Archive for author: makoadmin

A Virtual Private Network (VPN) creates a safe “tunnel” between you and a computer you trust (normally your VPN provider) to protect your traffic from spying and manipulation. Any VPN worth its money encrypts the information that passes through it, so in this article we will ignore those that don’t use encryption. Among VPNs that offer encryption there is a large choice of available protocols. Every one of those protocols has some advantages and disadvantages. These are the important factors to look at when you are about to choose one:

• Speed
• Strength of the encryption
• Stability
• Ease of use
• Security/privacy

In this article we’ll look at the different VPN tunneling protocols and how they perform.

What does the VPN protocol do?

Basically, the VPN protocol, or better the rules it uses, decides how exactly your data is routed through a connection. All these protocols have different rule sets based on what they care about most. For example, some VPN protocols prioritize data throughput speed while others focus on masking or encrypting data packets for privacy and security.

How many VPN protocols are there?

This extensive list is not complete, but it covers the most commonly used VPN protocols:

• OpenVPN
• L2TP/IPSec
• SSTP
• IKEv2
• PPTP
• WireGuard

Why does a fast VPN protocol matter?

Even though speed should not be the deciding factor, a slow VPN will discourage users and will therefore quickly be abandoned. You don’t pay top dollar for a fast internet connection just for the VPN to slow it down. Or, when you have a slow connection, you don’t want your VPN to make it even worse. But speed is often a trade-off with other characteristics like the encryption strength and security. And the speed also depends on factors outside of the protocol, like the distance to the VPN server, and obviously the basic speed of your internet connection. Using a VPN will never make it faster.

Security and privacy

This will be the deciding factor for many users when they are about to make a choice for a VPN. It needs to be said that the vendor is at least as important here as the protocol. After all, what good is a secure protocol if it turns out the vendor is willing to hand over your data at the first request? So, if you hear people ask what is better than OpenVPN, for example, the answer is that it depends on what you are looking for exactly. Many protocols are capable of comparable speeds and levels of secure encryption.

Ease of use

A point that we have made often in the past is that security and privacy software that is hard to set up or difficult to manage often misses the target. Misconfigured software doesn’t do what it potentially can do for the user, so it’s basically a waste of time and money. To be honest, we have seen cases where the user would have been safer using a free VPN or none at all.

What VPN protocol should I use?

This is a question that everyone has to answer for themselves. We can tell you about some protocols that are often recommended and why. But you will have to make up your own mind.

OpenVPN

OpenVPN is an excellent open-source protocol, but many users struggle to set it up properly. If you have an installer software or expert help, then this is not your problem. You will find that OpenVPN is the default protocol used by many paid VPN providers. It is a secure protocol but not super-fast (not super-slow either).

L2TP/IPSec

L2TP/IPSec is actually a combination. Layer 2 Tunnel Protocol (L2TP) is the protocol that is paired with Internet Protocol Security (IPsec). In speed and security, it is on par with OpenVPN. It is easier to set up unless you have to bypass a firewall. Some security concerns have been raised because the NSA helped develop IPSec.

SSTP

SSTP is short for Secure Socket Tunneling Protocol which was developed by Microsoft. Although the protocol works on Linux it is primarily thought of as a Windows-only technology. It is easy to set up on Windows machines as you might expect. It is impossible to use on Macs and hard to deploy on Linux. Speed and security are about the same as for OpenVPN and L2TP/IPSec.

IKEv2

IKEv2 was developedin a joint effortby Microsoft and Cisco. It is very well suited for mobile devices on 3G or 4G LTE because it’s good at reconnecting whenever the connection drops out. The protocol is very fast and secure. It is also easy to set up on the few devices that are compatible.

PPTP

PPTP is short or point-to-point-tunneling. This protocol was originally developed by Microsoft for dial-up networks. PPTP is fast and easy, but this is mostly due to a low encryption standard and it comes with some known vulnerabilities, it is no longer suitable for users that are privacy-focused.

WireGuard

WireGuard is relatively new compared to the other protocols, but it’s quickly become widely adopted because of the high security standard. This does not take away from the speed because WireGuard ditched a lot of unnecessary extras that other protocols are burdened with, and it runs from a Linux kernel. Which also makes it suitable for many platforms and applications.

Choose wisely!

We can only hope you read this article because you set out to make an informed decision (and we hope we have helped you with that). It is important to consider what matters to you in a VPN and also take into account that VPN software is more than just the protocol. The reason why you need a VPN and whether you trust the VPN provider should be equally important. Aside from a few outdated protocols, speed should no longer be an issue. Internet speeds are usually so much higher than what we actually need, a modern VPN should not interfere in a way that is noticeable.

The post VPN protocols explained and compared appeared first on Malwarebytes Labs.

If you use a Google account, it may soon be mandatory to sign up to Google’s two-step verification program. As recently as 2017, a tiny amount of GMail users made use of its two-step options. Maybe the uptake is still slow, and Google has decided enough is enough. With so much valuable data stuffed inside Google accounts, it’s beyond time to ensure they’re locked down properly.

It’s enrolment time

With this need for security in mind, Google has announced the roll-out of automatic two-step verification. If your account is “appropriately configured”, you’ll be ushered into a land of extra security measures. There doesn’t seem to be any additional information about what “appropriately configured” means yet. The Google blog cites the security check-up page, but that simply lists:

• Devices which are signed in
• Recent security activity from the last 28 days
• 2-step verification, in terms of sign-in prompt style, authenticator apps, phone numbers, and backup codes
• Gmail settings (specifically, emails which you’ve blocked)

How this translates into “Hello, we’re going to enrol you into our two-step verification program”, I’m not entirely sure. Perhaps they’ll add more specific requirements which need to be met to enable the enrolment process at a later date. If the requirement is a minimum level of setting up various security options, then only the most security conscious might be asked to enable it in the first place. This would surely mean those in most need of security fine-tuning, won’t get it.

The password problem

Questions how this will work aside, Google continues to keep plugging away at the eternally relevant password problem. Their password import feature allows people to save passwords as a CSV file, then port it into Chrome. If you’re hopping from one password manager to another, and have a lot of yourself tied into Google services, this may be ideal.

We’re all impacted by weak security. Compromised logins have a knock-on effect for everybody. When your email is broken into, it allows attackers potential access into every account tied to it. A few password resets later, and one account used for spam is now multiple accounts spamming, sending infections, social engineering, the works. This is how people quickly build up small armies of compromise and go about their shenanigans on a daily basis.

It doesn’t have to be a major campaign. The operators don’t have to be criminal masterminds. A couple of random people with a little bit of tech know-how can quickly figure out how to monetise a few dozen stolen accounts. That’s how you eventually do end up with major campaigns, with more work for law enforcement and security researchers to figure out who the new kids on the block are.

Step up, and lock down

By keeping your accounts secure, you’re not just helping yourself. You’re helping everybody, and preventing them losing their savings or non-compromised PC to attackers leveraging your bad password practices. This is a good thing to keep in mind as we wave goodbye to this year’s World Password Day. It’s never too late to start brushing up on your passwords. Get yourself familiar with a couple of password managers and pick the right one for you.

Lock down your master password. Set up restrictions on who can login, and how. Make it so that only people in your specific geographical region can log in. Make yourself some backup codes, print them off, put them somewhere safe in case you lose master password access. Just a few of these steps will go a long way towards keeping both yourself and others much more secure than you were previously. There can’t be any better way to close out the week playing host to World Password Day than that.

The post Google to start automatically enrolling users in two-step verification “soon” appeared first on Malwarebytes Labs.

Since the first stay-at-home measures were imposed by governments to keep everyone safe from the worsening COVID-19 pandemic, we at Malwarebytes have been making sure that you, dear reader, are as cyber-secure as possible in your home network, while you try to work and while your children attend online classes.

There has been much discussion of antivirus protection, patching your software, and using VPNs. But what if the security flaws aren’t in your phones or laptops, but the router your ISP gave you?

Which?, a consumer watchdog in the UK, recently released its findings about routers issued by UK Internet Service Providers (ISPs). Based on its assessment, it reckons that at least two million Britons are at risk from routers that haven’t been updated since 2016. This alone seems to go against the Secure by Design proposal, an already-drafted law that gives power to the Department of Culture, Media, and Sports (DCMS) to order tech makers (phone, tablet, IoT) to be transparent about when they’ll stop providing security updates to their new devices from launch.

Granted, the Secure by Design hasn’t been made law yet, so the ISPs aren’t breaking any regulations. However, it seems preposterous to think that companies would have to wait to be mandated before they start caring about their customers’ security and privacy.

Router flaws found by Which?

Which? has looked into routers provided by EE, Sky, TalkTalk, Virgin Media, and Vodafone. Based on 13 router models it tested, the watchdog found that two-thirds—9 routers out of the 13—had flaws that, if the Security by Design law were in effect, would easily mark these providers as non-compliant. Below are the old router vulnerabilities Which? found:

* Weak default passwords. These passwords can be easily guessed by hackers, are common across devices and could grant someone access. This can be done from outside of the home network, so a hacker could access a router from anywhere in the world.

* Local network vulnerabilities. While the risk here is lower as a hacker would have to be in the vicinity of the router, vulnerabilities such as this could allow a cybercriminal to completely control your device, see what you’re browsing or direct you to malicious websites.

* Lack of updates. Firmware updates aren’t only important for performance, they’re also needed to fix security issues when they arise. Most of the routers we looked at hadn’t had a security update since 2018 at the latest, with no guarantee of a new one in the near future.

The consumer body is concerned that many UK internet users are using old router models with no guarantee of an upgrade, thus making them “low hanging fruits” for criminal hackers to target. With its findings, Which? encourages customers of UK ISPs mentioned in the report to contact their provider and ask about potentially getting a router upgrade.

Although one of the companies that Which? contacted is using old routers, they said that they continue to monitor for threats and provide updates if needed. Despite this claim, Which? did find an unpatched vulnerability on one of the routers it tested. This could suggest that, although ISPs are doing what they can to patch flaws, it’s likely that they’d miss a few holes.

Virgin Media, one of the ISPs, didn’t accept the testing results from Which?, telling the BBC that “nine in 10 of its customers are using the latest Hub 3 or Hub 4 routers.” However, Which? Noted that Virgin only considered the number of paying households, whereas the testing counted each member of the household.

A wake up call to ISPs

Which? is a proponent of ISP transparency with regard to routers receiving firmware and security updates, a requirement of the Secure by Design proposal. The company also calls for the government to ban the use of default passwords, or ISPs allowing users to set weak passwords on their routers.

This is a good move. Although convenient, setting a weak password isn’t going to strengthen anyone’s security. On top of that, ISPs allowing users to always take the convenient and insecure route misses a good opportunity to educate their customers on good computer—and password creation and management—practices.

“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals.” says Kate Bevan, computer editor for Which?, in a press release. “Proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.”

Lastly, Which? calls for UK ISPs to “be ready to respond when security researchers warn them about possible issues – and should make it easy for researchers to contact them.”

Is your router secure?

Many households rely heavily on their routers, for working from home, studying, or simply keeping in touch with friends and families during these tough times. Sure, you may have been using it for years and you haven’t been hacked yet—”to the best of your knowledge”—but you shouldn’t take comfort in this for long. Now is a good time as any to focus on securing your router.

Using routers that can’t be patched if a serious vulnerability appears increases your risk of being exposed to attacks, and increases the risks for everyone else too. Routers are computers like any other and (as the Mirai botnet showed) they can be compromised and added to a botnet like any other.

So, the best way to stay safe is to make sure you’re using your ISPs latest router. 

Whatever router you’re using, be sure to change the default password if it had one. These are known to criminals and there are vast lists of default passwords circulating on the Internet for anyone to read. For more steps to take, Which? has a section on what to do if you’re affected by the routers mentioned in its lab tests.

The post Millions put at risk by old, out of date routers appeared first on Malwarebytes Labs.

Most of our readers are well aware of the fact that the big tech corporations, especially those that run social media know a great deal about us and our behavior. But it rarely hits home how much personal data they have about us and how they can guess, quite correctly, even more. Lots more.

Signal came up with an idea to drive that point home. A simple but very effective idea, nothing short of genius. They bought advertising space on Instagram and showed visitors ads full of the characteristics that were used to target them.

In an a blog post, the company explains what it tried to do and how Facebook banned their ads. While they only tried to demonstrate that Facebook’s own tools have the potential to divulge what is otherwise unseen.

About Signal

Signal is a privacy-focused messaging app that has picked up a lot of new users recently, after rival WhatsApp made an unpopular change to its privacy policy. It has made the news on several occasions after being asked by governments to hand over user data. It has always declined, stating that it does not record the data it is being asked to produce. The company says that it keeps minimal records about its users and all Signal messages and voice calls are end-to-end encrypted.

The many faces of Facebook

The US-based photo and video sharing social networking Instagram was acquired by Facebook in 2012. Facebook also developed and runs Facebook Messenger, a messaging app and platform. Facebook also owns WhatsApp, a massively popular messaging service that allows users to send text messages and voice messages, and with that is a direct competitor to Signal.

The contrast

The very different ways these two companies deal with user data while being active on the same playing field explains some of the animosity between the two. And Signal has never shied away from criticizing other companies it thinks are compromising users’ privacy or security. (I’m not even mentioning that Facebook introduced a discovery and curation tool called, you guessed it, Signal for Facebook and Instagram.)

The user data

All this does not take away from the fact that I would have loved to see the effect on Facebook users if these ads had been allowed to run. Would it have outraged users? Because seeing that sort of personal information displayed on a website really hits home. Could they even have scared users away from commercial social media? Let’s not forget that not only does Facebook gather that data, it also sells it to advertisers, as Signal tried to point out with its campaign.

What you share

Recently we have warned our readers against the worst possible info you could share on social media. And those are the ones that are the things that are easy to understand and follow once you see the dangers. But all the small details that you give away in your posts matter too. Taken together they can amount to a thorough customer profile that is valuable for advertisers. Knowing where your interests lie allows them to spend their advertising dollars more effectively.

Advertising on social media

Advertising is a straightforward way for social media networks to not only make money from the data they’ve collected—by offering ad space to advertizers, but also by allowing external parties to potentially dip into the same pool. Unlike traditional publishing, social media ads can be tailored, based on personalized data the social network sees you searching for, talking about, or liking daily.

If you thought hitting “like” (or its equivalent) on a website was simply a helpful thumbs up in the general direction of someone providing content, think again. Even if you don’t click like, if you’re a Facebook user and you’ve not logged out then Facebook knows you’ve visited that web page. And if you click “like”, it also knows that you liked that page. All of which feeds data into the big pot of “These are the ads we should show this person”, even when you’re not actually using Facebook.

Guessing the rest about you

What they know about you can be topped off by what they can guess about you. Guesses are based on the interests of you, your family, your friends, and your friends’ friends, plus other demographic clues, such as your job title, pictures of your home, travel experiences, cars, and marriage status. All of these data points help the social network figure out which specific adverts to send your way. And they offer this information readily to their customers, the advertisers.

They just don’t want you to see it in the ads.

The post Facebook bans Signal ads that reveal the depth of what it knows about you appeared first on Malwarebytes Labs.

Spectre is the name for a whole class of vulnerabilities discovered in January 2018 that affected huge numbers of modern computer processors that rely on a performance feature called speculative execution. Since then, some of the world’s most talented computer scientists from industry and academia have worked on software patches and hardware defenses.

Now it seems they may have to do it all over again.

New research has discovered Spectre attacks that bypass existing mitigations. Before we explain that though, let’s recap what Spectre is all about.

Speculative execution?

Speculative execution happens when a computer processor does some work it might need later, instead of waiting until it knows it definitely needs it. What emerged in 2018 is that speculative execution opens the possibility of side-channel attacks. Spectre-based attacks trick a program into accessing arbitrary locations in a program’s memory space. As a result an attacker may be able to read the content of the accessed memory, and thus potentially obtain sensitive data.

Or, as the researchers put it:

A Spectre attack tricks the processor into executing instructions along the wrong path. Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way.

Speculative execution can be compared to a reverse firing squad: One person has the gun and all the potential victims are lined up opposite. For the potential victims there is no way of knowing who will get executed first. But the person holding the gun may have one in mind.

Exploiting changes of heart

The researchers behind the latest discovery, a team of computer scientists from the University of Virginia and the University of California, San Diego, have just published a paper (pdf) describing a new set of Spectre attacks based on processor micro-op caches.

To return to our analogy, let’s say our executioner (the computer processor) is making preparations for the first target to be executed and writes some notes about what it’s going to do. Processors store these notes in what is called the op-cache. Basically, they are simple instructions that the processor expects to need later, when it executes that target instruction.

Now let’s say our executioner decides to target somebody else first instead. They still have their notes about the first target. When a processor decides to target another instruction first, or erroneously does so, it opens up a possible attack vector that can read its notes from the op-cache. With enough data an attacker can then predict which was the intended first target.

The new Spectre attacks

The research claims that all modern AMD and Intel chips with micro-op caches are vulnerable to Spectre-style attacks, and sets out “attacks that exploit the micro op-cache as a timing channel to transmit secret information”. The attacks exploit the micro-op cache to leak secrets in three ways:

• Across the user-kernel boundary.
• Between two SMT (Simultaneous MultiThreading) threads running on the same physical core
• Along a mis-speculated execution paths

Back to the drawing board

The new lines of attack demolish current defenses because they only protect the processor in a later stage of speculative execution. According to the researchers, all the defenses against Spectre side-channel attacks that have been developed since 2018 can be bypassed by these new attacks. Thus, “leaving billions of computers and other devices just as vulnerable today as they were three years ago”. So, it’s basically back to the drawing board for everyone that has put in the time and energy.

The paper propose three  possible mitigation techniques:

• Flushing the micro op-cache at domain crossings. This wipes the content of the op-cache so It can’t be queried for information. This however, causes a great deal of the speed that is gained by using an op-cache to be lost.
• Performance counter-based monitoring. A method to leverage performance counters and detect anomalies based on potential malicious activity in the micro-op cache.
• Privilege level-based partitioning. A partitioning of the op-cache based on the level of privilege assigned to the code would prevent unauthorized code from getting higher privileges, but given the -small- size of the op-cache partitioning could prove to be cumbersome.

The impact

The good news is that exploiting Spectre vulnerabilities isn’t easy. It will require an enormous amount of knowledge about the processor at hand and a lot of luck to find any specific information an attacker could be looking for. But it does allow for random gathering of information and then hope for that golden bullet to be in there. Given the large amount of affected processors it concerns, essentially all modern 32- and 64-bit PC processors and the vast majority of the standard server hardware, the laws of big data may apply.

May the 4^th be with you!

The post Spectre attacks come back from the dead appeared first on Malwarebytes Labs.

Last week on Malwarebytes Labs, we looked at which age range is most likely to be targeted by online predators, talked to Malwarebytes CISO John Donovan on our Lock and Code podcast, and explored the latest deepfake happenings. We also dug into a supply chain attack, discussed threats from a ransomware group, and did a deep dive on wallet recovery code scams. There were also fines for cities, and a 101 guide to Smishing. We had Signal insisting it’s very private indeed, an explainer for ip addresses, vulnerabilities in IoT land, and a plan for success from the Ransomware Task Force.

Other cybersecurity news

• Australia starts cyber-learning early (Source: The Register)
• Vivaldi browser crumbles some cookies (Source: Vivaldi)
• UK rail network hit by ransomware (Source: Bleeping Computer)
• RAT malware causes problems for Telegram (Source: How To Geek)
• Linux malware and the art of evasion (Source: TechRadar)
• Phishing campaign targets Chase bank customers (Source: TechRepublic)
• Remembering Dan Kaminsky (Source: New York Times)
• Hackers attacking COVID-19 supply chain (Source: CBS News)
• Watch a TESLA have its doors hacked open by a drone (Source: Forbes)
• Banks fail in bid to share cost of refunding scam victims (Source: BBC)

Stay safe, everyone!

The post A week in security (April 26 – May 2) appeared first on Malwarebytes Labs.

An IP address tells computers how to find a certain device within a computer network. An IP address is like an address label for information packets. For each network your computer is connected to, it has a unique IP address on that network. So, one device can have several IP addresses at the same time. In most home computers you may see traffic on these IP addresses:

• 127.0.0.1 is the loopback address which is used if something on your device needs to talk to another service on the same device.
• A home network address which is usually in a range reserved for private networks. Well known ranges for this purpose start with 10. and 192.168. which are often pre-programmed in routers whose job it is, among others, to assign IP addresses to connected devices.
• Your IP address on the Internet, which is in most cases is assigned to you by your Internet Service Provider (ISP), and changes from time to time. You can learn your current Internet IP address by looking at this site.

What does IP stand for?

IP is short for Internet Protocol and is part of TCP/IP which is the networking software that makes it possible for your device to interact with other devices on a computer network, including the Internet. TCP/IP is actually a stack of protocols that make it possible for computers around the world to communicate without differences between languages and hardware. For a device to be able to use the Internet protocol it needs to have IP software and an IP address.

How are IP addresses written?

Most IP addresses that you see will be Internet Protocol version 4 (IPv4) addresses. These have 32 bits of information and are written in four octets of eight bits. Since we are used to working with decimal numbers, you will usually see the four octets written as four decimal numbers between 0 and 255, separated by dots. For example, at the time of writing, the computer running this website had an IP address of 130.211.198.3.

Decimal vs octal

In some cases, it might be beneficial to know the difference between the different notations.

Decimal means a number expressed in the base-ten system which is the system that we use every day that uses the ten digits 0-9, whereas octal means the number system that uses the eight digits 0-7.

Since an IP address is a 32-bit number, sometimes it makes sense to use the octal number system instead of decimal. The decimal IP address 127.0.0.1 looks like 0177.0000.0000.0001 in octal. A computer will recognize both of them as different, equally valid ways of writing the same address. Here’s why:

In decimal, numbers are written according to how many ones they have, how many tens, how many hundreds, and so on. So, the number 127 is 1 * 100, 2 * 10 and 7 * 1.

In octal, numbers are written according to how many ones they have, how many eights, how many 64s, and so on. So, the number 127 is represented as 0177, which is 0 * 128, 1 * 64, 7 * 8 and 7 * 1.

Running out of IP addresses

There are only 4,294,967,296 different combinations of four numbers between 0-255, so that is the theoretical maximum number of IPv4 addresses you could have on any one network (in reality it’s less than this because some IP address ranges are reserved).

In November 2019, the RIPE NCC (the regional Internet registry for Europe, West Asia, and the former USSR) announced that it had exhausted its pool of IPv4 addresses. This did not come as a surprise, and it didn’t mean that suddenly nobody could have an IP address—sometimes addresses can be recovered, and networks can be extended using Network Address Translation—but it demonstrated the need to implement the successor of IPv4. RIPE warned that “Without wide-scale IPv6 deployment, we risk heading into a future where the growth of our Internet is unnecessarily limited. “

IPv4 and IPv6

What is Internet protocol version 6 (IPv6) and what makes it different from IPv4? Obviously, since one of the reasons to deign IPv6 was the shortage of IPv4 addresses, there are more IPv6 addresses available. As we pointed out earlier an IPv4 address is a 32 bit number, whereas IPv6 address is a 128 bit number. IPv4 is a numeric addressing method whereas IPv6 is an alphanumeric addressing method. And where IPv4 binary bits are separated by a dot(.), the IPv6 binary bits are separated by a colon(:).

The difference in bits allows for IPv6 to multiply the number of possible IP addresses by 1028, which may not sound like much, but it gives us 340 trillion trillion trillion possible addresses!

There are technical differences between the protocols as well. We will not handle them in detail as that is outside the scope of this post, but it’s good to be aware of them:

• IPv6 has built-in quality of service (QoS).
• IPv6 has a built-in security layer (IPsec).
• IPv6 eliminates the need for Network Address Translation (NAT).
• IPv6 enables multicasting by default which means the same packet can be sent to several addresses.

IP addresses and geolocation

IP addresses are allocated on a geographic basis, so they can be used for a crude form of geolocation. An important thing to remember though, especially for all the Internet detectives out there, is that finding out an IP address does not provide you with a physical location. The result you get from looking up an IP address’s location can be wrong by hundreds of miles. The location of an IP address on a map can be very misleading as it will often point to the location of the ISP that assigned the address, or to the center of an area where similar IP addresses reside. Innocent people have been harassed, even by the police, based on misunderstanding these “maps”.

IP-based geolocation is useful for website geotargeting (showing users content based on their country or region) but it is not suitable if you want to pay someone a visit.

Aside from geolocation, there is another way to connect an IP address into a physical address: Your Internet IP address is typically allocated by your ISP, and your ISP typically knows your physical address. Anyone who can convince your ISP to give up that information, either by buying it, issuing a subpoena or by social engineering, can learn your address.

How to hide your IP address

Many people don’t like their IP address to be known or visible to the websites or services they are interacting with. There are various possible reasons for wanting to hide your IP address. As awareness of corporate surveillance and criminal hacking has grown, so have concerns about personal privacy. Many people believe that it should be their choice when and how they give up some of their privacy, and don’t want prying eyes on their normal, legitimate behavior.

A Virtual Private Network (VPN) gives you more control over the IP address and other information that is visible on the Internet. Of course, you still need an IP address when using an online service or website, or the packets will not know where to go, but the outside world can only see your VPN provider’s IP address, not the one given to you by your ISP.

By using a VPN, your packets are taking a detour. Compare it to a PO box where you can have your mail sent without providing your physical address to the sender. With the difference that you don’t have to go out and fetch it, it still gets delivered to your home by the one thing that knows your real IP address: The VPN provider that you have decided to trust.

The post What is an IP address? Do I need one? appeared first on Malwarebytes Labs.

The Cybersecurity and Infrastructure Security Agency (CISA) has published advisory ICSA-21-119-04 about vulnerabilities found in multiple real-time operating systems (RTOS) and supporting libraries. Those operating systems and libraries are widely used in smart, Internet-connected “things”. The number of affected devices could be enormous.

As is the fashion these days, the collection of vulnerabilities has been given a name: BadAlloc. CISA has assigned a vulnerability score of 9.8 out of a maximum of 10 for the BadAlloc vulnerabilities and has urged organizations to address these issues as soon as possible.

The vulnerabilities included in BadAlloc

BadAlloc is a large set of remote code execution (RCE) vulnerabilities found by Microsoft’s Section 52:

These remote code execution (RCE) vulnerabilities cover more than 25 CVEs and potentially affect a wide range of domains, from consumer and medical IoT to Industrial IoT, Operational Technology (OT), and industrial control systems.

Section 52 is Microsoft’s Azure Defender for IoT security research group consisting of IoT/OT/ICS domain experts that reverse-engineer malware, and track ICS-specific zero-days, campaigns, and adversaries.

Where does the name BadAlloc come from?

The researchers found that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device.

Heap is the name for a region of a process’ memory which is used to store dynamic variables. If these get written to the wrong place, an attacker could input malicious data, which if it is not validated, could allow an attacker to perform remote code execution, or crash the affected system.

In the programming language C++, bad_alloc is the type of the object thrown as exceptions by the allocation functions to report failure to allocate storage. So, this may have been the inspiration for the name.

Which devices are affected?

This is a long list and some of these, in turn, represent a lot of different devices:

• Amazon FreeRTOS, Version 10.4.1
• Apache Nuttx OS, Version 9.1.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3
• ARM Mbed OS, Version 6.3.0
• ARM mbed-uallaoc, Version 1.3.0
• Cesanta Software Mongoose OS, v2.17.0
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3
• Google Cloud IoT Device SDK, Version 1.0.2
• Linux Zephyr RTOS, versions prior to 2.4.0
• Media Tek LinkIt SDK, versions prior to 4.6.1
• Micrium OS, Versions 5.10.1 and prior
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior
• NXP MCUXpresso SDK, versions prior to 2.8.2
• NXP MQX, Versions 5.1 and prior
• Redhat newlib, versions prior to 4.0.0
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB
• TencentOS-tiny, Version 3.1.0
• Texas Instruments CC32XX, versions prior to 4.40.00.07
• Texas Instruments SimpleLink MSP432E4XX
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03
• Uclibc-NG, versions prior to 1.0.36 
• Windriver VxWorks, prior to 7.0

Microsoft worked with all the affected vendors in collaboration with the US Department of Homeland Security (DHS) to coordinate the investigation and release of updates.

Mitigation

For now, we have not seen any indications of these vulnerabilities being exploited, but given the amount of available targets, you can be sure exploits are being sought. Unlike computers, Internet-connected devices can be difficult, or even impossible to update. Because of that, mitigating against these issues could be extremely important for years to come.

In the CISA advisory you can find a list (under 4. Mitigations) which shows the updates that are available. The agency advises users to take the following defensive measures, to minimize the risk of exploitation:

• Apply available vendor updates.
• Ensure that affected devices are not accessible from the Internet.
• Minimize network exposure for all control system devices and/or systems.
• Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
• Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.

Microsoft provides the following mitigation advice:

…we recognize that patching IoT/OT devices can be complex. For devices that cannot be patched immediately, we recommend mitigating controls such as: reducing the attack surface by minimizing or eliminating exposure of vulnerable devices to the internet; implementing network security monitoring to detect behavioral indicators of compromise; and strengthening network segmentation to protect critical assets, as described in the mitigations section at the end of this blog post.

Stay safe, everyone!

The post IoT riddled with BadAlloc vulnerabilities appeared first on Malwarebytes Labs.

The Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments, has recently pushed out a comprehensive and strategic plan for tackling the increasing threat and evolution of ransomware.

The report, entitled “Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force”, which you can read here [PDF]  advocates for “a unified, aggressive, comprehensive, public-private anti-ransomware campaign.”

The purpose of creating the document seems to be threefold: first, to educate the targeted reader—in this case, policy makers and industry leaders—about the dangers of ransomware; second, to call for unification amongst organizations to collectively beat the ransomware enterprise; and third, to guide organizations and governments on action items (48 in total) they can pursue to disrupt the ransomware-as-a-service (RaaS) model and extensively lessen the impact of current and future attacks.

“This is great news and sorely needed,” says Jerome Segura, Director of Threat Intelligence at Malwarebytes, in an email. “One key aspect is, of course, international cooperation (or the lack thereof) which has proven to be a key reason why many criminals from Eastern Europe can continue their business without real fear of prosecution.”

Ransomware: a threat to national security

Ransomware attacks had been popping up left and right, even before the COVID-19 pandemic threw a wrench into cybersecurity efforts of many already challenged companies and industries. Ransom demands inflated steeply through the pandemic, and the money raised appears to be being reflected in increasing innovation and sophistication.

The report quantifies the impact of a ransomware attacks with some startling statistics. According to the RTF the average ransom payment in 2020 was $312,493, an increase of 171% over the previous year. Perhaps even more costly and damaging, it puts the average time it takes to fully recover from a ransomware attack at just over nine months.

Note that these are average numbers, which means that there are cases when organizations have dealt with much longer downtimes and paid far higher ransoms (demands go into the tens of millions) to get their businesses back up and running as quickly as possible.

Gone are the days when threat actors behind ransomware campaigns targeted organizations they thought had the means to readily cough up money to meet their demands. These past few years, ransomware gangs have become more opportunistic, perhaps comforted by the wide availability of ransom insurance. They have deliberately targeted networks and breached systems of vital infrastructure, such as hospitals, schools, local governments, and nuclear plants, knowing full well that they may be putting lives at risk.

Organizations who refuse to pay the ransom have then to deal with the data leaking that will inevitably follow; the delays caused by identifying and fixing the problems that allowed the ransomware gang into its systems; and the cost to undergo crisis management efforts and generally getting back on track as quickly as possible, while also increasing their overall cybersecurity posture. On the other hand, organizations who do pay the ransom get to spend millions of dollars, too, on top of the ransom payment and still aren’t guaranteed to get their data back, or a speedy recovery.

Ransom payments may then used to fund criminal enterprises that, for example, engage in human trafficking, terrorism, and “the proliferation of mass destruction”. But perhaps the most damaging of all is that ransomware attacks can sow doubt in the minds of the public towards public institutions.

To add salt to the wound, ransomware threat actors do this from within countries that are turning a blind eye to, or even encouraging, these cybercrime campaigns. They are safe havens where gangs know they won’t be charged, prosecuted or extradited for their actions. It is not difficult then to see why the RTF urged its audience to “raise the priority of ransomware within the intelligence community, and designate it as a national security threat” while advocating the use of “criminal prosecution and other tactics”.

Core actions organizations and governments must take

Although there are multiple steps recommended in the report, the RTF prescribes that these steps should be viewed and considered part of a bigger whole as they were each designed to complement and build on each other.

According to the report:

“The strategic framework is organized around four primary goals: to deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; to disrupt the business model and reduce criminal profits; to help organizations prepare for ransomware attacks; and to respond to ransomware attacks more effectively.”

To see the necessary impact against the ransomware enterprise, the task force stresses the importance of adopting these steps as soon as possible, with continuous coordination among the involved parties at a national and international level. (The RTF has proposed that the US government take charge in international coordination efforts with its partners.)

Among its priority recommendations, the RTF proposes that greater prioritization be given to an intelligence-driven anti-ransomware efforts; mandatory reporting of ransomware attacks and the creation of Cyber Response and Recovery funds; the development of a framework to help organizations prepare for, and respond to, ransomware attacks; and greater regulation of the cryptocurrency sector.

About the RTF and other anti-ransomware efforts

The Institute of Security and Technology (IST) is the host organization that launched the Ransomware Task Force four months ago in December 2020. Before this, significant efforts have been made by organizations within or associated with the cybersecurity industry in combating ransomware.

In January this year, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Reduce the Risk of Ransomware Campaign where it focused on educating the public and private sectors on anti-ransomware best practices and what tools and resources to use to mitigate attacks. CISA’s one-stop page for everything one needs to know about ransomware can be found on this CISA ransomware page.

In July 2016, Europol’s European Cybercrime Centre joined forces with other law enforcement bodies and IT security companies to launch No More Ransom (NMR). Similar to the above mentioned efforts, NMR also aims to help victims recover their data without shelling out money. They do this by collating decryption tools for ransomware families, created by cybersecurity volunteers. You can learn more about No More Ransom by visiting its official website.

The post Task Force delivers strategic plan to address global ransomware problem appeared first on Malwarebytes Labs.

Signal—the private, end-to-end encrypted messaging app that surged in popularity in recent months—once again reminded criminal investigators that it could not fully comply with a legal request for user records and communications because of what it asserts as a simple, unchanging fact: The records do not exist on Signal’s servers.

This is at least the second request of this kind that Signal has received in the last five years, and in the same time period, similar government demands to pry apart end-to-end encrypted communications have become commonplace. Every single time the government has tried this—from the FBI’s insistence in 2016 that Apple create new software to grant access to a device, to the introduction of the EARN IT Act in Congress last year—cybersecurity experts have pushed back.

The legal request to Signal came from the US Attorney’s Office in the Central District in California in the form of a federal grand jury subpoena. According to the subpoena, investigators sought “all subscriber information” belonging to what appeared to be six Signal users. The requested information included “user’s name, address, and date and time of account creation,” the date and time that the users downloaded Signal and when they last accessed Signal, along with the content of the messages sent and received by the accounts, described in the request as “all correspondence with users associated with the above phone numbers.”

Signal responded to the subpoena with help from lawyers from American Civil Liberties Union. According to the company’s response, Signal could only comply with two categories of information requested by the US Attorney’s Office.

“The only information Signal maintains that is responsive to the subpoena’s inquiries about particular user accounts is the time of account creation and the time of the account’s last connection to Signal servers,” wrote ACLU attorneys Brett Kauffman and Jennifer Granick. Kauffman and Granick also addressed some of the US Attorney’s Office’s questions about the physical locations of Signal’s servers and whether the technical processes of account creation and communication for Signal users in California ever leave the state of California itself.  

In a blog published this week, Signal said why it again could not comply with a subpoena for user information, explaining that, because of the app’s design, such user information never reaches their hands.

“It’s impossible to turn over data that we never had access to in the first place,” the company wrote. “Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for.”

This lacking access, while excellent for user privacy, has frustrated law enforcement for years. It is a problem that is often referred to as “going dark,” in that the communications of criminals using end-to-end encrypted messaging apps are inaccessible to any third parties, including government investigators. Former Deputy Attorney General Rod Rosenstein has referenced the “going dark” problem, as has current FBI Director Christopher Wray. Many other representatives have, as well, and each time their refrain has stayed the same: End-to-end encrypted messaging apps provide a level of security that is too extreme to allow without a way for law enforcement to break through it.

But it’s magical thinking on the government’s part.

As many cybersecurity experts have explained over literal decades, allowing third parties to access secure, end-to-end encrypted communications will, by definition, make them less secure, functioning in effect as a backdoor. And a backdoor, in and of itself, is a security vulnerability.

Signal’s efforts to publicize its grand jury subpoena are notable—these requests often come with an instruction that the recipient not disclose any details of the request, else they risk jeopardizing an ongoing criminal investigation. These are valid concerns, but so are the concerns raised by Signal, which are that, even after all this time, government agents still believe that evidence can be conjured out of thin air.

The post Signal app insists it’s so private it can’t provide subpoenaed call data appeared first on Malwarebytes Labs.