Archive for author: makoadmin

RMM software: What is it and do you need it?

As cybersecurity products evolve to better protect against new forms of malware, trickier evasion techniques, and more organized cybercrime campaigns, the practice of cybersecurity evolves, too, providing simple, streamlined methods to manage hundreds of endpoints through one tool: RMM software.

What is RMM?

Remote Monitoring and Management (RMM) software is one of the go-to products for the types of IT shops that externally support small-to-medium-sized businesses, from dentists’ offices to independent newspapers to small retail shops. RMM tools allow those external IT shops—called “Managed Service Providers” or MSPs—to do much of their work remotely.

That means that, with a good RMM, the IT experts working at an MSP do not need to physically visit a client to fix their computer or to address any help tickets. It also means that MSPs can fix critical problems for their clients as they arise, rather than having to take scheduled, physical trips on a rotating basis just to find out whether a client’s machines and networks are operating smoothly.

But the benefit of these tools extends further than basic maintenance, as RMM software can also give MSPs a way to monitor the cybersecurity protection of all their clients at once. Years ago, MSPs would have to install antivirus software on each client machine, and then individually run antivirus scans or remediation tools. For an MSP supporting just a few clients that each have 100 machines, this laborious process could eat up entire days. Thankfully, many cybersecurity tools have begun to integrate directly with RMM products, so that IT experts can run security scans directly from their RMM portal.

Essentially, an RMM can be a toolbox for any successful MSP, as it houses and provides direct access to the most essential tools IT experts need today.

Selecting an RMM solution for an MSP’s business needs

Picking an RMM solution is trickier than picking a product for just yourself because you need to consider both the success of your business and the safety of your clients. Imagine using an RMM platform that integrates seamlessly with top-tier cybersecurity software, but itself is open to ransomware and brute force attacks. Sure, you’ve done the right thing by giving your clients up-to-date cybersecurity protection, but your own systems could be compromised.

For MSPs considering how to select an RMM solution, there are a few features that could help their own business, including 24/7 support, a cloud-based model, data protection and restoration services, and integration with another type of tool called “professional services automation,” which streamlines the administrative side of running an MSP: finding potential new customers, chatting with clients, drawing up invoices, and making sure the bills get paid.

MSPs should also ask themselves a series of questions about how they want their RMM to help their business stay successful. As we wrote about last time, some helpful questions to consider when selecting an RMM solution include:

  • Does this vendor take security as seriously as we do?
  • Does this RMM adapt to new demands and scale well with the changing trends?
  • Does the vendor provide proactive patching and show momentum in improving?
  • How easily can my employees use this platform?
  • Can the platform be accessed via mobile devices?

Remember, an RMM solution needs both to make managing your clients’ endpoints easier and to support your business as an MSP. A solution that’s clunky and hard to use won’t set your IT experts up for success. A solution that refuses to update its offering—with cybersecurity integration, for example—likely won’t help you run your business for more than a year or two. And with so much of today’s work being on-the-go, an RMM solution that can be accessed through a mobile app could greatly benefit your team.

None of this is easy work, and finding the right tool can, and should, take serious consideration. But the benefits of an RMM are proven. Just make sure you’re finding one for your business needs in the future, not just today.

The post RMM software: What is it and do you need it? appeared first on Malwarebytes Labs.

Healthcare service faces test of willpower with Ransomware authors

Healthcare and ransomware are in the news in a big way. Data leaks are inevitable, but those are typically associated with accidents by the general public. Possibly the most malicious type of data spillage is when people compromising said data decide to do the spilling. It’s one thing to accidentally leave a database exposed; it’s quite another for someone else to grab it, then blackmail the data owners to pay up or else.

Well, we have our “pay up or else” business model and have done for some time; it’s called ransomware. We also have our latest pay up or else story, in the form of a New Zealand health system compromise.

The background

Last week, a part of New Zealand’s health service was brought down. Specifically, one district’s “entire IT network” went offline, which caused appointment cancellations, postponed surgeries, and deferred outpatient activity at rural hospitals. Disruptions during normal times…remember those?…are bad enough. Anything interfering with hospitals during the pandemic is as danger-filled as it gets.

Let’s not forget that with lockdowns easing off, there are lots of people out there with severely delayed non-Covid treatments waiting. Imagine waiting to be seen for a year or more, finally landing an appointment, and then having it cancelled because of people breaking into computer systems. Worse, Covid-19 infection numbers aren’t exactly stable. People could lose their slot, discover their area’s had a sudden outbreak, and then they’re left waiting…again.

The human cost of any attack on health services is absolutely horrendous. As far as the attack in New Zealand goes, the ITPro article mentions investigators suspect the “initial incursion” came about via a bogus email attachment. However, the Health Service newsroom page doesn’t mention this or go into further details while investigations are taking place.

The fallout

Being shut out of systems is bad enough. Having to cancel appointments, or (for example) lose access to crucial patient data, is also a disaster. The promise of attackers dropping confidential information across the internet or putting it up for sale is the icing on a terrible slice of cake.

Where ransomware is concerned, this can happen should victims refuse to pay up. “Best” case scenario, they’re permanently locked out of encrypted files once the payment deadline passes. Worst case, they pay up and the files remain encrypted. Or, they refuse to pay and then the documents start to leak, and drip, into places they should never go.

It seems the group behind the ransomware have indeed done some leaky dripping, because the victims refuse to pay. Private patient information has found its way to media outlets, according to Reuters. Documents purportedly include names, addresses, and phone numbers of patients and/or staff.

Pay up…or else (maybe)

Passing this information to media outlets feels very much like a warning shot across the bow. If the attackers are holding out for payment, the next step will be a dump of data to more public locations.

Note that nobody bar the affected organisation knows for sure at this stage. They won’t reveal if this initial leak is off the back of a request for payment, or some other demand. This is because they’re concerned that discussing details publicly could shape the attacker’s next steps. As a result, we’re all waiting to see what happens next (or, quite possibly, doesn’t).

A critical mass approaching

Ransomware is increasingly in the news for causing severe harm and disruption. If it isn’t hospitals and healthcare, it’s incredibly important oil pipelines. These attacks are now generating levels of heat towards attackers perhaps not seen before. If things keep going like this, who knows where things will end up. When critical infrastructure, healthcare, and other important functions are impacted, you can bet governments won’t sit idly by. The question is: Who will win this digital arms race?

The post Healthcare service faces test of willpower with Ransomware authors appeared first on Malwarebytes Labs.

Falsifying and weaponizing certified PDFs

The Portable Document Format (PDF) file type is one of the most common file formats in use today. Its value comes from the fact that PDFs always print the same way, and that PDFs are supposed to be read-only (unlike a Word document, say, which is designed to be easy to edit). This immutability can be assured by password protection and digital signing.

PDFs are used extensively in the legal, medical and real-estate industries, but are also seen in education, small businesses and other sectors. The format’s popularity really took off when Adobe released it as an open standard in around 2008, which untethered it from the company’s Acrobat software.

PDF security

PDF files can be password protected so that only people with the password can read the content of the file. However, for anyone who knows the password it’s trivial to remove the password or create an identical file that is not password protected.

Certified PDFs

PDFs can be digitally signed, which indicates that the signer approves of their contents. The PDF specification defines two different types of digital signatures to guarantee the authenticity and integrity of documents:

  • Approval signatures attest to one specific state of the PDF document. If the document is changed, the signature becomes invalid.
  • Certification signatures allow specific changes to a signed document without invalidating the signature. You can specify the types of changes that are permitted for the document to remain certified. For example, a sender can specify that a signature from a receiver in the designated field does not invalidate the certification. This way the sender can be sure that, when they receive the signed copy, the receiver’s signature was the only change to the document. Certifying signatures can be visible or invisible.

Digital signatures

You cannot remove a digital signature from a PDF unless you are the one who placed it and you have the digital ID for signing it installed. Each time a document is signed using a certificate, a signed version of the PDF at that time is saved with the PDF. Each version is saved as append-only and the original cannot be modified. After a document is signed, you can display a list of the changes made to the document after the last version.

Secretly changing signed documents

However, researchers at Ruhr University Bochum (Germany) have presented two attacks in which the receiver can alter the content of a PDF document in such a way that the changes are undetectable, either in all PDF applications or in a subset of them. They named these two attacks:

  • Evil Annotation Attack (EAA)
  • Sneaky Signature Attack (SSA)

Both vulnerabilities allow an attacker to change the visible content of a PDF document by displaying unauthorized content over the certified content. However, the certification remains valid and the application shows no warnings that unauthorized changes were made.

The success of these attacks depends on the specific PDF viewer. These applications are supposed to alert the reader to any unauthorized changes. The researchers evaluated 26 popular PDF viewers. They were able to break the security of certified documents in 15 of them with EAA. Eight applications were vulnerable to SSA. Only two were not fooled by either attack. The researchers responsibly disclosed these issues and supported the vendors to fix the vulnerabilities.

An additional code injection attack

An incremental update makes it possible to extend a PDF by appending new information at the end of the file. The original document stays unmodified and a revision history of all document changes is kept. Examples of incremental updates are the inclusion of a certification, a signature, an annotation, or the filling out of forms within a PDF.

Only certified documents are allowed to execute high-privileged JavaScript code in Adobe products, but the research shows that such code is also executed if it is added as an allowed incremental update. This allows attackers to embed malicious code directly into a certified document. If you’re wondering why that’s bad, consider that we are now into our fourth decade of malicious Microsoft Office macros.

Permission levels for certified documents

The certifier has a choice of three different permission levels to allow different modifications:

  • P1: No modifications on the document are allowed.
  • P2: Filling out forms, and digitally signing the document are allowed.
  • P3: In addition to P2, annotations are also allowed.

Annotations introduce a different method of user input by allowing a user to put remarks in a PDF document, like text highlighting, strikeouts, or sticky notes. Annotations are not limited to predefined places within the PDF and can be applied anywhere in the document.

Evil Annotation Attack (EAA) breaks P3

The researchers found three types of annotations capable of hiding and adding text and images. All three can be used to stealthily modify a certified document and inject malicious content. To execute the attack, the attacker modifies a certified document by including the annotation with the malicious content at a position of the attacker’s choice. According to the researchers, a victim would have to manually inspect UI-Layer 3 or click on the annotation to detect the modification. And the attacker could even lock an annotation to disable clicking on it.

Sneaky Signature Attack (SSA) breaks P2

The idea of the Sneaky Signature Attack is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2. The attacker modifies a certified document by including a signature field with the malicious content at a position of an attacker’s choice. The attacker then needs to sign the document, but does not need to possess a trusted key. A self-signed certificate for SSA is sufficient.

Vulnerabilities

The researchers used additional techniques to make their attacks even harder to detect. What the attacks reveal is that signatures and annotations can:

  • Be customized to appear as normal text or images above the signed content.
  • Be made indistinguishable from the original content.
  • Have their indicators hidden from the UI layers.

Using EAA and SSA to inject JavaScript

For annotations and signature fields, it is possible to pass a reference to an object containing JavaScript. It is possible to trigger the code execution when opening the page. The victim is unable to prevent this. The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document.
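The incremental-update mechanism, the annotation and signature-field surfaces, and the JavaScript references described in the sections above can all be triaged from the file's revision history. The following Go scanner is an added example written for this page (not code from the article or the researchers): it splits a PDF into its %%EOF-terminated revisions and reports what each appended update introduces. The sample file is constructed, and the checks are heuristics for a reviewer's attention, not a signature verifier.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// pdfRevisions splits a PDF byte stream into its revisions. Every incremental
// update ends with its own %%EOF marker, so index 0 is the original and each
// later index is one appended update. (A %%EOF inside a binary stream would
// confuse this; a production tool should walk the xref /Prev chain instead.)
func pdfRevisions(data []byte) [][]byte {
	parts := bytes.SplitAfter(data, []byte("%%EOF"))
	last := parts[len(parts)-1]
	if !bytes.HasSuffix(last, []byte("%%EOF")) && len(bytes.TrimSpace(last)) == 0 {
		parts = parts[:len(parts)-1] // drop the whitespace after the final marker
	}
	return parts
}

// Finding records one suspicious feature introduced by one update revision.
type Finding struct {
	Revision int
	Feature  string
}

// watched lists object keys that deserve a human look when they first appear
// in an update rather than in the revision the certifier actually signed.
var watched = []struct {
	name string
	re   *regexp.Regexp
}{
	{"annotation added (EAA surface)", regexp.MustCompile(`/Annots\b|/Subtype\s*/(FreeText|Stamp|Redact)`)},
	{"signature field added (SSA surface)", regexp.MustCompile(`/FT\s*/Sig\b|/Type\s*/Sig\b`)},
	{"JavaScript action added", regexp.MustCompile(`/S\s*/JavaScript\b|/JS\b`)},
}

// objRe matches "N G obj" headers so object numbers can be tracked per revision.
var objRe = regexp.MustCompile(`(?m)^\s*(\d+)\s+\d+\s+obj\b`)

// scanUpdates reports what each incremental update adds on top of the original.
// It also flags an update that redefines an object number already present in an
// earlier revision (for example the /Page object, which is how an annotation
// gets attached to an existing page without touching the signed bytes).
func scanUpdates(data []byte) []Finding {
	var findings []Finding
	seen := map[string]bool{}
	for i, rev := range pdfRevisions(data) {
		for _, m := range objRe.FindAllSubmatch(rev, -1) {
			n := string(m[1])
			if i > 0 && seen[n] {
				findings = append(findings, Finding{i, "redefines object " + n + " from an earlier revision"})
			}
			seen[n] = true
		}
		if i == 0 {
			continue // the original revision is what the certifier approved
		}
		for _, w := range watched {
			if w.re.Match(rev) {
				findings = append(findings, Finding{i, w.name})
			}
		}
	}
	return findings
}

// constructedSample is a hand-written two-revision PDF skeleton (constructed for
// this example; offsets are fake and nothing is really signed). Revision 0 plays
// the certified original; revision 1 is an appended update of the kind described.
var constructedSample = []byte(`%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 38 >> stream BT (Amount: 100) Tj ET endstream endobj
trailer << /Root 1 0 R /Size 5 >>
startxref
0
%%EOF
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] /AA << /O 6 0 R >> >> endobj
5 0 obj << /Type /Annot /Subtype /FreeText /Rect [72 690 200 710] /Contents (Amount: 900) >> endobj
6 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Size 7 /Prev 0 >>
startxref
0
%%EOF
`)

func main() {
	fmt.Printf("%d revisions\n", len(pdfRevisions(constructedSample)))
	for _, f := range scanUpdates(constructedSample) {
		fmt.Printf("update %d: %s\n", f.Revision, f.Feature)
	}
}
```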

PDF specification

By design, certified documents enable complex and highly desired use-cases and the devil here seems to be in the specification details, which runs to 994 pages! The specification will need to be updated to address the issues found by these researchers. It perhaps also needs simplifying, to avoid further unintended consequences.

For more technical details and the research methodology we advise interested readers to go over the original paper (pdf). You will also be able to find out how your favorite application handles these issues.

The post Falsifying and weaponizing certified PDFs appeared first on Malwarebytes Labs.

How to delete your Twitter account: the deactivation process

You may decide to delete your Twitter account, because social media isn’t for everyone. Perhaps you set up an account to see what the big deal is. Maybe you wanted to hang out with friends but you’re all moving to a new platform. It’s possible the service just isn’t very good and is filled with trolls or bad content. Some folks also discover that they’ve posted a little too much personal information over the years and would like a clean break.

Whatever your reason, if you’re looking to delete your account, you’ve come to the right place.

How to delete your Twitter account permanently

Deleting your account on Twitter can be a confusing subject for some, because the process is actually a little more involved and called something else: deactivation. If you don’t follow the steps below, your account won’t be going anywhere. Settle in as we lead you through the process.

Twitter account deactivation

“Deactivation” is a kind of halfway-house for deletion. When you deactivate, Twitter places you in a deletion queue for 30 days.

For that 30 day period, your profile is not visible to anybody and references to it by other people won’t tie back to your account. Eventually, your username is released back into the wild for others to use.

We’re using the web version of Twitter (not mobile, no apps) to give you the most vanilla description possible. These steps may differ slightly from app to app and platform to platform, but in the main they should be mostly identical.

Directly above the “Tweet” button on the lower left-hand side is a “More” option. Click that, and then click into the “Settings and Privacy” option. Under “Your account”, select “Deactivate your account”.

You now have to confirm and reconfirm a few times to let Twitter know you definitely want to do this. After reading the deactivation information, Twitter will pop a password prompt and then ask you one final time to deactivate the account.

Deleting Twitter accounts from your phone

It’s important to note there are two possible aspects to this on a mobile device, and they don’t have the same end result. You may mean deleting the app from your phone, as opposed to your account itself. If this is the case, remove the app the way you’d normally delete an app from your phone. This is typically whatever form of App Manager your flavour of device is using. Important: This will not delete your Twitter account, it will only remove the app from your mobile. Your account will still be out there, on Twitter.

To delete your account, the steps listed further up work the same way if you’re on the mobile web. Please note there may still be some variance if you’re using one of the various Twitter apps to manage your account.

How to delete an old Twitter account you cannot access

If you’ve lost access to the email account tied to your Twitter profile, support won’t be able to do anything about it. Not great, but this is one way to prevent trolls simply causing account deletions galore for innocent parties. Apart from anything else, it’s good practice to secure email accounts anyway. Lock them down with two-factor authentication (2FA). Anything which tightens the security of your email will also strengthen Twitter accounts connected to it. Win-win!

When your account vanishes, Twitter may retain some data to “ensure the safety and security of its platform and users”. They link to this article as an explanation of what they might keep.

Otherwise, that’s it! You’re all done, and your account is gone…or at least, it will be once the 30 day window passes. Note that the usual Internet rules apply. Old Tweets may well be cached in search engines. Portions or all of your account could be saved in the Internet Archive, screenshots on other people’s computers, by Reddit data archivers, or even on sites like Politwoops. While cached search engine results will likely eventually vanish, and you’ll need to contact the Internet Archive directly to see if there’s anything it can do to help, the rest are out of your hands.

The post How to delete your Twitter account: the deactivation process appeared first on Malwarebytes Labs.

What is encryption? And why it matters in a VPN

Encryption is a term used to describe the methods that hide the true meaning of messages using code, especially to prevent unauthorized access to the information in the messages.

Not all users of virtual private networks (VPNs) care about encryption, but many are interested in, and benefit from, strong end-to-end encryption. So let’s have a look at the different types of encryption and what makes them tick.

We have discussed the different types of VPN protocols elsewhere, and pointed out that a big factor in many of the important properties of a VPN is the type and strength of encryption. To accomplish end-to-end encryption a process called VPN tunneling is needed.

What is a VPN tunnel?

A VPN tunnel is an encrypted link between your device and an outside network. But there are significant differences between VPN tunnels and not all of them are equally effective in protecting your online privacy. The strength of a tunnel depends on the type of protocol your VPN provider uses. One of the key factors is the type of encryption.

What is encryption used for?

Encryption is used to hide the content of traffic from unauthorized readers. This is often referred to as end-to-end encryption since usually only the sender at one end and the receiver at the other end are authorized to read the content.

Privacy of Internet traffic is, or should be, a major concern, because we use the Internet in all its forms to send a lot of sensitive information to others. For example:

  • Personal information.
  • Information about your organization.
  • Bank and credit card information.
  • Private correspondence.

Since ciphers devised by hand are far too easy for modern computers to crack, we rely on computers to encrypt and decrypt our sensitive data.

Types of encryption

“What are the types of encryption?”, you may ask. Computerized encryption methods generally belong to one of two types of encryption:

  • Symmetric key encryption
  • Public key encryption

Public-key cryptography is sometimes called asymmetric cryptography. It is an encryption scheme that uses two mathematically related, but not identical, keys. One is a public key and the other a private key. Unlike symmetric key algorithms that rely on one key to both encrypt and decrypt, each key performs a unique function. The public key is used to encrypt and the private key is used to decrypt. The mathematical relation makes it possible to encode a message using a person’s public key, and to decode it you will need the matching private key.

Symmetric-key encryption

This type of encryption is called symmetric because you need to have the same substitution mapping to encrypt text and decrypt the encoded message. This means that the key which is used in the encryption and decryption process is the same.

Symmetric key encryption requires that you know which computers will be talking to each other so you can install the key on each one. This way each computer has the secret key that it can use to encrypt a packet of information before it is sent over the network to the other computer. Basically, it is a secret code that each of the two computers must know in order to decode the information. But since this design requires sharing the secret key, it is considered a weakness wherever there is a chance of the key being intercepted.

Advanced Encryption Standard (AES)

The best example of symmetric encryption is probably AES, which the US government adopted in 2001. The government classifies information in three categories: Confidential, Secret or Top Secret. All key lengths can be used to protect the Confidential and Secret level. Top Secret information requires either 192- or 256-bit key lengths.

How is AES encryption done?

The AES encryption algorithm defines numerous transformations that are to be performed on data stored in an array. The first transformation in the AES encryption cipher is substitution of data using a substitution table; the second transformation shifts data rows, and the third mixes columns. The last transformation is performed on each column using a different part of the encryption key. The key length is important because longer keys need more rounds to complete.

Public-key encryption

To deal with the possibility of a symmetric key being intercepted, the concept of public-key encryption was introduced. Public-key encryption uses two different keys at once: a combination of a private key and a public key. The private key is known only to your computer, while the public key is provided by your computer to any computer that wants to communicate securely with it.

To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. The key pair is based on large prime numbers. This makes the system extremely secure, because there is essentially an infinite supply of prime numbers, meaning there are nearly infinite possibilities for keys.

VPNs use public-key encryption to protect the transfer of AES keys. The server uses the public key of the VPN client to encrypt the AES key and then sends it to the client. The client program on your computer then decrypts that message using its own private key.

Why is end-to-end encryption important?

End-to-end encryption is important to create a secure line of communication that blocks third-party users from intercepting data. It limits the readability of transmitted data to the recipient. Most VPN services use asymmetric encryption to exchange a new symmetric encryption key at the start of each VPN session. The data is only encrypted between you and the VPN server. This secures it from being inspected by any server in-between you and the VPN, such as your ISP or an attacker operating a rogue WiFi hotspot. The data transferred between the VPN server and the website you’re visiting is not encrypted, unless the website uses HTTPS.
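The key exchange described in the two passages above (asymmetric encryption protecting a fresh symmetric session key, then AES for the traffic) as an added, self-contained Go example written for this page, not code from any VPN product: RSA-OAEP stands in for the public-key step and AES-GCM for the tunnel cipher, both from Go's standard library. The function names, the 2048-bit client key and the sample packet are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// serverWrapSessionKey: the VPN server draws a fresh 256-bit AES key and encrypts
// it under the client's public key, so only the matching private key can recover it.
func serverWrapSessionKey(clientPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key, never reused across sessions
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// clientUnwrapSessionKey recovers the session key with the client's private key.
func clientUnwrapSessionKey(clientPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, clientPriv, wrapped, nil)
}

// newGCM builds the AES-GCM AEAD used for the tunnel traffic.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealTunnelPacket encrypts and authenticates one packet. GCM nonces must never
// repeat under one key, so each packet gets a fresh random nonce prepended.
func sealTunnelPacket(sessionKey, packet []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, packet, nil), nil // nonce || ciphertext || tag
}

// openTunnelPacket reverses sealTunnelPacket and fails on any modified byte.
func openTunnelPacket(sessionKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("packet too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// runSession plays both ends once: key exchange, one packet server -> client, and
// a tampered copy that the client must reject.
func runSession(packet []byte) (recovered []byte, tamperRejected bool, err error) {
	clientPriv, err := rsa.GenerateKey(rand.Reader, 2048) // client's long-lived key pair
	if err != nil {
		return nil, false, err
	}
	serverKey, wrapped, err := serverWrapSessionKey(&clientPriv.PublicKey)
	if err != nil {
		return nil, false, err
	}
	clientKey, err := clientUnwrapSessionKey(clientPriv, wrapped)
	if err != nil || !bytes.Equal(serverKey, clientKey) {
		return nil, false, fmt.Errorf("session key exchange failed: %v", err)
	}
	sealed, err := sealTunnelPacket(serverKey, packet)
	if err != nil {
		return nil, false, err
	}
	if recovered, err = openTunnelPacket(clientKey, sealed); err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag in transit
	_, tamperErr := openTunnelPacket(clientKey, tampered)
	return recovered, tamperErr != nil, nil
}

func main() {
	out, rejected, err := runSession([]byte("constructed sample packet: GET /inbox"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("client read %q; tampered copy rejected: %v\n", out, rejected)
}
```

Note that, exactly as the article says, this protects the path between client and VPN server only; what the server forwards onward is outside the tunnel.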

This is why we said in an earlier post that using a VPN is shifting your trust to a new provider. When you use a VPN you transfer access to your traffic to a third party, the VPN provider. All that visibility that users balk at relinquishing to their ISP has now been handed over to their VPN provider. Careful consideration should be given to the trustworthiness of said VPN provider.

The post What is encryption? And why it matters in a VPN appeared first on Malwarebytes Labs.

What is Incognito mode? Our private browsing 101

Incognito mode is the name of Google Chrome’s private browsing mode, but it’s also become the catch-all term used to describe this type of web surfing, regardless of the browser being used. Some call it Private Mode, others call it Private Browsing. Apple almost certainly got there first, yet Chrome’s 2008 creation has largely become the generic name for all private browsing activity.

What’s the difference between Private browsing and Incognito Mode?

This is an important distinction to make. People can often get lost in options settings when reading articles about incognito mode because some aspects may be Chrome specific. This won’t help when trying to select something in options related to Safari on a Mac. With that in mind, everything we talk about below will be in relation to Chrome’s actual Incognito Mode. If we’re being more general, or referring to privacy modes in other browsers, we’ll also explain which ones.

How to go Incognito

In Chrome, Incognito is a privacy-focused option available from the dropdown menu in the top right hand corner. It’s a brand new, fresh out of the box, temporary version of your regular web browser. We’ll explain the key differences, and possible drawbacks, below.

Edge follows the same process. Click “Settings and more…” and this leads to what they call an InPrivate window.

You won’t be surprised to learn things are the same in Firefox. Its Private browsing is also opened up by the dropdown icon on the right hand side, then picking “New Private Window”.

Safari on a Mac works a little differently than the rest. You need to click on File / New Private Window from the dropdown options at the top of the screen.

What is Incognito mode?

In Incognito mode, your browsing history, cookies, site data, and information entered into forms are not saved on your device. This means that when you start an Incognito window, you’re not logged into anything from your other session(s). You can be logged into your Amazon account, your email accounts, social media, and anything else in your “main” browser. That won’t be the case with the Incognito window when you open it up. It is completely separate from whatever you’re doing elsewhere. You don’t need to close your other browser(s) while using an Incognito window. They’ll co-exist quite happily.

Why use Incognito mode?

Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect.

The old joke is that it’s “pornography mode”, for people wanting to hide more personal aspects of their browsing. While this is no doubt true for some, there’s a lot more scope to Incognito mode and its uses than people give it credit for.

People may share computers. “Switch your login to another account” may be the first suggestion, but it’s not typically a realistic one in every scenario. What if you want to buy a surprise gift for a loved one? Nobody wants to play a game of “endlessly hide your Amazon history” while casually surfing. This is why people will look for gifts in Incognito mode, copy the URL, then drop it into their regular browser session afterwards to make the purchase. From there, they can delete it from their actual, logged-in history before forgetting about it. One additional bonus is that they won’t have dozens of similar gift items showing up in purchase suggestions. Again, this is very useful for accidental over-the-shoulder gift spoilage.

Avoid getting personal with private browsing

There’s a desire to avoid “cross-pollination” of data related to people logged in on their main browser. Sure, your Google account may know a lot about you. It’s still possible to isolate your most personal details from services you use. Suppose you don’t want your Google account to get a read on where you live, or where you work, or perhaps the name of your children’s school. This is, again, doable. However, when your child falls ill and you can’t remember the school’s number, punching it into your logged-in account may be exactly what you were trying to avoid. The same goes for a quick Google Maps route from your house to your office when roadworks cause delays. These are all things people who compartmentalise bits and pieces of crucial personal information like to avoid. There’s always the possibility of something going wrong in search engine land, and steps to mitigate issues like this are wise.

Is Incognito mode totally private?

Please note that the below applies to all browsers when talking about Incognito / Privacy modes. The short answer is “no”, and the longer one is “it largely depends”. Depends on what, you may ask?

If you’re on a corporate network, or on a home network with logging enabled? The person with access to the logs might not be able to see the site content, but they may be able to see URLs and can almost certainly see the names of the sites. As the text in the Incognito mode window at launch states, your ISP and websites themselves may see what you’re doing.

There’s also an option to enable third-party cookies (off by default in Incognito), though this may be something most people would naturally avoid in private browsing mode. Google has made statements about most of the above already. In fact, some of this has become quite a headache for the search giant.

Private browsing should not be used as a replacement for tools like a VPN, which are designed to solve a very different set of privacy problems. Some folks like to take things a step further. Otherwise, private browsing modes are a useful thing to have, but certainly not a one-stop fix for all privacy problems. Keep this in mind and your Incognito surfing sessions will hopefully be free from worry.

The post What is Incognito mode? Our private browsing 101 appeared first on Malwarebytes Labs.

Colonial Pipeline attack spurs new rules for critical infrastructure

Following a devastating cyberattack on the Colonial Pipeline, the Transportation Security Administration—which sits within the government’s Department of Homeland Security—will issue its first-ever cybersecurity directive for pipeline companies in the United States, according to exclusive reporting from The Washington Post.

The directives are expected to arrive within the week and will require pipeline companies in the US to report any cyberattacks they suffer to the TSA and the Cybersecurity and Infrastructure Security Agency (CISA). Such attacks will be reported by newly designated “cyber officials” to be named by every pipeline company, who will be required to have 24/7 access to the government agencies, The Washington Post reported. Companies that refuse to comply with the directives will face penalties.

The regulations represent a tidal shift in how the TSA has handled pipeline security in the country for more than a decade. Though the agency has for 20 years been tasked with protecting flight safety in the country, cybersecurity directives for pipelines fall under its purview following a government restructuring after the attacks on September 11, 2001. For more than a decade after the attacks, the agency leaned on voluntary collaboration with private pipeline companies for cybersecurity protection, sometimes offering to perform external reviews of a company’s networks and protocols. Sometimes, The Washington Post reported, those offers were declined.

But after the ransomware group Darkside attacked the East Coast oil and gas supplier Colonial Pipeline, which led to an 11-day shutdown and gas shortages in the Eastern US, it appears that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. Already, President Joe Biden has signed an Executive Order to place new restrictions on software companies that sell their products to the federal government. Those rules were reportedly refined after the Colonial Pipeline attack, and are expected to become an industry norm as more technology companies vie to include the government as a major customer.

The TSA’s new rules for pipeline companies fall into the same trend.

In speaking with The Washington Post, Department of Homeland Security spokeswoman Sarah Peck said:

“The Biden administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

Though the first directive from TSA is expected this week, follow-on directives could come later. Those directives are reported to include more detailed rules on how pipeline companies protect their own networks and computers against a potential cyberattack, along with guidance on how to respond to cyberattacks after they’ve happened. Further, pipeline companies will be forced to assess their own cybersecurity against a set of industry standards. These directives, like the one expected this week, will also be mandatory, but one part is expected to remain voluntary guidance from TSA: whether a pipeline company must actually fix any issues it finds in a required cybersecurity assessment.

The new rules will bring the private pipeline industry into a small group of regulated sectors of US infrastructure, including bulk electric power grids and nuclear plants. These sectors are the outliers in US infrastructure, as most components—including water dams and wastewater plants—have no mandatory cybersecurity protections.

Several hurdles remain for the TSA’s rules to be effective, including a dearth of staff at the agency itself. According to The Washington Post, the TSA’s pipeline security division had just one staff member in 2014, and according to testimony in 2019, that number had grown to only five. To address the staffing problem, the Department of Homeland Security is expected to hire 16 more employees at TSA and 100 more employees at CISA.


Insider threats: If it can happen to the FBI, it can happen to you

If you’re worried about the risk of insider threats, you’re not alone. It can affect anyone, even the FBI. A federal grand jury has just charged a former intelligence analyst with stealing confidential files from 2004 to 2017. That’s an incredible 13 years of “What are you doing with that pile of classified material?”. Even more so, considering the indictment states the defendant did not “…have a ‘need to know’ in most, if not all, of the information contained in those materials”.

There are lots of ways this kind of data collection and retention could go wrong. What happens if the person hoarding the documents decides to sell to the highest bidder? Or even just starts giving it away to specific entities? Could it all be digital? What happens when a random third party compromises the PC / storage the files are located on?

How about a plain old burglary, with unsuspecting thieves swiping an inconspicuous looking external hard drive?

However you look at it, this is not a great situation for those files to be in.

The safe zone is compromised

Organisations have multiple problems dealing with the issue of insider threats. They feel more comfortable locking down their data from outside entities. Mapping out ways to keep the soft underbelly of the organisation protected from its own employees is more difficult.

This makes sense. It’s frankly overwhelming for many businesses to figure out where to even begin. How many physical security experts do people know? What about social engineers? Hardware lockdown specialists? The IT department should know their way around firewall configuration. However, there may be weak spots in auditing folks with privileged IT access.

Is there someone at a business who has an idea that printer security is even a thing? If not, that could spell trouble.

Anyone can be a security risk

There are many forms of insider threat, which we’ve explored in great detail. They differ greatly, and their motivations can differ considerably from individual to individual. If you’ve never considered the difference between intentional and unintentional insiders, and all the different varieties thereof, then now is a great time to start.

If your approach is simply “a bad person wants to steal my files”, any potential defences likely won’t contain enough nuance to be sufficient in the first place. It’s a big, complicated problem. There are lots of moving parts. It needs the same level of thought and attention given to other areas of business security elsewhere.

Some additional reading

This FBI insider threat story is quite timely, given how much attention the subject is experiencing recently. Some additional reading for your consideration:

This is hopefully just the splash of light reading material required to get you up to speed on this insidious form of data exfiltration.


VPN Android apps: What you should know

Months ago, we told readers about the importance of using a VPN on their iPhones, and while those lessons do apply to Android devices—a VPN for Android will encrypt your Android’s web activity and app traffic, and it will stop your mobile carrier from monetizing your data—Android users should be cautious about one particular risk: that of the free VPN app.

In just the past year, free VPN for Android apps have exposed the data of as many as 41 million users, revealing consumers’ email addresses, payment information, clear text passwords, device IDs, and more. Investigations into one of those free VPN Android apps also revealed that it may have been part of a larger web of Android VPNs all operating under the same company—a company that was nearly impossible to reach for customer support, borrowed liberally from other companies’ privacy policies, and failed to meet its promises to keep “no logs” of user activity. And while poorly built VPNs are not reserved only for Android devices, Android users in particular should wade cautiously through the Google Play Store, where countless VPN apps distinguish themselves with bland terminology such as “ultimate,” “super,” “fast,” and, of course, “free.”

In reality, a secure, trustworthy VPN Android app is rarely, if ever, free, and that’s largely because the actual work that goes into running a secure VPN service costs money. As Malwarebytes senior security researcher JP Taggart said on our podcast Lock and Code:

“Deploying a VPN service is, you know, it requires infrastructure. It requires servers, it requires staff, it requires coders to make sure that it’s done properly or that it’s done the way you want it to work,” Taggart said. “All of that has to be paid. All these people that work on [the VPN service], nobody is going to do it for free. No one is that altruistic.”

There is no best free VPN for Android

Searching for a VPN app shouldn’t be so hard, but it is. A quick query in the Google Play store conjures up at least 250 results, and, without any knowledge of the VPN industry, it can be difficult to know which app to trust. For users taking their first steps into learning about VPNs, the temptation to download any of the countless free VPN Android apps is high.

But some of those free apps are the same ones with a poor track record of protecting user data.

In February of this year, a cybercriminal claimed to have stolen user data from three separate VPN apps available on the Google Play Store: SuperVPN, GeckoVPN, and ChatVPN. The cybercriminal said on an online hacking forum that they’d managed to swipe email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and whether a user was a “Premium” member, along with that “Premium” membership’s expiration date. Follow-on reporting from the tech outlet CyberNews also revealed that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

The impact of such a data breach is hard to measure, because it goes beyond just the harm caused to the victims. At risk here is also the trust that users are expected to place in a service that is specifically advertised as a privacy and security measure.

Troy Hunt, the founder of the data breach website HaveIBeenPwned, called the breach “a mess” on Twitter, saying that it was a “timely reminder of why trust in a VPN provider is so crucial.”

“This level of logging isn’t what anyone expects when using a service designed to *improve* privacy,” Hunt said, “not to mention the fact they then leaked all the data.”

But for one of the VPN Android apps, SuperVPN, it was actually the second time it had been named in a cybersecurity mishap.

In July 2020, cybersecurity researchers at vpnMentor published a report that showed that seven VPN Android apps had left 1.2 terabytes of private user data exposed online. According to the report, the data belonged to as many as 20 million users, and it included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

Particularly upsetting in this discovery was the fact that all of the seven VPN Android apps had promised to keep “no logs” of user activity—a provably false claim since vpnMentor actually found user logs in its research. The VPNs named in the report were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

In its investigation, vpnMentor also proposed that the seven VPN Android apps were likely made by the same developer, as the VPN services shared a common Elasticsearch server, along with the same payment recipient, Dreamfii HK Limited. Three of the VPN apps also featured branding and website layouts that looked similar to one another.

These are known privacy and security failures, and they just so happen to afflict free VPN for Android apps. A free VPN may cost nothing out of your pocket, but it could cost your privacy a lot more.

We can’t tell you the best VPN for Android, free or not free

We’ve told you the bad news—free Android VPNs are too big a risk to take. Now, understandably, you might ask about the good news—what VPN Android app should I use?

Unfortunately, we can’t recommend any VPN Android app, and that’s because what VPNs offer, namely varying privacy protections, is not uniformly valuable to every user.

For instance, for users who want to protect their Internet activity while connecting to a public WiFi hotspot, VPNs offer a strong solution, as VPN services encrypt web traffic and make it incomprehensible to digital eavesdroppers. For users who want to access content that is geo-restricted, VPNs also offer a helpful workaround, as they can make a user’s Internet traffic appear as though it is originating from another location.

But where VPN value starts to differentiate is in the realm of privacy, and that’s because, as we’ve learned in recent years, privacy could mean something different for every user. For some users, privacy might mean hiding their Internet traffic from their Internet Service Provider, which a VPN can do. But for other users, privacy might mean keeping their sensitive data from today’s enormous social media companies, which a VPN cannot do. Or it might mean stopping cross-site tracking across the Internet, which, again, a VPN cannot do.

But do not worry if you’re still looking for help, because we can recommend the same advice we did earlier this year for anyone looking for the right VPN for themselves.

Think about how you’ll use the VPN service and look for a variety of features, like the ease of use, the connection speed, any potential data limits, the availability of customer support, and the VPN’s policy on keeping user logs. With the right info, you’ll be protecting yourself in no time.

Just remember, if you’re willing to take your privacy seriously, you should also be willing to spend a little money on it.


A week in security (May 17 – May 23)

Last week on Malwarebytes Labs, we looked at a banking trojan full of nasty tricks, explained some tips and pointers for using VirusTotal, and dug into how an authentication vulnerability was patched by Pega Infinity. We also explored how a Royal Mail phish deploys evasion tricks to avoid analysis, and gave a rundown of how Have I Been Pwned works. The human cost of the HSE ransomware attack was explored, new Android patches hit the streets, and Apple confirmed that Macs get malware.

Other Cybersecurity news

Stay safe, everyone!
