky – Manipulation of News and Information

Kaspersky points to hackers like the Lazarus Group, who can break into networks, gather information, and then release it, causing a sort of panic, or use the information they find to manipulate public opinion or create false news.

My Own Predictions

1. Hacktivist-based DDoS Attacks

With the Mirai Malware code now in the wild, the use of the IoT pathway for organizing botnet attacks seems highly likely, especially if hacktivist groups get together to make this a reality. These attacks may be on news outlets, financial institutions, or nation-states that hold opinions these groups disapprove of.

2. Nation-state proof of concept infrastructure penetration

I don’t think any advanced nation would be stupid enough to launch a true cyber attack on another country’s infrastructure because of the fear of a similar counterattack. That said, I do think many countries would like to make their cyber strength known by penetrating the cyber defenses of a rival nation. The best way for them to gain attention, and possible respect, is by showing that they can put malware into some part of a nation’s vital infrastructure, like a power station. These nations actually want the malware to be found and even have it point back to them. However, they have no wish to deploy it…at least for the moment. Such discoveries could cause minor panic among the general public.

3. Ransomware attacks

Yes, I believe ransomware will still be around causing distress for normal users as well as small companies. Hospitals seem ready to pay up so they will also be a main target. There may be a lull in such attacks at the beginning of the year due to the takedown of the Avalanche crime network, but they are bound to increase in the second half of 2017. The potential for ransomware to be used for political purposes does exist, but I don’t expect to see this because DDoS attacks can achieve the same goals and are easier to organize. There will no doubt be one ransomware attack on a large firm or organization that gets the headlines, but this may be due to an attacker accidentally hacking an organization that is bigger than they can handle.

4. A major attack on Facebook, WhatsApp, or Snapchat

Facebook is notoriously slow to react to hacks. It has tons of data that can be used for any number of financial purposes. It has a huge network which is accessible in any number of ways.  In other words, it’s just waiting to be hacked and hacked in a major way. Prepare to be told to change your passwords “as a precautionary measure” when they try to downplay the hack. The same can be said for other social media sites like WhatsApp and Snapchat.

5. A major battle between personal privacy and security will develop

Donald Trump seems to favor security over personal privacy. If he attempts to introduce legislation requiring individuals or companies to give up more of their personal privacy to increase national security, a huge battle will ensue which will divide the country. Such a move will divide politicians on both sides of the aisle. It is an emotional issue for many Americans and one which contains constitutional considerations. A case may arise where a company is asked either to install backdoors, give up customer data, or give encryption information to the government in order to solve some crime or subvert possible terrorist attacks. Many see these sorts of actions as attacks against individual liberty in that they create the foundation for a China-like surveillance society. However, it is also appealing to many, perhaps most, people to hear the comforting promise of living in a safe, secure world. So far, many have chosen to give up a little of one to achieve the other, but a line could be drawn which will not allow for fence sitting. It may force Americans to consider Benjamin Franklin’s quote which reads, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”

A year from now, I will once again assess the merit of all of these predictions. Happy Cyber 2017!


How Did Major Cybersecurity Firms do in Predicting the Breaches of 2016?

To continue a seasonal tradition I began a few years ago, I will assess how some major cybersecurity firms (as well as myself) did in predicting the cyber attacks for the past year. The reason for doing this is that most firms are quite happy to put out predictions, but rarely do we see them discuss how those predictions actually turned out. When they do assess their predictions, they seem to stretch the facts to make themselves appear more omniscient than they truly are. One year ago, I looked at the predictions of five of these firms and sifted out the main themes that emerged. I also made my own predictions.

The five companies whose predictions I considered at the beginning of 2016 were Websense (WS), FireEye (FE), Wired (W), Kaspersky (K), and Trend Micro (TM). (The abbreviations will be used for easier reference.) Here is what they predicted for the past year as compared with what actually eventuated.

Internet of Things (IoT) Hacks (TM, FE, WS, W)

Okay, you have to give these firms some credit on this one. Back in October, attackers used a botnet, organized with Mirai malware, to launch a DDoS (Distributed Denial of Service) attack on a number of high profile internet sites (Twitter, Facebook, Amazon, Reddit, and others). For the first time, people had to consider the idea that their internet-connected devices posed a threat to their and others’ cybersecurity. It also showed the vulnerability of prominent internet sites and raised the specter of the consequences of a cyber war. That said, neither the firms nor myself predicted the DDoS potential in this type of attack vector. Overall, however, prediction validated.

Mobile Payment Hacks (TM, FE, WS, K)

Security researcher Salvador Mendoza showed how Samsung Pay could be hacked. Such a hack, however, would be difficult to pull off and I saw no instance of it actually taking place. Besides this, there was little in the way of mobile payment hacks in the news. Though the vector remains ripe for exploitation, I’d have to say that the firms were off on this prediction. I also believed (and still believe) such hacks could take place. Well, maybe we have something to look forward to in 2017. Prediction not confirmed.

Hacktivist Attacks (TM, WS, W)

Hmm, this one is hard to assess. Was the big DDoS attack a hacktivist attack, as some claim, or was it caused by some ‘script kiddies’ playing around? Both seem equally disturbing if you ask me. There were some attacks on both the KKK and Black Lives Matter websites. There was a weak attempt to attack Trump enterprises and another to bring down banks to prove one point or another. Both of these largely failed to make an impact. Was the biggest hack of the year, the attack on the DNC, a hacktivist attack? If so, then this prediction was correct. However, overall, I’d have to say that this prediction was only weakly confirmed.

Extortion/Ransomware (TM, K, W)

No doubt about it. This was the year of the ransomware attack. As I wrote in a recent post, ransomware attacks have increased 3,500% this year. Several companies, myself included, thought that ransomware could be used more for extortion on ideological grounds (either you do or say x or we will encrypt all of your files). This did not happen as far as we know. Then again, most ransomware attacks aren’t even reported. I still feel that ideologically-based ransomware attacks have a future, however. The closest we had to this was the ransomware attack on the San Francisco metro. In this case, it was not really planned as an extortion attack, but it kind of evolved into one. Prediction validated.

Apple Becomes a Target (FE, K)

Apple users used to gloat about how safe their devices were while they watched other operating systems get routinely hacked. Not anymore. Apple products have grown in popularity and, in so doing, are looked at as a source of riches for hackers. Apple was attacked with “the most sophisticated spyware ever seen” in August and scrambled to patch the holes in its system before the exploit went viral. It is unclear how many phones may have been compromised before users installed the updates. Other attacks occurring this year were as follows:

January – A prank website, crashsafari.com, crashed iPhones

February – Apple devices targeted for ransomware attacks

July – image hack

October – iMessage hacked by Chinese hackers

One year ago when I was making my predictions, I wrote, “I think this prediction has a nearly 100% chance of being realized this year.” (Pause here while I pat myself on the back.)

This prediction is validated.


Stock Market Hacks (W, K)

This still remains an elusive target for hackers, though, in my opinion, it’s just a matter of time before an effective attack takes place. My guess would be that the attack would be of the DDoS variety. Such an attack, even if it only interfered with normal operations, would be financially devastating. It’s not that evil operatives didn’t try such an attack in 2016. They did. The hacktivist group, Anonymous, made several attempts to bring down the operations of stock markets, banks, and other institutions they felt were corrupt. Some attacks did bring down smaller banks. If they combined their bot networks with the growing number of IoT bot networks, they may eventually be able to pull a stock market hack off. However, for 2016, I would say this prediction was not confirmed.

My Own Predictions

My own predictions were largely based on the fact that this was an election year.

Political Bot Attacks

Bots from both parties routinely spammed comments on opponents’ social media sites. No candidate’s Twitter account was taken over, but Hillary Clinton’s campaign chairman’s account was. Back in May, I analyzed the social media use of all the major candidates. Using this and other data, I predicted that not only would Donald Trump win the nomination without a problem, but that he would subsequently win the election. It was a shaky limb to climb out on at that time, but the statistical analysis was simply too overwhelming to reach any other conclusion. I would have to say that this prediction was confirmed.

Attack on a High Level Government Agency

Was the DNC hack a hack on a high level government agency? Was the election manipulated through hacking? If you think the answer to either of these questions is ‘yes’, then the prediction is confirmed. If not, then it wasn’t. I’ll call it weakly confirmed.

ISIS Ramps up Attacks

ISIS was more of a target of attacks than an attacker. Anonymous took over several of their sites and used them to promote a pro-gay-pride stance, which probably irked the ISIS elite. The fact that ISIS was not a presence in the hacking community lends support to the prevailing view that ISIS, as an organization, is in retreat. Not confirmed.

Final Tally

I included weakly confirmed predictions as a positive. I did not give myself credit for anything in the main predictions except for my strong view on Apple hacks. There were, therefore, 3 winners in correct predictions this year. Here are the tallies.

Correct Predictions

Trend Micro – 3

Wired – 3

Me – 3

FireEye – 2

Kaspersky – 2

Websense – 2

Incorrect Predictions

Trend Micro – 1

FireEye – 1

Websense – 1

Wired – 1

Kaspersky – 2

Me – 2

Because both Trend Micro and Wired had the better correct to incorrect ratio, I would have to declare them the cybersecurity prediction winners for 2016. Overall, I would give the predictions a ‘B’ grade. Better luck next year.


Update: Facebook Messenger and LinkedIn Users: You are Being Targeted

Check Point finally posted a detailed description on how attackers use images on Facebook and LinkedIn to install dangerous malware on a user’s computer/device. (For more on this exploit see the original article.) The installed malware will give the criminal full access to a victim’s computer and possibly encrypt all files on it with Locky Ransomware. In other words, if you open the downloaded image file, you will have to pay, in Bitcoins, to get your files back.

I will not go through all the technical details, but those interested in such things can find them here. What you need to know is that the attackers were able to probe Facebook and Facebook Messenger’s defenses with an image file in .hta or .svg format. They would see how Facebook defended itself against malware embedded in the image until they learned how to manipulate the code to breach the defense. When a Facebook or Facebook Messenger user clicks on the infected image file (often coming from a contact), it forces a download, likely followed by a “how would you like to open?” interface. Opening the downloaded image releases the payload and your computer is now under the control of the criminal.

The vector using LinkedIn images is a little different and Check Point’s description is a bit hard to follow. However, from what I understand, the attacker manipulates the user’s profile picture in such a way that it allows the attacker to store a malicious link in the user’s account. The profile picture will show no change as it is only used as a way into the victim’s account. It is not clear from the Check Point explanation what really happens after this. In some way, the victim is led to a malicious site which will automatically download an image file with the embedded malware. I have written to Check Point for a clarification and will let everyone know if or when I get one.


As far as I could see from the Check Point update, these attack vectors remain open. The Facebook exploit seems especially hard to patch since the attackers use the site’s own defenses against it.

It still appears that the exploit is restricted to the Chrome browser, at least for Facebook, which is why Facebook says it is not their problem. However, as I’ve written previously, it is probably just a matter of time before other browsers are manipulated. For now, I can only repeat the caution I gave in the original article: do not download images from contacts who seldom send images. This is especially true for contacts using Facebook Messenger. Since the exploit automatically downloads the infected image when you click on it, do not open it when it reaches your computer/device. You can, however, use your own antivirus software to scan the downloaded file. Depending on your software, it may or may not detect the malware. For now, however, it is better not to download or open any files with the .hta or .svg extension. Remember also that, by default, Windows will not show the extension. Thus, an image that appears to have the name ‘Holiday.jpg’ may actually have the name ‘Holiday.jpg.svg’. I am not using this example frivolously as this is the season for sending images, especially on Facebook.
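To make the two warnings above concrete (the .hta/.svg carrier and the hidden double extension such as ‘Holiday.jpg.svg’), here is a small triage check a user could run over a downloads folder. It is an added example written for this post, not code from Check Point or from the original article; the list of “active” SVG markup it looks for (script tags, on* event handlers, foreignObject, javascript: URLs) is my own assumption about what separates a plain picture from an executable one, and the sample files are constructed.

```python
import re
from pathlib import PurePath

# Extensions the post names as the carriers used in this campaign.
PAYLOAD_EXTENSIONS = {".hta", ".svg"}
# Extensions a user reads as "an image" once Windows hides the real suffix.
IMAGE_LOOKALIKES = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Markup that turns an SVG from a picture into executable content.
# This marker list is an assumption of this example, not from Check Point.
ACTIVE_SVG = re.compile(
    r"<script\b|\bon[a-z]+\s*=|<foreignObject\b|javascript:", re.IGNORECASE
)


def inspect_download(filename: str, content: bytes = b"") -> list[str]:
    """Return the reasons a downloaded file resembles the .hta/.svg lure.

    An empty list means none of the checks matched.
    """
    reasons = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    real_ext = suffixes[-1] if suffixes else ""

    if real_ext in PAYLOAD_EXTENSIONS:
        reasons.append(f"real extension {real_ext} is a payload type")

    # 'Holiday.jpg.svg' is displayed as 'Holiday.jpg' with extensions hidden.
    if (len(suffixes) >= 2 and suffixes[-2] in IMAGE_LOOKALIKES
            and real_ext not in IMAGE_LOOKALIKES):
        shown = PurePath(filename).stem
        reasons.append(f"double extension: shows as '{shown}' with extensions hidden")

    # An SVG that carries script or event handlers is not just a picture.
    if real_ext == ".svg" and content:
        text = content.decode("utf-8", errors="replace")
        if ACTIVE_SVG.search(text):
            reasons.append("SVG carries script or event-handler markup")

    return reasons


# Constructed sample downloads for demonstration (not real malware).
SAMPLES = {
    "Holiday.jpg.svg": b'<svg xmlns="http://www.w3.org/2000/svg">'
                       b"<script>/* constructed marker */</script></svg>",
    "card.hta": b"",
    "sunset.png": b"",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
}


def triage(samples=SAMPLES) -> dict:
    """Run inspect_download over every sample and map name -> reasons."""
    return {name: inspect_download(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", reasons or "nothing flagged")
```

A harmless ‘logo.svg’ is still flagged for its extension alone, which matches the post’s advice to treat every .svg download with suspicion for now; the extra script check just explains why a given file is more than a picture.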

I realize this information is incomplete at this time but I hope it helps.
