Archive for author: makoadmin

Falsifying and weaponizing certified PDFs

The Portable Document Format (PDF) file type is one of the most common file formats in use today. Its value comes from the fact that PDFs always print the same way, and that PDFs are supposed to be read-only (unlike a Word document, say, which is designed to be easy to edit). This immutability can be assured by password protection and digital signing.

PDFs are used extensively in the legal, medical and real-estate industries, but are also seen in education, small businesses and other sectors. The format’s popularity really took off when Adobe released it as an open standard in around 2008, which untethered it from the company’s Acrobat software.

PDF security

PDF files can be password protected so that only people with the password can read the content of the file. However, for anyone that knows the password it’s trivial to remove the password or create an identical file that is not password protected.

Certified PDFs

PDFs can be digitally signed, which indicates that the signer approves of their contents. The PDF specification defines two different types of digital signatures to guarantee the authenticity and integrity of documents:

  • Approval signatures attest to one specific state of the PDF document. If the document is changed the signature becomes invalid.
  • Certification signatures allow for specific changes to a signed document without invalidating the signature. You can specify the types of changes that are permitted for the document to remain certified. For example, a sender can specify that a signature from a receiver in the designated field does not invalidate the certification. This way the sender can be sure, when they receive the signed copy, that the signature was the only change in the document. Certifying signatures can be visible or invisible.

Digital signatures

You cannot remove a digital signature from a PDF unless you are the one who placed it and you have the digital ID for signing it installed. Each time a document is signed using a certificate, a signed version of the PDF at that time is saved with the PDF. Each version is saved as append-only and the original cannot be modified. After a document is signed, you can display a list of the changes made to the document after the last version.

Secretly changing signed documents

Researchers working at the Ruhr University Bochum (Germany), however, have presented two possible attacks where the content of the PDF document can be altered by the receiver in such a way that the changes are undetectable, either in all PDF applications or in a subset of them. The names that they gave to these two attacks are:

  • Evil Annotation Attack (EAA)
  • Sneaky Signature Attack (SSA)

Both vulnerabilities allow an attacker to change the visible content of a PDF document by displaying unauthorized content over the certified content. However, the certification remains valid and the application shows no warnings that unauthorized changes were made.

The success of these attacks depends on the specific PDF viewer. These applications are supposed to alert the reader to any unauthorized changes. The researchers evaluated 26 popular PDF viewers. They were able to break the security of certified documents in 15 of them with EAA. Eight applications were vulnerable to SSA. Only two were not fooled by either attack. The researchers responsibly disclosed these issues and supported the vendors to fix the vulnerabilities.

An additional code injection attack

An incremental update introduces a possibility to extend a PDF by appending new information at the end of the file. The original document stays unmodified and a revision history of all document changes is kept. Examples of incremental updates are the addition of a certification, signature, or annotation, or the filling out of forms within a PDF.

Only certified documents are allowed to execute high privileged JavaScript code in Adobe products, but the research shows that such code is also executed if it is added as an allowed incremental update. This allows attackers to directly embed malicious code into a certified document. If you’re wondering why that’s bad, consider that we are now into our fourth decade of malicious Microsoft Office macros.

Permission levels for certified documents

The certifier has a choice of three different permission levels to allow different modifications:

  • P1: No modifications on the document are allowed.
  • P2: Filling out forms, and digitally signing the document are allowed.
  • P3: In addition to P2, annotations are also allowed.

Annotations introduce a different method for user input by allowing a user to put remarks in a PDF document like text highlighting, strikeouts, or sticky notes. Annotations are not limited to predefined places within the PDF and can be applied everywhere within the document.

Evil Annotation Attack (EAA) breaks P3

The researchers found three types of annotations capable of hiding and adding text and images. All three can be used to stealthily modify a certified document and inject malicious content. To execute the attack, the attacker modifies a certified document by including the annotation with the malicious content at a position of the attacker’s choice. According to the researchers, a victim would have to manually inspect UI-Layer 3 or click on the annotation to detect the modification. And the attacker could even lock an annotation to disable clicking on it.

Sneaky Signature Attack (SSA) breaks P2

The idea of the Sneaky Signature Attack is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2. The attacker modifies a certified document by including a signature field with the malicious content at a position of an attacker’s choice. The attacker then needs to sign the document, but does not need to possess a trusted key. A self-signed certificate for SSA is sufficient.

Vulnerabilities

The researchers used additional techniques to make their attacks even harder to detect. What the attacks reveal is that signatures and annotations can:

  • Be customized to appear as normal text or images above the signed content.
  • Be made indistinguishable from the original content.
  • Have their indications hidden from UI layers.

Using EAA and SSA to inject JavaScript

For annotations and signature fields, it is possible to pass a reference to an object containing JavaScript. It is possible to trigger the code execution when opening the page. The victim is unable to prevent this. The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document.
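Because both attacks and the JavaScript injection ride on incremental updates appended after the certification, a defender can at least triage a file by splitting it at its %%EOF markers and looking at what the later revisions add. The following is an added example written for this post, not code from the researchers or from any PDF vendor; the PDF bytes are a constructed, minimal fixture (no real signature, no valid xref) and the JavaScript body is an inert placeholder.

```python
import re

# Constructed fixture (not a real certified file): a base revision carrying a
# DocMDP certification dictionary with permission level P3, followed by one
# incremental update that appends a FreeText annotation with a page-open
# JavaScript action. The JS body is an inert placeholder.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Perms << /DocMDP 4 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Type /Sig /Reference [ << /TransformMethod /DocMDP"
    b" /TransformParams << /P 3 >> >> ] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
    # --- incremental update appended after certification ---
    b"5 0 obj << /Type /Annot /Subtype /FreeText /Rect [0 0 200 50]"
    b" /AA << /PO << /S /JavaScript /JS (placeholder) >> >> >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

EOF_MARKER = re.compile(rb"%%EOF\r?\n?")
DOCMDP = re.compile(rb"/TransformMethod\s*/DocMDP\b")
PERMISSION = re.compile(rb"/TransformParams\s*<<[^>]*?/P\s*([123])")

# Tokens whose appearance in a post-certification revision warrants review.
SUSPECT_PATTERNS = {
    "annotation": re.compile(rb"/Type\s*/Annot\b"),        # EAA vector (P3)
    "signature-field": re.compile(rb"/FT\s*/Sig\b"),        # SSA vector (P2)
    "javascript": re.compile(rb"/(?:JavaScript|JS)\b"),     # code injection
}

def split_revisions(pdf):
    """Split raw bytes at each %%EOF; index 0 is the original document,
    every later element is one incremental update."""
    parts, start = [], 0
    for m in EOF_MARKER.finditer(pdf):
        parts.append(pdf[start:m.end()])
        start = m.end()
    if start < len(pdf):  # trailing bytes with no %%EOF: an unfinished update
        parts.append(pdf[start:])
    return parts

def certification_revision(revisions):
    """Index of the first revision that carries a DocMDP certification, else None."""
    for i, rev in enumerate(revisions):
        if DOCMDP.search(rev):
            return i
    return None

def docmdp_permission(revision):
    """Permission level P1..P3 declared by the certification, or None if absent."""
    m = PERMISSION.search(revision)
    return int(m.group(1)) if m else None

def scan_post_certification_updates(pdf):
    """Report annotation, signature-field and JavaScript tokens that appear in
    revisions appended after the certification signature.

    Caveat: this is a byte-level heuristic. Objects inside compressed object
    streams or filtered streams are invisible to it; a production check must
    go through a real PDF parser and validate the DocMDP transform itself."""
    revisions = split_revisions(pdf)
    cert_idx = certification_revision(revisions)
    if cert_idx is None:
        return {"certified": False, "permission": None, "findings": []}
    findings = []
    for i in range(cert_idx + 1, len(revisions)):
        for label, pattern in SUSPECT_PATTERNS.items():
            if pattern.search(revisions[i]):
                findings.append((i, label))
    return {
        "certified": True,
        "permission": docmdp_permission(revisions[cert_idx]),
        "findings": findings,
    }

if __name__ == "__main__":
    report = scan_post_certification_updates(SAMPLE_PDF)
    for rev, label in report["findings"]:
        print(f"revision {rev}: {label} added after P{report['permission']} certification")
```

A hit is a reason to open the file in a viewer that surfaces incremental changes and to compare the revision against the declared permission level, not proof of tampering on its own.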

PDF specification

By design, certified documents enable complex and highly desired use-cases, and the devil here seems to be in the details of a specification that runs to 994 pages! The specification will need to be updated to address the issues found by these researchers. It perhaps also needs simplifying, to avoid further unintended consequences.

For more technical details and the research methodology we advise interested readers to go over the original paper (pdf). You will also be able to find out how your favorite application handles these issues.

The post Falsifying and weaponizing certified PDFs appeared first on Malwarebytes Labs.

How to delete your Twitter account: the deactivation process

You may decide to delete your Twitter account, because social media isn’t for everyone. Perhaps you set up an account to see what the big deal is. Maybe you wanted to hang out with friends but you’re all moving to a new platform. It’s possible the service just isn’t very good and filled with trolls or bad content. Some folks also discover that they’ve posted a little too much personal information down the years and would like a clean break.

Whatever your reason, if you’re looking to delete your account, you’ve come to the right place.

How to delete your Twitter account permanently

Deleting your account on Twitter can be a confusing subject for some, because the process is actually a little more involved and called something else: deactivation. If you don’t follow the steps below, your account won’t be going anywhere. Settle in as we lead you through the process.

Twitter account deactivation

“Deactivation” is a kind of halfway-house for deletion. When you deactivate, Twitter places you in a deletion queue for 30 days.

For that 30 day period, your profile is not visible to anybody and references to it by other people won’t tie back to your account. Eventually, your username is released back into the wild for others to use.

We’re using the web version of Twitter (not mobile, no apps) to give you the most vanilla description possible. These steps may differ slightly between apps and platforms, but in the main they should be mostly identical.

Directly above the “Tweet” button on the lower left hand side, is a “More” option. Click that, and then click into the “Settings and Privacy” option. Under “Your account”, select “Deactivate your account”.

You now have to confirm and reconfirm a few times to let Twitter know you definitely want to do this. After reading the deactivation information, Twitter will pop a password prompt and then ask you one final time to deactivate the account.

Deleting Twitter accounts from your phone

It’s important to note there are two possible aspects to this on a mobile device, and they don’t have the same end result. You may mean deleting the app from your phone, as opposed to your account itself. If this is the case, remove the app the way you’d normally delete an app from your phone. This is typically whatever form of App Manager your flavour of device is using. Important: This will not delete your Twitter account, it will only remove the app from your mobile. Your account will still be out there, on Twitter.

To delete your account, the steps listed further up will work in the same way if on mobile web. Please note there may still be variance if you’re using various types of Twitter app to manage your account.

How to delete an old Twitter account you cannot access

If you’ve lost access to the email account tied to your Twitter profile, support won’t be able to do anything about it. Not great, but this is one way to prevent trolls simply causing account deletions galore for innocent parties. Apart from anything else, it’s good practice to secure email accounts anyway. Lock them down with two-factor authentication (2FA). Anything which tightens the security of your email will also strengthen Twitter accounts connected to it. Win win!

When your account vanishes, Twitter may retain some data to “ensure the safety and security of its platform and users”. They link to this article as an explanation of what they might keep.

Otherwise, that’s it! You’re all done, and your account is gone…or at least, it will be once the 30 day window passes. Note that the usual Internet rules apply. Old Tweets may well be cached in search engines. Portions or all of your account could be saved in the Internet Archive, screenshots on other people’s computers, by Reddit data archivers, or even on sites like Politwoops. While cached search engine results will likely eventually vanish, and you’ll need to contact the Internet Archive directly to see if there’s anything it can do to help, the rest are out of your hands.

The post How to delete your Twitter account: the deactivation process appeared first on Malwarebytes Labs.

What is encryption? And why it matters in a VPN

Encryption is a term used to describe the methods that hide the true meaning of messages using code, especially to prevent unauthorized access to the information in the messages.

Not all users of virtual private networks (VPN) care about encryption, but many are interested and benefit from strong end-to-end encryption. So let’s have a look at the different types of encryption and what makes them tick.

We have discussed the different types of VPN protocols elsewhere, and pointed out that a big factor in many of the important properties of a VPN is the type and strength of encryption. To accomplish end-to-end encryption a process called VPN tunneling is needed.

What is a VPN tunnel?

A VPN tunnel is an encrypted link between your device and an outside network. But there are significant differences between VPN tunnels and not all of them are equally effective in protecting your online privacy. The strength of a tunnel depends on the type of protocol your VPN provider uses. One of the key factors is the type of encryption.

What is encryption used for?

Encryption is used to hide the content of traffic from unauthorized readers. This is often referred to as end-to-end encryption since usually only the sender at one end and the receiver at the other end are authorized to read the content.

Privacy of Internet traffic is, or should be, a major concern, because we use the Internet in all its forms to send a lot of sensitive information to others. For example:

  • Personal information.
  • Information about your organization.
  • Bank and credit card information.
  • Private correspondence.

Since hand-made codes are far too easy for modern computers to crack, we rely on computers to encrypt and decrypt our sensitive data.

Types of encryption

“What are the types of encryption?”, you may ask. Computerized encryption methods generally belong to one of two types of encryption:

  • Symmetric key encryption
  • Public key encryption

Public-key cryptography is sometimes called asymmetric cryptography. It is an encryption scheme that uses two mathematically related, but not identical, keys. One is a public key and the other a private key. Unlike symmetric key algorithms that rely on one key to both encrypt and decrypt, each key performs a unique function. The public key is used to encrypt and the private key is used to decrypt. The mathematical relation makes it possible to encode a message using a person’s public key, and to decode it you will need the matching private key.

Symmetric-key encryption

This type of encryption is called symmetric because you need to have the same substitution mapping to encrypt text and decrypt the encoded message. This means that the key which is used in the encryption and decryption process is the same.

Symmetric key encryption requires that you know which computers will be talking to each other so you can install the key on each one. This way each computer has the secret key that it can use to encrypt a packet of information before being sent over the network to the other computer. Basically, it is a secret code that each of the two computers must know in order to decode the information. But since this design necessitates sharing of the secret key, this is considered to be a weakness when there is a chance of the key being intercepted.

Advanced Encryption Standard (AES)

The best example of symmetric encryption is probably AES, which the US government adopted in 2001. The government classifies information in three categories: Confidential, Secret or Top Secret. All key lengths can be used to protect the Confidential and Secret level. Top Secret information requires either 192- or 256-bit key lengths.

How is AES encryption done?

The AES encryption algorithm defines numerous transformations that are to be performed on data stored in an array. The first transformation in the AES encryption cipher is substitution of data using a substitution table; the second transformation shifts data rows, and the third mixes columns. The last transformation is performed on each column using a different part of the encryption key. The key length is important because longer keys need more rounds to complete.

Public-key encryption

To deal with the possibility of a symmetric key being intercepted, the concept of public-key encryption was introduced. Public-key encryption uses two different keys at once: a combination of a private key and a public key. The private key is known only to your computer, while the public key is provided by your computer to any computer that wants to communicate securely with it.

To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. The key pair is based on large prime numbers. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are nearly infinite possibilities for keys.

VPNs use public-key encryption to protect the transfer of AES keys. The server uses the public key of the VPN client to encrypt the key and then sends it to the client. The client program on your computer then decrypts that message using its own private key.

Why is end-to-end encryption important?

End-to-end encryption is important to create a secure line of communication that blocks third-party users from intercepting data. It limits the readability of transmitted data to the recipient. Most VPN services use asymmetric encryption to exchange a new symmetric encryption key at the start of each VPN session. The data is only encrypted between you and the VPN server. This secures it from being inspected by any server in-between you and the VPN, such as your ISP or an attacker operating a rogue WiFi hotspot. The data transferred between the VPN server and the website you’re visiting is not encrypted, unless the website uses HTTPS.
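The key exchange described two paragraphs up, and the point just made that the VPN server itself sees the decrypted traffic, can both be shown in one short simulation. This is an added illustration written for this post, not a real VPN protocol or any provider's code: it uses textbook RSA with no padding and a SHA-256 counter-mode keystream as a stand-in for AES, so it shows the shape of the exchange only and must not be reused as actual cryptography.

```python
import hashlib
import math
import os
import random

# Illustration only: textbook RSA (no padding) and a hash-based keystream
# standing in for AES. A real VPN uses a vetted library and an authenticated
# key exchange; this block only demonstrates who can read what.

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_prime(bits):
    """Random odd candidate of exactly `bits` bits until one passes the test."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); the client publishes (n, e) and keeps (n, d)."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)

SESSION_KEY_LEN = 16  # bytes: a 128-bit symmetric session key

def server_wrap_session_key(client_pub):
    """VPN server: choose a fresh session key and encrypt it to the client's public key."""
    n, e = client_pub
    session_key = os.urandom(SESSION_KEY_LEN)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped

def client_unwrap_session_key(client_priv, wrapped):
    """VPN client: recover the session key with its own private key."""
    n, d = client_priv
    return pow(wrapped, d, n).to_bytes(SESSION_KEY_LEN, "big")

def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def tunnel_round_trip(request):
    """Whole exchange: key wrap/unwrap, then one request through the tunnel.
    Returns (keys matched, bytes seen on the ISP link, bytes seen at the VPN server)."""
    client_pub, client_priv = rsa_keygen(512)
    server_key, wrapped = server_wrap_session_key(client_pub)     # server -> client
    client_key = client_unwrap_session_key(client_priv, wrapped)  # client side
    nonce = os.urandom(8)
    on_the_wire = stream_xor(client_key, nonce, request)          # ISP / hotspot view
    at_vpn_server = stream_xor(server_key, nonce, on_the_wire)    # VPN server view
    return client_key == server_key, on_the_wire, at_vpn_server

if __name__ == "__main__":
    ok, wire, seen = tunnel_round_trip(b"GET /account HTTP/1.1")
    print("keys agree:", ok)
    print("ISP sees:", wire.hex())
    print("VPN server sees:", seen)
```

The last return value is the point of the post's caveat: once the VPN server has decrypted the tunnel, the request is plaintext again unless the website itself uses HTTPS.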

This is why we said in an earlier post that using a VPN is shifting your trust to a new provider. When you use a VPN you transfer access to your traffic to a third party, the VPN provider. All that visibility that users balk at relinquishing to their ISP has now been handed over to their VPN provider. Careful consideration should be given to the trustworthiness of said VPN provider.

The post What is encryption? And why it matters in a VPN appeared first on Malwarebytes Labs.

What is Incognito mode? Our private browsing 101

Incognito mode is the name of Google Chrome’s private browsing mode, but it’s also become the catch-all term used to describe this type of web surfing, regardless of the browser being used. Some call it Private Mode, others call it Private Browsing. Apple almost certainly got there first, yet Chrome’s 2008 creation has largely become the generic name for all private browsing activity.

What’s the difference between Private browsing and Incognito Mode?

This is an important distinction to make. People can often get lost in options settings when reading articles about incognito mode because some aspects may be Chrome specific. This won’t help when trying to select something in options related to Safari on a Mac. With that in mind, everything we talk about below will be in relation to Chrome’s actual Incognito Mode. If we’re being more general, or referring to privacy modes in other browsers, we’ll also explain which ones.

How to go Incognito

In Chrome, Incognito is a privacy-focused option available from the dropdown menu in the top right hand corner. It’s a brand new, fresh out of the box, temporary version of your regular web browser. We’ll explain the key differences, and possible drawbacks, below.

Edge follows the same process. Click “Settings and more…” and this leads to what they call an InPrivate window.

You won’t be surprised to learn things are the same in Firefox. Its Private browsing is also opened up by the dropdown icon on the right hand side, then picking “New Private Window”.

Safari on a Mac works a little differently than the rest. You need to click on File / New Private Window from the dropdown options at the top of the screen.

What is Incognito mode?

In Incognito mode, your browsing history, cookies, site data, and information entered into forms are not saved on your device. This means that when you start an Incognito window, you’re not logged into anything from your other session(s). You can be logged into your Amazon account, your email accounts, social media, and anything else in your “main” browser. That won’t be the case with the Incognito window when you open it up. It is completely separate from whatever you’re doing elsewhere. You don’t need to close your other browser(s) while using an Incognito window. They’ll co-exist quite happily.

Why use Incognito mode?

Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect.

The old joke is that it’s “pornography mode”, for people wanting to hide more personal aspects of their browsing. While this is no doubt true for some, there’s a lot more scope to Incognito mode and its uses than people give it credit for.

People may share computers. “Switch your login to another account” may be the first suggestion, but it’s not typically a realistic one in every scenario. What if you want to buy a surprise gift for a loved one? Nobody wants to play a game of “endlessly hide your Amazon history” while casually surfing. This is why people will look for gifts in Incognito mode, copy the URL, then drop it into their regular browser session afterwards to make the purchase. From there, they can delete it from their actual, logged-in history before forgetting about it. One additional bonus is that they won’t have dozens of similar gift items showing up in purchase suggestions. Again, this is very useful for accidental over-the-shoulder gift spoilage.

Avoid getting personal with private browsing

There’s a desire to avoid “cross-pollination” of data related to people logged in on their main browser. Sure, your Google account may know a lot about you. It’s still possible to isolate your most personal details from services you use. Suppose you don’t want your Google account to get a read on where you live, or go to work, or perhaps know the name of your children’s school. This is, again, doable. However, when your child falls ill and you can’t remember the school’s number, punching it into your logged-in account may be something you were trying to avoid. Same goes for a quick Google Maps route from your house to your office when roadworks cause delays. These are all things people who compartmentalise bits and pieces of crucial personal information like to avoid. There’s always the possibility of something going wrong in search engine land, and steps to mitigate issues like this are wise.

Is Incognito mode totally private?

Please note that the below applies to all browsers, when talking about Incognito / Privacy modes. The answer is, “no” and “because it largely depends”. Depends on what, you may ask?

If you’re on a corporate network, or on a home network with logging enabled? The person with access to the logs might not be able to see the site content, but they may be able to see URLs and can almost certainly see the names of the sites. As the text in the Incognito mode window at launch states, your ISP and websites themselves may see what you’re doing.

There’s also an option to enable third-party cookies (off by default in Incognito), though this may be something most people would naturally avoid in private browsing mode. Google has made statements about most of the above already. In fact, some of this has become quite a headache for the search giant.

Private browsing should not be used as a replacement for tools like a VPN, which are designed to solve a very different set of privacy problems. Some folks like to take things a step further. Otherwise, private browsing modes are a useful thing to have, but certainly not a one-stop fix for all privacy problems. Keep this in mind and your Incognito surfing sessions will hopefully be free from worry.

The post What is Incognito mode? Our private browsing 101 appeared first on Malwarebytes Labs.

Colonial Pipeline attack spurs new rules for critical infrastructure

Following a devastating cyberattack on the Colonial Pipeline, the Transportation Security Administration—which sits within the government’s Department of Homeland Security—will issue its first-ever cybersecurity directive for pipeline companies in the United States, according to exclusive reporting from The Washington Post.

The directives are expected to arrive within the week and will require pipeline companies in the US to report any cyberattacks they suffer to the TSA and the Cybersecurity and Infrastructure Security Agency. Such attacks will be reported by newly designated “cyber officials” to be named by every pipeline company, who will be required to have 24/7 access to the government agencies, The Washington Post reported. Companies that refuse to comply with the directives will face penalties.

The regulations represent a tidal shift in how the TSA has protected pipeline security in the country for more than a decade. Though the government agency has for 20 years been tasked with protecting flight safety in the country, the new cybersecurity directives fall under the agency’s purview following a government restructuring after the attacks on September 11, 2001. More than a decade after the attacks, the agency leaned on voluntary collaboration with private pipeline companies for cybersecurity protection, sometimes offering to perform external reviews of a company’s networks and protocols. Sometimes, the Washington Post reported, those offers were declined.

But after the ransomware group Darkside attacked the East Coast oil and gas supplier Colonial Pipeline, which led to an 11-day shut-down and gas shortages in the Eastern US, it appears that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. Already, President Joe Biden has signed an Executive Order to place new restrictions on software companies that sell their products to the federal government. Those rules were reportedly refined after the Colonial Pipeline attack, and are expected to become an industry norm as more technology companies vie to include the government as a major customer.

The TSA’s new rules for pipeline companies fall into the same trend.

In speaking with The Washington Post, Department of Homeland Security spokeswoman Sarah Peck said:

“The Biden administration is taking further action to better secure our nation’s critical infrastructure. TSA, in close collaboration with [the Cybersecurity and Infrastructure Security Agency], is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems.”

Though the first directive from TSA is expected this week, follow-on directives could come later. Those directives are reported to include more detailed rules on how pipeline companies protect their own networks and computers against a potential cyberattack, along with guidance on how to respond to cyberattacks after they’ve happened. Further, pipeline companies will be forced to assess their own cybersecurity against a set of industry standards. These directives, like the one expected this week, will also be mandatory, but one expected, voluntary guidance from TSA will be whether a pipeline company must actually fix any issues it finds from a required cybersecurity assessment.

The new rules will bring the private pipeline industry into a small group of regulated sectors of US infrastructure, including bulk electric power grids and nuclear plants. These sectors are the outliers in US infrastructure, as most components—including water dams and wastewater plants—have no mandatory cybersecurity protections.

Several hurdles remain for the TSA’s rules to be effective, including a dearth of staff at the agency itself. According to The Washington Post, the TSA’s pipeline security division had just one staff member in 2014, and according to testimony in 2019, that number had grown to only five. To assuage the problem, the Department of Homeland Security is expected to hire 16 more employees at TSA and 100 more employees at CISA.

The post Colonial Pipeline attack spurs new rules for critical infrastructure appeared first on Malwarebytes Labs.

Insider threats: If it can happen to the FBI, it can happen to you

If you’re worried about the risk of insider threats, you’re not alone. It can affect anyone, even the FBI. A federal grand jury has just charged a former intelligence analyst with stealing confidential files from 2004 to 2017. That’s an incredible 13 years of “What are you doing with that pile of classified material?”. Even more so, considering the indictment states the defendant did not “…have a ‘need to know’ in most, if not all, of the information contained in those materials”.

There are lots of ways this kind of data collection and retention could go wrong. What happens if the person hoarding the documents decides to sell to the highest bidder? Or even just starts giving it away to specific entities? Could it all be digital? What happens when a random third party compromises the PC / storage the files are located on?

How about a plain old burglary, with unsuspecting thieves swiping an inconspicuous looking external hard drive?

However you look at it, this is not a great situation for those files to be in.

The safe zone is compromised

Organisations have multiple problems dealing with the issue of insider threats. They feel more comfortable locking down their data from outside entities. Mapping out ways to keep the soft underbelly of the organisation protected from its own employees is more difficult.

This makes sense. It’s frankly overwhelming for many businesses to figure out where to even begin. How many physical security experts do people know? What about social engineers? Hardware lockdown specialists? The IT department should know their way around firewall configuration. However, there may be weak spots in auditing folks with privileged IT access.

Is there someone at a business who has an idea that printer security is even a thing? If not, that could spell trouble.

Anyone can be a security risk

There are many forms of insider threat, which we’ve explored in great detail. They differ greatly, and their motivations can differ considerably from individual to individual. If you’ve never considered the difference between intentional and unintentional insiders, and all the different varieties thereof, then now is a great time to start.

If your approach is simply “a bad person wants to steal my files”, any potential defences likely won’t contain enough nuance to be sufficient in the first place. It’s a big, complicated problem. There are lots of moving parts. It needs the same level of thought and attention given to other areas of business security elsewhere.

Some additional reading

This FBI insider threat story is quite timely, given how much attention the subject is experiencing recently. Some additional reading for your consideration:

This is hopefully just the splash of light reading material required to get you up to speed on this insidious form of data exfiltration.

The post Insider threats: If it can happen to the FBI, it can happen to you appeared first on Malwarebytes Labs.

VPN Android apps: What you should know

Months ago, we told readers about the importance of using a VPN on their iPhones, and while those lessons do apply to Android devices—a VPN for Android will encrypt your Android’s web activity and app traffic, and it will stop your mobile carrier from monetizing your data—Android users should caution against one particular risk: That of the free VPN app.

In just the past year, free VPN for Android apps have exposed the data of as many as 41 million users, revealing consumers’ email addresses, payment information, clear text passwords, device IDs, and more. Investigations into one of those free VPN Android apps also revealed that it may have been part of a larger web of Android VPNs all operating under the same company—a company that was nearly impossible to reach for customer support, borrowed liberally from other company privacy policies, and failed to meet its promises to keep “no logs” of user activity. And while poorly built VPNs are not reserved only for Android devices, Android users in particular should wade cautiously through the Google Play Store, where countless VPN apps demarcate themselves under bland terminology such as “ultimate,” “super,” “fast,” and, of course, “free.”

In reality, a secure, trustworthy VPN Android app is rarely, if ever, free, and that’s largely because the actual work that goes into running a secure VPN service costs money. As Malwarebytes senior security researcher JP Taggart said on our podcast Lock and Code:

“Deploying a VPN service is, you know, it requires infrastructure. It requires servers, it requires staff, it requires coders to make sure that it’s done properly or that it’s done the way you want it to work,” Taggart said. “All of that has to be paid. All these people that work on [the VPN service], nobody is going to do it for free. No one is that altruistic.”

There is no best free VPN for Android

Searching for a VPN app shouldn’t be so hard, but it is. A quick query in the Google Play store conjures up at least 250 results, and, without any knowledge of the VPN industry, it can be difficult to know which app to trust. For users taking their first steps into learning about VPNs, the temptation to download any of the countless free VPN Android apps is high.

But some of those free apps are the same ones with a poor track record of protecting user data.

In February of this year, a cybercriminal claimed to have stolen user data from three separate VPN apps available on the Google Play Store: SuperVPN, GeckoVPN, and ChatVPN. The cybercriminal said on an online hacking forum that they’d managed to swipe email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and whether a user was a “Premium” member, along with that “Premium” membership’s expiration date. Follow-on reporting from the tech outlet CyberNews also revealed that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

The impact of such a data breach is hard to measure, because it goes beyond just the harm caused to the victims. At risk here is also the trust that users are expected to place in a service that is specifically advertised as a privacy and security measure.

Troy Hunt, the founder of the data breach website HaveIBeenPwned, called the breach “a mess” on Twitter, saying that it was a “timely reminder of why trust in a VPN provider is so crucial.”

“This level of logging isn’t what anyone expects when using a service designed to *improve* privacy,” Hunt said, “not to mention the fact they then leaked all the data.”

But for one of the VPN Android apps, SuperVPN, it was actually the second time it had been named in a cybersecurity mishap.

In July 2020, cybersecurity researchers at vpnMentor published a report that showed that seven VPN Android apps had left 1.2 terabytes of private user data exposed online. According to the report, the data belonged to as many as 20 million users, and it included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

Particularly upsetting in this discovery was the fact that all of the seven VPN Android apps had promised to keep “no logs” of user activity—a provably false claim since vpnMentor actually found user logs in its research. The VPNs named in the report were UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

In its investigation, vpnMentor also proposed that the seven VPN Android apps were likely made by the same developer, as the VPN services shared a common Elasticsearch server, along with the same payment recipient, Dreamfii HK Limited. Three of the VPN apps also featured branding and website layouts that looked similar to one another.

These are known privacy and security failures, and they just so happen to afflict free VPN for Android apps. A free VPN may cost nothing out of your pocket, but it could cost your privacy a lot more.

We can’t tell you the best VPN for Android, free or not free

We’ve told you the bad news—free Android VPNs are too big a risk to take. Now, understandably, you might ask about the good news—what VPN Android app should I use?

Unfortunately, we can’t recommend any VPN Android app, and that’s because what VPNs offer—varying privacy protections—is not uniformly valuable to every user.

For instance, for users who want to protect their Internet activity while connecting to a public WiFi hotspot, VPNs offer a strong solution, as VPN services encrypt web traffic and make it incomprehensible to digital eavesdroppers. For users who want to access content that is geo-restricted, VPNs also offer a helpful workaround, as they can make a user’s Internet traffic appear as though it is originating from another location.

But where VPN value starts to differentiate is in the realm of privacy, and that’s because, as we’ve learned in recent years, privacy could mean something different for every user. For some users, privacy might mean hiding their Internet traffic from their Internet Service Provider, which a VPN can do. But for other users, privacy might mean keeping their sensitive data from today’s enormous social media companies, which a VPN cannot do. Or it might mean stopping cross-site tracking across the Internet, which, again, a VPN cannot do.

But do not worry if you’re still looking for help, because we can recommend the same advice we did earlier this year for anyone looking for the right VPN for themselves.

Think about how you’ll use the VPN service and look for a variety of features, like the ease of use, the connection speed, any potential data limits, the availability of customer support, and the VPN’s policy on keeping user logs. With the right info, you’ll be protecting yourself in no time.

Just remember, if you’re willing to take your privacy seriously, you should also be willing to spend a little money on it.

The post VPN Android apps: What you should know appeared first on Malwarebytes Labs.

A week in security (May 17 – May 23)

Last week on Malwarebytes Labs, we looked at a banking trojan full of nasty tricks, explained some tips and pointers for using VirusTotal, and dug into how an authentication vulnerability was patched by Pega Infinity. We also explored how a Royal Mail phish deploys evasion tricks to avoid analysis, and gave a rundown of how Have I been Pwned works. The human cost of the HSE ransomware attack was explored, new Android patches hit the streets, and Apple confirmed that Macs get malware.

Other Cybersecurity news

Stay safe, everyone!

The post A week in security (May 17 – May 23) appeared first on Malwarebytes Labs.

Shining a light on dark patterns with Carey Parker: Lock and Code S02E09

This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about “dark patterns,” which are subtle tricks online to get you to make choices that might actually harm you.

Dark patterns have been around for years, and the tricks they’re based on are even older. Ever bought a pretty much useless concert ticket warranty? Ever paid for 12 months at a gym when you were really just interested in a trial membership? Ever been fooled into spending just a little more money than you planned?

Well, those tricks exist online, too, and they often show up in hidden, visual cues that make you think that one option is better for you than another. But, lo and behold, the option that looks appealing to you might actually be the option that best serves a company. You could be tricked into staying in a newsletter subscription. You could find it exceedingly difficult to delete an account entirely. And you may be signing away your data privacy protections without even knowing it.

But, as Parker helps explain in today’s episode, even those lowered privacy protections are a means of making money for some of today’s largest social media companies:

“They want to know as much about you, they want to know about everyone you know, so they use dark patterns to trick you into providing way more personal data than any sane human would ever want to provide. And that’s how they make more money.”

Tune in to learn about dark patterns—how to spot them, what any future fixes might look like, and what one company is doing to support you—on the latest episode of Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Shining a light on dark patterns with Carey Parker: Lock and Code S02E09 appeared first on Malwarebytes Labs.

A doctor reveals the human cost of the HSE ransomware attack

“It’s cracking, the whole thing.”

The words were delivered quickly, but in a thoughtful and measured way. As if the person saying them was used to delivering difficult news. Little surprise, given they belonged to a doctor. But this doctor wasn’t describing a medical condition—this was their assessment of the situation on the ground in the hospital where they’re working today, in Ireland.

Since May 14, Ireland’s Health Service Executive (HSE) has been paralysed by a cyberattack. In the very early hours of Friday morning, a criminal gang activated Conti ransomware inside HSE’s computer systems, sparking a devastating shutdown.

Government officials were quick to reassure people that emergency services remained open and the country’s vaccine program was unaffected. The story echoed around the world, and then, outside of Ireland at least, the news moved on. Just as it had moved on from the Colonial Pipeline attack that preceded HSE, and the attack on AXA insurance that followed it.

But the HSE attack isn’t over.

Daniel (not his real name) sat with Malwarebytes Labs on condition of anonymity, to explain how this cyberattack is continuing to affect the lives of vulnerable patients, and the people trying to treat them. Throughout our interview he speaks quickly, but with control and understatement. He has the eyes and slightly exaggerated movements of somebody substituting adrenaline for sleep.

A 21st century health system runs on computers, but the computers in Daniel’s hospital have notes on them saying they cannot be used, and should not be restarted. While those computers are dormant, simple things become difficult; everything takes longer; complex surgeries have to be cancelled.

Daniel told us that before the attack he would go through a system linked to HSE for each of his appointments, looking for GP referrals by email, checking blood results, accessing scans, reading notes linked to each patient. That is gone now.

“Before surgery I review [each patient’s] scans. Or even during the surgery. Legally I have to look at the scans.”

“I can’t even check my hospital mail. Our communication with everyone has been affected… They can’t ring me. The whole thing is just breaking apart.” The GDPR, which is designed to protect patients’ data, prevents him from using his personal email or other messaging systems for hospital business. A generation of staff raised on computers are back to pen and paper. “You don’t know who’s looking for who, who wants to see who.”

I ask him how he first learned about the attack and he tells me about coming to work on Friday totally unprepared for what he’d encounter. The only nurse he sees asks “did you hear?”. He had not. The systems he relies on to stay informed aren’t working. “I didn’t get a heads up. All computers are not allowed to be touched. Do not restart.”

He describes how uncertainty hung over them, until at midday he let a patient who had been waiting for surgery since 7 am know that the day was cancelled. “She’s been fasting. With her stress up I had to tell her to go home.”

The staff are in the dark. “We were optimistic it would get done over the weekend. We thought it might get done the same day. Then we thought maybe Monday.” It has been this way since Friday and he is not optimistic that it will be sorted any time soon. “There is no official timeline but we’re thinking it will take at least a week or so. We are not optimistic about it.”

As he says this to me all I can think about is a statistic from the recent Ransomware Task Force report. According to the report, the average downtime after a ransomware attack is 21 days. The time to fully recover is over nine months. I can’t bring myself to mention it.

I ask him about the impact on patients.

“I have to tell patients, sorry I can’t operate on you. You’ve been fasting, you came a long distance, you rescheduled things to make time for me, maybe you have had to come off work. After all this I have to say sorry, I can’t see you.”

“I’m dealing with patients lives here. It’s not something you can take lightly. You either do it right or you do it wrong, and if you do it wrong you’re harming somebody.”

But not harming people requires access to information he no longer has. Delays can be life threatening. “If I reschedule a patient and they come back a few weeks or a few months later with a tumour that I couldn’t assess from the paperwork…”, he stops there. He doesn’t need to finish the thought. Those that don’t get worse while they’re delayed are still suffering too. They will stay that way until they can be seen.

And it’s obvious from my conversation with Daniel that it isn’t only the patients who are being put at risk. There are grinding, corrosive effects on the hospital staff too. Everything takes longer, which requires more work, and nobody knows when it will be over.

It is a wicked burden for a medical profession that has spent the last year grappling with a once-in-a-century pandemic. “Our backlog just became tremendous”, Daniel says, before explaining that over the last few months he and his colleagues have performed surgeries at nighttime and weekends to work through the backlog of operations and appointments delayed by the response to COVID.

And now there is another reason to work late.

Because of the ransomware attack, he must put in hours of extra effort after his day’s work is done just to determine which of tomorrow’s appointments he will have to cancel for lack of information. And then he must deal with those anguished, sometimes angry patients, telling them their appointment cannot go ahead.

“Imagine the scenario,” he says. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” Daniel’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”

And hanging over all these interactions is the spectre of litigation. Whichever way he turns, his decisions have consequences and his decision making process is in tatters.

I ask him if he thinks they should pay the ransom (the Irish Taoiseach does not). I am expecting rage and anger. A defiant “no”. I am projecting. His first thought is for the health of the people being denied care.

“I think they will pay the ransom. I don’t think there is another way around it. The pressure will build up, they will have to do what has to be done. This can’t go on. This is disastrous.” If it was his decision, would he pay? “I would. There is no money you can pay to take somebody’s life away. I would make my system more robust so this doesn’t happen again.”

I ask him if there’s anything he’d say to his attackers if he could.

“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them? That’s what I’d ask them.”

“I think they lost their humanity.”

The post A doctor reveals the human cost of the HSE ransomware attack appeared first on Malwarebytes Labs.